+ pam authentication for non-root use

rewrote check_credentials to be exception-based
will always pass base_dir to cherrypy.quickstart

Author: hexparrot

auth.py

@@ -17,19 +17,19 @@ def check_credentials(username, password):
     try:
         enc_pwd = getspnam(username)[1]
     except KeyError:
-        return "user '%s' not found" % username
+        raise OSError("user '%s' not found" % username)
     else:
-        if enc_pwd in ["NP", "!", "", None]:
-            return "user '%s' has no password set" % username
-        elif enc_pwd in ["LK", "*"]:
-            return 'account is locked'
+        if enc_pwd in ['NP', '!', '', None]:
+            raise OSError("user '%s' has no password set" % username)
+        elif enc_pwd in ['LK', '*']:
+            raise OSError('account is locked')
         elif enc_pwd == "!!":
-            return 'password is expired'
+            raise OSError('password is expired')
 
         if crypt(password, enc_pwd) == enc_pwd:
-            return None
+            return True
         else:
-            return "incorrect password"
+            raise OSError('incorrect password')
 
 def check_auth(*args, **kwargs):
     """A tool that looks in config for 'auth.require'. If found and it
@@ -111,26 +111,32 @@ def on_login(self, username):
     def on_logout(self, username):
         """Called on logout"""
 
-    def get_loginform(self, username, msg="Enter Username and Password", from_page="/"):
+    def get_loginform(self):
         import os
         from cgi import escape
         from cherrypy.lib.static import serve_file
 
         return serve_file(os.path.join(os.getcwd(),'login.html'))
 
     @cherrypy.expose
-    def login(self, username=None, password=None, from_page="/"):
-        if username is None or password is None:
-            return self.get_loginform("", from_page=from_page)
-        
-        error_msg = check_credentials(username, password)
-        if error_msg:
-            return self.get_loginform(username, error_msg, from_page)
-        else:
-            cherrypy.session.regenerate()
-            cherrypy.session[SESSION_KEY] = cherrypy.request.login = username
-            self.on_login(username)
-            raise cherrypy.HTTPRedirect("/")
+    def login(self, username=None, password=None, from_page='/'):
+        if not username or not password:
+            return self.get_loginform()
+
+        validated = False
+        try:      
+            validated = check_credentials(username, password)
+        except OSError:
+            import pam
+            validated = pam.authenticate(username, password)
+        finally:
+            if validated:
+                cherrypy.session.regenerate()
+                cherrypy.session[SESSION_KEY] = cherrypy.request.login = username
+                self.on_login(username)
+                raise cherrypy.HTTPRedirect("/")
+            else:
+                return self.get_loginform()
 
     @cherrypy.expose
     def logout(self):

