From patchwork Thu Nov 22 23:36:28 2018
X-Patchwork-Submitter: Sam Mendoza-Jonas
X-Patchwork-Id: 1002071
From: Samuel Mendoza-Jonas
To: petitboot@lists.ozlabs.org
Subject: [PATCH 11/13] ui/common: Client authentication helpers
Date: Fri, 23 Nov 2018 10:36:28 +1100
Message-Id: <20181122233630.6303-12-sam@mendozajonas.com>
In-Reply-To: <20181122233630.6303-1-sam@mendozajonas.com>
References: <20181122233630.6303-1-sam@mendozajonas.com>
Cc: Samuel Mendoza-Jonas

Track the client's authentication status and provide methods for the client to send authentication requests to the server.

Signed-off-by: Samuel Mendoza-Jonas
---
ui/common/discover-client.c | 81 +++++++++++++++++++++++++++++++++++++ ui/common/discover-client.h | 12 ++++++ 2 files changed, 93 insertions(+)
diff --git a/ui/common/discover-client.c b/ui/common/discover-client.c index d9414976..e7dfb831 100644 --- a/ui/common/discover-client.c +++ b/ui/common/discover-client.c @@ -1,4 +1,8 @@ +#if defined(HAVE_CONFIG_H) +#include "config.h" +#endif + #include #include #include @@ -22,6 +26,7 @@ struct discover_client { struct discover_client_ops ops; int n_devices; struct device **devices; + bool authenticated; }; static int discover_client_destructor(void *arg) 
@@ -171,6 +176,7 @@ static int discover_client_process(void *arg) { struct discover_client *client = arg; struct pb_protocol_message *message; + struct auth_message *auth_msg; struct plugin_option *p_opt; struct system_info *sysinfo; struct boot_option *opt; @@ -266,6 +272,20 @@ static int discover_client_process(void *arg) case PB_PROTOCOL_ACTION_PLUGINS_REMOVE: plugins_remove(client); break; + case PB_PROTOCOL_ACTION_AUTHENTICATE: + auth_msg = talloc_zero(ctx, struct auth_message); + + rc = pb_protocol_deserialise_authenticate(auth_msg, message); + if (rc || auth_msg->op != AUTH_MSG_RESPONSE) { + pb_log("%s: invalid auth message? (%d)\n", + __func__, rc); + goto out; + } + + pb_log("Client %sauthenticated by server\n", + client->authenticated ? "" : "un"); + client->authenticated = auth_msg->authenticated; + break; default: pb_log_fn("unknown action %d\n", message->action); } @@ -311,6 +331,13 @@ struct discover_client* discover_client_init(struct waitset *waitset, waiter_register_io(waitset, client->fd, WAIT_IN, discover_client_process, client); + /* Assume this client can't make changes if crypt support is enabled */ +#ifdef CRYPT_SUPPORT + client->authenticated = false; +#else + client->authenticated = true; +#endif + return client; out_err: @@ -333,6 +360,11 @@ struct device *discover_client_get_device(struct discover_client *client, return client->devices[index]; } +bool discover_client_authenticated(struct discover_client *client) +{ + return client->authenticated; +} + static void create_boot_command(struct boot_command *command, const struct device *device __attribute__((unused)), const struct boot_option *boot_option, 
@@ -471,3 +503,52 @@ int discover_client_send_temp_autoboot(struct discover_client *client, return pb_protocol_write_message(client->fd, message); } + +int discover_client_send_authenticate(struct discover_client *client, + char *password) +{ + struct pb_protocol_message *message; + struct auth_message auth_msg; + int len; + + auth_msg.op = AUTH_MSG_REQUEST; + auth_msg.password = password; + + len = pb_protocol_authenticate_len(&auth_msg); + + message = pb_protocol_create_message(client, + PB_PROTOCOL_ACTION_AUTHENTICATE, len); + if (!message) + return -1; + + pb_log("serialising auth message..\n"); + pb_protocol_serialise_authenticate(&auth_msg, message->payload, len); + + pb_log("sending auth message..\n"); + return pb_protocol_write_message(client->fd, message); +} + +int discover_client_send_set_password(struct discover_client *client, + char *password, char *new_password) +{ + struct pb_protocol_message *message; + struct auth_message auth_msg; + int len; + + auth_msg.op = AUTH_MSG_SET; + auth_msg.set_password.password = password; + auth_msg.set_password.new_password = new_password; + + len = pb_protocol_authenticate_len(&auth_msg); + + message = pb_protocol_create_message(client, + PB_PROTOCOL_ACTION_AUTHENTICATE, len); + if (!message) + return -1; + + pb_log("serialising auth message..\n"); + pb_protocol_serialise_authenticate(&auth_msg, message->payload, len); + + pb_log("sending auth message..\n"); + return pb_protocol_write_message(client->fd, message); +} diff --git a/ui/common/discover-client.h b/ui/common/discover-client.h index 2a2ea288..9b56dcb7 100644 --- a/ui/common/discover-client.h +++ b/ui/common/discover-client.h 
@@ -71,6 +71,12 @@ int discover_client_device_count(struct discover_client *client); struct device *discover_client_get_device(struct discover_client *client, int index); +/** + * Get the client's authentication status. This is only useful if Petitboot + * has been built with crypt support. + */ +bool discover_client_authenticated(struct discover_client *client); + /* Tell the discover server to boot an image * @param client A pointer to the discover client * @param boot_command The command to boot @@ -101,6 +107,12 @@ int discover_client_send_url(struct discover_client *client, char *url); /* Send plugin file path to discover server to install */ int discover_client_send_plugin_install(struct discover_client *client, char *file); +/* Authenticate with pb-discover to allow modification */ +int discover_client_send_authenticate(struct discover_client *client, + char *password); +/* Set a new system password, authenticating with the current password */ +int discover_client_send_set_password(struct discover_client *client, + char *password, char *new_password); /* send a temporary autoboot override */ int discover_client_send_temp_autoboot(struct discover_client *client,
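Review bot: in the PB_PROTOCOL_ACTION_AUTHENTICATE case of the @@ -266,6 +272,20 @@ hunk in discover-client.c, the "Client %sauthenticated by server" log reads client->authenticated before the assignment from auth_msg->authenticated, so it reports the previous state rather than the result that was just received; log auth_msg->authenticated instead, or move the pb_log below the assignment. It is also worth a comment that a malformed or non-RESPONSE message leaves client->authenticated unchanged (the goto out skips the assignment), since a UI that waits on this flag needs to know that an ignored reply looks the same as no reply.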
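Review bot: the #ifdef CRYPT_SUPPORT block in the @@ -311,6 +331,13 @@ hunk makes authenticated default to true on builds without crypt support, so every caller of discover_client_authenticated() sees "authenticated" whether or not the server ever answered. That is reasonable as a UI hint, but the field and the header comment should state that this flag is only what the client believes about itself and that pb-discover still has to reject unauthenticated modifications on its side; gating UI actions on this flag must not be treated as the security control.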
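Review bot: discover_client_send_authenticate() and discover_client_send_set_password() in the @@ -471,3 +503,52 @@ hunk serialise the plaintext password(s) into message->payload, a talloc allocation under client, and return straight from pb_protocol_write_message() without clearing it; consider zeroing the payload once the write returns so the secret does not outlive the request in the client's heap. The two functions are otherwise identical apart from the auth_msg fields they fill, so a static helper taking a prepared struct auth_message would remove the duplication, and the "serialising auth message.." / "sending auth message.." pb_log lines read as debugging output that could be dropped or downgraded before merge. Both take char *password even though the buffers are only read; const char * would document that.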
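Review bot: the comments on the two new prototypes in the @@ -101,6 +107,12 @@ hunk of discover-client.h ("Authenticate with pb-discover to allow modification", "Set a new system password ...") do not say that the call is asynchronous: the return value is only the result of writing the request, and the outcome arrives later as a PB_PROTOCOL_ACTION_AUTHENTICATE response that updates the value reported by discover_client_authenticated(). Spelling that out in the header avoids callers treating a zero return as "authenticated".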