Merge pull request #68 from wa5i/approle

Add the approle auth module

.github/workflows/rust.yml

@@ -29,6 +29,8 @@ jobs:
     - uses: actions/checkout@v3
     - name: Build
       run: cargo build --verbose
+    - name: ulimit -n
+      run: ulimit -n 65535
     - name: Run tests
       run: cargo test --verbose
 
@@ -83,6 +85,8 @@ jobs:
       run: diesel setup --database-url mysql://root:password@127.0.0.1:3306/vault
     - name: Build
       run: cargo build --features storage_mysql --verbose
+    - name: ulimit -n
+      run: ulimit -n 65535
     - name: Run tests
       run: cargo test --verbose
     - name: Build crate doc

Cargo.toml

@@ -58,6 +58,10 @@ glob = "0.3"
 serde_asn1_der = "0.8"
 base64 = "0.22"
 ipnetwork = "0.20"
+blake2b_simd = "1.0"
+derive_more = "0.99.17"
+dashmap = "5.5"
+tokio = "1.38"
 
 # optional dependencies
 openssl = { version = "0.10.64", optional = true }

src/cli/command/server.rs

@@ -17,12 +17,8 @@ use openssl::{
 use sysexits::ExitCode;
 
 use crate::{
-    cli::config,
-    core::Core,
-    errors::RvError,
-    http,
-    storage,
-    EXIT_CODE_INSUFFICIENT_PARAMS, EXIT_CODE_LOAD_CONFIG_FAILURE, EXIT_CODE_OK,
+    cli::config, core::Core, errors::RvError, http, storage, EXIT_CODE_INSUFFICIENT_PARAMS,
+    EXIT_CODE_LOAD_CONFIG_FAILURE, EXIT_CODE_OK,
 };
 
 pub const WORK_DIR_PATH_DEFAULT: &str = "/tmp/rusty_vault";

src/context.rs

@@ -3,27 +3,35 @@
 
 use std::{
     any::Any,
-    cell::RefCell,
-    collections::HashMap,
-    sync::{Arc, Mutex},
+    sync::{Arc, RwLock},
 };
 
+use dashmap::DashMap;
+
+#[derive(Debug)]
 pub struct Context {
-    data_map: Mutex<HashMap<String, Arc<RefCell<dyn Any>>>>,
+    data_map: DashMap<String, Arc<dyn Any + Send + Sync>>,
+    data_map_mut: DashMap<String, Arc<RwLock<dyn Any + Send + Sync>>>,
 }
 
 impl Context {
     pub fn new() -> Self {
-        Self { data_map: Mutex::new(HashMap::new()) }
+        Self { data_map: DashMap::new(), data_map_mut: DashMap::new() }
+    }
+
+    pub fn set_mut(&self, key: &str, data: Arc<RwLock<dyn Any + Send + Sync>>) {
+        self.data_map_mut.insert(key.to_string(), data);
+    }
+
+    pub fn get_mut(&self, key: &str) -> Option<Arc<RwLock<dyn Any + Send + Sync>>> {
+        self.data_map_mut.get(key).map(|r| Arc::clone(&r.value()))
     }
 
-    pub fn set(&self, key: &str, data: Arc<RefCell<dyn Any>>) {
-        let mut data_map = self.data_map.lock().unwrap();
-        data_map.insert(key.to_string(), data);
+    pub fn set(&self, key: &str, data: Arc<dyn Any + Send + Sync>) {
+        self.data_map.insert(key.to_string(), data);
     }
 