pam.py

@@ -0,0 +1,129 @@
+# (c) 2007 Chris AtLee <chris@atlee.ca>
+# Licensed under the MIT license:
+# http://www.opensource.org/licenses/mit-license.php
+"""
+PAM module for python
+
+Provides an authenticate function that will allow the caller to authenticate
+a user against the Pluggable Authentication Modules (PAM) on the system.
+
+Implemented using ctypes, so no compilation is necessary.
+"""
+__all__ = ['authenticate']
+
+from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast, pointer, sizeof
+from ctypes import c_void_p, c_uint, c_char_p, c_char, c_int
+from ctypes.util import find_library
+
+LIBPAM = CDLL(find_library("pam"))
+LIBC = CDLL(find_library("c"))
+
+CALLOC = LIBC.calloc
+CALLOC.restype = c_void_p
+CALLOC.argtypes = [c_uint, c_uint]
+
+STRDUP = LIBC.strdup
+STRDUP.argstypes = [c_char_p]
+STRDUP.restype = POINTER(c_char) # NOT c_char_p !!!!
+
+# Various constants
+PAM_PROMPT_ECHO_OFF = 1
+PAM_PROMPT_ECHO_ON = 2
+PAM_ERROR_MSG = 3
+PAM_TEXT_INFO = 4
+
+class PamHandle(Structure):
+    """wrapper class for pam_handle_t"""
+    _fields_ = [
+            ("handle", c_void_p)
+            ]
+
+    def __init__(self):
+        Structure.__init__(self)
+        self.handle = 0
+
+class PamMessage(Structure):
+    """wrapper class for pam_message structure"""
+    _fields_ = [
+            ("msg_style", c_int),
+            ("msg", POINTER(c_char)),
+            ]
+
+    def __repr__(self):
+        return "<PamMessage %i '%s'>" % (self.msg_style, self.msg)
+
+class PamResponse(Structure):
+    """wrapper class for pam_response structure"""
+    _fields_ = [
+            ("resp", POINTER(c_char)),
+            ("resp_retcode", c_int),
+            ]
+
+    def __repr__(self):
+        return "<PamResponse %i '%s'>" % (self.resp_retcode, self.resp)
+
+CONV_FUNC = CFUNCTYPE(c_int,
+        c_int, POINTER(POINTER(PamMessage)),
+               POINTER(POINTER(PamResponse)), c_void_p)
+
+class PamConv(Structure):
+    """wrapper class for pam_conv structure"""
+    _fields_ = [
+            ("conv", CONV_FUNC),
+            ("appdata_ptr", c_void_p)
+            ]
+
+PAM_START = LIBPAM.pam_start
+PAM_START.restype = c_int
+PAM_START.argtypes = [c_char_p, c_char_p, POINTER(PamConv),
+        POINTER(PamHandle)]
+
+PAM_END = LIBPAM.pam_end
+PAM_END.restpe = c_int
+PAM_END.argtypes = [PamHandle, c_int]
+
+PAM_AUTHENTICATE = LIBPAM.pam_authenticate
+PAM_AUTHENTICATE.restype = c_int
+PAM_AUTHENTICATE.argtypes = [PamHandle, c_int]
+
+def authenticate(username, password, service='login'):
+    """Returns True if the given username and password authenticate for the
+    given service.  Returns False otherwise
+    
+    ``username``: the username to authenticate
+    
+    ``password``: the password in plain text
+    
+    ``service``: the PAM service to authenticate against.
+                 Defaults to 'login'"""
+    @CONV_FUNC
+    def my_conv(n_messages, messages, p_response, app_data):
+        """Simple conversation function that responds to any
+        prompt where the echo is off with the supplied password"""
+        # Create an array of n_messages response objects
+        addr = CALLOC(n_messages, sizeof(PamResponse))
+        p_response[0] = cast(addr, POINTER(PamResponse))
+        for i in range(n_messages):
+            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
+                pw_copy = STRDUP(str(password))
+                p_response.contents[i].resp = pw_copy
+                p_response.contents[i].resp_retcode = 0
+        return 0
+
+    handle = PamHandle()
+    conv = PamConv(my_conv, 0)
+    retval = PAM_START(service, username, pointer(conv), pointer(handle))
+
+    if retval != 0:
+        # TODO: This is not an authentication error, something
+        # has gone wrong starting up PAM
+        PAM_END(handle, retval)
+        return False
+
+    retval = PAM_AUTHENTICATE(handle, 0)
+    e = PAM_END(handle, retval)
+    return retval == 0 and e == 0
+
+if __name__ == "__main__":
+    import getpass
+    print authenticate(getpass.getuser(), getpass.getpass())

server.py

@@ -399,7 +399,7 @@ def to_jsonable_type(retval):
 if __name__ == "__main__":
     from argparse import ArgumentParser
 
-    parser = ArgumentParser(description='MineOS command line execution scripts',
+    parser = ArgumentParser(description='MineOS web user interface service',
                             version=__version__)
     parser.add_argument('-p',
                         dest='port',
@@ -445,7 +445,7 @@ def to_jsonable_type(retval):
             }
         }
 
-    if args.base_directory:
-         mc._make_skeleton(args.base_directory) 
+    base_dir = args.base_directory or mc.valid_user('will')[1]
+    mc._make_skeleton(base_dir) 
 
-    cherrypy.quickstart(mc_server(args.base_directory), config=conf)
+    cherrypy.quickstart(mc_server(base_dir), config=conf)