1 /*
2  * Copyright (c) 2022 Stefan Sperling <stsp@openbsd.org>
3  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <sys/types.h>
19 #include <sys/socket.h>
20 #include <sys/queue.h>
21 #include <sys/uio.h>
22 
23 #include <errno.h>
24 #include <event.h>
25 #include <limits.h>
26 #include <pwd.h>
27 #include <grp.h>
28 #include <sha1.h>
29 #include <sha2.h>
30 #include <signal.h>
31 #include <stdint.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <imsg.h>
36 #include <unistd.h>
37 
38 #include "got_error.h"
39 #include "got_path.h"
40 
41 #include "gotd.h"
42 #include "log.h"
43 #include "auth.h"
44 
45 static struct gotd_auth {
46 	pid_t pid;
47 	const char *title;
48 	struct gotd_repo *repo;
49 } gotd_auth;
50 
51 static void auth_shutdown(void);
52 
53 static void
54 auth_sighdlr(int sig, short event, void *arg)
55 {
56 	/*
57 	 * Normal signal handler rules don't apply because libevent
58 	 * decouples for us.
59 	 */
60 
61 	switch (sig) {
62 	case SIGHUP:
63 		break;
64 	case SIGUSR1:
65 		break;
66 	case SIGTERM:
67 	case SIGINT:
68 		auth_shutdown();
69 		/* NOTREACHED */
70 		break;
71 	default:
72 		fatalx("unexpected signal");
73 	}
74 }
75 
76 static int
77 uidcheck(const char *s, uid_t desired)
78 {
79 	uid_t uid;
80 
81 	if (gotd_parseuid(s, &uid) != 0)
82 		return -1;
83 	if (uid != desired)
84 		return -1;
85 	return 0;
86 }
87 
88 static int
89 parsegid(const char *s, gid_t *gid)
90 {
91 	struct group *gr;
92 	const char *errstr;
93 
94 	if ((gr = getgrnam(s)) != NULL) {
95 		*gid = gr->gr_gid;
96 		if (*gid == GID_MAX)
97 			return -1;
98 		return 0;
99 	}
100 	*gid = strtonum(s, 0, GID_MAX - 1, &errstr);
101 	if (errstr)
102 		return -1;
103 	return 0;
104 }
105 
106 static int
107 match_identifier(const char *identifier, gid_t *groups, int ngroups,
108     uid_t euid, gid_t egid)
109 {
110 	int i;
111 
112 	if (identifier[0] == ':') {
113 		gid_t rgid;
114 		if (parsegid(identifier + 1, &rgid) == -1)
115 			return 0;
116 		if (rgid == egid)
117 			return 1;
118 		for (i = 0; i < ngroups; i++) {
119 			if (rgid == groups[i])
120 				break;
121 		}
122 		if (i == ngroups)
123 			return 0;
124 	} else if (uidcheck(identifier, euid) != 0)
125 		return 0;
126 
127 	return 1;
128 }
129 
130 static const struct got_error *
131 auth_check(char **username, struct gotd_access_rule_list *rules,
132     const char *repo_name, uid_t euid, gid_t egid, int required_auth)
133 {
134 	struct gotd_access_rule *rule;
135 	enum gotd_access access = GOTD_ACCESS_DENIED;
136 	struct passwd *pw;
137 	gid_t groups[NGROUPS_MAX];
138 	int ngroups = NGROUPS_MAX;
139 
140 	*username = NULL;
141 
142 	pw = getpwuid(euid);
143 	if (pw == NULL) {
144 		if (errno)
145 			return got_error_from_errno("getpwuid");
146 		else
147 			return got_error_set_errno(EACCES, repo_name);
148 	}
149 
150 	*username = strdup(pw->pw_name);
151 	if (*username == NULL)
152 		return got_error_from_errno("strdup");
153 
154 	if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1)
155 		log_warnx("group membership list truncated");
156 
157 	STAILQ_FOREACH(rule, rules, entry) {
158 		if (!match_identifier(rule->identifier, groups, ngroups,
159 		    euid, egid))
160 			continue;
161 
162 		access = rule->access;
163 		if (rule->access == GOTD_ACCESS_PERMITTED &&
164 		    (rule->authorization & required_auth) != required_auth)
165 			access = GOTD_ACCESS_DENIED;
166 	}
167 
168 	if (access == GOTD_ACCESS_DENIED)
169 		return got_error_set_errno(EACCES, repo_name);
170 
171 	if (access == GOTD_ACCESS_PERMITTED)
172 		return NULL;
173 
174 	/* should not happen, this would be a bug */
175 	return got_error_msg(GOT_ERR_NOT_IMPL, "bad access rule");
176 }
177 
178 static const struct got_error *
179 recv_authreq(struct imsg *imsg, struct gotd_imsgev *iev)
180 {
181 	const struct got_error *err;
182 	struct imsgbuf *ibuf = &iev->ibuf;
183 	struct gotd_imsg_auth iauth;
184 	size_t datalen;
185 	uid_t euid;
186 	gid_t egid;
187 	char *username = NULL;
188 	size_t len;
