Subject: [bug#40878] [PATCH] services: mpd: Allow authentication and permissions to be configured.
From: Bruno Victal
To: pinoaffe@airmail.cc
Cc: 40878@debbugs.gnu.org
Date: Thu, 30 Mar 2023 23:23:33 +0100
In-Reply-To: <1ee4ef44362d20518fe69da7b6c37df5@airmail.cc>
Hi,

On 2020-04-26 21:16, pinoaffe@airmail.cc wrote:
> * gnu/services/audio.scm (mpd-credential): New public variable. > * gnu/services/audio.scm (mpd-configuration): Add credentials > and permissions. > --- >  doc/guix.texi          | 23 ++++++++++++ >  gnu/services/audio.scm | 79 ++++++++++++++++++++++++++++++------------ >  2 files changed, 80 insertions(+), 22 deletions(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index 6613a4af13..1693d938f1 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi
> @@ -23271,12 +23271,35 @@ an absolute path can be specified here. >  @item @code{outputs} (default: @code{"(list (mpd-output))"}) >  The audio outputs that MPD can use.  By default this is a single output using pulseaudio. > > +@item @code{default-permissions} (default: @code{'(read add control admin)}) > +The permissions a user that connected to the mpd server without a password should enjoy. > +Should be a subset of @code{'(read add control admin)}. > + > +@item @code{credentials} (default: @code{'()}) > +The list of credentials one can use to sign in to mpd and gain extra permissions.  By > +default this is an empty list. > + >  @end table >  @end deftp > > +@deftp {Data Type} mpd-credential > +Data type representing an @command{mpd} password/permissions pair. > + >  @deftp {Data Type} mpd-output >  Data type representing an @command{mpd} audio output. > > +@table @asis > +@item @code{password} (default: @code{""}) > +The password used to authenticate.  The password may not contain "@". > + > +@item @code{permissions} (default: @code{'()}) > +The permissions one gains after authenticating to the server using @code{password}. > +This should be a subset of @code{'(read add control admin)}, as in > +@code{default-permissions}. > + > +@end table > +@end deftp > + >  @table @asis >  @item @code{name} (default: @code{"MPD"}) >  The name of the audio output. > diff --git a/gnu/services/audio.scm b/gnu/services/audio.scm > index 345d8225b2..9a6dc8db94 100644 > --- a/gnu/services/audio.scm > +++ b/gnu/services/audio.scm > @@ -26,6 +26,8 @@ >    #:use-module (ice-9 match) >    #:export (mpd-output >              mpd-output? > +            mpd-credential > +            mpd-credential? >              mpd-configuration >              mpd-configuration? >              mpd-service-type)) 
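Review bot: in the doc/guix.texi hunk the new `@deftp {Data Type} mpd-credential` is opened before the existing `@deftp {Data Type} mpd-output` and only the added `+@end deftp` closes it, so the two data types end up nested and the password/permissions table is rendered under the mpd-output heading; move the two existing lines `@deftp {Data Type} mpd-output` / `Data type representing an @command{mpd} audio output.` down to just after the added `+@end deftp`. The literal `"@"` in the password description must also be written `@@` in Texinfo. Finally, the documented default `'(read add control admin)` for default-permissions grants admin rights to every client that connects without a password; the text should say that anyone configuring credentials is expected to narrow default-permissions at the same time.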
> @@ -36,6 +38,16 @@ >  ;;; >  ;;; Code: > > +(define-record-type* > +  mpd-credential make-mpd-credential > +  mpd-credential? > +  (password    mpd-credential-password > +               ;; valid: any string that does not contain #\@ > +               (default "")) > +  (permissions mpd-credential-permissions > +               ;; valid: any subset of read, add, control and admin > +               (default '()))) > + >  (define-record-type* >    mpd-output make-mpd-output >    mpd-output? 
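Review bot: the two constraints stated in the comments of the new mpd-credential record (`valid: any string that does not contain #\@` and `valid: any subset of read, add, control and admin`) are not enforced anywhere, so a bad value only shows up as a misparsed `password` line in mpd.conf at run time; define-record-type* accepts a `(sanitize ...)` field option, so check both fields there and raise a configuration error instead of writing the value out.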
> @@ -58,24 +70,41 @@ >  (define-record-type* >    mpd-configuration make-mpd-configuration >    mpd-configuration? > -  (user         mpd-configuration-user > -                (default "mpd")) > -  (music-dir    mpd-configuration-music-dir > -                (default "~/Music")) > -  (playlist-dir mpd-configuration-playlist-dir > -                (default "~/.mpd/playlists")) > -  (db-file      mpd-configuration-db-file > -                (default "~/.mpd/tag_cache")) > -  (state-file   mpd-configuration-state-file > -                (default "~/.mpd/state")) > -  (sticker-file mpd-configuration-sticker-file > -                (default "~/.mpd/sticker.sql")) > -  (port         mpd-configuration-port > -                (default "6600")) > -  (address      mpd-configuration-address > -                (default "any")) > -  (outputs      mpd-configuration-outputs > -                (default (list (mpd-output))))) > +  (user                mpd-configuration-user > +                       (default "mpd")) > +  (music-dir           mpd-configuration-music-dir > +                       (default "~/Music")) > +  (playlist-dir        mpd-configuration-playlist-dir > +                       (default "~/.mpd/playlists")) > +  (db-file             mpd-configuration-db-file > +                       (default "~/.mpd/tag_cache")) > +  (state-file          mpd-configuration-state-file > +                       (default "~/.mpd/state")) > +  (sticker-file        mpd-configuration-sticker-file > +                       (default "~/.mpd/sticker.sql")) > +  (port                mpd-configuration-port > +                       (default "6600")) > +  (address             mpd-configuration-address > +                       (default "any")) > +  (credentials         mpd-configuration-credentials > +                       (default '())) > +  (default-permissions mpd-configuration-default-permissions > +                       (default '(read add control admin))) > +  (outputs             
mpd-configuration-outputs > +                       (default (list (mpd-output))))) > + > +(define (mpd-permissions->string permissions) > +  (string-join (map symbol->string > +                    permissions) > +               ",")) > + > +(define (mpd-credential->string credential) > +  "Convert the USER of type to a configuration file snippet." > +  (format #f > +          "password \"~a@~a\"\n" > +          (mpd-credential-password credential) > +          (mpd-permissions->string > +           (mpd-credential-permissions credential)))) > >  (define (mpd-output->string output) >    "Convert the OUTPUT of type to a configuration file snippet." > @@ -110,8 +139,14 @@ audio_output { >    (apply >     mixed-text-file "mpd.conf" >     "pid_file \"" (mpd-file-name config "pid") "\"\n" > +   "default_permissions \"" > +   (mpd-permissions->string > +    (mpd-configuration-default-permissions config)) > +   "\"\n" >     (append (map mpd-output->string >                  (mpd-configuration-outputs config)) > +           (map mpd-credential->string > +                (mpd-configuration-credentials config)) >             (map (match-lambda >                    ((config-name config-val) >                     (string-append config-name " \"" (config-val config) "\"\n"))) 
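Review bot: in `mpd-credential->string` the password is interpolated into `"password \"~a@~a\"\n"` through `~a` with no escaping, so a password containing `"` or a newline corrupts the generated mpd.conf or turns into additional directives; escape the value or reject such passwords together with the documented `@` rule. The docstring `"Convert the USER of type to a configuration file snippet."` was copied from mpd-output->string and should describe CREDENTIAL. The re-indentation of every existing mpd-configuration field is forced by the longer field name, but it would be easier to review as a separate whitespace-only commit.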
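Review bot: `(map mpd-credential->string (mpd-configuration-credentials config))` writes each password line into the mpd.conf produced by `mixed-text-file`, which is a world-readable item under /gnu/store; a secret must not be serialised there at all. The service should instead emit an MPD `include` of a file outside the store that the administrator provisions by hand with restrictive permissions, and `default_permissions` can stay in the store-generated file since it is not secret.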
> @@ -143,10 +178,10 @@ audio_output { >               #:environment-variables >               ;; Required to detect PulseAudio when run under a user account. >               '(#$(string-append > -                   "XDG_RUNTIME_DIR=/run/user/" > -                   (number->string > -                     (passwd:uid > -                       (getpwnam (mpd-configuration-user config)))))) > +                  "XDG_RUNTIME_DIR=/run/user/" > +                  (number->string > +                   (passwd:uid > +                    (getpwnam (mpd-configuration-user config)))))) >               #:log-file #$(mpd-file-name config "log"))) >     (stop  #~(make-kill-destructor)))) >

I know it's rather late to reply to this patch, yet I believe it's worth stating:

1. mpd-service-type has gone through extensive refactoring, which makes this patch no longer apply.

2. This kind of change poses a problem: your credentials will get stored under /gnu/store, which is world readable. Hardly the place you want to use to store secrets like credential data.

As such, the best course of action is to use an "include …" directive, which you can do via the 'extra-options' field, and point it at a file containing the credentials (which you have to provision manually).

Cheers,
Bruno
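Review bot: the @@ -143,10 +178,10 hunk is a whitespace-only re-indentation of the XDG_RUNTIME_DIR expression and has nothing to do with credentials or permissions; drop it from this patch or send it as a separate commit so the functional change stays easy to review.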
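One way to apply the suggestion in the reply, shown as an added example that is neither the submitted patch nor code from the Guix project: the weak variant keeps the password in the system configuration, so it ends up in the store-generated mpd.conf, while the hardened variant only references a file provisioned by hand outside the store through MPD's `include` directive. The alist shape of `extra-options` and the path `/etc/mpd/credentials.conf` are assumptions.

```scheme
;; Added example, not part of the patch or the reply.
;;
;; Weak variant (what the patch would do): the password becomes part of
;; the generated mpd.conf, a world-readable item under /gnu/store.
;;
;;   (mpd-configuration
;;     (credentials (list (mpd-credential (password "hunter2")
;;                                        (permissions '(read add control))))))
;;
;; Hardened variant: the system configuration carries only a reference to
;; a file that lives outside the store.  ASSUMPTION: the refactored
;; `extra-options' field takes an alist of (key . value) pairs that are
;; serialised as `key "value"' lines in mpd.conf.
(use-modules (gnu services)
             (gnu services audio))

(define %mpd-credentials-file
  ;; Constructed path.  Create it as root, mode 0600, owned by the account
  ;; MPD runs as (the `user' field of mpd-configuration), never in the store.
  "/etc/mpd/credentials.conf")

(define mpd-service
  (service mpd-service-type
           (mpd-configuration
            ;; MPD's `include' directive reads further directives from the
            ;; named file, so the password never enters /gnu/store.
            (extra-options `((include . ,%mpd-credentials-file))))))

;; Contents of /etc/mpd/credentials.conf (MPD's own configuration syntax;
;; these are the directives the patch generated inline):
;;
;;   default_permissions "read"
;;   password "hunter2@read,add,control"
;;
;; Clients that connect without a password get read-only access; the
;; password unlocks add and control without granting admin.
```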