mirror of
https://gitlab.com/fabinfra/fabaccess/bffh.git
synced 2024-11-26 08:34:55 +01:00
Updates schema
This commit is contained in:
parent
691338aca7
commit
36745683e0
2
schema
2
schema
@ -1 +1 @@
|
|||||||
Subproject commit 5b7a31b00528d535b8858289d1db685269ec9b7b
|
Subproject commit 9fb856a4dbe8f1e68c77afa3dbff606a27342e7c
|
@ -196,7 +196,7 @@ impl PermissionsProvider {
|
|||||||
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
||||||
let roleID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
let roleID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
||||||
let role: Role = flexbuffers::from_slice(vbuf)?;
|
let role: Role = flexbuffers::from_slice(vbuf)?;
|
||||||
let filename = format!("{:x}.yml", roleID);
|
let filename = format!("{:x}.toml", roleID);
|
||||||
path.set_file_name(filename);
|
path.set_file_name(filename);
|
||||||
let mut fp = std::fs::File::create(&path)?;
|
let mut fp = std::fs::File::create(&path)?;
|
||||||
let out = toml::to_vec(&role)?;
|
let out = toml::to_vec(&role)?;
|
||||||
@ -213,7 +213,7 @@ impl PermissionsProvider {
|
|||||||
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
||||||
let permID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
let permID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
||||||
let perm: Perm = flexbuffers::from_slice(vbuf)?;
|
let perm: Perm = flexbuffers::from_slice(vbuf)?;
|
||||||
let filename = format!("{:x}.yml", permID);
|
let filename = format!("{:x}.toml", permID);
|
||||||
path.set_file_name(filename);
|
path.set_file_name(filename);
|
||||||
let mut fp = std::fs::File::create(&path)?;
|
let mut fp = std::fs::File::create(&path)?;
|
||||||
let out = toml::to_vec(&perm)?;
|
let out = toml::to_vec(&perm)?;
|
||||||
@ -230,7 +230,7 @@ impl PermissionsProvider {
|
|||||||
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
let (kbytes, _rest) = kbuf.split_at(std::mem::size_of::<u64>());
|
||||||
let userID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
let userID = u64::from_ne_bytes(kbytes.try_into().unwrap());
|
||||||
let user: User = flexbuffers::from_slice(vbuf)?;
|
let user: User = flexbuffers::from_slice(vbuf)?;
|
||||||
let filename = format!("{:x}.yml", userID);
|
let filename = format!("{:x}.toml", userID);
|
||||||
path.set_file_name(filename);
|
path.set_file_name(filename);
|
||||||
let mut fp = std::fs::File::create(&path)?;
|
let mut fp = std::fs::File::create(&path)?;
|
||||||
let out = toml::to_vec(&user)?;
|
let out = toml::to_vec(&user)?;
|
||||||
|
47
src/api.rs
47
src/api.rs
@ -1,63 +1,52 @@
|
|||||||
// module needs to be top level for generated functions to be in scope:
|
|
||||||
// https://github.com/capnproto/capnproto-rust/issues/16
|
|
||||||
pub mod api_capnp {
|
|
||||||
include!(concat!(env!("OUT_DIR"), "/schema/api_capnp.rs"));
|
|
||||||
}
|
|
||||||
|
|
||||||
use smol::net::TcpStream;
|
use smol::net::TcpStream;
|
||||||
use futures_util::FutureExt;
|
use futures_util::FutureExt;
|
||||||
|
|
||||||
use slog::Logger;
|
use slog::Logger;
|
||||||
|
|
||||||
use crate::error::Result;
|
use crate::error::Result;
|
||||||
|
pub use crate::schema::api_capnp;
|
||||||
|
|
||||||
use capnp::capability::Promise;
|
use capnp::capability::Promise;
|
||||||
use capnp::Error;
|
use capnp::Error;
|
||||||
use capnp_rpc::RpcSystem;
|
use capnp_rpc::RpcSystem;
|
||||||
use capnp_rpc::twoparty::VatNetwork;
|
use capnp_rpc::twoparty::VatNetwork;
|
||||||
use capnp_rpc::rpc_twoparty_capnp::Side;
|
use capnp_rpc::rpc_twoparty_capnp::Side;
|
||||||
|
use capnp::capability::FromServer;
|
||||||
|
|
||||||
pub async fn handle_connection(log: Logger, socket: TcpStream) -> Result<()> {
|
pub async fn handle_connection(log: Logger, socket: TcpStream) -> Result<()> {
|
||||||
let client = DifAPI {};
|
|
||||||
let api: api_capnp::diflouroborane::Client = capnp_rpc::new_client(client);
|
|
||||||
|
|
||||||
let mut message = capnp::message::Builder::new_default();
|
let mut message = capnp::message::Builder::new_default();
|
||||||
let mut outer = message.init_root::<crate::connection::connection_capnp::message::Builder>();
|
let mut outer = message.init_root::<crate::connection::connection_capnp::message::Builder>();
