first-commit

modules/auth/pam/pam.go

@@ -0,0 +1,43 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build pam
+
+package pam
+
+import (
+	"errors"
+
+	"github.com/msteinert/pam"
+)
+
+// Supported is true when built with PAM
+var Supported = true
+
+// Auth pam auth service
+func Auth(serviceName, userName, passwd string) (string, error) {
+	t, err := pam.StartFunc(serviceName, userName, func(s pam.Style, msg string) (string, error) {
+		switch s {
+		case pam.PromptEchoOff:
+			return passwd, nil
+		case pam.PromptEchoOn, pam.ErrorMsg, pam.TextInfo:
+			return "", nil
+		}
+		return "", errors.New("Unrecognized PAM message style")
+	})
+	if err != nil {
+		return "", err
+	}
+
+	if err = t.Authenticate(0); err != nil {
+		return "", err
+	}
+
+	if err = t.AcctMgmt(0); err != nil {
+		return "", err
+	}
+
+	// PAM login names might suffer transformations in the PAM stack.
+	// We should take whatever the PAM stack returns for it.
+	return t.GetItem(pam.User)
+}

modules/auth/pam/pam_stub.go

@@ -0,0 +1,22 @@
+// Copyright 2014 The Gogs Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !pam
+
+package pam
+
+import (
+	"errors"
+)
+
+// Supported is false when built without PAM
+var Supported = false
+
+// Auth not supported lack of pam tag
+func Auth(serviceName, userName, passwd string) (string, error) {
+	// bypass the lint on callers: SA4023: this comparison is always true (staticcheck)
+	if !Supported {
+		return "", errors.New("PAM not supported")
+	}
+	return "", nil
+}

modules/auth/pam/pam_test.go

@@ -0,0 +1,19 @@
+//go:build pam
+
+// Copyright 2021 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package pam
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPamAuth(t *testing.T) {
+	result, err := Auth("gitea", "user1", "false-pwd")
+	assert.Error(t, err)
+	assert.EqualError(t, err, "Authentication failure")
+	assert.Empty(t, result)
+}