(Unfinished) v2 implementation

This commit is contained in:
Gregor Reitzenstein 2020-02-17 14:56:43 +01:00
parent 73134d2fe9
commit 6152639564
6 changed files with 203 additions and 31 deletions

View File

@ -27,5 +27,7 @@ serde = { version = "1.0", features = ["derive"] }
casbin = "0.2" casbin = "0.2"
uuid = { version = "0.8", features = ["serde", "v4"] }
[build-dependencies] [build-dependencies]
capnpc = "0.12" capnpc = "0.12"

View File

@ -44,8 +44,18 @@ interface Diflouroborane {
} }
struct UUID { struct UUID {
lsg @0 :UInt64; # least significant # UUID type used to identify machines.
msg @1 :UInt64; # most significant # Since the exact value has no meaning the encoding rules are not too relevant, but it is
# paramount that you are consistent when encoding and decoding this type.
#
# Consider using this algorithm for assembling the 128-bit integer:
# uint128_t uuid = (uuid1 << 64) + uuid0;
# And then respectively this code for deconstructing it:
# uint64_t uuid0 = (uint64_t num);
# uint64_t uuid1 = (uint64_t (num >> 64));
uuid0 @0 :UInt64;
uuid1 @1 :UInt64;
} }
interface Machines { interface Machines {

View File

@ -5,17 +5,38 @@ use casbin::prelude::*;
use super::config::Config; use super::config::Config;
use futures_signals::signal::Mutable;
use crate::api::api; use crate::api::api;
use crate::auth::Authentication;
use crate::error::Result;
#[derive(Clone)] #[derive(Clone)]
pub struct Permissions; pub struct Permissions {
pdb: Mutable<Enforcer>,
auth: Authentication,
}
impl Permissions {
pub fn new(pdb: Mutable<Enforcer>, auth: Authentication) -> Self {
Self { pdb, auth }
}
pub fn enforce(&self, object: &str, action: &str) -> bool {
if let Some(actor) = self.auth.get_authzid() {
self.pdb.lock_ref().enforce(vec![&actor,object,action]).unwrap()
} else {
false
}
}
}
impl api::permissions::Server for Permissions { impl api::permissions::Server for Permissions {
} }
/// This line documents init /// This line documents init
pub async fn init(config: &Config) -> Result<Enforcer, Box<dyn std::error::Error>> { pub async fn init(config: &Config) -> std::result::Result<Enforcer, Box<dyn std::error::Error>> {
let model = Model::from_file(config.access.model.clone()).await?; let model = Model::from_file(config.access.model.clone()).await?;
let adapter = Box::new(FileAdapter::new(config.access.policy.clone())); let adapter = Box::new(FileAdapter::new(config.access.policy.clone()));

View File

@ -9,6 +9,7 @@ use std::error::Error;
use std::path::Path; use std::path::Path;
use std::fs::File; use std::fs::File;
use std::io::{Read, Write}; use std::io::{Read, Write};
use std::ops::Deref;
use futures_signals::signal::Mutable; use futures_signals::signal::Mutable;
use casbin::Enforcer; use casbin::Enforcer;
@ -50,7 +51,7 @@ pub fn open_passdb(path: &Path) -> Option<PassDB> {
} }
#[derive(Clone)] #[derive(Clone)]
struct Plain { pub struct Plain {
// FIXME: I don't want to store passwords. // FIXME: I don't want to store passwords.
passdb: Mutable<PassDB>, passdb: Mutable<PassDB>,
enforcer: Mutable<Enforcer>, enforcer: Mutable<Enforcer>,
@ -102,16 +103,14 @@ pub fn split_nul(string: &str) -> Option<(&str, &str, &str)> {
Some((a,b,c)) Some((a,b,c))
} }
#[derive(Clone)]
pub struct Authentication { pub struct AuthenticationProvider {
state: Option<String>, pub plain: Plain,
plain: Plain,
} }
impl Authentication { impl AuthenticationProvider {
pub fn new(passdb: Mutable<PassDB>, enforcer: Mutable<Enforcer>) -> Self { pub fn new(passdb: Mutable<PassDB>, enforcer: Mutable<Enforcer>) -> Self {
Authentication { Self {
state: None,
plain: Plain { passdb, enforcer } plain: Plain { passdb, enforcer }
} }
} }
@ -121,6 +120,29 @@ impl Authentication {
} }
} }
#[derive(Clone)]
pub struct Authentication {
state: Mutable<Option<String>>,
provider: Mutable<AuthenticationProvider>,
}
impl Authentication {
pub fn new(provider: Mutable<AuthenticationProvider>) -> Self {
Self {
state: Mutable::new(None),
provider: provider,
}
}
pub fn get_authzid(&self) -> Option<String> {
self.state.lock_ref().clone()
}
pub fn mechs(&self) -> Vec<&'static str> {
self.provider.lock_ref().mechs()
}
}
use crate::api::api; use crate::api::api;
impl api::authentication::Server for Authentication { impl api::authentication::Server for Authentication {
@ -154,11 +176,11 @@ impl api::authentication::Server for Authentication {
let data = pry!(params.get_initial_data()); let data = pry!(params.get_initial_data());
if let Ok(Which::Some(data)) = data.which() { if let Ok(Which::Some(data)) = data.which() {
let data = pry!(data); let data = pry!(data);
if let Ok((b, name)) = self.plain.step(data) { if let Ok((b, name)) = self.provider.lock_ref().plain.step(data) {
// If login was successful, also set the current authzid // If login was successful, also set the current authzid
if b { if b {
self.state = Some(name.to_string()); self.state.lock_mut().replace(name.to_string());
} }
let outcome = Outcome::value(b); let outcome = Outcome::value(b);
@ -188,7 +210,7 @@ impl api::authentication::Server for Authentication {
mut results: api::authentication::GetAuthzidResults) mut results: api::authentication::GetAuthzidResults)
-> ::capnp::capability::Promise<(), ::capnp::Error> -> ::capnp::capability::Promise<(), ::capnp::Error>
{ {
if let Some(zid) = &self.state { if let Some(zid) = self.state.lock_ref().deref() {
results.get().set_authzid(zid); results.get().set_authzid(zid);
} else { } else {
results.get().set_authzid(""); results.get().set_authzid("");

