├── .gitignore ├── src ├── compat │ ├── mod.rs │ └── daemon.rs ├── config_ast.rs ├── config.l ├── server │ ├── request_token.rs │ ├── eventer.rs │ ├── notifier.rs │ ├── mod.rs │ ├── http_server.rs │ ├── refresher.rs │ └── state.rs ├── config.y ├── user_sender.rs └── main.rs ├── examples ├── systemd │ └── pizauth.conf ├── pizauth.conf └── pizauth-state-custom.service ├── LICENSE-APACHE ├── COPYRIGHT ├── lib └── systemd │ └── user │ ├── pizauth-state-creds.service │ ├── pizauth.service │ ├── pizauth-state-gpg.service │ ├── pizauth-state-age.service │ └── pizauth-state-gpg-passphrase.service ├── LICENSE-MIT ├── .github └── workflows │ └── ci.yml ├── Cargo.toml ├── share ├── bash │ └── completion.bash └── fish │ └── pizauth.fish ├── Makefile ├── README.systemd.md ├── pizauth.1 ├── pizauth.conf.5 ├── CHANGES.md └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | target/ 2 | -------------------------------------------------------------------------------- /src/compat/mod.rs: -------------------------------------------------------------------------------- 1 | //! Shims to provide compatibility with different systems. 2 | 3 | // nix does not support daemon(3) on macOS, so we have to provide our own implementation: 4 | #[cfg(target_os = "macos")] 5 | mod daemon; 6 | #[cfg(target_os = "macos")] 7 | pub use daemon::daemon; 8 | 9 | // Use nix's daemon(3) wrapper on other platforms: 10 | #[cfg(not(target_os = "macos"))] 11 | pub use nix::unistd::daemon; 12 | -------------------------------------------------------------------------------- /examples/systemd/pizauth.conf: -------------------------------------------------------------------------------- 1 | // If using systemd, comment out the following line 2 | // startup_cmd="systemd-notify --ready --pid=parent"; 3 | // If using the pizauth-state-*.service units to save the state, 4 | // the following may be useful -- it will trigger a save/restore of the state 5 | // upon each token state change (set METHOD to whatever storage method you're 6 | // using) 7 | // token_event_cmd="systemctl --user restart pizauth-state-METHOD.service"; 8 | -------------------------------------------------------------------------------- /LICENSE-APACHE: -------------------------------------------------------------------------------- 1 | Licensed under the Apache License, Version 2.0 (the "License"); you may not use 2 | this file except in compliance with the License. You may obtain a copy of the 3 | License at 4 | 5 | http://www.apache.org/licenses/LICENSE-2.0 6 | 7 | Unless required by applicable law or agreed to in writing, software distributed 8 | under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 9 | CONDITIONS OF ANY KIND, either express or implied. See the License for the 10 | specific language governing permissions and limitations under the License. 11 | -------------------------------------------------------------------------------- /COPYRIGHT: -------------------------------------------------------------------------------- 1 | Except as otherwise noted (below and/or in individual files), this project is 2 | licensed under the Apache License, Version 2.0 3 | or the MIT license 4 | , at your option. 5 | 6 | Copyright is retained by contributors and/or the organisations they 7 | represent(ed) -- this project does not require copyright assignment. Please see 8 | version control history for a full list of contributors. Note that some files 9 | may include explicit copyright and/or licensing notices. 10 | -------------------------------------------------------------------------------- /lib/systemd/user/pizauth-state-creds.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=pizauth dump/restore backend (encryption: systemd-creds) 3 | BindsTo=pizauth.service 4 | After=pizauth.service 5 | ReloadPropagatedFrom=pizauth.service 6 | 7 | [Service] 8 | Type=simple 9 | RemainAfterExit=yes 10 | Environment="PIZAUTH_STATE_FILE=%S/%N.dump" 11 | ExecStart=-sh -c 'systemd-creds --user decrypt $PIZAUTH_STATE_FILE | pizauth restore' 12 | ExecReload=-sh -c 'systemd-creds --user decrypt $PIZAUTH_STATE_FILE | pizauth restore' 13 | ExecStop=-sh -c 'pizauth dump | systemd-creds --user encrypt - $PIZAUTH_STATE_FILE' 14 | 15 | [Install] 16 | WantedBy=pizauth.service 17 | -------------------------------------------------------------------------------- /lib/systemd/user/pizauth.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Pizauth OAuth2 token manager 3 | Documentation=man:pizauth(1) man:pizauth.conf(5) 4 | Documentation=https://github.com/ltratt/pizauth/blob/master/README.md 5 | Documentation=https://github.com/ltratt/pizauth/blob/master/README.systemd.md 6 | 7 | [Service] 8 | Type=notify 9 | # Allow all processes in the cgroup to set the service status, needed to be able 10 | # to set status via eg startup_cmd, token_event_cmd, etc 11 | NotifyAccess=all 12 | ExecStart=/usr/bin/pizauth server -vvvv -d 13 | ExecReload=/usr/bin/pizauth reload 14 | ExecStop=/usr/bin/pizauth shutdown 15 | 16 | [Install] 17 | WantedBy=default.target 18 | -------------------------------------------------------------------------------- /examples/pizauth.conf: -------------------------------------------------------------------------------- 1 | account "officesmtp" { 2 | auth_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; 3 | token_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; 4 | client_id = "..."; // Fill in with your Client ID 5 | client_secret = "..."; // Fill in with your Client secret 6 | scopes = [ 7 | "https://outlook.office365.com/IMAP.AccessAsUser.All", 8 | "https://outlook.office365.com/SMTP.Send", 9 | "offline_access" 10 | ]; 11 | // You don't have to specify login_hint, but it does make 12 | // authentication a little easier. 13 | auth_uri_fields = { "login_hint": "email@example.com" }; 14 | } 15 | -------------------------------------------------------------------------------- /src/config_ast.rs: -------------------------------------------------------------------------------- 1 | use lrpar::Span; 2 | 3 | pub enum TopLevel { 4 | Account(Span, Span, Vec), 5 | AuthErrorCmd(Span), 6 | AuthNotifyCmd(Span), 7 | AuthNotifyInterval(Span), 8 | ErrorNotifyCmd(Span), 9 | HttpListen(Span), 10 | HttpListenNone(Span), 11 | HttpsListen(Span), 12 | HttpsListenNone(Span), 13 | TransientErrorIfCmd(Span), 14 | RefreshAtLeast(Span), 15 | RefreshBeforeExpiry(Span), 16 | RefreshRetry(Span), 17 | StartupCmd(Span), 18 | TokenEventCmd(Span), 19 | } 20 | 21 | pub enum AccountField { 22 | AuthUri(Span), 23 | AuthUriFields(Span, Vec<(Span, Span)>), 24 | ClientId(Span), 25 | ClientSecret(Span), 26 | LoginHint(Span), 27 | RedirectUri(Span), 28 | RefreshAtLeast(Span), 29 | RefreshBeforeExpiry(Span), 30 | RefreshRetry(Span), 31 | Scopes(Span, Vec), 32 | TokenUri(Span), 33 | } 34 | -------------------------------------------------------------------------------- /src/config.l: -------------------------------------------------------------------------------- 1 | %% 2 | [0-9]+[dhms] "TIME" 3 | "(?:\\[\\"]|[^"\\])*" "STRING" 4 | = "=" 5 | , "," 6 | \{ "{" 7 | \} "}" 8 | \[ "[" 9 | \] "]" 10 | ; ";" 11 | : ":" 12 | account "ACCOUNT" 13 | auth_error_cmd "AUTH_ERROR_CMD" 14 | auth_notify_cmd "AUTH_NOTIFY_CMD" 15 | auth_notify_interval "AUTH_NOTIFY_INTERVAL" 16 | auth_uri "AUTH_URI" 17 | auth_uri_fields "AUTH_URI_FIELDS" 18 | client_id "CLIENT_ID" 19 | client_secret "CLIENT_SECRET" 20 | error_notify_cmd "ERROR_NOTIFY_CMD" 21 | http_listen "HTTP_LISTEN" 22 | https_listen "HTTPS_LISTEN" 23 | login_hint "LOGIN_HINT" 24 | none "NONE" 25 | refresh_retry "REFRESH_RETRY" 26 | redirect_uri "REDIRECT_URI" 27 | refresh_before_expiry "REFRESH_BEFORE_EXPIRY" 28 | refresh_at_least "REFRESH_AT_LEAST" 29 | scopes "SCOPES" 30 | startup_cmd "STARTUP_CMD" 31 | token_event_cmd "TOKEN_EVENT_CMD" 32 | token_uri "TOKEN_URI" 33 | transient_error_if_cmd "TRANSIENT_ERROR_IF_CMD" 34 | //.*?$ ; 35 | [ \t\n\r]+ ; 36 | . "UNMATCHED" 37 | -------------------------------------------------------------------------------- /lib/systemd/user/pizauth-state-gpg.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=pizauth dump/restore backend (encryption: gpg) 3 | BindsTo=pizauth.service 4 | After=pizauth.service 5 | ReloadPropagatedFrom=pizauth.service 6 | Requires=gpg-agent.socket 7 | 8 | [Service] 9 | Type=simple 10 | RemainAfterExit=yes 11 | # This unit needs to be configured before it's usable! 12 | # To use this unit, use systemctl --user edit pizauth-state-age.service to 13 | # create a drop-in configuration file. In it, set 14 | # Environment="PIZAUTH_KEY_ID=public key you want to encrypt with" 15 | Environment="PIZAUTH_KEY_ID=" 16 | Environment="PIZAUTH_STATE_FILE=%S/%N.dump" 17 | ExecStart=-sh -c 'gpg --batch --decrypt "$PIZAUTH_STATE_FILE" | pizauth restore' 18 | ExecReload=-sh -c 'gpg --batch --decrypt "$PIZAUTH_STATE_FILE" | pizauth restore' 19 | ExecStop=-sh -c 'pizauth dump | gpg --batch --yes --encrypt --recipient $PIZAUTH_KEY_ID -o "$PIZAUTH_STATE_FILE"' 20 | 21 | [Install] 22 | WantedBy=pizauth.service 23 | -------------------------------------------------------------------------------- /lib/systemd/user/pizauth-state-age.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=pizauth dump/restore backend (encryption: age) 3 | BindsTo=pizauth.service 4 | After=pizauth.service 5 | ReloadPropagatedFrom=pizauth.service 6 | 7 | [Service] 8 | Type=simple 9 | RemainAfterExit=yes 10 | # This unit needs to be configured before it's usable! 11 | # To use this unit, use systemctl --user edit pizauth-state-age.service to 12 | # create a drop-in configuration file. In it, set 13 | # Environment="PIZAUTH_KEY_ID=public key you want to encrypt with" 14 | # Environment="PIZAUTH_KEY_FILE=path to file 15 | Environment="PIZAUTH_KEY_ID=" 16 | Environment="PIZAUTH_KEY_FILE=" 17 | Environment="PIZAUTH_STATE_FILE=%S/%N.dump" 18 | ExecStart=-sh -c 'age --decrypt --identity "$PIZAUTH_KEY_FILE" -o - "$PIZAUTH_STATE_FILE" | pizauth restore' 19 | ExecReload=-sh -c 'age --decrypt --identity "$PIZAUTH_KEY_FILE" -o - "$PIZAUTH_STATE_FILE" | pizauth restore' 20 | ExecStop=-sh -c 'pizauth dump | age --encrypt --recipient "$PIZAUTH_KEY_ID" -o "$PIZAUTH_STATE_FILE"' 21 | 22 | [Install] 23 | WantedBy=pizauth.service 24 | -------------------------------------------------------------------------------- /LICENSE-MIT: -------------------------------------------------------------------------------- 1 | Permission is hereby granted, free of charge, to any person obtaining a copy of 2 | this software and associated documentation files (the "Software"), to deal in 3 | the Software without restriction, including without limitation the rights to 4 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies 5 | of the Software, and to permit persons to whom the Software is furnished to do 6 | so, subject to the following conditions: 7 | 8 | The above copyright notice and this permission notice shall be included in all 9 | copies or substantial portions of the Software. 10 | 11 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 12 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 13 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 14 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 15 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 16 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 17 | SOFTWARE. 18 | -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | 3 | on: 4 | pull_request: 5 | 6 | jobs: 7 | rustfmt: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/checkout@v3 11 | - run: rustup update stable && rustup default stable 12 | - run: rustup component add rustfmt 13 | - run: cargo fmt --all --check 14 | 15 | test: 16 | runs-on: ${{ matrix.os }} 17 | strategy: 18 | matrix: 19 | include: 20 | - name: Linux x86_64 stable 21 | os: ubuntu-latest 22 | rust: stable 23 | other: i686-unknown-linux-gnu 24 | - name: Linux x86_64 beta 25 | os: ubuntu-latest 26 | rust: beta 27 | other: i686-unknown-linux-gnu 28 | - name: Linux x86_64 nightly 29 | os: ubuntu-latest 30 | rust: nightly 31 | other: i686-unknown-linux-gnu 32 | - name: macOS x86_64 stable 33 | os: macos-latest 34 | rust: stable 35 | other: x86_64-apple-ios 36 | name: Tests ${{ matrix.name }} 37 | steps: 38 | - uses: actions/checkout@v3 39 | - run: rustup update stable && rustup default stable 40 | - name: debug_tests 41 | run: cargo test 42 | - name: release_tests 43 | run: cargo test --release 44 | -------------------------------------------------------------------------------- /src/compat/daemon.rs: -------------------------------------------------------------------------------- 1 | //! Provides daemon(3) on macOS. 2 | 3 | // We provide our own wrapper for daemon on macOS because nix does not export one for macOS. This 4 | // is *probably* why nix does not support daemon(3) on macOS: 5 | // 6 | // - nix will not compile on macOS, due to errors 7 | // - ... nix compiles with #[deny(warnings)], which treats warnings as errors 8 | // - libc emits a deprecation warning for daemon(3) on macOS [1] 9 | // - ... because daemon(3) has been deprecated in macOS since Mac OS X 10.5 10 | // - ... presumably because Apple wants you to use launchd(8) instead [2]. 11 | // - Therefore, this deprecation warning is treated as an error in nix 12 | // 13 | // [1]: https://github.com/rust-lang/libc/blob/96c85c1b913604fb5b1eb8822e344b7c08bcd6b9/src/unix/bsd/apple/mod.rs#L5064-L5067 14 | // [2]: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html 15 | // 16 | // This module essentially reimplements nix's daemon wrapper on macOS, but allows deprecation 17 | // warnings. 18 | // 19 | // See: https://github.com/ltratt/pizauth/issues/3 20 | use libc::c_int; 21 | #[allow(deprecated)] 22 | use libc::daemon as libc_daemon; 23 | use nix::errno::Errno; 24 | 25 | pub fn daemon(nochdir: bool, noclose: bool) -> nix::Result<()> { 26 | #[allow(deprecated)] 27 | let res = unsafe { libc_daemon(nochdir as c_int, noclose as c_int) }; 28 | Errno::result(res).map(drop) 29 | } 30 | -------------------------------------------------------------------------------- /Cargo.toml: -------------------------------------------------------------------------------- 1 | [package] 2 | name = "pizauth" 3 | description = "Command-line OAuth2 authentication daemon" 4 | version = "1.0.8" 5 | repository = "https://github.com/ltratt/pizauth/" 6 | authors = ["Laurence Tratt "] 7 | readme = "README.md" 8 | license = "Apache-2.0 OR MIT" 9 | categories = ["authentication"] 10 | keywords = ["oauth", "oauth2", "authentication"] 11 | edition = "2021" 12 | 13 | [build-dependencies] 14 | cfgrammar = "0.14" 15 | lrlex = "0.14" 16 | lrpar = "0.14" 17 | rerun_except = "1" 18 | 19 | [dependencies] 20 | base64 = "0.22" 21 | bincode = { version="2", features=["serde"] } 22 | boot-time = "0.1.2" 23 | cfgrammar = "0.14" 24 | chacha20poly1305 = "0.10" 25 | chrono = "0.4" 26 | getopts = "0.2" 27 | hostname = "0.4" 28 | log = "0.4" 29 | lrlex = "0.14" 30 | lrpar = "0.14" 31 | nix = { version="0.29", features=["fs", "signal"] } 32 | rand = "0.9" 33 | serde = { version="1.0", features=["derive"] } 34 | sha2 = "0.10" 35 | serde_json = "1" 36 | stderrlog = "0.6" 37 | syslog = "7.0.0" 38 | ureq = "3" 39 | url = "2" 40 | wait-timeout = "0.2" 41 | whoami = "1.5" 42 | rustls = { version = "0.23.12", features = ["ring", "std"], default-features = false } 43 | rcgen = { version = "0.14.5", features = ["crypto", "ring"], default-features = false } 44 | 45 | [target.'cfg(target_os="openbsd")'.dependencies] 46 | pledge = "0.4" 47 | unveil = "0.3" 48 | 49 | [target.'cfg(target_os="macos")'.dependencies] 50 | libc = "0.2" 51 | 52 | [profile.release] 53 | opt-level = 3 54 | debug = false 55 | rpath = false 56 | lto = true 57 | debug-assertions = false 58 | codegen-units = 1 59 | panic = 'abort' 60 | incremental = false 61 | overflow-checks = true 62 | -------------------------------------------------------------------------------- /examples/pizauth-state-custom.service: -------------------------------------------------------------------------------- 1 | # In case the supplied pizauth-state-*.service files don't suit your needs, 2 | # this is the template for a new pizauth-state-*.service file. 3 | # See systemd.service(5), systemd.unit(5), systemd.exec(5) for more details. 4 | # 5 | # We pull out the dump/restore feature as its own unit since under the systemd 6 | # semantics, it makes more sense -- as indicated by the fact that were we to 7 | # try to configure this directly in the pizauth unit, we'd need to prepend to 8 | # ExecStop. Moreover, pizauth *works* without dump/restore -- this is an 9 | # additional feature on top of it. 10 | # 11 | # Hence, we have a separate dump/restore unit that gets started after pizauth 12 | # and torn down before it, and which is responsible for managing the state file 13 | # upon these events. 14 | 15 | [Unit] 16 | Description=Custom pizauth dump/restore backend 17 | # Makes the start event for this unit propagate to pizauth, 18 | # and makes the stop/abort events for pizauth propagate to this unit 19 | BindsTo=pizauth.service 20 | # Orders this unit to run its start commands after pizauth, and run its stop 21 | # commands before pizauth 22 | After=pizauth.service 23 | # Makes the config-reload event for pizauth propagate to this unit 24 | ReloadPropagatedFrom=pizauth.service 25 | 26 | [Service] 27 | Type=simple 28 | Environment="PIZAUTH_STATE_FILE=%S/%N.dump" 29 | # replace io by whatever program you have to read/write to the state file 30 | # (could be encryption software, could be sending/retrieving to a server, etc) 31 | ExecStart=-sh -c 'io --read "$PIZAUTH_STATE_FILE" | pizauth restore' 32 | ExecReload=-sh -c 'io --read "$PIZAUTH_STATE_FILE" | pizauth restore' 33 | ExecStop=-sh -c 'pizauth dump | io --write "$PIZAUTH_STATE_FILE"' 34 | 35 | [Install] 36 | # Makes systemctl --user enable pizauth-state-custom.service cause that the 37 | # start event for pizauth will propagate to this unit 38 | WantedBy=pizauth.service 39 | -------------------------------------------------------------------------------- /lib/systemd/user/pizauth-state-gpg-passphrase.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=pizauth dump/restore backend (encryption: gpg, passphrase in systemd-creds) 3 | BindsTo=pizauth.service 4 | After=pizauth.service 5 | ReloadPropagatedFrom=pizauth.service 6 | Requires=gpg-agent.socket 7 | 8 | [Service] 9 | # Since we're using credentials, we can't use Type=simple 10 | Type=exec 11 | RemainAfterExit=yes 12 | # This unit needs to be configured before it's usable! 13 | # To use this unit, use systemctl --user edit pizauth-state-gpg.service to 14 | # create a drop-in configuration file. In it, set 15 | # Environment="PIZAUTH_KEY_ID=public key you want to encrypt with" 16 | # and then either 17 | # LoadCredentialEncrypted=pizauth-gpg-passphrase:CREDENTIALFILE 18 | # or 19 | # SetCredentialEncrypted=pizauth-gpg-passphrase: \ 20 | # ..................................................................... \ 21 | # ... 22 | # 23 | # In either case, you will need to store the passphrase for the GPG key 24 | # encrypted. If you plan on storing the credential at CREDENTIALFILE, run 25 | # systemd-ask-password \ 26 | # | systemd-creds encrypt --name pizauth-gpg-passphrase - CREDENTIALFILE 27 | # If you want to store the credential in the drop-in configuration, run 28 | # systemd-ask-password \ 29 | # | systemd-creds encrypt --name pizauth-gpg-passphrase -p - - 30 | # This will print the SetCredentialEncrypted config you'll need to paste in the 31 | # drop-in configuration 32 | Environment="PIZAUTH_KEY_ID=" 33 | Environment="PIZAUTH_STATE_FILE=%S/%N.dump" 34 | ExecStart=-sh -c ' gpg --passphrase-file %d/pizauth-gpg-passphrase --pinentry-mode loopback --batch --decrypt "$PIZAUTH_STATE_FILE" \ 35 | | pizauth restore' 36 | ExecReload=-sh -c ' gpg --passphrase-file %d/pizauth-gpg-passphrase --pinentry-mode loopback --batch --decrypt "$PIZAUTH_STATE_FILE" \ 37 | | pizauth restore' 38 | ExecStop=-sh -c 'pizauth dump | gpg --batch --yes --encrypt --recipient $PIZAUTH_KEY_ID -o "$PIZAUTH_STATE_FILE"' 39 | 40 | [Install] 41 | WantedBy=pizauth.service 42 | -------------------------------------------------------------------------------- /src/server/request_token.rs: -------------------------------------------------------------------------------- 1 | use std::{error::Error, sync::Arc}; 2 | 3 | use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; 4 | use rand::{rng, RngCore}; 5 | use sha2::{Digest, Sha256}; 6 | use url::Url; 7 | 8 | use super::{AccountId, AuthenticatorState, CTGuard, TokenState, CODE_VERIFIER_LEN, STATE_LEN}; 9 | 10 | /// Request a new token for `act_id`, whose tokenstate must be `Empty`. 11 | pub fn request_token( 12 | pstate: Arc, 13 | mut ct_lk: CTGuard, 14 | act_id: AccountId, 15 | ) -> Result> { 16 | assert!(matches!( 17 | ct_lk.tokenstate(act_id), 18 | TokenState::Empty | TokenState::Pending { .. } 19 | )); 20 | 21 | let act = ct_lk.account(act_id); 22 | 23 | let mut state = [0u8; STATE_LEN]; 24 | rng().fill_bytes(&mut state); 25 | let state = URL_SAFE_NO_PAD.encode(state); 26 | 27 | let mut code_verifier = [0u8; CODE_VERIFIER_LEN]; 28 | rng().fill_bytes(&mut code_verifier); 29 | let code_verifier = URL_SAFE_NO_PAD.encode(code_verifier); 30 | let mut hasher = Sha256::new(); 31 | hasher.update(&code_verifier); 32 | let code_challenge = URL_SAFE_NO_PAD.encode(hasher.finalize()); 33 | 34 | let scopes_join = act.scopes.join(" "); 35 | let redirect_uri = act 36 | .redirect_uri(pstate.http_port, pstate.https_port)? 