From 6316e07a10f797b7c3b3d008f016e03269602424 Mon Sep 17 00:00:00 2001
From: denisonbarbosa
Date: Thu, 27 Jul 2023 09:13:00 -0400
Subject: [PATCH] Addressing comments from HO
---
 authd.pb.go | 159 +++++++++---------------------
 authd.proto | 8 +-
 authd_grpc.pb.go | 65 +++---------
 internal/brokers/broker.go | 42 +++++---
 internal/brokers/dbusbroker.go | 3 +-
 internal/brokers/examplebroker.go | 58 +++++------
 internal/brokers/localbroker.go | 3 +-
 internal/brokers/responses.go | 13 +++
 internal/services/pam/pam.go | 20 ----
 pam/pam.go | 38 +------
 10 files changed, 137 insertions(+), 272 deletions(-)
 create mode 100644 internal/brokers/responses.go
diff --git a/authd.pb.go b/authd.pb.go
index 674269e2f..e16f8b681 100644
--- a/authd.pb.go
+++ b/authd.pb.go
@@ -753,53 +753,6 @@ func (x *ASRequest) GetUsername() string { return "" } -type CIARequest struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - SessionId string `protobuf:"bytes,1,opt,name=session_id,json=sessionId,proto3" json:"session_id,omitempty"` -} - -func (x *CIARequest) Reset() { - *x = CIARequest{} - if protoimpl.UnsafeEnabled { - mi := &file_authd_proto_msgTypes[13] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CIARequest) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CIARequest) ProtoMessage() {} - -func (x *CIARequest) ProtoReflect() protoreflect.Message { - mi := &file_authd_proto_msgTypes[13] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CIARequest.ProtoReflect.Descriptor instead. -func (*CIARequest) Descriptor() ([]byte, []int) { - return file_authd_proto_rawDescGZIP(), []int{13} -} - -func (x *CIARequest) GetSessionId() string { - if x != nil { - return x.SessionId - } - return "" -} - type ABResponse_BrokerInfo struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -813,7 +766,7 @@ type ABResponse_BrokerInfo struct { func (x *ABResponse_BrokerInfo) Reset() { *x = ABResponse_BrokerInfo{} if protoimpl.UnsafeEnabled { - mi := &file_authd_proto_msgTypes[14] + mi := &file_authd_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -826,7 +779,7 @@ func (x *ABResponse_BrokerInfo) String() string { func (*ABResponse_BrokerInfo) ProtoMessage() {} func (x *ABResponse_BrokerInfo) ProtoReflect() protoreflect.Message { - mi := &file_authd_proto_msgTypes[14] + mi := &file_authd_proto_msgTypes[13] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -875,7 +828,7 @@ type SBResponse_AuthenticationMode struct { func (x *SBResponse_AuthenticationMode) Reset() { *x = SBResponse_AuthenticationMode{} if protoimpl.UnsafeEnabled { - mi := &file_authd_proto_msgTypes[15] + mi := &file_authd_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -888,7 +841,7 @@ func (x *SBResponse_AuthenticationMode) String() string { func (*SBResponse_AuthenticationMode) ProtoMessage() {} func (x *SBResponse_AuthenticationMode) ProtoReflect() protoreflect.Message { - mi := &file_authd_proto_msgTypes[15] + mi := &file_authd_proto_msgTypes[14] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1011,34 +964,29 @@ var file_authd_proto_rawDesc = []byte{ 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, - 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x2b, 0x0a, 0x0a, 0x43, 0x49, 0x41, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, - 0x64, 0x32, 0xbc, 0x02, 0x0a, 0x03, 0x50, 0x41, 0x4d, 0x12, 0x2b, 0x0a, 0x10, 0x41, 0x76, 0x61, - 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x73, 0x12, 0x0a, 0x2e, - 0x41, 0x42, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x41, 0x42, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, - 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x12, 0x0a, 0x2e, 0x53, 0x42, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x53, 0x42, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, - 0x35, 0x0a, 0x18, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, - 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0b, 0x2e, 0x53, 0x41, - 0x4d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0c, 0x2e, 0x53, 0x41, 0x4d, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0c, 0x49, 0x73, 0x41, 0x75, 0x74, 0x68, - 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x0a, 0x2e, 0x49, 0x41, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x49, 0x41, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, - 0x30, 0x0a, 0x17, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x42, 0x72, 0x6f, - 0x6b, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x55, 0x73, 0x65, 0x72, 0x12, 0x0d, 0x2e, 
0x53, 0x44, 0x42, - 0x46, 0x55, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x06, 0x2e, 0x45, 0x6d, 0x70, 0x74, - 0x79, 0x12, 0x22, 0x0a, 0x0c, 0x41, 0x62, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x12, 0x0a, 0x2e, 0x41, 0x53, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x06, 0x2e, - 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x29, 0x0a, 0x12, 0x43, 0x61, 0x6e, 0x63, 0x65, 0x6c, 0x49, - 0x73, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x0b, 0x2e, 0x43, 0x49, - 0x41, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x06, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, - 0x32, 0x29, 0x0a, 0x03, 0x4e, 0x53, 0x53, 0x12, 0x22, 0x0a, 0x07, 0x54, 0x65, 0x73, 0x74, 0x4e, - 0x53, 0x53, 0x12, 0x06, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x0f, 0x2e, 0x53, 0x74, 0x72, - 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x19, 0x5a, 0x17, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x75, 0x62, 0x75, 0x6e, 0x74, 0x75, - 0x2f, 0x61, 0x75, 0x74, 0x68, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x61, 0x6d, 0x65, 0x32, 0x91, 0x02, 0x0a, 0x03, 0x50, 0x41, 0x4d, 0x12, 0x2b, 0x0a, 0x10, + 0x41, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x73, + 0x12, 0x0a, 0x2e, 0x41, 0x42, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x41, + 0x42, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0c, 0x53, 0x65, 0x6c, + 0x65, 0x63, 0x74, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x12, 0x0a, 0x2e, 0x53, 0x42, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x53, 0x42, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x35, 0x0a, 0x18, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x41, 0x75, 0x74, 0x68, + 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0b, + 0x2e, 0x53, 0x41, 0x4d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0c, 0x2e, 0x53, 0x41, + 0x4d, 0x52, 0x65, 0x73, 0x70, 
0x6f, 0x6e, 0x73, 0x65, 0x12, 0x27, 0x0a, 0x0c, 0x49, 0x73, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x65, 0x64, 0x12, 0x0a, 0x2e, 0x49, 0x41, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x49, 0x41, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x41, 0x62, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x73, 0x73, 0x69, + 0x6f, 0x6e, 0x12, 0x0a, 0x2e, 0x41, 0x53, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x06, + 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x30, 0x0a, 0x17, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, + 0x61, 0x75, 0x6c, 0x74, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x55, 0x73, 0x65, + 0x72, 0x12, 0x0d, 0x2e, 0x53, 0x44, 0x42, 0x46, 0x55, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x06, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x32, 0x29, 0x0a, 0x03, 0x4e, 0x53, 0x53, 0x12, + 0x22, 0x0a, 0x07, 0x54, 0x65, 0x73, 0x74, 0x4e, 0x53, 0x53, 0x12, 0x06, 0x2e, 0x45, 0x6d, 0x70, + 0x74, 0x79, 0x1a, 0x0f, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x42, 0x19, 0x5a, 0x17, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x75, 0x62, 0x75, 0x6e, 0x74, 0x75, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x64, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -1053,7 +1001,7 @@ func file_authd_proto_rawDescGZIP() []byte { return file_authd_proto_rawDescData } -var file_authd_proto_msgTypes = make([]protoimpl.MessageInfo, 16) +var file_authd_proto_msgTypes = make([]protoimpl.MessageInfo, 15) var file_authd_proto_goTypes = []interface{}{ (*ABRequest)(nil), // 0: ABRequest (*ABResponse)(nil), // 1: ABResponse 
@@ -1068,33 +1016,30 @@ var file_authd_proto_goTypes = []interface{}{ (*IAResponse)(nil), // 10: IAResponse (*SDBFURequest)(nil), // 11: SDBFURequest (*ASRequest)(nil), // 12: ASRequest - (*CIARequest)(nil), // 13: CIARequest - (*ABResponse_BrokerInfo)(nil), // 14: ABResponse.BrokerInfo - (*SBResponse_AuthenticationMode)(nil), // 15: SBResponse.AuthenticationMode + (*ABResponse_BrokerInfo)(nil), // 13: ABResponse.BrokerInfo + (*SBResponse_AuthenticationMode)(nil), // 14: SBResponse.AuthenticationMode } var file_authd_proto_depIdxs = []int32{ - 14, // 0: ABResponse.brokers_infos:type_name -> ABResponse.BrokerInfo + 13, // 0: ABResponse.brokers_infos:type_name -> ABResponse.BrokerInfo 5, // 1: SBRequest.supported_ui_layouts:type_name -> UILayout - 15, // 2: SBResponse.authentication_modes:type_name -> SBResponse.AuthenticationMode + 14, // 2: SBResponse.authentication_modes:type_name -> SBResponse.AuthenticationMode 5, // 3: SAMResponse.ui_layout_info:type_name -> UILayout 0, // 4: PAM.AvailableBrokers:input_type -> ABRequest 4, // 5: PAM.SelectBroker:input_type -> SBRequest 7, // 6: PAM.SelectAuthenticationMode:input_type -> SAMRequest 9, // 7: PAM.IsAuthorized:input_type -> IARequest - 11, // 8: PAM.SetDefaultBrokerForUser:input_type -> SDBFURequest - 12, // 9: PAM.AbortSession:input_type -> ASRequest - 13, // 10: PAM.CancelIsAuthorized:input_type -> CIARequest - 2, // 11: NSS.TestNSS:input_type -> Empty - 1, // 12: PAM.AvailableBrokers:output_type -> ABResponse - 6, // 13: PAM.SelectBroker:output_type -> SBResponse - 8, // 14: PAM.SelectAuthenticationMode:output_type -> SAMResponse - 10, // 15: PAM.IsAuthorized:output_type -> IAResponse + 12, // 8: PAM.AbortSession:input_type -> ASRequest + 11, // 9: PAM.SetDefaultBrokerForUser:input_type -> SDBFURequest + 2, // 10: NSS.TestNSS:input_type -> Empty + 1, // 11: PAM.AvailableBrokers:output_type -> ABResponse + 6, // 12: PAM.SelectBroker:output_type -> SBResponse + 8, // 13: PAM.SelectAuthenticationMode:output_type -> 
SAMResponse + 10, // 14: PAM.IsAuthorized:output_type -> IAResponse + 2, // 15: PAM.AbortSession:output_type -> Empty 2, // 16: PAM.SetDefaultBrokerForUser:output_type -> Empty - 2, // 17: PAM.AbortSession:output_type -> Empty - 2, // 18: PAM.CancelIsAuthorized:output_type -> Empty - 3, // 19: NSS.TestNSS:output_type -> StringResponse - 12, // [12:20] is the sub-list for method output_type - 4, // [4:12] is the sub-list for method input_type + 3, // 17: NSS.TestNSS:output_type -> StringResponse + 11, // [11:18] is the sub-list for method output_type + 4, // [4:11] is the sub-list for method input_type 4, // [4:4] is the sub-list for extension type_name 4, // [4:4] is the sub-list for extension extendee 0, // [0:4] is the sub-list for field type_name @@ -1263,18 +1208,6 @@ func file_authd_proto_init() { } } file_authd_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CIARequest); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_authd_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*ABResponse_BrokerInfo); i { case 0: return &v.state @@ -1286,7 +1219,7 @@ func file_authd_proto_init() { return nil } } - file_authd_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} { + file_authd_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*SBResponse_AuthenticationMode); i { case 0: return &v.state 
@@ -1302,14 +1235,14 @@ func file_authd_proto_init() { file_authd_proto_msgTypes[0].OneofWrappers = []interface{}{} file_authd_proto_msgTypes[1].OneofWrappers = []interface{}{} file_authd_proto_msgTypes[5].OneofWrappers = []interface{}{} - file_authd_proto_msgTypes[14].OneofWrappers = []interface{}{} + file_authd_proto_msgTypes[13].OneofWrappers = []interface{}{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_authd_proto_rawDesc, NumEnums: 0, - NumMessages: 16, + NumMessages: 15, NumExtensions: 0, NumServices: 2, }, diff --git a/authd.proto b/authd.proto index c0d2e9dfd..08e75deb5 100644 --- a/authd.proto +++ b/authd.proto @@ -8,11 +8,9 @@ service PAM { rpc SelectBroker(SBRequest) returns (SBResponse); rpc SelectAuthenticationMode(SAMRequest) returns (SAMResponse); rpc IsAuthorized(IARequest) returns (IAResponse); + rpc AbortSession(ASRequest) returns (Empty); rpc SetDefaultBrokerForUser(SDBFURequest) returns (Empty); - - rpc AbortSession(ASRequest) returns (Empty); - rpc CancelIsAuthorized(CIARequest) returns (Empty); } service NSS { @@ -103,7 +101,3 @@ message ASRequest { string session_id = 1; string username = 2; } - -message CIARequest { - string session_id = 1; -} diff --git a/authd_grpc.pb.go b/authd_grpc.pb.go index 9f3ae8dc1..cc7233a5e 100644 --- a/authd_grpc.pb.go +++ b/authd_grpc.pb.go @@ -23,9 +23,8 @@ const ( PAM_SelectBroker_FullMethodName = "/PAM/SelectBroker" PAM_SelectAuthenticationMode_FullMethodName = "/PAM/SelectAuthenticationMode" PAM_IsAuthorized_FullMethodName = "/PAM/IsAuthorized" - PAM_SetDefaultBrokerForUser_FullMethodName = "/PAM/SetDefaultBrokerForUser" PAM_AbortSession_FullMethodName = "/PAM/AbortSession" - PAM_CancelIsAuthorized_FullMethodName = "/PAM/CancelIsAuthorized" + PAM_SetDefaultBrokerForUser_FullMethodName = "/PAM/SetDefaultBrokerForUser" ) // PAMClient is the client API for PAM service. 
@@ -36,9 +35,8 @@ type PAMClient interface { SelectBroker(ctx context.Context, in *SBRequest, opts ...grpc.CallOption) (*SBResponse, error) SelectAuthenticationMode(ctx context.Context, in *SAMRequest, opts ...grpc.CallOption) (*SAMResponse, error) IsAuthorized(ctx context.Context, in *IARequest, opts ...grpc.CallOption) (*IAResponse, error) - SetDefaultBrokerForUser(ctx context.Context, in *SDBFURequest, opts ...grpc.CallOption) (*Empty, error) AbortSession(ctx context.Context, in *ASRequest, opts ...grpc.CallOption) (*Empty, error) - CancelIsAuthorized(ctx context.Context, in *CIARequest, opts ...grpc.CallOption) (*Empty, error) + SetDefaultBrokerForUser(ctx context.Context, in *SDBFURequest, opts ...grpc.CallOption) (*Empty, error) } type pAMClient struct { @@ -85,15 +83,6 @@ func (c *pAMClient) IsAuthorized(ctx context.Context, in *IARequest, opts ...grp return out, nil } -func (c *pAMClient) SetDefaultBrokerForUser(ctx context.Context, in *SDBFURequest, opts ...grpc.CallOption) (*Empty, error) { - out := new(Empty) - err := c.cc.Invoke(ctx, PAM_SetDefaultBrokerForUser_FullMethodName, in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - func (c *pAMClient) AbortSession(ctx context.Context, in *ASRequest, opts ...grpc.CallOption) (*Empty, error) { out := new(Empty) err := c.cc.Invoke(ctx, PAM_AbortSession_FullMethodName, in, out, opts...) @@ -103,9 +92,9 @@ func (c *pAMClient) AbortSession(ctx context.Context, in *ASRequest, opts ...grp return out, nil } -func (c *pAMClient) CancelIsAuthorized(ctx context.Context, in *CIARequest, opts ...grpc.CallOption) (*Empty, error) { +func (c *pAMClient) SetDefaultBrokerForUser(ctx context.Context, in *SDBFURequest, opts ...grpc.CallOption) (*Empty, error) { out := new(Empty) - err := c.cc.Invoke(ctx, PAM_CancelIsAuthorized_FullMethodName, in, out, opts...) + err := c.cc.Invoke(ctx, PAM_SetDefaultBrokerForUser_FullMethodName, in, out, opts...) if err != nil { return nil, err } 
@@ -120,9 +109,8 @@ type PAMServer interface { SelectBroker(context.Context, *SBRequest) (*SBResponse, error) SelectAuthenticationMode(context.Context, *SAMRequest) (*SAMResponse, error) IsAuthorized(context.Context, *IARequest) (*IAResponse, error) - SetDefaultBrokerForUser(context.Context, *SDBFURequest) (*Empty, error) AbortSession(context.Context, *ASRequest) (*Empty, error) - CancelIsAuthorized(context.Context, *CIARequest) (*Empty, error) + SetDefaultBrokerForUser(context.Context, *SDBFURequest) (*Empty, error) mustEmbedUnimplementedPAMServer() } @@ -142,14 +130,11 @@ func (UnimplementedPAMServer) SelectAuthenticationMode(context.Context, *SAMRequ func (UnimplementedPAMServer) IsAuthorized(context.Context, *IARequest) (*IAResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method IsAuthorized not implemented") } -func (UnimplementedPAMServer) SetDefaultBrokerForUser(context.Context, *SDBFURequest) (*Empty, error) { - return nil, status.Errorf(codes.Unimplemented, "method SetDefaultBrokerForUser not implemented") -} func (UnimplementedPAMServer) AbortSession(context.Context, *ASRequest) (*Empty, error) { return nil, status.Errorf(codes.Unimplemented, "method AbortSession not implemented") } -func (UnimplementedPAMServer) CancelIsAuthorized(context.Context, *CIARequest) (*Empty, error) { - return nil, status.Errorf(codes.Unimplemented, "method CancelIsAuthorized not implemented") +func (UnimplementedPAMServer) SetDefaultBrokerForUser(context.Context, *SDBFURequest) (*Empty, error) { + return nil, status.Errorf(codes.Unimplemented, "method SetDefaultBrokerForUser not implemented") } func (UnimplementedPAMServer) mustEmbedUnimplementedPAMServer() {} 
@@ -236,24 +221,6 @@ func _PAM_IsAuthorized_Handler(srv interface{}, ctx context.Context, dec func(in return interceptor(ctx, in, info, handler) } -func _PAM_SetDefaultBrokerForUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(SDBFURequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(PAMServer).SetDefaultBrokerForUser(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: PAM_SetDefaultBrokerForUser_FullMethodName, - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(PAMServer).SetDefaultBrokerForUser(ctx, req.(*SDBFURequest)) - } - return interceptor(ctx, in, info, handler) -} - func _PAM_AbortSession_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(ASRequest) if err := dec(in); err != nil { 
@@ -272,20 +239,20 @@ func _PAM_AbortSession_Handler(srv interface{}, ctx context.Context, dec func(in return interceptor(ctx, in, info, handler) } -func _PAM_CancelIsAuthorized_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(CIARequest) +func _PAM_SetDefaultBrokerForUser_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(SDBFURequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(PAMServer).CancelIsAuthorized(ctx, in) + return srv.(PAMServer).SetDefaultBrokerForUser(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: PAM_CancelIsAuthorized_FullMethodName, + FullMethod: PAM_SetDefaultBrokerForUser_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(PAMServer).CancelIsAuthorized(ctx, req.(*CIARequest)) + return srv.(PAMServer).SetDefaultBrokerForUser(ctx, req.(*SDBFURequest)) } return interceptor(ctx, in, info, handler) } @@ -313,17 +280,13 @@ var PAM_ServiceDesc = grpc.ServiceDesc{ MethodName: "IsAuthorized", Handler: _PAM_IsAuthorized_Handler, }, - { - MethodName: "SetDefaultBrokerForUser", - Handler: _PAM_SetDefaultBrokerForUser_Handler, - }, { MethodName: "AbortSession", Handler: _PAM_AbortSession_Handler, }, { - MethodName: "CancelIsAuthorized", - Handler: _PAM_CancelIsAuthorized_Handler, + MethodName: "SetDefaultBrokerForUser", + Handler: _PAM_SetDefaultBrokerForUser_Handler, }, }, Streams: []grpc.StreamDesc{}, diff --git a/internal/brokers/broker.go b/internal/brokers/broker.go index 2950852b6..1a2095b24 100644 --- a/internal/brokers/broker.go +++ b/internal/brokers/broker.go 
@@ -23,7 +23,7 @@ type brokerer interface {
 SelectAuthenticationMode(ctx context.Context, sessionID, authenticationModeName string) (uiLayoutInfo map[string]string, err error)
 IsAuthorized(ctx context.Context, sessionID, authenticationData string) (access, infoUser string, err error)
 AbortSession(ctx context.Context, sessionID string) (err error)
- CancelIsAuthorized(ctx context.Context, sessionID string) (err error)
+ CancelIsAuthorized(ctx context.Context, sessionID string)
 }
 
 type Broker struct {
@@ -93,7 +93,7 @@ func (b Broker) GetAuthenticationModes(ctx context.Context, username, lang strin
 
 // SelectAuthenticationMode calls the broker corresponding method, stripping broker ID prefix from sessionID.
 func (b Broker) SelectAuthenticationMode(ctx context.Context, sessionID, authenticationModeName string) (uiLayoutInfo map[string]string, err error) {
- sessionID = strings.TrimPrefix(sessionID, fmt.Sprintf("%s-", b.ID))
+ sessionID = b.parseSessionID(sessionID)
 uiLayoutInfo, err = b.brokerer.SelectAuthenticationMode(ctx, sessionID, authenticationModeName)
 if err != nil {
 return nil, err
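Review bot: The `CancelIsAuthorized` method of `brokerer` loses its error return but gains no doc comment, and the implementations in this patch rely on a contract the interface never states: it must be a no-op when no IsAuthorized call is pending for `sessionID` (the Broker wrapper in broker.go says so), and Broker.IsAuthorized now invokes it from its ctx.Done branch while the broker's own IsAuthorized is still running on another goroutine, so it must be safe to call concurrently with that method. Suggested comment on the interface line: `// CancelIsAuthorized cancels the pending IsAuthorized call for sessionID, if any. It must be a no-op when nothing is pending and safe to call concurrently with IsAuthorized.` With no error to return, an implementation that cannot deliver the cancel (a transport-backed broker) has no way to surface that, so implementations should at least log the failure. The brokerer definition starts before the hunk.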
@@ -104,15 +104,26 @@ func (b Broker) SelectAuthenticationMode(ctx context.Context, sessionID, authent
 
 // IsAuthorized calls the broker corresponding method, stripping broker ID prefix from sessionID.
 func (b Broker) IsAuthorized(ctx context.Context, sessionID, authenticationData string) (access string, userInfo string, err error) {
- sessionID = strings.TrimPrefix(sessionID, fmt.Sprintf("%s-", b.ID))
+ sessionID = b.parseSessionID(sessionID)
 
- access, userInfo, err = b.brokerer.IsAuthorized(ctx, sessionID, authenticationData)
- if err != nil {
- return "", "", err
+ // monitor ctx in goroutine to call cancel
+ done := make(chan struct{})
+ go func() {
+ access, userInfo, err = b.brokerer.IsAuthorized(ctx, sessionID, authenticationData)
+ close(done)
+ }()
+
+ select {
+ case <-done:
+ if err != nil {
+ return "", "", err
+ }
+ case <-ctx.Done():
+ b.CancelIsAuthorized(ctx, sessionID)
 }
 
 // Validate access authorization.
- if !slices.Contains([]string{"allowed", "denied", "cancelled"}, access) {
+ if !slices.Contains(authReplies, access) {
 return "", "", fmt.Errorf("invalid access authorization key: %v", access)
 }
 
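Review bot: After `case <-ctx.Done():` the function falls through to `slices.Contains(authReplies, access)` and returns `access`, `userInfo` and `err` while the goroutine started above may still be writing those named results; that is a data race under `-race`, and in practice the caller usually gets an empty `access` and the "invalid access authorization key" error instead of the broker's cancelled reply. The cancel request is also issued with `ctx`, which is already done at that point, so a transport-backed broker is likely to reject it before it is delivered. Issuing the cancel on a context that is not derived from the cancelled one and then waiting on `done` keeps the result consistent and lets the error check move below the select; if a broker ignores the cancel the wait lasts as long as the broker call, which is the lifetime the goroutine already has. IsAuthorized's body continues past the end of the hunk.
```go
	select {
	case <-done:
	case <-ctx.Done():
		// ctx is already done here; use a separate context so the cancel
		// request itself is not rejected as cancelled.
		b.CancelIsAuthorized(context.Background(), sessionID)
		// Wait for the in-flight call so access/userInfo/err are only read
		// once the goroutine has finished writing them.
		<-done
	}
	if err != nil {
		return "", "", err
	}
	// … unchanged: access validation …
```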
@@ -129,14 +140,16 @@ func (b Broker) IsAuthorized(ctx context.Context, sessionID, authenticationData
 
 // AbortSession calls the broker corresponding method, stripping broker ID prefix from sessionID.
 func (b Broker) AbortSession(ctx context.Context, sessionID string) (err error) {
- sessionID = strings.TrimPrefix(sessionID, fmt.Sprintf("%s-", b.ID))
+ sessionID = b.parseSessionID(sessionID)
 return b.brokerer.AbortSession(ctx, sessionID)
 }
 
-// CancelIsAuthorized calls the broker corresponding method, stripping broker ID prefix from sessionID.
-func (b Broker) CancelIsAuthorized(ctx context.Context, sessionID string) (err error) {
- sessionID = strings.TrimPrefix(sessionID, fmt.Sprintf("%s-", b.ID))
- return b.brokerer.CancelIsAuthorized(ctx, sessionID)
+// CancelIsAuthorized calls the broker corresponding method.
+// If the session does not have a pending IsAuthorized call, this is a no-op.
+//
+// Even though this is a public method, it should only be interacted with through IsAuthorized and ctx cancellation.
+func (b Broker) CancelIsAuthorized(ctx context.Context, sessionID string) {
+ b.brokerer.CancelIsAuthorized(ctx, sessionID)
 }
 
 // validateUILayout validates the required fields and values for a given type.
@@ -188,3 +201,8 @@ func validateUILayout(layout map[string]string) (r map[string]string, err error)
 
 return r, nil
 }
+
+// parseSessionID strips broker ID prefix from sessionID.
+func (b Broker) parseSessionID(sessionID string) string {
+ return strings.TrimPrefix(sessionID, fmt.Sprintf("%s-", b.ID))
+}
diff --git a/internal/brokers/dbusbroker.go b/internal/brokers/dbusbroker.go
index 9a4d8dd2c..af64b5742 100644
--- a/internal/brokers/dbusbroker.go
+++ b/internal/brokers/dbusbroker.go
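Review bot: `CancelIsAuthorized` is the only exported Broker method in this hunk that no longer runs its argument through `parseSessionID`, so a caller that passes the prefixed session id every other method accepts gets a silent no-op from the broker instead of a cancellation. The new doc comment says the method should only be reached through IsAuthorized, which already strips the prefix; unexporting it, `func (b Broker) cancelIsAuthorized(ctx context.Context, sessionID string) {`, enforces that instead of documenting it. If it has to stay exported, state the precondition in the comment, e.g. `// sessionID must already be stripped of the broker ID prefix (see parseSessionID).` so the asymmetry with AbortSession above is deliberate rather than surprising.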
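Review bot: `parseSessionID` formats the prefix with `fmt.Sprintf("%s-", b.ID)` on every call, which reads as heavier than it is; plain concatenation says the same thing without the formatting pass: `return strings.TrimPrefix(sessionID, b.ID+"-")`. Note also that TrimPrefix returns an id that does not start with this broker's prefix unchanged, so the helper cannot tell a caller whether the id actually belonged to this broker; if that routing is validated elsewhere, a sentence in the comment saying so would save the next reader the question.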
@@ -70,6 +70,5 @@ func (b dbusBroker) IsAuthorized(ctx context.Context, sessionID, authenticationD
 func (b dbusBroker) AbortSession(ctx context.Context, sessionID string) (err error) {
 return nil
 }
-func (b dbusBroker) CancelIsAuthorized(ctx context.Context, sessionID string) (err error) {
- return nil
+func (b dbusBroker) CancelIsAuthorized(ctx context.Context, sessionID string) {
 }
diff --git a/internal/brokers/examplebroker.go b/internal/brokers/examplebroker.go
index d72adcb07..e430df085 100644
--- a/internal/brokers/examplebroker.go
+++ b/internal/brokers/examplebroker.go
@@ -16,11 +16,6 @@ import (
 "golang.org/x/exp/slices"
 )
 
-const (
- authDenied = "denied"
- authCancelled = "cancelled"
-)
-
 type sessionInfo struct {
 username string
 selectedMode string
@@ -301,9 +296,9 @@ func (b *exampleBroker) IsAuthorized(ctx context.Context, sessionID, authenticat
 if _, exists := b.isAuthorizedCalls[sessionID]; exists {
 return "", "", fmt.Errorf("IsAuthorized already running for session %q", sessionID)
 }
- cc, cancel := context.WithCancel(ctx)
+ ctx, cancel := context.WithCancel(ctx)
 b.isAuthorizedCallsMu.Lock()
- b.isAuthorizedCalls[sessionID] = isAuthorizedCtx{cc, cancel}
+ b.isAuthorizedCalls[sessionID] = isAuthorizedCtx{ctx, cancel}
 b.isAuthorizedCallsMu.Unlock()
 
 // Cleans up the IsAuthorized context when the call is done.
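Review bot: `dbusBroker.CancelIsAuthorized` becomes an empty body with no comment, so a reader cannot tell whether a cancelled IsAuthorized is deliberately not forwarded over D-Bus or simply not implemented yet; the neighbouring `AbortSession` returning nil suggests the latter, but the hunk does not say. Suggested comment above the method: `// CancelIsAuthorized is not yet implemented for the D-Bus broker: a cancelled IsAuthorized call is not forwarded to the broker process.` The `localBroker.CancelIsAuthorized` hunk in localbroker.go has the same bare body; given that AbortSession there is documented as never being called on the local broker, `// CancelIsAuthorized is a no-op: the local broker has no pending IsAuthorized call to cancel.` is the wording I would use, if that is indeed the intent.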
@@ -329,68 +324,67 @@ func (b *exampleBroker) handleIsAuthorized(ctx context.Context, sessionInfo sess
 switch sessionInfo.selectedMode {
 case "password":
 if authData["challenge"] != "goodpass" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 case "pincode":
 if authData["challenge"] != "4242" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 case "totp_with_button", "totp":
 if authData["challenge"] != "temporary pass" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 case "phoneack1":
 if authData["wait"] != "true" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 // Send notification to phone1 and wait on server signal to return if OK or not
 select {
 case <-time.After(5 * time.Second):
- return authDenied, "", nil
+ return AuthDenied, "", nil
 case <-ctx.Done():
- return authCancelled, "", nil
+ return AuthCancelled, "", nil
 }
 case "phoneack2":
 if authData["wait"] != "true" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 // This one is failing remotely as an example
 select {
 case <-time.After(2 * time.Second):
- return authDenied, "", nil
+ return AuthDenied, "", nil
 case <-ctx.Done():
- return authCancelled, "", nil
-
+ return AuthCancelled, "", nil
 }
 case "fidodevice1":
 if authData["wait"] != "true" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 // simulate direct exchange with the FIDO device
 select {
 case <-time.After(5 * time.Second):
- return authDenied, "", nil
+ return AuthDenied, "", nil
 case <-ctx.Done():
- return authCancelled, "", nil
+ return AuthCancelled, "", nil
 }
 case "qrcodewithtypo":
 if authData["wait"] != "true" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 // Simulate connexion with remote server to check that the correct code was entered
 select {
 case <-time.After(4 * time.Second):
- return authDenied, "", nil
+ return AuthDenied, "", nil
 case <-ctx.Done():
- return authCancelled, "", nil
+ return AuthCancelled, "", nil
 }
@@ -400,28 +394,28 @@ func (b *exampleBroker) handleIsAuthorized(ctx context.Context, sessionInfo sess
 if authData["challenge"] != "" {
 // validate challenge given manually by the user
 if authData["challenge"] != "aaaaa" {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 } else if authData["wait"] == "true" {
 // we are simulating clicking on the url signal received by the broker
 // this can be cancelled to resend a challenge
 select {
 case <-time.After(10 * time.Second):
- return authDenied, "", nil
+ return AuthDenied, "", nil
 case <-ctx.Done():
- return authCancelled, "", nil
+ return AuthCancelled, "", nil
 }
 } else {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 }
 
 infoUser, exists := users[sessionInfo.username]
 if !exists {
- return authDenied, "", nil
+ return AuthDenied, "", nil
 }
 
- return "allowed", infoUser, nil
+ return AuthAllowed, infoUser, nil
 }
 
 // AbortSession cancels the authentication flow for the specified session.
@@ -436,16 +430,16 @@ func (b *exampleBroker) AbortSession(ctx context.Context, sessionID string) erro
 }
 
 // CancelIsAuthorized cancels the IsAuthorized request for the specified session.
-func (b *exampleBroker) CancelIsAuthorized(ctx context.Context, sessionID string) error {
+// If there is no pending IsAuthorized call for the session, this is a no-op.
+func (b *exampleBroker) CancelIsAuthorized(ctx context.Context, sessionID string) {
 if _, exists := b.isAuthorizedCalls[sessionID]; !exists {
- return fmt.Errorf("no IsAuthorized call associated with session %q", sessionID)
+ return
 }
 
 b.isAuthorizedCalls[sessionID].cancelFunc()
 b.isAuthorizedCallsMu.Lock()
 delete(b.isAuthorizedCalls, sessionID)
 b.isAuthorizedCallsMu.Unlock()
- return nil
 }
 
 func mapToJson(input map[string]string) string {
diff --git a/internal/brokers/localbroker.go b/internal/brokers/localbroker.go
index 27e85c500..3907ff4d2 100644
--- a/internal/brokers/localbroker.go
+++ b/internal/brokers/localbroker.go
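Review bot: The new early return in `CancelIsAuthorized` keeps two unguarded reads of `b.isAuthorizedCalls[sessionID]` (the existence check and the `.cancelFunc()` call) while the `delete` three lines later does take `isAuthorizedCallsMu`, so now that Broker.IsAuthorized in broker.go calls this from its ctx.Done branch while the broker's IsAuthorized is still running, the map is read and written concurrently without a lock. There is also a window between the check and the second lookup: if the cleanup mentioned in the IsAuthorized hunk removes the entry in between, the second lookup yields a zero `isAuthorizedCtx` and calling its nil `cancelFunc` panics the daemon. One lookup plus the delete under the mutex, with the cancel invoked outside it, closes both; the existence check at the top of the IsAuthorized hunk earlier in this file has the same unguarded read and should move under the lock too.
```go
func (b *exampleBroker) CancelIsAuthorized(ctx context.Context, sessionID string) {
	b.isAuthorizedCallsMu.Lock()
	call, exists := b.isAuthorizedCalls[sessionID]
	if exists {
		delete(b.isAuthorizedCalls, sessionID)
	}
	b.isAuthorizedCallsMu.Unlock()
	if !exists {
		return
	}
	call.cancelFunc()
}
```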
@@ -21,6 +21,5 @@ func (b localBroker) IsAuthorized(ctx context.Context, sessionID, authentication
 func (b localBroker) AbortSession(ctx context.Context, sessionID string) (err error) {
 return errors.New("AbortSession should never be called on local broker")
 }
-func (b localBroker) CancelIsAuthorized(ctx context.Context, sessionID string) (err error) {
- return errors.New("CancelIsAuthorized should never be called on local broker")
+func (b localBroker) CancelIsAuthorized(ctx context.Context, sessionID string) {
 }
diff --git a/internal/brokers/responses.go b/internal/brokers/responses.go
new file mode 100644
index 000000000..83dedd5cf
--- /dev/null
+++ b/internal/brokers/responses.go
@@ -0,0 +1,13 @@
+package brokers
+
+const (
+ // AuthAllowed is the response when the authentication is allowed.
+ AuthAllowed = "allowed"
+ // AuthDenied is the response when the authentication is denied.
+ AuthDenied = "denied"
+ // AuthCancelled is the response when the authentication is cancelled.
+ AuthCancelled = "cancelled"
+)
+
+// authReplies is the list of all possible authentication replies.
+var authReplies = []string{AuthAllowed, AuthDenied, AuthCancelled}
diff --git a/internal/services/pam/pam.go b/internal/services/pam/pam.go
index a4592f7f3..25a3b1a95 100644
--- a/internal/services/pam/pam.go
+++ b/internal/services/pam/pam.go
@@ -202,26 +202,6 @@ func (s Service) AbortSession(ctx context.Context, req *authd.ASRequest) (empty
 return &authd.Empty{}, s.brokerManager.AbortSession(ctx, sessionID)
 }
 
-// CancelIsAuthorized cancels the IsAuthorized request related to the specified session.
-func (s Service) CancelIsAuthorized(ctx context.Context, req *authd.CIARequest) (empty *authd.Empty, err error) {
- decorate.OnError(&err, "could not cancel IsAuthorized")
-
- sessionID := req.GetSessionId()
- if sessionID == "" {
- return nil, errors.New("no session id given")
- }
-
- b, err := s.brokerManager.BrokerForSessionID(sessionID)
- if err != nil {
- return nil, err
- }
- if b == nil {
- return nil, errors.New("no broker found")
- }
-
- return &authd.Empty{}, b.CancelIsAuthorized(ctx, sessionID)
-}
-
 func uiLayoutToMap(layout *authd.UILayout) (mapLayout map[string]string, err error) {
 if layout.GetType() == "" {
 return nil, fmt.Errorf("invalid layout option: type is required, got: %v", layout)
diff --git a/pam/pam.go b/pam/pam.go
index 59fc70592..b539c5725 100644
--- a/pam/pam.go
+++ b/pam/pam.go
@@ -16,7 +16,6 @@ import (
 "errors"
 "fmt"
 "os"
- "os/signal"
 "strconv"
 "strings"
 "syscall"
@@ -24,6 +23,7 @@ import (
 
 "github.com/skip2/go-qrcode"
 "github.com/ubuntu/authd"
+ "github.com/ubuntu/authd/internal/brokers"
 "github.com/ubuntu/authd/internal/consts"
 "github.com/ubuntu/authd/internal/log"
 "golang.org/x/sys/unix"
@@ -184,9 +184,6 @@ func pam_sm_authenticate(pamh *C.pam_handle_t, flags, argc C.int, argv **C.char)
 var iaResp *authd.IAResponse
 var err error
 
- //TODO: Consider IsAuthorized cancelling when refactoring the UI.
- go cancelIsAuthorizedWatcher(client, sessionID)
-
 switch uiLayout.Type {
 case "form":
 iaResp, err = formChallenge(client, sessionID, encryptionKey, uiLayout)
@@ -213,7 +210,7 @@ func pam_sm_authenticate(pamh *C.pam_handle_t, flags, argc C.int, argv **C.char)
 
 // Check if authorized
 switch strings.ToLower(iaResp.Access) {
- case "denied":
+ case brokers.AuthDenied:
 fmt.Println("Access Denied")
 challengeRetry++
 if challengeRetry < maxChallengeRetries {
@@ -221,10 +218,10 @@ func pam_sm_authenticate(pamh *C.pam_handle_t, flags, argc C.int, argv **C.char)
 continue
 }
 return C.PAM_AUTH_ERR
- case "allowed":
+ case brokers.AuthAllowed:
 fmt.Printf("Welcome:\n%s\n", iaResp.UserInfo)
 return C.PAM_SUCCESS
- case "cancelled":
+ case brokers.AuthCancelled:
 currentAuthModeName = ""
 stage = StageAuthenticationMode
 continue
@@ -237,27 +234,6 @@ func pam_sm_authenticate(pamh *C.pam_handle_t, flags, argc C.int, argv **C.char)
 }
 }
 
-// cancelIsAuthorizedWatcher starts watching for a single SIGINT that will cancel the IsAuthorized call related to the
-// provided sessionID.
-//
-// This is a test function (for now) and it times out after 30 seconds.
-func cancelIsAuthorizedWatcher(client authd.PAMClient, sessionID string) {
- ch := make(chan os.Signal, 1)
- signal.Notify(ch, syscall.SIGINT)
- defer signal.Stop(ch)
-
- select {
- case <-ch:
- // Ask broker to cancel current authentication mode.
- if _, err := client.CancelIsAuthorized(context.TODO(), &authd.CIARequest{SessionId: sessionID}); err != nil {
- log.Errorf(context.Background(), "couldn't cancel authentication mode: %v", err)
- }
- case <-time.After(30 * time.Second):
- signal.Stop(ch)
- close(ch)
- }
-}
-
 // selectBroker allows interactive broker selection.
 // Only one choice will be returned immediately.
 func selectBrokerInteractive(brokersInfo []*authd.ABResponse_BrokerInfo) (brokerID, brokerName string, err error) {
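Review bot: `switch strings.ToLower(iaResp.Access)` now compares against `brokers.AuthDenied`, `brokers.AuthAllowed` and `brokers.AuthCancelled`, but the daemon side (Broker.IsAuthorized in broker.go, same patch) only lets through values that are exactly in `authReplies`, so the case-folding here can no longer match anything the exact comparison would miss, and it would quietly paper over a mismatch if a constant ever changed case; `switch iaResp.Access {` keeps the two ends of the protocol consistent. Pulling these strings from `internal/brokers` also couples the PAM module to a daemon-internal package; since the values travel on the wire in `IAResponse.Access`, they arguably belong next to the generated API types, worth a look if the pam module is meant to stay separable. The same constants appear in the second hunk of this file and in the formChallenge hunk below. pam_sm_authenticate's body starts before and continues after the hunk.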
@@ -430,12 +406,8 @@ func formChallenge(client authd.PAMClient, sessionID, encryptionKey string, uiLa
 SessionId: sessionID,
 AuthenticationData: `{"wait": "true"}`,
 })
-
- // No more processing if entry has been filed.
- select {
- case <-waitCtx.Done():
+ if iaResp.Access == brokers.AuthCancelled {
 return
- default:
 }
 cancelTerm()