From 4b097d8fdc9d7d011c9e0425ba1fd68d03c512ef Mon Sep 17 00:00:00 2001
From: Firstyear
Date: Wed, 29 Nov 2023 14:59:16 +1000
Subject: [PATCH] Expose machine key in auth phase (#2340)
---
 unix_integration/src/idprovider/interface.rs | 2 ++
 unix_integration/src/idprovider/kanidm.rs | 2 ++
 unix_integration/src/resolver.rs | 12 +++++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/unix_integration/src/idprovider/interface.rs b/unix_integration/src/idprovider/interface.rs
index ef9721a49..d0f48a964 100644
--- a/unix_integration/src/idprovider/interface.rs
+++ b/unix_integration/src/idprovider/interface.rs
@@ -132,6 +132,7 @@ pub trait IdProvider {
 _account_id: &str,
 _token: Option<&UserToken>,
 _tpm: &mut (dyn tpm::Tpm + Send),
+ _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthRequest, AuthCredHandler), IdpError>;
 
 async fn unix_user_online_auth_step(
@@ -140,6 +141,7 @@ pub trait IdProvider {
 _cred_handler: &mut AuthCredHandler,
 _pam_next_req: PamAuthRequest,
 _tpm: &mut (dyn tpm::Tpm + Send),
+ _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthResult, AuthCacheAction), IdpError>;
 
 async fn unix_user_offline_auth_init(
diff --git a/unix_integration/src/idprovider/kanidm.rs b/unix_integration/src/idprovider/kanidm.rs
index 8ee01a96d..ab3476c29 100644
--- a/unix_integration/src/idprovider/kanidm.rs
+++ b/unix_integration/src/idprovider/kanidm.rs
@@ -196,6 +196,7 @@ impl IdProvider for KanidmProvider {
 _account_id: &str,
 _token: Option<&UserToken>,
 _tpm: &mut (dyn tpm::Tpm + Send),
+ _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthRequest, AuthCredHandler), IdpError> {
 // Not sure that I need to do much here?
 Ok((AuthRequest::Password, AuthCredHandler::Password))
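Review bot: The new `_machine_key: &tpm::MachineKey` parameter added to `unix_user_online_auth_init` in this hunk (and to `unix_user_online_auth_step` in the `@@ -140` hunk) carries no documentation, and the only implementation in the patch, `KanidmProvider` in kanidm.rs (`@@ -196` and `@@ -207`), ignores it, so a provider author has no statement of what the key is for or how it must be handled. A `///` doc line on both trait methods would close that gap, e.g. `/// `machine_key` is the resolver's `tpm::MachineKey`; providers should use it only through `tpm` and must not log, copy out, or persist it.` Both method declarations begin outside the hunk, so the doc comment would sit above the `async fn` lines that are not shown here.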
@@ -207,6 +208,7 @@ impl IdProvider for KanidmProvider {
 cred_handler: &mut AuthCredHandler,
 pam_next_req: PamAuthRequest,
 _tpm: &mut (dyn tpm::Tpm + Send),
+ _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthResult, AuthCacheAction), IdpError> {
 match (cred_handler, pam_next_req) {
 (AuthCredHandler::Password, PamAuthRequest::Password { cred }) => {
diff --git a/unix_integration/src/resolver.rs b/unix_integration/src/resolver.rs
index bb5721246..31a869224 100644
--- a/unix_integration/src/resolver.rs
+++ b/unix_integration/src/resolver.rs
@@ -59,7 +59,7 @@ where
 // Generic / modular types.
 db: Db,
 hsm: Mutex>,
- // machine_key: MachineKey,
+ machine_key: MachineKey,
 hmac_key: HmacKey,
 client: I,
 // Types to update still.
@@ -168,7 +168,7 @@ where
 Ok(Resolver {
 db,
 hsm,
- // machine_key,
+ machine_key,
 hmac_key,
 client,
 state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())),
@@ -878,7 +878,12 @@ where
 let maybe_err = if online_at_init {
 let mut hsm_lock = self.hsm.lock().await;
 self.client
- .unix_user_online_auth_init(account_id, token.as_ref(), &mut **hsm_lock.deref_mut())
+ .unix_user_online_auth_init(
+ account_id,
+ token.as_ref(),
+ &mut **hsm_lock.deref_mut(),
+ &self.machine_key,
+ )
 .await
 } else {
 // Can the auth proceed offline?
@@ -942,6 +947,7 @@ where
 cred_handler,
 pam_next_req,
 &mut **hsm_lock.deref_mut(),
+ &self.machine_key,
 )
 .await;
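Review bot: `machine_key: MachineKey` becomes a live field of `Resolver` beside `hmac_key` in the `@@ -59` hunk, but the struct header and any `#[derive]` attributes are outside the hunk, so it is worth confirming that `Resolver` does not derive `Debug` or otherwise format these fields into log output. If it does, a hand-written `Debug` impl that names the key fields but redacts their values is the usual fix; if `MachineKey` is only a TPM handle rather than key bytes this is moot, which should be checked against the `tpm` module. The `@@ -168` hunk is the matching constructor initialisation and needs nothing further.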
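Review bot: In the `@@ -878` hunk only the online branch passes `&self.machine_key`; the `else` branch (`// Can the auth proceed offline?`) and the `unix_user_offline_auth_init` declaration visible after the `@@ -140` hunk keep their old signatures, so a provider that needs the machine key for credential checks cannot obtain it when offline. If that asymmetry is intended, a one-line comment at the call site, `// Offline auth intentionally does not receive the machine key`, would record the decision for the next reader. The `hsm_lock` guard is held across the `.await` of the online call, as it already was before this change, so TPM access is serialised behind the network round-trip; the enclosing function begins and ends outside the hunk. The `@@ -942` hunk makes the parallel change for the step call and is cut off at the end of this chunk.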