server: Move the definition of UserId down to lldap_auth

2024-01-15 23:37:42 +01:00
parent 10609b25e9
commit 2ea17c04ba
18 changed files with 212 additions and 162 deletions
--- a/server/src/domain/sql_backend_handler.rs
+++ b/server/src/domain/sql_backend_handler.rs
@@ -63,7 +63,7 @@ pub mod tests {
            opaque::client::registration::start_registration(pass.as_bytes(), &mut rng).unwrap();
        let response = handler
            .registration_start(registration::ClientRegistrationStartRequest {
-                username: name.to_string(),
+                username: name.into(),
                registration_start_request: client_registration_start.message,
            })
            .await
--- a/server/src/domain/sql_opaque_handler.rs
+++ b/server/src/domain/sql_opaque_handler.rs
@@ -33,7 +33,7 @@ fn passwords_match(
        server_setup,
        Some(password_file),
        client_login_start_result.message,
-        username.as_str(),
+        username,
    )?;
    client::login::finish_login(
        client_login_start_result.state,
@@ -100,15 +100,13 @@ impl OpaqueHandler for SqlOpaqueHandler {
        &self,
        request: login::ClientLoginStartRequest,
    ) -> Result<login::ServerLoginStartResponse> {
+        let user_id = request.username;
        let maybe_password_file = self
-            .get_password_file_for_user(UserId::new(&request.username))
+            .get_password_file_for_user(user_id.clone())
            .await?
            .map(|bytes| {
                opaque::server::ServerRegistration::deserialize(&bytes).map_err(|_| {
-                    DomainError::InternalError(format!(
-                        "Corrupted password file for {}",
-                        &request.username
-                    ))
+                    DomainError::InternalError(format!("Corrupted password file for {}", &user_id))
                })
            })
            .transpose()?;
@@ -120,11 +118,11 @@ impl OpaqueHandler for SqlOpaqueHandler {
            self.config.get_server_setup(),
            maybe_password_file,
            request.login_start_request,
-            &request.username,
+            &user_id,
        )?;
        let secret_key = self.get_orion_secret_key()?;
        let server_data = login::ServerData {
-            username: request.username,
+            username: user_id,
            server_login: start_response.state,
        };
        let encrypted_state = orion::aead::seal(&secret_key, &bincode::serialize(&server_data)?)?;
@@ -151,7 +149,7 @@ impl OpaqueHandler for SqlOpaqueHandler {
            opaque::server::login::finish_login(server_login, request.credential_finalization)?
                .session_key;

-        Ok(UserId::new(&username))
+        Ok(username)
    }

    #[instrument(skip_all, level = "debug", err)]
@@ -191,7 +189,7 @@ impl OpaqueHandler for SqlOpaqueHandler {
            opaque::server::registration::get_password_file(request.registration_upload);
        // Set the user password to the new password.
        let user_update = model::users::ActiveModel {
-            user_id: ActiveValue::Set(UserId::new(&username)),
+            user_id: ActiveValue::Set(username),
            password_hash: ActiveValue::Set(Some(password_file.serialize())),
            ..Default::default()
        };
@@ -204,7 +202,7 @@ impl OpaqueHandler for SqlOpaqueHandler {
 #[instrument(skip_all, level = "debug", err, fields(username = %username.as_str()))]
 pub(crate) async fn register_password(
    opaque_handler: &SqlOpaqueHandler,
-    username: &UserId,
+    username: UserId,
    password: &SecUtf8,
 ) -> Result<()> {
    let mut rng = rand::rngs::OsRng;
@@ -213,7 +211,7 @@ pub(crate) async fn register_password(
        opaque::client::registration::start_registration(password.unsecure().as_bytes(), &mut rng)?;
    let start_response = opaque_handler
        .registration_start(ClientRegistrationStartRequest {
-            username: username.to_string(),
+            username,
            registration_start_request: registration_start.message,
        })
        .await?;
@@ -245,7 +243,7 @@ mod tests {
        let login_start = opaque::client::login::start_login(password, &mut rng)?;
        let start_response = opaque_handler
            .login_start(ClientLoginStartRequest {
-                username: username.to_string(),
+                username: UserId::new(username),
                login_start_request: login_start.message,
            })
            .await?;
@@ -276,7 +274,7 @@ mod tests {
            .unwrap_err();
        register_password(
            &opaque_handler,
-            &UserId::new("bob"),
+            UserId::new("bob"),
            &secstr::SecUtf8::from("bob00"),
        )
        .await?;
--- a/server/src/domain/types.rs
+++ b/server/src/domain/types.rs
@@ -2,6 +2,7 @@ use std::cmp::Ordering;

