fix registry auth
@@ -81,22 +81,23 @@ impl<C: Context> Middleware<C> for Auth<C> {
|
|||||||
) -> Result<(), RpcResponse> {
|
) -> Result<(), RpcResponse> {
|
||||||
let m: Metadata =
|
let m: Metadata =
|
||||||
from_value(metadata.clone()).map_err(|e| RpcResponse::from_result(Err(e)))?;
|
from_value(metadata.clone()).map_err(|e| RpcResponse::from_result(Err(e)))?;
|
||||||
if m.authenticated {
|
let mut err = None;
|
||||||
let mut err = None;
|
for middleware in self.0.iter_mut() {
|
||||||
for middleware in self.0.iter_mut() {
|
if let Err(e) = middleware
|
||||||
if let Err(e) = middleware
|
.process_rpc_request(context, metadata.clone(), request)
|
||||||
.process_rpc_request(context, metadata.clone(), request)
|
.await
|
||||||
.await
|
{
|
||||||
{
|
if m.authenticated {
|
||||||
err = Some(e);
|
err = Some(e);
|
||||||
} else {
|
|
||||||
return Ok(());
|
|
||||||
}
|
}
|
||||||
}
|
} else {
|
||||||
if let Some(e) = err {
|
return Ok(());
|
||||||
return Err(e);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if let Some(e) = err {
|
||||||
|
return Err(e);
|
||||||
|
}
|
||||||
|
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
async fn process_rpc_response(&mut self, context: &C, response: &mut RpcResponse) {
|
async fn process_rpc_response(&mut self, context: &C, response: &mut RpcResponse) {
|
||||||
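Review bot: With the `if m.authenticated` check moved inside the `Err` arm, a middleware rejection on a handler tagged `authenticated: false` is now discarded outright, so a malformed or revoked credential on a public endpoint is indistinguishable from no credential at all — defensible, but a reader will also wonder why the middlewares run for public handlers in the first place (presumably so that a valid credential is still recorded on the context; that is not visible here). I would state the contract above the `for`: `// Middlewares are alternatives: the first one that accepts the request wins. For handlers that do not require authentication, a rejection is ignored instead of failing the request.`. Note that the early `return Ok(())` applies in both cases, so a later middleware never sees a request an earlier one accepted, which is worth saying in the same comment. The enclosing `process_rpc_request` starts before this hunk.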
|
|||||||
@@ -174,26 +174,11 @@ impl CallRemote<RegistryContext> for CliContext {
|
|||||||
params: Value,
|
params: Value,
|
||||||
_: Empty,
|
_: Empty,
|
||||||
) -> Result<Value, RpcError> {
|
) -> Result<Value, RpcError> {
|
||||||
let mut has_cookie = false;
|
let cookie = read_file_to_string(RegistryContext::LOCAL_AUTH_COOKIE_PATH).await;
|
||||||
if let Ok(local) = read_file_to_string(RegistryContext::LOCAL_AUTH_COOKIE_PATH).await {
|
|
||||||
self.cookie_store
|
|
||||||
.lock()
|
|
||||||
.unwrap()
|
|
||||||
.insert_raw(
|
|
||||||
&Cookie::build(("local", local))
|
|
||||||
.domain("localhost")
|
|
||||||
.expires(Expiration::Session)
|
|
||||||
.same_site(SameSite::Strict)
|
|
||||||
.build(),
|
|
||||||
&"http://localhost".parse()?,
|
|
||||||
)
|
|
||||||
.with_kind(crate::ErrorKind::Network)?;
|
|
||||||
has_cookie = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
let url = if let Some(url) = self.registry_url.clone() {
|
let url = if let Some(url) = self.registry_url.clone() {
|
||||||
url
|
url
|
||||||
} else if has_cookie || !self.registry_hostname.is_empty() {
|
} else if cookie.is_ok() || !self.registry_hostname.is_empty() {
|
||||||
let mut url: Url = format!(
|
let mut url: Url = format!(
|
||||||
"http://{}",
|
"http://{}",
|
||||||
self.registry_listen.unwrap_or(DEFAULT_REGISTRY_LISTEN)
|
self.registry_listen.unwrap_or(DEFAULT_REGISTRY_LISTEN)
|
||||||
@@ -201,7 +186,8 @@ impl CallRemote<RegistryContext> for CliContext {
|
|||||||
.parse()
|
.parse()
|
||||||
.map_err(Error::from)?;
|
.map_err(Error::from)?;
|
||||||
url.path_segments_mut()
|
url.path_segments_mut()
|
||||||
.map_err(|_| Error::new(eyre!("cannot extend URL path"), ErrorKind::ParseUrl))?
|
.map_err(|_| eyre!("Url cannot be base"))
|
||||||
|
.with_kind(crate::ErrorKind::ParseUrl)?
|
||||||
.push("rpc")
|
.push("rpc")
|
||||||
.push("v0");
|
.push("v0");
|
||||||
url
|
url
|
||||||
@@ -211,6 +197,26 @@ impl CallRemote<RegistryContext> for CliContext {
|
|||||||
);
|
);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
if let Ok(local) = cookie {
|
||||||
|
let cookie_url = match url.host() {
|
||||||
|
Some(url::Host::Ipv4(ip)) if ip.is_loopback() => url.clone(),
|
||||||
|
Some(url::Host::Ipv6(ip)) if ip.is_loopback() => url.clone(),
|
||||||
|
_ => format!("http://{DEFAULT_REGISTRY_LISTEN}").parse()?,
|
||||||
|
};
|
||||||
|
self.cookie_store
|
||||||
|
.lock()
|
||||||
|
.unwrap()
|
||||||
|
.insert_raw(
|
||||||
|
&Cookie::build(("local", local))
|
||||||
|
.domain(cookie_url.host_str().unwrap_or("localhost"))
|
||||||
|
.expires(Expiration::Session)
|
||||||
|
.same_site(SameSite::Strict)
|
||||||
|
.build(),
|
||||||
|
&cookie_url,
|
||||||
|
)
|
||||||
|
.with_kind(crate::ErrorKind::Network)?;
|
||||||
|
}
|
||||||
|
|
||||||
method = method.strip_prefix("registry.").unwrap_or(method);
|
method = method.strip_prefix("registry.").unwrap_or(method);
|
||||||
let sig_context = self
|
let sig_context = self
|
||||||
.registry_hostname
|
.registry_hostname
|
||||||
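Review bot: The loopback match at `let cookie_url = match url.host()` only recognises `Host::Ipv4`/`Host::Ipv6` loopback addresses, so a `registry_url` such as `http://localhost:PORT` parses as `Host::Domain("localhost")`, falls through to the `_` arm, and the local auth cookie is scoped to `DEFAULT_REGISTRY_LISTEN` rather than the URL actually being called; if that address and `localhost` differ the cookie will not be sent. Adding `Some(url::Host::Domain(d)) if d.eq_ignore_ascii_case("localhost") => url.clone(),` before the catch-all covers it. Restricting the cookie to loopback hosts (never to a remote registry) is the right property, and a one-line comment on the match — `// never attach the local auth cookie to a non-loopback registry host` — would keep a future edit from loosening it. `call_remote` continues past this hunk.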
@@ -302,17 +308,14 @@ impl SignatureAuthContext for RegistryContext {
|
|||||||
pubkey: Option<&AnyVerifyingKey>,
|
pubkey: Option<&AnyVerifyingKey>,
|
||||||
metadata: Self::AdditionalMetadata,
|
metadata: Self::AdditionalMetadata,
|
||||||
) -> Result<Self::CheckPubkeyRes, Error> {
|
) -> Result<Self::CheckPubkeyRes, Error> {
|
||||||
if metadata.admin {
|
if let Some(pubkey) = pubkey {
|
||||||
if let Some(pubkey) = pubkey {
|
let (guid, admin) = db.as_index().as_signers().get_signer_info(pubkey)?;
|
||||||
let (guid, admin) = db.as_index().as_signers().get_signer_info(pubkey)?;
|
if !metadata.admin || db.as_admins().de()?.contains(&guid) {
|
||||||
if db.as_admins().de()?.contains(&guid) {
|
return Ok(Some((pubkey.clone(), admin)));
|
||||||
return Ok(Some((pubkey.clone(), admin)));
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
Err(Error::new(eyre!("UNAUTHORIZED"), ErrorKind::Authorization))
|
|
||||||
} else {
|
|
||||||
Ok(None)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Err(Error::new(eyre!("UNAUTHORIZED"), ErrorKind::Authorization))
|
||||||
}
|
}
|
||||||
async fn post_auth_hook(
|
async fn post_auth_hook(
|
||||||
&self,
|
&self,
|
||||||
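Review bot: The new condition `if !metadata.admin || db.as_admins().de()?.contains(&guid)` changes the non-admin path from "always `Ok(None)`" to "any registered signer passes, unsigned requests are rejected", which affects every handler not tagged `authenticated: false`; that contract deserves a doc comment on `check_pubkey`, e.g. `/// Non-admin handlers accept any registered signer; admin handlers additionally require the signer's guid to be listed in admins. Unsigned requests are always rejected here.`. Separately, `get_signer_info(pubkey)?` propagates whatever error it produces for an unknown key (not visible here), which may carry a different `ErrorKind` than the `Authorization` error returned below — if so, mapping it to the same `UNAUTHORIZED` response would avoid telling a caller whether a key is registered. The `impl` continues outside this hunk.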
|
|||||||
@@ -19,6 +19,7 @@ pub fn info_api<C: Context>() -> ParentHandler<C, WithIoFormat<Empty>> {
|
|||||||
ParentHandler::<C, WithIoFormat<Empty>>::new()
|
ParentHandler::<C, WithIoFormat<Empty>>::new()
|
||||||
.root_handler(
|
.root_handler(
|
||||||
from_fn_async(get_info)
|
from_fn_async(get_info)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
.with_display_serializable()
|
.with_display_serializable()
|
||||||
.with_about("Display registry name, icon, and package categories")
|
.with_about("Display registry name, icon, and package categories")
|
||||||
.with_call_remote::<CliContext>(),
|
.with_call_remote::<CliContext>(),
|
||||||
|
|||||||
@@ -24,21 +24,36 @@ use crate::util::io::{AtomicFile, open_file};
|
|||||||
|
|
||||||
pub fn get_api<C: Context>() -> ParentHandler<C> {
|
pub fn get_api<C: Context>() -> ParentHandler<C> {
|
||||||
ParentHandler::new()
|
ParentHandler::new()
|
||||||
.subcommand("iso", from_fn_async(get_iso).no_cli())
|
.subcommand(
|
||||||
|
"iso",
|
||||||
|
from_fn_async(get_iso)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
|
.no_cli(),
|
||||||
|
)
|
||||||
.subcommand(
|
.subcommand(
|
||||||
"iso",
|
"iso",
|
||||||
from_fn_async(cli_get_os_asset)
|
from_fn_async(cli_get_os_asset)
|
||||||
.no_display()
|
.no_display()
|
||||||
.with_about("Download iso"),
|
.with_about("Download iso"),
|
||||||
)
|
)
|
||||||
.subcommand("img", from_fn_async(get_img).no_cli())
|
.subcommand(
|
||||||
|
"img",
|
||||||
|
from_fn_async(get_img)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
|
.no_cli(),
|
||||||
|
)
|
||||||
.subcommand(
|
.subcommand(
|
||||||
"img",
|
"img",
|
||||||
from_fn_async(cli_get_os_asset)
|
from_fn_async(cli_get_os_asset)
|
||||||
.no_display()
|
.no_display()
|
||||||
.with_about("Download img"),
|
.with_about("Download img"),
|
||||||
)
|
)
|
||||||
.subcommand("squashfs", from_fn_async(get_squashfs).no_cli())
|
.subcommand(
|
||||||
|
"squashfs",
|
||||||
|
from_fn_async(get_squashfs)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
|
.no_cli(),
|
||||||
|
)
|
||||||
.subcommand(
|
.subcommand(
|
||||||
"squashfs",
|
"squashfs",
|
||||||
from_fn_async(cli_get_os_asset)
|
from_fn_async(cli_get_os_asset)
|
||||||
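Review bot: The `with_metadata("authenticated", Value::Bool(false))` call is repeated verbatim on the non-CLI `iso`, `img` and `squashfs` handlers here (and on several other handlers in this commit); the key is a bare string that has to match the `authenticated` field the auth middleware deserialises from metadata, so a typo would silently fall back to that field's default instead of failing to compile. A shared `pub const AUTHENTICATED_KEY: &str = "authenticated";` used at every call site would make the policy greppable and typo-proof. `get_api` continues past this hunk.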
|
|||||||
@@ -1,6 +1,7 @@
|
|||||||
use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
|
use rpc_toolkit::{Context, HandlerExt, ParentHandler, from_fn_async};
|
||||||
|
|
||||||
use crate::context::CliContext;
|
use crate::context::CliContext;
|
||||||
|
use crate::prelude::*;
|
||||||
use crate::util::serde::HandlerExtSerde;
|
use crate::util::serde::HandlerExtSerde;
|
||||||
|
|
||||||
pub const SIG_CONTEXT: &str = "startos";
|
pub const SIG_CONTEXT: &str = "startos";
|
||||||
@@ -14,6 +15,7 @@ pub fn os_api<C: Context>() -> ParentHandler<C> {
|
|||||||
.subcommand(
|
.subcommand(
|
||||||
"index",
|
"index",
|
||||||
from_fn_async(index::get_os_index)
|
from_fn_async(index::get_os_index)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
.with_display_serializable()
|
.with_display_serializable()
|
||||||
.with_about("List index of OS versions")
|
.with_about("List index of OS versions")
|
||||||
.with_call_remote::<CliContext>(),
|
.with_call_remote::<CliContext>(),
|
||||||
|
|||||||
@@ -45,6 +45,7 @@ pub fn version_api<C: Context>() -> ParentHandler<C> {
|
|||||||
.subcommand(
|
.subcommand(
|
||||||
"get",
|
"get",
|
||||||
from_fn_async(get_version)
|
from_fn_async(get_version)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
.with_metadata("get_device_info", Value::Bool(true))
|
.with_metadata("get_device_info", Value::Bool(true))
|
||||||
.with_display_serializable()
|
.with_display_serializable()
|
||||||
.with_custom_display_fn(|handle, result| {
|
.with_custom_display_fn(|handle, result| {
|
||||||
|
|||||||
@@ -35,6 +35,7 @@ pub fn signer_api<C: Context>() -> ParentHandler<C> {
|
|||||||
.subcommand(
|
.subcommand(
|
||||||
"list",
|
"list",
|
||||||
from_fn_async(list_version_signers)
|
from_fn_async(list_version_signers)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
.with_display_serializable()
|
.with_display_serializable()
|
||||||
.with_custom_display_fn(|handle, result| display_signers(handle.params, result))
|
.with_custom_display_fn(|handle, result| display_signers(handle.params, result))
|
||||||
.with_about("List version signers and related signer info")
|
.with_about("List version signers and related signer info")
|
||||||
|
|||||||
@@ -50,6 +50,7 @@ pub fn category_api<C: Context>() -> ParentHandler<C> {
|
|||||||
.subcommand(
|
.subcommand(
|
||||||
"list",
|
"list",
|
||||||
from_fn_async(list_categories)
|
from_fn_async(list_categories)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
.with_display_serializable()
|
.with_display_serializable()
|
||||||
.with_custom_display_fn(|params, categories| {
|
.with_custom_display_fn(|params, categories| {
|
||||||
display_categories(params.params, categories)
|
display_categories(params.params, categories)
|
||||||
|
|||||||
@@ -15,6 +15,7 @@ pub fn package_api<C: Context>() -> ParentHandler<C> {
|
|||||||
.subcommand(
|
.subcommand(
|
||||||
"index",
|
"index",
|
||||||
from_fn_async(index::get_package_index)
|
from_fn_async(index::get_package_index)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
.with_display_serializable()
|
.with_display_serializable()
|
||||||
.with_about("List packages and categories")
|
.with_about("List packages and categories")
|
||||||
.with_call_remote::<CliContext>(),
|
.with_call_remote::<CliContext>(),
|
||||||
|
|||||||
@@ -36,6 +36,7 @@ pub fn signer_api<C: Context>() -> ParentHandler<C> {
|
|||||||
.subcommand(
|
.subcommand(
|
||||||
"list",
|
"list",
|
||||||
from_fn_async(list_package_signers)
|
from_fn_async(list_package_signers)
|
||||||
|
.with_metadata("authenticated", Value::Bool(false))
|
||||||
.with_display_serializable()
|
.with_display_serializable()
|
||||||
.with_custom_display_fn(|handle, result| {
|
.with_custom_display_fn(|handle, result| {
|
||||||
display_package_signers(handle.params, result)
|
display_package_signers(handle.params, result)
|
||||||
|
|||||||