37 | .to_string(); 38 | let mut params = vec![ 39 | ("access_type", "offline"), 40 | ("code_challenge", &code_challenge), 41 | ("code_challenge_method", "S256"), 42 | ("client_id", act.client_id.as_str()), 43 | ("redirect_uri", redirect_uri.as_str()), 44 | ("response_type", "code"), 45 | ("state", &state), 46 | ]; 47 | if !act.scopes.is_empty() { 48 | params.push(("scope", scopes_join.as_str())); 49 | } 50 | for (k, v) in &act.auth_uri_fields { 51 | params.push((k.as_str(), v.as_str())); 52 | } 53 | let url = Url::parse_with_params(ct_lk.account(act_id).auth_uri.as_str(), ¶ms)?; 54 | ct_lk.tokenstate_replace( 55 | act_id, 56 | TokenState::Pending { 57 | code_verifier, 58 | last_notification: None, 59 | url: url.clone(), 60 | state, 61 | }, 62 | ); 63 | drop(ct_lk); 64 | pstate.notifier.notify_changes(); 65 | Ok(url) 66 | } 67 | -------------------------------------------------------------------------------- /share/bash/completion.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | _server() { 3 | local cur prev 4 | 5 | prev=${COMP_WORDS[COMP_CWORD - 1]} 6 | cur=${COMP_WORDS[COMP_CWORD]} 7 | case "$prev" in 8 | -c) _filedir;; 9 | *) mapfile -t COMPREPLY < \ 10 | <(compgen -W '-c -d -v -vv -vvv -vvvv' -- "$cur");; 11 | esac 12 | } 13 | _accounts(){ 14 | local config 15 | 16 | config="$(pizauth info | awk -F' *: *' '$1 ~ /config file/ { print $2 }')" 17 | sed -n '/^account/{s/^account $.*$ {/\1/;p}' "$config" 18 | } 19 | _pizauth() 20 | { 21 | local cur prev sub 22 | local cmds=() 23 | cmds+=(dump restore reload shutdown status) 24 | cmds+=(info server) 25 | cmds+=(refresh revoke show) 26 | 27 | cur=${COMP_WORDS[COMP_CWORD]} 28 | prev=${COMP_WORDS[COMP_CWORD - 1]} 29 | sub=${COMP_WORDS[1]} 30 | 31 | if [ "$sub" == server ] && [ "$COMP_CWORD" -gt 1 ]; then _server; return; fi 32 | 33 | case ${COMP_CWORD} in 34 | 1) mapfile -t COMPREPLY < <(compgen -W "${cmds[*]}" -- "$cur");; 35 | 2) 36 | case $sub in 37 | dump|restore|reload|shutdown|status) COMPREPLY=();; 38 | info) mapfile -t COMPREPLY < <(compgen -W '-j' -- "$cur") ;; 39 | refresh|show) 40 | local accounts 41 | mapfile -t accounts < <(_accounts) 42 | accounts+=(-u) 43 | mapfile -t COMPREPLY < \ 44 | <(compgen -W "${accounts[*]}" -- "$cur") 45 | ;; 46 | revoke) 47 | local accounts 48 | mapfile -t accounts < <(_accounts) 49 | mapfile -t COMPREPLY < \ 50 | <(compgen -W "${accounts[*]}" -- "$cur") 51 | ;; 52 | *) COMPREPLY=() 53 | ;; 54 | esac 55 | ;; 56 | 3) 57 | case $sub in 58 | refresh|show) 59 | case $prev in 60 | -u) 61 | local accounts 62 | mapfile -t accounts < <(_accounts) 63 | mapfile -t COMPREPLY < \ 64 | <(compgen -W "${accounts[*]}" -- "$cur") 65 | ;; 66 | *) COMPREPLY=() 67 | esac 68 | ;; 69 | esac 70 | ;; 71 | *) 72 | COMPREPLY=() 73 | ;; 74 | esac 75 | } 76 | 77 | complete -F _pizauth pizauth 78 | -------------------------------------------------------------------------------- /share/fish/pizauth.fish: -------------------------------------------------------------------------------- 1 | #!/usr/bin/fish 2 | 3 | function __fish_pizauth_accounts --description "Helper function to parse accounts from config" 4 | set -l config (pizauth info | awk -F' *: *' '$1 ~ /config file/ { print $2 }') 5 | sed -n '/^account/{s/^account $.*$ {/\1/;p}' $config | string unescape 6 | end 7 | 8 | function __fish_pizauth_is_main_command --description "Returns true if we're not in a subcommand" 9 | not __fish_seen_subcommand_from dump restore reload shutdown status info server refresh revoke show 10 | end 11 | 12 | # Don't autocomplete files 13 | complete -c pizauth -f 14 | 15 | # pizauth top-level commands 16 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Writes current pizauth state to stdout" -a "dump" 17 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Writes output about pizauth to stdout" -a "info" 18 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Request a refresh of the access token for account" -a "refresh" 19 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Reloads the server's configuration" -a "reload" 20 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Reads previously dumped pizauth state from stdin" -a "restore" 21 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Removes token and cancels authorization for account" -a "revoke" 22 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Start the server" -a "server" 23 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Print access token of account to stdout" -a "show" 24 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Shut the server down" -a "shutdown" 25 | complete -c pizauth -n "__fish_pizauth_is_main_command" -d "Writes output about current accounts to stdout" -a "status" 26 | 27 | # pizauth info [-j] 28 | complete -c pizauth -n "__fish_seen_subcommand_from info" -s j -d "JSON output" 29 | 30 | # pizauth refresh/show [-u] account 31 | complete -c pizauth -n "__fish_seen_subcommand_from refresh show" -s u -d "Exclude authorization URL" 32 | complete -c pizauth -n "__fish_seen_subcommand_from refresh show" -a "(__fish_pizauth_accounts)" 33 | 34 | # pizauth revoke account 35 | complete -c pizauth -n "__fish_seen_subcommand_from revoke" -a "(__fish_pizauth_accounts)" 36 | 37 | # pizauth server [-c config-file] [-dv] 38 | complete -c pizauth -n "__fish_seen_subcommand_from server" -l config -s c -r -F -d "Config file" 39 | complete -c pizauth -n "__fish_seen_subcommand_from server" -s d -d "Do not daemonise" 40 | complete -c pizauth -n "__fish_seen_subcommand_from server" -o v -d "Verbose" 41 | complete -c pizauth -n "__fish_seen_subcommand_from server" -o vv -d "Verboser" 42 | complete -c pizauth -n "__fish_seen_subcommand_from server" -o vvv -d "Verboserer" 43 | complete -c pizauth -n "__fish_seen_subcommand_from server" -o vvvv -d "Verbosest" 44 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | PREFIX ?= /usr/local 2 | BINDIR ?= ${PREFIX}/bin 3 | LIBDIR ?= ${PREFIX}/lib 4 | SHAREDIR ?= ${PREFIX}/share 5 | EXAMPLESDIR ?= ${SHAREDIR}/examples 6 | 7 | MANDIR.${PREFIX} = ${PREFIX}/share/man 8 | MANDIR./usr/local = /usr/local/man 9 | MANDIR. = /usr/share/man 10 | MANDIR ?= ${MANDIR.${PREFIX}} 11 | 12 | .PHONY: all install test distrib 13 | 14 | all: target/release/pizauth 15 | 16 | target/release/pizauth: 17 | cargo build --release 18 | 19 | RUNNINGSYSTEMD=$(shell test -d /run/systemd/system/ && echo yes || echo no) 20 | ifeq ($(USESYSTEMD), 0) 21 | INSTALLSYSTEMD := 22 | else ifneq ($(RUNNINGSYSTEMD), yes) 23 | INSTALLSYSTEMD := 24 | else 25 | INSTALLSYSTEMD := install-systemd 26 | endif 27 | 28 | install: target/release/pizauth ${INSTALLSYSTEMD} 29 | install -d ${DESTDIR}${BINDIR} 30 | install -c -m 555 target/release/pizauth ${DESTDIR}${BINDIR}/pizauth 31 | install -d ${DESTDIR}${MANDIR}/man1 32 | install -d ${DESTDIR}${MANDIR}/man5 33 | install -c -m 444 pizauth.1 ${DESTDIR}${MANDIR}/man1/pizauth.1 34 | install -c -m 444 pizauth.conf.5 ${DESTDIR}${MANDIR}/man5/pizauth.conf.5 35 | install -d ${DESTDIR}${EXAMPLESDIR}/pizauth 36 | install -c -m 444 examples/pizauth.conf ${DESTDIR}${EXAMPLESDIR}/pizauth/pizauth.conf 37 | install -d ${DESTDIR}${SHAREDIR}/bash-completion/completions 38 | install -c -m 444 share/bash/completion.bash ${DESTDIR}${SHAREDIR}/bash-completion/completions/pizauth 39 | install -d ${DESTDIR}${SHAREDIR}/fish/vendor_completions.d 40 | install -c -m 444 share/fish/pizauth.fish ${DESTDIR}${SHAREDIR}/fish/vendor_completions.d 41 | 42 | install-systemd: 43 | install -d ${DESTDIR}${LIBDIR}/systemd/user 44 | install -c -m 444 lib/systemd/user/pizauth.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth.service 45 | install -c -m 444 lib/systemd/user/pizauth-state-creds.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-creds.service 46 | install -c -m 444 lib/systemd/user/pizauth-state-age.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-age.service 47 | install -c -m 444 lib/systemd/user/pizauth-state-gpg.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-gpg.service 48 | install -c -m 444 lib/systemd/user/pizauth-state-gpg-passphrase.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-gpg-passphrase.service 49 | install -d ${DESTDIR}${EXAMPLESDIR}/pizauth 50 | install -c -m 444 examples/pizauth-state-custom.service ${DESTDIR}${EXAMPLESDIR}/pizauth/pizauth-state-custom.service 51 | 52 | test: 53 | cargo test 54 | cargo test --release 55 | 56 | distrib: 57 | test "X`git status --porcelain`" = "X" 58 | @read v?'pizauth version: ' \ 59 | && mkdir pizauth-$$v \ 60 | && cp -rp Makefile build.rs Cargo.lock Cargo.toml \ 61 | COPYRIGHT LICENSE-APACHE LICENSE-MIT \ 62 | CHANGES.md README.md README.systemd.md \ 63 | pizauth.1 pizauth.conf.5 \ 64 | examples lib share src \ 65 | pizauth-$$v \ 66 | && tar cfz pizauth-$$v.tgz pizauth-$$v \ 67 | && rm -rf pizauth-$$v 68 | -------------------------------------------------------------------------------- /README.systemd.md: -------------------------------------------------------------------------------- 1 | # Systemd unit 2 | 3 | Pizauth comes with a systemd unit. In order for it to communicate properly with 4 | `systemd`, your `startup_cmd` in `pizauth.conf` must at some point run 5 | `systemd-notify --ready --pid=parent` -- this will tell `systemd` that `pizauth` 6 | has started up. 7 | 8 | To start pizauth: 9 | 10 | ```sh 11 | $ systemctl --user start pizauth.service 12 | ``` 13 | 14 | If you want `pizauth` to start on login, run 15 | 16 | ```sh 17 | $ systemctl --user enable pizauth.service 18 | ``` 19 | 20 | (pass `--now` to also start `pizauth` with this invocation) 21 | 22 | If you want to save pizauth's dumps encrypted and automatically restore them 23 | when pizauth is started, you need to start/enable one of the 24 | `pizauth-state-*.service` files provided by pizauth. For example, 25 | 26 | ```sh 27 | $ systemctl --user enable pizauth-state-creds.service 28 | ``` 29 | 30 | Some of these units require further configuration, eg for setting the public key 31 | and location of the private key to use for encryption. For this purpose, 32 | 33 | ```sh 34 | $ systemctl --user edit pizauth-state-$METHOD.service 35 | ``` 36 | 37 | will open an editor in which you can configure your local edits to 38 | `pizauth-state-$METHOD.service`. For example, you can override the default 39 | location of the pizauth dumps (`$XDG_STATE_HOME/pizauth-state-$METHOD.dump`) to 40 | be `~/.pizauth.dump` by inserting the following line in the `.conf` file that 41 | `systemctl` will open: 42 | 43 | ```ini 44 | Environment="PIZAUTH_STATE_FILE=%h/.pizauth.dump 45 | ``` 46 | 47 | See `systemd.unit(5)` for supported values of these % "specifiers". 48 | 49 | The provided configurations are: 50 | - `pizauth-state-creds.service`: Uses `systemd-creds` to encrypt the dumps with 51 | some combination of your device's TPM2 chip and a secret accessible only to 52 | `root`. This means the dumps generally can only be decrypted *on the device 53 | that encrypted them*. 54 | - `pizauth-state-age.service`: Uses `age` to encrypt the dumps. 55 | Needs the `Environment="PIZAUTH_KEY_ID="` line to be set to the public key to 56 | encrypt with. 57 | - `pizauth-state-gpg.service`: Uses `gpg` to encrypt the dumps. 58 | Needs the `Environment="PIZAUTH_KEY_ID="` line to be set to the public key to 59 | encrypt with. `gpg-agent` will prompt for the passphrase to unlock the key, 60 | which may be undesireable in nongraphical environments. 61 | - `pizauth-state-gpg-passphrase.service`: Uses `gpg` to encrypt the dumps. 62 | Uses `systemd-creds` to encrypt a file containing the passphrase, which is set 63 | by default to be `$XDG_CONFIG_HOME/pizauth-state-gpg-passphrase.cred`. 64 | Needs the `Environment="PIZAUTH_KEY_ID="` line to be set to the public key to 65 | encrypt with. Also needs the passphrase to be stored encrypted somewhere, see 66 | the unit file for details. 67 | 68 | Note: Given the security implications here, this method is likely not much 69 | more secure than just using `pizauth-state-creds.service` directly. 70 | This unit is provided mostly to document how one might go about automatically 71 | passing key material relatively safely to a unit. 72 | -------------------------------------------------------------------------------- /src/config.y: -------------------------------------------------------------------------------- 1 | %start TopLevels 2 | %avoid_insert "STRING" 3 | %epp TIME "[dhms]" 4 | %expect-unused Unmatched "UNMATCHED" 5 | 6 | %% 7 | 8 | TopLevels -> Result, ()>: 9 | TopLevels TopLevel { flattenr($1, $2) } 10 | | { Ok(vec![]) } 11 | ; 12 | 13 | TopLevel -> Result: 14 | "ACCOUNT" "STRING" "{" AccountFields "}" { Ok(TopLevel::Account($span, map_err($2)?, $4?)) } 15 | | "AUTH_ERROR_CMD" "=" "STRING" ";" { Ok(TopLevel::AuthErrorCmd($span)) } 16 | | "AUTH_NOTIFY_CMD" "=" "STRING" ";" { Ok(TopLevel::AuthNotifyCmd(map_err($3)?)) } 17 | | "AUTH_NOTIFY_INTERVAL" "=" "TIME" ";" { Ok(TopLevel::AuthNotifyInterval(map_err($3)?)) } 18 | | "ERROR_NOTIFY_CMD" "=" "STRING" ";" { Ok(TopLevel::ErrorNotifyCmd(map_err($3)?)) } 19 | | "HTTP_LISTEN" "=" "NONE" ";" { Ok(TopLevel::HttpListenNone(map_err($3)?)) } 20 | | "HTTP_LISTEN" "=" "STRING" ";" { Ok(TopLevel::HttpListen(map_err($3)?)) } 21 | | "HTTPS_LISTEN" "=" "NONE" ";" { Ok(TopLevel::HttpsListenNone(map_err($3)?)) } 22 | | "HTTPS_LISTEN" "=" "STRING" ";" { Ok(TopLevel::HttpsListen(map_err($3)?)) } 23 | | "TRANSIENT_ERROR_IF_CMD" "=" "STRING" ";" { Ok(TopLevel::TransientErrorIfCmd(map_err($3)?)) } 24 | | "REFRESH_AT_LEAST" "=" "TIME" ";" { Ok(TopLevel::RefreshAtLeast(map_err($3)?)) } 25 | | "REFRESH_BEFORE_EXPIRY" "=" "TIME" ";" { Ok(TopLevel::RefreshBeforeExpiry(map_err($3)?)) } 26 | | "REFRESH_RETRY" "=" "TIME" ";" { Ok(TopLevel::RefreshRetry(map_err($3)?)) } 27 | | "STARTUP_CMD" "=" "STRING" ";" { Ok(TopLevel::StartupCmd(map_err($3)?)) } 28 | | "TOKEN_EVENT_CMD" "=" "STRING" ";" { Ok(TopLevel::TokenEventCmd(map_err($3)?)) } 29 | ; 30 | 31 | AccountFields -> Result, ()>: 32 | AccountFields AccountField { flattenr($1, $2) } 33 | | { Ok(vec![]) } 34 | ; 35 | 36 | AccountField -> Result: 37 | "AUTH_URI" "=" "STRING" ";" { Ok(AccountField::AuthUri(map_err($3)?)) } 38 | | "AUTH_URI_FIELDS" "=" "{" AuthUriFields "}" ";" { Ok(AccountField::AuthUriFields($1.unwrap_or_else(|x| x).span(), $4?)) } 39 | | "CLIENT_ID" "=" "STRING" ";" { Ok(AccountField::ClientId(map_err($3)?)) } 40 | | "CLIENT_SECRET" "=" "STRING" ";" { Ok(AccountField::ClientSecret(map_err($3)?)) } 41 | | "LOGIN_HINT" "=" "STRING" ";" { Ok(AccountField::LoginHint(map_err($3)?)) } 42 | | "REDIRECT_URI" "=" "STRING" ";" { Ok(AccountField::RedirectUri(map_err($3)?)) } 43 | | "REFRESH_AT_LEAST" "=" "TIME" ";" { Ok(AccountField::RefreshAtLeast(map_err($3)?)) } 44 | | "REFRESH_BEFORE_EXPIRY" "=" "TIME" ";" { Ok(AccountField::RefreshBeforeExpiry(map_err($3)?)) } 45 | | "REFRESH_RETRY" "=" "TIME" ";" { Ok(AccountField::RefreshRetry(map_err($3)?)) } 46 | | "SCOPES" "=" "[" Scopes "]" ";" { Ok(AccountField::Scopes($1.unwrap_or_else(|x| x).span(), $4?)) } 47 | | "TOKEN_URI" "=" "STRING" ";" { Ok(AccountField::TokenUri(map_err($3)?)) } 48 | ; 49 | 50 | AuthUriFields -> Result, ()>: 51 | AuthUriFields "," "STRING" ":" "STRING" { 52 | let mut spans = $1?; 53 | spans.push((map_err($3)?, map_err($5)?)); 54 | Ok(spans) 55 | } 56 | | "STRING" ":" "STRING" { Ok(vec![(map_err($1)?, map_err($3)?)]) } 57 | | { Ok(vec![]) } 58 | ; 59 | 60 | Scopes -> Result, ()>: 61 | Scopes "," "STRING" { 62 | let mut spans = $1?; 63 | spans.push(map_err($3)?); 64 | Ok(spans) 65 | } 66 | | "STRING" { Ok(vec![map_err($1)?]) } 67 | | { Ok(vec![]) } 68 | ; 69 | 70 | // This rule helps turn lexing errors into parsing errors. 71 | Unmatched -> (): 72 | "UNMATCHED" { } 73 | ; 74 | 75 | %% 76 | 77 | use lrlex::DefaultLexeme; 78 | use lrpar::Span; 79 | 80 | type StorageT = u8; 81 | 82 | use crate::config_ast::{AccountField, TopLevel}; 83 | 84 | fn map_err(r: Result, DefaultLexeme>) 85 | -> Result 86 | { 87 | r.map(|x| x.span()).map_err(|_| ()) 88 | } 89 | 90 | /// Flatten `rhs` into `lhs`. 91 | fn flattenr(lhs: Result, ()>, rhs: Result) -> Result, ()> { 92 | let mut flt = lhs?; 93 | flt.push(rhs?); 94 | Ok(flt) 95 | } 96 | -------------------------------------------------------------------------------- /src/server/eventer.rs: -------------------------------------------------------------------------------- 1 | use std::{ 2 | collections::VecDeque, 3 | env, 4 | error::Error, 5 | fmt::{self, Display, Formatter}, 6 | process::Command, 7 | sync::{Arc, Condvar, Mutex}, 8 | thread, 9 | time::Duration, 10 | }; 11 | 12 | use log::error; 13 | use wait_timeout::ChildExt; 14 | 15 | use super::AuthenticatorState; 16 | 17 | /// How long to run `not_transient_error_if` commands before killing them? 18 | const NEW_ACCESS_TOKEN_CMD_TIMEOUT: Duration = Duration::from_secs(30); 19 | 20 | pub enum TokenEvent { 21 | Invalidated, 22 | New, 23 | Refresh, 24 | Revoked, 25 | } 26 | 27 | impl Display for TokenEvent { 28 | fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { 29 | match self { 30 | TokenEvent::Invalidated => write!(f, "token_invalidated"), 31 | TokenEvent::New => write!(f, "token_new"), 32 | TokenEvent::Refresh => write!(f, "token_refreshed"), 33 | TokenEvent::Revoked => write!(f, "token_revoked"), 34 | } 35 | } 36 | } 37 | 38 | pub struct Eventer { 39 | pred: Mutex, 40 | condvar: Condvar, 41 | event_queue: Mutex>, 42 | } 43 | 44 | impl Eventer { 45 | pub fn new() -> Result> { 46 | Ok(Eventer { 47 | pred: Mutex::new(false), 48 | condvar: Condvar::new(), 49 | event_queue: Mutex::new(VecDeque::new()), 50 | }) 51 | } 52 | 53 | pub fn eventer(self: Arc, pstate: Arc) -> Result<(), Box> { 54 | thread::spawn(move || loop { 55 | let mut eventer_lk = self.pred.lock().unwrap(); 56 | while !*eventer_lk { 57 | eventer_lk = self.condvar.wait(eventer_lk).unwrap(); 58 | } 59 | *eventer_lk = false; 60 | drop(eventer_lk); 61 | 62 | loop { 63 | let (act_name, event) = 64 | if let Some((act_name, event)) = self.event_queue.lock().unwrap().pop_front() { 65 | (act_name, event) 66 | } else { 67 | break; 68 | }; 69 | let token_event_cmd = if let Some(token_event_cmd) = 70 | pstate.ct_lock().config().token_event_cmd.clone() 71 | { 72 | token_event_cmd 73 | } else { 74 | break; 75 | }; 76 | match env::var("SHELL") { 77 | Ok(s) => { 78 | match Command::new(s) 79 | .env("PIZAUTH_ACCOUNT", act_name.as_str()) 80 | .env("PIZAUTH_EVENT", event.to_string()) 81 | .args(["-c", &token_event_cmd]) 82 | .spawn() 83 | { 84 | Ok(mut child) => match child.wait_timeout(NEW_ACCESS_TOKEN_CMD_TIMEOUT) 85 | { 86 | Ok(Some(status)) => { 87 | if !status.success() { 88 | error!( 89 | "'{token_event_cmd:}' returned {}", 90 | status 91 | .code() 92 | .map(|x| x.to_string()) 93 | .unwrap_or_else(|| " { 98 | child.kill().ok(); 99 | child.wait().ok(); 100 | error!("'{token_event_cmd:}' exceeded timeout"); 101 | } 102 | Err(e) => error!("Waiting on '{token_event_cmd:}' failed: {e:}"), 103 | }, 104 | Err(e) => error!("Couldn't execute '{token_event_cmd:}': {e:}"), 105 | } 106 | } 107 | Err(e) => error!("{e:}"), 108 | } 109 | } 110 | }); 111 | 112 | Ok(()) 113 | } 114 | 115 | pub fn token_event(&self, act_name: String, kind: TokenEvent) { 116 | self.event_queue.lock().unwrap().push_back((act_name, kind)); 117 | let mut event_lk = self.pred.lock().unwrap(); 118 | *event_lk = true; 119 | self.condvar.notify_one(); 120 | } 121 | } 122 | -------------------------------------------------------------------------------- /pizauth.1: -------------------------------------------------------------------------------- 1 | .Dd $Mdocdate: September 13 2022 $ 2 | .Dt PIZAUTH 1 3 | .Os 4 | .Sh NAME 5 | .Nm pizauth 6 | .Nd OAuth2 authentication daemon 7 | .Sh SYNOPSIS 8 | .Nm pizauth 9 | .Sy Em command 10 | .Sh DESCRIPTION 11 | .Nm 12 | requests, shows, and refreshes OAuth2 tokens. 13 | It is formed of two 14 | components: a persistent "server" which interacts with the user to obtain 15 | tokens, and refreshes them as necessary; and a command-line interface which can 16 | be used by other programs to show the OAuth2 token for a current account. 17 | .Pp 18 | The top-level commands are: 19 | .Bl -tag -width Ds 20 | .It Sy dump 21 | Writes the current 22 | .Nm 23 | state to stdout: this can later be fed back into 24 | .Nm 25 | with 26 | .Sy restore . 27 | The dump format is stable within a pizauth major release (but not 28 | across major releases) and stable across platforms, though it includes 29 | timestamps that may be affected by clock drift on either the machine performing 30 | .Sy dump 31 | or 32 | .Sy restore . 33 | Clock drift does not not affect security, though it may cause dumped access 34 | tokens to be refreshed unduly early or late upon a 35 | .Sy restore . 36 | Refreshed access tokens will then be refreshed at the expected intervals. 37 | .Pp 38 | Note that while the 39 | .Sy dump 40 | output may look like it is encrypted, it is trivial for an attacker to recover 41 | access and refresh tokens from it: it is strongly recommended that you use 42 | external encryption on the output so that your data cannot be compromised. 43 | .It Sy info Oo Fl j Oc 44 | Writes output about 45 | .Nm 46 | to stdout including: the cache directory path; the config file path; and 47 | .Nm 48 | version. 49 | Defaults to human-readable output in an unspecified format that may change 50 | freely between 51 | .Nm 52 | versions. 53 | .Pp 54 | .Fl j 55 | specifies JSON output. 56 | The 57 | .Qq info_format_version 58 | field is an integer value specifying the version of the JSON output: if 59 | incompatible changes are made, this integer will be monotonically increased. 60 | .It Sy refresh Oo Fl u Oc Ar account 61 | Request a refresh of the access token for 62 | .Em account . 63 | Exits with 0 upon success. 64 | If there is not currently a valid access or refresh token, 65 | reports an error to stderr, initiates a new token request, and exits with 1. 66 | Unless 67 | .Fl u 68 | is specified, the error will include an authorization URL. 69 | Note that this command does not block and will not start a new refresh if one 70 | is ongoing. 71 | .It Sy reload 72 | Reload the server's configuration. 73 | Exits with 0 upon success or 1 if there is a problem in the configuration. 74 | .It Sy restore 75 | Reads previously dumped 76 | .Nm 77 | state from stdin and updates those parts of the current state it determines 78 | to be less useful than the dumped state. 79 | This does not change the running instance's configuration: any changes in 80 | security relevant configuration between the dumping and restoring 81 | .Nm 82 | instances causes those parts of the dump to be silently ignored. 83 | See 84 | .Sy dump 85 | for information about the dump format, timestamp warnings, and encryption 86 | suggestions. 87 | .It Sy revoke Ar account 88 | Removes any token, and cancels any ongoing authentication, for 89 | .Em account . 90 | Note that OAuth2 provides no standard way of remotely revoking a token: 91 | .Sy revoke 92 | thus only affects the local 93 | .Nm 94 | instance. 95 | Exits with 0 upon success. 96 | .It Sy server Oo Fl c Ar config-file Oc Oo Fl dv Oc 97 | Start the server. 98 | If not specified with 99 | .Fl c , 100 | .Nm 101 | checks for the configuration file (in order) at: 102 | .Pa $XDG_CONFIG_HOME/pizauth.conf , 103 | .Pa $HOME/.config/pizauth.conf . 104 | The server will daemonise itself unless 105 | .Fl d 106 | is specified. 107 | Exits with 0 if the server started successfully or 1 otherwise. 108 | .Fl v 109 | enables more verbose logging. 110 | .Fl v 111 | can be used up to 4 times, with each repetition increasing the quantity 112 | of logging. 113 | .It Sy show Oo Fl u Oc Ar account 114 | If there is an access token for 115 | .Em account , 116 | print that access token to stdout and exit with 0. 117 | If there is not currently a valid access token, prints an error to stderr 118 | and exits with 1. 119 | If refreshing might obtain a valid access token, refreshing is initiated 120 | in the background. 121 | Otherwise (unless 122 | .Fl u 123 | is specified), the error will include an authorization URL. 124 | Note that this command does not block: commands must expect that they might 125 | encounter an error when showing an access token. 126 | .It Sy shutdown 127 | Shut the server down. 128 | Note that shutdown occurs asynchronously: the server may still be alive for a 129 | period of time after this command returns. 130 | .It Sy status 131 | Writes output about the current accounts and whether they have access tokens to 132 | stdout. The format is human-readable and in an unspecified format that may 133 | change freely between 134 | .Nm 135 | versions. 136 | .El 137 | .Sh SEE ALSO 138 | .Xr pizauth.conf 5 139 | .Pp 140 | .Lk https://tratt.net/laurie/src/pizauth/ 141 | .Sh AUTHORS 142 | .An -nosplit 143 | .Nm 144 | was written by 145 | .An Laurence Tratt Lk https://tratt.net/laurie/ 146 | -------------------------------------------------------------------------------- /src/user_sender.rs: -------------------------------------------------------------------------------- 1 | use std::{ 2 | error::Error, 3 | io::{stdin, Read, Write}, 4 | net::Shutdown, 5 | os::unix::net::UnixStream, 6 | path::Path, 7 | }; 8 | 9 | use crate::server::sock_path; 10 | 11 | pub fn dump(cache_path: &Path) -> Result, Box> { 12 | let sock_path = sock_path(cache_path); 13 | let mut stream = UnixStream::connect(sock_path) 14 | .map_err(|_| "pizauth authenticator not running or not responding")?; 15 | stream 16 | .write_all("dump:".as_bytes()) 17 | .map_err(|_| "Socket not writeable")?; 18 | stream.shutdown(Shutdown::Write)?; 19 | 20 | let mut buf = Vec::new(); 21 | stream.read_to_end(&mut buf)?; 22 | Ok(buf) 23 | } 24 | 25 | pub fn server_info(cache_path: &Path) -> Result> { 26 | let sock_path = sock_path(cache_path); 27 | let mut stream = UnixStream::connect(sock_path) 28 | .map_err(|_| "pizauth authenticator not running or not responding")?; 29 | stream 30 | .write_all("info:".as_bytes()) 31 | .map_err(|_| "Socket not writeable")?; 32 | stream.shutdown(Shutdown::Write)?; 33 | 34 | let mut s = String::new(); 35 | stream.read_to_string(&mut s)?; 36 | Ok(serde_json::from_str(&s)?) 37 | } 38 | 39 | pub fn refresh(cache_path: &Path, account: &str, with_url: bool) -> Result<(), Box> { 40 | let sock_path = sock_path(cache_path); 41 | let with_url = if with_url { "withurl" } else { "withouturl" }; 42 | let mut stream = UnixStream::connect(sock_path) 43 | .map_err(|_| "pizauth authenticator not running or not responding")?; 44 | stream 45 | .write_all(format!("refresh:{with_url:} {account:}").as_bytes()) 46 | .map_err(|_| "Socket not writeable")?; 47 | stream.shutdown(Shutdown::Write)?; 48 | 49 | let mut rtn = String::new(); 50 | stream.read_to_string(&mut rtn)?; 51 | match rtn.splitn(2, ':').collect::>()[..] { 52 | ["pending", url] => { 53 | Err(format!("Access token unavailable until authorised with URL {url:}").into()) 54 | } 55 | ["scheduled", ""] => Ok(()), 56 | ["error", cause] => Err(cause.into()), 57 | _ => Err(format!("Malformed response '{rtn:}'").into()), 58 | } 59 | } 60 | 61 | pub fn reload(cache_path: &Path) -> Result<(), Box> { 62 | let sock_path = sock_path(cache_path); 63 | let mut stream = UnixStream::connect(sock_path) 64 | .map_err(|_| "pizauth authenticator not running or not responding")?; 65 | stream 66 | .write_all(b"reload:") 67 | .map_err(|_| "Socket not writeable")?; 68 | stream.shutdown(Shutdown::Write)?; 69 | 70 | let mut rtn = String::new(); 71 | stream.read_to_string(&mut rtn)?; 72 | match rtn.splitn(2, ':').collect::>()[..] { 73 | ["ok", ""] => Ok(()), 74 | ["error", cause] => Err(cause.into()), 75 | _ => Err(format!("Malformed response '{rtn:}'").into()), 76 | } 77 | } 78 | 79 | pub fn restore(cache_path: &Path) -> Result<(), Box> { 80 | let mut buf = Vec::new(); 81 | stdin().read_to_end(&mut buf)?; 82 | let sock_path = sock_path(cache_path); 83 | let mut stream = UnixStream::connect(sock_path) 84 | .map_err(|_| "pizauth authenticator not running or not responding")?; 85 | stream 86 | .write_all("restore:".as_bytes()) 87 | .map_err(|_| "Socket not writeable")?; 88 | stream.write_all(&buf).map_err(|_| "Socket not writeable")?; 89 | stream.shutdown(Shutdown::Write)?; 90 | 91 | let mut rtn = String::new(); 92 | stream.read_to_string(&mut rtn)?; 93 | match rtn.splitn(2, ':').collect::>()[..] { 94 | ["ok", ""] => Ok(()), 95 | ["error", msg] => Err(msg.into()), 96 | _ => Err(format!("Malformed response '{rtn:}'").into()), 97 | } 98 | } 99 | 100 | pub fn revoke(cache_path: &Path, account: &str) -> Result<(), Box> { 101 | let sock_path = sock_path(cache_path); 102 | let mut stream = UnixStream::connect(sock_path) 103 | .map_err(|_| "pizauth authenticator not running or not responding")?; 104 | stream 105 | .write_all(format!("revoke:{account}").as_bytes()) 106 | .map_err(|_| "Socket not writeable")?; 107 | stream.shutdown(Shutdown::Write)?; 108 | 109 | let mut rtn = String::new(); 110 | stream.read_to_string(&mut rtn)?; 111 | match rtn.splitn(2, ':').collect::>()[..] { 112 | ["ok", ""] => Ok(()), 113 | ["error", cause] => Err(cause.into()), 114 | _ => Err(format!("Malformed response '{rtn:}'").into()), 115 | } 116 | } 117 | 118 | pub fn show_token(cache_path: &Path, account: &str, with_url: bool) -> Result<(), Box> { 119 | let sock_path = sock_path(cache_path); 120 | let with_url = if with_url { "withurl" } else { "withouturl" }; 121 | let mut stream = UnixStream::connect(sock_path) 122 | .map_err(|_| "pizauth authenticator not running or not responding")?; 123 | stream 124 | .write_all(format!("showtoken:{with_url:} {account:}").as_bytes()) 125 | .map_err(|_| "Socket not writeable")?; 126 | stream.shutdown(Shutdown::Write)?; 127 | 128 | let mut rtn = String::new(); 129 | stream.read_to_string(&mut rtn)?; 130 | match rtn.splitn(2, ':').collect::>()[..] { 131 | ["access_token", x] => { 132 | println!("{x:}"); 133 | Ok(()) 134 | } 135 | ["pending", url] => { 136 | Err(format!("Access token unavailable until authorised with URL {url:}").into()) 137 | } 138 | ["error", cause] => Err(cause.into()), 139 | _ => Err(format!("Malformed response '{rtn:}'").into()), 140 | } 141 | } 142 | 143 | pub fn shutdown(cache_path: &Path) -> Result<(), Box> { 144 | let sock_path = sock_path(cache_path); 145 | let mut stream = UnixStream::connect(sock_path) 146 | .map_err(|_| "pizauth authenticator not running or not responding")?; 147 | stream 148 | .write_all(b"shutdown:") 149 | .map_err(|_| "Socket not writeable")?; 150 | Ok(()) 151 | } 152 | 153 | pub fn status(cache_path: &Path) -> Result<(), Box> { 154 | let sock_path = sock_path(cache_path); 155 | let mut stream = UnixStream::connect(sock_path) 156 | .map_err(|_| "pizauth authenticator not running or not responding")?; 157 | stream 158 | .write_all("status:".as_bytes()) 159 | .map_err(|_| "Socket not writeable")?; 160 | stream.shutdown(Shutdown::Write)?; 161 | 162 | let mut rtn = String::new(); 163 | stream.read_to_string(&mut rtn)?; 164 | match rtn.splitn(2, ':').collect::>()[..] { 165 | ["ok", x] => { 166 | println!("{x:}"); 167 | Ok(()) 168 | } 169 | ["error", cause] => Err(cause.into()), 170 | _ => Err(format!("Malformed response '{rtn:}'").into()), 171 | } 172 | } 173 | -------------------------------------------------------------------------------- /src/server/notifier.rs: -------------------------------------------------------------------------------- 1 | use std::{ 2 | cmp, env, 3 | error::Error, 4 | process::Command, 5 | sync::{Arc, Condvar, Mutex}, 6 | thread, 7 | time::Duration, 8 | }; 9 | 10 | use boot_time::Instant; 11 | #[cfg(debug_assertions)] 12 | use log::debug; 13 | use log::error; 14 | 15 | use super::{AccountId, AuthenticatorState, CTGuard, TokenState, MAX_WAIT_SECS}; 16 | 17 | pub struct Notifier { 18 | pred: Mutex, 19 | condvar: Condvar, 20 | } 21 | 22 | impl Notifier { 23 | pub fn new() -> Result> { 24 | Ok(Notifier { 25 | pred: Mutex::new(false), 26 | condvar: Condvar::new(), 27 | }) 28 | } 29 | 30 | pub fn notifier( 31 | self: Arc, 32 | pstate: Arc, 33 | ) -> Result<(), Box> { 34 | thread::spawn(move || loop { 35 | let next_wakeup = self.next_wakeup(&pstate); 36 | let mut notify_lk = self.pred.lock().unwrap(); 37 | while !*notify_lk { 38 | match next_wakeup { 39 | Some(t) => match t.checked_duration_since(Instant::now()) { 40 | Some(d) => { 41 | #[cfg(debug_assertions)] 42 | debug!("Notifier: next wakeup {}", d.as_secs().to_string()); 43 | notify_lk = self.condvar.wait_timeout(notify_lk, d).unwrap().0 44 | } 45 | None => break, 46 | }, 47 | None => { 48 | #[cfg(debug_assertions)] 49 | debug!("Notifier: next wakeup "); 50 | notify_lk = self.condvar.wait(notify_lk).unwrap(); 51 | } 52 | } 53 | } 54 | *notify_lk = false; 55 | drop(notify_lk); 56 | 57 | let mut auth_cmds = Vec::new(); 58 | let mut ct_lk = pstate.ct_lock(); 59 | let now = Instant::now(); 60 | let notify_interval = ct_lk.config().auth_notify_interval; // Pulled out to avoid borrow checker problems. 61 | for act_id in ct_lk.act_ids().collect::>() { 62 | let mut ts = ct_lk.tokenstate(act_id).clone(); 63 | if let TokenState::Pending { 64 | ref mut last_notification, 65 | ref url, 66 | .. 67 | } = ts 68 | { 69 | if let Some(t) = last_notification { 70 | if let Some(t) = t.checked_add(notify_interval) { 71 | if t > now { 72 | continue; 73 | } 74 | } 75 | } 76 | *last_notification = Some(now); 77 | let url = url.clone(); 78 | let act = ct_lk.account(act_id); 79 | if let Some(ref cmd) = ct_lk.config().auth_notify_cmd { 80 | auth_cmds.push((act.name.to_owned(), cmd.clone(), url)); 81 | } 82 | ct_lk.tokenstate_replace(act_id, ts); 83 | } 84 | } 85 | drop(ct_lk); 86 | 87 | for (act_name, cmd, url) in auth_cmds.into_iter() { 88 | thread::spawn(move || match env::var("SHELL") { 89 | Ok(s) => { 90 | match Command::new(s) 91 | .env("PIZAUTH_ACCOUNT", act_name.as_str()) 92 | .env("PIZAUTH_URL", url.as_str()) 93 | .args(["-c", &cmd]) 94 | .output() 95 | { 96 | Ok(output) => { 97 | if !output.status.success() { 98 | error!( 99 | "{act_name:}: error when running '{cmd:}': {}", 100 | std::str::from_utf8(&output.stdout) 101 | .unwrap_or(" error!("{act_name:}: error when running '{cmd:}': {e:}"), 106 | } 107 | } 108 | Err(e) => error!("{e:}"), 109 | }); 110 | } 111 | }); 112 | 113 | Ok(()) 114 | } 115 | 116 | pub fn notify_changes(&self) { 117 | let mut notify_lk = self.pred.lock().unwrap(); 118 | *notify_lk = true; 119 | self.condvar.notify_one(); 120 | } 121 | 122 | fn next_wakeup(&self, pstate: &AuthenticatorState) -> Option { 123 | let ct_lk = pstate.ct_lock(); 124 | ct_lk 125 | .act_ids() 126 | .filter_map(|act_id| notify_at(pstate, &ct_lk, act_id)) 127 | .min() 128 | .map( 129 | |act_min| match Instant::now().checked_add(Duration::from_secs(MAX_WAIT_SECS)) { 130 | Some(x) => cmp::min(act_min, x), 131 | None => act_min, 132 | }, 133 | ) 134 | } 135 | 136 | pub fn notify_error( 137 | &self, 138 | pstate: &AuthenticatorState, 139 | act_name: String, 140 | msg: String, 141 | ) -> Result<(), Box> { 142 | match pstate.ct_lock().config().error_notify_cmd.clone() { 143 | Some(cmd) => { 144 | thread::spawn(move || match env::var("SHELL") { 145 | Ok(s) => { 146 | match Command::new(s) 147 | .env("PIZAUTH_ACCOUNT", act_name.as_str()) 148 | .env("PIZAUTH_MSG", msg) 149 | .args(["-c", &cmd]) 150 | .output() 151 | { 152 | Ok(output) => { 153 | if !output.status.success() { 154 | error!( 155 | "{act_name:}: error when running '{cmd:}': {}", 156 | std::str::from_utf8(&output.stdout) 157 | .unwrap_or("") 158 | ); 159 | } 160 | } 161 | Err(e) => error!("{act_name:}: error when running '{cmd:}': {e:}"), 162 | } 163 | } 164 | Err(e) => error!("{e:}"), 165 | }); 166 | } 167 | None => error!("{act_name:}: {msg:}"), 168 | } 169 | Ok(()) 170 | } 171 | } 172 | 173 | /// If `act_id` has a pending token, return the next time when that user should be notified that 174 | /// it is pending. 175 | fn notify_at(_pstate: &AuthenticatorState, ct_lk: &CTGuard, act_id: AccountId) -> Option { 176 | match ct_lk.tokenstate(act_id) { 177 | TokenState::Pending { 178 | last_notification, .. 179 | } => { 180 | match last_notification { 181 | None => Some(Instant::now()), 182 | Some(t) => { 183 | // There is no concept of Instant::MAX, so if `refreshed_at + d` exceeds 184 | // Instant's bounds, there's nothing we can fall back on. 185 | t.checked_add(ct_lk.config().auth_notify_interval) 186 | } 187 | } 188 | } 189 | _ => None, 190 | } 191 | } 192 | -------------------------------------------------------------------------------- /pizauth.conf.5: -------------------------------------------------------------------------------- 1 | .Dd $Mdocdate: September 13 2022 $ 2 | .Dt PIZAUTH.CONF 5 3 | .Os 4 | .Sh NAME 5 | .Nm pizauth.conf 6 | .Nd pizauth configuration file 7 | .Sh DESCRIPTION 8 | .Nm 9 | is the configuration file for 10 | .Xr pizauth 1 . 11 | .Pp 12 | The top-level options are: 13 | .Bl -tag -width Ds 14 | .It Sy auth_notify_cmd = Qo Em shell-cmd Qc ; 15 | specifies a shell command to be run via 16 | .Ql $SHELL -c 17 | when an account needs to be authenticated. 18 | Two special environment variables are set: 19 | .Em $PIZAUTH_ACCOUNT 20 | is set to the account name; 21 | .Em $PIZAUTH_URL 22 | is set to the URL required to authorise the account. 23 | Optional. 24 | .It Sy auth_notify_interval = Em time ; 25 | specifies the gap between reminders to the user of authentication requests. 26 | Defaults to 15 minutes if not specified. 27 | .It Sy error_notify_cmd = Qo Em shell-cmd Qc ; 28 | specifies a shell command to be run via 29 | .Ql $SHELL -c 30 | when an error has occurred when authenticating an account. 31 | Two special environment variables are set: 32 | .Em $PIZAUTH_ACCOUNT 33 | is set to the account name; 34 | .Em $PIZAUTH_MSG 35 | is set to the error message. 36 | Defaults to logging via 37 | .Xr syslog 3 38 | if not specified. 39 | .It Sy http_listen = Em none | Qo Em bind-name Qc ; 40 | specifies the address for the 41 | .Xr pizauth 1 42 | HTTP server to listen on. 43 | If 44 | .Em none 45 | is specified, the HTTP server is turned off entirely. 46 | Note that at least one of the HTTP and HTTPS servers must be turned on. 47 | Defaults to 48 | .Qq 127.0.0.1:0 . 49 | .It Sy https_listen = Em none | Qo Em bind-name Qc ; 50 | specifies the address for the 51 | .Xr pizauth 1 52 | HTTPS server to listen on. 53 | If 54 | .Em none 55 | is specified, the HTTPS server is turned off entirely. 56 | Note that at least one of the HTTP and HTTPS servers must be turned on. 57 | Defaults to 58 | .Qq 127.0.0.1:0 . 59 | .It Sy refresh_at_least = Em time ; 60 | specifies the maximum period of time before an access token will be forcibly 61 | refreshed. 62 | Defaults to 90 minutes if not specified. 63 | .It Sy refresh_before_expiry = Em time ; 64 | specifies how far in advance an access token should be refreshed before it 65 | expires. 66 | Defaults to 90 seconds if not specified. 67 | .It Sy refresh_retry = Em time ; 68 | specifies the gap between retrying refreshing after transitory errors 69 | (e.g. due to network problems). 70 | Defaults to 40 seconds if not specified. 71 | .It Sy startup_cmd = Qo Em shell-cmd Qc ; 72 | specifies a shell command to be run via 73 | .Ql $SHELL -c 74 | after pizauth's server has completed setup and is ready to accept commands. 75 | Note that unless 76 | .Fl d 77 | is set, 78 | .Sy startup_cmd 79 | will be run after 80 | .Xr pizauth 1 81 | has daemonised. 82 | The command will thus be run with stdin and stdin closed. 83 | .It Sy token_event_cmd = Qo Em shell-cmd Qc ; 84 | specifies a shell command to be run via 85 | .Ql $SHELL -c 86 | when an account's access token changes state. 87 | Two special environment variables are set: 88 | .Em $PIZAUTH_ACCOUNT 89 | is set to the account name; 90 | .Em $PIZAUTH_EVENT 91 | is set to the event type. 92 | The event types are: 93 | .Em token_invalidated 94 | if a previously valid access token is invalidated; 95 | .Em token_new 96 | if a new access token is obtained; 97 | .Em token_refreshed 98 | if an access token is refreshed; 99 | .Em token_revoked 100 | if the user has requested that any token, or ongoing authentication for, 101 | an account should be removed or cancelled. 102 | Token events are queued and processed one-by-one in the order they were 103 | received: at most one instance of 104 | .Sy token_event_cmd 105 | will be executed at any point in time; and there is no guarantee 106 | that an event reflects the current state of an account's access token, 107 | since further events may be stored in the queue. 108 | Note that 109 | .Sy token_event_cmd 110 | is subject to a 10 second timeout. 111 | Optional. 112 | .It Sy transient_error_if_cmd = Qo Em shell-cmd Qc ; 113 | specifies a shell command to be run when pizauth repeatedly encounters 114 | errors when trying to refresh a token. 115 | One special environment variable is set: 116 | .Em $PIZAUTH_ACCOUNT 117 | is set to the account name. 118 | If 119 | .Em shell-cmd 120 | returns a zero exit code, the transient errors are ignored. 121 | If 122 | .Em shell-cmd 123 | returns a non-zero exit code, or exceeds a 3 minute timeout, pizauth treats 124 | the errors as permanent: the access token is invalidated (forcing the user 125 | to later reauthenicate). 126 | Defaults to ignoring non-fatal errors if not specified. 127 | .El 128 | .Pp 129 | An 130 | .Sq account 131 | block supports the following options: 132 | .Bl -tag -width Ds 133 | .It Sy auth_uri = Qo Em URI Qc ; 134 | where 135 | .Em URI 136 | is a URI specifying the OAuth2 server's authentication URI. 137 | Mandatory. 138 | .It Sy auth_uri_fields = { Qo Em Key 1 Qc : Qo Em Val 1 Qc , ..., Qo Em Key n Qc : Qo Val n Qc } ; 139 | specifies zero or more query fields to be passed to 140 | .Sy auth_uri 141 | after any fields that 142 | .Nm 143 | may have added itself. 144 | Keys (and their values) are added to 145 | .Sy auth_uri 146 | in the order they appear in 147 | .Sy auth_uri_fields , 148 | each separated by 149 | .Qq & . 150 | The same key may be specified multiple times. 151 | Optional. 152 | .It Sy client_id = Qo Em ID Qc ; 153 | specifies the OAuth2 client ID (i.e. the identifier of the client software). 154 | Mandatory. 155 | .It Sy client_secret = Qo Em Secret Qc ; 156 | specifies the OAuth2 client secret (similar to the 157 | .Em client_id ) . 158 | Optional. 159 | .It Sy login_hint = Qo Em Hint Qc ; 160 | is used by the authentication server to help the user understand which account 161 | they are authenticating. 162 | Typically a username or email address. 163 | Optional. 164 | .Em Deprecated : 165 | use 166 | .Ql auth_uri_fields = { Qo login_hint Qc : Qo Hint Qc } 167 | instead. 168 | .It Sy redirect_uri = Qo Em URI Qc ; 169 | where 170 | .Em URI 171 | is a URI specifying the OAuth2 server's redirection URI. 172 | Defaults to 173 | .Qq http://localhost/ 174 | if not specified. 175 | .It Sy refresh_at_least = Em time ; 176 | Overrides the global 177 | .Sy refresh_at_least 178 | option for this account. 179 | Follows the same format as the global option. 180 | .It Sy refresh_before_expiry = Em time ; 181 | Overrides the global 182 | .Sy refresh_before_expiry 183 | option for this account. 184 | Follows the same format as the global option. 185 | .It Sy refresh_retry = Em time ; 186 | Overrides the global 187 | .Sy refresh_retry 188 | option for this account. 189 | Follows the same format as the global option. 190 | .It Sy scopes = [ Qo Em Scope 1 Qc , ..., Qo Em Scope n Qc ] ; 191 | specifies zero or more OAuth2 scopes (roughly speaking, 192 | .Qq permissions ) 193 | that access tokens will give you permission to utilise. 194 | Optional. 195 | .It Sy token_uri = Qo Em URI Qc ; 196 | is a URI specifying the OAuth2 server's token URI. 197 | Mandatory. 