feat(kanidm-secret-manipulator): allow rewriting account credentials

2025-10-10 23:00:39 +02:00 · 2023-08-23 00:49:13 +02:00 · 2023-08-23 00:49:13 +02:00 · 6063da387b
commit 6063da387b
parent 5d934bddf0
3 changed files with 298 additions and 34 deletions
--- a/pkgs/kanidm-secret-manipulator/Cargo.lock
+++ b/pkgs/kanidm-secret-manipulator/Cargo.lock
@ -25,18 +25,101 @@ version = "1.0.75"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6"

+[[package]]
+name = "argon2"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b2e554a8638bdc1e4eae9984845306cc95f8a9208ba8d49c3859fd958b46774d"
+dependencies = [
+ "base64ct",
+ "blake2",
+ "cpufeatures",
+ "password-hash",
+]
+
+[[package]]
+name = "base64"
+version = "0.21.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d"
+
+[[package]]
+name = "base64ct"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b"
+
+[[package]]
+name = "base64urlsafedata"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "18b3d30abb74120a9d5267463b9e0045fdccc4dd152e7249d966612dc1721384"
+dependencies = [
+ "base64",
+ "serde",
+ "serde_json",
+]
+
 [[package]]
 name = "bitflags"
 version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4682ae6287fcf752ecaabbfcc7b6f9b72aa33933dc23a554d853aea8eea8635"

+[[package]]
+name = "blake2"
+version = "0.10.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
+dependencies = [
+ "digest",
+]
+
+[[package]]
+name = "block-buffer"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"

+[[package]]
+name = "cpufeatures"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a17b76ff3a4162b0b27f354a0c87015ddad39d35f9c0c36607a3bdd175dde1f1"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "crypto-common"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
+dependencies = [
+ "generic-array",
+ "typenum",
+]
+
+[[package]]
+name = "digest"
+version = "0.10.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
+dependencies = [
+ "block-buffer",
+ "crypto-common",
+ "subtle",
+]
+
 [[package]]
 name = "fallible-iterator"
 version = "0.2.0"
@ -49,6 +132,27 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a"

+[[package]]
+name = "generic-array"
+version = "0.14.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
+dependencies = [
+ "typenum",
+ "version_check",
+]
+
+[[package]]
+name = "getrandom"
+version = "0.2.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "be4136b2a15dd319360be1c07d9933517ccf0be8f16bf62a3bee4f0d618df427"
+dependencies = [
+ "cfg-if",
+ "libc",
+ "wasi",
+]
+
 [[package]]
 name = "hashbrown"
 version = "0.14.0"
@ -79,11 +183,20 @@ name = "kanidm-secret-manipulator"
 version = "1.0.0"
 dependencies = [
 "anyhow",
+ "argon2",
+ "base64urlsafedata",
+ "rand",
 "rusqlite",
 "serde",
 "serde_json",
 ]

+[[package]]
+name = "libc"
+version = "0.2.147"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3"
+
 [[package]]
 name = "libsqlite3-sys"
 version = "0.26.0"
@ -100,12 +213,29 @@ version = "1.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "dd8b5dd2ae5ed71462c540258bedcb51965123ad7e7ccf4b9a8cafaa4a63576d"

+[[package]]
+name = "password-hash"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
+dependencies = [
+ "base64ct",
+ "rand_core",
+ "subtle",
+]
+
 [[package]]
 name = "pkg-config"
 version = "0.3.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26072860ba924cbfa98ea39c8c19b4dd6a4a25423dbdf219c1eca91aa0cf6964"

+[[package]]
+name = "ppv-lite86"
+version = "0.2.17"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.66"
@ -124,6 +254,36 @@ dependencies = [
 "proc-macro2",
 ]

+[[package]]
+name = "rand"
+version = "0.8.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
+dependencies = [
+ "libc",
+ "rand_chacha",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_chacha"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
+dependencies = [
+ "ppv-lite86",
+ "rand_core",
+]
+
+[[package]]
+name = "rand_core"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
+dependencies = [
+ "getrandom",
+]
+
 [[package]]
 name = "rusqlite"
 version = "0.29.0"
@ -181,6 +341,12 @@ version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "62bb4feee49fdd9f707ef802e22365a35de4b7b299de4763d44bfea899442ff9"

