From 113258d52332c9a9ca5da4246fb0643b1f99faae Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Mar 2023 13:57:21 +1000 Subject: [PATCH] chore(deps): bump base64 from 0.13.1 to 0.21.0 (#1350) * chore(deps): bump base64 from 0.13.1 to 0.21.0 Bumps [base64](https://github.com/marshallpierce/rust-base64) from 0.13.1 to 0.21.0. - [Release notes](https://github.com/marshallpierce/rust-base64/releases) - [Changelog](https://github.com/marshallpierce/rust-base64/blob/master/RELEASE-NOTES.md) - [Commits](https://github.com/marshallpierce/rust-base64/compare/v0.13.1...v0.21.0) --- updated-dependencies: - dependency-name: base64 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * base64 fixes * fmt fixes --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: James Hodgkinson --- Cargo.lock | 6 +++--- Cargo.toml | 2 +- libs/crypto/src/lib.rs | 32 ++++++++++++++++++++----------- libs/profiles/build.rs | 4 +++- libs/profiles/src/lib.rs | 4 +++- server/lib/src/be/dbvalue.rs | 5 +++-- server/lib/src/idm/oauth2.rs | 37 ++++++++++++++++++++++++------------ server/lib/src/value.rs | 4 +++- 8 files changed, 62 insertions(+), 32 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0c096d31d..0e497dd0d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2273,7 +2273,7 @@ dependencies = [ name = "kanidm_lib_crypto" version = "0.1.0" dependencies = [ - "base64 0.13.1", + "base64 0.21.0", "base64urlsafedata", "hex", "kanidm_proto", @@ -2410,7 +2410,7 @@ name = "kanidmd_lib" version = "1.1.0-alpha.12-dev" dependencies = [ "async-trait", - "base64 0.13.1", + "base64 0.21.0", "base64urlsafedata", "compact_jwt", "concread", @@ -3426,7 +3426,7 @@ dependencies = [ name = "profiles" version = "1.1.0-alpha.12-dev" dependencies = [ - "base64 0.13.1", + "base64 0.21.0", "serde", "toml", ] 
diff --git a/Cargo.toml b/Cargo.toml index 18b8975fd..3d2ee6479 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -40,7 +40,7 @@ repository = "https://github.com/kanidm/kanidm/" [workspace.dependencies] async-trait = "^0.1.62" base32 = "^0.4.0" -base64 = "^0.13.1" +base64 = "^0.21.0" base64urlsafedata = "0.1.3" bytes = "^1.3.0" clap = { version = "^3.2", features = ["derive"] } diff --git a/libs/crypto/src/lib.rs b/libs/crypto/src/lib.rs index 682356998..1ca99d5c1 100644 --- a/libs/crypto/src/lib.rs +++ b/libs/crypto/src/lib.rs @@ -1,5 +1,8 @@ +use base64::engine::GeneralPurpose; +use base64::{alphabet, Engine}; use tracing::{debug, error, warn}; +use base64::engine::general_purpose; use base64urlsafedata::Base64UrlSafeData; use rand::Rng; use serde::{Deserialize, Serialize}; @@ -235,7 +238,7 @@ impl TryFrom<&str> for Password { "pbkdf2_sha256" => { let c = cost.parse::().map_err(|_| ())?; let s: Vec<_> = salt.as_bytes().to_vec(); - let h = base64::decode(hash).map_err(|_| ())?; + let h = general_purpose::STANDARD.decode(hash).map_err(|_| ())?; if h.len() < PBKDF2_MIN_NIST_KEY_LEN { return Err(()); } @@ -255,7 +258,10 @@ impl TryFrom<&str> for Password { } }; - let h = base64::decode_config(nt_md4, base64::STANDARD_NO_PAD).map_err(|_| ())?; + let h = base64::engine::general_purpose::STANDARD_NO_PAD + .decode(nt_md4) + .map_err(|_| ())?; + return Ok(Password { material: Kdf::NT_MD4(h), }); @@ -277,7 +283,9 @@ impl TryFrom<&str> for Password { // Test 389ds formats if let Some(ds_ssha512) = value.strip_prefix("{SSHA512}") { - let sh = base64::decode(ds_ssha512).map_err(|_| ())?; + let sh = general_purpose::STANDARD + .decode(ds_ssha512) + .map_err(|_| ())?; let (h, s) = sh.split_at(DS_SSHA512_HASH_LEN); if s.len() != DS_SSHA512_SALT_LEN { return Err(()); 
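Review bot: The three decodes in `TryFrom<&str> for Password` (the `pbkdf2_sha256` branch, the NT hash branch using `STANDARD_NO_PAD`, and the `{SSHA512}` branch) are not a like-for-like swap where padding is concerned. To my knowledge base64 0.13 accepted input with or without `=` on decode, while the 0.21 `STANDARD` engine requires canonical padding and `STANDARD_NO_PAD` rejects any. An imported credential hash whose padding does not match would now hit `map_err(|_| ())` and be refused with no log line, so it is worth pinning each format with import tests for padded and unpadded strings. If the old leniency is intended, an engine configured with `.with_decode_padding_mode(DecodePaddingMode::Indifferent)` keeps it; the same consideration applies to `parse_basic_authz` in server/lib/src/idm/oauth2.rs. The impl body starts and ends outside these hunks.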
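Review bot: The NT hash decode spells out `base64::engine::general_purpose::STANDARD_NO_PAD`, although this commit imports `general_purpose` at the top of the file and the neighbouring branches use the short form. `let h = general_purpose::STANDARD_NO_PAD.decode(nt_md4).map_err(|_| ())?;` would read consistently with them. The three new `use base64::…` lines could also be merged into one group rather than sitting on both sides of the `tracing` import.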
@@ -309,16 +317,18 @@ impl TryFrom<&str> for Password { let c = cost.parse::().map_err(|_| ())?; let s = ab64_to_b64!(salt); - let s = base64::decode_config(s, base64::STANDARD.decode_allow_trailing_bits(true)) - .map_err(|e| { - error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); - })?; + let base64_decoder_config = general_purpose::GeneralPurposeConfig::new() + .with_decode_allow_trailing_bits(true); + let base64_decoder = + GeneralPurpose::new(&alphabet::STANDARD, base64_decoder_config); + let s = base64_decoder.decode(s).map_err(|e| { + error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); + })?; let h = ab64_to_b64!(hash); - let h = base64::decode_config(h, base64::STANDARD.decode_allow_trailing_bits(true)) - .map_err(|e| { - error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); - })?; + let h = base64_decoder.decode(h).map_err(|e| { + error!(?e, "Invalid base64 in oldap pbkdf2-sha1"); + })?; // This is just sha1 in a trenchcoat. if value.strip_prefix("{PBKDF2}").is_some() diff --git a/libs/profiles/build.rs b/libs/profiles/build.rs index 115b2c1e0..8ac628113 100644 --- a/libs/profiles/build.rs +++ b/libs/profiles/build.rs @@ -1,6 +1,8 @@ use std::path::PathBuf; use std::{env, fs}; +use base64::{engine::general_purpose, Engine as _}; + fn main() { println!("cargo:rerun-if-env-changed=KANIDM_BUILD_PROFILE"); @@ -13,7 +15,7 @@ fn main() { let data = fs::read(&profile_path).unwrap_or_else(|_| panic!("Failed to read {:?}", profile_path)); - let contents = base64::encode(data); + let contents = general_purpose::STANDARD.encode(data); println!("cargo:rerun-if-changed={}", profile_path.to_str().unwrap()); diff --git a/libs/profiles/src/lib.rs b/libs/profiles/src/lib.rs index ed8d30405..fc79c588e 100644 --- a/libs/profiles/src/lib.rs +++ b/libs/profiles/src/lib.rs @@ -1,5 +1,6 @@ use std::env; +use base64::{engine::general_purpose, Engine as _}; use serde::Deserialize; #[derive(Debug, Deserialize)] 
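Review bot: The trailing-bits-tolerant engine in the oldap pbkdf2 branch is rebuilt on every parse and carries no comment saying why non-canonical input is accepted here. As far as I know `GeneralPurposeConfig::new`, `with_decode_allow_trailing_bits` and `GeneralPurpose::new` are all `const fn`, so it can be a module-level item such as `const AB64_DECODER: GeneralPurpose = GeneralPurpose::new(&alphabet::STANDARD, general_purpose::GeneralPurposeConfig::new().with_decode_allow_trailing_bits(true));`. A comment on that item should state that trailing bits are allowed only for imported hashes in this format, since it lets several distinct strings decode to the same salt or hash bytes. This config still uses the default padding mode, so whether unpadded input decodes depends on what `ab64_to_b64!` emits, which is not visible in the hunk.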
@@ -52,7 +53,8 @@ pub fn apply_profile() { let profile = env!("KANIDM_BUILD_PROFILE"); let contents = env!("KANIDM_BUILD_PROFILE_TOML"); - let data = base64::decode(contents) + let data = general_purpose::STANDARD + .decode(contents) .unwrap_or_else(|_| panic!("Failed to parse profile - {} - {}", profile, contents)); let profile_cfg: ProfileConfig = toml::from_slice(&data) diff --git a/server/lib/src/be/dbvalue.rs b/server/lib/src/be/dbvalue.rs index 8489469c8..6a8b7b48d 100644 --- a/server/lib/src/be/dbvalue.rs +++ b/server/lib/src/be/dbvalue.rs @@ -660,6 +660,7 @@ impl DbValueSetV2 { #[cfg(test)] mod tests { + use base64::{engine::general_purpose, Engine as _}; use serde::{Deserialize, Serialize}; use uuid::Uuid; @@ -707,10 +708,10 @@ mod tests { uuid: Uuid::new_v4(), }; let data = serde_cbor::to_vec(&dbcred).unwrap(); - let s = base64::encode(data); + let s = general_purpose::STANDARD.encode(data); */ let s = "o2hwYXNzd29yZKFmUEJLREYygwCBAIEAZmNsYWltc4BkdXVpZFAjkHFm4q5M86UcNRi4hBjN"; - let data = base64::decode(s).unwrap(); + let data = general_purpose::STANDARD.decode(s).unwrap(); let dbcred: DbCredV1 = serde_cbor::from_slice(data.as_slice()).unwrap(); // Test converting to the new enum format diff --git a/server/lib/src/idm/oauth2.rs b/server/lib/src/idm/oauth2.rs index 48c6b95c7..39f022554 100644 --- a/server/lib/src/idm/oauth2.rs +++ b/server/lib/src/idm/oauth2.rs @@ -10,6 +10,8 @@ use std::fmt; use std::sync::Arc; use std::time::Duration; +use base64::{engine::general_purpose, Engine as _}; + use base64urlsafedata::Base64UrlSafeData; pub use compact_jwt::{JwkKeySet, OidcToken}; use compact_jwt::{JwsSigner, OidcClaims, OidcSubject}; 
@@ -1545,7 +1547,8 @@ impl<'a> IdmServerProxyReadTransaction<'a> { fn parse_basic_authz(client_authz: &str) -> Result<(String, String), Oauth2Error> { // Check the client_authz - let authz = base64::decode(client_authz) + let authz = general_purpose::STANDARD + .decode(client_authz) .map_err(|_| { admin_error!("Basic authz invalid base64"); Oauth2Error::AuthenticationRequired @@ -1616,6 +1619,7 @@ fn extra_claims_for_account( #[cfg(test)] mod tests { + use base64::{engine::general_purpose, Engine as _}; use std::convert::TryFrom; use std::str::FromStr; use std::time::Duration; @@ -2181,7 +2185,8 @@ mod tests { ); // * doesn't have : - let client_authz = Some(base64::encode(format!("test_resource_server {secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server {secret}"))); assert!( idms_prox_read .check_oauth2_token_exchange(client_authz.as_deref(), &token_req, ct) @@ -2190,7 +2195,8 @@ mod tests { ); // * invalid client_id - let client_authz = Some(base64::encode(format!("NOT A REAL SERVER:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("NOT A REAL SERVER:{secret}"))); assert!( idms_prox_read .check_oauth2_token_exchange(client_authz.as_deref(), &token_req, ct) @@ -2199,7 +2205,7 @@ mod tests { ); // * valid client_id, but invalid secret - let client_authz = Some(base64::encode("test_resource_server:12345")); + let client_authz = Some(general_purpose::STANDARD.encode("test_resource_server:12345")); assert!( idms_prox_read .check_oauth2_token_exchange(client_authz.as_deref(), &token_req, ct) @@ -2208,7 +2214,8 @@ mod tests { ); // ✅ Now the valid client_authz is in place. - let client_authz = Some(base64::encode(format!("test_resource_server:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))); // * expired exchange code (took too long) assert!( idms_prox_read 
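Review bot: In `parse_basic_authz`, the switch to `general_purpose::STANDARD.decode(client_authz)` probably tightens what the token endpoint accepts, and no test visible in this diff pins that. As I understand the 0.21 defaults, a Basic credential sent without `=` padding now maps to `Oauth2Error::AuthenticationRequired`, where 0.13 would have decoded it. Rejecting non-canonical credentials is a reasonable stance for an authentication path. The visible cases cover only a missing `:`, an unknown client id and a wrong secret, so a case passing an unpadded and a non-base64 `client_authz` would make the behaviour deliberate. The function body continues outside the hunk.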
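Review bot: The expression `general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))` is now repeated across the test hunks starting at old lines 2181, 2291, 2395, 2557, 2892, 3024 and 3117, and rustfmt wraps each one onto two lines. A small helper in `mod tests`, for example `fn basic_authz(id: &str, secret: &str) -> String { general_purpose::STANDARD.encode(format!("{id}:{secret}")) }`, would keep each call site on one line. It would also leave a single place to change if the engine choice is revisited. The negative cases that build deliberately malformed credentials can keep calling the engine directly.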
@@ -2291,7 +2298,8 @@ mod tests { let ct = Duration::from_secs(TEST_CURRENT_TIME); let (secret, uat, ident, _) = setup_oauth2_resource_server(idms, ct, true, false, false).await; - let client_authz = Some(base64::encode(format!("test_resource_server:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))); let mut idms_prox_read = idms.proxy_read().await; @@ -2395,7 +2403,8 @@ mod tests { let ct = Duration::from_secs(TEST_CURRENT_TIME); let (secret, uat, ident, _) = setup_oauth2_resource_server(idms, ct, true, false, false).await; - let client_authz = Some(base64::encode(format!("test_resource_server:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))); let mut idms_prox_read = idms.proxy_read().await; @@ -2473,7 +2482,7 @@ mod tests { // First, the revoke needs basic auth. Provide incorrect auth, and we fail. let mut idms_prox_write = idms.proxy_write(ct).await; - let bad_client_authz = Some(base64::encode("test_resource_server:12345")); + let bad_client_authz = Some(general_purpose::STANDARD.encode("test_resource_server:12345")); let revoke_request = TokenRevokeRequest { token: oauth2_token.access_token.clone(), token_type_hint: None, @@ -2557,7 +2566,8 @@ mod tests { let ct = Duration::from_secs(TEST_CURRENT_TIME); let (secret, uat, ident, _) = setup_oauth2_resource_server(idms, ct, true, false, false).await; - let client_authz = Some(base64::encode(format!("test_resource_server:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))); let mut idms_prox_read = idms.proxy_read().await; 
@@ -2892,7 +2902,8 @@ mod tests { let ct = Duration::from_secs(TEST_CURRENT_TIME); let (secret, uat, ident, _) = setup_oauth2_resource_server(idms, ct, true, false, false).await; - let client_authz = Some(base64::encode(format!("test_resource_server:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))); let mut idms_prox_read = idms.proxy_read().await; @@ -3024,7 +3035,8 @@ mod tests { let ct = Duration::from_secs(TEST_CURRENT_TIME); let (secret, uat, ident, _) = setup_oauth2_resource_server(idms, ct, true, false, true).await; - let client_authz = Some(base64::encode(format!("test_resource_server:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))); let mut idms_prox_read = idms.proxy_read().await; @@ -3117,7 +3129,8 @@ mod tests { let ct = Duration::from_secs(TEST_CURRENT_TIME); let (secret, uat, ident, _) = setup_oauth2_resource_server(idms, ct, true, false, true).await; - let client_authz = Some(base64::encode(format!("test_resource_server:{secret}"))); + let client_authz = + Some(general_purpose::STANDARD.encode(format!("test_resource_server:{secret}"))); let mut idms_prox_read = idms.proxy_read().await; diff --git a/server/lib/src/value.rs b/server/lib/src/value.rs index 4ff527bf2..94f8ba1d6 100644 --- a/server/lib/src/value.rs +++ b/server/lib/src/value.rs @@ -11,6 +11,8 @@ use std::fmt; use std::str::FromStr; use std::time::Duration; +#[cfg(test)] +use base64::{engine::general_purpose, Engine as _}; use compact_jwt::JwsSigner; use hashbrown::HashSet; use kanidm_proto::v1::ApiTokenPurpose; @@ -1290,7 +1292,7 @@ impl Value { #[cfg(test)] pub fn new_privatebinary_base64(der: &str) -> Self { - let der = base64::decode(der).unwrap(); + let der = general_purpose::STANDARD.decode(der).unwrap(); Value::PrivateBinary(der) }