Skip to content

Commit

Permalink
Merge pull request #43 from ltratt/https_config
Browse files Browse the repository at this point in the history 
Allow HTTP and HTTP servers to be turned off
  • Loading branch information
@ltratt
ltratt authored Oct 19, 2024
2 parents e19948f + 516e69f commit 1b2ad81
Show file tree
Hide file tree
Showing 11 changed files with 265 additions and 51 deletions.
1 change: 1 addition & 0 deletions Cargo.lock
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ chacha20poly1305 = "0.10"
chrono = "0.4"
getopts = "0.2"
getrandom = "0.2"
hostname = "0.4"
log = "0.4"
lrlex = "0.13"
lrpar = "0.13"
Expand Down
16 changes: 15 additions & 1 deletion pizauth.conf.5
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,10 +36,24 @@ is set to the error message.
Defaults to logging via
.Xr syslog 3
if not specified.
.It Sy http_listen = Qo Em bind-name Qc ;
.It Sy http_listen = Em none | Qo Em bind-name Qc ;
specifies the address for the
.Xr pizauth 1
HTTP server to listen on.
If
.Em none
is specified, the HTTP server is turned off entirely.
Note that at least one of the HTTP and HTTPS servers must be turned on.
Defaults to
.Qq 127.0.0.1:0 .
.It Sy https_listen = Em none | Qo Em bind-name Qc ;
specifies the address for the
.Xr pizauth 1
HTTPS server to listen on.
If
.Em none
is specified, the HTTPS server is turned off entirely.
Note that at least one of the HTTP and HTTPS servers must be turned on.
Defaults to
.Qq 127.0.0.1:0 .
.It Sy transient_error_if_cmd = Qo Em shell-cmd Qc ;
Expand Down
3 changes: 2 additions & 1 deletion src/config.l
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,14 +22,15 @@ error_notify_cmd "ERROR_NOTIFY_CMD"
http_listen "HTTP_LISTEN"
https_listen "HTTPS_LISTEN"
login_hint "LOGIN_HINT"
transient_error_if_cmd "TRANSIENT_ERROR_IF_CMD"
none "NONE"
refresh_retry "REFRESH_RETRY"
redirect_uri "REDIRECT_URI"
refresh_before_expiry "REFRESH_BEFORE_EXPIRY"
refresh_at_least "REFRESH_AT_LEAST"
scopes "SCOPES"
token_event_cmd "TOKEN_EVENT_CMD"
token_uri "TOKEN_URI"
transient_error_if_cmd "TRANSIENT_ERROR_IF_CMD"
//.*?$ ;
[ \t\n\r]+ ;
. "UNMATCHED"
207 changes: 185 additions & 22 deletions src/config.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ const REFRESH_RETRY_DEFAULT: Duration = Duration::from_secs(40);
const AUTH_NOTIFY_INTERVAL_DEFAULT: u64 = 15 * 60;
/// What is the default bind() address for the HTTP server?
const HTTP_LISTEN_DEFAULT: &str = "127.0.0.1:0";
/// What is the default bind() address for the HTTPS server?
const HTTPS_LISTEN_DEFAULT: &str = "127.0.0.1:0";

