Skip to content

GitLab

Switch branch/tag
Find file Normal viewHistoryPermalink
lib.rs 6.46 KB
Newer Older
liming6's avatar
init commit  
liming6 committed
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22 
use std::ffi::{CStr, CString};
use std::fs::OpenOptions;
use std::os::raw::{c_int,c_char};
use std::ptr;
use std::sync::atomic::{AtomicBool, Ordering::SeqCst};
use anyhow::Result;
use libpam_sys::{pam_get_user,pam_handle,PAM_SUCCESS};
use serde_json::json;
use ureq::{Agent};
use totp_rs::{Algorithm, TOTP, Secret};
use base64::{Engine as _, engine::general_purpose};
use std::io::Write;

/*
认证流程:

获取用户名、主机IP地址(如果用户是root,直接放行)
发送请求到指定接口(超时也放行)
如果返回0表示放行,返回1表示不放行

*/
liming6's avatar
fix 优化日志逻辑  
liming6 committed
23
24
25 
static  PAM_AUTH_ERR: c_int = 9;
// 是否开启debug模式的标志
static  DEBUG: AtomicBool = AtomicBool::new(false);
liming6's avatar
init commit  
liming6 committed
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42 


#[unsafe(no_mangle)]
pub extern "C" fn pam_sm_authenticate(pamh: *mut pam_handle,flags: c_int,argc: c_int,argv: *const*const c_char) -> c_int {
    PAM_SUCCESS
}

#[unsafe(no_mangle)]
pub unsafe extern "C" fn pam_sm_acct_mgmt(pamh: *mut pam_handle,flags: c_int,argc: c_int,argv: *const*const c_char) -> c_int {
    unsafe {
        let mut user_ptr: *const c_char = ptr::null();
        let prompt = CString::new("Username: ").unwrap();
        let status = pam_get_user(pamh,&mut user_ptr, prompt.as_ptr());
        if status != PAM_SUCCESS as c_int || user_ptr.is_null() {
            return PAM_AUTH_ERR;
        }
        let uname = CStr::from_ptr(user_ptr).to_string_lossy();
liming6's avatar
fix 优化日志逻辑  
liming6 committed
43
liming6's avatar
init commit  
liming6 committed
44
45
46
47
48
49 
        // 如果是root用户,必然成功
        if uname == "root" {
            return PAM_SUCCESS;
        }
        let res_arg = parse_args(argc, argv);
        if res_arg.is_err() {
liming6's avatar
fix 优化日志逻辑  
liming6 committed
50
51
52 
            // 如果解析参数错误,必生成日志
            DEBUG.store(true, SeqCst);
            wirte_log(&format!("=== parse_args error: {}", res_arg.err().unwrap()));
liming6's avatar
init commit  
liming6 committed
53
54 
            return PAM_SUCCESS;
        }
liming6's avatar
fix 优化日志逻辑  
liming6 committed
55
56 
        wirte_log(format!("----- a login auth start, user: {} -----",uname).as_str());
        wirte_log(format!("--- parse_args: {:?}", res_arg.as_ref().unwrap()).as_str());
liming6's avatar
init commit  
liming6 committed
57
58
59 
        let arg = res_arg.unwrap();
        let res = query_access(&uname, &arg.0, &arg.1);
        if res.is_err() {
liming6's avatar
fix 优化日志逻辑  
liming6 committed
60 
            wirte_log(format!("=== query_access error: {}", res.err().unwrap()).as_str());
liming6's avatar
init commit  
liming6 committed
61
62 
            return PAM_SUCCESS;
        } else {
liming6's avatar
fix 优化日志逻辑  
liming6 committed
63 
            wirte_log(format!("--- query_access success: {}", res.as_ref().unwrap()).as_str());
liming6's avatar
init commit  
liming6 committed
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109 
            if *res.as_ref().unwrap() {
                return PAM_SUCCESS;
            } else {
                return PAM_AUTH_ERR;
            }
        }
    }
}

#[unsafe(no_mangle)]
pub extern "C" fn pam_sm_setcred(pamh: *mut pam_handle,flags: c_int,argc: c_int,argv: *const*const c_char) -> c_int {
    PAM_SUCCESS
}

