Update systemd unit file with new hierarchy

Signed-off-by: Hugues de Valon <[email protected]>

Author: hug-dev

Cargo.toml

@@ -52,7 +52,6 @@ features = ["pkcs11-provider", "tpm-provider", "tss-esapi/docs", "mbed-crypto-pr
 
 [features]
 default = []
-no-parsec-user-and-clients-group = []
 mbed-crypto-provider = ["psa-crypto"]
 pkcs11-provider = ["pkcs11", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "psa-crypto", "rand"]
 tpm-provider = ["tss-esapi", "picky-asn1-der", "picky-asn1", "picky-asn1-x509", "hex"]

ci.sh

@@ -67,10 +67,10 @@ while [ "$#" -gt 0 ]; do
             PROVIDER_NAME=$1
             cp $(pwd)/e2e_tests/provider_cfg/$1/config.toml $CONFIG_PATH
             if [ "$PROVIDER_NAME" = "all" ]; then
-                FEATURES="--features=all-providers,no-parsec-user-and-clients-group"
+                FEATURES="--features=all-providers"
                 TEST_FEATURES="--features=all-providers"
             else
-                FEATURES="--features=$1-provider,no-parsec-user-and-clients-group"
+                FEATURES="--features=$1-provider"
                 TEST_FEATURES="--features=$1-provider"
             fi
         ;;

config.toml

@@ -44,6 +44,12 @@ listener_type = "DomainSocket"
 # timeout expires, the connection is dropped.
 timeout = 200 # in milliseconds
 
+# Specify the Unix Domain Socket path. The path is fixed and should always be the default one for
+# clients to connect. However, it is useful to change it for tests.
+# WARNING: If a file already exists at that path, the service will remove it before creating the
+# socket file.
+#socket_path = "/run/parsec/parsec.sock"
+
 # (Required) Configuration for the components managing key info for providers.
 # Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables
 [[key_manager]]
@@ -54,7 +60,7 @@ name = "on-disk-manager"
 manager_type = "OnDisk"
 
 # Path to the location where the mapping will be persisted (in this case, the filesystem path)
-#store_path = "./mappings"
+#store_path = "/var/lib/parsec/mappings"
 
 # (Required) Provider configurations.
 # Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables

e2e_tests/Cargo.toml

@@ -18,6 +18,10 @@ parsec-client = { version = "0.9.0", features = ["testing"] }
 log = "0.4.11"
 rand = "0.7.3"
 
+[patch.crates-io]
+# Just to make the CI pass, update with the newest version
+parsec-client = { git = 'https://github.com/hug-dev/parsec-client-rust', branch = 'new-socket-path' }
+
 [dev-dependencies]
 ring = "0.16.15"
 env_logger = "0.7.1"

e2e_tests/provider_cfg/all/config.toml

@@ -10,10 +10,12 @@ allow_root = true
 [listener]
 listener_type = "DomainSocket"
 timeout = 200 # in milliseconds
+socket_path = "/tmp/parsec.sock"
 
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
+store_path = "./mappings"
 
 [[provider]]
 provider_type = "MbedCrypto"

e2e_tests/provider_cfg/mbed-crypto/config.toml

@@ -12,10 +12,12 @@ listener_type = "DomainSocket"
 # The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
 # that the service does not hang for very big values of body or authentication length.
 timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
 
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
+store_path = "./mappings"
 
 [[provider]]
 provider_type = "MbedCrypto"

e2e_tests/provider_cfg/pkcs11/config.toml

@@ -12,10 +12,12 @@ listener_type = "DomainSocket"
 # The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
 # that the service does not hang for very big values of body or authentication length.
 timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
 
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
+store_path = "./mappings"
 
 [[provider]]
 provider_type = "Pkcs11"

e2e_tests/provider_cfg/tpm/config.toml

@@ -12,10 +12,12 @@ listener_type = "DomainSocket"
 # The timeout needs to be smaller than the test client timeout (five seconds) as it is testing
 # that the service does not hang for very big values of body or authentication length.
 timeout = 3000 # in milliseconds
+socket_path = "/tmp/parsec.sock"
 
