[ { "path": ".github/workflows/ci.yml", "content": "name: CI\n\non:\n pull_request:\n\njobs:\n rustfmt:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v3\n - run: rustup update stable && rustup default stable\n - run: rustup component add rustfmt\n - run: cargo fmt --all --check\n\n test:\n runs-on: ${{ matrix.os }}\n strategy:\n matrix:\n include:\n - name: Linux x86_64 stable\n os: ubuntu-latest\n rust: stable\n other: i686-unknown-linux-gnu\n - name: Linux x86_64 beta\n os: ubuntu-latest\n rust: beta\n other: i686-unknown-linux-gnu\n - name: Linux x86_64 nightly\n os: ubuntu-latest\n rust: nightly\n other: i686-unknown-linux-gnu\n - name: macOS x86_64 stable\n os: macos-latest\n rust: stable\n other: x86_64-apple-ios\n name: Tests ${{ matrix.name }}\n steps:\n - uses: actions/checkout@v3\n - run: rustup update stable && rustup default stable\n - name: debug_tests\n run: cargo test\n - name: release_tests\n run: cargo test --release\n" }, { "path": ".gitignore", "content": "target/\n" }, { "path": "CHANGES.md", "content": "# pizauth 1.1.0 (2026-XX-XX)\n\n* `auth_notify_cmd` is now subject to a 10 second timeout. If you previously\n relied on the command being run taking an arbitrary amount of time, you will\n need to run it to ensure it is not affected by the timeout.\n\n\n# pizauth 1.0.11 (2026-03-10)\n\n* Mark certain HTTP error codes as transitory, allowing pizauth to retry rather\n than immediately give up.\n\n\n# pizauth 1.0.10 (2026-02-25)\n\n* Remove `tmppath` pledge on OpenBSD. This doesn't do anything useful in\n pizauth, and support for it will be removed in OpenBSD.\n\n\n# pizauth 1.0.9 (2025-12-13)\n\n* Update dependencies with breaking changes.\n\n\n# pizauth 1.0.8 (2025-11-02)\n\n* Add `startup_cmd` configuration option: this shell command is run after\n pizauth's server is fully up and running. It can be used, for example, as a\n callback, safe in the knowledge that the server can respond.\n\n* Add Fish completion.\n\n\n# pizauth 1.0.7 (2025-02-08)\n\n* Add an upper limit to the size of HTTP requests pizauth accepts. In the\n (admittedly rather unlikely) case that a client malfunctions, this makes it\n more difficult for them to accidentally cause pizauth to run out of memory.\n\n* Wake up the refresher / notifier periodically (currently every 37 seconds) to\n see if there is work to do. This is a crude workaround for inconsistency in\n operating systems as to whether \"wake up in X seconds\" includes time spent in\n suspend/hibernate or adjusted by `adjtime` and so on.\n\n* Present times (e.g. about expired tokens) in a way that is less likely to be\n skewed by suspend/hibernate on some operating systems.\n\n\n# pizauth 1.0.6 (2024-11-10)\n\n* Support HTTPS redirects. pizauth now starts, by default, both HTTP and HTTPS\n servers, generating a new self-signed HTTPS certificate on each invocation.\n\n `pizauth info` shows you the certificate hash so you can verify that your\n browser is connecting to the right HTTPS server. You can turn either (but\n not both!) of the HTTP and HTTPS servers off with `http_listen=off` or\n `https_listen=off`. This is most useful if you want to force HTTPS redirects\n and ensure that you're not accidentally being redirected to an HTTP URL (i.e.\n `http_listen=off` is the option you are most likely to be interested in).\n\n\n# pizauth 1.0.5 (2024-07-27)\n\n* Use `XDG_RUNTIME_DIR` instead of `XDG_DATA_HOME` for the socket path.\n\n\n# pizauth 1.0.4 (2024-02-04)\n\n* Add `pizauth revoke` which revokes any tokens / ongoing authentication for a\n given account. Note that this does *not* revoke the remote token, as OAuth2\n does not currently have standard support for this.\n\n* Include bash completion scripts and example systemd units.\n\n* Rework file installation to better handle a variety of OSes and file layouts.\n The Makefile is now only compatible with gmake.\n\n\n# pizauth 1.0.3 (2023-11-28)\n\n* Add `pizauth status` to see which accounts have valid tokens (or not):\n ```\n $ pizauth status\n act1: No access token\n act2: Active access token (obtained Sat, 4 Nov 2023 21:52:11 +0000; expires Sat, 4 Nov 2023 23:20:42 +0000)\n act3: Active access token (obtained Sat, 4 Nov 2023 22:23:03 +0000; expires Mon, 4 Dec 2023 22:23:03 +0000)\n ```\n\n* Give better syntax errors if backslashes (`\\\\`) are used incorrectly.\n\n\n# pizauth 1.0.2 (2023-10-12)\n\n* Better handle syntactically invalid requests. In particular, this causes the\n check for a running instance of pizauth not to cause the existing instance to\n exit.\n\n* Document `-v` (which can be repeated up to 4 times for increased verbosity)\n on `pizauth server`.\n\n\n# pizauth 1.0.1 (2023-08-14)\n\n* Fix location of `ring` dependency.\n\n\n# pizauth 1.0.0 (2023-08-13)\n\n* First stable release.\n\n* Add `pizauth info [-j]` which informs the user where pizauth is looking for\n configuration files and so on. For example:\n\n ```\n $ pizauth info\n pizauth version 0.3.0:\n cache directory: /home/ltratt/.cache/pizauth\n config file: /home/ltratt/.config/pizauth.conf\n ```\n\n Adding `-j` outputs the same information in JSON format for integration with\n external tools. The `info_format_version` field is an integer value\n specifying the version of the JSON output: if incompatible changes are made,\n this integer will be monotonically increased.\n\n\n# pizauth 0.3.0 (2023-05-29)\n\n## Breaking changes\n\n* `not_transient_error_if` has been removed as a global and per-account option.\n In its place is a new global option `transient_error_if_cmd`.\n\n If you have an existing `not_transient_error_if` option, you will need\n to reconsider the shell command you execute. One possibility is to change:\n\n ```\n not_transient_error_if = \"shell-cmd\";\n ```\n \n to:\n \n ```\n transient_error_if_cmd = \"! shell-cmd\";\n ```\n\n `transient_error_if_cmd` sets the environment variable `$PIZAUTH_ACCOUNT` to\n allow you to perform different actions for different accounts if you desire.\n\n\n# pizauth 0.2.2 (2023-04-03)\n\n* Added a global `token_event_cmd` option, which runs a command whenever an\n account's token changes state.\n\n* Added `pizauth dump` and `pizauth restore` which dump and restore pizauth's\n token state respectively. When combined with `token_event_cmd`, these allow\n users to persist token state. The output from `pizauth dump` is not\n meaningfully encrypted: it is the user's responsibility to encrypt, or\n otherwise secure, the dump output.\n\n* Update an account's refresh token if it is sent to pizauth by the remote\n server.\n\n* Move from the unmaintained `json` to the `serde_json` crate.\n\n* Don't bother users with OAuth2 \"errors\" (e.g. that a token cannot be\n refreshed) that are better thought of as an inevitable part of the OAuth2\n lifecycle.\n\n\n# pizauth 0.2.1 (2023-03-11)\n\n* `login_hint` is now deprecated in favour of the more general `auth_uri_fields`.\n Change:\n\n ```\n login_hint = \"email@example.com\";\n ```\n \n to:\n \n ```\n auth_uri_fields = { \"login_hint\": \"email@example.com\" };\n ```\n\n Currently `login_hint` is silently transformed into the equivalent\n `auth_uri_fields` for backwards compatibility.\n\n* `auth_uri_fields` allows users to specify zero or more key/value pairs to be\n appended to the authorisation URI. Keys (and their values) are appended\n in the order they appear in `auth_uri_fields`, each separated by a `&`. The\n same key may be specified multiple times.\n\n* Several options can now be set globally and overridden in individual accounts:\n * `not_transient_error_if`\n * `refresh_at_least`\n * `refresh_before_expiry`\n * `refresh_retry`\n\n* `scopes` is now optional and also, equivalently, can be empty.\n\n# pizauth 0.2.0 (2022-12-14)\n\n## Breaking changes\n\n* `auth_error_cmd` has been renamed to `error_notify_cmd`. pizauth detects the\n (now) incorrect usage and informs the user.\n\n* `refresh_retry_interval` has been renamed to `refresh_retry` and moved from a\n global to a per-account option. Its default value remains unchanged.\n\n## Other changes\n\n* Tease out transitory / permanent refresh errors. Transitory errors are likely\n to be the result of temporary network problems and simply waiting for them to\n resolve is normally the best thing to do. By default, pizauth thus simply\n ignores transitory errors.\n\n Users who wish to check that transitory errors really are transitory can set\n `not_transitory_error_if` setting. This is a shell command that, if\n it returns a zero exit code, signifies that transitory errors are\n permanent and that an access token should be invalidated. `nc -z \n ` is an example of a reasonable setting. `not_transitory_error_if` is\n fail-safe in that if the shell command fails unnecessarily (e.g. if you\n specify `ping` on a network that prevents ping traffic), pizauth will\n invalidate the access token.\n\n* Each refresh of an account now happens in a separate thread, so stalled\n refreshing cannot affect other accounts.\n\n* Fix bug where newly authorised access tokens were immediately refreshed.\n\n\n# pizauth 0.1.1 (2022-10-20)\n\nSecond alpha release.\n\n* Added global `http_listen` option to fix the IP address and port pizauth's\n HTTP server listens on. This is particularly useful when running pizauth on a\n remote machine, since it makes it easy to open an `ssh -L` tunnel to\n authenticate that remote instance.\n\n* Fix build on OS X by ignoring deprecation warnings for the `daemon` function.\n\n* Report config errors before daemonisation.\n\n\n# pizauth 0.1.0 (2022-09-29)\n\nFirst alpha release.\n" }, { "path": "COPYRIGHT", "content": "Except as otherwise noted (below and/or in individual files), this project is\nlicensed under the Apache License, Version 2.0 \n or the MIT license \n, at your option.\n\nCopyright is retained by contributors and/or the organisations they\nrepresent(ed) -- this project does not require copyright assignment. Please see\nversion control history for a full list of contributors. Note that some files\nmay include explicit copyright and/or licensing notices.\n" }, { "path": "Cargo.toml", "content": "[package]\nname = \"pizauth\"\ndescription = \"Command-line OAuth2 authentication daemon\"\nversion = \"1.0.11\"\nrepository = \"https://github.com/ltratt/pizauth/\"\nauthors = [\"Laurence Tratt \"]\nreadme = \"README.md\"\nlicense = \"Apache-2.0 OR MIT\"\ncategories = [\"authentication\"]\nkeywords = [\"oauth\", \"oauth2\", \"authentication\"]\nedition = \"2021\"\n\n[build-dependencies]\ncfgrammar = \"0.14\"\nlrlex = \"0.14\"\nlrpar = \"0.14\"\nrerun_except = \"1\"\n\n[dependencies]\nbase64 = \"0.22\"\nboot-time = \"0.1.2\"\ncfgrammar = \"0.14\"\nchacha20poly1305 = \"0.10\"\nchrono = \"0.4\"\ngetopts = \"0.2\"\nhostname = \"0.4\"\nlog = \"0.4\"\nlrlex = \"0.14\"\nlrpar = \"0.14\"\nnix = { version=\"0.31.2\", features=[\"fs\", \"signal\"] }\nrand = \"0.10.1\"\nserde = { version=\"1.0\", features=[\"derive\"] }\nsha2 = \"0.11.0\"\nserde_json = \"1\"\nstderrlog = \"0.6\"\nsyslog = \"7.0.0\"\nureq = \"3\"\nurl = \"2\"\nwait-timeout = \"0.2\"\nwhoami = \"2.1.2\"\nrustls = { version = \"0.23.12\", features = [\"ring\", \"std\"], default-features = false }\nrcgen = { version = \"0.14.5\", features = [\"crypto\", \"ring\"], default-features = false }\nwincode = { version = \"0.5.3\", features = [\"derive\"] }\n\n[target.'cfg(target_os=\"openbsd\")'.dependencies]\npledge = \"0.4\"\nunveil = \"0.3\"\n\n[target.'cfg(target_os=\"macos\")'.dependencies]\nlibc = \"0.2\"\n\n[dev-dependencies]\ntempfile = \"3.27.0\"\n\n[profile.release]\nopt-level = 3\ndebug = false\nrpath = false\nlto = true\ndebug-assertions = false\ncodegen-units = 1\npanic = 'abort'\nincremental = false\noverflow-checks = true\n" }, { "path": "LICENSE-APACHE", "content": "Licensed under the Apache License, Version 2.0 (the \"License\"); you may not use\nthis file except in compliance with the License. You may obtain a copy of the\nLicense at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software distributed\nunder the License is distributed on an \"AS IS\" BASIS, WITHOUT WARRANTIES OR\nCONDITIONS OF ANY KIND, either express or implied. See the License for the\nspecific language governing permissions and limitations under the License.