Skip to main content

kanidmd_lib/valueset/
ssh.rs

1use crate::be::dbvalue::DbValueTaggedStringV1;
2use crate::prelude::*;
3use crate::schema::SchemaAttribute;
4use crate::utils::trigraph_iter;
5use crate::valueset::{
6    DbValueSetV2, ScimResolveStatus, ValueSet, ValueSetResolveStatus, ValueSetScimPut,
7};
8use kanidm_proto::scim_v1::JsonValue;
9use kanidm_proto::scim_v1::ScimSshPublicKey;
10use sshkey_attest::proto::PublicKey as SshPublicKey;
11use std::collections::btree_map::Entry as BTreeEntry;
12use std::collections::BTreeMap;
13
14#[derive(Debug, Clone)]
15pub struct ValueSetSshKey {
16    map: BTreeMap<String, SshPublicKey>,
17}
18
19impl ValueSetSshKey {
20    pub fn new(t: String, k: SshPublicKey) -> Box<Self> {
21        let mut map = BTreeMap::new();
22        map.insert(t, k);
23        Box::new(ValueSetSshKey { map })
24    }
25
26    pub fn push(&mut self, t: String, k: SshPublicKey) -> bool {
27        self.map.insert(t, k).is_none()
28    }
29
30    pub fn from_dbvs2(data: Vec<DbValueTaggedStringV1>) -> Result<ValueSet, OperationError> {
31        let map = data
32            .into_iter()
33            .filter_map(|DbValueTaggedStringV1 { tag, data }| {
34                SshPublicKey::from_string(&data)
35                    .map_err(|err| {
36                        warn!(%tag, ?err, "discarding corrupted ssh public key");
37                    })
38                    .map(|pk| {
39                        if tag.is_empty() {
40                            // No tag was known - use the hash of the key to guarantee it's unique.
41                            // New keys can't be created with empty strs
42                            (pk.fingerprint().hash, pk)
43                        } else {
44                            (tag, pk)
45                        }
46                    })
47                    .ok()
48            })
49            .collect();
50        Ok(Box::new(ValueSetSshKey { map }))
51    }
52
53    // We need to allow this, because rust doesn't allow us to impl FromIterator on foreign
54    // types, and tuples are always foreign.
55    #[allow(clippy::should_implement_trait)]
56    pub fn from_iter<T>(iter: T) -> Option<Box<Self>>
57    where
58        T: IntoIterator<Item = (String, SshPublicKey)>,
59    {
60        let map = iter.into_iter().collect();
61        Some(Box::new(ValueSetSshKey { map }))
62    }
63}
64
65impl ValueSetScimPut for ValueSetSshKey {
66    fn from_scim_json_put(value: JsonValue) -> Result<ValueSetResolveStatus, OperationError> {
67        let value: Vec<ScimSshPublicKey> = serde_json::from_value(value).map_err(|err| {
68            error!(?err, "SCIM Ssh Public Key syntax invalid");
69            OperationError::SC0024SshPublicKeySyntaxInvalid
70        })?;
71
72        let map = value
73            .into_iter()
74            .map(|ScimSshPublicKey { label, value }| (label, value))
75            .collect();
76
77        Ok(ValueSetResolveStatus::Resolved(Box::new(ValueSetSshKey {
78            map,
79        })))
80    }
81}
82
83impl ValueSetT for ValueSetSshKey {
84    fn insert_checked(&mut self, value: Value) -> Result<bool, OperationError> {
85        match value {
86            Value::SshKey(t, k) => {
87                if let BTreeEntry::Vacant(e) = self.map.entry(t) {
88                    e.insert(k);
89                    Ok(true)
90                } else {
91                    Ok(false)
92                }
93            }
94            _ => Err(OperationError::InvalidValueState),
95        }
96    }
97
98    fn clear(&mut self) {
99        self.map.clear();
100    }
101
102    fn remove(&mut self, pv: &PartialValue, _cid: &Cid) -> bool {
103        match pv {
104            PartialValue::SshKey(t) => self.map.remove(t.as_str()).is_some(),
105            _ => false,
106        }
107    }
108
109    fn contains(&self, pv: &PartialValue) -> bool {
110        match pv {
111            PartialValue::SshKey(t) => self.map.contains_key(t.as_str()),
112            _ => false,
113        }
114    }
115
116    fn substring(&self, _pv: &PartialValue) -> bool {
117        false
118    }
119
120    fn startswith(&self, _pv: &PartialValue) -> bool {
121        false
122    }
123
124    fn endswith(&self, _pv: &PartialValue) -> bool {
125        false
126    }
127
128    fn lessthan(&self, _pv: &PartialValue) -> bool {
129        false
130    }
131
132    fn len(&self) -> usize {
133        self.map.len()
134    }
135
136    fn generate_idx_eq_keys(&self) -> Vec<String> {
137        self.map.keys().cloned().collect()
138    }
139
140    fn generate_idx_sub_keys(&self) -> Vec<String> {
141        let lower: Vec<_> = self.map.keys().map(|s| s.to_lowercase()).collect();
142        let mut trigraphs: Vec<_> = lower.iter().flat_map(|v| trigraph_iter(v)).collect();
143
144        trigraphs.sort_unstable();
145        trigraphs.dedup();
146
147        trigraphs.into_iter().map(String::from).collect()
148    }
149
150    fn syntax(&self) -> SyntaxType {
151        SyntaxType::SshKey
152    }
153
154    fn validate(&self, _schema_attr: &SchemaAttribute) -> bool {
155        self.map.iter().all(|(s, _key)| {
156            !s.is_empty() &&
157            Value::validate_str_escapes(s)
158                // && Value::validate_iname(s)
159                && Value::validate_singleline(s)
160        })
161    }
162
163    fn to_proto_string_clone_iter(&self) -> Box<dyn Iterator<Item = String> + '_> {
164        Box::new(self.map.iter().map(|(tag, pk)| format!("{tag}: {pk}")))
165    }
166
167    fn to_scim_value(&self) -> Option<ScimResolveStatus> {
168        Some(ScimResolveStatus::Resolved(ScimValueKanidm::from(
169            self.map
170                .iter()
171                .map(|(label, value)| ScimSshPublicKey {
