Skip to content
Snippets Groups Projects
Verified Commit f6189ced authored by Nik | Klampfradler's avatar Nik | Klampfradler
Browse files

Refactor OAuth utility code out into module

parent ce2f963e
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/lib.rs
+ 1
0
View file @ f6189ced
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
mod cache; mod cache;
mod logging; mod logging;
mod config; mod config;
mod oauth;
// Module and macro imports for the PAM component // Module and macro imports for the PAM component
#[macro_use] extern crate pamsm; #[macro_use] extern crate pamsm;
......
src/nss.rs
+ 3
88
View file @ f6189ced
...@@ -15,24 +15,13 @@ ...@@ -15,24 +15,13 @@
use crate::config::{ use crate::config::{
get_config, get_config,
get_optional, get_optional
get_or_error
}; };
use config::Config; use config::Config;
use crate::logging::setup_log; use crate::logging::setup_log;
use oauth2::{ use crate::oauth::get_access_token;
AuthUrl,
ClientId,
ClientSecret,
RequestTokenError,
Scope,
TokenUrl
};
use oauth2::basic::BasicClient;
use oauth2::reqwest;
use oauth2::reqwest::http_client;
use libnss::interop::Response; use libnss::interop::Response;
use libnss::passwd::{PasswdHooks, Passwd}; use libnss::passwd::{PasswdHooks, Passwd};
...@@ -41,7 +30,7 @@ fn nss_hook_prepare() -> Config { ...@@ -41,7 +30,7 @@ fn nss_hook_prepare() -> Config {
let conf = get_config(None); let conf = get_config(None);
let mut log_level = log::LevelFilter::Error; let mut log_level = log::LevelFilter::Error;
if conf.get_bool("debug").unwrap_or_default() || conf.get_bool("nss.debug").unwrap_or_default() { if get_optional(&conf, "nss.debug").unwrap_or_default() {
log_level = log::LevelFilter::Debug; log_level = log::LevelFilter::Debug;
} }
setup_log(log_level); setup_log(log_level);
...@@ -49,80 +38,6 @@ fn nss_hook_prepare() -> Config { ...@@ -49,80 +38,6 @@ fn nss_hook_prepare() -> Config {
return conf; return conf;
} }
fn get_bearer_token<T>(config: Config) -> Result<String, Response<T>> {
let client_id = ClientId::new(get_or_error(&config, "nss.client_id", Response::Unavail)?);
let client_secret = match get_optional(&config, "nss.client_secret") {
Some(v) => Some(ClientSecret::new(v)),
None => None,
};
let auth_url = match AuthUrl::new(get_or_error(&config, "nss.auth_url", Response::Unavail)?) {
Ok(u) => u,
_ => {
error!("Could not parse authorization URL");
return Err(Response::Unavail);
},
};
let token_url = match get_optional(&config, "nss.token_url") {
Some(v) => match TokenUrl::new(v) {
Ok(u) => Some(u),
Err(_) => {
error!("Could not parse token URL");
return Err(Response::Unavail);
}
},
None => None,
};
let scopes: Vec<&str> = get_or_error(&config, "nss.scopes", Response::Unavail)?;
let client = BasicClient::new(client_id, client_secret, auth_url, token_url);
let mut request = client.exchange_client_credentials();
for scope in scopes {
request = request.add_scope(Scope::new(scope.to_string()));
}
let result = request.request(http_client);
match result {
Ok(t) => Ok("".to_string()),
Err(e) => match e {
RequestTokenError::Request(re) => match re {
reqwest::Error::Reqwest(ree) => {
error!("Request error requesting token: {}", ree);
return Err(Response::Unavail);
},
reqwest::Error::Http(he) => {
error!("HTTP error requesting token: {}", he);
return Err(Response::Unavail);
},
reqwest::Error::Io(ioe) => {
error!("IO error requesting token: {}", ioe);
return Err(Response::Unavail);
},
_ => {
error!("Unknown error: {}", re);
return Err(Response::Unavail);
},
},
RequestTokenError::ServerResponse(t) => {
error!("Authorization server returned error: {}", t);
return Err(Response::Unavail);
},
RequestTokenError::Parse(pe, _) => {
error!("Error parsing response: {}", pe);
return Err(Response::Unavail);
},
_ => {
error!("Unknown error: {}", e);
return Err(Response::Unavail);
},
},
}
}
fn do_json_request<T>(config: Config, url: String) -> Result<String, Response<T>> {
let token = get_bearer_token(config)?;
Ok("".to_string())
}
struct OidcPasswd; struct OidcPasswd;
impl PasswdHooks for OidcPasswd { impl PasswdHooks for OidcPasswd {
......
src/oauth.rs 0 → 100644
+ 129
0
View file @ f6189ced
/* Copyright 2021 Dominik George <dominik.george@teckids.org>
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
use crate::config::{
get_or_error,
get_optional
};
use config::Config;
use oauth2::{
AuthUrl,
ClientId,
ClientSecret,
RequestTokenError,
ResourceOwnerUsername,
ResourceOwnerPassword,
Scope,
TokenUrl
};
use oauth2::basic::{
BasicClient,
BasicTokenResponse
};
use oauth2::reqwest::http_client;
fn full_key(prefix: &str, key: &str) -> String {
let parts = vec![prefix.to_string(), key.to_string()];
let full_key = parts.join(".");
return full_key;
}
fn get_client<E: Copy>(conf: Config, prefix: &str, error_value: E) -> Result<BasicClient, E> {
let client_id = ClientId::new(get_or_error(&conf, &full_key(prefix, "client_secret"), error_value)?);
let client_secret = match get_optional(&conf, &full_key(prefix, "client_secret")) {
Some(v) => Some(ClientSecret::new(v)),
None => None,
};
let auth_url = match AuthUrl::new(get_or_error(&conf, &full_key(prefix, "auth_url"), error_value)?) {
Ok(u) => u,
_ => {
error!("Could not parse authorization URL");
return Err(error_value);
},
};
let token_url = match get_optional(&conf, &full_key(prefix, "token_url")) {
Some(v) => match TokenUrl::new(v) {
Ok(u) => Some(u),
Err(_) => {
error!("Could not parse token URL");
return Err(error_value);
}
},
None => None,
};
let client = BasicClient::new(client_id, client_secret, auth_url, token_url);
return Ok(client);
}
pub fn get_access_token<E: Copy>(conf: Config, prefix: &str, error_value: E, unauth_value: E) -> Result<BasicTokenResponse, E> {
let scopes: Vec<&str> = get_or_error(&conf, &full_key(prefix, "scopes"), error_value)?;
let client = get_client(conf, prefix, error_value)?;
let mut request = client.exchange_client_credentials();
for scope in scopes {
request = request.add_scope(Scope::new(scope.to_string()));
}
let result = request.request(http_client);
match result {
Ok(t) => Ok(t),
Err(e) => match e {
RequestTokenError::ServerResponse(t) => {
error!("Authorization server returned error: {}", t);
return Err(unauth_value);
},
_ => {
error!("Error fetchin access token: {}", e);
return Err(error_value);
},
},
}
}
pub fn get_access_token_password<E: Copy>(conf: Config, prefix: &str, username: String, password: String, error_value: E, unauth_value: E) -> Result<String, E> {
let scopes: Vec<&str> = get_or_error(&conf, &full_key(prefix, "scopes"), error_value)?;
let res_username = ResourceOwnerUsername::new(username);
let res_password = ResourceOwnerPassword::new(password);
let client = get_client(conf, prefix, error_value)?;
let mut request = client.exchange_password(&res_username, &res_password);
for scope in scopes {
request = request.add_scope(Scope::new(scope.to_string()));
}
let result = request.request(http_client);
match result {
Ok(t) => Ok("".to_string()),
Err(e) => match e {
RequestTokenError::ServerResponse(t) => {
error!("Authorization server returned error: {}", t);
return Err(unauth_value);
},
_ => {
error!("Error fetchin access token: {}", e);
return Err(error_value);
},
},
}
}
fn do_json_request<E: Copy>(conf: Config, url: String, error_value: E, unauth_value: E) -> Result<String, E> {
let token = get_access_token(conf, "nss", error_value, unauth_value)?;
Ok("".to_string())
}
src/pam.rs
+ 3
91
View file @ f6189ced
...@@ -17,103 +17,15 @@ use crate::config::{ ...@@ -17,103 +17,15 @@ use crate::config::{
argv_to_config, argv_to_config,
get_config, get_config,
get_optional, get_optional,
get_or_error
}; };
use config::Config; use config::Config;
