Verified
Commit
9577388b
authored
3 years ago
by
Nik | Klampfradler
[Cache] Fix some more reference passing, and access to original_euid
parent
169f0d9d
Changes
3
Showing
3 changed files
src/cache.rs
+43
-32
43 additions, 32 deletions
src/cache.rs
src/nss.rs
+25
-10
25 additions, 10 deletions
src/nss.rs
src/pam.rs
+1
-1
1 addition, 1 deletion
src/pam.rs
with
69 additions
and
43 deletions
src/cache.rs
+
43
−
32
...
...
@@ -36,9 +36,9 @@ use serde_json;
const
USER_TOKEN_FILENAME
:
&
str
=
"user_token.json"
;
struct
UserInfo
<
'a
>
{
pub
struct
UserInfo
<
'a
>
{
uid
:
Option
<
uid_t
>
,
username
:
Option
<
&
'a
str
>
,
username
:
Option
<
String
>
,
passwd
:
Option
<
Passwd
<
'a
>>
,
access_token
:
Option
<
BasicTokenResponse
>
}
...
...
@@ -65,18 +65,18 @@ impl Cache<'_> {
impl
<
'a
>
UserInfo
<
'a
>
{
pub
fn
set_current_user
(
&
mut
self
)
{
self
.set_uid
(
original_euid
);
self
.set_uid
(
get_
original_euid
()
);
}
pub
fn
is_initialized
(
&
self
)
->
bool
{
self
.uid
.is_some
()
||
self
.username
.is_some
()
}
fn
try_resolve
(
&
mut
self
)
->
Result
<
&
Passwd
,
io
::
Error
>
{
// If we already have a full passwd struct,
return it as without resolv
ing
fn
try_resolve
(
&
mut
self
)
->
Result
<
()
,
io
::
Error
>
{
// If we already have a full passwd struct,
do noth
ing
if
self
.passwd
.is_some
()
{
debug!
(
"passwd entry for context user already resolved"
);
return
Ok
(
self
.passwd
.as_ref
()
.unwrap
());
return
Ok
(());
}
// If we cannot call getpwnam safely, return error (see `is_get_pwnam_safe`)
...
...
@@ -102,18 +102,19 @@ impl <'a>UserInfo<'a> {
Ok
(
passwd
)
=>
{
debug!
(
"Successfully resolved context user's passwd entry"
);
self
.passwd
=
Some
(
passwd
);
Ok
(
self
.passwd
.as_ref
()
.unwrap
())
Ok
(())
},
Err
(
e
)
=>
Err
(
e
)
}
}
pub
fn
get_uid
(
&
mut
self
)
->
Result
<
uid_t
,
io
::
Error
>
{
match
self
.try_resolve
()
{
Ok
(
passwd
)
=>
Ok
(
passwd
.pw_uid
),
Err
(
e
)
=>
match
self
.uid
{
self
.try_resolve
();
match
&
self
.passwd
{
Some
(
passwd
)
=>
Ok
(
passwd
.pw_uid
),
None
=>
match
self
.uid
{
Some
(
uid
)
=>
Ok
(
uid
),
None
=>
Err
(
e
)
None
=>
Err
(
io
::
Error
::
new
(
io
::
ErrorKind
::
InvalidInput
,
"foo"
)
)
}
}
}
...
...
@@ -125,17 +126,18 @@ impl <'a>UserInfo<'a> {
self
.try_resolve
();
}
pub
fn
get_username
(
&
mut
self
)
->
Result
<&
str
,
io
::
Error
>
{
match
self
.try_resolve
()
{
Ok
(
passwd
)
=>
Ok
(
passwd
.pw_name
),
Err
(
e
)
=>
match
self
.username
{
Some
(
username
)
=>
Ok
(
username
),
None
=>
Err
(
e
)
pub
fn
get_username
(
&
mut
self
)
->
Result
<
String
,
io
::
Error
>
{
self
.try_resolve
();
match
&
self
.passwd
{
Some
(
passwd
)
=>
Ok
(
passwd
.pw_name
.to_string
()),
None
=>
match
&
self
.username
{
Some
(
username
)
=>
Ok
(
username
.to_string
()),
None
=>
Err
(
io
::
Error
::
new
(
io
::
ErrorKind
::
InvalidInput
,
"foo"
))
}
}
}
pub
fn
set_username
(
&
mut
self
,
username
:
&
'a
str
)
{
pub
fn
set_username
(
&
mut
self
,
username
:
String
)
{
self
.username
=
Some
(
username
);
self
.uid
=
None
;
self
.passwd
=
None
;
...
...
@@ -143,13 +145,14 @@ impl <'a>UserInfo<'a> {
}
pub
fn
get_home_directory
(
&
mut
self
)
->
Result
<&
str
,
io
::
Error
>
{
match
self
.try_resolve
()
{
Ok
(
passwd
)
=>
Ok
(
passwd
.pw_dir
),
Err
(
e
)
=>
Err
(
e
)
self
.try_resolve
();
match
&
self
.passwd
{
Some
(
passwd
)
=>
Ok
(
passwd
.pw_dir
),
None
=>
Err
(
io
::
Error
::
new
(
io
::
ErrorKind
::
InvalidInput
,
"foo"
))
}
}
fn
drop_privileges
(
&
self
)
->
Result
<
uid_t
,
io
::
Error
>
{
fn
drop_privileges
(
&
mut
self
)
->
Result
<
uid_t
,
io
::
Error
>
{
let
current_euid
=
unsafe
{
geteuid
()
};
...
...
@@ -185,13 +188,13 @@ impl <'a>UserInfo<'a> {
geteuid
()
};
if
current_euid
!=
original_euid
{
if
current_euid
!=
get_
original_euid
()
{
debug!
(
"Restoring privileges"
);
let
res
=
unsafe
{
seteuid
(
original_euid
)
seteuid
(
get_
original_euid
()
)
};
if
res
!=
0
{
panic!
(
"Could not restore privileges to {}"
,
original_euid
);
panic!
(
"Could not restore privileges to {}"
,
get_
original_euid
()
);
}
}
else
{
debug!
(
"No need to restore privileges, already running as original user"
);
...
...
@@ -204,7 +207,7 @@ impl <'a>UserInfo<'a> {
// Determine user ID to find out whether we should override $HOME
let
uid
=
self
.get_uid
()
?
;
if
uid
!=
original_euid
{
if
uid
!=
get_
original_euid
()
{
let
user_home
=
self
.get_home_directory
()
?
;
env
::
set_var
(
"HOME"
,
user_home
);
debug!
(
"Home directory for UID {} is {}"
,
uid
,
user_home
);
...
...
@@ -217,7 +220,7 @@ impl <'a>UserInfo<'a> {
};
// Restore $HOME to original if we changed it earlier
if
uid
!=
original_euid
{
if
uid
!=
get_
original_euid
()
{
if
saved_home
!=
None
{
env
::
set_var
(
"HOME"
,
saved_home
.unwrap
());
}
else
{
...
...
@@ -235,7 +238,7 @@ impl <'a>UserInfo<'a> {
}
}
pub
fn
get_access_token
(
&
mut
self
)
->
Option
<
BasicTokenResponse
>
{
pub
fn
get_access_token
(
&
mut
self
)
->
&
Option
<
BasicTokenResponse
>
{
// Try to load our acess token if none is known
if
self
.access_token
.is_none
()
{
debug!
(
"No token in memory, trying to load from file"
);
...
...
@@ -250,7 +253,7 @@ impl <'a>UserInfo<'a> {
self
.restore_privileges
();
}
return
self
.access_token
;
return
&
self
.access_token
;
}
pub
fn
set_access_token
(
&
mut
self
,
token
:
BasicTokenResponse
)
->
Result
<
(),
io
::
Error
>
{
...
...
@@ -296,9 +299,17 @@ fn is_getpwnam_safe() -> bool {
return
true
;
}
static
original_euid
:
uid_t
=
unsafe
{
geteuid
()
};
static
mut
original_euid
:
uid_t
=
uid_t
::
MAX
;
static
mut
original_euid_set
:
bool
=
false
;
fn
get_original_euid
()
->
uid_t
{
unsafe
{
if
!
original_euid_set
{
original_euid
=
geteuid
();
original_euid_set
=
true
;
}
original_euid
}
}
lazy_static!
{
static
ref
CACHE
:
Mutex
<
Cache
<
'static
>>
=
Mutex
::
new
(
Cache
::
new
());
...
...
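Review bot: `get_original_euid()` in the last hunk reads and writes the `static mut` pair `original_euid`/`original_euid_set` with no synchronization, which is a data race (undefined behaviour in Rust) if two threads of the host process resolve users concurrently, and it captures the euid lazily on the first call instead of at load time. Since `restore_privileges` decides whether to call `seteuid` by comparing against this value, a first call that happens after an `seteuid` has already lowered the euid would record the lowered uid as the "original" one and privileges would never be restored; whether `drop_privileges` calls it before lowering is outside the hunk. The file already uses `lazy_static!`, so the same lazy capture can be made race-free with `lazy_static! { static ref ORIGINAL_EUID: uid_t = unsafe { geteuid() }; }` and `*ORIGINAL_EUID` at the call sites, plus one explicit deref early in the module's setup so the capture is pinned before any `seteuid`. Separately, `get_uid`, `get_username` and `get_home_directory` (hunks 3 to 5) now discard the `Result` of `self.try_resolve();` and report a placeholder `io::Error::new(io::ErrorKind::InvalidInput, "foo")` instead of the real cause; keeping it is a small change, `let resolved = self.try_resolve();` and, in the final arm, `None => Err(resolved.err().unwrap_or_else(|| io::Error::new(io::ErrorKind::NotFound, "context user has no passwd entry, uid or username")))`.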
src/nss.rs
+
25
−
10
...
...
@@ -65,12 +65,17 @@ impl PasswdHooks for OidcPasswd {
if
!
get_cache
()
.context_user
.is_initialized
()
{
get_cache
()
.context_user
.set_current_user
();
}
let
token
=
match
get_cache
()
.context_user
.get_access_token
()
{
let
mut
cache
=
get_cache
();
let
user_token_res
=
cache
.context_user
.get_access_token
();
// FIXME Implement caching of system token
let
system_token_res
=
get_access_token_client
(
&
conf
,
"nss"
,
""
,
""
);
let
system_token_res
=
system_token_res
.as_ref
();
let
token
=
match
user_token_res
{
Some
(
t
)
=>
t
,
None
=>
{
// FIXME Implement caching of system token
debug!
(
"Could not find a user token to request NSS data; trying client credentials"
);
match
get_access_token_client
(
&
conf
,
"nss"
,
""
,
""
)
{
match
system_token_res
{
Ok
(
ct
)
=>
ct
,
Err
(
e
)
=>
{
error!
(
"Failed to get access token with client credentials: {}"
,
e
);
...
...
@@ -96,12 +101,17 @@ impl PasswdHooks for OidcPasswd {
if
!
get_cache
()
.context_user
.is_initialized
()
{
get_cache
()
.context_user
.set_current_user
();
}
let
token
=
match
get_cache
()
.context_user
.get_access_token
()
{
let
mut
cache
=
get_cache
();
let
user_token_res
=
cache
.context_user
.get_access_token
();
// FIXME Implement caching of system token
let
system_token_res
=
get_access_token_client
(
&
conf
,
"nss"
,
""
,
""
);
let
system_token_res
=
system_token_res
.as_ref
();
let
token
=
match
user_token_res
{
Some
(
t
)
=>
t
,
None
=>
{
// FIXME Implement caching of system token
debug!
(
"Could not find a user token to request NSS data; trying client credentials"
);
match
get_access_token_client
(
&
conf
,
"nss"
,
""
,
""
)
{
match
system_token_res
{
Ok
(
ct
)
=>
ct
,
Err
(
e
)
=>
{
error!
(
"Failed to get access token with client credentials: {}"
,
e
);
...
...
@@ -126,12 +136,17 @@ impl PasswdHooks for OidcPasswd {
if
!
get_cache
()
.context_user
.is_initialized
()
{
get_cache
()
.context_user
.set_current_user
();
}
let
token
=
match
get_cache
()
.context_user
.get_access_token
()
{
let
mut
cache
=
get_cache
();
let
user_token_res
=
cache
.context_user
.get_access_token
();
// FIXME Implement caching of system token
let
system_token_res
=
get_access_token_client
(
&
conf
,
"nss"
,
""
,
""
);
let
system_token_res
=
system_token_res
.as_ref
();
let
token
=
match
user_token_res
{
Some
(
t
)
=>
t
,
None
=>
{
// FIXME Implement caching of system token
debug!
(
"Could not find a user token for to request NSS data; trying client credentials"
);
match
get_access_token_client
(
&
conf
,
"nss"
,
""
,
""
)
{
debug!
(
"Could not find a user token to request NSS data; trying client credentials"
);
match
system_token_res
{
Ok
(
ct
)
=>
ct
,
Err
(
e
)
=>
{
error!
(
"Failed to get access token with client credentials: {}"
,
e
);
...
...
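Review bot: `get_access_token_client(&conf, "nss", "", "")` is now called unconditionally in the first hunk, before the code checks whether `user_token_res` already holds a user token, so every lookup performs a client-credentials token request against the provider even when the cached user token ends up being used; the second and third hunks of this file have the same pattern. The likely reason is that `token` must borrow from either `cache` or `system_token_res` beyond the `match`, which the restructuring below preserves while requesting the system token only when no user token is cached. Also, `cache` now keeps the value returned by `get_cache()` alive across that network request; if `get_cache()` hands out the `CACHE` mutex guard, concurrent lookups in the host process are serialized behind the token exchange for its whole duration, which deserves a comment or a narrower scope. The enclosing hook bodies start and end outside the hunks.
```rust
let user_token_res = cache.context_user.get_access_token();
// FIXME Implement caching of system token
// Exchange client credentials only when no user token is cached; the Option
// keeps the response alive for the borrow taken by `token` below.
let system_token_res = match user_token_res {
    Some(_) => None,
    None => Some(get_access_token_client(&conf, "nss", "", "")),
};
let token = match user_token_res {
    Some(t) => t,
    None => {
        // … unchanged: debug! message …
        match system_token_res.as_ref() {
            Some(Ok(ct)) => ct,
            Some(Err(e)) => {
                // … unchanged: error! and early return …
            }
            None => unreachable!("system token is requested exactly when no user token is cached"),
        }
    }
};
```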
src/pam.rs
+
1
−
1
...
...
@@ -90,7 +90,7 @@ impl PamServiceModule for PamOidc {
match
get_access_token_password
(
&
conf
,
"pam"
,
username
.to_string
(),
password
.to_string
(),
PamError
::
SERVICE_ERR
,
PamError
::
AUTH_ERR
)
{
Ok
(
t
)
=>
{
info!
(
"Authenticated {} using Resource Owner Password Grant"
,
username
);
get_cache
()
.context_user
.set_username
(
username
);
get_cache
()
.context_user
.set_username
(
username
.to_string
()
);
get_cache
()
.context_user
.set_access_token
(
t
);
return
PamError
::
SUCCESS
;
},
...
...