third_party: Add pam_set_items.so from pam_wrapper

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

2 files changed, 276 insertions, 3 deletions

diff --git a/third_party/pam_wrapper/modules/pam_set_items.c b/third_party/pam_wrapper/modules/pam_set_items.c
new file mode 100644
index 00000000000..dd090209cdc
--- /dev/null
+++ b/third_party/pam_wrapper/modules/pam_set_items.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (c) 2015 Andreas Schneider <asn@samba.org>
+ * Copyright (c) 2015 Jakub Hrozek <jakub.hrozek@posteo.se>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#include "config.h"
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+#include <security/pam_modules.h>
+#endif
+
+#include "config.h"
+
+/* GCC have printf type attribute check. */
+#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT
+#define PRINTF_ATTRIBUTE(a,b) __attribute__ ((__format__ (__printf__, a, b)))
+#else
+#define PRINTF_ATTRIBUTE(a,b)
+#endif /* HAVE_FUNCTION_ATTRIBUTE_FORMAT */
+
+/*****************
+ * LOGGING
+ *****************/
+
+enum pwrap_dbglvl_e {
+	PWRAP_LOG_ERROR = 0,
+	PWRAP_LOG_WARN,
+	PWRAP_LOG_DEBUG,
+	PWRAP_LOG_TRACE
+};
+
+static void pwrap_log(enum pwrap_dbglvl_e dbglvl,
+		      const char *function,
+		      const char *format, ...) PRINTF_ATTRIBUTE(3, 4);
+# define PWRAP_LOG(dbglvl, ...) pwrap_log((dbglvl), __func__, __VA_ARGS__)
+
+static void pwrap_vlog(enum pwrap_dbglvl_e dbglvl,
+		       const char *function,
+		       const char *format,
+		       va_list args) PRINTF_ATTRIBUTE(3, 0);
+
+static void pwrap_vlog(enum pwrap_dbglvl_e dbglvl,
+		       const char *function,
+		       const char *format,
+		       va_list args)
+{
+	char buffer[1024];
+	const char *d;
+	unsigned int lvl = 0;
+	const char *prefix = "PWRAP";
+
+	d = getenv("PAM_WRAPPER_DEBUGLEVEL");
+	if (d != NULL) {
+		lvl = atoi(d);
+	}
+
+	if (lvl < dbglvl) {
+		return;
+	}
+
+	vsnprintf(buffer, sizeof(buffer), format, args);
+
+	switch (dbglvl) {
+	case PWRAP_LOG_ERROR:
+		prefix = "PWRAP_ERROR";
+		break;
+	case PWRAP_LOG_WARN:
+		prefix = "PWRAP_WARN";
+		break;
+	case PWRAP_LOG_DEBUG:
+		prefix = "PWRAP_DEBUG";
+		break;
+	case PWRAP_LOG_TRACE:
+		prefix = "PWRAP_TRACE";
+		break;
+	}
+
+	fprintf(stderr,
+		"%s(%d) - PAM_SET_ITEM %s: %s\n",
+		prefix,
+		(int)getpid(),
+		function,
+		buffer);
+}
+
+static void pwrap_log(enum pwrap_dbglvl_e dbglvl,
+		      const char *function,
+		      const char *format, ...)
+{
+	va_list va;
+
+	va_start(va, format);
+	pwrap_vlog(dbglvl, function, format, va);
+	va_end(va);
+}
+
+#define ITEM_FILE_KEY	"item_file="
+
+static const char *envs[] = {
+#ifndef HAVE_OPENPAM
+	"PAM_SERVICE",
+#endif
+	"PAM_USER",
+	"PAM_USER_PROMPT",
+	"PAM_TTY",
+	"PAM_RUSER",
+	"PAM_RHOST",
+	"PAM_AUTHTOK",
+	"PAM_OLDAUTHTOK",
+#ifdef PAM_XDISPLAY
+	"PAM_XDISPLAY",
+#endif
+#ifdef PAM_AUTHTOK_TYPE
+	"PAM_AUTHTOK_TYPE",
+#endif
+	NULL
+};
+
+static const int items[] = {
+#ifndef HAVE_OPENPAM
+	PAM_SERVICE,
+#endif
+	PAM_USER,
+	PAM_USER_PROMPT,
+	PAM_TTY,
+	PAM_RUSER,
+	PAM_RHOST,
+	PAM_AUTHTOK,
+	PAM_OLDAUTHTOK,
+#ifdef PAM_XDISPLAY
+	PAM_XDISPLAY,
+#endif
+#ifdef PAM_AUTHTOK_TYPE
+	PAM_AUTHTOK_TYPE,
+#endif
+};
+
+static void pam_setitem_env(pam_handle_t *pamh)
+{
+	int i;
+	int rv;
+	const char *v;
+
+	for (i = 0; envs[i] != NULL; i++) {
+		v = getenv(envs[i]);
+		if (v == NULL) {
+			continue;
+		}
+
+		PWRAP_LOG(PWRAP_LOG_TRACE, "%s=%s", envs[i], v);
+
+		rv = pam_set_item(pamh, items[i], v);
+		if (rv != PAM_SUCCESS) {
+			continue;
+		}
+	}
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+		    int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "AUTHENTICATE");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+	       int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "SETCRED");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
+		 int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "ACCT_MGMT");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+		    int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "OPEN_SESSION");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+		     int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "CLOSE_SESSION");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+		 int argc, const char *argv[])
+{
+	(void) flags;	/* unused */
+	(void) argc;	/* unused */
+	(void) argv;	/* unused */
+
+	PWRAP_LOG(PWRAP_LOG_TRACE, "CHAUTHTOK");
+
+	pam_setitem_env(pamh);
+	return PAM_SUCCESS;
+}
diff --git a/third_party/pam_wrapper/wscript b/third_party/pam_wrapper/wscript
index f9ad73703de..b94e275013e 100644
--- a/third_party/pam_wrapper/wscript
+++ b/third_party/pam_wrapper/wscript
@@ -7,15 +7,18 @@ VERSION="1.0.7"
 def find_library(library_names, lookup_paths):
     for directory in lookup_paths:
         for filename in library_names:
-            libpam_path = os.path.join(directory, filename)
-            if os.path.exists(libpam_path):
-                return libpam_path
+            so_path = os.path.join(directory, filename)
+            if os.path.exists(so_path):
+                return so_path
     return ''
 
