Coverage for /home/antoine/projects/xpra-git/dist/python3/lib64/python/xpra/server/auth/peercred_auth.py : 55%
1# This file is part of Xpra.
2# Copyright (C) 2017-2020 Antoine Martin <antoine@xpra.org>
3# Xpra is released under the terms of the GNU GPL v2, or, at your option, any
4# later version. See the file COPYING for details.
6import os
8from xpra.server.auth.sys_auth_base import SysAuthenticator, log
9from xpra.os_util import get_peercred, get_group_id, osexpand, POSIX
10from xpra.util import csv, typedict
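class Authenticator(SysAuthenticator):
    """Authenticate a client from the credentials of its socket peer.

    The decision is taken once, in the constructor: the peer credentials
    returned by ``get_peercred()`` for the connection's socket are compared
    with the optional ``uid`` and ``gid`` allow-lists. ``authenticate()`` then
    only reports that stored result, and no challenge is sent to the client.

    Security notes:
    * every failure path (unsupported platform, no socket connection,
      credentials unavailable, unexpected error) leaves ``peercred_check``
      False, so the module fails closed;
    * when neither ``uid`` nor ``gid`` is configured (or both are empty),
      there is no allow-list and any peer whose credentials can be read is
      accepted.
    """

    def __init__(self, username, **kwargs):
        """Evaluate the peer credentials of ``kwargs["connection"]``.

        Keyword options consumed here (removed from ``kwargs``):
            uid: comma separated numeric uids and / or user names.
            gid: comma separated numeric gids and / or group names.
        The ``connection`` entry is read but left in ``kwargs``.
        """
        log("peercred.Authenticator(%s, %s)", username, kwargs)
        # Deny by default, and do it before any early return: otherwise
        # authenticate(), get_uid() and get_gid() would raise AttributeError
        # on platforms without peercred support instead of denying access.
        self.uid = -1
        self.gid = -1
        self.peercred_check = False
        if not POSIX:
            log.warn("Warning: peercred authentication is not supported on %s", os.name)
            # NOTE(review): this return (like the one taken below when the
            # peer credentials are unavailable) skips SysAuthenticator.__init__;
            # kept as in the original - confirm callers cope with that.
            return
        connection = kwargs.get("connection", None)
        uids = kwargs.pop("uid", None)
        gids = kwargs.pop("gid", None)
        # None means "no restriction", a list (even an empty one) is enforced:
        allow_uids = None
        allow_gids = None
        if uids:
            allow_uids = []
            for x in uids.split(","):
                x = osexpand(x.strip())
                try:
                    allow_uids.append(int(x))
                except ValueError:
                    # not numeric: resolve it as a user name
                    # (pwd is imported lazily, only on this path)
                    import pwd
                    try:
                        pw = pwd.getpwnam(x)
                        # fix: the original appended to `uids`, the raw option
                        # string, which raised an uncaught AttributeError as
                        # soon as a user name was configured
                        allow_uids.append(pw.pw_uid)
                    except KeyError:
                        # unknown names add nothing to the list, so they can
                        # only narrow access, never widen it
                        log.warn("Warning: unknown username '%s'", x)
            log("peercred: allow_uids(%s)=%s", uids, allow_uids)
        if gids:
            allow_gids = []
            for x in gids.split(","):
                x = osexpand(x.strip())
                try:
                    allow_gids.append(int(x))
                except ValueError:
                    # not numeric: resolve it as a group name
                    gid = get_group_id(x)
                    if gid >= 0:
                        allow_gids.append(gid)
                    else:
                        log.warn("Warning: unknown group '%s'", x)
            log("peercred: allow_gids(%s)=%s", gids, allow_gids)
        try:
            from xpra.net.bytestreams import SocketConnection
            if connection and isinstance(connection, SocketConnection):
                # relies on the private `_socket` attribute of SocketConnection
                sock = connection._socket
                peercred = get_peercred(sock)
                log("get_peercred(%s)=%s", sock, peercred)
                if not peercred:
                    log.warn("Warning: failed to get peer credentials on %s", sock)
                    return
                _, uid, gid = peercred
                # When both lists are configured, both must match.
                # NOTE(review): only the single gid from the peercred tuple is
                # compared; supplementary groups of the peer are presumably
                # not consulted - confirm against get_peercred().
                if allow_uids is not None and uid not in allow_uids:
                    log.warn("Warning: peercred access denied,")
                    log.warn(" uid %i is not in the whitelist: %s", uid, csv(allow_uids))
                elif allow_gids is not None and gid not in allow_gids:
                    log.warn("Warning: peercred access denied,")
                    log.warn(" gid %i is not in the whitelist: %s", gid, csv(allow_gids))
                else:
                    self.peercred_check = True
                    self.uid = uid
                    self.gid = gid
            else:
                log("peercred: invalid connection '%s' (not a socket connection)", connection)
        except Exception as e:
            # any unexpected failure leaves peercred_check False (access denied)
            log.error("Error: cannot get peer uid")
            log.error(" %s", e)
        super().__init__(username, **kwargs)

    def get_uid(self):
        """Return the peer's uid, or -1 if the peercred check did not pass."""
        return self.uid

    def get_gid(self):
        """Return the peer's gid, or -1 if the peercred check did not pass."""
        return self.gid

    def requires_challenge(self):
        """No challenge is needed: the result was decided in the constructor."""
        return False

    def authenticate(self, caps : typedict) -> bool: #pylint: disable=arguments-differ
        """Return the outcome of the constructor's check; ``caps`` is unused."""
        return self.peercred_check

    def __repr__(self):
        return "peercred"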