+[[package]]
+name = "subtle"
+version = "2.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
+
 [[package]]
 name = "syn"
 version = "2.0.29"
@ -192,6 +358,12 @@ dependencies = [
 "unicode-ident",
 ]

+[[package]]
+name = "typenum"
+version = "1.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "497961ef93d974e23eb6f433eb5fe1b7930b659f06d12dec6fc44a8f554c0bba"
+
 [[package]]
 name = "unicode-ident"
 version = "1.0.11"
@ -209,3 +381,9 @@ name = "version_check"
 version = "0.9.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
+
+[[package]]
+name = "wasi"
+version = "0.11.0+wasi-snapshot-preview1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
--- a/pkgs/kanidm-secret-manipulator/Cargo.toml
+++ b/pkgs/kanidm-secret-manipulator/Cargo.toml
@ -8,6 +8,9 @@ license = "MIT"

 [dependencies]
 anyhow = "1.0.75"
+argon2 = "0.5.1"
+base64urlsafedata = "0.1.3"
+rand = "0.8.5"
 rusqlite = "0.29.0"
 serde = { version = "1.0.183", features = ["derive"] }
 serde_json = "1.0.105"
--- a/pkgs/kanidm-secret-manipulator/src/main.rs
+++ b/pkgs/kanidm-secret-manipulator/src/main.rs
@ -1,14 +1,35 @@
-use anyhow::{Context, Result};
+use anyhow::{anyhow, Context, Result};
+use argon2::{Algorithm, Argon2};
+use base64urlsafedata::Base64UrlSafeData;
+use rand::Rng;
 use rusqlite::{params, Connection};
-use serde::Deserialize;
+use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::fs::File;

+#[derive(Debug, Deserialize, Serialize)]
+struct Argon2IDHash {
+    m: u32,
+    t: u32,
+    p: u32,
+    v: u32,
+    s: Base64UrlSafeData,
+    k: Base64UrlSafeData,
+}
+
 #[derive(Debug, Deserialize)]
 struct SecretMappings {
+    account_credentials: HashMap<String, String>,
    oauth2_basic_secrets: HashMap<String, String>,
 }

+const ACCOUNT_NAME_PATH: &str = "/ent/V2/attrs/name/N8/0";
+const ACCOUNT_PRIMARY_CREDENTIAL_PATH: &str =
+    "/ent/V2/attrs/primary_credential/CR/0/d/password/ARGON2ID";
+
+const OAUTH2_BASIC_SECRET_PATH: &str = "/ent/V2/attrs/oauth2_rs_basic_secret/RU";
+const OAUTH2_NAME_PATH: &str = "/ent/V2/attrs/oauth2_rs_name/N8/0";
+
 fn main() -> Result<()> {
    // Read command-line arguments
    let args: Vec<String> = std::env::args().collect();
@ -50,39 +71,16 @@ fn main() -> Result<()> {
        let (id, data) = row?;
        let mut json_data: serde_json::Value = serde_json::from_slice(&data)?;

-        // Clone paths for updating
-        let oauth2_rs_name_path = json_data
-            .pointer("/ent/V2/attrs/oauth2_rs_name/N8/0")
-            .and_then(|value| value.as_str())
-            .map(|value| value.to_string()); // Clone the value
-        let oauth2_rs_basic_secret_path = "/ent/V2/attrs/oauth2_rs_basic_secret/RU";
+        let mut any_changes = false;
+        any_changes |=
+            rewrite_account_credentials(&mut secret_mappings, &mut json_data).unwrap_or(false);
+        any_changes |= rewrite_oauth2_secret(&mut secret_mappings, &mut json_data).unwrap_or(false);

-        if let Some(oauth2_rs_name) = oauth2_rs_name_path {
-            if let Some(secret_path) = secret_mappings.oauth2_basic_secrets.remove(&oauth2_rs_name)
-            {
-                match std::fs::read_to_string(&secret_path) {
-                    Ok(secret) => {
-                        let secret = secret.trim();
-
-                        // Update the cloned JSON data
-                        if let Some(value) = json_data.pointer_mut(oauth2_rs_basic_secret_path) {
-                            *value = serde_json::Value::String(secret.to_string());
-                        }
-
-                        // Update the row in the database
-                        update_stmt
-                            .execute(params![serde_json::to_vec(&json_data)?, id])
-                            .context(
-                                "Failed to update oauth2 service '{oauth2_rs_name}' in database",
-                            )?;
-
-                        println!("oauth2: Updated {oauth2_rs_name}");
-                    }
-                    Err(e) => eprintln!(
-                        "oauth2: Could not update {oauth2_rs_name} with {secret_path}: {e}"
-                    ),
-                }
-            }
+        // Update the row in the database if necessary
+        if any_changes {
+            update_stmt
+                .execute(params![serde_json::to_vec(&json_data)?, id])
+                .context("Failed to update oauth2 service '{oauth2_rs_name}' in database")?;
        }
    }

