idprovider: Provide the keystore during auth (#2385)

Himmelblau requires access to the keystore at auth time in order to store the id key modified during a device join. Signed-off-by: David Mulder <dmulder@samba.org> Co-authored-by: Firstyear <william@blackhats.net.au>
2025-02-23 12:37:00 +01:00 · 2023-12-22 10:06:25 -07:00 · 2023-12-22 10:06:25 -07:00 · 53ef2552e1
parent dfc4bb5b25
commit 53ef2552e1
3 changed files with 7 additions and 2 deletions
--- a/unix_integration/src/idprovider/interface.rs
+++ b/unix_integration/src/idprovider/interface.rs
@ -134,11 +134,12 @@ pub trait IdProvider {
        _machine_key: &tpm::MachineKey,
    ) -> Result<(AuthRequest, AuthCredHandler), IdpError>;

-    async fn unix_user_online_auth_step(
+    async fn unix_user_online_auth_step<D: KeyStoreTxn + Send>(
        &self,
        _account_id: &str,
        _cred_handler: &mut AuthCredHandler,
        _pam_next_req: PamAuthRequest,
+        _keystore: &mut D,
        _tpm: &mut tpm::BoxedDynTpm,
        _machine_key: &tpm::MachineKey,
    ) -> Result<(AuthResult, AuthCacheAction), IdpError>;
--- a/unix_integration/src/idprovider/kanidm.rs
+++ b/unix_integration/src/idprovider/kanidm.rs
@ -200,11 +200,12 @@ impl IdProvider for KanidmProvider {
        Ok((AuthRequest::Password, AuthCredHandler::Password))
    }

-    async fn unix_user_online_auth_step(
+    async fn unix_user_online_auth_step<D: KeyStoreTxn + Send>(
        &self,
        account_id: &str,
        cred_handler: &mut AuthCredHandler,
        pam_next_req: PamAuthRequest,
+        _keystore: &mut D,
        _tpm: &mut tpm::BoxedDynTpm,
        _machine_key: &tpm::MachineKey,
    ) -> Result<(AuthResult, AuthCacheAction), IdpError> {
--- a/unix_integration/src/resolver.rs
+++ b/unix_integration/src/resolver.rs
@ -944,6 +944,7 @@ where
                CacheState::Online,
            ) => {
                let mut hsm_lock = self.hsm.lock().await;
+                let mut dbtxn = self.db.write().await;

                let maybe_cache_action = self
                    .client
@ -951,12 +952,14 @@ where
                        account_id,
                        cred_handler,
                        pam_next_req,
+                        &mut dbtxn,
                        hsm_lock.deref_mut(),
                        &self.machine_key,
                    )
                    .await;

                drop(hsm_lock);
+                dbtxn.commit().map_err(|_| ())?;

                match maybe_cache_action {
                    Ok((res, AuthCacheAction::None)) => Ok(res),