Skip to content
Snippets Groups Projects
Verified Commit 1dca24a6 authored by Nik | Klampfradler's avatar Nik | Klampfradler
Browse files

Refactor access toke nretrieval of existing tokens into oauth module

parent 93ccf690
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/nss.rs
+ 10
37
View file @ 1dca24a6
......@@ -24,7 +24,7 @@ use crate::cache::get_context_user;
use crate::logging::setup_log;
use crate::oauth::{get_access_token_client, get_data_jq};
use crate::oauth::{get_data_jq, get_usable_token};
use serde::{Serialize, Deserialize};
use libnss::interop::Response;
......@@ -69,20 +69,11 @@ impl PasswdHooks for OidcPasswd {
let conf = nss_hook_prepare();
info!("[NSS] passwd.get_all_entries called");
let user_token_res = get_context_user().get_access_token();
// FIXME Implement caching of system token
let system_token_res = get_access_token_client(&conf, "nss", "", "");
let token = match user_token_res {
let token = match get_usable_token(&conf, "nss", &mut get_context_user()) {
Some(t) => t,
None => {
debug!("Could not find a user token to request NSS data; trying client credentials");
match system_token_res {
Ok(ct) => ct,
Err(e) => {
error!("Failed to get access token with client credentials: {}", e);
return Response::Unavail;
}
}
error!("Failed to get usable access token");
return Response::Unavail;
}
};
......@@ -100,20 +91,11 @@ impl PasswdHooks for OidcPasswd {
let conf = nss_hook_prepare();
info!("[NSS] passwd.get_entry_by_uid called for {}", uid);
let user_token_res = get_context_user().get_access_token();
// FIXME Implement caching of system token
let system_token_res = get_access_token_client(&conf, "nss", "", "");
let token = match user_token_res {
let token = match get_usable_token(&conf, "nss", &mut get_context_user()) {
Some(t) => t,
None => {
debug!("Could not find a user token to request NSS data; trying client credentials");
match system_token_res {
Ok(ct) => ct,
Err(e) => {
error!("Failed to get access token with client credentials: {}", e);
return Response::Unavail;
}
}
error!("Failed to get usable access token");
return Response::Unavail;
}
};
......@@ -131,20 +113,11 @@ impl PasswdHooks for OidcPasswd {
let conf = nss_hook_prepare();
info!("[NSS] passwd.get_entry_by_name called for {}", name);
let user_token_res = get_context_user().get_access_token();
// FIXME Implement caching of system token
let system_token_res = get_access_token_client(&conf, "nss", "", "");
let token = match user_token_res {
let token = match get_usable_token(&conf, "nss", &mut get_context_user()) {
Some(t) => t,
None => {
debug!("Could not find a user token to request NSS data; trying client credentials");
match system_token_res {
Ok(ct) => ct,
Err(e) => {
error!("Failed to get access token with client credentials: {}", e);
return Response::Unavail;
}
}
error!("Failed to get usable access token");
return Response::Unavail;
}
};
......
src/oauth.rs
+ 33
0
View file @ 1dca24a6
......@@ -24,6 +24,8 @@ use crate::config::{
use config::Config;
use crate::cache::UserInfo;
use oauth2::{
AuthUrl,
ClientId,
......@@ -240,6 +242,37 @@ fn get_jq_prog(conf: &Config, prefix: &str, endpoint: &str, multi: bool, rev: bo
jq_rs::compile(&jq_code)
}
/// Get a usable access token for the passed user and prefix
///
/// Will return the user's personal token, or a system token, or None,
/// in that order.
///
/// Arguments
/// ---------
///
/// `conf` - reference to the config object
/// `user` - reference to a user info object to get a token for
/// `prefix` - current prefix (probably `nss` or `pam`)
pub fn get_usable_token(conf: &Config, prefix: &str, user: &mut UserInfo) -> Option<BasicTokenResponse> {
let user_token_res = user.get_access_token();
// FIXME Implement caching of system token
let system_token_res = get_access_token_client(&conf, prefix, "", "");
match user_token_res {
Some(t) => Some(t),
None => {
debug!("Could not find a user token; trying client credentials");
match system_token_res {
Ok(ct) => Some(ct),
Err(e) => {
error!("Failed to get access token with client credentials: {}", e);
None
}
}
}
}
}
/// Retrieve JSON data from a configured endpoint, transforming using configured jq programs
///
/// This function takes a prefix (probably `nss` or `pam`, and an endpoint name to lookup
......
src/pam.rs
+ 7
6
View file @ 1dca24a6
......@@ -22,7 +22,7 @@ use crate::config::{
};
use config::Config;
use crate::oauth::{get_access_token_password, get_data_jq};
use crate::oauth::{get_access_token_password, get_data_jq, get_usable_token};
use crate::logging::setup_log;
......@@ -143,13 +143,14 @@ impl PamServiceModule for PamOidc {
// Retrieve access token (as acquired in the auth stage, probably)
set_is_getpwnam_safe(false);
// FIXME implement fallback to system token
let res = get_context_user().get_access_token();
set_is_getpwnam_safe(true);
let token = match res {
let token = match get_usable_token(&conf, "pam", &mut get_context_user()) {
Some(t) => t,
None => return PamError::CRED_UNAVAIL
None => {
error!("Failed to get usable access token");
return PamError::CRED_UNAVAIL;
}
};
set_is_getpwnam_safe(true);
// Get and transform data from API
let data: bool = match get_data_jq(&conf, "pam", "authz", "".to_string(), &token, true) {
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment