diff --git a/Cargo.lock b/Cargo.lock
index e88e8cd6d..5518d1464 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2994,9 +2994,7 @@ dependencies = [
 [[package]]
 name = "kanidm-hsm-crypto"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d325d5f7a3978ad1451f8bad2fdea1cc70a7b33dcaa8bbff7617a80d4c36c449"
+version = "0.1.4"
 dependencies = [
 "argon2",
 "hex",
diff --git a/Cargo.toml b/Cargo.toml
index fe6a96f72..285729ea2 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -84,7 +84,7 @@ kanidmd_lib_macros = { path = "./server/lib-macros", version = "1.1.0-rc.15-dev"
 kanidmd_testkit = { path = "./server/testkit", version = "1.1.0-rc.15-dev" }
 kanidm_build_profiles = { path = "./libs/profiles", version = "1.1.0-rc.15-dev" }
 kanidm_client = { path = "./libs/client", version = "1.1.0-rc.15-dev" }
-kanidm-hsm-crypto = "^0.1.3"
+kanidm-hsm-crypto = "^0.1.5"
 kanidm_lib_crypto = { path = "./libs/crypto", version = "1.1.0-rc.15-dev" }
 kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "1.1.0-rc.15-dev" }
 kanidm_proto = { path = "./proto", version = "1.1.0-rc.15-dev" }
@@ -115,7 +115,7 @@ clap = { version = "^4.4.8", features = ["derive", "env"] }
 clap_complete = "^4.4.4"
 # Forced by saffron/cron
 chrono = "^0.4.31"
-compact_jwt = { version = "^0.3.2", default-features = false }
+compact_jwt = { version = "^0.3.3", default-features = false }
 concread = "^0.4.3"
 cron = "0.12.0"
 crossbeam = "0.8.1"
diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs
index b11599212..3ba804187 100644
--- a/unix_integration/src/daemon.rs
+++ b/unix_integration/src/daemon.rs
@@ -49,7 +49,7 @@ use tokio::sync::oneshot;
 use tokio::time;
 use tokio_util::codec::{Decoder, Encoder, Framed};
-use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm};
+use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
 use notify_debouncer_full::{new_debouncer, notify::RecursiveMode, notify::Watcher};
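Review bot: The manifest now requires `kanidm-hsm-crypto = "^0.1.5"`, but the Cargo.lock hunk above resolves the same crate to `version = "0.1.4"` and drops its `source` and `checksum` lines, which looks like a local path or `[patch]` override rather than the registry release. As committed, the lock no longer pins a registry checksum for the crate that wraps the TPM and machine-key handling, and a clean checkout building from crates.io would have to re-resolve this dependency rather than reproduce the reviewed build. Once 0.1.5 is published, regenerating the lock so the entry carries its registry `source` and `checksum` again would restore a reproducible, checksum-pinned build.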
@@ -791,9 +791,9 @@ async fn main() -> ExitCode {
 }
 };
- let mut hsm: Box = match cfg.hsm_type {
+ let mut hsm: BoxedDynTpm = match cfg.hsm_type {
 HsmType::Soft => {
- Box::new(SoftTpm::new())
+ BoxedDynTpm::new(SoftTpm::new())
 }
 HsmType::Tpm => {
 error!("TPM not supported ... yet");
diff --git a/unix_integration/src/idprovider/interface.rs b/unix_integration/src/idprovider/interface.rs
index d0f48a964..26a724fd0 100644
--- a/unix_integration/src/idprovider/interface.rs
+++ b/unix_integration/src/idprovider/interface.rs
@@ -98,7 +98,7 @@ pub trait IdProvider {
 async fn configure_hsm_keys(
 &self,
 _keystore: &mut D,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 _machine_key: &tpm::MachineKey,
 ) -> Result<(), IdpError> {
 Ok(())
@@ -117,21 +117,20 @@ pub trait IdProvider {
 }
 */
- async fn provider_authenticate(&self, _tpm: &mut (dyn tpm::Tpm + Send))
- -> Result<(), IdpError>;
+ async fn provider_authenticate(&self, _tpm: &mut tpm::BoxedDynTpm) -> Result<(), IdpError>;
 async fn unix_user_get(
 &self,
 _id: &Id,
 _token: Option<&UserToken>,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 ) -> Result;
 async fn unix_user_online_auth_init(
 &self,
 _account_id: &str,
 _token: Option<&UserToken>,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthRequest, AuthCredHandler), IdpError>;
@@ -140,7 +139,7 @@ pub trait IdProvider {
 _account_id: &str,
 _cred_handler: &mut AuthCredHandler,
 _pam_next_req: PamAuthRequest,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthResult, AuthCacheAction), IdpError>;
@@ -177,6 +176,6 @@ pub trait IdProvider {
 async fn unix_group_get(
 &self,
 id: &Id,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 ) -> Result;
 }
diff --git a/unix_integration/src/idprovider/kanidm.rs b/unix_integration/src/idprovider/kanidm.rs
index ab3476c29..0c4cb2a48 100644
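Review bot: The `HsmType::Soft` arm that now builds `BoxedDynTpm::new(SoftTpm::new())` carries no comment on what the software backend does and does not protect, so a reader of `cfg.hsm_type` has only the module name `soft` and the neighbouring `error!("TPM not supported ... yet")` to go on. A one-line comment at the arm, such as `// Software TPM backend; see kanidm_hsm_crypto::soft for what it protects and how`, would record the trade-off at the point where the operator's choice takes effect. The `match` and `main` both continue past the end of the hunk, so whether the `HsmType::Tpm` arm exits or falls through is not visible here.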
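Review bot: The default `configure_hsm_keys` in the `@@ -98` hunk still succeeds unconditionally with `Ok(())`, and nothing on the trait says that a provider which depends on HSM-held keys must override it; with the `_tpm` type now changing to `tpm::BoxedDynTpm`, this is a good moment to add a doc comment such as `/// Invoked from the resolver's `new` with the key store and machine key. The default is a no-op, so a provider that needs HSM-backed keys must override it.` The underscore-prefixed names `_keystore`, `_tpm` and `_machine_key` on the trait signatures also read as "unused" even though implementers use them; dropping the prefixes in the declarations (the same applies to the `provider_authenticate`, `unix_user_get`, `unix_user_online_auth_init` and `unix_group_get` hunks) would remove that impression. The `@@ -140` hunk's method starts above the hunk, so its name is not visible here.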
--- a/unix_integration/src/idprovider/kanidm.rs
+++ b/unix_integration/src/idprovider/kanidm.rs
@@ -7,6 +7,7 @@ use tokio::sync::RwLock;
 use super::interface::{
 // KeyStore,
 tpm,
+ tpm::Tpm,
 AuthCacheAction,
 AuthCredHandler,
 AuthRequest,
@@ -86,7 +87,7 @@ impl IdProvider for KanidmProvider {
 async fn configure_hsm_keys(
 &self,
 keystore: &mut D,
- tpm: &mut (dyn tpm::Tpm + Send),
+ tpm: &mut tpm::BoxedDynTpm,
 machine_key: &tpm::MachineKey,
 ) -> Result<(), IdpError> {
 let id_key: Option =
@@ -115,10 +116,7 @@ impl IdProvider for KanidmProvider {
 }
 // Needs .read on all types except re-auth.
- async fn provider_authenticate(
- &self,
- _tpm: &mut (dyn tpm::Tpm + Send),
- ) -> Result<(), IdpError> {
+ async fn provider_authenticate(&self, _tpm: &mut tpm::BoxedDynTpm) -> Result<(), IdpError> {
 match self.client.write().await.auth_anonymous().await {
 Ok(_uat) => Ok(()),
 Err(err) => {
@@ -132,7 +130,7 @@ impl IdProvider for KanidmProvider {
 &self,
 id: &Id,
 _token: Option<&UserToken>,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 ) -> Result {
 match self
 .client
@@ -195,7 +193,7 @@ impl IdProvider for KanidmProvider {
 &self,
 _account_id: &str,
 _token: Option<&UserToken>,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthRequest, AuthCredHandler), IdpError> {
 // Not sure that I need to do much here?
@@ -207,7 +205,7 @@ impl IdProvider for KanidmProvider {
 account_id: &str,
 cred_handler: &mut AuthCredHandler,
 pam_next_req: PamAuthRequest,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 _machine_key: &tpm::MachineKey,
 ) -> Result<(AuthResult, AuthCacheAction), IdpError> {
 match (cred_handler, pam_next_req) {
@@ -314,7 +312,7 @@ impl IdProvider for KanidmProvider {
 async fn unix_group_get(
 &self,
 id: &Id,
- _tpm: &mut (dyn tpm::Tpm + Send),
+ _tpm: &mut tpm::BoxedDynTpm,
 ) -> Result {
 match self
 .client
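Review bot: The new `tpm::Tpm,` entry in the `use super::interface::{ ... }` list in the `@@ -7` hunk sits directly under the `tpm,` module import; the idiomatic spelling is one nested item, `tpm::{self, Tpm},`, which also keeps rustfmt's ordering of the list stable. The commented-out `// KeyStore,` just above it is dead text in the same list and could be removed in the same edit. Presumably the trait is imported so that `Tpm` methods resolve on the `&mut tpm::BoxedDynTpm` parameters introduced in the later hunks; if so, a short comment saying that would save the next reader a lookup, since nothing else in these hunks names a `Tpm` method.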
diff --git a/unix_integration/src/resolver.rs b/unix_integration/src/resolver.rs
index 31a869224..8d87e378d 100644
--- a/unix_integration/src/resolver.rs
+++ b/unix_integration/src/resolver.rs
@@ -26,7 +26,7 @@ use crate::idprovider::interface::{
 use crate::unix_config::{HomeAttr, UidAttr};
 use crate::unix_proto::{HomeDirectoryInfo, NssGroup, NssUser, PamAuthRequest, PamAuthResponse};
-use kanidm_hsm_crypto::{HmacKey, MachineKey, Tpm};
+use kanidm_hsm_crypto::{BoxedDynTpm, HmacKey, MachineKey, Tpm};
 const NXCACHE_SIZE: NonZeroUsize = unsafe { NonZeroUsize::new_unchecked(128) };
@@ -58,7 +58,7 @@ where
 {
 // Generic / modular types.
 db: Db,
- hsm: Mutex>,
+ hsm: Mutex,
 machine_key: MachineKey,
 hmac_key: HmacKey,
 client: I,
@@ -94,7 +94,7 @@ where
 pub async fn new(
 db: Db,
 client: I,
- hsm: Box,
+ hsm: BoxedDynTpm,
 machine_key: MachineKey,
 // cache timeout
 timeout_seconds: u64,
@@ -146,8 +146,7 @@ where
 // let mut ks = KeyStore::new(&mut dbtxn);
 let result = client
- // .configure_hsm_keys(&mut ks, &mut **hsm_lock.deref_mut(), &machine_key)
- .configure_hsm_keys(&mut dbtxn, &mut **hsm_lock.deref_mut(), &machine_key)
+ .configure_hsm_keys(&mut dbtxn, hsm_lock.deref_mut(), &machine_key)
 .await;
 // drop(ks);
@@ -453,7 +452,7 @@ where
 let mut dbtxn = self.db.write().await;
 let mut hsm_txn = self.hsm.lock().await;
 dbtxn
- .update_account_password(a_uuid, cred, &mut **hsm_txn, &self.hmac_key)
+ .update_account_password(a_uuid, cred, hsm_txn.deref_mut(), &self.hmac_key)
 .and_then(|x| dbtxn.commit().map(|_| x))
 .map_err(|_| ())
 }
@@ -462,7 +461,7 @@ where
 let mut dbtxn = self.db.write().await;
 let mut hsm_txn = self.hsm.lock().await;
 dbtxn
- .check_account_password(a_uuid, cred, &mut **hsm_txn, &self.hmac_key)
+ .check_account_password(a_uuid, cred, hsm_txn.deref_mut(), &self.hmac_key)
 .and_then(|x| dbtxn.commit().map(|_| x))
 .map_err(|_| ())
 }
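Review bot: The `hsm_lock.deref_mut()` argument in the `configure_hsm_keys` call of the `@@ -146` hunk spells out the `DerefMut` method where a plain reborrow is the idiomatic form — `.configure_hsm_keys(&mut dbtxn, &mut *hsm_lock, &machine_key)`, assuming `hsm_lock` is the mutex guard as the old `&mut **hsm_lock.deref_mut()` suggests (clippy's `explicit_deref_methods` flags the method form). The same replacement applies to `hsm_txn.deref_mut()` in the `update_account_password` and `check_account_password` hunks (`@@ -453`, `@@ -462`) and to the `hsm_lock.deref_mut()` arguments in the `@@ -476`, `@@ -535`, `@@ -881`, `@@ -946` and `@@ -1153` hunks of this file. This hunk also removes one of three commented-out `KeyStore` lines but leaves `// let mut ks = KeyStore::new(&mut dbtxn);` and `// drop(ks);` in place; deleting those two would finish the cleanup. The enclosing `new` starts above the hunk, so where `hsm_lock` is acquired is not visible here.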
@@ -476,7 +475,7 @@ where
 let user_get_result = self
 .client
- .unix_user_get(account_id, token.as_ref(), &mut **hsm_lock.deref_mut())
+ .unix_user_get(account_id, token.as_ref(), hsm_lock.deref_mut())
 .await;
 drop(hsm_lock);
@@ -535,7 +534,7 @@ where
 let group_get_result = self
 .client
- .unix_group_get(grp_id, &mut **hsm_lock.deref_mut())
+ .unix_group_get(grp_id, hsm_lock.deref_mut())
 .await;
 drop(hsm_lock);
@@ -881,7 +880,7 @@ where
 .unix_user_online_auth_init(
 account_id,
 token.as_ref(),
- &mut **hsm_lock.deref_mut(),
+ hsm_lock.deref_mut(),
 &self.machine_key,
 )
 .await
@@ -946,7 +945,7 @@ where
 account_id,
 cred_handler,
 pam_next_req,
- &mut **hsm_lock.deref_mut(),
+ hsm_lock.deref_mut(),
 &self.machine_key,
 )
 .await;
@@ -1153,7 +1152,7 @@ where
 let prov_auth_result = self
 .client
- .provider_authenticate(&mut **hsm_lock.deref_mut())
+ .provider_authenticate(hsm_lock.deref_mut())
 .await;
 drop(hsm_lock);
diff --git a/unix_integration/tests/cache_layer_test.rs b/unix_integration/tests/cache_layer_test.rs
index 8b04cfa24..b7be6bb95 100644
--- a/unix_integration/tests/cache_layer_test.rs
+++ b/unix_integration/tests/cache_layer_test.rs
@@ -20,7 +20,7 @@ use kanidmd_testkit::{is_free_port, PORT_ALLOC};
 use tokio::task;
 use tracing::log::{debug, trace};
-use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm};
+use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
 const ADMIN_TEST_USER: &str = "admin";
 const ADMIN_TEST_PASSWORD: &str = "integration test admin password";
@@ -109,7 +109,7 @@ async fn setup_test(fix_fn: Fixture) -> (Resolver, KanidmClient)
 .and_then(|_| dbtxn.commit())
 .expect("Unable to migrate cache db");
- let mut hsm: Box = Box::new(SoftTpm::new());
+ let mut hsm = BoxedDynTpm::new(SoftTpm::new());
 let auth_value = AuthValue::ephemeral().unwrap();