vmario/fabaccess-bffh
1
0
Fork 0
mirror of https://gitlab.com/fabinfra/fabaccess/bffh.git synced 2024-09-21 11:40:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

Status commit

Browse Source
This commit is contained in:
Gregor Reitzenstein 2020-11-24 14:16:22 +01:00
parent 9227b632e4
commit b203edf206
10 changed files with 580 additions and 588 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

995
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

5
Cargo.toml
View File

@ -55,5 +55,10 @@ lmdb-rkv = "0.14"
async-trait = "0.1"
lazy_static = "1.4.0"
rust-argon2 = "0.8"
rand = "0.7"
[build-dependencies]
capnpc = "0.13"

52
src/api/auth.rs
View File

@ -172,58 +172,34 @@ impl auth_capnp::authentication::Server for Auth {
// somewhere and pass it somewhere else and in between don't check if it's the right type and
// accidentally pass the authzid where the authcid should have gone.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
/// Authentication Identity
///
/// Under the hood a string because the form depends heavily on the method
struct AuthCId(String);
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
/// Authorization Identity
///
/// This identity is internal to FabAccess and completely independent from the authentication
/// method or source
struct AuthZId {
/// Main User ID. Generally an user name or similar
uid: String,
/// Sub user ID.
///
/// Can change scopes for permissions, e.g. having a +admin account with more permissions than
/// the default account and +dashboard et.al. accounts that have restricted permissions for
/// their applications
subuid: String,
/// Realm this account originates.
///
/// The Realm is usually described by a domain name but local policy may dictate an unrelated
/// mapping
realm: String,
}
// What is a man?! A miserable little pile of secrets!
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
/// Authentication/Authorization user object.
///
/// This struct contains the user as is passed to the actual authentication/authorization
/// subsystems
/// This struct describes the user as can be gathered from API authentication exchanges.
/// Specifically this is the value bffh gets after a successful authentication.
///
pub struct User {
pub struct AuthenticationData {
/// Contains the Authentication ID used
///
/// The authentication ID is an identifier for the authentication exchange. This is different
/// than the ID of the user to be authenticated; for example when using x509 the authcid is
/// the dn of the certificate, when using GSSAPI the authcid is of form `<userid>@<REALM>`
authcid: AuthCId,
/// The authentication ID is an identifier for the authentication exchange. This is
/// conceptually different than the ID of the user to be authenticated; for example when using
/// x509 the authcid is the dn of the certificate, when using GSSAPI the authcid is of form
/// `<ID>@<REALM>`
authcid: String,
/// Contains the Authorization ID
/// Authorization ID
///
/// This is the identifier of the user to *authenticate as*. This in several cases is different
/// to the `authcid`:
/// The authzid represents the identity that a client wants to act as. In our case this is
/// always an user id. If unset no preference is indicated and the server will authenticate the
/// client as whatever user — if any — they associate with the authcid. Setting the authzid is
/// useful in a number if situations:
/// If somebody wants to authenticate as somebody else, su-style.
/// If a person wants to authenticate as a higher-permissions account, e.g. foo may set authzid foo+admin
/// to split normal user and "admin" accounts.
/// If a method requires a specific authcid that is different from the identifier of the user
/// to authenticate as, e.g. GSSAPI, x509 client certificates, API TOKEN authentication.
authzid: AuthZId,
authzid: String,
/// Contains the authentication method used
///

21
src/connection.rs
View File

@ -13,20 +13,33 @@ use capnp_rpc::{twoparty, rpc_twoparty_capnp};
use crate::schema::connection_capnp;
use crate::db::Databases;
use crate::db::access::{AccessControl, Permission};
use crate::builtin;
#[derive(Debug, Clone)]
/// Connection context
// TODO this should track over several connections
pub struct Session {
// Session-spezific log
pub log: Logger,
pub user: Option<auth::User>,
authz_data: Option<AuthorizationContext>,
accessdb: Arc<AccessControl>,
}
impl Session {
pub fn new(log: Logger) -> Self {
pub fn new(log: Logger, accessdb: Arc<AccessControl>) -> Self {
let user = None;
Session { log, user }
Session { log, user, accessdb }
}
/// Check if the current session has a certain permission
pub async fn check_permission<P: AsRef<Permission>>(&self, perm: &P) -> Result<bool> {
if let Some(user) = self.user.as_ref() {
self.accessdb.check(user, perm).await
} else {
self.accessdb.check_roles(builtin::DEFAULT_ROLEIDS, perm).await
}
}
}
@ -61,7 +74,7 @@ pub async fn handle_connection(log: Logger, mut stream: TcpStream, db: Databases
handshake(&log, &mut stream).await?;
info!(log, "New connection from on {:?}", stream);
let session = Arc::new(Session::new(log));
let session = Arc::new(Session::new(log, db.access.clone()));
let boots = Bootstrap::new(session, db);
let rpc: connection_capnp::bootstrap::Client = capnp_rpc::new_client(boots);

3
src/db.rs
View File

@ -15,6 +15,9 @@ pub mod user;
/// Stores&Retrieves Machines
pub mod machine;
/// Authenticate users
pub mod pass;
#[derive(Clone)]
pub struct Databases {
pub access: Arc<access::AccessControl>,

