diff --git a/Cargo.lock b/Cargo.lock index d574ec17..e465fc05 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2,9 +2,9 @@ # It is not intended for manual editing. [[package]] name = "aho-corasick" -version = "0.7.13" +version = "0.7.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "043164d8ba5c4c3035fec9bbee8647c0261d788f3474306f93bb65901cae0e86" +checksum = "b476ce7103678b0c6d3d395dbbae31d48ff910bd28be979ba5d48c6351131d0d" dependencies = [ "memchr", ] @@ -20,9 +20,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.32" +version = "1.0.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b602bfe940d21c130f3895acd65221e8a61270debe89d628b9cb4e3ccb8569b" +checksum = "a1fd36ffbb1fb7c834eac128ea8d0e310c5aeb635548f9d58861e1308d46e71c" [[package]] name = "arc-swap" @@ -113,9 +113,9 @@ checksum = "0e4cec68f03f32e44924783795810fa50a7035d8c8ebe78580ad7e6c703fba38" [[package]] name = "cc" -version = "1.0.60" +version = "1.0.61" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ef611cc68ff783f18535d77ddd080185275713d852c4f5cbb6122c462a7a825c" +checksum = "ed67cbde08356238e75fc4656be4749481eeffb09e19f320a25237d5221c985d" [[package]] name = "cexpr" @@ -242,9 +242,9 @@ checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" [[package]] name = "hashbrown" -version = "0.9.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00d63df3d41950fb462ed38308eea019113ad1508da725bbedcd0fa5a85ef5f7" +checksum = "d7afe4a420e3fe79967a00898cc1f4db7c8a49a9333a29f8a4bd76a253d5cd04" [[package]] name = "heck" @@ -257,9 +257,9 @@ dependencies = [ [[package]] name = "hermit-abi" -version = "0.1.15" +version = "0.1.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3deed196b6e7f9e44a2ae8d94225d80302d81208b1bb673fd21fe634645c85a9" +checksum = "5aca5565f760fb5b220e499d72710ed156fdb74e631659e99377d9ebfbd13ae8" dependencies = [ "libc", ] @@ -318,9 +318,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.77" +version = "0.2.79" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f2f96b10ec2560088a8e76961b00d47107b3a625fecb76dedb29ee7ccbf98235" +checksum = "2448f6066e80e3bfc792e9c98bf705b4b0fc6e8ef5b43e5889aff0eaa9c58743" [[package]] name = "libloading" @@ -584,9 +584,9 @@ dependencies = [ [[package]] name = "picky-asn1-x509" -version = "0.3.2" +version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d79146ca2d1a8fdbe9f2653a04cc8914acd9e5702b052c08100d99f629b626bf" +checksum = "9666a5e794b326f5cf68e09144a89df3080b9fcf39b79df17b43ddc3f91431c5" dependencies = [ "base64", "oid", @@ -607,9 +607,9 @@ dependencies = [ [[package]] name = "pkg-config" -version = "0.3.18" +version = "0.3.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d36492546b6af1463394d46f0c834346f31548646f6ba10849802c9c9a27ac33" +checksum = "3831453b3449ceb48b6d9c7ad7c96d5ea673e9b470a1dc578c2ce6521230884c" [[package]] name = "ppv-lite86" @@ -643,9 +643,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.21" +version = "1.0.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36e28516df94f3dd551a587da5357459d9b36d945a7c37c3557928c1c2ff2a2c" +checksum = "1e0704ee1a7e00d7bb417d0770ea303c1bccbabf0ef1667dae92b5967f5f8a71" dependencies = [ "unicode-xid", ] @@ -799,9 +799,9 @@ checksum = "41cc0f7e4d5d4544e8861606a285bb08d3e70712ccc7d2b84d7c0ccfaf4b05ce" [[package]] name = "regex" -version = "1.3.9" +version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c3780fcf44b193bc4d09f36d2a3c87b251da4a046c87795a0d35f4f927ad8e6" +checksum = "8963b85b8ce3074fecffde43b4b0dded83ce2f367dc8d363afc56679f3ee820b" dependencies = [ "aho-corasick", "memchr", @@ -811,9 +811,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.6.18" +version = "0.6.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26412eb97c6b088a6997e05f69403a802a92d520de2f8e63c2b65f9e0f47c4e8" +checksum = "8cab7a364d15cde1e505267766a2d3c4e22a843e1a601f0fa7564c0f82ced11c" [[package]] name = "remove_dir_all" @@ -948,9 +948,9 @@ checksum = "8ea5119cdb4c55b55d432abb513a0429384878c15dde60cc77b1c99de1a95a6a" [[package]] name = "structopt" -version = "0.3.17" +version = "0.3.