1use crate::common::ToClientError;
2use std::cmp::Reverse;
3use std::collections::BTreeMap;
4use std::fs::{create_dir, File};
5use std::io::{self, BufReader, BufWriter, ErrorKind, IsTerminal, Write};
6use std::path::PathBuf;
7use std::str::FromStr;
8
9use compact_jwt::{
10 traits::JwsVerifiable, Jwk, JwsCompact, JwsEs256Verifier, JwsVerifier, JwtError,
11};
12use dialoguer::theme::ColorfulTheme;
13use dialoguer::Select;
14use kanidm_client::{ClientError, KanidmClient};
15use kanidm_proto::cli::OpType;
16use kanidm_proto::internal::UserAuthToken;
17use kanidm_proto::v1::{AuthAllowed, AuthResponse, AuthState};
18#[cfg(target_family = "unix")]
19use libc::umask;
20use webauthn_authenticator_rs::prelude::RequestChallengeResponse;
21
22use crate::common::prompt_for_username_get_username;
23use crate::webauthn::get_authenticator;
24use crate::{KanidmClientParser, LoginOpt, LogoutOpt, SessionOpt};
25
26use serde::{Deserialize, Serialize};
27
28static TOKEN_DIR: &str = "~/.cache";
29
30#[derive(Debug, Serialize, Clone, Deserialize, Default)]
31pub struct TokenInstance {
32 keys: BTreeMap<String, Jwk>,
33 tokens: BTreeMap<String, JwsCompact>,
34}
35
36impl TokenInstance {
37 pub fn tokens(&self) -> &BTreeMap<String, JwsCompact> {
38 &self.tokens
39 }
40
41 pub fn keys(&self) -> &BTreeMap<String, Jwk> {
42 &self.keys
43 }
44
45 pub fn valid_uats(&self) -> BTreeMap<String, UserAuthToken> {
46 self.tokens
47 .iter()
48 .filter_map(|(u, jwsc)| {
49 let key_id = jwsc.kid()?;
51
52 let pub_jwk = self.keys.get(key_id)?;
54
55 let jws_verifier = JwsEs256Verifier::try_from(pub_jwk)
56 .map_err(|e| {
57 error!(?e, "Unable to configure jws verifier");
58 })
59 .ok()?;
60
61 jws_verifier
62 .verify(jwsc)
63 .and_then(|jws| {
64 jws.from_json::<UserAuthToken>().map_err(|serde_err| {
65 error!(?serde_err);
66 JwtError::InvalidJwt
67 })
68 })
69 .map_err(|e| {
70 error!(?e, "Unable to verify token signature, may be corrupt");
71 })
72 .map(|uat| (u.clone(), uat))
73 .ok()
74 })
75 .collect()
76 }
77
78 pub fn cleanup(&mut self, now: time::OffsetDateTime) -> usize {
79 let retain = self.valid_uats();
81
82 let start_len = self.tokens.len();
83
84 self.tokens.retain(|spn, _tonk| {
85 if let Some(uat) = retain.get(spn) {
86 if let Some(exp) = uat.expiry {
87 exp > now
89 } else {
90 true
91 }
92 } else {
93 false
94 }
95 });
96
97 start_len - self.tokens.len()
98 }
99}
100
101#[derive(Debug, Serialize, Clone, Deserialize, Default)]
102pub struct TokenStore {
103 instances: BTreeMap<String, TokenInstance>,
104}
105
106impl TokenStore {
107 pub fn instances(&self, name: &Option<String>) -> Option<&TokenInstance> {
108 let n_lookup = name.clone().unwrap_or_default();
109
110 self.instances.get(&n_lookup)
111 }
112
113 pub fn instances_mut(&mut self, name: &Option<String>) -> Option<&mut TokenInstance> {
114 let n_lookup = name.clone().unwrap_or_default();
115
116 self.instances.get_mut(&n_lookup)
117 }
118}
119
120#[allow(clippy::result_unit_err)]
121pub fn read_tokens(token_path: &str) -> Result<TokenStore, ()> {
122 let token_path = PathBuf::from(shellexpand::tilde(token_path).into_owned());
123 if !token_path.exists() {
124 debug!(
125 "Token cache file path {:?} does not exist, returning an empty token store.",
126 token_path
127 );
128 return Ok(Default::default());
129 }
130
131 debug!("Attempting to read tokens from {:?}", &token_path);
132 let file = match File::open(&token_path) {
134 Ok(f) => f,
135 Err(e) => {
136 match e.kind() {
137 ErrorKind::PermissionDenied => {
138 error!(