198 | .El 199 | .Pp 200 | Times can be specified as 201 | .Em int [smhd] 202 | where the suffixes mean (in order): seconds, minutes, hours, days. 203 | For example, 204 | .Em 90s 205 | means 90 seconds and 206 | .Em 5m 207 | means 5 minutes. 208 | .Sh EXAMPLES 209 | An example 210 | .Nm 211 | file for accessing IMAP and SMTP services in Office365 212 | is as follows: 213 | .Bd -literal -offset 4n 214 | account "officesmtp" { 215 | auth_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; 216 | token_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; 217 | client_id = "..."; // Fill in with your Client ID 218 | client_secret = "..."; // Fill in with your Client secret 219 | scopes = [ 220 | "https://outlook.office365.com/IMAP.AccessAsUser.All", 221 | "https://outlook.office365.com/SMTP.Send", 222 | "offline_access" 223 | ]; 224 | // You don't have to specify login_hint, but it does make 225 | // authentication a little easier. 226 | auth_uri_fields = { "login_hint": "email@example.com" }; 227 | } 228 | .Ed 229 | .Pp 230 | Note that Office365 requires the non-standard 231 | .Qq offline_access 232 | scope to be specified in order for 233 | .Xr pizauth 1 234 | to be able to operate successfully. 235 | .Sh SEE ALSO 236 | .Xr pizauth 1 237 | .Pp 238 | .Lk https://tratt.net/laurie/src/pizauth/ 239 | .Sh AUTHORS 240 | .An -nosplit 241 | .Xr pizauth 1 242 | was written by 243 | .An Laurence Tratt Lk https://tratt.net/laurie/ 244 | -------------------------------------------------------------------------------- /CHANGES.md: -------------------------------------------------------------------------------- 1 | # pizauth 1.0.8 (2025-11-02) 2 | 3 | * Add `startup_cmd` configuration option: this shell command is run after 4 | pizauth's server is fully up and running. It can be used, for example, as a 5 | callback, safe in the knowledge that the server can respond. 6 | 7 | * Add Fish completion. 8 | 9 | 10 | # pizauth 1.0.7 (2025-02-08) 11 | 12 | * Add an upper limit to the size of HTTP requests pizauth accepts. In the 13 | (admittedly rather unlikely) case that a client malfunctions, this makes it 14 | more difficult for them to accidentally cause pizauth to run out of memory. 15 | 16 | * Wake up the refresher / notifier periodically (currently every 37 seconds) to 17 | see if there is work to do. This is a crude workaround for inconsistency in 18 | operating systems as to whether "wake up in X seconds" includes time spent in 19 | suspend/hibernate or adjusted by `adjtime` and so on. 20 | 21 | * Present times (e.g. about expired tokens) in a way that is less likely to be 22 | skewed by suspend/hibernate on some operating systems. 23 | 24 | 25 | # pizauth 1.0.6 (2024-11-10) 26 | 27 | * Support HTTPS redirects. pizauth now starts, by default, both HTTP and HTTPS 28 | servers, generating a new self-signed HTTPS certificate on each invocation. 29 | 30 | `pizauth info` shows you the certificate hash so you can verify that your 31 | browser is connecting to the right HTTPS server. You can turn either (but 32 | not both!) of the HTTP and HTTPS servers off with `http_listen=off` or 33 | `https_listen=off`. This is most useful if you want to force HTTPS redirects 34 | and ensure that you're not accidentally being redirected to an HTTP URL (i.e. 35 | `http_listen=off` is the option you are most likely to be interested in). 36 | 37 | 38 | # pizauth 1.0.5 (2024-07-27) 39 | 40 | * Use `XDG_RUNTIME_DIR` instead of `XDG_DATA_HOME` for the socket path. 41 | 42 | 43 | # pizauth 1.0.4 (2024-02-04) 44 | 45 | * Add `pizauth revoke` which revokes any tokens / ongoing authentication for a 46 | given account. Note that this does *not* revoke the remote token, as OAuth2 47 | does not currently have standard support for this. 48 | 49 | * Include bash completion scripts and example systemd units. 50 | 51 | * Rework file installation to better handle a variety of OSes and file layouts. 52 | The Makefile is now only compatible with gmake. 53 | 54 | 55 | # pizauth 1.0.3 (2023-11-28) 56 | 57 | * Add `pizauth status` to see which accounts have valid tokens (or not): 58 | ``` 59 | $ pizauth status 60 | act1: No access token 61 | act2: Active access token (obtained Sat, 4 Nov 2023 21:52:11 +0000; expires Sat, 4 Nov 2023 23:20:42 +0000) 62 | act3: Active access token (obtained Sat, 4 Nov 2023 22:23:03 +0000; expires Mon, 4 Dec 2023 22:23:03 +0000) 63 | ``` 64 | 65 | * Give better syntax errors if backslashes (`\\`) are used incorrectly. 66 | 67 | 68 | # pizauth 1.0.2 (2023-10-12) 69 | 70 | * Better handle syntactically invalid requests. In particular, this causes the 71 | check for a running instance of pizauth not to cause the existing instance to 72 | exit. 73 | 74 | * Document `-v` (which can be repeated up to 4 times for increased verbosity) 75 | on `pizauth server`. 76 | 77 | 78 | # pizauth 1.0.1 (2023-08-14) 79 | 80 | * Fix location of `ring` dependency. 81 | 82 | 83 | # pizauth 1.0.0 (2023-08-13) 84 | 85 | * First stable release. 86 | 87 | * Add `pizauth info [-j]` which informs the user where pizauth is looking for 88 | configuration files and so on. For example: 89 | 90 | ``` 91 | $ pizauth info 92 | pizauth version 0.3.0: 93 | cache directory: /home/ltratt/.cache/pizauth 94 | config file: /home/ltratt/.config/pizauth.conf 95 | ``` 96 | 97 | Adding `-j` outputs the same information in JSON format for integration with 98 | external tools. The `info_format_version` field is an integer value 99 | specifying the version of the JSON output: if incompatible changes are made, 100 | this integer will be monotonically increased. 101 | 102 | 103 | # pizauth 0.3.0 (2023-05-29) 104 | 105 | ## Breaking changes 106 | 107 | * `not_transient_error_if` has been removed as a global and per-account option. 108 | In its place is a new global option `transient_error_if_cmd`. 109 | 110 | If you have an existing `not_transient_error_if` option, you will need 111 | to reconsider the shell command you execute. One possibility is to change: 112 | 113 | ``` 114 | not_transient_error_if = "shell-cmd"; 115 | ``` 116 | 117 | to: 118 | 119 | ``` 120 | transient_error_if_cmd = "! shell-cmd"; 121 | ``` 122 | 123 | `transient_error_if_cmd` sets the environment variable `$PIZAUTH_ACCOUNT` to 124 | allow you to perform different actions for different accounts if you desire. 125 | 126 | 127 | # pizauth 0.2.2 (2023-04-03) 128 | 129 | * Added a global `token_event_cmd` option, which runs a command whenever an 130 | account's token changes state. 131 | 132 | * Added `pizauth dump` and `pizauth restore` which dump and restore pizauth's 133 | token state respectively. When combined with `token_event_cmd`, these allow 134 | users to persist token state. The output from `pizauth dump` is not 135 | meaningfully encrypted: it is the user's responsibility to encrypt, or 136 | otherwise secure, the dump output. 137 | 138 | * Update an account's refresh token if it is sent to pizauth by the remote 139 | server. 140 | 141 | * Move from the unmaintained `json` to the `serde_json` crate. 142 | 143 | * Don't bother users with OAuth2 "errors" (e.g. that a token cannot be 144 | refreshed) that are better thought of as an inevitable part of the OAuth2 145 | lifecycle. 146 | 147 | 148 | # pizauth 0.2.1 (2023-03-11) 149 | 150 | * `login_hint` is now deprecated in favour of the more general `auth_uri_fields`. 151 | Change: 152 | 153 | ``` 154 | login_hint = "email@example.com"; 155 | ``` 156 | 157 | to: 158 | 159 | ``` 160 | auth_uri_fields = { "login_hint": "email@example.com" }; 161 | ``` 162 | 163 | Currently `login_hint` is silently transformed into the equivalent 164 | `auth_uri_fields` for backwards compatibility. 165 | 166 | * `auth_uri_fields` allows users to specify zero or more key/value pairs to be 167 | appended to the authorisation URI. Keys (and their values) are appended 168 | in the order they appear in `auth_uri_fields`, each separated by a `&`. The 169 | same key may be specified multiple times. 170 | 171 | * Several options can now be set globally and overridden in individual accounts: 172 | * `not_transient_error_if` 173 | * `refresh_at_least` 174 | * `refresh_before_expiry` 175 | * `refresh_retry` 176 | 177 | * `scopes` is now optional and also, equivalently, can be empty. 178 | 179 | # pizauth 0.2.0 (2022-12-14) 180 | 181 | ## Breaking changes 182 | 183 | * `auth_error_cmd` has been renamed to `error_notify_cmd`. pizauth detects the 184 | (now) incorrect usage and informs the user. 185 | 186 | * `refresh_retry_interval` has been renamed to `refresh_retry` and moved from a 187 | global to a per-account option. Its default value remains unchanged. 188 | 189 | ## Other changes 190 | 191 | * Tease out transitory / permanent refresh errors. Transitory errors are likely 192 | to be the result of temporary network problems and simply waiting for them to 193 | resolve is normally the best thing to do. By default, pizauth thus simply 194 | ignores transitory errors. 195 | 196 | Users who wish to check that transitory errors really are transitory can set 197 | `not_transitory_error_if` setting. This is a shell command that, if 198 | it returns a zero exit code, signifies that transitory errors are 199 | permanent and that an access token should be invalidated. `nc -z 200 | ` is an example of a reasonable setting. `not_transitory_error_if` is 201 | fail-safe in that if the shell command fails unnecessarily (e.g. if you 202 | specify `ping` on a network that prevents ping traffic), pizauth will 203 | invalidate the access token. 204 | 205 | * Each refresh of an account now happens in a separate thread, so stalled 206 | refreshing cannot affect other accounts. 207 | 208 | * Fix bug where newly authorised access tokens were immediately refreshed. 209 | 210 | 211 | # pizauth 0.1.1 (2022-10-20) 212 | 213 | Second alpha release. 214 | 215 | * Added global `http_listen` option to fix the IP address and port pizauth's 216 | HTTP server listens on. This is particularly useful when running pizauth on a 217 | remote machine, since it makes it easy to open an `ssh -L` tunnel to 218 | authenticate that remote instance. 219 | 220 | * Fix build on OS X by ignoring deprecation warnings for the `daemon` function. 221 | 222 | * Report config errors before daemonisation. 223 | 224 | 225 | # pizauth 0.1.0 (2022-09-29) 226 | 227 | First alpha release. 228 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # pizauth: an OAuth2 token requester daemon 2 | 3 | pizauth is a simple program for requesting, showing, and refreshing OAuth2 4 | access tokens. pizauth is formed of two components: a persistent server which 5 | interacts with the user to request tokens, and refreshes them as necessary; and 6 | a command-line interface which can be used by programs such as 7 | [fdm](https://github.com/nicm/fdm) and [msmtp](https://marlam.de/msmtp/) to 8 | authenticate with OAuth2. 9 | 10 | ## Quick setup 11 | 12 | pizauth's configuration file is `~/.config/pizauth.conf`. You need to specify 13 | at least one `account`, which tells pizauth how to authenticate against a 14 | particular OAuth2 setup. Most users will also want to receive asynchronous 15 | notifications of authorisation requests and errors, which requires setting 16 | `auth_notify_cmd` and `error_notify_cmd`. 17 | See [the bundled example configuration](examples/pizauth.conf) for more details. 18 | 19 | 20 | ### Account setup 21 | 22 | At a minimum you need to find out from your provider: 23 | 24 | * The authorisation URI. 25 | * The token URI. 26 | * Your "Client ID" (and in many cases also your "Client secret"), which 27 | identify your software. 28 | * (In some cases) The scope(s) which your OAuth2 access token will give you 29 | access to. For pizauth to be able to refresh tokens, you may need to add an 30 | explicit `offline_access` scope. 31 | * (In some cases) The redirect URI (you must copy this *exactly*, including 32 | trailing slash `/` characters). The default value of `http://localhost/` 33 | suffices in most instances. 34 | 35 | Some providers allow you to create Client IDs and Client Secrets at will (e.g. 36 | [Google](https://console.developers.google.com/projectselector/apis/credentials)). 37 | Some providers sometimes allow you to create Client IDs and Client Secrets 38 | (e.g. [Microsoft 39 | Azure](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) 40 | but allow organisations to turn off this functionality. 41 | 42 | For example, to create an account called `officesmtp` which obtains OAuth2 43 | tokens which allow you to read email via IMAP and send email via Office365's 44 | servers: 45 | 46 | ``` 47 | account "officesmtp" { 48 | auth_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; 49 | token_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; 50 | client_id = "..."; // Fill in with your Client ID 51 | client_secret = "..."; // Fill in with your Client secret 52 | scopes = [ 53 | "https://outlook.office365.com/IMAP.AccessAsUser.All", 54 | "https://outlook.office365.com/SMTP.Send", 55 | "offline_access" 56 | ]; 57 | // You don't have to specify login_hint, but it does make authentication a 58 | // little easier. 59 | auth_uri_fields = { "login_hint": "email@example.com" }; 60 | } 61 | ``` 62 | 63 | ### Notifications 64 | 65 | As standard, pizauth displays authorisation URLs and errors on stderr. If you 66 | want to use pizauth in the background, it is easy to miss such output. 67 | Fortunately, pizauth can run arbitrary commands to alert you that you need to 68 | authorise a new token, in essence giving you the ability to asynchronously 69 | display notifications. There are two main settings: 70 | 71 | * `auth_notify_cmd` notifies users that an account needs authenticating. The 72 | command is run with two environment variables set: 73 | * `PIZAUTH_ACCOUNT` is set to the account name to be authorised. 74 | * `PIZAUTH_URL` is set to the authorisation URL. 75 | * `error_notify_cmd` notifies users of errors. The command is run with two 76 | environment variables set: 77 | * `PIZAUTH_ACCOUNT` is set to the account name to be authorised. 78 | * `PIZAUTH_MSG` is set to the error message. 79 | 80 | For example to use pizauth with `notify-send`: 81 | 82 | ``` 83 | auth_notify_cmd = "if [[ \"$(notify-send -A \"Open $PIZAUTH_ACCOUNT\" -t 30000 'pizauth authorisation')\" == \"0\" ]]; then open \"$PIZAUTH_URL\"; fi"; 84 | error_notify_cmd = "notify-send -t 90000 \"pizauth error for $PIZAUTH_ACCOUNT\" \"$PIZAUTH_MSG\""; 85 | ``` 86 | 87 | In this example, `notify-send` is used to open a notification with a "Open 88 | <account>" button; if that button is clicked, then the authorisation URL 89 | is opened in the user's default web browser. 90 | 91 | 92 | ### Running pizauth 93 | 94 | You need to start the pizauth server (alternatively, start `pizauth.service`, 95 | see [systemd-unit](README.systemd.md#systemd-unit)): 96 | 97 | ```sh 98 | $ pizauth server 99 | ``` 100 | 101 | and configure software to request OAuth2 tokens with `pizauth show officesmtp`. 102 | The first time that `pizauth show officesmtp` is executed, it will print an 103 | error to stderr that includes an authorisation URL (and, if `auth_notify_cmd` 104 | is set, it will also execute that command): 105 | 106 | ``` 107 | $ pizauth show officesmtp 108 | ERROR - Token unavailable until authorised with URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize?access_type=offline&code_challenge=xpVa0mDzvR1Ozw5_cWN43DsO-k5_blQNHIzynyPfD3c&code_challenge_method=S256&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office365.com%2FSMTP.Send+offline_access&client_id=&redirect_uri=http%3A%2F%2Flocalhost%3A14204%2F&response_type=code&state=%25E6%25A0%25EF%2503h6%25BCK&client_secret=&login_hint=email@example.com 109 | ``` 110 | 111 | The user then needs to open that URL in the browser of their choice and 112 | complete authentication. Once complete, pizauth will be notified, and shortly 113 | afterwards `pizauth show officesmtp` will start showing a token on stdout: 114 | 115 | ``` 116 | $ pizauth show officesmtp 117 | DIASSPt7jlcBPTWUUCtXMWtj9TlPC6U3P3aV6C9NYrQyrhZ9L2LhyJKgl5MP7YV4 118 | ``` 119 | 120 | Note that: 121 | 122 | 1. `pizauth show` does not block: if a token is not available it will fail; 123 | once a token is available it will succeed. 124 | 2. `pizauth show` can print OAuth2 tokens which are no longer valid. By 125 | default, pizauth will continually refresh your token, but it may 126 | eventually become invalid. There will be a delay between the token 127 | becoming invalid and pizauth realising that has happened and notifying you 128 | to request a new token. 129 | 130 | 131 | ## Command-line interface 132 | 133 | pizauth's usage is: 134 | 135 | ``` 136 | pizauth dump 137 | pizauth refresh [-u] 138 | pizauth reload 139 | pizauth restore 140 | pizauth server [-c ] [-d] 141 | pizauth show [-u] 142 | pizauth shutdown 143 | ``` 144 | 145 | Where: 146 | 147 | * `pizauth refresh` tries to obtain a new access token for an account. If an 148 | access token already exists, a refresh is tried; if an access token doesn't 149 | exist, a new request is made. 150 | * `pizauth reload` causes the server to reload its configuration (this is 151 | a safe equivalent of the traditional `SIGHUP` mechanism). 152 | * `pizauth server` starts a new instance of the server. 153 | * `pizauth show` displays an access token, if one exists, for `account`. If an 154 | access token does not exist, a new request is initiated. 155 | * `pizauth shutdown` asks the server to shut itself down. 156 | 157 | `pizauth dump` and `pizauth restore` are explained in the 158 | [Persistence](#persistence) section below. 159 | 160 | 161 | ## Example integrations 162 | 163 | Once you have set up pizauth, you will then need to set up the software which 164 | needs access tokens. This section contains example configuration snippets to 165 | help you get up and running. 166 | 167 | In these examples, text in chevrons (like ``) needs to be edited to match 168 | your individual setup. The examples assume that `pizauth` is in your `$PATH`: 169 | if it is not, you will need to substitute an absolute path to `pizauth` in 170 | these snippets. 171 | 172 | ### msmtp 173 | 174 | In your configuration file (typically `~/.config/msmtp/config`): 175 | 176 | ``` 177 | account 178 | auth xoauth2 179 | host 180 | protocol smtp 181 | from 182 | user 183 | passwordeval pizauth show 184 | ``` 185 | 186 | ### mbsync 187 | 188 | Ensure you have the xoauth2 plugin for cyrus-sasl installed, and then use 189 | something like this for the IMAP account in `~/.mbsyncrc`: 190 | 191 | ``` 192 | IMAPAccount 193 | Host 194 | User 195 | PassCmd "pizauth show " 196 | AuthMechs XOAUTH2 197 | ``` 198 | 199 | 200 | ## Example account settings 201 | 202 | Each provider you wish to authenticate with will have its own settings it 203 | requires of you. These can be difficult to find, so examples are provided in 204 | this section. Caveat emptor: these settings will not work in all situations, 205 | and providers have historically required users to intermittently change their 206 | settings. 207 | 208 | ### Microsoft / Exchange 209 | 210 | You may need to create your own client ID and secret by registering with 211 | Microsoft's [identity 212 | platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app). 213 | 214 | ``` 215 | account "" { 216 | auth_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; 217 | auth_uri_fields = { "login_hint": "" }; 218 | token_uri = "https://login.microsoftonline.com/common/oauth2/v2.0/token"; 219 | client_id = ""; 220 | client_secret = ""; 221 | scopes = [ 222 | "https://outlook.office365.com/IMAP.AccessAsUser.All", 223 | "https://outlook.office365.com/POP.AccessAsUser.All", 224 | "https://outlook.office365.com/SMTP.Send", 225 | "offline_access" 226 | ]; 227 | } 228 | ``` 229 | 230 | ### Gmail 231 | 232 | You may need to create your own client ID and secret via the [credentials 233 | tab](https://console.cloud.google.com/apis/credentials/oauthclient/) of the 234 | Google Cloud Console. 235 | 236 | ``` 237 | account "" { 238 | auth_uri = "https://accounts.google.com/o/oauth2/auth"; 239 | auth_uri_fields = {"login_hint": ""}; 240 | token_uri = "https://oauth2.googleapis.com/token"; 241 | client_id = ""; 242 | client_secret = ""; 243 | scopes = ["https://mail.google.com/"]; 244 | } 245 | ``` 246 | 247 | ### Miele 248 | 249 | You may need to create your own client ID and secret via the [get involved 250 | tab](https://www.miele.com/f/com/en/register_api.aspx) of the Miele Developer 251 | site. 252 | 253 | No scopes are needed. 254 | 255 | ``` 256 | account "" { 257 | auth_uri = "https://api.mcs3.miele.com/thirdparty/login/"; 258 | token_uri = "https://api.mcs3.miele.com/thirdparty/token/"; 259 | client_id = ""; 260 | client_secret = ""; 261 | } 262 | ``` 263 | 264 | 265 | ## pizauth on a remote machine 266 | 267 | You can run pizauth on a remote machine and have your local machine 268 | authenticate that remote existence with `ssh -L`. pizauth contains a small HTTP 269 | server used to receive authentication requests. By default the HTTP server 270 | listens on a random port, but it is easiest in this scenario to fix a port with 271 | the global `http_listen` option: 272 | 273 | ``` 274 | http_listen = "127.0.0.1:"; 275 | account "..." { ... } 276 | ``` 277 | 278 | Then on your local machine (using the same `` as above run `ssh`: 279 | 280 | ``` 281 | ssh -L 127.0.0.1::127.0.0.1: 282 | ``` 283 | 284 | Then on the remote machine start `pizauth server` and then `pizauth show 285 | `. Copy the authentication URL into a browser on your local 286 | machine and continue as normal. When you see the "pizauth processing 287 | authentication: you can safely close this page." message you can close the 288 | `ssh` tunnel. If the account later needs reauthenticating (e.g. because the 289 | refresh token has become invalid), simply reopen the `ssh` tunnel, 290 | reauthenticate, and close the `ssh` tunnel. 