kanidm_cli/
session.rs

1use crate::common::ToClientError;
2use std::cmp::Reverse;
3use std::collections::BTreeMap;
4use std::fs::{create_dir, File};
5use std::io::{self, BufReader, BufWriter, ErrorKind, IsTerminal, Write};
6use std::path::PathBuf;
7use std::str::FromStr;
8
9use compact_jwt::{
10    traits::JwsVerifiable, Jwk, JwsCompact, JwsEs256Verifier, JwsVerifier, JwtError,
11};
12use dialoguer::theme::ColorfulTheme;
13use dialoguer::Select;
14use kanidm_client::{ClientError, KanidmClient};
15use kanidm_proto::cli::OpType;
16use kanidm_proto::internal::UserAuthToken;
17use kanidm_proto::v1::{AuthAllowed, AuthResponse, AuthState};
18#[cfg(target_family = "unix")]
19use libc::umask;
20use webauthn_authenticator_rs::prelude::RequestChallengeResponse;
21
22use crate::common::prompt_for_username_get_username;
23use crate::webauthn::get_authenticator;
24use crate::{KanidmClientParser, LoginOpt, LogoutOpt, SessionOpt};
25
26use serde::{Deserialize, Serialize};
27
28static TOKEN_DIR: &str = "~/.cache";
29
30#[derive(Debug, Serialize, Clone, Deserialize, Default)]
31pub struct TokenInstance {
32    keys: BTreeMap<String, Jwk>,
33    tokens: BTreeMap<String, JwsCompact>,
34}
35
36impl TokenInstance {
37    pub fn tokens(&self) -> &BTreeMap<String, JwsCompact> {
38        &self.tokens
39    }
40
41    pub fn keys(&self) -> &BTreeMap<String, Jwk> {
42        &self.keys
43    }
44
45    pub fn valid_uats(&self) -> BTreeMap<String, UserAuthToken> {
46        self.tokens
47            .iter()
48            .filter_map(|(u, jwsc)| {
49                // Ignore if it has no key id.
50                let key_id = jwsc.kid()?;
51
52                // Ignore if we can't verify
53                let pub_jwk = self.keys.get(key_id)?;
54
55                let jws_verifier = JwsEs256Verifier::try_from(pub_jwk)
56                    .map_err(|e| {
57                        error!(?e, "Unable to configure jws verifier");
58                    })
59                    .ok()?;
60
61                jws_verifier
62                    .verify(jwsc)
63                    .and_then(|jws| {
64                        jws.from_json::<UserAuthToken>().map_err(|serde_err| {
65                            error!(?serde_err);
66                            JwtError::InvalidJwt
67                        })
68                    })
69                    .map_err(|e| {
70                        error!(?e, "Unable to verify token signature, may be corrupt");
71                    })
72                    .map(|uat| (u.clone(), uat))
73                    .ok()
74            })
75            .collect()
76    }
77
78    pub fn cleanup(&mut self, now: time::OffsetDateTime) -> usize {
79        // It's not optimal to do this in this way, but we can't double borrow.
80        let retain = self.valid_uats();
81
82        let start_len = self.tokens.len();
83
84        self.tokens.retain(|spn, _tonk| {
85            if let Some(uat) = retain.get(spn) {
86                if let Some(exp) = uat.expiry {
87                    // Retain if expiry is in future aka greater than now
88                    exp > now
89                } else {
90                    true
91                }
92            } else {
93                false
94            }
95        });
96
97        start_len - self.tokens.len()
98    }
99}
100
101#[derive(Debug, Serialize, Clone, Deserialize, Default)]
102pub struct TokenStore {
103    instances: BTreeMap<String, TokenInstance>,
104}
105
106impl TokenStore {
107    pub fn instances(&self, name: &Option<String>) -> Option<&TokenInstance> {
108        let n_lookup = name.clone().unwrap_or_default();
109
110        self.instances.get(&n_lookup)
111    }
112
113    pub fn instances_mut(&mut self, name: &Option<String>) -> Option<&mut TokenInstance> {
114        let n_lookup = name.clone().unwrap_or_default();
115
116        self.instances.get_mut(&n_lookup)
117    }
118}
119
120#[allow(clippy::result_unit_err)]
121pub fn read_tokens(token_path: &str) -> Result<TokenStore, ()> {
122    let token_path = PathBuf::from(shellexpand::tilde(token_path).into_owned());
123    if !token_path.exists() {
124        debug!(
125            "Token cache file path {:?} does not exist, returning an empty token store.",
126            token_path
127        );
128        return Ok(Default::default());
129    }
130
131    debug!("Attempting to read tokens from {:?}", &token_path);
132    // If the file does not exist, return Ok<map>
133    let file = match File::open(&token_path) {
134        Ok(f) => f,
135        Err(e) => {
136            match e.kind() {
137                ErrorKind::PermissionDenied => {
138                    // we bail here because you won't be able to write them back...