\n" }, { "path": "LICENSE-MIT", "content": "Permission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies\nof the Software, and to permit persons to whom the Software is furnished to do\nso, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n" }, { "path": "Makefile", "content": "PREFIX ?= /usr/local\nBINDIR ?= ${PREFIX}/bin\nLIBDIR ?= ${PREFIX}/lib\nSHAREDIR ?= ${PREFIX}/share\nEXAMPLESDIR ?= ${SHAREDIR}/examples\n\nMANDIR.${PREFIX} = ${PREFIX}/share/man\nMANDIR./usr/local = /usr/local/man\nMANDIR. = /usr/share/man\nMANDIR ?= ${MANDIR.${PREFIX}}\n\n.PHONY: all install test distrib\n\nall: target/release/pizauth\n\ntarget/release/pizauth:\n\tcargo build --release\n\nRUNNINGSYSTEMD=$(shell test -d /run/systemd/system/ && echo yes || echo no)\nifeq ($(USESYSTEMD), 0)\n\tINSTALLSYSTEMD :=\nelse ifneq ($(RUNNINGSYSTEMD), yes)\n\tINSTALLSYSTEMD :=\nelse\n\tINSTALLSYSTEMD := install-systemd\nendif\n\ninstall: target/release/pizauth ${INSTALLSYSTEMD}\n\tinstall -d ${DESTDIR}${BINDIR}\n\tinstall -c -m 555 target/release/pizauth ${DESTDIR}${BINDIR}/pizauth\n\tinstall -d ${DESTDIR}${MANDIR}/man1\n\tinstall -d ${DESTDIR}${MANDIR}/man5\n\tinstall -c -m 444 pizauth.1 ${DESTDIR}${MANDIR}/man1/pizauth.1\n\tinstall -c -m 444 pizauth.conf.5 ${DESTDIR}${MANDIR}/man5/pizauth.conf.5\n\tinstall -d ${DESTDIR}${EXAMPLESDIR}/pizauth\n\tinstall -c -m 444 examples/pizauth.conf ${DESTDIR}${EXAMPLESDIR}/pizauth/pizauth.conf\n\tinstall -d ${DESTDIR}${SHAREDIR}/bash-completion/completions\n\tinstall -c -m 444 share/bash/completion.bash ${DESTDIR}${SHAREDIR}/bash-completion/completions/pizauth\n\tinstall -d ${DESTDIR}${SHAREDIR}/fish/vendor_completions.d\n\tinstall -c -m 444 share/fish/pizauth.fish ${DESTDIR}${SHAREDIR}/fish/vendor_completions.d\n\tinstall -d ${DESTDIR}${SHAREDIR}/zsh/site-functions\n\tinstall -c -m 444 share/zsh/_pizauth ${DESTDIR}${SHAREDIR}/zsh/site-functions/_pizauth\n\ninstall-systemd:\n\tinstall -d ${DESTDIR}${LIBDIR}/systemd/user\n\tinstall -c -m 444 lib/systemd/user/pizauth.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth.service\n\tinstall -c -m 444 lib/systemd/user/pizauth-state-creds.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-creds.service\n\tinstall -c -m 444 lib/systemd/user/pizauth-state-age.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-age.service\n\tinstall -c -m 444 lib/systemd/user/pizauth-state-gpg.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-gpg.service\n\tinstall -c -m 444 lib/systemd/user/pizauth-state-gpg-passphrase.service ${DESTDIR}${LIBDIR}/systemd/user/pizauth-state-gpg-passphrase.service\n\tinstall -d ${DESTDIR}${EXAMPLESDIR}/pizauth\n\tinstall -c -m 444 examples/pizauth-state-custom.service ${DESTDIR}${EXAMPLESDIR}/pizauth/pizauth-state-custom.service\n\ntest:\n\tcargo test\n\tcargo test --release\n\ndistrib:\n\ttest \"X`git status --porcelain`\" = \"X\"\n\t@read v?'pizauth version: ' \\\n\t && mkdir pizauth-$$v \\\n\t && cp -rp Makefile build.rs Cargo.lock Cargo.toml \\\n\t COPYRIGHT LICENSE-APACHE LICENSE-MIT \\\n\t CHANGES.md README.md README.systemd.md \\\n\t pizauth.1 pizauth.conf.5 \\\n\t examples lib share src \\\n\t pizauth-$$v \\\n\t && tar cfz pizauth-$$v.tgz pizauth-$$v \\\n\t && rm -rf pizauth-$$v\n" }, { "path": "README.md", "content": "# pizauth: an OAuth2 token requester daemon\n\npizauth is a simple program for requesting, showing, and refreshing OAuth2\naccess tokens. pizauth is formed of two components: a persistent server which\ninteracts with the user to request tokens, and refreshes them as necessary; and\na command-line interface which can be used by programs such as\n[fdm](https://github.com/nicm/fdm) and [msmtp](https://marlam.de/msmtp/) to\nauthenticate with OAuth2.\n\n## Quick setup\n\npizauth's configuration file is `~/.config/pizauth.conf`. You need to specify\nat least one `account`, which tells pizauth how to authenticate against a\nparticular OAuth2 setup. Most users will also want to receive asynchronous\nnotifications of authorisation requests and errors, which requires setting\n`auth_notify_cmd` and `error_notify_cmd`.\nSee [the bundled example configuration](examples/pizauth.conf) for more details.\n\n\n### Account setup\n\nAt a minimum you need to find out from your provider:\n\n * The authorisation URI.\n * The token URI.\n * Your \"Client ID\" (and in many cases also your \"Client secret\"), which\n identify your software.\n * (In some cases) The scope(s) which your OAuth2 access token will give you\n access to. For pizauth to be able to refresh tokens, you may need to add an\n explicit `offline_access` scope.\n * (In some cases) The redirect URI (you must copy this *exactly*, including\n trailing slash `/` characters). The default value of `http://localhost/`\n suffices in most instances.\n\nSome providers allow you to create Client IDs and Client Secrets at will (e.g.\n[Google](https://console.developers.google.com/projectselector/apis/credentials)).\nSome providers sometimes allow you to create Client IDs and Client Secrets\n(e.g. [Microsoft\nAzure](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)\nbut allow organisations to turn off this functionality.\n\nFor example, to create an account called `officesmtp` which obtains OAuth2\ntokens which allow you to read email via IMAP and send email via Office365's\nservers:\n\n```\naccount \"officesmtp\" {\n auth_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/authorize\";\n token_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/token\";\n client_id = \"...\"; // Fill in with your Client ID\n client_secret = \"...\"; // Fill in with your Client secret\n scopes = [\n \"https://outlook.office365.com/IMAP.AccessAsUser.All\",\n \"https://outlook.office365.com/SMTP.Send\",\n \"offline_access\"\n ];\n // You don't have to specify login_hint, but it does make authentication a\n // little easier.\n auth_uri_fields = { \"login_hint\": \"email@example.com\" };\n}\n```\n\n### Notifications\n\nAs standard, pizauth displays authorisation URLs and errors on stderr. If you\nwant to use pizauth in the background, it is easy to miss such output.\nFortunately, pizauth can run arbitrary commands to alert you that you need to\nauthorise a new token, in essence giving you the ability to asynchronously\ndisplay notifications. There are two main settings:\n\n * `auth_notify_cmd` notifies users that an account needs authenticating. The\n command is run with two environment variables set:\n * `PIZAUTH_ACCOUNT` is set to the account name to be authorised.\n * `PIZAUTH_URL` is set to the authorisation URL.\n * `error_notify_cmd` notifies users of errors. The command is run with two\n environment variables set:\n * `PIZAUTH_ACCOUNT` is set to the account name to be authorised.\n * `PIZAUTH_MSG` is set to the error message.\n\nFor example to use pizauth with `notify-send`:\n\n```\nauth_notify_cmd = \"if [[ \\\"$(notify-send -A \\\"Open $PIZAUTH_ACCOUNT\\\" -t 30000 'pizauth authorisation')\\\" == \\\"0\\\" ]]; then open \\\"$PIZAUTH_URL\\\"; fi\";\nerror_notify_cmd = \"notify-send -t 90000 \\\"pizauth error for $PIZAUTH_ACCOUNT\\\" \\\"$PIZAUTH_MSG\\\"\";\n```\n\nIn this example, `notify-send` is used to open a notification with a \"Open\n<account>\" button; if that button is clicked, then the authorisation URL\nis opened in the user's default web browser.\n\n\n### Running pizauth\n\nYou need to start the pizauth server (alternatively, start `pizauth.service`,\nsee [systemd-unit](README.systemd.md#systemd-unit)):\n\n```sh\n$ pizauth server\n```\n\nand configure software to request OAuth2 tokens with `pizauth show officesmtp`.\nThe first time that `pizauth show officesmtp` is executed, it will print an\nerror to stderr that includes an authorisation URL (and, if `auth_notify_cmd`\nis set, it will also execute that command):\n\n```\n$ pizauth show officesmtp\nERROR - Token unavailable until authorised with URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize?access_type=offline&code_challenge=xpVa0mDzvR1Ozw5_cWN43DsO-k5_blQNHIzynyPfD3c&code_challenge_method=S256&scope=https%3A%2F%2Foutlook.office365.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office365.com%2FSMTP.Send+offline_access&client_id=&redirect_uri=http%3A%2F%2Flocalhost%3A14204%2F&response_type=code&state=%25E6%25A0%25EF%2503h6%25BCK&client_secret=&login_hint=email@example.com\n```\n\nThe user then needs to open that URL in the browser of their choice and\ncomplete authentication. Once complete, pizauth will be notified, and shortly\nafterwards `pizauth show officesmtp` will start showing a token on stdout:\n\n```\n$ pizauth show officesmtp\nDIASSPt7jlcBPTWUUCtXMWtj9TlPC6U3P3aV6C9NYrQyrhZ9L2LhyJKgl5MP7YV4\n```\n\nNote that:\n\n 1. `pizauth show` does not block: if a token is not available it will fail;\n once a token is available it will succeed.\n 2. `pizauth show` can print OAuth2 tokens which are no longer valid. By\n default, pizauth will continually refresh your token, but it may\n eventually become invalid. There will be a delay between the token\n becoming invalid and pizauth realising that has happened and notifying you\n to request a new token.\n\n\n## Command-line interface\n\npizauth's usage is:\n\n```\npizauth dump\npizauth refresh [-u] \npizauth reload\npizauth restore\npizauth server [-c ] [-d]\npizauth show [-u] \npizauth shutdown\n```\n\nWhere:\n\n* `pizauth refresh` tries to obtain a new access token for an account. If an\n access token already exists, a refresh is tried; if an access token doesn't\n exist, a new request is made.\n* `pizauth reload` causes the server to reload its configuration (this is\n a safe equivalent of the traditional `SIGHUP` mechanism).\n* `pizauth server` starts a new instance of the server.\n* `pizauth show` displays an access token, if one exists, for `account`. If an\n access token does not exist, a new request is initiated.\n* `pizauth shutdown` asks the server to shut itself down.\n\n`pizauth dump` and `pizauth restore` are explained in the\n[Persistence](#persistence) section below.\n\n\n## Example integrations\n\nOnce you have set up pizauth, you will then need to set up the software which\nneeds access tokens. This section contains example configuration snippets to\nhelp you get up and running.\n\nIn these examples, text in chevrons (like ``) needs to be edited to match\nyour individual setup. The examples assume that `pizauth` is in your `$PATH`:\nif it is not, you will need to substitute an absolute path to `pizauth` in\nthese snippets.\n\n### msmtp\n\nIn your configuration file (typically `~/.config/msmtp/config`):\n\n```\naccount \nauth xoauth2\nhost \nprotocol smtp\nfrom \nuser \npasswordeval pizauth show \n```\n\n### mbsync\n\nEnsure you have the xoauth2 plugin for cyrus-sasl installed, and then use\nsomething like this for the IMAP account in `~/.mbsyncrc`:\n\n```\nIMAPAccount \nHost \nUser \nPassCmd \"pizauth show \"\nAuthMechs XOAUTH2\n```\n\n\n## Example account settings\n\nEach provider you wish to authenticate with will have its own settings it\nrequires of you. These can be difficult to find, so examples are provided in\nthis section. Caveat emptor: these settings will not work in all situations,\nand providers have historically required users to intermittently change their\nsettings.\n\n### Microsoft / Exchange\n\nYou may need to create your own client ID and secret by registering with\nMicrosoft's [identity\nplatform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).\n\n```\naccount \"\" {\n auth_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/authorize\";\n auth_uri_fields = { \"login_hint\": \"\" };\n token_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/token\";\n client_id = \"\";\n client_secret = \"\";\n scopes = [\n \"https://outlook.office365.com/IMAP.AccessAsUser.All\",\n \"https://outlook.office365.com/POP.AccessAsUser.All\",\n \"https://outlook.office365.com/SMTP.Send\",\n \"offline_access\"\n ];\n}\n```\n\n### Gmail\n\nYou may need to create your own client ID and secret via the [credentials\ntab](https://console.cloud.google.com/apis/credentials/oauthclient/) of the\nGoogle Cloud Console.