idprovider: Provide the keystore during auth (#2385)

Himmelblau requires access to the keystore at
auth time in order to store the id key modified
during a device join.

Signed-off-by: David Mulder <dmulder@samba.org>
Co-authored-by: Firstyear <william@blackhats.net.au>
David Mulder 2023-12-22 10:06:25 -07:00 committed by GitHub
parent dfc4bb5b25
commit 53ef2552e1
3 changed files with 7 additions and 2 deletions


@ -134,11 +134,12 @@ pub trait IdProvider {
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(AuthRequest, AuthCredHandler), IdpError>; ) -> Result<(AuthRequest, AuthCredHandler), IdpError>;
async fn unix_user_online_auth_step( async fn unix_user_online_auth_step<D: KeyStoreTxn + Send>(
&self, &self,
_account_id: &str, _account_id: &str,
_cred_handler: &mut AuthCredHandler, _cred_handler: &mut AuthCredHandler,
_pam_next_req: PamAuthRequest, _pam_next_req: PamAuthRequest,
_keystore: &mut D,
_tpm: &mut tpm::BoxedDynTpm, _tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError>; ) -> Result<(AuthResult, AuthCacheAction), IdpError>;
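Review bot: The new `_keystore: &mut D` parameter on `unix_user_online_auth_step` carries no documentation of transaction ownership, so an implementor cannot tell from the trait whether it may commit the transaction itself or must leave that to the caller. The resolver hunk in this commit opens and commits the transaction around the call, so that contract should be stated on the trait method, e.g. `/// \`_keystore\` is a write transaction opened and committed by the caller; implementations only write through it and must not commit or roll it back.` The `D: KeyStoreTxn + Send` bound would also benefit from a one-line note that `Send` is required because the returned future crosses threads, if that is indeed why it is there.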


@ -200,11 +200,12 @@ impl IdProvider for KanidmProvider {
Ok((AuthRequest::Password, AuthCredHandler::Password)) Ok((AuthRequest::Password, AuthCredHandler::Password))
} }
async fn unix_user_online_auth_step( async fn unix_user_online_auth_step<D: KeyStoreTxn + Send>(
&self, &self,
account_id: &str, account_id: &str,
cred_handler: &mut AuthCredHandler, cred_handler: &mut AuthCredHandler,
pam_next_req: PamAuthRequest, pam_next_req: PamAuthRequest,
_keystore: &mut D,
_tpm: &mut tpm::BoxedDynTpm, _tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError> { ) -> Result<(AuthResult, AuthCacheAction), IdpError> {


@ -944,6 +944,7 @@ where
CacheState::Online, CacheState::Online,
) => { ) => {
let mut hsm_lock = self.hsm.lock().await; let mut hsm_lock = self.hsm.lock().await;
let mut dbtxn = self.db.write().await;
let maybe_cache_action = self let maybe_cache_action = self
.client .client
@ -951,12 +952,14 @@ where
account_id, account_id,
cred_handler, cred_handler,
pam_next_req, pam_next_req,
&mut dbtxn,
hsm_lock.deref_mut(), hsm_lock.deref_mut(),
&self.machine_key, &self.machine_key,
) )
.await; .await;
drop(hsm_lock); drop(hsm_lock);
dbtxn.commit().map_err(|_| ())?;
match maybe_cache_action { match maybe_cache_action {
Ok((res, AuthCacheAction::None)) => Ok(res), Ok((res, AuthCacheAction::None)) => Ok(res),
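Review bot: `dbtxn.commit().map_err(|_| ())?;` after `drop(hsm_lock)` discards the commit error and runs before `maybe_cache_action` is inspected, so a failed auth step still persists whatever the provider wrote through the transaction, and a commit failure turns any auth outcome into a bare `Err(())` with nothing logged. If writes from a failed step should not survive, commit only when `maybe_cache_action` is `Ok` and let the transaction drop otherwise; at minimum record the error before mapping it away, e.g. `dbtxn.commit().map_err(|e| error!(?e, "failed to commit keystore transaction"))?;`, assuming the file already uses a tracing `error!` macro as other resolver paths appear to (confirm). The write transaction is also opened in the first hunk while `hsm_lock` is held and is then kept across the provider's `.await`, which for an online step presumably includes a network round-trip, so if `self.db.write()` is exclusive every other cache operation stalls for that duration and the hsm-then-db acquisition order must match the rest of the file to avoid a lock-order inversion. The enclosing function starts and ends outside the hunk.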