From 8e59ec88f0d32e83a6b356f4541329194028fb4c Mon Sep 17 00:00:00 2001 From: Bartosz Wieczorek Date: Fri, 6 Oct 2023 07:46:01 +0200 Subject: [PATCH] Add more detailed logs --- CMakeLists.txt | 4 ++-- PAM/ssh/include/rublon/core_handler.hpp | 10 +++++++++- PAM/ssh/include/rublon/curl.hpp | 8 -------- .../rublon/method/passcode_based_auth.hpp | 13 ++++++++---- PAM/ssh/lib/pam.cpp | 20 +++++++++---------- 5 files changed, 30 insertions(+), 25 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 78f635b..38648ae 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -14,8 +14,8 @@ set(CMAKE_CXX_EXTENSIONS NO) add_compile_options(-Wall -Wextra -Wpedantic -Wno-format-security) -add_compile_options(-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer) -add_link_options(-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer) +#add_compile_options(-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer) +#add_link_options(-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer) option(ENABLE_TESTS "Enable tests" OFF) diff --git a/PAM/ssh/include/rublon/core_handler.hpp b/PAM/ssh/include/rublon/core_handler.hpp index 602657d..ce3d48d 100644 --- a/PAM/ssh/include/rublon/core_handler.hpp +++ b/PAM/ssh/include/rublon/core_handler.hpp 
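Review bot: The sanitizer flags are commented out rather than moved behind a build option, so every build from this commit on, including any CI configuration that turns `ENABLE_TESTS` on, silently loses ASan/UBSan coverage for a module that parses server-supplied JSON inside sshd's address space. Shipping ASan in an installed PAM module is indeed wrong (the runtime would have to be preloaded into sshd), so the right shape is an off-by-default option that CI enables, and a comment on the line saying why it is off and how to turn it on. The commit title ("Add more detailed logs") does not mention this change at all. Note also that `-Wno-format-security` on the line above stays in force while this commit adds a dozen printf-style `log(...)` calls; with literal format strings the warning costs nothing, so this is a good moment to drop the `-Wno-`.
```cmake
option(ENABLE_SANITIZERS "Build with ASan/UBSan (debug and CI only; never for an installed PAM module)" OFF)
if(ENABLE_SANITIZERS)
    add_compile_options(-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer)
    add_link_options(-fsanitize=address -fsanitize=undefined -fno-sanitize-recover=all -fsanitize=float-divide-by-zero -fsanitize=float-cast-overflow -fno-sanitize=null -fno-sanitize=alignment -fno-omit-frame-pointer)
endif()
# … unchanged: option(ENABLE_TESTS "Enable tests" OFF) …
```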
@@ -51,6 +51,7 @@ class CoreHandler : public CoreHandlerInterface< CoreHandler< HttpHandler > > { } tl::expected validateResponse(RapidJSONPMRAlloc &alloc, const Response & response) const { + log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", "validateResponse", __LINE__); Document resp{&alloc}; resp.Parse(response.body.c_str()); @@ -69,15 +70,19 @@ class CoreHandler : public CoreHandlerInterface< CoreHandler< HttpHandler > > { } tl::unexpected< Error > handleCoreException(std::string_view exceptionString) const { + log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", "handleCoreException", __LINE__); if(exceptionString == "UserBypassedException" or exceptionString == "UserNotFoundException") { + log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", "handleCoreException", __LINE__); return tl::unexpected{Error{PamBaypass{}}}; } else { + log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", "handleCoreException", __LINE__); return tl::unexpected{ Error{CoreHandlerError{CoreHandlerError::CoreException, std::string{exceptionString.data(), exceptionString.size()}}}}; } } tl::unexpected< Error > handleHttpError() const { + log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", "handleHttpError", __LINE__); if(bypass) { log(LogLevel::Warning, "User login bypass"); return tl::unexpected{Error{PamBaypass{}}}; @@ -88,6 +93,7 @@ class CoreHandler : public CoreHandlerInterface< CoreHandler< HttpHandler > > { } tl::expected< Document, Error > handleError(const Error & error) const { + log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", "handleError", __LINE__); if(error.is< HttpError >() and error.hasClass(HttpError::Error)) { return handleHttpError(); } 
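Review bot: The three TRACE lines added to `handleCoreException` record only a line number, while the decision they bracket, `UserBypassedException` and `UserNotFoundException` both collapsing into `PamBaypass` (presumably the second factor being skipped), is the one event an auditor will need to find, and it leaves no record of which exception triggered it. `handleHttpError` below at least emits `User login bypass` at Warning; give the exception branch the same treatment, replacing the Debug trace inside the `if` with `log(LogLevel::Warning, "User login bypass on core exception %.*s", static_cast< int >(exceptionString.size()), exceptionString.data());` (`%.*s` because `exceptionString` is a `string_view` and need not be NUL-terminated). The `else` branch already carries the exception string into the returned error, so only the bypass path is blind. `handleHttpError`'s body continues past the end of the hunk.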
@@ -106,7 +112,8 @@ class CoreHandler : public CoreHandlerInterface< CoreHandler< HttpHandler > > { } tl::expected< Document, Error > request(RapidJSONPMRAlloc &mr, std::string_view path, const Document & body) const { - memory::StrictMonotonic_2k_HeapResource memoryResource; + log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", "validateResponse", __LINE__); + memory::StrictMonotonic_4k_HeapResource memoryResource; const auto validateSignature = [this](const auto & arg) { return this->validateSignature(arg); }; const auto validateResponse = [&](const auto & arg) { return this->validateResponse(mr, arg); }; @@ -114,6 +121,7 @@ class CoreHandler : public CoreHandlerInterface< CoreHandler< HttpHandler > > { const auto pmrs = [&](auto txt) { return std::pmr::string{txt, &memoryResource}; }; Request request{&memoryResource}; + Response response{&memoryResource}; stringifyTo(body, request.body); diff --git a/PAM/ssh/include/rublon/curl.hpp b/PAM/ssh/include/rublon/curl.hpp index dfec7d0..cf7801f 100644 --- a/PAM/ssh/include/rublon/curl.hpp +++ b/PAM/ssh/include/rublon/curl.hpp @@ -42,10 +42,6 @@ struct Request { Request(Request && res) = delete; Request & operator=(Request &&) = delete; - - std::pmr::memory_resource * get_allocator() const noexcept { - return _mr; - } }; struct Response { @@ -62,10 +58,6 @@ struct Response { Response(Response && res) noexcept = default; Response & operator=(Response && res) noexcept = default; - - std::pmr::memory_resource * get_allocator() const noexcept { - return _mr; - } }; class CURL { diff --git a/PAM/ssh/include/rublon/method/passcode_based_auth.hpp b/PAM/ssh/include/rublon/method/passcode_based_auth.hpp index 7dbfa4a..e4b58c1 100644 --- a/PAM/ssh/include/rublon/method/passcode_based_auth.hpp +++ b/PAM/ssh/include/rublon/method/passcode_based_auth.hpp 
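Review bot: The TRACE line added at the top of `request` names the wrong function: it prints `"validateResponse"` although it sits in `request`, which is exactly the copy-paste failure mode of spelling the function name as a string literal. Use the compiler-supplied name instead, `log(LogLevel::Debug, "TRACE %s::%s:%d", "CoreHandler", __func__, __LINE__);`, and the same substitution applies to every other TRACE line in this commit. The switch from `StrictMonotonic_2k_HeapResource` to `StrictMonotonic_4k_HeapResource` on the next line is a behavioural change the commit title does not mention; a one-line comment saying what outgrew 2 KiB (presumably the `Response` placed in the same resource in the following hunk) would keep the number from looking arbitrary. `request`'s body continues past the end of the hunk.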
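Review bot: `Response response{&memoryResource};` carves the HTTP reply out of the same fixed-size monotonic resource as the outgoing request, so the reply the core service may send is bounded by whatever is left of the 4 KiB budget after the request body is built. What `StrictMonotonic_4k_HeapResource` does on exhaustion is not in this diff; if it throws or aborts rather than falling back to the heap, an oversized reply becomes a failed authentication or an abort inside sshd's PAM conversation, and that behaviour should be stated next to this line, e.g. `// reply shares the 4 KiB arena with the request; on exhaustion the resource <throws|falls back>`. Where `response` is filled, and the rest of `request`, lie past the end of the hunk.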
@@ -16,21 +16,23 @@ class PasscodeBasedAuth : public AuthenticationStep< PasscodeBasedAuth > { constexpr static bool isdigit(char ch) { return std::isdigit(static_cast< unsigned char >(ch)); } - - static bool hasDigitsOnly(const std::string & userinput) { + + static bool hasDigitsOnly(std::string_view userinput) { return std::all_of(userinput.cbegin(), userinput.cend(), isdigit); } - static bool isProperLength(const std::string & userInput) { + static bool isProperLength(std::string_view userInput) { return userInput.size() == 6; } template < typename PamInfo_t = LinuxPam > tl::expected< std::reference_wrapper< Document >, Error > readPasscode(Document & body, const PamInfo_t & pam) const { + log(LogLevel::Debug, "TRACE %s::%s:%d", "PasscodeBasedAuth", "readPasscode", __LINE__); auto & alloc = body.GetAllocator(); auto vericode = pam.scan([](const char * userInput) { return std::string{userInput}; }, userMessage); if(isProperLength(vericode) and hasDigitsOnly(vericode)) { + log(LogLevel::Debug, "TRACE %s::%s:%d", "PasscodeBasedAuth", "readPasscode", __LINE__); body.AddMember("vericode", Value{vericode.c_str(), alloc}, alloc); return body; } 
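Review bot: Both TRACE lines in `readPasscode` spell the function name as a string literal, which this same commit gets wrong elsewhere; `__func__` gives the same output without the risk, `log(LogLevel::Debug, "TRACE %s::%s:%d", "PasscodeBasedAuth", __func__, __LINE__);`. Keep the traces as bare as they are: `vericode` is presumably the user's one-time passcode, and the second trace sits on the line before it is copied into the JSON body, so a later "more detailed" version of that log line must never interpolate it — a comment such as `// never log vericode` on that line makes the constraint explicit. Changing `hasDigitsOnly`/`isProperLength` to take `std::string_view` is fine, since the only visible caller passes the lvalue `std::string` `vericode`. `readPasscode` continues past the end of the hunk.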
@@ -40,12 +42,14 @@ class PasscodeBasedAuth : public AuthenticationStep< PasscodeBasedAuth > { template < typename PamInfo_t = LinuxPam > tl::expected< std::reference_wrapper< Document >, Error > askForPasscodeAgain(Document & body, const PamInfo_t & pam) const { + log(LogLevel::Debug, "TRACE %s::%s:%d", "PasscodeBasedAuth", "askForPasscodeAgain", __LINE__); pam.print("passcode has wrong number of digits or illegal characters, please correct"); return readPasscode(body, pam); } template < typename PamInfo_t = LinuxPam > tl::expected< AuthenticationStatus, Error > checkAuthenticationStatus(const Document & coreResponse, const PamInfo_t & pam) const { + log(LogLevel::Debug, "TRACE %s::%s:%d", "PasscodeBasedAuth", "checkAuthenticationStatus", __LINE__); RapidJSONPMRStackAlloc< 1024 > alloc; auto error = JSONPointer{"/result/error", &alloc}.Get(coreResponse); @@ -66,7 +70,8 @@ class PasscodeBasedAuth : public AuthenticationStep< PasscodeBasedAuth > { template < typename Hander_t, typename PamInfo_t = LinuxPam > tl::expected< AuthenticationStatus, Error > handle(const CoreHandlerInterface< Hander_t > & coreHandler, const PamInfo_t & pam) const { - RapidJSONPMRStackAlloc< 1024 > alloc{}; + log(LogLevel::Debug, "TRACE %s::%s:%d", "PasscodeBasedAuth", "handle", __LINE__); + RapidJSONPMRStackAlloc< 2048 > alloc{}; Document body{rapidjson::kObjectType, &alloc}; const auto checkCodeValidity = [&](const auto & coreResponse) { return this->checkAuthenticationStatus(coreResponse, pam); }; diff --git a/PAM/ssh/lib/pam.cpp b/PAM/ssh/lib/pam.cpp index f95398a..27f6a47 100644 --- a/PAM/ssh/lib/pam.cpp +++ b/PAM/ssh/lib/pam.cpp 
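Review bot: `askForPasscodeAgain` prints the error and calls `readPasscode`; `readPasscode`'s failure branch is not in this diff, so I cannot see whether it calls back into `askForPasscodeAgain`, but if it does, the pair recurses with no attempt counter and a client can keep the passcode prompt open indefinitely. Since this hunk adds a TRACE line at the top of `askForPasscodeAgain`, that is the natural place to also count and log re-prompts and to give up after a small fixed number, so the new logging records the retry behaviour rather than just the line number. `checkAuthenticationStatus` continues past the end of the hunk.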
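Review bot: `RapidJSONPMRStackAlloc< 1024 >` becomes `RapidJSONPMRStackAlloc< 2048 >` in `handle` with no explanation, in a commit titled "Add more detailed logs". The number is a stack budget inside a PAM module running in sshd, so a comment stating what outgrew 1 KiB and why 2 KiB is enough (for instance `// 2 KiB: request body plus the parsed core response`, if that is the reason) is needed to keep the next bump from being guesswork. If the allocator falls back to the heap once the buffer is exhausted, say so in the same comment; if it does not, a larger-than-expected core response fails here, and that is worth knowing at the call site. `handle`'s body continues past the end of the hunk.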
@@ -50,22 +50,21 @@ pam_sm_authenticate(pam_handle_t * pamh, [[maybe_unused]] int flags, [[maybe_unu auto selectMethod = [&](const MethodSelect & selector) { return selector.create(pam); }; auto confirmMethod = [&](const PostMethod & confirm) { return confirm.fire(CH); }; - auto confirmCode = [&](const MethodProxy & method) { return method.fire(CH, pam); }; + auto confirmCode = [&](const MethodProxy & method) { return method.fire(CH, pam); }; auto allowLogin = [&](const AuthenticationStatus & status) -> tl::expected< int, Error > { if(status.userAuthorized()) { rublon::log(rublon::LogLevel::Info, "Auth OK"); pam.print("RUBLON authentication SUCCESS!\n"); return PAM_SUCCESS; - }else{ + } else { rublon::log(rublon::LogLevel::Info, "User unauthorized"); pam.print("RUBLON authentication FAILED"); return PAM_MAXTRIES; } }; - auto mapError = [&](const Error & error) -> tl::expected - { + auto mapError = [&](const Error & error) -> tl::expected< int, Error > { rublon::log( LogLevel::Error, "auth problems due to %d class and %d category", error.errorClass(), static_cast< int >(error.category())); if(error.is< PamBaypass >()) { @@ -74,16 +73,17 @@ pam_sm_authenticate(pam_handle_t * pamh, [[maybe_unused]] int flags, [[maybe_unu } pam.print("RUBLON authentication FAILED"); rublon::log(LogLevel::Warning, "User login failed"); - + return PAM_MAXTRIES; }; auto ret = Init{rublonConfig.value()} - .fire(CH, pam) // - .and_then(selectMethod) - .and_then(confirmMethod) - .and_then(confirmCode) - .and_then(allowLogin).or_else(mapError); + .fire(CH, pam) // + .and_then(selectMethod) + .and_then(confirmMethod) + .and_then(confirmCode) + .and_then(allowLogin) + .or_else(mapError); return ret.value_or(PAM_MAXTRIES); }