hackclub/burrow
1
0
Fork 0
Code Pull requests Releases Packages Activity Actions 4

Start authentication flow

Browse source
This commit is contained in:
Conrad Kramer 2024-05-25 09:06:53 -07:00
parent abf1101484
commit bca07c33b8
15 changed files with 1104 additions and 437 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -3,6 +3,7 @@ xcuserdata
# Rust
target/
.env
.DS_STORE
.idea/

2
Apple/NetworkExtension/libburrow/build-rust.sh
View file

@ -70,7 +70,7 @@ fi
# Run cargo without the various environment variables set by Xcode.
# Those variables can confuse cargo and the build scripts it runs.
env -i PATH="$CARGO_PATH" CARGO_TARGET_DIR="${CONFIGURATION_TEMP_DIR}/target" cargo build "${CARGO_ARGS[@]}"
env -i PATH="$CARGO_PATH" CARGO_TARGET_DIR="${CONFIGURATION_TEMP_DIR}/target" IPHONEOS_DEPLOYMENT_TARGET="$IPHONEOS_DEPLOYMENT_TARGET" MACOSX_DEPLOYMENT_TARGET="$MACOSX_DEPLOYMENT_TARGET" cargo build "${CARGO_ARGS[@]}"
mkdir -p "${BUILT_PRODUCTS_DIR}"

1153
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

5
Cargo.toml
View file

@ -2,3 +2,8 @@
members = ["burrow", "tun"]
resolver = "2"
exclude = ["burrow-gtk"]
[profile.release]
lto = true
panic = "abort"
opt-level = "z"

