From 9ac23e5fd16264cf2cd6a7dfdd8e5de71f4a4136 Mon Sep 17 00:00:00 2001 From: Sven Rademakers Date: Tue, 19 Sep 2023 08:17:42 +0100 Subject: [PATCH] Implement token and basic authentication NOTE: this Service is not resilient against brute-force attacks in such it does not implement rate limiting on authentication nor authorization requests. * Uses Linux users to authorize requests. * no authorization roles or scopes are implemented yet. * token based authentication is implemented with the Redfish session login authentication in mind. That is, when we would implement Redfish it should be easy to append the current implementation * token timeout gets reset on every use of the token. * basic authentication: The authentication service expects a 'Authorization' header containing the following format: 'Basic >' --- Cargo.lock | 186 ++++++++++-- bmcd/Cargo.toml | 4 +- .../authentication/authentication_context.rs | 277 ++++++++++++++++++ .../authentication/authentication_errors.rs | 57 ++++ .../authentication/authentication_service.rs | 164 +++++++++++ .../src/authentication/linux_authenticator.rs | 90 ++++++ bmcd/src/authentication/mod.rs | 5 + bmcd/src/authentication/passwd_validator.rs | 21 ++ bmcd/src/main.rs | 67 +++-- 9 files changed, 823 insertions(+), 48 deletions(-) create mode 100644 bmcd/src/authentication/authentication_context.rs create mode 100644 bmcd/src/authentication/authentication_errors.rs create mode 100644 bmcd/src/authentication/authentication_service.rs create mode 100644 bmcd/src/authentication/linux_authenticator.rs create mode 100644 bmcd/src/authentication/mod.rs create mode 100644 bmcd/src/authentication/passwd_validator.rs diff --git a/Cargo.lock b/Cargo.lock index dc7a57f..981a72b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -256,9 +256,9 @@ dependencies = [ [[package]] name = "aho-corasick" -version = "1.1.0" +version = "1.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f2135563fb5c609d2b2b87c1e8ce7bc41b0b45430fa9661f457981503dd5bf0" +checksum = "ea5d730647d4fadd988536d06fecce94b7b4f2a7efdae548f1cf4b63205518ab" dependencies = [ "memchr", ] @@ -413,6 +413,15 @@ dependencies = [ "wyz", ] +[[package]] +name = "block-buffer" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4152116fd6e9dadb291ae18fc1ec3575ed6d84c29642d97890f4b4a3417297e4" +dependencies = [ + "generic-array", +] + [[package]] name = "block-buffer" version = "0.10.4" @@ -422,6 +431,17 @@ dependencies = [ "generic-array", ] +[[package]] +name = "blowfish" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32fa6a061124e37baba002e496d203e23ba3d7b73750be82dbfbc92913048a5b" +dependencies = [ + "byteorder", + "cipher", + "opaque-debug", +] + [[package]] name = "bmcd" version = "1.3.0" @@ -429,6 +449,7 @@ dependencies = [ "actix-files", "actix-web", "anyhow", + "base64", "build-time", "clap", "futures", @@ -436,6 +457,7 @@ dependencies = [ "log", "nix 0.26.4", "openssl", + "pwhash", "rand 0.8.5", "serde", "serde_json", @@ -486,6 +508,12 @@ version = "3.14.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f30e7476521f6f8af1a1c4c0b8cc94f0bee37d91763d0ca2665f299b6cd8aec" +[[package]] +name = "byteorder" +version = "1.4.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "14c189c53d098945499cdfa7ecc63567cf3886b3332b312a5b4585d8d3a6a610" + [[package]] name = "bytes" version = "1.5.0" @@ -529,20 +557,29 @@ dependencies = [ "windows-targets 0.48.5", ] +[[package]] +name = "cipher" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "12f8e7987cbd042a63249497f41aed09f8e65add917ea6566effbc56578d6801" +dependencies = [ + "generic-array", +] + [[package]] name = "clap" -version = "4.4.4" +version = "4.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b1d7b8d5ec32af0fadc644bf1fd509a688c2103b185644bb1e29d164e0703136" +checksum = "824956d0dca8334758a5b7f7e50518d66ea319330cbceedcf76905c2f6ab30e3" dependencies = [ "clap_builder", ] [[package]] name = "clap_builder" -version = "4.4.4" +version = "4.4.