FabInfra-Mirror/borepin
1
0
Fork 0
mirror of https://gitlab.com/fabinfra/fabaccess/borepin.git synced 2025-03-12 14:51:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added: New API Connection

Browse Source
This commit is contained in:
TheJoKlLa 2022-03-12 22:52:28 +01:00
parent eaa18af8c2
commit 2eebf91aab
9 changed files with 184 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.editorconfig
View File

@ -2,3 +2,4 @@
# MA0003: Add argument name to improve readability # MA0003: Add argument name to improve readability
dotnet_diagnostic.MA0003.severity = none dotnet_diagnostic.MA0003.severity = none
csharp_style_prefer_switch_expression=false:suggestion

181
FabAccessAPI/Auth.cs
View File

@ -1,175 +1,78 @@
using FabAccessAPI.Schema; using FabAccessAPI.Schema;
using S22.Sasl; using S22.Sasl;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks; using System.Threading.Tasks;
using Exception = System.Exception; using FabAccessAPI.Exceptions;
using System.Linq;
namespace FabAccessAPI namespace FabAccessAPI
{ {
/// Authentication Identity
///
/// Under the hood a string because the form depends heavily on the method
public struct AuthCId
{
public string Id { get; private set; }
public AuthCId(string id) : this() { Id = id; }
}
/// Authorization Identity
///
/// This identity is internal to FabAccess and completely independent from the authentication
/// method or source
public struct AuthZId
{
/// Main User ID. Generally an user name or similar
public string Uid;
/// Sub user ID.
///
/// Can change scopes for permissions, e.g. having a +admin account with more permissions than
/// the default account and +dashboard et.al. accounts that have restricted permissions for
/// their applications
public string Subuid;
/// Realm this account originates.
///
/// The Realm is usually described by a domain name but local policy may dictate an unrelated
/// mapping
public string Realm;
}
/// Authentication/Authorization user object.
///
/// This struct contains the user as is passed to the actual authentication/authorization
/// subsystems
///
public struct AuthUser
{
/// Contains the Authentication ID used
///
/// The authentication ID is an identifier for the authentication exchange. This is different
/// than the ID of the user to be authenticated; for example when using x509 the authcid is
/// the dn of the certificate, when using GSSAPI the authcid is of form `<userid>@<REALM>`
public AuthCId Authcid;
/// Contains the Authorization ID
///
/// This is the identifier of the user to *authenticate as*. This in several cases is different
/// to the `authcid`:
/// If somebody wants to authenticate as somebody else, su-style.
/// If a person wants to authenticate as a higher-permissions account, e.g. foo may set authzid foo+admin
/// to split normal user and "admin" accounts.
/// If a method requires a specific authcid that is different from the identifier of the user
/// to authenticate as, e.g. GSSAPI, x509 client certificates, API TOKEN authentication.
public AuthZId Authzid;
/// Contains the authentication method used
///
/// For the most part this is the SASL method
public string AuthMethod;
/// Method-specific key-value pairs
///
/// Each method can use their own key-value pairs.
/// E.g. EXTERNAL encodes the actual method used (x509 client certs, UID/GID for unix sockets,
/// ...)
public Dictionary<string, string> Kvs;
}
// Authentication has two parts: Granting the authentication itself and then performing the
// authentication.
// Granting the authentication checks if
// a) the given authcid fits with the given (authMethod, kvs). In general a failure here indicates
// a programming failure — the authcid come from the same source as that tuple
// b) the given authcid may authenticate as the given authzid. E.g. if a given client certificate
// has been configured for that user, if a GSSAPI user maps to a given user,
public enum AuthError
{
/// Authentication ID is bad/unknown/..
BadAuthcid,
/// Authorization ID is unknown/..
BadAuthzid,
/// Authorization ID is not of form user+uid@realm
MalformedAuthzid,
/// User may not use that authorization id
NotAllowedAuthzid,
}
public class UnauthorizedException : Exception { }
public class UnsupportedMechanismException : Exception { }
/// <summary> /// <summary>
/// THIS IS VERY INCOMPLETE! /// Authenticate with SASL
/// </summary> /// </summary>
public class Auth public class Auth
{ {
#region Log #region Private Fields
//private static readonly log4net.ILog _Log = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType); private readonly IAuthentication _AuthCap;
#endregion #endregion
private readonly IAuthenticationSystem _AuthCap; #region Constructors
public Auth(IAuthenticationSystem authCap) public Auth(IAuthentication authCap)
{ {
_AuthCap = authCap; _AuthCap = authCap;
} }
#endregion
public Task<IReadOnlyList<string>> GetMechanisms() #region Methods
public async Task<Session> Authenticate(string mech, Dictionary<string, object> properties)
{ {
return _AuthCap.Mechanisms(); SaslMechanism? saslMechanism = SaslFactory.Create(mech);
}
public async Task<bool> Authenticate(string mech, Dictionary<string, object> properties)
{
SaslMechanism? m = SaslFactory.Create(mech);
foreach (KeyValuePair<string, object> entry in properties) foreach (KeyValuePair<string, object> entry in properties)
{ {
m.Properties.Add(entry.Key, entry.Value); saslMechanism.Properties.Add(entry.Key, entry.Value);
} }
Request.initialResponse? initialResponse = new Request.initialResponse(); byte[] data = new byte[0];
if (m.HasInitial)
if (saslMechanism.HasInitial)
{ {
initialResponse.Initial = m.GetResponse(new byte[0]); data = saslMechanism.GetResponse(new byte[0]);
} }
Request? req = new Request Response? response = await _AuthCap.Step(data);
while (!saslMechanism.IsCompleted)
{ {
Mechanism = m.Name, if(response.Failed != null)
InitialResponse = initialResponse
};
Response? resp = await _AuthCap.Start(req);
while (!m.IsCompleted)
{
if (resp.which == Response.WHICH.Challence)
{ {
byte[]? additional = m.GetResponse(resp.Challence.ToArray()); switch (response.Failed.Code)
resp = await _AuthCap.Step(additional); {
case Response.Error.badMechanism:
throw new BadMechanismException();
case Response.Error.invalidCredentials:
throw new InvalidCredentialsException();
case Response.Error.aborted:
case Response.Error.failed:
default:
throw new AuthenticationFailedException(response.Failed.AdditionalData.ToArray());
}
}
if(response.Successful != null)
{
return response.Successful.Session;
}
if(response.Challenge != null)
{
byte[]? additional = saslMechanism.GetResponse(response.Challenge.ToArray());
response = await _AuthCap.Step(additional);
} }
else else
{ {
break; throw new AuthenticationFailedException();
} }
} }
if (resp.which == Response.WHICH.Outcome) throw new AuthenticationFailedException();
{
if (resp.Outcome.Result == Response.Result.successful)
{
return true;
}
else
{
//TODO: Provide meaningful info about auth failure
return false;
}
}
return false;
} }
#endregion
} }
} }