 def configure(conf):
     if conf.CHECK_PAM_WRAPPER():
         conf.DEFINE('USING_SYSTEM_PAM_WRAPPER', 1)
         libpam_wrapper_so_path = 'libpam_wrapper.so'
+
+        pam_set_items_so_path = find_library(['pam_set_items.so'],
+                                             ['/usr/lib64/pam_wrapper', '/usr/lib/pam_wrapper'])
     else:
 
         if conf.CONFIG_SET("HAVE___THREAD"):
@@ -70,8 +73,10 @@ def configure(conf):
         # Create full path to pam_wrapper
         blddir = os.path.realpath(conf.bldnode.abspath())
         libpam_wrapper_so_path = blddir + '/default/third_party/pam_wrapper/libpam-wrapper.so'
+        pam_set_items_so_path = blddir + '/default/third_party/pam_wrapper/libpam-set-items.so'
 
     conf.DEFINE('LIBPAM_WRAPPER_SO_PATH', libpam_wrapper_so_path)
+    conf.DEFINE('PAM_SET_ITEMS_SO_PATH', pam_set_items_so_path)
     conf.DEFINE('PAM_WRAPPER', 1)
 
 def build(bld):
@@ -89,6 +94,12 @@ def build(bld):
                             source='libpamtest.c',
                             deps='dl pam')
 
+        bld.SAMBA_LIBRARY('pam_set_items',
+                          source='modules/pam_set_items.c',
+                          deps='pam',
+                          install=False,
+                          realname='pam_set_items.so')
+
         # Can be used to write pam tests in python
         for env in bld.gen_python_environments():
             bld.SAMBA_PYTHON('pypamtest',