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5179bb514e4d7c2051749d8fcefa2ed6d06a9f4e6d69faf3805f5d80b8cf8d56" +checksum = "122ec64120a49b4563ccaedcbea7818d069ed8e9aa6d829b82d8a4128936b2ab" dependencies = [ "anstream", "anstyle", @@ -639,6 +676,16 @@ dependencies = [ "typenum", ] +[[package]] +name = "crypto-mac" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bff07008ec701e8028e2ceb8f83f0e4274ee62bd2dbdc4fefff2e9a91824081a" +dependencies = [ + "generic-array", + "subtle", +] + [[package]] name = "deranged" version = "0.3.8" @@ -658,13 +705,22 @@ dependencies = [ "syn 1.0.109", ] +[[package]] +name = "digest" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066" +dependencies = [ + "generic-array", +] + [[package]] name = "digest" version = "0.10.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" dependencies = [ - "block-buffer", + "block-buffer 0.10.4", "crypto-common", ] @@ -951,6 +1007,16 @@ version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d77f7ec81a6d05a3abb01ab6eb7590f6083d08449fe5a1c8b1e620283546ccb7" +[[package]] +name = "hmac" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c1441c6b1e930e2817404b5046f1f989899143a12bf92de603b69f4e0aee1e15" +dependencies = [ + "crypto-mac", + "digest 0.9.0", +] + [[package]] name = "http" version = "0.2.9" @@ -1162,6 +1228,17 @@ version = "0.4.20" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b5e6163cb8c49088c2c36f57875e58ccd8c87c7427f7fbd50ea6710b2f3f2e8f" +[[package]] +name = "md-5" +version = "0.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7b5a279bb9607f9f53c22d496eade00d138d1bdcccd07d74650387cf94942a15" +dependencies = [ + "block-buffer 0.9.0", + "digest 0.9.0", + "opaque-debug", +] + [[package]] name = "memchr" version = "2.6.3" @@ -1313,6 +1390,12 @@ version = "1.18.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d" +[[package]] +name = "opaque-debug" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5" + [[package]] name = "openssl" version = "0.10.57" @@ -1429,6 +1512,21 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "pwhash" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "419a3ad8fa9f9d445e69d9b185a24878ae6e6f55c96e4512f4a0e28cd3bc5c56" +dependencies = [ + "blowfish", + "byteorder", + "hmac", + "md-5", + "rand 0.8.5", + "sha-1", + "sha2", +] + [[package]] name = "quote" version = "1.0.33" @@ -1575,9 +1673,9 @@ dependencies = [ [[package]] name = "rockfile" -version = "0.1.0" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e492654d9f624d21df4f0eb765c9174a4a577c4d47680803ffe09b6ae55b3d02" +checksum = "7e89194db9752ec1f052472debd3990f77bec4ca0732d9dd28163f95fed1455a" dependencies = [ "bytes", ] @@ -1622,9 +1720,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.13" +version = "0.38.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d7db8590df6dfcd144d22afd1b83b36c21a18d7cbc1dc4bb5295a8712e9eb662" +checksum = "747c788e9ce8e92b12cd485c49ddf90723550b654b32508f979b71a7b1ecda4f" dependencies = [ "bitflags 2.4.0", "errno", @@ -1647,9 +1745,9 @@ dependencies = [ [[package]] name = "rustls-webpki" -version = "0.101.5" +version = "0.101.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45a27e3b59326c16e23d30aeb7a36a24cc0d29e71d68ff611cdfb4a01d013bed" +checksum = "3c7d5dece342910d9ba34d259310cae3e0154b873b35408b787b59bce53d34fe" dependencies = [ "ring", "untrusted", @@ -1688,9 +1786,9 @@ dependencies = [ [[package]] name = "semver" -version = "1.0.18" +version = "1.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0293b4b29daaf487284529cc2f5675b8e57c61f70167ba415a463651fd6a918" +checksum = "ad977052201c6de01a8ef2aa3378c4bd23217a056337d1d6da40468d267a4fb0" [[package]] name = "serde" @@ -1748,15 +1846,41 @@ dependencies = [ "unsafe-libyaml", ] +[[package]] +name = "sha-1" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "99cd6713db3cf16b6c84e06321e049a9b9f699826e16096d23bbcc44d15d51a6" +dependencies = [ + "block-buffer 0.9.0", + "cfg-if", + "cpufeatures", + "digest 0.9.0", + "opaque-debug", +] + [[package]] name = "sha1" -version = "0.10.5" +version = "0.10.