55
Dockerfile
View file

@ -1,4 +1,4 @@
FROM docker.io/library/rust:1.76.0-slim-bookworm AS builder
FROM docker.io/library/rust:1.77-slim-bookworm AS builder
ARG TARGETPLATFORM
ARG LLVM_VERSION=16
@ -8,7 +8,7 @@ ENV KEYRINGS /etc/apt/keyrings
RUN set -eux && \
mkdir -p $KEYRINGS && \
apt-get update && \
apt-get install --no-install-recommends -y gpg curl musl-dev && \
apt-get install --no-install-recommends -y gpg curl busybox make musl-dev && \
curl --proto '=https' --tlsv1.2 -sSf https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dearmor --output $KEYRINGS/llvm.gpg && \
echo "deb [signed-by=$KEYRINGS/llvm.gpg] http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list && \
apt-get update && \
@ -24,30 +24,31 @@ RUN set -eux && \
apt-get remove -y --auto-remove && \
rm -rf /var/lib/apt/lists/*
ARG SQLITE_VERSION=3400100
RUN case $TARGETPLATFORM in \
"linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
"linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
*) exit 1 ;; \
esac && \
rustup target add $LLVM_TARGET
ARG SQLITE_VERSION=3460000
RUN case $TARGETPLATFORM in \
"linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl MUSL_TARGET=aarch64-linux-musl ;; \
"linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl MUSL_TARGET=x86_64-linux-musl ;; \
*) exit 1 ;; \
"linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl MUSL_TARGET=aarch64-linux-musl ;; \
"linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl MUSL_TARGET=x86_64-linux-musl ;; \
*) exit 1 ;; \
esac && \
rustup target add $LLVM_TARGET && \
curl --proto '=https' --tlsv1.2 -sSfO https://www.sqlite.org/2022/sqlite-autoconf-$SQLITE_VERSION.tar.gz && \
curl --proto '=https' --tlsv1.2 -sSfO https://www.sqlite.org/2024/sqlite-autoconf-$SQLITE_VERSION.tar.gz && \
tar xf sqlite-autoconf-$SQLITE_VERSION.tar.gz && \
rm sqlite-autoconf-$SQLITE_VERSION.tar.gz && \
cd sqlite-autoconf-$SQLITE_VERSION && \
./configure --disable-shared \
CC="clang-$LLVM_VERSION -target $LLVM_TARGET" \
CFLAGS="-I/usr/local/include -I/usr/include/$MUSL_TARGET" \
LDFLAGS="-L/usr/local/lib -L/usr/lib/$MUSL_TARGET -L/lib/$MUSL_TARGET" && \
./configure --disable-shared --disable-dependency-tracking \
CC="clang-$LLVM_VERSION -target $LLVM_TARGET" \
CFLAGS="-I/usr/local/include -I/usr/include/$MUSL_TARGET" \
LDFLAGS="-L/usr/local/lib -L/usr/lib/$MUSL_TARGET -L/lib/$MUSL_TARGET" && \
make && \
make install && \
cd .. && \
rm -rf sqlite-autoconf-$SQLITE_VERSION
ENV SQLITE3_STATIC=1 \
SQLITE3_INCLUDE_DIR=/usr/local/include \
SQLITE3_LIB_DIR=/usr/local/lib
rm -rf sqlite-autoconf-$SQLITE_VERSION sqlite-autoconf-$SQLITE_VERSION.tar.gz
ENV CC_x86_64_unknown_linux_musl=clang-$LLVM_VERSION \
AR_x86_64_unknown_linux_musl=llvm-ar-$LLVM_VERSION \
@ -55,14 +56,17 @@ ENV CC_x86_64_unknown_linux_musl=clang-$LLVM_VERSION \
AR_aarch64_unknown_linux_musl=llvm-ar-$LLVM_VERSION \
CARGO_TARGET_X86_64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/x86_64-linux-musl -L/lib/x86_64-linux-musl -C linker=rust-lld" \
CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_RUSTFLAGS="-L/usr/lib/aarch64-linux-musl -L/lib/aarch64-linux-musl -C linker=rust-lld" \
CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse
CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse \
SQLITE3_STATIC=1 \
SQLITE3_INCLUDE_DIR=/usr/local/include \
SQLITE3_LIB_DIR=/usr/local/lib
COPY . .
RUN case $TARGETPLATFORM in \
"linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
"linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
*) exit 1 ;; \
"linux/arm64") LLVM_TARGET=aarch64-unknown-linux-musl ;; \
"linux/amd64") LLVM_TARGET=x86_64-unknown-linux-musl ;; \
*) exit 1 ;; \
esac && \
cargo install --path burrow --target $LLVM_TARGET
@ -71,7 +75,8 @@ WORKDIR /tmp/rootfs
RUN set -eux && \
mkdir -p ./bin ./etc ./tmp ./data && \
mv /usr/local/cargo/bin/burrow ./bin/burrow && \
echo 'burrow:x:10001:10001::/tmp:/sbin/nologin' > ./etc/passwd && \
cp /bin/busybox ./bin/busybox && \
echo 'burrow:x:10001:10001::/tmp:/bin/busybox' > ./etc/passwd && \
echo 'burrow:x:10001:' > ./etc/group && \
chown -R 10001:10001 ./tmp ./data && \
chmod 0777 ./tmp
@ -90,4 +95,6 @@ USER 10001:10001
COPY --from=builder /tmp/rootfs /
WORKDIR /data
ENTRYPOINT ["/bin/burrow"]
EXPOSE 8080
CMD ["/bin/burrow", "auth-server"]

15
burrow/Cargo.toml
View file

@ -10,12 +10,13 @@ crate-type = ["lib", "staticlib"]
[dependencies]
anyhow = "1.0"
tokio = { version = "1.21", features = [
tokio = { version = "1.37", features = [
"rt",
"macros",
"sync",
"io-util",
"rt-multi-thread",
"signal",
"time",
"tracing",
] }
@ -24,7 +25,7 @@ clap = { version = "4.4", features = ["derive"] }
tracing = "0.1"
tracing-log = "0.1"
tracing-oslog = { git = "https://github.com/Stormshield-robinc/tracing-oslog" }
tracing-subscriber = { version = "0.3" , features = ["std", "env-filter"] }
tracing-subscriber = { version = "0.3", features = ["std", "env-filter"] }
log = "0.4"
serde = { version = "1", features = ["derive"] }
serde_json = "1.0"
@ -50,9 +51,13 @@ futures = "0.3.28"
once_cell = "1.19"
console-subscriber = { version = "0.2.0", optional = true }
console = "0.15.8"
[dependencies.rusqlite]
version = "0.31.0"
axum = "0.7.4"
reqwest = { version = "0.12", default-features = false, features = [
"json",
"rustls-tls",
] }
rusqlite = "0.31.0"
dotenv = "0.15.0"
[target.'cfg(target_os = "linux")'.dependencies]
caps = "0.5"

