fabaccess-bffh/bffhd/authentication/mod.rs

use crate::users::Users;
use miette::{Context, IntoDiagnostic};
use std::sync::Arc;
use rsasl::callback::{CallbackError, Request, SessionCallback, SessionData};
use rsasl::mechanism::SessionError;
use rsasl::prelude::{Mechname, SASLConfig, SASLServer, Session};
use rsasl::property::AuthId;

use crate::authentication::fabfire::FabFireCardKey;

mod fabfire;

struct Callback {
    users: Users,
    span: tracing::Span,
}
impl Callback {
    pub fn new(users: Users) -> Self {
        let span = tracing::info_span!("SASL callback");
        Self { users, span }
    }
}
impl SessionCallback for Callback {
    fn callback(&self, session_data: &SessionData, context: &rsasl::callback::Context, request: &mut Request) -> Result<(), SessionError> {
        if let Some(authid) = context.get_ref::<AuthId>() {
            request.satisfy_with::<FabFireCardKey, _>(|| {
                let user = self.users.get_user(authid).ok_or(CallbackError::NoValue)?;
                let kv = user.userdata.kv.get("cardkey").ok_or(CallbackError::NoValue)?;
                let card_key = <[u8; 16]>::try_from(
                    hex::decode(kv).map_err(|_| CallbackError::NoValue)?,
                ).map_err(|_| CallbackError::NoValue)?;
                Ok(card_key)
            })?;
        }
        Ok(())
    }

    /*fn validate(
        &self,
        session: &mut SessionData,
        validation: Validation,
        _mechanism: &Mechname,
    ) -> Result<(), SessionError> {
        let span = tracing::info_span!(parent: &self.span, "validate");
        let _guard = span.enter();
        match validation {
            validations::SIMPLE => {
                let authnid = session
                    .get_property::<AuthId>()
                    .ok_or(SessionError::no_property::<AuthId>())?;
                tracing::debug!(authid=%authnid, "SIMPLE validation requested");

                if let Some(user) = self.users.get_user(authnid.as_str()) {
                    let passwd = session
                        .get_property::<Password>()
                        .ok_or(SessionError::no_property::<Password>())?;

                    if user
                        .check_password(passwd.as_bytes())
                        .map_err(|_e| SessionError::AuthenticationFailure)?
                    {
                        return Ok(());
                    } else {
                        tracing::warn!(authid=%authnid, "AUTH FAILED: bad password");
                    }
                } else {
                    tracing::warn!(authid=%authnid, "AUTH FAILED: no such user '{}'", authnid);
                }

                Err(SessionError::AuthenticationFailure)
            }
            _ => {
                tracing::error!(?validation, "Unimplemented validation requested");
                Err(SessionError::no_validate(validation))
            }
        }
    }*/
}

struct Inner {
    rsasl: Arc<SASLConfig>,
}
impl Inner {
    pub fn new(rsasl: Arc<SASLConfig>) -> Self {
        Self { rsasl }
    }
}

#[derive(Clone)]
pub struct AuthenticationHandle {
    inner: Inner,
}

impl AuthenticationHandle {
    pub fn new(userdb: Users) -> Self {
        let span = tracing::debug_span!("authentication");
        let _guard = span.enter();

        let config = SASLConfig::builder()
            .with_defaults()
            .with_callback(Callback::new(userdb))
            .unwrap();

        let mechs: Vec<&'static str> = SASLServer::new(config.clone())
            .get_available()
            .into_iter()
            .map(|m| m.mechanism.as_str())
            .collect();
        tracing::info!(available_mechs = mechs.len(), "initialized sasl backend");
        tracing::debug!(?mechs, "available mechs");