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f04293dc80c3993519f2d7f6f511707ee7094fe0c6d3406feb330cdb3540eba3" +checksum = "e3bf829a2d51ab4a5ddf1352d8470c140cadc8301b2ae1789db023f01cedd6ba" dependencies = [ "cfg-if", "cpufeatures", - "digest", + "digest 0.10.7", +] + +[[package]] +name = "sha2" +version = "0.9.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4d58a1e1bf39749807d89cf2d98ac2dfa0ff1cb3faa38fbb64dd88ac8013d800" +dependencies = [ + "block-buffer 0.9.0", + "cfg-if", + "cpufeatures", + "digest 0.9.0", + "opaque-debug", ] [[package]] @@ -1791,9 +1915,9 @@ dependencies = [ [[package]] name = "smallvec" -version = "1.11.0" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9" +checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" [[package]] name = "socket2" @@ -1817,6 +1941,12 @@ version = "0.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623" +[[package]] +name = "subtle" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" + [[package]] name = "syn" version = "1.0.109" @@ -1877,9 +2007,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.28" +version = "0.3.29" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "17f6bb557fd245c28e6411aa56b6403c689ad95061f50e4be16c274e70a17e48" +checksum = "426f806f4089c493dcac0d24c29c01e2c38baf8e30f1b716ee37e83d200b18fe" dependencies = [ "deranged", "itoa", @@ -1892,15 +2022,15 @@ dependencies = [ [[package]] name = "time-core" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb" +checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" [[package]] name = "time-macros" -version = "0.2.14" +version = "0.2.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a942f44339478ef67935ab2bbaec2fb0322496cf3cbe84b261e06ac3814c572" +checksum = "4ad70d68dba9e1f8aceda7aa6711965dfec1cac869f311a51bd08b3a2ccbce20" dependencies = [ "time-core", ] @@ -1964,9 +2094,9 @@ dependencies = [ [[package]] name = "tokio-util" -version = "0.7.8" +version = "0.7.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d" +checksum = "1d68074620f57a0b21594d9735eb2e98ab38b17f80d3fcb189fca266771ca60d" dependencies = [ "bytes", "futures-core", diff --git a/bmcd/Cargo.toml b/bmcd/Cargo.toml index e368561..821b7b1 100644 --- a/bmcd/Cargo.toml +++ b/bmcd/Cargo.toml @@ -15,6 +15,9 @@ serde_yaml = "0.9.25" tpi_rs = { path = "../tpi_rs" } clap = { version = "4.4.2", features = ["cargo"] } openssl = "0.10.57" +rand = "0.8.5" +pwhash = "1.0.0" +base64 = "0.21.4" anyhow.workspace = true log.workspace = true @@ -23,4 +26,3 @@ tokio.workspace = true tokio-util.workspace = true futures.workspace = true serde.workspace = true -rand = "0.8.5" diff --git a/bmcd/src/authentication/authentication_context.rs b/bmcd/src/authentication/authentication_context.rs new file mode 100644 index 0000000..44a6ed3 --- /dev/null +++ b/bmcd/src/authentication/authentication_context.rs @@ -0,0 +1,277 @@ +use super::authentication_errors::AuthenticationError; +use super::passwd_validator::PasswordValidator; +use super::passwd_validator::UnixValidator; +use base64::{engine::general_purpose, Engine as _}; +use rand::distributions::Alphanumeric; +use rand::thread_rng; +use rand::Rng; +use serde::Deserialize; +use serde::Serialize; +use std::collections::HashMap; +use std::marker::PhantomData; +use tokio::sync::Mutex; +use tokio::time::{Duration, Instant}; + +pub struct AuthenticationContext

+where + P: PasswordValidator + 'static, +{ + token_store: Mutex>, + passwds: HashMap, + password_validator: PhantomData

, + expire_timeout: Duration, +} + +impl

AuthenticationContext

