Add Unix peer credentials authenticator

This authenticator uses Unix peer credentials for authentication. Unix
peer credentials provide direct access to the (effective) uid/gid on the
other end of a domain socket connect, without cooperation between the
endpoints. This means that we can determine the uid/gid of the
connecting process, and therefore infer the username of the user that
owns said process.

This authenticator:

- grabs the (uid, gid) pair of the connecting process.
- grabs the self-declared uid sent in the authentication request.
- verifies that authentication is successful by checking that the
  self-declared uid in the authentication request is equal to the actual
  uid from the peer credentials.
- if authentication was successful, creates an `ApplicationName` based
  on the uid.

The authenticator is hidden behind the Cargo feature
`uds-authenticator`.

Note that this patch depends on the following PR being merged:

    rust-lang/rust#75148

At the time of writing, this PR is currently under review and is not
merged into the Rust stdlib. This patch therefore will not build with
the current a stable/nightly compiler.

Signed-off-by: Joe Ellis <[email protected]>

Author: Joe Ellis

Cargo.toml

@@ -69,6 +69,7 @@ mbed-crypto-provider = ["psa-crypto"]
 pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"]
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509"]
 all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider"]
+uds-authenticator = []
 # The Mbed provider is not included in the docs because of 2 reasons:
 # 1) it is currently impossible for it to be built inside the docs.rs build system (as it has dependencies
 # that cannot be fulfilled)

src/authenticators/mod.rs

@@ -8,11 +8,12 @@
 //! used throughout the service for identifying the request initiator. The input to an authentication
 //! is the `RequestAuth` field of a request, which is parsed by the authenticator specified in the header.
 //! The authentication functionality is abstracted through an `Authenticate` trait.
-//!
-//! Currently only a simple Direct Authenticator component is implemented.
 
 pub mod direct_authenticator;
 
+#[cfg(feature = "uds-authenticator")]
+pub mod uds_authenticator;
+
 use crate::front::listener::ConnectionMetadata;
 use parsec_interface::requests::request::RequestAuth;
 use parsec_interface::requests::Result;

