Add an authenticator section in the configuration

hug-dev · hug-dev · commit 676509c00b85 · 2020-10-14T17:41:33.000+01:00
Signed-off-by: Hugues de Valon &lt;hugues.devalon@arm.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/config.toml b/config.toml
@@ -51,6 +51,19 @@ timeout = 200 # in milliseconds
 # socket file.
 #socket_path = "/run/parsec/parsec.sock"
 
+# (Required) Authenticator configuration.
+# WARNING: the authenticator MUST NOT be changed if there are existing keys stored in Parsec.
+# In a future version, Parsec might support multiple authenticators, see parallaxsecond/parsec#271
+# for details.
+[authenticator]
+# (Required) Type of authenticator that will be used to authenticate clients' authentication
+# payloads.
+# Possible values: "Direct" and "UnixPeerCredentials".
+# WARNING: The "Direct" authenticator is only secure under specific requirements. Please make sure
+# to read the Recommendations on a Secure Parsec Deployment at
+# https://parallaxsecond.github.io/parsec-book/parsec_security/secure_deployment.html
+auth_type = "UnixPeerCredentials"
+
 # (Required) Configuration for the components managing key info for providers.
 # Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables
 [[key_manager]]
diff --git a/e2e_tests/provider_cfg/all/config.toml b/e2e_tests/provider_cfg/all/config.toml
@@ -12,6 +12,9 @@ listener_type = "DomainSocket"
 timeout = 200 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/e2e_tests/provider_cfg/mbed-crypto/config.toml b/e2e_tests/provider_cfg/mbed-crypto/config.toml
@@ -14,6 +14,9 @@ listener_type = "DomainSocket"
 timeout = 3000 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/e2e_tests/provider_cfg/pkcs11/config.toml b/e2e_tests/provider_cfg/pkcs11/config.toml
@@ -14,6 +14,9 @@ listener_type = "DomainSocket"
 timeout = 3000 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/e2e_tests/provider_cfg/tpm/config.toml b/e2e_tests/provider_cfg/tpm/config.toml
@@ -14,6 +14,9 @@ listener_type = "DomainSocket"
 timeout = 3000 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/e2e_tests/tests/config/tomls/list_providers_1.toml b/e2e_tests/tests/config/tomls/list_providers_1.toml
@@ -8,6 +8,9 @@ listener_type = "DomainSocket"
 timeout = 200 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/e2e_tests/tests/config/tomls/list_providers_2.toml b/e2e_tests/tests/config/tomls/list_providers_2.toml
@@ -8,6 +8,9 @@ listener_type = "DomainSocket"
 timeout = 200 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/e2e_tests/tests/config/tomls/pkcs11_software.toml b/e2e_tests/tests/config/tomls/pkcs11_software.toml
@@ -14,6 +14,9 @@ listener_type = "DomainSocket"
 timeout = 3000 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/fuzz/config.toml b/fuzz/config.toml
@@ -5,6 +5,9 @@ listener_type = "DomainSocket"
 timeout = 200 # in milliseconds
 socket_path = "/tmp/parsec.sock"
 
+[authenticator]
+auth_type = "Direct"
+
 [[key_manager]]
 name = "on-disk-manager"
 manager_type = "OnDisk"
diff --git a/src/authenticators/mod.rs b/src/authenticators/mod.rs
@@ -17,6 +17,8 @@ use crate::front::listener::ConnectionMetadata;
 use parsec_interface::operations::list_authenticators;
 use parsec_interface::requests::request::RequestAuth;
 use parsec_interface::requests::Result;
+use serde::Deserialize;
+use zeroize::Zeroize;
 
 /// String wrapper for app names
 #[derive(Debug, Clone, Eq, PartialEq, Hash)]
@@ -64,3 +66,14 @@ impl std::fmt::Display for ApplicationName {
         write!(f, "{}", self.0)
     }
 }
+
+/// Authenticator configuration structure
+#[derive(Copy, Clone, Deserialize, Debug, Zeroize)]
+#[zeroize(drop)]
+#[serde(tag = "auth_type")]
+pub enum AuthenticatorConfig {
+    /// Direct authentication
+    Direct,
+    /// Unix Peer Credenditals authentication
+    UnixPeerCredentials,
+}
diff --git a/src/utils/service_builder.rs b/src/utils/service_builder.rs
@@ -6,7 +6,8 @@
 //! provided configuration.
 use super::global_config::GlobalConfigBuilder;
 use crate::authenticators::direct_authenticator::DirectAuthenticator;
-use crate::authenticators::Authenticate;
+use crate::authenticators::unix_peer_credentials_authenticator::UnixPeerCredentialsAuthenticator;
+use crate::authenticators::{Authenticate, AuthenticatorConfig};
 use crate::back::{
     backend_handler::{BackEndHandler, BackEndHandlerBuilder},
     dispatcher::DispatcherBuilder,
@@ -85,6 +86,7 @@ pub struct CoreSettings {
 pub struct ServiceConfig {
     pub core_settings: CoreSettings,
     pub listener: ListenerConfig,
+    pub authenticator: AuthenticatorConfig,
     pub key_manager: Option<Vec<KeyInfoManagerConfig>>,
     pub provider: Option<Vec<ProviderConfig>>,
 }
@@ -130,11 +132,7 @@ impl ServiceBuilder {
             return Err(Error::new(ErrorKind::InvalidData, "need one provider").into());
         }
 
-        // The authenticators supported by the Parsec service.
-        // NOTE: order here is important. The order in which the elements are added here is the
-        //       order in which they will be returned to any client requesting them!
-        let mut authenticators: Vec<(AuthType, Authenticator)> = Vec::new();
-        authenticators.push((AuthType::Direct, Box::from(DirectAuthenticator {})));
+        let authenticators = build_authenticators(&config.authenticator);
 
         let backend_handlers = build_backend_handlers(providers, &authenticators)?;
 
@@ -364,3 +362,24 @@ fn get_key_info_manager(config: &KeyInfoManagerConfig) -> Result<KeyInfoManager>
 
     Ok(Arc::new(RwLock::new(manager)))
 }
+
+fn build_authenticators(config: &AuthenticatorConfig) -> Vec<(AuthType, Authenticator)> {
+    // The authenticators supported by the Parsec service.
+    // NOTE: order here is important. The order in which the elements are added here is the
+    // order in which they will be returned to any client requesting them!
+    // Currently only one authenticator is allowed by the Parsec service
+    // See parallaxsecond/parsec#271
+    let mut authenticators: Vec<(AuthType, Authenticator)> = Vec::new();
+
+    match config {
+        AuthenticatorConfig::Direct => {
+            authenticators.push((AuthType::Direct, Box::from(DirectAuthenticator {})))
+        }
+        AuthenticatorConfig::UnixPeerCredentials => authenticators.push((
+            AuthType::UnixPeerCredentials,
+            Box::from(UnixPeerCredentialsAuthenticator {}),
+        )),
+    };
+
+    authenticators
+}