        Self {
            inner: Inner::new(config),
        }
    }

    pub fn start(&self, mechanism: &Mechname) -> miette::Result<Session> {
        Ok(SASLServer::new(self.inner.rsasl.clone())
            .start_suggested(mechanism)
            .into_diagnostic()
            .wrap_err("Failed to start a SASL authentication with the given mechanism")?)
    }

    pub fn list_available_mechs(&self) -> impl IntoIterator<Item = &Mechname> {
        SASLServer::new(self.inner.rsasl.clone())
            .get_available()
            .into_iter()
            .map(|m| m.mechanism)
    }
}
Session initialization 2022-03-15 17:52:47 +01:00			`use crate::users::Users;`
Switch out anyhow for miette 2022-06-02 17:46:26 +02:00			`use miette::{Context, IntoDiagnostic};`
Session initialization 2022-03-15 17:52:47 +01:00			`use std::sync::Arc;`
Port rsasl 2022-10-05 17:28:47 +02:00			`use rsasl::callback::{CallbackError, Request, SessionCallback, SessionData};`
			`use rsasl::mechanism::SessionError;`
			`use rsasl::prelude::{Mechname, SASLConfig, SASLServer, Session};`
			`use rsasl::property::AuthId;`
ran cargo fix 2022-04-26 23:21:43 +02:00
fix fabfire mechanism integration and improve logging 2022-03-19 06:00:21 +01:00			`use crate::authentication::fabfire::FabFireCardKey;`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00
			`mod fabfire;`
Module refactor part 2 2022-03-08 18:52:49 +01:00
User db & loading 2022-03-13 22:50:37 +01:00			`struct Callback {`
			`users: Users,`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`span: tracing::Span,`
User db & loading 2022-03-13 22:50:37 +01:00			`}`
			`impl Callback {`
			`pub fn new(users: Users) -> Self {`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`let span = tracing::info_span!("SASL callback");`
			`Self { users, span }`
User db & loading 2022-03-13 22:50:37 +01:00			`}`
			`}`
Port rsasl 2022-10-05 17:28:47 +02:00			`impl SessionCallback for Callback {`
			`fn callback(&self, session_data: &SessionData, context: &rsasl::callback::Context, request: &mut Request) -> Result<(), SessionError> {`
			`if let Some(authid) = context.get_ref::<AuthId>() {`
			`request.satisfy_with::<FabFireCardKey, _>(\|\| {`
			`let user = self.users.get_user(authid).ok_or(CallbackError::NoValue)?;`
			`let kv = user.userdata.kv.get("cardkey").ok_or(CallbackError::NoValue)?;`
Run rustfmt 2022-05-05 15:50:44 +02:00			`let card_key = <[u8; 16]>::try_from(`
Port rsasl 2022-10-05 17:28:47 +02:00			`hex::decode(kv).map_err(\|_\| CallbackError::NoValue)?,`
			`).map_err(\|_\| CallbackError::NoValue)?;`
			`Ok(card_key)`
			`})?;`
fix fabfire mechanism integration and improve logging 2022-03-19 06:00:21 +01:00			`}`
Port rsasl 2022-10-05 17:28:47 +02:00			`Ok(())`
fix fabfire mechanism integration and improve logging 2022-03-19 06:00:21 +01:00			`}`

Port rsasl 2022-10-05 17:28:47 +02:00			`/*fn validate(`
Session initialization 2022-03-15 17:52:47 +01:00			`&self,`
			`session: &mut SessionData,`
			`validation: Validation,`
Cargo fix 2022-03-15 20:00:43 +01:00			`_mechanism: &Mechname,`
Session initialization 2022-03-15 17:52:47 +01:00			`) -> Result<(), SessionError> {`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`let span = tracing::info_span!(parent: &self.span, "validate");`
			`let _guard = span.enter();`
Session initialization 2022-03-15 17:52:47 +01:00			`match validation {`
			`validations::SIMPLE => {`
			`let authnid = session`
			`.get_property::<AuthId>()`
			`.ok_or(SessionError::no_property::<AuthId>())?;`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`tracing::debug!(authid=%authnid, "SIMPLE validation requested");`