+where + P: PasswordValidator + 'static, +{ + pub fn with_unix_validator( + password_entries: impl Iterator, + expire_timeout: Duration, + ) -> AuthenticationContext { + AuthenticationContext:: { + token_store: Mutex::new(HashMap::new()), + passwds: HashMap::from_iter(password_entries), + password_validator: PhantomData::, + expire_timeout, + } + } + + /// This function piggy-backs removes of expired tokens on an authentication + /// request. This imposes a small penalty on each request. Its deemed not + /// significant enough to justify optimalization given the expected volume + /// of incoming requests. + async fn new_and_remove_expired_tokens(&self, key: String) { + let mut store = self.token_store.lock().await; + + store.retain(|_, last_access| { + let duration = Instant::now().saturating_duration_since(*last_access); + duration <= self.expire_timeout + }); + + store.insert(key, Instant::now()); + } + + async fn authorize_bearer(&self, token: &str) -> Result<(), AuthenticationError> { + let mut store = self.token_store.lock().await; + let Some(last_access) = store.get_mut(token) else { + return Err(AuthenticationError::NoMatch(token.to_string())); + }; + + let instant = *last_access; + let duration = Instant::now().saturating_duration_since(instant); + if duration < self.expire_timeout { + *last_access = Instant::now(); + return Ok(()); + } + + store.remove(token); + Err(AuthenticationError::TokenExpired(instant)) + } + + fn validate_credentials( + &self, + username: &str, + password: &str, + ) -> Result<(), AuthenticationError> { + let Some(pass) = self.passwds.get(username) else { + log::debug!("user {} not in database", username); + return Err(AuthenticationError::IncorrectCredentials); + }; + + P::validate(pass, password) + } + + async fn authorize_basic(&self, credentials: &str) -> Result<(), AuthenticationError> { + let decoded = general_purpose::STANDARD.decode(credentials)?; + let utf8 = std::str::from_utf8(&decoded)?; + let Some((user, pass)) = utf8.split_once(':') else { + return Err(AuthenticationError::ParseError("basic authorization formatted wrong".to_string())); + }; + + self.validate_credentials(user, pass) + } + + pub async fn authorize_request( + &self, + http_authorization_line: &str, + ) -> Result<(), AuthenticationError> { + match http_authorization_line.split_once(' ') { + Some(("Bearer", token)) => self.authorize_bearer(token).await, + Some(("Basic", credentials)) => self.authorize_basic(credentials).await, + Some((auth, _)) => Err(AuthenticationError::SchemeNotSupported(auth.to_string())), + None => Err(AuthenticationError::HttpParseError( + http_authorization_line.to_string(), + )), + } + } + + pub async fn authenticate_request(&self, body: &[u8]) -> Result { + let credentials = serde_json::from_slice::(body)?; + + self.validate_credentials(&credentials.username, &credentials.password)?; + + let token: String = thread_rng() + .sample_iter(&Alphanumeric) + .take(64) + .map(char::from) + .collect(); + self.new_and_remove_expired_tokens(token.clone()).await; + + Ok(Session { + id: token, // according Redfish spec, id refers to the session id. + // which is not equal to the access-token. for now use + // the token. + name: "User Session".to_string(), + description: "User Session".to_string(), + username: credentials.username, + }) + } +} + +#[derive(Debug, Deserialize, Serialize)] +pub struct Session { + pub id: String, + name: String, + description: String, + username: String, +} + +#[derive(Debug, Deserialize, Serialize)] +struct Login { + username: String, + password: String, +} + +#[cfg(test)] +pub mod tests { + use super::*; + use std::ops::Sub; + + pub struct DummyValidator {} + impl PasswordValidator for DummyValidator { + fn validate( + _: &str, + _: &str, + ) -> Result<(), crate::authentication::authentication_errors::AuthenticationError> { + Ok(()) + } + } + + pub struct FalseValidator {} + impl PasswordValidator for FalseValidator { + fn validate( + _: &str, + _: &str, + ) -> Result<(), crate::authentication::authentication_errors::AuthenticationError> { + Err(AuthenticationError::IncorrectCredentials) + } + } + + pub fn build_test_context( + token_data: impl IntoIterator, + user_data: impl IntoIterator, + ) -> AuthenticationContext { + AuthenticationContext { + token_store: Mutex::new(HashMap::from_iter(token_data)), + passwds: HashMap::from_iter(user_data), + password_validator: PhantomData::, + expire_timeout: Duration::from_secs(20), + } + } + + #[actix_web::test] + async fn test_token_failures() { + let now = Instant::now(); + let twenty_sec_ago = now.sub(Duration::from_secs(20)); + let context = build_test_context( + [("123".to_string(), now), ("2".to_string(), twenty_sec_ago)], + Vec::new(), + ); + + assert_eq!