fabaccess-bffh/bffhd/authentication/mod.rs

use crate::users::Users;
use miette::{IntoDiagnostic, WrapErr};
use std::sync::Arc;
use rsasl::callback::{CallbackError, Request, SessionCallback, SessionData, Context};
use rsasl::mechanism::SessionError;
use rsasl::prelude::{Mechname, SASLConfig, SASLServer, Session, Validation};
use rsasl::property::{AuthId, AuthzId, Password};
use rsasl::validate::{Validate, ValidationError};

use crate::authentication::fabfire::FabFireCardKey;
use crate::users::db::User;

mod fabfire;

struct Callback {
    users: Users,
    span: tracing::Span,
}
impl Callback {
    pub fn new(users: Users) -> Self {
        let span = tracing::info_span!("SASL callback");
        Self { users, span }
    }
}
impl SessionCallback for Callback {
    fn callback(&self, session_data: &SessionData, context: &Context, request: &mut Request) -> Result<(), SessionError> {
        if let Some(authid) = context.get_ref::<AuthId>() {
            request.satisfy_with::<FabFireCardKey, _>(|| {
                let user = self.users.get_user(authid).ok_or(CallbackError::NoValue)?;
                let kv = user.userdata.kv.get("cardkey").ok_or(CallbackError::NoValue)?;
                let card_key = <[u8; 16]>::try_from(
                    hex::decode(kv).map_err(|_| CallbackError::NoValue)?,
                ).map_err(|_| CallbackError::NoValue)?;
                Ok(card_key)
            })?;
        }
        Ok(())
    }

    fn validate(&self, session_data: &SessionData, context: &Context, validate: &mut Validate<'_>) -> Result<(), ValidationError> {
        let span = tracing::info_span!(parent: &self.span, "validate");
        let _guard = span.enter();
        if validate.is::<V>() {
            match session_data.mechanism().mechanism.as_str() {
                "PLAIN" => {
                    let authcid = context.get_ref::<AuthId>()
                        .ok_or(ValidationError::MissingRequiredProperty)?;
                    let authzid = context.get_ref::<AuthzId>();
                    let password = context.get_ref::<Password>()
                        .ok_or(ValidationError::MissingRequiredProperty)?;

                    if authzid.is_some() {
                        return Ok(())
                    }

                    if let Some(user) = self.users.get_user(authcid) {
                        match user.check_password(password) {
                            Ok(true) => {
                                validate.finalize::<V>(user)
                            }
                            Ok(false) => {
                                tracing::warn!(authid=%authcid, "AUTH FAILED: bad password");
                            }
                            Err(error) => {
                                tracing::warn!(authid=%authcid, "Bad DB entry: {}", error);
                            }
                        }
                    } else {
                        tracing::warn!(authid=%authcid, "AUTH FAILED: no such user");
                    }
                }
                _ => {}
            }
        }
        Ok(())
    }
}

pub struct V;
impl Validation for V {
    type Value = User;
}

#[derive(Clone)]
struct Inner {
    rsasl: Arc<SASLConfig>,
}
impl Inner {
    pub fn new(rsasl: Arc<SASLConfig>) -> Self {
        Self { rsasl }
    }
}

#[derive(Clone)]
pub struct AuthenticationHandle {
    inner: Inner,
}

impl AuthenticationHandle {
    pub fn new(userdb: Users) -> Self {
        let span = tracing::debug_span!("authentication");
        let _guard = span.enter();

        let config = SASLConfig::builder()
            .with_defaults()
            .with_callback(Callback::new(userdb))
            .unwrap();

        let mechs: Vec<&'static str> = SASLServer::<V>::new(config.clone())
            .get_available()
            .into_iter()
            .map(|m| m.mechanism.as_str())
            .collect();
        tracing::info!(available_mechs = mechs.len(), "initialized sasl backend");
        tracing::debug!(?mechs, "available mechs");

