mirror of
https://gitlab.com/fabinfra/fabaccess/bffh.git
synced 2024-11-21 22:47:55 +01:00
(Unfinished) v2 implementation
This commit is contained in:
parent
73134d2fe9
commit
6152639564
@ -27,5 +27,7 @@ serde = { version = "1.0", features = ["derive"] }
|
|||||||
|
|
||||||
casbin = "0.2"
|
casbin = "0.2"
|
||||||
|
|
||||||
|
uuid = { version = "0.8", features = ["serde", "v4"] }
|
||||||
|
|
||||||
[build-dependencies]
|
[build-dependencies]
|
||||||
capnpc = "0.12"
|
capnpc = "0.12"
|
||||||
|
@ -44,8 +44,18 @@ interface Diflouroborane {
|
|||||||
}
|
}
|
||||||
|
|
||||||
struct UUID {
|
struct UUID {
|
||||||
lsg @0 :UInt64; # least significant
|
# UUID type used to identify machines.
|
||||||
msg @1 :UInt64; # most significant
|
# Since the exact value has no meaning the encoding rules are not too relevant, but it is
|
||||||
|
# paramount that you are consistent when encoding and decoding this type.
|
||||||
|
#
|
||||||
|
# Consider using this algorithm for assembling the 128-bit integer:
|
||||||
|
# uint128_t uuid = (uuid1 << 64) + uuid0;
|
||||||
|
# And then respectively this code for deconstructing it:
|
||||||
|
# uint64_t uuid0 = (uint64_t num);
|
||||||
|
# uint64_t uuid1 = (uint64_t (num >> 64));
|
||||||
|
|
||||||
|
uuid0 @0 :UInt64;
|
||||||
|
uuid1 @1 :UInt64;
|
||||||
}
|
}
|
||||||
|
|
||||||
interface Machines {
|
interface Machines {
|
||||||
|
@ -5,17 +5,38 @@ use casbin::prelude::*;
|
|||||||
|
|
||||||
use super::config::Config;
|
use super::config::Config;
|
||||||
|
|
||||||
|
use futures_signals::signal::Mutable;
|
||||||
|
|
||||||
use crate::api::api;
|
use crate::api::api;
|
||||||
|
use crate::auth::Authentication;
|
||||||
|
use crate::error::Result;
|
||||||
|
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
pub struct Permissions;
|
pub struct Permissions {
|
||||||
|
pdb: Mutable<Enforcer>,
|
||||||
|
auth: Authentication,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Permissions {
|
||||||
|
pub fn new(pdb: Mutable<Enforcer>, auth: Authentication) -> Self {
|
||||||
|
Self { pdb, auth }
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn enforce(&self, object: &str, action: &str) -> bool {
|
||||||
|
if let Some(actor) = self.auth.get_authzid() {
|
||||||
|
self.pdb.lock_ref().enforce(vec![&actor,object,action]).unwrap()
|
||||||
|
} else {
|
||||||
|
false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
impl api::permissions::Server for Permissions {
|
impl api::permissions::Server for Permissions {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// This line documents init
|
/// This line documents init
|
||||||
pub async fn init(config: &Config) -> Result<Enforcer, Box<dyn std::error::Error>> {
|
pub async fn init(config: &Config) -> std::result::Result<Enforcer, Box<dyn std::error::Error>> {
|
||||||
let model = Model::from_file(config.access.model.clone()).await?;
|
let model = Model::from_file(config.access.model.clone()).await?;
|
||||||
let adapter = Box::new(FileAdapter::new(config.access.policy.clone()));
|
let adapter = Box::new(FileAdapter::new(config.access.policy.clone()));
|
||||||
|
|
||||||
|
44
src/auth.rs
44
src/auth.rs
@ -9,6 +9,7 @@ use std::error::Error;
|
|||||||
use std::path::Path;
|
use std::path::Path;
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
use std::io::{Read, Write};
|
use std::io::{Read, Write};
|
||||||
|
use std::ops::Deref;
|
||||||
|
|
||||||
use futures_signals::signal::Mutable;
|
use futures_signals::signal::Mutable;
|
||||||
use casbin::Enforcer;
|
use casbin::Enforcer;
|
||||||
@ -50,7 +51,7 @@ pub fn open_passdb(path: &Path) -> Option<PassDB> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
struct Plain {
|
pub struct Plain {
|
||||||
// FIXME: I don't want to store passwords.
|
// FIXME: I don't want to store passwords.