View File

@ -3,15 +3,23 @@ use std::fs::File;
use std::path::Path; use std::path::Path;
use std::io::{Read, Write}; use std::io::{Read, Write};
use slog::Logger;
use serde::{Serialize, Deserialize}; use serde::{Serialize, Deserialize};
use toml; use toml;
use futures_signals::signal::{ReadOnlyMutable}; use futures_signals::signal::Mutable;
use casbin::Enforcer;
use crate::error::Result; use crate::error::Result;
use crate::config::Config; use crate::config::Config;
use crate::api::api; use crate::api::api;
use crate::access::Permissions;
use capnp::capability::Promise;
use capnp::Error;
use capnp_rpc::Server;
use uuid::Uuid;
/// Status of a Machine /// Status of a Machine
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize)] #[derive(PartialEq, Eq, Debug, Serialize, Deserialize)]
@ -25,37 +33,146 @@ pub enum Status {
} }
#[derive(Clone)] #[derive(Clone)]
pub struct Machines; pub struct Machines {
log: Logger,
mdb: Mutable<MachineDB>,
perm: Permissions
}
impl Machines {
pub fn new(log: Logger, mdb: Mutable<MachineDB>, perm: Permissions) -> Self {
Self { log, mdb, perm }
}
}
impl api::machines::Server for Machines { impl api::machines::Server for Machines {
fn manage(&mut self,
params: api::machines::ManageParams,
mut results: api::machines::ManageResults)
-> Promise<(), Error>
{
let params = pry!(params.get());
let uuid_s = pry!(params.get_uuid());
let uuid = uuid_from_api(uuid_s);
let db = self.mdb.lock_ref();
if let Some(m) = db.get(&uuid) {
let manager = MachineManager::new(uuid, self.mdb.clone());
if self.perm.enforce(&m.perm, "manage") {
let mut b = results.get();
let mngr = api::machines::manage::ToClient::new(manager).into_client::<Server>();
b.set_manage(mngr);
Promise::ok(())
} else {
Promise::err(Error::failed("Permission denied".to_string()))
}
} else {
Promise::err(Error::failed("No such machine".to_string()))
}
}
fn use_(&mut self,
params: api::machines::UseParams,
mut results: api::machines::UseResults)
-> Promise<(), Error>
{
let params = pry!(params.get());
let uuid_s = pry!(params.get_uuid());
let uuid = uuid_from_api(uuid_s);
let mdb = self.mdb.lock_ref();
if let Some(m) = mdb.get(&uuid) {
Promise::ok(())
} else {
Promise::err(Error::failed("No such machine".to_string()))
}
}
}
// FIXME: Test this exhaustively!
fn uuid_from_api(uuid: api::u_u_i_d::Reader) -> Uuid {
let uuid0 = uuid.get_uuid0() as u128;
let uuid1 = uuid.get_uuid1() as u128;
let num: u128 = (uuid1 << 64) + uuid0;
Uuid::from_u128(num)
}
fn api_from_uuid(uuid: Uuid, mut wr: api::u_u_i_d::Builder) {
let num = uuid.to_u128_le();
let uuid0 = num as u64;
let uuid1 = (num >> 64) as u64;
wr.set_uuid0(uuid0);
wr.set_uuid1(uuid1);
}
#[derive(Clone)]
pub struct MachineManager {
mdb: Mutable<MachineDB>,
uuid: Uuid,
}
impl MachineManager {
pub fn new(uuid: Uuid, mdb: Mutable<MachineDB>) -> Self {
Self { mdb, uuid }
}
}
impl api::machines::manage::Server for MachineManager {
fn set_blocked(&mut self,
params: api::machines::manage::SetBlockedParams,
mut results: api::machines::manage::SetBlockedResults)
-> Promise<(), Error>
{
let mut db = self.mdb.lock_mut();
if let Some(m) = db.get_mut(&self.uuid) {
let params = pry!(params.get());
let blocked = params.get_blocked();
m.set_blocked(blocked);
Promise::ok(())
} else {
Promise::err(Error::failed("No such machine".to_string()))
}
}
} }
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize)] #[derive(PartialEq, Eq, Debug, Serialize, Deserialize)]
pub struct Machine { pub struct Machine {
pub name: String,
pub location: String, pub location: String,
pub status: Status, pub status: Status,
pub perm: String,
} }
impl Machine { impl Machine {
pub fn new(location: String) -> Machine { pub fn new(name: String, location: String, perm: String) -> Machine {
Machine { Machine {
name: name,
location: location, location: location,
status: Status::Free, status: Status::Free,
perm: perm,
}
}
pub fn set_blocked(&mut self, blocked: bool) {
if blocked {
self.status = Status::Blocked;
} else {
self.status = Status::Free;
} }
} }
} }
pub type MachineDB = HashMap<Name, Machine>; pub type MachineDB = HashMap<Uuid, Machine>;
type Name = String;
pub fn init(config: &Config) -> Result<MachineDB> { pub fn init(config: &Config) -> Result<MachineDB> {
if config.machinedb.is_file() { if config.machinedb.is_file() {
let mut fp = File::open(&config.machinedb)?; let mut fp = File::open(&config.machinedb)?;
let mut content = String::new(); let mut content = String::new();
fp.read_to_string(&mut content)?; fp.read_to_string(&mut content)?;
let map: HashMap<Name, Machine> = toml::from_str(&content)?; let map = toml::from_str(&content)?;
return Ok(map); return Ok(map);
} else { } else {
return Ok(HashMap::new()); return Ok(HashMap::new());

