Verified Commit 8c64e98c authored by Nik | Klampfradler's avatar Nik | Klampfradler

[NSS] Use client credentials if user token is unavailable

parent 7b4e0070
...@@ -23,7 +23,7 @@ use crate::cache::get_cache; ...@@ -23,7 +23,7 @@ use crate::cache::get_cache;
use crate::logging::setup_log; use crate::logging::setup_log;
use crate::oauth::get_data_jq; use crate::oauth::{get_access_token_client, get_data_jq};
use serde::{Serialize, Deserialize}; use serde::{Serialize, Deserialize};
use libc::{getpwuid, geteuid}; use libc::{getpwuid, geteuid};
...@@ -75,16 +75,26 @@ impl PasswdHooks for OidcPasswd { ...@@ -75,16 +75,26 @@ impl PasswdHooks for OidcPasswd {
let mut cache = get_cache(); let mut cache = get_cache();
let user = get_current_user(); let user = get_current_user();
let ctc;
let token = match cache.load_user_token(&user) { let token = match cache.load_user_token(&user) {
Some(t) => t, Some(t) => t,
None => { None => {
// FIXME Implement fallback to system token // FIXME Implement caching of system token
error!("Could not find a user token for {} to request NSS data", user); debug!("Could not find a user token for {} to request NSS data; trying client credentials", user);
return Response::Unavail; match get_access_token_client(&conf, "nss", "", "") {
Ok(ct) => {
ctc = ct.clone();
&ctc
},
Err(_) => {
error!("Failed to get access token with client credentials");
return Response::Unavail;
}
}
} }
}; };
let data: Vec<PasswdHelper> = match get_data_jq(&conf, "nss", "passwd", token, true) { let data: Vec<PasswdHelper> = match get_data_jq(&conf, "nss", "passwd", &token, true) {
Ok(d) => d, Ok(d) => d,
Err(_) => { Err(_) => {
error!("Could not load JSON data for passwd"); error!("Could not load JSON data for passwd");
......
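Review bot: The client-credentials fallback passes `""` for both `error_value` and `unauth_value`, so a rejected client secret and a transport or config failure land in the same `Err(_)` arm with the same log line; distinct sentinels such as `match get_access_token_client(&conf, "nss", "error", "unauth") {` together with `Err(e) => { error!("Failed to get access token with client credentials: {}", e); return Response::Unavail; }` would let an operator tell a misconfigured `nss.client_secret` from an unreachable provider. The `ctc = ct.clone();` on the `Ok` arm copies the token for nothing, since `ct` is owned and dropped at the end of the arm; `ctc = ct;` is enough. Worth noting in the option docs as well: NSS lookups now run under the service's own client credentials whenever no user token is cached, and because this module executes inside whatever process performs the lookup (it keys on `geteuid`), the config holding `nss.client_secret` presumably has to be readable by those processes — confirm how the deployment protects it. The enclosing passwd hook starts before the hunk and continues past it.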
...@@ -49,7 +49,7 @@ fn full_key(parts: Vec<&str>) -> String { ...@@ -49,7 +49,7 @@ fn full_key(parts: Vec<&str>) -> String {
parts.join(".") parts.join(".")
} }
fn get_client<E: Copy>(conf: Config, prefix: &str, error_value: E) -> Result<BasicClient, E> { fn get_client<E: Copy>(conf: &Config, prefix: &str, error_value: E) -> Result<BasicClient, E> {
let client_id = ClientId::new(get_or_error(&conf, &full_key(vec![prefix, "client_id"]), error_value)?); let client_id = ClientId::new(get_or_error(&conf, &full_key(vec![prefix, "client_id"]), error_value)?);
let client_secret = match get_optional(&conf, &full_key(vec![prefix, "client_secret"])) { let client_secret = match get_optional(&conf, &full_key(vec![prefix, "client_secret"])) {
Some(v) => Some(ClientSecret::new(v)), Some(v) => Some(ClientSecret::new(v)),
...@@ -77,7 +77,7 @@ fn get_client<E: Copy>(conf: Config, prefix: &str, error_value: E) -> Result<Bas ...@@ -77,7 +77,7 @@ fn get_client<E: Copy>(conf: Config, prefix: &str, error_value: E) -> Result<Bas
return Ok(client); return Ok(client);
} }
pub fn get_access_token_client<E: Copy>(conf: Config, prefix: &str, error_value: E, unauth_value: E) -> Result<BasicTokenResponse, E> { pub fn get_access_token_client<E: Copy>(conf: &Config, prefix: &str, error_value: E, unauth_value: E) -> Result<BasicTokenResponse, E> {
let scopes: Vec<String> = match get_optional(&conf, &full_key(vec![prefix, "scopes"])) { let scopes: Vec<String> = match get_optional(&conf, &full_key(vec![prefix, "scopes"])) {
Some(v) => v, Some(v) => v,
None => vec![] None => vec![]
...@@ -105,7 +105,7 @@ pub fn get_access_token_client<E: Copy>(conf: Config, prefix: &str, error_value: ...@@ -105,7 +105,7 @@ pub fn get_access_token_client<E: Copy>(conf: Config, prefix: &str, error_value:
} }
} }
pub fn get_access_token_password<E: Copy>(conf: Config, prefix: &str, username: String, password: String, error_value: E, unauth_value: E) -> Result<BasicTokenResponse, E> { pub fn get_access_token_password<E: Copy>(conf: &Config, prefix: &str, username: String, password: String, error_value: E, unauth_value: E) -> Result<BasicTokenResponse, E> {
let scopes: Vec<String> = match get_optional(&conf, &full_key(vec![prefix, "scopes"])) { let scopes: Vec<String> = match get_optional(&conf, &full_key(vec![prefix, "scopes"])) {
Some(v) => v, Some(v) => v,
None => vec![] None => vec![]
......
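Review bot: Now that `conf` is already a `&Config`, the `get_or_error(&conf, ...)` and `get_optional(&conf, ...)` calls in these three functions pass a `&&Config` and only compile through auto-deref; pass `conf` directly, e.g. `get_optional(conf, &full_key(vec![prefix, "scopes"]))`. Since the NSS hook now exercises the client-credentials path, it is also worth documenting on `get_access_token_client` that `client_secret` is optional in `get_client` and what the grant does when the `<prefix>.client_secret` key is absent — presumably the request goes out unauthenticated and fails at the provider, but that is not visible here. The bodies of `get_client` and `get_access_token_client` continue outside the hunks.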
...@@ -87,7 +87,7 @@ impl PamServiceModule for PamOidc { ...@@ -87,7 +87,7 @@ impl PamServiceModule for PamOidc {
}; };
debug!("Successfully got password"); debug!("Successfully got password");
match get_access_token_password(conf, "pam", username.to_string(), password.to_string(), PamError::SERVICE_ERR, PamError::AUTH_ERR) { match get_access_token_password(&conf, "pam", username.to_string(), password.to_string(), PamError::SERVICE_ERR, PamError::AUTH_ERR) {
Ok(t) => { Ok(t) => {
info!("Authenticated {} using Resource Owner Password Grant", username); info!("Authenticated {} using Resource Owner Password Grant", username);
get_cache().save_user_token(&username.to_string(), t.into()); get_cache().save_user_token(&username.to_string(), t.into());
......