Expose machine key in auth phase (#2340)

This commit is contained in:
Firstyear 2023-11-29 14:59:16 +10:00 committed by GitHub
parent 31b939fca3
commit 4b097d8fdc
3 changed files with 13 additions and 3 deletions


@ -132,6 +132,7 @@ pub trait IdProvider {
_account_id: &str, _account_id: &str,
_token: Option<&UserToken>, _token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut (dyn tpm::Tpm + Send),
_machine_key: &tpm::MachineKey,
) -> Result<(AuthRequest, AuthCredHandler), IdpError>; ) -> Result<(AuthRequest, AuthCredHandler), IdpError>;
async fn unix_user_online_auth_step( async fn unix_user_online_auth_step(
@ -140,6 +141,7 @@ pub trait IdProvider {
_cred_handler: &mut AuthCredHandler, _cred_handler: &mut AuthCredHandler,
_pam_next_req: PamAuthRequest, _pam_next_req: PamAuthRequest,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut (dyn tpm::Tpm + Send),
_machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError>; ) -> Result<(AuthResult, AuthCacheAction), IdpError>;
async fn unix_user_offline_auth_init( async fn unix_user_offline_auth_init(
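Review bot: The new `_machine_key: &tpm::MachineKey` parameter on `unix_user_online_auth_init` and `unix_user_online_auth_step` is undocumented, and the leading underscore in a required trait method (no body, nothing to warn about) only hides what implementors are expected to do with it. A doc comment on each method would settle the contract, e.g. `/// `machine_key` is the resolver's TPM machine key, made available for the duration of this auth step alongside `tpm`; providers that do not use HSM-backed credentials may ignore it.` — adjust if the key is meant to be mandatory rather than optional for providers. The signature of `unix_user_offline_auth_init` lies outside the hunk; if offline auth can also need the key, it should presumably receive the same parameter so the three methods stay consistent.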


@ -196,6 +196,7 @@ impl IdProvider for KanidmProvider {
_account_id: &str, _account_id: &str,
_token: Option<&UserToken>, _token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut (dyn tpm::Tpm + Send),
_machine_key: &tpm::MachineKey,
) -> Result<(AuthRequest, AuthCredHandler), IdpError> { ) -> Result<(AuthRequest, AuthCredHandler), IdpError> {
// Not sure that I need to do much here? // Not sure that I need to do much here?
Ok((AuthRequest::Password, AuthCredHandler::Password)) Ok((AuthRequest::Password, AuthCredHandler::Password))
@ -207,6 +208,7 @@ impl IdProvider for KanidmProvider {
cred_handler: &mut AuthCredHandler, cred_handler: &mut AuthCredHandler,
pam_next_req: PamAuthRequest, pam_next_req: PamAuthRequest,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut (dyn tpm::Tpm + Send),
_machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError> { ) -> Result<(AuthResult, AuthCacheAction), IdpError> {
match (cred_handler, pam_next_req) { match (cred_handler, pam_next_req) {
(AuthCredHandler::Password, PamAuthRequest::Password { cred }) => { (AuthCredHandler::Password, PamAuthRequest::Password { cred }) => {
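Review bot: `_machine_key` is accepted but unused in both `unix_user_online_auth_init` and `unix_user_online_auth_step`, and the surviving `// Not sure that I need to do much here?` comment leaves the reader guessing whether ignoring it is deliberate. If it is, say so in place of that comment, e.g. `// Password auth needs no TPM work here; `tpm` and `machine_key` are accepted only to satisfy the IdProvider signature.` The body of `unix_user_online_auth_step` continues outside the hunk, so whether the key is needed further down cannot be confirmed from here.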


@ -59,7 +59,7 @@ where
// Generic / modular types. // Generic / modular types.
db: Db, db: Db,
hsm: Mutex<Box<dyn Tpm + Send>>, hsm: Mutex<Box<dyn Tpm + Send>>,
// machine_key: MachineKey, machine_key: MachineKey,
hmac_key: HmacKey, hmac_key: HmacKey,
client: I, client: I,
// Types to update still. // Types to update still.
@ -168,7 +168,7 @@ where
Ok(Resolver { Ok(Resolver {
db, db,
hsm, hsm,
// machine_key, machine_key,
hmac_key, hmac_key,
client, client,
state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())), state: Mutex::new(CacheState::OfflineNextCheck(SystemTime::now())),
@ -878,7 +878,12 @@ where
let maybe_err = if online_at_init { let maybe_err = if online_at_init {
let mut hsm_lock = self.hsm.lock().await; let mut hsm_lock = self.hsm.lock().await;
self.client self.client
.unix_user_online_auth_init(account_id, token.as_ref(), &mut **hsm_lock.deref_mut()) .unix_user_online_auth_init(
account_id,
token.as_ref(),
&mut **hsm_lock.deref_mut(),
&self.machine_key,
)
.await .await
} else { } else {
// Can the auth proceed offline? // Can the auth proceed offline?
@ -942,6 +947,7 @@ where
cred_handler, cred_handler,
pam_next_req, pam_next_req,
&mut **hsm_lock.deref_mut(), &mut **hsm_lock.deref_mut(),
&self.machine_key,
) )
.await; .await;
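Review bot: The newly live `machine_key` field (first hunk) carries no comment saying what it is or why the resolver keeps it for its whole lifetime next to `hmac_key`, while the neighbouring fields sit under the generic `// Generic / modular types.` heading. A one-line field comment grounded in the later hunks would help, e.g. `/// Machine key handed to the IdProvider on every online auth init/step.` Whether `MachineKey` holds raw key material or an opaque TPM-wrapped handle is not visible here; if it is the former, confirm that neither `Resolver` nor `MachineKey` exposes it through a `Debug` derive or log output now that it is stored in the struct. The third and fourth hunks thread `&self.machine_key` through correctly; the enclosing functions there start outside the hunk.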