ICS-MU · dBucik · Jan 22, 2024 · Jan 22, 2024 · Jan 22, 2024 · Jan 23, 2024
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,6 @@
 # Created by .ignore support plugin (hsz.mobi)
+.idea
+
 ### Python template
 # Byte-compiled / optimized / DLL files
 __pycache__/

diff --git a/README.md b/README.md
@@ -34,8 +34,9 @@ Edit `/etc/pam_oauth2_device/config.json`.
     - 0 - low
     - 1 - medium
     - 2 - high
-- `users` User mapping from claim configured in _username_attribute_
-  to the local account name.
+- `users` User mapping from claim configured in _username_attribute_ to the local account name.
+- `usersFilePath` Path to a JSON file containing user mappings. An alternative to the `users` option
+of the module configuration file.
 - `oauth` configuration for the OIDC identity provider.
   - `require_mfa`: if `true` the module will modify the requests to ask
     user to perform the MFA.

diff --git a/config_template.json → examples/config_template.json b/config_template.json → examples/config_template.json
@@ -27,6 +27,7 @@
         "show": true,
         "error_correction_level": 0
     },
+    "usersFilePath": "./user_mappings.json",
     "users": {
         "provider_user_id_1": [
             "root",

diff --git a/examples/user_mappings.json b/examples/user_mappings.json
@@ -0,0 +1,11 @@
+{
+  "users": {
+    "provider_user_id_1": [
+      "root",
+      "bob"
+    ],
+    "provider_user_id_2": [
+      "mike"
+    ]
+  }
+}
diff --git a/src/include/config.cpp b/src/include/config.cpp
@@ -2,52 +2,66 @@
 
 #include <fstream>
 #include <set>
+#include <syslog.h>
 
 #include "nlohmann/json.hpp"
 
+using namespace std;
 using json = nlohmann::json;
 
 void Config::load(const char *path) {
-  std::ifstream config_fstream(path);
+  ifstream config_fstream(path);
   json j;
   config_fstream >> j;
+
+  json oauth_json = j.at("oauth");
 
-  client_id = j.at("oauth").at("client").at("id").get<std::string>();
-  client_secret = j.at("oauth").at("client").at("secret").get<std::string>();
-  scope = j.at("oauth").at("scope").get<std::string>();
-  device_endpoint = j.at("oauth").at("device_endpoint").get<std::string>();
-  token_endpoint = j.at("oauth").at("token_endpoint").get<std::string>();
-  userinfo_endpoint = j.at("oauth").at("userinfo_endpoint").get<std::string>();
-  username_attribute =
-      j.at("oauth").at("username_attribute").get<std::string>();
-  require_mfa = j["oauth"].contains("require_mfa")
-                    ? j.at("oauth").at("require_mfa").get<bool>()
-                    : false;
+  client_id = oauth_json.at("client").at("id").get<string>();
+  client_secret = oauth_json.at("client").at("secret").get<string>();
+  scope = oauth_json.at("scope").get<string>();
+  device_endpoint = oauth_json.at("device_endpoint").get<string>();
+  token_endpoint = oauth_json.at("token_endpoint").get<string>();
+  userinfo_endpoint = oauth_json.at("userinfo_endpoint").get<string>();
+  username_attribute = oauth_json.at("username_attribute").get<string>();
+  require_mfa = oauth_json.contains("require_mfa") && oauth_json.at("require_mfa").get<bool>();
+
+  json qr_json = j.at("qr");
   qr_error_correction_level =
-      j.at("qr").at("error_correction_level").get<int>();
-  qr_show =
-      (j["qr"].contains("show")) ? j.at("qr").at("show").get<bool>() : true;
-  if (j.find("ldap") != j.end() && j["ldap"].find("hosts") != j["ldap"].end()) {
-    for (auto &host : j["ldap"]["hosts"]) {
-      ldap_hosts.insert((std::string)host);
+      qr_json.at("error_correction_level").get<int>();
+  qr_show = qr_json.contains("show") && qr_json.at("show").get<bool>();
+
+  if (j.find("ldap") != j.end() && j.at("ldap").find("hosts") != j.at("ldap").end()) {
+    json ldap_json = j.at("ldap");
+    for (auto const &host : ldap_json.at("hosts")) {
+      ldap_hosts.insert((string)host);
     }
-    ldap_basedn = j.at("ldap").at("basedn").get<std::string>();
-    ldap_user = j.at("ldap").at("user").get<std::string>();
-    ldap_passwd = j.at("ldap").at("passwd").get<std::string>();
-    ldap_filter = j.at("ldap").at("filter").get<std::string>();
-    ldap_attr = j.at("ldap").at("attr").get<std::string>();
+    ldap_basedn = ldap_json.at("basedn").get<string>();
+    ldap_user = ldap_json.at("user").get<string>();
+    ldap_passwd = ldap_json.at("passwd").get<string>();
+    ldap_filter = ldap_json.at("filter").get<string>();
+    ldap_attr = ldap_json.at("attr").get<string>();
   }
+
+  json users_json;
   if (j.find("users") != j.end()) {
-    for (auto &element : j["users"].items()) {
-      for (auto &local_user : element.value()) {
-        if (usermap.find(element.key()) == usermap.end()) {
-          std::set<std::string> userset;
-          userset.insert((std::string)local_user);
-          usermap[element.key()] = userset;
-        } else {
-          usermap[element.key()].insert((std::string)local_user);
-        }
+    users_json = j.at("users");
+    Config::fill_user_map_from_json(users_json);
+  } else if (j.find("usersFilePath") != j.end()) {
+    string users_path = j.at("usersFilePath").get<string>();
+    ifstream users_fstream(users_path);
+    users_fstream >> users_json;
+    Config::fill_user_map_from_json(users_json);
+  }
+}
+
+void Config::fill_user_map_from_json(json& j) {
+  for (auto const &element : j["users"].items()) {
+    for (auto const &local_user : element.value()) {
+      if (usermap.find(element.key()) == usermap.end()) {
+        set<string> userset;
+        usermap[element.key()] = userset;
       }
+      usermap[element.key()].insert((string)local_user);
     }
   }
 }
diff --git a/src/include/config.hpp b/src/include/config.hpp
@@ -3,18 +3,42 @@
 
