lilo-im-core 0.1.1

Identity Matters core: Authorizer trait, Principal types, peer credential extraction (Helioy v1 IAM)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77

#[cfg(target_os = "macos")]
use std::os::fd::{AsRawFd, BorrowedFd};

#[cfg(target_os = "linux")]
use nix::sys::socket::{getsockopt, sockopt};
#[cfg(unix)]
use tokio::net::UnixStream;

use crate::{AuthzError, Principal};

#[cfg(target_os = "macos")]
pub async fn extract(stream: &UnixStream) -> Result<Principal, AuthzError> {
    let raw_fd = stream.as_raw_fd();
    let uid = tokio::task::spawn_blocking(move || {
        // Safety: `extract` borrows the stream until this task is awaited, so the fd stays open.
        let fd = unsafe { BorrowedFd::borrow_raw(raw_fd) };
        nix::unistd::getpeereid(fd).map(|(uid, _gid)| uid.as_raw())
    })
    .await
    .map_err(|error| internal_error("peer credential task failed", error))?
    .map_err(|error| internal_error("getpeereid failed", error))?;

    Ok(principal_from_uid(uid))
}

#[cfg(target_os = "linux")]
pub async fn extract(stream: &UnixStream) -> Result<Principal, AuthzError> {
    let credentials = getsockopt(stream, sockopt::PeerCredentials)
        .map_err(|error| internal_error("SO_PEERCRED failed", error))?;

    Ok(principal_from_uid(credentials.uid()))
}

#[cfg(all(unix, not(any(target_os = "macos", target_os = "linux"))))]
pub async fn extract(_stream: &UnixStream) -> Result<Principal, AuthzError> {
    Err(unsupported_platform_error())
}

fn principal_from_uid(uid: u32) -> Principal {
    Principal::Local(uid)
}

fn internal_error(context: &str, error: impl std::fmt::Display) -> AuthzError {
    AuthzError::Internal {
        message: format!("peer credential extraction {context}: {error}"),
    }
}

#[cfg(any(test, all(unix, not(any(target_os = "macos", target_os = "linux")))))]
fn unsupported_platform_error() -> AuthzError {
    AuthzError::Internal {
        message: "peer credential extraction unsupported on this platform".to_owned(),
    }
}

#[cfg(test)]
mod tests {
    use super::{principal_from_uid, unsupported_platform_error};
    use crate::{AuthzError, Principal};

    #[test]
    fn principal_from_uid_preserves_edge_uids() {
        assert_eq!(principal_from_uid(0), Principal::Local(0));
        assert_eq!(principal_from_uid(u32::MAX), Principal::Local(u32::MAX));
    }

    #[test]
    fn unsupported_platform_error_is_descriptive() {
        let error = unsupported_platform_error();

        assert!(matches!(
            error,
            AuthzError::Internal { message }
                if message.contains("unsupported on this platform")
        ));
    }
}