Expose machine key in auth phase (#2340)

2025-02-23 12:37:00 +01:00 · 2023-11-29 14:59:16 +10:00 · 2023-11-29 14:59:16 +10:00 · 4b097d8fdc
parent 31b939fca3
commit 4b097d8fdc
3 changed files with 13 additions and 3 deletions
--- a/unix_integration/src/idprovider/interface.rs
+++ b/unix_integration/src/idprovider/interface.rs
@ -132,6 +132,7 @@ pub trait IdProvider {
        _account_id: &str,
        _token: Option<&UserToken>,
        _tpm: &mut (dyn tpm::Tpm + Send),
+        _machine_key: &tpm::MachineKey,
    ) -> Result<(AuthRequest, AuthCredHandler), IdpError>;

    async fn unix_user_online_auth_step(
@ -140,6 +141,7 @@ pub trait IdProvider {
        _cred_handler: &mut AuthCredHandler,
        _pam_next_req: PamAuthRequest,
        _tpm: &mut (dyn tpm::Tpm + Send),
+        _machine_key: &tpm::MachineKey,
    ) -> Result<(AuthResult, AuthCacheAction), IdpError>;

    async fn unix_user_offline_auth_init(
--- a/unix_integration/src/idprovider/kanidm.rs
+++ b/unix_integration/src/idprovider/kanidm.rs
@ -196,6 +196,7 @@ impl IdProvider for KanidmProvider {
        _account_id: &str,
        _token: Option<&UserToken>,
        _tpm: &mut (dyn tpm::Tpm + Send),
+        _machine_key: &tpm::MachineKey,
    ) -> Result<(AuthRequest, AuthCredHandler), IdpError> {
        // Not sure that I need to do much here?
        Ok((AuthRequest::Password, AuthCredHandler::Password))
@ -207,6 +208,7 @@ impl IdProvider for KanidmProvider {
        cred_handler: &mut AuthCredHandler,
        pam_next_req: PamAuthRequest,
        _tpm: &mut (dyn tpm::Tpm + Send),
+        _machine_key: &tpm::MachineKey,
    ) -> Result<(AuthResult, AuthCacheAction), IdpError> {
        match (cred_handler, pam_next_req) {
            (AuthCredHandler::Password, PamAuthRequest::Password { cred }) => {
--- a/unix_integration/src/resolver.rs
+++ b/unix_integration/src/resolver.rs
@ -59,7 +59,7 @@ where
    // Generic / modular types.
    db: Db,
    hsm: Mutex<Box<dyn Tpm + Send>>,
-    // machine_key: MachineKey,
+    machine_key: MachineKey,
    hmac_key: HmacKey,
    client: I,
    // Types to update still.
@ -168,7 +168,7 @@ where
        Ok(Resolver {
            db,
            hsm,
-            // machine_key,
+            machine_key,
            hmac_key,
            client,
            state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())),
@ -878,7 +878,12 @@ where
        let maybe_err = if online_at_init {
            let mut hsm_lock = self.hsm.lock().await;
            self.client
-                .unix_user_online_auth_init(account_id, token.as_ref(), &mut **hsm_lock.deref_mut())
+                .unix_user_online_auth_init(
+                    account_id,
+                    token.as_ref(),
+                    &mut **hsm_lock.deref_mut(),
+                    &self.machine_key,
+                )
                .await
        } else {
            // Can the auth proceed offline?
@ -942,6 +947,7 @@ where
                        cred_handler,
                        pam_next_req,
                        &mut **hsm_lock.deref_mut(),
+                        &self.machine_key,
                    )
                    .await;