( + context.authorize_request("Bearer 1234").await.unwrap_err(), + AuthenticationError::NoMatch("1234".to_string()) + ); + + assert_eq!( + context.authorize_request("Bearer 2").await.unwrap_err(), + AuthenticationError::TokenExpired(twenty_sec_ago) + ); + + // After expired error, the token gets removed. Subsequent calls for that token will + // therefore return "NoMatch" + assert_eq!( + context.authorize_request("Bearer 2").await.unwrap_err(), + AuthenticationError::NoMatch("2".to_string()) + ); + } + + #[actix_web::test] + async fn test_happy_flow() { + let context = build_test_context( + [ + ("123".to_string(), Instant::now()), + ("2".to_string(), Instant::now().sub(Duration::from_secs(20))), + ], + Vec::new(), + ); + assert_eq!(Ok(()), context.authorize_request("Bearer 123").await); + } + + #[actix_web::test] + async fn authentication_errors() { + let context = build_test_context( + Vec::new(), + [("test_user".to_string(), "password".to_string())], + ); + + assert!(matches!( + context + .authenticate_request(b"{not a valid json") + .await + .unwrap_err(), + AuthenticationError::ParseError(_) + )); + + let json = serde_json::to_vec(&Login { + username: "John".to_string(), + password: "1234".to_string(), + }) + .unwrap(); + + assert_eq!( + context.authenticate_request(&json).await.unwrap_err(), + AuthenticationError::IncorrectCredentials + ); + let json = serde_json::to_vec(&Login { + username: "test_user".to_string(), + password: "1234".to_string(), + }) + .unwrap(); + + assert_eq!( + context.authenticate_request(&json).await.unwrap_err(), + AuthenticationError::IncorrectCredentials + ); + } + + #[actix_web::test] + async fn pass_authentication() { + let context = build_test_context( + Vec::new(), + [("test_user".to_string(), "password".to_string())], + ); + let json = serde_json::to_vec(&Login { + username: "test_user".to_string(), + password: "password".to_string(), + }) + .unwrap(); + + assert_eq!( + context.authenticate_request(&json).await.unwrap_err(), + AuthenticationError::IncorrectCredentials + ); + } +} diff --git a/bmcd/src/authentication/authentication_errors.rs b/bmcd/src/authentication/authentication_errors.rs new file mode 100644 index 0000000..7fab00b --- /dev/null +++ b/bmcd/src/authentication/authentication_errors.rs @@ -0,0 +1,57 @@ +use std::{fmt::Display, str::Utf8Error}; +use tokio::time::Instant; + +#[derive(Debug, PartialEq)] +pub enum AuthenticationError { + ParseError(String), + IncorrectCredentials, + TokenExpired(Instant), + NoMatch(String), + HttpParseError(String), + SchemeNotSupported(String), + Empty, +} + +impl Display for AuthenticationError { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + match self { + AuthenticationError::ParseError(e) => { + write!(f, "error trying to parse credentials: {}", e) + } + AuthenticationError::IncorrectCredentials => write!(f, "credentials incorrect"), + AuthenticationError::TokenExpired(instant) => write!( + f, + "token expired {}s ago", + Instant::now().duration_since(*instant).as_secs() + ), + AuthenticationError::NoMatch(token) => write!(f, "token {} is not registered", token), + AuthenticationError::Empty => write!(f, "no authorization header provided"), + AuthenticationError::HttpParseError(token) => { + write!(f, "cannot parse authorization header: {}", token) + } + AuthenticationError::SchemeNotSupported(scheme) => { + write!