From 9aa3d50b26a1904a9272f8ab5c44108b26d75604 Mon Sep 17 00:00:00 2001 From: Didier Roche Date: Tue, 19 Sep 2023 14:55:07 +0200 Subject: [PATCH 01/11] Add first step user info validation in broker This is to ensure that we will validate any type of response from the broker. Co-authored-by: Jean-Baptiste Lallement --- internal/brokers/broker.go | 46 +++++++++++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 3 deletions(-) diff --git a/internal/brokers/broker.go b/internal/brokers/broker.go index d3d2596f0..c0dc20050 100644 --- a/internal/brokers/broker.go +++ b/internal/brokers/broker.go @@ -11,6 +11,7 @@ import ( "github.com/godbus/dbus/v5" "github.com/ubuntu/authd/internal/brokers/responses" + "github.com/ubuntu/authd/internal/cache" "github.com/ubuntu/authd/internal/log" "github.com/ubuntu/decorate" "golang.org/x/exp/slices" 
@@ -153,12 +154,51 @@ func (b Broker) IsAuthenticated(ctx context.Context, sessionID, authenticationDa return "", "", fmt.Errorf("invalid access authentication key: %v", access) } - // Validate json if data == "" { data = "{}" } - if !json.Valid([]byte(data)) { - return "", "", fmt.Errorf("invalid user information (not json formatted): %v", data) + + // TODO: validate response from broker + switch access { + case responses.AuthGranted: + var returnedData map[string]json.RawMessage + err = json.Unmarshal([]byte(data), &returnedData) + if err != nil { + return "", "", fmt.Errorf("response returned by the broker is not a valid json: %v\nBroker returned: %v", err, data) + } + + rawUserInfo, ok := returnedData["userinfo"] + if !ok { + return "", "", fmt.Errorf("missing userinfo key in granted user access, got: %v", data) + } + + var uInfo struct { + cache.UserInfo + UUID string + UGID string + Groups []struct { + Name string + UGID string + } + } + err := json.Unmarshal(rawUserInfo, &uInfo) + if err != nil { + return "", "", fmt.Errorf("invalid user information (not json formatted): %v", err) + } + // TODO: transform UUID and UGID into UID and GID and validates that any required fields are here. + uInfo.UID = 65536 + len(b.ID+uInfo.UUID) // should not be above 100000 + for _, g := range uInfo.Groups { + uInfo.UserInfo.Groups = append(uInfo.UserInfo.Groups, cache.GroupInfo{ + Name: g.Name, + GID: 65536 + len(b.ID+g.UGID), + }) + } + + d, err := json.Marshal(uInfo.UserInfo) + if err != nil { + return "", "", fmt.Errorf("can't marshal UserInfo: %v", err) + } + data = string(d) } return access, data, nil From 75d4c2ab06a168b6b9b025a949817da0cadc180b Mon Sep 17 00:00:00 2001 
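Review bot: The placeholder mapping `uInfo.UID = 65536 + len(b.ID+uInfo.UUID)` (and `GID: 65536 + len(b.ID+g.UGID)` in the loop) gives the same UID to every user whose UUID has the same length, so two distinct broker accounts would share file ownership and permissions on the host. The golden files later in this series show the value tracking name length only: `success` becomes 65558 and `IA_second_call` becomes 65565. Until the TODO is resolved, this path should at least reject empty identifiers, e.g. `if uInfo.Name == "" || uInfo.UUID == "" { return "", "", fmt.Errorf("missing name or uuid in userinfo") }`, and the final mapping needs to be unique per broker and UUID, with a collision check. Separately, the `Broker returned: %v` suffix copies the whole broker payload into an error that the pam golden files show reaching the gRPC client; logging it at debug level would keep it out of the client-visible error. IsAuthenticated starts above this hunk.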
From: Didier Roche Date: Tue, 19 Sep 2023 14:58:40 +0200 Subject: [PATCH 02/11] Make mock broker more realistic with the expected answers Ensure we pass names, uuids and other informations as expected from our new broker implementation. Co-authored-by: Jean-Baptiste Lallement --- internal/testutils/broker.go | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/internal/testutils/broker.go b/internal/testutils/broker.go index c100b7ba6..e7bc3cfd2 100644 --- a/internal/testutils/broker.go +++ b/internal/testutils/broker.go @@ -1,8 +1,10 @@ package testutils import ( + "bytes" "context" "fmt" + "html/template" "os" "path/filepath" "strings" @@ -221,7 +223,7 @@ func (b *BrokerBusMock) IsAuthenticated(sessionID, authenticationData string) (a }() access = responses.AuthGranted - data = `{"mock_answer": "authentication granted by default"}` + data = fmt.Sprintf(`{"mock_answer": "authentication granted by default", "userinfo": %s}`, userInfoFromName(parsedID)) if parsedID == "IA_invalid" { access = "invalid" } @@ -232,21 +234,22 @@ func (b *BrokerBusMock) IsAuthenticated(sessionID, authenticationData string) (a case "IA_timeout": time.Sleep(time.Second) access = "denied" - data = `{"mock_answer": "denied by time out"}` + data = `{"message": "denied by time out"}` case "IA_wait": <-ctx.Done() access = "cancelled" - data = `{"mock_answer": "cancelled by user"}` + data = `{"message": "cancelled by user"}` case "IA_second_call": select { case <-ctx.Done(): access = "cancelled" - data = `{"mock_answer": "cancelled by user"}` + data = `{"message": "cancelled by user"}` case <-time.After(2 * time.Second): access = responses.AuthGranted - data = `{"mock_answer": "authentication granted by timeout"}` + data = fmt.Sprintf(`{"mock_answer": "authentication granted by mock timeout", "userinfo": %s}`, userInfoFromName(parsedID)) } } + //TODO: Add cases for the new access types close(done) }() 
@@ -293,3 +296,25 @@ func parseSessionID(sessionID string) string { } return strings.TrimSuffix(cut[len(cut)-1], "-session_id") } + +// userInfoFromName transform a given name to the strinfigy userinfo string. +func userInfoFromName(name string) string { + user := struct { + Name string + }{Name: name} + + var buf bytes.Buffer + + // only used for tests, we can ignore the template execution error as the returned data will be failing. + _ = template.Must(template.New("").Parse(`{ + "name": "{{.Name}}", + "uuid": "uuid-{{.Name}}", + "gecos": "gecos for {{.Name}}", + "dir": "/home/{{.Name}}", + "shell": "/bin/sh/{{.Name}}", + "avatar": "avatar for {{.Name}}", + "groups": [ {"name": "group-{{.Name}}", "ugid": "group-{{.Name}}"} ] + }`)).Execute(&buf, user) + + return buf.String() +} From 3bf365e78f0ab1803c472f737ef928eec7696646 Mon Sep 17 00:00:00 2001 From: Didier Roche Date: Tue, 19 Sep 2023 15:15:15 +0200 Subject: [PATCH 03/11] Update tests and golden files for new broker behaviour We now are starting to get interest from the returned fields. We will ignore then the mock entry, and ensure we have a userinfo in case of success for now. Co-authored-by: Jean-Baptiste Lallement --- internal/brokers/broker_test.go | 7 +++---- .../golden/denies_authentication_when_broker_times_out | 2 +- .../golden/empty_data_gets_json_formatted | 4 ---- .../golden/error_on_empty_data_even_if_granted | 4 ++++ .../golden/error_when_broker_returns_invalid_data | 3 ++- ...alling_isauthenticated_a_second_time_without_cancelling | 2 +- .../TestIsAuthenticated/golden/successfully_authenticate | 2 +- .../successfully_authenticate_after_cancelling_first_call | 4 ++-- 8 files changed, 14 insertions(+), 14 deletions(-) delete mode 100644 internal/brokers/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted create mode 100644 internal/brokers/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted 
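Review bot: `userInfoFromName` builds a JSON document with `html/template`, whose escaper targets HTML contexts, not JSON strings: a quote in the name comes out as an HTML entity and a backslash passes through unescaped, so the value is either altered or forms a broken JSON escape. `template.Must` only guards `Parse`, and the `Execute` error is discarded by `_ =`, so a failed render yields a truncated buffer that is only caught if the caller's JSON check happens to fail. Marshalling a small struct with `encoding/json` removes both problems and replaces the `bytes` and `html/template` imports added in the first hunk of this file. The same helper is copied into internal/brokers/examplebroker/broker.go later in this series, where it is fed `user.Name`, and the point applies there as well.

```go
func userInfoFromName(name string) string {
	type group struct {
		Name string `json:"name"`
		UGID string `json:"ugid"`
	}
	info := struct {
		Name   string  `json:"name"`
		UUID   string  `json:"uuid"`
		Gecos  string  `json:"gecos"`
		Dir    string  `json:"dir"`
		Shell  string  `json:"shell"`
		Avatar string  `json:"avatar"`
		Groups []group `json:"groups"`
	}{
		Name:   name,
		UUID:   "uuid-" + name,
		Gecos:  "gecos for " + name,
		Dir:    "/home/" + name,
		Shell:  "/bin/sh/" + name,
		Avatar: "avatar for " + name,
		Groups: []group{{Name: "group-" + name, UGID: "group-" + name}},
	}

	// json.Marshal quotes every value as a JSON string, whatever the name contains.
	b, err := json.Marshal(info)
	if err != nil {
		// An empty string makes the caller's JSON validation fail visibly.
		return ""
	}
	return string(b)
}
```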
diff --git a/internal/brokers/broker_test.go b/internal/brokers/broker_test.go index 11b74e969..03a7900d9 100644 --- a/internal/brokers/broker_test.go +++ b/internal/brokers/broker_test.go @@ -214,13 +214,12 @@ func TestIsAuthenticated(t *testing.T) { "Successfully authenticate after cancelling first call": {sessionID: "IA_second_call", secondCall: true}, "Denies authentication when broker times out": {sessionID: "IA_timeout"}, - "Empty data gets JSON formatted": {sessionID: "IA_empty_data"}, - // broker errors "Error when authenticating": {sessionID: "IA_error"}, "Error when broker returns invalid access": {sessionID: "IA_invalid"}, "Error when broker returns invalid data": {sessionID: "IA_invalid_data"}, "Error when calling IsAuthenticated a second time without cancelling": {sessionID: "IA_second_call", secondCall: true, cancelFirstCall: true}, + "Error on empty data even if granted": {sessionID: "IA_empty_data"}, } for name, tc := range tests { tc := tc @@ -239,7 +238,7 @@ func TestIsAuthenticated(t *testing.T) { go func() { defer close(done) access, gotData, err := b.IsAuthenticated(ctx, tc.sessionID, "password") - firstCallReturn = fmt.Sprintf("FIRST CALL:\n\taccess: %s\n\tdata: %s\n\terr: %v\n", access, gotData, err) + firstCallReturn = fmt.Sprintf("FIRST CALL:\n\taccess: %s\n\tdata: %+v\n\terr: %v\n", access, gotData, err) }() // Give some time for the first call to block @@ -251,7 +250,7 @@ func TestIsAuthenticated(t *testing.T) { <-done } access, gotData, err := b.IsAuthenticated(context.Background(), tc.sessionID, "password") - secondCallReturn = fmt.Sprintf("SECOND CALL:\n\taccess: %s\n\tdata: %s\n\terr: %v\n", access, gotData, err) + secondCallReturn = fmt.Sprintf("SECOND CALL:\n\taccess: %s\n\tdata: %+v\n\terr: %v\n", access, gotData, err) } <-done 
diff --git a/internal/brokers/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out b/internal/brokers/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out index 77f439999..ada61c725 100644 --- a/internal/brokers/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out +++ b/internal/brokers/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out @@ -1,4 +1,4 @@ FIRST CALL: access: denied - data: {"mock_answer": "denied by time out"} + data: {"message": "denied by time out"} err: diff --git a/internal/brokers/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted b/internal/brokers/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted deleted file mode 100644 index d1e3660f2..000000000 --- a/internal/brokers/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted +++ /dev/null @@ -1,4 +0,0 @@ -FIRST CALL: - access: granted - data: {} - err: diff --git a/internal/brokers/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted b/internal/brokers/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted new file mode 100644 index 000000000..d9209c760 --- /dev/null +++ b/internal/brokers/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted @@ -0,0 +1,4 @@ +FIRST CALL: + access: + data: + err: missing userinfo key in granted user access, got: {} diff --git a/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data b/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data index 24228baf0..3870ab197 100644 --- a/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data +++ b/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data 
@@ -1,4 +1,5 @@ FIRST CALL: access: data: - err: invalid user information (not json formatted): invalid + err: response returned by the broker is not a valid json: invalid character 'i' looking for beginning of value +Broker returned: invalid diff --git a/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_calling_isauthenticated_a_second_time_without_cancelling b/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_calling_isauthenticated_a_second_time_without_cancelling index 7e0e840f5..f0017c1d3 100644 --- a/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_calling_isauthenticated_a_second_time_without_cancelling +++ b/internal/brokers/testdata/TestIsAuthenticated/golden/error_when_calling_isauthenticated_a_second_time_without_cancelling @@ -1,6 +1,6 @@ FIRST CALL: access: granted - data: {"mock_answer": "authentication granted by timeout"} + data: {"Name":"IA_second_call","UID":65565,"Gecos":"gecos for IA_second_call","Dir":"/home/IA_second_call","Shell":"/bin/sh/IA_second_call","Groups":[{"Name":"group-IA_second_call","GID":65566}]} err: SECOND CALL: access: diff --git a/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate b/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate index 4d1f432d0..b42899715 100644 --- a/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate +++ b/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate @@ -1,4 +1,4 @@ FIRST CALL: access: granted - data: {"mock_answer": "authentication granted by default"} + data: {"Name":"success","UID":65558,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","Groups":[{"Name":"group-success","GID":65559}]} err: 
diff --git a/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate_after_cancelling_first_call b/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate_after_cancelling_first_call index 193a9473c..6675f23cf 100644 --- a/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate_after_cancelling_first_call +++ b/internal/brokers/testdata/TestIsAuthenticated/golden/successfully_authenticate_after_cancelling_first_call @@ -1,8 +1,8 @@ FIRST CALL: access: cancelled - data: {"mock_answer": "cancelled by user"} + data: {"message": "cancelled by user"} err: SECOND CALL: access: granted - data: {"mock_answer": "authentication granted by timeout"} + data: {"Name":"IA_second_call","UID":65565,"Gecos":"gecos for IA_second_call","Dir":"/home/IA_second_call","Shell":"/bin/sh/IA_second_call","Groups":[{"Name":"group-IA_second_call","GID":65566}]} err: From eecca6edeb30144661b911bc006bba9add6f5c77 Mon Sep 17 00:00:00 2001 From: Didier Roche Date: Tue, 19 Sep 2023 15:22:09 +0200 Subject: [PATCH 04/11] Update example broker to return auth data as in the spec Ensure we return userinfo and message in IsAuthenticated(). Co-authored-by: Jean-Baptiste Lallement --- internal/brokers/examplebroker/broker.go | 49 ++++++++++++++++++------ 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/internal/brokers/examplebroker/broker.go b/internal/brokers/examplebroker/broker.go index a5045a1f5..087b04a86 100644 --- a/internal/brokers/examplebroker/broker.go +++ b/internal/brokers/examplebroker/broker.go @@ -2,12 +2,14 @@ package examplebroker import ( + "bytes" "context" "crypto/aes" "encoding/hex" "encoding/json" "errors" "fmt" + "html/template" "math/rand" "sort" "strings" 
@@ -517,23 +519,24 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI switch sessionInfo.selectedMode { case "password": if authData["challenge"] != "goodpass" { - return responses.AuthRetry, "", nil + return responses.AuthRetry, `{"message": "invalid password, should be goodpass"}`, nil } case "pincode": if authData["challenge"] != "4242" { - return responses.AuthRetry, "", nil + return responses.AuthRetry, `{"message": "invalid pincode, should be 4242"}`, nil } case "totp_with_button", "totp": wantedCode := sessionInfo.allModes[sessionInfo.selectedMode]["wantedCode"] if authData["challenge"] != wantedCode { - return responses.AuthRetry, "", nil + return responses.AuthRetry, `{"message": "invalid totp code"}`, nil } case "phoneack1": + // TODO: should this be an error rather (not expected data from the PAM module? if authData["wait"] != "true" { - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "phoneack1 should have wait set to true"}`, nil } // Send notification to phone1 and wait on server signal to return if OK or not select { @@ -544,20 +547,20 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI case "phoneack2": if authData["wait"] != "true" { - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "phoneack2 should have wait set to true"}`, nil } // This one is failing remotely as an example select { case <-time.After(2 * time.Second): - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "Timeout reached"}`, nil case <-ctx.Done(): return responses.AuthCancelled, "", nil } case "fidodevice1": if authData["wait"] != "true" { - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "fidodevice1 should have wait set to true"}`, nil } // simulate direct exchange with the FIDO device 
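Review bot: The new retry messages in the `password` and `pincode` cases hand the accepted secret back to the caller (`should be goodpass`, `should be 4242`). That is harmless for fixed demo credentials, but this package is presumably what real brokers will be modelled on, and per patch 07 of this series the message is the part of the response returned to the PAM module. A comment above the switch would make the intent explicit, for example `// Example only: a real broker must never describe the expected secret in "message".` handleIsAuthenticated starts above this hunk and continues past it.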
@@ -569,7 +572,7 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI case "qrcodewithtypo": if authData["wait"] != "true" { - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "qrcodewithtypo should have wait set to true"}`, nil } // Simulate connexion with remote server to check that the correct code was entered select { @@ -585,7 +588,7 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI if authData["challenge"] != "" { // validate challenge given manually by the user if authData["challenge"] != "aaaaa" { - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "invalid challenge, should be aaaaa"}`, nil } } else if authData["wait"] == "true" { // we are simulating clicking on the url signal received by the broker @@ -596,16 +599,16 @@ func (b *Broker) handleIsAuthenticated(ctx context.Context, sessionInfo sessionI return responses.AuthCancelled, "", nil } } else { - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "challenge timeout "}`, nil } } user, exists := exampleUsers[sessionInfo.username] if !exists { - return responses.AuthDenied, "", nil + return responses.AuthDenied, `{"message": "user not found"}`, nil } - return responses.AuthGranted, user.String(), nil + return responses.AuthGranted, userInfoFromName(user.Name), nil } // EndSession ends the requested session and triggers the necessary clean up steps, if any. 
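Review bot: In the last hunk on this line the final `else` branch now returns `{"message": "challenge timeout "}`, but from the visible lines that branch appears to be reached when the request carried neither a `challenge` nor `wait` set to `true`, not when a timer expired. The text also has a trailing space inside the string. A message that matches the condition would be easier to diagnose from the PAM side, e.g. `return responses.AuthDenied, `+"`"+`{"message": "either challenge or wait must be provided"}`+"`"+`, nil` written as a plain raw-string literal like its neighbours. The if/else chain starts in the previous hunk, so the branch condition should be confirmed against the full function.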
@@ -719,3 +722,25 @@ func (b *Broker) updateSession(sessionID string, info sessionInfo) error { b.currentSessions[sessionID] = info return nil } + +// userInfoFromName transform a given name to the strinfigy userinfo string. +func userInfoFromName(name string) string { + user := struct { + Name string + }{Name: name} + + var buf bytes.Buffer + + // only used for the example, we can ignore the template execution error as the returned data will be failing. + _ = template.Must(template.New("").Parse(`{ + "name": "{{.Name}}", + "uuid": "uuid-{{.Name}}", + "gecos": "gecos for {{.Name}}", + "dir": "/home/{{.Name}}", + "shell": "/bin/sh/{{.Name}}", + "avatar": "avatar for {{.Name}}", + "groups": [ {"name": "group-{{.Name}}", "ugid": "group-{{.Name}}"} ] + }`)).Execute(&buf, user) + + return buf.String() +} From 72c3c14a7ea73e8e7ab53da8d243ba828963769b Mon Sep 17 00:00:00 2001 From: Didier Roche Date: Tue, 19 Sep 2023 15:38:50 +0200 Subject: [PATCH 05/11] Update to Go 1.21.1 to avoid vulnerability in text template. Co-authored-by: Jean-Baptiste Lallement --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 16a2c95f0..60e357e72 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/ubuntu/authd -go 1.21.0 +go 1.21.1 require ( github.com/charmbracelet/bubbles v0.16.1 From c9e6f790510940e8a03026f4a986876380556231 Mon Sep 17 00:00:00 2001 
From: Didier Roche Date: Tue, 19 Sep 2023 15:47:57 +0200 Subject: [PATCH 06/11] Refresh pam service tests with new mock behaviour Co-authored-by: Jean-Baptiste Lallement --- internal/services/pam/pam_test.go | 5 ++--- .../golden/denies_authentication_when_broker_times_out | 2 +- .../golden/empty_data_gets_json_formatted | 4 ---- .../golden/error_on_empty_data_even_if_granted | 4 ++++ .../golden/error_when_broker_returns_invalid_data | 3 ++- .../golden/error_when_calling_second_time_without_cancelling | 2 +- .../TestIsAuthenticated/golden/successfully_authenticate | 2 +- .../successfully_authenticate_if_first_call_is_canceled | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) delete mode 100644 internal/services/pam/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted create mode 100644 internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted diff --git a/internal/services/pam/pam_test.go b/internal/services/pam/pam_test.go index be6c5358c..3ab79eee6 100644 --- a/internal/services/pam/pam_test.go +++ b/internal/services/pam/pam_test.go 
@@ -315,18 +315,17 @@ func TestIsAuthenticated(t *testing.T) { secondCall bool cancelFirstCall bool }{ - "Successfully authenticate": {}, + "Successfully authenticate": {username: "success"}, "Successfully authenticate if first call is canceled": {username: "IA_second_call", secondCall: true, cancelFirstCall: true}, "Denies authentication when broker times out": {username: "IA_timeout"}, - "Empty data gets JSON formatted": {username: "IA_empty_data"}, - // service errors "Error when sessionID is empty": {sessionID: "-"}, "Error when there is no broker": {sessionID: "invalid-session"}, // broker errors "Error when authenticating": {username: "IA_error"}, + "Error on empty data even if granted": {username: "IA_empty_data"}, "Error when broker returns invalid access": {username: "IA_invalid"}, "Error when broker returns invalid data": {username: "IA_invalid_data"}, "Error when calling second time without cancelling": {username: "IA_second_call", secondCall: true}, diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out b/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out index 77f439999..ada61c725 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out @@ -1,4 +1,4 @@ FIRST CALL: access: denied - data: {"mock_answer": "denied by time out"} + data: {"message": "denied by time out"} err: diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted b/internal/services/pam/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted deleted file mode 100644 index d1e3660f2..000000000 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/empty_data_gets_json_formatted +++ /dev/null @@ -1,4 +0,0 @@ -FIRST CALL: - access: granted - data: {} - err: 
diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted new file mode 100644 index 000000000..d1d8d9538 --- /dev/null +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted @@ -0,0 +1,4 @@ +FIRST CALL: + access: + data: + err: rpc error: code = Unknown desc = can't check authentication: missing userinfo key in granted user access, got: {} diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data index c68819472..88d31fb1e 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data @@ -1,4 +1,5 @@ FIRST CALL: access: data: - err: rpc error: code = Unknown desc = can't check authentication: invalid user information (not json formatted): invalid + err: rpc error: code = Unknown desc = can't check authentication: response returned by the broker is not a valid json: invalid character 'i' looking for beginning of value +Broker returned: invalid diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling index 9a0b56864..d98cd00b2 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling 
@@ -1,6 +1,6 @@ FIRST CALL: access: granted - data: {"mock_answer": "authentication granted by timeout"} + data: {"Name":"IA_second_call","UID":65565,"Gecos":"gecos for IA_second_call","Dir":"/home/IA_second_call","Shell":"/bin/sh/IA_second_call","Groups":[{"Name":"group-IA_second_call","GID":65566}]} err: SECOND CALL: access: diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate index 4d1f432d0..b42899715 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate @@ -1,4 +1,4 @@ FIRST CALL: access: granted - data: {"mock_answer": "authentication granted by default"} + data: {"Name":"success","UID":65558,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","Groups":[{"Name":"group-success","GID":65559}]} err: diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled index 10df77326..8d9e14483 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled @@ -4,5 +4,5 @@ FIRST CALL: err: rpc error: code = Canceled desc = context canceled SECOND CALL: access: granted - data: {"mock_answer": "authentication granted by timeout"} + data: {"Name":"IA_second_call","UID":65565,"Gecos":"gecos for IA_second_call","Dir":"/home/IA_second_call","Shell":"/bin/sh/IA_second_call","Groups":[{"Name":"group-IA_second_call","GID":65566}]} err: From 8fac5386cdf659adf7208c03ce4fd73e1efd59a0 Mon Sep 17 00:00:00 2001 
From: Didier Roche Date: Tue, 19 Sep 2023 15:58:45 +0200 Subject: [PATCH 07/11] Change returned data from IsAuthenticated to msg We only return messages in IsAuthenticated and never any other kind of data as userinfo will be not transmitted to the PAM module. We will use it to update the database information. Co-authored-by: Jean-Baptiste Lallement --- authd.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/authd.proto b/authd.proto index 920f6f2cd..79b35b2df 100644 --- a/authd.proto +++ b/authd.proto @@ -96,7 +96,7 @@ message IARequest { message IAResponse { string access = 1; - string data = 2; + string msg = 2; } message SDBFURequest { From 9e0b8b528b2df42124a1737b516358afda37bf4d Mon Sep 17 00:00:00 2001 From: Didier Roche Date: Tue, 19 Sep 2023 15:59:44 +0200 Subject: [PATCH 08/11] Regenerate GRPC files Co-authored-by: Jean-Baptiste Lallement --- authd.pb.go | 252 ++++++++++++++++++++++++++-------------------------- 1 file changed, 126 insertions(+), 126 deletions(-) diff --git a/authd.pb.go b/authd.pb.go index f8483ce16..21081f72a 100644 --- a/authd.pb.go +++ b/authd.pb.go @@ -719,7 +719,7 @@ type IAResponse struct { unknownFields protoimpl.UnknownFields Access string `protobuf:"bytes,1,opt,name=access,proto3" json:"access,omitempty"` - Data string `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` + Msg string `protobuf:"bytes,2,opt,name=msg,proto3" json:"msg,omitempty"` } func (x *IAResponse) Reset() { @@ -761,9 +761,9 @@ func (x *IAResponse) GetAccess() string { return "" } -func (x *IAResponse) GetData() string { +func (x *IAResponse) GetMsg() string { if x != nil { - return x.Data + return x.Msg } return "" } 
@@ -1576,132 +1576,132 @@ var file_authd_proto_rawDesc = []byte{ 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x12, 0x2f, 0x0a, 0x13, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x61, 0x75, 0x74, 0x68, 0x65, - 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x22, 0x38, 0x0a, + 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x22, 0x36, 0x0a, 0x0a, 0x49, 0x41, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x63, - 0x65, 0x73, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x64, 0x61, 0x74, 0x61, 0x22, 0x47, 0x0a, 0x0c, 0x53, 0x44, 0x42, 0x46, 0x55, - 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x62, 0x72, 0x6f, 0x6b, 0x65, - 0x72, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x62, 0x72, 0x6f, 0x6b, - 0x65, 0x72, 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, - 0x22, 0x2a, 0x0a, 0x09, 0x45, 0x53, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, - 0x0a, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x22, 0x26, 0x0a, 0x10, - 0x47, 0x65, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x20, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x49, 0x44, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 
0x01, 0x20, 0x01, - 0x28, 0x0d, 0x52, 0x02, 0x69, 0x64, 0x22, 0xa3, 0x01, 0x0a, 0x0b, 0x50, 0x61, 0x73, 0x73, 0x77, - 0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x61, - 0x73, 0x73, 0x77, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x61, 0x73, 0x73, - 0x77, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, - 0x03, 0x75, 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x67, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x0d, 0x52, 0x03, 0x67, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x67, 0x65, 0x63, 0x6f, 0x73, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x67, 0x65, 0x63, 0x6f, 0x73, 0x12, 0x18, 0x0a, 0x07, - 0x68, 0x6f, 0x6d, 0x65, 0x64, 0x69, 0x72, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x68, - 0x6f, 0x6d, 0x65, 0x64, 0x69, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x18, - 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x22, 0x3d, 0x0a, 0x0d, - 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x0a, - 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, - 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0x64, 0x0a, 0x0a, 0x47, - 0x72, 0x6f, 0x75, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, - 0x06, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, - 0x61, 0x73, 0x73, 0x77, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x67, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, - 0x28, 0x0d, 0x52, 0x03, 0x67, 0x69, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x6d, 0x62, 0x65, - 0x72, 0x73, 0x18, 
0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x6d, 0x62, 0x65, 0x72, - 0x73, 0x22, 0x3b, 0x0a, 0x0c, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, - 0x73, 0x12, 0x2b, 0x0a, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0xa7, - 0x02, 0x0a, 0x0b, 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x12, + 0x65, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x73, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x03, 0x6d, 0x73, 0x67, 0x22, 0x47, 0x0a, 0x0c, 0x53, 0x44, 0x42, 0x46, 0x55, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x5f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x72, + 0x49, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x2a, + 0x0a, 0x09, 0x45, 0x53, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x73, + 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x09, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x49, 0x64, 0x22, 0x26, 0x0a, 0x10, 0x47, 0x65, + 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x06, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x6c, 0x61, - 0x73, 0x74, 0x5f, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, - 0x0a, 0x6c, 0x61, 0x73, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x67, 
0x65, 0x12, 0x26, 0x0a, 0x0f, 0x63, - 0x68, 0x61, 0x6e, 0x67, 0x65, 0x5f, 0x6d, 0x69, 0x6e, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, 0x04, - 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4d, 0x69, 0x6e, 0x44, - 0x61, 0x79, 0x73, 0x12, 0x26, 0x0a, 0x0f, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x5f, 0x6d, 0x61, - 0x78, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x63, 0x68, - 0x61, 0x6e, 0x67, 0x65, 0x4d, 0x61, 0x78, 0x44, 0x61, 0x79, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x63, - 0x68, 0x61, 0x6e, 0x67, 0x65, 0x5f, 0x77, 0x61, 0x72, 0x6e, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, - 0x06, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x57, 0x61, 0x72, - 0x6e, 0x44, 0x61, 0x79, 0x73, 0x12, 0x30, 0x0a, 0x14, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x5f, - 0x69, 0x6e, 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, 0x07, 0x20, - 0x01, 0x28, 0x05, 0x52, 0x12, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x49, 0x6e, 0x61, 0x63, 0x74, - 0x69, 0x76, 0x65, 0x44, 0x61, 0x79, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x78, 0x70, 0x69, 0x72, - 0x65, 0x5f, 0x64, 0x61, 0x74, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x65, 0x78, - 0x70, 0x69, 0x72, 0x65, 0x44, 0x61, 0x74, 0x65, 0x22, 0x3d, 0x0a, 0x0d, 0x53, 0x68, 0x61, 0x64, - 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x07, 0x65, 0x6e, 0x74, - 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x61, 0x75, 0x74, - 0x68, 0x64, 0x2e, 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, - 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x32, 0xd3, 0x03, 0x0a, 0x03, 0x50, 0x41, 0x4d, 0x12, - 0x33, 0x0a, 0x10, 0x41, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x72, 0x6f, 0x6b, - 0x65, 0x72, 0x73, 0x12, 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, - 0x79, 0x1a, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x41, 0x42, 0x52, 0x65, 0x73, 0x70, - 
0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x50, 0x72, 0x65, 0x76, 0x69, - 0x6f, 0x75, 0x73, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x12, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, - 0x64, 0x2e, 0x47, 0x50, 0x42, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, - 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x50, 0x42, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x33, 0x0a, 0x0c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, - 0x12, 0x10, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x42, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x42, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, - 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, 0x73, 0x12, - 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x41, 0x4d, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x41, 0x4d, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x18, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, - 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, - 0x64, 0x65, 0x12, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x41, 0x4d, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x41, - 0x4d, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x36, 0x0a, 0x0f, 0x49, 0x73, 0x41, - 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x10, 0x2e, 0x61, - 0x75, 0x74, 0x68, 0x64, 0x2e, 0x49, 0x41, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, - 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x49, 0x41, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, - 0x65, 0x12, 0x2c, 0x0a, 0x0a, 0x45, 0x6e, 0x64, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, - 0x10, 0x2e, 0x61, 0x75, 0x74, 0x68, 
0x64, 0x2e, 0x45, 0x53, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, - 0x3c, 0x0a, 0x17, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x42, 0x72, 0x6f, - 0x6b, 0x65, 0x72, 0x46, 0x6f, 0x72, 0x55, 0x73, 0x65, 0x72, 0x12, 0x13, 0x2e, 0x61, 0x75, 0x74, - 0x68, 0x64, 0x2e, 0x53, 0x44, 0x42, 0x46, 0x55, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, - 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x32, 0xe1, 0x03, - 0x0a, 0x03, 0x4e, 0x53, 0x53, 0x12, 0x3e, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x50, 0x61, 0x73, 0x73, - 0x77, 0x64, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x17, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, - 0x2e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x3b, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x50, 0x61, 0x73, 0x73, - 0x77, 0x64, 0x42, 0x79, 0x55, 0x49, 0x44, 0x12, 0x15, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, - 0x47, 0x65, 0x74, 0x42, 0x79, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, - 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x12, 0x36, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, - 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, - 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, - 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x3c, 0x0a, 0x0e, 0x47, 0x65, - 0x74, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x17, 0x2e, 0x61, - 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 
0x64, 0x2e, 0x47, 0x72, - 0x6f, 0x75, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x39, 0x0a, 0x0d, 0x47, 0x65, 0x74, 0x47, - 0x72, 0x6f, 0x75, 0x70, 0x42, 0x79, 0x47, 0x49, 0x44, 0x12, 0x15, 0x2e, 0x61, 0x75, 0x74, 0x68, - 0x64, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x1a, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x12, 0x34, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x45, - 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, - 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x13, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x72, 0x6f, - 0x75, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x3e, 0x0a, 0x0f, 0x47, 0x65, 0x74, - 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x17, 0x2e, 0x61, - 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, - 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x68, - 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x36, 0x0a, 0x10, 0x47, 0x65, 0x74, - 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x0c, 0x2e, - 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x61, 0x75, - 0x74, 0x68, 0x64, 0x2e, 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, - 0x73, 0x42, 0x19, 0x5a, 0x17, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x75, 0x62, 0x75, 0x6e, 0x74, 0x75, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x64, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x6d, 0x65, 0x22, 0x20, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x49, 0x44, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, + 0x52, 0x02, 0x69, 0x64, 0x22, 0xa3, 0x01, 0x0a, 0x0b, 0x50, 0x61, 0x73, 0x73, 0x77, 
0x64, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x61, 0x73, 0x73, + 0x77, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, + 0x12, 0x10, 0x0a, 0x03, 0x75, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x75, + 0x69, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x67, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x52, + 0x03, 0x67, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x67, 0x65, 0x63, 0x6f, 0x73, 0x18, 0x05, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x05, 0x67, 0x65, 0x63, 0x6f, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x68, 0x6f, + 0x6d, 0x65, 0x64, 0x69, 0x72, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x68, 0x6f, 0x6d, + 0x65, 0x64, 0x69, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x18, 0x07, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x05, 0x73, 0x68, 0x65, 0x6c, 0x6c, 0x22, 0x3d, 0x0a, 0x0d, 0x50, 0x61, + 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x07, 0x65, + 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x61, + 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, + 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0x64, 0x0a, 0x0a, 0x47, 0x72, 0x6f, + 0x75, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, + 0x61, 0x73, 0x73, 0x77, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x61, 0x73, + 0x73, 0x77, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x67, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, + 0x52, 0x03, 0x67, 0x69, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x73, + 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x6d, 0x62, 0x65, 0x72, 0x73, 0x22, + 0x3b, 0x0a, 0x0c, 0x47, 
0x72, 0x6f, 0x75, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, + 0x2b, 0x0a, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x45, 0x6e, + 0x74, 0x72, 0x79, 0x52, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x22, 0xa7, 0x02, 0x0a, + 0x0b, 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x12, 0x0a, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x12, 0x16, 0x0a, 0x06, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x06, 0x70, 0x61, 0x73, 0x73, 0x77, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x6c, 0x61, 0x73, 0x74, + 0x5f, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x6c, + 0x61, 0x73, 0x74, 0x43, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x26, 0x0a, 0x0f, 0x63, 0x68, 0x61, + 0x6e, 0x67, 0x65, 0x5f, 0x6d, 0x69, 0x6e, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, 0x04, 0x20, 0x01, + 0x28, 0x05, 0x52, 0x0d, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x4d, 0x69, 0x6e, 0x44, 0x61, 0x79, + 0x73, 0x12, 0x26, 0x0a, 0x0f, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x5f, 0x6d, 0x61, 0x78, 0x5f, + 0x64, 0x61, 0x79, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x63, 0x68, 0x61, 0x6e, + 0x67, 0x65, 0x4d, 0x61, 0x78, 0x44, 0x61, 0x79, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x63, 0x68, 0x61, + 0x6e, 0x67, 0x65, 0x5f, 0x77, 0x61, 0x72, 0x6e, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, 0x06, 0x20, + 0x01, 0x28, 0x05, 0x52, 0x0e, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x57, 0x61, 0x72, 0x6e, 0x44, + 0x61, 0x79, 0x73, 0x12, 0x30, 0x0a, 0x14, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x5f, 0x69, 0x6e, + 0x61, 0x63, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x64, 0x61, 0x79, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, + 0x05, 0x52, 0x12, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x49, 0x6e, 0x61, 0x63, 0x74, 0x69, 0x76, + 0x65, 0x44, 0x61, 0x79, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 
0x78, 0x70, 0x69, 0x72, 0x65, 0x5f, + 0x64, 0x61, 0x74, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0a, 0x65, 0x78, 0x70, 0x69, + 0x72, 0x65, 0x44, 0x61, 0x74, 0x65, 0x22, 0x3d, 0x0a, 0x0d, 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, + 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x07, 0x65, 0x6e, 0x74, 0x72, 0x69, + 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, + 0x2e, 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x07, 0x65, 0x6e, + 0x74, 0x72, 0x69, 0x65, 0x73, 0x32, 0xd3, 0x03, 0x0a, 0x03, 0x50, 0x41, 0x4d, 0x12, 0x33, 0x0a, + 0x10, 0x41, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, + 0x73, 0x12, 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, + 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x41, 0x42, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, + 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x50, 0x72, 0x65, 0x76, 0x69, 0x6f, 0x75, + 0x73, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x12, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, + 0x47, 0x50, 0x42, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, + 0x68, 0x64, 0x2e, 0x47, 0x50, 0x42, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x33, + 0x0a, 0x0c, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x42, 0x72, 0x6f, 0x6b, 0x65, 0x72, 0x12, 0x10, + 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x42, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x42, 0x52, 0x65, 0x73, 0x70, 0x6f, + 0x6e, 0x73, 0x65, 0x12, 0x3f, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, + 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, 0x73, 0x12, 0x11, 0x2e, + 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x41, 0x4d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, + 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x41, 0x4d, 0x52, 0x65, 0x73, 0x70, + 
0x6f, 0x6e, 0x73, 0x65, 0x12, 0x41, 0x0a, 0x18, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x41, 0x75, + 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x6f, 0x64, 0x65, + 0x12, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x41, 0x4d, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x53, 0x41, 0x4d, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x36, 0x0a, 0x0f, 0x49, 0x73, 0x41, 0x75, 0x74, + 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x65, 0x64, 0x12, 0x10, 0x2e, 0x61, 0x75, 0x74, + 0x68, 0x64, 0x2e, 0x49, 0x41, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x61, + 0x75, 0x74, 0x68, 0x64, 0x2e, 0x49, 0x41, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, + 0x2c, 0x0a, 0x0a, 0x45, 0x6e, 0x64, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x2e, + 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x53, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x12, 0x3c, 0x0a, + 0x17, 0x53, 0x65, 0x74, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x42, 0x72, 0x6f, 0x6b, 0x65, + 0x72, 0x46, 0x6f, 0x72, 0x55, 0x73, 0x65, 0x72, 0x12, 0x13, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, + 0x2e, 0x53, 0x44, 0x42, 0x46, 0x55, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0c, 0x2e, + 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x32, 0xe1, 0x03, 0x0a, 0x03, + 0x4e, 0x53, 0x53, 0x12, 0x3e, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, + 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x17, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, + 0x65, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, + 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, + 0x74, 0x72, 0x79, 0x12, 0x3b, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, + 0x42, 0x79, 0x55, 0x49, 0x44, 0x12, 
0x15, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x65, + 0x74, 0x42, 0x79, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, + 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, + 0x12, 0x36, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x50, 0x61, 0x73, 0x73, 0x77, 0x64, 0x45, 0x6e, 0x74, + 0x72, 0x69, 0x65, 0x73, 0x12, 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, + 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x50, 0x61, 0x73, 0x73, 0x77, + 0x64, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x3c, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x47, + 0x72, 0x6f, 0x75, 0x70, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x17, 0x2e, 0x61, 0x75, 0x74, + 0x68, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x11, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x72, 0x6f, 0x75, + 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x39, 0x0a, 0x0d, 0x47, 0x65, 0x74, 0x47, 0x72, 0x6f, + 0x75, 0x70, 0x42, 0x79, 0x47, 0x49, 0x44, 0x12, 0x15, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, + 0x47, 0x65, 0x74, 0x42, 0x79, 0x49, 0x44, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x11, + 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x12, 0x34, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x45, 0x6e, 0x74, + 0x72, 0x69, 0x65, 0x73, 0x12, 0x0c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, + 0x74, 0x79, 0x1a, 0x13, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, + 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x3e, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x53, 0x68, + 0x61, 0x64, 0x6f, 0x77, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x17, 0x2e, 0x61, 0x75, 0x74, + 0x68, 0x64, 0x2e, 0x47, 0x65, 0x74, 0x42, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x65, 0x71, 0x75, + 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x64, 0x2e, 
0x53, 0x68, 0x61, 0x64, + 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x36, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x53, 0x68, + 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x12, 0x0c, 0x2e, 0x61, 0x75, + 0x74, 0x68, 0x64, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x14, 0x2e, 0x61, 0x75, 0x74, 0x68, + 0x64, 0x2e, 0x53, 0x68, 0x61, 0x64, 0x6f, 0x77, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, 0x42, + 0x19, 0x5a, 0x17, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x75, 0x62, + 0x75, 0x6e, 0x74, 0x75, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( From 6982c2dbd3aaaa9bc1ddd048ab27429d5662756b Mon Sep 17 00:00:00 2001 From: Didier Roche Date: Tue, 19 Sep 2023 16:01:39 +0200 Subject: [PATCH 09/11] Change authentication Data to Msg in the PAM exchange As we are only passing messages instead of data, align with it. Co-authored-by: Jean-Baptiste Lallement --- internal/services/pam/pam.go | 2 +- internal/services/pam/pam_test.go | 8 ++++---- pam/authentication.go | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/internal/services/pam/pam.go b/internal/services/pam/pam.go index 228ce8599..45147f953 100644 --- a/internal/services/pam/pam.go +++ b/internal/services/pam/pam.go @@ -179,7 +179,7 @@ func (s Service) IsAuthenticated(ctx context.Context, req *authd.IARequest) (res return &authd.IAResponse{ Access: access, - Data: data, + Msg: data, }, nil } diff --git a/internal/services/pam/pam_test.go b/internal/services/pam/pam_test.go index 3ab79eee6..53137ffc9 100644 --- a/internal/services/pam/pam_test.go +++ b/internal/services/pam/pam_test.go 
@@ -360,9 +360,9 @@ func TestIsAuthenticated(t *testing.T) { AuthenticationData: "some data", } iaResp, err := client.IsAuthenticated(ctx, iaReq) - firstCall = fmt.Sprintf("FIRST CALL:\n\taccess: %s\n\tdata: %s\n\terr: %v\n", + firstCall = fmt.Sprintf("FIRST CALL:\n\taccess: %s\n\tmsg: %s\n\terr: %v\n", iaResp.GetAccess(), - iaResp.GetData(), + iaResp.GetMsg(), err, ) }() @@ -380,9 +380,9 @@ func TestIsAuthenticated(t *testing.T) { AuthenticationData: "some data", } iaResp, err := client.IsAuthenticated(context.Background(), iaReq) - secondCall = fmt.Sprintf("SECOND CALL:\n\taccess: %s\n\tdata: %s\n\terr: %v\n", + secondCall = fmt.Sprintf("SECOND CALL:\n\taccess: %s\n\tmsg: %s\n\terr: %v\n", iaResp.GetAccess(), - iaResp.GetData(), + iaResp.GetMsg(), err, ) } diff --git a/pam/authentication.go b/pam/authentication.go index 4e686a521..b3e4dff20 100644 --- a/pam/authentication.go +++ b/pam/authentication.go @@ -35,7 +35,7 @@ func sendIsAuthenticated(ctx context.Context, client authd.PAMClient, sessionID, return isAuthenticatedResultReceived{ access: res.Access, - data: res.Data, + msg: res.Msg, } } } @@ -50,7 +50,7 @@ type isAuthenticatedRequested struct { // and data that was retrieved. type isAuthenticatedResultReceived struct { access string - data string + msg string } // reselectAuthMode signals to restart auth mode selection with the same id (to resend sms or @@ -116,12 +116,12 @@ func (m *authenticationModel) Update(msg tea.Msg) (authenticationModel, tea.Cmd) return *m, sendEvent(pamSuccess{brokerID: m.currentBrokerID}) case responses.AuthRetry: - m.errorMsg = dataToMsg(msg.data) + m.errorMsg = dataToMsg(msg.msg) return *m, sendEvent(startAuthentication{}) case responses.AuthDenied: errMsg := "Access denied" - if err := dataToMsg(msg.data); err != "" { + if err := dataToMsg(msg.msg); err != "" { errMsg = err } return *m, sendEvent(pamAuthError{msg: errMsg}) From d6f460fb402f48aea82e066ac9e647507211be37 Mon Sep 17 00:00:00 2001 
From: Didier Roche Date: Tue, 19 Sep 2023 17:15:31 +0200 Subject: [PATCH 10/11] Do not leak user data from PAM service Those data are only used to update the internal database. Co-authored-by: Jean-Baptiste Lallement --- internal/services/pam/pam.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/internal/services/pam/pam.go b/internal/services/pam/pam.go index 45147f953..369385f13 100644 --- a/internal/services/pam/pam.go +++ b/internal/services/pam/pam.go @@ -8,6 +8,7 @@ import ( "github.com/ubuntu/authd" "github.com/ubuntu/authd/internal/brokers" + "github.com/ubuntu/authd/internal/brokers/responses" "github.com/ubuntu/authd/internal/log" "github.com/ubuntu/decorate" ) @@ -177,6 +178,10 @@ func (s Service) IsAuthenticated(ctx context.Context, req *authd.IARequest) (res return nil, err } + if access == responses.AuthGranted { + data = "" + } + return &authd.IAResponse{ Access: access, Msg: data, From 5fca75bbee103aa4d30b5c8943ca937c1ed9134e Mon Sep 17 00:00:00 2001 From: Didier Roche Date: Tue, 19 Sep 2023 16:08:02 +0200 Subject: [PATCH 11/11] Refresh TestIsAuthenticated golden files in pam services Co-authored-by: Jean-Baptiste Lallement --- .../golden/denies_authentication_when_broker_times_out | 2 +- .../golden/error_on_empty_data_even_if_granted | 2 +- .../TestIsAuthenticated/golden/error_when_authenticating | 2 +- .../golden/error_when_broker_returns_invalid_access | 2 +- .../golden/error_when_broker_returns_invalid_data | 2 +- .../golden/error_when_calling_second_time_without_cancelling | 4 ++-- .../TestIsAuthenticated/golden/error_when_sessionid_is_empty | 2 +- .../TestIsAuthenticated/golden/error_when_there_is_no_broker | 2 +- .../TestIsAuthenticated/golden/successfully_authenticate | 2 +- .../successfully_authenticate_if_first_call_is_canceled | 4 ++-- 10 files changed, 12 insertions(+), 12 deletions(-) 
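Review bot: The added `if access == responses.AuthGranted { data = "" }` guard in pam.go fails open: it clears the broker payload for one access value only, so any other access value still has the broker's `data` copied into `Msg` unchanged, and the `return nil, err` just above it is not covered either. The refreshed golden files in this series show that error path echoing raw broker output to the client (`... Broker returned: invalid`, `... got: {}`), so a granted response whose userinfo fails validation would presumably still reach the PAM side inside the error text. I would invert the check so that `Msg` is filled only for the access values that are meant to carry a user-facing message, and keep broker payloads out of errors returned over gRPC, logging them on the daemon side instead. The commit message says the data is used to update the internal database, but this hunk only discards it; a comment such as `// userinfo is for the local database only and must never be sent to the PAM client` would record the intent. IsAuthenticated starts outside this hunk, so the earlier part of the function is not visible here.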
diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out b/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out index ada61c725..58f130447 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/denies_authentication_when_broker_times_out @@ -1,4 +1,4 @@ FIRST CALL: access: denied - data: {"message": "denied by time out"} + msg: {"message": "denied by time out"} err: diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted index d1d8d9538..e5ce8d020 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_on_empty_data_even_if_granted @@ -1,4 +1,4 @@ FIRST CALL: access: - data: + msg: err: rpc error: code = Unknown desc = can't check authentication: missing userinfo key in granted user access, got: {} diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_authenticating b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_authenticating index 27076e52e..4ad08cee6 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_authenticating +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_authenticating @@ -1,4 +1,4 @@ FIRST CALL: access: - data: + msg: err: rpc error: code = Unknown desc = can't check authentication: Broker "BrokerMock": IsAuthenticated errored out 
diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_access b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_access index 881e146f5..a5af96d43 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_access +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_access @@ -1,4 +1,4 @@ FIRST CALL: access: - data: + msg: err: rpc error: code = Unknown desc = can't check authentication: invalid access authentication key: invalid diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data index 88d31fb1e..d7d92758c 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_broker_returns_invalid_data @@ -1,5 +1,5 @@ FIRST CALL: access: - data: + msg: err: rpc error: code = Unknown desc = can't check authentication: response returned by the broker is not a valid json: invalid character 'i' looking for beginning of value Broker returned: invalid diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling index d98cd00b2..e71a6370d 100644 --- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling +++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_calling_second_time_without_cancelling 
@@ -1,8 +1,8 @@
 FIRST CALL:
 access: granted
- data: {"Name":"IA_second_call","UID":65565,"Gecos":"gecos for IA_second_call","Dir":"/home/IA_second_call","Shell":"/bin/sh/IA_second_call","Groups":[{"Name":"group-IA_second_call","GID":65566}]}
+ msg:
 err:
 SECOND CALL:
 access:
- data:
+ msg:
 err: rpc error: code = Unknown desc = can't check authentication: Broker "BrokerMock": IsAuthenticated already running for session "TestIsAuthenticated/Error_when_calling_second_time_without_cancelling_separator_IA_second_call-session_id"
diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_sessionid_is_empty b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_sessionid_is_empty
index c307aa810..6c833ca1f 100644
--- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_sessionid_is_empty
+++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_sessionid_is_empty
@@ -1,4 +1,4 @@
 FIRST CALL:
 access:
- data:
+ msg:
 err: rpc error: code = Unknown desc = can't check authentication: no session ID provided
diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_there_is_no_broker b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_there_is_no_broker
index d02e6143a..542cb40bb 100644
--- a/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_there_is_no_broker
+++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/error_when_there_is_no_broker
@@ -1,4 +1,4 @@
 FIRST CALL:
 access:
- data:
+ msg:
 err: rpc error: code = Unknown desc = can't check authentication: no broker found for session "invalid-session"
diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate
index b42899715..0db1ac049 100644
--- a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate
+++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate
@@ -1,4 +1,4 @@
 FIRST CALL:
 access: granted
- data: {"Name":"success","UID":65558,"Gecos":"gecos for success","Dir":"/home/success","Shell":"/bin/sh/success","Groups":[{"Name":"group-success","GID":65559}]}
+ msg:
 err:
diff --git a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled
index 8d9e14483..573cc2d04 100644
--- a/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled
+++ b/internal/services/pam/testdata/TestIsAuthenticated/golden/successfully_authenticate_if_first_call_is_canceled
@@ -1,8 +1,8 @@
 FIRST CALL:
 access:
- data:
+ msg:
 err: rpc error: code = Canceled desc = context canceled
 SECOND CALL:
 access: granted
- data: {"Name":"IA_second_call","UID":65565,"Gecos":"gecos for IA_second_call","Dir":"/home/IA_second_call","Shell":"/bin/sh/IA_second_call","Groups":[{"Name":"group-IA_second_call","GID":65566}]}
+ msg:
 err: