Add Unix peer credentials authenticator

Joe Ellis · Joe Ellis · commit 9a65b4064750 · 2020-08-06T11:59:06.000+01:00
This authenticator uses Unix peer credentials for authentication. Unix peer credentials provide direct access to the (effective) uid/gid on the other end of a domain socket connect, without cooperation between the endpoints. This means that we can determine the uid/gid of the connecting process, and therefore infer the username of the user that owns said process. This authenticator: - grabs the (uid, gid) pair of the connecting process. - determine the username of the owner of the connecting process based on the uid. - creates an `ApplicationName` based on the username. Note that this patch depends on the following PR being merged: rust-lang/rust#75148 At the time of writing, this PR is currently under review and is not merged into the Rust stdlib. This patch therefore will not build with the current a stable/nightly compiler. Signed-off-by: Joe Ellis <joe.ellis@arm.com>
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -49,6 +49,7 @@ libc = "0.2.72"
 [dev-dependencies]
 ring = "0.16.12"
 lazy_static = "1.4.0"
+whoami = "0.9.0"
 
 [build-dependencies]
 bindgen = "0.54.0"
diff --git a/README.md b/README.md
@@ -114,6 +114,7 @@ This project uses the following third party crates:
 * picky (MIT and Apache-2.0)
 * users (MIT)
 * libc (MIT and Apache-2.0)
+* whoami (MIT or BSL-1.0)
 
 This project uses the following third party libraries:
 * [**Mbed Crypto**](https://github.com/ARMmbed/mbed-crypto) (Apache-2.0)
diff --git a/src/authenticators/mod.rs b/src/authenticators/mod.rs
@@ -12,6 +12,7 @@
 //! Currently only a simple Direct Authenticator component is implemented.
 
 pub mod direct_authenticator;
+pub mod uds_authenticator;
 
