gotd/auth.c

   1 /*
   2  * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
   3  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
   4  *
   5  * Permission to use, copy, modify, and distribute this software for any
   6  * purpose with or without fee is hereby granted, provided that the above
   7  * copyright notice and this permission notice appear in all copies.
   8  *
   9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
  10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
  11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
  12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
  13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  16  */
  17
  18 #include "got_compat.h"
  19
  20 #include <sys/types.h>
  21 #include <sys/socket.h>
  22 #include <sys/queue.h>
  23 #include <sys/uio.h>
  24
  25 #include <errno.h>
  26 #include <event.h>
  27 #include <limits.h>
  28 #include <pwd.h>
  29 #include <grp.h>
  30 #include <signal.h>
  31 #include <stdint.h>
  32 #include <stdio.h>
  33 #include <stdlib.h>
  34 #include <string.h>
  35 #include <imsg.h>
  36 #include <unistd.h>
  37
  38 #include "got_error.h"
  39 #include "got_object.h"
  40 #include "got_path.h"
  41
  42 #include "gotd.h"
  43 #include "log.h"
  44 #include "auth.h"
  45
  46 static struct gotd_auth {
  47         pid_t pid;
  48         const char *title;
  49         struct gotd_repo *repo;
  50 } gotd_auth;
  51
  52 static void auth_shutdown(void);
  53
  54 static void
  55 auth_sighdlr(int sig, short event, void *arg)
  56 {
  57         /*
  58          * Normal signal handler rules don't apply because libevent
  59          * decouples for us.
  60          */
  61
  62         switch (sig) {
  63         case SIGHUP:
  64                 break;
  65         case SIGUSR1:
  66                 break;
  67         case SIGTERM:
  68         case SIGINT:
  69                 auth_shutdown();
  70                 /* NOTREACHED */
  71                 break;
  72         default:
  73                 fatalx("unexpected signal");
  74         }
  75 }
  76
  77 static int
  78 uidcheck(const char *s, uid_t desired)
  79 {
  80         uid_t uid;
  81
  82         if (gotd_parseuid(s, &uid) != 0)
  83                 return -1;
  84         if (uid != desired)
  85                 return -1;
  86         return 0;
  87 }
  88
  89 static int
  90 parsegid(const char *s, gid_t *gid)
  91 {
  92         struct group *gr;
  93         const char *errstr;
  94
  95         if ((gr = getgrnam(s)) != NULL) {
  96                 *gid = gr->gr_gid;
  97                 if (*gid == GID_MAX)
  98                         return -1;
  99                 return 0;
 100         }
 101         *gid = strtonum(s, 0, GID_MAX - 1, &errstr);
 102         if (errstr)
 103                 return -1;
 104         return 0;
 105 }
 106
 107 static int
 108 match_identifier(const char *identifier, gid_t *groups, int ngroups,
 109     uid_t euid, gid_t egid)
 110 {
 111         int i;
 112
 113         if (identifier[0] == ':') {
 114                 gid_t rgid;
 115                 if (parsegid(identifier + 1, &rgid) == -1)
 116                         return 0;
 117                 if (rgid == egid)
 118                         return 1;
 119                 for (i = 0; i < ngroups; i++) {
 120                         if (rgid == groups[i])
 121                                 break;
 122                 }
 123                 if (i == ngroups)
 124                         return 0;
 125         } else if (uidcheck(identifier, euid) != 0)
 126                 return 0;
 127
 128         return 1;
 129 }
 130
 131 static const struct got_error *
 132 auth_check(char **username, struct gotd_access_rule_list *rules,
 133     const char *repo_name, uid_t euid, gid_t egid, int required_auth)
 134 {
 135         struct gotd_access_rule *rule;
