From 7872791b07bb71f2d4c9d0cdeb3cd439adbc84ac Mon Sep 17 00:00:00 2001 From: Katharina Fey Date: Mon, 6 Aug 2018 18:48:36 +0200 Subject: Adding login/logout functions to the vault trait --- lockchain-core/src/traits.rs | 38 +++++++++++++++++++++++++++----------- lockchain-core/src/users/auth.rs | 8 +++----- lockchain-core/src/users/tokens.rs | 2 +- 3 files changed, 31 insertions(+), 17 deletions(-) diff --git a/lockchain-core/src/traits.rs b/lockchain-core/src/traits.rs index 6498ac3..14f8310 100644 --- a/lockchain-core/src/traits.rs +++ b/lockchain-core/src/traits.rs @@ -14,6 +14,7 @@ use meta::{MetaDomain, VaultMetadata}; use record::{EncryptedBody, Header, Payload, Record}; use serde::{de::DeserializeOwned, Serialize}; +use users::Token; use base64; use serde_json::{self, Error as SerdeError}; @@ -63,6 +64,7 @@ pub trait Encryptable: AutoEncoder {} /// /// Encryption is never done directly on the bodies, only via /// this scheduler type with the help of the [[Encryptable]] trait. +#[deprecated] pub trait EncryptionHandler where T: Encryptable + AutoEncoder + Body, @@ -99,22 +101,36 @@ pub trait FileIO: AutoEncoder { } } -/// Trait for an in-memory representation of a lockchain vault. +/// A comprehensive trait describing a generic vault /// -/// By itself it represents vault metadata (name, users, location) -/// as well as a list of record headers. +/// It describes the workflow around a vault, no matter how it +/// is implemented or what backing storage it's using. /// -/// To provide on-disk functionality it requires the `-storage` -/// trait library and for encrypted file access the `-crypto` -/// crate. +/// A vault is, at it's core, a collection of records and a collcetion +/// of metadata items, including users, keys and autherisation info. Both +/// the userstore and keystore are implemented via the metadata +/// system, which is a simplification of a record. /// -/// The body backend is being being generic with the `Body` trait. -pub trait Vault: Send +/// The vault API **is stateful** which means that a user needs to be +/// authenticated to aquire a token which is then used to verify all +/// future transactions. In case the vault is in-memory only, the +/// authentication will need to be backed by some persistence layer +/// (i.e. lockchain-files) +/// +/// +pub trait Vault: Send + LoadRecord where T: Body, { /// A shared constructor for all vault implementations fn new(name: &str, location: &str) -> Self; + /// Load and open an existing vault + fn load(name: &str, location: &str) -> Self; + /// Unlock the vault for a specific user + fn authenticate(&mut self, username: &str, secret: &str) -> Token; + /// End a specific user session + fn deauthenticate(&mut self, username: &str, _: Token); + /// Get basic vault metadata fn metadata(&self) -> VaultMetadata; /// Fetch metadata headers for all records @@ -123,6 +139,7 @@ where fn pull(&mut self, name: &str); /// Sync all changes back to the backend fn sync(&mut self); + /// Get a complete record from this vault fn get_record(&self, name: &str) -> Option<&Record>; /// Probe if a record is contained @@ -131,14 +148,13 @@ where fn add_record(&mut self, key: &str, category: &str, tags: Vec<&str>); /// Delete a record from this vault fn delete_record(&mut self, record: &str) -> Option>; + /// Add data to an existing record, overwriting existing fields fn add_data(&mut self, record: &str, key: &str, data: Payload) -> Option<()>; /// Get the (latest) value of a specific record data field fn get_data(&self, record: &str, key: &str) -> Option<&Payload>; + /// Adds a domain space to the metadata store inside the vault - /// - /// A domain is a collection metadata files that can be - /// returned with a single pull request fn meta_add_domain(&mut self, domain: &str) -> Option<()>; /// Returns all records from a meta domain fn meta_pull_domain(&self, domain: &str) -> Option<&MetaDomain>; diff --git a/lockchain-core/src/users/auth.rs b/lockchain-core/src/users/auth.rs index 1a8758c..e5e8178 100644 --- a/lockchain-core/src/users/auth.rs +++ b/lockchain-core/src/users/auth.rs @@ -3,7 +3,6 @@ //! The way a user is authenticated is via the `lockchain` group //! and a simple writing/ deleting of a lock file. -use pam_auth::Authenticator; use errors::AuthError; /// Simple way to authenticate a user for administrative actions @@ -23,7 +22,6 @@ pub fn pam_authenticate(username: &str, password: &str) -> Result<(), AuthError> unimplemented!() } -/// Tbd... -pub fn yubikey_authenticate(username: &str, yubi_id: &str) -> Result<(), AuthError> { - unimplemented!() -} \ No newline at end of file +// pub fn yubikey_authenticate(username: &str, yubi_id: &str) -> Result<(), AuthError> { +// unimplemented!() +// } \ No newline at end of file diff --git a/lockchain-core/src/users/tokens.rs b/lockchain-core/src/users/tokens.rs index e6e4854..32a6e01 100644 --- a/lockchain-core/src/users/tokens.rs +++ b/lockchain-core/src/users/tokens.rs @@ -1,11 +1,11 @@ use crypto::random; +use traits::AutoEncoder; const TOK_SIZE: usize = 64; /// An authentication token that can be compared in constant time /// /// ``` -/// /// use lockchain_core::users::auth::Token; /// let t1 = Token::new(); /// let t2 = Token::new(); -- cgit v1.2.3