\n\n```\naccount \"\" {\n auth_uri = \"https://accounts.google.com/o/oauth2/auth\";\n auth_uri_fields = {\"login_hint\": \"\"};\n token_uri = \"https://oauth2.googleapis.com/token\";\n client_id = \"\";\n client_secret = \"\";\n scopes = [\"https://mail.google.com/\"];\n}\n```\n\n### Miele\n\nYou may need to create your own client ID and secret via the [get involved\ntab](https://www.miele.com/f/com/en/register_api.aspx) of the Miele Developer\nsite.\n\nNo scopes are needed.\n\n```\naccount \"\" {\n auth_uri = \"https://api.mcs3.miele.com/thirdparty/login/\";\n token_uri = \"https://api.mcs3.miele.com/thirdparty/token/\";\n client_id = \"\";\n client_secret = \"\";\n}\n```\n\n\n## pizauth on a remote machine\n\nYou can run pizauth on a remote machine and have your local machine\nauthenticate that remote existence with `ssh -L`. pizauth contains a small HTTP\nserver used to receive authentication requests. By default the HTTP server\nlistens on a random port, but it is easiest in this scenario to fix a port with\nthe global `http_listen` option:\n\n```\nhttp_listen = \"127.0.0.1:\";\naccount \"...\" { ... }\n```\n\nThen on your local machine (using the same `` as above run `ssh`:\n\n```\nssh -L 127.0.0.1::127.0.0.1: \n```\n\nThen on the remote machine start `pizauth server` and then `pizauth show\n`. Copy the authentication URL into a browser on your local\nmachine and continue as normal. When you see the \"pizauth processing\nauthentication: you can safely close this page.\" message you can close the\n`ssh` tunnel. If the account later needs reauthenticating (e.g. because the\nrefresh token has become invalid), simply reopen the `ssh` tunnel,\nreauthenticate, and close the `ssh` tunnel.\n\n\n## Persistence\n\nBy design, pizauth stores tokens state only in memory, and never to disk: users\nnever have to worry that unencrypted secrets may be accessible on disk.\nHowever, if you use pizauth on a machine where pizauth is regularly restarted\n(e.g. because the machine is regularly rebooted), reauthenticating each time\ncan be frustrating.\n\n`pizauth dump` (which writes pizauth's internal token state to `stdout`) and\n`pizauth restore` (which restores previously dumped token state read from\n`stdin`) allow you to persist state, but since they contain secrets they\ninevitably increase your security responsibilities. Although the output from\n`pizauth dump` may look like it is encrypted, it is trivial for an attacker to\nrecover secrets from it: it is strongly recommended that you immediately\nencrypt the output from `pizauth dump` to avoid possible security issues.\n\nThe most common way to call `pizauth dump` is via the `token_event_cmd`\nconfiguration setting. `token_event_cmd` is called each time an account's\ntokens change state (e.g. new tokens, refreshed tokens, etc). You can use this\nto run an arbitrary shell command such as `pizauth dump`:\n\n```\ntoken_event_cmd = \"pizauth dump | age --encrypt --output pizauth.age -R age_public_key\";\n```\n\nIn this example, output from `pizauth dump` is immediately encrypted using\n[age](https://age-encryption.org/). In your machine's startup process you can\nthen call `pizauth restore` to restore the most recent dump e.g.:\n\n```\nage --decrypt -i age_private_key -o - pizauth.age | pizauth restore\n```\n\nNote that `pizauth restore` does not change the running pizauth's\nconfiguration. Any changes in security relevant configuration between the\ndumping and restoring pizauth instances cause those parts of the dump to be\nsilently ignored.\n\n\n## Alternatives\n\npizauth will not be perfect for everyone. You may also wish to consider these\nprograms as alternatives:\n\n* [Email OAuth 2.0 Proxy](https://github.com/simonrob/email-oauth2-proxy)\n* [mailctl](https://github.com/pdobsan/mailctl)\n* [mutt_oauth2.py](https://gitlab.com/muttmua/mutt/-/blob/master/contrib/mutt_oauth2.py)\n* [oauth-helper-office-365](https://github.com/ahrex/oauth-helper-office-365)\n" }, { "path": "README.systemd.md", "content": "# Systemd unit\n\nPizauth comes with a systemd unit. In order for it to communicate properly with\n`systemd`, your `startup_cmd` in `pizauth.conf` must at some point run\n`systemd-notify --ready --pid=parent` -- this will tell `systemd` that `pizauth`\nhas started up.\n\nTo start pizauth:\n\n```sh\n$ systemctl --user start pizauth.service\n```\n\nIf you want `pizauth` to start on login, run\n\n```sh\n$ systemctl --user enable pizauth.service\n```\n\n(pass `--now` to also start `pizauth` with this invocation)\n\nIf you want to save pizauth's dumps encrypted and automatically restore them\nwhen pizauth is started, you need to start/enable one of the\n`pizauth-state-*.service` files provided by pizauth. For example,\n\n```sh\n$ systemctl --user enable pizauth-state-creds.service\n```\n\nSome of these units require further configuration, eg for setting the public key\nand location of the private key to use for encryption. For this purpose,\n\n```sh\n$ systemctl --user edit pizauth-state-$METHOD.service\n```\n\nwill open an editor in which you can configure your local edits to\n`pizauth-state-$METHOD.service`. For example, you can override the default\nlocation of the pizauth dumps (`$XDG_STATE_HOME/pizauth-state-$METHOD.dump`) to\nbe `~/.pizauth.dump` by inserting the following line in the `.conf` file that\n`systemctl` will open:\n\n```ini\nEnvironment=\"PIZAUTH_STATE_FILE=%h/.pizauth.dump\n```\n\nSee `systemd.unit(5)` for supported values of these % \"specifiers\".\n\nThe provided configurations are:\n- `pizauth-state-creds.service`: Uses `systemd-creds` to encrypt the dumps with\n some combination of your device's TPM2 chip and a secret accessible only to\n `root`. This means the dumps generally can only be decrypted *on the device\n that encrypted them*.\n- `pizauth-state-age.service`: Uses `age` to encrypt the dumps.\n Needs the `Environment=\"PIZAUTH_KEY_ID=\"` line to be set to the public key to\n encrypt with.\n- `pizauth-state-gpg.service`: Uses `gpg` to encrypt the dumps.\n Needs the `Environment=\"PIZAUTH_KEY_ID=\"` line to be set to the public key to\n encrypt with. `gpg-agent` will prompt for the passphrase to unlock the key,\n which may be undesireable in nongraphical environments.\n- `pizauth-state-gpg-passphrase.service`: Uses `gpg` to encrypt the dumps.\n Uses `systemd-creds` to encrypt a file containing the passphrase, which is set\n by default to be `$XDG_CONFIG_HOME/pizauth-state-gpg-passphrase.cred`.\n Needs the `Environment=\"PIZAUTH_KEY_ID=\"` line to be set to the public key to\n encrypt with. Also needs the passphrase to be stored encrypted somewhere, see\n the unit file for details.\n\n Note: Given the security implications here, this method is likely not much\n more secure than just using `pizauth-state-creds.service` directly.\n This unit is provided mostly to document how one might go about automatically\n passing key material relatively safely to a unit.\n" }, { "path": "build.rs", "content": "use cfgrammar::yacc::YaccKind;\nuse lrlex::{CTLexerBuilder, DefaultLexerTypes};\nuse rerun_except::rerun_except;\n\nfn main() -> Result<(), Box> {\n rerun_except(&[\n \"CHANGES.md\",\n \"LICENSE-APACHE\",\n \"LICENSE-MIT\",\n \"pizauth.1\",\n \"pizauth.conf.5\",\n \"pizauth.conf.example\",\n \"README.md\",\n ])?;\n\n CTLexerBuilder::>::new_with_lexemet()\n .lrpar_config(|ctp| {\n ctp.yacckind(YaccKind::Grmtools)\n .grammar_in_src_dir(\"config.y\")\n .unwrap()\n })\n .lexer_in_src_dir(\"config.l\")?\n .build()?;\n Ok(())\n}\n" }, { "path": "examples/pizauth-state-custom.service", "content": "# In case the supplied pizauth-state-*.service files don't suit your needs,\n# this is the template for a new pizauth-state-*.service file.\n# See systemd.service(5), systemd.unit(5), systemd.exec(5) for more details.\n#\n# We pull out the dump/restore feature as its own unit since under the systemd\n# semantics, it makes more sense -- as indicated by the fact that were we to\n# try to configure this directly in the pizauth unit, we'd need to prepend to\n# ExecStop. Moreover, pizauth *works* without dump/restore -- this is an\n# additional feature on top of it.\n#\n# Hence, we have a separate dump/restore unit that gets started after pizauth\n# and torn down before it, and which is responsible for managing the state file\n# upon these events.\n\n[Unit]\nDescription=Custom pizauth dump/restore backend\n# Makes the start event for this unit propagate to pizauth,\n# and makes the stop/abort events for pizauth propagate to this unit\nBindsTo=pizauth.service\n# Orders this unit to run its start commands after pizauth, and run its stop\n# commands before pizauth\nAfter=pizauth.service\n# Makes the config-reload event for pizauth propagate to this unit\nReloadPropagatedFrom=pizauth.service\n\n[Service]\nType=simple\nEnvironment=\"PIZAUTH_STATE_FILE=%S/%N.dump\"\n# replace io by whatever program you have to read/write to the state file\n# (could be encryption software, could be sending/retrieving to a server, etc)\nExecStart=-sh -c 'io --read \"$PIZAUTH_STATE_FILE\" | pizauth restore'\nExecReload=-sh -c 'io --read \"$PIZAUTH_STATE_FILE\" | pizauth restore'\nExecStop=-sh -c 'pizauth dump | io --write \"$PIZAUTH_STATE_FILE\"'\n\n[Install]\n# Makes systemctl --user enable pizauth-state-custom.service cause that the\n# start event for pizauth will propagate to this unit\nWantedBy=pizauth.service\n" }, { "path": "examples/pizauth.conf", "content": "account \"officesmtp\" {\n auth_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/authorize\";\n token_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/token\";\n client_id = \"...\"; // Fill in with your Client ID\n client_secret = \"...\"; // Fill in with your Client secret\n scopes = [\n \"https://outlook.office365.com/IMAP.AccessAsUser.All\",\n \"https://outlook.office365.com/SMTP.Send\",\n \"offline_access\"\n ];\n // You don't have to specify login_hint, but it does make\n // authentication a little easier.\n auth_uri_fields = { \"login_hint\": \"email@example.com\" };\n}\n" }, { "path": "examples/systemd/pizauth.conf", "content": "// If using systemd, comment out the following line\n// startup_cmd=\"systemd-notify --ready --pid=parent\";\n// If using the pizauth-state-*.service units to save the state,\n// the following may be useful -- it will trigger a save/restore of the state\n// upon each token state change (set METHOD to whatever storage method you're\n// using)\n// token_event_cmd=\"systemctl --user restart pizauth-state-METHOD.service\";\n" }, { "path": "lib/systemd/user/pizauth-state-age.service", "content": "[Unit]\nDescription=pizauth dump/restore backend (encryption: age)\nBindsTo=pizauth.service\nAfter=pizauth.service\nReloadPropagatedFrom=pizauth.service\n\n[Service]\nType=simple\nRemainAfterExit=yes\n# This unit needs to be configured before it's usable!