|
||||||
outer.set_api(api.clone());
|
let mut api = outer.init_api();
|
||||||
|
|
||||||
|
let mapi = MachinesAPI {};
|
||||||
|
api.set_machines(capnp_rpc::new_client(mapi));
|
||||||
|
|
||||||
let network = VatNetwork::new(socket.clone(), socket, Side::Server, Default::default());
|
let network = VatNetwork::new(socket.clone(), socket, Side::Server, Default::default());
|
||||||
let rpc = RpcSystem::new(Box::new(network), Some(api.client)).map(|_| ());
|
let rpc = RpcSystem::new(Box::new(network), None).map(|_| ());
|
||||||
|
|
||||||
rpc.await;
|
rpc.await;
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
pub struct DifAPI;
|
|
||||||
|
|
||||||
impl api_capnp::diflouroborane::Server for DifAPI {
|
|
||||||
fn machines(&mut self,
|
|
||||||
_params: api_capnp::diflouroborane::MachinesParams,
|
|
||||||
mut results: api_capnp::diflouroborane::MachinesResults)
|
|
||||||
-> Promise<(), Error>
|
|
||||||
{
|
|
||||||
let mut b = results.get();
|
|
||||||
let mach = capnp_rpc::new_client(MachinesAPI);
|
|
||||||
b.set_mach(mach);
|
|
||||||
Promise::ok(())
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
pub struct MachinesAPI;
|
pub struct MachinesAPI;
|
||||||
|
|
||||||
impl api_capnp::machines::Server for MachinesAPI {
|
impl api_capnp::machines::Server for MachinesAPI {
|
||||||
fn list(&mut self,
|
fn list_machines(&mut self,
|
||||||
_params: api_capnp::machines::ListParams,
|
_params: api_capnp::machines::ListMachinesParams,
|
||||||
mut results: api_capnp::machines::ListResults)
|
mut results: api_capnp::machines::ListMachinesResults)
|
||||||
-> Promise<(), Error>
|
-> Promise<(), Error>
|
||||||
{
|
{
|
||||||
let mut l = results.get();
|
let mut l = results.get();
|
||||||
l.init_machines(0);
|
l.init_machines(0);
|
||||||
Promise::ok(())
|
Promise::ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn get_machine(&mut self,
|
||||||
|
_params: api_capnp::machines::GetMachineParams,
|
||||||
|
mut results: api_capnp::machines::GetMachineResults)
|
||||||
|
-> Promise<(), Error>
|
||||||
|
{
|
||||||
|
Promise::ok(())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
84
src/auth.rs
84
src/auth.rs
@ -11,9 +11,7 @@ use rsasl::sys::{Gsasl, Gsasl_session};
|
|||||||
use crate::error::Result;
|
use crate::error::Result;
|
||||||
use crate::config::Settings;
|
use crate::config::Settings;
|
||||||
|
|
||||||
pub mod auth_capnp {
|
pub use crate::schema::auth_capnp;
|
||||||
include!(concat!(env!("OUT_DIR"), "/schema/auth_capnp.rs"));
|
|
||||||
}
|
|
||||||
|
|
||||||
extern "C" fn callback(ctx: *mut Gsasl, sctx: *mut Gsasl_session, prop: Property) -> i32 {
|
extern "C" fn callback(ctx: *mut Gsasl, sctx: *mut Gsasl_session, prop: Property) -> i32 {
|
||||||
let sasl = SASL::from_ptr(ctx);
|
let sasl = SASL::from_ptr(ctx);
|
||||||
@ -56,3 +54,83 @@ impl Auth {
|
|||||||
pub async fn init(log: Logger, config: Settings) -> Result<Auth> {
|
pub async fn init(log: Logger, config: Settings) -> Result<Auth> {
|
||||||
Ok(Auth::new())
|
Ok(Auth::new())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Use the newtype pattern here to make the type system work for us; even though AuthCId is for all
|
||||||
|
// intents and purposes just a String the compiler will still complain if you return or more
|
||||||
|
// importantly pass a String intead of a AuthCId. This prevents bugs where you get an object from
|
||||||
|
// somewhere and pass it somewhere else and in between don't check if it's the right type and
|
||||||
|
// accidentally pass the authzid where the authcid should have gone.
|
||||||
|
|
||||||
|
/// Authentication Identity
|
||||||
|
///
|
||||||
|
/// Under the hood a string because the form depends heavily on the method
|
||||||
|
struct AuthCId(String);
|
||||||
|
/// Authorization Identity
|
||||||
|
///
|
||||||
|
/// This identity is internal to FabAccess and completely independent from the authentication
|
||||||
|
/// method or source
|
||||||
|
struct AuthZId {
|
||||||
|
uid: String,
|
||||||
|
subuid: String,
|
||||||
|
domain: String,
|
||||||
|
}
|
||||||
|
|
||||||
|
// What is a man?! A miserable little pile of secrets!
