From 6adcd2884ee48ec0b1c8b7486e42b2eeffc48159 Mon Sep 17 00:00:00 2001 From: Aylur Date: Sun, 1 Sep 2024 03:19:31 +0200 Subject: move to monorepo --- .gitignore | 3 - LICENSE | 503 -------------------------------------- README.md | 66 ----- auth/.gitignore | 3 + auth/LICENSE | 503 ++++++++++++++++++++++++++++++++++++++ auth/README.md | 66 +++++ auth/examples/full_example.c | 66 +++++ auth/examples/full_example.js | 38 +++ auth/examples/meson.build | 18 ++ auth/examples/simple_example.c | 31 +++ auth/examples/simple_example.js | 9 + auth/flake.lock | 27 +++ auth/flake.nix | 42 ++++ auth/include/astal-auth.h | 32 +++ auth/include/meson.build | 4 + auth/meson.build | 33 +++ auth/meson_options.txt | 3 + auth/pam/astal-auth | 5 + auth/src/astal-auth.c | 153 ++++++++++++ auth/src/meson.build | 65 +++++ auth/src/pam.c | 524 ++++++++++++++++++++++++++++++++++++++++ auth/version | 1 + examples/full_example.c | 66 ----- examples/full_example.js | 38 --- examples/meson.build | 18 -- examples/simple_example.c | 31 --- examples/simple_example.js | 9 - flake.lock | 27 --- flake.nix | 42 ---- include/astal-auth.h | 32 --- include/meson.build | 4 - meson.build | 33 --- meson_options.txt | 3 - pam/astal-auth | 5 - src/astal-auth.c | 153 ------------ src/meson.build | 65 ----- src/pam.c | 524 ---------------------------------------- version | 1 - 38 files changed, 1623 insertions(+), 1623 deletions(-) delete mode 100644 .gitignore delete mode 100644 LICENSE delete mode 100644 README.md create mode 100644 auth/.gitignore create mode 100644 auth/LICENSE create mode 100644 auth/README.md create mode 100644 auth/examples/full_example.c create mode 100644 auth/examples/full_example.js create mode 100644 auth/examples/meson.build create mode 100644 auth/examples/simple_example.c create mode 100644 auth/examples/simple_example.js create mode 100644 auth/flake.lock create mode 100644 auth/flake.nix create mode 100644 auth/include/astal-auth.h create mode 100644 auth/include/meson.build create mode 100644 auth/meson.build create mode 100644 auth/meson_options.txt create mode 100644 auth/pam/astal-auth create mode 100644 auth/src/astal-auth.c create mode 100644 auth/src/meson.build create mode 100644 auth/src/pam.c create mode 100644 auth/version delete mode 100644 examples/full_example.c delete mode 100644 examples/full_example.js delete mode 100644 examples/meson.build delete mode 100644 examples/simple_example.c delete mode 100644 examples/simple_example.js delete mode 100644 flake.lock delete mode 100644 flake.nix delete mode 100644 include/astal-auth.h delete mode 100644 include/meson.build delete mode 100644 meson.build delete mode 100644 meson_options.txt delete mode 100644 pam/astal-auth delete mode 100644 src/astal-auth.c delete mode 100644 src/meson.build delete mode 100644 src/pam.c delete mode 100644 version diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 6bf41b5..0000000 --- a/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -build/ -result/ -.cache/ diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 67cd97b..0000000 --- a/LICENSE +++ /dev/null @@ -1,503 +0,0 @@ - GNU LESSER GENERAL PUBLIC LICENSE - Version 2.1, February 1999 - - Copyright (C) 1991, 1999 Free Software Foundation, Inc. - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - -[This is the first released version of the Lesser GPL. It also counts - as the successor of the GNU Library Public License, version 2, hence - the version number 2.1.] - - Preamble - - The licenses for most software are designed to take away your -freedom to share and change it. By contrast, the GNU General Public -Licenses are intended to guarantee your freedom to share and change -free software--to make sure the software is free for all its users. - - This license, the Lesser General Public License, applies to some -specially designated software packages--typically libraries--of the -Free Software Foundation and other authors who decide to use it. You -can use it too, but we suggest you first think carefully about whether -this license or the ordinary General Public License is the better -strategy to use in any particular case, based on the explanations below. - - When we speak of free software, we are referring to freedom of use, -not price. Our General Public Licenses are designed to make sure that -you have the freedom to distribute copies of free software (and charge -for this service if you wish); that you receive source code or can get -it if you want it; that you can change the software and use pieces of -it in new free programs; and that you are informed that you can do -these things. - - To protect your rights, we need to make restrictions that forbid -distributors to deny you these rights or to ask you to surrender these -rights. These restrictions translate to certain responsibilities for -you if you distribute copies of the library or if you modify it. - - For example, if you distribute copies of the library, whether gratis -or for a fee, you must give the recipients all the rights that we gave -you. You must make sure that they, too, receive or can get the source -code. If you link other code with the library, you must provide -complete object files to the recipients, so that they can relink them -with the library after making changes to the library and recompiling -it. And you must show them these terms so they know their rights. - - We protect your rights with a two-step method: (1) we copyright the -library, and (2) we offer you this license, which gives you legal -permission to copy, distribute and/or modify the library. - - To protect each distributor, we want to make it very clear that -there is no warranty for the free library. Also, if the library is -modified by someone else and passed on, the recipients should know -that what they have is not the original version, so that the original -author's reputation will not be affected by problems that might be -introduced by others. - - Finally, software patents pose a constant threat to the existence of -any free program. We wish to make sure that a company cannot -effectively restrict the users of a free program by obtaining a -restrictive license from a patent holder. Therefore, we insist that -any patent license obtained for a version of the library must be -consistent with the full freedom of use specified in this license. - - Most GNU software, including some libraries, is covered by the -ordinary GNU General Public License. This license, the GNU Lesser -General Public License, applies to certain designated libraries, and -is quite different from the ordinary General Public License. We use -this license for certain libraries in order to permit linking those -libraries into non-free programs. - - When a program is linked with a library, whether statically or using -a shared library, the combination of the two is legally speaking a -combined work, a derivative of the original library. The ordinary -General Public License therefore permits such linking only if the -entire combination fits its criteria of freedom. The Lesser General -Public License permits more lax criteria for linking other code with -the library. - - We call this license the "Lesser" General Public License because it -does Less to protect the user's freedom than the ordinary General -Public License. It also provides other free software developers Less -of an advantage over competing non-free programs. These disadvantages -are the reason we use the ordinary General Public License for many -libraries. However, the Lesser license provides advantages in certain -special circumstances. - - For example, on rare occasions, there may be a special need to -encourage the widest possible use of a certain library, so that it becomes -a de-facto standard. To achieve this, non-free programs must be -allowed to use the library. A more frequent case is that a free -library does the same job as widely used non-free libraries. In this -case, there is little to gain by limiting the free library to free -software only, so we use the Lesser General Public License. - - In other cases, permission to use a particular library in non-free -programs enables a greater number of people to use a large body of -free software. For example, permission to use the GNU C Library in -non-free programs enables many more people to use the whole GNU -operating system, as well as its variant, the GNU/Linux operating -system. - - Although the Lesser General Public License is Less protective of the -users' freedom, it does ensure that the user of a program that is -linked with the Library has the freedom and the wherewithal to run -that program using a modified version of the Library. - - The precise terms and conditions for copying, distribution and -modification follow. Pay close attention to the difference between a -"work based on the library" and a "work that uses the library". The -former contains code derived from the library, whereas the latter must -be combined with the library in order to run. - - GNU LESSER GENERAL PUBLIC LICENSE - TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION - - 0. This License Agreement applies to any software library or other -program which contains a notice placed by the copyright holder or -other authorized party saying it may be distributed under the terms of -this Lesser General Public License (also called "this License"). -Each licensee is addressed as "you". - - A "library" means a collection of software functions and/or data -prepared so as to be conveniently linked with application programs -(which use some of those functions and data) to form executables. - - The "Library", below, refers to any such software library or work -which has been distributed under these terms. A "work based on the -Library" means either the Library or any derivative work under -copyright law: that is to say, a work containing the Library or a -portion of it, either verbatim or with modifications and/or translated -straightforwardly into another language. (Hereinafter, translation is -included without limitation in the term "modification".) - - "Source code" for a work means the preferred form of the work for -making modifications to it. For a library, complete source code means -all the source code for all modules it contains, plus any associated -interface definition files, plus the scripts used to control compilation -and installation of the library. - - Activities other than copying, distribution and modification are not -covered by this License; they are outside its scope. The act of -running a program using the Library is not restricted, and output from -such a program is covered only if its contents constitute a work based -on the Library (independent of the use of the Library in a tool for -writing it). Whether that is true depends on what the Library does -and what the program that uses the Library does. - - 1. You may copy and distribute verbatim copies of the Library's -complete source code as you receive it, in any medium, provided that -you conspicuously and appropriately publish on each copy an -appropriate copyright notice and disclaimer of warranty; keep intact -all the notices that refer to this License and to the absence of any -warranty; and distribute a copy of this License along with the -Library. - - You may charge a fee for the physical act of transferring a copy, -and you may at your option offer warranty protection in exchange for a -fee. - - 2. You may modify your copy or copies of the Library or any portion -of it, thus forming a work based on the Library, and copy and -distribute such modifications or work under the terms of Section 1 -above, provided that you also meet all of these conditions: - - a) The modified work must itself be a software library. - - b) You must cause the files modified to carry prominent notices - stating that you changed the files and the date of any change. - - c) You must cause the whole of the work to be licensed at no - charge to all third parties under the terms of this License. - - d) If a facility in the modified Library refers to a function or a - table of data to be supplied by an application program that uses - the facility, other than as an argument passed when the facility - is invoked, then you must make a good faith effort to ensure that, - in the event an application does not supply such function or - table, the facility still operates, and performs whatever part of - its purpose remains meaningful. - - (For example, a function in a library to compute square roots has - a purpose that is entirely well-defined independent of the - application. Therefore, Subsection 