FabInfra-Mirror/borepin
1
0
Fork 0
mirror of https://gitlab.com/fabinfra/fabaccess/borepin.git synced 2025-06-11 11:03:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

stuff

Browse Source
This commit is contained in:
Kai Jan Kriegel
2020-11-07 22:08:40 +01:00
parent ac7acc9f72
commit a69d76474f
8 changed files with 377 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

181
FabAccessAPI/Auth.cs Normal file
View File

@ -0,0 +1,181 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Capnp;
using Capnp.Rpc;
using FabAccessAPI.Schema;
using S22.Sasl;
namespace FabAccessAPI
{
/// Authentication Identity
///
/// Under the hood a string because the form depends heavily on the method
public struct AuthCId {
public string Id { get; private set; }
public AuthCId(string id) : this() { Id = id; }
}
/// Authorization Identity
///
/// This identity is internal to FabAccess and completely independent from the authentication
/// method or source
public struct AuthZId {
/// Main User ID. Generally an user name or similar
public string Uid;
/// Sub user ID.
///
/// Can change scopes for permissions, e.g. having a +admin account with more permissions than
/// the default account and +dashboard et.al. accounts that have restricted permissions for
/// their applications
public string Subuid;
/// Realm this account originates.
///
/// The Realm is usually described by a domain name but local policy may dictate an unrelated
/// mapping
public string Realm;
}
/// Authentication/Authorization user object.
///
/// This struct contains the user as is passed to the actual authentication/authorization
/// subsystems
///
public struct User {
/// Contains the Authentication ID used
///
/// The authentication ID is an identifier for the authentication exchange. This is different
/// than the ID of the user to be authenticated; for example when using x509 the authcid is
/// the dn of the certificate, when using GSSAPI the authcid is of form `<userid>@<REALM>`
public AuthCId Authcid;
/// Contains the Authorization ID
///
/// This is the identifier of the user to *authenticate as*. This in several cases is different
/// to the `authcid`:
/// If somebody wants to authenticate as somebody else, su-style.
/// If a person wants to authenticate as a higher-permissions account, e.g. foo may set authzid foo+admin
/// to split normal user and "admin" accounts.
/// If a method requires a specific authcid that is different from the identifier of the user
/// to authenticate as, e.g. GSSAPI, x509 client certificates, API TOKEN authentication.
public AuthZId Authzid;
/// Contains the authentication method used
///
/// For the most part this is the SASL method
public string AuthMethod;
/// Method-specific key-value pairs
///
/// Each method can use their own key-value pairs.
/// E.g. EXTERNAL encodes the actual method used (x509 client certs, UID/GID for unix sockets,
/// ...)
public Dictionary<string, string> Kvs;
}
// Authentication has two parts: Granting the authentication itself and then performing the
// authentication.
// Granting the authentication checks if
// a) the given authcid fits with the given (authMethod, kvs). In general a failure here indicates
// a programming failure — the authcid come from the same source as that tuple
// b) the given authcid may authenticate as the given authzid. E.g. if a given client certificate
// has been configured for that user, if a GSSAPI user maps to a given user,
public enum AuthError {
/// Authentication ID is bad/unknown/..
BadAuthcid,
/// Authorization ID is unknown/..
BadAuthzid,
/// Authorization ID is not of form user+uid@realm
MalformedAuthzid,
/// User may not use that authorization id
NotAllowedAuthzid,
}
class Auth {
private IAuthentication _authCap;
public Auth(IAuthentication authCap) {
_authCap = authCap;
}
public Task<IReadOnlyList<string>> GetMechanisms() {
return _authCap.Mechanisms();
}
public async Task<bool> Handshake() {
var host = "localhost";
var asm = typeof(Api).Assembly;
var program = $"{asm.FullName}-{asm.GetName().Version}";
var version = (0u, 1u);
var message = new Greeting() {
Host = host,
Major = version.Item1,
Minor = version.Item2,
Program = program
};
var msg = MessageBuilder.Create();
var root = msg.BuildRoot<Schema.Greeting.WRITER>();
message.serialize(root);
var pump = new FramePump(stream);
pump.Send(msg.Frame);
var frame = Framing.ReadSegments(stream);
var deserializer = DeserializerState.CreateRoot(frame);
var reader = new Greeting.READER(deserializer);
var serverInfo = reader;
Console.WriteLine($"Server: {serverInfo.Host}");
Console.WriteLine($"Version: {serverInfo.Program}");
Console.WriteLine($"API-Version: {serverInfo.Major}.{serverInfo.Minor}");
}
public async Task<object> Authenticate(string mech, Dictionary<string, object> properties) {
var m = SaslFactory.Create(mech);
foreach (KeyValuePair<string, object> entry in properties) {
m.Properties.Add(entry.Key, entry.Value);
}
var initialResponse = new Request.initialResponse();
if (m.HasInitial) {
initialResponse.Initial = m.GetResponse(new byte[0]);
}
var req = new Request {
Mechanism = m.Name,
InitialResponse = initialResponse
};
var resp = await _authCap.Start(req);
while (!m.IsCompleted) {
if (resp.which == Response.WHICH.Challence) {
var additional = m.GetResponse(resp.Challence.ToArray());
resp = await _authCap.Step(additional);
}
else {
break;
}
}
return null;
}
}
}