\n# To use this unit, use systemctl --user edit pizauth-state-age.service to\n# create a drop-in configuration file. In it, set\n# Environment=\"PIZAUTH_KEY_ID=public key you want to encrypt with\"\n# Environment=\"PIZAUTH_KEY_FILE=path to file\nEnvironment=\"PIZAUTH_KEY_ID=\"\nEnvironment=\"PIZAUTH_KEY_FILE=\"\nEnvironment=\"PIZAUTH_STATE_FILE=%S/%N.dump\"\nExecStart=-sh -c 'age --decrypt --identity \"$PIZAUTH_KEY_FILE\" -o - \"$PIZAUTH_STATE_FILE\" | pizauth restore'\nExecReload=-sh -c 'age --decrypt --identity \"$PIZAUTH_KEY_FILE\" -o - \"$PIZAUTH_STATE_FILE\" | pizauth restore'\nExecStop=-sh -c 'pizauth dump | age --encrypt --recipient \"$PIZAUTH_KEY_ID\" -o \"$PIZAUTH_STATE_FILE\"'\n\n[Install]\nWantedBy=pizauth.service\n" }, { "path": "lib/systemd/user/pizauth-state-creds.service", "content": "[Unit]\nDescription=pizauth dump/restore backend (encryption: systemd-creds)\nBindsTo=pizauth.service\nAfter=pizauth.service\nReloadPropagatedFrom=pizauth.service\n\n[Service]\nType=simple\nRemainAfterExit=yes\nEnvironment=\"PIZAUTH_STATE_FILE=%S/%N.dump\"\nExecStart=-sh -c 'systemd-creds --user decrypt $PIZAUTH_STATE_FILE | pizauth restore'\nExecReload=-sh -c 'systemd-creds --user decrypt $PIZAUTH_STATE_FILE | pizauth restore'\nExecStop=-sh -c 'pizauth dump | systemd-creds --user encrypt - $PIZAUTH_STATE_FILE'\n\n[Install]\nWantedBy=pizauth.service\n" }, { "path": "lib/systemd/user/pizauth-state-gpg-passphrase.service", "content": "[Unit]\nDescription=pizauth dump/restore backend (encryption: gpg, passphrase in systemd-creds)\nBindsTo=pizauth.service\nAfter=pizauth.service\nReloadPropagatedFrom=pizauth.service\nRequires=gpg-agent.socket\n\n[Service]\n# Since we're using credentials, we can't use Type=simple\nType=exec\nRemainAfterExit=yes\n# This unit needs to be configured before it's usable!\n# To use this unit, use systemctl --user edit pizauth-state-gpg.service to\n# create a drop-in configuration file. In it, set\n# Environment=\"PIZAUTH_KEY_ID=public key you want to encrypt with\"\n# and then either\n# LoadCredentialEncrypted=pizauth-gpg-passphrase:CREDENTIALFILE\n# or\n# SetCredentialEncrypted=pizauth-gpg-passphrase: \\\n# ..................................................................... \\\n# ...\n#\n# In either case, you will need to store the passphrase for the GPG key\n# encrypted. If you plan on storing the credential at CREDENTIALFILE, run\n# systemd-ask-password \\\n# | systemd-creds encrypt --name pizauth-gpg-passphrase - CREDENTIALFILE\n# If you want to store the credential in the drop-in configuration, run\n# systemd-ask-password \\\n# | systemd-creds encrypt --name pizauth-gpg-passphrase -p - -\n# This will print the SetCredentialEncrypted config you'll need to paste in the\n# drop-in configuration\nEnvironment=\"PIZAUTH_KEY_ID=\"\nEnvironment=\"PIZAUTH_STATE_FILE=%S/%N.dump\"\nExecStart=-sh -c ' gpg --passphrase-file %d/pizauth-gpg-passphrase --pinentry-mode loopback --batch --decrypt \"$PIZAUTH_STATE_FILE\" \\\n | pizauth restore'\nExecReload=-sh -c ' gpg --passphrase-file %d/pizauth-gpg-passphrase --pinentry-mode loopback --batch --decrypt \"$PIZAUTH_STATE_FILE\" \\\n | pizauth restore'\nExecStop=-sh -c 'pizauth dump | gpg --batch --yes --encrypt --recipient $PIZAUTH_KEY_ID -o \"$PIZAUTH_STATE_FILE\"'\n\n[Install]\nWantedBy=pizauth.service\n" }, { "path": "lib/systemd/user/pizauth-state-gpg.service", "content": "[Unit]\nDescription=pizauth dump/restore backend (encryption: gpg)\nBindsTo=pizauth.service\nAfter=pizauth.service\nReloadPropagatedFrom=pizauth.service\nRequires=gpg-agent.socket\n\n[Service]\nType=simple\nRemainAfterExit=yes\n# This unit needs to be configured before it's usable!\n# To use this unit, use systemctl --user edit pizauth-state-age.service to\n# create a drop-in configuration file. In it, set\n# Environment=\"PIZAUTH_KEY_ID=public key you want to encrypt with\"\nEnvironment=\"PIZAUTH_KEY_ID=\"\nEnvironment=\"PIZAUTH_STATE_FILE=%S/%N.dump\"\nExecStart=-sh -c 'gpg --batch --decrypt \"$PIZAUTH_STATE_FILE\" | pizauth restore'\nExecReload=-sh -c 'gpg --batch --decrypt \"$PIZAUTH_STATE_FILE\" | pizauth restore'\nExecStop=-sh -c 'pizauth dump | gpg --batch --yes --encrypt --recipient $PIZAUTH_KEY_ID -o \"$PIZAUTH_STATE_FILE\"'\n\n[Install]\nWantedBy=pizauth.service\n" }, { "path": "lib/systemd/user/pizauth.service", "content": "[Unit]\nDescription=Pizauth OAuth2 token manager\nDocumentation=man:pizauth(1) man:pizauth.conf(5)\nDocumentation=https://github.com/ltratt/pizauth/blob/master/README.md\nDocumentation=https://github.com/ltratt/pizauth/blob/master/README.systemd.md\n\n[Service]\nType=notify\n# Allow all processes in the cgroup to set the service status, needed to be able\n# to set status via eg startup_cmd, token_event_cmd, etc\nNotifyAccess=all\nExecStart=/usr/bin/pizauth server -vvvv -d\nExecReload=/usr/bin/pizauth reload\nExecStop=/usr/bin/pizauth shutdown\n\n[Install]\nWantedBy=default.target\n" }, { "path": "pizauth.1", "content": ".Dd $Mdocdate: September 13 2022 $\n.Dt PIZAUTH 1\n.Os\n.Sh NAME\n.Nm pizauth\n.Nd OAuth2 authentication daemon\n.Sh SYNOPSIS\n.Nm pizauth\n.Sy Em command\n.Sh DESCRIPTION\n.Nm\nrequests, shows, and refreshes OAuth2 tokens.\nIt is formed of two\ncomponents: a persistent \"server\" which interacts with the user to obtain\ntokens, and refreshes them as necessary; and a command-line interface which can\nbe used by other programs to show the OAuth2 token for a current account.\n.Pp\nThe top-level commands are:\n.Bl -tag -width Ds\n.It Sy dump\nWrites the current\n.Nm\nstate to stdout: this can later be fed back into\n.Nm\nwith\n.Sy restore .\nThe dump format is stable within a pizauth major release (but not\nacross major releases) and stable across platforms, though it includes\ntimestamps that may be affected by clock drift on either the machine performing\n.Sy dump\nor\n.Sy restore .\nClock drift does not not affect security, though it may cause dumped access\ntokens to be refreshed unduly early or late upon a\n.Sy restore .\nRefreshed access tokens will then be refreshed at the expected intervals.\n.Pp\nNote that while the\n.Sy dump\noutput may look like it is encrypted, it is trivial for an attacker to recover\naccess and refresh tokens from it: it is strongly recommended that you use\nexternal encryption on the output so that your data cannot be compromised.\n.It Sy info Oo Fl j Oc\nWrites output about\n.Nm\nto stdout including: the cache directory path; the config file path; and\n.Nm\nversion.\nDefaults to human-readable output in an unspecified format that may change\nfreely between\n.Nm\nversions.\n.Pp\n.Fl j\nspecifies JSON output.\nThe\n.Qq info_format_version\nfield is an integer value specifying the version of the JSON output: if\nincompatible changes are made, this integer will be monotonically increased.\n.It Sy refresh Oo Fl u Oc Ar account\nRequest a refresh of the access token for\n.Em account .\nExits with 0 upon success.\nIf there is not currently a valid access or refresh token,\nreports an error to stderr, initiates a new token request, and exits with 1.\nUnless\n.Fl u\nis specified, the error will include an authorization URL.\nNote that this command does not block and will not start a new refresh if one\nis ongoing.\n.It Sy reload\nReload the server's configuration.\nExits with 0 upon success or 1 if there is a problem in the configuration.\n.It Sy restore\nReads previously dumped\n.Nm\nstate from stdin and updates those parts of the current state it determines\nto be less useful than the dumped state.\nThis does not change the running instance's configuration: any changes in\nsecurity relevant configuration between the dumping and restoring\n.Nm\ninstances causes those parts of the dump to be silently ignored.\nSee\n.Sy dump\nfor information about the dump format, timestamp warnings, and encryption\nsuggestions.\n.It Sy revoke Ar account\nRemoves any token, and cancels any ongoing authentication, for\n.Em account .\nNote that OAuth2 provides no standard way of remotely revoking a token:\n.Sy revoke\nthus only affects the local\n.Nm\ninstance.\nExits with 0 upon success.\n.It Sy server Oo Fl c Ar config-file Oc Oo Fl dv Oc\nStart the server.\nIf not specified with\n.Fl c ,\n.Nm\nchecks for the configuration file (in order) at:\n.Pa $XDG_CONFIG_HOME/pizauth.conf ,\n.Pa $HOME/.config/pizauth.conf .\nThe server will daemonise itself unless\n.Fl d\nis specified.\nExits with 0 if the server started successfully or 1 otherwise.\n.Fl v\nenables more verbose logging.\n.Fl v\ncan be used up to 4 times, with each repetition increasing the quantity\nof logging.\n.It Sy show Oo Fl u Oc Ar account\nIf there is an access token for\n.Em account ,\nprint that access token to stdout and exit with 0.\nIf there is not currently a valid access token, prints an error to stderr\nand exits with 1.\nIf refreshing might obtain a valid access token, refreshing is initiated\nin the background.\nOtherwise (unless\n.Fl u\nis specified), the error will include an authorization URL.\nNote that this command does not block: commands must expect that they might\nencounter an error when showing an access token.\n.It Sy shutdown\nShut the server down.\nNote that shutdown occurs asynchronously: the server may still be alive for a\nperiod of time after this command returns.\n.It Sy status\nWrites output about the current accounts and whether they have access tokens to\nstdout. The format is human-readable and in an unspecified format that may\nchange freely between\n.Nm\nversions.\n.El\n.Sh SEE ALSO\n.Xr pizauth.conf 5\n.Pp\n.Lk https://tratt.net/laurie/src/pizauth/\n.Sh AUTHORS\n.An -nosplit\n.Nm\nwas written by\n.An Laurence Tratt Lk https://tratt.net/laurie/\n" }, { "path": "pizauth.conf.5", "content": ".Dd $Mdocdate: September 13 2022 $\n.Dt PIZAUTH.CONF 5\n.Os\n.Sh NAME\n.Nm pizauth.conf\n.Nd pizauth configuration file\n.Sh DESCRIPTION\n.Nm\nis the configuration file for\n.Xr pizauth 1 .\n.Pp\nThe top-level options are:\n.Bl -tag -width Ds\n.It Sy auth_notify_cmd = Qo Em shell-cmd Qc ;\nspecifies a shell command to be run via\n.Ql $SHELL -c\nwhen an account needs to be authenticated.\nTwo special environment variables are set:\n.Em $PIZAUTH_ACCOUNT\nis set to the account name;\n.Em $PIZAUTH_URL\nis set to the URL required to authorise the account.\nNote that\n.Sy auth_event_cmd\nis subject to a 10 second timeout.\nOptional.\nOptional.\n.It Sy auth_notify_interval = Em time ;\nspecifies the gap between reminders to the user of authentication requests.\nDefaults to 15 minutes if not specified.\n.It Sy error_notify_cmd = Qo Em shell-cmd Qc ;\nspecifies a shell command to be run via\n.Ql $SHELL -c\nwhen an error has occurred when authenticating an account.\nTwo special environment variables are set:\n.Em $PIZAUTH_ACCOUNT\nis set to the account name;\n.Em $PIZAUTH_MSG\nis set to the error message.\nDefaults to logging via\n.Xr syslog 3\nif not specified.\n.It Sy http_listen = Em none | Qo Em bind-name Qc ;\nspecifies the address for the\n.Xr pizauth 1\nHTTP server to listen on.\nIf\n.Em none\nis specified, the HTTP server is turned off entirely.\nNote that at least one of the HTTP and HTTPS servers must be turned on.\nDefaults to\n.Qq 127.0.0.1:0 .\n.It Sy https_listen = Em none | Qo Em bind-name Qc ;\nspecifies the address for the\n.Xr pizauth 1\nHTTPS server to listen on.\nIf\n.Em none\nis specified, the HTTPS server is turned off entirely.\nNote that at least one of the HTTP and HTTPS servers must be turned on.\nDefaults to\n.Qq 127.0.0.1:0 .\n.It Sy refresh_at_least = Em time ;\nspecifies the maximum period of time before an access token will be forcibly\nrefreshed.\nDefaults to 90 minutes if not specified.\n.It Sy refresh_before_expiry = Em time ;\nspecifies how far in advance an access token should be refreshed before it\nexpires.\nDefaults to 90 seconds if not specified.\n.It Sy refresh_retry = Em time ;\nspecifies the gap between retrying refreshing after transitory errors\n(e.g. due to network problems).\nDefaults to 40 seconds if not specified.\n.It Sy startup_cmd = Qo Em shell-cmd Qc ;\nspecifies a shell command to be run via\n.Ql $SHELL -c\nafter pizauth's server has completed setup and is ready to accept commands.\nNote that unless\n.Fl d\nis set,\n.Sy startup_cmd\nwill be run after\n.Xr pizauth 1\nhas daemonised.\nThe command will thus be run with stdin and stdin closed.\n.It Sy token_event_cmd = Qo Em shell-cmd Qc ;\nspecifies a shell command to be run via\n.Ql $SHELL -c\nwhen an account's access token changes state.\nTwo special environment variables are set:\n.Em $PIZAUTH_ACCOUNT\nis set to the account name;\n.Em $PIZAUTH_EVENT\nis set to the event type.\nThe event types are:\n.Em token_invalidated\nif a previously valid access token is invalidated;\n.Em token_new\nif a new access token is obtained;\n.Em token_refreshed\nif an access token is refreshed;\n.Em token_revoked\nif the user has requested that any token, or ongoing authentication for,\nan account should be removed or cancelled.\nToken events are queued and processed one-by-one in the order they were\nreceived: at most one instance of\n.Sy token_event_cmd\nwill be executed at any point in time; and there is no guarantee\nthat an event reflects the current state of an account's access token,\nsince further events may be stored in the queue.\nNote that\n.Sy token_event_cmd\nis subject to a 10 second timeout.\nOptional.\n.It Sy transient_error_if_cmd = Qo Em shell-cmd Qc ;\nspecifies a shell command to be run when pizauth repeatedly encounters\nerrors when trying to refresh a token.\nOne special environment variable is set:\n.Em $PIZAUTH_ACCOUNT\nis set to the account name.\nIf\n.Em shell-cmd\nreturns a zero exit code, the transient errors are ignored.\nIf\n.Em shell-cmd\nreturns a non-zero exit code, or exceeds a 3 minute timeout, pizauth treats\nthe errors as permanent: the access token is invalidated (forcing the user\nto later reauthenicate).\nDefaults to ignoring non-fatal errors if not specified.\n.El\n.Pp\nAn\n.Sq account\nblock supports the following options:\n.Bl -tag -width Ds\n.It Sy auth_uri = Qo Em URI Qc ;\nwhere\n.Em URI\nis a URI specifying the OAuth2 server's authentication URI.\nMandatory.\n.It Sy auth_uri_fields = { Qo Em Key 1 Qc : Qo Em Val 1 Qc , ..., Qo Em Key n Qc : Qo Val n Qc } ;\nspecifies zero or more query fields to be passed to\n.Sy auth_uri\nafter any fields that\n.Nm\nmay have added itself.\nKeys (and their values) are added to\n.Sy auth_uri\nin the order they appear in\n.Sy auth_uri_fields ,\neach separated by\n.Qq & .\nThe same key may be specified multiple times.\nOptional.\n.It Sy client_id = Qo Em ID Qc ;\nspecifies the OAuth2 client ID (i.e. the identifier of the client software).\nMandatory.\n.It Sy client_secret = Qo Em Secret Qc ;\nspecifies the OAuth2 client secret (similar to the\n.Em client_id ) .\nOptional.\n.It Sy login_hint = Qo Em Hint Qc ;\nis used by the authentication server to help the user understand which account\nthey are authenticating.\nTypically a username or email address.\nOptional.\n.Em Deprecated :\nuse\n.Ql auth_uri_fields = { Qo login_hint Qc : Qo Hint Qc }\ninstead.\n.It Sy redirect_uri = Qo Em URI Qc ;\nwhere\n.Em URI\nis a URI specifying the OAuth2 server's redirection URI.\nDefaults to\n.Qq http://localhost/\nif not specified.\n.It Sy refresh_at_least = Em time ;\nOverrides the global\n.Sy refresh_at_least\noption for this account.\nFollows the same format as the global option.\n.It Sy refresh_before_expiry = Em time ;\nOverrides the global\n.Sy refresh_before_expiry\noption for this account.\nFollows the same format as the global option.\n.It Sy refresh_retry = Em time ;\nOverrides the global\n.Sy refresh_retry\noption for this account.\nFollows the same format as the global option.\n.It Sy scopes = [ Qo Em Scope 1 Qc , ..., Qo Em Scope n Qc ] ;\nspecifies zero or more OAuth2 scopes (roughly speaking,\n.Qq permissions )\nthat access tokens will give you permission to utilise.\nOptional.\n.It Sy token_uri = Qo Em URI Qc ;\nis a URI specifying the OAuth2 server's token URI.\nMandatory.\n.El\n.Pp\nTimes can be specified as\n.Em int [smhd]\nwhere the suffixes mean (in order): seconds, minutes, hours, days.\nFor example,\n.Em 90s\nmeans 90 seconds and\n.Em 5m\nmeans 5 minutes.\n.Sh EXAMPLES\nAn example\n.Nm\nfile for accessing IMAP and SMTP services in Office365\nis as follows:\n.Bd -literal -offset 4n\naccount \"officesmtp\" {\n auth_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/authorize\";\n token_uri = \"https://login.microsoftonline.com/common/oauth2/v2.0/token\";\n client_id = \"...\"; // Fill in with your Client ID\n client_secret = \"...\"; // Fill in with your Client secret\n scopes = [\n \"https://outlook.office365.com/IMAP.AccessAsUser.All\",\n \"https://outlook.office365.com/SMTP.Send\",\n \"offline_access\"\n ];\n // You don't have to specify login_hint, but it does make\n // authentication a little easier.\n auth_uri_fields = { \"login_hint\": \"email@example.com\" };\n}\n.Ed\n.Pp\nNote that Office365 requires the non-standard\n.Qq offline_access\nscope to be specified in order for\n.Xr pizauth 1\nto be able to operate successfully.\n.Sh SEE ALSO\n.Xr pizauth 1\n.Pp\n.Lk https://tratt.net/laurie/src/pizauth/\n.Sh AUTHORS\n.An -nosplit\n.Xr pizauth 1\nwas written by\n.An Laurence Tratt Lk https://tratt.net/laurie/\n" }, { "path": "share/bash/completion.bash", "content": "#!/bin/bash\n_server() {\n local cur prev\n\n prev=${COMP_WORDS[COMP_CWORD - 1]}\n cur=${COMP_WORDS[COMP_CWORD]}\n case \"$prev\" in\n -c) _filedir;;\n *) mapfile -t COMPREPLY < \\\n <(compgen -W '-c -d -v -vv -vvv -vvvv' -- \"$cur\");;\n esac\n}\n_accounts(){\n local config\n\n config=\"$(pizauth info | awk -F' *: *' '$1 ~ /config file/ { print $2 }')\"\n sed -n '/^account/{s/^account \\(.*\\) {/\\1/;p}' \"$config\"\n}\n_pizauth()\n{\n local cur prev sub\n local cmds=()\n cmds+=(dump restore reload shutdown status)\n cmds+=(info server)\n cmds+=(refresh revoke show)\n\n cur=${COMP_WORDS[COMP_CWORD]}\n prev=${COMP_WORDS[COMP_CWORD - 1]}\n sub=${COMP_WORDS[1]}\n\n if [ \"$sub\" == server ] && [ \"$COMP_CWORD\" -gt 1 ]; then _server; return; fi\n\n case ${COMP_CWORD} in\n 1) mapfile -t COMPREPLY < <(compgen -W \"${cmds[*]}\" -- \"$cur\");;\n 2)\n case $sub in\n dump|restore|reload|shutdown|status) COMPREPLY=();;\n info) mapfile -t COMPREPLY < <(compgen -W '-j' -- \"$cur\") ;;\n refresh|show)\n local accounts\n mapfile -t accounts < <(_accounts)\n accounts+=(-u)\n mapfile -t COMPREPLY < \\\n <(compgen -W \"${accounts[*]}\" -- \"$cur\")\n ;;\n revoke)\n local accounts\n mapfile -t accounts < <(_accounts)\n mapfile -t COMPREPLY < \\\n <(compgen -W \"${accounts[*]}\" -- \"$cur\")\n ;;\n *) COMPREPLY=()\n ;;\n esac\n ;;\n 3)\n case $sub in\n refresh|show)\n case $prev in\n -u)\n local accounts\n mapfile -t accounts < <(_accounts)\n mapfile -t COMPREPLY < \\\n <(compgen -W \"${accounts[*]}\" -- \"$cur\")\n ;;\n *) COMPREPLY=()\n esac\n ;;\n esac\n ;;\n *)\n COMPREPLY=()\n ;;\n esac\n}\n\ncomplete -F _pizauth pizauth\n" }, { "path": "share/fish/pizauth.fish", "content": "#!/usr/bin/fish\n\nfunction __fish_pizauth_accounts --description \"Helper function to parse accounts from config\"\n set -l config (pizauth info | awk -F' *: *' '$1 ~ /config file/ { print $2 }')\n sed -n '/^account/{s/^account \\(.*\\) {/\\1/;p}' $config | string unescape\nend\n\nfunction __fish_pizauth_is_main_command --description \"Returns true if we're not in a subcommand\"\n not __fish_seen_subcommand_from dump restore reload shutdown status info server refresh revoke show\nend\n\n# Don't autocomplete files\ncomplete -c pizauth -f\n\n# pizauth top-level commands\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Writes current pizauth state to stdout\" -a \"dump\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Writes output about pizauth to stdout\" -a \"info\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Request a refresh of the access token for account\" -a \"refresh\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Reloads the server's configuration\" -a \"reload\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Reads previously dumped pizauth state from stdin\" -a \"restore\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Removes token and cancels authorization for account\" -a \"revoke\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Start the server\" -a \"server\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Print access token of account to stdout\" -a \"show\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Shut the server down\" -a \"shutdown\"\ncomplete -c pizauth -n \"__fish_pizauth_is_main_command\" -d \"Writes output about current accounts to stdout\" -a \"status\"\n\n# pizauth info [-j]\ncomplete -c pizauth -n \"__fish_seen_subcommand_from info\" -s j -d \"JSON output\"\n\n# pizauth refresh/show [-u] account\ncomplete -c pizauth -n \"__fish_seen_subcommand_from refresh show\" -s u -d \"Exclude authorization URL\"\ncomplete -c pizauth -n \"__fish_seen_subcommand_from refresh show\" -a \"(__fish_pizauth_accounts)\"\n\n# pizauth revoke account\ncomplete -c pizauth -n \"__fish_seen_subcommand_from revoke\" -a \"(__fish_pizauth_accounts)\"\n\n# pizauth server [-c config-file] [-dv]\ncomplete -c pizauth -n \"__fish_seen_subcommand_from server\" -s c -r -F -d \"Config file\"\ncomplete -c pizauth -n \"__fish_seen_subcommand_from server\" -s d -d \"Do not daemonise\"\ncomplete -c pizauth -n \"__fish_seen_subcommand_from server\" -o v -d \"Verbose\"\ncomplete -c pizauth -n \"__fish_seen_subcommand_from server\" -o vv -d \"Verboser\"\ncomplete -c pizauth -n \"__fish_seen_subcommand_from server\" -o vvv -d \"Verboserer\"\ncomplete -c pizauth -n \"__fish_seen_subcommand_from server\" -o vvvv -d \"Verbosest\"\n" }, { "path": "share/zsh/_pizauth", "content": "#compdef pizauth\n\n_pizauth_accounts() {\n local config account\n local -a accounts\n accounts=(\"${(@f)$(pizauth status 2>/dev/null | cut -d ':' -f 1)}\")\n (( ${#accounts} )) || return 1\n _wanted accounts expl 'account' compadd \"$expl[@]\" -a accounts\n}\n\n_pizauth() {\n local curcontext=\"$curcontext\" state line ret=1\n local -a commands\n typeset -A opt_args\n\n commands=(\n 'dump:write internal state to stdout for later restore'\n 'info:write config information to stdout'\n 'refresh:request refresh of an access token'\n 'reload:reload server config'\n 'restore:read previously dumped state from stdin'\n 'revoke:remove local access token'\n 'server:start the server'\n 'show:write access token to stdout'\n 'shutdown:shut server down'\n 'status:write accounts state to stdout'\n )\n\n _arguments -C \\\n '1:command:->command' \\\n '*::argument:->argument' && ret=0\n\n case \"$state\" in\n command) _describe -t commands 'pizauth command' commands && ret=0 ;;\n argument)\n curcontext=\"${curcontext%:*:*}:pizauth-${words[1]}:\"\n case $words[1] in\n dump|reload|restore|shutdown|status) _message 'no more arguments' ;;\n info) _arguments '-j[write JSON output]' ;;\n refresh|show)\n _arguments \\\n '-u[do not include an authorization URL in errors]' \\\n '1:account:_pizauth_accounts'\n ;;\n revoke) _arguments '1:account:_pizauth_accounts' ;;\n server)\n _arguments \\\n '-c[config file]:config file:_files' \\\n '-d[do not daemonise]' \\\n '*-v[verbose: repeat for greater verbosity]'\n ;;\n *) _message 'unknown pizauth command' ;;\n esac\n ;;\n esac\n\n return ret\n}\n\n_pizauth \"$@\"\n" }, { "path": "src/compat/daemon.rs", "content": "//! Provides daemon(3) on macOS.\n\n// We provide our own wrapper for daemon on macOS because nix does not export one for macOS. This\n// is *probably* why nix does not support daemon(3) on macOS:\n//\n// - nix will not compile on macOS, due to errors\n// - ... nix compiles with #[deny(warnings)], which treats warnings as errors\n// - libc emits a deprecation warning for daemon(3) on macOS [1]\n// - ... because daemon(3) has been deprecated in macOS since Mac OS X 10.5\n// - ... presumably because Apple wants you to use launchd(8) instead [2].\n// - Therefore, this deprecation warning is treated as an error in nix\n//\n// [1]: https://github.com/rust-lang/libc/blob/96c85c1b913604fb5b1eb8822e344b7c08bcd6b9/src/unix/bsd/apple/mod.rs#L5064-L5067\n// [2]: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html\n//\n// This module essentially reimplements nix's daemon wrapper on macOS, but allows deprecation\n// warnings.\n//\n// See: https://github.com/ltratt/pizauth/issues/3\nuse libc::c_int;\n#[allow(deprecated)]\nuse libc::daemon as libc_daemon;\nuse nix::errno::Errno;\n\npub fn daemon(nochdir: bool, noclose: bool) -> nix::Result<()> {\n #[allow(deprecated)]\n let res = unsafe { libc_daemon(nochdir as c_int, noclose as c_int) };\n Errno::result(res).map(drop)\n}\n" }, { "path": "src/compat/mod.rs", "content": "//! Shims to provide compatibility with different systems.