From 89d53c4fe0eafb6c428f09585fa7de49ea65dfa8 Mon Sep 17 00:00:00 2001
From: candifloss
Date: Mon, 22 Dec 2025 14:00:54 +0530
Subject: [PATCH] Minimal PAM auth module - Test without screen lock or input grab - CLI
---
 glock/Cargo.toml | 3 +++
 glock/src/auth.rs | 36 ++++++++++++++++++++++++++++++++++++
 glock/src/main.rs | 27 +++++++++++++++++++++++++--
 3 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 glock/src/auth.rs
diff --git a/glock/Cargo.toml b/glock/Cargo.toml
index 54f22cf..a920a3b 100644
--- a/glock/Cargo.toml
+++ b/glock/Cargo.toml
@@ -6,3 +6,6 @@ description = "Screen locker for your desktop"

 [dependencies]
 glock-conf = { version = "0.1.0", path = "../glock-conf" }
+pam = "0.8.0"
+rpassword = "7.4.0"
+uzers = "0.12.2"
diff --git a/glock/src/auth.rs b/glock/src/auth.rs
new file mode 100644
index 0000000..1a63fe2
--- /dev/null
+++ b/glock/src/auth.rs
@@ -0,0 +1,36 @@
+use pam::Client;
+use std::error::Error;
+use uzers::get_current_username;
+
+/// Authenticate the current user using PAM.
+///
+/// The caller provides the password. This function:
+/// - resolves the current username securely
+/// - runs PAM authentication
+/// - returns Ok on success
+/// - returns Err on failure
+///
+/// UI code should not care how PAM works internally.
+pub fn authenticate(password: &str) -> Result<(), Box> {
+ // Resolve the current user via the kernel and NSS.
+ // Environment variables are not trusted.
+ let username = get_current_username()
+ .ok_or("Failed to resolve current username")?
+ .to_string_lossy()
+ .into_owned();
+
+ // Initialize PAM with the `login` service.
+ // This will later be replaced by a dedicated `glock` service.
+ let mut client = Client::with_password("login")?;
+
+ // Supply credentials to the PAM conversation.
+ // PAM will request these during authentication.
+ client
+ .conversation_mut()
+ .set_credentials(username, password.to_owned());
+
+ // Perform authentication.
+ client.authenticate()?;
+
+ Ok(())
+}
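Review bot: Three third-party crates enter the authentication path here (`pam`, `rpassword`, `uzers`), yet the diffstat lists no `Cargo.lock` change, so the lockfile looks untracked in this repository. Each requirement such as `pam = "0.8.0"` is a caret range, meaning a fresh build may resolve a newer compatible release than the one that was tested. For a screen-locker binary it is worth committing `Cargo.lock` so the versions that were reviewed are the ones that get built; if the lockfile is tracked and simply updated in another commit, this can be ignored.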
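Review bot: `to_string_lossy()` in `authenticate` silently replaces any non-UTF-8 bytes of the account name with U+FFFD, so PAM would be asked about a name that differs from the one `get_current_username()` returned. Failing explicitly is the safer behaviour on an auth path: replace the `.to_string_lossy().into_owned()` pair with `.into_string().map_err(|_| "Current username is not valid UTF-8")?`. Separately, `password.to_owned()` hands a second heap copy of the password to the PAM conversation, and nothing in this hunk wipes it once `client` goes out of scope. A short comment at that call, e.g. `// NOTE: this copy of the password stays in the conversation until client is dropped and is not wiped`, would keep that visible for the later hardening pass.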
diff --git a/glock/src/main.rs b/glock/src/main.rs
index e7a11a9..3864a69 100644
--- a/glock/src/main.rs
+++ b/glock/src/main.rs
@@ -1,3 +1,26 @@
-fn main() {
- println!("Hello, world!");
+use rpassword::prompt_password;
+use std::error::Error;
+
+mod auth;
+
+fn main() -> Result<(), Box> {
+ println!("glock PAM test");
+
+ loop {
+ // Prompt for password without echo.
+ let password = prompt_password("Password: ")?;
+
+ // Authenticate.
+ match auth::authenticate(&password) {
+ Ok(()) => {
+ println!("Authentication successful");
+ break;
+ }
+ Err(_) => {
+ println!("Authentication failed\n");
+ }
+ }
+ }
+
+ Ok(())
 }
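Review bot: The `Err(_)` arm discards the error, so a PAM initialisation failure or an unresolved username from `auth::authenticate` prints the same "Authentication failed" as a wrong password, and the loop then prompts forever with no hint of the cause. Record the cause on a diagnostic channel while keeping the user-facing text generic, e.g. `Err(e) => { eprintln!("auth error: {e}"); println!("Authentication failed\n"); }`. The `?` on `prompt_password` is harmless in this CLI test, but once the loop guards a real lock an I/O error there would end `main`; that path should keep the lock held rather than return. A comment such as `// TODO: must not exit on prompt errors once the screen is locked` would mark it.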