87
FabAccessAPI/Connection.cs
View File

@ -2,82 +2,31 @@
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Capnp;
using Capnp.Rpc;
using FabAccessAPI.Schema;
using S22.Sasl;
namespace FabAccessAPI
{
class Connection
{
public bool Connect(Greeting clientInfo, Stream stream)
{
var message = new Message()
class Connection {
private TcpRpcClient _rpcClient;
private IBootstrap _bootstrapCap;
private User _user;
private Auth _auth;
{
Greet = clientInfo,
which = Message.WHICH.Greet,
};
var msg = MessageBuilder.Create();
var root = msg.BuildRoot<Schema.Message.WRITER>();
message.serialize(root);
var pump = new FramePump(stream);
pump.Send(msg.Frame);
var frame = Framing.ReadSegments(stream);
var deserializer = DeserializerState.CreateRoot(frame);
var reader = new Message.READER(deserializer);
switch (reader.which)
{
case Message.WHICH.Greet:
var serverInfo = reader.Greet;
Console.WriteLine($"Server: {serverInfo.Host}");
Console.WriteLine($"Version: {serverInfo.Program}");
Console.WriteLine($"API-Version: {serverInfo.Major}.{serverInfo.Minor}");
break;
case Message.WHICH.Leave:
var leave_inner = reader.Leave;
switch (leave_inner.TheReason)
{
case Leave.Reason.incompatible:
Console.WriteLine($"Connection aborted due to incompatible API: {leave_inner.Message}");
break;
case Leave.Reason.other:
Console.WriteLine($"Connection aborted: {leave_inner.Message}");
break;
default:
Console.WriteLine($"Got invalid This should never happen: {leave_inner.Message}");
break;
}
return false;
default:
Console.WriteLine($"Got unexpected message: {reader.which}");
break;
}
//FIXME: Replace the hardcoded credentials
SaslMechanism m = SaslFactory.Create("PLAIN");
m.Properties.Add("Username", "test");
m.Properties.Add("Password", "secret");
var authRequest = new Request()
{
Mechanism = m.Name,
};
var auth = new AuthMessage()
{
};
return true;
/// <summary>
///
/// </summary>
/// <param name="rpcClient">Should be an already configured and connected TcpRpcClient</param>
public Connection(TcpRpcClient rpcClient) {
_rpcClient = rpcClient;
_bootstrapCap = _rpcClient.GetMain<IBootstrap>();
}
async Task Auth(string mech, Dictionary<string, string> kvs) {
_auth = new Auth(await _bootstrapCap.Auth());
var mechs = await _auth.GetMechanisms().ConfigureAwait(false);
}
}
}

5
FabAccessAPI/FabAccessAPI.cs
View File

@ -1,8 +1,11 @@
using System;
using S22.Sasl;
namespace FabAccessAPI
{
public class Class1
public class Api
{
}
}

10
FabAccessAPI/InjectableTcpRpcClient.cs Normal file
View File

@ -0,0 +1,10 @@
using System;
using System.Collections.Generic;
using System.Text;
using Capnp.Rpc;
namespace FabAccessAPI {
class InjectableTcpRpcClient : TcpRpcClient {
}
}