 136         enum gotd_access access = GOTD_ACCESS_DENIED;
 137         struct passwd *pw;
 138         gid_t groups[NGROUPS_MAX];
 139         int ngroups = NGROUPS_MAX;
 140         int matched_user = 0;
 141
 142         *username = NULL;
 143
 144         pw = getpwuid(euid);
 145         if (pw == NULL) {
 146                 if (errno)
 147                         return got_error_from_errno("getpwuid");
 148                 else
 149                         return got_error_set_errno(EACCES, repo_name);
 150         }
 151
 152         *username = strdup(pw->pw_name);
 153         if (*username == NULL)
 154                 return got_error_from_errno("strdup");
 155
 156         if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1)
 157                 log_warnx("group membership list truncated");
 158
 159         STAILQ_FOREACH(rule, rules, entry) {
 160                 if (!match_identifier(rule->identifier, groups, ngroups,
 161                     euid, egid))
 162                         continue;
 163
 164                 matched_user = 1;
 165                 access = rule->access;
 166                 if (rule->access == GOTD_ACCESS_PERMITTED &&
 167                     (rule->authorization & required_auth) != required_auth)
 168                         access = GOTD_ACCESS_DENIED;
 169         }
 170
 171         if (access == GOTD_ACCESS_DENIED) {
 172                 /*
 173                  * If a user has no explicit read or write access then
 174                  * do not leak the existence of a repository to them.
 175                  */
 176                 if (!matched_user)
 177                         return got_error(GOT_ERR_NOT_GIT_REPO);
 178                 else
 179                         return got_error_set_errno(EACCES, repo_name);
 180         }
 181
 182         if (access == GOTD_ACCESS_PERMITTED)
 183                 return NULL;
 184
 185         /* should not happen, this would be a bug */
 186         return got_error_msg(GOT_ERR_NOT_IMPL, "bad access rule");
 187 }
 188
 189 static const struct got_error *
 190 recv_authreq(struct imsg *imsg, struct gotd_imsgev *iev)
 191 {
 192         const struct got_error *err;
 193         struct imsgbuf *ibuf = &iev->ibuf;
 194         struct gotd_imsg_auth iauth;
 195         size_t datalen;
 196         uid_t euid;
 197         gid_t egid;
 198         char *username = NULL;
 199         size_t len;
 200         const size_t maxlen = MAX_IMSGSIZE - IMSG_HEADER_SIZE;
 201         int fd = -1;
 202
 203         log_debug("authentication request received");
 204
 205         datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
 206         if (datalen != sizeof(iauth))
 207                 return got_error(GOT_ERR_PRIVSEP_LEN);
 208
 209         memcpy(&iauth, imsg->data, datalen);
 210
 211         fd = imsg_get_fd(imsg);
 212         if (fd == -1)
 213                 return got_error(GOT_ERR_PRIVSEP_NO_FD);
 214
 215         if (getpeereid(fd, &euid, &egid) == -1)
 216                 return got_error_from_errno("getpeerid");
 217
 218         if (iauth.euid != euid)
 219                 return got_error(GOT_ERR_UID);
 220         if (iauth.egid != egid)
 221                 return got_error(GOT_ERR_GID);
 222
 223         log_debug("authenticating uid %d gid %d", euid, egid);
 224
 225         err = auth_check(&username, &gotd_auth.repo->rules,
 226             gotd_auth.repo->name, iauth.euid, iauth.egid, iauth.required_auth);
 227         if (err) {
 228                 gotd_imsg_send_error(ibuf, PROC_AUTH, iauth.client_id, err);
 229                 goto done;
 230         }
 231
 232         len = strlen(username);
 233         if (len > maxlen)
 234                 len = maxlen;
 235
 236         if (gotd_imsg_compose_event(iev, GOTD_IMSG_ACCESS_GRANTED,
 237             PROC_AUTH, -1, username, len) == -1)