|
||||||
passdb: Mutable<PassDB>,
|
passdb: Mutable<PassDB>,
|
||||||
enforcer: Mutable<Enforcer>,
|
enforcer: Mutable<Enforcer>,
|
||||||
@ -102,16 +103,14 @@ pub fn split_nul(string: &str) -> Option<(&str, &str, &str)> {
|
|||||||
Some((a,b,c))
|
Some((a,b,c))
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone)]
|
|
||||||
pub struct Authentication {
|
pub struct AuthenticationProvider {
|
||||||
state: Option<String>,
|
pub plain: Plain,
|
||||||
plain: Plain,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Authentication {
|
impl AuthenticationProvider {
|
||||||
pub fn new(passdb: Mutable<PassDB>, enforcer: Mutable<Enforcer>) -> Self {
|
pub fn new(passdb: Mutable<PassDB>, enforcer: Mutable<Enforcer>) -> Self {
|
||||||
Authentication {
|
Self {
|
||||||
state: None,
|
|
||||||
plain: Plain { passdb, enforcer }
|
plain: Plain { passdb, enforcer }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -121,6 +120,29 @@ impl Authentication {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(Clone)]
|
||||||
|
pub struct Authentication {
|
||||||
|
state: Mutable<Option<String>>,
|
||||||
|
provider: Mutable<AuthenticationProvider>,
|
||||||
|
}
|
||||||
|
impl Authentication {
|
||||||
|
pub fn new(provider: Mutable<AuthenticationProvider>) -> Self {
|
||||||
|
Self {
|
||||||
|
state: Mutable::new(None),
|
||||||
|
provider: provider,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn get_authzid(&self) -> Option<String> {
|
||||||
|
self.state.lock_ref().clone()
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn mechs(&self) -> Vec<&'static str> {
|
||||||
|
self.provider.lock_ref().mechs()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
use crate::api::api;
|
use crate::api::api;
|
||||||
|
|
||||||
impl api::authentication::Server for Authentication {
|
impl api::authentication::Server for Authentication {
|
||||||
@ -154,11 +176,11 @@ impl api::authentication::Server for Authentication {
|
|||||||
let data = pry!(params.get_initial_data());
|
let data = pry!(params.get_initial_data());
|
||||||
if let Ok(Which::Some(data)) = data.which() {
|
if let Ok(Which::Some(data)) = data.which() {
|
||||||
let data = pry!(data);
|
let data = pry!(data);
|
||||||
if let Ok((b, name)) = self.plain.step(data) {
|
if let Ok((b, name)) = self.provider.lock_ref().plain.step(data) {
|
||||||
|
|
||||||
// If login was successful, also set the current authzid
|
// If login was successful, also set the current authzid
|
||||||
if b {
|
if b {
|
||||||
self.state = Some(name.to_string());
|
self.state.lock_mut().replace(name.to_string());
|
||||||
}
|
}
|
||||||
|
|
||||||
let outcome = Outcome::value(b);
|
let outcome = Outcome::value(b);
|
||||||
@ -188,7 +210,7 @@ impl api::authentication::Server for Authentication {
|
|||||||
mut results: api::authentication::GetAuthzidResults)
|
mut results: api::authentication::GetAuthzidResults)
|
||||||
-> ::capnp::capability::Promise<(), ::capnp::Error>
|
-> ::capnp::capability::Promise<(), ::capnp::Error>
|
||||||
{
|
{
|
||||||
if let Some(zid) = &self.state {
|
if let Some(zid) = self.state.lock_ref().deref() {
|
||||||
results.get().set_authzid(zid);
|
results.get().set_authzid(zid);
|
||||||
} else {
|
} else {
|
||||||
results.get().set_authzid("");
|
results.get().set_authzid("");
|
||||||
|
133
src/machine.rs
133
src/machine.rs
@ -3,15 +3,23 @@ use std::fs::File;
|
|||||||
use std::path::Path;
|
use std::path::Path;
|
||||||
use std::io::{Read, Write};
|
use std::io::{Read, Write};
|
||||||
|
|
||||||
|
use slog::Logger;
|
||||||
|
|
||||||
use serde::{Serialize, Deserialize};
|
use serde::{Serialize, Deserialize};
|
||||||
use toml;
|
use toml;
|
||||||
|
|
||||||
use futures_signals::signal::{ReadOnlyMutable};
|
use futures_signals::signal::Mutable;
|
||||||
use casbin::Enforcer;
|
|
||||||
|
|
||||||
use crate::error::Result;
|
use crate::error::Result;
|
||||||
use crate::config::Config;
|
use crate::config::Config;
|
||||||
use crate::api::api;
|
use crate::api::api;
|
||||||
|
