From f6189ced1b56eef792c9dc2df8c09c9b4bf054b6 Mon Sep 17 00:00:00 2001
From: Dominik George <dominik.george@teckids.org>
Date: Fri, 7 May 2021 15:10:30 +0200
Subject: [PATCH] Refactor OAuth utility code out into module
---
src/lib.rs | 1 +
src/nss.rs | 91 ++----------------------------------
src/oauth.rs | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++
src/pam.rs | 94 ++-----------------------------------
4 files changed, 136 insertions(+), 179 deletions(-)
create mode 100644 src/oauth.rs
diff --git a/src/lib.rs b/src/lib.rs
index 20d7cfe..c4eae87 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -3,6 +3,7 @@
mod cache;
mod logging;
mod config;
+mod oauth;
// Module and macro imports for the PAM component
#[macro_use] extern crate pamsm;
diff --git a/src/nss.rs b/src/nss.rs
index ea6fdb7..8b147d2 100644
--- a/src/nss.rs
+++ b/src/nss.rs
@@ -15,24 +15,13 @@
use crate::config::{
get_config,
- get_optional,
- get_or_error
+ get_optional
};
use config::Config;
use crate::logging::setup_log;
-use oauth2::{
- AuthUrl,
- ClientId,
- ClientSecret,
- RequestTokenError,
- Scope,
- TokenUrl
-};
-use oauth2::basic::BasicClient;
-use oauth2::reqwest;
-use oauth2::reqwest::http_client;
+use crate::oauth::get_access_token;
use libnss::interop::Response;
use libnss::passwd::{PasswdHooks, Passwd};
@@ -41,7 +30,7 @@ fn nss_hook_prepare() -> Config {
let conf = get_config(None);
let mut log_level = log::LevelFilter::Error;
- if conf.get_bool("debug").unwrap_or_default() || conf.get_bool("nss.debug").unwrap_or_default() {
+ if get_optional(&conf, "nss.debug").unwrap_or_default() {
log_level = log::LevelFilter::Debug;
}
setup_log(log_level);
@@ -49,80 +38,6 @@ fn nss_hook_prepare() -> Config {
return conf;
}
-fn get_bearer_token<T>(config: Config) -> Result<String, Response<T>> {
- let client_id = ClientId::new(get_or_error(&config, "nss.client_id", Response::Unavail)?);
- let client_secret = match get_optional(&config, "nss.client_secret") {
- Some(v) => Some(ClientSecret::new(v)),
- None => None,
- };
- let auth_url = match AuthUrl::new(get_or_error(&config, "nss.auth_url", Response::Unavail)?) {
- Ok(u) => u,
- _ => {
- error!("Could not parse authorization URL");
- return Err(Response::Unavail);
- },
- };
- let token_url = match get_optional(&config, "nss.token_url") {
- Some(v) => match TokenUrl::new(v) {
- Ok(u) => Some(u),
- Err(_) => {
- error!("Could not parse token URL");
- return Err(Response::Unavail);
- }
- },
- None => None,
- };
- let scopes: Vec<&str> = get_or_error(&config, "nss.scopes", Response::Unavail)?;
-
- let client = BasicClient::new(client_id, client_secret, auth_url, token_url);
- let mut request = client.exchange_client_credentials();
- for scope in scopes {
- request = request.add_scope(Scope::new(scope.to_string()));
- }
- let result = request.request(http_client);
-
- match result {
- Ok(t) => Ok("".to_string()),
- Err(e) => match e {
- RequestTokenError::Request(re) => match re {
- reqwest::Error::Reqwest(ree) => {
- error!("Request error requesting token: {}", ree);
- return Err(Response::Unavail);
- },
- reqwest::Error::Http(he) => {
- error!("HTTP error requesting token: {}", he);
- return Err(Response::Unavail);
- },
- reqwest::Error::Io(ioe) => {
- error!("IO error requesting token: {}", ioe);
- return Err(Response::Unavail);
- },
- _ => {
- error!("Unknown error: {}", re);
- return Err(Response::Unavail);
- },
- },
- RequestTokenError::ServerResponse(t) => {
- error!("Authorization server returned error: {}", t);
- return Err(Response::Unavail);
- },
- RequestTokenError::Parse(pe, _) => {
- error!("Error parsing response: {}", pe);
- return Err(Response::Unavail);
- },
- _ => {