 238                 err = got_error_from_errno("imsg compose ACCESS_GRANTED");
 239 done:
 240         free(username);
 241         return err;
 242 }
 243
 244 static void
 245 auth_dispatch(int fd, short event, void *arg)
 246 {
 247         const struct got_error *err = NULL;
 248         struct gotd_imsgev *iev = arg;
 249         struct imsgbuf *ibuf = &iev->ibuf;
 250         struct imsg imsg;
 251         ssize_t n;
 252         int shut = 0;
 253
 254         if (event & EV_READ) {
 255                 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
 256                         fatal("imsg_read error");
 257                 if (n == 0)     /* Connection closed. */
 258                         shut = 1;
 259         }
 260
 261         if (event & EV_WRITE) {
 262                 n = msgbuf_write(&ibuf->w);
 263                 if (n == -1 && errno != EAGAIN)
 264                         fatal("msgbuf_write");
 265                 if (n == 0)     /* Connection closed. */
 266                         shut = 1;
 267         }
 268
 269         for (;;) {
 270                 if ((n = imsg_get(ibuf, &imsg)) == -1)
 271                         fatal("%s: imsg_get", __func__);
 272                 if (n == 0)     /* No more messages. */
 273                         break;
 274
 275                 switch (imsg.hdr.type) {
 276                 case GOTD_IMSG_AUTHENTICATE:
 277                         err = recv_authreq(&imsg, iev);
 278                         if (err)
 279                                 log_warnx("%s", err->msg);
 280                         break;
 281                 default:
 282                         log_debug("unexpected imsg %d", imsg.hdr.type);
 283                         break;
 284                 }
 285
 286                 imsg_free(&imsg);
 287         }
 288
 289         if (!shut) {
 290                 gotd_imsg_event_add(iev);
 291         } else {
 292                 /* This pipe is dead. Remove its event handler */
 293                 event_del(&iev->ev);
 294                 event_loopexit(NULL);
 295         }
 296 }
 297
 298 void
 299 auth_main(const char *title, struct gotd_repolist *repos,
 300     const char *repo_path)
 301 {
 302         struct gotd_repo *repo = NULL;
 303         struct gotd_imsgev iev;
 304         struct event evsigint, evsigterm, evsighup, evsigusr1;
 305
 306         gotd_auth.title = title;
 307         gotd_auth.pid = getpid();
 308         TAILQ_FOREACH(repo, repos, entry) {
 309                 if (got_path_cmp(repo->path, repo_path,
 310                     strlen(repo->path), strlen(repo_path)) == 0)
 311                         break;
 312         }
 313         if (repo == NULL)
 314                 fatalx("repository %s not found in config", repo_path);
 315         gotd_auth.repo = repo;
 316
 317         signal_set(&evsigint, SIGINT, auth_sighdlr, NULL);
 318         signal_set(&evsigterm, SIGTERM, auth_sighdlr, NULL);
 319         signal_set(&evsighup, SIGHUP, auth_sighdlr, NULL);
 320         signal_set(&evsigusr1, SIGUSR1, auth_sighdlr, NULL);
 321         signal(SIGPIPE, SIG_IGN);
 322
 323         signal_add(&evsigint, NULL);
 324         signal_add(&evsigterm, NULL);
 325         signal_add(&evsighup, NULL);
 326         signal_add(&evsigusr1, NULL);
 327
 328         imsg_init(&iev.ibuf, GOTD_FILENO_MSG_PIPE);
 329         iev.handler = auth_dispatch;
 330         iev.events = EV_READ;
 331         iev.handler_arg = NULL;
 332         event_set(&iev.ev, iev.ibuf.fd, EV_READ, auth_dispatch, &iev);
 333         if (event_add(&iev.ev, NULL) == -1)
 334                 fatalx("event add");
 335
 336         event_dispatch();
 337
 338         auth_shutdown();
 339 }
 340
 341 static void
 342 auth_shutdown(void)
 343 {
 344         log_debug("%s: shutting down", gotd_auth.title);
 345         exit(0);
 346 }