/// 解析参数,返回的结果是url和totp密钥
unsafe fn parse_args(argc: c_int, argv:*const*const c_char) -> Result<(String,String)> {
    let mut args = Vec::<String>::new();
    unsafe {
        for i in 0..argc {
            let arg_ptr = *argv.offset(i as isize);
            if !arg_ptr.is_null() {
                if let Ok(s) = CStr::from_ptr(arg_ptr).to_str() {
                    args.push(s.to_string());
                }
            }
        }
    }
    let mut result:(String,String) = (String::default(),String::default());
    for i in &args {
        if i.starts_with("url=") {
            result.0 = i.strip_prefix("url=").unwrap().to_string();
            continue;
        }
        if i.starts_with("totp=") {
            result.1 = i.strip_prefix("totp=").unwrap().to_string();
            continue;
        }
        if i == "debug" {
            DEBUG.store(true,SeqCst);
            continue;
        }
    }
    Ok(result)
}
liming6's avatar
fix 优化日志逻辑  
liming6 committed
110 
/// 若开启调试模式,就将信息追加到日志文件中
liming6's avatar
init commit  
liming6 committed
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142 
fn wirte_log(msg: &str) {
    if DEBUG.load(SeqCst) {
        let mut file = OpenOptions::new().append(true).create(true).open("/tmp/pam_rs.log").unwrap();
        _ = writeln!(&mut file, "{}", msg);
    }
}



/// 查询是否允许登录,远端返回0表示允许,其他值表示不允许
fn query_access(user: &str, url: &str, secret: &str) -> Result<bool> {

    let sec = Secret::Encoded(secret.to_string()).to_bytes()?;
    let totp = TOTP::new(Algorithm::SHA1,6,1,30,sec)?;
    let mut code = totp.generate_current()?;
    code = general_purpose::STANDARD.encode(code);

    let a = local_ip_address::list_afinet_netifas()?;
    let mut ips = Vec::<String>::with_capacity(4);
    for i in &a {
        if i.1.is_ipv4() && i.1.to_string() != "127.0.0.1" {
            ips.push(i.1.to_string());
        }
    }
    let config = ureq::Agent::config_builder().timeout_global(Some(std::time::Duration::from_secs(1))).build();
    let agent: Agent = config.into();
    let mut res = agent.post(url)
        .header("Authorization", format!("Bearer {}", code))
        .send(json!({
            "user": user,
            "host": &ips,
        }).to_string())?;
liming6's avatar
fix 优化日志逻辑  
liming6 committed
143
144
145 
    let query_res = res.body_mut().read_to_string()?;
    if query_res.eq("0") {
        wirte_log(format!("--- login ok, user: {}", user).as_str());
liming6's avatar
init commit  
liming6 committed
146
147 
        return Ok(true);
    } else {
liming6's avatar
fix 优化日志逻辑  
liming6 committed
148 
        wirte_log(format!("=== login fail, user: {}, post return: {}", user, query_res).as_str());
liming6's avatar
init commit  
liming6 committed
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185 
        return Ok(false);
    }
}


#[test]
fn url_get() {
    let config = ureq::Agent::config_builder().timeout_global(Some(std::time::Duration::from_secs(1))).build();
    let agent:Agent = config.into();
    let res = agent.get("https://www.baidu.com").call();
    if res.is_err() {
        eprint!("{}", res.err().unwrap());
        return;
    } 
    let body=  res.unwrap().body_mut().read_to_string();
    print!("ok: {}", body.unwrap())
}

#[test]
fn totp() {
    let totp = TOTP::new(Algorithm::SHA1, 6, 1, 30, 
        Secret::Encoded("FRZPBN2FAZMJY7G2FKTBZVXNNU".to_string()).to_bytes().unwrap()).unwrap();
    let code = totp.generate_current().unwrap();
    println!("{}", code);
    if let Ok(b) = totp.check_current(&code) {
        if b {
            println!("check pass")
        } else {
            println!("check error")
        }
    } else {
        println!("check error")
    }
}

#[test]
fn test_query() {
liming6's avatar
fix 优化日志逻辑  
liming6 committed
186
187 
    let b = query_access("liming6",  "http://127.0.0.1:99/pam/auth/fai", "FRZPBN2FAZMJY7G2FKTBZVXNNU");
    DEBUG.store(true, SeqCst);
liming6's avatar
init commit  
liming6 committed
188
189 
    match b {
        Ok(o) => {println!("access: {}", o)},
liming6's avatar
fix 优化日志逻辑  
liming6 committed
190 
        Err(e) => {println!("err: {}",e); wirte_log(e.to_string().as_str());}
liming6's avatar
init commit  
liming6 committed
191
192
193
194
195
196
197
198
199
200
201
202
203 
    }
}

#[test]
fn test_get_ip() -> anyhow::Result<()>{
    let a = local_ip_address::list_afinet_netifas()?;
    for i in &a {
        if i.1.is_ipv4() && i.1.to_string() != "127.0.0.1" {
            println!("{}", i.1);
        }
    }
    Ok(())
}