-    pub fn get(&self, key: &str) -> Option<Arc<RefCell<dyn Any>>> {
-        let data_map = self.data_map.lock().unwrap();
-        data_map.get(key).cloned()
+    pub fn get(&self, key: &str) -> Option<Arc<dyn Any + Send + Sync>> {
+        self.data_map.get(key).map(|r| Arc::clone(&*r))
     }
 }

src/core.rs

@@ -9,36 +9,38 @@
 
 use std::{
     collections::HashMap,
-    sync::{Arc, Mutex, RwLock},
     ops::{Deref, DerefMut},
+    sync::{Arc, Mutex, RwLock},
 };
 
 use as_any::Downcast;
 use go_defer::defer;
 use serde::{Deserialize, Serialize};
+use zeroize::Zeroizing;
 
 use crate::{
     cli::config::Config,
     errors::RvError,
     handler::Handler,
     logical::{Backend, Request, Response},
     module_manager::ModuleManager,
-    modules::{auth::AuthModule, credential::userpass::UserPassModule, pki::PkiModule},
+    modules::{
+        auth::AuthModule,
+        credential::{
+            userpass::UserPassModule,
+            approle::AppRoleModule,
+        },
+        pki::PkiModule,
+    },
     mount::MountTable,
     router::Router,
     shamir::{ShamirSecret, SHAMIR_OVERHEAD},
     storage::{
-        barrier::SecurityBarrier,
-        barrier_aes_gcm,
-        barrier_view::BarrierView,
-        physical,
-        Backend as PhysicalBackend,
-        BackendEntry as PhysicalBackendEntry,
+        barrier::SecurityBarrier, barrier_aes_gcm, barrier_view::BarrierView, physical, Backend as PhysicalBackend,
+        BackendEntry as PhysicalBackendEntry, Storage,
     },
 };
 
-use zeroize::Zeroizing;
-
 pub type LogicalBackendNewFunc = dyn Fn(Arc<RwLock<Core>>) -> Result<Arc<dyn Backend>, RvError> + Send + Sync;
 
 pub const SEAL_CONFIG_PATH: &str = "core/seal-config";
@@ -118,6 +120,10 @@ impl Core {
         let userpass_module = UserPassModule::new(self);
         self.module_manager.add_module(Arc::new(RwLock::new(Box::new(userpass_module))))?;
 
+        // add credential module: approle
+        let approle_module = AppRoleModule::new(self);
+        self.module_manager.add_module(Arc::new(RwLock::new(Box::new(approle_module))))?;
+
         Ok(())
     }
 
@@ -156,8 +162,11 @@ impl Core {
         if seal_config.secret_shares == 1 {
             init_result.secret_shares.deref_mut().push(master_key.deref().clone());
         } else {
-            init_result.secret_shares =
-                ShamirSecret::split(master_key.deref().as_slice(), seal_config.secret_shares, seal_config.secret_threshold)?;
+            init_result.secret_shares = ShamirSecret::split(
+                master_key.deref().as_slice(),
+                seal_config.secret_shares,
+                seal_config.secret_threshold,
+            )?;
         }
 
         log::debug!("master_key: {}", hex::encode(master_key.deref()));
@@ -197,6 +206,14 @@ impl Core {
         Ok(init_result)
     }
 
+    pub fn get_system_view(&self) -> Option<Arc<BarrierView>> {
+        self.system_view.clone()
+    }
+
+    pub fn get_system_storage(&self) -> &dyn Storage {
+        self.system_view.as_ref().unwrap().as_storage()
+    }
+
     pub fn get_logical_backend(&self, logical_type: &str) -> Result<Arc<LogicalBackendNewFunc>, RvError> {
         let logical_backends = self.logical_backends.lock().unwrap();
         if let Some(backend) = logical_backends.get(logical_type) {

src/http/logical.rs

@@ -18,7 +18,7 @@ use crate::{
     core::Core,
     errors::RvError,
     http::{request_auth, response_error, response_json_ok, response_ok, Connection},
-    logical::{Operation, Connection as ReqConnection, Response},
+    logical::{Connection as ReqConnection, Operation, Response},
 };
 
