Fix handling of TPM in some trait contexts (#2347)

This commit is contained in:
Firstyear 2023-12-03 15:33:25 +10:00 committed by GitHub
parent 7d7e3b5478
commit 85022e5e8a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 32 additions and 38 deletions

Cargo.lock generated

@ -2994,9 +2994,7 @@ dependencies = [
[[package]]
name = "kanidm-hsm-crypto"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d325d5f7a3978ad1451f8bad2fdea1cc70a7b33dcaa8bbff7617a80d4c36c449"
version = "0.1.4"
dependencies = [
"argon2",
"hex",


@ -84,7 +84,7 @@ kanidmd_lib_macros = { path = "./server/lib-macros", version = "1.1.0-rc.15-dev"
kanidmd_testkit = { path = "./server/testkit", version = "1.1.0-rc.15-dev" }
kanidm_build_profiles = { path = "./libs/profiles", version = "1.1.0-rc.15-dev" }
kanidm_client = { path = "./libs/client", version = "1.1.0-rc.15-dev" }
kanidm-hsm-crypto = "^0.1.3"
kanidm-hsm-crypto = "^0.1.5"
kanidm_lib_crypto = { path = "./libs/crypto", version = "1.1.0-rc.15-dev" }
kanidm_lib_file_permissions = { path = "./libs/file_permissions", version = "1.1.0-rc.15-dev" }
kanidm_proto = { path = "./proto", version = "1.1.0-rc.15-dev" }
@ -115,7 +115,7 @@ clap = { version = "^4.4.8", features = ["derive", "env"] }
clap_complete = "^4.4.4"
# Forced by saffron/cron
chrono = "^0.4.31"
compact_jwt = { version = "^0.3.2", default-features = false }
compact_jwt = { version = "^0.3.3", default-features = false }
concread = "^0.4.3"
cron = "0.12.0"
crossbeam = "0.8.1"


@ -49,7 +49,7 @@ use tokio::sync::oneshot;
use tokio::time;
use tokio_util::codec::{Decoder, Encoder, Framed};
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm};
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
use notify_debouncer_full::{new_debouncer, notify::RecursiveMode, notify::Watcher};
@ -791,9 +791,9 @@ async fn main() -> ExitCode {
}
};
let mut hsm: Box<dyn Tpm + Send> = match cfg.hsm_type {
let mut hsm: BoxedDynTpm = match cfg.hsm_type {
HsmType::Soft => {
Box::new(SoftTpm::new())
BoxedDynTpm::new(SoftTpm::new())
}
HsmType::Tpm => {
error!("TPM not supported ... yet");
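Review bot: The explicit type annotation on `let mut hsm: BoxedDynTpm = match cfg.hsm_type {` looks redundant now that the `HsmType::Soft` arm already produces a `BoxedDynTpm::new(SoftTpm::new())`; the test fixture changed in the same commit writes `let mut hsm = BoxedDynTpm::new(SoftTpm::new());` without one, so dropping it here would keep the two sites consistent. The `HsmType::Tpm` arm is cut off at the end of the hunk, so I cannot confirm whether it diverges (exits) or also yields a value, which is the one case where the annotation still earns its keep. The `Tpm` trait is still imported on the new import line; if nothing in this file calls a `Tpm` method directly on the box, that import is presumably now unused and will warn.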


@ -98,7 +98,7 @@ pub trait IdProvider {
async fn configure_hsm_keys<D: KeyStoreTxn + Send>(
&self,
_keystore: &mut D,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey,
) -> Result<(), IdpError> {
Ok(())
@ -117,21 +117,20 @@ pub trait IdProvider {
}
*/
async fn provider_authenticate(&self, _tpm: &mut (dyn tpm::Tpm + Send))
-> Result<(), IdpError>;
async fn provider_authenticate(&self, _tpm: &mut tpm::BoxedDynTpm) -> Result<(), IdpError>;
async fn unix_user_get(
&self,
_id: &Id,
_token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
) -> Result<UserToken, IdpError>;
async fn unix_user_online_auth_init(
&self,
_account_id: &str,
_token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey,
) -> Result<(AuthRequest, AuthCredHandler), IdpError>;
@ -140,7 +139,7 @@ pub trait IdProvider {
_account_id: &str,
_cred_handler: &mut AuthCredHandler,
_pam_next_req: PamAuthRequest,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError>;
@ -177,6 +176,6 @@ pub trait IdProvider {
async fn unix_group_get(
&self,
id: &Id,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
) -> Result<GroupToken, IdpError>;
}
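Review bot: The `IdProvider` trait now fixes every TPM parameter to the concrete `&mut tpm::BoxedDynTpm` instead of the trait object `&mut (dyn tpm::Tpm + Send)`, but nothing on the trait records why, so the next maintainer is likely to "simplify" it back to the trait object and reintroduce whatever the commit title calls the "trait context" problem. A short trait-level doc would pin the intent, e.g. `/// TPM handles are passed as `&mut BoxedDynTpm` (not `&mut dyn Tpm`) so the async` / `/// methods stay object-safe and their futures remain `Send`; see commit 85022e5e8a.` — the `Send` reasoning is my inference from the `+ Send` bound being dropped, so verify it before committing the wording. The same signature change is repeated in the `KanidmProvider` impl section below, which needs no separate comment once the trait carries it.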


@ -7,6 +7,7 @@ use tokio::sync::RwLock;
use super::interface::{
// KeyStore,
tpm,
tpm::Tpm,
AuthCacheAction,
AuthCredHandler,
AuthRequest,
@ -86,7 +87,7 @@ impl IdProvider for KanidmProvider {
async fn configure_hsm_keys<D: KeyStoreTxn + Send>(
&self,
keystore: &mut D,
tpm: &mut (dyn tpm::Tpm + Send),
tpm: &mut tpm::BoxedDynTpm,
machine_key: &tpm::MachineKey,
) -> Result<(), IdpError> {
let id_key: Option<tpm::LoadableIdentityKey> =
@ -115,10 +116,7 @@ impl IdProvider for KanidmProvider {
}
// Needs .read on all types except re-auth.
async fn provider_authenticate(
&self,
_tpm: &mut (dyn tpm::Tpm + Send),
) -> Result<(), IdpError> {
async fn provider_authenticate(&self, _tpm: &mut tpm::BoxedDynTpm) -> Result<(), IdpError> {
match self.client.write().await.auth_anonymous().await {
Ok(_uat) => Ok(()),
Err(err) => {
@ -132,7 +130,7 @@ impl IdProvider for KanidmProvider {
&self,
id: &Id,
_token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
) -> Result<UserToken, IdpError> {
match self
.client
@ -195,7 +193,7 @@ impl IdProvider for KanidmProvider {
&self,
_account_id: &str,
_token: Option<&UserToken>,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey,
) -> Result<(AuthRequest, AuthCredHandler), IdpError> {
// Not sure that I need to do much here?
@ -207,7 +205,7 @@ impl IdProvider for KanidmProvider {
account_id: &str,
cred_handler: &mut AuthCredHandler,
pam_next_req: PamAuthRequest,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
_machine_key: &tpm::MachineKey,
) -> Result<(AuthResult, AuthCacheAction), IdpError> {
match (cred_handler, pam_next_req) {
@ -314,7 +312,7 @@ impl IdProvider for KanidmProvider {
async fn unix_group_get(
&self,
id: &Id,
_tpm: &mut (dyn tpm::Tpm + Send),
_tpm: &mut tpm::BoxedDynTpm,
) -> Result<GroupToken, IdpError> {
match self
.client


@ -26,7 +26,7 @@ use crate::idprovider::interface::{
use crate::unix_config::{HomeAttr, UidAttr};
use crate::unix_proto::{HomeDirectoryInfo, NssGroup, NssUser, PamAuthRequest, PamAuthResponse};
use kanidm_hsm_crypto::{HmacKey, MachineKey, Tpm};
use kanidm_hsm_crypto::{BoxedDynTpm, HmacKey, MachineKey, Tpm};
const NXCACHE_SIZE: NonZeroUsize = unsafe { NonZeroUsize::new_unchecked(128) };
@ -58,7 +58,7 @@ where
{
// Generic / modular types.
db: Db,
hsm: Mutex<Box<dyn Tpm + Send>>,
hsm: Mutex<BoxedDynTpm>,
machine_key: MachineKey,
hmac_key: HmacKey,
client: I,
@ -94,7 +94,7 @@ where
pub async fn new(
db: Db,
client: I,
hsm: Box<dyn Tpm + Send>,
hsm: BoxedDynTpm,
machine_key: MachineKey,
// cache timeout
timeout_seconds: u64,
@ -146,8 +146,7 @@ where
// let mut ks = KeyStore::new(&mut dbtxn);
let result = client
// .configure_hsm_keys(&mut ks, &mut **hsm_lock.deref_mut(), &machine_key)
.configure_hsm_keys(&mut dbtxn, &mut **hsm_lock.deref_mut(), &machine_key)
.configure_hsm_keys(&mut dbtxn, hsm_lock.deref_mut(), &machine_key)
.await;
// drop(ks);
@ -453,7 +452,7 @@ where
let mut dbtxn = self.db.write().await;
let mut hsm_txn = self.hsm.lock().await;
dbtxn
.update_account_password(a_uuid, cred, &mut **hsm_txn, &self.hmac_key)
.update_account_password(a_uuid, cred, hsm_txn.deref_mut(), &self.hmac_key)
.and_then(|x| dbtxn.commit().map(|_| x))
.map_err(|_| ())
}
@ -462,7 +461,7 @@ where
let mut dbtxn = self.db.write().await;
let mut hsm_txn = self.hsm.lock().await;
dbtxn
.check_account_password(a_uuid, cred, &mut **hsm_txn, &self.hmac_key)
.check_account_password(a_uuid, cred, hsm_txn.deref_mut(), &self.hmac_key)
.and_then(|x| dbtxn.commit().map(|_| x))
.map_err(|_| ())
}
@ -476,7 +475,7 @@ where
let user_get_result = self
.client
.unix_user_get(account_id, token.as_ref(), &mut **hsm_lock.deref_mut())
.unix_user_get(account_id, token.as_ref(), hsm_lock.deref_mut())
.await;
drop(hsm_lock);
@ -535,7 +534,7 @@ where
let group_get_result = self
.client
.unix_group_get(grp_id, &mut **hsm_lock.deref_mut())
.unix_group_get(grp_id, hsm_lock.deref_mut())
.await;
drop(hsm_lock);
@ -881,7 +880,7 @@ where
.unix_user_online_auth_init(
account_id,
token.as_ref(),
&mut **hsm_lock.deref_mut(),
hsm_lock.deref_mut(),
&self.machine_key,
)
.await
@ -946,7 +945,7 @@ where
account_id,
cred_handler,
pam_next_req,
&mut **hsm_lock.deref_mut(),
hsm_lock.deref_mut(),
&self.machine_key,
)
.await;
@ -1153,7 +1152,7 @@ where
let prov_auth_result = self
.client
.provider_authenticate(&mut **hsm_lock.deref_mut())
.provider_authenticate(hsm_lock.deref_mut())
.await;
drop(hsm_lock);
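Review bot: The new call sites spell the reborrow as an explicit method call, `hsm_lock.deref_mut()` and `hsm_txn.deref_mut()`, where the idiomatic form is `&mut *hsm_lock` / `&mut *hsm_txn`; clippy's `explicit_deref_methods` lint flags exactly this, and the `&mut *` form also makes it visible at a glance that the guard is being reborrowed rather than moved into the callee. This applies to all eight changed lines in this section (`configure_hsm_keys`, `update_account_password`, `check_account_password`, `unix_user_get`, `unix_group_get`, `unix_user_online_auth_init`, the `pam_next_req` call and `provider_authenticate`). The `Tpm` trait is still imported on the new import line alongside `BoxedDynTpm`; if no method in this file calls a `Tpm` method on the box directly, that import is presumably unused now and will warn. The enclosing methods all start and end outside their hunks.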


@ -20,7 +20,7 @@ use kanidmd_testkit::{is_free_port, PORT_ALLOC};
use tokio::task;
use tracing::log::{debug, trace};
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, Tpm};
use kanidm_hsm_crypto::{soft::SoftTpm, AuthValue, BoxedDynTpm, Tpm};
const ADMIN_TEST_USER: &str = "admin";
const ADMIN_TEST_PASSWORD: &str = "integration test admin password";
@ -109,7 +109,7 @@ async fn setup_test(fix_fn: Fixture) -> (Resolver<KanidmProvider>, KanidmClient)
.and_then(|_| dbtxn.commit())
.expect("Unable to migrate cache db");
let mut hsm: Box<dyn Tpm + Send> = Box::new(SoftTpm::new());
let mut hsm = BoxedDynTpm::new(SoftTpm::new());
let auth_value = AuthValue::ephemeral().unwrap();