Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User-List Control for PAM Authentication #326

Merged
merged 4 commits into from
Sep 24, 2024
Merged

User-List Control for PAM Authentication #326

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c245410
user list for pam auth
huangyxi Sep 20, 2024
7c6f4a7
docs
huangyxi Sep 22, 2024
bd8bebc
name & type
huangyxi Sep 22, 2024
d8d81bf
raise exception
huangyxi Sep 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions docs/source/user_guide_configure.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -416,6 +416,11 @@ known user accounts::

pam_dc:
service: "login"
allow_users: "all"
#: or "current" for the current user, or a list of user names like deny_users
# deny_users:
# - "root"
# - "daemon"

If no config file is used, PAM authentication can be enabled on the command
line like::
Expand Down
26 changes: 26 additions & 0 deletions wsgidav/dc/pam_dc.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@

See https://wsgidav.readthedocs.io/en/latest/user_guide_configure.html
"""
import os
import threading

from wsgidav import util
Expand Down Expand Up @@ -37,6 +38,16 @@ def __init__(self, wsgidav_app, config):
self.pam_service = dc_conf.get("service", "login")
self.pam_encoding = dc_conf.get("encoding", "utf-8")
self.pam_resetcreds = dc_conf.get("resetcreds", True)
self.allow_users = dc_conf.get("allow_users", "all")
if not (self.allow_users in ("all", "current") or isinstance(self.allow_users, list)):
raise ValueError(
f"Invalid 'allow_users' value: {self.allow_users!r}, expected 'all', 'current' or list of allowed users."
)
self.deny_users = dc_conf.get("deny_users", [])
if not isinstance(self.deny_users, list):
raise ValueError(
f"Invalid 'deny_users' value: {self.deny_users!r}, expected list of denied users."
)

def __str__(self):
return f"{self.__class__.__name__}({self.pam_service!r})"
Expand All @@ -47,8 +58,23 @@ def get_domain_realm(self, path_info, environ):
def require_authentication(self, realm, environ):
return True

def _validate_user(self, user_name):
if user_name in self.deny_users:
mar10 marked this conversation as resolved.
Show resolved Hide resolved
return False
if self.allow_users == "all":
return True
if self.allow_users == "current":
if user_name == os.getlogin():
return True
if user_name in self.allow_users:
return True
return False

def basic_auth_user(self, realm, user_name, password, environ):
# Seems that python_pam is not threadsafe (#265)
if not self._validate_user(user_name):
_logger.warning(f"User {user_name!r} is not allowed.")
return False
with self.lock:
is_ok = self.pam.authenticate(
user_name,
Expand Down
Loading