kanidmd_lib/idm/
authentication.rs

1use crate::prelude::{OperationError, Url};
2use crate::server::identity::Source;
3use compact_jwt::JwsCompact;
4use crypto_glue::{s256::Sha256Output, x509::Certificate};
5use kanidm_proto::{
6    internal::UserAuthToken,
7    oauth2::{AccessTokenRequest, AccessTokenResponse, AuthorisationRequest},
8    v1::{
9        AuthAllowed, AuthCredential as ProtoAuthCredential, AuthIssueSession, AuthMech,
10        AuthStep as ProtoAuthStep,
11    },
12};
13use std::fmt;
14use webauthn_rs::prelude::PublicKeyCredential;
15
16#[derive(Debug)]
17pub enum AuthStep {
18    Init(String),
19    Init2 {
20        username: String,
21        issue: AuthIssueSession,
22        privileged: bool,
23    },
24    Begin(AuthMech),
25    Cred(AuthCredential),
26}
27
28impl From<ProtoAuthStep> for AuthStep {
29    fn from(proto: ProtoAuthStep) -> Self {
30        match proto {
31            ProtoAuthStep::Init(name) => Self::Init(name),
32            ProtoAuthStep::Init2 {
33                username,
34                issue,
35                privileged,
36            } => Self::Init2 {
37                username,
38                issue,
39                privileged,
40            },
41            ProtoAuthStep::Begin(mech) => Self::Begin(mech),
42            ProtoAuthStep::Cred(proto_cred) => Self::Cred(AuthCredential::from(proto_cred)),
43        }
44    }
45}
46
47pub enum AuthExternal {
48    OAuth2AuthorisationRequest {
49        authorisation_url: Url,
50        request: AuthorisationRequest,
51    },
52    OAuth2AccessTokenRequest {
53        token_url: Url,
54        client_id: String,
55        client_secret: String,
56        request: AccessTokenRequest,
57    },
58}
59
60impl fmt::Debug for AuthExternal {
61    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
62        match self {
63            Self::OAuth2AuthorisationRequest { .. } => write!(f, "OAuth2AuthorisationRequest"),
64            Self::OAuth2AccessTokenRequest { .. } => write!(f, "OAuth2AccessTokenRequest"),
65        }
66    }
67}
68
69// We have to allow large enum variant here because else we can't match on External
70// due to boxing.
71#[allow(clippy::large_enum_variant)]
72pub enum AuthState {
73    Choose(Vec<AuthMech>),
74    Continue(Vec<AuthAllowed>),
75
76    /// Execute an authentication flow via an external provider.
77    /// For example, we may need to issue a redirect to an external OAuth2.
78    /// provider, or we may need to do a background query of some kind to proceed.
79    External(AuthExternal),
80    /// Denied authentication, with a reason.
81    Denied(String),
82    Success(Box<JwsCompact>, AuthIssueSession),
83}
84
85impl fmt::Debug for AuthState {
86    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
87        match self {
88            AuthState::Choose(mechs) => write!(f, "AuthState::Choose({mechs:?})"),
89            AuthState::Continue(allow) => write!(f, "AuthState::Continue({allow:?})"),
90            AuthState::External(allow) => write!(f, "AuthState::External({allow:?})"),
91            AuthState::Denied(reason) => write!(f, "AuthState::Denied({reason:?})"),
92            AuthState::Success(_token, issue) => {
93                write!(f, "AuthState::Success({})", issue)
94            }
95        }
96    }
97}
98
99pub enum AuthCredential {
100    Anonymous,
101    Password(String),
102    Totp(u32),
103    SecurityKey(Box<PublicKeyCredential>),
104    BackupCode(String),
105    Passkey(Box<PublicKeyCredential>),
106
107    // Internal Credential Types
108    OAuth2AuthorisationResponse { code: String, state: Option<String> },
109    OAuth2AccessTokenResponse { response: AccessTokenResponse },
110}
111
112impl From<ProtoAuthCredential> for AuthCredential {
113    fn from(proto: ProtoAuthCredential) -> Self {
114        match proto {
115            ProtoAuthCredential::Anonymous => AuthCredential::Anonymous,
116            ProtoAuthCredential::Password(p) => AuthCredential::Password(p),
117            ProtoAuthCredential::Totp(t) => AuthCredential::Totp(t),
118            ProtoAuthCredential::SecurityKey(sk) => AuthCredential::SecurityKey(sk),
119            ProtoAuthCredential::BackupCode(bc) => AuthCredential::BackupCode(bc),
120            ProtoAuthCredential::Passkey(pkc) => AuthCredential::Passkey(pkc),
121        }
122    }
123}
124
125impl fmt::Debug for AuthCredential {
126    fn fmt(&self, fmt: &mut fmt::Formatter) -> fmt::Result {
127        match self {
128            AuthCredential::Anonymous => write!(fmt, "Anonymous"),
129            AuthCredential::Password(_) => write!(fmt, "Password(_)"),
130            AuthCredential::Totp(_) => write!(fmt, "TOTP(_)"),
131            AuthCredential::SecurityKey(_) => write!(fmt, "SecurityKey(_)"),