189 	const size_t maxlen = MAX_IMSGSIZE - IMSG_HEADER_SIZE;
190 	int fd = -1;
191 
192 	log_debug("authentication request received");
193 
194 	datalen = imsg->hdr.len - IMSG_HEADER_SIZE;
195 	if (datalen != sizeof(iauth))
196 		return got_error(GOT_ERR_PRIVSEP_LEN);
197 
198 	memcpy(&iauth, imsg->data, datalen);
199 
200 	fd = imsg_get_fd(imsg);
201 	if (fd == -1)
202 		return got_error(GOT_ERR_PRIVSEP_NO_FD);
203 
204 	if (getpeereid(fd, &euid, &egid) == -1)
205 		return got_error_from_errno("getpeerid");
206 
207 	if (iauth.euid != euid)
208 		return got_error(GOT_ERR_UID);
209 	if (iauth.egid != egid)
210 		return got_error(GOT_ERR_GID);
211 
212 	log_debug("authenticating uid %d gid %d", euid, egid);
213 
214 	err = auth_check(&username, &gotd_auth.repo->rules,
215 	    gotd_auth.repo->name, iauth.euid, iauth.egid, iauth.required_auth);
216 	if (err) {
217 		gotd_imsg_send_error(ibuf, PROC_AUTH, iauth.client_id, err);
218 		goto done;
219 	}
220 
221 	len = strlen(username);
222 	if (len > maxlen)
223 		len = maxlen;
224 
225 	if (gotd_imsg_compose_event(iev, GOTD_IMSG_ACCESS_GRANTED,
226 	    PROC_AUTH, -1, username, len) == -1)
227 		err = got_error_from_errno("imsg compose ACCESS_GRANTED");
228 done:
229 	free(username);
230 	return err;
231 }
232 
233 static void
234 auth_dispatch(int fd, short event, void *arg)
235 {
236 	const struct got_error *err = NULL;
237 	struct gotd_imsgev *iev = arg;
238 	struct imsgbuf *ibuf = &iev->ibuf;
239 	struct imsg imsg;
240 	ssize_t n;
241 	int shut = 0;
242 
243 	if (event & EV_READ) {
244 		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
245 			fatal("imsg_read error");
246 		if (n == 0)	/* Connection closed. */
247 			shut = 1;
248 	}
249 
250 	if (event & EV_WRITE) {
251 		n = msgbuf_write(&ibuf->w);
252 		if (n == -1 && errno != EAGAIN)
253 			fatal("msgbuf_write");
254 		if (n == 0)	/* Connection closed. */
255 			shut = 1;
256 	}
257 
258 	for (;;) {
259 		if ((n = imsg_get(ibuf, &imsg)) == -1)
260 			fatal("%s: imsg_get", __func__);
261 		if (n == 0)	/* No more messages. */
262 			break;
263 
264 		switch (imsg.hdr.type) {
265 		case GOTD_IMSG_AUTHENTICATE:
266 			err = recv_authreq(&imsg, iev);
267 			if (err)
268 				log_warnx("%s", err->msg);
269 			break;
270 		default:
271 			log_debug("unexpected imsg %d", imsg.hdr.type);
272 			break;
273 		}
274 
275 		imsg_free(&imsg);
276 	}
277 
278 	if (!shut) {
279 		gotd_imsg_event_add(iev);
280 	} else {
281 		/* This pipe is dead. Remove its event handler */
282 		event_del(&iev->ev);
283 		event_loopexit(NULL);
284 	}
285 }
286 
287 void
288 auth_main(const char *title, struct gotd_repolist *repos,
289     const char *repo_path)
290 {
291 	struct gotd_repo *repo = NULL;
292 	struct gotd_imsgev iev;
293 	struct event evsigint, evsigterm, evsighup, evsigusr1;
294 
295 	gotd_auth.title = title;
296 	gotd_auth.pid = getpid();
297 	TAILQ_FOREACH(repo, repos, entry) {
298 		if (got_path_cmp(repo->path, repo_path,
299 		    strlen(repo->path), strlen(repo_path)) == 0)
300 			break;
301 	}
302 	if (repo == NULL)
303 		fatalx("repository %s not found in config", repo_path);
304 	gotd_auth.repo = repo;
305 
306 	signal_set(&evsigint, SIGINT, auth_sighdlr, NULL);
307 	signal_set(&evsigterm, SIGTERM, auth_sighdlr, NULL);
308 	signal_set(&evsighup, SIGHUP, auth_sighdlr, NULL);
309 	signal_set(&evsigusr1, SIGUSR1, auth_sighdlr, NULL);
310 	signal(SIGPIPE, SIG_IGN);
311 
312 	signal_add(&evsigint, NULL);
313 	signal_add(&evsigterm, NULL);
314 	signal_add(&evsighup, NULL);
315 	signal_add(&evsigusr1, NULL);
316 
317 	imsg_init(&iev.ibuf, GOTD_FILENO_MSG_PIPE);
318 	iev.handler = auth_dispatch;
319 	iev.events = EV_READ;
320 	iev.handler_arg = NULL;
321 	event_set(&iev.ev, iev.ibuf.fd, EV_READ, auth_dispatch, &iev);
322 	if (event_add(&iev.ev, NULL) == -1)
323 		fatalx("event add");
324 
325 	event_dispatch();
326 
327 	auth_shutdown();
328 }
329 
330 static void
331 auth_shutdown(void)
332 {
333 	log_debug("%s: shutting down", gotd_auth.title);
334 	exit(0);
335 }