291 | 292 | 293 | ## Persistence 294 | 295 | By design, pizauth stores tokens state only in memory, and never to disk: users 296 | never have to worry that unencrypted secrets may be accessible on disk. 297 | However, if you use pizauth on a machine where pizauth is regularly restarted 298 | (e.g. because the machine is regularly rebooted), reauthenticating each time 299 | can be frustrating. 300 | 301 | `pizauth dump` (which writes pizauth's internal token state to `stdout`) and 302 | `pizauth restore` (which restores previously dumped token state read from 303 | `stdin`) allow you to persist state, but since they contain secrets they 304 | inevitably increase your security responsibilities. Although the output from 305 | `pizauth dump` may look like it is encrypted, it is trivial for an attacker to 306 | recover secrets from it: it is strongly recommended that you immediately 307 | encrypt the output from `pizauth dump` to avoid possible security issues. 308 | 309 | The most common way to call `pizauth dump` is via the `token_event_cmd` 310 | configuration setting. `token_event_cmd` is called each time an account's 311 | tokens change state (e.g. new tokens, refreshed tokens, etc). You can use this 312 | to run an arbitrary shell command such as `pizauth dump`: 313 | 314 | ``` 315 | token_event_cmd = "pizauth dump | age --encrypt --output pizauth.age -R age_public_key"; 316 | ``` 317 | 318 | In this example, output from `pizauth dump` is immediately encrypted using 319 | [age](https://age-encryption.org/). In your machine's startup process you can 320 | then call `pizauth restore` to restore the most recent dump e.g.: 321 | 322 | ``` 323 | age --decrypt -i age_private_key -o - pizauth.age | pizauth restore 324 | ``` 325 | 326 | Note that `pizauth restore` does not change the running pizauth's 327 | configuration. Any changes in security relevant configuration between the 328 | dumping and restoring pizauth instances cause those parts of the dump to be 329 | silently ignored. 330 | 331 | 332 | ## Alternatives 333 | 334 | pizauth will not be perfect for everyone. You may also wish to consider these 335 | programs as alternatives: 336 | 337 | * [Email OAuth 2.0 Proxy](https://github.com/simonrob/email-oauth2-proxy) 338 | * [mailctl](https://github.com/pdobsan/mailctl) 339 | * [mutt_oauth2.py](https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py) 340 | * [oauth-helper-office-365](https://github.com/ahrex/oauth-helper-office-365) 341 | -------------------------------------------------------------------------------- /src/main.rs: -------------------------------------------------------------------------------- 1 | #![allow(clippy::derive_partial_eq_without_eq)] 2 | #![allow(clippy::too_many_arguments)] 3 | #![allow(clippy::type_complexity)] 4 | 5 | mod compat; 6 | mod config; 7 | mod config_ast; 8 | mod server; 9 | mod user_sender; 10 | 11 | use std::{ 12 | env::{self, current_exe}, 13 | fs, 14 | io::{stdout, Write}, 15 | os::unix::{fs::PermissionsExt, net::UnixStream}, 16 | path::PathBuf, 17 | process, thread, 18 | time::Duration, 19 | }; 20 | 21 | use getopts::Options; 22 | use log::error; 23 | use nix::sys::{ 24 | stat::{utimensat, UtimensatFlags}, 25 | time::TimeSpec, 26 | }; 27 | #[cfg(target_os = "openbsd")] 28 | use pledge::pledge; 29 | use serde_json::json; 30 | use server::sock_path; 31 | use whoami::username; 32 | 33 | use compat::daemon; 34 | use config::Config; 35 | use user_sender::show_token; 36 | 37 | /// Name of cache directory within $XDG_DATA_HOME. 38 | const PIZAUTH_CACHE_LEAF: &str = "pizauth"; 39 | /// Name of socket file within $XDG_DATA_HOME/PIZAUTH_CACHE_LEAF. 40 | const PIZAUTH_CACHE_SOCK_LEAF: &str = "pizauth.sock"; 41 | /// Name of `pizauth.conf` file relative to $XDG_CONFIG_HOME. 42 | const PIZAUTH_CONF_LEAF: &str = "pizauth.conf"; 43 | 44 | fn progname() -> String { 45 | match current_exe() { 46 | Ok(p) => p 47 | .file_name() 48 | .map(|x| x.to_str().unwrap_or("pizauth")) 49 | .unwrap_or("pizauth") 50 | .to_owned(), 51 | Err(_) => "pizauth".to_owned(), 52 | } 53 | } 54 | 55 | /// Exit with a fatal error: only to be called before the log crate is setup. 56 | fn fatal(msg: &str) -> ! { 57 | eprintln!("{msg:}"); 58 | process::exit(1); 59 | } 60 | 61 | /// Print out program usage then exit. This function must not be called after daemonisation. 62 | fn usage() -> ! { 63 | let pn = progname(); 64 | eprintln!( 65 | "Usage:\n {pn:} dump\n {pn:} info [-j]\n {pn:} refresh [-u] \n {pn:} restore\n {pn:} reload\n {pn:} revoke \n {pn:} server [-c ] [-dv]\n {pn:} show [-u] \n {pn:} shutdown\n {pn:} status" 66 | ); 67 | process::exit(1) 68 | } 69 | 70 | fn cache_path() -> PathBuf { 71 | let mut p = PathBuf::new(); 72 | match env::var_os("XDG_RUNTIME_DIR") { 73 | Some(s) => p.push(s), 74 | None => { 75 | match env::var_os("TMPDIR") { 76 | Some(s) => p.push(s), 77 | None => p.push("/tmp"), 78 | } 79 | p.push(format!("runtime-{}", username())); 80 | } 81 | } 82 | 83 | let md = |p: &PathBuf| { 84 | if !p.exists() { 85 | fs::create_dir(p).unwrap_or_else(|e| fatal(&format!("Can't create cache dir: {e}"))); 86 | } 87 | fs::set_permissions(p, PermissionsExt::from_mode(0o700)).unwrap_or_else(|_| { 88 | fatal(&format!( 89 | "Can't set permissions for {} to 0700 (octal)", 90 | p.to_str() 91 | .unwrap_or("") 92 | )) 93 | }); 94 | }; 95 | 96 | md(&p); 97 | p.push(PIZAUTH_CACHE_LEAF); 98 | md(&p); 99 | 100 | p 101 | } 102 | 103 | fn conf_path(matches: &getopts::Matches) -> PathBuf { 104 | match matches.opt_str("c") { 105 | Some(p) => PathBuf::from(&p), 106 | None => { 107 | let mut p = PathBuf::new(); 108 | match env::var_os("XDG_CONFIG_HOME") { 109 | Some(s) => p.push(s), 110 | None => match env::var_os("HOME") { 111 | Some(s) => { 112 | p.push(s); 113 | p.push(".config") 114 | } 115 | None => fatal("Neither $XDG_CONFIG_HOME or $HOME set"), 116 | }, 117 | } 118 | p.push(PIZAUTH_CONF_LEAF); 119 | if !p.is_file() { 120 | fatal(&format!( 121 | "No config file found at {}", 122 | p.to_str().unwrap_or("pizauth.conf") 123 | )); 124 | } 125 | p 126 | } 127 | } 128 | } 129 | 130 | fn main() { 131 | // Generic pledge support for all pizauth's commands. Note that the server later restricts 132 | // these further. 133 | #[cfg(target_os = "openbsd")] 134 | pledge( 135 | "stdio rpath wpath cpath tmppath inet fattr flock unix dns proc ps exec unveil", 136 | None, 137 | ) 138 | .unwrap(); 139 | 140 | let args: Vec = env::args().collect(); 141 | if args.len() < 2 { 142 | usage(); 143 | } 144 | let mut opts = Options::new(); 145 | opts.optflag("h", "help", "") 146 | .optflagmulti("v", "verbose", ""); 147 | 148 | let cache_path = cache_path(); 149 | match args[1].as_str() { 150 | "dump" => { 151 | let matches = opts.parse(&args[2..]).unwrap_or_else(|_| usage()); 152 | if matches.opt_present("h") || !matches.free.is_empty() { 153 | usage(); 154 | } 155 | stderrlog::new() 156 | .module(module_path!()) 157 | .verbosity(matches.opt_count("v")) 158 | .init() 159 | .unwrap(); 160 | match user_sender::dump(&cache_path) { 161 | Ok(d) => { 162 | stdout().write_all(&d).ok(); 163 | } 164 | Err(e) => { 165 | error!("{e:}"); 166 | process::exit(1); 167 | } 168 | } 169 | } 170 | "info" => { 171 | let matches = opts 172 | .optflagopt("c", "config", "Path to pizauth.conf.", "") 173 | .optflag("j", "", "JSON output.") 174 | .parse(&args[2..]) 175 | .unwrap_or_else(|_| usage()); 176 | if matches.opt_present("h") || !matches.free.is_empty() { 177 | usage(); 178 | } 179 | let svj = user_sender::server_info(&cache_path).ok(); 180 | let progname = progname(); 181 | let cache_path = cache_path 182 | .to_str() 183 | .unwrap_or(""); 184 | let conf_path = conf_path(&matches); 185 | let conf_path = conf_path 186 | .to_str() 187 | .unwrap_or(""); 188 | let ver = env!("CARGO_PKG_VERSION"); 189 | if matches.opt_present("j") { 190 | let mut j = json!({ 191 | "cache_directory": cache_path, 192 | "config_file": conf_path, 193 | "executed_as": progname, 194 | "info_format_version": 2, 195 | "pizauth_version": ver 196 | }); 197 | let svj = match svj { 198 | Some(x) => json!({ "server_running": true, "server_info": x}), 199 | None => json!({ "server_running": false }), 200 | }; 201 | j.as_object_mut() 202 | .unwrap() 203 | .extend(svj.as_object().unwrap().clone()); 204 | println!("{}", j); 205 | } else { 206 | println!("{progname} version {ver}:\n cache directory: {cache_path}\n config file: {conf_path}"); 207 | if let Some(svj) = svj { 208 | println!( 209 | "server running:\n HTTP port: {}\n HTTPS port: {}", 210 | svj["http_port"].as_str().unwrap(), 211 | svj["https_port"].as_str().unwrap() 212 | ); 213 | if let Some(x) = svj.get("https_pub_key") { 214 | println!(" HTTPS public key: {}", x.as_str().unwrap()); 215 | } 216 | } else { 217 | println!("server not running"); 218 | } 219 | } 220 | } 221 | "refresh" => { 222 | let matches = opts 223 | .optflag("u", "", "Don't display authorisation URLs.") 224 | .parse(&args[2..]) 225 | .unwrap_or_else(|_| usage()); 226 | if matches.opt_present("h") || matches.free.len() != 1 { 227 | usage(); 228 | } 229 | stderrlog::new() 230 | .module(module_path!()) 231 | .verbosity(matches.opt_count("v")) 232 | .init() 233 | .unwrap(); 234 | let with_url = !matches.opt_present("u"); 235 | if let Err(e) = user_sender::refresh(&cache_path, &matches.free[0], with_url) { 236 | error!("{e:}"); 237 | process::exit(1); 238 | } 239 | } 240 | "reload" => { 241 | let matches = opts.parse(&args[2..]).unwrap_or_else(|_| usage()); 242 | if matches.opt_present("h") || !matches.free.is_empty() { 243 | usage(); 244 | } 245 | stderrlog::new() 246 | .module(module_path!()) 247 | .verbosity(matches.opt_count("v")) 248 | .init() 249 | .unwrap(); 250 | if let Err(e) = user_sender::reload(&cache_path) { 251 | error!("{e:}"); 252 | process::exit(1); 253 | } 254 | } 255 | "restore" => { 256 | let matches = opts.parse(&args[2..]).unwrap_or_else(|_| usage()); 257 | if matches.opt_present("h") || !matches.free.is_empty() { 258 | usage(); 259 | } 260 | stderrlog::new() 261 | .module(module_path!()) 262 | .verbosity(matches.opt_count("v")) 263 | .init() 264 | .unwrap(); 265 | if let Err(e) = user_sender::restore(&cache_path) { 266 | error!("{e:}"); 267 | process::exit(1); 268 | } 269 | } 270 | "revoke" => { 271 | let matches = opts.parse(&args[2..]).unwrap_or_else(|_| usage()); 272 | if matches.opt_present("h") || matches.free.len() != 1 { 273 | usage(); 274 | } 275 | stderrlog::new() 276 | .module(module_path!()) 277 | .verbosity(matches.opt_count("v")) 278 | .init() 279 | .unwrap(); 280 | if let Err(e) = user_sender::revoke(&cache_path, &matches.free[0]) { 281 | error!("{e:}"); 282 | process::exit(1); 283 | } 284 | } 285 | "server" => { 286 | let matches = opts 287 | .optflagopt("c", "config", "Path to pizauth.conf.", "") 288 | .optflag("d", "", "Don't detach from the terminal.") 289 | .parse(&args[2..]) 290 | .unwrap_or_else(|_| usage()); 291 | if matches.opt_present("h") || !matches.free.is_empty() { 292 | usage(); 293 | } 294 | 295 | let sock_path = sock_path(&cache_path); 296 | if sock_path.exists() { 297 | // Is an existing authenticator running? 298 | if UnixStream::connect(&sock_path).is_ok() { 299 | eprintln!("pizauth authenticator already running"); 300 | process::exit(1); 301 | } 302 | fs::remove_file(&sock_path).ok(); 303 | } 304 | 305 | // The XDG spec says of `$XDG_RUNTIME_DIR` (where our socket file will live): 306 | // Files in this directory MAY be subjected to periodic clean-up. To ensure that your files 307 | // are not removed, they should have their access time timestamp modified at least once every 308 | // 6 hours of monotonic time 309 | let sock_path_cl = sock_path.clone(); 310 | thread::spawn(move || loop { 311 | thread::sleep(Duration::from_secs(6 * 60 * 60)); 312 | let _ = utimensat( 313 | None, 314 | &sock_path_cl, 315 | &TimeSpec::UTIME_NOW, 316 | &TimeSpec::UTIME_NOW, 317 | UtimensatFlags::NoFollowSymlink, 318 | ); 319 | }); 320 | 321 | let conf_path = conf_path(&matches); 322 | let conf = Config::from_path(&conf_path).unwrap_or_else(|m| fatal(&m)); 323 | 324 | let daemonise = !matches.opt_present("d"); 325 | if daemonise { 326 | let formatter = syslog::Formatter3164 { 327 | process: progname(), 328 | ..Default::default() 329 | }; 330 | let logger = syslog::unix(formatter) 331 | .unwrap_or_else(|e| fatal(&format!("Cannot connect to syslog: {e:}"))); 332 | let levelfilter = match matches.opt_count("v") { 333 | 0 => log::LevelFilter::Error, 334 | 1 => log::LevelFilter::Warn, 335 | 2 => log::LevelFilter::Info, 336 | 3 => log::LevelFilter::Debug, 337 | _ => log::LevelFilter::Trace, 338 | }; 339 | log::set_boxed_logger(Box::new(syslog::BasicLogger::new(logger))) 340 | .map(|()| log::set_max_level(levelfilter)) 341 | .unwrap_or_else(|e| fatal(&format!("Cannot set logger: {e:}"))); 342 | daemon(true, false).unwrap_or_else(|e| fatal(&format!("Cannot daemonise: {e:}"))); 343 | } else { 344 | stderrlog::new() 345 | .module(module_path!()) 346 | .verbosity(matches.opt_count("v")) 347 | .init() 348 | .unwrap(); 349 | } 350 | if let Err(e) = server::server(conf_path, conf, cache_path.as_path()) { 351 | error!("{e:}"); 352 | process::exit(1); 353 | } 354 | } 355 | "show" => { 356 | let matches = opts 357 | .optflag("u", "", "Don't display authorisation URLs.") 358 | .parse(&args[2..]) 359 | .unwrap_or_else(|_| usage()); 360 | if matches.opt_present("h") { 361 | usage(); 362 | } 363 | if matches.free.len() != 1 { 364 | usage(); 365 | } 366 | stderrlog::new() 367 | .module(module_path!()) 368 | .verbosity(matches.opt_count("v")) 369 | .init() 370 | .unwrap(); 371 | let account = matches.free[0].as_str(); 372 | if let Err(e) = show_token(cache_path.as_path(), account, !matches.opt_present("u")) { 373 | error!("{e:}"); 374 | process::exit(1); 375 | } 376 | } 377 | "shutdown" => { 378 | let matches = opts.parse(&args[2..]).unwrap_or_else(|_| usage()); 379 | if matches.opt_present("h") || !matches.free.is_empty() { 380 | usage(); 381 | } 382 | stderrlog::new() 383 | .module(module_path!()) 384 | .verbosity(matches.opt_count("v")) 385 | .init() 386 | .unwrap(); 387 | if let Err(e) = user_sender::shutdown(&cache_path) { 388 | error!("{e:}"); 389 | process::exit(1); 390 | } 391 | } 392 | "status" => { 393 | let matches = opts.parse(&args[2..]).unwrap_or_else(|_| usage()); 394 | if matches.opt_present("h") { 395 | usage(); 396 | } 397 | if !matches.free.is_empty() { 398 | usage(); 399 | } 400 | stderrlog::new() 401 | .module(module_path!()) 402 | .verbosity(matches.opt_count("v")) 403 | .init() 404 | .unwrap(); 405 | if let Err(e) = user_sender::status(cache_path.as_path()) { 406 | error!("{e:}"); 407 | process::exit(1); 408 | } 409 | } 410 | _ => usage(), 411 | } 412 | } 413 | -------------------------------------------------------------------------------- /src/server/mod.rs: -------------------------------------------------------------------------------- 1 | mod eventer; 2 | mod http_server; 3 | mod notifier; 4 | mod refresher; 5 | mod request_token; 6 | mod state; 7 | 8 | use std::{ 9 | collections::HashMap, 10 | env, 11 | error::Error, 12 | io::{Read, Write}, 13 | os::unix::net::{UnixListener, UnixStream}, 14 | path::{Path, PathBuf}, 15 | process::Command, 16 | sync::Arc, 17 | thread, 18 | time::{Duration, SystemTime}, 19 | }; 20 | 21 | use boot_time::Instant; 22 | use chrono::{DateTime, Local}; 23 | use log::{error, warn}; 24 | use nix::sys::signal::{raise, Signal}; 25 | #[cfg(target_os = "openbsd")] 26 | use pledge::pledge; 27 | #[cfg(target_os = "openbsd")] 28 | use unveil::unveil; 29 | 30 | use crate::{config::Config, PIZAUTH_CACHE_SOCK_LEAF}; 31 | use eventer::{Eventer, TokenEvent}; 32 | use notifier::Notifier; 33 | use refresher::Refresher; 34 | use request_token::request_token; 35 | use serde_json::json; 36 | use state::{AccountId, AuthenticatorState, CTGuard, TokenState}; 37 | 38 | /// Length of the PKCE code verifier in bytes. 39 | const CODE_VERIFIER_LEN: usize = 64; 40 | /// The timeout for ureq HTTP requests. It is recommended to make this value lower than 41 | /// REFRESH_RETRY_DEFAULT to reduce the likelihood that refresh requests overlap. 42 | pub const UREQ_TIMEOUT: Duration = Duration::from_secs(30); 43 | /// Length of the OAuth state in bytes. 44 | const STATE_LEN: usize = 8; 45 | /// When waiting to do something (e.g. in the notifier or refresher), we have the problem that when 46 | /// we ask to be woken up in "X seconds from now", operating systems do not interpret that as "wake 47 | /// you up in X seconds of wall-clock time". For example, if a machine is suspended then resumed, 48 | /// then the time the machine was out of action may not be counted as "wait time". The impact of 49 | /// ntp/adjtime and friends is also unclear. There is no portable way for us to know if any of 50 | /// these things has happened, so we are left in the unhappy situation that if a thread knows it 51 | /// has work to do in the future, it needs to wake itself up every so often to check if -- without 52 | /// us knowing it! -- the clock has changed underneath it. 53 | /// 54 | /// There is no universally good value here. Too short means that we waste resources; too long and 55 | /// the user will think that we have gone wrong; too predictable and we might end up causing weird 56 | /// spikes in performance (e.g. if we wake up exactly every 10/30/60 seconds). To make problems 57 | /// even less likely, we choose a prime number. 58 | const MAX_WAIT_SECS: u64 = 37; 59 | 60 | pub fn sock_path(cache_path: &Path) -> PathBuf { 61 | let mut p = cache_path.to_owned(); 62 | p.push(PIZAUTH_CACHE_SOCK_LEAF); 63 | p 64 | } 65 | 66 | /// Calculate the [Instant] that a token will expire at. Returns `Err` if [Instant] cannot 67 | /// represent the expiry. 68 | pub fn expiry_instant( 69 | ct_lk: &CTGuard, 70 | act_id: AccountId, 71 | refreshed_at: Instant, 72 | expires_in: u64, 73 | ) -> Result> { 74 | refreshed_at 75 | .checked_add(Duration::from_secs(expires_in)) 76 | .or_else(|| { 77 | refreshed_at.checked_add(ct_lk.account(act_id).refresh_at_least(ct_lk.config())) 78 | }) 79 | .ok_or_else(|| "Can't represent expiry".into()) 80 | } 81 | 82 | fn request(pstate: Arc, mut stream: UnixStream) -> Result<(), Box> { 83 | let mut buf = Vec::new(); 84 | stream.read_to_end(&mut buf)?; 85 | let (cmd, rest) = { 86 | let len = buf 87 | .iter() 88 | .map(|b| *b as char) 89 | .take_while(|c| *c != ':') 90 | .count(); 91 | if len == buf.len() { 92 | return Err(format!( 93 | "Syntactically invalid request '{}'", 94 | std::str::from_utf8(&buf).unwrap_or(" { 103 | stream.write_all(&pstate.dump()?)?; 104 | return Ok(()); 105 | } 106 | "info" if rest.is_empty() => { 107 | let mut m = HashMap::new(); 108 | m.insert( 109 | "http_port", 110 | match pstate.http_port { 111 | Some(x) => x.to_string(), 112 | None => "none".to_string(), 113 | }, 114 | ); 115 | m.insert( 116 | "https_port", 117 | match pstate.https_port { 118 | Some(x) => x.to_string(), 119 | None => "none".to_string(), 120 | }, 121 | ); 122 | if let Some(x) = &pstate.https_pub_key { 123 | m.insert("https_pub_key", x.clone()); 124 | } 125 | stream.write_all(json!(m).to_string().as_bytes())?; 126 | return Ok(()); 127 | } 128 | "reload" if rest.is_empty() => { 129 | match Config::from_path(&pstate.conf_path) { 130 | Ok(new_conf) => { 131 | pstate.update_conf(new_conf); 132 | stream.write_all(b"ok:")? 133 | } 134 | Err(e) => stream.write_all(format!("error:{e:}").as_bytes())?, 135 | } 136 | return Ok(()); 137 | } 138 | "refresh" => { 139 | let rest = std::str::from_utf8(rest)?; 140 | if let [with_url, act_name] = &rest.splitn(2, ' ').collect::>()[..] { 141 | let ct_lk = pstate.ct_lock(); 142 | let act_id = match ct_lk.validate_act_name(act_name) { 143 | Some(x) => x, 144 | None => { 145 | drop(ct_lk); 146 | stream.write_all(format!("error:No account '{act_name:}'").as_bytes())?; 147 | return Ok(()); 148 | } 149 | }; 150 | match ct_lk.tokenstate(act_id) { 151 | TokenState::Empty | TokenState::Pending { .. } => { 152 | let url = request_token(Arc::clone(&pstate), ct_lk, act_id)?; 153 | if *with_url == "withurl" { 154 | stream.write_all(format!("pending:{url:}").as_bytes())?; 155 | } else { 156 | stream.write_all(b"pending:")?; 157 | } 158 | } 159 | TokenState::Active { .. } => { 160 | drop(ct_lk); 161 | pstate.refresher.sched_refresh(Arc::clone(&pstate), act_id); 162 | stream.write_all(b"scheduled:")?; 163 | } 164 | } 165 | return Ok(()); 166 | } 167 | } 168 | "restore" => { 169 | match pstate.restore(rest.to_vec()) { 170 | Ok(_) => stream.write_all(b"ok:")?, 171 | Err(e) => stream.write_all(format!("error:{e:}").as_bytes())?, 172 | } 173 | return Ok(()); 174 | } 175 | "revoke" => { 176 | let act_name = std::str::from_utf8(rest)?; 177 | let mut ct_lk = pstate.ct_lock(); 178 | match ct_lk.validate_act_name(act_name) { 179 | Some(act_id) => { 180 | ct_lk.tokenstate_replace(act_id, TokenState::Empty); 181 | drop(ct_lk); 182 | 183 | pstate 184 | .eventer 185 | .token_event(act_name.to_owned(), TokenEvent::Revoked); 186 | stream.write_all(b"ok:")?; 187 | return Ok(()); 188 | } 189 | None => { 190 | drop(ct_lk); 191 | stream.write_all(format!("error:No account '{act_name:}'").as_bytes())?; 192 | return Ok(()); 193 | } 194 | }; 195 | } 196 | "showtoken" => { 197 | let rest = std::str::from_utf8(rest)?; 198 | if let [with_url, act_name] = &rest.splitn(2, ' ').collect::>()[..] { 199 | let ct_lk = pstate.ct_lock(); 200 | let act_id = match ct_lk.validate_act_name(act_name) { 201 | Some(x) => x, 202 | None => { 203 | drop(ct_lk); 204 | stream.write_all(format!("error:No account '{act_name:}'").as_bytes())?; 205 | return Ok(()); 206 | } 207 | }; 208 | match ct_lk.tokenstate(act_id) { 209 | TokenState::Empty => { 210 | let url = request_token(Arc::clone(&pstate), ct_lk, act_id)?; 211 | if *with_url == "withurl" { 212 | stream.write_all(format!("pending:{url:}").as_bytes())?; 213 | } else { 214 | stream.write_all(b"pending:")?; 215 | } 216 | } 217 | TokenState::Pending { ref url, .. } => { 218 | let response = if *with_url == "withurl" { 219 | format!("pending:{url:}") 220 | } else { 221 | "pending:".to_owned() 222 | }; 223 | drop(ct_lk); 224 | stream.write_all(response.as_bytes())?; 225 | } 226 | TokenState::Active { 227 | access_token, 228 | access_token_expiry, 229 | ongoing_refresh, 230 | .. 231 | } => { 232 | let response = if access_token_expiry > &Instant::now() { 233 | format!("access_token:{access_token:}") 234 | } else if *ongoing_refresh { 235 | "error:Access token has expired. Refreshing is in progress but has not yet succeeded" 236 | .into() 237 | } else { 238 | pstate.refresher.sched_refresh(Arc::clone(&pstate), act_id); 239 | "error:Access token has expired. Refreshing initiated".into() 240 | }; 241 | drop(ct_lk); 242 | stream.write_all(response.as_bytes())?; 243 | } 244 | } 245 | return Ok(()); 246 | } 247 | } 248 | "shutdown" if rest.is_empty() => { 249 | raise(Signal::SIGTERM).ok(); 250 | return Ok(()); 251 | } 252 | "status" if rest.is_empty() => { 253 | let ct_lk = pstate.ct_lock(); 254 | let mut acts = Vec::new(); 255 | for act_id in ct_lk.act_ids() { 256 | let act = ct_lk.account(act_id); 257 | let st = match ct_lk.tokenstate(act_id) { 258 | TokenState::Empty => "No access token".into(), 259 | TokenState::Pending { 260 | last_notification: Some(i), 261 | .. 262 | } => format!( 263 | "Access token pending authentication (last notification {})", 264 | instant_fmt(*i) 265 | ), 266 | TokenState::Pending { 267 | last_notification: None, 268 | .. 269 | } => "Access token pending authentication".into(), 270 | TokenState::Active { 271 | access_token_obtained, 272 | access_token_expiry, 273 | last_refresh_attempt, 274 | .. 275 | } => { 276 | if *access_token_expiry > Instant::now() { 277 | format!( 278 | "Active access token (obtained {}; expires {})", 279 | instant_fmt(*access_token_obtained), 280 | instant_fmt(*access_token_expiry) 281 | ) 282 | } else if let Some(i) = last_refresh_attempt { 283 | format!( 284 | "Access token expired (last refresh attempt {})", 285 | instant_fmt(*i) 286 | ) 287 | } else { 288 | "Access token expired (refresh not yet attempted)".into() 289 | } 290 | } 291 | }; 292 | acts.push(format!("{}: {st}", act.name)); 293 | } 294 | acts.sort(); 295 | if acts.is_empty() { 296 | stream.write_all(b"error:No accounts configured")?; 297 | } else { 298 | stream.write_all(format!("ok:{}", acts.join("\n")).as_bytes())?; 299 | } 300 | return Ok(()); 301 | } 302 | x => stream.write_all(format!("error:Unknown command '{x}'").as_bytes())?, 303 | } 304 | Err("Invalid command".into()) 305 | } 306 | 307 | /// Attempt to print an [Instant] as a user-readable string. By the very nature of [Instant]s, 308 | /// there is no guarantee this is possible or that the time presented is accurate. 309 | fn instant_fmt(i: Instant) -> String { 310 | let now = Instant::now(); 311 | if i < now { 312 | if let Some(d) = now.checked_duration_since(i) { 313 | if let Some(st) = SystemTime::now().checked_sub(d) { 314 | let dt: DateTime = st.into(); 315 | return dt.to_rfc2822(); 316 | } 317 | } 318 | } else if let Some(d) = i.checked_duration_since(now) { 319 | if let Some(st) = SystemTime::now().checked_add(d) { 320 | let dt: DateTime = st.into(); 321 | return dt.to_rfc2822(); 322 | } 323 | } 324 | "".into() 325 | } 326 | 327 | /// If [Config::startup_cmd] is non-`None`, call this function to run that command (in a thread, so 328 | /// this is non-blocking). 329 | fn startup_cmd(cmd: String) { 330 | thread::spawn(move || match env::var("SHELL") { 331 | Ok(s) => match Command::new(s).args(["-c", &cmd]).spawn() { 332 | Ok(mut child) => match child.wait() { 333 | Ok(status) => { 334 | if !status.success() { 335 | error!( 336 | "'{cmd:}' returned {}", 337 | status 338 | .code() 339 | .map(|x| x.to_string()) 340 | .unwrap_or_else(|| " error!("Waiting on '{cmd:}' failed: {e:}"), 345 | }, 346 | Err(e) => error!("Couldn't execute '{cmd:}': {e:}"), 347 | }, 348 | Err(e) => error!("{e:}"), 349 | }); 350 | } 351 | 352 | pub fn server(conf_path: PathBuf, conf: Config, cache_path: &Path) -> Result<(), Box> { 353 | let sock_path = sock_path(cache_path); 354 | 355 | #[cfg(target_os = "openbsd")] 356 | unveil( 357 | conf_path 358 | .as_os_str() 359 | .to_str() 360 | .ok_or("Cannot use configuration path in unveil")?, 361 | "rx", 362 | )?; 363 | #[cfg(target_os = "openbsd")] 364 | unveil( 365 | sock_path 366 | .as_os_str() 367 | .to_str() 368 | .ok_or("Cannot use socket path in unveil")?, 369 | "rwxc", 370 | )?; 371 | #[cfg(target_os = "openbsd")] 372 | unveil(std::env::var("SHELL")?, "rx")?; 373 | #[cfg(target_os = "openbsd")] 374 | unveil("/dev/random", "rx")?; 375 | #[cfg(target_os = "openbsd")] 376 | unveil("", "")?; 377 | 378 | #[cfg(target_os = "openbsd")] 379 | pledge("stdio rpath wpath inet fattr unix dns proc exec", None).unwrap(); 380 | 381 | let (http_port, http_state) = match http_server::http_server_setup(&conf)? { 382 | Some((x, y)) => (Some(x), Some(y)), 383 | None => (None, None), 384 | }; 385 | let (https_port, https_state, certified_key) = match http_server::https_server_setup(&conf)? { 386 | Some((x, y, z)) => (Some(x), Some(y), Some(z)), 387 | None => (None, None, None), 388 | }; 389 | // TODO: Store certificate into trusted folder (OS dependent..)? 390 | 391 | let eventer = Arc::new(Eventer::new()?); 392 | let notifier = Arc::new(Notifier::new()?); 393 | let refresher = Refresher::new(); 394 | 395 | let pub_key_str = certified_key.as_ref().map(|x| { 396 | x.signing_key 397 | .public_key_raw() 398 | .iter() 399 | .map(|x| format!("{x:02X}")) 400 | .collect::>() 401 | .join(":") 402 | }); 403 | 404 | let pstate = Arc::new(AuthenticatorState::new( 405 | conf_path, 406 | conf, 407 | http_port, 408 | https_port, 409 | pub_key_str, 410 | Arc::clone(&eventer), 411 | Arc::clone(¬ifier), 412 | Arc::clone(&refresher), 413 | )); 414 | 415 | if let Some(x) = http_state { 416 | http_server::http_server(Arc::clone(&pstate), x)?; 417 | } 418 | if let (Some(x), Some(y)) = (https_state, certified_key) { 419 | http_server::https_server(Arc::clone(&pstate), x, y)?; 420 | } 421 | eventer.eventer(Arc::clone(&pstate))?; 422 | refresher.refresher(Arc::clone(&pstate))?; 423 | notifier.notifier(Arc::clone(&pstate))?; 424 | 425 | let listener = UnixListener::bind(sock_path)?; 426 | if let Some(s) = &pstate.ct_lock().config().startup_cmd { 427 | startup_cmd(s.to_owned()); 428 | } 429 | for stream in listener.incoming().flatten() { 430 | let pstate = Arc::clone(&pstate); 431 | if let Err(e) = request(pstate, stream) { 432 | warn!("{e:}"); 433 | } 434 | } 435 | 436 | Ok(()) 437 | } 438 | -------------------------------------------------------------------------------- /src/server/http_server.rs: -------------------------------------------------------------------------------- 1 | use std::{ 2 | error::Error, 3 | io::{BufRead, BufReader, Read, Write}, 4 | net::TcpListener, 5 | sync::Arc, 6 | thread, 7 | time::Duration, 8 | }; 9 | 10 | use boot_time::Instant; 11 | use log::warn; 12 | use serde_json::Value; 13 | use url::Url; 14 | 15 | use rcgen::{generate_simple_self_signed, CertifiedKey, KeyPair}; 16 | use rustls::{ 17 | pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}, 18 | ServerConfig, 19 | }; 20 | 21 | use super::{ 22 | eventer::TokenEvent, expiry_instant, AccountId, AuthenticatorState, Config, TokenState, 23 | UREQ_TIMEOUT, 24 | }; 25 | 26 | /// How often should we try making a request to an OAuth server for possibly-temporary transport 27 | /// issues? 28 | const RETRY_POST: u8 = 10; 29 | /// How long to delay between each retry? 30 | const RETRY_DELAY: u64 = 6; 31 | /// What is the maximum HTTP request size, in bytes, we allow? We are less worried about malicious 32 | /// actors than we are about malfunctioning systems. We thus set this to a far higher value than we 33 | /// actually expect to see in practise: if any client connecting exceeds this, they've probably got 34 | /// real problems! 35 | const MAX_HTTP_REQUEST_SIZE: usize = 16 * 1024; 36 | 37 | /// Handle an incoming (hopefully OAuth2) HTTP request. 38 | fn request( 39 | pstate: Arc, 40 | mut stream: T, 41 | is_https: bool, 42 | ) -> Result<(), Box> { 43 | // This function is split into two halves. In the first half, we process the incoming HTTP 44 | // request: if there's a problem, it (mostly) means the request is mal-formed or stale, and 45 | // there's no effect on the tokenstate. In the second half we make a request to an OAuth 46 | // server: if there's a problem, we have to reset the tokenstate and force the user to make an 47 | // entirely fresh request. 48 | let uri = match parse_get(&mut stream, is_https) { 49 | Ok(x) => x, 50 | Err(_) => { 51 | // If someone couldn't even be bothered giving us a valid URI, it's unlikely this was a 52 | // genuine request that's worth reporting as an error. 53 | http_400(stream); 54 | return Ok(()); 55 | } 56 | }; 57 | 58 | // All valid requests (even those reporting an error!) should report back a valid "state" to 59 | // us, so fish that out of the URI and check that it matches a request we made. 60 | let state = match uri.query_pairs().find(|(k, _)| k == "state") { 61 | Some((_, state)) => state.into_owned(), 62 | None => { 63 | // As well as malformed OAuth queries this will also 404 for favicon.ico. 64 | http_404(stream); 65 | return Ok(()); 66 | } 67 | }; 68 | let mut ct_lk = pstate.ct_lock(); 69 | let act_id = match ct_lk.act_id_matching_token_state(&state) { 70 | Some(x) => x, 71 | None => { 72 | drop(ct_lk); 73 | http_200( 74 | stream, 75 | "No pending token matches request state: request a fresh token", 76 | ); 77 | return Ok(()); 78 | } 79 | }; 80 | 81 | // Now that we know which account has been matched we can check if the full URI requested 82 | // matched the redirect URI we expected for that account. 83 | let act = ct_lk.account(act_id); 84 | let expected_uri = act.redirect_uri(pstate.http_port, pstate.https_port)?; 85 | if expected_uri.scheme() != uri.scheme() 86 | || expected_uri.host_str() != uri.host_str() 87 | || expected_uri.port() != uri.port() 88 | { 89 | // If the redirect URI doesn't match then all we can do is 404. 90 | drop(ct_lk); 91 | http_404(stream); 92 | return Ok(()); 93 | } 94 | 95 | // Did authentication fail? 96 | if let Some((_, reason)) = uri.query_pairs().find(|(k, _)| k == "error") { 97 | let act_id = ct_lk.tokenstate_replace(act_id, TokenState::Empty); 98 | let act_name = ct_lk.account(act_id).name.clone(); 99 | let msg = format!( 100 | "Authentication for {} failed: {}", 101 | ct_lk.account(act_id).name, 102 | reason 103 | ); 104 | drop(ct_lk); 105 | http_400(stream); 106 | pstate.notifier.notify_error(&pstate, act_name, msg)?; 107 | return Ok(()); 108 | } 109 | 110 | // Fish out the code query. 111 | let code = match uri.query_pairs().find(|(k, _)| k == "code") { 112 | Some((_, code)) => code.to_string(), 113 | None => { 114 | // A request without a 'code' is broken. This seems very unlikely to happen and if it 115 | // does, would retrying our request from scratch improve anything? 116 | drop(ct_lk); 117 | http_400(stream); 118 | return Ok(()); 119 | } 120 | }; 121 | 122 | let code_verifier = match ct_lk.tokenstate(act_id) { 123 | TokenState::Pending { 124 | ref code_verifier, .. 125 | } => code_verifier.clone(), 126 | _ => unreachable!(), 127 | }; 128 | let token_uri = act.token_uri.clone(); 129 | let client_id = act.client_id.clone(); 130 | let redirect_uri = act 131 | .redirect_uri(pstate.http_port, pstate.https_port)? 132 | .to_string(); 133 | let mut pairs = vec![ 134 | ("code", code.as_str()), 135 | ("client_id", client_id.as_str()), 136 | ("code_verifier", code_verifier.as_str()), 137 | ("redirect_uri", redirect_uri.as_str()), 138 | ("grant_type", "authorization_code"), 139 | ]; 140 | let client_secret = act.client_secret.clone(); 141 | if let Some(ref x) = client_secret { 142 | pairs.push(("client_secret", x)); 143 | } 144 | 145 | // At this point we know we've got a sensible looking query, so we complete the HTTP request, 146 | // because we don't know how long we'll spend going through the rest of the OAuth process, and 147 | // we can notify the user another way than through their web browser. 148 | drop(ct_lk); 149 | http_200( 150 | stream, 151 | "pizauth processing authentication: you can safely close this page.", 152 | ); 153 | 154 | // Try moderately hard to deal with temporary network errors and the like, but assume that any 155 | // request that partially makes a connection but does not then fully succeed is an error (since 156 | // we can't reuse authentication codes), and we'll have to start again entirely. 157 | let mut body = None; 158 | let agent_conf = ureq::Agent::config_builder() 159 | .timeout_global(Some(UREQ_TIMEOUT)) 160 | .build(); 161 | for _ in 0..RETRY_POST { 162 | match ureq::Agent::new_with_config(agent_conf.clone()) 163 | .post(token_uri.as_str()) 164 | .send_form(pairs.clone()) 165 | { 166 | Ok(response) => { 167 | if let Ok(s) = response.into_body().read_to_string() { 168 | body = Some(s); 169 | break; 170 | } 171 | } 172 | Err(ureq::Error::StatusCode(code)) => { 173 | let reason = format!("HTTP code {code}"); 174 | fail(pstate, act_id, &reason)?; 175 | return Ok(()); 176 | } 177 | Err(_) => (), // Temporary network error or the like 178 | } 179 | thread::sleep(Duration::from_secs(RETRY_DELAY)); 180 | } 181 | let body = match body { 182 | Some(x) => x, 183 | None => { 184 | fail(pstate, act_id, &format!("couldn't connect to {token_uri:}"))?; 185 | return Ok(()); 186 | } 187 | }; 188 | 189 | let parsed = match serde_json::from_str::(&body) { 190 | Ok(x) => x, 191 | Err(e) => { 192 | fail(pstate, act_id, &format!("Invalid JSON: {e}"))?; 193 | return Ok(()); 194 | } 195 | }; 196 | 197 | let mut ct_lk = pstate.ct_lock(); 198 | if !ct_lk.is_act_id_valid(act_id) { 199 | return Ok(()); 200 | } 201 | 202 | if let Some(err_msg) = parsed["error"].as_str() { 203 | drop(ct_lk); 204 | fail(pstate, act_id, err_msg)?; 205 | return Ok(()); 206 | } 207 | 208 | match ( 209 | parsed["token_type"].as_str(), 210 | parsed["expires_in"].as_u64(), 211 | parsed["access_token"].as_str(), 212 | parsed["refresh_token"].as_str(), 213 | ) { 214 | (Some("Bearer"), Some(expires_in), Some(access_token), refresh_token) => { 215 | let now = Instant::now(); 216 | let expiry = expiry_instant(&ct_lk, act_id, now, expires_in)?; 217 | let act_name = ct_lk.account(act_id).name.to_owned(); 218 | ct_lk.tokenstate_replace( 219 | act_id, 220 | TokenState::Active { 221 | access_token: access_token.to_owned(), 222 | access_token_obtained: now, 223 | access_token_expiry: expiry, 224 | ongoing_refresh: false, 225 | consecutive_refresh_fails: 0, 226 | last_refresh_attempt: None, 227 | refresh_token: refresh_token.map(|x| x.to_owned()), 228 | }, 229 | ); 230 | drop(ct_lk); 231 | pstate.refresher.notify_changes(); 232 | pstate.eventer.token_event(act_name, TokenEvent::New); 233 | } 234 | _ => { 235 | drop(ct_lk); 236 | fail(pstate, act_id, "invalid response received")?; 237 | } 238 | } 239 | Ok(()) 240 | } 241 | 242 | /// If a request to an OAuth server has failed then notify the user of that failure and mark the 243 | /// tokenstate as [TokenState::Empty] unless the config has changed or the user has initiated a new 244 | /// request while we've been trying (unsuccessfully) with the OAuth server. 245 | fn fail( 246 | pstate: Arc, 247 | act_id: AccountId, 248 | msg: &str, 249 | ) -> Result<(), Box> { 250 | let mut ct_lk = pstate.ct_lock(); 251 | if ct_lk.is_act_id_valid(act_id) { 252 | // It's possible -- though admittedly unlikely -- that another thread has managed to grab 253 | // an `Active` token so we have to handle the possibility. 254 | let is_active = matches!(ct_lk.tokenstate(act_id), TokenState::Active { .. }); 255 | let act_id = ct_lk.tokenstate_replace(act_id, TokenState::Empty); 256 | let act_name = ct_lk.account(act_id).name.clone(); 257 | let msg = format!( 258 | "Authentication for {} failed: {msg:}", 259 | ct_lk.account(act_id).name 260 | ); 261 | drop(ct_lk); 262 | pstate 263 | .notifier 264 | .notify_error(&pstate, act_name.clone(), msg)?; 265 | if is_active { 266 | pstate 267 | .eventer 268 | .token_event(act_name, TokenEvent::Invalidated); 269 | } 270 | } 271 | Ok(()) 272 | } 273 | 274 | /// A very literal, and rather unforgiving, implementation of RFC2616 (HTTP/1.1), returning the URL 275 | /// of GET requests: returns `Err` for anything else. 276 | fn parse_get(stream: &mut T, is_https: bool) -> Result> { 277 | let mut rdr = BufReader::new(stream); 278 | let mut req_line = String::new(); 279 | rdr.read_line(&mut req_line)?; 280 | let mut http_req_size = req_line.len(); 281 | 282 | // First the request line: 283 | // Request-Line = Method SP Request-URI SP HTTP-Version CRLF 284 | // where Method = "GET" and `SP` is a single space character. 285 | let req_line_sp = req_line.split(' ').collect::>(); 286 | if !matches!(req_line_sp.as_slice(), &["GET", _, _]) { 287 | return Err("Malformed HTTP request".into()); 288 | } 289 | let path = req_line_sp[1]; 290 | 291 | // Consume rest of HTTP request 292 | let mut req: Vec = Vec::new(); 293 | loop { 294 | if http_req_size >= MAX_HTTP_REQUEST_SIZE { 295 | return Err("HTTP request exceeds maximum permitted size".into()); 296 | } 297 | let mut line = String::new(); 298 | rdr.read_line(&mut line)?; 299 | if line.as_str().trim().is_empty() { 300 | break; 301 | } 302 | http_req_size += line.len(); 303 | match line.chars().next() { 304 | Some(' ') | Some('\t') => { 305 | // Continuation of previous header 306 | match req.last_mut() { 307 | Some(x) => { 308 | // Not calling `trim_start` means that the two joined lines have at least 309 | // one space|tab between them. 310 | x.push_str(line.as_str().trim_end()); 311 | } 312 | None => return Err("Malformed HTTP header".into()), 313 | } 314 | } 315 | _ => req.push(line.as_str().trim_end().to_owned()), 316 | } 317 | } 318 | 319 | // Find the host field. 320 | let mut host = None; 321 | for f in req { 322 | // Fields are a case insensitive name, followed by a colon, then zero or more tabs/spaces, 323 | // and then the value. 324 | if let Some(i) = f.as_str().find(':') { 325 | if f.as_str()[..i].eq_ignore_ascii_case("host") { 326 | if host.is_some() { 327 | // Fields can be repeated, but that doesn't make sense for "host" 328 | return Err("Repeated 'host' field in HTTP header".into()); 329 | } 330 | let j: usize = f[i + ':'.len_utf8()..] 331 | .chars() 332 | .take_while(|c| *c == ' ' || *c == '\t') 333 | .map(|c| c.len_utf8()) 334 | .sum(); 335 | host = Some(f[i + ':'.len_utf8() + j..].to_string()); 336 | } 337 | } 338 | } 339 | 340 | // If host is Some, use addressed port to select scheme (http / https) 341 | // This works, as no HTTPS request will arrive until here on the HTTP port and vice versa 342 | match host { 343 | Some(h) => Url::parse(&format!( 344 | "{}://{h:}{path:}", 345 | if is_https { "https" } else { "http" } 346 | )) 347 | .map_err(|e| format!("Invalid request URI: {e:}").into()), 348 | None => Err("No host field specified in HTTP request".into()), 349 | } 350 | } 351 | 352 | fn http_200(mut stream: T, body: &str) { 353 | stream 354 | .write_all( 355 | format!("HTTP/1.1 200 OK\r\n\r\n

{body}

