mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Resolve incorrect handling of tokens in logout flow (#2795)

Browse source
This commit is contained in:
Firstyear 2024-05-28 16:01:19 +10:00 committed by GitHub
parent a8b9dc8ee8
commit f669f5a0e8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 43 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

70
tools/cli/src/cli/session.rs
View file

@ -589,7 +589,17 @@ impl LogoutOpt {
} }
pub async fn exec(&self) { pub async fn exec(&self) {
let mut tokens = read_tokens(&self.copt.get_token_cache_path()).unwrap_or_else(|_| {
error!("Error retrieving authentication token store");
std::process::exit(1);
});
let instance_name = &self.copt.instance; let instance_name = &self.copt.instance;
let n_lookup = instance_name.clone().unwrap_or_default();
let Some(token_instance) = tokens.instances.get_mut(&n_lookup) else {
println!("No sessions for instance {}", n_lookup);
return;
};
let spn: String = if self.local_only { let spn: String = if self.local_only {
// For now we just remove this from the token store. // For now we just remove this from the token store.
@ -624,63 +634,65 @@ impl LogoutOpt {
std::process::exit(1); std::process::exit(1);
} }
}; };
// Parse it for the username.
if let Err(e) = client.logout().await {
error!("Failed to logout - {:?}", e);
std::process::exit(1);
}
// Server acked the logout, lets proceed with the local cleanup now.
// Parse it for the SPN. Annoying but it's what we have to do
// because we don't know what token was used in the lower to client calls.
let jwsc = match JwsCompact::from_str(&token) { let jwsc = match JwsCompact::from_str(&token) {
Ok(j) => j, Ok(j) => j,
Err(err) => { Err(err) => {
error!(?err, "Unable to parse token"); error!(?err, "Unable to parse token");
info!("The token can be removed locally with `--local-only`");
std::process::exit(1); std::process::exit(1);
} }
}; };
let jws_verifier = if let Some(pub_jwk) = jwsc.get_jwk_pubkey() { let Some(key_id) = jwsc.kid() else {
match JwsEs256Verifier::try_from(pub_jwk) { error!("Invalid token, missing KeyID");
Ok(verifier) => verifier, info!("The token can be removed locally with `--local-only`");
Err(err) => {
error!(?err, "Unable to configure jws verifier");
std::process::exit(1);
}
}
} else {
error!("Unable to access token public key");
std::process::exit(1); std::process::exit(1);
}; };
let Some(pub_jwk) = token_instance.keys().get(key_id) else {
error!("Invalid instance, no signing keys are available");
info!("The token can be removed locally with `--local-only`");
std::process::exit(1);
};
let jws_verifier = match JwsEs256Verifier::try_from(pub_jwk) {
Ok(verifier) => verifier,
Err(err) => {
error!(?err, "Unable to configure jws verifier");
info!("The token can be removed locally with `--local-only`");
std::process::exit(1);
}
};
let uat = match jws_verifier.verify(&jwsc).and_then(|jws| { let uat = match jws_verifier.verify(&jwsc).and_then(|jws| {
jws.from_json::<UserAuthToken>().map_err(|serde_err| { jws.from_json::<UserAuthToken>().map_err(|serde_err| {
error!(?serde_err); error!(?serde_err);
info!("The token can be removed locally with `--local-only`");
JwtError::InvalidJwt JwtError::InvalidJwt
}) })
}) { }) {
Ok(uat) => uat, Ok(uat) => uat,
Err(e) => { Err(e) => {
error!(?e, "Unable to verify token signature, may be corrupt"); error!(?e, "Unable to verify token signature, may be corrupt");
info!("The token can be removed locally with `--local-only`");
std::process::exit(1); std::process::exit(1);
} }
}; };
// Now we know we have a valid(ish) token, call the server to do the logout.
if let Err(e) = client.logout().await {
error!("Failed to logout - {:?}", e);
std::process::exit(1);
}
// Server acked the logout, lets proceed with the local cleanup now, return
// the spn so the outer parts know what to remove.
uat.spn uat.spn
}; };
let mut tokens = read_tokens(&self.copt.get_token_cache_path()).unwrap_or_else(|_| {
error!("Error retrieving authentication token store");
std::process::exit(1);
});
let n_lookup = instance_name.clone().unwrap_or_default();
let Some(token_instance) = tokens.instances.get_mut(&n_lookup) else {
println!("No sessions for {}", spn);
return;
};
// Remove our old one // Remove our old one
if token_instance.tokens.remove(&spn).is_some() { if token_instance.tokens.remove(&spn).is_some() {
// write them out. // write them out.

4
tools/cli/src/opt/kanidm.rs
View file

@ -782,8 +782,8 @@ pub struct ReauthOpt {
pub struct LogoutOpt { pub struct LogoutOpt {
#[clap(flatten)] #[clap(flatten)]
copt: CommonOpt, copt: CommonOpt,
#[clap(short, long, hide = true)] #[clap(short, long)]
/// Do not send the logout to the server - only remove the session token locally /// Do not send a logout request to the server - only remove the session token locally.
local_only: bool, local_only: bool,
} }