2d requires that any - application-supplied function or table used by this function must - be optional: if the application does not supply it, the square - root function must still compute square roots.) - -These requirements apply to the modified work as a whole. If -identifiable sections of that work are not derived from the Library, -and can be reasonably considered independent and separate works in -themselves, then this License, and its terms, do not apply to those -sections when you distribute them as separate works. But when you -distribute the same sections as part of a whole which is a work based -on the Library, the distribution of the whole must be on the terms of -this License, whose permissions for other licensees extend to the -entire whole, and thus to each and every part regardless of who wrote -it. - -Thus, it is not the intent of this section to claim rights or contest -your rights to work written entirely by you; rather, the intent is to -exercise the right to control the distribution of derivative or -collective works based on the Library. - -In addition, mere aggregation of another work not based on the Library -with the Library (or with a work based on the Library) on a volume of -a storage or distribution medium does not bring the other work under -the scope of this License. - - 3. You may opt to apply the terms of the ordinary GNU General Public -License instead of this License to a given copy of the Library. To do -this, you must alter all the notices that refer to this License, so -that they refer to the ordinary GNU General Public License, version 2, -instead of to this License. (If a newer version than version 2 of the -ordinary GNU General Public License has appeared, then you can specify -that version instead if you wish.) Do not make any other change in -these notices. - - Once this change is made in a given copy, it is irreversible for -that copy, so the ordinary GNU General Public License applies to all -subsequent copies and derivative works made from that copy. - - This option is useful when you wish to copy part of the code of -the Library into a program that is not a library. - - 4. You may copy and distribute the Library (or a portion or -derivative of it, under Section 2) in object code or executable form -under the terms of Sections 1 and 2 above provided that you accompany -it with the complete corresponding machine-readable source code, which -must be distributed under the terms of Sections 1 and 2 above on a -medium customarily used for software interchange. - - If distribution of object code is made by offering access to copy -from a designated place, then offering equivalent access to copy the -source code from the same place satisfies the requirement to -distribute the source code, even though third parties are not -compelled to copy the source along with the object code. - - 5. A program that contains no derivative of any portion of the -Library, but is designed to work with the Library by being compiled or -linked with it, is called a "work that uses the Library". Such a -work, in isolation, is not a derivative work of the Library, and -therefore falls outside the scope of this License. - - However, linking a "work that uses the Library" with the Library -creates an executable that is a derivative of the Library (because it -contains portions of the Library), rather than a "work that uses the -library". The executable is therefore covered by this License. -Section 6 states terms for distribution of such executables. - - When a "work that uses the Library" uses material from a header file -that is part of the Library, the object code for the work may be a -derivative work of the Library even though the source code is not. -Whether this is true is especially significant if the work can be -linked without the Library, or if the work is itself a library. The -threshold for this to be true is not precisely defined by law. - - If such an object file uses only numerical parameters, data -structure layouts and accessors, and small macros and small inline -functions (ten lines or less in length), then the use of the object -file is unrestricted, regardless of whether it is legally a derivative -work. (Executables containing this object code plus portions of the -Library will still fall under Section 6.) - - Otherwise, if the work is a derivative of the Library, you may -distribute the object code for the work under the terms of Section 6. -Any executables containing that work also fall under Section 6, -whether or not they are linked directly with the Library itself. - - 6. As an exception to the Sections above, you may also combine or -link a "work that uses the Library" with the Library to produce a -work containing portions of the Library, and distribute that work -under terms of your choice, provided that the terms permit -modification of the work for the customer's own use and reverse -engineering for debugging such modifications. - - You must give prominent notice with each copy of the work that the -Library is used in it and that the Library and its use are covered by -this License. You must supply a copy of this License. If the work -during execution displays copyright notices, you must include the -copyright notice for the Library among them, as well as a reference -directing the user to the copy of this License. Also, you must do one -of these things: - - a) Accompany the work with the complete corresponding - machine-readable source code for the Library including whatever - changes were used in the work (which must be distributed under - Sections 1 and 2 above); and, if the work is an executable linked - with the Library, with the complete machine-readable "work that - uses the Library", as object code and/or source code, so that the - user can modify the Library and then relink to produce a modified - executable containing the modified Library. (It is understood - that the user who changes the contents of definitions files in the - Library will not necessarily be able to recompile the application - to use the modified definitions.) - - b) Use a suitable shared library mechanism for linking with the - Library. A suitable mechanism is one that (1) uses at run time a - copy of the library already present on the user's computer system, - rather than copying library functions into the executable, and (2) - will operate properly with a modified version of the library, if - the user installs one, as long as the modified version is - interface-compatible with the version that the work was made with. - - c) Accompany the work with a written offer, valid for at - least three years, to give the same user the materials - specified in Subsection 6a, above, for a charge no more - than the cost of performing this distribution. - - d) If distribution of the work is made by offering access to copy - from a designated place, offer equivalent access to copy the above - specified materials from the same place. - - e) Verify that the user has already received a copy of these - materials or that you have already sent this user a copy. - - For an executable, the required form of the "work that uses the -Library" must include any data and utility programs needed for -reproducing the executable from it. However, as a special exception, -the materials to be distributed need not include anything that is -normally distributed (in either source or binary form) with the major -components (compiler, kernel, and so on) of the operating system on -which the executable runs, unless that component itself accompanies -the executable. - - It may happen that this requirement contradicts the license -restrictions of other proprietary libraries that do not normally -accompany the operating system. Such a contradiction means you cannot -use both them and the Library together in an executable that you -distribute. - - 7. You may place library facilities that are a work based on the -Library side-by-side in a single library together with other library -facilities not covered by this License, and distribute such a combined -library, provided that the separate distribution of the work based on -the Library and of the other library facilities is otherwise -permitted, and provided that you do these two things: - - a) Accompany the combined library with a copy of the same work - based on the Library, uncombined with any other library - facilities. This must be distributed under the terms of the - Sections above. - - b) Give prominent notice with the combined library of the fact - that part of it is a work based on the Library, and explaining - where to find the accompanying uncombined form of the same work. - - 8. You may not copy, modify, sublicense, link with, or distribute -the Library except as expressly provided under this License. Any -attempt otherwise to copy, modify, sublicense, link with, or -distribute the Library is void, and will automatically terminate your -rights under this License. However, parties who have received copies, -or rights, from you under this License will not have their licenses -terminated so long as such parties remain in full compliance. - - 9. You are not required to accept this License, since you have not -signed it. However, nothing else grants you permission to modify or -distribute the Library or its derivative works. These actions are -prohibited by law if you do not accept this License. Therefore, by -modifying or distributing the Library (or any work based on the -Library), you indicate your acceptance of this License to do so, and -all its terms and conditions for copying, distributing or modifying -the Library or works based on it. - - 10. Each time you redistribute the Library (or any work based on the -Library), the recipient automatically receives a license from the -original licensor to copy, distribute, link with or modify the Library -subject to these terms and conditions. You may not impose any further -restrictions on the recipients' exercise of the rights granted herein. -You are not responsible for enforcing compliance by third parties with -this License. - - 11. If, as a consequence of a court judgment or allegation of patent -infringement or for any other reason (not limited to patent issues), -conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot -distribute so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you -may not distribute the Library at all. For example, if a patent -license would not permit royalty-free redistribution of the Library by -all those who receive copies directly or indirectly through you, then -the only way you could satisfy both it and this License would be to -refrain entirely from distribution of the Library. - -If any portion of this section is held invalid or unenforceable under any -particular circumstance, the balance of the section is intended to apply, -and the section as a whole is intended to apply in other circumstances. - -It is not the purpose of this section to induce you to infringe any -patents or other property right claims or to contest validity of any -such claims; this section has the sole purpose of protecting the -integrity of the free software distribution system which is -implemented by public license practices. Many people have made -generous contributions to the wide range of software distributed -through that system in reliance on consistent application of that -system; it is up to the author/donor to decide if he or she is willing -to distribute software through any other system and a licensee cannot -impose that choice. - -This section is intended to make thoroughly clear what is believed to -be a consequence of the rest of this License. - - 12. If the distribution and/or use of the Library is restricted in -certain countries either by patents or by copyrighted interfaces, the -original copyright holder who places the Library under this License may add -an explicit geographical distribution limitation excluding those countries, -so that distribution is permitted only in or among countries not thus -excluded. In such case, this License incorporates the limitation as if -written in the body of this License. - - 13. The Free Software Foundation may publish revised and/or new -versions of the Lesser General Public License from time to time. -Such new versions will be similar in spirit to the present version, -but may differ in detail to address new problems or concerns. - -Each version is given a distinguishing version number. If the Library -specifies a version number of this License which applies to it and -"any later version", you have the option of following the terms and -conditions either of that version or of any later version published by -the Free Software Foundation. If the Library does not specify a -license version number, you may choose any version ever published by -the Free Software Foundation. - - 14. If you wish to incorporate parts of the Library into other free -programs whose distribution conditions are incompatible with these, -write to the author to ask for permission. For software which is -copyrighted by the Free Software Foundation, write to the Free -Software Foundation; we sometimes make exceptions for this. Our -decision will be guided by the two goals of preserving the free status -of all derivatives of our free software and of promoting the sharing -and reuse of software generally. - - NO WARRANTY - - 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO -WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. -EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR -OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY -KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE -LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME -THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN -WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY -AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU -FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR -CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE -LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING -RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A -FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF -SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH -DAMAGES. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Libraries - - If you develop a new library, and you want it to be of the greatest -possible use to the public, we recommend making it free software that -everyone can redistribute and change. You can do so by permitting -redistribution under these terms (or, alternatively, under the terms of the -ordinary General Public License). - - To apply these terms, attach the following notices to the library. It is -safest to attach them to the start of each source file to most effectively -convey the exclusion of warranty; and each file should have at least the -"copyright" line and a pointer to where the full notice is found. - - - Copyright (C) - - This library is free software; you can redistribute it and/or - modify it under the terms of the GNU Lesser General Public - License as published by the Free Software Foundation; either - version 2.1 of the License, or (at your option) any later version. - - This library is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - Lesser General Public License for more details. - - You should have received a copy of the GNU Lesser General Public - License along with this library; if not, write to the Free Software - Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - -Also add information on how to contact you by electronic and paper mail. - -You should also get your employer (if you work as a programmer) or your -school, if any, to sign a "copyright disclaimer" for the library, if -necessary. Here is a sample; alter the names: - - Yoyodyne, Inc., hereby disclaims all copyright interest in the - library `Frob' (a library for tweaking knobs) written by James Random Hacker. - - , 1 April 1990 - Ty Coon, President of Vice - -That's all there is to it! - diff --git a/README.md b/README.md deleted file mode 100644 index f5d52a3..0000000 --- a/README.md +++ /dev/null @@ -1,66 +0,0 @@ -# libastal-auth -This library provides a way for authentication using pam for the libastal suite. - -## Build from source -### Dependencies - -- meson -- glib -- gobject-introspection -- pam -- vala (only required for the vapi option) - -### Meson options - -* `-Dintrospection` (default: `true`): build GObject Introspection data (needed for language bindings) -* `-Dvapi` (default: `true`): build VAPI data (required to make this lib usable in vala). Requires `-Dintrospection=true` -* `-Dexamples` (default: `false`): build examples - -```sh -# Clone the repository -git clone https://github.com/astal-sh/libastal-auth -cd libastal-auth - -# Setup and build -meson setup build -meson compile -C build - -# Install -meson install -C build -``` - -> [!NOTE] -> on NixOS you will have to add `security.pam.services.astal-auth = {}` in `configuration.nix` - -## Usage -This library can be used from any language supporting GObject Introspection. -Have a look at the [examples](examples) for how it can be used in C and gjs. - -The authentication is done asynchronously in its own thread, therefore the GLib mainloop is required to run. -This is already given in all gtk application, but has to be started manually in some cases like in the small examples in this repo. - -Until there are better docs, please refer to the [auth.h](include/auth.h) file for detailed usage. - -For simple authentication using only a password, using the `Pam.authenticate()` method is recommended. -Look at the simple examples for how to use it. - -There is also a way to get access to the pam conversation, to allow for a more complex authentication process, like using multiple factor authentication. -The full examples show how this can be achieved. -Generally it can be used like this: - -1. create the Pam object. -2. set username and service if so required. It has sane defaults, so in most cases you can skip this. -3. connect to the signals - - `auth-prompt-hidden`: is emitted when user input is required, and the input should be hidden (eg, passwords) - - `auth-prompt-visible`: is emitted when user input is required, and the input should be visible (eg, OTP) - - `auth-info`: an information message should be displayed (eg, tell the user to touch his security key) - - `auth-error`: an error message should be displayed - - `sucess`: emitted on successful authentication - - `fail`: emitted on failed authentication - - all signals except the `success` signal have a string containing the message as a parameter. - After an `auth-*` signal is emitted, it hs to be responded with exactly one `pam.supply_secret(secret)` call. The secret is a string containing the user input. For `auth-info` and `auth-error` it can be `NULL`. - Not connecting those signals, is equivalent to calling `pam.supply_secret(NULL)` immediately after the signal is emitted. -4. start authentication process using `Pam.start_authentication()`. This function will return whether the authentication was started or not. -5. it is possible to reuse the same Pam object for multiple sequential authentication attempts. Just call `pam.start_authentication()` again after the `success` or `fail` signal was emitted. - diff --git a/auth/.gitignore b/auth/.gitignore new file mode 100644 index 0000000..6bf41b5 --- /dev/null +++ b/auth/.gitignore @@ -0,0 +1,3 @@ +build/ +result/ +.cache/ diff --git a/auth/LICENSE b/auth/LICENSE new file mode 100644 index 0000000..67cd97b --- /dev/null +++ b/auth/LICENSE @@ -0,0 +1,503 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +[This is the first released version of the Lesser GPL. It also counts + as the successor of the GNU Library Public License, version 2, hence + the version number 2.1.] + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. + + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. + + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it becomes +a de-facto standard. To achieve this, non-free programs must be +allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. + + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control compilation +and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. + + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. + + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. +Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at + least three years, to give the same user the materials + specified in Subsection 6a, above, for a charge no more + than the cost of performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply, +and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License may add +an explicit geographical distribution limitation excluding those countries, +so that distribution is permitted only in or among countries not thus +excluded. In such case, this License incorporates the limitation as if +written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms of the +ordinary General Public License). + + To apply these terms, attach the following notices to the library. It is +safest to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the library, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James Random Hacker. + + , 1 April 1990 + Ty Coon, President of Vice + +That's all there is to it! + diff --git a/auth/README.md b/auth/README.md new file mode 100644 index 0000000..f5d52a3 --- /dev/null +++ b/auth/README.md @@ -0,0 +1,66 @@ +# libastal-auth +This library provides a way for authentication using pam for the libastal suite. + +## Build from source +### Dependencies + +- meson +- glib +- gobject-introspection +- pam +- vala (only required for the vapi option) + +### Meson options + +* `-Dintrospection` (default: `true`): build GObject Introspection data (needed for language bindings) +* `-Dvapi` (default: `true`): build VAPI data (required to make this lib usable in vala). Requires `-Dintrospection=true` +* `-Dexamples` (default: `false`): build examples + +```sh +# Clone the repository +git clone https://github.com/astal-sh/libastal-auth +cd libastal-auth + +# Setup and build +meson setup build +meson compile -C build + +# Install +meson install -C build +``` + +> [!NOTE] +> on NixOS you will have to add `security.pam.services.astal-auth = {}` in `configuration.nix` + +## Usage +This library can be used from any language supporting GObject Introspection. +Have a look at the [examples](examples) for how it can be used in C and gjs. + +The authentication is done asynchronously in its own thread, therefore the GLib mainloop is required to run. +This is already given in all gtk application, but has to be started manually in some cases like in the small examples in this repo. + +Until there are better docs, please refer to the [auth.h](include/auth.h) file for detailed usage. + +For simple authentication using only a password, using the `Pam.authenticate()` method is recommended. +Look at the simple examples for how to use it. + +There is also a way to get access to the pam conversation, to allow for a more complex authentication process, like using multiple factor authentication. +The full examples show how this can be achieved. +Generally it can be used like this: + +1. create the Pam object. +2. set username and service if so required. It has sane defaults, so in most cases you can skip this. +3. connect to the signals + - `auth-prompt-hidden`: is emitted when user input is required, and the input should be hidden (eg, passwords) + - `auth-prompt-visible`: is emitted when user input is required, and the input should be visible (eg, OTP) + - `auth-info`: an information message should be displayed (eg, tell the user to touch his security key) + - `auth-error`: an error message should be displayed + - `sucess`: emitted on successful authentication + - `fail`: emitted on failed authentication + + all signals except the `success` signal have a string containing the message as a parameter. + After an `auth-*` signal is emitted, it hs to be responded with exactly one `pam.supply_secret(secret)` call. The secret is a string containing the user input. For `auth-info` and `auth-error` it can be `NULL`. + Not connecting those signals, is equivalent to calling `pam.supply_secret(NULL)` immediately after the signal is emitted. +4. start authentication process using `Pam.start_authentication()`. This function will return whether the authentication was started or not. +5. it is possible to reuse the same Pam object for multiple sequential authentication attempts. Just call `pam.start_authentication()` again after the `success` or `fail` signal was emitted. + diff --git a/auth/examples/full_example.c b/auth/examples/full_example.c new file mode 100644 index 0000000..a20c02b --- /dev/null +++ b/auth/examples/full_example.c @@ -0,0 +1,66 @@ +#include + +#include "astal-auth.h" + +GMainLoop *loop; + +static void authenticate(AstalAuthPam *pam) { + if (!astal_auth_pam_start_authenticate(pam)) { + g_print("could not start authentication process\n"); + g_object_unref(pam); + g_main_loop_quit(loop); + } +} + +static void on_visible(AstalAuthPam *pam, const gchar *data) { + gchar passbuf[1024]; + readpassphrase(data, passbuf, sizeof(passbuf), RPP_ECHO_ON); + astal_auth_pam_supply_secret(pam, passbuf); +} + +static void on_hidden(AstalAuthPam *pam, const gchar *data) { + gchar passbuf[1024]; + readpassphrase(data, passbuf, sizeof(passbuf), RPP_ECHO_OFF); + astal_auth_pam_supply_secret(pam, passbuf); +} + +static void on_info(AstalAuthPam *pam, const gchar *data) { + g_print("info: %s\n", data); + astal_auth_pam_supply_secret(pam, NULL); +} + +static void on_error(AstalAuthPam *pam, const gchar *data) { + g_print("error: %s\n", data); + astal_auth_pam_supply_secret(pam, NULL); +} + +static void on_success(AstalAuthPam *pam) { + g_print("success\n"); + g_object_unref(pam); + g_main_loop_quit(loop); +} + +static void on_fail(AstalAuthPam *pam, const gchar *data) { + g_print("fail: %s\n", data); + authenticate(pam); +} + +int main(void) { + GMainContext *loopctx = NULL; + + loop = g_main_loop_new(loopctx, FALSE); + + AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL); + + g_signal_connect(pam, "auth-prompt-visible", G_CALLBACK(on_visible), NULL); + g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(on_hidden), NULL); + g_signal_connect(pam, "auth-info", G_CALLBACK(on_info), NULL); + g_signal_connect(pam, "auth-error", G_CALLBACK(on_error), NULL); + + g_signal_connect(pam, "success", G_CALLBACK(on_success), NULL); + g_signal_connect(pam, "fail", G_CALLBACK(on_fail), NULL); + + authenticate(pam); + + g_main_loop_run(loop); +} diff --git a/auth/examples/full_example.js b/auth/examples/full_example.js new file mode 100644 index 0000000..7359784 --- /dev/null +++ b/auth/examples/full_example.js @@ -0,0 +1,38 @@ +#!