-
Notifications
You must be signed in to change notification settings - Fork 26
/
auth_linux.go
97 lines (86 loc) · 2.65 KB
/
auth_linux.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
// Copyright 2014 The Serviced Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package web
//#include <stdlib.h>
//#include <string.h>
//extern int isGroupMember(const char *username, const char *group);
import "C"
import (
"github.com/msteinert/pam"
"github.com/zenoss/glog"
"errors"
"fmt"
"os/user"
"unsafe"
)
// currently logged in user
var currentUser *user.User
func init() {
var err error
currentUser, err = user.Current()
if err != nil {
panic(fmt.Errorf("could not get current user: %s", err))
}
}
func isGroupMember(username, group string) bool {
var cuser = C.CString(username)
defer C.free(unsafe.Pointer(cuser))
var cgroup = C.CString(group)
defer C.free(unsafe.Pointer(cgroup))
result := C.isGroupMember(cuser, cgroup)
glog.V(2).Infof("C.isGroupMember(%s, %s) returned %d.\n", username, group, result)
return (result != 0)
}
func pamValidateLogin(creds *login, group string) bool {
return pamValidateLoginOnly(creds, group) && isGroupMember(creds.Username, group)
}
func makePamConvHandler(creds *login) func(pam.Style, string) (string, error) {
return func(s pam.Style, msg string) (string, error) {
switch s {
case pam.PromptEchoOff:
return creds.Password, nil
case pam.PromptEchoOn:
glog.V(1).Infof("PAM Prompt: %s\n", msg)
return creds.Username, nil
case pam.ErrorMsg:
glog.Errorf("PAM ERROR: %s\n", msg)
return "", nil
case pam.TextInfo:
glog.V(1).Infof("PAM MESSAGE: %s\n", msg)
return "", nil
}
return "", errors.New("Unrecognized message style")
}
}
func pamValidateLoginOnly(creds *login, group string) bool {
if len(creds.Username) == 0 {
glog.Errorf("Authentication failed: User not given")
return false
}
t, err := pam.StartFunc("sudo", creds.Username, makePamConvHandler(creds))
if err != nil {
glog.Errorf("Start: %s", err.Error())
return false
}
err = t.Authenticate(0)
if err != nil {
glog.Errorf("Authentication failed for user %s: Authenticate error: %s", creds.Username, err.Error())
return false
}
err = t.AcctMgmt(pam.Silent)
if err != nil {
glog.Errorf("Authentication failed for user %s: AcctMgmt error: %s", creds.Username, err.Error())
return false
}
return true
}