gotd/auth.c

   1 /*
   2  * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
   3  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
   4  *
   5  * Permission to use, copy, modify, and distribute this software for any
   6  * purpose with or without fee is hereby granted, provided that the above
   7  * copyright notice and this permission notice appear in all copies.
   8  *
   9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  16  */
  17
  18 #include "got_compat.h"
  19
  20 #include <sys/types.h>
  21 #include <sys/socket.h>
  22 #include <sys/queue.h>
  23 #include <sys/uio.h>
  24
  25 #include <errno.h>
  26 #include <event.h>
  27 #include <limits.h>
  28 #include <pwd.h>
  29 #include <grp.h>
  30 #include <signal.h>
  31 #include <stdint.h>
  32 #include <stdio.h>
  33 #include <stdlib.h>
  34 #include <string.h>
  35 #include <imsg.h>
  36 #include <unistd.h>
  37
  38 #include "got_error.h"
  39 #include "got_path.h"
  40
  41 #include "gotd.h"
  42 #include "log.h"
  43 #include "auth.h"
  44
  45 static struct gotd_auth {
  46         pid_t pid;
  47         const char *title;
  48         struct gotd_repo *repo;
  49 } gotd_auth;
  50
  51 static void auth_shutdown(void);
  52
  53 static void
  54 auth_sighdlr(int sig, short event, void *arg)
  55 {
  56         /*
  57          * Normal signal handler rules don't apply because libevent
  58          * decouples for us.
  59          */
  60
  61         switch (sig) {
  62         case SIGHUP:
  63                 break;
  64         case SIGUSR1:
  65                 break;
  66         case SIGTERM:
  67         case SIGINT:
  68                 auth_shutdown();
  69                 /* NOTREACHED */
  70                 break;
  71         default:
  72                 fatalx("unexpected signal");
  73         }
  74 }
  75
  76 static int
  77 uidcheck(const char *s, uid_t desired)
  78 {
  79         uid_t uid;
  80
  81         if (gotd_parseuid(s, &uid) != 0)
  82                 return -1;
  83         if (uid != desired)
  84                 return -1;
  85         return 0;
  86 }
  87
  88 static int
  89 parsegid(const char *s, gid_t *gid)
  90 {
  91         struct group *gr;
  92         const char *errstr;
  93
  94         if ((gr = getgrnam(s)) != NULL) {
  95                 *gid = gr->gr_gid;
  96                 if (*gid == GID_MAX)
  97                         return -1;
  98                 return 0;
  99         }
 100         *gid = strtonum(s, 0, GID_MAX - 1, &errstr);
 101         if (errstr)
 102                 return -1;
 103         return 0;
 104 }
 105
 106 static int
 107 match_identifier(const char *identifier, gid_t *groups, int ngroups,
 108     uid_t euid, gid_t egid)
 109 {
 110         int i;
 111
 112         if (identifier[0] == ':') {
 113                 gid_t rgid;
 114                 if (parsegid(identifier + 1, &rgid) == -1)
 115                         return 0;
 116                 if (rgid == egid)
 117                         return 1;
 118                 for (i = 0; i < ngroups; i++) {
 119                         if (rgid == groups[i])
 120                                 break;
 121                 }
 122                 if (i == ngroups)
 123                         return 0;
 124         } else if (uidcheck(identifier, euid) != 0)
 125                 return 0;
 126
 127         return 1;
 128 }
 129
 130 static const struct got_error *
 131 auth_check(struct gotd_access_rule_list *rules, const char *repo_name,
 132     uid_t euid, gid_t egid, int required_auth)
 133 {
 134         struct gotd_access_rule *rule;
 135         enum gotd_access access = GOTD_ACCESS_DENIED;
 136         struct passwd *pw;
 137         gid_t groups[NGROUPS_MAX];
 138         int ngroups = NGROUPS_MAX;
 139
 140         pw = getpwuid(euid);
 141         if (pw == NULL) {
 142                 if (errno)
 143                         return got_error_from_errno("getpwuid");
 144                 else
 145                         return got_error_set_errno(EACCES, repo_name);
 146         }
 147
 148         if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1)
 149                 log_warnx("group membership list truncated");
 150
 151         STAILQ_FOREACH(rule, rules, entry) {
 152                 if (!match_identifier(rule->identifier, groups, ngroups,
 153                     euid, egid))
 154                         continue;
 155
 156                 access = rule->access;
 157                 if (rule->access == GOTD_ACCESS_PERMITTED &&
 158                     (rule->authorization & required_auth) != required_auth)
 159                         access = GOTD_ACCESS_DENIED;
 160         }
 161
 162         if (access == GOTD_ACCESS_DENIED)
 163                 return got_error_set_errno(EACCES, repo_name);
 164
 165         if (access == GOTD_ACCESS_PERMITTED)
 166                 return NULL;
 167
 168         /* should not happen, this would be a bug */
 169         return got_error_msg(GOT_ERR_NOT_IMPL, "bad access rule");
 170 }
 171
 172 static const struct got_error *
 173 recv_authreq(struct imsg *imsg, struct gotd_imsgev *iev)
 174 {
 175         const struct got_error *err;
 176         struct imsgbuf *ibuf = &iev->ibuf;
 177         struct gotd_imsg_auth iauth;
 178         size_t datalen;
 179         uid_t euid;
 180         gid_t egid;
 181
 182         log_debug("authentication request received");
 183
 184         datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
 185         if (datalen != sizeof(iauth))
 186                 return got_error(GOT_ERR_PRIVSEP_LEN);
 187
 188         memcpy(&iauth, imsg->data, datalen);
 189
 190         if (imsg->fd == -1)
 191                 return got_error(GOT_ERR_PRIVSEP_NO_FD);
 192
 193         if (getpeereid(imsg->fd, &euid, &egid) == -1)
 194                 return got_error_from_errno("getpeerid");
 195
 196         if (iauth.euid != euid)
 197                 return got_error(GOT_ERR_UID);
 198         if (iauth.egid != egid)
 199                 return got_error(GOT_ERR_GID);
 200
 201         log_debug("authenticating uid %d gid %d", euid, egid);
 202
 203         err = auth_check(&gotd_auth.repo->rules, gotd_auth.repo->name,
 204             iauth.euid, iauth.egid, iauth.required_auth);
 205         if (err) {
 206                 gotd_imsg_send_error(ibuf, PROC_AUTH, iauth.client_id, err);
 207                 return err;
 208         }
 209
 210         if (gotd_imsg_compose_event(iev, GOTD_IMSG_ACCESS_GRANTED,
 211             PROC_AUTH, -1, NULL, 0) == -1)
 212                 return got_error_from_errno("imsg compose ACCESS_GRANTED");
 213
 214         return NULL;
 215 }
 216
 217 static void
 218 auth_dispatch(int fd, short event, void *arg)
 219 {
 220         const struct got_error *err = NULL;
 221         struct gotd_imsgev *iev = arg;
 222         struct imsgbuf *ibuf = &iev->ibuf;
 223         struct imsg imsg;
 224         ssize_t n;
 225         int shut = 0;
 226
 227         if (event & EV_READ) {
 228                 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
 229                         fatal("imsg_read error");
 230                 if (n == 0)     /* Connection closed. */
 231                         shut = 1;
 232         }
 233
 234         if (event & EV_WRITE) {
 235                 n = msgbuf_write(&ibuf->w);
 236                 if (n == -1 && errno != EAGAIN)
 237                         fatal("msgbuf_write");
 238                 if (n == 0)     /* Connection closed. */
 239                         shut = 1;
 240         }
 241
 242         for (;;) {
 243                 if ((n = imsg_get(ibuf, &imsg)) == -1)
 244                         fatal("%s: imsg_get", __func__);
 245                 if (n == 0)     /* No more messages. */
 246                         break;
 247
 248                 switch (imsg.hdr.type) {
 249                 case GOTD_IMSG_AUTHENTICATE:
 250                         err = recv_authreq(&imsg, iev);
 251                         if (err)
 252                                 log_warnx("%s", err->msg);
 253                         break;
 254                 default:
 255                         log_debug("unexpected imsg %d", imsg.hdr.type);
 256                         break;
 257                 }
 258
 259                 imsg_free(&imsg);
 260         }
 261
 262         if (!shut) {
 263                 gotd_imsg_event_add(iev);
 264         } else {
 265                 /* This pipe is dead. Remove its event handler */
 266                 event_del(&iev->ev);
 267                 event_loopexit(NULL);
 268         }
 269 }
 270
 271 void
 272 auth_main(const char *title, struct gotd_repolist *repos,
 273     const char *repo_path)
 274 {
 275         struct gotd_repo *repo = NULL;
 276         struct gotd_imsgev iev;
 277         struct event evsigint, evsigterm, evsighup, evsigusr1;
 278
 279         gotd_auth.title = title;
 280         gotd_auth.pid = getpid();
 281         TAILQ_FOREACH(repo, repos, entry) {
 282                 if (got_path_cmp(repo->path, repo_path,
 283                     strlen(repo->path), strlen(repo_path)) == 0)
 284                         break;
 285         }
 286         if (repo == NULL)
 287                 fatalx("repository %s not found in config", repo_path);
 288         gotd_auth.repo = repo;
 289
 290         signal_set(&evsigint, SIGINT, auth_sighdlr, NULL);
 291         signal_set(&evsigterm, SIGTERM, auth_sighdlr, NULL);
 292         signal_set(&evsighup, SIGHUP, auth_sighdlr, NULL);
 293         signal_set(&evsigusr1, SIGUSR1, auth_sighdlr, NULL);
 294         signal(SIGPIPE, SIG_IGN);
 295
 296         signal_add(&evsigint, NULL);
 297         signal_add(&evsigterm, NULL);
 298         signal_add(&evsighup, NULL);
 299         signal_add(&evsigusr1, NULL);
 300
 301         imsg_init(&iev.ibuf, GOTD_FILENO_MSG_PIPE);
 302         iev.handler = auth_dispatch;
 303         iev.events = EV_READ;
 304         iev.handler_arg = NULL;
 305         event_set(&iev.ev, iev.ibuf.fd, EV_READ, auth_dispatch, &iev);
 306         if (event_add(&iev.ev, NULL) == -1)
 307                 fatalx("event add");
 308
 309         event_dispatch();
 310
 311         auth_shutdown();
 312 }
 313
 314 static void
 315 auth_shutdown(void)
 316 {
 317         log_debug("shutting down");
 318         exit(0);
 319 }