#[derive(Debug)]
Expand All @@ -34,8 +35,8 @@ pub struct Config {
pub auth_notify_cmd: Option<String>,
pub auth_notify_interval: Duration,
pub error_notify_cmd: Option<String>,
pub http_listen: String,
pub https_listen: String,
pub http_listen: Option<String>,
pub https_listen: Option<String>,
pub transient_error_if_cmd: Option<String>,
refresh_at_least: Option<Duration>,
refresh_before_expiry: Option<Duration>,
Expand Down Expand Up @@ -126,20 +127,28 @@ impl Config {
)?)
}
config_ast::TopLevel::HttpListen(span) => {
http_listen = Some(check_not_assigned_str(
http_listen = Some(Some(check_not_assigned_str(
&lexer,
"http_listen",
span,
http_listen,
)?)
)?))
}
config_ast::TopLevel::HttpListenNone(span) => {
check_not_assigned(&lexer, "http_listen", span, http_listen)?;
http_listen = Some(None)
}
config_ast::TopLevel::HttpsListen(span) => {
https_listen = Some(check_not_assigned_str(
https_listen = Some(Some(check_not_assigned_str(
&lexer,
"https_listen",
span,
https_listen,
)?)
)?))
}
config_ast::TopLevel::HttpsListenNone(span) => {
check_not_assigned(&lexer, "https_listen", span, https_listen)?;
https_listen = Some(None)
}
config_ast::TopLevel::TransientErrorIfCmd(span) => {
transient_error_if_cmd = Some(check_not_assigned_str(
Expand Down Expand Up @@ -188,18 +197,40 @@ impl Config {
_ => unreachable!(),
}

if let (&Some(None), &Some(None)) = (&http_listen, &https_listen) {
return Err("Cannot set both http_listen and https_listen to 'none'".into());
}

if accounts.is_empty() {
return Err("Must specify at least one account".into());
}

for (act_name, act) in &accounts {
if act.redirect_uri.starts_with("https") {
match https_listen {
Some(Some(_)) | None => (),
Some(None) => {
return Err(format!("Account {act_name} has an 'https' redirect but the HTTPS server is set to 'none'"));
}
}
} else if act.redirect_uri.starts_with("http") {
match http_listen {
Some(Some(_)) | None => (),
Some(None) => {
return Err(format!("Account {act_name} has an 'http' redirect but the HTTP server is set to 'none'"));
}
}
}
}

Ok(Config {
accounts,
auth_notify_cmd,
auth_notify_interval: auth_notify_interval
.unwrap_or_else(|| Duration::from_secs(AUTH_NOTIFY_INTERVAL_DEFAULT)),
error_notify_cmd,
http_listen: http_listen.unwrap_or_else(|| HTTP_LISTEN_DEFAULT.to_owned()),
https_listen: https_listen.unwrap_or_else(|| HTTPS_LISTEN_DEFAULT.to_owned()),
http_listen: http_listen.unwrap_or_else(|| Some(HTTP_LISTEN_DEFAULT.to_owned())),
https_listen: https_listen.unwrap_or_else(|| Some(HTTPS_LISTEN_DEFAULT.to_owned())),
transient_error_if_cmd,
refresh_at_least,
refresh_before_expiry,
Expand All @@ -209,6 +240,22 @@ impl Config {
}
}

fn check_not_assigned<T>(
lexer: &LRNonStreamingLexer<DefaultLexerTypes<StorageT>>,
name: &str,
span: Span,
v: Option<T>,
) -> Result<(), String> {
match v {
None => Ok(()),
Some(_) => Err(error_at_span(
lexer,
span,
&format!("Mustn't specify '{name:}' more than once"),
)),
}
}

fn check_not_assigned_str<T>(
lexer: &LRNonStreamingLexer<DefaultLexerTypes<StorageT>>,
name: &str,
Expand Down Expand Up @@ -251,7 +298,13 @@ fn check_not_assigned_uri<T>(
None => {
let s = unescape_str(lexer.span_str(span));
match Url::parse(&s) {
Ok(_) => Ok(s),
Ok(x) => {
if x.scheme() == "http" || x.scheme() == "https" {
Ok(s)
} else {
Err(error_at_span(lexer, span, "not a valid HTTP or HTTPS URI"))
}
}
Err(e) => Err(error_at_span(lexer, span, &format!("Invalid URI: {e:}"))),
}
}
Expand Down Expand Up @@ -368,12 +421,8 @@ impl Account {
)?)
}
config_ast::AccountField::RedirectUri(span) => {
redirect_uri = Some(check_not_assigned_uri(
lexer,
"redirect_uri",
span,
redirect_uri,
)?)
let uri = check_not_assigned_uri(lexer, "redirect_uri", span, redirect_uri)?;
redirect_uri = Some(uri)
}
config_ast::AccountField::RefreshAtLeast(span) => {
refresh_at_least = Some(time_str_to_duration(check_not_assigned_time(
Expand Down Expand Up @@ -495,13 +544,18 @@ impl Account {
&& self.token_uri == act_dump.token_uri
}