src/authenticators/uds_authenticator/mod.rs

@@ -0,0 +1,165 @@
+// Copyright 2020 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! Unix domain socket (UDS) peer credentials authenticator
+//!
+//! The `UDSAuthenticator` uses peer credentials from Unix domain sockets to perform
+//! authentication. As such, it uses the UID/GID to grab a username for the owner of the connecting
+//! process. This is used as the application name.
+
+use super::ApplicationName;
+use super::Authenticate;
+use crate::front::listener::ConnectionMetadata;
+use log::error;
+use parsec_interface::requests::request::RequestAuth;
+use parsec_interface::requests::{ResponseStatus, Result};
+use parsec_interface::secrecy::ExposeSecret;
+use std::str;
+
+#[derive(Copy, Clone, Debug)]
+pub struct UDSAuthenticator;
+
+impl Authenticate for UDSAuthenticator {
+    fn authenticate(
+        &self,
+        auth: &RequestAuth,
+        meta: Option<ConnectionMetadata>,
+    ) -> Result<ApplicationName> {
+        // Parse authentication request.
+        let expected_uid = auth.buffer.expose_secret();
+        if expected_uid.is_empty() {
+            error!("Expected UID in authentication request, but it is empty.");
+            return Err(ResponseStatus::AuthenticationError);
+        }
+
+        let expected_uid = match str::from_utf8(expected_uid) {
+            Ok(expected_uid) => expected_uid,
+            Err(_) => {
+                error!("Error parsing the authentication value as a UTF-8 string.");
+                return Err(ResponseStatus::AuthenticationError);
+            }
+        };
+
+        // Get request metadata.
+        let meta = match meta {
+            Some(meta) => meta,
+            None => {
+                error!("Authenticator did not receive any metadata; cannot authenticate.");
+                return Err(ResponseStatus::AuthenticationError);
+            }
+        };
+
+        let (uid, _gid) = match meta {
+            ConnectionMetadata::PeerCredentials { uid, gid } => (uid, gid),
+            // TODO: add wildcard pattern when `ConnectionMetadata` has more possibilities.
+        };
+
+        let uid = uid.to_string();
+
+        // Authentication is successful if the _actual_ UID from the peer credentials equals the
+        // self-declared UID in the authentication request.
+        if uid == expected_uid {
+            Ok(ApplicationName(uid))
+        } else {
+            error!("Declared UID in authentication request does not match the process's UID.");
+            Err(ResponseStatus::AuthenticationError)
+        }
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::super::Authenticate;
+    use super::UDSAuthenticator;
+    use crate::front::listener::ConnectionMetadata;
+    use parsec_interface::requests::request::RequestAuth;
+    use parsec_interface::requests::ResponseStatus;
+    use rand::Rng;
+    use std::os::unix::net::UnixStream;
+    use users::get_current_uid;
+
+    #[test]
+    fn successful_authentication() {
+        // This test should PASS; we are verifying that our username gets set as the application
+        // secret when using UDS authentication.
+
+        // Create two connected sockets.
+        let (sock_a, _sock_b) = UnixStream::pair().unwrap();
+        let (cred_a, _cred_b) = (sock_a.peer_cred().unwrap(), _sock_b.peer_cred().unwrap());
+
+        let authenticator = UDSAuthenticator {};
+
+        let req_auth_data = cred_a.uid.to_string().as_bytes().to_vec();
+        let req_auth = RequestAuth::new(req_auth_data);
+        let conn_metadata = Some(ConnectionMetadata::PeerCredentials {
+            uid: cred_a.uid,
+            gid: cred_a.gid,
+        });
+
+        let auth_name = authenticator
+            .authenticate(&req_auth, conn_metadata)
+            .expect("Failed to authenticate");
+
+        assert_eq!(auth_name.get_name(), get_current_uid().to_string());
+    }
+
+    #[test]
+    fn unsuccessful_authentication_wrong_declared_uid() {
+        // This test should FAIL; we are trying to authenticate, but we are declaring the wrong
+        // UID.
+
+        // Create two connected sockets.
+        let (sock_a, _sock_b) = UnixStream::pair().unwrap();
+        let (cred_a, _cred_b) = (sock_a.peer_cred().unwrap(), _sock_b.peer_cred().unwrap());
+
+        let authenticator = UDSAuthenticator {};
+
+        let wrong_uid = cred_a.uid + 1;
+        let wrong_req_auth_data = wrong_uid.to_string().as_bytes().to_vec();
+        let req_auth = RequestAuth::new(wrong_req_auth_data);
+        let conn_metadata = Some(ConnectionMetadata::PeerCredentials {
+            uid: cred_a.uid,
+            gid: cred_a.gid,
+        });
+
+        let auth_result = authenticator.authenticate(&req_auth, conn_metadata);
+        assert_eq!(auth_result, Err(ResponseStatus::AuthenticationError));
+    }
+
+    #[test]
+    fn unsuccessful_authentication_garbage_data() {
+        // This test should FAIL; we are sending garbage (random) data in the request.
+
+        // Create two connected sockets.
+        let (sock_a, _sock_b) = UnixStream::pair().unwrap();
+        let (cred_a, _cred_b) = (sock_a.peer_cred().unwrap(), _sock_b.peer_cred().unwrap());
+
+        let authenticator = UDSAuthenticator {};
+
+        let garbage_data = rand::thread_rng().gen::<[u8; 32]>().to_vec();
+        let req_auth = RequestAuth::new(garbage_data);
+        let conn_metadata = Some(ConnectionMetadata::PeerCredentials {
+            uid: cred_a.uid,
+            gid: cred_a.gid,
+        });
+
+        let auth_result = authenticator.authenticate(&req_auth, conn_metadata);
+        assert_eq!(auth_result, Err(ResponseStatus::AuthenticationError));
+    }
+
+    #[test]
+    fn unsuccessful_authentication_no_metadata() {
+        let authenticator = UDSAuthenticator {};
+        let req_auth = RequestAuth::new("secret".into());
+
+        let conn_metadata = None;
+        let auth_result = authenticator.authenticate(&req_auth, conn_metadata);
+        assert_eq!(auth_result, Err(ResponseStatus::AuthenticationError));
+    }
+
+    #[test]
+    fn unsuccessful_authentication_wrong_metadata() {
+        // TODO: this test needs implementing when we have more than one metadata type in
+        // `PeerCredentials::ConnectionMetadata`. At the moment, the compiler just complains with
+        // an 'unreachable branch' message.
+    }
+}