 use base64::Engine;
 use chrono::{NaiveDateTime, TimeZone};
+use lldap_auth::types::CaseInsensitiveString;
 use sea_orm::{
    entity::IntoActiveValue,
    sea_query::{value::ValueType, ArrayType, BlobSize, ColumnType, Nullable, ValueTypeErr},
@@ -11,6 +12,7 @@ use serde::{Deserialize, Serialize};
 use strum::{EnumString, IntoStaticStr};

 pub use super::model::UserColumn;
+pub use lldap_auth::types::UserId;

 #[derive(PartialEq, Hash, Eq, Clone, Debug, Default, Serialize, Deserialize, DeriveValueType)]
 #[serde(try_from = "&str")]
@@ -122,112 +124,6 @@ impl Serialized {
    }
 }

-#[derive(
-    PartialEq,
-    Eq,
-    PartialOrd,
-    Ord,
-    Clone,
-    Debug,
-    Default,
-    Hash,
-    Serialize,
-    Deserialize,
-    DeriveValueType,
-)]
-#[serde(from = "String")]
-pub struct CaseInsensitiveString(String);
-
-impl CaseInsensitiveString {
-    pub fn new(user_id: &str) -> Self {
-        Self(user_id.to_lowercase())
-    }
-
-    pub fn as_str(&self) -> &str {
-        self.0.as_str()
-    }
-
-    pub fn into_string(self) -> String {
-        self.0
-    }
-}
-
-impl From<String> for CaseInsensitiveString {
-    fn from(s: String) -> Self {
-        Self::new(&s)
-    }
-}
-
-macro_rules! make_case_insensitive_string {
-    ($c:ident) => {
-        #[derive(
-            PartialEq,
-            Eq,
-            PartialOrd,
-            Ord,
-            Clone,
-            Debug,
-            Default,
-            Hash,
-            Serialize,
-            Deserialize,
-            DeriveValueType,
-        )]
-        #[serde(from = "CaseInsensitiveString")]
-        pub struct $c(CaseInsensitiveString);
-
-        impl $c {
-            pub fn new(raw: &str) -> Self {
-                Self(CaseInsensitiveString::new(raw))
-            }
-
-            pub fn as_str(&self) -> &str {
-                self.0.as_str()
-            }
-
-            pub fn into_string(self) -> String {
-                self.0.into_string()
-            }
-        }
-
-        impl From<CaseInsensitiveString> for $c {
-            fn from(s: CaseInsensitiveString) -> Self {
-                Self(s)
-            }
-        }
-
-        impl From<String> for $c {
-            fn from(s: String) -> Self {
-                Self(CaseInsensitiveString::from(s))
-            }
-        }
-
-        impl From<&str> for $c {
-            fn from(s: &str) -> Self {
-                Self::new(s)
-            }
-        }
-
-        impl std::fmt::Display for $c {
-            fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
-                write!(f, "{}", self.0.as_str())
-            }
-        }
-
-        impl From<&$c> for Value {
-            fn from(user_id: &$c) -> Self {
-                user_id.as_str().into()
-            }
-        }
-
-        impl TryFromU64 for $c {
-            fn try_from_u64(_n: u64) -> Result<Self, DbErr> {
-                Err(DbErr::ConvertFromU64("$c cannot be constructed from u64"))
-            }
-        }
-    };
-}
-
 fn compare_str_case_insensitive(s1: &str, s2: &str) -> Ordering {
    let mut it_1 = s1.chars().flat_map(|c| c.to_lowercase());
    let mut it_2 = s2.chars().flat_map(|c| c.to_lowercase());
@@ -323,8 +219,58 @@ macro_rules! make_case_insensitive_comparable_string {
    };
 }