24
burrow/src/auth/client.rs Normal file
View file

@ -0,0 +1,24 @@
use std::env::var;
use anyhow::Result;
use reqwest::Url;
pub async fn login() -> Result<()> {
let state = "vt :P";
let nonce = "no";
let mut url = Url::parse("https://slack.com/openid/connect/authorize")?;
let mut q = url.query_pairs_mut();
q.append_pair("response_type", "code");
q.append_pair("scope", "openid profile email");
q.append_pair("client_id", &var("CLIENT_ID")?);
q.append_pair("state", state);
q.append_pair("team", &var("SLACK_TEAM_ID")?);
q.append_pair("nonce", nonce);
q.append_pair("redirect_uri", "https://burrow.rs/callback");
drop(q);
println!("Continue auth in your browser:\n{}", url.as_str());
Ok(())
}

2
burrow/src/auth/mod.rs Normal file
View file

@ -0,0 +1,2 @@
pub mod client;
pub mod server;

89
burrow/src/auth/server/db.rs Normal file
View file

@ -0,0 +1,89 @@
use anyhow::Result;
pub static PATH: &str = "./server.sqlite3";
pub fn init_db() -> Result<()> {
let conn = rusqlite::Connection::open(PATH)?;
conn.execute(
"CREATE TABLE IF NOT EXISTS user (
id PRIMARY KEY,
created_at TEXT NOT NULL
)",
(),
)?;
conn.execute(
"CREATE TABLE IF NOT EXISTS user_connection (
user_id INTEGER REFERENCES user(id) ON DELETE CASCADE,
openid_provider TEXT NOT NULL,
openid_user_id TEXT NOT NULL,
openid_user_name TEXT NOT NULL,
access_token TEXT NOT NULL,
refresh_token TEXT,
PRIMARY KEY (openid_provider, openid_user_id)
)",
(),
)?;
conn.execute(
"CREATE TABLE IF NOT EXISTS device (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT,
public_key TEXT NOT NULL,
apns_token TEXT UNIQUE,
user_id INT REFERENCES user(id) ON DELETE CASCADE,
created_at TEXT NOT NULL DEFAULT (datetime('now')) CHECK(created_at IS datetime(created_at)),
ipv4 TEXT NOT NULL UNIQUE,
ipv6 TEXT NOT NULL UNIQUE,
access_token TEXT NOT NULL UNIQUE,
refresh_token TEXT NOT NULL UNIQUE,
expires_at TEXT NOT NULL DEFAULT (datetime('now', '+7 days')) CHECK(expires_at IS datetime(expires_at))
)",
()
).unwrap();
Ok(())
}
pub fn store_connection(
openid_user: super::providers::OpenIdUser,
openid_provider: &str,
access_token: &str,
refresh_token: Option<&str>,
) -> Result<()> {
log::debug!("Storing openid user {:#?}", openid_user);
let conn = rusqlite::Connection::open(PATH)?;
conn.execute(
"INSERT OR IGNORE INTO user (id, created_at) VALUES (?, datetime('now'))",
(&openid_user.sub,),
)?;
conn.execute(
"INSERT INTO user_connection (user_id, openid_provider, openid_user_id, openid_user_name, access_token, refresh_token) VALUES (
(SELECT id FROM user WHERE id = ?),
?,
?,
?,
?,
?
)",
(&openid_user.sub, &openid_provider, &openid_user.sub, &openid_user.name, access_token, refresh_token),
)?;
Ok(())
}
pub fn store_device(
openid_user: super::providers::OpenIdUser,
openid_provider: &str,
access_token: &str,
refresh_token: Option<&str>,
) -> Result<()> {
log::debug!("Storing openid user {:#?}", openid_user);
let conn = rusqlite::Connection::open(PATH)?;
// TODO
Ok(())
}