(f, "{} authentication not supported", scheme) + } + } + } +} + +impl std::error::Error for AuthenticationError {} + +impl From for AuthenticationError { + fn from(value: serde_json::Error) -> Self { + Self::ParseError(value.to_string()) + } +} + +impl From for AuthenticationError { + fn from(value: base64::DecodeError) -> Self { + Self::ParseError(value.to_string()) + } +} + +impl From for AuthenticationError { + fn from(value: Utf8Error) -> Self { + Self::ParseError(value.to_string()) + } +} diff --git a/bmcd/src/authentication/authentication_service.rs b/bmcd/src/authentication/authentication_service.rs new file mode 100644 index 0000000..78f898c --- /dev/null +++ b/bmcd/src/authentication/authentication_service.rs @@ -0,0 +1,164 @@ +use super::{ + authentication_context::AuthenticationContext, authentication_errors::AuthenticationError, + passwd_validator::UnixValidator, +}; +use actix_web::{ + body::{EitherBody, MessageBody}, + dev::{Service, ServiceRequest, ServiceResponse}, + http::header::{self}, + Error, HttpRequest, HttpResponse, +}; +use futures::future::LocalBoxFuture; +use futures::StreamExt; +use serde::Serialize; +use std::{ + net::{IpAddr, Ipv4Addr, Ipv6Addr}, + rc::Rc, + sync::Arc, +}; + +const LOCALHOSTV4: IpAddr = IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)); +const LOCALHOSTV6: IpAddr = IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)); + +/// This authentication service is designed to prepare for implementing "Redfish +/// Session Login Authentication" as good as possible. Redfish is not yet +/// implemented in this product, until then this session based, token +/// authentication service is used to provide authentication. +#[derive(Clone)] +pub struct AuthenticationService { + service: Rc, + context: Arc>, + authentication_path: &'static str, +} + +impl AuthenticationService { + pub fn new( + service: Rc, + context: Arc>, + authentication_path: &'static str, + ) -> Self { + AuthenticationService { + service, + context, + authentication_path, + } + } +} + +impl Service for AuthenticationService +where + S: Service, Error = Error> + 'static, + S::Future: 'static, + B: MessageBody + 'static, +{ + type Response = ServiceResponse>; + type Error = Error; + type Future = LocalBoxFuture<'static, Result>; + + actix_web::dev::forward_ready!(service); + + fn call(&self, mut request: ServiceRequest) -> Self::Future { + let service = self.service.clone(); + + // drop authentication for requests on loopback interface + if request + .head() + .peer_addr + .is_some_and(|addr| addr.ip() == LOCALHOSTV6 || addr.ip() == LOCALHOSTV4) + { + return Box::pin(async move { + service + .call(request) + .await + .map(ServiceResponse::map_into_left_body) + }); + } + + let context = self.context.clone(); + let auth_path = self.authentication_path; + + Box::pin(async move { + if request.request().uri().path() == auth_path { + log::debug!("authentication request"); + let mut buffer = Vec::new(); + while let Some(Ok(bytes)) = request.parts_mut().1.next().await { + buffer.extend_from_slice(&bytes); + } + + let response = match context.authenticate_request(&buffer).await { + Ok(session) => { + authenticated_response(request.request(), session.id.clone(), session) + } + Err(error) => forbidden_response(request.request(), error), + }; + + return response; + } + + log::debug!("authorize request"); + let parse_result = request + .headers() + .get(header::AUTHORIZATION) + .ok_or(AuthenticationError::Empty) + .and_then(|auth| { + auth.to_str() + .map_err(|e| AuthenticationError::HttpParseError(e.to_string())) + }); + + let auth = match parse_result { + Ok(p) => p, + Err(e) => return unauthorized_response(request.request(), e), + }; + + if let Err(e) = context.authorize_request(auth).await { + unauthorized_response(request.request(), e) + } else { + service + .call(request) + .await + .map(ServiceResponse::map_into_left_body) + } + }) + } +} + +fn forbidden_response( + request: &HttpRequest, + response_text: E, +) -> Result>, Error> { + Ok(ServiceResponse::new( + request.clone(), + HttpResponse::Forbidden() + .body(response_text.to_string()) + .map_into_right_body(), + )) +} + +fn authenticated_response( + request: &HttpRequest, + token: String, + body: impl Serialize, +) -> Result>, Error> { + let text = serde_json::to_string(&body)?; + Ok(ServiceResponse::new( + request.clone(), + HttpResponse::Ok() + .insert_header(("X-Auth-Token", token)) + .body(text) + .map_into_right_body(), + )) +} + +fn unauthorized_response( + request: &HttpRequest, + response_text: E, +) -> Result>, Error> { + let bearer_str = format!