Add "moonfire-nvr login username" command

This should be useful when creating sessions for robot users without
ever having to set a password for them.

db/auth.rs

@@ -210,7 +210,7 @@ pub enum RevocationReason {
 pub struct Session {
     user_id: i32,
     flags: i32,  // bitmask of SessionFlags enum values
-    domain: Vec<u8>,
+    domain: Option<Vec<u8>>,
     description: Option<String>,
     seed: Seed,
 
@@ -490,14 +490,18 @@ impl State {
         Ok(())
     }
 
+    pub fn get_user(&self, username: &str) -> Option<&User> {
+        self.users_by_name
+            .get(username)
+            .map(|id| self.users_by_id.get(id).expect("users_by_name implies users_by_id"))
+    }
+
     pub fn login_by_password(&mut self, conn: &Connection, req: Request, username: &str,
-                             password: String, domain: Vec<u8>, session_flags: i32)
+                             password: String, domain: Option<Vec<u8>>, session_flags: i32)
                              -> Result<(RawSessionId, &Session), Error> {
-        let id = match self.users_by_name.get(username) {
+        let id = self.users_by_name.get(username)
-            None => bail!("no such user {:?}", username),
+            .ok_or_else(|| format_err!("no such user {:?}", username))?;
-            Some(&id) => id,
+        let u = self.users_by_id.get_mut(id).expect("users_by_name implies users_by_id");
-        };
-        let u = self.users_by_id.get_mut(&id).expect("users_by_name implies users_by_id");
         if u.disabled() {
             bail!("user {:?} is disabled", username);
         }
@@ -521,15 +525,27 @@ impl State {
             u.dirty = true;
         }
         let password_id = u.password_id;
-        State::make_session(conn, req, u, domain, Some(password_id), session_flags,
+        State::make_session_int(conn, req, u, domain, Some(password_id), session_flags,
                             &mut self.sessions, u.permissions.clone())
     }
 
-    fn make_session<'s>(conn: &Connection, creation: Request, user: &mut User, domain: Vec<u8>,
+    /// Makes a session directly (no password required).
-                        creation_password_id: Option<i32>, flags: i32,
+    pub fn make_session<'s>(&'s mut self, conn: &Connection, creation: Request, uid: i32,
-                        sessions: &'s mut FnvHashMap<SessionHash, Session>,
+                            domain: Option<Vec<u8>>, flags: i32, permissions: Permissions)
-                        permissions: Permissions)
+                            -> Result<(RawSessionId, &'s Session), Error> {
-                        -> Result<(RawSessionId, &'s Session), Error> {
+        let u = self.users_by_id.get_mut(&uid).ok_or_else(|| format_err!("no such uid {:?}", uid))?;
+        if u.disabled() {
+            bail!("user is disabled");
+        }
+        State::make_session_int(conn, creation, u, domain, None, flags, &mut self.sessions,
+                                permissions)
+    }
+
+    fn make_session_int<'s>(conn: &Connection, creation: Request, user: &mut User,
+                            domain: Option<Vec<u8>>, creation_password_id: Option<i32>, flags: i32,
+                            sessions: &'s mut FnvHashMap<SessionHash, Session>,
+                            permissions: Permissions)
+                            -> Result<(RawSessionId, &'s Session), Error> {
         let mut session_id = RawSessionId::new();
         ::openssl::rand::rand_bytes(&mut session_id.0).unwrap();
         let mut seed = [0u8; 32];

db/db.rs

@@ -1774,12 +1774,22 @@ impl LockedDatabase {
         self.auth.delete_user(&mut self.conn, id)
     }
 
+    pub fn get_user(&self, username: &str) -> Option<&User> {
+        self.auth.get_user(username)
+    }
+
     pub fn login_by_password(&mut self, req: auth::Request, username: &str, password: String,
-                             domain: Vec<u8>, session_flags: i32)
+                             domain: Option<Vec<u8>>, session_flags: i32)
                              -> Result<(RawSessionId, &Session), Error> {
         self.auth.login_by_password(&self.conn, req, username, password, domain, session_flags)
     }
 
+    pub fn make_session(&mut self, creation: Request, uid: i32,
+                        domain: Option<Vec<u8>>, flags: i32, permissions: schema::Permissions)
+                        -> Result<(RawSessionId, &Session), Error> {
+        self.auth.make_session(&self.conn, creation, uid, domain, flags, permissions)
+    }
+
     pub fn authenticate_session(&mut self, req: auth::Request, sid: &auth::SessionHash)
                                 -> Result<(&auth::Session, &User), Error> {
         self.auth.authenticate_session(&self.conn, req, sid)

src/cmds/login.rs

@@ -0,0 +1,177 @@
+// This file is part of Moonfire NVR, a security camera network video recorder.
+// Copyright (C) 2019 Scott Lamb <slamb@slamb.org>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// In addition, as a special exception, the copyright holders give
+// permission to link the code of portions of this program with the
+// OpenSSL library under certain conditions as described in each
+// individual source file, and distribute linked combinations including
+// the two.
+//
+// You must obey the GNU General Public License in all respects for all
+// of the code used other than OpenSSL. If you modify file(s) with this
+// exception, you may extend this exception to your version of the
+// file(s), but you are not obligated to do so. If you do not wish to do
+// so, delete this exception statement from your version. If you delete
+// this exception statement from all source files in the program, then
+// also delete it here.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+//! Subcommand to login a user (without requiring a password).
+
+use base::clock::{self, Clocks};
+use db::auth::SessionFlags;
+use failure::{Error, bail, format_err};
+use serde::Deserialize;
+use std::os::unix::fs::OpenOptionsExt as _;
+use std::io::Write as _;
+use std::path::PathBuf;
+
+static USAGE: &'static str = r#"
+Logs in a user, returning the session cookie.
+
+This is a privileged command that directly accesses the database. It doesn't
+check the user's password and even can be used to create sessions with
+permissions the user doesn't have.
+
+Usage:
+
+    moonfire-nvr login [options] <username>
+    moonfire-nvr login --help
+
+Options:
+
+    --db-dir=DIR     Set the directory holding the SQLite3 index database. This
+                     is typically on a flash device.
+                     [default: /var/lib/moonfire-nvr/db]
+    --permissions=PERMISSIONS
+                     Create a session with the given permissions. If
+                     unspecified, uses user's default permissions.
+    --domain=DOMAIN  The domain this cookie lives on. Optional.
+    --curl-cookie-jar=FILE
+                     Writes the cookie to a new curl-compatible cookie-jar
+                     file. --domain must be specified. This can be used later
+                     with curl's --cookie flag.
+    --session-flags=FLAGS
+                     Set the given db::auth::SessionFlags.
+                     [default: http-only,secure,same-site,same-site-strict]
+"#;
+
+#[derive(Debug, Default, Deserialize, Eq, PartialEq)]
+struct Args {
+    flag_db_dir: String,
+    flag_permissions: Option<String>,
+    flag_domain: Option<String>,
+    flag_curl_cookie_jar: Option<PathBuf>,
+    flag_session_flags: String,
+    arg_username: String,
+}
+
+pub fn run() -> Result<(), Error> {
+    let args: Args = super::parse_args(USAGE)?;
+    let clocks = clock::RealClocks {};
+    let (_db_dir, conn) = super::open_conn(&args.flag_db_dir, super::OpenMode::ReadWrite)?;
+    let db = std::sync::Arc::new(db::Database::new(clocks.clone(), conn, true).unwrap());
+    let mut l = db.lock();
+    let u = l.get_user(&args.arg_username)
+        .ok_or_else(|| format_err!("no such user {:?}", &args.arg_username))?;
+    let permissions = match args.flag_permissions {
+        None => u.permissions.clone(),
+        Some(s) => protobuf::text_format::parse_from_str(&s)
+                   .map_err(|_| format_err!("unable to parse --permissions"))?
+    };
+    let creation = db::auth::Request {
+        when_sec: Some(db.clocks().realtime().sec),
+        user_agent: None,
+        addr: None,
+    };
+    let mut flags = 0;
+    for f in args.flag_session_flags.split(',') {
+        flags |= match f {
+            "http-only"        => SessionFlags::HttpOnly,
+            "secure"           => SessionFlags::Secure,
+            "same-site"        => SessionFlags::SameSite,
+            "same-site-strict" => SessionFlags::SameSiteStrict,
+            _ => bail!("unknown session flag {:?}", f),
+        } as i32;
+    }
+    let uid = u.id;
+    drop(u);
+    let (sid, _) = l.make_session(creation, uid,
+                                  args.flag_domain.as_ref().map(|d| d.as_bytes().to_owned()),
+                                  flags, permissions)?;
+    let mut encoded = [0u8; 64];
+    base64::encode_config_slice(&sid, base64::STANDARD_NO_PAD, &mut encoded);
+    let encoded = std::str::from_utf8(&encoded[..]).expect("base64 is valid UTF-8");
+
+    if let Some(ref p) = args.flag_curl_cookie_jar {
+        let d = args.flag_domain.as_ref()
+                    .ok_or_else(|| format_err!("--cookiejar requires --domain"))?;
+        let mut f = std::fs::OpenOptions::new()
+            .write(true)
+            .create_new(true)
+            .mode(0o600)
+            .open(p)
+            .map_err(|e| format_err!("Unable to open {}: {}", p.display(), e))?;
+        write!(&mut f,
+               "# Netscape HTTP Cookie File\n\
+               # https://curl.haxx.se/docs/http-cookies.html\n\
+               # This file was generated by moonfire-nvr login! Edit at your own risk.\n\n\
+               {}\n", curl_cookie(encoded, flags, d))?;
+        f.sync_all()?;
+        println!("Wrote cookie to {}", p.display());
+    } else {
+        println!("s={}", encoded);
+    }
+    Ok(())
+}
+
+fn curl_cookie(cookie: &str, flags: i32, domain: &str) -> String {
+    format!("{httponly}{domain}\t{tailmatch}\t{path}\t{secure}\t{expires}\t{name}\t{value}",
+            httponly=if (flags & SessionFlags::HttpOnly as i32) != 0 { "#HttpOnly_" } else { "" },
+            domain=domain,
+            tailmatch="FALSE",
+            path="/",
+            secure=if (flags & SessionFlags::Secure as i32) != 0 { "TRUE" } else { "FALSE" },
+            expires="9223372036854775807",  // 64-bit CURL_OFF_T_MAX, never expires
+            name="s",
+            value=cookie)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_args() {
+        let args: Args = docopt::Docopt::new(USAGE).unwrap()
+            .argv(&["nvr", "login", "--curl-cookie-jar=foo.txt", "slamb"])
+            .deserialize().unwrap();
+        assert_eq!(args, Args {
+            flag_db_dir: "/var/lib/moonfire-nvr/db".to_owned(),
+            flag_curl_cookie_jar: Some(PathBuf::from("foo.txt")),
+            flag_session_flags: "http-only,secure,same-site,same-site-strict".to_owned(),
+            arg_username: "slamb".to_owned(),
+            ..Default::default()
+        });
+    }
+
+    #[test]
+    fn test_curl_cookie() {
+        assert_eq!(curl_cookie("o3mx3OntO7GzwwsD54OuyQ4IuipYrwPR2aiULPHSudAa+xIhwWjb+w1TnGRh8Z5Q",
+                               SessionFlags::HttpOnly as i32, "localhost"),
+                   "#HttpOnly_localhost\tFALSE\t/\tFALSE\t9223372036854775807\ts\t\
+                   o3mx3OntO7GzwwsD54OuyQ4IuipYrwPR2aiULPHSudAa+xIhwWjb+w1TnGRh8Z5Q");
+    }
+}

src/cmds/mod.rs

@@ -38,6 +38,7 @@ use std::path::Path;
 
 mod check;
 mod config;
+mod login;
 mod init;
 mod run;
 mod sql;
@@ -48,6 +49,7 @@ mod upgrade;
 pub enum Command {
     Check,
     Config,
+    Login,
     Init,
     Run,
     Sql,
@@ -60,6 +62,7 @@ impl Command {
         match *self {
             Command::Check => check::run(),
             Command::Config => config::run(),
+            Command::Login => login::run(),
             Command::Init => init::run(),
             Command::Run => run::run(),
             Command::Sql => sql::run(),

src/web.rs

@@ -579,7 +579,7 @@ impl ServiceInner {
                     (auth::SessionFlags::SameSite as i32) |
                     (auth::SessionFlags::SameSiteStrict as i32) |
                     if is_secure { (auth::SessionFlags::Secure as i32) } else { 0 };
-        let (sid, _) = l.login_by_password(authreq, &username, password.into_owned(), domain,
+        let (sid, _) = l.login_by_password(authreq, &username, password.into_owned(), Some(domain),
             flags)
             .map_err(|e| plain_response(StatusCode::UNAUTHORIZED, e.to_string()))?;
         let s_suffix = if is_secure {