Class: ForgetPasswords::CLI

Inherits:
Object
  • Object
show all
Includes:
Commander::Methods
Defined in:
lib/forget-passwords/cli.rb

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.runObject 



510
511
512
 
# File 'lib/forget-passwords/cli.rb', line 510

def self.run
  new.run
end

Instance Method Details

#runObject 



155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
 
# File 'lib/forget-passwords/cli.rb', line 155

def run
  program :name,        File.basename($0)
  program :version,     ForgetPasswords::VERSION
  program :description, 'Command line manager for ForgetPasswords'
  program :int_message, 'mkay bye'

  @cfgfile = CFG_FILE.expand_path
  @config  = DEFAULTS.dup

  global_option '-b', '--base-uri URI',
    'A base URI for relative references' do |o|
    @config[:base] = URI(o)
  end

  global_option '-c', '--config FILE',
    'The location of the configuration file' do |o|
    @cfgfile = Pathname(o).expand_path
  end

  global_option '-d', '--dsn STRING',
    'Specify a data source name, overriding configuration' do |o|
    @config[:state][:dsn] = o
  end

  global_option '-D', '--debug-sql',
    'Log SQL queries to standard error' do
    @log_sql = true
  end

  command :init do |c|
    c.syntax  = "#{program :name} init [OPTIONS]"
    c.summary = 'Initializes configuration file and state database.'
    c.description = <<-DESC
This command initializes the configuration file (default `$PWD/forgetpw.yml`)
and state database (default `sqlite://forgetpw.sqlite`). Global parameters
(-b, -c, -d) will be used to record the default base URL, config file
location, and data source name, respectively.

Most configuration parameters have sane defaults, and the base URI is
optional. If an existing configuration file is found at the specified
location, you will be asked before overwriting it. Initialization will
likewise overwrite any existing database tables, so you'll also get a
chance to move those out of the way if you want to keep them.

If you are using a network-attached RDBMS (Postgres, MySQL, Oracle,
etc), you will almost certainly need to create the designated
database, user, and any applicable access rights before running this
command.
    DESC

    c.option '--query-key TOKEN', 'A URI query key; defaults to `knock`'
    c.option '--cookie-key TOKEN', 'A cookie key; defaults to `forgetpw`'
    c.option '--expiry DURATION',
      'Global default expiry, given as an ISO8601 duration (default P1Y)'
    c.option '--url-expiry DURATION',
      'Set the default expiry duration for URLs only'
    c.option '--cookie-expiry DURATION',
      'Set the default expiry duration for cookies only'
    c.option '--user-var TOKEN',
      'Environment variable name for user (default `FCGI_USER`)'
    c.option '--redirect-var TOKEN',
      'Environment variable name for redirect (default `FCGI_REDIRECT`)'
    c.option '-l', '--listen HOST',
      'Specify listening address for FastCGI daemon (default localhost)'
    c.option '-p', '--port NUMBER',
      'Specify TCP port for FastCGI daemon (default 10101)'
    c.option '-P', '--pid FILE',
      'Create a PID file when FastCGI daemon is detached'

    c.action do |_, opts|
      # check the directory where we're going to drop the config file
      dir = @cfgfile.dirname
      unless dir.exist?
        rel = dir.relative_path_from Pathname.pwd
        if agree "Directory #{rel} doesn't exist. Try to create it?"
          begin
            dir.mkpath
          rescue Errno::EACCES
            say "Could not create #{rel}. :("
            exit 1
          end
        end
      end

      # check for an existing config file
      if @cfgfile.exist?
        rel = @cfgfile.relative_path_from Pathname.pwd
        # get confirmation if config file already exists
        x = "Configuration file #{rel} already exists. Overwrite?"
        unless agree x
          say "Not overwriting #{rel}."
          exit 1
        end

        # complain if not writable
        unless @cfgfile.writable?
          say "Not overwriting #{rel}, which is not writable."
          exit 1
        end
      end

      # wrap these calls
      begin
        cfg = cmdline_config opts
        merge_config @config, cfg, commit: true
        write_config
      rescue SystemCallError => e
        rel = @cfgfile.relative_path_from Pathname.pwd
        say "Could not write #{rel}: #{e}"
        exit 1
      #rescue OptionParser::InvalidArgument => e
      #  say "One or more of the command-line options was invalid: #{e}"
      #  exit 1
      end

      do_db = true
      begin
        state = State.new @config[:dsn], create: false, debug: @log_sql

        # check for existence of database
        if state.initialized?
          x = "Database #{@config[:dsn]} is already initialized. Overwrite?"
          unless agree x
            say "Not overwriting #{@config[:dsn]}."
            do_db = false
          end
        end

        # now create the tables
        state.initialize! if do_db

      rescue Sequel::DatabaseConnectionError => e
        # complain if database doesn't exist or if i don't have access
        say "Could not connect to #{@config[:dsn]}: #{e}"
        do_db = false
      end