/usr/bin/env -S gjs -m + +import Auth from "gi://AstalAuth"; +import GLib from "gi://GLib"; + +const loop = GLib.MainLoop.new(null, false); + +const pam = new Auth.Pam(); +pam.connect("auth-prompt-visible", (p, msg) => { + print(msg); + p.supply_secret(""); +}); +pam.connect("auth-prompt-hidden", (p, msg) => { + print(msg); + p.supply_secret("password"); +}); +pam.connect("auth-info", (p, msg) => { + print(msg); + p.supply_secret(""); +}); +pam.connect("auth-error", (p, msg) => { + print(msg); + p.supply_secret(""); +}); + +pam.connect("success", p => { + print("authentication sucessful"); + loop.quit(); +}); +pam.connect("fail", (p, msg) => { + print(msg); + loop.quit(); +}); + +pam.start_authenticate(); + +loop.runAsync() + diff --git a/auth/examples/meson.build b/auth/examples/meson.build new file mode 100644 index 0000000..cf23d3f --- /dev/null +++ b/auth/examples/meson.build @@ -0,0 +1,18 @@ + +deps_example = [ + dependency('gobject-2.0'), + dependency('libbsd'), + libastal_auth +] + +astal_auth_full_exmple = executable( + 'astal_auth_full_example', + files('full_example.c'), + dependencies : deps_example, + install : false) + +astal_auth_simple_example = executable( + 'astal_auth_simple_example', + files('simple_example.c'), + dependencies : deps_example, + install : false) diff --git a/auth/examples/simple_example.c b/auth/examples/simple_example.c new file mode 100644 index 0000000..d00bad2 --- /dev/null +++ b/auth/examples/simple_example.c @@ -0,0 +1,31 @@ +#include + +#include "astal-auth.h" + +GMainLoop *loop; + +void ready_callback(AstalAuthPam *pam, GAsyncResult *res, gpointer user_data) { + GError *error = NULL; + astal_auth_pam_authenticate_finish(res, &error); + if (error == NULL) { + g_print("success\n"); + } else { + g_print("failure: %s\n", error->message); + g_error_free(error); + } + + g_main_loop_quit(loop); +} + +int main(void) { + GMainContext *loopctx = NULL; + loop = g_main_loop_new(loopctx, FALSE); + + gchar *passbuf = calloc(1024, sizeof(gchar)); + readpassphrase("Password: ", passbuf, 1024, RPP_ECHO_OFF); + astal_auth_pam_authenticate(passbuf, (GAsyncReadyCallback)ready_callback, NULL); + g_free(passbuf); + + g_main_loop_run(loop); + exit(EXIT_SUCCESS); +} diff --git a/auth/examples/simple_example.js b/auth/examples/simple_example.js new file mode 100644 index 0000000..2bf38c1 --- /dev/null +++ b/auth/examples/simple_example.js @@ -0,0 +1,9 @@ +#!/usr/bin/env -S gjs -m +import Auth from "gi://AstalAuth"; +import Gio from "gi://Gio"; + +Gio._promisify(Auth.Pam, "authenticate"); + +await Auth.Pam.authenticate("password") + .then(_ => print("authentication sucessful")) + .catch(logError); \ No newline at end of file diff --git a/auth/flake.lock b/auth/flake.lock new file mode 100644 index 0000000..13f566b --- /dev/null +++ b/auth/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1716137900, + "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/auth/flake.nix b/auth/flake.nix new file mode 100644 index 0000000..39b0289 --- /dev/null +++ b/auth/flake.nix @@ -0,0 +1,42 @@ +{ + description = "Authentication library and cli tool"; + + inputs.nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + + outputs = { self, nixpkgs }: + let + version = builtins.replaceStrings ["\n"] [""] (builtins.readFile ./version); + system = "x86_64-linux"; + pkgs = import nixpkgs { inherit system; }; + + nativeBuildInputs = with pkgs; [ + gobject-introspection + meson + pkg-config + ninja + vala + ]; + + buildInputs = with pkgs; [ + glib + pam + ]; + in { + packages.${system} = rec { + default = auth; + auth = pkgs.stdenv.mkDerivation { + inherit nativeBuildInputs buildInputs; + pname = "astal-auth"; + version = version; + src = ./.; + outputs = ["out" "dev"]; + }; + }; + + devShells.${system} = { + default = pkgs.mkShell { + inherit nativeBuildInputs buildInputs; + }; + }; + }; +} diff --git a/auth/include/astal-auth.h b/auth/include/astal-auth.h new file mode 100644 index 0000000..a3073ff --- /dev/null +++ b/auth/include/astal-auth.h @@ -0,0 +1,32 @@ +#ifndef ASTAL_AUTH_PAM_H +#define ASTAL_AUTH_PAM_H + +#include +#include + +G_BEGIN_DECLS + +#define ASTAL_AUTH_TYPE_PAM (astal_auth_pam_get_type()) + +G_DECLARE_FINAL_TYPE(AstalAuthPam, astal_auth_pam, ASTAL_AUTH, PAM, GObject) + +void astal_auth_pam_set_username(AstalAuthPam *self, const gchar *username); + +const gchar *astal_auth_pam_get_username(AstalAuthPam *self); + +void astal_auth_pam_set_service(AstalAuthPam *self, const gchar *service); + +const gchar *astal_auth_pam_get_service(AstalAuthPam *self); + +gboolean astal_auth_pam_start_authenticate(AstalAuthPam *self); + +void astal_auth_pam_supply_secret(AstalAuthPam *self, const gchar *secret); + +gboolean astal_auth_pam_authenticate(const gchar *password, GAsyncReadyCallback result_callback, + gpointer user_data); + +gssize astal_auth_pam_authenticate_finish(GAsyncResult *res, GError **error); + +G_END_DECLS + +#endif // !ASTAL_AUTH_PAM_H diff --git a/auth/include/meson.build b/auth/include/meson.build new file mode 100644 index 0000000..0575998 --- /dev/null +++ b/auth/include/meson.build @@ -0,0 +1,4 @@ +astal_auth_inc = include_directories('.') +astal_auth_headers = files('astal-auth.h') + +install_headers('astal-auth.h') diff --git a/auth/meson.build b/auth/meson.build new file mode 100644 index 0000000..e9facb1 --- /dev/null +++ b/auth/meson.build @@ -0,0 +1,33 @@ +project('astal_auth', + 'c', + version : run_command('cat', join_paths(meson.project_source_root(), 'version')).stdout().strip(), + default_options : [ + 'c_std=gnu11', + 'warning_level=3', + 'prefix=/usr' + ] +) + +add_project_arguments( + ['-Wno-pedantic'], + language : 'c') + +version_split = meson.project_version().split('.') +lib_so_version = version_split[0] + '.' + version_split[1] + +pkg_config = import('pkgconfig') +gnome = import('gnome') + +subdir('include') +subdir('src') + + +if get_option('examples') + subdir('examples') +endif + + +install_data( + 'pam/astal-auth', + install_dir : get_option('sysconfdir') / 'pam.d' +) diff --git a/auth/meson_options.txt b/auth/meson_options.txt new file mode 100644 index 0000000..e28447e --- /dev/null +++ b/auth/meson_options.txt @@ -0,0 +1,3 @@ +option('examples', type : 'boolean', value : false, description : 'Build example applications') +option('introspection', type : 'boolean', value : true, description : 'Build gobject-introspection data') +option('vapi', type : 'boolean', value : true, description : 'Generate vapi data (needs vapigen & introspection option)') diff --git a/auth/pam/astal-auth b/auth/pam/astal-auth new file mode 100644 index 0000000..41f79d7 --- /dev/null +++ b/auth/pam/astal-auth @@ -0,0 +1,5 @@ +# PAM configuration file for the astal-auth library. +# By default, it only includes the 'login' +# configuration file (see /etc/pam.d/login) + +auth include login diff --git a/auth/src/astal-auth.c b/auth/src/astal-auth.c new file mode 100644 index 0000000..1ac2bd7 --- /dev/null +++ b/auth/src/astal-auth.c @@ -0,0 +1,153 @@ +#include "astal-auth.h" + +#include +#include +#include + +GMainLoop *loop; + +static void cleanup_and_quit(AstalAuthPam *pam, int status) { + g_object_unref(pam); + g_main_loop_quit(loop); + exit(status); +} + +static char *read_secret(const char *msg, gboolean echo) { + struct termios oldt, newt; + char *password = NULL; + size_t size = 0; + ssize_t len; + + if (tcgetattr(STDIN_FILENO, &oldt) != 0) { + return NULL; + } + newt = oldt; + if (echo) { + newt.c_lflag |= ECHO; + } else { + newt.c_lflag &= ~(ECHO); + } + if (tcsetattr(STDIN_FILENO, TCSANOW, &newt) != 0) { + return NULL; + } + g_print("%s", msg); + if ((len = getline(&password, &size, stdin)) == -1) { + g_free(password); + return NULL; + } + + if (password[len - 1] == '\n') { + password[len - 1] = '\0'; + } + + printf("\n"); + + if (tcsetattr(STDIN_FILENO, TCSANOW, &oldt) != 0) { + return NULL; + } + + return password; +} + +static void authenticate(AstalAuthPam *pam) { + static int attempts = 0; + if (attempts >= 3) { + g_print("%d failed attempts.\n", attempts); + cleanup_and_quit(pam, EXIT_FAILURE); + } + if (!astal_auth_pam_start_authenticate(pam)) { + g_print("could not start authentication process\n"); + cleanup_and_quit(pam, EXIT_FAILURE); + } + attempts++; +} + +static void on_visible(AstalAuthPam *pam, const gchar *data) { + char *secret = read_secret(data, TRUE); + if (secret == NULL) cleanup_and_quit(pam, EXIT_FAILURE); + astal_auth_pam_supply_secret(pam, secret); + g_free(secret); +} + +static void on_hidden(AstalAuthPam *pam, const gchar *data, gchar *secret) { + if (!secret) secret = read_secret(data, FALSE); + if (secret == NULL) cleanup_and_quit(pam, EXIT_FAILURE); + astal_auth_pam_supply_secret(pam, secret); + g_free(secret); +} + +static void on_info(AstalAuthPam *pam, const gchar *data) { + g_print("info: %s\n", data); + astal_auth_pam_supply_secret(pam, NULL); +} + +static void on_error(AstalAuthPam *pam, const gchar *data) { + g_print("error: %s\n", data); + astal_auth_pam_supply_secret(pam, NULL); +} + +static void on_success(AstalAuthPam *pam) { + g_print("Authentication successful\n"); + cleanup_and_quit(pam, EXIT_SUCCESS); +} + +static void on_fail(AstalAuthPam *pam, const gchar *data, gboolean retry) { + g_print("%s\n", data); + if (retry) + authenticate(pam); + else + cleanup_and_quit(pam, EXIT_FAILURE); +} + +int main(int argc, char **argv) { + char *password = NULL; + char *username = NULL; + char *service = NULL; + + int opt; + const char *optstring = "p:u:s:"; + + static struct option long_options[] = {{"password", required_argument, NULL, 'p'}, + {"username", required_argument, NULL, 'u'}, + {"service", required_argument, NULL, 's'}, + {NULL, 0, NULL, 0}}; + + while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) { + switch (opt) { + case 'p': + password = optarg; + break; + case 'u': + username = optarg; + break; + case 's': + service = optarg; + break; + default: + g_print("Usage: %s [-p password] [-u username] [-s service]\n", argv[0]); + exit(EXIT_FAILURE); + } + } + + loop = g_main_loop_new(NULL, FALSE); + + AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL); + + if (username) astal_auth_pam_set_username(pam, username); + if (service) astal_auth_pam_set_service(pam, service); + if (password) { + g_signal_connect(pam, "fail", G_CALLBACK(on_fail), (void *)FALSE); + } else { + g_signal_connect(pam, "auth-prompt-visible", G_CALLBACK(on_visible), NULL); + g_signal_connect(pam, "auth-info", G_CALLBACK(on_info), NULL); + g_signal_connect(pam, "auth-error", G_CALLBACK(on_error), NULL); + g_signal_connect(pam, "fail", G_CALLBACK(on_fail), (void *)TRUE); + } + + g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(on_hidden), g_strdup(password)); + g_signal_connect(pam, "success", G_CALLBACK(on_success), NULL); + + authenticate(pam); + + g_main_loop_run(loop); +} diff --git a/auth/src/meson.build b/auth/src/meson.build new file mode 100644 index 0000000..6a34ae0 --- /dev/null +++ b/auth/src/meson.build @@ -0,0 +1,65 @@ +srcs = files( + 'pam.c', +) + +deps = [ + dependency('gobject-2.0'), + dependency('gio-2.0'), + dependency('pam') +] + +astal_auth_lib = library( + 'astal-auth', + sources : srcs, + include_directories : astal_auth_inc, + dependencies : deps, + version : meson.project_version(), + install : true +) + +libastal_auth = declare_dependency( + link_with : astal_auth_lib, + include_directories : astal_auth_inc) + +astal_auth_executable = executable( + 'astal-auth', + files('astal-auth.c'), + dependencies : [ + dependency('gobject-2.0'), + libastal_auth + ], + install : true) + +pkg_config_name = 'astal-auth-' + lib_so_version + +if get_option('introspection') + gir = gnome.generate_gir( + astal_auth_lib, + sources : srcs + astal_auth_headers, + nsversion : '0.1', + namespace : 'AstalAuth', + symbol_prefix : 'astal_auth', + identifier_prefix : 'AstalAuth', + includes : ['GObject-2.0', 'Gio-2.0'], + header : 'astal-auth.h', + export_packages : pkg_config_name, + install : true + ) + + if get_option('vapi') + gnome.generate_vapi( + pkg_config_name, + sources : [gir[0]], + packages : ['gobject-2.0', 'gio-2.0'], + install : true) + endif +endif + +pkg_config.generate( + name : 'astal-auth', + version : meson.project_version(), + libraries : [astal_auth_lib], + filebase : pkg_config_name, + subdirs : 'astal', + description : 'astal authentication module', + url : 'https://github.com/astal-sh/auth') diff --git a/auth/src/pam.c b/auth/src/pam.c new file mode 100644 index 0000000..d0afec4 --- /dev/null +++ b/auth/src/pam.c @@ -0,0 +1,524 @@ +#include +#include +#include + +#include "astal-auth.h" + +struct _AstalAuthPam { + GObject parent_instance; + + gchar *username; + gchar *service; +}; + +typedef struct { + GTask *task; + GMainContext *context; + GMutex data_mutex; + GCond data_cond; + + gchar *secret; + gboolean secret_set; +} AstalAuthPamPrivate; + +typedef struct { + AstalAuthPam *pam; + guint signal_id; + gchar *msg; +} AstalAuthPamSignalEmitData; + +static void astal_auth_pam_signal_emit_data_free(AstalAuthPamSignalEmitData *data) { + g_free(data->msg); + g_free(data); +} + +typedef enum { + ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE, + ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN, + ASTAL_AUTH_PAM_SIGNAL_INFO, + ASTAL_AUTH_PAM_SIGNAL_ERROR, + ASTAL_AUTH_PAM_SIGNAL_SUCCESS, + ASTAL_AUTH_PAM_SIGNAL_FAIL, + ASTAL_AUTH_PAM_N_SIGNALS +} AstalAuthPamSignals; + +typedef enum { + ASTAL_AUTH_PAM_PROP_USERNAME = 1, + ASTAL_AUTH_PAM_PROP_SERVICE, + ASTAL_AUTH_PAM_N_PROPERTIES +} AstalAuthPamProperties; + +static guint astal_auth_pam_signals[ASTAL_AUTH_PAM_N_SIGNALS] = { + 0, +}; +static GParamSpec *astal_auth_pam_properties[ASTAL_AUTH_PAM_N_PROPERTIES] = { + NULL, +}; + +G_DEFINE_TYPE_WITH_PRIVATE(AstalAuthPam, astal_auth_pam, G_TYPE_OBJECT); + +/** + * + * AstalAuthPam + * + * For simple authentication using only a password, using the [func@AstalAuth.Pam.authenticate] + * method is recommended. Look at the simple examples for how to use it. + * + * There is also a way to get access to the pam conversation, to allow for a more complex + * authentication process, like using multiple factor authentication. Generally it can be used like + * this: + * + * 1. create the Pam object. + * 2. set username and service if so required. It has sane defaults, so in most cases you can skip + * this. + * 3. connect to the signals. + * After an `auth-*` signal is emitted, it has to be responded with exactly one + * [method@AstalAuth.Pam.supply_secret] call. The secret is a string containing the user input. For + * [auth-info][signal@AstalAuth.Pam::auth-info:] and [auth-error][signal@AstalAuth.Pam::auth-error:] + * it should be `NULL`. Not connecting those signals, is equivalent to calling + * [method@AstalAuth.Pam.supply_secret] with `NULL` immediately after the signal is emitted. + * 4. start authentication process using [method@AstalAuth.Pam.start_authenticate]. + * 5. it is possible to reuse the same Pam object for multiple sequential authentication attempts. + * Just call [method@AstalAuth.Pam.start_authenticate] again after the `success` or `fail` signal + * was emitted. + * + */ + +/** + * astal_auth_pam_set_username + * @self: a AstalAuthPam object + * @username: the new username + * + * Sets the username to be used for authentication. This must be set to + * before calling start_authenticate. + * Changing it afterwards has no effect on the authentication process. + * + * Defaults to the owner of the process. + * + */ +void astal_auth_pam_set_username(AstalAuthPam *self, const gchar *username) { + g_return_if_fail(ASTAL_AUTH_IS_PAM(self)); + g_return_if_fail(username != NULL); + + g_free(self->username); + self->username = g_strdup(username); + g_object_notify(G_OBJECT(self), "username"); +} + +/** + * astal_auth_pam_supply_secret + * @self: a AstalAuthPam Object + * @secret: (nullable): the secret to be provided to pam. Can be NULL. + * + * provides pam with a secret. This method must be called exactly once after a + * auth-* signal is emitted. + */ +void astal_auth_pam_supply_secret(AstalAuthPam *self, const gchar *secret) { + g_return_if_fail(ASTAL_AUTH_IS_PAM(self)); + AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); + + g_mutex_lock(&priv->data_mutex); + g_free(priv->secret); + priv->secret = g_strdup(secret); + priv->secret_set = TRUE; + g_cond_signal(&priv->data_cond); + g_mutex_unlock(&priv->data_mutex); +} + +/** + * astal_auth_pam_set_service + * @self: a AstalAuthPam object + * @service: the pam service used for authentication + * + * Sets the service to be used for authentication. This must be set to + * before calling start_authenticate. + * Changing it afterwards has no effect on the authentication process. + * + * Defaults to `astal-auth`. + * + */ +void astal_auth_pam_set_service(AstalAuthPam *self, const gchar *service) { + g_return_if_fail(ASTAL_AUTH_IS_PAM(self)); + g_return_if_fail(service != NULL); + + g_free(self->service); + self->service = g_strdup(service); + g_object_notify(G_OBJECT(self), "service"); +} + +/** + * astal_auth_pam_get_username + * @self: a AstalAuthPam object + * + * Fetches the username from AsalAuthPam object. + * + * Returns: the username of the AsalAuthPam object. This string is + * owned by the object and must not be modified or freed. + */ + +const gchar *astal_auth_pam_get_username(AstalAuthPam *self) { + g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), NULL); + return self->username; +} + +/** + * astal_auth_pam_get_service + * @self: a AstalAuthPam + * + * Fetches the service from AsalAuthPam object. + * + * Returns: the service of the AsalAuthPam object. This string is + * owned by the object and must not be modified or freed. + */ +const gchar *astal_auth_pam_get_service(AstalAuthPam *self) { + g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), NULL); + return self->service; +} + +static void astal_auth_pam_set_property(GObject *object, guint property_id, const GValue *value, + GParamSpec *pspec) { + AstalAuthPam *self = ASTAL_AUTH_PAM(object); + + switch (property_id) { + case ASTAL_AUTH_PAM_PROP_USERNAME: + astal_auth_pam_set_username(self, g_value_get_string(value)); + break; + case ASTAL_AUTH_PAM_PROP_SERVICE: + astal_auth_pam_set_service(self, g_value_get_string(value)); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID(object, property_id, pspec); + break; + } +} + +static void astal_auth_pam_get_property(GObject *object, guint property_id, GValue *value, + GParamSpec *pspec) { + AstalAuthPam *self = ASTAL_AUTH_PAM(object); + + switch (property_id) { + case ASTAL_AUTH_PAM_PROP_USERNAME: + g_value_set_string(value, self->username); + break; + case ASTAL_AUTH_PAM_PROP_SERVICE: + g_value_set_string(value, self->service); + break; + default: + G_OBJECT_WARN_INVALID_PROPERTY_ID(object, property_id, pspec); + break; + } +} + +static void astal_auth_pam_callback(GObject *object, GAsyncResult *res, gpointer user_data) { + AstalAuthPam *self = ASTAL_AUTH_PAM(object); + AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); + + GTask *task = g_steal_pointer(&priv->task); + + GError *error = NULL; + g_task_propagate_int(task, &error); + + if (error == NULL) { + g_signal_emit(self, astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_SUCCESS], 0); + } else { + g_signal_emit(self, astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_FAIL], 0, error->message); + g_error_free(error); + } + g_object_unref(task); +} + +static gboolean astal_auth_pam_emit_signal_in_context(gpointer user_data) { + AstalAuthPamSignalEmitData *data = user_data; + g_signal_emit(data->pam, data->signal_id, 0, data->msg); + return G_SOURCE_REMOVE; +} + +static void astal_auth_pam_emit_signal(AstalAuthPam *pam, guint signal, const gchar *msg) { + GSource *emit_source; + AstalAuthPamSignalEmitData *data; + + data = g_new0(AstalAuthPamSignalEmitData, 1); + data->pam = pam; + data->signal_id = astal_auth_pam_signals[signal]; + data->msg = g_strdup(msg); + + emit_source = g_idle_source_new(); + g_source_set_callback(emit_source, astal_auth_pam_emit_signal_in_context, data, + (GDestroyNotify)astal_auth_pam_signal_emit_data_free); + g_source_set_priority(emit_source, G_PRIORITY_DEFAULT); + g_source_attach(emit_source, + ((AstalAuthPamPrivate *)astal_auth_pam_get_instance_private(pam))->context); + g_source_unref(emit_source); +} + +int astal_auth_pam_handle_conversation(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) { + AstalAuthPam *self = appdata_ptr; + AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); + + struct pam_response *replies = NULL; + if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) { + return PAM_CONV_ERR; + } + replies = (struct pam_response *)calloc(num_msg, sizeof(struct pam_response)); + if (replies == NULL) { + return PAM_BUF_ERR; + } + for (int i = 0; i < num_msg; ++i) { + guint signal; + switch (msg[i]->msg_style) { + case PAM_PROMPT_ECHO_OFF: + signal = ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN; + break; + case PAM_PROMPT_ECHO_ON: + signal = ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE; + break; + case PAM_ERROR_MSG: + signal = ASTAL_AUTH_PAM_SIGNAL_ERROR; + ; + break; + case PAM_TEXT_INFO: + signal = ASTAL_AUTH_PAM_SIGNAL_INFO; + break; + default: + g_free(replies); + return PAM_CONV_ERR; + break; + } + guint signal_id = astal_auth_pam_signals[signal]; + if (g_signal_has_handler_pending(self, signal_id, 0, FALSE)) { + astal_auth_pam_emit_signal(self, signal, msg[i]->msg); + g_mutex_lock(&priv->data_mutex); + while (!priv->secret_set) { + g_cond_wait(&priv->data_cond, &priv->data_mutex); + } + replies[i].resp_retcode = 0; + replies[i].resp = g_strdup(priv->secret); + g_free(priv->secret); + priv->secret = NULL; + priv->secret_set = FALSE; + g_mutex_unlock(&priv->data_mutex); + } + } + *resp = replies; + return PAM_SUCCESS; +} + +static void astal_auth_pam_thread(GTask *task, gpointer object, gpointer task_data, + GCancellable *cancellable) { + AstalAuthPam *self = g_task_get_source_object(task); + + pam_handle_t *pamh = NULL; + const struct pam_conv conv = { + .conv = astal_auth_pam_handle_conversation, + .appdata_ptr = self, + }; + + int retval; + retval = pam_start(self->service, self->username, &conv, &pamh); + if (retval == PAM_SUCCESS) { + retval = pam_authenticate(pamh, 0); + pam_end(pamh, retval); + } + if (retval != PAM_SUCCESS) { + g_task_return_new_error(task, G_IO_ERROR, G_IO_ERROR_FAILED, "%s", + pam_strerror(pamh, retval)); + } else { + g_task_return_int(task, retval); + } +} + +gboolean astal_auth_pam_start_authenticate_with_callback(AstalAuthPam *self, + GAsyncReadyCallback result_callback, + gpointer user_data) { + g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), FALSE); + AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); + g_return_val_if_fail(priv->task == NULL, FALSE); + + priv->task = g_task_new(self, NULL, result_callback, user_data); + g_task_set_priority(priv->task, 0); + g_task_set_name(priv->task, "[AstalAuth] authenticate"); + g_task_run_in_thread(priv->task, astal_auth_pam_thread); + + return TRUE; +} + +/** + * astal_auth_pam_start_authenticate: + * @self: a AstalAuthPam Object + * + * starts a new authentication process using the PAM (Pluggable Authentication Modules) system. + * Note that this will cancel an already running authentication process + * associated with this AstalAuthPam object. + */ +gboolean astal_auth_pam_start_authenticate(AstalAuthPam *self) { + return astal_auth_pam_start_authenticate_with_callback( + self, (GAsyncReadyCallback)astal_auth_pam_callback, NULL); +} + +static void astal_auth_pam_on_hidden(AstalAuthPam *pam, const gchar *msg, gchar *password) { + astal_auth_pam_supply_secret(pam, password); + g_free(password); +} + +/** + * astal_auth_pam_authenticate: + * @password: the password to be authenticated + * @result_callback: (scope async) (closure user_data): a GAsyncReadyCallback + * to call when the request is satisfied + * @user_data: the data to pass to callback function + * + * Requests authentication of the provided password using the PAM (Pluggable Authentication Modules) + * system. + */ +gboolean astal_auth_pam_authenticate(const gchar *password, GAsyncReadyCallback result_callback, + gpointer user_data) { + AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL); + g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(astal_auth_pam_on_hidden), + (void *)g_strdup(password)); + + gboolean started = + astal_auth_pam_start_authenticate_with_callback(pam, result_callback, user_data); + g_object_unref(pam); + return started; +} + +gssize astal_auth_pam_authenticate_finish(GAsyncResult *res, GError **error) { + return g_task_propagate_int(G_TASK(res), error); +} + +static void astal_auth_pam_init(AstalAuthPam *self) { + AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); + + priv->secret = NULL; + + g_cond_init(&priv->data_cond); + g_mutex_init(&priv->data_mutex); + + priv->context = g_main_context_get_thread_default(); +} + +static void astal_auth_pam_finalize(GObject *gobject) { + AstalAuthPam *self = ASTAL_AUTH_PAM(gobject); + AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); + + g_free(self->username); + g_free(self->service); + + g_free(priv->secret); + + g_cond_clear(&priv->data_cond); + g_mutex_clear(&priv->data_mutex); + + G_OBJECT_CLASS(astal_auth_pam_parent_class)->finalize(gobject); +} + +static void astal_auth_pam_class_init(AstalAuthPamClass *class) { + GObjectClass *object_class = G_OBJECT_CLASS(class); + + object_class->get_property = astal_auth_pam_get_property; + object_class->set_property = astal_auth_pam_set_property; + + object_class->finalize = astal_auth_pam_finalize; + + struct passwd *passwd = getpwuid(getuid()); + + /** + * AstalAuthPam:username: + * + * The username used for authentication. + * Changing the value of this property has no affect on an already started authentication + * process. + * + * Defaults to the user that owns this process. + */ + astal_auth_pam_properties[ASTAL_AUTH_PAM_PROP_USERNAME] = + g_param_spec_string("username", "username", "username used for authentication", + passwd->pw_name, G_PARAM_CONSTRUCT | G_PARAM_READWRITE); + /** + * AstalAuthPam:service: + * + * The pam service used for authentication. + * Changing the value of this property has no affect on an already started authentication + * process. + * + * Defaults to the astal-auth pam service. + */ + astal_auth_pam_properties[ASTAL_AUTH_PAM_PROP_SERVICE] = + g_param_spec_string("service", "service", "the pam service to use", "astal-auth", + G_PARAM_CONSTRUCT | G_PARAM_READWRITE); + + g_object_class_install_properties(object_class, ASTAL_AUTH_PAM_N_PROPERTIES, + astal_auth_pam_properties); + /** + * AstalAuthPam::auth-prompt-visible: + * @pam: the object which received the signal. + * @msg: the prompt to be shown to the user + * + * This signal is emitted when user input is required. The input should be visible + * when entered (e.g., for One-Time Passwords (OTP)). + * + * This signal has to be matched with exaclty one supply_secret call. + */ + astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE] = + g_signal_new("auth-prompt-visible", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, + NULL, NULL, G_TYPE_NONE, 1, G_TYPE_STRING); + /** + * AstalAuthPam::auth-prompt-hidden: + * @pam: the object which received the signal. + * @msg: the prompt to be shown to the user + * + * This signal is emitted when user input is required. The input should be hidden + * when entered (e.g., for passwords). + * + * This signal has to be matched with exaclty one supply_secret call. + */ + astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN] = + g_signal_new("auth-prompt-hidden", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, + NULL, NULL, G_TYPE_NONE, 1, G_TYPE_STRING); + /** + * AstalAuthPam::auth-info: + * @pam: the object which received the signal. + * @msg: the info mssage to be shown to the user + * + * This signal is emitted when the user should receive an information (e.g., tell the user to + * touch a security key, or the remaining time pam has been locked after multiple failed + * attempts) + * + * This signal has to be matched with exaclty one supply_secret call. + */ + astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_INFO] = + g_signal_new("auth-info", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL, + G_TYPE_NONE, 1, G_TYPE_STRING); + /** + * AstalAuthPam::auth-error: + * @pam: the object which received the signal. + * @msg: the error message + * + * This signal is emitted when an authentication error has occured. + * + * This signal has to be matched with exaclty one supply_secret call. + */ + astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_ERROR] = + g_signal_new("auth-error", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, + NULL, G_TYPE_NONE, 1, G_TYPE_STRING); + /** + * AstalAuthPam::success: + * @pam: the object which received the signal. + * + * This signal is emitted after successful authentication + */ + astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_SUCCESS] = + g_signal_new("success", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL, + G_TYPE_NONE, 0); + /** + * AstalAuthPam::fail: + * @pam: the object which received the signal. + * @msg: the authentication failure message + * + * This signal is emitted when authentication failed. + */ + astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_FAIL] = + g_signal_new("fail", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL, + G_TYPE_NONE, 1, G_TYPE_STRING); +} diff --git a/auth/version b/auth/version new file mode 100644 index 0000000..6e8bf73 --- /dev/null +++ b/auth/version @@ -0,0 +1 @@ +0.1.0 diff --git a/examples/full_example.c b/examples/full_example.c deleted file mode 100644 index a20c02b..0000000 --- a/examples/full_example.c +++ /dev/null @@ -1,66 +0,0 @@ -#include - -#include "astal-auth.h" - -GMainLoop *loop; - -static void authenticate(AstalAuthPam *pam) { - if (!astal_auth_pam_start_authenticate(pam)) { - g_print("could not start authentication process\n"); - g_object_unref(pam); - g_main_loop_quit(loop); - } -} - -static void on_visible(AstalAuthPam *pam, const gchar *data) { - gchar passbuf[1024]; - readpassphrase(data, passbuf, sizeof(passbuf), RPP_ECHO_ON); - astal_auth_pam_supply_secret(pam, passbuf); -} - -static void on_hidden(AstalAuthPam *pam, const gchar *data) { - gchar passbuf[1024]; - readpassphrase(data, passbuf, sizeof(passbuf), RPP_ECHO_OFF); - astal_auth_pam_supply_secret(pam, passbuf); -} - -static void on_info(AstalAuthPam *pam, const gchar *data) { - g_print("info: %s\n", data); - astal_auth_pam_supply_secret(pam, NULL); -} - -static void on_error(AstalAuthPam *pam, const gchar *data) { - g_print("error: %s\n", data); - astal_auth_pam_supply_secret(pam, NULL); -} - -static void on_success(AstalAuthPam *pam) { - g_print("success\n"); - g_object_unref(pam); - g_main_loop_quit(loop); -} - -static void on_fail(AstalAuthPam *pam, const gchar *data) { - g_print("fail: %s\n", data); - authenticate(pam); -} - -int main(void) { - GMainContext *loopctx = NULL; - - loop = g_main_loop_new(loopctx, FALSE); - - AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL); - - g_signal_connect(pam, "auth-prompt-visible", G_CALLBACK(on_visible), NULL); - g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(on_hidden), NULL); - g_signal_connect(pam, "auth-info", G_CALLBACK(on_info), NULL); - g_signal_connect(pam, "auth-error", G_CALLBACK(on_error), NULL); - - g_signal_connect(pam, "success", G_CALLBACK(on_success), NULL); - g_signal_connect(pam, "fail", G_CALLBACK(on_fail), NULL); - - authenticate(pam); - - g_main_loop_run(loop); -} diff --git a/examples/full_example.js b/examples/full_example.js deleted file mode 100644 index 7359784..0000000 --- a/examples/full_example.js +++ /dev/null @@ -1,38 +0,0 @@ -#!/usr/bin/env -S gjs -m - -import Auth from "gi://AstalAuth"; -import GLib from "gi://GLib"; - -const loop = GLib.MainLoop.new(null, false); - -const pam = new Auth.Pam(); -pam.connect("auth-prompt-visible", (p, msg) => { - print(msg); - p.supply_secret(""); -}); -pam.connect("auth-prompt-hidden", (p, msg) => { - print(msg); - p.supply_secret("password"); -}); -pam.connect("auth-info", (p, msg) => { - print(msg); - p.supply_secret(""); -}); -pam.connect("auth-error", (p, msg) => { - print(msg); - p.supply_secret(""); -}); - -pam.connect("success", p => { - print("authentication sucessful"); - loop.quit(); -}); -pam.connect("fail", (p, msg) => { - print(msg); - loop.quit(); -}); - -pam.start_authenticate(); - -loop.runAsync() - diff --git a/examples/meson.build b/examples/meson.build deleted file mode 100644 index cf23d3f..0000000 --- a/examples/meson.build +++ /dev/null @@ -1,18 +0,0 @@ - -deps_example = [ - dependency('gobject-2.0'), - dependency('libbsd'), - libastal_auth -] - -astal_auth_full_exmple = executable( - 'astal_auth_full_example', - files('full_example.c'), - dependencies : deps_example, - install : false) - -astal_auth_simple_example = executable( - 'astal_auth_simple_example', - files('simple_example.c'), - dependencies : deps_example, - install : false) diff --git a/examples/simple_example.c b/examples/simple_example.c deleted file mode 100644 index d00bad2..0000000 --- a/examples/simple_example.c +++ /dev/null @@ -1,31 +0,0 @@ -#include - -#include "astal-auth.h" - -GMainLoop *loop; - -void ready_callback(AstalAuthPam *pam, GAsyncResult *res, gpointer user_data) { - GError *error = NULL; - astal_auth_pam_authenticate_finish(res, &error); - if (error == NULL) { - g_print("success\n"); - } else { - g_print("failure: %s\n", error->message); - g_error_free(error); - } - - g_main_loop_quit(loop); -} - -int main(void) { - GMainContext *loopctx = NULL; - loop = g_main_loop_new(loopctx, FALSE); - - gchar *passbuf = calloc(1024, sizeof(gchar)); - readpassphrase("Password: ", passbuf, 1024, RPP_ECHO_OFF); - astal_auth_pam_authenticate(passbuf, (GAsyncReadyCallback)ready_callback, NULL); - g_free(passbuf); - - g_main_loop_run(loop); - exit(EXIT_SUCCESS); -} diff --git a/examples/simple_example.js b/examples/simple_example.js deleted file mode 100644 index 2bf38c1..0000000 --- a/examples/simple_example.js +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env -S gjs -m -import Auth from "gi://AstalAuth"; -import Gio from "gi://Gio"; - -Gio._promisify(Auth.Pam, "authenticate"); - -await Auth.Pam.authenticate("password") - .then(_ => print("authentication sucessful")) - .catch(logError); \ No newline at end of file diff --git a/flake.lock b/flake.lock deleted file mode 100644 index 13f566b..0000000 --- a/flake.lock +++ /dev/null @@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs": { - "locked": { - "lastModified": 1716137900, - "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix deleted file mode 100644 index 39b0289..0000000 --- a/flake.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - description = "Authentication library and cli tool"; - - inputs.nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; - - outputs = { self, nixpkgs }: - let - version = builtins.replaceStrings ["\n"] [""] (builtins.readFile ./version); - system = "x86_64-linux"; - pkgs = import nixpkgs { inherit system; }; - - nativeBuildInputs = with pkgs; [ - gobject-introspection - meson - pkg-config - ninja - vala - ]; - - buildInputs = with pkgs; [ - glib - pam - ]; - in { - packages.${system} = rec { - default = auth; - auth = pkgs.stdenv.mkDerivation { - inherit nativeBuildInputs buildInputs; - pname = "astal-auth"; - version = version; - src = ./.; - outputs = ["out" "dev"]; - }; - }; - - devShells.${system} = { - default = pkgs.mkShell { - inherit nativeBuildInputs buildInputs; - }; - }; - }; -} diff --git a/include/astal-auth.h b/include/astal-auth.h deleted file mode 100644 index a3073ff..0000000 --- a/include/astal-auth.h +++ /dev/null @@ -1,32 +0,0 @@ -#ifndef ASTAL_AUTH_PAM_H -#define ASTAL_AUTH_PAM_H - -#include -#include - -G_BEGIN_DECLS - -#define ASTAL_AUTH_TYPE_PAM (astal_auth_pam_get_type()) - -G_DECLARE_FINAL_TYPE(AstalAuthPam, astal_auth_pam, ASTAL_AUTH, PAM, GObject) - -void astal_auth_pam_set_username(AstalAuthPam *self, const gchar *username); - -const gchar *astal_auth_pam_get_username(AstalAuthPam *self); - -void astal_auth_pam_set_service(AstalAuthPam *self, const gchar *service); - -const gchar *astal_auth_pam_get_service(AstalAuthPam *self); - -gboolean astal_auth_pam_start_authenticate(AstalAuthPam *self); - -void astal_auth_pam_supply_secret(AstalAuthPam *self, const gchar *secret); - -gboolean astal_auth_pam_authenticate(const gchar *password, GAsyncReadyCallback result_callback, - gpointer user_data); - -gssize astal_auth_pam_authenticate_finish(GAsyncResult *res, GError **error); - -G_END_DECLS - -#endif // !ASTAL_AUTH_PAM_H diff --git a/include/meson.build b/include/meson.build deleted file mode 100644 index 0575998..0000000 --- a/include/meson.build +++ /dev/null @@ -1,4 +0,0 @@ -astal_auth_inc = include_directories('.') -astal_auth_headers = files('astal-auth.h') - -install_headers('astal-auth.h') diff --git a/meson.build b/meson.build deleted file mode 100644 index e9facb1..0000000 --- a/meson.build +++ /dev/null @@ -1,33 +0,0 @@ -project('astal_auth', - 'c', - version : run_command('cat', join_paths(meson.project_source_root(), 'version')).stdout().strip(), - default_options : [ - 'c_std=gnu11', - 'warning_level=3', - 'prefix=/usr' - ] -) - -add_project_arguments( - ['-Wno-pedantic'], - language : 'c') - -version_split = meson.project_version().split('.') -lib_so_version = version_split[0] + '.' + version_split[1] - -pkg_config = import('pkgconfig') -gnome = import('gnome') - -subdir('include') -subdir('src') - - -if get_option('examples') - subdir('examples') -endif - - -install_data( - 'pam/astal-auth', - install_dir : get_option('sysconfdir') / 'pam.d' -) diff --git a/meson_options.txt b/meson_options.txt deleted file mode 100644 index e28447e..0000000 --- a/meson_options.txt +++ /dev/null @@ -1,3 +0,0 @@ -option('examples', type : 'boolean', value : false, description : 'Build example applications') -option('introspection', type : 'boolean', value : true, description : 'Build gobject-introspection data') -option('vapi', type : 'boolean', value : true, description : 'Generate vapi data (needs vapigen & introspection option)') diff --git a/pam/astal-auth b/pam/astal-auth deleted file mode 100644 index 41f79d7..0000000 --- a/pam/astal-auth +++ /dev/null @@ -1,5 +0,0 @@ -# PAM configuration file for the astal-auth library. -# By default, it only includes the 'login' -# configuration file (see /etc/pam.d/login) - -auth include login diff --git a/src/astal-auth.c b/src/astal-auth.c deleted file mode 100644 index 1ac2bd7..0000000 --- a/src/astal-auth.c +++ /dev/null @@ -1,153 +0,0 @@ -#include "astal-auth.h" - -#include -#include -#include - -GMainLoop *loop; - -static void cleanup_and_quit(AstalAuthPam *pam, int status) { - g_object_unref(pam); - g_main_loop_quit(loop); - exit(status); -} - -static char *read_secret(const char *msg, gboolean echo) { - struct termios oldt, newt; - char *password = NULL; - size_t size = 0; - ssize_t len; - - if (tcgetattr(STDIN_FILENO, &oldt) != 0) { - return NULL; - } - newt = oldt; - if (echo) { - newt.c_lflag |= ECHO; - } else { - newt.c_lflag &= ~(ECHO); - } - if (tcsetattr(STDIN_FILENO, TCSANOW, &newt) != 0) { - return NULL; - } - g_print("%s", msg); - if ((len = getline(&password, &size, stdin)) == -1) { - g_free(password); - return NULL; - } - - if (password[len - 1] == '\n') { - password[len - 1] = '\0'; - } - - printf("\n"); - - if (tcsetattr(STDIN_FILENO, TCSANOW, &oldt) != 0) { - return NULL; - } - - return password; -} - -static void authenticate(AstalAuthPam *pam) { - static int attempts = 0; - if (attempts >= 3) { - g_print("%d failed attempts.\n", attempts); - cleanup_and_quit(pam, EXIT_FAILURE); - } - if (!astal_auth_pam_start_authenticate(pam)) { - g_print("could not start authentication process\n"); - cleanup_and_quit(pam, EXIT_FAILURE); - } - attempts++; -} - -static void on_visible(AstalAuthPam *pam, const gchar *data) { - char *secret = read_secret(data, TRUE); - if (secret == NULL) cleanup_and_quit(pam, EXIT_FAILURE); - astal_auth_pam_supply_secret(pam, secret); - g_free(secret); -} - -static void on_hidden(AstalAuthPam *pam, const gchar *data, gchar *secret) { - if (!secret) secret = read_secret(data, FALSE); - if (secret == NULL) cleanup_and_quit(pam, EXIT_FAILURE); - astal_auth_pam_supply_secret(pam, secret); - g_free(secret); -} - -static void on_info(AstalAuthPam *pam, const gchar *data) { - g_print("info: %s\n", data); - astal_auth_pam_supply_secret(pam, NULL); -} - -static void on_error(AstalAuthPam *pam, const gchar *data) { - g_print("error: %s\n", data); - astal_auth_pam_supply_secret(pam, NULL); -} - -static void on_success(AstalAuthPam *pam) { - g_print("Authentication successful\n"); - cleanup_and_quit(pam, EXIT_SUCCESS); -} - -static void on_fail(AstalAuthPam *pam, const gchar *data, gboolean retry) { - g_print("%s\n", data); - if (retry) - authenticate(pam); - else - cleanup_and_quit(pam, EXIT_FAILURE); -} - -int main(int argc, char **argv) { - char *password = NULL; - char *username = NULL; - char *service = NULL; - - int opt; - const char *optstring = "p:u:s:"; - - static struct option long_options[] = {{"password", required_argument, NULL, 'p'}, - {"username", required_argument, NULL, 'u'}, - {"service", required_argument, NULL, 's'}, - {NULL, 0, NULL, 0}}; - - while ((opt = getopt_long(argc, argv, optstring, long_options, NULL)) != -1) { - switch (opt) { - case 'p': - password = optarg; - break; - case 'u': - username = optarg; - break; - case 's': - service = optarg; - break; - default: - g_print("Usage: %s [-p password] [-u username] [-s service]\n", argv[0]); - exit(EXIT_FAILURE); - } - } - - loop = g_main_loop_new(NULL, FALSE); - - AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL); - - if (username) astal_auth_pam_set_username(pam, username); - if (service) astal_auth_pam_set_service(pam, service); - if (password) { - g_signal_connect(pam, "fail", G_CALLBACK(on_fail), (void *)FALSE); - } else { - g_signal_connect(pam, "auth-prompt-visible", G_CALLBACK(on_visible), NULL); - g_signal_connect(pam, "auth-info", G_CALLBACK(on_info), NULL); - g_signal_connect(pam, "auth-error", G_CALLBACK(on_error), NULL); - g_signal_connect(pam, "fail", G_CALLBACK(on_fail), (void *)TRUE); - } - - g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(on_hidden), g_strdup(password)); - g_signal_connect(pam, "success", G_CALLBACK(on_success), NULL); - - authenticate(pam); - - g_main_loop_run(loop); -} diff --git a/src/meson.build b/src/meson.build deleted file mode 100644 index 6a34ae0..0000000 --- a/src/meson.build +++ /dev/null @@ -1,65 +0,0 @@ -srcs = files( - 'pam.c', -) - -deps = [ - dependency('gobject-2.0'), - dependency('gio-2.0'), - dependency('pam') -] - -astal_auth_lib = library( - 'astal-auth', - sources : srcs, - include_directories : astal_auth_inc, - dependencies : deps, - version : meson.project_version(), - install : true -) - -libastal_auth = declare_dependency( - link_with : astal_auth_lib, - include_directories : astal_auth_inc) - -astal_auth_executable = executable( - 'astal-auth', - files('astal-auth.c'), - dependencies : [ - dependency('gobject-2.0'), - libastal_auth - ], - install : true) - -pkg_config_name = 'astal-auth-' + lib_so_version - -if get_option('introspection') - gir = gnome.generate_gir( - astal_auth_lib, - sources : srcs + astal_auth_headers, - nsversion : '0.1', - namespace : 'AstalAuth', - symbol_prefix : 'astal_auth', - identifier_prefix : 'AstalAuth', - includes : ['GObject-2.0', 'Gio-2.0'], - header : 'astal-auth.h', - export_packages : pkg_config_name, - install : true - ) - - if get_option('vapi') - gnome.generate_vapi( - pkg_config_name, - sources : [gir[0]], - packages : ['gobject-2.0', 'gio-2.0'], - install : true) - endif -endif - -pkg_config.generate( - name : 'astal-auth', - version : meson.project_version(), - libraries : [astal_auth_lib], - filebase : pkg_config_name, - subdirs : 'astal', - description : 'astal authentication module', - url : 'https://github.com/astal-sh/auth') diff --git a/src/pam.c b/src/pam.c deleted file mode 100644 index d0afec4..0000000 --- a/src/pam.c +++ /dev/null @@ -1,524 +0,0 @@ -#include -#include -#include - -#include "astal-auth.h" - -struct _AstalAuthPam { - GObject parent_instance; - - gchar *username; - gchar *service; -}; - -typedef struct { - GTask *task; - GMainContext *context; - GMutex data_mutex; - GCond data_cond; - - gchar *secret; - gboolean secret_set; -} AstalAuthPamPrivate; - -typedef struct { - AstalAuthPam *pam; - guint signal_id; - gchar *msg; -} AstalAuthPamSignalEmitData; - -static void astal_auth_pam_signal_emit_data_free(AstalAuthPamSignalEmitData *data) { - g_free(data->msg); - g_free(data); -} - -typedef enum { - ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE, - ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN, - ASTAL_AUTH_PAM_SIGNAL_INFO, - ASTAL_AUTH_PAM_SIGNAL_ERROR, - ASTAL_AUTH_PAM_SIGNAL_SUCCESS, - ASTAL_AUTH_PAM_SIGNAL_FAIL, - ASTAL_AUTH_PAM_N_SIGNALS -} AstalAuthPamSignals; - -typedef enum { - ASTAL_AUTH_PAM_PROP_USERNAME = 1, - ASTAL_AUTH_PAM_PROP_SERVICE, - ASTAL_AUTH_PAM_N_PROPERTIES -} AstalAuthPamProperties; - -static guint astal_auth_pam_signals[ASTAL_AUTH_PAM_N_SIGNALS] = { - 0, -}; -static GParamSpec *astal_auth_pam_properties[ASTAL_AUTH_PAM_N_PROPERTIES] = { - NULL, -}; - -G_DEFINE_TYPE_WITH_PRIVATE(AstalAuthPam, astal_auth_pam, G_TYPE_OBJECT); - -/** - * - * AstalAuthPam - * - * For simple authentication using only a password, using the [func@AstalAuth.Pam.authenticate] - * method is recommended. Look at the simple examples for how to use it. - * - * There is also a way to get access to the pam conversation, to allow for a more complex - * authentication process, like using multiple factor authentication. Generally it can be used like - * this: - * - * 1. create the Pam object. - * 2. set username and service if so required. It has sane defaults, so in most cases you can skip - * this. - * 3. connect to the signals. - * After an `auth-*` signal is emitted, it has to be responded with exactly one - * [method@AstalAuth.Pam.supply_secret] call. The secret is a string containing the user input. For - * [auth-info][signal@AstalAuth.Pam::auth-info:] and [auth-error][signal@AstalAuth.Pam::auth-error:] - * it should be `NULL`. Not connecting those signals, is equivalent to calling - * [method@AstalAuth.Pam.supply_secret] with `NULL` immediately after the signal is emitted. - * 4. start authentication process using [method@AstalAuth.Pam.start_authenticate]. - * 5. it is possible to reuse the same Pam object for multiple sequential authentication attempts. - * Just call [method@AstalAuth.Pam.start_authenticate] again after the `success` or `fail` signal - * was emitted. - * - */ - -/** - * astal_auth_pam_set_username - * @self: a AstalAuthPam object - * @username: the new username - * - * Sets the username to be used for authentication. This must be set to - * before calling start_authenticate. - * Changing it afterwards has no effect on the authentication process. - * - * Defaults to the owner of the process. - * - */ -void astal_auth_pam_set_username(AstalAuthPam *self, const gchar *username) { - g_return_if_fail(ASTAL_AUTH_IS_PAM(self)); - g_return_if_fail(username != NULL); - - g_free(self->username); - self->username = g_strdup(username); - g_object_notify(G_OBJECT(self), "username"); -} - -/** - * astal_auth_pam_supply_secret - * @self: a AstalAuthPam Object - * @secret: (nullable): the secret to be provided to pam. Can be NULL. - * - * provides pam with a secret. This method must be called exactly once after a - * auth-* signal is emitted. - */ -void astal_auth_pam_supply_secret(AstalAuthPam *self, const gchar *secret) { - g_return_if_fail(ASTAL_AUTH_IS_PAM(self)); - AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); - - g_mutex_lock(&priv->data_mutex); - g_free(priv->secret); - priv->secret = g_strdup(secret); - priv->secret_set = TRUE; - g_cond_signal(&priv->data_cond); - g_mutex_unlock(&priv->data_mutex); -} - -/** - * astal_auth_pam_set_service - * @self: a AstalAuthPam object - * @service: the pam service used for authentication - * - * Sets the service to be used for authentication. This must be set to - * before calling start_authenticate. - * Changing it afterwards has no effect on the authentication process. - * - * Defaults to `astal-auth`. - * - */ -void astal_auth_pam_set_service(AstalAuthPam *self, const gchar *service) { - g_return_if_fail(ASTAL_AUTH_IS_PAM(self)); - g_return_if_fail(service != NULL); - - g_free(self->service); - self->service = g_strdup(service); - g_object_notify(G_OBJECT(self), "service"); -} - -/** - * astal_auth_pam_get_username - * @self: a AstalAuthPam object - * - * Fetches the username from AsalAuthPam object. - * - * Returns: the username of the AsalAuthPam object. This string is - * owned by the object and must not be modified or freed. - */ - -const gchar *astal_auth_pam_get_username(AstalAuthPam *self) { - g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), NULL); - return self->username; -} - -/** - * astal_auth_pam_get_service - * @self: a AstalAuthPam - * - * Fetches the service from AsalAuthPam object. - * - * Returns: the service of the AsalAuthPam object. This string is - * owned by the object and must not be modified or freed. - */ -const gchar *astal_auth_pam_get_service(AstalAuthPam *self) { - g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), NULL); - return self->service; -} - -static void astal_auth_pam_set_property(GObject *object, guint property_id, const GValue *value, - GParamSpec *pspec) { - AstalAuthPam *self = ASTAL_AUTH_PAM(object); - - switch (property_id) { - case ASTAL_AUTH_PAM_PROP_USERNAME: - astal_auth_pam_set_username(self, g_value_get_string(value)); - break; - case ASTAL_AUTH_PAM_PROP_SERVICE: - astal_auth_pam_set_service(self, g_value_get_string(value)); - break; - default: - G_OBJECT_WARN_INVALID_PROPERTY_ID(object, property_id, pspec); - break; - } -} - -static void astal_auth_pam_get_property(GObject *object, guint property_id, GValue *value, - GParamSpec *pspec) { - AstalAuthPam *self = ASTAL_AUTH_PAM(object); - - switch (property_id) { - case ASTAL_AUTH_PAM_PROP_USERNAME: - g_value_set_string(value, self->username); - break; - case ASTAL_AUTH_PAM_PROP_SERVICE: - g_value_set_string(value, self->service); - break; - default: - G_OBJECT_WARN_INVALID_PROPERTY_ID(object, property_id, pspec); - break; - } -} - -static void astal_auth_pam_callback(GObject *object, GAsyncResult *res, gpointer user_data) { - AstalAuthPam *self = ASTAL_AUTH_PAM(object); - AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); - - GTask *task = g_steal_pointer(&priv->task); - - GError *error = NULL; - g_task_propagate_int(task, &error); - - if (error == NULL) { - g_signal_emit(self, astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_SUCCESS], 0); - } else { - g_signal_emit(self, astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_FAIL], 0, error->message); - g_error_free(error); - } - g_object_unref(task); -} - -static gboolean astal_auth_pam_emit_signal_in_context(gpointer user_data) { - AstalAuthPamSignalEmitData *data = user_data; - g_signal_emit(data->pam, data->signal_id, 0, data->msg); - return G_SOURCE_REMOVE; -} - -static void astal_auth_pam_emit_signal(AstalAuthPam *pam, guint signal, const gchar *msg) { - GSource *emit_source; - AstalAuthPamSignalEmitData *data; - - data = g_new0(AstalAuthPamSignalEmitData, 1); - data->pam = pam; - data->signal_id = astal_auth_pam_signals[signal]; - data->msg = g_strdup(msg); - - emit_source = g_idle_source_new(); - g_source_set_callback(emit_source, astal_auth_pam_emit_signal_in_context, data, - (GDestroyNotify)astal_auth_pam_signal_emit_data_free); - g_source_set_priority(emit_source, G_PRIORITY_DEFAULT); - g_source_attach(emit_source, - ((AstalAuthPamPrivate *)astal_auth_pam_get_instance_private(pam))->context); - g_source_unref(emit_source); -} - -int astal_auth_pam_handle_conversation(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr) { - AstalAuthPam *self = appdata_ptr; - AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); - - struct pam_response *replies = NULL; - if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) { - return PAM_CONV_ERR; - } - replies = (struct pam_response *)calloc(num_msg, sizeof(struct pam_response)); - if (replies == NULL) { - return PAM_BUF_ERR; - } - for (int i = 0; i < num_msg; ++i) { - guint signal; - switch (msg[i]->msg_style) { - case PAM_PROMPT_ECHO_OFF: - signal = ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN; - break; - case PAM_PROMPT_ECHO_ON: - signal = ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE; - break; - case PAM_ERROR_MSG: - signal = ASTAL_AUTH_PAM_SIGNAL_ERROR; - ; - break; - case PAM_TEXT_INFO: - signal = ASTAL_AUTH_PAM_SIGNAL_INFO; - break; - default: - g_free(replies); - return PAM_CONV_ERR; - break; - } - guint signal_id = astal_auth_pam_signals[signal]; - if (g_signal_has_handler_pending(self, signal_id, 0, FALSE)) { - astal_auth_pam_emit_signal(self, signal, msg[i]->msg); - g_mutex_lock(&priv->data_mutex); - while (!priv->secret_set) { - g_cond_wait(&priv->data_cond, &priv->data_mutex); - } - replies[i].resp_retcode = 0; - replies[i].resp = g_strdup(priv->secret); - g_free(priv->secret); - priv->secret = NULL; - priv->secret_set = FALSE; - g_mutex_unlock(&priv->data_mutex); - } - } - *resp = replies; - return PAM_SUCCESS; -} - -static void astal_auth_pam_thread(GTask *task, gpointer object, gpointer task_data, - GCancellable *cancellable) { - AstalAuthPam *self = g_task_get_source_object(task); - - pam_handle_t *pamh = NULL; - const struct pam_conv conv = { - .conv = astal_auth_pam_handle_conversation, - .appdata_ptr = self, - }; - - int retval; - retval = pam_start(self->service, self->username, &conv, &pamh); - if (retval == PAM_SUCCESS) { - retval = pam_authenticate(pamh, 0); - pam_end(pamh, retval); - } - if (retval != PAM_SUCCESS) { - g_task_return_new_error(task, G_IO_ERROR, G_IO_ERROR_FAILED, "%s", - pam_strerror(pamh, retval)); - } else { - g_task_return_int(task, retval); - } -} - -gboolean astal_auth_pam_start_authenticate_with_callback(AstalAuthPam *self, - GAsyncReadyCallback result_callback, - gpointer user_data) { - g_return_val_if_fail(ASTAL_AUTH_IS_PAM(self), FALSE); - AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); - g_return_val_if_fail(priv->task == NULL, FALSE); - - priv->task = g_task_new(self, NULL, result_callback, user_data); - g_task_set_priority(priv->task, 0); - g_task_set_name(priv->task, "[AstalAuth] authenticate"); - g_task_run_in_thread(priv->task, astal_auth_pam_thread); - - return TRUE; -} - -/** - * astal_auth_pam_start_authenticate: - * @self: a AstalAuthPam Object - * - * starts a new authentication process using the PAM (Pluggable Authentication Modules) system. - * Note that this will cancel an already running authentication process - * associated with this AstalAuthPam object. - */ -gboolean astal_auth_pam_start_authenticate(AstalAuthPam *self) { - return astal_auth_pam_start_authenticate_with_callback( - self, (GAsyncReadyCallback)astal_auth_pam_callback, NULL); -} - -static void astal_auth_pam_on_hidden(AstalAuthPam *pam, const gchar *msg, gchar *password) { - astal_auth_pam_supply_secret(pam, password); - g_free(password); -} - -/** - * astal_auth_pam_authenticate: - * @password: the password to be authenticated - * @result_callback: (scope async) (closure user_data): a GAsyncReadyCallback - * to call when the request is satisfied - * @user_data: the data to pass to callback function - * - * Requests authentication of the provided password using the PAM (Pluggable Authentication Modules) - * system. - */ -gboolean astal_auth_pam_authenticate(const gchar *password, GAsyncReadyCallback result_callback, - gpointer user_data) { - AstalAuthPam *pam = g_object_new(ASTAL_AUTH_TYPE_PAM, NULL); - g_signal_connect(pam, "auth-prompt-hidden", G_CALLBACK(astal_auth_pam_on_hidden), - (void *)g_strdup(password)); - - gboolean started = - astal_auth_pam_start_authenticate_with_callback(pam, result_callback, user_data); - g_object_unref(pam); - return started; -} - -gssize astal_auth_pam_authenticate_finish(GAsyncResult *res, GError **error) { - return g_task_propagate_int(G_TASK(res), error); -} - -static void astal_auth_pam_init(AstalAuthPam *self) { - AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); - - priv->secret = NULL; - - g_cond_init(&priv->data_cond); - g_mutex_init(&priv->data_mutex); - - priv->context = g_main_context_get_thread_default(); -} - -static void astal_auth_pam_finalize(GObject *gobject) { - AstalAuthPam *self = ASTAL_AUTH_PAM(gobject); - AstalAuthPamPrivate *priv = astal_auth_pam_get_instance_private(self); - - g_free(self->username); - g_free(self->service); - - g_free(priv->secret); - - g_cond_clear(&priv->data_cond); - g_mutex_clear(&priv->data_mutex); - - G_OBJECT_CLASS(astal_auth_pam_parent_class)->finalize(gobject); -} - -static void astal_auth_pam_class_init(AstalAuthPamClass *class) { - GObjectClass *object_class = G_OBJECT_CLASS(class); - - object_class->get_property = astal_auth_pam_get_property; - object_class->set_property = astal_auth_pam_set_property; - - object_class->finalize = astal_auth_pam_finalize; - - struct passwd *passwd = getpwuid(getuid()); - - /** - * AstalAuthPam:username: - * - * The username used for authentication. - * Changing the value of this property has no affect on an already started authentication - * process. - * - * Defaults to the user that owns this process. - */ - astal_auth_pam_properties[ASTAL_AUTH_PAM_PROP_USERNAME] = - g_param_spec_string("username", "username", "username used for authentication", - passwd->pw_name, G_PARAM_CONSTRUCT | G_PARAM_READWRITE); - /** - * AstalAuthPam:service: - * - * The pam service used for authentication. - * Changing the value of this property has no affect on an already started authentication - * process. - * - * Defaults to the astal-auth pam service. - */ - astal_auth_pam_properties[ASTAL_AUTH_PAM_PROP_SERVICE] = - g_param_spec_string("service", "service", "the pam service to use", "astal-auth", - G_PARAM_CONSTRUCT | G_PARAM_READWRITE); - - g_object_class_install_properties(object_class, ASTAL_AUTH_PAM_N_PROPERTIES, - astal_auth_pam_properties); - /** - * AstalAuthPam::auth-prompt-visible: - * @pam: the object which received the signal. - * @msg: the prompt to be shown to the user - * - * This signal is emitted when user input is required. The input should be visible - * when entered (e.g., for One-Time Passwords (OTP)). - * - * This signal has to be matched with exaclty one supply_secret call. - */ - astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_PROMPT_VISIBLE] = - g_signal_new("auth-prompt-visible", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, - NULL, NULL, G_TYPE_NONE, 1, G_TYPE_STRING); - /** - * AstalAuthPam::auth-prompt-hidden: - * @pam: the object which received the signal. - * @msg: the prompt to be shown to the user - * - * This signal is emitted when user input is required. The input should be hidden - * when entered (e.g., for passwords). - * - * This signal has to be matched with exaclty one supply_secret call. - */ - astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_PROMPT_HIDDEN] = - g_signal_new("auth-prompt-hidden", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, - NULL, NULL, G_TYPE_NONE, 1, G_TYPE_STRING); - /** - * AstalAuthPam::auth-info: - * @pam: the object which received the signal. - * @msg: the info mssage to be shown to the user - * - * This signal is emitted when the user should receive an information (e.g., tell the user to - * touch a security key, or the remaining time pam has been locked after multiple failed - * attempts) - * - * This signal has to be matched with exaclty one supply_secret call. - */ - astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_INFO] = - g_signal_new("auth-info", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL, - G_TYPE_NONE, 1, G_TYPE_STRING); - /** - * AstalAuthPam::auth-error: - * @pam: the object which received the signal. - * @msg: the error message - * - * This signal is emitted when an authentication error has occured. - * - * This signal has to be matched with exaclty one supply_secret call. - */ - astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_ERROR] = - g_signal_new("auth-error", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, - NULL, G_TYPE_NONE, 1, G_TYPE_STRING); - /** - * AstalAuthPam::success: - * @pam: the object which received the signal. - * - * This signal is emitted after successful authentication - */ - astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_SUCCESS] = - g_signal_new("success", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL, - G_TYPE_NONE, 0); - /** - * AstalAuthPam::fail: - * @pam: the object which received the signal. - * @msg: the authentication failure message - * - * This signal is emitted when authentication failed. - */ - astal_auth_pam_signals[ASTAL_AUTH_PAM_SIGNAL_FAIL] = - g_signal_new("fail", G_TYPE_FROM_CLASS(class), G_SIGNAL_RUN_FIRST, 0, NULL, NULL, NULL, - G_TYPE_NONE, 1, G_TYPE_STRING); -} diff --git a/version b/version deleted file mode 100644 index 6e8bf73..0000000 --- a/version +++ /dev/null @@ -1 +0,0 @@ -0.1.0 -- cgit v1.2.3