140 "Permission denied reading token store file {:?}",
141 &token_path
142 );
143 return Err(());
144 }
145 _ => {
147 warn!(
148 "Cannot read tokens from {} due to error: {:?} ... continuing.",
149 token_path.display(),
150 e
151 );
152 return Ok(Default::default());
153 }
154 };
155 }
156 };
157 let reader = BufReader::new(file);
158
159 serde_json::from_reader(reader).map_err(|e| {
161 warn!(
162 "JSON/IO error reading tokens from {:?} -> {:?}",
163 &token_path, e
164 );
165 })
166}
167
168#[allow(clippy::result_unit_err)]
169pub fn write_tokens(tokens: &TokenStore, token_path: &str) -> Result<(), ()> {
170 let token_dir = PathBuf::from(shellexpand::tilde(TOKEN_DIR).into_owned());
171 let token_path = PathBuf::from(shellexpand::tilde(token_path).into_owned());
172
173 token_dir
174 .parent()
175 .ok_or_else(|| {
176 error!(
177 "Parent directory to {} is invalid (root directory?).",
178 TOKEN_DIR
179 );
180 })
181 .and_then(|parent_dir| {
182 if parent_dir.exists() {
183 Ok(())
184 } else {
185 error!("Parent directory to {} does not exist.", TOKEN_DIR);
186 Err(())
187 }
188 })?;
189
190 if !token_dir.exists() {
191 create_dir(token_dir).map_err(|e| {
192 error!("Unable to create directory - {} {:?}", TOKEN_DIR, e);
193 })?;
194 }
195
196 #[cfg(target_family = "unix")]
198 let before = unsafe { umask(0o177) };
199
200 let file = File::create(&token_path).map_err(|e| {
201 #[cfg(target_family = "unix")]
202 let _ = unsafe { umask(before) };
203 error!("Can not write to {} -> {:?}", token_path.display(), e);
204 })?;
205
206 #[cfg(target_family = "unix")]
207 let _ = unsafe { umask(before) };
208
209 let writer = BufWriter::new(file);
210 serde_json::to_writer_pretty(writer, tokens).map_err(|e| {
211 error!(
212 "JSON/IO error writing tokens to file {:?} -> {:?}",
213 &token_path, e
214 );
215 })
216}
217
218fn get_index_choice_dialoguer(msg: &str, options: &[String]) -> usize {
220 let user_select = Select::with_theme(&ColorfulTheme::default())
221 .with_prompt(msg)
222 .default(0)
223 .items(options)
224 .interact();
225
226 let selection = match user_select {
227 Err(error) => {
228 error!("Failed to handle user input: {:?}", error);
229 std::process::exit(1);
230 }
231 Ok(value) => value,
232 };
233 debug!("Index of the chosen menu item: {:?}", selection);
234
235 selection
236}
237
238async fn do_password(
239 client: &mut KanidmClient,
240 password: &Option<String>,
241) -> Result<AuthResponse, ClientError> {
242 let password = match password {
243 Some(password) => {
244 trace!("User provided password directly, don't need to prompt.");
245 password.to_owned()
246 }
247 None => dialoguer::Password::new()
248 .with_prompt("Enter password")
249 .interact()
250 .unwrap_or_else(|e| {
251 error!("Failed to create password prompt -- {:?}", e);
252 std::process::exit(1);
253 }),
254 };
255 client.auth_step_password(password.as_str()).await
256}
257
258async fn do_backup_code(client: &mut KanidmClient) -> Result<AuthResponse, ClientError> {
259 print!("Enter Backup Code: ");
260 #[allow(clippy::unwrap_used)]
262 io::stdout().flush().unwrap();
263 let mut backup_code = String::new();
264 loop {
265 if let Err(e) = io::stdin().read_line(&mut backup_code) {
266 error!("Failed to read from stdin -> {:?}", e);
267 return Err(ClientError::SystemError);
268 };
269 if !backup_code.trim().is_empty() {
270 break;
271 };
272 }
273 client.auth_step_backup_code(backup_code.trim()).await
274}
275
276async fn do_totp(client: &mut KanidmClient) -> Result<AuthResponse, ClientError> {
