From b86acd5ed06adbc59518cde78e5b6f31d4865197 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Wed, 24 Jan 2024 21:36:46 +0100 Subject: implemented business logic --- src/auth.rs | 242 +++++++++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 206 insertions(+), 36 deletions(-) diff --git a/src/auth.rs b/src/auth.rs index 05c88ce..697eff3 100644 --- a/src/auth.rs +++ b/src/auth.rs @@ -1,7 +1,6 @@ use std::net::SocketAddr; -use std::sync::Arc; -use anyhow::{Result, anyhow}; +use anyhow::{Result, anyhow, bail}; use futures::stream::{FuturesUnordered, StreamExt}; use tokio::io::BufStream; use tokio::io::{AsyncBufReadExt, AsyncWriteExt}; @@ -82,7 +81,7 @@ impl AuthServer { }; tracing::info!("AUTH: accepted connection from {}", remote_addr); - let conn = tokio::spawn(NetLoop::new(socket, must_exit.clone()).run_error()); + let conn = tokio::spawn(NetLoop::new(socket, self.login_provider.clone(), must_exit.clone()).run_error()); connections.push(conn); @@ -97,15 +96,23 @@ impl AuthServer { } struct NetLoop { + login: ArcLoginProvider, stream: BufStream, stop: watch::Receiver, + state: State, + read_buf: Vec, + write_buf: BytesMut, } impl NetLoop { - fn new(stream: TcpStream, stop: watch::Receiver) -> Self { + fn new(stream: TcpStream, login: ArcLoginProvider, stop: watch::Receiver) -> Self { Self { + login, stream: BufStream::new(stream), + state: State::Init, stop, + read_buf: Vec::new(), + write_buf: BytesMut::new(), } } @@ -117,25 +124,39 @@ impl NetLoop { } async fn run(mut self) -> Result<()> { - let mut resp_buff = BytesMut::new(); - let mut buff: Vec = Vec::new(); loop { - buff.clear(); tokio::select! { - read_res = self.stream.read_until(b'\n', &mut buff) => { + read_res = self.stream.read_until(b'\n', &mut self.read_buf) => { + // Detect EOF / socket close let bread = read_res?; if bread == 0 { tracing::info!("Reading buffer empty, connection has been closed. Exiting AUTH session."); return Ok(()) } - let (input, cmd) = client_command(&buff).map_err(|_| anyhow!("Unable to parse command"))?; - println!("input: {:?}, cmd: {:?}", input, cmd); - ServerCommand::Version { - major: 1, - minor: 2, - }.encode(&mut resp_buff)?; - self.stream.write_all(&resp_buff).await?; - self.stream.flush().await?; + + // Parse command + let (_, cmd) = client_command(&self.read_buf).map_err(|_| anyhow!("Unable to parse command"))?; + tracing::debug!(cmd=?cmd, "Received command"); + + // Make some progress in our local state + self.state.progress(cmd, &self.login).await; + if matches!(self.state, State::Error) { + bail!("Internal state is in error, previous logs explain what went wrong"); + } + + // Build response + let srv_cmds = self.state.response(); + srv_cmds.iter().try_for_each(|r| r.encode(&mut self.write_buf))?; + + // Send responses if at least one command response has been generated + if !srv_cmds.is_empty() { + self.stream.write_all(&self.write_buf).await?; + self.stream.flush().await?; + } + + // Reset buffers + self.read_buf.clear(); + self.write_buf.clear(); }, _ = self.stop.changed() => { tracing::debug!("Server is stopping, quitting this runner"); @@ -146,13 +167,150 @@ impl NetLoop { } } +// ----------------------------------------------------------------- +// +// BUSINESS LOGIC +// +// ----------------------------------------------------------------- +use rand::prelude::*; + +#[derive(Debug)] +enum AuthRes { + Success(String), + Failed(Option, Option), +} + +#[derive(Debug)] +enum State { + Error, + Init, + HandshakePart(Version), + HandshakeDone, + AuthPlainProgress { + id: u64, + }, + AuthDone { + id: u64, + res: AuthRes + }, +} + +const SERVER_MAJOR: u64 = 1; +const SERVER_MINOR: u64 = 2; +impl State { + async fn progress(&mut self, cmd: ClientCommand, login: &ArcLoginProvider) { + + let new_state = 'state: { + match (std::mem::replace(self, State::Error), cmd) { + (Self::Init, ClientCommand::Version(v)) => Self::HandshakePart(v), + (Self::HandshakePart(version), ClientCommand::Cpid(_cpid)) => { + if version.major != SERVER_MAJOR { + tracing::error!