").as_bytes(), 356 | ) 357 | .ok(); 358 | } 359 | 360 | fn http_404(mut stream: T) { 361 | stream.write_all(b"HTTP/1.1 404\r\n\r\n").ok(); 362 | } 363 | 364 | fn http_400(mut stream: T) { 365 | stream.write_all(b"HTTP/1.1 400\r\n\r\n").ok(); 366 | } 367 | 368 | pub fn http_server_setup(conf: &Config) -> Result, Box> { 369 | // Bind TCP port for HTTP 370 | match &conf.http_listen { 371 | Some(http_listen) => { 372 | let listener = TcpListener::bind(http_listen)?; 373 | Ok(Some((listener.local_addr()?.port(), listener))) 374 | } 375 | None => Ok(None), 376 | } 377 | } 378 | 379 | pub fn http_server( 380 | pstate: Arc, 381 | listener: TcpListener, 382 | ) -> Result<(), Box> { 383 | thread::spawn(move || { 384 | for stream in listener.incoming().flatten() { 385 | let pstate = Arc::clone(&pstate); 386 | thread::spawn(|| { 387 | if let Err(e) = request(pstate, stream, false) { 388 | warn!("{e:}"); 389 | } 390 | }); 391 | } 392 | }); 393 | Ok(()) 394 | } 395 | 396 | pub fn https_server_setup( 397 | conf: &Config, 398 | ) -> Result)>, Box> { 399 | match &conf.https_listen { 400 | Some(https_listen) => { 401 | // Set a process wide default crypto provider. 402 | let _ = rustls::crypto::ring::default_provider().install_default(); 403 | 404 | // Generate self-signed certificate 405 | let mut names = vec![ 406 | String::from("localhost"), 407 | String::from("127.0.0.1"), 408 | String::from("::1"), 409 | ]; 410 | if let Ok(x) = hostname::get() { 411 | if let Some(x) = x.to_str() { 412 | names.push(String::from(x)); 413 | } 414 | } 415 | let cert = generate_simple_self_signed(names)?; 416 | 417 | // Bind TCP port for HTTPS 418 | let listener = TcpListener::bind(https_listen)?; 419 | Ok(Some((listener.local_addr()?.port(), listener, cert))) 420 | } 421 | None => Ok(None), 422 | } 423 | } 424 | 425 | pub fn https_server( 426 | pstate: Arc, 427 | listener: TcpListener, 428 | cert: CertifiedKey, 429 | ) -> Result<(), Box> { 430 | // Build TLS configuration. 431 | let mut server_config = ServerConfig::builder() 432 | .with_no_client_auth() 433 | .with_single_cert( 434 | vec![cert.cert.into()], 435 | PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(cert.signing_key.serialize_der())), 436 | ) 437 | .map_err(|e| e.to_string())?; 438 | 439 | // Negotiate application layer protocols: Only HTTP/1.1 is allowed 440 | server_config.alpn_protocols = vec![b"http/1.1".to_vec()]; 441 | 442 | thread::spawn(move || { 443 | for mut stream in listener.incoming().flatten() { 444 | // generate a new TLS connection 445 | let conn = rustls::ServerConnection::new(Arc::new(server_config.clone())); 446 | if let Err(e) = conn { 447 | warn!("{e:}"); 448 | continue; 449 | } 450 | let mut conn = conn.unwrap(); 451 | 452 | let pstate = Arc::clone(&pstate); 453 | thread::spawn(move || { 454 | // convert TCP stream into TLS stream 455 | let stream = rustls::Stream::new(&mut conn, &mut stream); 456 | if let Err(e) = request(pstate, stream, true) { 457 | warn!("{e:}"); 458 | } 459 | }); 460 | } 461 | }); 462 | Ok(()) 463 | } 464 | -------------------------------------------------------------------------------- /src/server/refresher.rs: -------------------------------------------------------------------------------- 1 | use std::{ 2 | cmp, 3 | collections::HashSet, 4 | env, 5 | error::Error, 6 | process::{Command, Stdio}, 7 | sync::{Arc, Condvar, Mutex}, 8 | thread, 9 | time::Duration, 10 | }; 11 | 12 | use boot_time::Instant; 13 | #[cfg(debug_assertions)] 14 | use log::debug; 15 | use log::info; 16 | use serde_json::Value; 17 | use wait_timeout::ChildExt; 18 | 19 | use super::{ 20 | eventer::TokenEvent, expiry_instant, AccountId, AuthenticatorState, CTGuard, TokenState, 21 | MAX_WAIT_SECS, UREQ_TIMEOUT, 22 | }; 23 | 24 | /// How many times can a transient error be encountered before we try `not_transient_error_if`? 25 | const TRANSIENT_ERROR_RETRIES: u64 = 6; 26 | /// How long to run `transient_error_if_cmd` commands before killing them? 27 | const TRANSIENT_ERROR_IF_CMD_TIMEOUT: Duration = Duration::from_secs(3 * 60); 28 | 29 | /// The outcome of an attempted refresh. 30 | #[derive(Debug)] 31 | enum RefreshKind { 32 | /// Refreshing terminated because the config or tokenstate changed. 33 | AccountOrTokenStateChanged, 34 | /// There is no refresh token so refreshing cannot succeed. 35 | NoRefreshToken, 36 | /// Refreshing failed in a way that is likely to repeat if retried. 37 | PermanentError(String), 38 | /// The token was refreshed. 39 | Refreshed, 40 | /// Refreshing failed but in a way that is not likely to repeat if retried. 41 | TransitoryError(AccountId, String), 42 | } 43 | 44 | pub struct Refresher { 45 | pred: Mutex, 46 | condvar: Condvar, 47 | } 48 | 49 | impl Refresher { 50 | pub fn new() -> Arc { 51 | Arc::new(Refresher { 52 | pred: Mutex::new(false), 53 | condvar: Condvar::new(), 54 | }) 55 | } 56 | 57 | pub fn sched_refresh(self: &Arc, pstate: Arc, act_id: AccountId) { 58 | let refresher = Arc::clone(self); 59 | thread::spawn(move || { 60 | let mut ct_lk = pstate.ct_lock(); 61 | if ct_lk.is_act_id_valid(act_id) { 62 | let mut new_ts = ct_lk.tokenstate(act_id).clone(); 63 | if let TokenState::Active { 64 | ref mut ongoing_refresh, 65 | .. 66 | } = new_ts 67 | { 68 | if !*ongoing_refresh { 69 | *ongoing_refresh = true; 70 | let act_id = ct_lk.tokenstate_replace(act_id, new_ts); 71 | let act_name = ct_lk.account(act_id).name.clone(); 72 | match refresher.inner_refresh(&pstate, ct_lk, act_id) { 73 | RefreshKind::AccountOrTokenStateChanged => (), 74 | RefreshKind::NoRefreshToken => (), 75 | RefreshKind::PermanentError(msg) => { 76 | info!("Permanent refresh error for {act_name}: {msg}"); 77 | pstate 78 | .eventer 79 | .token_event(act_name, TokenEvent::Invalidated); 80 | } 81 | RefreshKind::Refreshed => { 82 | refresher.notify_changes(); 83 | pstate.eventer.token_event(act_name, TokenEvent::Refresh); 84 | } 85 | RefreshKind::TransitoryError(act_id, msg) => { 86 | ct_lk = pstate.ct_lock(); 87 | if ct_lk.is_act_id_valid(act_id) { 88 | let mut new_ts = ct_lk.tokenstate(act_id).clone(); 89 | if let TokenState::Active { 90 | ref mut last_refresh_attempt, 91 | ref mut consecutive_refresh_fails, 92 | .. 93 | } = new_ts 94 | { 95 | *last_refresh_attempt = Some(Instant::now()); 96 | *consecutive_refresh_fails += 1; 97 | let consecutive_refresh_fails = *consecutive_refresh_fails; 98 | let act_id = ct_lk.tokenstate_replace(act_id, new_ts); 99 | if consecutive_refresh_fails 100 | .rem_euclid(TRANSIENT_ERROR_RETRIES) 101 | == 0 102 | { 103 | if let Some(ref cmd) = 104 | ct_lk.config().transient_error_if_cmd 105 | { 106 | let cmd = cmd.to_owned(); 107 | drop(ct_lk); 108 | match refresher.run_not_transient_error_if( 109 | cmd, 110 | act_name.as_str(), 111 | ) { 112 | Ok(()) => { 113 | ct_lk = pstate.ct_lock(); 114 | if ct_lk.is_act_id_valid(act_id) { 115 | ct_lk.tokenstate_set_ongoing_refresh( 116 | act_id, false, 117 | ); 118 | } 119 | drop(ct_lk); 120 | } 121 | Err(e) => { 122 | ct_lk = pstate.ct_lock(); 123 | if ct_lk.is_act_id_valid(act_id) { 124 | ct_lk.tokenstate_replace( 125 | act_id, 126 | TokenState::Empty, 127 | ); 128 | } 129 | drop(ct_lk); 130 | info!("Permanent refresh error for {act_name} : {e}"); 131 | pstate.eventer.token_event( 132 | act_name, 133 | TokenEvent::Invalidated, 134 | ); 135 | } 136 | }; 137 | } else { 138 | ct_lk.tokenstate_set_ongoing_refresh(act_id, false); 139 | drop(ct_lk); 140 | info!("Transitory refresh error for {act_name} : {msg}"); 141 | } 142 | } else { 143 | ct_lk.tokenstate_set_ongoing_refresh(act_id, false); 144 | drop(ct_lk); 145 | info!( 146 | "Transitory refresh error for {act_name} : {msg}" 147 | ); 148 | } 149 | } else { 150 | unreachable!(); 151 | } 152 | } else { 153 | drop(ct_lk); 154 | } 155 | // If the main refresher thread noticed we were running it 156 | // might have given up, so give it a chance to recalculate when 157 | // it should next wake up. 158 | refresher.notify_changes(); 159 | } 160 | } 161 | } 162 | } 163 | } 164 | }); 165 | } 166 | 167 | fn run_not_transient_error_if(&self, cmd: String, act_name: &str) -> Result<(), String> { 168 | match env::var("SHELL") { 169 | Ok(s) => match Command::new(s) 170 | .stdin(Stdio::null()) 171 | .stdout(Stdio::null()) 172 | .stderr(Stdio::null()) 173 | .env("PIZAUTH_ACCOUNT", act_name) 174 | .args(["-c", &cmd]) 175 | .spawn() 176 | { 177 | Ok(mut child) => match child.wait_timeout(TRANSIENT_ERROR_IF_CMD_TIMEOUT) { 178 | Ok(Some(status)) => { 179 | if status.success() { 180 | Ok(()) 181 | } else { 182 | Err(format!( 183 | "'{cmd:}' returned {}", 184 | status 185 | .code() 186 | .map(|x| x.to_string()) 187 | .unwrap_or_else(|| "".to_string()) 188 | )) 189 | } 190 | } 191 | Ok(None) => { 192 | child.kill().ok(); 193 | child.wait().ok(); 194 | Err(format!("'{cmd:}' exceeded timeout")) 195 | } 196 | Err(e) => Err(format!("Waiting on '{cmd:}' failed: {e:}")), 197 | }, 198 | Err(e) => Err(format!("Couldn't execute '{cmd:}': {e:}")), 199 | }, 200 | Err(e) => Err(format!("{e:}")), 201 | } 202 | } 203 | 204 | /// For a [TokenState::Active] token for `act_id`, refresh it, blocking until the token is 205 | /// refreshed or an error occurred. This function must be called with a [TokenState::Active] 206 | /// tokenstate. 207 | /// 208 | /// # Panics 209 | /// 210 | /// If the tokenstate is not [TokenState::Active]. 211 | fn inner_refresh( 212 | &self, 213 | pstate: &AuthenticatorState, 214 | mut ct_lk: CTGuard, 215 | mut act_id: AccountId, 216 | ) -> RefreshKind { 217 | info!("starting inner refresh"); 218 | let mut new_ts = ct_lk.tokenstate(act_id).clone(); 219 | let refresh_token = match new_ts { 220 | TokenState::Active { 221 | ref refresh_token, 222 | ref mut last_refresh_attempt, 223 | .. 224 | } => match refresh_token { 225 | Some(r) => { 226 | *last_refresh_attempt = Some(Instant::now()); 227 | let r = r.to_owned(); 228 | act_id = ct_lk.tokenstate_replace(act_id, new_ts); 229 | r 230 | } 231 | None => { 232 | ct_lk.tokenstate_replace(act_id, TokenState::Empty); 233 | return RefreshKind::NoRefreshToken; 234 | } 235 | }, 236 | _ => unreachable!("tokenstate is not TokenState::Active"), 237 | }; 238 | 239 | let act = ct_lk.account(act_id); 240 | let token_uri = act.token_uri.clone(); 241 | let client_id = act.client_id.clone(); 242 | let mut pairs = vec![ 243 | ("client_id", client_id.as_str()), 244 | ("refresh_token", refresh_token.as_str()), 245 | ("grant_type", "refresh_token"), 246 | ]; 247 | let client_secret = act.client_secret.clone(); 248 | if let Some(ref x) = client_secret { 249 | pairs.push(("client_secret", x)); 250 | } 251 | 252 | drop(ct_lk); 253 | let agent_conf = ureq::Agent::config_builder() 254 | .timeout_global(Some(UREQ_TIMEOUT)) 255 | .build(); 256 | let body = match ureq::Agent::new_with_config(agent_conf) 257 | .post(token_uri.as_str()) 258 | .send_form(pairs) 259 | { 260 | Ok(response) => match response.into_body().read_to_string() { 261 | Ok(s) => s, 262 | Err(e) => return RefreshKind::TransitoryError(act_id, e.to_string()), 263 | }, 264 | Err(ureq::Error::StatusCode(code)) => { 265 | let reason = format!("HTTP code {code}"); 266 | let mut ct_lk = pstate.ct_lock(); 267 | if ct_lk.is_act_id_valid(act_id) { 268 | ct_lk.tokenstate_replace(act_id, TokenState::Empty); 269 | return RefreshKind::PermanentError(reason); 270 | } else { 271 | return RefreshKind::AccountOrTokenStateChanged; 272 | } 273 | } 274 | Err( 275 | e @ ureq::Error::ConnectionFailed 276 | | e @ ureq::Error::HostNotFound 277 | | e @ ureq::Error::Io(_) 278 | | e @ ureq::Error::Timeout(_), 279 | ) => return RefreshKind::TransitoryError(act_id, e.to_string()), 280 | Err(e) => { 281 | let mut ct_lk = pstate.ct_lock(); 282 | if ct_lk.is_act_id_valid(act_id) { 283 | ct_lk.tokenstate_replace(act_id, TokenState::Empty); 284 | return RefreshKind::PermanentError(e.to_string()); 285 | } else { 286 | return RefreshKind::AccountOrTokenStateChanged; 287 | } 288 | } 289 | }; 290 | 291 | let parsed = match serde_json::from_str::(&body) { 292 | Ok(v) => { 293 | if let Some(e) = v["error"].as_str() { 294 | let mut ct_lk = pstate.ct_lock(); 295 | if ct_lk.is_act_id_valid(act_id) { 296 | let act_id = ct_lk.tokenstate_replace(act_id, TokenState::Empty); 297 | let msg = 298 | format!("Refreshing {} failed: {}", ct_lk.account(act_id).name, e); 299 | return RefreshKind::PermanentError(msg); 300 | } else { 301 | return RefreshKind::AccountOrTokenStateChanged; 302 | } 303 | } 304 | v 305 | } 306 | Err(e) => { 307 | let mut ct_lk = pstate.ct_lock(); 308 | if ct_lk.is_act_id_valid(act_id) { 309 | let act_id = ct_lk.tokenstate_replace(act_id, TokenState::Empty); 310 | let msg = format!("Refreshing {} failed: {e}", ct_lk.account(act_id).name); 311 | return RefreshKind::PermanentError(msg); 312 | } else { 313 | return RefreshKind::AccountOrTokenStateChanged; 314 | } 315 | } 316 | }; 317 | 318 | match ( 319 | parsed["access_token"].as_str(), 320 | parsed["expires_in"].as_u64(), 321 | parsed["token_type"].as_str(), 322 | ) { 323 | (Some(access_token), Some(expires_in), Some("Bearer")) => { 324 | let refresh_token = match parsed.get("refresh_token") { 325 | None => Some(refresh_token), 326 | Some(Value::String(x)) => Some(x.to_owned()), 327 | Some(_) => None, 328 | }; 329 | let now = Instant::now(); 330 | let mut ct_lk = pstate.ct_lock(); 331 | if ct_lk.is_act_id_valid(act_id) { 332 | let expiry = match expiry_instant(&ct_lk, act_id, now, expires_in) { 333 | Ok(x) => x, 334 | Err(e) => { 335 | ct_lk.tokenstate_replace(act_id, TokenState::Empty); 336 | return RefreshKind::PermanentError(format!("{e}")); 337 | } 338 | }; 339 | ct_lk.tokenstate_replace( 340 | act_id, 341 | TokenState::Active { 342 | access_token: access_token.to_owned(), 343 | access_token_obtained: now, 344 | access_token_expiry: expiry, 345 | ongoing_refresh: false, 346 | consecutive_refresh_fails: 0, 347 | last_refresh_attempt: None, 348 | refresh_token, 349 | }, 350 | ); 351 | drop(ct_lk); 352 | RefreshKind::Refreshed 353 | } else { 354 | RefreshKind::AccountOrTokenStateChanged 355 | } 356 | } 357 | _ => { 358 | let mut ct_lk = pstate.ct_lock(); 359 | if ct_lk.is_act_id_valid(act_id) { 360 | ct_lk.tokenstate_replace(act_id, TokenState::Empty); 361 | RefreshKind::PermanentError("Received JSON in unexpected format".to_string()) 362 | } else { 363 | RefreshKind::AccountOrTokenStateChanged 364 | } 365 | } 366 | } 367 | } 368 | 369 | /// If `act_id` has an active token, return the time when that token should be refreshed. 370 | fn refresh_at( 371 | &self, 372 | _pstate: &AuthenticatorState, 373 | ct_lk: &CTGuard, 374 | act_id: AccountId, 375 | ) -> Option { 376 | match ct_lk.tokenstate(act_id) { 377 | TokenState::Active { 378 | access_token_obtained, 379 | access_token_expiry, 380 | ongoing_refresh, 381 | last_refresh_attempt, 382 | .. 383 | } if !ongoing_refresh => { 384 | let act = &ct_lk.account(act_id); 385 | if let Some(lra) = last_refresh_attempt { 386 | // There are two ways for `last_refresh_attempt` to be non-`None`: 387 | // 1. The token expired (i.e. last_refresh_attempt > expiry). 388 | // 2. The user tried manually refreshing the token but that refreshing has 389 | // not yet succeeded (and it is possible that last_refresh_attempt < 390 | // expiry). 391 | // If the second case occurs, we assume that the user knows that the token 392 | // really needs refreshing, and we treat the token as if it had expired. 393 | if let Some(t) = lra.checked_add(act.refresh_retry(ct_lk.config())) { 394 | return Some(t.to_owned()); 395 | } 396 | } 397 | 398 | let mut expiry = access_token_expiry 399 | .checked_sub(act.refresh_before_expiry(ct_lk.config())) 400 | .unwrap_or_else(|| cmp::min(Instant::now(), *access_token_expiry)); 401 | 402 | // There is no concept of Instant::MAX, so if `access_token_obtained + d` exceeds 403 | // Instant's bounds, there's nothing we can fall back on. 404 | if let Some(t) = 405 | access_token_obtained.checked_add(act.refresh_at_least(ct_lk.config())) 406 | { 407 | expiry = cmp::min(expiry, t); 408 | } 409 | Some(expiry.to_owned()) 410 | } 411 | _ => None, 412 | } 413 | } 414 | 415 | fn next_wakeup(&self, pstate: &AuthenticatorState) -> Option { 416 | let ct_lk = pstate.ct_lock(); 417 | ct_lk 418 | .act_ids() 419 | .filter_map(|act_id| self.refresh_at(pstate, &ct_lk, act_id)) 420 | .min() 421 | .map( 422 | |act_min| match Instant::now().checked_add(Duration::from_secs(MAX_WAIT_SECS)) { 423 | Some(x) => cmp::min(act_min, x), 424 | None => act_min, 425 | }, 426 | ) 427 | } 428 | 429 | /// Notify the refresher that one or more [TokenState]s is likely to have changed in a way that 430 | /// effects the refresher. 431 | pub fn notify_changes(&self) { 432 | let mut refresh_lk = self.pred.lock().unwrap(); 433 | *refresh_lk = true; 434 | self.condvar.notify_one(); 435 | } 436 | 437 | /// Start the refresher thread. 438 | pub fn refresher( 439 | self: Arc, 440 | pstate: Arc, 441 | ) -> Result<(), Box> { 442 | let refresher = Arc::clone(&self); 443 | thread::spawn(move || loop { 444 | let next_wakeup = refresher.next_wakeup(&pstate); 445 | let mut refresh_lk = refresher.pred.lock().unwrap(); 446 | while !*refresh_lk { 447 | match next_wakeup { 448 | Some(t) => match t.checked_duration_since(Instant::now()) { 449 | Some(d) => { 450 | #[cfg(debug_assertions)] 451 | debug!("Refresher: next wakeup {}", d.as_secs().to_string()); 452 | refresh_lk = refresher.condvar.wait_timeout(refresh_lk, d).unwrap().0 453 | } 454 | None => break, 455 | }, 456 | None => { 457 | #[cfg(debug_assertions)] 458 | debug!("Refresher: next wakeup "); 459 | refresh_lk = refresher.condvar.wait(refresh_lk).unwrap(); 460 | } 461 | } 462 | } 463 | 464 | *refresh_lk = false; 465 | drop(refresh_lk); 466 | 467 | let ct_lk = pstate.ct_lock(); 468 | let now = Instant::now(); 469 | let to_refresh = ct_lk 470 | .act_ids() 471 | .filter( 472 | |act_id| match refresher.refresh_at(&pstate, &ct_lk, *act_id) { 473 | Some(t) => t <= now, 474 | None => false, 475 | }, 476 | ) 477 | .collect::>(); 478 | drop(ct_lk); 479 | 480 | for act_id in to_refresh.iter() { 481 | refresher.sched_refresh(Arc::clone(&pstate), *act_id); 482 | } 483 | }); 484 | Ok(()) 485 | } 486 | } 487 | -------------------------------------------------------------------------------- /src/server/state.rs: -------------------------------------------------------------------------------- 1 | //! This module contains pizauth's core central state. [AuthenticatorState] is the global state, 2 | //! but mostly what one is interested in are [Account]s and [TokenState]s. These are (literally) 3 | //! locked together: every [Account] has a [TokenState] and vice versa. However, a challenge is 4 | //! that we allow users to reload their config at any point: we have to be very careful about 5 | //! associating an [Account] with a [TokenState], as we don't want to hand out credentials for an 6 | //! old version of an account. 7 | //! 8 | //! To that end, we provide an abstraction [AccountId] which is a sort-of "the current version of 9 | //! an [Account]". Any change to the user's configuration of an [Account] *or* a change to an 10 | //! [Account]'s associated [TokenState] will cause the [AccountId] to change. Every time a 11 | //! [CTGuard] is dropped/reacquired, or [tokenstate_replace] is called, [AccountId]s must be 12 | //! revalidated. Failing to do so will cause panics. 13 | 14 | use std::{ 15 | collections::HashMap, 16 | error::Error, 17 | path::PathBuf, 18 | sync::{Arc, Mutex, MutexGuard}, 19 | time::SystemTime, 20 | }; 21 | 22 | use boot_time::Instant; 23 | use chacha20poly1305::{ 24 | aead::{Aead, KeyInit}, 25 | ChaCha20Poly1305, Key, Nonce, 26 | }; 27 | use rand::{rng, Rng}; 28 | use serde::{Deserialize, Serialize}; 29 | use url::Url; 30 | 31 | use super::{eventer::Eventer, notifier::Notifier, refresher::Refresher}; 32 | use crate::config::{Account, AccountDump, Config}; 33 | 34 | /// We lightly encrypt the dump output to make it at least resistant to simple string-based 35 | /// grepping. This is the length of the dump nonce. 36 | const NONCE_LEN: usize = 12; 37 | /// The ChaCha20 key for the dump. 38 | const CHACHA20_KEY: &[u8; 32] = b"\x66\xa2\x47\xa8\x5e\x48\xcf\xec\xaa\xed\x9b\x36\xeb\xa9\x7d\x53\x50\xd4\x28\x63\x75\x09\x7a\x44\xee\xff\xb9\xc4\x54\x6b\x65\xa3"; 39 | /// The format of the dump. Monotonically increment if the semantics of the `pizauth dump` change 40 | /// in an incompatible manner. 41 | const DUMP_VERSION: u64 = 1; 42 | 43 | /// pizauth's global state. 44 | pub struct AuthenticatorState { 45 | pub conf_path: PathBuf, 46 | /// The "global lock" protecting the config and current [TokenState]s. Can only be accessed via 47 | /// [AuthenticatorState::ct_lock]. 48 | locked_state: Mutex, 49 | /// Port of the HTTP server required by OAuth. 50 | pub http_port: Option, 51 | /// Port of the HTTPS server required by OAuth. 52 | pub https_port: Option, 53 | /// If an HTTPS server is running, its raw public key formatted in hex with each byte separated by `:`. 54 | pub https_pub_key: Option, 55 | pub eventer: Arc, 56 | pub notifier: Arc, 57 | pub refresher: Arc, 58 | } 59 | 60 | impl AuthenticatorState { 61 | pub fn new( 62 | conf_path: PathBuf, 63 | conf: Config, 64 | http_port: Option, 65 | https_port: Option, 66 | https_pub_key: Option, 67 | eventer: Arc, 68 | notifier: Arc, 69 | refresher: Arc, 70 | ) -> Self { 71 | AuthenticatorState { 72 | conf_path, 73 | locked_state: Mutex::new(LockedState::new(conf)), 74 | http_port, 75 | https_port, 76 | https_pub_key, 77 | eventer, 78 | notifier, 79 | refresher, 80 | } 81 | } 82 | 83 | /// Lock the config and tokens and return a guard. 84 | /// 85 | /// # Panics 86 | /// 87 | /// If another thread poisoned the underlying lock, this function will panic. There is little 88 | /// to be done in such a case, as it is likely that pizauth is in an inconsistent, and 89 | /// irretrievable, state. 90 | pub fn ct_lock(&self) -> CTGuard<'_> { 91 | CTGuard::new(self.locked_state.lock().unwrap()) 92 | } 93 | 94 | /// Update the global [Config] to `new_conf`. This cannot fail, but note that there is no 95 | /// guarantee that by the time this function calls the configuration is still the same as 96 | /// `new_conf` since another thread(s) may also have called this function. 97 | pub fn update_conf(&self, new_conf: Config) { 98 | { 99 | let mut lk = self.locked_state.lock().unwrap(); 100 | lk.update_conf(new_conf); 101 | } 102 | self.notifier.notify_changes(); 103 | self.refresher.notify_changes(); 104 | } 105 | 106 | pub fn dump(&self) -> Result, Box> { 107 | let lk = self.locked_state.lock().unwrap(); 108 | let d = lk.dump()?; 109 | drop(lk); 110 | 111 | // The aim of encrypting the dump output isn't to render it impossible to decrypt, but to 112 | // at least make it harder for people to shoot themselves in the foot by leaving important 113 | // information lurking on a file system in a way that `grep` or `strings` can easily find. 114 | let key = Key::from_slice(CHACHA20_KEY); 115 | let cipher = ChaCha20Poly1305::new(key); 116 | let mut nonce = [0u8; NONCE_LEN]; 117 | rng().fill(&mut nonce[..]); 118 | let nonce = Nonce::from_slice(&nonce); 119 | let bytes = cipher 120 | .encrypt(nonce, &*d) 121 | .map_err(|_| "Creating dump failed.")?; 122 | let mut buf = Vec::from(nonce.as_slice()); 123 | buf.extend(&bytes); 124 | Ok(buf) 125 | } 126 | 127 | pub fn restore(&self, d: Vec) -> Result<(), Box> { 128 | if d.len() < NONCE_LEN { 129 | return Err("Input too short")?; 130 | } 131 | let key = Key::from_slice(CHACHA20_KEY); 132 | let cipher = ChaCha20Poly1305::new(key); 133 | let nonce = &d[..NONCE_LEN]; 134 | let encrypted = &d[NONCE_LEN..]; 135 | let d = cipher 136 | .decrypt(Nonce::from_slice(nonce), encrypted.as_ref()) 137 | .map_err(|_| "Restoring dump failed")?; 138 | 139 | let lk = self.locked_state.lock().unwrap().restore(d); 140 | drop(lk); 141 | self.notifier.notify_changes(); 142 | self.refresher.notify_changes(); 143 | Ok(()) 144 | } 145 | } 146 | 147 | /// An invariant "I1" that must be maintained at all times is that the set of keys in 148 | /// `LockedState.config.Config.accounts` must exactly equal `LockedState.tokenstates`. This 149 | /// invariant is relied upon by a number of `unwrap` calls which assume that if a key `x` was found 150 | /// in one of these sets it is guaranteed to be found in the other. 151 | struct LockedState { 152 | config: Config, 153 | details: Vec<(String, AccountId, TokenState)>, 154 | /// The next [AccountId] we'll hand out. 155 | /// 156 | // The account ID may change frequently, and if it wraps, we lose correctness, so we use a 157 | // ludicrously large type. On my current desktop machine a quick measurement suggests that if 158 | // this was incremented at the maximum possible continuous rate, it would take about 159 | // 4,522,155,402,651,803,058,176 years before this wrapped. In contrast if we were to, 160 | // recklessly, use a u64 it could wrap in a blink-and-you-miss-it 245 years. 161 | next_account_id: u128, 162 | } 163 | 164 | impl LockedState { 165 | fn new(config: Config) -> Self { 166 | let mut details = Vec::with_capacity(config.accounts.len()); 167 | 168 | let mut next_account_id = 0; 169 | for act_name in config.accounts.keys() { 170 | let act_id = AccountId { 171 | id: next_account_id, 172 | }; 173 | next_account_id += 1; 174 | details.push((act_name.to_owned(), act_id, TokenState::Empty)); 175 | } 176 | 177 | LockedState { 178 | next_account_id, 179 | config, 180 | details, 181 | } 182 | } 183 | 184 | fn update_conf(&mut self, config: Config) { 185 | let mut details = Vec::with_capacity(config.accounts.len()); 186 | 187 | for act_name in config.accounts.keys() { 188 | if let Some(old_act) = self.config.accounts.get(act_name) { 189 | let new_act = &config.accounts[act_name]; 190 | if new_act.secure_eq(old_act) { 191 | // We know that `self.details` must contain `act_name` so the unwrap is safe. 192 | details.push( 193 | self.details 194 | .iter() 195 | .find(|x| x.0 == act_name.as_str()) 196 | .unwrap() 197 | .clone(), 198 | ); 199 | } else { 200 | // The two accounts are not the same so we can't reuse the existing tokenstate, 201 | // instead keeping it as Empty. However, we need to increment the version 202 | // number, because there could be a very long-running thread that started 203 | // acting on an Empty tokenstate, did something (very slowly), and now wants to 204 | // update its status, even though multiple other updates have happened in the 205 | // interim. Incrementing the version implicitly invalidates whatever (slow...) 206 | // calculation it has performed. 207 | details.push(( 208 | act_name.to_owned(), 209 | self.next_account_id(), 210 | TokenState::Empty, 211 | )); 212 | } 213 | } else { 214 | details.push(( 215 | act_name.to_owned(), 216 | self.next_account_id(), 217 | TokenState::Empty, 218 | )); 219 | } 220 | } 221 | 222 | self.config = config; 223 | self.details = details; 224 | } 225 | 226 | fn dump(&self) -> Result, Box> { 227 | let mut acts = HashMap::with_capacity(self.details.len()); 228 | for (act_name, _, ts) in &self.details { 229 | acts.insert( 230 | act_name.to_owned(), 231 | (self.config.accounts[act_name.as_str()].dump(), ts.dump()), 232 | ); 233 | } 234 | 235 | Ok(bincode::serde::encode_to_vec( 236 | &Dump { 237 | version: DUMP_VERSION, 238 | accounts: acts, 239 | }, 240 | bincode::config::legacy(), 241 | )?) 242 | } 243 | 244 | fn restore(&mut self, dump: Vec) -> Result<(), Box> { 245 | let d: Dump = bincode::serde::decode_from_slice(&dump, bincode::config::legacy())?.0; 246 | if d.version != DUMP_VERSION { 247 | return Err("Unknown dump version".into()); 248 | } 249 | 250 | let mut restore = HashMap::new(); 251 | for (act_name, _, old_ts) in &self.details { 252 | let act = &self.config.accounts[act_name.as_str()]; 253 | if let Some((act_dump, ts_dump)) = d.accounts.get(act_name) { 254 | if act.secure_restorable(act_dump) { 255 | let new_ts = TokenState::restore(ts_dump); 256 | match (old_ts, &new_ts) { 257 | ( 258 | &TokenState::Empty | &TokenState::Pending { .. }, 259 | &TokenState::Empty | &TokenState::Pending { .. }, 260 | ) => (), 261 | ( 262 | &TokenState::Empty | &TokenState::Pending { .. }, 263 | &TokenState::Active { .. }, 264 | ) => { 265 | restore.insert(act_name.to_owned(), new_ts); 266 | } 267 | (&TokenState::Active { .. }, _) => (), 268 | } 269 | } 270 | } 271 | } 272 | 273 | for (act_name, ts) in restore.drain() { 274 | let ts_idx = self 275 | .details 276 | .iter() 277 | .position(|(n, _, _)| n == &act_name) 278 | .unwrap(); 279 | self.details[ts_idx].1 = self.next_account_id(); 280 | self.details[ts_idx].2 = ts; 281 | } 282 | 283 | Ok(()) 284 | } 285 | 286 | /// Returns a unique [AccountId]. 287 | fn next_account_id(&mut self) -> AccountId { 288 | let new_id = AccountId { 289 | id: self.next_account_id, 290 | }; 291 | self.next_account_id += 1; 292 | new_id 293 | } 294 | } 295 | 296 | #[derive(Deserialize, Serialize)] 297 | struct Dump { 298 | version: u64, 299 | accounts: HashMap, 300 | } 301 | 302 | /// A lock guard around the [Config] and tokens. When this guard is dropped: 303 | /// 304 | /// 1. the config lock will be released. 305 | /// 2. any [AccountId] instances created from this [CTGuard] will no longer by valid 306 | /// i.e. they will not be able to access [Account]s or [TokenState]s until they are 307 | /// revalidated. 308 | pub struct CTGuard<'a> { 309 | guard: MutexGuard<'a, LockedState>, 310 | } 311 | 312 | impl<'a> CTGuard<'a> { 313 | fn new(guard: MutexGuard<'a, LockedState>) -> CTGuard<'a> { 314 | CTGuard { guard } 315 | } 316 | 317 | pub fn config(&self) -> &Config { 318 | &self.guard.config 319 | } 320 | 321 | /// If `act_name` references a current account, return a [AccountId]. 322 | pub fn validate_act_name(&self, act_name: &str) -> Option { 323 | self.guard 324 | .details 325 | .iter() 326 | .find(|x| x.0 == act_name) 327 | .map(|x| x.1) 328 | } 329 | 330 | /// Is `act_id` still a valid [AccountId]? 331 | pub fn is_act_id_valid(&self, act_id: AccountId) -> bool { 332 | self.guard.details.iter().any(|x| x.1 == act_id) 333 | } 334 | 335 | /// An iterator that will produce one [AccountId] for each currently active account. 336 | pub fn act_ids(&self) -> impl Iterator + '_ { 337 | self.guard.details.iter().map(|x| x.1) 338 | } 339 | 340 | /// Return the [AccountId] with state `state`. 341 | pub fn act_id_matching_token_state(&self, state: &str) -> Option { 342 | self.guard 343 | .details 344 | .iter() 345 | .find(|x| matches!(&x.2, TokenState::Pending { state: s, .. } if s == state)) 346 | .map(|x| x.1) 347 | } 348 | 349 | /// Return the [Account] for account `act_id`. 350 | /// 351 | /// # Panics 352 | /// 353 | /// If `act_id` is not valid. 354 | pub fn account(&self, act_id: AccountId) -> &Account { 355 | let act_name = self 356 | .guard 357 | .details 358 | .iter() 359 | .find(|x| x.1 == act_id) 360 | .map(|x| &x.0) 361 | .unwrap(); 362 | &self.guard.config.accounts[act_name] 363 | } 364 | 365 | /// Return a reference to the [TokenState] of `act_id`. The user must have validated `act_id` 366 | /// under the current [CTGuard]. 367 | /// 368 | /// # Panics 369 | /// 370 | /// If `act_id` is not valid. 371 | pub fn tokenstate(&self, act_id: AccountId) -> &TokenState { 372 | self.guard 373 | .details 374 | .iter() 375 | .find(|x| x.1 == act_id) 376 | .map(|x| &x.2) 377 | .unwrap() 378 | } 379 | 380 | /// If `act_id` is `Active`, set `ongoing_refresh` to `new_ongoing_refresh` and return the new 381 | /// `AccountId`. 382 | /// 383 | /// # Panics 384 | /// 385 | /// If `act_id` is not valid or is not `Active`. 386 | pub fn tokenstate_set_ongoing_refresh( 387 | &mut self, 388 | act_id: AccountId, 389 | new_ongoing_refresh: bool, 390 | ) -> AccountId { 391 | let i = self 392 | .guard 393 | .details 394 | .iter() 395 | .position(|x| x.1 == act_id) 396 | .unwrap(); 397 | 398 | let new_id = self.guard.next_account_id(); 399 | let ts = &mut self.guard.details[i]; 400 | if let TokenState::Active { 401 | ref mut ongoing_refresh, 402 | .. 403 | } = ts.2 404 | { 405 | ts.1 = new_id; 406 | *ongoing_refresh = new_ongoing_refresh; 407 | return new_id; 408 | } 409 | unreachable!(); 410 | } 411 | 412 | /// Update the tokenstate for `act_id` to `new_tokenstate` returning a new [AccountId] 413 | /// valid for the new tokenstate, updating the tokenstate version. 414 | /// 415 | /// # Panics 416 | /// 417 | /// If `act_id` is not valid. 418 | pub fn tokenstate_replace( 419 | &mut self, 420 | act_id: AccountId, 421 | new_tokenstate: TokenState, 422 | ) -> AccountId { 423 | let i = self 424 | .guard 425 | .details 426 | .iter() 427 | .position(|x| x.1 == act_id) 428 | .unwrap(); 429 | let new_id = self.guard.next_account_id(); 430 | self.guard.details[i].1 = new_id; 431 | self.guard.details[i].2 = new_tokenstate; 432 | new_id 433 | } 434 | } 435 | 436 | /// An account ID. Must be created by [LockedState::next_account_id]. 437 | #[derive(Copy, Clone, Debug, Eq, Hash, PartialEq)] 438 | pub struct AccountId { 439 | id: u128, 440 | } 441 | 442 | #[derive(Clone, Debug)] 443 | pub enum TokenState { 444 | /// Authentication is neither pending nor active. 445 | Empty, 446 | /// Pending authentication 447 | Pending { 448 | code_verifier: String, 449 | last_notification: Option, 450 | state: String, 451 | url: Url, 452 | }, 453 | /// There is an active token (and, possibly, also an active refresh token). 454 | Active { 455 | access_token: String, 456 | /// When did we obtain the current access_token? 457 | access_token_obtained: Instant, 458 | /// When does the current access token expire? 459 | access_token_expiry: Instant, 460 | /// We may have been given a refresh token which may allow us to obtain another access 461 | /// token when the existing one expires (notice the two "may"s!). The remaining fields in 462 | /// the `Active` variant are only relevant if `refresh_token` is `Some(...)`. 463 | refresh_token: Option, 464 | /// Is the refresher currently trying to refresh this token? 465 | ongoing_refresh: bool, 466 | /// How many times in a row has refreshing failed? This will be reset to zero when 467 | /// refreshing succeeds. 468 | consecutive_refresh_fails: u64, 469 | /// The instant in time when the last ongoing, or unsuccessful, refresh attempt was made. 470 | last_refresh_attempt: Option, 471 | }, 472 | } 473 | 474 | #[derive(Deserialize, Serialize)] 475 | /// The format of a dumped [TokenState]. Note that [std::time::Instant] instances are translated to 476 | /// [std::time::SystemTime] instances: there is no guarantee that we can precisely represent the 477 | /// latter as the former, so when conversions fail we default to setting values to 478 | /// [std::time::Instant::now()] or [std::time::SystemTime::now()], as appropriate, as a safe 479 | /// fallback. 480 | pub enum TokenStateDump { 481 | Empty, 482 | Active { 483 | access_token: String, 484 | access_token_obtained: SystemTime, 485 | access_token_expiry: SystemTime, 486 | refresh_token: Option, 487 | }, 488 | } 489 | 490 | impl TokenState { 491 | pub fn dump(&self) -> TokenStateDump { 492 | fn dump_instant(i: &Instant) -> SystemTime { 493 | let t; 494 | if let Some(d) = i.checked_duration_since(Instant::now()) { 495 | // Instant is in the future 496 | t = SystemTime::now().checked_add(d); 497 | } else if let Some(d) = Instant::now().checked_duration_since(*i) { 498 | // Instant is in the past 499 | t = SystemTime::now().checked_sub(d); 500 | } else { 501 | t = None; 502 | } 503 | t.unwrap_or_else(SystemTime::now) 504 | } 505 | 506 | match self { 507 | TokenState::Empty => TokenStateDump::Empty, 508 | TokenState::Pending { .. } => TokenStateDump::Empty, 509 | TokenState::Active { 510 | access_token, 511 | access_token_obtained, 512 | access_token_expiry, 513 | refresh_token, 514 | ongoing_refresh: _, 515 | consecutive_refresh_fails: _, 516 | last_refresh_attempt: _, 517 | } => TokenStateDump::Active { 518 | access_token: access_token.to_owned(), 519 | access_token_obtained: dump_instant(access_token_obtained), 520 | access_token_expiry: dump_instant(access_token_expiry), 521 | refresh_token: refresh_token.clone(), 522 | }, 523 | } 524 | } 525 | 526 | pub fn restore(tsd: &TokenStateDump) -> TokenState { 527 | fn restore_instant(t: &SystemTime) -> Instant { 528 | let i; 529 | if let Ok(d) = t.duration_since(SystemTime::now()) { 530 | // SystemTime is in the future 531 | i = Instant::now().checked_add(d); 532 | } else if let Ok(d) = SystemTime::now().duration_since(*t) { 533 | // SystemTime is in the past 534 | i = Instant::now().checked_sub(d); 535 | } else { 536 | i = None; 537 | } 538 | i.unwrap_or_else(Instant::now) 539 | } 540 | 541 | match tsd { 542 | TokenStateDump::Empty => TokenState::Empty, 543 | TokenStateDump::Active { 544 | access_token, 545 | access_token_obtained, 546 | access_token_expiry, 547 | refresh_token, 548 | } => TokenState::Active { 549 | access_token: access_token.clone(), 550 | access_token_obtained: restore_instant(access_token_obtained), 551 | access_token_expiry: restore_instant(access_token_expiry), 552 | refresh_token: refresh_token.clone(), 553 | ongoing_refresh: false, 554 | consecutive_refresh_fails: 0, 555 | last_refresh_attempt: None, 556 | }, 557 | } 558 | } 559 | } 560 | 561 | #[cfg(test)] 562 | mod test { 563 | use super::*; 564 | use crate::server::refresher::Refresher; 565 | use std::time::Duration; 566 | 567 | #[test] 568 | fn test_act_validation() { 569 | let conf1_str = r#" 570 | account "x" { 571 | auth_uri = "http://a.com"; 572 | client_id = "b"; 573 | client_secret = "c"; 574 | scopes = ["d", "e"]; 575 | redirect_uri = "http://f.com"; 576 | token_uri = "http://g.com"; 577 | } 578 | "#; 579 | let conf2_str = r#" 580 | account "x" { 581 | auth_uri = "http://h.com"; 582 | client_id = "b"; 583 | client_secret = "c"; 584 | scopes = ["d", "e"]; 585 | redirect_uri = "http://f.com"; 586 | token_uri = "http://g.com"; 587 | } 588 | "#; 589 | let conf3_str = r#" 590 | account "x" { 591 | auth_uri = "http://a.com"; 592 | client_id = "b"; 593 | client_secret = "c"; 594 | scopes = ["d", "e"]; 595 | redirect_uri = "http://f.com"; 596 | token_uri = "http://g.com"; 597 | } 598 | 599 | account "y" { 600 | auth_uri = "http://a.com"; 601 | client_id = "b"; 602 | client_secret = "c"; 603 | scopes = ["d", "e"]; 604 | redirect_uri = "http://f.com"; 605 | token_uri = "http://g.com"; 606 | } 607 | "#; 608 | 609 | let conf = Config::from_str(conf1_str).unwrap(); 610 | let eventer = Arc::new(Eventer::new().unwrap()); 611 | let notifier = Arc::new(Notifier::new().unwrap()); 612 | let pstate = AuthenticatorState::new( 613 | PathBuf::new(), 614 | conf, 615 | Some(0), 616 | Some(0), 617 | Some("".to_string()), 618 | eventer, 619 | notifier, 620 | Refresher::new(), 621 | ); 622 | let mut old_x_id; 623 | { 624 | let ct_lk = pstate.ct_lock(); 625 | let act_id = ct_lk.validate_act_name("x").unwrap(); 626 | old_x_id = act_id; 627 | assert_eq!(act_id, AccountId { id: 0 }); 628 | assert!(matches!(ct_lk.tokenstate(act_id), TokenState::Empty)); 629 | } 630 | 631 | let conf = Config::from_str(conf2_str).unwrap(); 632 | pstate.update_conf(conf); 633 | { 634 | let ct_lk = pstate.ct_lock(); 635 | let act_id = ct_lk.validate_act_name("x").unwrap(); 636 | assert_ne!(act_id, old_x_id); 637 | old_x_id = act_id; 638 | assert!(matches!(ct_lk.tokenstate(act_id), TokenState::Empty)); 639 | } 640 | 641 | let conf = Config::from_str(conf2_str).unwrap(); 642 | pstate.update_conf(conf); 643 | { 644 | let ct_lk = pstate.ct_lock(); 645 | let act_id = ct_lk.validate_act_name("x").unwrap(); 646 | assert_eq!(act_id, old_x_id); 647 | assert!(matches!(ct_lk.tokenstate(act_id), TokenState::Empty)); 648 | } 649 | 650 | let conf = Config::from_str(conf3_str).unwrap(); 651 | pstate.update_conf(conf); 652 | let old_y_ver; 653 | { 654 | let ct_lk = pstate.ct_lock(); 655 | let act_id = ct_lk.validate_act_name("x").unwrap(); 656 | assert_ne!(act_id, old_x_id); 657 | old_x_id = act_id; 658 | assert!(matches!(ct_lk.tokenstate(act_id), TokenState::Empty)); 659 | 660 | let act_id = ct_lk.validate_act_name("y").unwrap(); 661 | old_y_ver = act_id.id; 662 | assert!(matches!(ct_lk.tokenstate(act_id), TokenState::Empty)); 663 | } 664 | 665 | let conf = Config::from_str(conf2_str).unwrap(); 666 | pstate.update_conf(conf); 667 | { 668 | let ct_lk = pstate.ct_lock(); 669 | 670 | let act_id = ct_lk.validate_act_name("x").unwrap(); 671 | assert_ne!(act_id, old_x_id); 672 | old_x_id = act_id; 673 | assert!(matches!(ct_lk.tokenstate(act_id), TokenState::Empty)); 674 | 675 | assert!(ct_lk.validate_act_name("y").is_none()); 676 | assert!(!ct_lk.is_act_id_valid(AccountId { id: old_y_ver })); 677 | } 678 | 679 | { 680 | let mut ct_lk = pstate.ct_lock(); 681 | let act_id = ct_lk.validate_act_name("x").unwrap(); 682 | let act_id = ct_lk.tokenstate_replace( 683 | act_id, 684 | TokenState::Pending { 685 | code_verifier: "abc".to_owned(), 686 | last_notification: None, 687 | state: "xyz".to_string(), 688 | url: Url::parse("http://a.com/").unwrap(), 689 | }, 690 | ); 691 | assert_ne!(act_id, old_x_id); 692 | old_x_id = act_id; 693 | assert!(matches!( 694 | ct_lk.tokenstate(act_id), 695 | TokenState::Pending { .. } 696 | )); 697 | } 698 | 699 | let conf = Config::from_str(conf2_str).unwrap(); 700 | pstate.update_conf(conf); 701 | { 702 | let ct_lk = pstate.ct_lock(); 703 | let act_id = ct_lk.validate_act_name("x").unwrap(); 704 | assert_eq!(act_id, old_x_id); 705 | assert!(matches!( 706 | ct_lk.tokenstate(act_id), 707 | TokenState::Pending { .. } 708 | )); 709 | } 710 | 711 | let conf = Config::from_str(conf1_str).unwrap(); 712 | pstate.update_conf(conf); 713 | { 714 | let ct_lk = pstate.ct_lock(); 715 | let act_id = ct_lk.validate_act_name("x").unwrap(); 716 | assert_ne!(act_id, old_x_id); 717 | assert!(matches!(ct_lk.tokenstate(act_id), TokenState::Empty)); 718 | } 719 | } 720 | 721 | #[test] 722 | fn dump_restore() { 723 | let conf_str = r#" 724 | account "x" { 725 | auth_uri = "http://a.com"; 726 | client_id = "b"; 727 | client_secret = "c"; 728 | scopes = ["d", "e"]; 729 | redirect_uri = "http://f.com"; 730 | token_uri = "http://g.com"; 731 | } 732 | 733 | account "y" { 734 | auth_uri = "http://a.com"; 735 | client_id = "b"; 736 | client_secret = "c"; 737 | scopes = ["d", "e"]; 738 | redirect_uri = "http://f.com"; 739 | token_uri = "http://g.com"; 740 | } 741 | "#; 742 | 743 | let conf = Config::from_str(conf_str).unwrap(); 744 | let eventer = Arc::new(Eventer::new().unwrap()); 745 | let notifier = Arc::new(Notifier::new().unwrap()); 746 | let pstate = AuthenticatorState::new( 747 | PathBuf::new(), 748 | conf, 749 | Some(0), 750 | Some(0), 751 | Some("".to_string()), 752 | eventer, 753 | notifier, 754 | Refresher::new(), 755 | ); 756 | let old_x_id; 757 | { 758 | let ct_lk = pstate.ct_lock(); 759 | old_x_id = ct_lk.validate_act_name("x").unwrap(); 760 | assert!(matches!(ct_lk.tokenstate(old_x_id), TokenState::Empty)); 761 | } 762 | let dump = pstate.dump().unwrap(); 763 | 764 | { 765 | pstate.restore(dump.clone()).unwrap(); 766 | 767 | let ct_lk = pstate.ct_lock(); 768 | let x_id = ct_lk.validate_act_name("x").unwrap(); 769 | assert_eq!(old_x_id, x_id); 770 | assert!(matches!(ct_lk.tokenstate(x_id), TokenState::Empty)); 771 | } 772 | 773 | { 774 | let mut ct_lk = pstate.ct_lock(); 775 | let act_id = ct_lk.validate_act_name("x").unwrap(); 776 | ct_lk.tokenstate_replace( 777 | act_id, 778 | TokenState::Pending { 779 | code_verifier: "abc".to_owned(), 780 | last_notification: None, 781 | state: "xyz".to_string(), 782 | url: Url::parse("http://a.com/").unwrap(), 783 | }, 784 | ); 785 | } 786 | 787 | { 788 | pstate.restore(dump.clone()).unwrap(); 789 | 790 | let ct_lk = pstate.ct_lock(); 791 | let x_id = ct_lk.validate_act_name("x").unwrap(); 792 | assert_ne!(old_x_id, x_id); 793 | assert!(matches!(ct_lk.tokenstate(x_id), TokenState::Pending { .. })); 794 | } 795 | 796 | { 797 | let mut ct_lk = pstate.ct_lock(); 798 | let act_id = ct_lk.validate_act_name("x").unwrap(); 799 | ct_lk.tokenstate_replace( 800 | act_id, 801 | TokenState::Active { 802 | access_token: "abc".to_owned(), 803 | access_token_obtained: Instant::now(), 804 | access_token_expiry: Instant::now() 805 | .checked_add(Duration::from_secs(60)) 806 | .unwrap(), 807 | refresh_token: None, 808 | ongoing_refresh: false, 809 | consecutive_refresh_fails: 0, 810 | last_refresh_attempt: None, 811 | }, 812 | ); 813 | } 814 | let dump = pstate.dump().unwrap(); 815 | 816 | { 817 | pstate.restore(dump.clone()).unwrap(); 818 | 819 | let ct_lk = pstate.ct_lock(); 820 | let x_id = ct_lk.validate_act_name("x").unwrap(); 821 | assert_ne!(old_x_id, x_id); 822 | assert!(matches!(ct_lk.tokenstate(x_id), TokenState::Active { .. })); 823 | } 824 | 825 | let conf = Config::from_str(conf_str).unwrap(); 826 | let eventer = Arc::new(Eventer::new().unwrap()); 827 | let notifier = Arc::new(Notifier::new().unwrap()); 828 | let pstate = AuthenticatorState::new( 829 | PathBuf::new(), 830 | conf, 831 | Some(0), 832 | Some(0), 833 | Some("".to_string()), 834 | eventer, 835 | notifier, 836 | Refresher::new(), 837 | ); 838 | 839 | let old_x_id; 840 | { 841 | let ct_lk = pstate.ct_lock(); 842 | old_x_id = ct_lk.validate_act_name("x").unwrap(); 843 | assert!(matches!(ct_lk.tokenstate(old_x_id), TokenState::Empty)); 844 | } 845 | 846 | { 847 | pstate.restore(dump.clone()).unwrap(); 848 | 849 | let ct_lk = pstate.ct_lock(); 850 | let x_id = ct_lk.validate_act_name("x").unwrap(); 851 | dbg!(ct_lk.tokenstate(x_id)); 852 | assert_ne!(old_x_id, x_id); 853 | assert!(matches!(ct_lk.tokenstate(x_id), TokenState::Active { .. })); 854 | } 855 | } 856 | } 857 | --------------------------------------------------------------------------------