139                    error!(
140                        "Permission denied reading token store file {:?}",
141                        &token_path
142                    );
143                    return Err(());
144                }
145                // other errors are OK to continue past
146                _ => {
147                    warn!(
148                        "Cannot read tokens from {} due to error: {:?} ... continuing.",
149                        token_path.display(),
150                        e
151                    );
152                    return Ok(Default::default());
153                }
154            };
155        }
156    };
157    let reader = BufReader::new(file);
158
159    // Else try to read
160    serde_json::from_reader(reader).map_err(|e| {
161        warn!(
162            "JSON/IO error reading tokens from {:?} -> {:?}",
163            &token_path, e
164        );
165    })
166}
167
168#[allow(clippy::result_unit_err)]
169pub fn write_tokens(tokens: &TokenStore, token_path: &str) -> Result<(), ()> {
170    let token_dir = PathBuf::from(shellexpand::tilde(TOKEN_DIR).into_owned());
171    let token_path = PathBuf::from(shellexpand::tilde(token_path).into_owned());
172
173    token_dir
174        .parent()
175        .ok_or_else(|| {
176            error!(
177                "Parent directory to {} is invalid (root directory?).",
178                TOKEN_DIR
179            );
180        })
181        .and_then(|parent_dir| {
182            if parent_dir.exists() {
183                Ok(())
184            } else {
185                error!("Parent directory to {} does not exist.", TOKEN_DIR);
186                Err(())
187            }
188        })?;
189
190    if !token_dir.exists() {
191        create_dir(token_dir).map_err(|e| {
192            error!("Unable to create directory - {} {:?}", TOKEN_DIR, e);
193        })?;
194    }
195
196    // Take away group/everyone read/write
197    #[cfg(target_family = "unix")]
198    let before = unsafe { umask(0o177) };
199
200    let file = File::create(&token_path).map_err(|e| {
201        #[cfg(target_family = "unix")]
202        let _ = unsafe { umask(before) };
203        error!("Can not write to {} -> {:?}", token_path.display(), e);
204    })?;
205
206    #[cfg(target_family = "unix")]
207    let _ = unsafe { umask(before) };
208
209    let writer = BufWriter::new(file);
210    serde_json::to_writer_pretty(writer, tokens).map_err(|e| {
211        error!(
212            "JSON/IO error writing tokens to file {:?} -> {:?}",
213            &token_path, e
214        );
215    })
216}
217
218/// An interactive dialog to choose from given options
219fn get_index_choice_dialoguer(msg: &str, options: &[String]) -> usize {
220    let user_select = Select::with_theme(&ColorfulTheme::default())
221        .with_prompt(msg)
222        .default(0)
223        .items(options)
224        .interact();
225
226    let selection = match user_select {
227        Err(error) => {
228            error!("Failed to handle user input: {:?}", error);
229            std::process::exit(1);
230        }
231        Ok(value) => value,
232    };
233    debug!("Index of the chosen menu item: {:?}", selection);
234
235    selection
236}
237
238async fn do_password(
239    client: &mut KanidmClient,
240    password: &Option<String>,
241) -> Result<AuthResponse, ClientError> {
242    let password = match password {
243        Some(password) => {
244            trace!("User provided password directly, don't need to prompt.");
245            password.to_owned()
246        }
247        None => dialoguer::Password::new()
248            .with_prompt("Enter password")
249            .interact()
250            .unwrap_or_else(|e| {
251                error!("Failed to create password prompt -- {:?}", e);
252                std::process::exit(1);
253            }),
254    };
255    client.auth_step_password(password.as_str()).await
256}
257
258async fn do_backup_code(client: &mut KanidmClient) -> Result<AuthResponse, ClientError> {
259    print!("Enter Backup Code: ");
260    // We flush stdout so it'll write the buffer to screen, continuing operation. Without it, the application halts.
