tokidoki/auth/pam.go

//go:build pam

package auth

import (
	"fmt"
	"net/http"

	"github.com/msteinert/pam"
	"github.com/rs/zerolog/log"
)

type pamProvider struct{}

func NewPAM() (AuthProvider, error) {
	return pamProvider{}, nil
}

func (pamProvider) Middleware() func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			pamAuth(next, w, r)
		})
	}
}

func pamAuth(next http.Handler, w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		w.Header().Add("WWW-Authenticate", `Basic realm="Please provide your system credentials", charset="UTF-8"`)
		http.Error(w, "HTTP Basic auth is required", http.StatusUnauthorized)
		return
	}

	t, err := pam.StartFunc("login", user, func(s pam.Style, msg string) (string, error) {
		log.Debug().Str("style", fmt.Sprintf("%v", s)).Msg(msg)
		switch s {
		case pam.PromptEchoOff:
			return pass, nil
		case pam.PromptEchoOn, pam.ErrorMsg, pam.TextInfo:
			return "", nil
		default:
			return "", fmt.Errorf("unsupported PAM conversation style: %v", s)
		}
	})
	if err != nil {
		log.Debug().Err(err).Msg("failed to start PAM conversation")
		http.Error(w, "Temporary authentication error, try again later", http.StatusServiceUnavailable)
		return
	}

	if err := t.Authenticate(0); err != nil {
		log.Debug().Err(err).Msg("auth error")
		http.Error(w, "Invalid username or password", http.StatusUnauthorized)
		return
	}

	if err := t.AcctMgmt(0); err != nil {
		log.Debug().Err(err).Msg("account unavailable")
		http.Error(w, "Account unavailable", http.StatusUnauthorized)
		return
	}

	user, err = t.GetItem(pam.User)
	if err != nil {
		log.Debug().Err(err).Msg("failed to get PAM username")
		http.Error(w, "Temporary authentication error, try again later", http.StatusServiceUnavailable)
		return
	}

	authCtx := AuthContext{
		AuthMethod: "pam",
		UserName:   user,
	}
	ctx := NewContext(r.Context(), &authCtx)
	r = r.WithContext(ctx)
	next.ServeHTTP(w, r)
}
auth: add PAM support Handy for small local installations. Disabled by default because it adds a dependency on the PAM library. 2022-09-10 18:13:20 +01:00			`//go:build pam`

			`package auth`

			`import (`
			`"fmt"`
			`"net/http"`

			`"github.com/msteinert/pam"`
Switch to a proper logging library Structured logs can be enabled with `-log.json`. 2022-12-01 11:00:42 +00:00			`"github.com/rs/zerolog/log"`
auth: add PAM support Handy for small local installations. Disabled by default because it adds a dependency on the PAM library. 2022-09-10 18:13:20 +01:00			`)`

			`type pamProvider struct{}`

			`func NewPAM() (AuthProvider, error) {`
			`return pamProvider{}, nil`
			`}`

			`func (pamProvider) Middleware() func(http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`pamAuth(next, w, r)`
			`})`
			`}`
			`}`

			`func pamAuth(next http.Handler, w http.ResponseWriter, r *http.Request) {`
			`user, pass, ok := r.BasicAuth()`
			`if !ok {`
			w.Header().Add("WWW-Authenticate", `Basic realm="Please provide your system credentials", charset="UTF-8"`)
			`http.Error(w, "HTTP Basic auth is required", http.StatusUnauthorized)`
			`return`
			`}`

			`t, err := pam.StartFunc("login", user, func(s pam.Style, msg string) (string, error) {`
Switch to a proper logging library Structured logs can be enabled with `-log.json`. 2022-12-01 11:00:42 +00:00			`log.Debug().Str("style", fmt.Sprintf("%v", s)).Msg(msg)`
auth: add PAM support Handy for small local installations. Disabled by default because it adds a dependency on the PAM library. 2022-09-10 18:13:20 +01:00			`switch s {`
			`case pam.PromptEchoOff:`
			`return pass, nil`
			`case pam.PromptEchoOn, pam.ErrorMsg, pam.TextInfo:`
			`return "", nil`
			`default:`
			`return "", fmt.Errorf("unsupported PAM conversation style: %v", s)`
			`}`
			`})`
			`if err != nil {`
Switch to a proper logging library Structured logs can be enabled with `-log.json`. 2022-12-01 11:00:42 +00:00			`log.Debug().Err(err).Msg("failed to start PAM conversation")`
auth: add PAM support Handy for small local installations. Disabled by default because it adds a dependency on the PAM library. 2022-09-10 18:13:20 +01:00			`http.Error(w, "Temporary authentication error, try again later", http.StatusServiceUnavailable)`
			`return`
			`}`

			`if err := t.Authenticate(0); err != nil {`
Switch to a proper logging library Structured logs can be enabled with `-log.json`. 2022-12-01 11:00:42 +00:00			`log.Debug().Err(err).Msg("auth error")`
auth: add PAM support Handy for small local installations. Disabled by default because it adds a dependency on the PAM library. 2022-09-10 18:13:20 +01:00			`http.Error(w, "Invalid username or password", http.StatusUnauthorized)`
			`return`
			`}`

			`if err := t.AcctMgmt(0); err != nil {`
Switch to a proper logging library Structured logs can be enabled with `-log.json`. 2022-12-01 11:00:42 +00:00			`log.Debug().Err(err).Msg("account unavailable")`
auth: add PAM support Handy for small local installations. Disabled by default because it adds a dependency on the PAM library. 2022-09-10 18:13:20 +01:00			`http.Error(w, "Account unavailable", http.StatusUnauthorized)`
			`return`
			`}`

			`user, err = t.GetItem(pam.User)`
			`if err != nil {`
Switch to a proper logging library Structured logs can be enabled with `-log.json`. 2022-12-01 11:00:42 +00:00			`log.Debug().Err(err).Msg("failed to get PAM username")`
auth: add PAM support Handy for small local installations. Disabled by default because it adds a dependency on the PAM library. 2022-09-10 18:13:20 +01:00			`http.Error(w, "Temporary authentication error, try again later", http.StatusServiceUnavailable)`
			`return`
			`}`

			`authCtx := AuthContext{`
			`AuthMethod: "pam",`
			`UserName: user,`
			`}`
			`ctx := NewContext(r.Context(), &authCtx)`
			`r = r.WithContext(ctx)`
			`next.ServeHTTP(w, r)`
			`}`