auth: add PAM support

Handy for small local installations. Disabled by default because it adds a dependency on the PAM library.
2025-12-12 14:17:21 +01:00 · 2022-09-10 17:13:20 +00:00 · 2022-09-10 17:13:20 +00:00 · 10587f425b
commit 10587f425b
parent 228384530e
6 changed files with 99 additions and 1 deletions
--- a/auth/pam.go
+++ b/auth/pam.go
@ -0,0 +1,79 @@
+//go:build pam
+
+package auth
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/msteinert/pam"
+
+	"git.sr.ht/~sircmpwn/tokidoki/debug"
+)
+
+type pamProvider struct{}
+
+func NewPAM() (AuthProvider, error) {
+	return pamProvider{}, nil
+}
+
+func (pamProvider) Middleware() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			pamAuth(next, w, r)
+		})
+	}
+}
+
+func pamAuth(next http.Handler, w http.ResponseWriter, r *http.Request) {
+	user, pass, ok := r.BasicAuth()
+	if !ok {
+		w.Header().Add("WWW-Authenticate", `Basic realm="Please provide your system credentials", charset="UTF-8"`)
+		http.Error(w, "HTTP Basic auth is required", http.StatusUnauthorized)
+		return
+	}
+
+	t, err := pam.StartFunc("login", user, func(s pam.Style, msg string) (string, error) {
+		debug.Printf("%v %v", s, msg)
+		switch s {
+		case pam.PromptEchoOff:
+			return pass, nil
+		case pam.PromptEchoOn, pam.ErrorMsg, pam.TextInfo:
+			return "", nil
+		default:
+			return "", fmt.Errorf("unsupported PAM conversation style: %v", s)
+		}
+	})
+	if err != nil {
+		debug.Printf("Failed to start PAM conversation: %v", err)
+		http.Error(w, "Temporary authentication error, try again later", http.StatusServiceUnavailable)
+		return
+	}
+
+	if err := t.Authenticate(0); err != nil {
+		debug.Printf("Auth error: %v", err)
+		http.Error(w, "Invalid username or password", http.StatusUnauthorized)
+		return
+	}
+
+	if err := t.AcctMgmt(0); err != nil {
+		debug.Printf("Account unavailable: %v", err)
+		http.Error(w, "Account unavailable", http.StatusUnauthorized)
+		return
+	}
+
+	user, err = t.GetItem(pam.User)
+	if err != nil {
+		debug.Printf("Failed to get PAM username: %v", err)
+		http.Error(w, "Temporary authentication error, try again later", http.StatusServiceUnavailable)
+		return
+	}
+
+	authCtx := AuthContext{
+		AuthMethod: "pam",
+		UserName:   user,
+	}
+	ctx := NewContext(r.Context(), &authCtx)
+	r = r.WithContext(ctx)
+	next.ServeHTTP(w, r)
+}
--- a/auth/pam_stub.go
+++ b/auth/pam_stub.go
@ -0,0 +1,11 @@
+//go:build !pam
+
+package auth
+
+import (
+	"errors"
+)
+
+func NewPAM() (AuthProvider, error) {
+	return nil, errors.New("PAM support is disabled")
+}
--- a/auth/url.go
+++ b/auth/url.go
@ -16,6 +16,8 @@ func NewFromURL(authURL string) (AuthProvider, error) {
 		return NewIMAP(u.Host, false), nil
 	case "imaps":
 		return NewIMAP(u.Host, true), nil
+	case "pam":
+		return NewPAM()
 	default:
 		return nil, fmt.Errorf("no auth provider found for %s:// URL", u.Scheme)
 	}