From 61526395647eb7e1166af2f6ccf88adce1de2584 Mon Sep 17 00:00:00 2001 From: Gregor Reitzenstein Date: Mon, 17 Feb 2020 14:56:43 +0100 Subject: [PATCH] (Unfinished) v2 implementation --- Cargo.toml | 2 + schema/api.capnp | 14 ++++- src/access.rs | 25 ++++++++- src/auth.rs | 44 ++++++++++++---- src/machine.rs | 133 ++++++++++++++++++++++++++++++++++++++++++++--- src/main.rs | 16 +++--- 6 files changed, 203 insertions(+), 31 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index fdf03b7..b15bd3b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -27,5 +27,7 @@ serde = { version = "1.0", features = ["derive"] } casbin = "0.2" +uuid = { version = "0.8", features = ["serde", "v4"] } + [build-dependencies] capnpc = "0.12" diff --git a/schema/api.capnp b/schema/api.capnp index 6b3fdc6..6f64c24 100644 --- a/schema/api.capnp +++ b/schema/api.capnp @@ -44,8 +44,18 @@ interface Diflouroborane { } struct UUID { - lsg @0 :UInt64; # least significant - msg @1 :UInt64; # most significant + # UUID type used to identify machines. + # Since the exact value has no meaning the encoding rules are not too relevant, but it is + # paramount that you are consistent when encoding and decoding this type. + # + # Consider using this algorithm for assembling the 128-bit integer: + # uint128_t uuid = (uuid1 << 64) + uuid0; + # And then respectively this code for deconstructing it: + # uint64_t uuid0 = (uint64_t num); + # uint64_t uuid1 = (uint64_t (num >> 64)); + + uuid0 @0 :UInt64; + uuid1 @1 :UInt64; } interface Machines { diff --git a/src/access.rs b/src/access.rs index 1bcd83c..ce071a3 100644 --- a/src/access.rs +++ b/src/access.rs @@ -5,17 +5,38 @@ use casbin::prelude::*; use super::config::Config; +use futures_signals::signal::Mutable; + use crate::api::api; +use crate::auth::Authentication; +use crate::error::Result; #[derive(Clone)] -pub struct Permissions; +pub struct Permissions { + pdb: Mutable, + auth: Authentication, +} + +impl Permissions { + pub fn new(pdb: Mutable, auth: Authentication) -> Self { + Self { pdb, auth } + } + + pub fn enforce(&self, object: &str, action: &str) -> bool { + if let Some(actor) = self.auth.get_authzid() { + self.pdb.lock_ref().enforce(vec![&actor,object,action]).unwrap() + } else { + false + } + } +} impl api::permissions::Server for Permissions { } /// This line documents init -pub async fn init(config: &Config) -> Result> { +pub async fn init(config: &Config) -> std::result::Result> { let model = Model::from_file(config.access.model.clone()).await?; let adapter = Box::new(FileAdapter::new(config.access.policy.clone())); diff --git a/src/auth.rs b/src/auth.rs index 65f0be2..b4fc3ff 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -9,6 +9,7 @@ use std::error::Error; use std::path::Path; use std::fs::File; use std::io::{Read, Write}; +use std::ops::Deref; use futures_signals::signal::Mutable; use casbin::Enforcer; @@ -50,7 +51,7 @@ pub fn open_passdb(path: &Path) -> Option { } #[derive(Clone)] -struct Plain { +pub struct Plain { // FIXME: I don't want to store passwords. passdb: Mutable, enforcer: Mutable, @@ -102,16 +103,14 @@ pub fn split_nul(string: &str) -> Option<(&str, &str, &str)> { Some((a,b,c)) } -#[derive(Clone)] -pub struct Authentication { - state: Option, - plain: Plain, + +pub struct AuthenticationProvider { + pub plain: Plain, } -impl Authentication { +impl AuthenticationProvider { pub fn new(passdb: Mutable, enforcer: Mutable) -> Self { - Authentication { - state: None, + Self { plain: Plain { passdb, enforcer } } } @@ -121,6 +120,29 @@ impl Authentication { } } +#[derive(Clone)] +pub struct Authentication { + state: Mutable>, + provider: Mutable, +} +impl Authentication { + pub fn new(provider: Mutable) -> Self { + Self { + state: Mutable::new(None), + provider: provider, + } + } + + pub fn get_authzid(&self) -> Option { + self.state.lock_ref().clone() + } + + pub fn mechs(&self) -> Vec<&'static str> { + self.provider.lock_ref().mechs() + } +} + + use crate::api::api; impl api::authentication::Server for Authentication { @@ -154,11 +176,11 @@ impl api::authentication::Server for Authentication { let data = pry!(params.get_initial_data()); if let Ok(Which::Some(data)) = data.which() { let data = pry!(data); - if let Ok((b, name)) = self.plain.step(data) { + if let Ok((b, name)) = self.provider.lock_ref().plain.step(data) { // If login was successful, also set the current authzid if b { - self.state = Some(name.to_string()); + self.state.lock_mut().replace(name.to_string()); } let outcome = Outcome::value(b); @@ -188,7 +210,7 @@ impl api::authentication::Server for Authentication { mut results: api::authentication::GetAuthzidResults) -> ::capnp::capability::Promise<(), ::capnp::Error> { - if let Some(zid) = &self.state { + if let Some(zid) = self.state.lock_ref().deref() { results.get().set_authzid(zid); } else { results.get().set_authzid(""); diff --git a/src/machine.rs b/src/machine.rs index ad172a4..5eee400 100644 --- a/src/machine.rs +++ b/src/machine.rs @@ -3,15 +3,23 @@ use std::fs::File; use std::path::Path; use std::io::{Read, Write}; +use slog::Logger; + use serde::{Serialize, Deserialize}; use toml; -use futures_signals::signal::{ReadOnlyMutable}; -use casbin::Enforcer; +use futures_signals::signal::Mutable; use crate::error::Result; use crate::config::Config; use crate::api::api; +use crate::access::Permissions; + +use capnp::capability::Promise; +use capnp::Error; +use capnp_rpc::Server; + +use uuid::Uuid; /// Status of a Machine #[derive(PartialEq, Eq, Debug, Serialize, Deserialize)] @@ -25,37 +33,146 @@ pub enum Status { } #[derive(Clone)] -pub struct Machines; +pub struct Machines { + log: Logger, + mdb: Mutable, + perm: Permissions +} +impl Machines { + pub fn new(log: Logger, mdb: Mutable, perm: Permissions) -> Self { + Self { log, mdb, perm } + } +} impl api::machines::Server for Machines { + fn manage(&mut self, + params: api::machines::ManageParams, + mut results: api::machines::ManageResults) + -> Promise<(), Error> + { + let params = pry!(params.get()); + let uuid_s = pry!(params.get_uuid()); + + let uuid = uuid_from_api(uuid_s); + + let db = self.mdb.lock_ref(); + + if let Some(m) = db.get(&uuid) { + let manager = MachineManager::new(uuid, self.mdb.clone()); + + if self.perm.enforce(&m.perm, "manage") { + let mut b = results.get(); + let mngr = api::machines::manage::ToClient::new(manager).into_client::(); + b.set_manage(mngr); + Promise::ok(()) + } else { + Promise::err(Error::failed("Permission denied".to_string())) + } + } else { + Promise::err(Error::failed("No such machine".to_string())) + } + } + + fn use_(&mut self, + params: api::machines::UseParams, + mut results: api::machines::UseResults) + -> Promise<(), Error> + { + let params = pry!(params.get()); + let uuid_s = pry!(params.get_uuid()); + let uuid = uuid_from_api(uuid_s); + + let mdb = self.mdb.lock_ref(); + if let Some(m) = mdb.get(&uuid) { + Promise::ok(()) + } else { + Promise::err(Error::failed("No such machine".to_string())) + } + } +} + +// FIXME: Test this exhaustively! +fn uuid_from_api(uuid: api::u_u_i_d::Reader) -> Uuid { + let uuid0 = uuid.get_uuid0() as u128; + let uuid1 = uuid.get_uuid1() as u128; + let num: u128 = (uuid1 << 64) + uuid0; + Uuid::from_u128(num) +} +fn api_from_uuid(uuid: Uuid, mut wr: api::u_u_i_d::Builder) { + let num = uuid.to_u128_le(); + let uuid0 = num as u64; + let uuid1 = (num >> 64) as u64; + wr.set_uuid0(uuid0); + wr.set_uuid1(uuid1); +} + +#[derive(Clone)] +pub struct MachineManager { + mdb: Mutable, + uuid: Uuid, +} + +impl MachineManager { + pub fn new(uuid: Uuid, mdb: Mutable) -> Self { + Self { mdb, uuid } + } +} + +impl api::machines::manage::Server for MachineManager { + fn set_blocked(&mut self, + params: api::machines::manage::SetBlockedParams, + mut results: api::machines::manage::SetBlockedResults) + -> Promise<(), Error> + { + let mut db = self.mdb.lock_mut(); + if let Some(m) = db.get_mut(&self.uuid) { + let params = pry!(params.get()); + let blocked = params.get_blocked(); + + m.set_blocked(blocked); + Promise::ok(()) + } else { + Promise::err(Error::failed("No such machine".to_string())) + } + } } #[derive(PartialEq, Eq, Debug, Serialize, Deserialize)] pub struct Machine { + pub name: String, pub location: String, pub status: Status, + pub perm: String, } impl Machine { - pub fn new(location: String) -> Machine { + pub fn new(name: String, location: String, perm: String) -> Machine { Machine { + name: name, location: location, status: Status::Free, + perm: perm, + } + } + + pub fn set_blocked(&mut self, blocked: bool) { + if blocked { + self.status = Status::Blocked; + } else { + self.status = Status::Free; } } } -pub type MachineDB = HashMap; - -type Name = String; +pub type MachineDB = HashMap; pub fn init(config: &Config) -> Result { if config.machinedb.is_file() { let mut fp = File::open(&config.machinedb)?; let mut content = String::new(); fp.read_to_string(&mut content)?; - let map: HashMap = toml::from_str(&content)?; + let map = toml::from_str(&content)?; return Ok(map); } else { return Ok(HashMap::new()); diff --git a/src/main.rs b/src/main.rs index d4b9620..56b1f26 100644 --- a/src/main.rs +++ b/src/main.rs @@ -13,8 +13,6 @@ mod config; mod error; mod machine; -use std::ops::Deref; - use api::api as api_capnp; use futures::prelude::*; @@ -45,10 +43,8 @@ fn main() { let p = auth::open_passdb(&config.passdb).unwrap(); let p = Mutable::new(p); - let auth = auth::Authentication::new(p, enf.clone()); - - let perm = access::Permissions; - let mach = machine::Machines; + let authp = auth::AuthenticationProvider::new(p, enf.clone()); + let authp = Mutable::new(authp); use std::net::ToSocketAddrs; let args: Vec = ::std::env::args().collect(); @@ -66,8 +62,12 @@ fn main() { let mut incoming = listener.incoming(); while let Some(socket) = incoming.next().await { let socket = socket?; - let rpc_system = api::process_socket(auth.clone(), perm.clone(), mach.clone(), socket); - machine::save(&config, &m.lock_ref()).expect("MachineDB save"); + // TODO: Prettify session handling + let auth = auth::Authentication::new(authp.clone()); + let perm = access::Permissions::new(enf.clone(), auth.clone()); + let mach = machine::Machines::new(m.clone(), perm.clone()); + + let rpc_system = api::process_socket(auth, perm, mach, socket); spawner.spawn_local_obj( Box::pin(rpc_system.map_err(|e| println!("error: {:?}", e)).map(|_|())).into()).expect("spawn") }