--- a/dav/config.c Sun Aug 08 14:59:02 2021 +0200 +++ b/dav/config.c Sun Aug 08 16:49:47 2021 +0200 @@ -37,6 +37,7 @@ #include "pwd.h" #include "config.h" #include "main.h" +#include "pwd.h" #include <libidav/utils.h> #define xstreq(a,b) xmlStrEqual(BAD_CAST a, BAD_CAST b) @@ -817,3 +818,286 @@ free(pwfile); return ret; } + + + + +Repository* url2repo_s(sstr_t url, char **path) { + *path = NULL; + + int s; + if(sstrprefix(url, SC("http://"))) { + s = 7; + } else if(sstrprefix(url, SC("https://"))) { + s = 8; + } else { + s = 1; + } + + // split URL into repository and path + sstr_t r = sstrsubs(url, s); + sstr_t p = sstrchr(r, '/'); + r = sstrsubsl(url, 0, url.length-p.length); + if(p.length == 0) { + p = sstrn("/", 1); + } + + Repository *repo = get_repository(r); + if(repo) { + *path = sstrdup(p).ptr; + } else { + // TODO: who is responsible for freeing this repository? + // how can the callee know, if he has to call free()? + repo = calloc(1, sizeof(Repository)); + repo->name = strdup(""); + repo->decrypt_content = true; + repo->verification = true; + repo->authmethods = CURLAUTH_BASIC; + if(url.ptr[url.length-1] == '/') { + repo->url = sstrdup(url).ptr; + *path = strdup("/"); + } else if (sstrchr(url, '/').length > 0) { + // TODO: fix the following workaround after + // fixing the inconsistent behavior of util_url_*() + repo->url = util_url_base_s(url); + sstr_t truncated = sstrdup(url); + *path = strdup(util_url_path(truncated.ptr)); + free(truncated.ptr); + } else { + repo->url = sstrdup(url).ptr; + *path = strdup("/"); + } + } + + return repo; +} + +Repository* url2repo(char *url, char **path) { + return url2repo_s(sstr(url), path); +} + +static int decrypt_secrets(CmdArgs *a, PwdStore *secrets) { + if(cmd_getoption(a, "noinput")) { + return 1; + } + + char *ps_password = NULL; + if(secrets->unlock_cmd && strlen(secrets->unlock_cmd) > 0) { + UcxBuffer *cmd_out = ucx_buffer_new(NULL, 128, UCX_BUFFER_AUTOEXTEND); + if(!util_exec_command(secrets->unlock_cmd, cmd_out)) { + // command successful, get first line from output without newline + // and use that as password for the secretstore + size_t len = 0; + for(size_t i=0;i<=cmd_out->size;i++) { + if(i == cmd_out->size || cmd_out->space[i] == '\n') { + len = i; + break; + } + } + if(len > 0) { + ps_password = malloc(len + 1); + memcpy(ps_password, cmd_out->space, len); + ps_password[len] = 0; + } + } + ucx_buffer_free(cmd_out); + } + + if(!ps_password) { + ps_password = util_password_input("Master password: "); + if(!ps_password) { + return 1; + } + } + + if(pwdstore_setpassword(secrets, ps_password)) { + fprintf(stderr, "Error: cannot create key from password\n"); + return 1; + } + if(pwdstore_decrypt(secrets)) { + fprintf(stderr, "Error: cannot decrypt secrets store\n"); + return 1; + } + return 0; +} + +typedef struct CredLocation { + char *id; + char *location; +} CredLocation; + +static int cmp_url_cred_entry(CredLocation *e1, CredLocation *e2, void *n) { + return strcmp(e2->location, e1->location); +} + +static void free_cred_location(CredLocation *c) { + // c->id is not a copy, therefore we don't have to free it + free(c->location); + free(c); +} + +static int get_stored_credentials(CmdArgs *a, char *credid, char **user, char **password) { + if(!credid) { + return 0; + } + + PwdStore *secrets = get_pwdstore(); + if(!secrets) { + fprintf(stderr, "Error: no secrets store available\n"); + return 0; + } + + if(pwdstore_has_id(secrets, credid)) { + if(!secrets->isdecrypted) { + if(decrypt_secrets(a, secrets)) { + return 0; + } + } + + PwdEntry *s_cred = pwdstore_get(secrets, credid); + if(s_cred) { + *user = s_cred->user; + *password = s_cred->password; + return 1; + } + } else { + fprintf(stderr, "Error: credentials id '%s' not found\n", credid); + } + + return 0; +} + + +static int get_location_credentials(CmdArgs *a, Repository *repo, char *path, char **user, char **password) { + PwdStore *secrets = get_pwdstore(); + if(!secrets) { + return 0; + } + + /* + * The list secrets->location contains urls or repo names as + * location strings. We need a list, that contains only urls + */ + UcxList *locations = NULL; + UCX_FOREACH(elm, secrets->locations) { + PwdIndexEntry *e = elm->data; + + UCX_FOREACH(loc, e->locations) { + char *path; + Repository *r = url2repo(loc->data, &path); + CredLocation *urlentry = calloc(1, sizeof(CredLocation)); + urlentry->id = e->id; + urlentry->location = util_concat_path(r->url, path); + locations = ucx_list_append(locations, urlentry); + } + } + // the list must be sorted + locations = ucx_list_sort(locations, (cmp_func)cmp_url_cred_entry, NULL); + + // create full request url string and remove protocol prefix + sstr_t req_url_proto = sstr(util_concat_path(repo->url, path)); + sstr_t req_url = req_url_proto; + if(sstrprefix(req_url, S("http://"))) { + req_url = sstrsubs(req_url, 7); + } else if(sstrprefix(req_url, S("https://"))) { + req_url = sstrsubs(req_url, 8); + } + + // iterate over sorted locations and check if a location is a prefix + // of the requested url + char *id = NULL; + int ret = 0; + UCX_FOREACH(elm, locations) { + CredLocation *cred = elm->data; + sstr_t cred_url = sstr(cred->location); + + // remove protocol prefix + if(sstrprefix(cred_url, S("http://"))) { + cred_url = sstrsubs(cred_url, 7); + } else if(sstrprefix(cred_url, S("https://"))) { + cred_url = sstrsubs(cred_url, 8); + } + + if(sstrprefix(req_url, cred_url)) { + id = cred->id; + break; + } + } + + // if an id is found and we can access the decrypted secret store + // we can set the user/password + if(id && (secrets->isdecrypted || !decrypt_secrets(a, secrets))) { + PwdEntry *cred = pwdstore_get(secrets, id); + if(cred) { + *user = cred->user; + *password = cred->password; + ret = 1; + } + } + + free(req_url_proto.ptr); + ucx_list_free_content(locations, (ucx_destructor)free_cred_location); + ucx_list_free(locations); + + return ret; +} + +DavSession* connect_to_repo(DavContext *ctx, Repository *repo, char *path, dav_auth_func authfunc, CmdArgs *a) { + char *user = repo->user; + char *password = repo->password; + + if(!user && !password) { + if(!get_stored_credentials(a, repo->stored_user, &user, &password)) { + get_location_credentials(a, repo, path, &user, &password); + } + } + + DavSession *sn = dav_session_new_auth(ctx, repo->url, user, password); + sn->flags = get_repository_flags(repo); + sn->key = dav_context_get_key(ctx, repo->default_key); + curl_easy_setopt(sn->handle, CURLOPT_HTTPAUTH, repo->authmethods); + curl_easy_setopt(sn->handle, CURLOPT_SSLVERSION, repo->ssl_version); + if(repo->cert) { + curl_easy_setopt(sn->handle, CURLOPT_CAINFO, repo->cert); + } + if(!repo->verification || cmd_getoption(a, "insecure")) { + curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYPEER, 0); + curl_easy_setopt(sn->handle, CURLOPT_SSL_VERIFYHOST, 0); + } + if(!cmd_getoption(a, "noinput")) { + dav_session_set_authcallback(sn, authfunc, repo); + } + return sn; +} + +int request_auth(DavSession *sn, void *userdata) { + Repository *repo = userdata; + + char *user = NULL; + char ubuf[256]; + if(repo->user) { + user = repo->user; + } else { + fprintf(stderr, "User: "); + fflush(stderr); + user = fgets(ubuf, 256, stdin); + } + if(!user) { + return 0; + } + + char *password = util_password_input("Password: "); + if(!password || strlen(password) == 0) { + return 0; + } + + size_t ulen = strlen(user); + if(user[ulen-1] == '\n') { + user[ulen-1] = '\0'; + } + + dav_session_set_auth(sn, user, password); + free(password); + + return 0; +}