132            AuthCredential::BackupCode(_) => write!(fmt, "BackupCode(_)"),
133            AuthCredential::Passkey(_) => write!(fmt, "Passkey(_)"),
134            AuthCredential::OAuth2AuthorisationResponse { .. } => {
135                write!(fmt, "OAuth2AuthorisationResponse{{..}}")
136            }
137            AuthCredential::OAuth2AccessTokenResponse { .. } => {
138                write!(fmt, "OAuth2AccessTokenResponse{{..}}")
139            }
140        }
141    }
142}
143
144#[derive(Debug, Clone, Default)]
145pub(crate) enum PreValidatedTokenStatus {
146    #[default]
147    None,
148    Valid(Box<UserAuthToken>),
149    NotAuthenticated,
150    SessionExpired,
151}
152
153#[derive(Debug, Clone)]
154pub struct ClientAuthInfo {
155    pub(crate) source: Source,
156    pub(crate) client_cert: Option<ClientCertInfo>,
157    pub(crate) bearer_token: Option<JwsCompact>,
158    pub(crate) basic_authz: Option<String>,
159    pub(crate) pre_validated_token: PreValidatedTokenStatus,
160}
161
162impl ClientAuthInfo {
163    pub fn new(
164        source: Source,
165        client_cert: Option<ClientCertInfo>,
166        bearer_token: Option<JwsCompact>,
167        basic_authz: Option<String>,
168    ) -> Self {
169        Self {
170            source,
171            client_cert,
172            bearer_token,
173            basic_authz,
174            pre_validated_token: Default::default(),
175        }
176    }
177
178    pub fn bearer_token(&self) -> Option<&JwsCompact> {
179        self.bearer_token.as_ref()
180    }
181
182    pub fn pre_validated_uat(&self) -> Result<&UserAuthToken, OperationError> {
183        match &self.pre_validated_token {
184            PreValidatedTokenStatus::Valid(uat) => Ok(uat),
185            PreValidatedTokenStatus::None => Err(OperationError::AU0008ClientAuthInfoPrevalidation),
186            PreValidatedTokenStatus::NotAuthenticated => Err(OperationError::NotAuthenticated),
187            PreValidatedTokenStatus::SessionExpired => Err(OperationError::SessionExpired),
188        }
189    }
190
191    pub(crate) fn set_pre_validated_uat(&mut self, status: PreValidatedTokenStatus) {
192        self.pre_validated_token = status
193    }
194}
195
196#[derive(Debug, Clone)]
197pub struct ClientCertInfo {
198    pub public_key_s256: Sha256Output,
199    pub certificate: Certificate,
200}
201
202#[cfg(test)]
203impl ClientAuthInfo {
204    pub(crate) fn none() -> Self {
205        ClientAuthInfo {
206            source: Source::Internal,
207            client_cert: None,
208            bearer_token: None,
209            basic_authz: None,
210            pre_validated_token: Default::default(),
211        }
212    }
213}
214
215#[cfg(test)]
216impl From<Source> for ClientAuthInfo {
217    fn from(value: Source) -> ClientAuthInfo {
218        ClientAuthInfo {
219            source: value,
220            client_cert: None,
221            bearer_token: None,
222            basic_authz: None,
223            pre_validated_token: Default::default(),
224        }
225    }
226}
227
228#[cfg(test)]
229impl From<JwsCompact> for ClientAuthInfo {
230    fn from(value: JwsCompact) -> ClientAuthInfo {
231        ClientAuthInfo {
232            source: Source::Internal,
233            client_cert: None,
234            bearer_token: Some(value),
235            basic_authz: None,
236            pre_validated_token: Default::default(),
237        }
238    }
239}
240
241#[cfg(test)]
242impl From<ClientCertInfo> for ClientAuthInfo {
243    fn from(value: ClientCertInfo) -> ClientAuthInfo {
244        ClientAuthInfo {
245            source: Source::Internal,
246            client_cert: Some(value),
247            bearer_token: None,
248            basic_authz: None,
249            pre_validated_token: Default::default(),
250        }
251    }
252}
253
254#[cfg(test)]
255impl From<&str> for ClientAuthInfo {
256    fn from(value: &str) -> ClientAuthInfo {
257        ClientAuthInfo {
258            source: Source::Internal,
259            client_cert: None,
260            bearer_token: None,
261            basic_authz: Some(value.to_string()),
262            pre_validated_token: Default::default(),
263        }
264    }
265}
266
267#[cfg(test)]
268impl ClientAuthInfo {
269    pub(crate) fn encode_basic(id: &str, secret: &str) -> ClientAuthInfo {
270        use base64::{engine::general_purpose, Engine as _};
271        let value = format!("{id}:{secret}");
272        let value = general_purpose::STANDARD.encode(&value);
273        ClientAuthInfo {
274            source: Source::Internal,
275            client_cert: None,
276            bearer_token: None,
277            basic_authz: Some(value),
278            pre_validated_token: Default::default(),
279        }
280    }
281}
kanidmd_lib/idm/authentication.rs

kanidmd_lib/idm/
authentication.rs