( + "Bearer error=invalid_token, error_description={}", + response_text.to_string() + ); + let response = HttpResponse::Unauthorized() + .insert_header((header::WWW_AUTHENTICATE, bearer_str)) + .body(response_text.to_string()); + Ok(ServiceResponse::new(request.clone(), response)).map(ServiceResponse::map_into_right_body) +} diff --git a/bmcd/src/authentication/linux_authenticator.rs b/bmcd/src/authentication/linux_authenticator.rs new file mode 100644 index 0000000..0e6b863 --- /dev/null +++ b/bmcd/src/authentication/linux_authenticator.rs @@ -0,0 +1,90 @@ +use super::{ + authentication_context::AuthenticationContext, authentication_service::AuthenticationService, + passwd_validator::UnixValidator, +}; +use actix_web::{ + body::{EitherBody, MessageBody}, + dev::{Service, ServiceRequest, ServiceResponse, Transform}, + Error, +}; +use std::{ + future::{ready, Ready}, + io, + time::Duration, +}; +use std::{rc::Rc, sync::Arc}; +use tokio::{ + fs::OpenOptions, + io::{AsyncBufReadExt, BufReader}, +}; + +type LinuxContext = AuthenticationContext; + +pub struct LinuxAuthenticator { + context: Arc, + authentication_path: &'static str, +} + +impl LinuxAuthenticator { + pub async fn new(authentication_path: &'static str) -> io::Result { + let password_entries = Self::parse_shadow_file().await?; + Ok(Self { + context: Arc::new(LinuxContext::with_unix_validator( + password_entries, + Duration::from_secs(24 * 60 * 60), + )), + authentication_path, + }) + } +} + +impl LinuxAuthenticator { + async fn parse_shadow_file() -> io::Result> { + let file = OpenOptions::new().read(true).open("/etc/shadow").await?; + + let mut password_hashes: Vec<(String, String)> = Vec::new(); + let mut read_buffer = BufReader::new(file); + + loop { + let mut line = String::new(); + let bytes_read = read_buffer.read_line(&mut line).await?; + if bytes_read == 0 { + break; + } + + let mut items = line.splitn(3, ':'); + let username = items.next(); + let password = items.next(); + let (Some(user), Some(pass)) = (username, password) else { + break; + }; + + if !pass.starts_with('*') { + password_hashes.push((user.to_string(), pass.to_string())); + log::debug!("loaded user {user}"); + } + } + Ok(password_hashes.into_iter()) + } +} + +impl Transform for LinuxAuthenticator +where + S: Service, Error = Error> + 'static, + S::Future: 'static, + B: MessageBody + 'static, +{ + type Response = ServiceResponse>; + type Error = Error; + type InitError = (); + type Transform = AuthenticationService; + type Future = Ready>; + + fn new_transform(&self, service: S) -> Self::Future { + ready(Ok(AuthenticationService::new( + Rc::new(service), + self.context.clone(), + self.authentication_path, + ))) + } +} diff --git a/bmcd/src/authentication/mod.rs b/bmcd/src/authentication/mod.rs new file mode 100644 index 0000000..1d78965 --- /dev/null +++ b/bmcd/src/authentication/mod.rs @@ -0,0 +1,5 @@ +pub mod authentication_context; +pub mod authentication_errors; +pub mod authentication_service; +pub mod linux_authenticator; +pub mod passwd_validator; diff --git a/bmcd/src/authentication/passwd_validator.rs b/bmcd/src/authentication/passwd_validator.rs new file mode 100644 index 0000000..70887f2 --- /dev/null +++ b/bmcd/src/authentication/passwd_validator.rs @@ -0,0 +1,21 @@ +use super::authentication_errors::AuthenticationError; + +pub trait PasswordValidator { + fn validate(hash: &str, password: &str) -> Result<(), AuthenticationError>; +} + +pub struct UnixValidator {} + +impl PasswordValidator for UnixValidator { + fn validate(hash: &str, password: &str) -> Result<(), AuthenticationError> { + log::debug!