277 let totp = loop {
278 print!("Enter TOTP: ");
279 if let Err(e) = io::stdout().flush() {
281 error!("Somehow we failed to flush stdout: {:?}", e);
282 };
283 let mut buffer = String::new();
284 if let Err(e) = io::stdin().read_line(&mut buffer) {
285 error!("Failed to read from stdin -> {:?}", e);
286 return Err(ClientError::SystemError);
287 };
288
289 let response = buffer.trim();
290 match response.parse::<u32>() {
291 Ok(i) => break i,
292 Err(_) => eprintln!("Invalid Number"),
293 };
294 };
295 client.auth_step_totp(totp).await
296}
297
298async fn do_passkey(
299 client: &mut KanidmClient,
300 pkr: RequestChallengeResponse,
301) -> Result<AuthResponse, ClientError> {
302 let mut wa = get_authenticator();
303 println!("If your authenticator is not attached, attach it now.");
304 println!("Your authenticator will then flash/prompt for confirmation.");
305 #[cfg(target_os = "macos")]
306 println!("Note: TouchID is not currently supported on the CLI 🫤");
307 let auth = wa
308 .do_authentication(client.get_origin().clone(), pkr)
309 .map(Box::new)
310 .unwrap_or_else(|e| {
311 error!("Failed to interact with webauthn device. -- {:?}", e);
312 std::process::exit(1);
313 });
314
315 client.auth_step_passkey_complete(auth).await
316}
317
318async fn do_securitykey(
319 client: &mut KanidmClient,
320 pkr: RequestChallengeResponse,
321) -> Result<AuthResponse, ClientError> {
322 let mut wa = get_authenticator();
323 println!("Your authenticator will now flash for you to interact with it.");
324 let auth = wa
325 .do_authentication(client.get_origin().clone(), pkr)
326 .map(Box::new)
327 .unwrap_or_else(|e| {
328 error!("Failed to interact with webauthn device. -- {:?}", e);
329 std::process::exit(1);
330 });
331
332 client.auth_step_securitykey_complete(auth).await
333}
334
335pub(crate) async fn process_auth_state(
336 mut allowed: Vec<AuthAllowed>,
337 mut client: KanidmClient,
338 maybe_password: &Option<String>,
339 instance_name: &Option<String>,
340) {
341 loop {
342 debug!("Allowed mechanisms -> {:?}", allowed);
343 let choice = match allowed.len() {
345 0 => {
346 error!("Error during authentication phase: Server offered no method to proceed");
347 std::process::exit(1);
348 }
349 1 =>
350 {
351 #[allow(clippy::expect_used)]
352 allowed
353 .first()
354 .expect("can not fail - bounds already checked.")
355 }
356 _ => {
357 let mut options = Vec::new();
358 allowed.sort_unstable_by(|a, b| Reverse(a).cmp(&Reverse(b)));
360 for val in allowed.iter() {
361 options.push(val.to_string());
362 }
363 let msg = "Please choose which credential to provide:";
364 let selection = get_index_choice_dialoguer(msg, &options);
365
366 #[allow(clippy::expect_used)]
367 allowed
368 .get(selection)
369 .expect("Failed to select an authentication option!")
370 }
371 };
372
373 let res = match choice {
374 AuthAllowed::Anonymous => client.auth_step_anonymous().await,
375 AuthAllowed::Password => do_password(&mut client, maybe_password).await,
376 AuthAllowed::BackupCode => do_backup_code(&mut client).await,
377 AuthAllowed::Totp => do_totp(&mut client).await,
378 AuthAllowed::Passkey(chal) => do_passkey(&mut client, chal.clone()).await,
379 AuthAllowed::SecurityKey(chal) => do_securitykey(&mut client, chal.clone()).await,
380 };
381
382 let state = res
384 .unwrap_or_else(|e| {
385 error!("Error in authentication phase: {:?}", e);
386 std::process::exit(1);
387 })
388 .state;
389
390 allowed = match &state {
392 AuthState::Continue(allowed) => allowed.to_vec(),
393 AuthState::Success(_token) => break,