\n\n// nix does not support daemon(3) on macOS, so we have to provide our own implementation:\n#[cfg(target_os = \"macos\")]\nmod daemon;\n#[cfg(target_os = \"macos\")]\npub use daemon::daemon;\n\n// Use nix's daemon(3) wrapper on other platforms:\n#[cfg(not(target_os = \"macos\"))]\npub use nix::unistd::daemon;\n" }, { "path": "src/config.l", "content": "%%\n[0-9]+[dhms] \"TIME\"\n\"(?:\\\\[\\\\\"]|[^\"\\\\])*\" \"STRING\"\n= \"=\"\n, \",\"\n\\{ \"{\"\n\\} \"}\"\n\\[ \"[\"\n\\] \"]\"\n; \";\"\n: \":\"\naccount \"ACCOUNT\"\nauth_error_cmd \"AUTH_ERROR_CMD\"\nauth_notify_cmd \"AUTH_NOTIFY_CMD\"\nauth_notify_interval \"AUTH_NOTIFY_INTERVAL\"\nauth_uri \"AUTH_URI\"\nauth_uri_fields \"AUTH_URI_FIELDS\"\nclient_id \"CLIENT_ID\"\nclient_secret \"CLIENT_SECRET\"\nerror_notify_cmd \"ERROR_NOTIFY_CMD\"\nhttp_listen \"HTTP_LISTEN\"\nhttps_listen \"HTTPS_LISTEN\"\nlogin_hint \"LOGIN_HINT\"\nnone \"NONE\"\nrefresh_retry \"REFRESH_RETRY\"\nredirect_uri \"REDIRECT_URI\"\nrefresh_before_expiry \"REFRESH_BEFORE_EXPIRY\"\nrefresh_at_least \"REFRESH_AT_LEAST\"\nscopes \"SCOPES\"\nstartup_cmd \"STARTUP_CMD\"\ntoken_event_cmd \"TOKEN_EVENT_CMD\"\ntoken_uri \"TOKEN_URI\"\ntransient_error_if_cmd \"TRANSIENT_ERROR_IF_CMD\"\n//.*?$ ;\n[ \\t\\n\\r]+ ;\n. \"UNMATCHED\"\n" }, { "path": "src/config.rs", "content": "use std::{\n collections::HashMap, error::Error, fs::read_to_string, path::Path, sync::Arc, time::Duration,\n};\n\nuse lrlex::{lrlex_mod, DefaultLexerTypes, LRNonStreamingLexer};\nuse lrpar::{lrpar_mod, NonStreamingLexer, Span};\nuse serde::{Deserialize, Serialize};\nuse url::Url;\nuse wincode::{SchemaRead, SchemaWrite};\n\nuse crate::config_ast;\n\nlrlex_mod!(\"config.l\");\nlrpar_mod!(\"config.y\");\n\ntype StorageT = u8;\n\n/// How many seconds before an access token's expiry do we try refreshing it?\nconst REFRESH_BEFORE_EXPIRY_DEFAULT: Duration = Duration::from_secs(90);\n/// How many seconds before we forcibly try refreshing an access token, even if it's not yet\n/// expired?\nconst REFRESH_AT_LEAST_DEFAULT: Duration = Duration::from_secs(90 * 60);\n/// How many seconds after a refresh failed in a non-permanent way before we retry refreshing?\nconst REFRESH_RETRY_DEFAULT: Duration = Duration::from_secs(40);\n/// How many seconds do we raise a notification if it only contains authorisations that have been\n/// shown before?\nconst AUTH_NOTIFY_INTERVAL_DEFAULT: u64 = 15 * 60;\n/// What is the default bind() address for the HTTP server?\nconst HTTP_LISTEN_DEFAULT: &str = \"127.0.0.1:0\";\n/// What is the default bind() address for the HTTPS server?\nconst HTTPS_LISTEN_DEFAULT: &str = \"127.0.0.1:0\";\n\n#[derive(Debug)]\npub struct Config {\n pub accounts: HashMap>,\n pub auth_notify_cmd: Option,\n pub auth_notify_interval: Duration,\n pub error_notify_cmd: Option,\n pub http_listen: Option,\n pub https_listen: Option,\n pub transient_error_if_cmd: Option,\n refresh_at_least: Option,\n refresh_before_expiry: Option,\n refresh_retry: Option,\n pub startup_cmd: Option,\n pub token_event_cmd: Option,\n}\n\nimpl Config {\n /// Create a `Config` from `path`, returning `Err(String)` (containing a human readable\n /// message) if it was unable to do so.\n pub fn from_path(conf_path: &Path) -> Result {\n let input = match read_to_string(conf_path) {\n Ok(s) => s,\n Err(e) => return Err(format!(\"Can't read {:?}: {}\", conf_path, e)),\n };\n Config::from_str(&input)\n }\n\n pub fn from_str(input: &str) -> Result {\n let lexerdef = config_l::lexerdef();\n let lexer = lexerdef.lexer(input);\n let (astopt, errs) = config_y::parse(&lexer);\n if !errs.is_empty() {\n let msgs = errs\n .iter()\n .map(|e| e.pp(&lexer, &config_y::token_epp))\n .collect::>();\n return Err(msgs.join(\"\\n\"));\n }\n\n let mut accounts = HashMap::new();\n let mut auth_notify_cmd = None;\n let mut auth_notify_interval = None;\n let mut error_notify_cmd = None;\n let mut http_listen = None;\n let mut https_listen = None;\n let mut transient_error_if_cmd = None;\n let mut refresh_at_least = None;\n let mut refresh_before_expiry = None;\n let mut refresh_retry = None;\n let mut startup_cmd = None;\n let mut token_event_cmd = None;\n match astopt {\n Some(Ok(opts)) => {\n for opt in opts {\n match opt {\n config_ast::TopLevel::Account(overall_span, name, fields) => {\n let act_name = unescape_str(lexer.span_str(name));\n accounts.insert(\n act_name.clone(),\n Arc::new(Account::from_fields(\n act_name,\n &lexer,\n overall_span,\n fields,\n )?),\n );\n }\n config_ast::TopLevel::AuthErrorCmd(span) => {\n return Err(error_at_span(\n &lexer,\n span,\n \"'auth_error_cmd' has been renamed to 'error_notify_cmd'\",\n ));\n }\n config_ast::TopLevel::AuthNotifyCmd(span) => {\n auth_notify_cmd = Some(check_not_assigned_str(\n &lexer,\n \"auth_notify_cmd\",\n span,\n auth_notify_cmd,\n )?)\n }\n config_ast::TopLevel::AuthNotifyInterval(span) => {\n auth_notify_interval =\n Some(time_str_to_duration(check_not_assigned_time(\n &lexer,\n \"auth_notify_interval\",\n span,\n auth_notify_interval,\n )?)?)\n }\n config_ast::TopLevel::ErrorNotifyCmd(span) => {\n error_notify_cmd = Some(check_not_assigned_str(\n &lexer,\n \"error_notify_cmd\",\n span,\n error_notify_cmd,\n )?)\n }\n config_ast::TopLevel::HttpListen(span) => {\n http_listen = Some(Some(check_not_assigned_str(\n &lexer,\n \"http_listen\",\n span,\n http_listen,\n )?))\n }\n config_ast::TopLevel::HttpListenNone(span) => {\n check_not_assigned(&lexer, \"http_listen\", span, http_listen)?;\n http_listen = Some(None)\n }\n config_ast::TopLevel::HttpsListen(span) => {\n https_listen = Some(Some(check_not_assigned_str(\n &lexer,\n \"https_listen\",\n span,\n https_listen,\n )?))\n }\n config_ast::TopLevel::HttpsListenNone(span) => {\n check_not_assigned(&lexer, \"https_listen\", span, https_listen)?;\n https_listen = Some(None)\n }\n config_ast::TopLevel::TransientErrorIfCmd(span) => {\n transient_error_if_cmd = Some(check_not_assigned_str(\n &lexer,\n \"transient_error_if_cmd\",\n span,\n transient_error_if_cmd,\n )?)\n }\n config_ast::TopLevel::RefreshAtLeast(span) => {\n refresh_at_least = Some(time_str_to_duration(check_not_assigned_time(\n &lexer,\n \"refresh_at_least\",\n span,\n refresh_at_least,\n )?)?)\n }\n config_ast::TopLevel::RefreshBeforeExpiry(span) => {\n refresh_before_expiry =\n Some(time_str_to_duration(check_not_assigned_time(\n &lexer,\n \"refresh_before_expiry\",\n span,\n refresh_before_expiry,\n )?)?)\n }\n config_ast::TopLevel::RefreshRetry(span) => {\n refresh_retry = Some(time_str_to_duration(check_not_assigned_time(\n &lexer,\n \"refresh_retry\",\n span,\n refresh_retry,\n )?)?)\n }\n config_ast::TopLevel::StartupCmd(span) => {\n startup_cmd = Some(check_not_assigned_str(\n &lexer,\n \"startup_cmd\",\n span,\n startup_cmd,\n )?)\n }\n config_ast::TopLevel::TokenEventCmd(span) => {\n token_event_cmd = Some(check_not_assigned_str(\n &lexer,\n \"token_event_cmd\",\n span,\n token_event_cmd,\n )?)\n }\n }\n }\n }\n _ => unreachable!(),\n }\n\n if let (&Some(None), &Some(None)) = (&http_listen, &https_listen) {\n return Err(\"Cannot set both http_listen and https_listen to 'none'\".into());\n }\n\n if accounts.is_empty() {\n return Err(\"Must specify at least one account\".into());\n }\n\n for (act_name, act) in &accounts {\n if act.redirect_uri.starts_with(\"https\") {\n match https_listen {\n Some(Some(_)) | None => (),\n Some(None) => {\n return Err(format!(\"Account {act_name} has an 'https' redirect but the HTTPS server is set to 'none'\"));\n }\n }\n } else if act.redirect_uri.starts_with(\"http\") {\n match http_listen {\n Some(Some(_)) | None => (),\n Some(None) => {\n return Err(format!(\"Account {act_name} has an 'http' redirect but the HTTP server is set to 'none'\"));\n }\n }\n }\n }\n\n Ok(Config {\n accounts,\n auth_notify_cmd,\n auth_notify_interval: auth_notify_interval\n .unwrap_or_else(|| Duration::from_secs(AUTH_NOTIFY_INTERVAL_DEFAULT)),\n error_notify_cmd,\n http_listen: http_listen.unwrap_or_else(|| Some(HTTP_LISTEN_DEFAULT.to_owned())),\n https_listen: https_listen.unwrap_or_else(|| Some(HTTPS_LISTEN_DEFAULT.to_owned())),\n transient_error_if_cmd,\n refresh_at_least,\n refresh_before_expiry,\n refresh_retry,\n startup_cmd,\n token_event_cmd,\n })\n }\n}\n\nfn check_not_assigned(\n lexer: &LRNonStreamingLexer>,\n name: &str,\n span: Span,\n v: Option,\n) -> Result<(), String> {\n match v {\n None => Ok(()),\n Some(_) => Err(error_at_span(\n lexer,\n span,\n &format!(\"Mustn't specify '{name:}' more than once\"),\n )),\n }\n}\n\nfn check_not_assigned_str(\n lexer: &LRNonStreamingLexer>,\n name: &str,\n span: Span,\n v: Option,\n) -> Result {\n match v {\n None => Ok(unescape_str(lexer.span_str(span))),\n Some(_) => Err(error_at_span(\n lexer,\n span,\n &format!(\"Mustn't specify '{name:}' more than once\"),\n )),\n }\n}\n\nfn check_not_assigned_time<'a, T>(\n lexer: &'a LRNonStreamingLexer>,\n name: &str,\n span: Span,\n v: Option,\n) -> Result<&'a str, String> {\n match v {\n None => Ok(lexer.span_str(span)),\n Some(_) => Err(error_at_span(\n lexer,\n span,\n &format!(\"Mustn't specify '{name:}' more than once\"),\n )),\n }\n}\n\nfn check_not_assigned_uri(\n lexer: &LRNonStreamingLexer>,\n name: &str,\n span: Span,\n v: Option,\n) -> Result {\n match v {\n None => {\n let s = unescape_str(lexer.span_str(span));\n match Url::parse(&s) {\n Ok(x) => {\n if x.fragment().is_some() {\n Err(error_at_span(\n lexer,\n span,\n \"URI fragments ('#...') are not allowed\",\n ))\n } else if x.scheme() == \"http\" || x.scheme() == \"https\" {\n Ok(s)\n } else {\n Err(error_at_span(lexer, span, \"not a valid HTTP or HTTPS URI\"))\n }\n }\n Err(e) => Err(error_at_span(lexer, span, &format!(\"Invalid URI: {e:}\"))),\n }\n }\n Some(_) => Err(error_at_span(\n lexer,\n span,\n &format!(\"Mustn't specify '{name:}' more than once\"),\n )),\n }\n}\n\nfn check_assigned(\n lexer: &LRNonStreamingLexer>,\n name: &str,\n span: Span,\n v: Option,\n) -> Result {\n match v {\n Some(x) => Ok(x),\n None => Err(error_at_span(\n lexer,\n span,\n &format!(\"{name:} not specified\"),\n )),\n }\n}\n\n/// If you add to the, or alter the semantics of any existing, fields in this struct, you *must*\n/// check whether any of the following also need to be chnaged:\n/// * `Account::secure_eq`\n/// * `Account::dump`\n/// * `Account::secure_restoreable`\n/// * `AccountDump`\n///\n/// These functions are vital to the security guarantees pizauth makes when reloading/restoring\n/// configurations.\n#[derive(Clone, Debug)]\npub struct Account {\n pub name: String,\n pub auth_uri: String,\n pub auth_uri_fields: Vec<(String, String)>,\n pub client_id: String,\n pub client_secret: Option,\n redirect_uri: String,\n refresh_at_least: Option,\n refresh_before_expiry: Option,\n refresh_retry: Option,\n pub scopes: Vec,\n pub token_uri: String,\n}\n\nimpl Account {\n fn from_fields(\n name: String,\n lexer: &LRNonStreamingLexer>,\n overall_span: Span,\n fields: Vec,\n ) -> Result {\n let mut auth_uri = None;\n let mut auth_uri_fields = None;\n let mut client_id = None;\n let mut client_secret = None;\n let mut login_hint = None;\n let mut redirect_uri = None;\n let mut refresh_at_least = None;\n let mut refresh_before_expiry = None;\n let mut refresh_retry = None;\n let mut scopes = None;\n let mut token_uri = None;\n\n for f in fields {\n match f {\n config_ast::AccountField::AuthUri(span) => {\n auth_uri = Some(check_not_assigned_uri(lexer, \"auth_uri\", span, auth_uri)?)\n }\n config_ast::AccountField::AuthUriFields(span, spans) => {\n if auth_uri_fields.is_some() {\n debug_assert!(!spans.is_empty());\n return Err(error_at_span(\n lexer,\n span,\n \"Mustn't specify 'auth_uri_fields' more than once\",\n ));\n }\n auth_uri_fields = Some(\n spans\n .iter()\n .map(|(key_sp, val_sp)| {\n (\n unescape_str(lexer.span_str(*key_sp)),\n unescape_str(lexer.span_str(*val_sp)),\n )\n })\n .collect::>(),\n );\n }\n config_ast::AccountField::ClientId(span) => {\n client_id = Some(check_not_assigned_str(lexer, \"client_id\", span, client_id)?)