Run rustfmt 2022-05-05 15:50:44 +02:00			`if let Some(user) = self.users.get_user(authnid.as_str()) {`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`let passwd = session`
			`.get_property::<Password>()`
			`.ok_or(SessionError::no_property::<Password>())?;`
Session initialization 2022-03-15 17:52:47 +01:00
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`if user`
			`.check_password(passwd.as_bytes())`
			`.map_err(\|_e\| SessionError::AuthenticationFailure)?`
			`{`
			`return Ok(());`
			`} else {`
			`tracing::warn!(authid=%authnid, "AUTH FAILED: bad password");`
			`}`
Session initialization 2022-03-15 17:52:47 +01:00			`} else {`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`tracing::warn!(authid=%authnid, "AUTH FAILED: no such user '{}'", authnid);`
Session initialization 2022-03-15 17:52:47 +01:00			`}`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00
			`Err(SessionError::AuthenticationFailure)`
Session initialization 2022-03-15 17:52:47 +01:00			`}`
Better error reporting for auth Fixes: #49 2022-04-30 20:17:17 +02:00			`_ => {`
			`tracing::error!(?validation, "Unimplemented validation requested");`
			`Err(SessionError::no_validate(validation))`
Run rustfmt 2022-05-05 15:50:44 +02:00			`}`
Session initialization 2022-03-15 17:52:47 +01:00			`}`
Port rsasl 2022-10-05 17:28:47 +02:00			`}*/`
User db & loading 2022-03-13 22:50:37 +01:00			`}`

Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`struct Inner {`
Port rsasl 2022-10-05 17:28:47 +02:00			`rsasl: Arc<SASLConfig>,`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`}`
			`impl Inner {`
Port rsasl 2022-10-05 17:28:47 +02:00			`pub fn new(rsasl: Arc<SASLConfig>) -> Self {`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`Self { rsasl }`
			`}`
			`}`
Let's try to get this as the next v0.3 2022-03-10 20:52:34 +01:00
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`#[derive(Clone)]`
Implement more API 2022-03-12 17:31:53 +01:00			`pub struct AuthenticationHandle {`
Port rsasl 2022-10-05 17:28:47 +02:00			`inner: Inner,`
Let's try to get this as the next v0.3 2022-03-10 20:52:34 +01:00			`}`

Implement more API 2022-03-12 17:31:53 +01:00			`impl AuthenticationHandle {`
User db & loading 2022-03-13 22:50:37 +01:00			`pub fn new(userdb: Users) -> Self {`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00			`let span = tracing::debug_span!("authentication");`
			`let _guard = span.enter();`

Port rsasl 2022-10-05 17:28:47 +02:00			`let config = SASLConfig::builder()`
			`.with_defaults()`
			`.with_callback(Callback::new(userdb))`
			`.unwrap();`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00
Port rsasl 2022-10-05 17:28:47 +02:00			`let mechs: Vec<&'static str> = SASLServer::new(config.clone())`
			`.get_available()`
Run rustfmt 2022-05-05 15:50:44 +02:00			`.into_iter()`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00			`.map(\|m\| m.mechanism.as_str())`
			`.collect();`
Run rustfmt 2022-05-05 15:50:44 +02:00			`tracing::info!(available_mechs = mechs.len(), "initialized sasl backend");`
Importing X-FABFIRE auth mechanism 2022-03-16 19:29:36 +01:00			`tracing::debug!(?mechs, "available mechs");`

Session initialization 2022-03-15 17:52:47 +01:00			`Self {`
Port rsasl 2022-10-05 17:28:47 +02:00			`inner: Inner::new(config),`
Session initialization 2022-03-15 17:52:47 +01:00			`}`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`}`
Let's try to get this as the next v0.3 2022-03-10 20:52:34 +01:00
Switch out anyhow for miette 2022-06-02 17:46:26 +02:00			`pub fn start(&self, mechanism: &Mechname) -> miette::Result<Session> {`
Port rsasl 2022-10-05 17:28:47 +02:00			`Ok(SASLServer::new(self.inner.rsasl.clone())`
			`.start_suggested(mechanism)`
Switch out anyhow for miette 2022-06-02 17:46:26 +02:00			`.into_diagnostic()`
			`.wrap_err("Failed to start a SASL authentication with the given mechanism")?)`
Implement more API 2022-03-12 17:31:53 +01:00			`}`

Session initialization 2022-03-15 17:52:47 +01:00			`pub fn list_available_mechs(&self) -> impl IntoIterator<Item = &Mechname> {`
Port rsasl 2022-10-05 17:28:47 +02:00			`SASLServer::new(self.inner.rsasl.clone())`
			`.get_available()`
Session initialization 2022-03-15 17:52:47 +01:00			`.into_iter()`
			`.map(\|m\| m.mechanism)`
Pull more things from 0.3.2 2022-03-12 01:27:58 +01:00			`}`
Session initialization 2022-03-15 17:52:47 +01:00			`}`