pub fn redirect_uri(&self, http_port: u16, https_port: u16) -> Result<Url, Box<dyn Error>> {
pub fn redirect_uri(
&self,
http_port: Option<u16>,
https_port: Option<u16>,
) -> Result<Url, Box<dyn Error>> {
assert!(http_port.is_some() || https_port.is_some());
let mut url = Url::parse(&self.redirect_uri)?;
if self.redirect_uri.to_lowercase().starts_with("https") {
url.set_port(Some(https_port))
if https_port.is_some() && self.redirect_uri.to_lowercase().starts_with("https") {
url.set_port(https_port)
.map_err(|_| "Cannot set https port")?;
} else {
url.set_port(Some(http_port))
url.set_port(http_port)
.map_err(|_| "Cannot set http port")?;
}
Ok(url)
Expand Down Expand Up @@ -690,7 +744,7 @@ mod test {
assert_eq!(c.error_notify_cmd, Some("j".to_owned()));
assert_eq!(c.auth_notify_cmd, Some("g".to_owned()));
assert_eq!(c.auth_notify_interval, Duration::from_secs(88 * 60));
assert_eq!(c.http_listen, "127.0.0.1:56789".to_owned());
assert_eq!(c.http_listen, Some("127.0.0.1:56789".to_owned()));
assert_eq!(c.transient_error_if_cmd, Some("k".to_owned()));
assert_eq!(c.token_event_cmd, Some("q".to_owned()));

Expand Down Expand Up @@ -756,6 +810,18 @@ mod test {
Err(s) if s.contains("Mustn't specify 'http_listen' more than once") => (),
_ => panic!(),
}
match Config::from_str(r#"http_listen = none; http_listen = "a";"#) {
Err(s) if s.contains("Mustn't specify 'http_listen' more than once") => (),
_ => panic!(),
}
match Config::from_str(r#"https_listen = "a"; https_listen = "b";"#) {
Err(s) if s.contains("Mustn't specify 'https_listen' more than once") => (),
_ => panic!(),
}
match Config::from_str(r#"https_listen = none; https_listen = "a";"#) {
Err(s) if s.contains("Mustn't specify 'https_listen' more than once") => (),
_ => panic!(),
}

fn account_dup(field: &str, values: &[&str]) {
let c = format!(
Expand Down Expand Up @@ -788,6 +854,103 @@ mod test {
account_dup("token_uri", &[r#""http://a.com/""#, r#""http://b.com/""#]);
}

#[test]
fn one_of_http_or_https() {
match Config::from_str(
r#"
http_listen = none;
https_listen = none;
account "x" {
auth_uri = "http://a.com";
client_id = "b";
token_uri = "http://f.com";
}
"#,
) {
Err(e) if e.contains("Cannot set both http_listen and https_listen to 'none'") => (),
Err(e) => panic!("{e:?}"),
_ => panic!(),
}
}

#[test]
fn http_or_https_redirect_uris_only() {
match Config::from_str(
r#"
account "x" {
auth_uri = "http://a.com";
client_id = "b";
redirect_uri = "httpx://";
token_uri = "http://f.com";
}
"#,
) {
Err(e) if e.contains("not a valid HTTP or HTTPS URI") => (),
Err(e) => panic!("{e:?}"),
_ => panic!(),
}

match Config::from_str(
r#"
account "x" {
auth_uri = "http://a.com";
client_id = "b";
redirect_uri = "ftp://blah/";
token_uri = "http://f.com";
}
"#,
) {
Err(e) if e.contains("not a valid HTTP or HTTPS URI") => (),
Err(e) => panic!("{e:?}"),
_ => panic!(),
}
}