src/front/domain_socket.rs

@@ -5,8 +5,8 @@
 //! Expose Parsec functionality using Unix domain sockets as an IPC layer.
 //! The local socket is created at a predefined location.
 use super::listener;
-use listener::Connection;
 use listener::Listen;
+use listener::{Connection, ConnectionMetadata, GetMetadata};
 use log::error;
 #[cfg(not(feature = "no-parsec-user-and-clients-group"))]
 use std::ffi::CString;
@@ -16,6 +16,7 @@ use std::io::{Error, ErrorKind, Result};
 use std::os::unix::fs::PermissionsExt;
 use std::os::unix::io::FromRawFd;
 use std::os::unix::net::UnixListener;
+use std::os::unix::net::UnixStream;
 use std::path::Path;
 use std::time::Duration;
 
@@ -202,11 +203,10 @@ impl Listen for DomainSocketListener {
                     format_error!("Failed to set stream as blocking", err);
                     None
                 } else {
+                    let metadata = stream.metadata();
                     Some(Connection {
                         stream: Box::new(stream),
-                        // TODO: when possible, we want to replace this with the (uid, gid, pid)
-                        // triple for peer credentials. See listener.rs.
-                        metadata: None,
+                        metadata: metadata,
                     })
                 }
             }
@@ -245,3 +245,15 @@ impl DomainSocketListenerBuilder {
         })?)
     }
 }
+
+impl GetMetadata for UnixStream {
+    fn metadata(&self) -> Option<ConnectionMetadata> {
+        let ucred = self
+            .peer_cred()
+            .expect("Failed to get peer credentials for Unix domain socket connection.");
+        Some(ConnectionMetadata::PeerCredentials {
+            uid: ucred.uid,
+            gid: ucred.gid,
+        })
+    }
+}

src/front/listener.rs

@@ -29,7 +29,7 @@ pub struct ListenerConfig {
 /// Specifies metadata associated with a connection, if any.
 #[derive(Copy, Clone, Debug)]
 pub enum ConnectionMetadata {
-    // TODO: nothing here right now. Metadata types will be added as needed.
+    PeerCredentials { uid: u32, gid: u32 },
 }
 
 /// Represents a connection to a single client. Contains a stream, used for communication with the
@@ -65,3 +65,9 @@ pub trait Listen {
     /// If the listener has not been initialised before, with the `init` method.
     fn accept(&self) -> Option<Connection>;
 }
+
+/// Get metadata for a particular object.
+pub trait GetMetadata {
+    /// Get the metadata associated with this object.
+    fn metadata(&self) -> Option<ConnectionMetadata>;
+}

src/lib.rs

@@ -36,6 +36,9 @@
 )]
 // This one is hard to avoid.
 #![allow(clippy::multiple_crate_versions)]
+// TODO: remove this if/when the Unix peer credentials PR gets merged. Link
+//       here for reference: https://github.com/rust-lang/rust/pull/75148
+#![feature(peer_credentials_unix_socket)]
 
 #[allow(unused)]
 macro_rules! format_error {