auth plugins

2026-01-31 10:01:53 +08:00 · 2019-04-09 07:13:13 +03:00
parent 0460c2e83b
commit a6028c46a4
16 changed files with 506 additions and 76 deletions
--- a/kvmd/apps/init.py
+++ b/kvmd/apps/init.py
@@ -35,6 +35,9 @@ import pygments
 import pygments.lexers.data
 import pygments.formatters

+from ..plugins import UnknownPluginError
+from ..plugins.auth import get_auth_service_class
+
 from ..yamlconf import ConfigError
 from ..yamlconf import make_config
 from ..yamlconf import Section
@@ -55,8 +58,6 @@ from ..validators.fs import valid_unix_mode
 from ..validators.net import valid_ip_or_host
 from ..validators.net import valid_port

-from ..validators.auth import valid_auth_type
-
 from ..validators.kvm import valid_stream_quality
 from ..validators.kvm import valid_stream_fps

@@ -84,29 +85,11 @@ def init(
    args_parser.add_argument("-m", "--dump-config", dest="dump_config", action="store_true",
                             help="View current configuration (include all overrides)")
    (options, remaining) = args_parser.parse_known_args(argv)
-    raw_config: Dict = {}
-
-    if options.config_path:
-        options.config_path = os.path.expanduser(options.config_path)
-        raw_config = load_yaml_file(options.config_path)
-
-    scheme = _get_config_scheme()
-    try:
-        _merge_dicts(raw_config, build_raw_from_options(options.set_options))
-        config = make_config(raw_config, scheme)
-    except ConfigError as err:
-        raise SystemExit("Config error: " + str(err))

+    config = _init_config(options.config_path, options.set_options)
    if options.dump_config:
-        dump = make_config_dump(config)
-        if sys.stdout.isatty():
-            dump = pygments.highlight(
-                dump,
-                pygments.lexers.data.YamlLexer(),
-                pygments.formatters.TerminalFormatter(bg="dark"),  # pylint: disable=no-member
-            )
-        print(dump)
-        sys.exit(0)
+        _dump_config(config)
+        raise SystemExit()

    logging.captureWarnings(True)
    logging.config.dictConfig(config.logging)
@@ -114,6 +97,35 @@ def init(


 # =====
+def _init_config(config_path: str, options: List[str]) -> Section:
+    config_path = os.path.expanduser(config_path)
+    raw_config: Dict = load_yaml_file(config_path)
+
+    scheme = _get_config_scheme()
+    try:
+        _merge_dicts(raw_config, build_raw_from_options(options))
+        config = make_config(raw_config, scheme)
+
+        scheme["kvmd"]["auth"]["internal"] = get_auth_service_class(config.kvmd.auth.internal_type).get_options()
+        if config.kvmd.auth.external_type:
+            scheme["kvmd"]["auth"]["external"] = get_auth_service_class(config.kvmd.auth.external_type).get_options()
+
+        return make_config(raw_config, scheme)
+    except (ConfigError, UnknownPluginError) as err:
+        raise SystemExit("Config error: %s" % (str(err)))
+
+
+def _dump_config(config: Section) -> None:
+    dump = make_config_dump(config)
+    if sys.stdout.isatty():
+        dump = pygments.highlight(
+            dump,
+            pygments.lexers.data.YamlLexer(),
+            pygments.formatters.TerminalFormatter(bg="dark"),  # pylint: disable=no-member
+        )
+    print(dump)
+
+
 def _merge_dicts(dest: Dict, src: Dict) -> None:
    for key in src:
        if key in dest:
@@ -138,10 +150,11 @@ def _get_config_scheme() -> Dict:
            },

            "auth": {
-                "type": Option("htpasswd", type=valid_auth_type, unpack_as="auth_type"),
-                "htpasswd": {
-                    "file": Option("/etc/kvmd/htpasswd", type=valid_abs_path_exists, unpack_as="path"),
-                },
+                "internal_users": Option([]),
+                "internal_type":  Option("htpasswd"),
+                "external_type":  Option(""),
+                # "internal": {},
+                # "external": {},
            },

            "info": {
--- a/kvmd/apps/htpasswd/init.py
+++ b/kvmd/apps/htpasswd/init.py
@@ -44,9 +44,9 @@ from .. import init

 # =====
 def _get_htpasswd_path(config: Section) -> str:
-    if config.kvmd.auth.type != "htpasswd":
-        print("Warning: KVMD does not use htpasswd auth", file=sys.stderr)
-    return config.kvmd.auth.htpasswd.file
+    if config.kvmd.auth.internal_type != "htpasswd":
+        raise SystemExit("Error: KVMD internal auth not using 'htpasswd' (now configured %r)" % (config.kvmd.auth.internal_type))
+    return config.kvmd.auth.internal.file