|
||||||
|
/// Authentication/Authorization user object.
|
||||||
|
///
|
||||||
|
/// This struct contains the user as is passed to the actual authentication/authorization
|
||||||
|
/// subsystems
|
||||||
|
///
|
||||||
|
struct User {
|
||||||
|
/// Contains the Authentication ID used
|
||||||
|
///
|
||||||
|
/// The authentication ID is an identifier for the authentication exchange. This is different
|
||||||
|
/// than the ID of the user to be authenticated; for example when using x509 the authcid is
|
||||||
|
/// the dn of the certificate, when using GSSAPI the authcid is of form `<userid>@<REALM>`
|
||||||
|
authcid: AuthCId,
|
||||||
|
|
||||||
|
/// Contains the Authorization ID
|
||||||
|
///
|
||||||
|
/// This is the identifier of the user to *authenticate as*. This in several cases is different
|
||||||
|
/// to the `authcid`:
|
||||||
|
/// If somebody wants to authenticate as somebody else, su-style.
|
||||||
|
/// If a person wants to authenticate as a higher-permissions account, e.g. foo may set authzid foo+admin
|
||||||
|
/// to split normal user and "admin" accounts.
|
||||||
|
/// If a method requires a specific authcid that is different from the identifier of the user
|
||||||
|
/// to authenticate as, e.g. GSSAPI, x509 client certificates, API TOKEN authentication.
|
||||||
|
authzid: AuthZId,
|
||||||
|
|
||||||
|
/// Contains the authentication method used
|
||||||
|
///
|
||||||
|
/// For the most part this is the SASL method
|
||||||
|
authMethod: String,
|
||||||
|
|
||||||
|
/// Method-specific key-value pairs
|
||||||
|
///
|
||||||
|
/// Each method can use their own key-value pairs.
|
||||||
|
/// E.g. EXTERNAL encodes the actual method used (x509 client certs, UID/GID for unix sockets,
|
||||||
|
/// ...)
|
||||||
|
kvs: Box<[(String, String)]>,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Authentication has two parts: Granting the authentication itself and then performing the
|
||||||
|
// authentication.
|
||||||
|
// Granting the authentication checks if
|
||||||
|
// a) the given authcid fits with the given (authMethod, kvs). In general a failure here indicates
|
||||||
|
// a programming failure — the authcid come from the same source as that tuple
|
||||||
|
// b) the given authcid may authenticate as the given authzid. E.g. if a given client certificate
|
||||||
|
// has been configured for that user, if a GSSAPI user maps to a given user,
|
||||||
|
|
||||||
|
enum AuthError {
|
||||||
|
/// Authentication ID is bad/unknown/..
|
||||||
|
BadAuthcid,
|
||||||
|
/// Authorization ID is bad/unknown/..
|
||||||
|
BadAuthzid,
|
||||||
|
/// User may not use that authorization id
|
||||||
|
NotAllowedAuthzid,
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
fn grant_auth(user: User) -> std::result::Result<(), AuthError> {
|
||||||
|
unimplemented!()
|
||||||
|
}
|
||||||
|
@ -6,9 +6,7 @@ use crate::error::Result;
|
|||||||
use crate::auth;
|
use crate::auth;
|
||||||
use crate::api;
|
use crate::api;
|
||||||
|
|
||||||
pub mod connection_capnp {
|
pub use crate::schema::connection_capnp;
|
||||||
include!(concat!(env!("OUT_DIR"), "/schema/connection_capnp.rs"));
|
|
||||||
}
|
|
||||||
|
|
||||||
pub async fn handle_connection(log: Logger, mut stream: TcpStream) -> Result<()> {
|
pub async fn handle_connection(log: Logger, mut stream: TcpStream) -> Result<()> {
|
||||||
let host = "localhost";
|
let host = "localhost";
|
||||||
|
@ -18,6 +18,7 @@ mod machine;
|
|||||||
mod connection;
|
mod connection;
|
||||||
mod registries;
|
mod registries;
|
||||||
mod network;
|
mod network;
|
||||||
|
mod schema;
|
||||||
|
|
||||||
use clap::{App, Arg};
|
use clap::{App, Arg};
|
||||||
|
|
||||||
|
11
src/schema.rs
Normal file
11
src/schema.rs
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
pub mod auth_capnp {
|
||||||
|
include!(concat!(env!("OUT_DIR"), "/schema/auth_capnp.rs"));
|
||||||
|
}
|
||||||
|
|
||||||
|
pub mod api_capnp {
|
||||||
|
include!(concat!(env!("OUT_DIR"), "/schema/api_capnp.rs"));
|
||||||
|
}
|
||||||
|
|
||||||
|
pub mod connection_capnp {
|
||||||
|
include!(concat!(env!("OUT_DIR"), "/schema/connection_capnp.rs"));
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user