- error!("Unknown error: {}", e);
- return Err(Response::Unavail);
- },
- },
- }
-}
-
-fn do_json_request<T>(config: Config, url: String) -> Result<String, Response<T>> {
- let token = get_bearer_token(config)?;
- Ok("".to_string())
-}
-
struct OidcPasswd;
impl PasswdHooks for OidcPasswd {
diff --git a/src/oauth.rs b/src/oauth.rs
new file mode 100644
index 0000000..392e72e
--- /dev/null
+++ b/src/oauth.rs
@@ -0,0 +1,129 @@
+/* Copyright 2021 Dominik George <dominik.george@teckids.org>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+use crate::config::{
+ get_or_error,
+ get_optional
+};
+
+use config::Config;
+
+use oauth2::{
+ AuthUrl,
+ ClientId,
+ ClientSecret,
+ RequestTokenError,
+ ResourceOwnerUsername,
+ ResourceOwnerPassword,
+ Scope,
+ TokenUrl
+};
+use oauth2::basic::{
+ BasicClient,
+ BasicTokenResponse
+};
+use oauth2::reqwest::http_client;
+
+fn full_key(prefix: &str, key: &str) -> String {
+ let parts = vec![prefix.to_string(), key.to_string()];
+ let full_key = parts.join(".");
+ return full_key;
+}
+
+fn get_client<E: Copy>(conf: Config, prefix: &str, error_value: E) -> Result<BasicClient, E> {
+ let client_id = ClientId::new(get_or_error(&conf, &full_key(prefix, "client_secret"), error_value)?);
+ let client_secret = match get_optional(&conf, &full_key(prefix, "client_secret")) {
+ Some(v) => Some(ClientSecret::new(v)),
+ None => None,
+ };
+ let auth_url = match AuthUrl::new(get_or_error(&conf, &full_key(prefix, "auth_url"), error_value)?) {
+ Ok(u) => u,
+ _ => {
+ error!("Could not parse authorization URL");
+ return Err(error_value);
+ },
+ };
+ let token_url = match get_optional(&conf, &full_key(prefix, "token_url")) {
+ Some(v) => match TokenUrl::new(v) {
+ Ok(u) => Some(u),
+ Err(_) => {
+ error!("Could not parse token URL");
+ return Err(error_value);
+ }
+ },
+ None => None,
+ };
+
+ let client = BasicClient::new(client_id, client_secret, auth_url, token_url);
+ return Ok(client);
+}
+
+pub fn get_access_token<E: Copy>(conf: Config, prefix: &str, error_value: E, unauth_value: E) -> Result<BasicTokenResponse, E> {
+ let scopes: Vec<&str> = get_or_error(&conf, &full_key(prefix, "scopes"), error_value)?;
+
+ let client = get_client(conf, prefix, error_value)?;
+ let mut request = client.exchange_client_credentials();
+ for scope in scopes {
+ request = request.add_scope(Scope::new(scope.to_string()));
+ }
+
+ let result = request.request(http_client);
+ match result {
+ Ok(t) => Ok(t),
+ Err(e) => match e {
+ RequestTokenError::ServerResponse(t) => {
+ error!("Authorization server returned error: {}", t);
+ return Err(unauth_value);
+ },
+ _ => {
+ error!("Error fetchin access token: {}", e);
+ return Err(error_value);
+ },
+ },
+ }
+}
+
+pub fn get_access_token_password<E: Copy>(conf: Config, prefix: &str, username: String, password: String, error_value: E, unauth_value: E) -> Result<String, E> {
+ let scopes: Vec<&str> = get_or_error(&conf, &full_key(prefix, "scopes"), error_value)?;
+
+ let res_username = ResourceOwnerUsername::new(username);
+ let res_password = ResourceOwnerPassword::new(password);
+
+ let client = get_client(conf, prefix, error_value)?;
+ let mut request = client.exchange_password(&res_username, &res_password);
+ for scope in scopes {
+ request = request.add_scope(Scope::new(scope.to_string()));
+ }
+
+ let result = request.request(http_client);
+ match result {
+ Ok(t) => Ok("".to_string()),
+ Err(e) => match e {
+ RequestTokenError::ServerResponse(t) => {
+ error!("Authorization server returned error: {}", t);
+ return Err(unauth_value);
+ },
+ _ => {
+ error!("Error fetchin access token: {}", e);
+ return Err(error_value);
+ },
+ },
+ }
+}
+