32
src/db/access.rs
View File

@ -58,9 +58,33 @@ impl AccessControl {
return Ok(false);
}
pub async fn check_roles<P: AsRef<Permission>>(&self, roles: &[RoleIdentifier], perm: &P)
-> Result<bool>
{
for v in self.sources.values() {
if v.check_roles(roles, perm.as_ref())? {
return Ok(true);
}
}
return Ok(false);
}
}
impl fmt::Debug for AccessControl {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let b = f.debug_struct("AccessControl");
for (name, roledb) in self.sources.iter() {
b.field(name, &roledb.get_type_name().to_string());
}
b.finish()
}
}
pub trait RoleDB {
fn get_type_name(&self) -> &'static str;
fn get_role(&self, roleID: &RoleIdentifier) -> Result<Option<Role>>;
/// Check if a given user has the given permission
@ -130,8 +154,6 @@ pub trait RoleDB {
/// assign to all users.
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub struct Role {
name: String,
// If a role doesn't define parents, default to an empty Vec.
#[serde(default, skip_serializing_if = "Vec::is_empty")]
/// A Role can have parents, inheriting all permissions
@ -328,6 +350,10 @@ impl PermissionBuf {
Self { inner }
}
pub fn from_perm(perm: &Permission) -> Self {
Self { inner: perm.inner.to_string() }
}
pub fn into_string(self) -> String {
self.inner
}
@ -368,7 +394,7 @@ pub struct Permission {
inner: str
}
impl Permission {
pub fn new<S: AsRef<str> + ?Sized>(s: &S) -> &Permission {
pub const fn new<S: AsRef<str> + ?Sized>(s: &S) -> &Permission {
unsafe { &*(s.as_ref() as *const str as *const Permission) }
}

4
src/db/access/internal.rs
View File

@ -150,6 +150,10 @@ impl Internal {
}
impl RoleDB for Internal {
fn get_type_name(&self) -> &'static str {
"Internal"
}
fn check(&self, user: &User, perm: &Permission) -> Result<bool> {
let txn = self.env.begin_ro_txn()?;
self._check(&txn, user, &perm)

48
src/db/user.rs
View File

@ -5,7 +5,7 @@ use std::collections::HashMap;
/// A Person, from the Authorization perspective
#[derive(PartialEq, Eq, Debug, Clone, Serialize, Deserialize)]
pub struct User {
pub struct AuthzContext {
/// The identification of this user.
pub id: UserIdentifier,
@ -18,37 +18,16 @@ pub struct User {
kv: HashMap<Box<[u8]>, Box<[u8]>>,
}
/// Locally unique identifier for an user
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
pub struct UserIdentifier {
/// Main UID. Must be unique in this instance so that the tuple (uid, location) is globally
/// unique.
uid: String,
/// Subordinate ID. Must be unique for this user, i.e. the tuple (uid, subuid) must be unique
/// but two different uids can have the same subuid. `None` means no subuid is set and the ID
/// refers to the main users
subuid: Option<String>,
/// Location of the instance the user comes from. `None` means the local instance.
location: Option<String>,
}
impl UserIdentifier {
pub fn new(uid: String, subuid: Option<String>, location: Option<String>) -> Self {
Self { uid, subuid, location }
}
}
impl fmt::Display for UserIdentifier {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
let r = write!(f, "{}", self.uid);
let r = write!(f, "{}", self.uid)?;
if let Some(ref s) = self.subuid {
write!(f, "+{}", s)?;
}
if let Some(ref l) = self.location {
write!(f, "@{}", l)?;
}
r
Ok(r)
}
}
@ -56,24 +35,3 @@ impl fmt::Display for UserIdentifier {
pub trait UserDB {
fn get_user(&self, uid: UserIdentifier) -> Option<User>;
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn format_uid_test() {
let uid = "testuser".to_string();
let suid = "testsuid".to_string();
let location = "testloc".to_string();
assert_eq!("testuser",
format!("{}", UserIdentifier::new(uid.clone(), None, None)));
assert_eq!("testuser+testsuid",
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
assert_eq!("testuser+testsuid",
format!("{}", UserIdentifier::new(uid.clone(), Some(suid.clone()), None)));
assert_eq!("testuser+testsuid@testloc",
format!("{}", UserIdentifier::new(uid, Some(suid), Some(location))));
}
}

7
src/error.rs
View File

@ -24,6 +24,7 @@ pub enum Error {
MQTT(mqtt::Error),
Config(config::ConfigError),
BadVersion((u32,u32)),
Argon2(argon2::Error)
}
impl fmt::Display for Error {
@ -144,4 +145,10 @@ impl From<config::ConfigError> for Error {
}
}
impl From<argon2::Error> for Error {
fn from(e: argon2::Error) -> Error {
Error::Argon2(e)
}
}
pub(crate) type Result<T> = std::result::Result<T, Error>;

1
src/main.rs
View File

@ -17,6 +17,7 @@ mod registries;
mod schema;
mod db;
mod machine;
mod builtin;
use clap::{App, Arg};