author: Dante Catalfamo 2021-05-30 16:16:14 -0400
committer: Dante Catalfamo 2021-05-30 16:16:14 -0400
commit: 814d2642ad4e6b9a29f25499cc436caf1abb0724
tree: 66ac98d68c314140b2402e713c5ef831a00f6271
parent: 68b08a8a39f0a71b62ce87abe14318ecf94e692c
bsd-auth: move approval script section, add more helper functions
-rw-r--r-- content/posts/WIP-how-bsd-authentication-works/index.org | 89
1 files changed, 71 insertions, 18 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org
index a15d9ff..70fc635 100644
--- a/content/posts/WIP-how-bsd-authentication-works/index.org
+++ b/content/posts/WIP-how-bsd-authentication-works/index.org
@@ -147,6 +147,30 @@
Most modules also have a hidden flag =-d=, which sets the back
channel do =stdio=, presumably for debugging purposes.
+* Approval Scripts
+ :PROPERTIES:
+ :CUSTOM_ID: approval
+ :END:
+
+ Approval scripts can be much simpler than the full login modules
+ used by the other functions. They may run with limited information
+ and instead of explicitly allowing or denying users with specific
+ conditions. They are given the same back-channel as auth modules,
+ but do not have to explicitly authenticate or revoke users. They
+ should exit with a zero status for approval, or non-zero status to
+ signal disapproval.
+
+ Approval scrips receive arguments in the following form.
+ #+begin_src shell
+ approve [-v name=value] username class service
+ #+end_src
+
+ It can also receive extra key-value =-v= arguments in the same format as
+ [[#modules][auth modules]]. More information is available in the [[https://man.openbsd.org/login.conf#APPROVAL][=APPROVAL=]]
+ section of the =login.conf= man page.
+
+ Approval scripts are checked using [[#auth_approval][=auth_approval=]].
+
* auth_userokay
:PROPERTIES:
:CUSTOM_ID: auth_userokay
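Review bot: the second sentence of the relocated Approval Scripts section is a fragment: "They may run with limited information and instead of explicitly allowing or denying users with specific conditions." has no main clause after "instead of", so the reader never learns what the script does instead; since the text is being moved anyway, this is the place to complete it. Also "Approval scrips receive" should read "Approval scripts receive". The exit-status contract (zero for approval, non-zero for disapproval) is the line that matters for anyone writing one of these scripts and reads correctly as written. Drive-by in the unchanged context just above the hunk: "sets the back channel do =stdio=" should be "to".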
@@ -2297,29 +2321,55 @@
It returns either =0= for disapproval, or non-zero for approval.
-* Approval Scripts
+* auth_checknologin
:PROPERTIES:
- :CUSTOM_ID: approval
+ :CUSTOM_ID: auth_checknologin
:END:
+ @@html: <details> <summary> @@
+ #+begin_src c
+ void auth_checknologin(login_cap_t *lc)
+ #+end_src
+ @@html: </summary> @@
+ #+begin_src c
+ {
+ if (_auth_checknologin(lc, 1))
+ exit(1);
+ }
- Approval scripts can be much simpler than the full login modules
- used by the other functions. They may run with limited information
- and instead of explicitly allowing or denying users with specific
- conditions. They are given the same back-channel as auth modules,
- but do not have to explicitly authenticate or revoke users. They
- should exit with a zero status for approval, or non-zero status to
- signal disapproval.
+ #+end_src
+ @@html: </details> @@
- Approval scrips receive arguments in the following form.
- #+begin_src shell
- approve [-v name=value] username class service
+ [[https://man.openbsd.org/authenticate.3#auth_checknologin][=auth_checknologin=]] is a simple wrapper around the internal
+ =_auth_checknologin=. If the user is now allowed to login, it prints
+ the reason and calls =exit(1)=.
+
+* auth_cat
+ :PROPERTIES:
+ :CUSTOM_ID: auth_cat
+ :END:
+
+ @@html: <details> <summary> @@
+ #+begin_src c
+ int auth_cat(char *file)
#+end_src
+ @@html: </summary> @@
+ #+begin_src c
+ {
+ int fd, nchars;
+ char tbuf[8192];
- It can also receive extra key-value =-v= arguments in the same format as
- [[#modules][auth modules]]. More information is available in the [[https://man.openbsd.org/login.conf#APPROVAL][=APPROVAL=]]
- section of the =login.conf= man page.
+ if ((fd = open(file, O_RDONLY, 0)) == -1)
+ return (0);
+ while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
+ (void)write(fileno(stdout), tbuf, nchars);
+ (void)close(fd);
+ return (1);
+ }
+ #+end_src
+ @@html: </details> @@
- <<here>>
+ =auth_cat= is a helper function that will write the contents of a
+ =file= to =stdout=. It returns =0= on failure or =1= on success.
* _auth_validuser
:PROPERTIES:
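Review bot: the new auth_checknologin description inverts the condition: "If the user is now allowed to login, it prints the reason and calls exit(1)" should say "not allowed", which is what the body shows (exit(1) is reached only when _auth_checknologin(lc, 1) returns non-zero). Second, the auth_cat description overstates its return value: only a failed open() yields 0; read and write errors are ignored (the write return is cast to void) and the function still returns 1, so "returns =0= on failure" should be narrowed to "returns =0= if the file cannot be opened, =1= otherwise".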
@@ -2410,8 +2460,11 @@
@@html: </details> @@
=_auth_checknologin= is a helper function in =authenticate.c=. It is
- used to check the =nologin= status of the account. It returns =0= if
- the user is allowed to login, and =-1= otherwise.
+ used to check the =nologin= status of the account. If =print= is
+ non-zero, it will print the reason for the failure, and print the
+ contents of the nologin file using [[#auth_cat][=auth_cat=]].
+
+ It returns =0= if the user is allowed to login, and =-1= otherwise.
* COMMENT note :noexport:
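Review bot: the updated text refers to a =print= parameter without saying which argument it is; the prototype sits in the collapsed block above, so consider writing "If the second argument, =print=, is non-zero" and noting that the auth_checknologin wrapper added earlier in this commit passes 1 for it. Style: "allowed to login" should be "allowed to log in" here and in the auth_checknologin section, since "login" is the noun.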