File: auth.go

package info (click to toggle)
ipp-usb 0.9.30-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 756 kB
  • sloc: sh: 80; makefile: 40
file content (349 lines) | stat: -rw-r--r-- 8,086 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
 
/* ipp-usb - HTTP reverse proxy, backed by IPP-over-USB connection to device
 *
 * Copyright (C) 2020 and up by Alexander Pevzner (pzz@apevzner.com)
 * See LICENSE for license terms and conditions
 *
 * Authentication
 */

package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"os/user"
	"runtime"
	"strconv"
	"strings"
	"sync"
	"time"
)

// AuthUIDRule represents a single rule for client authentication
// based on client UID
type AuthUIDRule struct {
	Name    string  // @name means group, * means any
	Allowed AuthOps // Allowed operations
}

// IsUser tells if rule is a user rule
func (rule *AuthUIDRule) IsUser() bool {
	return !rule.IsGroup()
}

// IsGroup tells if rule is a group rule
func (rule *AuthUIDRule) IsGroup() bool {
	return strings.HasPrefix(rule.Name, "@")
}

// MatchUser matches rule against user name
func (rule *AuthUIDRule) MatchUser(name string) AuthOps {
	if rule.IsGroup() {
		return 0
	}

	if rule.Name == "*" || rule.Name == name {
		return rule.Allowed
	}

	return 0
}

// MatchGroup matches rule against group name
func (rule *AuthUIDRule) MatchGroup(name string) AuthOps {
	if !rule.IsGroup() {
		return 0
	}

	ruleName := rule.Name[1:] // Strip leading '@'
	if ruleName == "*" || ruleName == name {
		return rule.Allowed
	}

	return 0
}

// AuthOps is bitmask of allowed operations
type AuthOps int

// AuthOps values
const (
	AuthOpsConfig AuthOps = 1 << iota // Configuration web console
	AuthOpsFax                        // Faxing
	AuthOpsPrint                      // Printing
	AuthOpsScan                       // Scanning

	// All and None of above
	AuthOpsAll = AuthOpsConfig | AuthOpsFax | AuthOpsPrint |
		AuthOpsScan
	AuthOpsNone AuthOps = 0
)

// String returns string representation of AuthOps flags, for debugging.
func (ops AuthOps) String() string {
	if ops == 0 {
		return "none"
	}

	s := []string{}

	if ops&AuthOpsConfig != 0 {
		s = append(s, "config")
	}

	if ops&AuthOpsFax != 0 {
		s = append(s, "fax")
	}

	if ops&AuthOpsPrint != 0 {
		s = append(s, "print")
	}

	if ops&AuthOpsScan != 0 {
		s = append(s, "scan")
	}

	return strings.Join(s, ",")
}

// AuthUIDinfo is the resolved and cached UID info, for matching
type AuthUIDinfo struct {
	UsrNames []string  // User (numerical and symbolic) names
	GrpNames []string  // Group names (numerical and symbolic)
	expires  time.Time // Expiration time, for caching
}

// authUIDinfoCache contains authUIDinfo cache, indexed by UID
var (
	authUIDinfoCache     = make(map[int]*AuthUIDinfo)
	authUIDinfoCacheLock sync.Mutex
)

// authUIDinfoCacheTTL is the expiration timeout for authUIDinfoCache
const authUIDinfoCacheTTL = 2 * time.Second

// AuthUIDinfoLookup performs AuthUIDinfo lookup by UID.
func AuthUIDinfoLookup(uid int) (*AuthUIDinfo, error) {
	// UID is not known. Use "*" user/group names, as promised
	// by documentation
	if uid == -1 {
		info := &AuthUIDinfo{
			UsrNames: []string{"*"},
			GrpNames: []string{"*"},
			expires:  time.Now().Add(authUIDinfoCacheTTL),
		}

		return info, nil
	}

	// Lookup authUIDinfoCache
	authUIDinfoCacheLock.Lock()
	info := authUIDinfoCache[uid]
	authUIDinfoCacheLock.Unlock()

	if info != nil && info.expires.After(time.Now()) {
		return info, nil
	}

	// Resolve user names for matching
	// Also populates grpIDs with numeric group IDs
	usrNames := []string{strconv.Itoa(uid)}
	grpIDs := []string{}

	usr, err := user.LookupId(usrNames[0])
	if err != nil {
		return nil, err
	}

	usrNames = append(usrNames, usr.Username)
	grpIDs = append(grpIDs, usr.Gid)

	grpids, err := usr.GroupIds()
	if err != nil {
		return nil, err
	}

	grpIDs = append(grpIDs, grpids...)

	// Resolve group IDs to names
	grpNames := append([]string{}, grpIDs...)
	for _, gid := range grpIDs {
		grp, err := user.LookupGroupId(gid)
		if err != nil {
			return nil, err
		}

		grpNames = append(grpNames, grp.Name)
	}

	// Update cache
	info = &AuthUIDinfo{
		UsrNames: usrNames,
		GrpNames: grpNames,
		expires:  time.Now().Add(authUIDinfoCacheTTL),
	}

	authUIDinfoCacheLock.Lock()
	authUIDinfoCache[uid] = info
	authUIDinfoCacheLock.Unlock()

	// Return the answer
	return info, nil
}

// AuthUID returns operations allowed to client with given UID
// uid == -1 indicates that UID is not available (i.e., external
// connection)
func AuthUID(info *AuthUIDinfo) AuthOps {
	// Everything is allowed if authentication is not configured
	if Conf.ConfAuthUID == nil {
		return AuthOpsAll
	}

	// Apply rules
	allowed := AuthOpsNone

	for _, rule := range Conf.ConfAuthUID {
		if rule.IsUser() {
			for _, usr := range info.UsrNames {
				allowed |= rule.MatchUser(usr)
			}
		} else {
			for _, grp := range info.GrpNames {
				allowed |= rule.MatchGroup(grp)
			}
		}
	}

	return allowed
}

// authUIDrequiresUID tells if UID authentication really requires UID.
// UID is not required, if either authentication is not configured, or
// there is no rules with non-wildcard UID.
func authUIDrequiresUID() bool {
	for _, rule := range Conf.ConfAuthUID {
		if rule.Name != "*" && rule.Name != "@*" {
			return true
		}
	}

	return false
}

// AuthHTTPRequest performs authentication for the incoming
// HTTP request
//
// On success, status is http.StatusOK and err is nil.
// Otherwise, status is appropriate for HTTP error response,
// and err explains the reason
func AuthHTTPRequest(log *Logger,
	client, server *net.TCPAddr,
	rq *http.Request) (status int, err error) {

	// Guess the operation by URL
	post := rq.Method == "POST"
	ops := AuthOpsConfig // The default
	switch {
	case post && strings.HasPrefix(rq.URL.Path, "/ipp/print"):
		ops = AuthOpsPrint
	case post && strings.HasPrefix(rq.URL.Path, "/ipp/faxout"):
		ops = AuthOpsFax
	case strings.HasPrefix(rq.URL.Path, "/eSCL"):
		ops = AuthOpsScan
	}

	log.Debug(' ', "auth: operation requested: %s (HTTP %s %s)",
		ops, rq.Method, rq.URL)

	// Check if client and server addresses are both local
	addrs, err := net.InterfaceAddrs()
	if err != nil {
		err = fmt.Errorf("can't get local IP addresses: %s", err)
		log.Error('!', "auth: %s", err)

		return http.StatusInternalServerError, err
	}

	clientIsLocal := client.IP.IsLoopback()
	serverIsLocal := server.IP.IsLoopback()

	for _, addr := range addrs {
		if clientIsLocal && serverIsLocal {
			// Both addresses known to be local,
			// we don't need to continue
			break
		}

		if ip, ok := addr.(*net.IPNet); ok {
			if client.IP.Equal(ip.IP) {
				clientIsLocal = true
			}

			if server.IP.Equal(ip.IP) {
				serverIsLocal = true
			}
		}
	}

	log.Debug(' ', "auth: address check:")
	log.Debug(' ', "  client-addr %s local=%v", client.IP, clientIsLocal)
	log.Debug(' ', "  server-addr %s local=%v", server.IP, serverIsLocal)

	// Do we need UID?
	uid := -1
	reason := ""

	switch {
	case !clientIsLocal || !serverIsLocal:
		reason = "non-local connection"
	case !TCPClientUIDSupported():
		reason = fmt.Sprintf("UID auth not supported on %s",
			runtime.GOOS)
	case !authUIDrequiresUID():
		reason = "auth rules don't use UID"
	}

	// Obtain UID, if we really need it
	if reason == "" {
		uid, err = TCPClientUID(client, server)
		if err != nil {
			err = fmt.Errorf("can't get client UID: %s",
				err)
			log.Error('!', "auth: %s", err)
			return http.StatusInternalServerError, err
		}

		log.Debug(' ', "auth: client UID=%d", uid)
	} else {
		log.Debug(' ', "auth: client UID=%d (%s)", uid, reason)
	}

	// Lookup UID info
	info, err := AuthUIDinfoLookup(uid)
	if err != nil {
		err = fmt.Errorf("can't resolve UID %d: %s", uid, err)
		log.Error('!', "auth: %s", err)
		return 0, err
	}

	log.Debug(' ', "auth: UID %d resolved:", uid)
	log.Debug(' ', "  user names:  %s", strings.Join(info.UsrNames, ","))
	log.Debug(' ', "  group names: %s", strings.Join(info.GrpNames, ","))

	// Authenticate
	allowed := AuthUID(info)
	log.Debug(' ', "auth: allowed operations: %s", allowed)

	if ops&allowed != AuthOpsNone {
		log.Debug(' ', "auth: access granted")
		return http.StatusOK, nil
	}

	err = errors.New("Operation not allowed. See ipp-usb.conf for details")
	log.Error('!', "auth: %s", err)

	return http.StatusForbidden, err
}