(client_major=version.major, server_major=SERVER_MAJOR, "Unsupported client major version"); + break 'state Self::Error + } + + Self::HandshakeDone + }, + (Self::HandshakeDone { .. }, ClientCommand::Auth { id, mech, .. }) | + (Self::AuthDone { .. }, ClientCommand::Auth { id, mech, ..}) => { + if mech != Mechanism::Plain { + tracing::error!(mechanism=?mech, "Unsupported Authentication Mechanism"); + break 'state Self::AuthDone { id, res: AuthRes::Failed(None, None) } + } + + Self::AuthPlainProgress { id } + }, + (Self::AuthPlainProgress { id }, ClientCommand::Cont { id: cid, data }) => { + // Check that ID matches + if cid != id { + tracing::error!(auth_id=id, cont_id=cid, "CONT id does not match AUTH id"); + break 'state Self::AuthDone { id, res: AuthRes::Failed(None, None) } + } + + // Check that we can extract user's login+pass + let (ubin, pbin) = match auth_plain(&data) { + Ok(([], ([], user, pass))) => (user, pass), + Ok(_) => { + tracing::error!("Impersonating user is not supported"); + break 'state Self::AuthDone { id, res: AuthRes::Failed(None, None) } + } + Err(e) => { + tracing::error!(err=?e, "Could not parse the SASL PLAIN data chunk"); + break 'state Self::AuthDone { id, res: AuthRes::Failed(None, None) } + }, + }; + + // Try to convert it to UTF-8 + let (user, password) = match (std::str::from_utf8(ubin), std::str::from_utf8(pbin)) { + (Ok(u), Ok(p)) => (u, p), + _ => { + tracing::error!("Username or password contain invalid UTF-8 characters"); + break 'state Self::AuthDone { id, res: AuthRes::Failed(None, None) } + } + }; + + // Try to connect user + match login.login(user, password).await { + Ok(_) => Self::AuthDone { id, res: AuthRes::Success(user.to_string())}, + Err(e) => { + tracing::warn!(err=?e, "login failed"); + Self::AuthDone { id, res: AuthRes::Failed(Some(user.to_string()), None) } + } + } + }, + _ => { + tracing::error!("This command is not valid in this context"); + Self::Error + }, + } + }; + tracing::debug!(state=?new_state, "Made progress"); + *self = new_state; + } + + fn response(&self) -> Vec { + let mut srv_cmd: Vec = Vec::new(); + + match self { + Self::HandshakeDone { .. } => { + srv_cmd.push(ServerCommand::Version(Version { major: SERVER_MAJOR, minor: SERVER_MINOR })); + srv_cmd.push(ServerCommand::Spid(1u64)); + srv_cmd.push(ServerCommand::Cuid(1u64)); + + let mut cookie = [0u8; 16]; + thread_rng().fill(&mut cookie); + srv_cmd.push(ServerCommand::Cookie(cookie)); + + srv_cmd.push(ServerCommand::Mech { + kind: Mechanism::Plain, + parameters: vec![MechanismParameters::PlainText], + }); + srv_cmd.push(ServerCommand::Done); + }, + Self::AuthPlainProgress { id } => { + srv_cmd.push(ServerCommand::Cont { id: *id, data: None }); + }, + Self::AuthDone { id, res: AuthRes::Success(user) } => { + srv_cmd.push(ServerCommand::Ok { id: *id, user_id: Some(user.to_string()), extra_parameters: vec![]}); + }, + Self::AuthDone { id, res: AuthRes::Failed(maybe_user, maybe_failcode) } => { + srv_cmd.push(ServerCommand::Fail { id: *id, user_id: maybe_user.clone(), code: maybe_failcode.clone(), extra_parameters: vec![]}); + }, + _ => (), + }; + + srv_cmd + } +} + + // ----------------------------------------------------------------- // // DOVECOT AUTH TYPES // -// ------------------------------------------------------------------ +// ----------------------------------------------------------------- -#[derive(Debug, Clone)] +#[derive(Debug, Clone, PartialEq)] enum Mechanism { Plain, Login, @@ -214,13 +372,16 @@ enum AuthOption { Resp(Vec), } +#[derive(Debug, Clone)] +struct Version { + major: u64, + minor: u64, +} + #[derive(Debug)] enum ClientCommand { /// Both client and server should check that they support the same major version number. If they don’t, the other side isn’t expected to be talking the same protocol and should be disconnected. Minor version can be ignored. This document specifies the version number 1.2. - Version { - major: u64, - minor: u64, - }, + Version(Version), /// CPID finishes the handshake from client. Cpid(u64), Auth { @@ -261,7 +422,7 @@ enum MechanismParameters { Private, } -#[derive(Debug)] +#[derive(Debug, Clone)] enum FailCode { /// This is a temporary internal failure, e.g. connection was lost to SQL database. TempFail, @@ -276,10 +437,7 @@ enum FailCode { #[derive(Debug)] enum ServerCommand { /// Both client and server should check that they support the same major version number. If they don’t, the other side isn’t expected to be talking the same protocol and should be disconnected. Minor version can be ignored. This document specifies the version number 1.2. - Version { - major: u64, - minor: u64, - }, + Version(Version), /// CPID and SPID specify client and server Process Identifiers (PIDs). They should be unique identifiers for the specific process. UNIX process IDs are good choices. /// SPID can be used by authentication client to tell master which server process handled the authentication. Spid(u64), @@ -298,18 +456,19 @@ enum ServerCommand { Fail { id: u64, user_id: Option, - code: FailCode, + code: Option, + extra_parameters: Vec>, }, Cont { id: u64, - data: Vec, + data: Option>, }, /// FAIL and OK may contain multiple unspecified parameters which authentication client may handle specially. /// The only one specified here is user= parameter, which should always be sent if the userid is known. Ok { id: u64, user_id: Option, - parameters: Vec, + extra_parameters: Vec>, }, } @@ -324,9 +483,9 @@ use nom::{ branch::alt, error::{ErrorKind, Error}, character::complete::{tab, u64, u16}, - bytes::complete::{tag, tag_no_case, take, take_while, take_while1}, + bytes::complete::{is_not, tag, tag_no_case, take, take_while, take_while1}, multi::{many1, separated_list0}, - combinator::{map, opt, recognize, value,}, + combinator::{map, opt, recognize, value, rest}, sequence::{pair, preceded, tuple}, }; use base64::Engine; @@ -341,7 +500,7 @@ fn version_command<'a>(input: &'a [u8]) -> IResult<&'a [u8], ClientCommand> { )); let (input, (_, _, major, _, minor)) = parser(input)?; - Ok((input, ClientCommand::Version { major, minor })) + Ok((input, ClientCommand::Version(Version { major, minor }))) } fn cpid_command<'a>(input: &'a [u8]) -> IResult<&'a [u8], ClientCommand> { @@ -510,6 +669,17 @@ fn server_command(buf: &u8) -> IResult<&u8, ServerCommand> { } */ +// ----------------------------------------------------------------- +// +// SASL DECODING +// +// ----------------------------------------------------------------- + +// impersonated user, login, password +fn auth_plain<'a>(input: &'a [u8]) -> IResult<&'a [u8], (&'a [u8], &'a [u8], &'a [u8])> { + tuple((is_not([0x0]), is_not([0x0]), rest))(input) +} + // ----------------------------------------------------------------- // // DOVECOT AUTH ENCODING @@ -531,7 +701,7 @@ fn lf_enc(out: &mut BytesMut) { impl Encode for ServerCommand { fn encode(&self, out: &mut BytesMut) -> Result<()> { match self { - Self::Version { major, minor } => { + Self::Version (Version { major, minor }) => { out.put(&b"VERSION"[..]); tab_enc(out); out.put(major.to_string().as_bytes()); @@ -544,9 +714,9 @@ impl Encode for ServerCommand { Self::Mech { kind, parameters } => unimplemented!(), Self::Cookie(v) => unimplemented!(), Self::Done => unimplemented!(), - Self::Fail {id, user_id, code } => unimplemented!(), Self::Cont { id, data } => unimplemented!(), - Self::Ok { id, user_id, parameters } => unimplemented!(), + Self::Ok { id, user_id, extra_parameters } => unimplemented!(), + Self::Fail {id, user_id, code, extra_parameters } => unimplemented!(), } Ok(()) } -- cgit v1.2.3