56 lines
1.2 KiB
Go
56 lines
1.2 KiB
Go
//go:build pam
|
|
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
|
|
"github.com/msteinert/pam"
|
|
|
|
"git.sr.ht/~emersion/soju/database"
|
|
)
|
|
|
|
type pamAuth struct{}
|
|
|
|
var (
|
|
_ PlainAuthenticator = (*pamAuth)(nil)
|
|
)
|
|
|
|
func newPAM() (Authenticator, error) {
|
|
return pamAuth{}, nil
|
|
}
|
|
|
|
func (pamAuth) AuthPlain(ctx context.Context, db database.Database, username, password string) error {
|
|
t, err := pam.StartFunc("login", username, func(s pam.Style, msg string) (string, error) {
|
|
switch s {
|
|
case pam.PromptEchoOff:
|
|
return password, nil
|
|
case pam.PromptEchoOn, pam.ErrorMsg, pam.TextInfo:
|
|
return "", nil
|
|
default:
|
|
return "", fmt.Errorf("unsupported PAM conversation style: %v", s)
|
|
}
|
|
})
|
|
if err != nil {
|
|
return fmt.Errorf("failed to start PAM conversation: %v", err)
|
|
}
|
|
|
|
if err := t.Authenticate(0); err != nil {
|
|
return newInvalidCredentialsError(fmt.Errorf("PAM auth error: %v", err))
|
|
}
|
|
|
|
if err := t.AcctMgmt(0); err != nil {
|
|
return fmt.Errorf("PAM account unavailable: %v", err)
|
|
}
|
|
|
|
user, err := t.GetItem(pam.User)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get PAM user: %v", err)
|
|
} else if user != username {
|
|
return fmt.Errorf("PAM user doesn't match supplied username")
|
|
}
|
|
|
|
return nil
|
|
}
|