 use crate::front::listener::ConnectionMetadata;
 use parsec_interface::requests::request::RequestAuth;
diff --git a/src/authenticators/uds_authenticator/mod.rs b/src/authenticators/uds_authenticator/mod.rs
@@ -0,0 +1,129 @@
+// Copyright 2019 Contributors to the Parsec project.
+// SPDX-License-Identifier: Apache-2.0
+//! Unix domain socket (UDS) peer credentials authenticator
+//!
+//! The `UDSAuthenticator` uses peer credentials from Unix domain sockets to perform
+//! authentication. As such, it uses the UID/GID to grab a username for the owner of the connecting
+//! process. This is used as the application name.
+
+use super::ApplicationName;
+use super::Authenticate;
+use crate::front::listener::ConnectionMetadata;
+use log::error;
+use parsec_interface::requests::request::RequestAuth;
+use parsec_interface::requests::{ResponseStatus, Result};
+use users::get_user_by_uid;
+
+#[derive(Copy, Clone, Debug)]
+pub struct UDSAuthenticator;
+
+impl Authenticate for UDSAuthenticator {
+    fn authenticate(
+        &self,
+        _auth: &RequestAuth,
+        meta: Option<ConnectionMetadata>,
+    ) -> Result<ApplicationName> {
+        let meta = match meta {
+            Some(meta) => meta,
+            None => {
+                error!("Authenticator did not receive any metadata; cannot authenticate.");
+                return Err(ResponseStatus::AuthenticationError);
+            }
+        };
+
+        let ucred = match meta {
+            ConnectionMetadata::PeerCredentials(ucred) => ucred,
+            // TODO: add wildcard pattern when `ConnectionMetadata` has more possibilities.
+        };
+
+        let user = match get_user_by_uid(ucred.uid) {
+            Some(user) => user,
+            None => {
+                error!("Couldn't get username for UID!");
+                return Err(ResponseStatus::AuthenticationError);
+            }
+        };
+
+        let username = match user.name().to_str() {
+            Some(username) => username,
+            None => {
+                error!("Couldn't get username for user!");
+                return Err(ResponseStatus::AuthenticationError);
+            }
+        };
+
+        Ok(ApplicationName(String::from(username)))
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::super::Authenticate;
+    use super::UDSAuthenticator;
+    use crate::front::listener::ConnectionMetadata;
+    use parsec_interface::requests::request::RequestAuth;
+    use parsec_interface::requests::ResponseStatus;
+    use std::os::unix::net::UCred;
+    use std::os::unix::net::UnixStream;
+
+    #[test]
+    fn successful_authentication() {
+        // This test should PASS; we are verifying that our username gets set as the application
+        // secret when using UDS authentication.
+
+        // Create two connected sockets.
+        let (sock_a, _sock_b) = UnixStream::pair().unwrap();
+        let (cred_a, _cred_b) = (sock_a.peer_cred().unwrap(), _sock_b.peer_cred().unwrap());
+
+        let authenticator = UDSAuthenticator {};
+
+        let req_auth = RequestAuth::new("secret".into());
+        let conn_metadata = Some(ConnectionMetadata::PeerCredentials(cred_a));
+
+        let auth_name = authenticator
+            .authenticate(&req_auth, conn_metadata)
+            .expect("Failed to authenticate");
+
+        assert_eq!(auth_name.get_name(), whoami::username());
+    }
+
+    #[test]
+    fn unsuccessful_authentication_no_user() {
+        // This test should FAIL; we're trying to use a non-existent user for authentication.
+        let authenticator = UDSAuthenticator {};
+
+        let req_auth = RequestAuth::new("secret".into());
+        let bogus_ucred = UCred {
+            // 65535 is a special UID. This value is unused/avoided because it was the API error return
+            // value when uid_t was 16 bits. We should be safe to use this to represent a user that
+            // does not exist.
+            uid: 65535,
+            // 65534 is a special GID that many Linux distributions map to the group name
+            // `nogroup`.
+            gid: 65534,
+        };
+        let conn_metadata = Some(ConnectionMetadata::PeerCredentials(bogus_ucred));
+
+        let auth_result = authenticator.authenticate(&req_auth, conn_metadata);
+
+        assert_eq!(auth_result, Err(ResponseStatus::AuthenticationError));
+    }
+
+    #[test]
+    fn unsuccessful_authentication_no_metadata() {
+        // Create two connected sockets.
+        let authenticator = UDSAuthenticator {};
+        let req_auth = RequestAuth::new("secret".into());
+
+        let conn_metadata = None;
+        let auth_result = authenticator.authenticate(&req_auth, conn_metadata);
+        assert_eq!(auth_result, Err(ResponseStatus::AuthenticationError));
+    }
+
+    #[test]
+    fn unsuccessful_authentication_wrong_metadata() {
+        // TODO: this test needs implementing when we have more than one metadata type in
+        // `PeerCredentials::ConnectionMetadata`. At the moment, the compiler just complains with
+        // an 'unreachable branch' message.
+    }
+}
diff --git a/src/front/domain_socket.rs b/src/front/domain_socket.rs
@@ -5,8 +5,8 @@
 //! Expose Parsec functionality using Unix domain sockets as an IPC layer.
 //! The local socket is created at a predefined location.
 use super::listener;
-use listener::Connection;
 use listener::Listen;
+use listener::{Connection, ConnectionMetadata};
 use log::error;
 #[cfg(not(feature = "no-parsec-user-and-clients-group"))]
 use std::ffi::CString;
@@ -202,11 +202,12 @@ impl Listen for DomainSocketListener {
                     format_error!("Failed to set stream as blocking", err);
                     None
                 } else {
+                    let ucred = stream.peer_cred().expect(
+                        "Failed to get peer credentials for Unix domain socket connection.",
+                    );
                     Some(Connection {
                         stream: Box::new(stream),
-                        // TODO: when possible, we want to replace this with the (uid, gid, pid)
-                        // triple for peer credentials. See listener.rs.
-                        metadata: None,
+                        metadata: Some(ConnectionMetadata::PeerCredentials(ucred)),
                     })
                 }
             }
diff --git a/src/front/listener.rs b/src/front/listener.rs
@@ -7,6 +7,7 @@
 //! of the IPC mechanism used as a Parsec front.
 use derivative::Derivative;
 use serde::Deserialize;
+use std::os::unix::net::UCred;
 use std::time::Duration;
 
 // This trait is created to allow the iterator returned by incoming to iterate over a trait object
@@ -29,7 +30,7 @@ pub struct ListenerConfig {
 /// Specifies metadata associated with a connection, if any.
 #[derive(Copy, Clone, Debug)]
 pub enum ConnectionMetadata {
-    // TODO: nothing here right now. Metadata types will be added as needed.
+    PeerCredentials(UCred),
 }
 
 /// Represents a connection to a single client. Contains a stream, used for communication with the
diff --git a/src/lib.rs b/src/lib.rs
@@ -36,6 +36,9 @@
 )]
 // This one is hard to avoid.
 #![allow(clippy::multiple_crate_versions)]
+// TODO: remove this if/when the Unix peer credentials PR gets merged. Link
+//       here for reference: https://github.com/rust-lang/rust/pull/75148
+#![feature(peer_credentials_unix_socket)]
 
 #[allow(unused)]
 macro_rules! format_error {
