Fix handling of TPM in some trait contexts (#2347)

This commit is contained in:
Firstyear 2023-12-03 15:33:25 +10:00 committed by GitHub
parent 7d7e3b5478
commit 85022e5e8a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 32 additions and 38 deletions

Cargo.lock generated

@ -2994,9 +2994,7 @@ dependencies = [
[[package]] [[package]]
name = "kanidm-hsm-crypto" name = "kanidm-hsm-crypto"
version = "0.1.3" version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d325d5f7a3978ad1451f8bad2fdea1cc70a7b33dcaa8bbff7617a80d4c36c449"
dependencies = [ dependencies = [
"argon2", "argon2",
"hex", "hex",


@ -84,7 +84,7 @@ kanidmd_lib_macros = { path = "./server/lib-macros", version = "1.1.0-rc.15-dev"
kanidmd_testkit = { path = "./server/testkit", version = "1.1.0-rc.15-dev" } kanidmd_testkit = { path = "./server/testkit", version = "1.1.0-rc.15-dev" }
kanidm_build_profiles = { path = "./libs/profiles", version = "1.1.0-rc.15-dev" } kanidm_build_profiles = { path = "./libs/profiles", version = "1.1.0-rc.15-dev" }
kanidm_client = { path = "./libs/client", version = "1.1.0-rc.15-dev" } kanidm_client = { path = "./libs/client", version = "1.1.0-rc.15-dev" }
kanidm-hsm-crypto = "^0.1.3" kanidm-hsm-crypto = "^0.1.5"
kanidm_lib_crypto = { path = "./libs/crypto", version = "1.1.0-rc.15-dev" } kanidm_lib_crypto = { path = "./libs/crypto", version = "1.1.0-rc.15-dev" }
kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "1.1.0-rc.15-dev" } kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "1.1.0-rc.15-dev" }
kanidm_proto = { path = "./proto", version = "1.1.0-rc.15-dev" } kanidm_proto = { path = "./proto", version = "1.1.0-rc.15-dev" }
@ -115,7 +115,7 @@ clap = { version = "^4.4.8", features = ["derive", "env"] }
clap_complete = "^4.4.4" clap_complete = "^4.4.4"
# Forced by saffron/cron # Forced by saffron/cron
chrono = "^0.4.31" chrono = "^0.4.31"
compact_jwt = { version = "^0.3.2", default-features = false } compact_jwt = { version = "^0.3.3", default-features = false }
concread = "^0.4.3" concread = "^0.4.3"
cron = "0.12.0" cron = "0.12.0"
crossbeam = "0.8.1" crossbeam = "0.8.1"


@ -49,7 +49,7 @@ use tokio::sync::oneshot;
use tokio::time; use tokio::time;
use tokio_util::codec::{Decoder, Encoder, Framed}; use tokio_util::codec::{Decoder, Encoder, Framed};
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm}; use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
use notify_debouncer_full::{new_debouncer, notify::RecursiveMode, notify::Watcher}; use notify_debouncer_full::{new_debouncer, notify::RecursiveMode, notify::Watcher};
@ -791,9 +791,9 @@ async fn main() -> ExitCode {
} }
}; };
let mut hsm: Box<dyn Tpm + Send> = match cfg.hsm_type { let mut hsm: BoxedDynTpm = match cfg.hsm_type {
HsmType::Soft => { HsmType::Soft => {
Box::new(SoftTpm::new()) BoxedDynTpm::new(SoftTpm::new())
} }
HsmType::Tpm => { HsmType::Tpm => {
error!("TPM not supported ... yet"); error!("TPM not supported ... yet");


@ -98,7 +98,7 @@ pub trait IdProvider {
async fn configure_hsm_keys<D: KeyStoreTxn + Send>( async fn configure_hsm_keys<D: KeyStoreTxn + Send>(
&self, &self,
_keystore: &mut D, _keystore: &mut D,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(), IdpError> { ) -> Result<(), IdpError> {
Ok(()) Ok(())
@ -117,21 +117,20 @@ pub trait IdProvider {
} }
*/ */
async fn provider_authenticate(&self, _tpm: &mut (dyn tpm::Tpm + Send)) async fn provider_authenticate(&self, _tpm: &mut tpm::BoxedDynTpm) -> Result<(), IdpError>;
-> Result<(), IdpError>;
async fn unix_user_get( async fn unix_user_get(
&self, &self,
_id: &Id, _id: &Id,
_token: Option<&UserToken>, _token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
) -> Result<UserToken, IdpError>; ) -> Result<UserToken, IdpError>;
async fn unix_user_online_auth_init( async fn unix_user_online_auth_init(
&self, &self,
_account_id: &str, _account_id: &str,
_token: Option<&UserToken>, _token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(AuthRequest, AuthCredHandler), IdpError>; ) -> Result<(AuthRequest, AuthCredHandler), IdpError>;
@ -140,7 +139,7 @@ pub trait IdProvider {
_account_id: &str, _account_id: &str,
_cred_handler: &mut AuthCredHandler, _cred_handler: &mut AuthCredHandler,
_pam_next_req: PamAuthRequest, _pam_next_req: PamAuthRequest,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError>; ) -> Result<(AuthResult, AuthCacheAction), IdpError>;
@ -177,6 +176,6 @@ pub trait IdProvider {
async fn unix_group_get( async fn unix_group_get(
&self, &self,
id: &Id, id: &Id,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
) -> Result<GroupToken, IdpError>; ) -> Result<GroupToken, IdpError>;
} }
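Review bot: None of the `IdProvider` methods touched in this section carry a doc comment, and the default body of `configure_hsm_keys` in the first hunk returns `Ok(())` without using `_keystore` or `_tpm`, so an implementor cannot tell from the signature whether HSM key provisioning is optional or required. I would put `/// Provision any provider-specific keys in the HSM; the default is a no-op, so providers that need keys bound to the machine key must override it.` above that method, and a one-line summary on `provider_authenticate`, `unix_user_get` and `unix_group_get` saying what the HSM handle is for at each step. Naming the parameter `_tpm` in the trait declaration reads as "unused" even though `KanidmProvider::configure_hsm_keys` does use it; naming it `tpm` in the trait and letting individual implementations underscore it would be clearer. The `IdProvider` trait begins before the first hunk of this section.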


@ -7,6 +7,7 @@ use tokio::sync::RwLock;
use super::interface::{ use super::interface::{
// KeyStore, // KeyStore,
tpm, tpm,
tpm::Tpm,
AuthCacheAction, AuthCacheAction,
AuthCredHandler, AuthCredHandler,
AuthRequest, AuthRequest,
@ -86,7 +87,7 @@ impl IdProvider for KanidmProvider {
async fn configure_hsm_keys<D: KeyStoreTxn + Send>( async fn configure_hsm_keys<D: KeyStoreTxn + Send>(
&self, &self,
keystore: &mut D, keystore: &mut D,
tpm: &mut (dyn tpm::Tpm + Send), tpm: &mut tpm::BoxedDynTpm,
machine_key: &tpm::MachineKey, machine_key: &tpm::MachineKey,
) -> Result<(), IdpError> { ) -> Result<(), IdpError> {
let id_key: Option<tpm::LoadableIdentityKey> = let id_key: Option<tpm::LoadableIdentityKey> =
@ -115,10 +116,7 @@ impl IdProvider for KanidmProvider {
} }
// Needs .read on all types except re-auth. // Needs .read on all types except re-auth.
async fn provider_authenticate( async fn provider_authenticate(&self, _tpm: &mut tpm::BoxedDynTpm) -> Result<(), IdpError> {
&self,
_tpm: &mut (dyn tpm::Tpm + Send),
) -> Result<(), IdpError> {
match self.client.write().await.auth_anonymous().await { match self.client.write().await.auth_anonymous().await {
Ok(_uat) => Ok(()), Ok(_uat) => Ok(()),
Err(err) => { Err(err) => {
@ -132,7 +130,7 @@ impl IdProvider for KanidmProvider {
&self, &self,
id: &Id, id: &Id,
_token: Option<&UserToken>, _token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
) -> Result<UserToken, IdpError> { ) -> Result<UserToken, IdpError> {
match self match self
.client .client
@ -195,7 +193,7 @@ impl IdProvider for KanidmProvider {
&self, &self,
_account_id: &str, _account_id: &str,
_token: Option<&UserToken>, _token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(AuthRequest, AuthCredHandler), IdpError> { ) -> Result<(AuthRequest, AuthCredHandler), IdpError> {
// Not sure that I need to do much here? // Not sure that I need to do much here?
@ -207,7 +205,7 @@ impl IdProvider for KanidmProvider {
account_id: &str, account_id: &str,
cred_handler: &mut AuthCredHandler, cred_handler: &mut AuthCredHandler,
pam_next_req: PamAuthRequest, pam_next_req: PamAuthRequest,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey, _machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError> { ) -> Result<(AuthResult, AuthCacheAction), IdpError> {
match (cred_handler, pam_next_req) { match (cred_handler, pam_next_req) {
@ -314,7 +312,7 @@ impl IdProvider for KanidmProvider {
async fn unix_group_get( async fn unix_group_get(
&self, &self,
id: &Id, id: &Id,
_tpm: &mut (dyn tpm::Tpm + Send), _tpm: &mut tpm::BoxedDynTpm,
) -> Result<GroupToken, IdpError> { ) -> Result<GroupToken, IdpError> {
match self match self
.client .client
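Review bot: The newly added `use super::interface::tpm::Tpm;` at the top of this section is not referenced by name in any visible hunk; presumably it is there only so the trait's methods resolve on `tpm::BoxedDynTpm` inside `configure_hsm_keys`, whose body continues past its hunk. If so, a comment on that import such as `// Tpm is imported for its methods on BoxedDynTpm, not for the name itself.` would stop a later cleanup from removing it as apparently unused. The rewritten `provider_authenticate` signature leaves `_tpm` unused, consistent with the other methods here, and would benefit from a one-line doc stating that this provider authenticates anonymously at this step and so does not need the HSM — a claim I can only infer from the `auth_anonymous()` call, so confirm before writing it.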


@ -26,7 +26,7 @@ use crate::idprovider::interface::{
use crate::unix_config::{HomeAttr, UidAttr}; use crate::unix_config::{HomeAttr, UidAttr};
use crate::unix_proto::{HomeDirectoryInfo, NssGroup, NssUser, PamAuthRequest, PamAuthResponse}; use crate::unix_proto::{HomeDirectoryInfo, NssGroup, NssUser, PamAuthRequest, PamAuthResponse};
use kanidm_hsm_crypto::{HmacKey, MachineKey, Tpm}; use kanidm_hsm_crypto::{BoxedDynTpm, HmacKey, MachineKey, Tpm};
const NXCACHE_SIZE: NonZeroUsize = unsafe { NonZeroUsize::new_unchecked(128) }; const NXCACHE_SIZE: NonZeroUsize = unsafe { NonZeroUsize::new_unchecked(128) };
@ -58,7 +58,7 @@ where
{ {
// Generic / modular types. // Generic / modular types.
db: Db, db: Db,
hsm: Mutex<Box<dyn Tpm + Send>>, hsm: Mutex<BoxedDynTpm>,
machine_key: MachineKey, machine_key: MachineKey,
hmac_key: HmacKey, hmac_key: HmacKey,
client: I, client: I,
@ -94,7 +94,7 @@ where
pub async fn new( pub async fn new(
db: Db, db: Db,
client: I, client: I,
hsm: Box<dyn Tpm + Send>, hsm: BoxedDynTpm,
machine_key: MachineKey, machine_key: MachineKey,
// cache timeout // cache timeout
timeout_seconds: u64, timeout_seconds: u64,
@ -146,8 +146,7 @@ where
// let mut ks = KeyStore::new(&mut dbtxn); // let mut ks = KeyStore::new(&mut dbtxn);
let result = client let result = client
// .configure_hsm_keys(&mut ks, &mut **hsm_lock.deref_mut(), &machine_key) .configure_hsm_keys(&mut dbtxn, hsm_lock.deref_mut(), &machine_key)
.configure_hsm_keys(&mut dbtxn, &mut **hsm_lock.deref_mut(), &machine_key)
.await; .await;
// drop(ks); // drop(ks);
@ -453,7 +452,7 @@ where
let mut dbtxn = self.db.write().await; let mut dbtxn = self.db.write().await;
let mut hsm_txn = self.hsm.lock().await; let mut hsm_txn = self.hsm.lock().await;
dbtxn dbtxn
.update_account_password(a_uuid, cred, &mut **hsm_txn, &self.hmac_key) .update_account_password(a_uuid, cred, hsm_txn.deref_mut(), &self.hmac_key)
.and_then(|x| dbtxn.commit().map(|_| x)) .and_then(|x| dbtxn.commit().map(|_| x))
.map_err(|_| ()) .map_err(|_| ())
} }
@ -462,7 +461,7 @@ where
let mut dbtxn = self.db.write().await; let mut dbtxn = self.db.write().await;
let mut hsm_txn = self.hsm.lock().await; let mut hsm_txn = self.hsm.lock().await;
dbtxn dbtxn
.check_account_password(a_uuid, cred, &mut **hsm_txn, &self.hmac_key) .check_account_password(a_uuid, cred, hsm_txn.deref_mut(), &self.hmac_key)
.and_then(|x| dbtxn.commit().map(|_| x)) .and_then(|x| dbtxn.commit().map(|_| x))
.map_err(|_| ()) .map_err(|_| ())
} }
@ -476,7 +475,7 @@ where
let user_get_result = self let user_get_result = self
.client .client
.unix_user_get(account_id, token.as_ref(), &mut **hsm_lock.deref_mut()) .unix_user_get(account_id, token.as_ref(), hsm_lock.deref_mut())
.await; .await;
drop(hsm_lock); drop(hsm_lock);
@ -535,7 +534,7 @@ where
let group_get_result = self let group_get_result = self
.client .client
.unix_group_get(grp_id, &mut **hsm_lock.deref_mut()) .unix_group_get(grp_id, hsm_lock.deref_mut())
.await; .await;
drop(hsm_lock); drop(hsm_lock);
@ -881,7 +880,7 @@ where
.unix_user_online_auth_init( .unix_user_online_auth_init(
account_id, account_id,
token.as_ref(), token.as_ref(),
&mut **hsm_lock.deref_mut(), hsm_lock.deref_mut(),
&self.machine_key, &self.machine_key,
) )
.await .await
@ -946,7 +945,7 @@ where
account_id, account_id,
cred_handler, cred_handler,
pam_next_req, pam_next_req,
&mut **hsm_lock.deref_mut(), hsm_lock.deref_mut(),
&self.machine_key, &self.machine_key,
) )
.await; .await;
@ -1153,7 +1152,7 @@ where
let prov_auth_result = self let prov_auth_result = self
.client .client
.provider_authenticate(&mut **hsm_lock.deref_mut()) .provider_authenticate(hsm_lock.deref_mut())
.await; .await;
drop(hsm_lock); drop(hsm_lock);
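Review bot: Every changed call site in this section passes `hsm_lock.deref_mut()` or `hsm_txn.deref_mut()` (the `configure_hsm_keys` call in `new`, `update_account_password`, `check_account_password`, `unix_user_get`, `unix_group_get`, `unix_user_online_auth_init`, the PAM step call, and `provider_authenticate`) where the callee takes `&mut BoxedDynTpm`; the idiomatic spelling is a reborrow through the guard, which needs no `DerefMut` import and is what clippy's `explicit_deref_methods` lint asks for. For example the first becomes `.configure_hsm_keys(&mut dbtxn, &mut *hsm_lock, &machine_key)` and the password paths `.update_account_password(a_uuid, cred, &mut *hsm_txn, &self.hmac_key)`. The `hsm: Mutex<BoxedDynTpm>` field in the struct hunk would also benefit from a comment stating that the lock serialises all HSM access, which the guarded call sites here suggest but the field does not say. Each of these hunks sits inside a method whose start and end are outside the hunk.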


@ -20,7 +20,7 @@ use kanidmd_testkit::{is_free_port, PORT_ALLOC};
use tokio::task; use tokio::task;
use tracing::log::{debug, trace}; use tracing::log::{debug, trace};
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm}; use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
const ADMIN_TEST_USER: &str = "admin"; const ADMIN_TEST_USER: &str = "admin";
const ADMIN_TEST_PASSWORD: &str = "integration test admin password"; const ADMIN_TEST_PASSWORD: &str = "integration test admin password";
@ -109,7 +109,7 @@ async fn setup_test(fix_fn: Fixture) -> (Resolver<KanidmProvider>, KanidmClient)
.and_then(|_| dbtxn.commit()) .and_then(|_| dbtxn.commit())
.expect("Unable to migrate cache db"); .expect("Unable to migrate cache db");
let mut hsm: Box<dyn Tpm + Send> = Box::new(SoftTpm::new()); let mut hsm = BoxedDynTpm::new(SoftTpm::new());
let auth_value = AuthValue::ephemeral().unwrap(); let auth_value = AuthValue::ephemeral().unwrap();