mirror of
https://gitlab.com/fabinfra/fabaccess/bffh.git
synced 2024-12-22 19:53:49 +01:00
Updates schema
This commit is contained in:
parent
691338aca7
commit
36745683e0
2
schema
2
schema
@ -1 +1 @@
|
||||
Subproject commit 5b7a31b00528d535b8858289d1db685269ec9b7b
|
||||
Subproject commit 9fb856a4dbe8f1e68c77afa3dbff606a27342e7c
|
@ -196,7 +196,7 @@ impl PermissionsProvider {
|
||||
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
||||
let roleID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
||||
let role: Role = flexbuffers::from_slice(vbuf)?;
|
||||
let filename = format!("{:x}.yml", roleID);
|
||||
let filename = format!("{:x}.toml", roleID);
|
||||
path.set_file_name(filename);
|
||||
let mut fp = std::fs::File::create(&path)?;
|
||||
let out = toml::to_vec(&role)?;
|
||||
@ -213,7 +213,7 @@ impl PermissionsProvider {
|
||||
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
||||
let permID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
||||
let perm: Perm = flexbuffers::from_slice(vbuf)?;
|
||||
let filename = format!("{:x}.yml", permID);
|
||||
let filename = format!("{:x}.toml", permID);
|
||||
path.set_file_name(filename);
|
||||
let mut fp = std::fs::File::create(&path)?;
|
||||
let out = toml::to_vec(&perm)?;
|
||||
@ -230,7 +230,7 @@ impl PermissionsProvider {
|
||||
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
||||
let userID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
||||
let user: User = flexbuffers::from_slice(vbuf)?;
|
||||
let filename = format!("{:x}.yml", userID);
|
||||
let filename = format!("{:x}.toml", userID);
|
||||
path.set_file_name(filename);
|
||||
let mut fp = std::fs::File::create(&path)?;
|
||||
let out = toml::to_vec(&user)?;
|
||||
|
47
src/api.rs
47
src/api.rs
@ -1,63 +1,52 @@
|
||||
// module needs to be top level for generated functions to be in scope:
|
||||
// https://github.com/capnproto/capnproto-rust/issues/16
|
||||
pub mod api_capnp {
|
||||
include!(concat!(env!("OUT_DIR"), "/schema/api_capnp.rs"));
|
||||
}
|
||||
|
||||
use smol::net::TcpStream;
|
||||
use futures_util::FutureExt;
|
||||
|
||||
use slog::Logger;
|
||||
|
||||
use crate::error::Result;
|
||||
pub use crate::schema::api_capnp;
|
||||
|
||||
use capnp::capability::Promise;
|
||||
use capnp::Error;
|
||||
use capnp_rpc::RpcSystem;
|
||||
use capnp_rpc::twoparty::VatNetwork;
|
||||
use capnp_rpc::rpc_twoparty_capnp::Side;
|
||||
use capnp::capability::FromServer;
|
||||
|
||||
pub async fn handle_connection(log: Logger, socket: TcpStream) -> Result<()> {
|
||||
let client = DifAPI {};
|
||||
let api: api_capnp::diflouroborane::Client = capnp_rpc::new_client(client);
|
||||
|
||||
let mut message = capnp::message::Builder::new_default();
|
||||
let mut outer = message.init_root::<crate::connection::connection_capnp::message::Builder>();
|
||||
outer.set_api(api.clone());
|
||||
let mut api = outer.init_api();
|
||||
|
||||
let mapi = MachinesAPI {};
|
||||
api.set_machines(capnp_rpc::new_client(mapi));
|
||||
|
||||
let network = VatNetwork::new(socket.clone(), socket, Side::Server, Default::default());
|
||||
let rpc = RpcSystem::new(Box::new(network), Some(api.client)).map(|_| ());
|
||||
let rpc = RpcSystem::new(Box::new(network), None).map(|_| ());
|
||||
|
||||
rpc.await;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub struct DifAPI;
|
||||
|
||||
impl api_capnp::diflouroborane::Server for DifAPI {
|
||||
fn machines(&mut self,
|
||||
_params: api_capnp::diflouroborane::MachinesParams,
|
||||
mut results: api_capnp::diflouroborane::MachinesResults)
|
||||
-> Promise<(), Error>
|
||||
{
|
||||
let mut b = results.get();
|
||||
let mach = capnp_rpc::new_client(MachinesAPI);
|
||||
b.set_mach(mach);
|
||||
Promise::ok(())
|
||||
}
|
||||
}
|
||||
|
||||
pub struct MachinesAPI;
|
||||
|
||||
impl api_capnp::machines::Server for MachinesAPI {
|
||||
fn list(&mut self,
|
||||
_params: api_capnp::machines::ListParams,
|
||||
mut results: api_capnp::machines::ListResults)
|
||||
fn list_machines(&mut self,
|
||||
_params: api_capnp::machines::ListMachinesParams,
|
||||
mut results: api_capnp::machines::ListMachinesResults)
|
||||
-> Promise<(), Error>
|
||||
{
|
||||
let mut l = results.get();
|
||||
l.init_machines(0);
|
||||
Promise::ok(())
|
||||
}
|
||||
|
||||
fn get_machine(&mut self,
|
||||
_params: api_capnp::machines::GetMachineParams,
|
||||
mut results: api_capnp::machines::GetMachineResults)
|
||||
-> Promise<(), Error>
|
||||
{
|
||||
Promise::ok(())
|
||||
}
|
||||
}
|
||||
|
84
src/auth.rs
84
src/auth.rs
@ -11,9 +11,7 @@ use rsasl::sys::{Gsasl, Gsasl_session};
|
||||
use crate::error::Result;
|
||||
use crate::config::Settings;
|
||||
|
||||
pub mod auth_capnp {
|
||||
include!(concat!(env!("OUT_DIR"), "/schema/auth_capnp.rs"));
|
||||
}
|
||||
pub use crate::schema::auth_capnp;
|
||||
|
||||
extern "C" fn callback(ctx: *mut Gsasl, sctx: *mut Gsasl_session, prop: Property) -> i32 {
|
||||
let sasl = SASL::from_ptr(ctx);
|
||||
@ -56,3 +54,83 @@ impl Auth {
|
||||
pub async fn init(log: Logger, config: Settings) -> Result<Auth> {
|
||||
Ok(Auth::new())
|
||||
}
|
||||
|
||||
// Use the newtype pattern here to make the type system work for us; even though AuthCId is for all
|
||||
// intents and purposes just a String the compiler will still complain if you return or more
|
||||
// importantly pass a String intead of a AuthCId. This prevents bugs where you get an object from
|
||||
// somewhere and pass it somewhere else and in between don't check if it's the right type and
|
||||
// accidentally pass the authzid where the authcid should have gone.