394 AuthState::Denied(reason) => {
395 error!("Authentication Denied: {:?}", reason);
396 std::process::exit(1);
397 }
398 _ => {
399 error!("Error in authentication phase: invalid authstate");
400 std::process::exit(1);
401 }
402 };
403 }
405
406 let mut tokens = read_tokens(&client.get_token_cache_path()).unwrap_or_default();
408
409 let n_lookup = instance_name.clone().unwrap_or_default();
411 let token_instance = tokens.instances.entry(n_lookup).or_default();
412
413 let (spn, tonk) = match client.get_token().await {
415 Some(t) => {
416 let jwsc = match JwsCompact::from_str(&t) {
417 Ok(j) => j,
418 Err(err) => {
419 error!(?err, "Unable to parse token");
420 std::process::exit(1);
421 }
422 };
423
424 let Some(key_id) = jwsc.kid() else {
425 error!("JWS invalid, not key id associated");
426 std::process::exit(1);
427 };
428
429 let pub_jwk = if let Some(pub_jwk) = token_instance.keys.get(key_id).cloned() {
431 pub_jwk
432 } else {
433 let pub_jwk = match client.get_public_jwk(key_id).await {
435 Ok(pj) => pj,
436 Err(err) => {
437 error!(?err, "Unable to retrieve jwk from server");
438 std::process::exit(1);
439 }
440 };
441 token_instance
442 .keys
443 .insert(key_id.to_string(), pub_jwk.clone());
444 pub_jwk
445 };
446
447 let jws_verifier = match JwsEs256Verifier::try_from(&pub_jwk) {
448 Ok(verifier) => verifier,
449 Err(err) => {
450 error!(?err, "Unable to configure jws verifier");
451 std::process::exit(1);
452 }
453 };
454
455 let tonk = match jws_verifier.verify(&jwsc).and_then(|jws| {
456 jws.from_json::<UserAuthToken>().map_err(|serde_err| {
457 error!(?serde_err);
458 JwtError::InvalidJwt
459 })
460 }) {
461 Ok(uat) => uat,
462 Err(err) => {
463 error!(?err, "Unable to verify token signature");
464 std::process::exit(1);
465 }
466 };
467
468 let spn = tonk.spn;
469 (spn, jwsc)
471 }
472 None => {
473 error!("Error retrieving client session");
474 std::process::exit(1);
475 }
476 };
477
478 token_instance.tokens.insert(spn.clone(), tonk);
479
480 if write_tokens(&tokens, &client.get_token_cache_path()).is_err() {
482 trace!(?tokens);
483 error!("Error persisting authentication token store");
484 std::process::exit(1);
485 };
486
487 println!("Login Success for {spn}");
489}
490
491impl LoginOpt {
492 pub async fn exec(&self, opt: KanidmClientParser) {
493 let client = opt.to_unauth_client();
494 let username = match opt.username.as_deref() {
495 Some(val) => val,
496 None => {
497 error!("Please specify a username with -D <USERNAME> to login.");
498 std::process::exit(1);
499 }
500 };
501
502 let mut mechs: Vec<_> = client
504 .auth_step_init(username)
505 .await
506 .unwrap_or_else(|e| {
507 error!("Error during authentication init phase: {:?}", e);
508 std::process::exit(1);
509 })
510 .into_iter()
511 .collect();
512
513 mechs.sort_unstable_by(|a, b| Reverse(a).cmp(&Reverse(b)));
514
515 let mech = match mechs.len() {
516 0 => {
517 error!("Error during authentication init phase: Server offered no authentication mechanisms");
518 std::process::exit(1);
519 }
520 1 =>
521 {
522 #[allow(clippy::expect_used)]
523 mechs
524 .first()
525 .expect("can not fail - bounds already checked.")
526 }
527 _ => {
528 let mut options = Vec::new();
529 for val in mechs.iter() {
530 options.push(val.to_string());
531 }
532 let msg = "Please choose how you want to authenticate:";
533 let selection = get_index_choice_dialoguer(msg, &options);
534
535 #[allow(clippy::expect_used)]
536 mechs
537 .get(selection)
538 .expect("can not fail - bounds already checked.")