62
burrow/src/auth/server/mod.rs Normal file
View file

@ -0,0 +1,62 @@
pub mod db;
pub mod providers;
use anyhow::Result;
use axum::{http::StatusCode, routing::post, Router};
use providers::slack::auth;
use tokio::signal;
pub async fn serve() -> Result<()> {
db::init_db()?;
let app = Router::new()
.route("/slack-auth", post(auth))
.route("/device/new", post(device_new));
let listener = tokio::net::TcpListener::bind("0.0.0.0:8080").await.unwrap();
log::info!("Starting auth server on port 8080");
axum::serve(listener, app)
.with_graceful_shutdown(shutdown_signal())
.await
.unwrap();
Ok(())
}
async fn device_new() -> StatusCode {
StatusCode::OK
}
async fn shutdown_signal() {
let ctrl_c = async {
signal::ctrl_c()
.await
.expect("failed to install Ctrl+C handler");
};
#[cfg(unix)]
let terminate = async {
signal::unix::signal(signal::unix::SignalKind::terminate())
.expect("failed to install signal handler")
.recv()
.await;
};
#[cfg(not(unix))]
let terminate = std::future::pending::<()>();
tokio::select! {
_ = ctrl_c => {},
_ = terminate => {},
}
}
// mod db {
// use rusqlite::{Connection, Result};
// #[derive(Debug)]
// struct User {
// id: i32,
// created_at: String,
// }
// }

8
burrow/src/auth/server/providers/mod.rs Normal file
View file

@ -0,0 +1,8 @@
pub mod slack;
pub use super::db;
#[derive(serde::Deserialize, Default, Debug)]
pub struct OpenIdUser {
pub sub: String,
pub name: String,
}

102
burrow/src/auth/server/providers/slack.rs Normal file
View file

@ -0,0 +1,102 @@
use anyhow::Result;
use axum::{
extract::Json,
http::StatusCode,
routing::{get, post},
};
use reqwest::header::AUTHORIZATION;
use serde::Deserialize;
use super::db::store_connection;
#[derive(Deserialize)]
pub struct SlackToken {
slack_token: String,
}
pub async fn auth(Json(payload): Json<SlackToken>) -> (StatusCode, String) {
let slack_user = match fetch_slack_user(&payload.slack_token).await {
Ok(user) => user,
Err(e) => {
log::error!("Failed to fetch Slack user: {:?}", e);
return (StatusCode::UNAUTHORIZED, String::new());
}
};
log::info!(
"Slack user {} ({}) logged in.",
slack_user.name,
slack_user.sub
);
let conn = match store_connection(slack_user, "slack", &payload.slack_token, None) {
Ok(user) => user,
Err(e) => {
log::error!("Failed to fetch Slack user: {:?}", e);
return (StatusCode::UNAUTHORIZED, String::new());
}
};
(StatusCode::OK, String::new())
}
async fn fetch_slack_user(access_token: &str) -> Result<super::OpenIdUser> {
let client = reqwest::Client::new();
let res = client
.get("https://slack.com/api/openid.connect.userInfo")
.header(AUTHORIZATION, format!("Bearer {}", access_token))
.send()
.await?
.json::<serde_json::Value>()
.await?;
let res_ok = res
.get("ok")
.and_then(|v| v.as_bool())
.ok_or(anyhow::anyhow!("Slack user object not ok!"))?;
if !res_ok {
return Err(anyhow::anyhow!("Slack user object not ok!"));
}
Ok(serde_json::from_value(res)?)
}
// async fn fetch_save_slack_user_data(query: Query<CallbackQuery>) -> anyhow::Result<()> {
// let client = reqwest::Client::new();
// log::trace!("Code was {}", &query.code);
// let mut url = Url::parse("https://slack.com/api/openid.connect.token")?;
// {
// let mut q = url.query_pairs_mut();
// q.append_pair("client_id", &var("CLIENT_ID")?);
// q.append_pair("client_secret", &var("CLIENT_SECRET")?);
// q.append_pair("code", &query.code);
// q.append_pair("grant_type", "authorization_code");
// q.append_pair("redirect_uri", "https://burrow.rs/callback");
// }
// let data = client
// .post(url)
// .send()
// .await?
// .json::<slack::CodeExchangeResponse>()
// .await?;
// if !data.ok {
// return Err(anyhow::anyhow!("Slack code exchange response not ok!"));
// }
// if let Some(access_token) = data.access_token {
// log::trace!("Access token is {access_token}");
// let user = slack::fetch_slack_user(&access_token)
// .await
// .map_err(|err| anyhow::anyhow!("Failed to fetch Slack user info {:#?}", err))?;
// db::store_user(user, access_token, String::new())
// .map_err(|_| anyhow::anyhow!("Failed to store user in db"))?;
// Ok(())
// } else {
// Err(anyhow::anyhow!("Access token not found in response"))
// }
// }