      # now tell the user what i did
      say 'Created new configuration file' +
        "#{do_db ? ' and state database' : ''}."
    end
  end

  command :privilege do |c|
    c.syntax = "#{program :name} privilege [OPTIONS] EMAIL|DOMAIN ..."
    c.summary = "Adds or revokes privileges to an e-mail address or domain."
    c.description = <<-DESC
This command will either add or revoke access privileges to one or
more e-mail address or e-mail domain, associated with a Web domain.
    DESC

    c.option '-d', '--domain DOMAIN',
      'Constrain to the given Web domain'
    c.option '-l', '--list', 'List instead of acting'
    c.option '-r', '--revoke', 'Revoke privileges instead of granting them'

    c.action do |args, opts|
      read_config
      @config = Config.(@config)

      db = @config[:state]
      # warn db.inspect

      domain = opts.domain ||= ''

      if opts.list
      else
        method = opts.revoke ? :revoke : :permit
        db.transaction do
          args.each do |email|
            db.acl.send method, domain, email
            say "added #{email} to #{domain.empty? ? ?* : domain}"
          end
        end
      end

    end
  end

  command :mint do |c|
    c.syntax = "#{program :name} [mint] [OPTIONS] USERID [URL]"
    c.summary = 'Mints a new URL associated with the given user.'
    c.description = <<-DESC
This command mints a new URL associated with the given user. If the
URL is omitted, the slug will be appended to the configured base
URL. If that is missing too, the command will just return the
generated token. If there is already an active token for this user, it
will be reused with the new URL, unless you pass -n or -x, which will
add a new

This command will create a new record for a given user ID if none is
present. You can include an optional email address (-e), or you can make
the user ID an email address, LDAP DN, Kerberos principal, or whatever
you want. The user ID, whatever it ends up as, is what will be showing
up verbatim in the `REMOTE_USER` field of downstream Web apps. Note
that this database only maps one kind of identifier to another, and is
not meant to be authoritative storage for user profiles.
    DESC

    c.option '-e', '--email EMAIL',
      'Set the email address for the (new) user'
    c.option '-l', '--lifetime DURATION',
      'How long this URL will work, as an ISO8601 duration (default P1Y)'
    c.option '-n', '--new',
      'Force minting a new token even if the current one is still fresh'
    c.option '-x', '--expire',
      'Expire any active tokens in circulation (implies --new)'
    c.option '-1', '--oneoff', 'The token will expire after the first ' +
      'time it is used (implies --new).'

    c.action do |args, opts|
      read_config
      merge_config @config, cmdline_config(opts),
        commit: true

      user, url = *(args.map(&:strip))

      raise Commander::Runner::CommandError.new 'No user supplied' unless
        user and user != ''
      if url and url != ''
        begin
          if @config[:base]
            url = @config[:base].merge url
          else
            url = URI(url)
          end

          scheme = url.scheme.to_s.downcase

          if scheme.start_with? 'http'
            say 'Unencrypted HTTP will be insecure,' +
              "but I assume you know what you're doing" if
              url.scheme == 'http'
          else
            say 'Gonna be hard doing Web authentication ' +
              "against a non-Web URL, but you're the boss!"
          end
        rescue URI::InvalidURIError => e
          raise Commander::Runner::CommandError.new e
        end
      else
        url = @config[:base] ? @config[:base].dup : nil
      end

      # handle implications of expire/oneoff options
      opts.default :new => !!(opts.expire || opts.oneoff)

      begin

        # connect to the database
        state = State.new @config[:dsn], debug: @log_sql,
          query_expires:  @config[:expiry][:url],
          cookie_expires: @config[:expiry][:cookie]

        id = state.id_for user, create: true, email: opts.email

        # obtain the latest live token for this principal
        token = state.token_for id unless opts.new

        # eh i don't like this logic but it was the least-bad
        # option i could think of at the time
        if !token || opts.new
          if opts.expire
            say "Expiring all live tokens for #{user}."
            # burn all existing query-string tokens
            state.expire_tokens_for id, cookie: false

            # XXX do we put in a command-line switch for burning
            # the cookies too?
          end
          # create new token
          token = state.new_token id, oneoff: opts.oneoff,
            expires: @config[:expiry][:query]
        end

        if url
          if (query = url.query)
            query = URI::decode_www_form query
          else
            query = []
          end

          # now add the key
          query << [@config[:query], token]

          url.query = URI::encode_www_form query

          say "Here's the link to give to #{user} (and only #{user}): " +
            url.to_s
        else
          say "No URL given, so here's your token: #{token}"
        end

        exit 0

      rescue Sequel::DatabaseConnectionError => e
        say "Could not connect to #{@config[:dsn]}: #{e}"
        exit 1
      end
    end
  end

  command :fcgi do |c|
    c.syntax = "#{program :name} fcgi [OPTIONS]"
    c.summary = 'Runs the ForgetPasswords FastCGI authenticator.'
    c.description = <<-DESC
This command fires up the ForgetPasswords FastCGI authenticator service. By
default it runs in the foreground, listening on localhost, TCP port
10101. All of these parameters of course can be changed, either in
configuration or on the command line. Of course this daemon is only
half the setup, the other half being done on the Web server, using
something like `mod_authnz_fcgi`.
    DESC
    c.option '-l', '--listen HOST',
      'Specify listening address (default localhost)'
    c.option '-p', '--port NUMBER', 'Specify TCP port (default 10101)'
    c.option '-z', '--detach', 'Detach and daemonize the process'
    c.option '-P', '--pid FILE', 'Create a PID file when detached'

    c.action do |args, opts|
      require 'forget-passwords'
      require 'rack'

      # booooo
      require 'forget-passwords/fastcgi'

      read_config
      merge_config @config,
        cmdline_config(opts, { listen: :host, port: :port }), commit: true
      @config = Config.(@config)

      appcfg = @config.slice(
        :keys, :vars, :targets, :templates, :email
      ).merge({ debug: @log_sql })

      say 'Running authenticator daemon on ' +
        "fcgi://#{@config[:host]}:#{@config[:port]}/"

      Rack::Server.start({
        # app: ForgetPasswords::App.new(@config[:dsn], debug: @log_sql),
        app: ForgetPasswords::App.new(@config[:state], **appcfg),
        server: 'hacked-fcgi',
        environment: 'none',
        daemonize: opts.detach,
        Host: @config[:host],
        Port: @config[:port],
      })
    end
  end

  default_command :mint

  run!
end