539 }
540 };
541
542 let allowed = client
543 .auth_step_begin((*mech).clone())
544 .await
545 .unwrap_or_else(|e| {
546 error!("Error during authentication begin phase: {:?}", e);
547 std::process::exit(1);
548 });
549
550 process_auth_state(allowed, client, &opt.password, &opt.instance).await;
552 }
553}
554
555impl LogoutOpt {
556 pub async fn exec(&self, opt: KanidmClientParser) {
557 let mut tokens = read_tokens(&opt.get_token_cache_path()).unwrap_or_else(|_| {
558 error!("Error retrieving authentication token store");
559 std::process::exit(1);
560 });
561
562 let n_lookup = opt.instance.clone().unwrap_or_default();
563 let Some(token_instance) = tokens.instances.get_mut(&n_lookup) else {
564 println!("No sessions for instance {n_lookup}");
565 return;
566 };
567
568 let spn: String = if self.local_only {
569 let mut _tmp_username = String::new();
571 match &opt.username {
572 Some(value) => value.clone(),
573 None => {
574 if std::io::stdin().is_terminal() {
576 match prompt_for_username_get_username(
577 &opt.get_token_cache_path(),
578 &opt.instance,
579 ) {
580 Ok(value) => value,
581 Err(msg) => {
582 error!("{}", msg);
583 std::process::exit(1);
584 }
585 }
586 } else {
587 eprintln!("Not running in interactive mode and no username specified, can't continue!");
588 return;
589 }
590 }
591 }
592 } else {
593 let client = match opt.try_to_client(OpType::Read).await {
594 Ok(c) => c,
595 Err(ToClientError::NeedLogin(_)) => {
596 std::process::exit(0);
598 }
599 Err(ToClientError::NeedReauth(_, _)) | Err(ToClientError::Other) => {
600 std::process::exit(1);
602 }
603 };
604
605 let token = match client.get_token().await {
606 Some(t) => t,
607 None => {
608 error!("Client token store is empty/corrupt");
609 std::process::exit(1);
610 }
611 };
612
613 let jwsc = match JwsCompact::from_str(&token) {
616 Ok(j) => j,
617 Err(err) => {
618 error!(?err, "Unable to parse token");
619 info!("The token can be removed locally with `--local-only`");
620 std::process::exit(1);
621 }
622 };
623
624 let Some(key_id) = jwsc.kid() else {
625 error!("Invalid token, missing KeyID");
626 info!("The token can be removed locally with `--local-only`");
627 std::process::exit(1);
628 };
629
630 let Some(pub_jwk) = token_instance.keys().get(key_id) else {
631 error!("Invalid instance, no signing keys are available");
632 info!("The token can be removed locally with `--local-only`");
633 std::process::exit(1);
634 };
635
636 let jws_verifier = match JwsEs256Verifier::try_from(pub_jwk) {
637 Ok(verifier) => verifier,
638 Err(err) => {
639 error!(?err, "Unable to configure jws verifier");
640 info!("The token can be removed locally with `--local-only`");
641 std::process::exit(1);
642 }
643 };
644
645 let uat = match jws_verifier.verify(&jwsc).and_then(|jws| {
646 jws.from_json::<UserAuthToken>().map_err(|serde_err| {
647 error!(?serde_err);
648 info!("The token can be removed locally with `--local-only`");
649 JwtError::InvalidJwt
650 })
651 }) {
652 Ok(uat) => uat,
653 Err(e) => {
654 error!(?e, "Unable to verify token signature, may be corrupt");
655 info!("The token can be removed locally with `--local-only`");
656 std::process::exit(1);
657 }
658 };
659
660 if let Err(e) = client.logout().await {
662 error!("Failed to logout - {:?}", e);
663 std::process::exit(1);
664 }
665
666 uat.spn
669 };
670
671 if token_instance.tokens.remove(&spn).is_some() {
673 if let Err(_e) = write_tokens(&tokens, &opt.get_token_cache_path()) {
675 error!("Error persisting authentication token store");
676 std::process::exit(1);
677 };
678 opt.output_mode
679 .print_message(format!("Removed session for {spn}"));
680 } else {
681 opt.output_mode
682 .print_message(format!("No sessions for {spn}"));
683 }
684 }
685}
686
687impl SessionOpt {
688 pub async fn exec(&self, opt: KanidmClientParser) {
689 match self {
690 SessionOpt::List => {
691 let token_store = read_tokens(&opt.get_token_cache_path()).unwrap_or_else(|_| {
692 error!("Error retrieving authentication token store");
693 std::process::exit(1);
694 });
695
696 let Some(token_instance) = token_store.instances(&opt.instance) else {
697 return;
698 };
699
700 for (_, uat) in token_instance.valid_uats() {
701 println!("---");
702 println!("{uat}");
703 }
704 }
705 SessionOpt::Cleanup => {
706 let mut token_store =
707 read_tokens(&opt.get_token_cache_path()).unwrap_or_else(|_| {
708 error!("Error retrieving authentication token store");
709 std::process::exit(1);
710 });
711
712 let instance_name = &opt.instance;
713
714 let Some(token_instance) = token_store.instances_mut(instance_name) else {
715 error!("No tokens for instance");
716 std::process::exit(1);
717 };
718
719 let now = time::OffsetDateTime::now_utc();
720 let change = token_instance.cleanup(now);
721
722 if let Err(_e) = write_tokens(&token_store, &opt.get_token_cache_path()) {
723 error!("Error persisting authentication token store");
724 std::process::exit(1);
725 };
726
727 println!("Removed {change} sessions");
728 }
729 }
730 }
731}