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
+store_path = "./mappings"
 
 [[provider]]
 provider_type = "Tpm"

e2e_tests/src/lib.rs

@@ -22,11 +22,15 @@ use parsec_client::core::interface::operations::psa_key_attributes::{
     Attributes, EccFamily, Lifetime, Policy, Type, UsageFlags,
 };
 use parsec_client::core::interface::requests::{Opcode, ProviderID, ResponseStatus, Result};
+use parsec_client::core::ipc_handler::unix_socket;
 use parsec_client::core::secrecy::{ExposeSecret, Secret};
 use parsec_client::error::Error;
 use std::collections::HashSet;
 use std::time::Duration;
 
+const TEST_SOCKET_PATH: &str = "/tmp/parsec.sock";
+const TEST_TIMEOUT: Duration = Duration::from_secs(1);
+
 /// Client structure automatically choosing a provider and high-level operation functions.
 #[derive(Debug)]
 pub struct TestClient {
@@ -58,6 +62,9 @@ impl TestClient {
             created_keys: Some(HashSet::new()),
         };
 
+        let ipc_handler = unix_socket::Handler::new(TEST_SOCKET_PATH.into(), Some(TEST_TIMEOUT));
+        client.basic_client.set_ipc_handler(Box::from(ipc_handler));
+
         let crypto_provider = client.find_crypto_provider();
         client.set_provider(crypto_provider);
         client

e2e_tests/src/raw_request.rs

@@ -13,7 +13,7 @@ const MAX_BODY_SIZE: usize = 1 << 31;
 #[derive(Copy, Clone, Debug)]
 pub struct RawRequestClient;
 
-static SOCKET_PATH: &str = "/run/parsec/parsec.sock";
+static SOCKET_PATH: &str = "/tmp/parsec.sock";
 const TIMEOUT: Duration = Duration::from_secs(5);
 
 #[allow(clippy::new_without_default)]

e2e_tests/tests/per_provider/normal_tests/export_key.rs

@@ -91,14 +91,14 @@ fn export_without_create() {
 }
 
 #[test]
-fn import_and_export_public_key() -> Result<()> {
+fn import_and_export_key() -> Result<()> {
     let mut client = TestClient::new();
 
     if !client.is_operation_supported(Opcode::PsaExportKey) {
         return Ok(());
     }
 
-    let key_name = String::from("import_and_export_public_key");
+    let key_name = String::from("import_and_export_key");
     let key_data = vec![
         48, 129, 137, 2, 129, 129, 0, 153, 165, 220, 135, 89, 101, 254, 229, 28, 33, 138, 247, 20,
         102, 253, 217, 247, 246, 142, 107, 51, 40, 179, 149, 45, 117, 254, 236, 161, 109, 16, 81,

e2e_tests/tests/per_provider/normal_tests/ping.rs

@@ -7,6 +7,8 @@ use parsec_client::core::interface::requests::Opcode;
 use parsec_client::core::interface::requests::ProviderID;
 use parsec_client::core::interface::requests::ResponseStatus;
 use parsec_client::core::interface::requests::Result;
+use parsec_client::core::ipc_handler::unix_socket;
+use std::time::Duration;
 
 #[test]
 fn test_ping() -> Result<()> {
@@ -20,7 +22,13 @@ fn test_ping() -> Result<()> {
 
 #[test]
 fn mangled_ping() {
-    let client = RequestClient::default();
+    let client = RequestClient {
+        ipc_handler: Box::from(unix_socket::Handler::new(
+            "/tmp/parsec.sock".into(),
+            Some(Duration::from_secs(1)),
+        )),
+        ..Default::default()
+    };
     let mut req = Request::new();
     req.header.provider = ProviderID::Core;
     req.header.opcode = Opcode::Ping;

fuzz/config.toml

@@ -3,10 +3,12 @@
 [listener]
 listener_type = "DomainSocket"
 timeout = 200 # in milliseconds
+socket_path = "/tmp/parsec.sock"
 
