Commit 53eed5f3 authored by Stephane Glondu's avatar Stephane Glondu

Load password db file for admin site on each authentication request

This avoids having to restart ocsigenserver (and kill all sessions) at
each account creation.
parent 84acbcec
...@@ -37,25 +37,7 @@ let configure x = ...@@ -37,25 +37,7 @@ let configure x =
auth_instance, (auth_system, List.map snd auth_config) auth_instance, (auth_system, List.map snd auth_config)
) x ) x
in in
Web_persist.set_auth_config None auth_config |> Lwt_main.run; Web_persist.set_auth_config None auth_config |> Lwt_main.run
List.iter (fun {auth_system; auth_config; _} ->
match auth_system with
| "password" ->
let table = Ocsipersist.open_table "password_site" in
(match auth_config with
| [] -> ()
| ["db", file] ->
Ocsigen_messages.console (fun () ->
Printf.sprintf "Loading passwords from file %s" file
);
let db = Csv.load file in
List.iter (function
| username :: salt :: password :: _ ->
Ocsipersist.add table username (salt, password) |> Lwt_main.run
| _ -> failwith ("error while loading " ^ file)) db
| _ -> failwith "error in passwords configuration")
| _ -> ()
) x
let scope = Eliom_common.default_session_scope let scope = Eliom_common.default_session_scope
...@@ -76,7 +58,7 @@ let default_cont uuid () = ...@@ -76,7 +58,7 @@ let default_cont uuid () =
let dummy_handler () name = let dummy_handler () name =
match%lwt Eliom_reference.get auth_env with match%lwt Eliom_reference.get auth_env with
| None -> failwith "dummy handler was invoked without environment" | None -> failwith "dummy handler was invoked without environment"
| Some (uuid, service) -> | Some (uuid, service, _) ->
Eliom_reference.set user (Some {uuid; service; name}) >> Eliom_reference.set user (Some {uuid; service; name}) >>
Eliom_reference.unset auth_env >> Eliom_reference.unset auth_env >>
default_cont uuid () default_cont uuid ()
...@@ -85,24 +67,45 @@ let () = Eliom_registration.Any.register ~service:dummy_post dummy_handler ...@@ -85,24 +67,45 @@ let () = Eliom_registration.Any.register ~service:dummy_post dummy_handler
(** Password authentication *) (** Password authentication *)
let check_password_with_file db name password =
let%lwt db = Lwt_preemptive.detach Csv.load db in
try
begin
match
List.find (function
| username :: _ :: _ :: _ -> username = name
| _ -> false
) db
with
| _ :: salt :: hashed :: _ ->
return (sha256_hex (salt ^ password) = hashed)
| _ -> return false
end
with Not_found -> return false
let password_handler () (name, password) = let password_handler () (name, password) =
let%lwt uuid, service = let%lwt uuid, service, config =
match%lwt Eliom_reference.get auth_env with match%lwt Eliom_reference.get auth_env with
| None -> failwith "password handler was invoked without environment" | None -> failwith "password handler was invoked without environment"
| Some x -> return x | Some x -> return x
in in
let table = let%lwt ok =
"password_" ^
match uuid with match uuid with
| None -> "site" | None ->
| Some u -> underscorize u begin
in match config with
let table = Ocsipersist.open_table table in | [db] -> check_password_with_file db name password
let%lwt salt, hashed = | _ -> failwith "invalid configuration for admin site"
try%lwt Ocsipersist.find table name end
with Not_found -> fail_http 401 | Some uuid ->
let table = "password_" ^ underscorize uuid in
let table = Ocsipersist.open_table table in
try%lwt
let%lwt salt, hashed = Ocsipersist.find table name in
return (sha256_hex (salt ^ password) = hashed)
with Not_found -> return false
in in
if sha256_hex (salt ^ password) = hashed then if ok then
Eliom_reference.set user (Some {uuid; service; name}) >> Eliom_reference.set user (Some {uuid; service; name}) >>
Eliom_reference.unset auth_env >> Eliom_reference.unset auth_env >>
default_cont uuid () default_cont uuid ()
...@@ -159,7 +162,7 @@ let get_cas_validation server ticket = ...@@ -159,7 +162,7 @@ let get_cas_validation server ticket =
| None -> return (`Error `Http) | None -> return (`Error `Http)
let cas_handler ticket () = let cas_handler ticket () =
let%lwt uuid, service = let%lwt uuid, service, _ =
match%lwt Eliom_reference.get auth_env with match%lwt Eliom_reference.get auth_env with
| None -> failwith "cas handler was invoked without environment" | None -> failwith "cas handler was invoked without environment"
| Some x -> return x | Some x -> return x
...@@ -246,7 +249,7 @@ let oidc_get_name ocfg client_id client_secret code = ...@@ -246,7 +249,7 @@ let oidc_get_name ocfg client_id client_secret code =
| None -> return None | None -> return None
let oidc_handler params () = let oidc_handler params () =
let%lwt uuid, service = let%lwt uuid, service, _ =
match%lwt Eliom_reference.get auth_env with match%lwt Eliom_reference.get auth_env with
| None -> failwith "oidc handler was invoked without environment" | None -> failwith "oidc handler was invoked without environment"
| Some x -> return x | Some x -> return x
...@@ -309,7 +312,7 @@ let oidc_login_handler config () = ...@@ -309,7 +312,7 @@ let oidc_login_handler config () =
(** Generic authentication *) (** Generic authentication *)
let get_login_handler service uuid auth_system config = let get_login_handler service uuid auth_system config =
Eliom_reference.set auth_env (Some (uuid, service)) >> Eliom_reference.set auth_env (Some (uuid, service, config)) >>
match auth_system with match auth_system with
| "dummy" -> Web_templates.login_dummy () >>= Eliom_registration.Html5.send | "dummy" -> Web_templates.login_dummy () >>= Eliom_registration.Html5.send
| "cas" -> cas_login_handler config () | "cas" -> cas_login_handler config ()