\n }\n config_ast::AccountField::ClientSecret(span) => {\n client_secret = Some(check_not_assigned_str(\n lexer,\n \"client_secret\",\n span,\n client_secret,\n )?)\n }\n config_ast::AccountField::LoginHint(span) => {\n login_hint = Some(check_not_assigned_str(\n lexer,\n \"login_hint\",\n span,\n login_hint,\n )?)\n }\n config_ast::AccountField::RedirectUri(span) => {\n let uri = check_not_assigned_uri(lexer, \"redirect_uri\", span, redirect_uri)?;\n redirect_uri = Some(uri)\n }\n config_ast::AccountField::RefreshAtLeast(span) => {\n refresh_at_least = Some(time_str_to_duration(check_not_assigned_time(\n lexer,\n \"refresh_at_least\",\n span,\n refresh_at_least,\n )?)?)\n }\n config_ast::AccountField::RefreshBeforeExpiry(span) => {\n refresh_before_expiry = Some(time_str_to_duration(check_not_assigned_time(\n lexer,\n \"refresh_before_expiry\",\n span,\n refresh_before_expiry,\n )?)?)\n }\n config_ast::AccountField::RefreshRetry(span) => {\n refresh_retry = Some(time_str_to_duration(check_not_assigned_time(\n lexer,\n \"refresh_retry\",\n span,\n refresh_retry,\n )?)?)\n }\n config_ast::AccountField::Scopes(span, spans) => {\n if scopes.is_some() {\n debug_assert!(!spans.is_empty());\n return Err(error_at_span(\n lexer,\n span,\n \"Mustn't specify 'scopes' more than once\",\n ));\n }\n scopes = Some(\n spans\n .iter()\n .map(|sp| unescape_str(lexer.span_str(*sp)))\n .collect::>(),\n );\n }\n config_ast::AccountField::TokenUri(span) => {\n token_uri = Some(check_not_assigned_uri(lexer, \"token_uri\", span, token_uri)?)\n }\n }\n }\n\n let auth_uri = check_assigned(lexer, \"auth_uri\", overall_span, auth_uri)?;\n let client_id = check_assigned(lexer, \"client_id\", overall_span, client_id)?;\n let token_uri = check_assigned(lexer, \"token_uri\", overall_span, token_uri)?;\n\n // We allow the deprecated `login_hint` field through but don't want to allow it to clash\n // with a field of the same name in `auth_uri_fields`.\n if let (Some(_), Some(auth_uri_fields)) = (&login_hint, &auth_uri_fields) {\n if auth_uri_fields.iter().any(|(k, _)| k == \"login_hint\") {\n return Err(error_at_span(lexer, overall_span, \"Both the 'login_hint' attribute and a 'auth_uri_fields' field with the name 'login_hint' are specified. The 'login_hint' attribute is deprecated so remove it.\"));\n }\n }\n\n Ok(Account {\n name,\n auth_uri,\n auth_uri_fields: auth_uri_fields.unwrap_or_default(),\n client_id,\n client_secret,\n redirect_uri: redirect_uri.unwrap_or_else(|| \"http://localhost/\".to_owned()),\n refresh_at_least,\n refresh_before_expiry,\n refresh_retry,\n scopes: scopes.unwrap_or_default(),\n token_uri,\n })\n }\n\n /// Are the security relevant parts of this `Account` the same as `other`?\n ///\n /// Note that this is a weaker condition than \"is `self` equal to `other`\" because there are\n /// some parts of an `Account`'s configuration that are irrelevant from a security perspective.\n /// If you add new fields to, or change the semantics of existing fields in, `Account`, you\n /// must reconsider this function.\n pub fn secure_eq(&self, other: &Self) -> bool {\n // Our definition of \"are the security relevant parts of this `Account` the same as\n // `other`\" is roughly: if anything here changes could we end up giving out an access token\n // that the user might send to the wrong server? Note that it is better to be safe than\n // sorry: if in doubt, it is better to have more, rather than fewer, fields compared here.\n self.name == other.name\n && self.auth_uri == other.auth_uri\n && self.auth_uri_fields == other.auth_uri_fields\n && self.client_id == other.client_id\n && self.client_secret == other.client_secret\n && self.redirect_uri == other.redirect_uri\n && self.scopes == other.scopes\n && self.token_uri == other.token_uri\n }\n\n pub fn dump(&self) -> AccountDump {\n AccountDump {\n auth_uri: self.auth_uri.clone(),\n auth_uri_fields: self.auth_uri_fields.clone(),\n client_id: self.client_id.clone(),\n client_secret: self.client_secret.clone(),\n redirect_uri: self.redirect_uri.clone(),\n scopes: self.scopes.clone(),\n token_uri: self.token_uri.clone(),\n }\n }\n\n /// Can this account's tokenstate safely be restored from an [AccountDump] `act_dump`? Roughly\n /// speaking, if `act_dump` was converted into an `Account`, would that new `Account` compare\n /// equal with `secure_eq` to `self`? If `true`, then it is safe to restore the (`self`)\n /// `Account`'s tokenstate from a dump.\n pub fn secure_restorable(&self, act_dump: &AccountDump) -> bool {\n self.auth_uri == act_dump.auth_uri\n && self.auth_uri_fields == act_dump.auth_uri_fields\n && self.client_id == act_dump.client_id\n && self.client_secret == act_dump.client_secret\n && self.redirect_uri == act_dump.redirect_uri\n && self.scopes == act_dump.scopes\n && self.token_uri == act_dump.token_uri\n }\n\n pub fn redirect_uri(\n &self,\n http_port: Option,\n https_port: Option,\n ) -> Result> {\n assert!(http_port.is_some() || https_port.is_some());\n let mut url = Url::parse(&self.redirect_uri)?;\n if https_port.is_some() && self.redirect_uri.to_lowercase().starts_with(\"https\") {\n url.set_port(https_port)\n .map_err(|_| \"Cannot set https port\")?;\n } else {\n url.set_port(http_port)\n .map_err(|_| \"Cannot set http port\")?;\n }\n Ok(url)\n }\n\n pub fn refresh_at_least(&self, config: &Config) -> Duration {\n self.refresh_at_least\n .or(config.refresh_at_least)\n .unwrap_or(REFRESH_AT_LEAST_DEFAULT)\n }\n\n pub fn refresh_before_expiry(&self, config: &Config) -> Duration {\n self.refresh_before_expiry\n .or(config.refresh_before_expiry)\n .unwrap_or(REFRESH_BEFORE_EXPIRY_DEFAULT)\n }\n\n pub fn refresh_retry(&self, config: &Config) -> Duration {\n self.refresh_retry\n .or(config.refresh_retry)\n .unwrap_or(REFRESH_RETRY_DEFAULT)\n }\n}\n\n#[derive(Deserialize, Serialize, SchemaRead, SchemaWrite)]\npub struct AccountDump {\n auth_uri: String,\n auth_uri_fields: Vec<(String, String)>,\n client_id: String,\n client_secret: Option,\n redirect_uri: String,\n scopes: Vec,\n token_uri: String,\n}\n\n/// Given a time duration in the format `[0-9]+[dhms]` return a [Duration].\n///\n/// # Panics\n///\n/// If `t` is not in the format `[0-9]+[dhms]`.\nfn time_str_to_duration(t: &str) -> Result {\n fn inner(t: &str) -> Result> {\n let last_char_idx = t\n .chars()\n .filter(|c| c.is_numeric())\n .map(|c| c.len_utf8())\n .sum();\n debug_assert!(last_char_idx < t.len());\n let num = t[..last_char_idx].parse::()?;\n let secs = match t.chars().last().unwrap() {\n 'd' => num.checked_mul(86400).ok_or(\"Number too big\")?,\n 'h' => num.checked_mul(3600).ok_or(\"Number too big\")?,\n 'm' => num.checked_mul(60).ok_or(\"Number too big\")?,\n 's' => num,\n _ => unreachable!(),\n };\n Ok(Duration::from_secs(secs))\n }\n inner(t).map_err(|e| format!(\"Invalid time: {e}\"))\n}\n\n/// Take a quoted string from the config file and unescape it (i.e. strip the start and end quote\n/// (\") characters and process any escape characters in the string.)\nfn unescape_str(us: &str) -> String {\n // The regex in config.l should have guaranteed that strings start and finish with a\n // quote character.\n debug_assert!(us.starts_with('\"') && us.ends_with('\"'));\n let mut s = String::new();\n // We iterate over all characters except the opening and closing quote characters.\n let mut i = '\"'.len_utf8();\n while i < us.len() - '\"'.len_utf8() {\n let c = us[i..].chars().next().unwrap();\n if c == '\\\\' {\n // The regex in config.l should have guaranteed that there are no unescaped quote (\")\n // characters, but we check here just to be sure.\n debug_assert!(i < us.len() - '\"'.len_utf8());\n i += 1;\n let c2 = us[i..].chars().next().unwrap();\n debug_assert!(c2 == '\"' || c2 == '\\\\');\n s.push(c2);\n i += c2.len_utf8();\n } else {\n s.push(c);\n i += c.len_utf8();\n }\n }\n s\n}\n\n/// Return an error message pinpointing `span` as the culprit.\nfn error_at_span(\n lexer: &LRNonStreamingLexer>,\n span: Span,\n msg: &str,\n) -> String {\n let ((line_off, col), _) = lexer.line_col(span);\n let code = lexer\n .span_lines_str(span)\n .split('\\n')\n .next()\n .unwrap()\n .trim();\n format!(\n \"Line {}, column {}:\\n {}\\n{}\",\n line_off,\n col,\n code.trim(),\n msg\n )\n}\n\n#[cfg(test)]\nmod test {\n use super::*;\n use lrpar::Lexer;\n\n #[test]\n fn test_unescape_string() {\n assert_eq!(unescape_str(\"\\\"\\\"\"), \"\");\n assert_eq!(unescape_str(\"\\\"a\\\"\"), \"a\");\n assert_eq!(unescape_str(\"\\\"a\\\\\\\"\\\"\"), \"a\\\"\");\n assert_eq!(unescape_str(\"\\\"a\\\\\\\"b\\\"\"), \"a\\\"b\");\n assert_eq!(unescape_str(\"\\\"\\\\\\\\\\\"\"), \"\\\\\");\n }\n\n #[test]\n fn test_time_str_to_duration() {\n assert_eq!(time_str_to_duration(\"0s\").unwrap(), Duration::from_secs(0));\n assert_eq!(time_str_to_duration(\"1s\").unwrap(), Duration::from_secs(1));\n assert_eq!(time_str_to_duration(\"1m\").unwrap(), Duration::from_secs(60));\n assert_eq!(\n time_str_to_duration(\"2m\").unwrap(),\n Duration::from_secs(120)\n );\n assert_eq!(\n time_str_to_duration(\"1h\").unwrap(),\n Duration::from_secs(3600)\n );\n assert_eq!(\n time_str_to_duration(\"1d\").unwrap(),\n Duration::from_secs(86400)\n );\n\n assert!(time_str_to_duration(\"9223372036854775808m\").is_err());\n }\n\n #[test]\n fn string_escapes() {\n let lexerdef = config_l::lexerdef();\n let lexemes = lexerdef.lexer(\"\\\"\\\\\\\\\\\"\").iter().collect::>();\n assert_eq!(lexemes.len(), 1);\n let lexemes = lexerdef.lexer(\"\\\"\\\\\\\"\\\\\\\"\\\"\").iter().collect::>();\n assert_eq!(lexemes.len(), 1);\n let lexemes = lexerdef.lexer(\"\\\"\\\\n\\\"\").iter().collect::>();\n assert_eq!(lexemes.len(), 4);\n }\n\n #[test]\n fn valid_config() {\n let c = Config::from_str(\n r#\"\n auth_notify_cmd = \"g\";\n auth_notify_interval = 88m;\n error_notify_cmd = \"j\";\n http_listen = \"127.0.0.1:56789\";\n transient_error_if_cmd = \"k\";\n token_event_cmd = \"q\";\n account \"x\" {\n // Mandatory fields\n auth_uri = \"http://a.com\";\n auth_uri_fields = {\"l\": \"m\", \"n\": \"o\", \"l\": \"p\"};\n client_id = \"b\";\n scopes = [\"c\", \"d\"];\n token_uri = \"http://f.com\";\n // Optional fields\n client_secret = \"h\";\n login_hint = \"i\";\n redirect_uri = \"http://e.com\";\n refresh_at_least = 43m;\n refresh_before_expiry = 42s;\n refresh_retry = 33s;\n }\n \"#,\n )\n .unwrap();\n assert_eq!(c.error_notify_cmd, Some(\"j\".to_owned()));\n assert_eq!(c.auth_notify_cmd, Some(\"g\".to_owned()));\n assert_eq!(c.auth_notify_interval, Duration::from_secs(88 * 60));\n assert_eq!(c.http_listen, Some(\"127.0.0.1:56789\".to_owned()));\n assert_eq!(c.transient_error_if_cmd, Some(\"k\".to_owned()));\n assert_eq!(c.token_event_cmd, Some(\"q\".to_owned()));\n\n let act = &c.accounts[\"x\"];\n assert_eq!(act.auth_uri, \"http://a.com\");\n assert_eq!(\n &act.auth_uri_fields,\n &[\n (\"l\".to_owned(), \"m\".to_owned()),\n (\"n\".to_owned(), \"o\".to_owned()),\n (\"l\".to_owned(), \"p\".to_owned())\n ]\n );\n assert_eq!(act.client_id, \"b\");\n assert_eq!(act.client_secret, Some(\"h\".to_owned()));\n assert_eq!(act.redirect_uri, \"http://e.com\");\n assert_eq!(act.token_uri, \"http://f.com\");\n assert_eq!(&act.scopes, &[\"c\".to_owned(), \"d\".to_owned()]);\n assert_eq!(act.refresh_at_least, Some(Duration::from_secs(43 * 60)));\n assert_eq!(act.refresh_before_expiry, Some(Duration::from_secs(42)));\n assert_eq!(act.refresh_retry(&c), Duration::from_secs(33));\n }\n\n #[test]\n fn at_least_one_account() {\n assert_eq!(\n Config::from_str(\"\").unwrap_err().as_str(),\n \"Must specify at least one account\"\n );\n }\n\n #[test]\n fn invalid_time() {\n match Config::from_str(\"auth_notify_interval = 18446744073709551616s;\") {\n Err(s) if s.contains(\"Invalid time: number too large\") => (),\n _ => panic!