        Self {
            inner: Inner::new(config),
        }
    }

    pub fn start(&self, mechanism: &Mechname) -> miette::Result<Session<V>> {
        Ok(SASLServer::new(self.inner.rsasl.clone())
            .start_suggested(mechanism)
            .into_diagnostic()
            .wrap_err("Failed to start a SASL authentication with the given mechanism")?)
    }

    pub fn sess(&self) -> SASLServer<V> {
        SASLServer::new(self.inner.rsasl.clone())
    }
}
Session initialization 2022-03-15 17:52:47 +01:00			`use crate::users::Users;`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`use miette::{IntoDiagnostic, WrapErr};`
Session initialization 2022-03-15 17:52:47 +01:00			`use std::sync::Arc;`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`use rsasl::callback::{CallbackError, Request, SessionCallback, SessionData, Context};`
Port rsasl 2022-10-05 17:28:47 +02:00			`use rsasl::mechanism::SessionError;`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`use rsasl::prelude::{Mechname, SASLConfig, SASLServer, Session, Validation};`
			`use rsasl::property::{AuthId, AuthzId, Password};`
			`use rsasl::validate::{Validate, ValidationError};`
ran cargo fix 2022-04-26 23:21:43 +02:00
fix fabfire mechanism integration and improve logging 2022-03-19 06:00:21 +01:00			`use crate::authentication::fabfire::FabFireCardKey;`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`use crate::users::db::User;`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00
			`mod fabfire;`
Module refactor part 2 2022-03-08 18:52:49 +01:00
User db & loading 2022-03-13 22:50:37 +01:00			`struct Callback {`
			`users: Users,`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`span: tracing::Span,`
User db & loading 2022-03-13 22:50:37 +01:00			`}`
			`impl Callback {`
			`pub fn new(users: Users) -> Self {`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`let span = tracing::info_span!("SASL callback");`
			`Self { users, span }`
User db & loading 2022-03-13 22:50:37 +01:00			`}`
			`}`
Port rsasl 2022-10-05 17:28:47 +02:00			`impl SessionCallback for Callback {`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`fn callback(&self, session_data: &SessionData, context: &Context, request: &mut Request) -> Result<(), SessionError> {`
Port rsasl 2022-10-05 17:28:47 +02:00			`if let Some(authid) = context.get_ref::<AuthId>() {`
			`request.satisfy_with::<FabFireCardKey, _>(\|\| {`
			`let user = self.users.get_user(authid).ok_or(CallbackError::NoValue)?;`
			`let kv = user.userdata.kv.get("cardkey").ok_or(CallbackError::NoValue)?;`
Run rustfmt 2022-05-05 15:50:44 +02:00			`let card_key = <[u8; 16]>::try_from(`
Port rsasl 2022-10-05 17:28:47 +02:00			`hex::decode(kv).map_err(\|_\| CallbackError::NoValue)?,`
			`).map_err(\|_\| CallbackError::NoValue)?;`
			`Ok(card_key)`
			`})?;`
fix fabfire mechanism integration and improve logging 2022-03-19 06:00:21 +01:00			`}`
Port rsasl 2022-10-05 17:28:47 +02:00			`Ok(())`
fix fabfire mechanism integration and improve logging 2022-03-19 06:00:21 +01:00			`}`

Update to latest rsasl 2022-11-01 10:47:51 +01:00			`fn validate(&self, session_data: &SessionData, context: &Context, validate: &mut Validate<'_>) -> Result<(), ValidationError> {`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`let span = tracing::info_span!(parent: &self.span, "validate");`
			`let _guard = span.enter();`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`if validate.is::<V>() {`
			`match session_data.mechanism().mechanism.as_str() {`
			`"PLAIN" => {`
			`let authcid = context.get_ref::<AuthId>()`
			`.ok_or(ValidationError::MissingRequiredProperty)?;`
			`let authzid = context.get_ref::<AuthzId>();`
			`let password = context.get_ref::<Password>()`
			`.ok_or(ValidationError::MissingRequiredProperty)?;`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`if authzid.is_some() {`
			`return Ok(())`
			`}`
Session initialization 2022-03-15 17:52:47 +01:00
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`if let Some(user) = self.users.get_user(authcid) {`
			`match user.check_password(password) {`
			`Ok(true) => {`
			`validate.finalize::<V>(user)`
			`}`
			`Ok(false) => {`
			`tracing::warn!(authid=%authcid, "AUTH FAILED: bad password");`
			`}`
			`Err(error) => {`
			`tracing::warn!(authid=%authcid, "Bad DB entry: {}", error);`
			`}`
			`}`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`} else {`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`tracing::warn!(authid=%authcid, "AUTH FAILED: no such user");`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`}`
Session initialization 2022-03-15 17:52:47 +01:00			`}`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`_ => {}`
Run rustfmt 2022-05-05 15:50:44 +02:00			`}`
Session initialization 2022-03-15 17:52:47 +01:00			`}`
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`Ok(())`
			`}`
User db & loading 2022-03-13 22:50:37 +01:00			`}`