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6cc388d94ffabf39b5ed5fadddc40147cb21e605f53db6f8f36a625d27489ac5" +checksum = "126d630294ec449fae0b16f964e35bf3c74f940da9dca17ee9b905f7b3112eb8" dependencies = [ "clap", "lazy_static", @@ -959,9 +959,9 @@ dependencies = [ [[package]] name = "structopt-derive" -version = "0.4.10" +version = "0.4.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e2513111825077552a6751dfad9e11ce0fba07d7276a3943a037d7e93e64c5f" +checksum = "65e51c492f9e23a220534971ff5afc14037289de430e3c83f9daf6a1b6ae91e8" dependencies = [ "heck", "proc-macro-error", @@ -972,9 +972,9 @@ dependencies = [ [[package]] name = "syn" -version = "1.0.41" +version = "1.0.44" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6690e3e9f692504b941dc6c3b188fd28df054f7fb8469ab40680df52fdcc842b" +checksum = "e03e57e4fcbfe7749842d53e24ccb9aa12b7252dbe5e91d2acad31834c8b8fdd" dependencies = [ "proc-macro2", "quote", @@ -1045,9 +1045,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.5.6" +version = "0.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffc92d160b1eef40665be3a05630d003936a3bc7da7421277846c2613e92c71a" +checksum = "75cf45bb0bef80604d001caaec0d09da99611b3c0fd39d3080468875cdb65645" dependencies = [ "serde", ] diff --git a/config.toml b/config.toml index 5084ce38..1c5f8438 100644 --- a/config.toml +++ b/config.toml @@ -51,6 +51,19 @@ timeout = 200 # in milliseconds # socket file. #socket_path = "/run/parsec/parsec.sock" +# (Required) Authenticator configuration. +# WARNING: the authenticator MUST NOT be changed if there are existing keys stored in Parsec. +# In a future version, Parsec might support multiple authenticators, see parallaxsecond/parsec#271 +# for details. +[authenticator] +# (Required) Type of authenticator that will be used to authenticate clients' authentication +# payloads. +# Possible values: "Direct" and "UnixPeerCredentials". +# WARNING: The "Direct" authenticator is only secure under specific requirements. Please make sure +# to read the Recommendations on a Secure Parsec Deployment at +# https://parallaxsecond.github.io/parsec-book/parsec_security/secure_deployment.html +auth_type = "UnixPeerCredentials" + # (Required) Configuration for the components managing key info for providers. # Defined as an array of tables: https://github.com/toml-lang/toml#user-content-array-of-tables [[key_manager]] diff --git a/e2e_tests/provider_cfg/all/config.toml b/e2e_tests/provider_cfg/all/config.toml index 386991ba..b000bd13 100644 --- a/e2e_tests/provider_cfg/all/config.toml +++ b/e2e_tests/provider_cfg/all/config.toml @@ -12,6 +12,9 @@ listener_type = "DomainSocket" timeout = 200 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/e2e_tests/provider_cfg/mbed-crypto/config.toml b/e2e_tests/provider_cfg/mbed-crypto/config.toml index f4358668..c8d42341 100644 --- a/e2e_tests/provider_cfg/mbed-crypto/config.toml +++ b/e2e_tests/provider_cfg/mbed-crypto/config.toml @@ -14,6 +14,9 @@ listener_type = "DomainSocket" timeout = 3000 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/e2e_tests/provider_cfg/pkcs11/config.toml b/e2e_tests/provider_cfg/pkcs11/config.toml index 3b84a2ac..2cceebcb 100644 --- a/e2e_tests/provider_cfg/pkcs11/config.toml +++ b/e2e_tests/provider_cfg/pkcs11/config.toml @@ -14,6 +14,9 @@ listener_type = "DomainSocket" timeout = 3000 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/e2e_tests/provider_cfg/tpm/config.toml b/e2e_tests/provider_cfg/tpm/config.toml index 5f1fba36..5420a239 100644 --- a/e2e_tests/provider_cfg/tpm/config.toml +++ b/e2e_tests/provider_cfg/tpm/config.toml @@ -14,6 +14,9 @@ listener_type = "DomainSocket" timeout = 3000 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/e2e_tests/tests/config/tomls/list_providers_1.toml b/e2e_tests/tests/config/tomls/list_providers_1.toml index 582ea5d0..035e75d0 100644 --- a/e2e_tests/tests/config/tomls/list_providers_1.toml +++ b/e2e_tests/tests/config/tomls/list_providers_1.toml @@ -8,6 +8,9 @@ listener_type = "DomainSocket" timeout = 200 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/e2e_tests/tests/config/tomls/list_providers_2.toml b/e2e_tests/tests/config/tomls/list_providers_2.toml index 78a8aae7..cf3f3b78 100644 --- a/e2e_tests/tests/config/tomls/list_providers_2.toml +++ b/e2e_tests/tests/config/tomls/list_providers_2.toml @@ -8,6 +8,9 @@ listener_type = "DomainSocket" timeout = 200 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/e2e_tests/tests/config/tomls/pkcs11_software.toml b/e2e_tests/tests/config/tomls/pkcs11_software.toml index d5b58cfd..394c1b2e 100644 --- a/e2e_tests/tests/config/tomls/pkcs11_software.toml +++ b/e2e_tests/tests/config/tomls/pkcs11_software.toml @@ -14,6 +14,9 @@ listener_type = "DomainSocket" timeout = 3000 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/fuzz/config.toml b/fuzz/config.toml index da8e91e7..1035a455 100644 --- a/fuzz/config.toml +++ b/fuzz/config.toml @@ -5,6 +5,9 @@ listener_type = "DomainSocket" timeout = 200 # in milliseconds socket_path = "/tmp/parsec.sock" +[authenticator] +auth_type = "Direct" + [[key_manager]] name = "on-disk-manager" manager_type = "OnDisk" diff --git a/src/authenticators/mod.rs b/src/authenticators/mod.rs index 5ac29025..7f448834 100644 --- a/src/authenticators/mod.rs +++ b/src/authenticators/mod.rs @@ -17,6 +17,8 @@ use crate::front::listener::ConnectionMetadata; use parsec_interface::operations::list_authenticators; use parsec_interface::requests::request::RequestAuth; use parsec_interface::requests::Result; +use serde::Deserialize; +use zeroize::Zeroize; /// String wrapper for app names #[derive(Debug, Clone, Eq, PartialEq, Hash)] @@ -64,3 +66,14 @@ impl std::fmt::Display for ApplicationName { write!(f, "{}", self.0) } } + +/// Authenticator configuration structure +#[derive(Copy, Clone, Deserialize, Debug, Zeroize)] +#[zeroize(drop)] +#[serde(tag = "auth_type")] +pub enum AuthenticatorConfig { + /// Direct authentication + Direct, + /// Unix Peer Credenditals authentication + UnixPeerCredentials, +} diff --git a/src/utils/service_builder.rs b/src/utils/service_builder.rs index edd530a3..7d9610eb 100644 --- a/src/utils/service_builder.rs +++ b/src/utils/service_builder.rs @@ -6,7 +6,8 @@ //! provided configuration. use super::global_config::GlobalConfigBuilder; use crate::authenticators::direct_authenticator::DirectAuthenticator; -use crate::authenticators::Authenticate; +use crate::authenticators::unix_peer_credentials_authenticator::UnixPeerCredentialsAuthenticator; +use crate::authenticators::{Authenticate, AuthenticatorConfig}; use crate::back::{ backend_handler::{BackEndHandler, BackEndHandlerBuilder}, dispatcher::DispatcherBuilder, @@ -85,6 +86,7 @@ pub struct CoreSettings { pub struct ServiceConfig { pub core_settings: CoreSettings, pub listener: ListenerConfig, + pub authenticator: AuthenticatorConfig, pub key_manager: Option>, pub provider: Option>, } @@ -130,11 +132,7 @@ impl ServiceBuilder { return Err(Error::new(ErrorKind::InvalidData, "need one provider").into()); } - // The authenticators supported by the Parsec service. - // NOTE: order here is important. The order in which the elements are added here is the - // order in which they will be returned to any client requesting them! - let mut authenticators: Vec<(AuthType, Authenticator)> = Vec::new(); - authenticators.push((AuthType::Direct, Box::from(DirectAuthenticator {}))); + let authenticators = build_authenticators(&config.authenticator); let backend_handlers = build_backend_handlers(providers, &authenticators)?; @@ -364,3 +362,24 @@ fn get_key_info_manager(config: &KeyInfoManagerConfig) -> Result Ok(Arc::new(RwLock::new(manager))) } + +fn build_authenticators(config: &AuthenticatorConfig) -> Vec<(AuthType, Authenticator)> { + // The authenticators supported by the Parsec service. + // NOTE: order here is important. The order in which the elements are added here is the + // order in which they will be returned to any client requesting them! + // Currently only one authenticator is allowed by the Parsec service + // See parallaxsecond/parsec#271 + let mut authenticators: Vec<(AuthType, Authenticator)> = Vec::new(); + + match config { + AuthenticatorConfig::Direct => { + authenticators.push((AuthType::Direct, Box::from(DirectAuthenticator {}))) + } + AuthenticatorConfig::UnixPeerCredentials => authenticators.push(( + AuthType::UnixPeerCredentials, + Box::from(UnixPeerCredentialsAuthenticator {}), + )), + }; + + authenticators +}