+fn do_json_request<E: Copy>(conf: Config, url: String, error_value: E, unauth_value: E) -> Result<String, E> {
+ let token = get_access_token(conf, "nss", error_value, unauth_value)?;
+ Ok("".to_string())
+}
diff --git a/src/pam.rs b/src/pam.rs
index 339739e..c455f03 100644
--- a/src/pam.rs
+++ b/src/pam.rs
@@ -17,103 +17,15 @@ use crate::config::{
argv_to_config,
get_config,
get_optional,
- get_or_error
};
use config::Config;
-use crate::logging::setup_log;
+use crate::oauth::get_access_token_password;
-use oauth2::{
- AuthUrl,
- ClientId,
- ClientSecret,
- RequestTokenError,
- ResourceOwnerPassword,
- ResourceOwnerUsername,
- Scope,
- TokenUrl
-};
-use oauth2::basic::{
- BasicClient,
- BasicTokenResponse
-};
-use oauth2::reqwest;
-use oauth2::reqwest::http_client;
+use crate::logging::setup_log;
use pamsm::{PamServiceModule, Pam, PamFlag, PamError, PamLibExt};
-fn do_legacy_auth(username: String, password: String, config: Config) -> Result<BasicTokenResponse, PamError> {
- let client_id = ClientId::new(get_or_error(&config, "pam.client_id", PamError::SERVICE_ERR)?);
- let client_secret = match get_optional(&config, "pam.client_secret") {
- Some(v) => Some(ClientSecret::new(v)),
- None => None,
- };
- let auth_url = match AuthUrl::new(get_or_error(&config, "pam.auth_url", PamError::SERVICE_ERR)?) {
- Ok(u) => u,
- _ => {
- error!("Could not parse authorization URL");
- return Err(PamError::SERVICE_ERR);
- },
- };
- let token_url = match get_optional(&config, "pam.token_url") {
- Some(v) => match TokenUrl::new(v) {
- Ok(u) => Some(u),
- Err(_) => {
- error!("Could not parse token URL");
- return Err(PamError::SERVICE_ERR);
- }
- },
- None => None,
- };
- let scopes: Vec<&str> = get_or_error(&config, "pam.scopes", PamError::SERVICE_ERR)?;
-
- let res_username = ResourceOwnerUsername::new(username);
- let res_password = ResourceOwnerPassword::new(password);
-
- let client = BasicClient::new(client_id, client_secret, auth_url, token_url);
- let mut request = client.exchange_password(&res_username, &res_password);
- for scope in scopes {
- request = request.add_scope(Scope::new(scope.to_string()));
- }
- let result = request.request(http_client);
-
- match result {
- Ok(t) => Ok(t),
- Err(e) => match e {
- RequestTokenError::Request(re) => match re {
- reqwest::Error::Reqwest(ree) => {
- error!("Request error requesting token: {}", ree);
- return Err(PamError::AUTHINFO_UNAVAIL);
- },
- reqwest::Error::Http(he) => {
- error!("HTTP error requesting token: {}", he);
- return Err(PamError::AUTHINFO_UNAVAIL);
- },
- reqwest::Error::Io(ioe) => {
- error!("IO error requesting token: {}", ioe);
- return Err(PamError::SYSTEM_ERR);
- },
- _ => {
- error!("Unknown error: {}", re);
- return Err(PamError::SERVICE_ERR);
- },
- },
- RequestTokenError::ServerResponse(t) => {
- error!("Authorization server returned error: {}", t);
- return Err(PamError::AUTH_ERR);
- },
- RequestTokenError::Parse(pe, _) => {
- error!("Error parsing response: {}", pe);
- return Err(PamError::SERVICE_ERR);
- },
- _ => {
- error!("Unknown error: {}", e);
- return Err(PamError::SERVICE_ERR);
- },
- },
- }
-}
-
fn pam_sm_prepare(argv: &Vec<String>) -> Config {
let conf_args = argv_to_config(argv);
let conf = get_config(Some(conf_args));
@@ -173,7 +85,7 @@ impl PamServiceModule for PamOidc {
};
debug!("Successfully got password");
- match do_legacy_auth(username.to_string(), password.to_string(), conf) {
+ match get_access_token_password(conf, "pam", username.to_string(), password.to_string(), PamError::SERVICE_ERR, PamError::AUTH_ERR) {
Ok(_) => {
info!("Authenticated {} using Resource Owner Password Grant", username);
return PamError::SUCCESS;
--
GitLab