[bug#40878] [PATCH] services: mpd: Allow authentication and permissions to be configured.

[Bruno Victal]

Hi,

On 2020-04-26 21:16, pinoaffe@airmail.cc wrote:
> * gnu/services/audio.scm (mpd-credential): New public variable.
> * gnu/services/audio.scm (mpd-configuration): Add credentials
> and permissions.
> ---
>  doc/guix.texi          | 23 ++++++++++++
>  gnu/services/audio.scm | 79 ++++++++++++++++++++++++++++++------------
>  2 files changed, 80 insertions(+), 22 deletions(-)
> 
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 6613a4af13..1693d938f1 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -23271,12 +23271,35 @@ an absolute path can be specified here.
>  @item @code{outputs} (default: @code{"(list (mpd-output))"})
>  The audio outputs that MPD can use.  By default this is a single output 
> using pulseaudio.
> 
> +@item @code{default-permissions} (default: @code{'(read add control admin)})
> +The permissions a user that connected to the mpd server without a password 
> should enjoy.
> +Should be a subset of @code{'(read add control admin)}.
> +
> +@item @code{credentials} (default: @code{'()})
> +The list of credentials one can use to sign in to mpd and gain extra 
> permissions.  By
> +default this is an empty list.
> +
>  @end table
>  @end deftp
> 
> +@deftp {Data Type} mpd-credential
> +Data type representing an @command{mpd} password/permissions pair.
> +
>  @deftp {Data Type} mpd-output
>  Data type representing an @command{mpd} audio output.
> 
> +@table @asis
> +@item @code{password} (default: @code{""})
> +The password used to authenticate.  The password may not contain "@".
> +
> +@item @code{permissions} (default: @code{'()})
> +The permissions one gains after authenticating to the server using 
> @code{password}.
> +This should be a subset of @code{'(read add control admin)}, as in
> +@code{default-permissions}.
> +
> +@end table
> +@end deftp
> +
>  @table @asis
>  @item @code{name} (default: @code{"MPD"})
>  The name of the audio output.
> diff --git a/gnu/services/audio.scm b/gnu/services/audio.scm
> index 345d8225b2..9a6dc8db94 100644
> --- a/gnu/services/audio.scm
> +++ b/gnu/services/audio.scm
> @@ -26,6 +26,8 @@
>    #:use-module (ice-9 match)
>    #:export (mpd-output
>              mpd-output?
> +            mpd-credential
> +            mpd-credential?
>              mpd-configuration
>              mpd-configuration?
>              mpd-service-type))
> @@ -36,6 +38,16 @@
>  ;;;
>  ;;; Code:
> 
> +(define-record-type* <mpd-credential>
> +  mpd-credential make-mpd-credential
> +  mpd-credential?
> +  (password    mpd-credential-password
> +               ;; valid: any string that does not contain #\@
> +               (default ""))
> +  (permissions mpd-credential-permissions
> +               ;; valid: any subset of read, add, control and admin
> +               (default '())))
> +
>  (define-record-type* <mpd-output>
>    mpd-output make-mpd-output
>    mpd-output?
> @@ -58,24 +70,41 @@
>  (define-record-type* <mpd-configuration>
>    mpd-configuration make-mpd-configuration
>    mpd-configuration?
> -  (user         mpd-configuration-user
> -                (default "mpd"))
> -  (music-dir    mpd-configuration-music-dir
> -                (default "~/Music"))
> -  (playlist-dir mpd-configuration-playlist-dir
> -                (default "~/.mpd/playlists"))
> -  (db-file      mpd-configuration-db-file
> -                (default "~/.mpd/tag_cache"))
> -  (state-file   mpd-configuration-state-file
> -                (default "~/.mpd/state"))
> -  (sticker-file mpd-configuration-sticker-file
> -                (default "~/.mpd/sticker.sql"))
> -  (port         mpd-configuration-port
> -                (default "6600"))
> -  (address      mpd-configuration-address
> -                (default "any"))
> -  (outputs      mpd-configuration-outputs
> -                (default (list (mpd-output)))))
> +  (user                mpd-configuration-user
> +                       (default "mpd"))
> +  (music-dir           mpd-configuration-music-dir
> +                       (default "~/Music"))
> +  (playlist-dir        mpd-configuration-playlist-dir
> +                       (default "~/.mpd/playlists"))
> +  (db-file             mpd-configuration-db-file
> +                       (default "~/.mpd/tag_cache"))
> +  (state-file          mpd-configuration-state-file
> +                       (default "~/.mpd/state"))
> +  (sticker-file        mpd-configuration-sticker-file
> +                       (default "~/.mpd/sticker.sql"))
> +  (port                mpd-configuration-port
> +                       (default "6600"))
> +  (address             mpd-configuration-address
> +                       (default "any"))
> +  (credentials         mpd-configuration-credentials
> +                       (default '()))
> +  (default-permissions mpd-configuration-default-permissions
> +                       (default '(read add control admin)))
> +  (outputs             mpd-configuration-outputs
> +                       (default (list (mpd-output)))))
> +
> +(define (mpd-permissions->string permissions)
> +  (string-join (map symbol->string
> +                    permissions)
> +               ","))
> +
> +(define (mpd-credential->string credential)
> +  "Convert the USER of type <mpd-credential> to a configuration file 
> snippet."
> +  (format #f
> +          "password \"~a@~a\"\n"
> +          (mpd-credential-password credential)
> +          (mpd-permissions->string
> +           (mpd-credential-permissions credential))))
> 
>  (define (mpd-output->string output)
>    "Convert the OUTPUT of type <mpd-output> to a configuration file snippet."
> @@ -110,8 +139,14 @@ audio_output {
>    (apply
>     mixed-text-file "mpd.conf"
>     "pid_file \"" (mpd-file-name config "pid") "\"\n"
> +   "default_permissions \""
> +   (mpd-permissions->string
> +    (mpd-configuration-default-permissions config))
> +   "\"\n"
>     (append (map mpd-output->string
>                  (mpd-configuration-outputs config))
> +           (map mpd-credential->string
> +                (mpd-configuration-credentials config))
>             (map (match-lambda
>                    ((config-name config-val)
>                     (string-append config-name " \"" (config-val config) 
> "\"\n")))
> @@ -143,10 +178,10 @@ audio_output {
>               #:environment-variables
>               ;; Required to detect PulseAudio when run under a user account.
>               '(#$(string-append
> -                   "XDG_RUNTIME_DIR=/run/user/"
> -                   (number->string
> -                     (passwd:uid
> -                       (getpwnam (mpd-configuration-user config))))))
> +                  "XDG_RUNTIME_DIR=/run/user/"
> +                  (number->string
> +                   (passwd:uid
> +                    (getpwnam (mpd-configuration-user config))))))
>               #:log-file #$(mpd-file-name config "log")))
>     (stop  #~(make-kill-destructor))))
> 

I know it's rather late to reply to this patch, yet I believe it's worth 
stating:

1. mpd-service-type has gone through extensive refactoring, which makes this 
patch no longer apply.
2. This kind of change poses a problem, your credentials will get stored under 
/gnu/store, which is
world readable. Hardly the place you want to use to store secrets like 
credential data.

As such, the best course of action is to use a "include …" directive, which you 
can via the 'extra-options'
field, and point it at a file containing the credentials (which you have to 
provision manually).


Cheers,
Bruno