auth plugins

kvmd/apps/kvmd/__init__.py

@@ -22,6 +22,9 @@
 
 import asyncio
 
+from typing import List
+from typing import Optional
+
 from ...logging import get_logger
 
 from ... import gpio
@@ -39,13 +42,19 @@ from .server import Server
 
 
 # =====
-def main() -> None:
-    config = init("kvmd", description="The main Pi-KVM daemon")[2].kvmd
+def main(argv: Optional[List[str]]=None) -> None:
+    config = init("kvmd", description="The main Pi-KVM daemon", argv=argv)[2].kvmd
     with gpio.bcm():
         # pylint: disable=protected-access
         loop = asyncio.get_event_loop()
         Server(
-            auth_manager=AuthManager(**config.auth._unpack()),
+            auth_manager=AuthManager(
+                internal_users=config.auth.internal_users,
+                internal_type=config.auth.internal_type,
+                external_type=config.auth.external_type,
+                internal=config.auth.internal._unpack(),
+                external=(config.auth.external._unpack() if config.auth.external_type else {}),
+            ),
             info_manager=InfoManager(loop=loop, **config.info._unpack()),
             log_reader=LogReader(loop=loop),
 

kvmd/apps/kvmd/auth.py

@@ -22,33 +22,56 @@
 
 import secrets
 
+from typing import List
 from typing import Dict
 from typing import Optional
 
-import passlib.apache
-
 from ...logging import get_logger
 
+from ...plugins.auth import BaseAuthService
+from ...plugins.auth import get_auth_service_class
+
 
 # =====
 class AuthManager:
-    def __init__(self, auth_type: str, htpasswd: Dict) -> None:
-        self.__login = {
-            "htpasswd": lambda: _HtpasswdLogin(**htpasswd),
-        }[auth_type]().login
+    def __init__(
+        self,
+        internal_users: List[str],
+
+        internal_type: str,
+        external_type: str,
+
+        internal: Dict,
+        external: Dict,
+    ) -> None:
+
+        self.__internal_users = internal_users
+        self.__internal_service = get_auth_service_class(internal_type)(**internal)
+        get_logger().info("Using internal login service %r", self.__internal_service.PLUGIN_NAME)
+
+        self.__external_service: Optional[BaseAuthService] = None
+        if external_type:
+            self.__external_service = get_auth_service_class(external_type)(**external)
+            get_logger().info("Using external login service %r", self.__external_service.PLUGIN_NAME)
+
         self.__tokens: Dict[str, str] = {}  # {token: user}
 
-    def login(self, user: str, passwd: str) -> Optional[str]:
-        if self.__login(user, passwd):
+    async def login(self, user: str, passwd: str) -> Optional[str]:
+        if user not in self.__internal_users and self.__external_service:
+            service = self.__external_service
+        else:
+            service = self.__internal_service
+
+        if (await service.login(user, passwd)):
             for (token, token_user) in self.__tokens.items():
                 if user == token_user:
                     return token
             token = secrets.token_hex(32)
             self.__tokens[token] = user
-            get_logger().info("Logged in user %r", user)
+            get_logger().info("Logged in user %r via login service %r", user, service.PLUGIN_NAME)
             return token
         else:
-            get_logger().error("Access denied for user %r", user)
+            get_logger().error("Access denied for user %r from login service %r", user, service.PLUGIN_NAME)
             return None
 
     def logout(self, token: str) -> None:
@@ -59,12 +82,7 @@ class AuthManager:
     def check(self, token: str) -> Optional[str]:
         return self.__tokens.get(token)
 
-
-class _HtpasswdLogin:
-    def __init__(self, path: str) -> None:
-        get_logger().info("Using htpasswd auth file %r", path)
-        self.__path = path
-
-    def login(self, user: str, passwd: str) -> bool:
-        htpasswd = passlib.apache.HtpasswdFile(self.__path)
-        return htpasswd.check_password(user, passwd)
+    async def cleanup(self) -> None:
+        await self.__internal_service.cleanup()
+        if self.__external_service:
+            await self.__external_service.cleanup()

kvmd/apps/kvmd/server.py

@@ -311,7 +311,7 @@ class Server:  # pylint: disable=too-many-instance-attributes
     @_exposed("POST", "/auth/login", auth_required=False)
     async def __auth_login_handler(self, request: aiohttp.web.Request) -> aiohttp.web.Response:
         credentials = await request.post()
-        token = self._auth_manager.login(
+        token = await self._auth_manager.login(
             user=valid_user(credentials.get("user", "")),
             passwd=valid_passwd(credentials.get("passwd", "")),
         )
@@ -533,9 +533,18 @@ class Server:  # pylint: disable=too-many-instance-attributes
             await self.__remove_socket(ws)
 
     async def __on_cleanup(self, _: aiohttp.web.Application) -> None:
-        await self.__streamer.cleanup()
-        await self.__msd.cleanup()
-        await self.__hid.cleanup()
+        logger = get_logger(0)
+        for obj in [
+            self._auth_manager,
+            self.__streamer,
+            self.__msd,
+            self.__hid,
+        ]:
+            logger.info("Cleaning up %s ...", type(obj).__name__)
+            try:
+                await obj.cleanup()  # type: ignore
+            except Exception:
+                logger.exception("Cleanup error")
 
     async def __broadcast_event(self, event_type: _Events, event_attrs: Dict) -> None:
         if self.__sockets: