MyFavMirrors
/
moonfire-nvr
mirror of https://github.com/scottlamb/moonfire-nvr.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add "moonfire-nvr login username" command 

This should be useful when creating sessions for robot users without
ever having to set a password for them.
This commit is contained in:
Scott Lamb 2019-06-19 22:54:46 -07:00
parent 004aa5d6ce
commit 49a8e5c5a1
5 changed files with 221 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
db/auth.rs
View File

@ -210,7 +210,7 @@ pub enum RevocationReason {
pub struct Session {
user_id: i32,
flags: i32, // bitmask of SessionFlags enum values
domain: Vec<u8>,
domain: Option<Vec<u8>>,
description: Option<String>,
seed: Seed,
@ -490,14 +490,18 @@ impl State {
Ok(())
}
pub fn get_user(&self, username: &str) -> Option<&User> {
self.users_by_name
.get(username)
.map(|id| self.users_by_id.get(id).expect("users_by_name implies users_by_id"))
}
pub fn login_by_password(&mut self, conn: &Connection, req: Request, username: &str,
password: String, domain: Vec<u8>, session_flags: i32)
password: String, domain: Option<Vec<u8>>, session_flags: i32)
-> Result<(RawSessionId, &Session), Error> {
let id = match self.users_by_name.get(username) {
None => bail!("no such user {:?}", username),
Some(&id) => id,
};
let u = self.users_by_id.get_mut(&id).expect("users_by_name implies users_by_id");
let id = self.users_by_name.get(username)
.ok_or_else(|| format_err!("no such user {:?}", username))?;
let u = self.users_by_id.get_mut(id).expect("users_by_name implies users_by_id");
if u.disabled() {
bail!("user {:?} is disabled", username);
}
@ -521,12 +525,24 @@ impl State {
u.dirty = true;
}
let password_id = u.password_id;
State::make_session(conn, req, u, domain, Some(password_id), session_flags,
State::make_session_int(conn, req, u, domain, Some(password_id), session_flags,
&mut self.sessions, u.permissions.clone())
}
fn make_session<'s>(conn: &Connection, creation: Request, user: &mut User, domain: Vec<u8>,
creation_password_id: Option<i32>, flags: i32,
/// Makes a session directly (no password required).
pub fn make_session<'s>(&'s mut self, conn: &Connection, creation: Request, uid: i32,
domain: Option<Vec<u8>>, flags: i32, permissions: Permissions)
-> Result<(RawSessionId, &'s Session), Error> {
let u = self.users_by_id.get_mut(&uid).ok_or_else(|| format_err!("no such uid {:?}", uid))?;
if u.disabled() {
bail!("user is disabled");
}
State::make_session_int(conn, creation, u, domain, None, flags, &mut self.sessions,
permissions)
}
fn make_session_int<'s>(conn: &Connection, creation: Request, user: &mut User,
domain: Option<Vec<u8>>, creation_password_id: Option<i32>, flags: i32,
sessions: &'s mut FnvHashMap<SessionHash, Session>,
permissions: Permissions)
-> Result<(RawSessionId, &'s Session), Error> {

12
db/db.rs
View File

@ -1774,12 +1774,22 @@ impl LockedDatabase {
self.auth.delete_user(&mut self.conn, id)
}
pub fn get_user(&self, username: &str) -> Option<&User> {
self.auth.get_user(username)
}
pub fn login_by_password(&mut self, req: auth::Request, username: &str, password: String,
domain: Vec<u8>, session_flags: i32)
domain: Option<Vec<u8>>, session_flags: i32)
-> Result<(RawSessionId, &Session), Error> {
self.auth.login_by_password(&self.conn, req, username, password, domain, session_flags)
}
pub fn make_session(&mut self, creation: Request, uid: i32,
domain: Option<Vec<u8>>, flags: i32, permissions: schema::Permissions)
-> Result<(RawSessionId, &Session), Error> {
self.auth.make_session(&self.conn, creation, uid, domain, flags, permissions)
}
pub fn authenticate_session(&mut self, req: auth::Request, sid: &auth::SessionHash)
-> Result<(&auth::Session, &User), Error> {
self.auth.authenticate_session(&self.conn, req, sid)

177
src/cmds/login.rs Normal file
View File

@ -0,0 +1,177 @@
// This file is part of Moonfire NVR, a security camera network video recorder.
// Copyright (C) 2019 Scott Lamb <slamb@slamb.org>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// In addition, as a special exception, the copyright holders give
// permission to link the code of portions of this program with the
// OpenSSL library under certain conditions as described in each
// individual source file, and distribute linked combinations including
// the two.
//
// You must obey the GNU General Public License in all respects for all
// of the code used other than OpenSSL. If you modify file(s) with this
// exception, you may extend this exception to your version of the
// file(s), but you are not obligated to do so. If you do not wish to do
// so, delete this exception statement from your version. If you delete
// this exception statement from all source files in the program, then
// also delete it here.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//! Subcommand to login a user (without requiring a password).
use base::clock::{self, Clocks};
use db::auth::SessionFlags;
use failure::{Error, bail, format_err};
use serde::Deserialize;
use std::os::unix::fs::OpenOptionsExt as _;
use std::io::Write as _;
use std::path::PathBuf;
static USAGE: &'static str = r#"
Logs in a user, returning the session cookie.
This is a privileged command that directly accesses the database. It doesn't
check the user's password and even can be used to create sessions with
permissions the user doesn't have.
Usage:
moonfire-nvr login [options] <username>
moonfire-nvr login --help
Options:
--db-dir=DIR Set the directory holding the SQLite3 index database. This
is typically on a flash device.
[default: /var/lib/moonfire-nvr/db]
--permissions=PERMISSIONS
Create a session with the given permissions. If
unspecified, uses user's default permissions.
--domain=DOMAIN The domain this cookie lives on. Optional.
--curl-cookie-jar=FILE
Writes the cookie to a new curl-compatible cookie-jar
file. --domain must be specified. This can be used later
with curl's --cookie flag.
--session-flags=FLAGS
Set the given db::auth::SessionFlags.
[default: http-only,secure,same-site,same-site-strict]
"#;
#[derive(Debug, Default, Deserialize, Eq, PartialEq)]
struct Args {
flag_db_dir: String,
flag_permissions: Option<String>,
flag_domain: Option<String>,
flag_curl_cookie_jar: Option<PathBuf>,
flag_session_flags: String,
arg_username: String,
}
pub fn run() -> Result<(), Error> {
let args: Args = super::parse_args(USAGE)?;
let clocks = clock::RealClocks {};
let (_db_dir, conn) = super::open_conn(&args.flag_db_dir, super::OpenMode::ReadWrite)?;
let db = std::sync::Arc::new(db::Database::new(clocks.clone(), conn, true).unwrap());
let mut l = db.lock();
let u = l.get_user(&args.arg_username)
.ok_or_else(|| format_err!("no such user {:?}", &args.arg_username))?;
let permissions = match args.flag_permissions {
None => u.permissions.clone(),
Some(s) => protobuf::text_format::parse_from_str(&s)
.map_err(|_| format_err!("unable to parse --permissions"))?
};
let creation = db::auth::Request {
when_sec: Some(db.clocks().realtime().sec),
user_agent: None,
addr: None,
};
let mut flags = 0;
for f in args.flag_session_flags.split(',') {
flags |= match f {
"http-only" => SessionFlags::HttpOnly,
