auth plugins

kvmd/plugins/__init__.py

@@ -0,0 +1,71 @@
+# ========================================================================== #
+#                                                                            #
+#    KVMD - The main Pi-KVM daemon.                                          #
+#                                                                            #
+#    Copyright (C) 2018  Maxim Devaev <mdevaev@gmail.com>                    #
+#                                                                            #
+#    This program is free software: you can redistribute it and/or modify    #
+#    it under the terms of the GNU General Public License as published by    #
+#    the Free Software Foundation, either version 3 of the License, or       #
+#    (at your option) any later version.                                     #
+#                                                                            #
+#    This program is distributed in the hope that it will be useful,         #
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
+#    GNU General Public License for more details.                            #
+#                                                                            #
+#    You should have received a copy of the GNU General Public License       #
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
+#                                                                            #
+# ========================================================================== #
+
+
+import importlib
+import functools
+import os
+
+from typing import Dict
+from typing import Type
+from typing import Any
+
+from ..yamlconf import Option
+
+
+# =====
+class UnknownPluginError(Exception):
+    pass
+
+
+# =====
+class BasePlugin:
+    PLUGIN_NAME: str = ""
+
+    def __init__(self, **_: Any) -> None:
+        pass
+
+    @classmethod
+    def get_options(cls) -> Dict[str, Option]:
+        return {}
+
+
+# =====
+def get_plugin_class(sub: str, name: str) -> Type[BasePlugin]:
+    classes = _get_plugin_classes(sub)
+    try:
+        return classes[name]
+    except KeyError:
+        raise UnknownPluginError("Unknown plugin '%s/%s'" % (sub, name))
+
+
+# =====
+@functools.lru_cache()
+def _get_plugin_classes(sub: str) -> Dict[str, Type[BasePlugin]]:
+    classes: Dict[str, Type[BasePlugin]] = {}  # noqa: E701
+    sub_path = os.path.join(os.path.dirname(__file__), sub)
+    for file_name in os.listdir(sub_path):
+        if not file_name.startswith("__") and file_name.endswith(".py"):
+            module_name = file_name[:-3]
+            module = importlib.import_module("kvmd.plugins.{}.{}".format(sub, module_name))
+            plugin_class = getattr(module, "Plugin")
+            classes[plugin_class.PLUGIN_NAME] = plugin_class
+    return classes

kvmd/plugins/auth/__init__.py

@@ -0,0 +1,40 @@
+# ========================================================================== #
+#                                                                            #
+#    KVMD - The main Pi-KVM daemon.                                          #
+#                                                                            #
+#    Copyright (C) 2018  Maxim Devaev <mdevaev@gmail.com>                    #
+#                                                                            #
+#    This program is free software: you can redistribute it and/or modify    #
+#    it under the terms of the GNU General Public License as published by    #
+#    the Free Software Foundation, either version 3 of the License, or       #
+#    (at your option) any later version.                                     #
+#                                                                            #
+#    This program is distributed in the hope that it will be useful,         #
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
+#    GNU General Public License for more details.                            #
+#                                                                            #
+#    You should have received a copy of the GNU General Public License       #
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
+#                                                                            #
+# ========================================================================== #
+
+
+from typing import Type
+
+from .. import BasePlugin
+from .. import get_plugin_class
+
+
+# =====
+class BaseAuthService(BasePlugin):
+    async def login(self, user: str, passwd: str) -> bool:
+        raise NotImplementedError
+
+    async def cleanup(self) -> None:
+        pass
+
+
+# =====
+def get_auth_service_class(name: str) -> Type[BaseAuthService]:
+    return get_plugin_class("auth", name)  # type: ignore

