feat : methods for adding and deleting ssh keys

needs testing and changes to error handling - match statements?
This commit is contained in:
daragh 2023-12-30 03:38:36 +00:00
parent 91dcb021a9
commit 0492bffe61
No known key found for this signature in database
2 changed files with 130 additions and 54 deletions

View file

@ -1,44 +1,44 @@
use skynet_ldap_backend::{ use skynet_ldap_backend::{
db_init, get_config, db_init, get_config,
methods::{account_new, account_recover, account_update, account_ssh}, methods::{account_new, account_recover, account_update, account_ssh},
State, State,
}; };
#[async_std::main] #[async_std::main]
async fn main() -> tide::Result<()> { async fn main() -> tide::Result<()> {
let config = get_config(); let config = get_config();
let db = db_init(&config).await?; let db = db_init(&config).await?;
let host_port = config.host_port.clone(); let host_port = config.host_port.clone();
tide::log::start(); tide::log::start();
let state = State { let state = State {
db, db,
config, config,
}; };
let mut app = tide::with_state(state); let mut app = tide::with_state(state);
// for users to update their own profile // for users to update their own profile
app.at("/ldap/update").post(account_update::submit); app.at("/ldap/update").post(account_update::submit);
// for new users // for new users
app.at("/ldap/new/email").post(account_new::email::submit); app.at("/ldap/new/email").post(account_new::email::submit);
app.at("/ldap/new/account").post(account_new::account::submit); app.at("/ldap/new/account").post(account_new::account::submit);
// for folks who forget password/username // for folks who forget password/username
app.at("/ldap/recover/password").post(account_recover::password::reset); app.at("/ldap/recover/password").post(account_recover::password::reset);
app.at("/ldap/recover/password/auth").post(account_recover::password::auth); app.at("/ldap/recover/password/auth").post(account_recover::password::auth);
app.at("/ldap/recover/username").post(account_recover::username::submit); app.at("/ldap/recover/username").post(account_recover::username::submit);
app.at("/ldap/recover/ssh/request").post(account_recover::ssh::request); app.at("/ldap/recover/ssh/request").post(account_recover::ssh::request);
app.at("/ldap/recover/ssh/verify").post(account_recover::ssh::verify); app.at("/ldap/recover/ssh/verify").post(account_recover::ssh::verify);
//for getting current ssh keys associated with the account //for getting current ssh keys associated with the account
app.at("/ldap/ssh").post(account_ssh::get_ssh_keys); app.at("/ldap/ssh").post(account_ssh::get_ssh_keys);
//app.at("/ldap/ssh").delete(account_ssh::remove_key); app.at("/ldap/ssh").delete(account_ssh::remove_ssh_key);
//app.at("/ldap/ssh/add").post(account_ssh::add_ssh_key); app.at("/ldap/ssh/add").post(account_ssh::add_ssh_key);
app.listen(host_port).await?; app.listen(host_port).await?;
Ok(()) Ok(())
} }

View file

@ -1,47 +1,123 @@
use crate::{methods::account_new::email::get_wolves_mail, update_group, Accounts, Config, State}; use std::collections::HashSet;
use ldap3::{exop::PasswordModify, LdapConn, LdapResult, Mod, ResultEntry, Scope, SearchEntry}; use crate::{State, LdapAuthResult, LdapAuth};
use ldap3::{LdapConn, Mod, Scope, SearchEntry};
use tide::{ use tide::{
prelude::{json, Deserialize, Serialize}, prelude::{json, Deserialize},
Request, Request,
}; };
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
pub struct User { pub struct SSHKey {
user: String, auth: LdapAuth,
pass: String, key: String,
}
pub async fn add_ssh_key(mut req: Request<State>) -> tide::Result {
let SSHKey {
auth,
key,
} = req.body_json().await?;
let config = &req.state().config;
let mut ldap = LdapConn::new(&config.ldap_host)?;
let dn = format!("uid={},ou=users,dc=skynet,dc=ie", auth.user);
ldap.simple_bind(&dn, &auth.pass)?.success()?;
let LdapAuthResult {
mut ldap,
dn,
is_skynet_user: _,
} = match crate::auth_user(&auth, config).await {
None => return Ok(json!({"result": "error", "error": "Failed to authenticate"}).into()),
Some(x) => x,
};
let mods = vec![
Mod::Add("sshPublicKey".to_string(), HashSet::from([key])),
];
match ldap.modify(&dn, mods) {
Ok(_) => {
ldap.unbind()?;
Ok(json!({"result": "success"}).into())
}
Err(e) => {
dbg!(e);
ldap.unbind()?;
Ok(json!({"result": "error", "error": "Failed to add key"}).into())
}
}
}
pub async fn remove_ssh_key(mut req: Request<State>) -> tide::Result {
let SSHKey {
auth,
key,
} = req.body_json().await?;
let config = &req.state().config;
let mut ldap = LdapConn::new(&config.ldap_host)?;
let dn = format!("uid={},ou=users,dc=skynet,dc=ie", auth.user);
match ldap.simple_bind(&dn, &auth.pass) {
Ok(_) => {}
Err(e) => {
dbg!(e);
return Ok(json!({"result": "error", "error": "Failed to bind"}).into());
}
}
let LdapAuthResult {
mut ldap,
dn,
is_skynet_user: _
} = match crate::auth_user(&auth, config).await {
None => return Ok(json!({"result": "error", "error": "Failed to authenticate"}).into()),
Some(x) => x,
};
let mods = vec![
Mod::Delete("sshPublicKey".to_string(), HashSet::from([key])),
];
match ldap.modify(&dn, mods) {
Ok(_) => {
ldap.unbind()?;
Ok(json!({"result": "success"}).into())
}
Err(e) => {
dbg!(e);
ldap.unbind()?;
Ok(json!({"result": "error", "error": "Failed to remove key"}).into())
}
}
} }
pub async fn get_ssh_keys(mut req: Request<State>) -> tide::Result { pub async fn get_ssh_keys(mut req: Request<State>) -> tide::Result {
let User { let LdapAuth {
user, user,
pass pass
} = req.body_json().await?; } = req.body_json().await?;
let config = &req.state().config; let config = &req.state().config;
// easier to give each request its own connection
let mut ldap = LdapConn::new(&config.ldap_host)?; let mut ldap = LdapConn::new(&config.ldap_host)?;
let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user); let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user);
ldap.simple_bind(&dn, &pass)?.success()?; ldap.simple_bind(&dn, &pass)?.success()?;
// always assume insecure let LdapAuthResult {
let mut is_skynet_user = false; mut ldap,
dn,
// get the users current password hash is_skynet_user: _,
let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword", "memberOf"])?.success()?; } = match crate::auth_user(&LdapAuth { user, pass }, config).await {
if !rs.is_empty() { None => return Ok(json!({"result": "error", "error": "Failed to authenticate"}).into()),
let tmp = SearchEntry::construct(rs[0].clone()); Some(x) => if x.is_skynet_user {
if tmp.attrs.contains_key("memberOf") { x
for group in tmp.attrs["memberOf"].clone() { } else {
if group.contains("skynet-users") { return Ok(json!({"result": "error", "error": "Not a skynet user"}).into());
is_skynet_user = true;
}
}
} }
} };
if !is_skynet_user {
return Ok(json!({"result": "error", "error": "Invalid username or password"}).into())
}
let mut keys: Vec<String> = vec![]; let mut keys: Vec<String> = vec![];
let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["sshPublicKey"])?.success()?; let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["sshPublicKey"])?.success()?;