261    #[allow(clippy::unwrap_used)]
262    io::stdout().flush().unwrap();
263    let mut backup_code = String::new();
264    loop {
265        if let Err(e) = io::stdin().read_line(&mut backup_code) {
266            error!("Failed to read from stdin -> {:?}", e);
267            return Err(ClientError::SystemError);
268        };
269        if !backup_code.trim().is_empty() {
270            break;
271        };
272    }
273    client.auth_step_backup_code(backup_code.trim()).await
274}
275
276async fn do_totp(client: &mut KanidmClient) -> Result<AuthResponse, ClientError> {
277    let totp = loop {
278        print!("Enter TOTP: ");
279        // We flush stdout so it'll write the buffer to screen, continuing operation. Without it, the application halts.
280        if let Err(e) = io::stdout().flush() {
281            error!("Somehow we failed to flush stdout: {:?}", e);
282        };
283        let mut buffer = String::new();
284        if let Err(e) = io::stdin().read_line(&mut buffer) {
285            error!("Failed to read from stdin -> {:?}", e);
286            return Err(ClientError::SystemError);
287        };
288
289        let response = buffer.trim();
290        match response.parse::<u32>() {
291            Ok(i) => break i,
292            Err(_) => eprintln!("Invalid Number"),
293        };
294    };
295    client.auth_step_totp(totp).await
296}
297
298async fn do_passkey(
299    client: &mut KanidmClient,
300    pkr: RequestChallengeResponse,
301) -> Result<AuthResponse, ClientError> {
302    let mut wa = get_authenticator();
303    println!("If your authenticator is not attached, attach it now.");
304    println!("Your authenticator will then flash/prompt for confirmation.");
305    #[cfg(target_os = "macos")]
306    println!("Note: TouchID is not currently supported on the CLI 🫤");
307    let auth = wa
308        .do_authentication(client.get_origin().clone(), pkr)
309        .map(Box::new)
310        .unwrap_or_else(|e| {
311            error!("Failed to interact with webauthn device. -- {:?}", e);
312            std::process::exit(1);
313        });
314
315    client.auth_step_passkey_complete(auth).await
316}
317
318async fn do_securitykey(
319    client: &mut KanidmClient,
320    pkr: RequestChallengeResponse,
321) -> Result<AuthResponse, ClientError> {
322    let mut wa = get_authenticator();
323    println!("Your authenticator will now flash for you to interact with it.");
324    let auth = wa
325        .do_authentication(client.get_origin().clone(), pkr)
326        .map(Box::new)
327        .unwrap_or_else(|e| {
328            error!("Failed to interact with webauthn device. -- {:?}", e);
329            std::process::exit(1);
330        });
331
332    client.auth_step_securitykey_complete(auth).await
333}
334
335pub(crate) async fn process_auth_state(
336    mut allowed: Vec<AuthAllowed>,
337    mut client: KanidmClient,
338    maybe_password: &Option<String>,
339    instance_name: &Option<String>,
340) {
341    loop {
342        debug!("Allowed mechanisms -> {:?}", allowed);
343        // What auth can proceed?
344        let choice = match allowed.len() {
345            0 => {
346                error!("Error during authentication phase: Server offered no method to proceed");
347                std::process::exit(1);
348            }
349            1 =>
350            {
351                #[allow(clippy::expect_used)]
352                allowed
353                    .first()
354                    .expect("can not fail - bounds already checked.")
355            }
356            _ => {
357                let mut options = Vec::new();
358                // because we want them in "most secure to least secure" order.
359                allowed.sort_unstable_by(|a, b| Reverse(a).cmp(&Reverse(b)));
360                for val in allowed.iter() {
361                    options.push(val.to_string());
362                }
363                let msg = "Please choose which credential to provide:";
364                let selection = get_index_choice_dialoguer(msg, &options);
365
366                #[allow(clippy::expect_used)]
367                allowed
368                    .get(selection)
369                    .expect("Failed to select an authentication option!")
370            }
371        };
372
373        let res = match choice {
374            AuthAllowed::Anonymous => client.auth_step_anonymous().await,
375            AuthAllowed::Password => do_password(&mut client, maybe_password).await,
376            AuthAllowed::BackupCode => do_backup_code(&mut client).await,
377            AuthAllowed::Totp => do_totp(&mut client).await,
378            AuthAllowed::Passkey(chal) => do_passkey(&mut client, chal.clone()).await,
379            AuthAllowed::SecurityKey(chal) => do_securitykey(&mut client, chal.clone()).await,
380        };
381
382        // Now update state.
383        let state = res
384            .unwrap_or_else(|e| {
385                error!("Error in authentication phase: {:?}", e);
386                std::process::exit(1);
387            })
388            .state;
389
390        // What auth state are we in?
391        allowed = match &state {
392            AuthState::Continue(allowed) => allowed.to_vec(),
393            AuthState::Success(_token) => break,
394            AuthState::Denied(reason) => {
395                error!("Authentication Denied: {:?}", reason);
396                std::process::exit(1);
397            }
398            _ => {
399                error!("Error in authentication phase: invalid authstate");
400                std::process::exit(1);
401            }
402        };
403        // Loop again.
404    }
405
406    // Read the current tokens. If we can't read them, IGNORE!!!
407    let mut tokens = read_tokens(&client.get_token_cache_path()).unwrap_or_default();
408
409    // Select our token instance. Create it if empty.
410    let n_lookup = instance_name.clone().unwrap_or_default();
411    let token_instance = tokens.instances.entry(n_lookup).or_default();
412
413    // Add our new one
414    let (spn, tonk) = match client.get_token().await {
415        Some(t) => {
416            let jwsc = match JwsCompact::from_str(&t) {
417                Ok(j) => j,
418                Err(err) => {
419                    error!(?err, "Unable to parse token");
420                    std::process::exit(1);
421                }
422            };
423
424            let Some(key_id) = jwsc.kid() else {
425                error!("JWS invalid, not key id associated");
426                std::process::exit(1);
427            };
428
429            // Okay, lets check the jwk now.
430            let pub_jwk = if let Some(pub_jwk) = token_instance.keys.get(key_id).cloned() {
431                pub_jwk
432            } else {
433                // Get it from the server.
434                let pub_jwk = match client.get_public_jwk(key_id).await {
435                    Ok(pj) => pj,
436                    Err(err) => {
437                        error!(?err, "Unable to retrieve jwk from server");
438                        std::process::exit(1);
439                    }
440                };
441                token_instance
442                    .keys
443                    .insert(key_id.to_string(), pub_jwk.clone());
444                pub_jwk
445            };
446
447            let jws_verifier = match JwsEs256Verifier::try_from(&pub_jwk) {
448                Ok(verifier) => verifier,
449                Err(err) => {
450                    error!(?err, "Unable to configure jws verifier");
451                    std::process::exit(1);
452                }
453            };
454
455            let tonk = match jws_verifier.verify(&jwsc).and_then(|jws| {
456                jws.from_json::<UserAuthToken>().map_err(|serde_err| {
457                    error!(?serde_err);
458                    JwtError::InvalidJwt
459                })
460            }) {
461                Ok(uat) => uat,
462                Err(err) => {
463                    error!(?err, "Unable to verify token signature");
464                    std::process::exit(1);
465                }
466            };
467
468            let spn = tonk.spn;
469            // Return the original jws
470            (spn, jwsc)
471        }
472        None => {
473            error!("Error retrieving client session");
474            std::process::exit(1);
475        }
476    };
477
478    token_instance.tokens.insert(spn.clone(), tonk);
479
480    // write them out.