use crate::logging::setup_log; use crate::oauth::get_access_token_password;
use oauth2::{ use crate::logging::setup_log;
AuthUrl,
ClientId,
ClientSecret,
RequestTokenError,
ResourceOwnerPassword,
ResourceOwnerUsername,
Scope,
TokenUrl
};
use oauth2::basic::{
BasicClient,
BasicTokenResponse
};
use oauth2::reqwest;
use oauth2::reqwest::http_client;
use pamsm::{PamServiceModule, Pam, PamFlag, PamError, PamLibExt}; use pamsm::{PamServiceModule, Pam, PamFlag, PamError, PamLibExt};
fn do_legacy_auth(username: String, password: String, config: Config) -> Result<BasicTokenResponse, PamError> {
let client_id = ClientId::new(get_or_error(&config, "pam.client_id", PamError::SERVICE_ERR)?);
let client_secret = match get_optional(&config, "pam.client_secret") {
Some(v) => Some(ClientSecret::new(v)),
None => None,
};
let auth_url = match AuthUrl::new(get_or_error(&config, "pam.auth_url", PamError::SERVICE_ERR)?) {
Ok(u) => u,
_ => {
error!("Could not parse authorization URL");
return Err(PamError::SERVICE_ERR);
},
};
let token_url = match get_optional(&config, "pam.token_url") {
Some(v) => match TokenUrl::new(v) {
Ok(u) => Some(u),
Err(_) => {
error!("Could not parse token URL");
return Err(PamError::SERVICE_ERR);
}
},
None => None,
};
let scopes: Vec<&str> = get_or_error(&config, "pam.scopes", PamError::SERVICE_ERR)?;
let res_username = ResourceOwnerUsername::new(username);
let res_password = ResourceOwnerPassword::new(password);
let client = BasicClient::new(client_id, client_secret, auth_url, token_url);
let mut request = client.exchange_password(&res_username, &res_password);
for scope in scopes {
request = request.add_scope(Scope::new(scope.to_string()));
}
let result = request.request(http_client);
match result {
Ok(t) => Ok(t),
Err(e) => match e {
RequestTokenError::Request(re) => match re {
reqwest::Error::Reqwest(ree) => {
error!("Request error requesting token: {}", ree);
return Err(PamError::AUTHINFO_UNAVAIL);
},
reqwest::Error::Http(he) => {
error!("HTTP error requesting token: {}", he);
return Err(PamError::AUTHINFO_UNAVAIL);
},
reqwest::Error::Io(ioe) => {
error!("IO error requesting token: {}", ioe);
return Err(PamError::SYSTEM_ERR);
},
_ => {
error!("Unknown error: {}", re);
return Err(PamError::SERVICE_ERR);
},
},
RequestTokenError::ServerResponse(t) => {
error!("Authorization server returned error: {}", t);
return Err(PamError::AUTH_ERR);
},
RequestTokenError::Parse(pe, _) => {
error!("Error parsing response: {}", pe);
return Err(PamError::SERVICE_ERR);
},
_ => {
error!("Unknown error: {}", e);
return Err(PamError::SERVICE_ERR);
},
},
}
}
fn pam_sm_prepare(argv: &Vec<String>) -> Config { fn pam_sm_prepare(argv: &Vec<String>) -> Config {
let conf_args = argv_to_config(argv); let conf_args = argv_to_config(argv);
let conf = get_config(Some(conf_args)); let conf = get_config(Some(conf_args));
...@@ -173,7 +85,7 @@ impl PamServiceModule for PamOidc { ...@@ -173,7 +85,7 @@ impl PamServiceModule for PamOidc {
}; };
debug!("Successfully got password"); debug!("Successfully got password");
match do_legacy_auth(username.to_string(), password.to_string(), conf) { match get_access_token_password(conf, "pam", username.to_string(), password.to_string(), PamError::SERVICE_ERR, PamError::AUTH_ERR) {
Ok(_) => { Ok(_) => {
info!("Authenticated {} using Resource Owner Password Grant", username); info!("Authenticated {} using Resource Owner Password Grant", username);
return PamError::SUCCESS; return PamError::SUCCESS;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment