feat: add support of pam authentication

Add naive implementation of user password check by calling su command.
Also change some authentication method to require username to be string
instead of optional string

docs/ahriman.core.auth.rst

@@ -36,6 +36,14 @@ ahriman.core.auth.oauth module
    :no-undoc-members:
    :show-inheritance:
 
+ahriman.core.auth.pam module
+----------------------------
+
+.. automodule:: ahriman.core.auth.pam
+   :members:
+   :no-undoc-members:
+   :show-inheritance:
+
 Module contents
 ---------------
 

docs/ahriman.core.rst

@@ -52,6 +52,14 @@ ahriman.core.tree module
    :no-undoc-members:
    :show-inheritance:
 
+ahriman.core.util module
+------------------------
+
+.. automodule:: ahriman.core.util
+   :members:
+   :no-undoc-members:
+   :show-inheritance:
+
 ahriman.core.utils module
 -------------------------
 

docs/configuration.rst

@@ -61,15 +61,17 @@ libalpm and AUR related configuration. Group name can refer to architecture, e.g
 
 Base authorization settings. ``OAuth`` provider requires ``aioauth-client`` library to be installed.
 
-* ``target`` - specifies authorization provider, string, optional, default ``disabled``. Allowed values are ``disabled``, ``configuration``, ``oauth``.
+* ``target`` - specifies authorization provider, string, optional, default ``disabled``. Allowed values are ``disabled``, ``configuration``, ``oauth``, ``pam``.
 * ``allow_read_only`` - allow requesting status APIs without authorization, boolean, required.
 * ``client_id`` - OAuth2 application client ID, string, required in case if ``oauth`` is used.
 * ``client_secret`` - OAuth2 application client secret key, string, required in case if ``oauth`` is used.
 * ``cookie_secret_key`` - secret key which will be used for cookies encryption, string, optional. It must be 32 bytes URL-safe base64-encoded and can be generated as following ``base64.urlsafe_b64encode(os.urandom(32)).decode("utf8")``. If not set, it will be generated automatically; note, however, that in this case, all sessions will be automatically invalidated during the service restart.
+* ``full_access_group`` - name of the secondary group (e.g. ``wheel``) to be used as admin group in the service, string, required in case if ``pam`` is used.
 * ``max_age`` - parameter which controls both cookie expiration and token expiration inside the service in seconds, integer, optional, default is 7 days.
 * ``oauth_icon`` - OAuth2 login button icon, string, optional, default is ``google``. Must be valid `Bootstrap icon <https://icons.getbootstrap.com/>`__ name.
 * ``oauth_provider`` - OAuth2 provider class name as is in ``aioauth-client`` (e.g. ``GoogleClient``, ``GithubClient`` etc), string, required in case if ``oauth`` is used.
 * ``oauth_scopes`` - scopes list for OAuth2 provider, which will allow retrieving user email (which is used for checking user permissions), e.g. ``https://www.googleapis.com/auth/userinfo.email`` for ``GoogleClient`` or ``user:email`` for ``GithubClient``, space separated list of strings, required in case if ``oauth`` is used.
+* ``permit_root_login`` - allow login as root user, boolean, optional, default ``no``.
 * ``salt`` - additional password hash salt, string, optional.
 
 Authorized users are stored inside internal database, if any of external providers (e.g. ``oauth``) are used, the password field for non-service users must be empty.

docs/faq.rst

@@ -1348,6 +1348,19 @@ How to enable basic authorization
 #.
    Restart web service ``systemctl restart ahriman-web``.
 
+Using PAM authentication
+""""""""""""""""""""""""
+
+There is also ability to allow system users to log in. To do so, the following configuration have to be set:
+
+.. code-block:: ini
+
+   [auth]
+   target = pam
+   full_access_group = wheel
+
+With this setup, every user (except root) will be able to log in by using system password. If user belongs to the ``wheel`` group, the full access will be automatically granted. It is also possible to manually add, block user or change user rights via usual user management process.
+
 How to enable OAuth authorization
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^