use crate::access::Permissions;
|
||||||
|
|
||||||
|
use capnp::capability::Promise;
|
||||||
|
use capnp::Error;
|
||||||
|
use capnp_rpc::Server;
|
||||||
|
|
||||||
|
use uuid::Uuid;
|
||||||
|
|
||||||
/// Status of a Machine
|
/// Status of a Machine
|
||||||
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize)]
|
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize)]
|
||||||
@ -25,37 +33,146 @@ pub enum Status {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[derive(Clone)]
|
#[derive(Clone)]
|
||||||
pub struct Machines;
|
pub struct Machines {
|
||||||
|
log: Logger,
|
||||||
|
mdb: Mutable<MachineDB>,
|
||||||
|
perm: Permissions
|
||||||
|
}
|
||||||
|
|
||||||
|
impl Machines {
|
||||||
|
pub fn new(log: Logger, mdb: Mutable<MachineDB>, perm: Permissions) -> Self {
|
||||||
|
Self { log, mdb, perm }
|
||||||
|
}
|
||||||
|
}
|
||||||
impl api::machines::Server for Machines {
|
impl api::machines::Server for Machines {
|
||||||
|
fn manage(&mut self,
|
||||||
|
params: api::machines::ManageParams,
|
||||||
|
mut results: api::machines::ManageResults)
|
||||||
|
-> Promise<(), Error>
|
||||||
|
{
|
||||||
|
let params = pry!(params.get());
|
||||||
|
let uuid_s = pry!(params.get_uuid());
|
||||||
|
|
||||||
|
let uuid = uuid_from_api(uuid_s);
|
||||||
|
|
||||||
|
let db = self.mdb.lock_ref();
|
||||||
|
|
||||||
|
if let Some(m) = db.get(&uuid) {
|
||||||
|
let manager = MachineManager::new(uuid, self.mdb.clone());
|
||||||
|
|
||||||
|
if self.perm.enforce(&m.perm, "manage") {
|
||||||
|
let mut b = results.get();
|
||||||
|
let mngr = api::machines::manage::ToClient::new(manager).into_client::<Server>();
|
||||||
|
b.set_manage(mngr);
|
||||||
|
Promise::ok(())
|
||||||
|
} else {
|
||||||
|
Promise::err(Error::failed("Permission denied".to_string()))
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
Promise::err(Error::failed("No such machine".to_string()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn use_(&mut self,
|
||||||
|
params: api::machines::UseParams,
|
||||||
|
mut results: api::machines::UseResults)
|
||||||
|
-> Promise<(), Error>
|
||||||
|
{
|
||||||
|
let params = pry!(params.get());
|
||||||
|
let uuid_s = pry!(params.get_uuid());
|
||||||
|
let uuid = uuid_from_api(uuid_s);
|
||||||
|
|
||||||
|
let mdb = self.mdb.lock_ref();
|
||||||
|
if let Some(m) = mdb.get(&uuid) {
|
||||||
|
Promise::ok(())
|
||||||
|
} else {
|
||||||
|
Promise::err(Error::failed("No such machine".to_string()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// FIXME: Test this exhaustively!
|
||||||
|
fn uuid_from_api(uuid: api::u_u_i_d::Reader) -> Uuid {
|
||||||
|
let uuid0 = uuid.get_uuid0() as u128;
|
||||||
|
let uuid1 = uuid.get_uuid1() as u128;
|
||||||
|
let num: u128 = (uuid1 << 64) + uuid0;
|
||||||
|
Uuid::from_u128(num)
|
||||||
|
}
|
||||||
|
fn api_from_uuid(uuid: Uuid, mut wr: api::u_u_i_d::Builder) {
|
||||||
|
let num = uuid.to_u128_le();
|
||||||
|
let uuid0 = num as u64;
|
||||||
|
let uuid1 = (num >> 64) as u64;
|
||||||
|
wr.set_uuid0(uuid0);
|
||||||
|
wr.set_uuid1(uuid1);
|
||||||
|
}
|
||||||
|
|
||||||
|
#[derive(Clone)]
|
||||||
|
pub struct MachineManager {
|
||||||
|
mdb: Mutable<MachineDB>,
|
||||||
|
uuid: Uuid,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl MachineManager {
|
||||||
|
pub fn new(uuid: Uuid, mdb: Mutable<MachineDB>) -> Self {
|
||||||
|
Self { mdb, uuid }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
impl api::machines::manage::Server for MachineManager {
|
||||||
|
fn set_blocked(&mut self,
|
||||||
|
params: api::machines::manage::SetBlockedParams,
|
||||||
|
mut results: api::machines::manage::SetBlockedResults)
|
||||||
|
-> Promise<(), Error>
|
||||||
|
{
|
||||||
|
let mut db = self.mdb.lock_mut();
|
||||||
|
if let Some(m) = db.get_mut(&self.uuid) {
|
||||||
|
let params = pry!(params.get());
|
||||||
|
let blocked = params.get_blocked();
|
||||||
|
|
||||||
|
m.set_blocked(blocked);
|
||||||
|
Promise::ok(())
|
||||||
|
} else {
|
||||||
|
