1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411
//! Authentication and unauthentication.
use std::borrow::Borrow;
use std::fs::File;
use std::io::Write;
use std::path::{Path, PathBuf};
use tokio::io::{AsyncRead, AsyncWrite};
use tokio_util::codec::Framed;
use serde::Deserialize;
use blather::Telegram;
use crate::utils;
use crate::Error;
#[derive(Debug, Default)]
pub struct Builder {
name: Option<String>,
pass_file: Option<String>,
pass: Option<String>,
token_file: Option<String>,
token: Option<String>
}
impl Builder {
pub fn new() -> Self {
Self::default()
}
pub fn name<N>(mut self, nm: N) -> Self
where
N: ToString
{
self.name = Some(nm.to_string());
self
}
pub fn pass_file<P>(mut self, p: P) -> Self
where
P: ToString
{
self.pass_file = Some(p.to_string());
self
}
pub fn pass<P>(mut self, p: P) -> Self
where
P: ToString
{
self.pass = Some(p.to_string());
self
}
pub fn token_file<T>(mut self, t: T) -> Self
where
T: ToString
{
self.token_file = Some(t.to_string());
self
}
pub fn token<T>(mut self, t: T) -> Self
where
T: ToString
{
self.token = Some(t.to_string());
self
}
/// Construct an [`Auth`] buffer.
pub fn build(self) -> Result<Auth, Error> {
// ToDo: Validate parameters
Ok(Auth {
name: self.name,
pass_file: self.pass_file,
pass: self.pass,
token_file: self.token_file,
token: self.token
})
}
}
/// Authentication context used to signal how to authenticate a connection.
#[derive(Clone, Debug, Default, Deserialize)]
pub struct Auth {
/// Account name used to authenticate.
pub name: Option<String>,
/// Load raw account passphrase from the specified filename.
#[serde(rename = "pass-file")]
pub pass_file: Option<String>,
/// Raw account passphrase to authenticate with. Only used if `name` has
/// been set.
pub pass: Option<String>,
/// Use the specified file for authentication token storage.
#[serde(rename = "token-file")]
pub token_file: Option<String>,
/// Authentication token.
pub token: Option<String>
}
impl Auth {
/// Return `true` if there's either a raw passphrase set in `pass` or a
/// passphrase file has beeen set in `pass_file`. This function does not
/// validate if the passphrase file exists or is accessible.
pub fn have_pass(&self) -> bool {
self.pass.is_some() || self.pass_file.is_some()
}
/// Get passphrase.
///
/// Return the raw `pass` field if set. Otherwise, load the `pass_file` if
/// set, and return error if the passphrase could not be loaded from the
/// file.
///
/// If neither `pass` nor `pass_file` have been set, return an error.
pub fn get_pass(&self) -> Result<String, Error> {
// 1. Return raw passphrase if set
// 2. Load raw passphrase from file, if set. Return error if file could
// not be read.
// 3. Return `Ok(None)`
if let Some(pass) = &self.pass {
Ok(pass.clone())
} else if let Some(fname) = &self.pass_file {
if let Some(pass) = utils::read_single_line(fname) {
Ok(pass)
} else {
return Err(Error::invalid_cred(
"Unable to read passphrase from file"
));
}
} else {
Err(Error::invalid_cred("Missing passphrase"))
}
}
/// Get authentication token.
///
/// Return the raw `token` field if set. Otherwise, check if `token_file` is
/// set. If it is, then attempt to load the token from it. If the file
/// _does not_ exist, then:
/// - Return `Ok(None)` if account name and pass(file) have been set.
/// - Return error if account name has not been set.
pub fn get_token(&self) -> Result<Option<String>, Error> {
// 1. Return raw token if set.
// 2. If a token file has been specified, then:
// - If file exists, then read token from it.
// - If file does not exist, then:
// - If username is set and pass(file) is set, then return `Ok(None)`,
// assuming the caller wants to request a token and store it in the
// specified file.
// - If neither username nor pass(file) is set, then return an error,
// since the token file is missing.
if let Some(tkn) = &self.token {
Ok(Some(tkn.clone()))
} else if let Some(fname) = &self.token_file {
let fname = Path::new(&fname);
if fname.exists() {
// Token file exists, attempt to load token from it
if let Some(tkn) = utils::read_single_line(fname) {
// Got it, hopefully. The server will validate it.
Ok(Some(tkn))
} else {
// Unable to read file.
Err(Error::invalid_cred("Unable to read token from file"))
}
} else if self.name.is_none() {
// Missing account name, so clearly the authentication call won't be
// able to request a token to be stored in the non-existent file.
Err(Error::invalid_cred("Unable to read token from file"))
} else if self.pass.is_none() && self.pass_file.is_none() {
// Have account name, but no passphrase, so authentication can't
// succeed.
Err(Error::invalid_cred("Missing passphrase for token request"))
} else {
// Token file does not exist, but an account name and pass(file) was
// specified, so assume the caller will request an authentication token
// and store to the specified location.
Ok(None)
}
} else {
// Neither token nor token file was specified
Ok(None)
}
}
/// Helper function for authenticating a connection.
///
/// Authenticates the connection specified in `conn`, using the credentials
/// stored in the `Auth` buffer using the following logic:
///
/// 1. If a raw token has been supplied in the `token` field, then attempt to
/// authenticate with it and return the results.
/// 2. If a `token_file` has been been set, then:
/// - If the file exists, try to load the authentication token,
/// authenticate with it, and return the results.
/// - If the file does not exist, then:
/// - If account name and/or passphrase have not been set, then return
/// error.
/// - If account name and passphrase have been set, then continue.
