diff options
author | Katharina Fey <kookie@spacekookie.de> | 2018-08-06 15:46:57 +0200 |
---|---|---|
committer | Katharina Fey <kookie@spacekookie.de> | 2018-08-06 15:46:57 +0200 |
commit | 24da2df81265ddfbbeb7dd10fd59eb828afa41b8 (patch) | |
tree | ced252085b35d8fc24f36c18d9eb07e6d375b3d4 | |
parent | 0231f3963c655e8ed99b6139a98aa15f018d7227 (diff) |
Doing some file management, moving stuff around
-rw-r--r-- | lockchain-core/src/crypto/keystore.rs | 8 | ||||
-rw-r--r-- | lockchain-core/src/crypto/mod.rs | 9 | ||||
-rw-r--r-- | lockchain-core/src/crypto/passwords/mod.rs | 7 | ||||
-rw-r--r-- | lockchain-core/src/crypto/secrets.rs | 25 | ||||
-rw-r--r-- | lockchain-core/src/crypto/store.rs | 15 | ||||
-rw-r--r-- | lockchain-core/src/crypto/utils/encoding.rs (renamed from lockchain-core/src/crypto/encoding.rs) | 0 | ||||
-rw-r--r-- | lockchain-core/src/crypto/utils/hashing.rs (renamed from lockchain-core/src/crypto/hashing.rs) | 0 | ||||
-rw-r--r-- | lockchain-core/src/crypto/utils/mod.rs | 5 | ||||
-rw-r--r-- | lockchain-core/src/crypto/utils/random.rs (renamed from lockchain-core/src/crypto/random.rs) | 0 | ||||
-rw-r--r-- | lockchain-core/src/lib.rs | 78 | ||||
-rw-r--r-- | lockchain-core/src/users/auth.rs | 65 | ||||
-rw-r--r-- | lockchain-core/src/users/mod.rs | 6 | ||||
-rw-r--r-- | lockchain-crypto/Cargo.toml | 2 | ||||
-rw-r--r-- | lockchain-server/Cargo.toml | 2 |
14 files changed, 136 insertions, 86 deletions
diff --git a/lockchain-core/src/crypto/keystore.rs b/lockchain-core/src/crypto/keystore.rs index 0f19e30..71d7be2 100644 --- a/lockchain-core/src/crypto/keystore.rs +++ b/lockchain-core/src/crypto/keystore.rs @@ -1,4 +1,10 @@ -//! A utility keystore module for the lockchain ecosystem +//! A keystore is a specific implementation of a metadata store +//! +//! At it's core it provides three simple functions +//! +//! - Adding keys for a user +//! - Removing keys +//! - Retrieving keys use traits::{AutoEncoder, Base64AutoEncoder}; use {crypto::Key, meta::MetaDomain}; diff --git a/lockchain-core/src/crypto/mod.rs b/lockchain-core/src/crypto/mod.rs index 671cff0..ad9c0e1 100644 --- a/lockchain-core/src/crypto/mod.rs +++ b/lockchain-core/src/crypto/mod.rs @@ -2,7 +2,6 @@ //! //! -mod data; /// We re-export keybob's API here mod keys { @@ -13,11 +12,11 @@ mod keys { impl AutoEncoder for KeyType {} } -// pub mod passwords; -pub mod encoding; +mod data; +mod utils; +pub use utils::*; pub mod keystore; -pub mod hashing; -pub mod random; +pub mod store; pub use self::data::PackedData; pub use self::keystore::KeyStore; diff --git a/lockchain-core/src/crypto/passwords/mod.rs b/lockchain-core/src/crypto/passwords/mod.rs deleted file mode 100644 index 331ec9d..0000000 --- a/lockchain-core/src/crypto/passwords/mod.rs +++ /dev/null @@ -1,7 +0,0 @@ -//! A series of password generators for user-facing applications - - - -pub enum PwType { - -} diff --git a/lockchain-core/src/crypto/secrets.rs b/lockchain-core/src/crypto/secrets.rs new file mode 100644 index 0000000..87e2c13 --- /dev/null +++ b/lockchain-core/src/crypto/secrets.rs @@ -0,0 +1,25 @@ + +/// Specifies the type of secret that's used to derive a vault user secret +pub enum SecretType { + /// A simple password + Plain, + /// A keyfile that allows asymetric trust operations + Keyfile, + /// Signing a user password with the id of a yubikey + Combine, +} + +/// The backing secret for user authentication +/// +/// This is _always_ in a non-recoverable form, i.e. a hash +/// and salted password. **However** it does reveal something +/// about the user setup, i.e. the type of secret used. +/// +/// Depending on what secret is used, there are other operations that +/// might be supported to verify operations. For example, a `Keyfile` +/// secret can deposit the entire public key in the `content` field, +/// then use asymmetric operations to verify operations more thoroughly. +pub struct UserSecret { + type: SecretType, + content: String, +} diff --git a/lockchain-core/src/crypto/store.rs b/lockchain-core/src/crypto/store.rs new file mode 100644 index 0000000..f57359d --- /dev/null +++ b/lockchain-core/src/crypto/store.rs @@ -0,0 +1,15 @@ + +use std::collections::HashMap; + +/// A thin user keystore +/// +/// It's implementation can manage multiple keys per user, of various +/// types and constrained for limited access rights. +pub struct KeyStore { + +} + +struct StoreUser { + name: String, + HashMap< +}
\ No newline at end of file diff --git a/lockchain-core/src/crypto/encoding.rs b/lockchain-core/src/crypto/utils/encoding.rs index 0c49490..0c49490 100644 --- a/lockchain-core/src/crypto/encoding.rs +++ b/lockchain-core/src/crypto/utils/encoding.rs diff --git a/lockchain-core/src/crypto/hashing.rs b/lockchain-core/src/crypto/utils/hashing.rs index 4a24a17..4a24a17 100644 --- a/lockchain-core/src/crypto/hashing.rs +++ b/lockchain-core/src/crypto/utils/hashing.rs diff --git a/lockchain-core/src/crypto/utils/mod.rs b/lockchain-core/src/crypto/utils/mod.rs new file mode 100644 index 0000000..d57689c --- /dev/null +++ b/lockchain-core/src/crypto/utils/mod.rs @@ -0,0 +1,5 @@ +//! A collection of common cryptography utilities. + +pub mod encoding; +pub mod random; +pub mod hashing;
\ No newline at end of file diff --git a/lockchain-core/src/crypto/random.rs b/lockchain-core/src/crypto/utils/random.rs index 7d31992..7d31992 100644 --- a/lockchain-core/src/crypto/random.rs +++ b/lockchain-core/src/crypto/utils/random.rs diff --git a/lockchain-core/src/lib.rs b/lockchain-core/src/lib.rs index cb02caf..a7b5b0c 100644 --- a/lockchain-core/src/lib.rs +++ b/lockchain-core/src/lib.rs @@ -1,27 +1,81 @@ -//! Common library types used in lockchain crates -#![feature(external_doc)] -#![doc(include = "../README.md")] +//! A common set of functions & types for the `lockchain` ecosystem. +//! +//! This crate by itself doesn't do much. It is meant to be used as the central +//! adapter between a variety of other crates from the `lockchain` ecosystem, +//! that all plug and interact with types and functions defined in this library. +//! +//! This documentation is meant as an outline of what the core crate does and how +//! you can use it, in combination with other libraries, in your application. +//! +//! ## Overview +//! +//! At it's centre, `lockchain-core` defines storage traits. These come in a few +//! forms, from `Vault`, being a very generic interface over what is meant as a +//! secure storage collection, to `Record`, being an individual record in such a +//! system. This means that both the nature of `Vault` and `Record` are generic +//! implementation details, left to you to pick for your application, depending on +//! what fits your needs. +//! +//! Additionally there are of course crypto primitives. `lockchain-core` exposes the +//! `keybob` API for generation and verification of clear text secrets that can be +//! padded to generate AES encryption keys. It adds a user management layer that provides +//! login, permissions as well as second-factor authentication (such as a yubikey). And it +//! provides an easy to use keystore, which binds encrypted keys to user identities, so that +//! encryption never has to be done outside of the users scope. +//! +//! --- +//! +//! ## Usage +//! +//! This means that there's no one way of using `lockchain-core`, instead there are other crates +//! that plug into it. Following is a list of crates, maintained by the `lockchain` team that +//! were designed to work seemlessly with `lockchain-core`. +//! +//! - `lockchain-crypto` is an adapter layer that adds the ability to stream-decrypt records from +//! any kind of vault +//! - `lockchain-files` is a storage adapter which implements a file-storage layer for a vault +//! - `lockchain-memory` is a storage adapter which implements a vault only in memory +//! - `lockchain-client` provides a shim layer between a common client interface and several server-facing +//! communication interfaces, such as `http` or `unix-sockets` +//! - `lockchain-http` provides an http shim on top of the core lockchain API's +//! - `lockchain-unix` provides a unix socket API shim, similar to the http layer +//! +//! The core principle behind lockchain's design was that the server can store encrypted files, without +//! having the capability of being made to decrypt them. That means that the code required +//! is physically not contained in the binary. +//! +//! Primarily this means that crypto is always done on the "client side", however this is up to _you_ to define. +//! Your application might have different needs than were envisioned for lockchain, and as such you can pick +//! and choose from features across the entire `lockchain` ecosystem to which fit your usecase best. +//! +//! ## Something missing? +//! +//! This crate ecosystem is still in active development. There are several projects that aim to use +//! the `lockchain` ecosystem for secure storage needs. As such, we hope to have covered most use cases +//! already. +//! +//! If we missed something, please let us know! #[macro_use] extern crate serde_derive; -extern crate serde_json; -extern crate serde; -extern crate chrono; -extern crate bcrypt; extern crate base64; +extern crate bcrypt; extern crate blake2; -extern crate rand; +extern crate chrono; extern crate keybob; extern crate nix; extern crate pam_auth; +extern crate rand; +extern crate serde; +extern crate serde_json; -pub mod errors; -pub mod traits; pub mod crypto; -pub mod users; +pub mod errors; mod meta; mod record; +pub mod traits; +pub mod users; pub use self::crypto::PackedData; -pub use self::record::{Header, Payload, Record, EncryptedBody}; pub use self::meta::{MetaDomain, VaultMetadata}; +pub use self::record::{EncryptedBody, Header, Payload, Record}; diff --git a/lockchain-core/src/users/auth.rs b/lockchain-core/src/users/auth.rs index aee3be1..1a8758c 100644 --- a/lockchain-core/src/users/auth.rs +++ b/lockchain-core/src/users/auth.rs @@ -3,9 +3,6 @@ //! The way a user is authenticated is via the `lockchain` group //! and a simple writing/ deleting of a lock file. -// use nix::sys::wait::*; -// use nix::unistd::{fork, ForkResult}; - use pam_auth::Authenticator; use errors::AuthError; @@ -23,60 +20,10 @@ use errors::AuthError; /// yet due to issues in the `pam-auth` dependency. #[allow(unused_variables)] pub fn pam_authenticate(username: &str, password: &str) -> Result<(), AuthError> { - // Err(AuthError::FailedPAM) - - // match fork().map_err(|_| AuthError::FailedFork)? { - // ForkResult::Parent { child } => { - // waitpid(child, None).unwrap(); - // // kill(child, SIGKILL).expect("kill failed"); - // } - // ForkResult::Child => { - // let mut auth = Authenticator::new("lockchain").ok_or(AuthError::FailedPAM)?; - - use std::error::Error; - let service = "lockchain-core"; - - println!("Username: {}", username); - println!("Password: {}", password); - println!("Service: {}", service); - - let mut auth = Authenticator::new(service).unwrap(); - auth.set_credentials(username, password); - - match auth.authenticate() { - Ok(()) => println!("authenticate() OK!"), - Err(e) => { - println!("authenticate() FAILED!"); - println!("{}", e.description()); - println!("{:#?}", e.cause()); - } - } - - match auth.open_session() { - Ok(()) => println!("open_session() OK!"), - Err(e) => { - println!("open_session() FAILED!"); - println!("{}", e.description()); - println!("{:#?}", e.cause()); - } - } - - Ok(()) - - // auth.set_credentials(username, password); - // auth.authenticate().map_err(|_| AuthError::InvalidUser)?; - // auth.open_session().map_err(|_| AuthError::FailedPAM)?; - - // use std::process::Command; - // let output = Command::new("su") - // .arg(username) - // .output() - // .expect("failed to execute process"); - // println!("whoami: {:#?}", String::from_utf8(output.stdout).unwrap()); - - // ::std::process::exit(255); - // } - // } - - // Ok(()) + unimplemented!() } + +/// Tbd... +pub fn yubikey_authenticate(username: &str, yubi_id: &str) -> Result<(), AuthError> { + unimplemented!() +}
\ No newline at end of file diff --git a/lockchain-core/src/users/mod.rs b/lockchain-core/src/users/mod.rs index 03cbcb4..338cc5e 100644 --- a/lockchain-core/src/users/mod.rs +++ b/lockchain-core/src/users/mod.rs @@ -82,6 +82,12 @@ impl User { pub fn verify(&self, pw: &str) -> bool { self.pw_hash == encoding::base64_encode(&hashing::blake2(pw, &self.name).to_vec()) } + /// Provides a hook to use second-factor authentication to authorise + /// + /// This is meant to be used with an external Yubikey + pub fn second_auth_verify(&mut self) -> bool { + unimplemented!() + } /// Generate a token unique to this user (or return the existing one) pub fn token(&mut self) -> String { if self.token.is_none() { diff --git a/lockchain-crypto/Cargo.toml b/lockchain-crypto/Cargo.toml index acf31b5..656f60f 100644 --- a/lockchain-crypto/Cargo.toml +++ b/lockchain-crypto/Cargo.toml @@ -9,7 +9,7 @@ version = "0.8.1-alpha.0" authors = ["Katharina Fey <kookie@spacekookie.de>"] [dependencies] -lockchain-core = { version = "0.9.0" } #, path = "../lockchain-core" } +lockchain-core = { version = "0.9.0", path = "../lockchain-core" } serde_derive = "1.0" serde = "1.0" diff --git a/lockchain-server/Cargo.toml b/lockchain-server/Cargo.toml index 7398ea2..1fa3a32 100644 --- a/lockchain-server/Cargo.toml +++ b/lockchain-server/Cargo.toml @@ -5,7 +5,7 @@ authors = ["Katharina Fey <kookie@spacekookie.de>"] [dependencies] lockchain-core = { path = "../lockchain-core" } -lockchain-files ={ path = "../lockchain-files" } +lockchain-files = { path = "../lockchain-files" } lockchain-http = { path = "../lockchain-http" } clap = "2.0" |