cmd_ok(c);
}
+static void cmd_create_temp(struct client *c)
+{
+ struct auth_acct *aa = cmd_need_target_acct(c);
+
+ uint validity;
+ if (get_uint(c->request, "validity", &validity))
+ cmd_error(c, "Validity must be given");
+
+ if (!aa->zone->max_temp_validity)
+ cmd_error(c, "This zone does not allow temporary tokens");
+
+ if (validity > aa->zone->max_temp_validity)
+ cmd_error(c, "This zone limits temporary token validity to %d seconds", aa->zone->max_temp_validity);
+
+ char *tok = temp_generate(aa->zone->name, aa->user->login, validity);
+ set_string(c, c->reply, "token", tok);
+ xfree(tok);
+
+ msg(L_INFO, "Created temp token: login=<%s> zone=<%s> validity=%u", aa->user->login, aa->zone->name, validity);
+
+ cmd_ok(c);
+}
+
static void cmd_login_fake(struct client *c, const char *passwd)
{
auth_check_token(auth_fake_token, passwd);
cmd_error(c, "Invalid password");
}
+static void cmd_login_by_temp(struct client *c, struct auth_zone *az, const char *given_passwd)
+{
+ const char *login = cmd_need_string(c, "login");
+
+ const char *reason = temp_check(az->name, login, given_passwd);
+ if (reason)
+ {
+ msg(L_INFO, "Login failed: %s user=<%s> zone=<%s> type=<temp>", reason, login, az->name);
+ goto reject;
+ }
+
+ /*
+ * The following checks test for improbable things like user
+ * disappearing since the token has been issued.
+ */
+
+ if (!az->max_temp_validity)
+ {
+ msg(L_INFO, "Login failed: Temporary tokens no longer accepted for zone=<%s>", az->name);
+ goto reject;
+ }
+
+ struct auth_user *au = auth_find_user(login, 0);
+ if (!au)
+ {
+ msg(L_INFO, "Login failed: No user=<%s> type=<temp>", login);
+ goto reject;
+ }
+
+ struct auth_acct *aa = auth_find_acct(au, az, 0);
+ if (!aa)
+ {
+ msg(L_INFO, "Login failed: No account user=<%s> zone=<%s> type=<temp>", login, az->name);
+ goto reject;
+ }
+
+ msg(L_INFO, "Login successful: user=<%s> zone=<%s> type=<temp>", login, az->name);
+ cmd_ok(c);
+
+reject:
+ cmd_error(c, "Temporary token refused");
+}
+
static void cmd_login(struct client *c)
{
struct auth_zone *az = cmd_need_zone(c);
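Review bot: The refusal logged in cmd_login_by_temp when `az->max_temp_validity` is zero is the only failure message in that function without `user=` and `type=<temp>`, so that rejection cannot be matched to a login when the log is searched on those fields. I would write it as `msg(L_INFO, "Login failed: Temporary tokens no longer accepted user=<%s> zone=<%s> type=<temp>", login, az->name);`. In cmd_create_temp a `validity` of 0 passes both checks and reaches temp_generate; what that produces depends on code outside the hunk, so an explicit `if (!validity) cmd_error(c, "Validity must be positive");` would state the intent. The limit message there prints `aa->zone->max_temp_validity` with `%d` while `validity` is a `uint` logged with `%u`; if the field is unsigned (its declaration is not visible here), `%u` is the matching specifier.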
passwd = passbuf;
}
+ if (ident && !strcmp(ident, "t"))
+ return cmd_login_by_temp(c, az, given_passwd);
+
const char *login = cmd_need_string(c, "login");
struct auth_user *au = auth_find_user(login, 0);
if (!au)
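Review bot: `return cmd_login_by_temp(c, az, given_passwd);` returns a void expression from a function declared `static void`, which ISO C does not allow even though GCC accepts it without `-pedantic`. I would split it into `cmd_login_by_temp(c, az, given_passwd);` followed by `return;` under the same `if`, with braces. A short comment such as `/* ident "t" selects a temporary token */` would also help, since the meaning of the literal is not explained on the visible lines. The body of cmd_login starts and continues outside this hunk, so the declarations of `ident` and `given_passwd` could not be checked.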
{ "delete-token", cmd_delete_token },
{ "set-passwd", cmd_set_passwd },
{ "delete-passwd", cmd_delete_passwd },
+ { "create-temp", cmd_create_temp },
{ "login", cmd_login },
{ "list-accts", cmd_list_accts },
{ "list-zones", cmd_list_zones },