( + "computed={}", + pwhash::unix::crypt(password, hash).unwrap_or_default() + ); + if !pwhash::unix::verify(password, hash) { + Err(AuthenticationError::IncorrectCredentials) + } else { + Ok(()) + } + } +} diff --git a/bmcd/src/main.rs b/bmcd/src/main.rs index 1a073a2..88ad732 100644 --- a/bmcd/src/main.rs +++ b/bmcd/src/main.rs @@ -1,4 +1,8 @@ -use crate::{flash_service::FlashService, legacy::info_config}; +use crate::config::Config; +use crate::{ + authentication::linux_authenticator::LinuxAuthenticator, flash_service::FlashService, + legacy::info_config, +}; use actix_files::Files; use actix_web::{ http::{self, KeepAlive}, @@ -9,15 +13,21 @@ use actix_web::{ use anyhow::Context; use clap::{command, value_parser, Arg}; use log::LevelFilter; -use openssl::ssl::SslAcceptorBuilder; -use std::path::{Path, PathBuf}; +use openssl::pkey::{PKey, Private}; +use openssl::ssl::{SslAcceptor, SslAcceptorBuilder, SslMethod}; +use openssl::x509::X509; +use std::fs::OpenOptions; +use std::io::Read; +use std::{ + path::{Path, PathBuf}, + sync::Arc, +}; use tpi_rs::app::{bmc_application::BmcApplication, event_application::run_event_listener}; +pub mod authentication; pub mod config; mod flash_service; mod into_legacy_response; mod legacy; -use crate::config::Config; -use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod}; const HTTPS_PORT: u16 = 443; const HTTP_PORT: u16 = 80; @@ -25,24 +35,21 @@ const HTTP_PORT: u16 = 80; #[actix_web::main] async fn main() -> anyhow::Result<()> { init_logger(); - - let config = Config::try_from(config_path()).context("Error parsing config file")?; - let tls = load_tls_configuration(&config.tls.private_key, &config.tls.certificate)?; - let tls6 = load_tls_configuration(&config.tls.private_key, &config.tls.certificate)?; - + let (tls, tls6) = load_config()?; let bmc = Data::new(BmcApplication::new().await?); run_event_listener(bmc.clone().into_inner())?; let flash_service = Data::new(FlashService::new()); + let authentication = Arc::new(LinuxAuthenticator::new("/api/bmc/authenticate").await?); let run_server = HttpServer::new(move || { App::new() - // Shared state: BmcApplication instance .app_data(bmc.clone()) .app_data(flash_service.clone()) - // Legacy API - .configure(legacy::config) // Enable logger .wrap(middleware::Logger::default()) + .wrap(authentication.clone()) + // Legacy API + .configure(legacy::config) // Serve a static tree of files of the web UI. Must be the last item. .service(Files::new("/", "/mnt/var/www/").index_file("index.html")) }) @@ -111,12 +118,34 @@ fn config_path() -> PathBuf { .into() } -fn load_tls_configuration>( +fn load_keys_from_pem>( private_key: P, certificate: P, -) -> anyhow::Result { - let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; - builder.set_private_key_file(private_key.as_ref(), SslFiletype::PEM)?; - builder.set_certificate_chain_file(certificate.as_ref())?; - Ok(builder) +) -> anyhow::Result<(PKey, X509)> { + let mut pkey = Vec::new(); + let mut cert = Vec::new(); + OpenOptions::new() + .read(true) + .open(private_key)? + .read_to_end(&mut pkey)?; + OpenOptions::new() + .read(true) + .open(certificate)? + .read_to_end(&mut cert)?; + + let rsa_key = PKey::private_key_from_pem(&pkey)?; + let x509 = X509::from_pem(&cert)?; + Ok((rsa_key, x509)) +} + +fn load_config() -> anyhow::Result<(SslAcceptorBuilder, SslAcceptorBuilder)> { + let config = Config::try_from(config_path()).context("Error parsing config file")?; + let (private_key, cert) = load_keys_from_pem(&config.tls.private_key, &config.tls.certificate)?; + let mut tls = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; + tls.set_private_key(&private_key)?; + tls.set_certificate(&cert)?; + let mut tls6 = SslAcceptor::mozilla_intermediate(SslMethod::tls())?; + tls6.set_private_key(&private_key)?; + tls6.set_certificate(&cert)?; + Ok((tls, tls6)) }