Display account_id during success/deny paths in unixd (#3253)

This commit is contained in:
Firstyear 2024-11-30 13:57:01 +10:00 committed by GitHub
parent 974fec1d93
commit 52987ab8b2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -57,11 +57,15 @@ pub enum AuthSession {
shutdown_rx: broadcast::Receiver<()>, shutdown_rx: broadcast::Receiver<()>,
}, },
Offline { Offline {
account_id: String,
id: Id,
client: Arc<dyn IdProvider + Sync + Send>, client: Arc<dyn IdProvider + Sync + Send>,
token: Box<UserToken>, token: Box<UserToken>,
cred_handler: AuthCredHandler, cred_handler: AuthCredHandler,
}, },
System { System {
account_id: String,
id: Id,
cred_handler: AuthCredHandler, cred_handler: AuthCredHandler,
shadow: Arc<Shadow>, shadow: Arc<Shadow>,
}, },
@ -818,7 +822,7 @@ impl Resolver {
match self.system_provider.auth_init(&id, current_time).await { match self.system_provider.auth_init(&id, current_time).await {
// The system provider will not take part in this authentication. // The system provider will not take part in this authentication.
SystemProviderAuthInit::Ignore => { SystemProviderAuthInit::Ignore => {
debug!("account unknown to system provider, continue."); debug!(?account_id, "account unknown to system provider, continue.");
} }
// The provider knows the account, and is unable to proceed, // The provider knows the account, and is unable to proceed,
// We return unknown here so that pam_kanidm can be skipped and fall back // We return unknown here so that pam_kanidm can be skipped and fall back
@ -853,6 +857,8 @@ impl Resolver {
shadow, shadow,
} => { } => {
let auth_session = AuthSession::System { let auth_session = AuthSession::System {
account_id: account_id.to_string(),
id,
shadow, shadow,
cred_handler, cred_handler,
}; };
@ -916,6 +922,8 @@ impl Resolver {
match init_result { match init_result {
Ok((next_req, cred_handler)) => { Ok((next_req, cred_handler)) => {
let auth_session = AuthSession::Offline { let auth_session = AuthSession::Offline {
account_id: account_id.to_string(),
id,
client, client,
token: Box::new(token), token: Box::new(token),
cred_handler, cred_handler,
@ -998,7 +1006,7 @@ impl Resolver {
ref shutdown_rx, ref shutdown_rx,
} => { } => {
let mut hsm_lock = self.hsm.lock().await; let mut hsm_lock = self.hsm.lock().await;
client let result = client
.unix_user_online_auth_step( .unix_user_online_auth_step(
account_id, account_id,
cred_handler, cred_handler,
@ -1006,9 +1014,26 @@ impl Resolver {
hsm_lock.deref_mut(), hsm_lock.deref_mut(),
shutdown_rx, shutdown_rx,
) )
.await .await;
match result {
Ok(AuthResult::Success { .. }) => {
info!(?account_id, "Authentication Success");
}
Ok(AuthResult::Denied) => {
info!(?account_id, "Authentication Denied");
}
Ok(AuthResult::Next(_)) => {
info!(?account_id, "Authentication Continue");
}
_ => {}
};
result
} }
&mut AuthSession::Offline { &mut AuthSession::Offline {
ref account_id,
id: _,
ref client, ref client,
ref token, ref token,
ref mut cred_handler, ref mut cred_handler,
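Review bot: The `match result { … }` logging block added before `result` in the Online arm is repeated verbatim in the Offline arm of the next hunk, and its `_ => {}` arm means a provider `Err(_)` emits no line carrying `account_id` at all, so the per-account trail this commit sets out to add has a gap on the error path unless the caller logs it, which is outside this hunk. The returned value appears to be destructured again as `maybe_err` further down (the `Ok(AuthResult::Success { mut token })` arm in the last hunk), so the three `info!` calls could live in that one outer match — as the System arm already does with its `SystemAuthResult::Denied`/`Success` arms — with an `Err(err) => warn!(?account_id, ?err, "Authentication Error"),` arm closing the gap, assuming `warn!` is imported alongside `info!`. Keeping the `?account_id` sigil rather than `%account_id` is worth preserving: Debug formatting escapes control characters, so a PAM-supplied account name cannot break a log record into a forged second line. The enclosing method of `impl Resolver` begins and ends outside the hunk.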
@ -1016,16 +1041,33 @@ impl Resolver {
// We are offline, continue. Remember, authsession should have // We are offline, continue. Remember, authsession should have
// *everything you need* to proceed here! // *everything you need* to proceed here!
let mut hsm_lock = self.hsm.lock().await; let mut hsm_lock = self.hsm.lock().await;
client let result = client
.unix_user_offline_auth_step( .unix_user_offline_auth_step(
token, token,
cred_handler, cred_handler,
pam_next_req, pam_next_req,
hsm_lock.deref_mut(), hsm_lock.deref_mut(),
) )
.await .await;
match result {
Ok(AuthResult::Success { .. }) => {
info!(?account_id, "Authentication Success");
}
Ok(AuthResult::Denied) => {
info!(?account_id, "Authentication Denied");
}
Ok(AuthResult::Next(_)) => {
info!(?account_id, "Authentication Continue");
}
_ => {}
};
result
} }
&mut AuthSession::System { &mut AuthSession::System {
ref account_id,
id: _,
ref mut cred_handler, ref mut cred_handler,
ref shadow, ref shadow,
} => { } => {
@ -1036,11 +1078,15 @@ impl Resolver {
let next = match system_auth_result { let next = match system_auth_result {
SystemAuthResult::Denied => { SystemAuthResult::Denied => {
info!(?account_id, "Authentication Denied");
*auth_session = AuthSession::Denied; *auth_session = AuthSession::Denied;
Ok(PamAuthResponse::Denied) Ok(PamAuthResponse::Denied)
} }
SystemAuthResult::Success => { SystemAuthResult::Success => {
info!(?account_id, "Authentication Success");
*auth_session = AuthSession::Success; *auth_session = AuthSession::Success;
Ok(PamAuthResponse::Success) Ok(PamAuthResponse::Success)
@ -1057,7 +1103,6 @@ impl Resolver {
match maybe_err { match maybe_err {
// What did the provider direct us to do next? // What did the provider direct us to do next?
Ok(AuthResult::Success { mut token }) => { Ok(AuthResult::Success { mut token }) => {
debug!("provider authentication success.");
self.set_cache_usertoken(&mut token).await?; self.set_cache_usertoken(&mut token).await?;
*auth_session = AuthSession::Success; *auth_session = AuthSession::Success;