Merge pull request #321 from himmelblau-idm/stable-0.7.x_hello_pin_ch…

…ange Stable 0.7.x Hello Pin changes via `passwd` command
himmelblau-idm · Dec 10, 2024 · fe7972e · fe7972e
2 parents 9d4b750 + 8a0a641
commit fe7972e
Show file tree

Hide file tree

Showing 23 changed files with 615 additions and 136 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -48,7 +48,15 @@ jobs:
             autoconf \
             gettext \
             libdbus-1-dev \
-            libutf8proc-dev
+            libutf8proc-dev \
+            libgirepository1.0-dev \
+            libcairo2-dev \
+            libgdk-pixbuf2.0-dev \
+            libsoup-3.0-dev \
+            libpango1.0-dev \
+            libatk1.0-dev \
+            libgtk-3-dev \
+            libwebkit2gtk-4.1-dev
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update

diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml
@@ -41,16 +41,22 @@ jobs:
             tpm-udev \
             libtss2-dev \
             libcap-dev \
-            libtalloc-dev \
-            libtevent-dev \
-            libldb-dev \
             libdhash-dev \
             libkrb5-dev \
             libpcre2-dev \
             libclang-13-dev \
             autoconf \
             gettext \
-            libdbus-1-dev
+            libdbus-1-dev \
+            libutf8proc-dev \
+            libgirepository1.0-dev \
+            libcairo2-dev \
+            libgdk-pixbuf2.0-dev \
+            libsoup-3.0-dev \
+            libpango1.0-dev \
+            libatk1.0-dev \
+            libgtk-3-dev \
+            libwebkit2gtk-4.1-dev
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -48,7 +48,15 @@ jobs:
             autoconf \
             gettext \
             libdbus-1-dev \
-            libutf8proc-dev
+            libutf8proc-dev \
+            libgirepository1.0-dev \
+            libcairo2-dev \
+            libgdk-pixbuf2.0-dev \
+            libsoup-3.0-dev \
+            libpango1.0-dev \
+            libatk1.0-dev \
+            libgtk-3-dev \
+            libwebkit2gtk-4.1-dev
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update

diff --git a/Cargo.toml b/Cargo.toml
@@ -19,7 +19,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.7.10"
+version = "0.7.11"
 authors = [
     "David Mulder <[email protected]>"
 ]
@@ -40,7 +40,7 @@ tracing-subscriber = "^0.3.17"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
 kanidm_unix_common = { path = "src/glue" }
-libhimmelblau = { version = "0.4.2" }
+libhimmelblau = { version = "0.4.4" }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.4.1"
 reqwest = { version = "^0.12.2", features = ["json"] }

diff --git a/README.md b/README.md
@@ -67,7 +67,7 @@ sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau
 
 The following packages are required on openSUSE to build and test this package.
 
-    sudo zypper in make cargo git gcc sqlite3-devel libopenssl-3-devel pam-devel libcap-devel libtalloc-devel libtevent-devel libldb-devel libdhash-devel krb5-devel pcre2-devel libclang13 autoconf make automake  gettext-tools clang
+    sudo zypper in make cargo git gcc sqlite3-devel libopenssl-3-devel pam-devel libcap-devel libtalloc-devel libtevent-devel libldb-devel libdhash-devel krb5-devel pcre2-devel libclang13 autoconf make automake  gettext-tools clang dbus-1-devel utf8proc-devel gobject-introspection-devel cairo-devel gdk-pixbuf-devel libsoup-devel pango-devel atk-devel gtk3-devel webkit2gtk3-devel
 
 
 Or on Debian based systems:

diff --git a/images/rpm/Dockerfile.fedora41 b/images/rpm/Dockerfile.fedora41
@@ -22,7 +22,14 @@ RUN dnf -y update && \
     gettext \
     sqlite-devel \
     utf8proc-devel \
-    cargo && \
+    cargo \
+    gobject-introspection-devel \
+    cairo-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel && \
     dnf clean all
 
 # Set environment for Rust
@@ -37,4 +44,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
diff --git a/images/rpm/Dockerfile.rawhide b/images/rpm/Dockerfile.rawhide
@@ -22,7 +22,14 @@ RUN dnf -y update && \
     gettext \
     sqlite-devel \
     utf8proc-devel \
-    cargo && \
+    cargo \
+    gobject-introspection-devel \
+    cairo-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel && \
     dnf clean all
 