/// 3. Make sure that an account name and a passphrase has been set. The
/// passphrase is either set from the `pass` field or by loading the
/// contents of the file in `pass_file`. Return error account name or
/// passphrase can not be acquired.
/// 4. Authenticate using account name and passphrase. If a `token_file` was
/// specified, then request an authentication token and store it in
/// `token_file` on success. Return error on failure.
pub async fn authenticate<C>(
&self,
conn: &mut Framed<C, blather::Codec>
) -> Result<Option<String>, Error>
where
C: AsyncRead + AsyncWrite + Unpin
{
// Attempt to get token.
// This will return Ok(None) if there's no token to be added to the `Auth`
// server request, but it can also mean that the caller wants a token to be
// *requested* (the `token_file` field needs to be checked for this).
let tkn = self.get_token()?;
// Special case: The user can all this function without supplying
// any authentication credentials. If this happens, then just return
// Ok(None). This is just to avoid having to write logic in application
// code to check if credentials have been set.
if self.name.is_none() && tkn.is_none() {
return Ok(None);
}
if let Some(tkn) = tkn {
// Authenticate using the token
token(conn, CredStore::Buf(tkn)).await?;
// Token authentications do not yield new tokens
return Ok(None);
}
// If a token authentication wasn't performed, then require an account.
if let Some(accname) = &self.name {
// Get required passphrase. (Note that this will return error if a
// password can't be retrieved).
let pass = self.get_pass()?;
// Authenticate using account name and passphrase. If a token file has
// been set, then at this point it is safe to assume the caller wants to
// request a token.
let opttkn = accpass(
conn,
accname,
CredStore::Buf(pass),
self.token_file.is_some()
)
.await?;
// If a token was returned, and a token file was specified, then attempt
// to write the token to the file.
if let Some(tkn) = opttkn {
// (token_file should always be Some() if an opttkn was returned)
if let Some(fname) = &self.token_file {
let mut f = File::create(fname)?;
f.write_all(tkn.as_bytes())?;
}
return Ok(Some(tkn));
}
// Successfully authenticated using user name and passphrase
return Ok(None);
}
// Token authetication failed and no account name/password was passed, so
// error out.
Err(Error::invalid_cred("Missing credentials"))
}
}
/// Choose where an a token/passphrase is fetched from.
pub enum CredStore {
/// Credential is stored in a string.
Buf(String),
/// Credential is stored in a file.
File(PathBuf)
}
/// Attempt to authenticate using an authentication token.
///
/// The token can be stored in either a string buffer or file.
pub async fn token<T, O>(
conn: &mut Framed<T, blather::Codec>,
tkn: O
) -> Result<(), Error>
where
O: Borrow<CredStore>,
T: AsyncRead + AsyncWrite + Unpin
{
let tkn = match tkn.borrow() {
CredStore::Buf(s) => s.clone(),
CredStore::File(p) => {
if let Some(t) = utils::read_single_line(p) {
t
} else {
return Err(Error::invalid_cred("Unable to read token from file"));
}
}
};
let mut tg = Telegram::new_topic("Auth")?;
tg.add_param("Tkn", tkn)?;
crate::sendrecv(conn, &tg).await?;
Ok(())
}
/// Attempt to authenticate using an account name and a passphrase.
///
/// Optionally request an authentication token.
///
/// On success, return `Ok(None)` if authentication token was not requested.
/// Return `Ok(Some(String))` with the token string if it was requested.
pub async fn accpass<T, A, P>(
conn: &mut Framed<T, blather::Codec>,
accname: A,
pass: P,
reqtkn: bool
) -> Result<Option<String>, Error>
where
A: AsRef<str>,
P: Borrow<CredStore>,
T: AsyncRead + AsyncWrite + Unpin
{
let mut tg = Telegram::new_topic("Auth")?;
tg.add_param("AccName", accname.as_ref())?;
let pass = match pass.borrow() {
CredStore::Buf(s) => s.clone(),
CredStore::File(p) => {
if let Some(pass) = utils::read_single_line(p) {
pass
} else {
return Err(Error::invalid_cred(
"Unable to read passphrase from file"
));
}
}
};
tg.add_param("Pass", pass)?;
if reqtkn {
tg.add_param("ReqTkn", "True")?;
}
let params = crate::sendrecv(conn, &tg).await?;
if reqtkn {
let s = params.get_str("Tkn");
if let Some(s) = s {
Ok(Some(s.to_string()))
} else {
Ok(None)
}
} else {
Ok(None)
}
}
/// Return ownership of a connection to the built-in _unauthenticated_ account.
///
/// # Examples
/// ```no_run
/// use ddmw_client::{conn, auth};
/// async fn test() {
/// let pa = protwrap::ProtAddr::Tcp("127.0.0.1:8777".to_string());
/// let auth = auth::Builder::new()
/// .name("elena")
/// .pass("secret")
/// .build().expect("Unable to build Auth buffer");
/// let mut frm = conn::connect(&pa, Some(&auth)).await
/// .expect("Connection failed");
///
/// let w = conn::whoami(&mut frm).await.expect("whoami failed");
/// assert_eq!(&w.name, "elena");
///
/// auth::unauthenticate(&mut frm).await.expect("unauthenticate failed");
/// let w = conn::whoami(&mut frm).await.expect("whoami failed");
/// assert_eq!(&w.name, "unauthenticated");
/// }
/// ```
pub async fn unauthenticate<T>(
conn: &mut Framed<T, blather::Codec>
) -> Result<(), Error>
where
T: AsyncRead + AsyncWrite + Unpin
{
let tg = Telegram::new_topic("Unauth")?;
crate::sendrecv(conn, &tg).await?;
Ok(())
}
// vim: set ft=rust et sw=2 ts=2 sts=2 cinoptions=2 tw=79 :