(),\n }\n }\n\n #[test]\n fn dup_fields() {\n match Config::from_str(r#\"auth_notify_cmd = \"a\"; auth_notify_cmd = \"a\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'auth_notify_cmd' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(\"auth_notify_interval = 1s; auth_notify_interval = 2s;\") {\n Err(s) if s.contains(\"Mustn't specify 'auth_notify_interval' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(r#\"error_notify_cmd = \"a\"; error_notify_cmd = \"a\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'error_notify_cmd' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(r#\"token_event_cmd = \"a\"; token_event_cmd = \"a\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'token_event_cmd' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(r#\"transient_error_if_cmd = \"a\"; transient_error_if_cmd = \"b\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'transient_error_if_cmd' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(r#\"http_listen = \"a\"; http_listen = \"b\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'http_listen' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(r#\"http_listen = none; http_listen = \"a\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'http_listen' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(r#\"https_listen = \"a\"; https_listen = \"b\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'https_listen' more than once\") => (),\n _ => panic!(),\n }\n match Config::from_str(r#\"https_listen = none; https_listen = \"a\";\"#) {\n Err(s) if s.contains(\"Mustn't specify 'https_listen' more than once\") => (),\n _ => panic!(),\n }\n\n fn account_dup(field: &str, values: &[&str]) {\n let c = format!(\n \"account \\\"x\\\" {{ {} }}\",\n values\n .iter()\n .map(|v| format!(\"{field:} = {v:};\"))\n .collect::>()\n .join(\" \")\n );\n match Config::from_str(&c) {\n Err(s) if s.contains(&format!(\"Mustn't specify '{field:}' more than once\")) => (),\n Err(e) => panic!(\"{e:}\"),\n _ => panic!(),\n }\n }\n\n account_dup(\"auth_uri\", &[r#\"\"http://a.com/\"\"#, r#\"\"http://b.com/\"\"#]);\n account_dup(\"auth_uri_fields\", &[r#\"{\"a\": \"b\"}\"#, r#\"{\"c\": \"d\"}\"#]);\n account_dup(\"client_id\", &[r#\"\"a\"\"#, r#\"\"b\"\"#]);\n account_dup(\"client_secret\", &[r#\"\"a\"\"#, r#\"\"b\"\"#]);\n account_dup(\"login_hint\", &[r#\"\"a\"\"#, r#\"\"b\"\"#]);\n account_dup(\n \"redirect_uri\",\n &[r#\"\"http://a.com/\"\"#, r#\"\"http://b.com/\"\"#],\n );\n account_dup(\"refresh_before_expiry\", &[\"1m\", \"2m\"]);\n account_dup(\"refresh_at_least\", &[\"1m\", \"2m\"]);\n account_dup(\"scopes\", &[r#\"[\"a\"]\"#, r#\"[\"b\"]\"#]);\n account_dup(\"token_uri\", &[r#\"\"http://a.com/\"\"#, r#\"\"http://b.com/\"\"#]);\n }\n\n #[test]\n fn one_of_http_or_https() {\n match Config::from_str(\n r#\"\n http_listen = none;\n https_listen = none;\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n token_uri = \"http://f.com\";\n }\n \"#,\n ) {\n Err(e) if e.contains(\"Cannot set both http_listen and https_listen to 'none'\") => (),\n Err(e) => panic!(\"{e:?}\"),\n _ => panic!(),\n }\n }\n\n #[test]\n fn http_or_https_redirect_uris_only() {\n match Config::from_str(\n r#\"\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n redirect_uri = \"httpx://\";\n token_uri = \"http://f.com\";\n }\n \"#,\n ) {\n Err(e) if e.contains(\"not a valid HTTP or HTTPS URI\") => (),\n Err(e) => panic!(\"{e:?}\"),\n _ => panic!(),\n }\n\n match Config::from_str(\n r#\"\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n redirect_uri = \"ftp://blah/\";\n token_uri = \"http://f.com\";\n }\n \"#,\n ) {\n Err(e) if e.contains(\"not a valid HTTP or HTTPS URI\") => (),\n Err(e) => panic!(\"{e:?}\"),\n _ => panic!(),\n }\n }\n\n #[test]\n fn correct_listen_for_account() {\n match Config::from_str(\n r#\"\n http_listen = none;\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n token_uri = \"http://f.com\";\n }\n \"#,\n ) {\n Err(e)\n if e.contains(\n \"Account x has an 'http' redirect but the HTTP server is set to 'none'\",\n ) =>\n {\n ()\n }\n Err(e) => panic!(\"{e:?}\"),\n _ => panic!(),\n }\n match Config::from_str(\n r#\"\n https_listen = none;\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n redirect_uri = \"https://c.com\";\n token_uri = \"http://f.com\";\n }\n \"#,\n ) {\n Err(e)\n if e.contains(\n \"Account x has an 'https' redirect but the HTTPS server is set to 'none'\",\n ) =>\n {\n ()\n }\n Err(e) => panic!(\"{e:?}\"),\n _ => panic!(),\n }\n }\n\n #[test]\n fn invalid_uris() {\n fn invalid_uri(field: &str) {\n let c = format!(r#\"account \"x\" {{ {field} = \"blah\"; }}\"#);\n match Config::from_str(&c) {\n Err(e) if e.contains(\"Invalid URI\") => (),\n Err(e) => panic!(\"{e:}\"),\n _ => panic!(),\n }\n }\n\n invalid_uri(\"auth_uri\");\n invalid_uri(\"redirect_uri\");\n invalid_uri(\"token_uri\");\n }\n\n #[test]\n fn valid_https_config() {\n let c = Config::from_str(\n r#\"\n https_listen = \"127.0.0.1:56789\";\n account \"x\" {\n // Mandatory fields\n auth_uri = \"http://a.com\";\n auth_uri_fields = {\"l\": \"m\", \"n\": \"o\", \"l\": \"p\"};\n client_id = \"b\";\n scopes = [\"c\", \"d\"];\n token_uri = \"http://f.com\";\n // Optional fields\n redirect_uri = \"https://e.com\";\n }\n \"#,\n )\n .unwrap();\n assert_eq!(c.https_listen, Some(\"127.0.0.1:56789\".to_owned()));\n let act = &c.accounts[\"x\"];\n assert_eq!(act.redirect_uri, \"https://e.com\");\n let uri = act.redirect_uri(Some(0), Some(56789)).unwrap();\n assert_eq!(uri.scheme(), \"https\");\n assert_eq!(uri.port(), Some(56789));\n assert_eq!(uri.host_str(), Some(\"e.com\"));\n }\n\n #[test]\n fn mandatory_account_fields() {\n let fields = &[\n (\"auth_uri\", r#\"\"http://a.com/\"\"#),\n (\"client_id\", r#\"\"a\"\"#),\n (\"token_uri\", r#\"\"http://b.com/\"\"#),\n ];\n\n fn combine(fields: &[(&str, &str)]) -> String {\n fields\n .iter()\n .map(|(k, v)| format!(\"{k:} = {v:};\"))\n .collect::>()\n .join(\"\\n\")\n }\n\n assert!(Config::from_str(&format!(r#\"account \"a\" {{ {} }}\"#, combine(fields))).is_ok());\n for i in 0..fields.len() {\n let mut f = fields.to_vec();\n f.remove(i);\n match Config::from_str(&format!(r#\"account \"a\" {{ {} }}\"#, combine(&f))) {\n Err(e) if e.contains(\"not specified\") => (),\n Err(e) => panic!(\"{e:}\"),\n e => panic!(\"{e:?}\"),\n }\n }\n }\n\n #[test]\n fn local_overrides() {\n // Defaults only\n let c = Config::from_str(\n r#\"\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n scopes = [\"c\"];\n token_uri = \"http://d.com\";\n }\n \"#,\n )\n .unwrap();\n assert_eq!(c.transient_error_if_cmd, None);\n assert_eq!(c.refresh_at_least, None);\n assert_eq!(c.refresh_before_expiry, None);\n assert_eq!(c.refresh_retry, None);\n\n let act = &c.accounts[\"x\"];\n assert_eq!(act.refresh_at_least(&c), REFRESH_AT_LEAST_DEFAULT);\n assert_eq!(act.refresh_before_expiry(&c), REFRESH_BEFORE_EXPIRY_DEFAULT);\n assert_eq!(act.refresh_retry(&c), REFRESH_RETRY_DEFAULT);\n\n // Global only\n let c = Config::from_str(\n r#\"\n transient_error_if_cmd = \"e\";\n refresh_at_least = 1s;\n refresh_before_expiry = 2s;\n refresh_retry = 3s;\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n scopes = [\"c\"];\n token_uri = \"http://d.com\";\n }\n \"#,\n )\n .unwrap();\n assert_eq!(c.transient_error_if_cmd, Some(\"e\".to_owned()));\n assert_eq!(c.refresh_at_least, Some(Duration::from_secs(1)));\n assert_eq!(c.refresh_before_expiry, Some(Duration::from_secs(2)));\n assert_eq!(c.refresh_retry, Some(Duration::from_secs(3)));\n\n let act = &c.accounts[\"x\"];\n assert_eq!(act.refresh_at_least(&c), Duration::from_secs(1));\n assert_eq!(act.refresh_before_expiry(&c), Duration::from_secs(2));\n assert_eq!(act.refresh_retry(&c), Duration::from_secs(3));\n\n // Local only\n let c = Config::from_str(\n r#\"\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n scopes = [\"c\"];\n token_uri = \"http://d.com\";\n refresh_at_least = 1s;\n refresh_before_expiry = 2s;\n refresh_retry = 3s;\n }\n \"#,\n )\n .unwrap();\n\n assert_eq!(c.transient_error_if_cmd, None);\n assert_eq!(c.refresh_at_least, None);\n assert_eq!(c.refresh_before_expiry, None);\n assert_eq!(c.refresh_retry, None);\n\n let act = &c.accounts[\"x\"];\n assert_eq!(act.refresh_at_least(&c), Duration::from_secs(1));\n assert_eq!(act.refresh_before_expiry(&c), Duration::from_secs(2));\n assert_eq!(act.refresh_retry(&c), Duration::from_secs(3));\n\n // Local overrides global\n let c = Config::from_str(\n r#\"\n transient_error_if_cmd = \"e\";\n refresh_at_least = 1s;\n refresh_before_expiry = 2s;\n refresh_retry = 3s;\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n scopes = [\"c\"];\n token_uri = \"http://d.com\";\n refresh_at_least = 4s;\n refresh_before_expiry = 5s;\n refresh_retry = 6s;\n }\n \"#,\n )\n .unwrap();\n assert_eq!(c.transient_error_if_cmd, Some(\"e\".to_owned()));\n assert_eq!(c.refresh_at_least, Some(Duration::from_secs(1)));\n assert_eq!(c.refresh_before_expiry, Some(Duration::from_secs(2)));\n assert_eq!(c.refresh_retry, Some(Duration::from_secs(3)));\n\n let act = &c.accounts[\"x\"];\n assert_eq!(act.refresh_at_least(&c), Duration::from_secs(4));\n assert_eq!(act.refresh_before_expiry(&c), Duration::from_secs(5));\n assert_eq!(act.refresh_retry(&c), Duration::from_secs(6));\n\n // Local overrides global\n let c = Config::from_str(\n r#\"\n transient_error_if_cmd = \"e\";\n refresh_at_least = 1s;\n refresh_before_expiry = 2s;\n refresh_retry = 3s;\n account \"x\" {\n auth_uri = \"http://a.com\";\n client_id = \"b\";\n scopes = [\"c\"];\n token_uri = \"http://d.com\";\n refresh_at_least = 4s;\n refresh_before_expiry = 5s;\n refresh_retry = 6s;\n }\n account \"y\" {\n auth_uri = \"http://g.com\";\n client_id = \"h\";\n scopes = [\"i\"];\n token_uri = \"http://j.com\";\n refresh_at_least = 7s;\n refresh_before_expiry = 8s;\n refresh_retry = 9s;\n }\n account \"z\" {\n auth_uri = \"http://g.com\";\n client_id = \"h\";\n scopes = [\"i\"];\n token_uri = \"http://j.com\";\n }\n \"#,\n )\n .unwrap();\n assert_eq!(c.transient_error_if_cmd, Some(\"e\".to_owned()));\n assert_eq!(c.refresh_at_least, Some(Duration::from_secs(1)));\n assert_eq!(c.refresh_before_expiry, Some(Duration::from_secs(2)));\n assert_eq!(c.refresh_retry, Some(Duration::from_secs(3)));\n\n let act = &c.accounts[\"x\"];\n assert_eq!(act.refresh_at_least(&c), Duration::from_secs(4));\n assert_eq!(act.refresh_before_expiry(&c), Duration::from_secs(5));\n assert_eq!(act.refresh_retry(&c), Duration::from_secs(6));\n\n let act = &c.accounts[\"y\"];\n assert_eq!(act.refresh_at_least(&c), Duration::from_secs(7));\n assert_eq!(act.refresh_before_expiry(&c), Duration::from_secs(8));\n assert_eq!(act.refresh_retry(&c), Duration::from_secs(9));\n\n let act = &c.accounts[\"z\"];\n assert_eq!(act.refresh_at_least(&c), Duration::from_secs(1));\n assert_eq!(act.refresh_before_expiry(&c), Duration::from_secs(2));\n assert_eq!(act.refresh_retry(&c), Duration::from_secs(3));\n }\n\n #[test]\n fn login_hint_mutually_exclusive_query_field() {\n let c = r#\"account \"x\" {\n auth_uri = \"http://a.com/\";\n auth_uri_fields = { \"login_hint\": \"e\" };\n client_id = \"b\";\n token_uri = \"https://c.com/\";\n login_hint = \"d\";\n }\"#;\n match Config::from_str(c) {\n Err(e) if e.contains(\"Both the 'login_hint' attribute and a 'auth_uri_fields' field with the name 'login_hint' are specified. The 'login_hint' attribute is deprecated so remove it.\") => (),\n Err(e) => panic!(\"{e:}\"),\n _ => panic!(),\n }\n }\n\n #[test]\n fn endpoints_no_fragment() {\n let c = r#\"account \"x\" {\n auth_uri = \"http://a.com/#a\";\n auth_uri_fields = { \"login_hint\": \"e\" };\n client_id = \"b\";\n token_uri = \"https://c.com/\";\n login_hint = \"d\";\n }\"#;\n match Config::from_str(c) {\n Err(e) if e.contains(\"URI fragments ('#...') are not allowed\") => (),\n Err(e) => panic!(\"{e:}\"),\n _ => panic!(),\n }\n\n let c = r#\"account \"x\" {\n auth_uri = \"http://a.com/\";\n auth_uri_fields = { \"login_hint\": \"e\" };\n client_id = \"b\";\n token_uri = \"https://c.com/#c\";\n login_hint = \"d\";\n }\"#;\n match Config::from_str(c) {\n Err(e) if e.contains(\"URI fragments ('#...') are not allowed\") => (),\n Err(e) => panic!(\"{e:}\"),\n _ => panic!(),\n }\n }\n}\n" }, { "path": "src/config.y", "content": "%start TopLevels\n%avoid_insert \"STRING\"\n%epp TIME \"