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
+store_path = "./mappings"
 
 # [[provider]]
 # provider_type = "MbedCryptoProvider"

src/front/domain_socket.rs

@@ -7,22 +7,19 @@
 use super::listener;
 use listener::Listen;
 use listener::{Connection, ConnectionMetadata};
-use log::error;
-#[cfg(not(feature = "no-parsec-user-and-clients-group"))]
-use std::ffi::CString;
+use log::{error, warn};
 use std::fs;
 use std::fs::Permissions;
 use std::io::{Error, ErrorKind, Result};
+use std::os::unix::fs::FileTypeExt;
 use std::os::unix::fs::PermissionsExt;
 use std::os::unix::io::FromRawFd;
 use std::os::unix::net::UnixListener;
-use std::path::Path;
+use std::path::PathBuf;
 use std::time::Duration;
 
-static SOCKET_PATH: &str = "/run/parsec/parsec.sock";
-#[cfg(not(feature = "no-parsec-user-and-clients-group"))]
+static DEFAULT_SOCKET_PATH: &str = "/run/parsec/parsec.sock";
 const PARSEC_USERNAME: &str = "parsec";
-#[cfg(not(feature = "no-parsec-user-and-clients-group"))]
 const PARSEC_GROUPNAME: &str = "parsec-clients";
 
 /// Unix Domain Socket IPC manager
@@ -38,29 +35,37 @@ pub struct DomainSocketListener {
 
 impl DomainSocketListener {
     /// Initialise the connection to the Unix socket.
-    pub fn new(timeout: Duration) -> Result<Self> {
-        #[cfg(not(feature = "no-parsec-user-and-clients-group"))]
-        DomainSocketListener::check_user_details()?;
+    pub fn new(timeout: Duration, socket_path: PathBuf) -> Result<Self> {
+        DomainSocketListener::check_user_details();
 
         // If Parsec was service activated or not started under systemd, this
         // will return `0`. `1` will be returned in case Parsec is socket activated.
         let listener = match sd_notify::listen_fds()? {
             0 => {
-                let socket = Path::new(SOCKET_PATH);
-                let parent_dir = socket.parent().unwrap();
-                if !parent_dir.exists() {
-                    fs::create_dir_all(parent_dir)?;
-                } else if socket.exists() {
-                    fs::remove_file(&socket)?;
+                if socket_path.exists() {
+                    let meta = fs::metadata(&socket_path)?;
+                    if meta.file_type().is_socket() {
+                        warn!(
+                            "Removing the existing socket file at {}.",
+                            socket_path.display()
+                        );
+                        fs::remove_file(&socket_path)?;
+                    } else {
+                        error!(
+                            "A file exists at {} but is not a Unix Domain Socket.",
+                            socket_path.display()
+                        );
+                    }
                 }
 
-                let listener = UnixListener::bind(SOCKET_PATH)?;
+                // Will fail if a file already exists at the path.
+                let listener = UnixListener::bind(&socket_path)?;
                 listener.set_nonblocking(true)?;
 
                 // Set the socket's permission to 666 to allow clients of different user to
                 // connect.
                 let permissions = Permissions::from_mode(0o666);
-                fs::set_permissions(SOCKET_PATH, permissions)?;
+                fs::set_permissions(socket_path, permissions)?;
 
                 listener
             }
@@ -88,53 +93,17 @@ impl DomainSocketListener {
         Ok(Self { listener, timeout })
     }
 
