Provide keyutils with persistence-after-reboot using secret-service #222

Merged
merged 20 commits into from
Oct 26, 2024
Changes from 15 commits
6 changes: 6 additions & 0 deletions .github/workflows/ci.yaml
Expand Up @@ -56,6 +56,12 @@ jobs:
- "async-secret-service,async-io,crypto-rust"
- "async-secret-service,tokio,crypto-openssl"
- "async-secret-service,async-io,crypto-openssl"
- "linux-native-sync-persistent,crypto-rust"
- "linux-native-sync-persistent,crypto-openssl"
- "linux-native-async-persistent,tokio,crypto-rust"
- "linux-native-async-persistent,async-io,crypto-rust"
- "linux-native-async-persistent,tokio,crypto-openssl"
- "linux-native-async-persistent,async-io,crypto-openssl"

steps:
- name: Install CI dependencies
2 changes: 2 additions & 0 deletions Cargo.toml
Expand Up @@ -17,6 +17,8 @@ linux-native = ["dep:linux-keyutils"]
apple-native = ["dep:security-framework"]
windows-native = ["dep:windows-sys", "dep:byteorder"]

linux-native-sync-persistent = ["linux-native", "sync-secret-service"]
linux-native-async-persistent = ["linux-native", "async-secret-service"]
sync-secret-service = ["dep:dbus-secret-service"]
async-secret-service = ["dep:secret-service", "dep:zbus"]
crypto-rust = ["dbus-secret-service?/crypto-rust", "secret-service?/crypto-rust"]
125 changes: 125 additions & 0 deletions src/keyutils_persistent.rs
@@ -0,0 +1,125 @@
/*!

# keyutils-persistent credential store

TODO

*/
use log::debug;

use super::credential::{
Credential, CredentialApi, CredentialBuilder, CredentialBuilderApi, CredentialPersistence,
};
use super::error::{Error, Result};
use super::keyutils::KeyutilsCredential;
use super::secret_service::SsCredential;

#[derive(Debug, Clone)]
pub struct KeyutilsPersistentCredential {
keyutils: KeyutilsCredential,
ss: SsCredential,
}

impl CredentialApi for KeyutilsPersistentCredential {
fn set_password(&self, password: &str) -> Result<()> {
self.set_secret(password.as_bytes())
}

fn set_secret(&self, secret: &[u8]) -> Result<()> {
let prev_secret = self.keyutils.get_secret()?;
self.keyutils.set_secret(secret)?;

if let Err(err) = self.ss.set_secret(secret) {
self.keyutils.set_secret(&prev_secret)?;
return Err(err);
}

Ok(())
}

fn get_password(&self) -> Result<String> {
if let Ok(password) = self.keyutils.get_password() {
return Ok(password);
}

let password = self.ss.get_password().map_err(ambigous_to_no_entry)?;
self.keyutils.set_password(&password)?;

Ok(password)
}

fn get_secret(&self) -> Result<Vec<u8>> {
if let Ok(secret) = self.keyutils.get_secret() {
return Ok(secret);
}

let secret = self.ss.get_secret().map_err(ambigous_to_no_entry)?;
self.keyutils.set_secret(&secret)?;

Ok(secret)
}

fn delete_credential(&self) -> Result<()> {
if let Err(err) = self.keyutils.delete_credential() {
debug!("cannot delete keyutils credential: {err}");
}
self.ss.delete_credential()
}

fn as_any(&self) -> &dyn std::any::Any {
self
}

fn debug_fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
std::fmt::Debug::fmt(self, f)
}
}

impl KeyutilsPersistentCredential {
pub fn new_with_target(target: Option<&str>, service: &str, user: &str) -> Result<Self> {
let ss = SsCredential::new_with_target(target, service, user)?;
let keyutils = KeyutilsCredential::new_with_target(target, service, user)?;
Ok(Self { keyutils, ss })
}
}

/// The builder for secret-service-with-keyutils credentials
#[derive(Debug, Default)]
pub struct KeyutilsPersistentCredentialBuilder {}

/// Returns an instance of the secret-service-with-keyutils credential builder.
///
/// If secret-service-with-keyutils is the default credential store,
/// this is called once when an entry is first created.
pub fn default_credential_builder() -> Box<CredentialBuilder> {
Box::new(KeyutilsPersistentCredentialBuilder {})
}

impl CredentialBuilderApi for KeyutilsPersistentCredentialBuilder {
/// Build an [KeyutilsPersistentCredential] for the given target, service, and user.
fn build(&self, target: Option<&str>, service: &str, user: &str) -> Result<Box<Credential>> {
Ok(Box::new(SsCredential::new_with_target(
target, service, user,
)?))
}

/// Return the underlying builder object with an `Any` type so that it can
/// be downgraded to an [KeyutilsPersistentCredentialBuilder] for platform-specific processing.
fn as_any(&self) -> &dyn std::any::Any {
self
}

/// Since this keystore keeps credentials in kernel memory,
/// they vanish on reboot
fn persistence(&self) -> CredentialPersistence {
CredentialPersistence::UntilDelete
}
}

fn ambigous_to_no_entry(err: Error) -> Error {
if let Error::Ambiguous(_) = err {
return Error::NoEntry;
};

err
}
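Review bot: `CredentialBuilderApi::build` returns a boxed `SsCredential`, so entries created through `default_credential_builder()` are plain secret-service credentials and never go through the keyutils layer; the body should be `Ok(Box::new(KeyutilsPersistentCredential::new_with_target(target, service, user)?))`. In `set_secret`, `self.keyutils.get_secret()?` propagates the error when the keyring holds no previous value (presumably `Error::NoEntry`), so the first write for a new entry would fail before anything is stored; take the previous value with `.ok()` and restore it only when there was one. `delete_credential` logs any keyutils failure at debug level and still returns the secret-service result, which can leave the secret readable from the kernel keyring (and served by `get_password`) after the caller was told it was deleted; only a missing entry should be ignored there. The doc comment on `persistence()` still says the credentials vanish on reboot while the method returns `CredentialPersistence::UntilDelete`, and the module doc is still `TODO`.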
58 changes: 37 additions & 21 deletions src/lib.rs
Expand Up @@ -184,50 +184,67 @@ pub mod mock;
//
// can't use both sync and async secret service
//
#[cfg(all(feature = "sync-secret-service", feature = "async-secret-service"))]
compile_error!("This crate cannot use the secret-service both synchronously and asynchronously");
#[cfg(any(
all(feature = "sync-secret-service", feature = "async-secret-service"),
all(
feature = "linux-native-sync-persistent",
feature = "linux-native-async-persistent",
)
))]
compile_error!("This crate cannot use both the sync and async versions of any credential store");

//
// pick the *nix keystore
//

#[cfg(all(target_os = "linux", feature = "linux-native"))]
pub mod keyutils;
// use keyutils as default if secret-service is not available
#[cfg(all(
target_os = "linux",
feature = "linux-native",
not(any(feature = "sync-secret-service", feature = "async-secret-service"))
not(feature = "sync-secret-service"),
not(feature = "async-secret-service"),
))]
pub use keyutils as default;

#[cfg(all(
any(target_os = "linux", target_os = "freebsd", target_os = "openbsd"),
any(feature = "sync-secret-service", feature = "async-secret-service")
any(feature = "sync-secret-service", feature = "async-secret-service"),
))]
pub mod secret_service;
// use secret-service as default if it's available
#[cfg(all(
any(target_os = "linux", target_os = "freebsd", target_os = "openbsd"),
any(feature = "sync-secret-service", feature = "async-secret-service"),
not(any(
feature = "linux-native-sync-persistent",
feature = "linux-native-async-persistent",
)),
))]
pub use secret_service as default;

// fallback to mock if neither keyutils nor secret service is available
#[cfg(any(
all(
target_os = "linux",
not(any(
feature = "linux-native",
feature = "sync-secret-service",
feature = "async-secret-service"
))
),
all(
any(target_os = "freebsd", target_os = "openbsd"),
not(any(feature = "sync-secret-service", feature = "async-secret-service"))
#[cfg(all(
target_os = "linux",
any(
feature = "linux-native-sync-persistent",
feature = "linux-native-async-persistent",
)
))]
pub mod keyutils_persistent;
#[cfg(all(
target_os = "linux",
any(
feature = "linux-native-sync-persistent",
feature = "linux-native-async-persistent",
),
))]
pub use keyutils_persistent as default;

// fallback to mock if neither keyutils nor secret service is available
#[cfg(all(
any(target_os = "linux", target_os = "freebsd", target_os = "openbsd"),
not(feature = "linux-native"),
not(feature = "sync-secret-service"),
not(feature = "async-secret-service"),
))]
pub use mock as default;

//
Expand All @@ -250,7 +267,6 @@ pub use mock as default;
//
// pick the Windows keystore
//

#[cfg(all(target_os = "windows", feature = "windows-native"))]
pub mod windows;
#[cfg(all(target_os = "windows", not(feature = "windows-native")))]
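Review bot: On FreeBSD and OpenBSD the new cfg conditions in the first hunk appear to leave no `default` store for some feature sets. With a `linux-native-*-persistent` feature enabled, `pub use secret_service as default` is excluded by the new `not(any(...))` clause while `keyutils_persistent as default` is gated on `target_os = "linux"`; restricting the exclusion to Linux would fix it, e.g. `not(all(target_os = "linux", any(feature = "linux-native-sync-persistent", feature = "linux-native-async-persistent"))),`. The mock fallback also now requires `not(feature = "linux-native")` on all three operating systems, whereas the previous condition still chose mock on the BSDs when only `linux-native` was set; that test should apply to `target_os = "linux"` only. The second `all(...)` in the `compile_error!` guard looks redundant, since each persistent feature already enables the matching secret-service feature in Cargo.toml.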