-make_case_insensitive_string!(UserId);
-make_case_insensitive_string!(AttributeName);
+#[derive(
+    PartialEq,
+    Eq,
+    PartialOrd,
+    Ord,
+    Clone,
+    Debug,
+    Default,
+    Hash,
+    Serialize,
+    Deserialize,
+    DeriveValueType,
+)]
+#[serde(from = "CaseInsensitiveString")]
+pub struct AttributeName(CaseInsensitiveString);
+
+impl AttributeName {
+    pub fn new(s: &str) -> Self {
+        s.into()
+    }
+    pub fn as_str(&self) -> &str {
+        self.0.as_str()
+    }
+    pub fn into_string(self) -> String {
+        self.0.into_string()
+    }
+}
+impl<T> From<T> for AttributeName
+where
+    T: Into<CaseInsensitiveString>,
+{
+    fn from(s: T) -> Self {
+        Self(s.into())
+    }
+}
+impl std::fmt::Display for AttributeName {
+    fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
+        write!(f, "{}", self.0.as_str())
+    }
+}
+impl From<&AttributeName> for Value {
+    fn from(attribute_name: &AttributeName) -> Self {
+        attribute_name.as_str().into()
+    }
+}
+impl TryFromU64 for AttributeName {
+    fn try_from_u64(_n: u64) -> Result<Self, DbErr> {
+        Err(DbErr::ConvertFromU64(
+            "AttributeName cannot be constructed from u64",
+        ))
+    }
+}
 make_case_insensitive_comparable_string!(Email);
 make_case_insensitive_comparable_string!(GroupName);

--- a/server/src/infra/auth_service.rs
+++ b/server/src/infra/auth_service.rs
@@ -428,13 +428,13 @@ async fn simple_login<Backend>(
 where
    Backend: TcpBackendHandler + BackendHandler + OpaqueHandler + LoginHandler + 'static,
 {
-    let user_id = UserId::new(&request.username);
+    let login::ClientSimpleLoginRequest { username, password } = request.into_inner();
    let bind_request = BindRequest {
-        name: user_id.clone(),
-        password: request.password.clone(),
+        name: username.clone(),
+        password,
    };
    data.get_login_handler().bind(bind_request).await?;
-    get_login_successful_response(&data, &user_id).await
+    get_login_successful_response(&data, &username).await
 }

 async fn simple_login_handler<Backend>(
@@ -500,14 +500,14 @@ where
        .await
        .map_err(|e| TcpError::BadRequest(format!("{:#?}", e)))?
        .into_inner();
-    let user_id = UserId::new(&registration_start_request.username);
+    let user_id = &registration_start_request.username;
    let user_is_admin = data
        .get_readonly_handler()
-        .get_user_groups(&user_id)
+        .get_user_groups(user_id)
        .await?
        .iter()
        .any(|g| g.display_name == "lldap_admin".into());
-    if !validation_result.can_change_password(&user_id, user_is_admin) {
+    if !validation_result.can_change_password(user_id, user_is_admin) {
        return Err(TcpError::UnauthorizedError(
            "Not authorized to change the user's password".to_string(),
        ));
--- a/server/src/infra/ldap_handler.rs
+++ b/server/src/infra/ldap_handler.rs
@@ -306,7 +306,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
    async fn change_password<B: OpaqueHandler>(
        &self,
        backend_handler: &B,
-        user: &UserId,
+        user: UserId,
        password: &[u8],
    ) -> Result<()> {
        use lldap_auth::*;
@@ -314,7 +314,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
        let registration_start_request =
            opaque::client::registration::start_registration(password, &mut rng)?;
        let req = registration::ClientRegistrationStartRequest {
-            username: user.to_string(),
+            username: user.clone(),
            registration_start_request: registration_start_request.message,
        };
        let registration_start_response = backend_handler.registration_start(req).await?;
@@ -371,7 +371,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
                                ),
                            })
                        } else if let Err(e) = self
-                            .change_password(self.get_opaque_handler(), &uid, password.as_bytes())
+                            .change_password(self.get_opaque_handler(), uid, password.as_bytes())
                            .await
                        {
                            Err(LdapError {
@@ -413,7 +413,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend

    async fn handle_modify_change(
        &mut self,
-        user_id: &UserId,
+        user_id: UserId,
        credentials: &ValidationResults,
        user_is_admin: bool,
        change: &LdapModify,
@@ -429,7 +429,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
                ),
            });
        }
-        if !credentials.can_change_password(user_id, user_is_admin) {
+        if !credentials.can_change_password(&user_id, user_is_admin) {
            return Err(LdapError {
                code: LdapResultCode::InsufficentAccessRights,
                message: format!(
@@ -488,7 +488,7 @@ impl<Backend: BackendHandler + LoginHandler + OpaqueHandler> LdapHandler<Backend
                    .iter()
                    .any(|g| g.display_name == "lldap_admin".into());
                for change in &request.changes {
-                    self.handle_modify_change(&uid, &credentials, user_is_admin, change)
+                    self.handle_modify_change(uid.clone(), &credentials, user_is_admin, change)
                        .await?
                }
                Ok(vec![make_modify_response(
@@ -2199,7 +2199,7 @@ mod tests {
            opaque::client::registration::start_registration("password".as_bytes(), &mut rng)
                .unwrap();
        let request = registration::ClientRegistrationStartRequest {
-            username: "bob".to_string(),
+            username: "bob".into(),
            registration_start_request: registration_start_request.message,
        };
        let start_response = opaque::server::registration::start_registration(
@@ -2247,7 +2247,7 @@ mod tests {
            opaque::client::registration::start_registration("password".as_bytes(), &mut rng)
                .unwrap();
        let request = registration::ClientRegistrationStartRequest {
-            username: "bob".to_string(),
+            username: "bob".into(),
            registration_start_request: registration_start_request.message,
        };
        let start_response = opaque::server::registration::start_registration(
@@ -2297,7 +2297,7 @@ mod tests {
            opaque::client::registration::start_registration("password".as_bytes(), &mut rng)
                .unwrap();
        let request = registration::ClientRegistrationStartRequest {
-            username: "bob".to_string(),
+            username: "bob".into(),
            registration_start_request: registration_start_request.message,
        };
        let start_response = opaque::server::registration::start_registration(
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -46,7 +46,9 @@ async fn create_admin_user(handler: &SqlBackendHandler, config: &Configuration)
            display_name: Some("Administrator".to_string()),
            ..Default::default()
        })
-        .and_then(|_| register_password(handler, &config.ldap_user_dn, &config.ldap_user_pass))
+        .and_then(|_| {
+            register_password(handler, config.ldap_user_dn.clone(), &config.ldap_user_pass)
+        })
        .await
        .context("Error creating admin user")?;
    let groups = handler
@@ -137,7 +139,7 @@ async fn set_up_server(config: Configuration) -> Result<ServerBuilder> {
        warn!("Forcing admin password reset to the config-provided password");
        register_password(
            &backend_handler,
-            &config.ldap_user_dn,
+            config.ldap_user_dn.clone(),
            &config.ldap_user_pass,
        )
        .await