scottk/sysadm
1
0
Fork 0
mirror of https://github.com/outbackdingo/sysadm.git synced 2026-03-21 06:44:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
cb64b84ed032efc02ad5e2e5d041a3a6ed5ec26c
sysadm/src/server/AuthorizationManager.h
Ken Moore 06edd43945 Add API call for list/register/revoke SSL Certificate management (auth system: alternate for the user/password combo). I don't have a way to test this just yet (still need to write the other side of the system in the client first), but here is the expected inputs: 
Namespace: "sysadm"
Name: "settings"
Arguments structure needs the "action" variable/value for all calls:

Action: "list_ssl_certs"
 - No additional input needed: will list the known/registered certificates organized by <username> : { <public_key> : <certificate as text> }

Action: "register_ssl_cert"
Example Payload: {"action" : "register_ssl_cert", "pub_key" : <public_key> }
The <public_key> string needs to match the public key of one of the certificates currently loaded into the server/client connection. This will register that certificate on the server and allow that user to authenticate without a password as long as that same certificate is loaded up in any future connections. No special outputs are send back (just overall error/ok status).

Action: "revoke_ssl_cert"
Example Payload: {"action" : "revoke_ssl_cert", "pub_key" : <public_key>, "user" : <optional-username> }
The <public_key> string needs to match one of the keys given by the list function (does not need to match any currently-loaded certs). The "user" field is optional, and allows a connection with full admin privileges to revoke certs belonging to other users.

Note about current user/connection permissions level:
If the current user has full admin access, the "list_ssl_certs" API call will return the registered certificates for all users on the system - otherwise it will only return the certificates for the current user. Similarly, the "revoke_ssl_cert" may be used to remove certs registered to other users only if the current user/connection has full admin access - otherwise it may only be used to manage the current user's certificates.
2016-02-10 13:26:46 -05:00

62 lines
2.2 KiB
C++
Raw Blame History

// ===============================
// PC-BSD REST/JSON API Server
// Available under the 3-clause BSD License
// Written by: Ken Moore <ken@pcbsd.org> July 2015
// =================================
#ifndef _PCBSD_REST_AUTHORIZATION_MANAGER_H
#define _PCBSD_REST_AUTHORIZATION_MANAGER_H
#include "globals-qt.h"
class AuthorizationManager : public QObject{
Q_OBJECT
public:
AuthorizationManager();
~AuthorizationManager();
// == Token Interaction functions ==
void clearAuth(QString token); //clear an authorization token
bool checkAuth(QString token); //see if the given token is valid
bool hasFullAccess(QString token); //see if the token is associated with a full-access account
//SSL Certificate register/revoke/list (should only run if the current token is valid)
bool RegisterCertificate(QString token, QSslCertificate cert); //if token is valid, register the given cert for future logins
bool RevokeCertificate(QString token, QString key, QString user=""); //user will be the current user if not empty - cannot touch other user's certs without full perms on current session
void ListCertificates(QString token, QJsonObject *out);
int checkAuthTimeoutSecs(QString token); //Return the number of seconds that a token is valid for
// == Token Generation functions
QString LoginUP(QHostAddress host, QString user, QString pass); //Login w/ username & password
QString LoginUC(QHostAddress host, QString user, QList<QSslCertificate> certs); //Login w/ username & SSL certificate
QString LoginService(QHostAddress host, QString service); //Login a particular automated service
private:
QHash<QString, QDateTime> HASH;
QHash <QString, QDateTime> IPFAIL;
QString generateNewToken(bool isOperator, QString name);
QStringList getUserGroups(QString user);
//Failure count management
bool BumpFailCount(QString host);
void ClearHostFail(QString host);
//token->hashID filter simplification
QString hashID(QString token){
QStringList tmp = QStringList(HASH.keys()).filter(token+"::::");
if(tmp.isEmpty()){ return ""; }
else{ return tmp.first(); }
}
//PAM login/check files
bool pam_checkPW(QString user, QString pass);
void pam_logFailure(int ret);
signals:
void BlockHost(QHostAddress); //block a host address temporarily
};
#endif
Reference in New Issue View Git Blame Copy Permalink