Promise::err(Error::failed("No such machine".to_string()))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize)]
|
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize)]
|
||||||
pub struct Machine {
|
pub struct Machine {
|
||||||
|
pub name: String,
|
||||||
pub location: String,
|
pub location: String,
|
||||||
pub status: Status,
|
pub status: Status,
|
||||||
|
pub perm: String,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Machine {
|
impl Machine {
|
||||||
pub fn new(location: String) -> Machine {
|
pub fn new(name: String, location: String, perm: String) -> Machine {
|
||||||
Machine {
|
Machine {
|
||||||
|
name: name,
|
||||||
location: location,
|
location: location,
|
||||||
status: Status::Free,
|
status: Status::Free,
|
||||||
|
perm: perm,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
pub fn set_blocked(&mut self, blocked: bool) {
|
||||||
|
if blocked {
|
||||||
|
self.status = Status::Blocked;
|
||||||
|
} else {
|
||||||
|
self.status = Status::Free;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub type MachineDB = HashMap<Name, Machine>;
|
pub type MachineDB = HashMap<Uuid, Machine>;
|
||||||
|
|
||||||
type Name = String;
|
|
||||||
|
|
||||||
pub fn init(config: &Config) -> Result<MachineDB> {
|
pub fn init(config: &Config) -> Result<MachineDB> {
|
||||||
if config.machinedb.is_file() {
|
if config.machinedb.is_file() {
|
||||||
let mut fp = File::open(&config.machinedb)?;
|
let mut fp = File::open(&config.machinedb)?;
|
||||||
let mut content = String::new();
|
let mut content = String::new();
|
||||||
fp.read_to_string(&mut content)?;
|
fp.read_to_string(&mut content)?;
|
||||||
let map: HashMap<Name, Machine> = toml::from_str(&content)?;
|
let map = toml::from_str(&content)?;
|
||||||
return Ok(map);
|
return Ok(map);
|
||||||
} else {
|
} else {
|
||||||
return Ok(HashMap::new());
|
return Ok(HashMap::new());
|
||||||
|
16
src/main.rs
16
src/main.rs
@ -13,8 +13,6 @@ mod config;
|
|||||||
mod error;
|
mod error;
|
||||||
mod machine;
|
mod machine;
|
||||||
|
|
||||||
use std::ops::Deref;
|
|
||||||
|
|
||||||
use api::api as api_capnp;
|
use api::api as api_capnp;
|
||||||
|
|
||||||
use futures::prelude::*;
|
use futures::prelude::*;
|
||||||
@ -45,10 +43,8 @@ fn main() {
|
|||||||
|
|
||||||
let p = auth::open_passdb(&config.passdb).unwrap();
|
let p = auth::open_passdb(&config.passdb).unwrap();
|
||||||
let p = Mutable::new(p);
|
let p = Mutable::new(p);
|
||||||
let auth = auth::Authentication::new(p, enf.clone());
|
let authp = auth::AuthenticationProvider::new(p, enf.clone());
|
||||||
|
let authp = Mutable::new(authp);
|
||||||
let perm = access::Permissions;
|
|
||||||
let mach = machine::Machines;
|
|
||||||
|
|
||||||
use std::net::ToSocketAddrs;
|
use std::net::ToSocketAddrs;
|
||||||
let args: Vec<String> = ::std::env::args().collect();
|
let args: Vec<String> = ::std::env::args().collect();
|
||||||
@ -66,8 +62,12 @@ fn main() {
|
|||||||
let mut incoming = listener.incoming();
|
let mut incoming = listener.incoming();
|
||||||
while let Some(socket) = incoming.next().await {
|
while let Some(socket) = incoming.next().await {
|
||||||
let socket = socket?;
|
let socket = socket?;
|
||||||
let rpc_system = api::process_socket(auth.clone(), perm.clone(), mach.clone(), socket);
|
// TODO: Prettify session handling
|
||||||
machine::save(&config, &m.lock_ref()).expect("MachineDB save");
|
let auth = auth::Authentication::new(authp.clone());
|
||||||
|
let perm = access::Permissions::new(enf.clone(), auth.clone());
|
||||||
|
let mach = machine::Machines::new(m.clone(), perm.clone());
|
||||||
|
|
||||||
|
let rpc_system = api::process_socket(auth, perm, mach, socket);
|
||||||
spawner.spawn_local_obj(
|
spawner.spawn_local_obj(
|
||||||
Box::pin(rpc_system.map_err(|e| println!("error: {:?}", e)).map(|_|())).into()).expect("spawn")
|
Box::pin(rpc_system.map_err(|e| println!("error: {:?}", e)).map(|_|())).into()).expect("spawn")
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user