Update to latest rsasl 2022-11-01 10:47:51 +01:00			`pub struct V;`
			`impl Validation for V {`
			`type Value = User;`
			`}`

			`#[derive(Clone)]`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`struct Inner {`
Port rsasl 2022-10-05 17:28:47 +02:00			`rsasl: Arc<SASLConfig>,`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`}`
			`impl Inner {`
Port rsasl 2022-10-05 17:28:47 +02:00			`pub fn new(rsasl: Arc<SASLConfig>) -> Self {`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`Self { rsasl }`
			`}`
			`}`
Let's try to get this as the next v0.3 2022-03-10 20:52:34 +01:00
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`#[derive(Clone)]`
Implement more API 2022-03-12 17:31:53 +01:00			`pub struct AuthenticationHandle {`
Port rsasl 2022-10-05 17:28:47 +02:00			`inner: Inner,`
Let's try to get this as the next v0.3 2022-03-10 20:52:34 +01:00			`}`

Implement more API 2022-03-12 17:31:53 +01:00			`impl AuthenticationHandle {`
User db & loading 2022-03-13 22:50:37 +01:00			`pub fn new(userdb: Users) -> Self {`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00			`let span = tracing::debug_span!("authentication");`
			`let _guard = span.enter();`

Port rsasl 2022-10-05 17:28:47 +02:00			`let config = SASLConfig::builder()`
			`.with_defaults()`
			`.with_callback(Callback::new(userdb))`
			`.unwrap();`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`let mechs: Vec<&'static str> = SASLServer::<V>::new(config.clone())`
Port rsasl 2022-10-05 17:28:47 +02:00			`.get_available()`
Run rustfmt 2022-05-05 15:50:44 +02:00			`.into_iter()`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00			`.map(\|m\| m.mechanism.as_str())`
			`.collect();`
Run rustfmt 2022-05-05 15:50:44 +02:00			`tracing::info!(available_mechs = mechs.len(), "initialized sasl backend");`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00			`tracing::debug!(?mechs, "available mechs");`

Session initialization 2022-03-15 17:52:47 +01:00			`Self {`
Port rsasl 2022-10-05 17:28:47 +02:00			`inner: Inner::new(config),`
Session initialization 2022-03-15 17:52:47 +01:00			`}`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`}`
Let's try to get this as the next v0.3 2022-03-10 20:52:34 +01:00
Update to latest rsasl 2022-11-01 10:47:51 +01:00			`pub fn start(&self, mechanism: &Mechname) -> miette::Result<Session<V>> {`
Port rsasl 2022-10-05 17:28:47 +02:00			`Ok(SASLServer::new(self.inner.rsasl.clone())`
			`.start_suggested(mechanism)`
Switch out anyhow for miette 2022-06-02 17:46:26 +02:00			`.into_diagnostic()`
			`.wrap_err("Failed to start a SASL authentication with the given mechanism")?)`
Implement more API 2022-03-12 17:31:53 +01:00			`}`

Update to latest rsasl 2022-11-01 10:47:51 +01:00			`pub fn sess(&self) -> SASLServer<V> {`
Port rsasl 2022-10-05 17:28:47 +02:00			`SASLServer::new(self.inner.rsasl.clone())`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`}`
Session initialization 2022-03-15 17:52:47 +01:00			`}`