kvmd/plugins/auth/htpasswd.py

@@ -0,0 +1,49 @@
+# ========================================================================== #
+#                                                                            #
+#    KVMD - The main Pi-KVM daemon.                                          #
+#                                                                            #
+#    Copyright (C) 2018  Maxim Devaev <mdevaev@gmail.com>                    #
+#                                                                            #
+#    This program is free software: you can redistribute it and/or modify    #
+#    it under the terms of the GNU General Public License as published by    #
+#    the Free Software Foundation, either version 3 of the License, or       #
+#    (at your option) any later version.                                     #
+#                                                                            #
+#    This program is distributed in the hope that it will be useful,         #
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
+#    GNU General Public License for more details.                            #
+#                                                                            #
+#    You should have received a copy of the GNU General Public License       #
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
+#                                                                            #
+# ========================================================================== #
+
+
+from typing import Dict
+
+import passlib.apache
+
+from ...yamlconf import Option
+
+from ...validators.fs import valid_abs_path_exists
+
+from . import BaseAuthService
+
+
+# =====
+class Plugin(BaseAuthService):
+    PLUGIN_NAME = "htpasswd"
+
+    def __init__(self, path: str) -> None:  # pylint: disable=super-init-not-called
+        self.__path = path
+
+    @classmethod
+    def get_options(cls) -> Dict[str, Option]:
+        return {
+            "file": Option("/etc/kvmd/htpasswd", type=valid_abs_path_exists, unpack_as="path"),
+        }
+
+    async def login(self, user: str, passwd: str) -> bool:
+        htpasswd = passlib.apache.HtpasswdFile(self.__path)
+        return htpasswd.check_password(user, passwd)

kvmd/plugins/auth/http.py

@@ -0,0 +1,111 @@
+# ========================================================================== #
+#                                                                            #
+#    KVMD - The main Pi-KVM daemon.                                          #
+#                                                                            #
+#    Copyright (C) 2018  Maxim Devaev <mdevaev@gmail.com>                    #
+#                                                                            #
+#    This program is free software: you can redistribute it and/or modify    #
+#    it under the terms of the GNU General Public License as published by    #
+#    the Free Software Foundation, either version 3 of the License, or       #
+#    (at your option) any later version.                                     #
+#                                                                            #
+#    This program is distributed in the hope that it will be useful,         #
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of          #
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           #
+#    GNU General Public License for more details.                            #
+#                                                                            #
+#    You should have received a copy of the GNU General Public License       #
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.  #
+#                                                                            #
+# ========================================================================== #
+
+
+from typing import Dict
+from typing import Optional
+
+import aiohttp
+import aiohttp.web
+
+from ...yamlconf import Option
+
+from ...validators.basic import valid_bool
+from ...validators.basic import valid_float_f01
+
+from ...logging import get_logger
+
+from ... import __version__
+
+from . import BaseAuthService
+
+
+# =====
+class Plugin(BaseAuthService):
+    PLUGIN_NAME = "http"
+
+    def __init__(  # pylint: disable=super-init-not-called
+        self,
+        url: str,
+        verify: bool,
+        post: bool,
+        user: str,
+        passwd: str,
+        timeout: float,
+    ) -> None:
+
+        self.__url = url
+        self.__verify = verify
+        self.__post = post
+        self.__user = user
+        self.__passwd = passwd
+        self.__timeout = timeout
+
+        self.__http_session: Optional[aiohttp.ClientSession] = None
+
+    @classmethod
+    def get_options(cls) -> Dict[str, Option]:
+        return {
+            "url":     Option("http://localhost/auth_post"),
+            "verify":  Option(True, type=valid_bool),
+            "post":    Option(True, type=valid_bool),
+            "user":    Option(""),
+            "passwd":  Option(""),
+            "timeout": Option(5.0, type=valid_float_f01),
+        }
+
+    async def login(self, user: str, passwd: str) -> bool:
+        kwargs: Dict = {
+            "method": "GET",
+            "url": self.__url,
+            "timeout": self.__timeout,
+            "headers": {
+                "User-Agent": "KVMD/%s" % (__version__),
+                "X-KVMD-User": user,
+            },
+        }
+        if self.__post:
+            kwargs["method"] = "POST"
+            kwargs["json"] = {"user": user, "passwd": passwd}
+
+        session = self.__ensure_session()
+        try:
+            async with session.request(**kwargs) as response:
+                response.raise_for_status()
+            return True
+        except Exception:
+            get_logger().exception("Failed HTTP auth request for user %r", user)
+            return False
+
+    async def cleanup(self) -> None:
+        if self.__http_session:
+            await self.__http_session.close()
+            self.__http_session = None
+
+    def __ensure_session(self) -> aiohttp.ClientSession:
+        if not self.__http_session:
+            kwargs: Dict = {}
+            if self.__user:
+                kwargs["auth"] = aiohttp.BasicAuth(login=self.__user, password=self.__passwd)
+            if not self.__verify:
+                kwargs["connector"] = aiohttp.TCPConnector(ssl=False)
+            self.__http_session = aiohttp.ClientSession(**kwargs)
+        return self.__http_session