481    if write_tokens(&tokens, &client.get_token_cache_path()).is_err() {
482        trace!(?tokens);
483        error!("Error persisting authentication token store");
484        std::process::exit(1);
485    };
486
487    // Success!
488    println!("Login Success for {spn}");
489}
490
491impl LoginOpt {
492    pub async fn exec(&self, opt: KanidmClientParser) {
493        let client = opt.to_unauth_client();
494        let username = match opt.username.as_deref() {
495            Some(val) => val,
496            None => {
497                error!("Please specify a username with -D <USERNAME> to login.");
498                std::process::exit(1);
499            }
500        };
501
502        // What auth mechanisms exist?
503        let mut mechs: Vec<_> = client
504            .auth_step_init(username)
505            .await
506            .unwrap_or_else(|e| {
507                error!("Error during authentication init phase: {:?}", e);
508                std::process::exit(1);
509            })
510            .into_iter()
511            .collect();
512
513        mechs.sort_unstable_by(|a, b| Reverse(a).cmp(&Reverse(b)));
514
515        let mech = match mechs.len() {
516            0 => {
517                error!("Error during authentication init phase: Server offered no authentication mechanisms");
518                std::process::exit(1);
519            }
520            1 =>
521            {
522                #[allow(clippy::expect_used)]
523                mechs
524                    .first()
525                    .expect("can not fail - bounds already checked.")
526            }
527            _ => {
528                let mut options = Vec::new();
529                for val in mechs.iter() {
530                    options.push(val.to_string());
531                }
532                let msg = "Please choose how you want to authenticate:";
533                let selection = get_index_choice_dialoguer(msg, &options);
534
535                #[allow(clippy::expect_used)]
536                mechs
537                    .get(selection)
538                    .expect("can not fail - bounds already checked.")
539            }
540        };
541
542        let allowed = client
543            .auth_step_begin((*mech).clone())
544            .await
545            .unwrap_or_else(|e| {
546                error!("Error during authentication begin phase: {:?}", e);
547                std::process::exit(1);
548            });
549
550        // We now have the first auth state, so we can proceed until complete.
551        process_auth_state(allowed, client, &opt.password, &opt.instance).await;
552    }
553}
554
555impl LogoutOpt {
556    pub async fn exec(&self, opt: KanidmClientParser) {
557        let mut tokens = read_tokens(&opt.get_token_cache_path()).unwrap_or_else(|_| {
558            error!("Error retrieving authentication token store");
559            std::process::exit(1);
560        });
561
562        let n_lookup = opt.instance.clone().unwrap_or_default();
563        let Some(token_instance) = tokens.instances.get_mut(&n_lookup) else {
564            println!("No sessions for instance {n_lookup}");
565            return;
566        };
567
568        let spn: String = if self.local_only {
569            // For now we just remove this from the token store.
570            let mut _tmp_username = String::new();
571            match &opt.username {
572                Some(value) => value.clone(),
573                None => {
574                    // check if we're in a tty
575                    if std::io::stdin().is_terminal() {
576                        match prompt_for_username_get_username(
577                            &opt.get_token_cache_path(),
578                            &opt.instance,
579                        ) {
580                            Ok(value) => value,
581                            Err(msg) => {
582                                error!("{}", msg);
583                                std::process::exit(1);
584                            }
585                        }
586                    } else {
587                        eprintln!("Not running in interactive mode and no username specified, can't continue!");
588                        return;
589                    }
590                }
591            }
592        } else {
593            let client = match opt.try_to_client(OpType::Read).await {
594                Ok(c) => c,
595                Err(ToClientError::NeedLogin(_)) => {
596                    // There are no session tokens, so return a success.
597                    std::process::exit(0);
598                }
599                Err(ToClientError::NeedReauth(_, _)) | Err(ToClientError::Other) => {
600                    // This can only occur in bad cases, so fail.