2
burrow/src/lib.rs
View file

@ -5,6 +5,8 @@ pub mod wireguard;
mod daemon;
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
pub mod database;
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
mod auth;
pub(crate) mod tracing;
#[cfg(target_vendor = "apple")]

12
burrow/src/main.rs
View file

@ -7,6 +7,9 @@ pub(crate) mod tracing;
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
mod wireguard;
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
mod auth;
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
use daemon::{DaemonClient, DaemonCommand, DaemonStartOptions};
use tun::TunOptions;
@ -47,12 +50,15 @@ enum Commands {
ServerConfig,
/// Reload Config
ReloadConfig(ReloadConfigArgs),
/// Authentication server
AuthServer,
}
#[derive(Args)]
struct ReloadConfigArgs {
#[clap(long, short)]
interface_id: String,
}
#[derive(Args)]
@ -133,9 +139,10 @@ async fn try_reloadconfig(interface_id: String) -> Result<()> {
}
#[cfg(any(target_os = "linux", target_vendor = "apple"))]
#[tokio::main(flavor = "current_thread")]
#[tokio::main]
async fn main() -> Result<()> {
tracing::initialize();
dotenv::dotenv().ok();
let cli = Cli::parse();
match &cli.command {
@ -145,6 +152,7 @@ async fn main() -> Result<()> {
Commands::ServerInfo => try_serverinfo().await?,
Commands::ServerConfig => try_serverconfig().await?,
Commands::ReloadConfig(args) => try_reloadconfig(args.interface_id.clone()).await?,
Commands::AuthServer => crate::auth::server::serve().await?,
}
Ok(())
@ -152,5 +160,5 @@ async fn main() -> Result<()> {
#[cfg(not(any(target_os = "linux", target_vendor = "apple")))]
pub fn main() {
eprintln!("This platform is not supported currently.")
eprintln!("This platform is not supported")
}

9
tun/Cargo.toml
View file

@ -8,7 +8,7 @@ libc = "0.2"
fehler = "1.0"
nix = { version = "0.26", features = ["ioctl"] }
socket2 = "0.5"
tokio = { version = "1.28", features = [] }
tokio = { version = "1.37", default-features = false, optional = true }
byteorder = "1.4"
tracing = "0.1"
log = "0.4"
@ -19,10 +19,7 @@ futures = { version = "0.3.28", optional = true }
[features]
serde = ["dep:serde", "dep:schemars"]
tokio = ["tokio/net", "dep:futures"]
[target.'cfg(feature = "tokio")'.dev-dependencies]
tokio = { features = ["rt", "macros"] }
tokio = ["tokio/net", "dep:tokio", "dep:futures"]
[target.'cfg(windows)'.dependencies]
lazy_static = "1.4"
@ -37,7 +34,7 @@ windows = { version = "0.48", features = [
[target.'cfg(windows)'.build-dependencies]
anyhow = "1.0"
bindgen = "0.65"
reqwest = { version = "0.11", features = ["native-tls"] }
reqwest = { version = "0.11" }
ssri = { version = "9.0", default-features = false }
tokio = { version = "1.28", features = ["rt", "macros"] }
zip = { version = "0.6", features = ["deflate"] }