|
||||
|
||||
/// Authentication Identity
|
||||
///
|
||||
/// Under the hood a string because the form depends heavily on the method
|
||||
struct AuthCId(String);
|
||||
/// Authorization Identity
|
||||
///
|
||||
/// This identity is internal to FabAccess and completely independent from the authentication
|
||||
/// method or source
|
||||
struct AuthZId {
|
||||
uid: String,
|
||||
subuid: String,
|
||||
domain: String,
|
||||
}
|
||||
|
||||
// What is a man?! A miserable little pile of secrets!
|
||||
/// Authentication/Authorization user object.
|
||||
///
|
||||
/// This struct contains the user as is passed to the actual authentication/authorization
|
||||
/// subsystems
|
||||
///
|
||||
struct User {
|
||||
/// Contains the Authentication ID used
|
||||
///
|
||||
/// The authentication ID is an identifier for the authentication exchange. This is different
|
||||
/// than the ID of the user to be authenticated; for example when using x509 the authcid is
|
||||
/// the dn of the certificate, when using GSSAPI the authcid is of form `<userid>@<REALM>`
|
||||
authcid: AuthCId,
|
||||
|
||||
/// Contains the Authorization ID
|
||||
///
|
||||
/// This is the identifier of the user to *authenticate as*. This in several cases is different
|
||||
/// to the `authcid`:
|
||||
/// If somebody wants to authenticate as somebody else, su-style.
|
||||
/// If a person wants to authenticate as a higher-permissions account, e.g. foo may set authzid foo+admin
|
||||
/// to split normal user and "admin" accounts.
|
||||
/// If a method requires a specific authcid that is different from the identifier of the user
|
||||
/// to authenticate as, e.g. GSSAPI, x509 client certificates, API TOKEN authentication.
|
||||
authzid: AuthZId,
|
||||
|
||||
/// Contains the authentication method used
|
||||
///
|
||||
/// For the most part this is the SASL method
|
||||
authMethod: String,
|
||||
|
||||
/// Method-specific key-value pairs
|
||||
///
|
||||
/// Each method can use their own key-value pairs.
|
||||
/// E.g. EXTERNAL encodes the actual method used (x509 client certs, UID/GID for unix sockets,
|
||||
/// ...)
|
||||
kvs: Box<[(String, String)]>,
|
||||
}
|
||||
|
||||
// Authentication has two parts: Granting the authentication itself and then performing the
|
||||
// authentication.
|
||||
// Granting the authentication checks if
|
||||
// a) the given authcid fits with the given (authMethod, kvs). In general a failure here indicates
|
||||
// a programming failure — the authcid come from the same source as that tuple
|
||||
// b) the given authcid may authenticate as the given authzid. E.g. if a given client certificate
|
||||
// has been configured for that user, if a GSSAPI user maps to a given user,
|
||||
|
||||
enum AuthError {
|
||||
/// Authentication ID is bad/unknown/..
|
||||
BadAuthcid,
|
||||
/// Authorization ID is bad/unknown/..
|
||||
BadAuthzid,
|
||||
/// User may not use that authorization id
|
||||
NotAllowedAuthzid,
|
||||
|
||||
}
|
||||
|
||||
fn grant_auth(user: User) -> std::result::Result<(), AuthError> {
|
||||
unimplemented!()
|
||||
}
|
||||
|
@ -6,9 +6,7 @@ use crate::error::Result;
|
||||
use crate::auth;
|
||||
use crate::api;
|
||||
|
||||
pub mod connection_capnp {
|
||||
include!(concat!(env!("OUT_DIR"), "/schema/connection_capnp.rs"));
|
||||
}
|
||||
pub use crate::schema::connection_capnp;
|
||||
|
||||
pub async fn handle_connection(log: Logger, mut stream: TcpStream) -> Result<()> {
|
||||
let host = "localhost";
|
||||
|
@ -18,6 +18,7 @@ mod machine;
|
||||
mod connection;
|
||||
mod registries;
|
||||
mod network;
|
||||
mod schema;
|
||||
|
||||
use clap::{App, Arg};
|
||||
|
||||
|
11
src/schema.rs
Normal file
11
src/schema.rs
Normal file
@ -0,0 +1,11 @@
|
||||
pub mod auth_capnp {
|
||||
include!(concat!(env!("OUT_DIR"), "/schema/auth_capnp.rs"));
|
||||
}
|
||||
|
||||
pub mod api_capnp {
|
||||
include!(concat!(env!("OUT_DIR"), "/schema/api_capnp.rs"));
|
||||
}
|
||||
|
||||
pub mod connection_capnp {
|
||||
include!(concat!(env!("OUT_DIR"), "/schema/connection_capnp.rs"));
|
||||
}
|
Loading…
Reference in New Issue
Block a user