 #[derive(Debug, Clone, Serialize, Deserialize)]

src/lib.rs

@@ -35,11 +35,11 @@ pub mod module_manager;
 pub mod modules;
 pub mod mount;
 pub mod router;
+#[cfg(feature = "storage_mysql")]
+pub mod schema;
 pub mod shamir;
 pub mod storage;
 pub mod utils;
-#[cfg(feature = "storage_mysql")]
-pub mod schema;
 
 /// Exit ok
 pub const EXIT_CODE_OK: sysexits::ExitCode = sysexits::ExitCode::Ok;

src/logical/backend.rs

@@ -3,11 +3,13 @@ use std::{collections::HashMap, sync::Arc};
 use regex::Regex;
 use serde_json::{Map, Value};
 
-use super::{path::Path, request::Request, response::Response, secret::Secret, FieldType, Backend, Operation};
-use crate::errors::RvError;
+use super::{path::Path, request::Request, response::Response, secret::Secret, Backend, FieldType, Operation};
+use crate::{context::Context, errors::RvError};
 
 type BackendOperationHandler = dyn Fn(&dyn Backend, &mut Request) -> Result<Option<Response>, RvError> + Send + Sync;
 
+pub const CTX_KEY_BACKEND_PATH: &str = "backend.path";
+
 #[derive(Clone)]
 pub struct LogicalBackend {
     pub paths: Vec<Arc<Path>>,
@@ -17,6 +19,7 @@ pub struct LogicalBackend {
     pub help: String,
     pub secrets: Vec<Arc<Secret>>,
     pub auth_renew_handler: Option<Arc<BackendOperationHandler>>,
+    pub ctx: Arc<Context>,
 }
 
 impl Backend for LogicalBackend {
@@ -58,6 +61,10 @@ impl Backend for LogicalBackend {
         Some(self.root_paths.clone())
     }
 
+    fn get_ctx(&self) -> Option<Arc<Context>> {
+        Some(Arc::clone(&self.ctx))
+    }
+
     fn handle_request(&self, req: &mut Request) -> Result<Option<Response>, RvError> {
         if req.storage.is_none() {
             return Err(RvError::ErrRequestNotReady);
@@ -86,6 +93,7 @@ impl Backend for LogicalBackend {
             req.match_path = Some(path.clone());
             for operation in &path.operations {
                 if operation.op == req.operation {
+                    self.ctx.set(CTX_KEY_BACKEND_PATH, path.clone());
                     let ret = operation.handle_request(self, req);
                     self.clear_secret_field(req);
                     return ret;
@@ -113,6 +121,7 @@ impl LogicalBackend {
             help: String::new(),
             secrets: Vec::new(),
             auth_renew_handler: None,
+            ctx: Arc::new(Context::new()),
         }
     }
 
@@ -251,9 +260,8 @@ mod test {
 
     use super::*;
     use crate::{
-        logical::{Field, field::FieldTrait, FieldType, PathOperation},
-        new_fields, new_fields_internal, new_path, new_path_internal, new_secret, new_secret_internal,
-        storage,
+        logical::{field::FieldTrait, Field, FieldType, PathOperation},
+        new_fields, new_fields_internal, new_path, new_path_internal, new_secret, new_secret_internal, storage,
     };
 
     struct MyTest;
@@ -429,7 +437,10 @@ mod test {
             "mytype": 1,
             "mypath": "/pp",
             "mypassword": "123qwe",
-        }).as_object().unwrap().clone();
+        })
+        .as_object()
+        .unwrap()
+        .clone();
         req.body = Some(body);
         req.storage = Some(Arc::new(barrier));
         assert!(logical_backend.handle_request(&mut req).is_ok());

src/logical/connection.rs

@@ -7,9 +7,6 @@ pub struct Connection {
 
 impl Default for Connection {
     fn default() -> Self {
-        Self {
-            peer_addr: String::new(),
-            peer_tls_cert: None,
-        }
+        Self { peer_addr: String::new(), peer_tls_cert: None }
     }
 }