Handle cases when auth groups are unset

Currently, pappl based applications require authentication every time for any request if authentication module is set, even if authentication group(s) is set to `None`. With this PR, admin can set admin and print group to `None`. Every admin action is allowed if admin group is `None`. For printing jobs, Validate-Job, Print-Job, Create-Job are allowed, Send-Document if the requesting client is owner of the job - value of `requesting-user-name` is used as default value, in case authorization field does not contain it. This allows smooth printing to the printer application via CUPS when printer application uses PAM module to protect against simple attacks.
michaelrsweet · Mar 18, 2024 · 203e31c · 203e31c
1 parent 988b90a
commit 203e31c
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 0 deletions.
diff --git a/pappl/client-auth.c b/pappl/client-auth.c
@@ -64,6 +64,10 @@ papplClientIsAuthorized(
   if (!client)
     return (HTTP_STATUS_BAD_REQUEST);
 
+  if (_papplSystemGroupIsEmpty(client->system->admin_group) &&
+      httpAddrIsLocalhost(httpGetAddress(client->http)))
+    return (HTTP_STATUS_CONTINUE);
+
   // Authorize for admin access...
   return (_papplClientIsAuthorizedForGroup(client, false, client->system->admin_group, client->system->admin_gid));
 }

diff --git a/pappl/client-ipp.c b/pappl/client-ipp.c
@@ -141,6 +141,9 @@ _papplClientProcessIPP(
       client->printer = NULL;
       client->job     = NULL;
 
+      if ((attr = ippFindAttribute(client->request, "requesting-user-name", IPP_TAG_NAME)) != NULL)
+        cupsCopyString(client->username, ippGetString(attr, 0, NULL), sizeof(client->username));
+
       if (charset && strcasecmp(ippGetString(charset, 0, NULL), "us-ascii") && strcasecmp(ippGetString(charset, 0, NULL), "utf-8"))
       {
         // Bad character set...

diff --git a/pappl/printer-ipp.c b/pappl/printer-ipp.c
@@ -26,6 +26,7 @@ static void		ipp_get_jobs(pappl_client_t *client);
 static void		ipp_get_printer_attributes(pappl_client_t *client);
 static void		ipp_hold_new_jobs(pappl_client_t *client);
 static void		ipp_identify_printer(pappl_client_t *client);
+static bool		ipp_is_printing_op(pappl_client_t *client);
 static void		ipp_pause_printer(pappl_client_t *client);
 static void		ipp_print_job(pappl_client_t *client);
 static void		ipp_release_held_new_jobs(pappl_client_t *client);
@@ -785,6 +786,10 @@ bool					// O - `true` on success, `false` on failure
 _papplPrinterIsAuthorized(
     pappl_client_t  *client)		// I - Client
 {
+  if (_papplSystemGroupIsEmpty(client->printer->print_group) && httpAddrIsLocalhost(httpGetAddress(client->http)) &&
+      ipp_is_printing_op(client))
+    return (true);
+
   http_status_t code = _papplClientIsAuthorizedForGroup(client, true, client->printer->print_group, client->printer->print_gid);
 
   if (code == HTTP_STATUS_CONTINUE && client->job && client->job->username && strcmp(client->username, client->job->username))
@@ -2585,3 +2590,22 @@ valid_job_attributes(
 
   return (valid);
 }
+
+
+static bool					// O - `true` if the operation is related to print job and valid, `false` if not
+ipp_is_printing_op(pappl_client_t *client)	// I - Client
+{
+  if (client->operation_id == IPP_OP_PRINT_JOB)
+    return (true);
+
+  if (client->operation_id == IPP_OP_VALIDATE_JOB)
+    return (true);
+
+  if (client->operation_id == IPP_OP_CREATE_JOB)
+    return (true);
+
+  if (client->operation_id == IPP_OP_SEND_DOCUMENT && client->job && client->job->username && !strcmp(client->username, client->job->username))
+    return (true);
+
+  return (false);
+}
diff --git a/pappl/system-accessors.c b/pappl/system-accessors.c
@@ -2882,3 +2882,17 @@ free_inspector(
   free(i->type);
   free(i);
 }
+
+
+//
+// '_papplSystemGroupIsEmpty()' - Check if group is empty
+//
+
+bool						// O - `true` if empty, `false` if set
+_papplSystemGroupIsEmpty(const char *group)	// I - Group name
+{
+  if (!group || !group[0] || !strcmp(group, "none"))
+    return (true);
+
+  return (false);
+}
diff --git a/pappl/system-private.h b/pappl/system-private.h
@@ -182,6 +182,7 @@ extern _pappl_mime_filter_t *_papplSystemFindMIMEFilter(pappl_system_t *system,
 extern _pappl_mime_inspector_t *_papplSystemFindMIMEInspector(pappl_system_t *system, const char *type) _PAPPL_PRIVATE;
 extern _pappl_resource_t *_papplSystemFindResourceForLanguage(pappl_system_t *system, const char *language) _PAPPL_PRIVATE;
 extern _pappl_resource_t *_papplSystemFindResourceForPath(pappl_system_t *system, const char *path) _PAPPL_PRIVATE;
+extern bool		_papplSystemGroupIsEmpty(const char *group) _PAPPL_PRIVATE;
 extern char		*_papplSystemMakeUUID(pappl_system_t *system, const char *printer_name, int job_id, char *buffer, size_t bufsize) _PAPPL_PRIVATE;
 extern void		_papplSystemNeedClean(pappl_system_t *system) _PAPPL_PRIVATE;
 extern void		_papplSystemProcessIPP(pappl_client_t *client) _PAPPL_PRIVATE;