Message ID | 1ee4ef44362d20518fe69da7b6c37df5@airmail.cc |
---|---|
State | New |
Headers | show |
Series | [bug#40878] services: mpd: Allow authentication and permissions to be configured. | expand |
Context | Check | Description |
---|---|---|
cbaines/applying patch | fail | View Laminar job |
Hi, On 2020-04-26 21:16, pinoaffe@airmail.cc wrote: > * gnu/services/audio.scm (mpd-credential): New public variable. > * gnu/services/audio.scm (mpd-configuration): Add credentials > and permissions. > --- > doc/guix.texi | 23 ++++++++++++ > gnu/services/audio.scm | 79 ++++++++++++++++++++++++++++++------------ > 2 files changed, 80 insertions(+), 22 deletions(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index 6613a4af13..1693d938f1 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -23271,12 +23271,35 @@ an absolute path can be specified here. > @item @code{outputs} (default: @code{"(list (mpd-output))"}) > The audio outputs that MPD can use. By default this is a single output using pulseaudio. > > +@item @code{default-permissions} (default: @code{'(read add control admin)}) > +The permissions a user that connected to the mpd server without a password should enjoy. > +Should be a subset of @code{'(read add control admin)}. > + > +@item @code{credentials} (default: @code{'()}) > +The list of credentials one can use to sign in to mpd and gain extra permissions. By > +default this is an empty list. > + > @end table > @end deftp > > +@deftp {Data Type} mpd-credential > +Data type representing an @command{mpd} password/permissions pair. > + > @deftp {Data Type} mpd-output > Data type representing an @command{mpd} audio output. > > +@table @asis > +@item @code{password} (default: @code{""}) > +The password used to authenticate. The password may not contain "@". > + > +@item @code{permissions} (default: @code{'()}) > +The permissions one gains after authenticating to the server using @code{password}. > +This should be a subset of @code{'(read add control admin)}, as in > +@code{default-permissions}. > + > +@end table > +@end deftp > + > @table @asis > @item @code{name} (default: @code{"MPD"}) > The name of the audio output. > diff --git a/gnu/services/audio.scm b/gnu/services/audio.scm > index 345d8225b2..9a6dc8db94 100644 > --- a/gnu/services/audio.scm > +++ b/gnu/services/audio.scm > @@ -26,6 +26,8 @@ > #:use-module (ice-9 match) > #:export (mpd-output > mpd-output? > + mpd-credential > + mpd-credential? > mpd-configuration > mpd-configuration? > mpd-service-type)) > @@ -36,6 +38,16 @@ > ;;; > ;;; Code: > > +(define-record-type* <mpd-credential> > + mpd-credential make-mpd-credential > + mpd-credential? > + (password mpd-credential-password > + ;; valid: any string that does not contain #\@ > + (default "")) > + (permissions mpd-credential-permissions > + ;; valid: any subset of read, add, control and admin > + (default '()))) > + > (define-record-type* <mpd-output> > mpd-output make-mpd-output > mpd-output? > @@ -58,24 +70,41 @@ > (define-record-type* <mpd-configuration> > mpd-configuration make-mpd-configuration > mpd-configuration? > - (user mpd-configuration-user > - (default "mpd")) > - (music-dir mpd-configuration-music-dir > - (default "~/Music")) > - (playlist-dir mpd-configuration-playlist-dir > - (default "~/.mpd/playlists")) > - (db-file mpd-configuration-db-file > - (default "~/.mpd/tag_cache")) > - (state-file mpd-configuration-state-file > - (default "~/.mpd/state")) > - (sticker-file mpd-configuration-sticker-file > - (default "~/.mpd/sticker.sql")) > - (port mpd-configuration-port > - (default "6600")) > - (address mpd-configuration-address > - (default "any")) > - (outputs mpd-configuration-outputs > - (default (list (mpd-output))))) > + (user mpd-configuration-user > + (default "mpd")) > + (music-dir mpd-configuration-music-dir > + (default "~/Music")) > + (playlist-dir mpd-configuration-playlist-dir > + (default "~/.mpd/playlists")) > + (db-file mpd-configuration-db-file > + (default "~/.mpd/tag_cache")) > + (state-file mpd-configuration-state-file > + (default "~/.mpd/state")) > + (sticker-file mpd-configuration-sticker-file > + (default "~/.mpd/sticker.sql")) > + (port mpd-configuration-port > + (default "6600")) > + (address mpd-configuration-address > + (default "any")) > + (credentials mpd-configuration-credentials > + (default '())) > + (default-permissions mpd-configuration-default-permissions > + (default '(read add control admin))) > + (outputs mpd-configuration-outputs > + (default (list (mpd-output))))) > + > +(define (mpd-permissions->string permissions) > + (string-join (map symbol->string > + permissions) > + ",")) > + > +(define (mpd-credential->string credential) > + "Convert the USER of type <mpd-credential> to a configuration file snippet." > + (format #f > + "password \"~a@~a\"\n" > + (mpd-credential-password credential) > + (mpd-permissions->string > + (mpd-credential-permissions credential)))) > > (define (mpd-output->string output) > "Convert the OUTPUT of type <mpd-output> to a configuration file snippet." > @@ -110,8 +139,14 @@ audio_output { > (apply > mixed-text-file "mpd.conf" > "pid_file \"" (mpd-file-name config "pid") "\"\n" > + "default_permissions \"" > + (mpd-permissions->string > + (mpd-configuration-default-permissions config)) > + "\"\n" > (append (map mpd-output->string > (mpd-configuration-outputs config)) > + (map mpd-credential->string > + (mpd-configuration-credentials config)) > (map (match-lambda > ((config-name config-val) > (string-append config-name " \"" (config-val config) "\"\n"))) > @@ -143,10 +178,10 @@ audio_output { > #:environment-variables > ;; Required to detect PulseAudio when run under a user account. > '(#$(string-append > - "XDG_RUNTIME_DIR=/run/user/" > - (number->string > - (passwd:uid > - (getpwnam (mpd-configuration-user config)))))) > + "XDG_RUNTIME_DIR=/run/user/" > + (number->string > + (passwd:uid > + (getpwnam (mpd-configuration-user config)))))) > #:log-file #$(mpd-file-name config "log"))) > (stop #~(make-kill-destructor)))) > I know it's rather late to reply to this patch, yet I believe it's worth stating: 1. mpd-service-type has gone through extensive refactoring, which makes this patch no longer apply. 2. This kind of change poses a problem, your credentials will get stored under /gnu/store, which is world readable. Hardly the place you want to use to store secrets like credential data. As such, the best course of action is to use a "include …" directive, which you can via the 'extra-options' field, and point it at a file containing the credentials (which you have to provision manually). Cheers, Bruno
diff --git a/doc/guix.texi b/doc/guix.texi index 6613a4af13..1693d938f1 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -23271,12 +23271,35 @@ an absolute path can be specified here. @item @code{outputs} (default: @code{"(list (mpd-output))"}) The audio outputs that MPD can use. By default this is a single output using pulseaudio. +@item @code{default-permissions} (default: @code{'(read add control admin)}) +The permissions a user that connected to the mpd server without a password should enjoy. +Should be a subset of @code{'(read add control admin)}. + +@item @code{credentials} (default: @code{'()}) +The list of credentials one can use to sign in to mpd and gain extra permissions. By +default this is an empty list. + @end table @end deftp +@deftp {Data Type} mpd-credential +Data type representing an @command{mpd} password/permissions pair. + @deftp {Data Type} mpd-output Data type representing an @command{mpd} audio output. +@table @asis +@item @code{password} (default: @code{""}) +The password used to authenticate. The password may not contain "@". + +@item @code{permissions} (default: @code{'()}) +The permissions one gains after authenticating to the server using @code{password}. +This should be a subset of @code{'(read add control admin)}, as in +@code{default-permissions}. + +@end table +@end deftp + @table @asis @item @code{name} (default: @code{"MPD"}) The name of the audio output. diff --git a/gnu/services/audio.scm b/gnu/services/audio.scm index 345d8225b2..9a6dc8db94 100644 --- a/gnu/services/audio.scm +++ b/gnu/services/audio.scm @@ -26,6 +26,8 @@ #:use-module (ice-9 match) #:export (mpd-output mpd-output? + mpd-credential + mpd-credential? mpd-configuration mpd-configuration? mpd-service-type)) @@ -36,6 +38,16 @@ ;;; ;;; Code: +(define-record-type* <mpd-credential> + mpd-credential make-mpd-credential + mpd-credential? + (password mpd-credential-password + ;; valid: any string that does not contain #\@ + (default "")) + (permissions mpd-credential-permissions + ;; valid: any subset of read, add, control and admin + (default '()))) + (define-record-type* <mpd-output> mpd-output make-mpd-output mpd-output? @@ -58,24 +70,41 @@ (define-record-type* <mpd-configuration> mpd-configuration make-mpd-configuration mpd-configuration? - (user mpd-configuration-user - (default "mpd")) - (music-dir mpd-configuration-music-dir - (default "~/Music")) - (playlist-dir mpd-configuration-playlist-dir - (default "~/.mpd/playlists")) - (db-file mpd-configuration-db-file - (default "~/.mpd/tag_cache")) - (state-file mpd-configuration-state-file - (default "~/.mpd/state")) - (sticker-file mpd-configuration-sticker-file - (default "~/.mpd/sticker.sql")) - (port mpd-configuration-port - (default "6600")) - (address mpd-configuration-address - (default "any")) - (outputs mpd-configuration-outputs - (default (list (mpd-output))))) + (user mpd-configuration-user + (default "mpd")) + (music-dir mpd-configuration-music-dir + (default "~/Music")) + (playlist-dir mpd-configuration-playlist-dir + (default "~/.mpd/playlists")) + (db-file mpd-configuration-db-file + (default "~/.mpd/tag_cache")) + (state-file mpd-configuration-state-file + (default "~/.mpd/state")) + (sticker-file mpd-configuration-sticker-file + (default "~/.mpd/sticker.sql")) + (port mpd-configuration-port + (default "6600")) + (address mpd-configuration-address + (default "any")) + (credentials mpd-configuration-credentials + (default '())) + (default-permissions mpd-configuration-default-permissions + (default '(read add control admin))) + (outputs mpd-configuration-outputs + (default (list (mpd-output))))) + +(define (mpd-permissions->string permissions) + (string-join (map symbol->string + permissions) + ",")) + +(define (mpd-credential->string credential) + "Convert the USER of type <mpd-credential> to a configuration file snippet." + (format #f + "password \"~a@~a\"\n" + (mpd-credential-password credential) + (mpd-permissions->string + (mpd-credential-permissions credential)))) (define (mpd-output->string output)