Big code change & refactoring commit

Move `token` into user module for lockchain-core. Start work on
a PAM authentication module which replaces the second layer
UserStore in API layer state (http being the only one for now).

This brings the `nix` and `pam-auth` dependencies, which unfortunately
currently don't work :(

6 files changed, 109 insertions, 3 deletions

diff --git a/lockchain-core/Cargo.toml b/lockchain-core/Cargo.toml
index cfddc0f..87d3f65 100644
--- a/lockchain-core/Cargo.toml
+++ b/lockchain-core/Cargo.toml
@@ -14,6 +14,9 @@ serde_derive = "1.0"
 serde_json = "1.0"
 serde = "1.0"
 
+nix = "0.11"
+pam-auth = "0.5"
+
 base64 = "0.8"
 bcrypt = "0.2"
 rand = "0.4"
diff --git a/lockchain-core/src/auth.rs b/lockchain-core/src/auth.rs
new file mode 100644
index 0000000..eceece0
--- /dev/null
+++ b/lockchain-core/src/auth.rs
@@ -0,0 +1,88 @@
+//! Provides an authentication module backed by PAM
+//!
+//! The way a user is authenticated is via the `lockchain` group
+//! and a simple writing/ deleting of a lock file.
+
+use nix::sys::wait::*;
+use nix::unistd::{fork, ForkResult};
+
+use pam_auth::{self, Authenticator, PamError, Result as PamResult};
+
+#[derive(Debug)]
+pub enum AuthError {
+    FailedFork,
+    FailedPAM,
+    InvalidUser,
+    UserNotAuthorised,
+}
+
+/// Simple way to authenticate a user for administrative actions
+/// 
+/// Attempts to open a PAM session for the provided user/pw combination
+/// then attempts to write to a tmpfile in the lockchain config directory.
+/// If this action is successful the user is either the same running the
+/// lockchain server *or* has access to the file via group permissions.
+/// 
+/// This does rely on `lockchain` being properly configured on the server
+/// i.e. not using public permissions for the configuration/ state directory.
+/// 
+/// **Note** as of `lockchain v0.9.0` this function has not been implemented
+/// yet due to issues in the `pam-auth` dependency.
+#[allow(unused_variables)]
+pub fn pam_authenticate(username: &str, password: &str) -> Result<(), AuthError> {
+    Err(AuthError::FailedPAM)
+
+
+    // match fork().map_err(|_| AuthError::FailedFork)? {
+    //     ForkResult::Parent { child } => {
+    //         waitpid(child, None).unwrap();
+    //         // kill(child, SIGKILL).expect("kill failed");
+    //     }
+    //     ForkResult::Child => {
+    // let mut auth = Authenticator::new("lockchain").ok_or(AuthError::FailedPAM)?;
+
+    // use std::error::Error;
+    // let service = "login";
+
+    // println!("Username: {}", username);
+    // println!("Password: {}", password);
+    // println!("Service:  {}", service);
+
+    // let mut auth = Authenticator::new(service).unwrap();
+    // auth.set_credentials(username, password);
+
+    // match auth.authenticate() {
+    //     Ok(()) => println!("authenticate() OK!"),
+    //     Err(e) => {
+    //         println!("authenticate() FAILED!");
+    //         println!("{}", e.description());
+    //         println!("{:#?}", e.cause());
+    //     }
+    // }
+
+    // match auth.open_session() {
+    //     Ok(()) => println!("open_session() OK!"),
+    //     Err(e) => {
+    //         println!("open_session() FAILED!");
+    //         println!("{}", e.description());
+    //         println!("{:#?}", e.cause());
+    //     }
+    // }
+
+    // auth.set_credentials(username, password);
+    // auth.authenticate().map_err(|_| AuthError::InvalidUser)?;
+    // auth.open_session().map_err(|_| AuthError::FailedPAM)?;
+
+    // use std::process::Command;
+    // let output = Command::new("su")
+    //     .arg(username)
+    //     .output()
+    //     .expect("failed to execute process");
+    // println!("whoami: {:#?}", String::from_utf8(output.stdout).unwrap());
+
+    // ::std::process::exit(255);
+    //     }
+    // }
+
+    // Ok(())
+}
diff --git a/lockchain-core/src/lib.rs b/lockchain-core/src/lib.rs
index 465f145..2c5b0d7 100644
--- a/lockchain-core/src/lib.rs
+++ b/lockchain-core/src/lib.rs
@@ -1,7 +1,6 @@
 //! Common library types used in lockchain crates
 #![feature(external_doc)]
 #![doc(include = "../README.md")]
-#![feature(non_modrs_mods)]
 
 #[macro_use]
 extern crate serde_derive;
@@ -13,6 +12,8 @@ extern crate base64;
 extern crate blake2;
 extern crate rand;
 extern crate keybob;
+extern crate nix;
+extern crate pam_auth;
 
 pub mod errors;
 pub mod traits;
@@ -20,7 +21,9 @@ pub mod crypto;
 pub mod users;
 mod meta;
 mod record;
+mod auth;
 
 pub use self::crypto::PackedData;
 pub use self::record::{Header, Payload, Record, EncryptedBody};
 pub use self::meta::{MetaDomain, VaultMetadata};
+pub use self::auth::pam_authenticate;
\ No newline at end of file
diff --git a/lockchain-core/src/traits.rs b/lockchain-core/src/traits.rs
index 96a2034..4e66d8f 100644
--- a/lockchain-core/src/traits.rs
+++ b/lockchain-core/src/traits.rs
@@ -178,3 +178,15 @@ impl Base64AutoEncoder for String {
         String::from_utf8(base64::decode(base64).unwrap()).unwrap()
     }
 }
+
+impl Base64AutoEncoder for Vec<u8> {
+    /// Automatically encode this string to base64
+    fn to_base64(&self) -> String {
+        base64::encode(self)
+    }
+
+    /// Craft a string from an existing base64 string slice
+    fn from_base64(base64: &str) -> String {
+        String::from_utf8(base64::decode(base64).unwrap()).unwrap()
+    }
+}
diff --git a/lockchain-core/src/users.rs b/lockchain-core/src/users/mod.rs
index ab40c43..29be002 100644
--- a/lockchain-core/src/users.rs
+++ b/lockchain-core/src/users/mod.rs
@@ -13,8 +13,8 @@
 //! `User` is also a serialisable struct which contains important
 //! data to load and store them into a metadata store.
 
-mod auth;
-pub use self::auth::Token;
+mod tokens;
+pub use self::tokens::Token;
 
 use crypto::{encoding, hashing, random};
 use std::collections::HashMap;
diff --git a/lockchain-core/src/users/auth.rs b/lockchain-core/src/users/tokens.rs
index e6e4854..e6e4854 100644
--- a/lockchain-core/src/users/auth.rs
+++ b/lockchain-core/src/users/tokens.rs