 # Set environment for Rust
@@ -37,4 +44,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
diff --git a/images/rpm/Dockerfile.rocky9 b/images/rpm/Dockerfile.rocky9
@@ -28,6 +28,14 @@ RUN yum update -y && yum install -y \
     gettext \
     sqlite-devel \
     utf8proc-devel \
+    gobject-introspection-devel \
+    cairo-devel \
+    gdk-pixbuf-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel \
     && yum clean all
 
 # Install Rust (latest stable)
@@ -45,4 +53,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the .deb package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
diff --git a/images/rpm/Dockerfile.tumbleweed b/images/rpm/Dockerfile.tumbleweed
@@ -24,6 +24,14 @@ RUN zypper --non-interactive refresh && zypper --non-interactive update && \
     sqlite3-devel \
     utf8proc-devel \
     cargo \
+    gobject-introspection-devel \
+    cairo-devel \
+    gdk-pixbuf-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel \
     && zypper clean --all
 
 # Set environment for Rust
@@ -38,4 +46,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
diff --git a/images/ubuntu/Dockerfile.22.04 b/images/ubuntu/Dockerfile.22.04
@@ -32,6 +32,15 @@ RUN apt-get update && apt-get install -y \
     cargo \
     libsqlite3-dev \
     libutf8proc-dev \
+    libgirepository1.0-dev \
+    libcairo2-dev \
+    libgdk-pixbuf2.0-dev \
+    libsoup-3.0-dev \
+    libpango1.0-dev \
+    libatk1.0-dev \
+    libgtk-3-dev \
+    libwebkit2gtk-4.1-dev \
+    libjavascriptcoregtk-4.1-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Rust (latest stable)

diff --git a/images/ubuntu/Dockerfile.24.04 b/images/ubuntu/Dockerfile.24.04
@@ -32,6 +32,14 @@ RUN apt-get update && apt-get install -y \
     cargo \
     libsqlite3-dev \
     libutf8proc-dev \
+    libgirepository1.0-dev \
+    libcairo2-dev \
+    libgdk-pixbuf2.0-dev \
+    libsoup-3.0-dev \
+    libpango1.0-dev \
+    libatk1.0-dev \
+    libgtk-3-dev \
+    libwebkit2gtk-4.1-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Rust (latest stable)

diff --git a/src/common/src/idprovider/himmelblau.rs b/src/common/src/idprovider/himmelblau.rs
@@ -237,6 +237,38 @@ impl IdProvider for HimmelblauMultiProvider {
         }
     }
 
+    async fn change_auth_token<D: KeyStoreTxn + Send>(
+        &self,
+        account_id: &str,
+        token: &UnixUserToken,
+        new_tok: &str,
+        keystore: &mut D,
+        tpm: &mut tpm::BoxedDynTpm,
+        machine_key: &tpm::MachineKey,
+    ) -> Result<bool, IdpError> {
+        match split_username(account_id) {
+            Some((_sam, domain)) => {
+                let providers = self.providers.read().await;
+                match providers.get(domain) {
+                    Some(provider) => {
+                        provider
+                            .change_auth_token(
+                                account_id,
+                                token,
+                                new_tok,
+                                keystore,
+                                tpm,
+                                machine_key,
+                            )
+                            .await
+                    }
+                    None => Err(IdpError::NotFound),
+                }
+            }
+            None => Err(IdpError::NotFound),
+        }
+    }
+
     async fn unix_user_get(
         &self,
         id: &Id,
@@ -515,6 +547,54 @@ impl IdProvider for HimmelblauProvider {
             })
     }
 
