1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
|
-- ACF Authenticator - does validation and loads sub-authenticator to read/write database
-- We store the login info in the passwd table, "" field. It looks like
-- password:username:ROLE1[,ROLE2...]
module (..., package.seeall)
require("modelfunctions")
format = require("acf.format")
require("md5")
require("posix")
require("session")
-- This is the sub-authenticator
-- In the future, this will be set based upon configuration
-- This is a public variable to allow other controllers (ie tinydns) to do their own permissions
if APP and APP.conf and APP.conf.authenticator and APP.conf.authenticator ~= "" then
auth = require(string.gsub(APP.conf.authenticator, "%.lua$", ""))
else
auth = require("authenticator-plaintext")
end
-- Publicly define the pre-defined tables
usertable = "passwd"
roletable = "roles"
-- This will hold the auth structure from the database
local authstruct = {}
local complete = false
local parse_entry = function(id, entry)
local a
if id and id ~= "" and entry and entry ~= "" then
local fields = {}
for x in string.gmatch(entry or "", "([^:]*):?") do
fields[#fields + 1] = x
end
a = {}
a.userid = id
a.password = fields[1] or ""
a.username = fields[2] or ""
a.roles = fields[3] or ""
a.skin = fields[4] or ""
a.home = fields[5] or ""
authstruct[id] = a
end
return a
end
local load_database = function(self)
if not complete then
local authtable = auth.read_field(self, usertable, "") or {}
authstruct = {}
for i,value in ipairs(authtable) do
parse_entry(value.id, value.entry)
end
complete = true
end
end
local get_id = function(self, userid)
if not authstruct[userid] then
parse_entry(userid, auth.read_entry(self, usertable, "", userid))
end
return authstruct[userid]
end
-- verify a plaintextword against a hash
-- returns:
-- true if password matches or
-- false if password does not match
local verify_password = function(plaintext, pwhash)
--[[
from man crypt(3):
If salt is a character string starting with the characters "$id$" fol-
lowed by a string terminated by "$":
$id$salt$encrypted
then instead of using the DES machine, id identifies the encryption
method used and this then determines how the rest of the password
string is interpreted. The following values of id are supported:
ID | Method
---------------------------------------------------------
1 | MD5
2a | Blowfish (not in mainline glibc; added in some
| Linux distributions)
5 | SHA-256 (since glibc 2.7)
6 | SHA-512 (since glibc 2.7)
]]--
local algo_salt, hash = string.match(pwhash, "^(%$%d%$[a-zA-Z0-9./]+%$)(.*)")
if algo_salt ~= nil and hash ~= nil then
return (pwhash == posix.crypt(plaintext, algo_salt))
end
-- fall back to old style md5 checksum
return (pwhash == md5.sumhexa(plaintext))
end
local b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./"
local mksalt = function()
local file = io.open("/dev/urandom")
local str = ""
if file == nil then return nil end
for i = 1,16 do
local offset = (string.byte(file:read(1)) % 64) + 1
str = str .. string.sub (b64, offset, offset)
end
return "$6$"..str.."$"
end
--- public methods
-- This function returns true or false, and
-- if false: the reason for failure
authenticate = function(self, userid, password)
local errtxt
if not userid or not password then
errtxt = "Invalid parameter"
else
local id = get_id(self, userid)
if not id then
errtxt = "Userid not found"
elseif not verify_password(password, id.password) then
errtxt = "Invalid password"
end
end
return (errtxt == nil), errtxt
end
-- This function returns the username, roles, ...
get_userinfo = function(self, userid)
local id = get_id(self, userid)
if id then
-- Make a copy so roles don't get changed in the authstruct
local result = {}
for n,v in pairs(id) do
result[n]=v
end
local tmp = {}
for x in string.gmatch(id.roles or "", "([^,]+),?") do
tmp[#tmp + 1] = x
end
result.roles = tmp
return result
end
return nil
end
write_userinfo = function(self, userinfo)
if not userinfo or not userinfo.userid or userinfo.userid == "" then
return false
end
id = get_id(self, userinfo.userid) or {}
-- Username, password, roles, skin, home are allowed to not exist, just leave the same
id.userid = userinfo.userid
if userinfo.username then id.username = userinfo.username end
if userinfo.password then id.password = posix.crypt(userinfo.password, mksalt()) end
if userinfo.roles then id.roles = table.concat(userinfo.roles, ",") end
if userinfo.skin then id.skin = userinfo.skin end
if userinfo.home then id.home = userinfo.home end
local success = auth.write_entry(self, usertable, "", id.userid, (id.password or "")..":"..(id.username or "")..":"..(id.roles or "")..":"..(id.skin or "")..":"..(id.home or ""))
authstruct[userinfo.userid] = nil
get_id(self, id.userid)
if success and self.sessiondata and self.sessiondata.userinfo and self.sessiondata.userinfo.userid == id.userid then
self.sessiondata.userinfo = {}
for name,value in pairs(id) do
if name == "roles" then
if value == "" then
value = "GUEST"
else
value = value..",GUEST"
end
self.sessiondata.userinfo.roles = format.string_to_table(value, "%s*,%s*")
else
self.sessiondata.userinfo[name] = value
end
end
self.logevent(session.serialize("userinfo", self.sessiondata.userinfo))
end
return success
end
list_users = function (self)
load_database(self)
local output = {}
for k in pairs(authstruct) do
table.insert(output,k)
end
return output
end
delete_user = function (self, userid)
authstruct[userid] = nil
return auth.delete_entry(self, usertable, "", userid)
end
|