diff options
-rw-r--r-- | src/config.rs | 2 | ||||
-rw-r--r-- | src/login/ldap_provider.rs | 90 | ||||
-rw-r--r-- | src/login/static_provider.rs | 38 | ||||
-rw-r--r-- | src/storage/garage.rs | 9 |
4 files changed, 80 insertions, 59 deletions
diff --git a/src/config.rs b/src/config.rs index 477968e..34940f2 100644 --- a/src/config.rs +++ b/src/config.rs @@ -31,7 +31,7 @@ pub struct StaticGarageConfig { pub aws_access_key_id: String, pub aws_secret_access_key: String, - pub bucket: Option<String>, + pub bucket: String, } #[derive(Serialize, Deserialize, Debug, Clone)] diff --git a/src/login/ldap_provider.rs b/src/login/ldap_provider.rs index 2eeb6d9..561b1c2 100644 --- a/src/login/ldap_provider.rs +++ b/src/login/ldap_provider.rs @@ -5,10 +5,9 @@ use log::debug; use crate::config::*; use crate::login::*; +use crate::storage; pub struct LdapLoginProvider { - k2v_region: Region, - s3_region: Region, ldap_server: String, pre_bind_on_login: bool, @@ -19,12 +18,9 @@ pub struct LdapLoginProvider { username_attr: String, mail_attr: String, - aws_access_key_id_attr: String, - aws_secret_access_key_attr: String, + storage_specific: StorageSpecific, user_secret_attr: String, alternate_user_secrets_attr: Option<String>, - - bucket_source: BucketSource, } enum BucketSource { @@ -32,8 +28,13 @@ enum BucketSource { Attr(String), } +enum StorageSpecific { + InMemory, + Garage { from_config: LdapGarageConfig, bucket_source: BucketSource }, +} + impl LdapLoginProvider { - pub fn new(config: LoginLdapConfig, k2v_region: Region, s3_region: Region) -> Result<Self> { + pub fn new(config: LoginLdapConfig) -> Result<Self> { let bind_dn_and_pw = match (config.bind_dn, config.bind_password) { (Some(dn), Some(pw)) => Some((dn, pw)), (None, None) => None, @@ -42,12 +43,6 @@ impl LdapLoginProvider { ), }; - let bucket_source = match (config.bucket, config.bucket_attr) { - (Some(b), None) => BucketSource::Constant(b), - (None, Some(a)) => BucketSource::Attr(a), - _ => bail!("Must set `bucket` or `bucket_attr`, but not both"), - }; - if config.pre_bind_on_login && bind_dn_and_pw.is_none() { bail!("Cannot use `pre_bind_on_login` without setting `bind_dn` and `bind_password`"); } @@ -55,20 +50,34 @@ impl LdapLoginProvider { let mut attrs_to_retrieve = vec![ config.username_attr.clone(), config.mail_attr.clone(), - config.aws_access_key_id_attr.clone(), - config.aws_secret_access_key_attr.clone(), config.user_secret_attr.clone(), ]; + if let Some(a) = &config.alternate_user_secrets_attr { attrs_to_retrieve.push(a.clone()); } - if let BucketSource::Attr(a) = &bucket_source { - attrs_to_retrieve.push(a.clone()); - } + + // storage specific + let specific = match config.storage { + LdapStorage::InMemory => StorageSpecific::InMemory, + LdapStorage::Garage(grgconf) => { + let bucket_source = match (grgconf.default_bucket.clone(), grgconf.bucket_attr.clone()) { + (Some(b), None) => BucketSource::Constant(b), + (None, Some(a)) => BucketSource::Attr(a), + _ => bail!("Must set `bucket` or `bucket_attr`, but not both"), + }; + + if let BucketSource::Attr(a) = &bucket_source { + attrs_to_retrieve.push(a.clone()); + } + + StorageSpecific::Garage { from_config: grgconf, bucket_source } + }, + }; + + Ok(Self { - k2v_region, - s3_region, ldap_server: config.ldap_server, pre_bind_on_login: config.pre_bind_on_login, bind_dn_and_pw, @@ -76,29 +85,36 @@ impl LdapLoginProvider { attrs_to_retrieve, username_attr: config.username_attr, mail_attr: config.mail_attr, - aws_access_key_id_attr: config.aws_access_key_id_attr, - aws_secret_access_key_attr: config.aws_secret_access_key_attr, + storage_specific: specific, user_secret_attr: config.user_secret_attr, alternate_user_secrets_attr: config.alternate_user_secrets_attr, - bucket_source, }) } - fn storage_creds_from_ldap_user(&self, user: &SearchEntry) -> Result<StorageCredentials> { - let aws_access_key_id = get_attr(user, &self.aws_access_key_id_attr)?; - let aws_secret_access_key = get_attr(user, &self.aws_secret_access_key_attr)?; - let bucket = match &self.bucket_source { - BucketSource::Constant(b) => b.clone(), - BucketSource::Attr(a) => get_attr(user, a)?, + fn storage_creds_from_ldap_user(&self, user: &SearchEntry) -> Result<Builders> { + let storage: Builders = match &self.storage_specific { + StorageSpecific::InMemory => Box::new(storage::in_memory::FullMem {}), + StorageSpecific::Garage { from_config, bucket_source } => { + let aws_access_key_id = get_attr(user, &from_config.aws_access_key_id_attr)?; + let aws_secret_access_key = get_attr(user, &from_config.aws_secret_access_key_attr)?; + let bucket = match bucket_source { + BucketSource::Constant(b) => b.clone(), + BucketSource::Attr(a) => get_attr(user, &a)?, + }; + + + Box::new(storage::garage::GrgCreds { + region: from_config.aws_region.clone(), + s3_endpoint: from_config.s3_endpoint.clone(), + k2v_endpoint: from_config.k2v_endpoint.clone(), + aws_access_key_id, + aws_secret_access_key, + bucket + }) + }, }; - Ok(StorageCredentials { - k2v_region: self.k2v_region.clone(), - s3_region: self.s3_region.clone(), - aws_access_key_id, - aws_secret_access_key, - bucket, - }) + Ok(storage) } } @@ -204,7 +220,7 @@ impl LoginProvider for LdapLoginProvider { let storage = self.storage_creds_from_ldap_user(&user)?; drop(ldap); - let k2v_client = storage.k2v_client()?; + let k2v_client = storage.row_store()?; let (_, public_key) = CryptoKeys::load_salt_and_public(&k2v_client).await?; Ok(PublicCredentials { diff --git a/src/login/static_provider.rs b/src/login/static_provider.rs index bd22060..0b726cb 100644 --- a/src/login/static_provider.rs +++ b/src/login/static_provider.rs @@ -52,9 +52,16 @@ impl LoginProvider for StaticLoginProvider { } tracing::debug!(user=%username, "fetch keys"); - let storage: storage::Builders = match user.storage { + let storage: storage::Builders = match &user.storage { StaticStorage::InMemory => Box::new(storage::in_memory::FullMem {}), - StaticStorage::Garage(c) => Box::new(storage::garage::GrgCreds {}), + StaticStorage::Garage(grgconf) => Box::new(storage::garage::GrgCreds { + region: grgconf.aws_region.clone(), + k2v_endpoint: grgconf.k2v_endpoint.clone(), + s3_endpoint: grgconf.s3_endpoint.clone(), + aws_access_key_id: grgconf.aws_access_key_id.clone(), + aws_secret_access_key: grgconf.aws_secret_access_key.clone(), + bucket: grgconf.bucket.clone(), + }), }; let keys = match (&user.master_key, &user.secret_key) { @@ -87,25 +94,16 @@ impl LoginProvider for StaticLoginProvider { Some(u) => u, }; - /* - let bucket = user - .bucket - .clone() - .or_else(|| self.default_bucket.clone()) - .ok_or(anyhow!( - "No bucket configured and no default bucket specieid" - ))?; - - let storage = StorageCredentials { - k2v_region: self.k2v_region.clone(), - s3_region: self.s3_region.clone(), - aws_access_key_id: user.aws_access_key_id.clone(), - aws_secret_access_key: user.aws_secret_access_key.clone(), - bucket, - };*/ - let storage: storage::Builders = match user.storage { + let storage: storage::Builders = match &user.storage { StaticStorage::InMemory => Box::new(storage::in_memory::FullMem {}), - StaticStorage::Garage(c) => Box::new(storage::garage::GrgCreds {}), + StaticStorage::Garage(grgconf) => Box::new(storage::garage::GrgCreds { + region: grgconf.aws_region.clone(), + k2v_endpoint: grgconf.k2v_endpoint.clone(), + s3_endpoint: grgconf.s3_endpoint.clone(), + aws_access_key_id: grgconf.aws_access_key_id.clone(), + aws_secret_access_key: grgconf.aws_secret_access_key.clone(), + bucket: grgconf.bucket.clone(), + }), }; let k2v_client = storage.row_store()?; diff --git a/src/storage/garage.rs b/src/storage/garage.rs index d9c768f..052e812 100644 --- a/src/storage/garage.rs +++ b/src/storage/garage.rs @@ -1,7 +1,14 @@ use crate::storage::*; #[derive(Clone, Debug, Hash)] -pub struct GrgCreds {} +pub struct GrgCreds { + pub region: String, + pub s3_endpoint: String, + pub k2v_endpoint: String, + pub aws_access_key_id: String, + pub aws_secret_access_key: String, + pub bucket: String, +} pub struct GrgStore {} pub struct GrgRef {} pub struct GrgValue {} |