diff options
author | Katharina Fey <kookie@spacekookie.de> | 2018-07-02 00:02:22 +0200 |
---|---|---|
committer | Katharina Fey <kookie@spacekookie.de> | 2018-07-02 00:02:22 +0200 |
commit | 99ff8f0ebae37069de690936f79c4d599851f952 (patch) | |
tree | 06d33db20cdd065e74334fef20096806a5b4f5d9 /lockchain-core | |
parent | d99d8bb4d9fb695f15256a8fe9a85136959e556b (diff) |
Big code change & refactoring commit
Move `token` into user module for lockchain-core. Start work on
a PAM authentication module which replaces the second layer
UserStore in API layer state (http being the only one for now).
This brings the `nix` and `pam-auth` dependencies, which unfortunately
currently don't work :(
Diffstat (limited to 'lockchain-core')
-rw-r--r-- | lockchain-core/Cargo.toml | 3 | ||||
-rw-r--r-- | lockchain-core/src/auth.rs | 88 | ||||
-rw-r--r-- | lockchain-core/src/lib.rs | 5 | ||||
-rw-r--r-- | lockchain-core/src/traits.rs | 12 | ||||
-rw-r--r-- | lockchain-core/src/users/mod.rs (renamed from lockchain-core/src/users.rs) | 4 | ||||
-rw-r--r-- | lockchain-core/src/users/tokens.rs (renamed from lockchain-core/src/users/auth.rs) | 0 |
6 files changed, 109 insertions, 3 deletions
diff --git a/lockchain-core/Cargo.toml b/lockchain-core/Cargo.toml index cfddc0f..87d3f65 100644 --- a/lockchain-core/Cargo.toml +++ b/lockchain-core/Cargo.toml @@ -14,6 +14,9 @@ serde_derive = "1.0" serde_json = "1.0" serde = "1.0" +nix = "0.11" +pam-auth = "0.5" + base64 = "0.8" bcrypt = "0.2" rand = "0.4" diff --git a/lockchain-core/src/auth.rs b/lockchain-core/src/auth.rs new file mode 100644 index 0000000..eceece0 --- /dev/null +++ b/lockchain-core/src/auth.rs @@ -0,0 +1,88 @@ +//! Provides an authentication module backed by PAM +//! +//! The way a user is authenticated is via the `lockchain` group +//! and a simple writing/ deleting of a lock file. + +use nix::sys::wait::*; +use nix::unistd::{fork, ForkResult}; + +use pam_auth::{self, Authenticator, PamError, Result as PamResult}; + +#[derive(Debug)] +pub enum AuthError { + FailedFork, + FailedPAM, + InvalidUser, + UserNotAuthorised, +} + +/// Simple way to authenticate a user for administrative actions +/// +/// Attempts to open a PAM session for the provided user/pw combination +/// then attempts to write to a tmpfile in the lockchain config directory. +/// If this action is successful the user is either the same running the +/// lockchain server *or* has access to the file via group permissions. +/// +/// This does rely on `lockchain` being properly configured on the server +/// i.e. not using public permissions for the configuration/ state directory. +/// +/// **Note** as of `lockchain v0.9.0` this function has not been implemented +/// yet due to issues in the `pam-auth` dependency. +#[allow(unused_variables)] +pub fn pam_authenticate(username: &str, password: &str) -> Result<(), AuthError> { + Err(AuthError::FailedPAM) + + + // match fork().map_err(|_| AuthError::FailedFork)? { + // ForkResult::Parent { child } => { + // waitpid(child, None).unwrap(); + // // kill(child, SIGKILL).expect("kill failed"); + // } + // ForkResult::Child => { + // let mut auth = Authenticator::new("lockchain").ok_or(AuthError::FailedPAM)?; + + // use std::error::Error; + // let service = "login"; + + // println!("Username: {}", username); + // println!("Password: {}", password); + // println!("Service: {}", service); + + // let mut auth = Authenticator::new(service).unwrap(); + // auth.set_credentials(username, password); + + // match auth.authenticate() { + // Ok(()) => println!("authenticate() OK!"), + // Err(e) => { + // println!("authenticate() FAILED!"); + // println!("{}", e.description()); + // println!("{:#?}", e.cause()); + // } + // } + + // match auth.open_session() { + // Ok(()) => println!("open_session() OK!"), + // Err(e) => { + // println!("open_session() FAILED!"); + // println!("{}", e.description()); + // println!("{:#?}", e.cause()); + // } + // } + + // auth.set_credentials(username, password); + // auth.authenticate().map_err(|_| AuthError::InvalidUser)?; + // auth.open_session().map_err(|_| AuthError::FailedPAM)?; + + // use std::process::Command; + // let output = Command::new("su") + // .arg(username) + // .output() + // .expect("failed to execute process"); + // println!("whoami: {:#?}", String::from_utf8(output.stdout).unwrap()); + + // ::std::process::exit(255); + // } + // } + + // Ok(()) +} diff --git a/lockchain-core/src/lib.rs b/lockchain-core/src/lib.rs index 465f145..2c5b0d7 100644 --- a/lockchain-core/src/lib.rs +++ b/lockchain-core/src/lib.rs @@ -1,7 +1,6 @@ //! Common library types used in lockchain crates #![feature(external_doc)] #![doc(include = "../README.md")] -#![feature(non_modrs_mods)] #[macro_use] extern crate serde_derive; @@ -13,6 +12,8 @@ extern crate base64; extern crate blake2; extern crate rand; extern crate keybob; +extern crate nix; +extern crate pam_auth; pub mod errors; pub mod traits; @@ -20,7 +21,9 @@ pub mod crypto; pub mod users; mod meta; mod record; +mod auth; pub use self::crypto::PackedData; pub use self::record::{Header, Payload, Record, EncryptedBody}; pub use self::meta::{MetaDomain, VaultMetadata}; +pub use self::auth::pam_authenticate;
\ No newline at end of file diff --git a/lockchain-core/src/traits.rs b/lockchain-core/src/traits.rs index 96a2034..4e66d8f 100644 --- a/lockchain-core/src/traits.rs +++ b/lockchain-core/src/traits.rs @@ -178,3 +178,15 @@ impl Base64AutoEncoder for String { String::from_utf8(base64::decode(base64).unwrap()).unwrap() } } + +impl Base64AutoEncoder for Vec<u8> { + /// Automatically encode this string to base64 + fn to_base64(&self) -> String { + base64::encode(self) + } + + /// Craft a string from an existing base64 string slice + fn from_base64(base64: &str) -> String { + String::from_utf8(base64::decode(base64).unwrap()).unwrap() + } +} diff --git a/lockchain-core/src/users.rs b/lockchain-core/src/users/mod.rs index ab40c43..29be002 100644 --- a/lockchain-core/src/users.rs +++ b/lockchain-core/src/users/mod.rs @@ -13,8 +13,8 @@ //! `User` is also a serialisable struct which contains important //! data to load and store them into a metadata store. -mod auth; -pub use self::auth::Token; +mod tokens; +pub use self::tokens::Token; use crypto::{encoding, hashing, random}; use std::collections::HashMap; diff --git a/lockchain-core/src/users/auth.rs b/lockchain-core/src/users/tokens.rs index e6e4854..e6e4854 100644 --- a/lockchain-core/src/users/auth.rs +++ b/lockchain-core/src/users/tokens.rs |