+    async fn change_auth_token<D: KeyStoreTxn + Send>(
+        &self,
+        account_id: &str,
+        token: &UnixUserToken,
+        new_tok: &str,
+        keystore: &mut D,
+        tpm: &mut tpm::BoxedDynTpm,
+        machine_key: &tpm::MachineKey,
+    ) -> Result<bool, IdpError> {
+        let hello_tag = self.fetch_hello_key_tag(account_id);
+
+        // Ensure the user is setting the token for the account it has authenticated to
+        if account_id.to_string().to_lowercase()
+            != token
+                .spn()
+                .map_err(|e| {
+                    error!("Failed checking the spn on the user token: {:?}", e);
+                    IdpError::BadRequest
+                })?
+                .to_lowercase()
+        {
+            error!("A hello key may only be set by the authenticated user!");
+            return Err(IdpError::BadRequest);
+        }
+
+        // Set the hello pin
+        let hello_key = match self
+            .client
+            .write()
+            .await
+            .provision_hello_for_business_key(token, tpm, machine_key, new_tok)
+            .await
+        {
+            Ok(hello_key) => hello_key,
+            Err(e) => {
+                error!("Failed to provision hello key: {:?}", e);
+                return Ok(false);
+            }
+        };
+        keystore
+            .insert_tagged_hsm_key(&hello_tag, &hello_key)
+            .map_err(|e| {
+                error!("Failed to provision hello key: {:?}", e);
+                IdpError::Tpm
+            })?;
+        Ok(true)
+    }
+
     async fn unix_user_get(
         &self,
         id: &Id,

diff --git a/src/common/src/idprovider/interface.rs b/src/common/src/idprovider/interface.rs
@@ -188,6 +188,16 @@ pub trait IdProvider {
         _machine_key: &tpm::MachineKey,
     ) -> Result<String, IdpError>;
 
+    async fn change_auth_token<D: KeyStoreTxn + Send>(
+        &self,
+        _account_id: &str,
+        _token: &UnixUserToken,
+        _new_tok: &str,
+        _keystore: &mut D,
+        _tpm: &mut tpm::BoxedDynTpm,
+        _machine_key: &tpm::MachineKey,
+    ) -> Result<bool, IdpError>;
+
     async fn unix_user_online_auth_init<D: KeyStoreTxn + Send>(
         &self,
         _account_id: &str,

diff --git a/src/common/src/resolver.rs b/src/common/src/resolver.rs
@@ -679,6 +679,35 @@ where
         }
     }
 
+    pub async fn change_auth_token(
+        &self,
+        account_id: &str,
+        token: &UnixUserToken,
+        new_tok: &str,
+    ) -> Result<bool, ()> {
+        let mut hsm_lock = self.hsm.lock().await;
+        let mut dbtxn = self.db.write().await;
+
+        let res = self
+            .client
+            .change_auth_token(
+                account_id,
+                token,
+                new_tok,
+                &mut dbtxn,
+                hsm_lock.deref_mut(),
+                &self.machine_key,
+            )
+            .await;
+
+        drop(hsm_lock);
+        dbtxn.commit().map_err(|_| ())?;
+
+        res.map_err(|e| {
+            debug!("change_auth_token error -> {:?}", e);
+        })
+    }
+
     pub async fn get_usertoken(&self, account_id: Id) -> Result<Option<UserToken>, ()> {
         debug!("get_usertoken");
         // get the item from the cache

diff --git a/src/common/src/unix_proto.rs b/src/common/src/unix_proto.rs
@@ -73,6 +73,7 @@ pub enum ClientRequest {
     PamAuthenticateStep(PamAuthRequest),
     PamAccountAllowed(String),
     PamAccountBeginSession(String),
+    PamChangeAuthToken(String, String, String, String),
     InvalidateCache,
     ClearCache,
     Status,
@@ -94,6 +95,9 @@ impl ClientRequest {
                 format!("PamAccountAllowed({})", id)
             }
             ClientRequest::PamAccountBeginSession(_) => "PamAccountBeginSession".to_string(),
+            ClientRequest::PamChangeAuthToken(id, _, _, _) => {
+                format!("PamChangeAuthToken({}, ...)", id)
+            }
             ClientRequest::InvalidateCache => "InvalidateCache".to_string(),
             ClientRequest::ClearCache => "ClearCache".to_string(),
             ClientRequest::Status => "Status".to_string(),

diff --git a/src/daemon/Cargo.toml b/src/daemon/Cargo.toml
@@ -42,6 +42,7 @@ kanidm_lib_file_permissions.workspace = true
 identity_dbus_broker.workspace = true
 base64.workspace = true
 async-trait = "0.1.83"
+libhimmelblau.workspace = true
 
 [package.metadata.deb]
 name = "himmelblau"