 #include <map>
 #include <set>
-#include <string>
+
+#include "nlohmann/json.hpp"
+
+using json = nlohmann::json;
 
 class Config {
  public:
-  void load(const char *path);
-  std::string client_id, client_secret, scope, device_endpoint, token_endpoint,
-      userinfo_endpoint, username_attribute, ldap_basedn, ldap_user,
-      ldap_passwd, ldap_filter, ldap_attr;
-  bool require_mfa, qr_show;
-  std::set<std::string> ldap_hosts;
+  // OAuth2
+  std::string client_id;
+  std::string client_secret;
+  std::string scope;
+  std::string device_endpoint;
+  std::string token_endpoint;
+  std::string userinfo_endpoint;
+  std::string username_attribute;
+  bool require_mfa;
+
+  // QR code
+  bool qr_show;
   int qr_error_correction_level;
+
+  // LDAP
+  std::string ldap_basedn;
+  std::string ldap_user;
+  std::string ldap_passwd;
+  std::string ldap_filter;
+  std::string ldap_attr;
+  std::set<std::string> ldap_hosts;
+
+  // usermap
   std::map<std::string, std::set<std::string>> usermap;
+
+  // functions
+  void load(const char *path);
+ private:
+  void fill_user_map_from_json(json& j);
 };
 
 #endif  // PAM_OAUTH2_DEVICE_CONFIG_HPP
diff --git a/src/pam_oauth2_device.cpp b/src/pam_oauth2_device.cpp
@@ -59,20 +59,21 @@ std::string getQr(const char *text, const int ecc = 0, const int border = 1) {
       qrcodegen::QrCode::encodeText(text, error_correction_level);
 
   std::ostringstream oss;
-  int i, j, size, top, bottom;
-  size = qr.getSize();
-  for (j = -border; j < size + border; j += 2) {
-    for (i = -border; i < size + border; ++i) {
-      top = qr.getModule(i, j);
-      bottom = qr.getModule(i, j + 1);
+
+  int size = qr.getSize();
+  for (int j = -border; j < size + border; j += 2) {
+    for (int i = -border; i < size + border; ++i) {
+      int top = qr.getModule(i, j);
+      int bottom = qr.getModule(i, j + 1);
+
       if (top && bottom) {
-        oss << "\033[40;97m \033[0m";
-      } else if (top && !bottom) {
-        oss << "\033[40;97m\u2584\033[0m";
-      } else if (!top && bottom) {
-        oss << "\033[40;97m\u2580\033[0m";
+        oss << " ";
+      } else if (top != 0) {
+        oss << "\u2584";
+      } else if (bottom != 0) {
+        oss << "\u2580";
       } else {
-        oss << "\033[40;97m\u2588\033[0m";
+        oss << "\u2588";
       }
     }
     oss << std::endl;