-    #[cfg(not(feature = "no-parsec-user-and-clients-group"))]
-    fn check_user_details() -> Result<()> {
+    fn check_user_details() {
         // Check Parsec is running as parsec user
         if users::get_current_username() != Some(PARSEC_USERNAME.into()) {
-            error!(
-                "Incorrect user. Parsec should be run as user {}.",
+            warn!(
+                "Incorrect user. Parsec should be run as user {}. Follow recommendations to install Parsec securely or clients might not be able to connect.",
                 PARSEC_USERNAME
             );
-            return Err(Error::new(
-                ErrorKind::PermissionDenied,
-                "Parsec run as incorrect user",
-            ));
         }
-        // Check Parsec client group exists and parsec user is a member of it
-        if let Some(parsec_clients_group) = users::get_group_by_name(PARSEC_GROUPNAME) {
-            if let Some(groups) = users::get_user_groups(PARSEC_USERNAME, users::get_current_gid())
-            {
-                // Split to make `clippy` happy
-                let parsec_user_in_parsec_clients_group = groups.into_iter().any(|group| {
-                    group.gid() == parsec_clients_group.gid()
-                        && group.name() == parsec_clients_group.name()
-                });
-                // Check the parsec user is a member of the parsec clients group
-                if parsec_user_in_parsec_clients_group {
-                    return Ok(());
-                }
-                error!(
-                    "{} user not a member of {}.",
-                    PARSEC_USERNAME, PARSEC_GROUPNAME
-                );
-                Err(Error::new(
-                    ErrorKind::PermissionDenied,
-                    "User permissions incorrect",
-                ))
-            } else {
-                error!("Retrieval of groups for user {} failed.", PARSEC_USERNAME);
-                Err(Error::new(
-                    ErrorKind::InvalidInput,
-                    "Failed to retrieve user groups",
-                ))
-            }
-        } else {
-            error!("{} group does not exist.", PARSEC_GROUPNAME);
-            Err(Error::new(
-                ErrorKind::PermissionDenied,
-                "Group permissions incorrect",
-            ))
+        // Check Parsec client group exists
+        if users::get_group_by_name(PARSEC_GROUPNAME).is_none() {
+            warn!("{} group does not exist. Follow recommendations to install Parsec securely or clients might not be able to connect.", PARSEC_GROUPNAME);
         }
     }
 }
@@ -190,15 +159,19 @@ impl Listen for DomainSocketListener {
 }
 
 /// Builder for `DomainSocketListener`
-#[derive(Copy, Clone, Debug, Default)]
+#[derive(Clone, Debug, Default)]
 pub struct DomainSocketListenerBuilder {
     timeout: Option<Duration>,
+    socket_path: Option<PathBuf>,
 }
 
 impl DomainSocketListenerBuilder {
     /// Create a new DomainSocketListener builder
     pub fn new() -> Self {
-        DomainSocketListenerBuilder { timeout: None }
+        DomainSocketListenerBuilder {
+            timeout: None,
+            socket_path: None,
+        }
     }
 
     /// Add a timeout on the Unix Domain Socket used
@@ -207,12 +180,22 @@ impl DomainSocketListenerBuilder {
         self
     }
 
+    /// Specify the Unix Domain Socket path
+    pub fn with_socket_path(mut self, socket_path: PathBuf) -> Self {
+        self.socket_path = Some(socket_path);
+        self
+    }
+
     /// Build the builder into the listener
     pub fn build(self) -> Result<DomainSocketListener> {
-        DomainSocketListener::new(self.timeout.ok_or_else(|| {
-            error!("The listener timeout was not set.");
-            Error::new(ErrorKind::InvalidInput, "listener timeout missing")
-        })?)
+        DomainSocketListener::new(
+            self.timeout.ok_or_else(|| {
+                error!("The listener timeout was not set.");
+                Error::new(ErrorKind::InvalidInput, "listener timeout missing")
+            })?,
+            self.socket_path
+                .unwrap_or_else(|| DEFAULT_SOCKET_PATH.into()),
+        )
     }
 }
 

src/front/front_end.rs

@@ -107,7 +107,7 @@ impl FrontEndHandler {
                 if crate::utils::GlobalConfig::log_error_details() {
                     if let Some(app_name_string) = app_name {
                         info!(
-                            "Response from application name \"{}\" sent back",
+                            "Response for application name \"{}\" sent back",
                             app_name_string
                         );
                     } else {