@ -101,3 +99,88 @@ fn main() -> Result<()> {

    Ok(())
 }
+
+fn hash_argon2_id(password: &str, salt: Option<Vec<u8>>) -> Result<Argon2IDHash> {
+    let salt_len: usize = 16;
+    let key_len: usize = 32;
+    let version: argon2::Version = argon2::Version::V0x13;
+    let m_cost: u32 = 8192;
+    let t_cost: u32 = 2;
+    let p_cost: u32 = 1;
+
+    let params = argon2::Params::new(m_cost, t_cost, p_cost, None).unwrap_or_default();
+    let argon = Argon2::new(Algorithm::Argon2id, version, params);
+
+    let mut rng = rand::thread_rng();
+    let salt: Vec<u8> = salt.unwrap_or_else(|| (0..salt_len).map(|_| rng.gen()).collect());
+    let mut key: Vec<u8> = (0..key_len).map(|_| 0).collect();
+    argon
+        .hash_password_into(password.as_bytes(), salt.as_slice(), key.as_mut_slice())
+        .map_err(|_| anyhow!("Failed to create argon2id hash of password"))?;
+
+    Ok(Argon2IDHash {
+        m: m_cost,
+        t: t_cost,
+        p: p_cost,
+        v: version as u32,
+        s: salt.into(),
+        k: key.into(),
+    })
+}
+
+fn rewrite_account_credentials(
+    secret_mappings: &mut SecretMappings,
+    json_data: &mut serde_json::Value,
+) -> Result<bool> {
+    if let Some(name) = json_data
+        .pointer(ACCOUNT_NAME_PATH)
+        .and_then(|value| value.as_str())
+        .map(|value| value.to_string())
+    {
+        if let Some(secret_path) = secret_mappings.account_credentials.remove(&name) {
+            let secret = std::fs::read_to_string(&secret_path).context(format!(
+                "account: Could not update credential for {name} with {secret_path}",
+            ))?;
+            if let Some(value) = json_data.pointer_mut(ACCOUNT_PRIMARY_CREDENTIAL_PATH) {
+                let secret = secret.trim().to_string();
+                let current_hash: Argon2IDHash = serde_json::from_value(value.clone())
+                    .map_err(|e| anyhow!("Failed to load current argon2id hash: {e}"))?;
+                let test_hash = hash_argon2_id(&secret, Some(current_hash.s.into()))?;
+
+                if current_hash.k != test_hash.k {
+                    let new_hash = hash_argon2_id(&secret, None)?;
+                    *value = serde_json::to_value(new_hash)?;
+                    println!("account: Updated credential for {name}");
+                    return Ok(true);
+                }
+            }
+        }
+    }
+    Ok(false)
+}
+
+fn rewrite_oauth2_secret(
+    secret_mappings: &mut SecretMappings,
+    json_data: &mut serde_json::Value,
+) -> Result<bool> {
+    if let Some(name) = json_data
+        .pointer(OAUTH2_NAME_PATH)
+        .and_then(|value| value.as_str())
+        .map(|value| value.to_string())
+    {
+        if let Some(secret_path) = secret_mappings.oauth2_basic_secrets.remove(&name) {
+            let secret = std::fs::read_to_string(&secret_path).context(format!(
+                "oauth2: Could not update basic secret for {name} with {secret_path}"
+            ))?;
+            if let Some(value) = json_data.pointer_mut(OAUTH2_BASIC_SECRET_PATH) {
+                let secret = secret.trim().to_string();
+                if *value != secret {
+                    *value = serde_json::Value::String(secret);
+                    println!("oauth2: Updated basic secret for {name}");
+                    return Ok(true);
+                }
+            }
+        }
+    }
+    Ok(false)
+}