172                    label: label.clone(),
173                    value: value.clone(),
174                })
175                .collect::<Vec<_>>(),
176        )))
177    }
178
179    fn to_db_valueset_v2(&self) -> DbValueSetV2 {
180        DbValueSetV2::SshKey(
181            self.map
182                .iter()
183                .map(|(tag, key)| DbValueTaggedStringV1 {
184                    tag: tag.clone(),
185                    data: key.to_string(),
186                })
187                .collect(),
188        )
189    }
190
191    fn to_partialvalue_iter(&self) -> Box<dyn Iterator<Item = PartialValue> + '_> {
192        Box::new(self.map.keys().cloned().map(PartialValue::SshKey))
193    }
194
195    fn to_value_iter(&self) -> Box<dyn Iterator<Item = Value> + '_> {
196        Box::new(
197            self.map
198                .iter()
199                .map(|(t, k)| Value::SshKey(t.clone(), k.clone())),
200        )
201    }
202
203    fn equal(&self, other: &ValueSet) -> bool {
204        if let Some(other) = other.as_sshkey_map() {
205            &self.map == other
206        } else {
207            debug_assert!(false);
208            false
209        }
210    }
211
212    fn merge(&mut self, other: &ValueSet) -> Result<(), OperationError> {
213        if let Some(b) = other.as_sshkey_map() {
214            mergemaps!(self.map, b)
215        } else {
216            debug_assert!(false);
217            Err(OperationError::InvalidValueState)
218        }
219    }
220
221    fn as_sshkey_map(&self) -> Option<&BTreeMap<String, SshPublicKey>> {
222        Some(&self.map)
223    }
224
225    fn get_ssh_tag(&self, tag: &str) -> Option<&SshPublicKey> {
226        self.map.get(tag)
227    }
228
229    fn as_sshpubkey_string_iter(&self) -> Option<Box<dyn Iterator<Item = String> + '_>> {
230        Some(Box::new(self.map.values().map(|pk| pk.to_string())))
231    }
232}
233
234#[cfg(test)]
235mod tests {
236    use super::{SshPublicKey, ValueSetSshKey};
237    use crate::prelude::ValueSet;
238
239    #[test]
240    fn test_scim_ssh_public_key() {
241        let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
242        "tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
243        "zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== william@a",
244        "methyst");
245
246        let vs: ValueSet = ValueSetSshKey::new(
247            "label".to_string(),
248            SshPublicKey::from_string(ecdsa).unwrap(),
249        );
250
251        let data = r#"
252[
253  {
254    "label": "label",
255    "value": "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3BtOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81lzPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== william@amethyst"
256  }
257]
258        "#;
259        crate::valueset::scim_json_reflexive(&vs, data);
260
261        // Test that we can parse json values into a valueset.
262        crate::valueset::scim_json_put_reflexive::<ValueSetSshKey>(&vs, &[])
263    }
264
265    #[test]
266    /// this is a test case for bad characters in SSH keys
267    fn test_invalid_character() {
268        let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEÀAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
269        //                                                                      ^ note the À here
270        "tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
271        "zPrVSdrYEDldxH9+a86dBZhdm0è15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== william@a",
272        "methyst");
273        println!("bytes of À {:?}", "À".as_bytes());
274        let found_index = ecdsa.find("À").expect("Failed to find è in string");
275        assert_eq!(found_index, 51, "Expected index 51");
276        let bad_ssh_error = SshPublicKey::from_string(ecdsa);
277
278        assert!(
279            bad_ssh_error.is_err(),
280            "Expected error, but got: {bad_ssh_error:?}"
281        );
282        if let Err(err) = bad_ssh_error {
283            assert_eq!(
284                err.to_string(),
285                format!("Invalid symbol 195, offset {}.", found_index - 20)
286            ); // the offset is 31 because the string has a 20 character leading key type plus the space
287        }
288    }
289
290    #[test]
291    /// this is a test case for bad characters in SSH keys
292    fn test_assert_comments() {
293        // Comment is okay.
294        let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
295        "tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
296        "zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag== william@a",
297        "methyst");
298
299        let _ = SshPublicKey::from_string(ecdsa).unwrap();
300
301        // No comment is okay.
302        let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
303        "tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
304        "zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag==");
305
306        let _ = SshPublicKey::from_string(ecdsa).unwrap();
307
308        // No comment is okay (spaces to end of line)
309        let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
310        "tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
311        "zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag==     ");
312
313        let _ = SshPublicKey::from_string(ecdsa).unwrap();
314
315        // Comment may have spaces
316        let ecdsa = concat!("ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGyIY7o3B",
317        "tOzRiJ9vvjj96bRImwmyy5GvFSIUPlK00HitiAWGhiO1jGZKmK7220Oe4rqU3uAwA00a0758UODs+0OQHLMDRtl81l",
318        "zPrVSdrYEDldxH9+a86dBZhdm0e15+ODDts2LHUknsJCRRldO4o9R9VrohlF7cbyBlnhJQrR4S+Oag==  I'm a giraffe! ");
319
320        let _ = SshPublicKey::from_string(ecdsa).unwrap();
321    }
322}