View File

@ -13,8 +13,6 @@ mod config;
mod error; mod error;
mod machine; mod machine;
use std::ops::Deref;
use api::api as api_capnp; use api::api as api_capnp;
use futures::prelude::*; use futures::prelude::*;
@ -45,10 +43,8 @@ fn main() {
let p = auth::open_passdb(&config.passdb).unwrap(); let p = auth::open_passdb(&config.passdb).unwrap();
let p = Mutable::new(p); let p = Mutable::new(p);
let auth = auth::Authentication::new(p, enf.clone()); let authp = auth::AuthenticationProvider::new(p, enf.clone());
let authp = Mutable::new(authp);
let perm = access::Permissions;
let mach = machine::Machines;
use std::net::ToSocketAddrs; use std::net::ToSocketAddrs;
let args: Vec<String> = ::std::env::args().collect(); let args: Vec<String> = ::std::env::args().collect();
@ -66,8 +62,12 @@ fn main() {
let mut incoming = listener.incoming(); let mut incoming = listener.incoming();
while let Some(socket) = incoming.next().await { while let Some(socket) = incoming.next().await {
let socket = socket?; let socket = socket?;
let rpc_system = api::process_socket(auth.clone(), perm.clone(), mach.clone(), socket); // TODO: Prettify session handling
machine::save(&config, &m.lock_ref()).expect("MachineDB save"); let auth = auth::Authentication::new(authp.clone());
let perm = access::Permissions::new(enf.clone(), auth.clone());
let mach = machine::Machines::new(m.clone(), perm.clone());
let rpc_system = api::process_socket(auth, perm, mach, socket);
spawner.spawn_local_obj( spawner.spawn_local_obj(
Box::pin(rpc_system.map_err(|e| println!("error: {:?}", e)).map(|_|())).into()).expect("spawn") Box::pin(rpc_system.map_err(|e| println!("error: {:?}", e)).map(|_|())).into()).expect("spawn")
} }