seuss 0.3.1

A batteries-included framework for implementing Redfish-compliant services.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106

use core::fmt;
use redfish_codegen::models::redfish;
use redfish_core::{
    auth::{insufficient_privilege, AuthenticatedUser},
    privilege::Role,
};
use std::{collections::HashMap, error, ffi::OsStr};
use users::Group;

use super::{BasicAuthentication, SessionAuthentication};

const DEFAULT_PAM_SERVICE: &str = "redfish";

#[derive(Debug)]
pub struct MissingGroupError(String);
impl fmt::Display for MissingGroupError {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "Group {} does not exist", &self.0)
    }
}

impl error::Error for MissingGroupError {
    fn source(&self) -> Option<&(dyn error::Error + 'static)> {
        None
    }
}

#[derive(Clone)]
pub struct LinuxPamAuthenticator {
    service: String,
    role_map: HashMap<Role, Group>,
}

impl LinuxPamAuthenticator {
    pub fn new(group_names: HashMap<Role, String>) -> Result<Self, MissingGroupError> {
        let role_map = group_names
            .iter()
            .map(|(role, name)| match users::get_group_by_name(&name) {
                Some(group) => Ok((*role, group)),
                None => Err(MissingGroupError(name.clone())),
            })
            .collect::<Result<HashMap<Role, Group>, MissingGroupError>>()?;
        Ok(LinuxPamAuthenticator {
            service: DEFAULT_PAM_SERVICE.to_string(),
            role_map,
        })
    }

    fn get_user_role(&self, username: &str) -> Result<Role, redfish::Error> {
        let gid = users::get_user_by_name(username)
            .ok_or_else(insufficient_privilege)?
            .primary_group_id();
        let groups = users::get_user_groups(&username, gid).ok_or_else(insufficient_privilege)?;
        let group_names = groups
            .iter()
            .map(|group| group.name())
            .collect::<Vec<&OsStr>>();

        let (role, _) = self
            .role_map
            .iter()
            .find(|(_, group)| group_names.contains(&group.name()))
            .ok_or_else(insufficient_privilege)?;

        Ok(*role)
    }
}

impl BasicAuthentication for LinuxPamAuthenticator {
    fn authenticate(
        &self,
        username: String,
        password: String,
    ) -> Result<AuthenticatedUser, redfish::Error> {
        let mut auth = pam::Authenticator::with_password(&self.service).unwrap();
        auth.get_handler().set_credentials(&username, &password);
        if auth.authenticate().is_err() {
            return Err(insufficient_privilege());
        }

        let role = self.get_user_role(&username)?;
        Ok(AuthenticatedUser { username, role })
    }
}

impl SessionAuthentication for LinuxPamAuthenticator {
    fn open_session(
        &self,
        username: String,
        password: String,
    ) -> Result<AuthenticatedUser, redfish::Error> {
        let mut auth = pam::Authenticator::with_password(&self.service).unwrap();
        auth.get_handler().set_credentials(&username, &password);
        // As opposed to the basic handler, we also invoke a PAM session
        if auth.authenticate().is_err() || auth.open_session().is_err() {
            return Err(insufficient_privilege());
        }

        let role = self.get_user_role(&username)?;
        Ok(AuthenticatedUser { username, role })
    }

    fn close_session(&self) -> Result<(), redfish::Error> {
        todo!()
    }
}