601                    std::process::exit(1);
602                }
603            };
604
605            let token = match client.get_token().await {
606                Some(t) => t,
607                None => {
608                    error!("Client token store is empty/corrupt");
609                    std::process::exit(1);
610                }
611            };
612
613            // Parse it for the SPN. Annoying but it's what we have to do
614            // because we don't know what token was used in the lower to client calls.
615            let jwsc = match JwsCompact::from_str(&token) {
616                Ok(j) => j,
617                Err(err) => {
618                    error!(?err, "Unable to parse token");
619                    info!("The token can be removed locally with `--local-only`");
620                    std::process::exit(1);
621                }
622            };
623
624            let Some(key_id) = jwsc.kid() else {
625                error!("Invalid token, missing KeyID");
626                info!("The token can be removed locally with `--local-only`");
627                std::process::exit(1);
628            };
629
630            let Some(pub_jwk) = token_instance.keys().get(key_id) else {
631                error!("Invalid instance, no signing keys are available");
632                info!("The token can be removed locally with `--local-only`");
633                std::process::exit(1);
634            };
635
636            let jws_verifier = match JwsEs256Verifier::try_from(pub_jwk) {
637                Ok(verifier) => verifier,
638                Err(err) => {
639                    error!(?err, "Unable to configure jws verifier");
640                    info!("The token can be removed locally with `--local-only`");
641                    std::process::exit(1);
642                }
643            };
644
645            let uat = match jws_verifier.verify(&jwsc).and_then(|jws| {
646                jws.from_json::<UserAuthToken>().map_err(|serde_err| {
647                    error!(?serde_err);
648                    info!("The token can be removed locally with `--local-only`");
649                    JwtError::InvalidJwt
650                })
651            }) {
652                Ok(uat) => uat,
653                Err(e) => {
654                    error!(?e, "Unable to verify token signature, may be corrupt");
655                    info!("The token can be removed locally with `--local-only`");
656                    std::process::exit(1);
657                }
658            };
659
660            // Now we know we have a valid(ish) token, call the server to do the logout.
661            if let Err(e) = client.logout().await {
662                error!("Failed to logout - {:?}", e);
663                std::process::exit(1);
664            }
665
666            // Server acked the logout, lets proceed with the local cleanup now, return
667            // the spn so the outer parts know what to remove.
668            uat.spn
669        };
670
671        // Remove our old one
672        if token_instance.tokens.remove(&spn).is_some() {
673            // write them out.
674            if let Err(_e) = write_tokens(&tokens, &opt.get_token_cache_path()) {
675                error!("Error persisting authentication token store");
676                std::process::exit(1);
677            };
678            opt.output_mode
679                .print_message(format!("Removed session for {spn}"));
680        } else {
681            opt.output_mode
682                .print_message(format!("No sessions for {spn}"));
683        }
684    }
685}
686
687impl SessionOpt {
688    pub async fn exec(&self, opt: KanidmClientParser) {
689        match self {
690            SessionOpt::List => {
691                let token_store = read_tokens(&opt.get_token_cache_path()).unwrap_or_else(|_| {
692                    error!("Error retrieving authentication token store");
693                    std::process::exit(1);
694                });
695
696                let Some(token_instance) = token_store.instances(&opt.instance) else {
697                    return;
698                };
699
700                for (_, uat) in token_instance.valid_uats() {
701                    println!("---");
702                    println!("{uat}");
703                }
704            }
705            SessionOpt::Cleanup => {
706                let mut token_store =
707                    read_tokens(&opt.get_token_cache_path()).unwrap_or_else(|_| {
708                        error!("Error retrieving authentication token store");
709                        std::process::exit(1);
710                    });
711
712                let instance_name = &opt.instance;
713
714                let Some(token_instance) = token_store.instances_mut(instance_name) else {
715                    error!("No tokens for instance");
716                    std::process::exit(1);
717                };
718
719                let now = time::OffsetDateTime::now_utc();
720                let change = token_instance.cleanup(now);
721
722                if let Err(_e) = write_tokens(&token_store, &opt.get_token_cache_path()) {
723                    error!("Error persisting authentication token store");
724                    std::process::exit(1);
725                };
726
727                println!("Removed {change} sessions");
728            }
729        }
730    }
731}