47
FabAccessAPI/Connection.cs
View File

@ -1,4 +1,5 @@
using Capnp.Rpc; using Capnp.Rpc;
using FabAccessAPI.Exceptions;
using FabAccessAPI.Schema; using FabAccessAPI.Schema;
using System; using System;
using System.Collections.Generic; using System.Collections.Generic;
@ -24,12 +25,13 @@ namespace FabAccessAPI
{ {
RpcClient = rpcClient; RpcClient = rpcClient;
_BootstrapCap = RpcClient.GetMain<IBootstrap>(); _BootstrapCap = RpcClient.GetMain<IBootstrap>();
//_Log.Debug($"Done bootstraping API connection.");
} }
#endregion #endregion
#region Fields #region Fields
public TcpRpcClient? RpcClient { get; } = null; public TcpRpcClient? RpcClient { get; } = null;
public Session? Session { get; private set; } = null;
#endregion #endregion
#region Methods #region Methods
@ -40,48 +42,21 @@ namespace FabAccessAPI
/// <param name="mech">The desired authentication mechanism</param> /// <param name="mech">The desired authentication mechanism</param>
/// <param name="kvs">Key-Value data specific to the mechanism</param> /// <param name="kvs">Key-Value data specific to the mechanism</param>
/// <returns></returns> /// <returns></returns>
public async Task<bool> Auth(string mech, Dictionary<string, object> kvs, CancellationToken cancellationToken_ = default) public async Task Auth(string mech, Dictionary<string, object> kvs, CancellationToken cancellationToken_ = default)
{ {
if(_Auth == null) IReadOnlyList<string>? mechs = await _BootstrapCap.Mechanisms();
{
IAuthenticationSystem? authCap = await _BootstrapCap.AuthenticationSystem(cancellationToken_).ConfigureAwait(false);
_Auth = new Auth(authCap);
}
IReadOnlyList<string>? mechs = await _Auth.GetMechanisms();
if (!mechs.Contains(mech)) if (!mechs.Contains(mech))
{ {
throw new UnsupportedMechanismException(); throw new UnsupportedMechanismException();
} }
return await _Auth.Authenticate(mech, kvs); if (_Auth == null)
} {
IAuthentication? authCap = await _BootstrapCap.CreateSession(mech, cancellationToken_).ConfigureAwait(false);
_Auth = new Auth(authCap);
}
/// <summary> Session = await _Auth.Authenticate(mech, kvs);
/// Get a wrapped capability to interact with machines
/// </summary>
/// <returns>A wrapped capability to interact with machines</returns>
public async Task<IMachineSystem> AccessMachineSystem()
{
return await _BootstrapCap.MachineSystem();
}
/// <summary>
/// Get a wrapped capability to interact with users
/// </summary>
/// <returns>A wrapped capability to interact with users</returns>
public async Task<IUserSystem> AccessUserSystem()
{
return await _BootstrapCap.UserSystem();
}
/// <summary>
/// Get a wrapped capability to interact with permissions
/// </summary>
/// <returns>A wrapped capability to interact with permissions</returns>
public async Task<IPermissionSystem> AccessPermissionSystem()
{
return await _BootstrapCap.PermissionSystem();
} }
#endregion #endregion
} }

28
FabAccessAPI/Exceptions/AuthenticationFailedException.cs Normal file
View File

@ -0,0 +1,28 @@
using System;
namespace FabAccessAPI.Exceptions
{
public class AuthenticationFailedException : Exception
{
#region Constructors
public AuthenticationFailedException(byte[] additionalData = null)
{
AdditionalData = additionalData;
}
public AuthenticationFailedException(byte[] additionalData, string message) : base(message)
{
AdditionalData = additionalData;
}
public AuthenticationFailedException(byte[] additionalData, string message, Exception inner) : base(message, inner)
{
AdditionalData = additionalData;
}
#endregion
#region Fields
public byte[]? AdditionalData { get; }
#endregion
}
}

22
FabAccessAPI/Exceptions/BadMechanismException.cs Normal file
View File

@ -0,0 +1,22 @@
using System;
namespace FabAccessAPI.Exceptions
{
public class BadMechanismException : Exception
{
public BadMechanismException()
{
}
public BadMechanismException(string message) : base(message)
{
}
public BadMechanismException(string message, Exception inner) : base(message, inner)
{
}
}
}

22
FabAccessAPI/Exceptions/InvalidCredentialsException.cs Normal file
View File

@ -0,0 +1,22 @@
using System;
namespace FabAccessAPI.Exceptions
{
public class InvalidCredentialsException : Exception
{
public InvalidCredentialsException()
{
}
public InvalidCredentialsException(string message) : base(message)
{
}
public InvalidCredentialsException(string message, Exception inner) : base(message, inner)
{
}
}
}

22
FabAccessAPI/Exceptions/UnsupportedMechanismException.cs Normal file
View File

@ -0,0 +1,22 @@
using System;
namespace FabAccessAPI.Exceptions
{
public class UnsupportedMechanismException : Exception
{
public UnsupportedMechanismException()
{
}
public UnsupportedMechanismException(string message) : base(message)
{
}
public UnsupportedMechanismException(string message, Exception inner) : base(message, inner)
{
}
}
}

2
FabAccessAPI/schema

@ -1 +1 @@
Subproject commit c855646a90958ae575d58be074d187acb9f8f4fa Subproject commit c9283ebd696ed6dd428a7c3d24820889f7ab4bf3

35
FabAccessAPI_Test/Connection_Test.cs Normal file
View File

@ -0,0 +1,35 @@
using Capnp.Rpc;
using FabAccessAPI;
using NUnit.Framework;
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
namespace FabAccessAPI_Test
{
public class Connection_Test
{
[TestCase("test.fab-access.org", 59661)]
public async Task Connect(string host, int port)
{
TcpRpcClient tcpRpcClient = new TcpRpcClient();
tcpRpcClient.Connect(host, port);
await tcpRpcClient.WhenConnected;
Connection connection = new Connection(tcpRpcClient);
}
[TestCase("test.fab-access.org", 59661, "Testuser", "secret")]
public async Task Authenticate_PLAIN(string host, int port, string username, string password)
{
TcpRpcClient tcpRpcClient = new TcpRpcClient();
tcpRpcClient.Connect(host, port);
await tcpRpcClient.WhenConnected;
Connection connection = new Connection(tcpRpcClient);
await connection.Auth("PLAIN", new Dictionary<string, object>(StringComparer.Ordinal) { { "Username", username }, { "Password", password } });
Assert.IsNotNull(connection.Session);
}
}
}