"secure" => SessionFlags::Secure,
"same-site" => SessionFlags::SameSite,
"same-site-strict" => SessionFlags::SameSiteStrict,
_ => bail!("unknown session flag {:?}", f),
} as i32;
}
let uid = u.id;
drop(u);
let (sid, _) = l.make_session(creation, uid,
args.flag_domain.as_ref().map(|d| d.as_bytes().to_owned()),
flags, permissions)?;
let mut encoded = [0u8; 64];
base64::encode_config_slice(&sid, base64::STANDARD_NO_PAD, &mut encoded);
let encoded = std::str::from_utf8(&encoded[..]).expect("base64 is valid UTF-8");
if let Some(ref p) = args.flag_curl_cookie_jar {
let d = args.flag_domain.as_ref()
.ok_or_else(|| format_err!("--cookiejar requires --domain"))?;
let mut f = std::fs::OpenOptions::new()
.write(true)
.create_new(true)
.mode(0o600)
.open(p)
.map_err(|e| format_err!("Unable to open {}: {}", p.display(), e))?;
write!(&mut f,
"# Netscape HTTP Cookie File\n\
# https://curl.haxx.se/docs/http-cookies.html\n\
# This file was generated by moonfire-nvr login! Edit at your own risk.\n\n\
{}\n", curl_cookie(encoded, flags, d))?;
f.sync_all()?;
println!("Wrote cookie to {}", p.display());
} else {
println!("s={}", encoded);
}
Ok(())
}
fn curl_cookie(cookie: &str, flags: i32, domain: &str) -> String {
format!("{httponly}{domain}\t{tailmatch}\t{path}\t{secure}\t{expires}\t{name}\t{value}",
httponly=if (flags & SessionFlags::HttpOnly as i32) != 0 { "#HttpOnly_" } else { "" },
domain=domain,
tailmatch="FALSE",
path="/",
secure=if (flags & SessionFlags::Secure as i32) != 0 { "TRUE" } else { "FALSE" },
expires="9223372036854775807", // 64-bit CURL_OFF_T_MAX, never expires
name="s",
value=cookie)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_args() {
let args: Args = docopt::Docopt::new(USAGE).unwrap()
.argv(&["nvr", "login", "--curl-cookie-jar=foo.txt", "slamb"])
.deserialize().unwrap();
assert_eq!(args, Args {
flag_db_dir: "/var/lib/moonfire-nvr/db".to_owned(),
flag_curl_cookie_jar: Some(PathBuf::from("foo.txt")),
flag_session_flags: "http-only,secure,same-site,same-site-strict".to_owned(),
arg_username: "slamb".to_owned(),
..Default::default()
});
}
#[test]
fn test_curl_cookie() {
assert_eq!(curl_cookie("o3mx3OntO7GzwwsD54OuyQ4IuipYrwPR2aiULPHSudAa+xIhwWjb+w1TnGRh8Z5Q",
SessionFlags::HttpOnly as i32, "localhost"),
"#HttpOnly_localhost\tFALSE\t/\tFALSE\t9223372036854775807\ts\t\
o3mx3OntO7GzwwsD54OuyQ4IuipYrwPR2aiULPHSudAa+xIhwWjb+w1TnGRh8Z5Q");
}
}

3
src/cmds/mod.rs
View File

@ -38,6 +38,7 @@ use std::path::Path;
mod check;
mod config;
mod login;
mod init;
mod run;
mod sql;
@ -48,6 +49,7 @@ mod upgrade;
pub enum Command {
Check,
Config,
Login,
Init,
Run,
Sql,
@ -60,6 +62,7 @@ impl Command {
match *self {
Command::Check => check::run(),
Command::Config => config::run(),
Command::Login => login::run(),
Command::Init => init::run(),
Command::Run => run::run(),
Command::Sql => sql::run(),

2
src/web.rs
View File

@ -579,7 +579,7 @@ impl ServiceInner {
(auth::SessionFlags::SameSite as i32) |
(auth::SessionFlags::SameSiteStrict as i32) |
if is_secure { (auth::SessionFlags::Secure as i32) } else { 0 };
let (sid, _) = l.login_by_password(authreq, &username, password.into_owned(), domain,
let (sid, _) = l.login_by_password(authreq, &username, password.into_owned(), Some(domain),
flags)
.map_err(|e| plain_response(StatusCode::UNAUTHORIZED, e.to_string()))?;
let s_suffix = if is_secure {