User-List Control for PAM Authentication (#326)

* user list for pam auth * docs * name & type * raise exception
mar10 · Sep 24, 2024 · d3b1b64 · d3b1b64
1 parent f058d05
commit d3b1b64
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/docs/source/user_guide_configure.rst b/docs/source/user_guide_configure.rst
@@ -416,6 +416,11 @@ known user accounts::
 
     pam_dc:
         service: "login"
+        allow_users: "all"
+        #: or "current" for the current user, or a list of user names like deny_users
+        # deny_users:
+        #   - "root"
+        #   - "daemon"
 
 If no config file is used, PAM authentication can be enabled on the command
 line like::

diff --git a/wsgidav/dc/pam_dc.py b/wsgidav/dc/pam_dc.py
@@ -8,6 +8,7 @@
 
 See https://wsgidav.readthedocs.io/en/latest/user_guide_configure.html
 """
+import os
 import threading
 
 from wsgidav import util
@@ -37,6 +38,16 @@ def __init__(self, wsgidav_app, config):
         self.pam_service = dc_conf.get("service", "login")
         self.pam_encoding = dc_conf.get("encoding", "utf-8")
         self.pam_resetcreds = dc_conf.get("resetcreds", True)
+        self.allow_users = dc_conf.get("allow_users", "all")
+        if not (self.allow_users in ("all", "current") or isinstance(self.allow_users, list)):
+            raise ValueError(
+                f"Invalid 'allow_users' value: {self.allow_users!r}, expected 'all', 'current' or list of allowed users."
+            )
+        self.deny_users = dc_conf.get("deny_users", [])
+        if not isinstance(self.deny_users, list):
+            raise ValueError(
+                f"Invalid 'deny_users' value: {self.deny_users!r}, expected list of denied users."
+            )
 
     def __str__(self):
         return f"{self.__class__.__name__}({self.pam_service!r})"
@@ -47,8 +58,23 @@ def get_domain_realm(self, path_info, environ):
     def require_authentication(self, realm, environ):
         return True
 
+    def _validate_user(self, user_name):
+        if user_name in self.deny_users:
+            return False
+        if self.allow_users == "all":
+            return True
+        if self.allow_users == "current":
+            if user_name == os.getlogin():
+                return True
+        if user_name in self.allow_users:
+            return True
+        return False
+
     def basic_auth_user(self, realm, user_name, password, environ):
         # Seems that python_pam is not threadsafe (#265)
+        if not self._validate_user(user_name):
+            _logger.warning(f"User {user_name!r} is not allowed.")
+            return False
         with self.lock:
             is_ok = self.pam.authenticate(
                 user_name,