#[test]
fn correct_listen_for_account() {
match Config::from_str(
r#"
http_listen = none;
account "x" {
auth_uri = "http://a.com";
client_id = "b";
token_uri = "http://f.com";
}
"#,
) {
Err(e)
if e.contains(
"Account x has an 'http' redirect but the HTTP server is set to 'none'",
) =>
{
()
}
Err(e) => panic!("{e:?}"),
_ => panic!(),
}
match Config::from_str(
r#"
https_listen = none;
account "x" {
auth_uri = "http://a.com";
client_id = "b";
redirect_uri = "https://c.com";
token_uri = "http://f.com";
}
"#,
) {
Err(e)
if e.contains(
"Account x has an 'https' redirect but the HTTPS server is set to 'none'",
) =>
{
()
}
Err(e) => panic!("{e:?}"),
_ => panic!(),
}
}

#[test]
fn invalid_uris() {
fn invalid_uri(field: &str) {
Expand Down Expand Up @@ -822,10 +985,10 @@ mod test {
"#,
)
.unwrap();
assert_eq!(c.https_listen, "127.0.0.1:56789".to_owned());
assert_eq!(c.https_listen, Some("127.0.0.1:56789".to_owned()));
let act = &c.accounts["x"];
assert_eq!(act.redirect_uri, "https://e.com");
let uri = act.redirect_uri(0, 56789).unwrap();
let uri = act.redirect_uri(Some(0), Some(56789)).unwrap();
assert_eq!(uri.scheme(), "https");
assert_eq!(uri.port(), Some(56789));
assert_eq!(uri.host_str(), Some("e.com"));
Expand Down
2 changes: 2 additions & 0 deletions src/config.y
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,9 @@ TopLevel -> Result<TopLevel, ()>:
| "AUTH_NOTIFY_CMD" "=" "STRING" ";" { Ok(TopLevel::AuthNotifyCmd(map_err($3)?)) }
| "AUTH_NOTIFY_INTERVAL" "=" "TIME" ";" { Ok(TopLevel::AuthNotifyInterval(map_err($3)?)) }
| "ERROR_NOTIFY_CMD" "=" "STRING" ";" { Ok(TopLevel::ErrorNotifyCmd(map_err($3)?)) }
| "HTTP_LISTEN" "=" "NONE" ";" { Ok(TopLevel::HttpListenNone(map_err($3)?)) }
| "HTTP_LISTEN" "=" "STRING" ";" { Ok(TopLevel::HttpListen(map_err($3)?)) }
| "HTTPS_LISTEN" "=" "NONE" ";" { Ok(TopLevel::HttpsListenNone(map_err($3)?)) }
| "HTTPS_LISTEN" "=" "STRING" ";" { Ok(TopLevel::HttpsListen(map_err($3)?)) }
| "TRANSIENT_ERROR_IF_CMD" "=" "STRING" ";" { Ok(TopLevel::TransientErrorIfCmd(map_err($3)?)) }
| "REFRESH_AT_LEAST" "=" "TIME" ";" { Ok(TopLevel::RefreshAtLeast(map_err($3)?)) }
Expand Down
2 changes: 2 additions & 0 deletions src/config_ast.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,9 @@ pub enum TopLevel {
AuthNotifyInterval(Span),
ErrorNotifyCmd(Span),
HttpListen(Span),
HttpListenNone(Span),
HttpsListen(Span),
HttpsListenNone(Span),
TransientErrorIfCmd(Span),
RefreshAtLeast(Span),
RefreshBeforeExpiry(Span),
Expand Down
Loading

0 comments on commit 1b2ad81

Please sign in to comment.