From 1645f3314c751e985de4c56b4e86a14197c0ed2e Mon Sep 17 00:00:00 2001
From: aiju
Date: Fri, 24 Feb 2017 00:54:40 +0100
Subject: [PATCH] add auth/asaudit
---
 sys/src/cmd/auth/asaudit.c | 106 +++++++++++++++++++++++++++++++++++++
 sys/src/cmd/auth/mkfile | 1 +
 2 files changed, 107 insertions(+)
 create mode 100644 sys/src/cmd/auth/asaudit.c
diff --git a/sys/src/cmd/auth/asaudit.c b/sys/src/cmd/auth/asaudit.c
new file mode 100644
index 000000000..12c5e4e8c
--- /dev/null
+++ b/sys/src/cmd/auth/asaudit.c
@@ -0,0 +1,106 @@
+#include
+#include
+#include
+#include
+#include
+
+int havenvram;
+Nvrsafe nvr;
+char eve[128];
+Ndb *db;
+
+void
+geteve(void)
+{
+ int fd;
+
+ fd = open("#c/hostowner", OREAD);
+ if(fd < 0) sysfatal("open: %r");
+ memset(eve, 0, sizeof(eve));
+ if(read(fd, eve, sizeof(eve)-1) < 0) sysfatal("read: %r");
+ close(fd);
+ if(strcmp(getuser(), eve) != 0) print("hostowner is %#q, but running as %#q\n", eve, getuser());
+}
+
+void
+ndb(void)
+{
+ db = ndbopen(nil);
+ if(db == nil){
+ print("ndbopen: %r");
+ return;
+ }
+}
+
+void
+nvram(void)
+{
+ char *auth;
+
+ if(readnvram(&nvr, 0) < 0){
+ print("readnvram: %r\n");
+ return;
+ }
+ havenvram = 1;
+ print("found nvram key for user '%s@%s'\n", nvr.authid, nvr.authdom);
+ if(strcmp(eve, nvr.authid) != 0) print("nvram authid doesn't match hostowner %#q\n", eve);
+ if(db != nil){
+ auth = ndbgetvalue(db, nil, "authdom", nvr.authdom, "auth", nil);
+ if(auth == nil) print("authdom %#q not found in ndb\n", nvr.authdom);
+ else{
+ print("ndb says authdom %#q corresponds to auth server %#q\n", nvr.authdom, auth);
+ free(auth);
+ }
+ }
+}
+
+void
+keyfs(void)
+{
+ char *buf;
+ int fd;
+ char aes[AESKEYLEN];
+
+ if(!havenvram) return;
+ if(access("/adm/keys", AREAD) < 0){
+ print("no access to /adm/keys\n");
+ return;
+ }
+ print("starting keyfs\n");
+ rfork(RFNAMEG);
+ switch(fork()){
+ case -1:
+ sysfatal("fork: %r");
+ case 0:
+ if(execl("/bin/auth/keyfs", "auth/keyfs", "-r", nil) < 0)
+ sysfatal("execl: %r");
+ }
+ waitpid();
+ buf = smprint("/mnt/keys/%s/aeskey", nvr.authid);
+ fd = open(buf, OREAD);
+ if(fd < 0){
+ print("can't get key from keyfs: %r");
+ return;
+ }
+ werrstr("short read");
+ if(read(fd, aes, sizeof(aes)) < sizeof(aes)){
+ print("read: %r");
+ close(fd);
+ return;
+ }
+ if(memcmp(nvr.aesmachkey, aes, AESKEYLEN) != 0)
+ print("key in keyfs does not match nvram\n");
+ else
+ print("key in keyfs matches nvram\n");
+ close(fd);
+}
+
+void
+main()
+{
+ quotefmtinstall();
+ geteve();
+ ndb();
+ nvram();
+ keyfs();
+}
diff --git a/sys/src/cmd/auth/mkfile b/sys/src/cmd/auth/mkfile
index 3bb30b84f..c9c8a1c4b 100644
--- a/sys/src/cmd/auth/mkfile
+++ b/sys/src/cmd/auth/mkfile
@@ -4,6 +4,7 @@
 #
 TARG=\
 as\
+ asaudit\
 asn12dsa\
 asn12rsa\
 authsrv\
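Review bot: In keyfs() in asaudit.c, the short-read guard `read(fd, aes, sizeof(aes)) < sizeof(aes)` only catches a failed read if the comparison is signed. If `sizeof` is unsigned in the compiler used to build this, a read returning -1 passes the guard, and the uninitialised `aes` buffer is compared against `nvr.aesmachkey`, so the audit prints a mismatch verdict that reflects an I/O error rather than the stored key. Writing the guard as `if(read(fd, aes, sizeof(aes)) != sizeof(aes)){` behaves the same under either signedness. In the same function, `buf` from `smprint` is neither checked for nil nor freed, and the key copy in `aes` stays on the stack at every return. A `free(buf);` right after `open`, and a `memset(aes, 0, sizeof(aes));` before each return that follows the read, would cover both.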