@contextlib.contextmanager
--- a/kvmd/apps/kvmd/init.py
+++ b/kvmd/apps/kvmd/init.py
@@ -22,6 +22,9 @@

 import asyncio

+from typing import List
+from typing import Optional
+
 from ...logging import get_logger

 from ... import gpio
@@ -39,13 +42,19 @@ from .server import Server


 # =====
-def main() -> None:
-    config = init("kvmd", description="The main Pi-KVM daemon")[2].kvmd
+def main(argv: Optional[List[str]]=None) -> None:
+    config = init("kvmd", description="The main Pi-KVM daemon", argv=argv)[2].kvmd
    with gpio.bcm():
        # pylint: disable=protected-access
        loop = asyncio.get_event_loop()
        Server(
-            auth_manager=AuthManager(**config.auth._unpack()),
+            auth_manager=AuthManager(
+                internal_users=config.auth.internal_users,
+                internal_type=config.auth.internal_type,
+                external_type=config.auth.external_type,
+                internal=config.auth.internal._unpack(),
+                external=(config.auth.external._unpack() if config.auth.external_type else {}),
+            ),
            info_manager=InfoManager(loop=loop, **config.info._unpack()),
            log_reader=LogReader(loop=loop),

--- a/kvmd/apps/kvmd/auth.py
+++ b/kvmd/apps/kvmd/auth.py
@@ -22,33 +22,56 @@

 import secrets

+from typing import List
 from typing import Dict
 from typing import Optional

-import passlib.apache
-
 from ...logging import get_logger

+from ...plugins.auth import BaseAuthService
+from ...plugins.auth import get_auth_service_class
+

 # =====
 class AuthManager:
-    def __init__(self, auth_type: str, htpasswd: Dict) -> None:
-        self.__login = {
-            "htpasswd": lambda: _HtpasswdLogin(**htpasswd),
-        }[auth_type]().login
+    def __init__(
+        self,
+        internal_users: List[str],
+
+        internal_type: str,
+        external_type: str,
+
+        internal: Dict,
+        external: Dict,
+    ) -> None:
+
+        self.__internal_users = internal_users
+        self.__internal_service = get_auth_service_class(internal_type)(**internal)
+        get_logger().info("Using internal login service %r", self.__internal_service.PLUGIN_NAME)
+
+        self.__external_service: Optional[BaseAuthService] = None
+        if external_type:
+            self.__external_service = get_auth_service_class(external_type)(**external)
+            get_logger().info("Using external login service %r", self.__external_service.PLUGIN_NAME)
+
        self.__tokens: Dict[str, str] = {}  # {token: user}

-    def login(self, user: str, passwd: str) -> Optional[str]:
-        if self.__login(user, passwd):
+    async def login(self, user: str, passwd: str) -> Optional[str]:
+        if user not in self.__internal_users and self.__external_service:
+            service = self.__external_service
+        else:
+            service = self.__internal_service
+
+        if (await service.login(user, passwd)):
            for (token, token_user) in self.__tokens.items():
                if user == token_user:
                    return token
            token = secrets.token_hex(32)
            self.__tokens[token] = user
-            get_logger().info("Logged in user %r", user)
+            get_logger().info("Logged in user %r via login service %r", user, service.PLUGIN_NAME)
            return token
        else:
-            get_logger().error("Access denied for user %r", user)
+            get_logger().error("Access denied for user %r from login service %r", user, service.PLUGIN_NAME)
            return None

    def logout(self, token: str) -> None:
@@ -59,12 +82,7 @@ class AuthManager:
    def check(self, token: str) -> Optional[str]:
        return self.__tokens.get(token)

-
-class _HtpasswdLogin:
-    def __init__(self, path: str) -> None:
-        get_logger().info("Using htpasswd auth file %r", path)
-        self.__path = path
-
-    def login(self, user: str, passwd: str) -> bool:
-        htpasswd = passlib.apache.HtpasswdFile(self.__path)
-        return htpasswd.check_password(user, passwd)
+    async def cleanup(self) -> None:
+        await self.__internal_service.cleanup()
+        if self.__external_service:
+            await self.__external_service.cleanup()
--- a/kvmd/apps/kvmd/server.py
+++ b/kvmd/apps/kvmd/server.py
@@ -311,7 +311,7 @@ class Server:  # pylint: disable=too-many-instance-attributes
    @_exposed("POST", "/auth/login", auth_required=False)
    async def __auth_login_handler(self, request: aiohttp.web.Request) -> aiohttp.web.Response:
        credentials = await request.post()
-        token = self._auth_manager.login(
+        token = await self._auth_manager.login(
            user=valid_user(credentials.get("user", "")),
            passwd=valid_passwd(credentials.get("passwd", "")),
        )
@@ -533,9 +533,18 @@ class Server:  # pylint: disable=too-many-instance-attributes
            await self.__remove_socket(ws)

    async def __on_cleanup(self, _: aiohttp.web.Application) -> None:
-        await self.__streamer.cleanup()
-        await self.__msd.cleanup()
-        await self.__hid.cleanup()
+        logger = get_logger(0)
+        for obj in [
+            self._auth_manager,
+            self.__streamer,
+            self.__msd,
+            self.__hid,
+        ]:
+            logger.info("Cleaning up %s ...", type(obj).__name__)
+            try:
+                await obj.cleanup()  # type: ignore
+            except Exception:
+                logger.exception("Cleanup error")

    async def __broadcast_event(self, event_type: _Events, event_attrs: Dict) -> None:
        if self.__sockets: