Feature/verifiers (#14)

Closes #6 Commits: * Created Makefile.toml * add sudoers reader boilerplate * add deserialization * attempt to build verify closure * add verifier closures and parsed sudoers type * remove AbstractVerifier Type * fix verifiers * Update request.rs * Update sudoers.rs * modify verifyerror * fix code review comments * lint using default linter * add pr review fixes * Remove temporary files * Update gitignore to not have non-existing files * Added logging features back for merge * Remove extraneous prints * Add installation for configuration files * Fix compile warnings * Fix install script syntax Co-authored-by: Ammar Ratnani <ammrat13@gmail.com>
ammrat13 · Dec 6, 2021 · 12b7e8d · 12b7e8d
1 parent 5b1b2ba
commit 12b7e8d
Show file tree

Hide file tree

Showing 12 changed files with 600 additions and 33 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -13,3 +13,6 @@ name = "sus-kernel"
 
 [dependencies]
 nix = "0.23.0"
+serde = { version="1.0.130", features = ["derive"] }
+serde_json = "1.0.67"
+users = "0.11.0"
diff --git a/Makefile.toml b/Makefile.toml
@@ -92,6 +92,13 @@ script = '''
  --target-directory="${SUS_INSTALL_PREFIX}/${SUS_INSTALL_DIRECTORY}" \
  "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/release/sus-kernel"
 
+ # Install the configuration file
+ install \
+ --owner=0 --group=0 \
+ --mode=660 \
+ --no-target-directory \
+ "config/sample/sudoers.json" "${SUS_SUDOERS_PATH}"
+
 '''
 
 

diff --git a/config/install.env b/config/install.env
@@ -4,6 +4,11 @@
 # variables for where the final binaries are installed. In particular, the
 # binaries are installed to:
 # "${SUS_INSTALL_PREFIX}/${SUS_INSTALL_DIRECTORY}"
+#
+# It also defines where some configuration files are stored. These values must
+# agree with the `.rs` configuration files.
 
 SUS_INSTALL_PREFIX = /usr/local/
 SUS_INSTALL_DIRECTORY = /bin/
+
+SUS_SUDOERS_PATH = /etc/sudoers.json
diff --git a/config/sample/sudoers.json b/config/sample/sudoers.json
@@ -0,0 +1,158 @@
+{
+ "Defaults": [
+ {
+ "Options": [
+ { "env_reset": true }
+ ]
+ },
+ {
+ "Options": [
+ { "mail_badpass": true }
+ ]
+ },
+ {
+ "Options": [
+ { "secure_path": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" }
+ ]
+ }
+ ],
+ "User_Aliases": {
+ "SYSADMINS": [
+ { "username": "john" },
+ { "username": "tim" },
+ { "username": "tom" }
+ ]
+ },
+ "User_Specs": [
+ {
+ "User_List": [
+ { "username": "root" }
+ ],
+ "Host_List": [
+ { "hostname": "ALL" }
+ ],
+ "Cmnd_Specs": [
+ {
+ "runasusers": [
+ { "username": "ALL" }
+ ],
+ "runasgroups": [
+ { "usergroup": "ALL" }
+ ],
+ "Options": [
+ { "setenv": true }
+ ],
+ "Commands": [
+ { "command": "ALL" }
+ ]
+ }
+ ]
+ },
+ {
+ "User_List": [
+ { "useralias": "SYSADMINS" }
+ ],
+ "Host_List": [
+ { "hostname": "ALL" }
+ ],
+ "Cmnd_Specs": [
+ {
+ "runasusers": [
+ { "username": "ALL" }
+ ],
+ "runasgroups": [
+ { "usergroup": "ALL" }
+ ],
+ "Options": [
+ { "setenv": true }
+ ],
+ "Commands": [
+ { "command": "ALL" }
+ ]
+ }
+ ]
+ },
+ {
+ "User_List": [
+ { "useralias": "SYSADMINS" }
+ ],
+ "Host_List": [
+ { "hostname": "ALL" }
+ ],
+ "Cmnd_Specs": [
+ {
+ "runasusers": [
+ { "username": "john" }
+ ],
+ "runasgroups": [
+ { "usergroup": "sudo" }
+ ],
+ "Options": [
+ { "authenticate": false },
+ { "setenv": true }
+ ],
+ "Commands": [
+ { "command": "/usr/bin/cat" }
+ ]
+ },
+ {
+ "runasusers": [
+ { "username": "tom" }
+ ],
+ "Options": [
+ { "authenticate": false },
+ { "setenv": true }
+ ],
+ "Commands": [
+ { "command": "/etc/shadow" }
+ ]
+ }
+ ]
+ },
+ {
+ "User_List": [
+ { "usergroup": "admin" }
+ ],
+ "Host_List": [
+ { "hostname": "ALL" }
+ ],
+ "Cmnd_Specs": [
+ {
+ "runasusers": [
+ { "username": "ALL" }
+ ],
+ "Options": [
+ { "setenv": true }
+ ],
+ "Commands": [
+ { "command": "ALL" }
+ ]
+ }
+ ]
+ },
+ {
+ "User_List": [
+ { "usergroup": "sudo" }
+ ],
+ "Host_List": [
+ { "hostname": "ALL" }
+ ],
+ "Cmnd_Specs": [
+ {
+ "runasusers": [
+ { "username": "ALL" }
+ ],
+ "runasgroups": [
+ { "usergroup": "ALL" }
+ ],
+ "Options": [
+ { "setenv": true }
+ ],
+ "Commands": [
+ { "command": "ALL" }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/config/sus-kernel.rs b/config/sus-kernel.rs
@@ -14,7 +14,6 @@ use crate::executable::factory::AutoExecutableFactory;
 use crate::executable::run::Runner;
 use crate::permission;
 use crate::permission::factory::AutoPermissionFactory;
-use crate::permission::verify::Verifier;
 
 #[cfg(feature = "log")]
 use crate::log;
@@ -46,23 +45,17 @@ pub const CURRENT_PERMISSION_FACTORY: AutoPermissionFactory = permission::factor
 pub const REQUESTED_PERMISSION_FACTORY: AutoPermissionFactory =
  permission::factory::from_commandline;
 
-/// An array of all the [Verifier]s to invoke
-///
-/// We might want multiple checks to pass before running [Executable][eb]. This
-/// is a list of all the checks that have to pass.
-///
-/// Note that *all* the checks have to pass for the [Executable][eb] to be run.
-/// Effectively, these checks are `AND`ed together. As a corollary, if this list
-/// is empty, the [Executable][eb] will be run unconditionally.
-///
-/// [eb]: executable::Executable
-pub const VERIFIERS: &[Verifier] = &[];
-
 /// The method to run the [Executable][eb] created
 ///
 /// [eb]: executable::Executable
 pub const RUNNER: Runner = executable::run::exec;
 
+/// The path to log to
+///
+/// The path to sudoers file. For readability purpose, this is represented as JSON
+/// and not traditional sudoers file syntax
+pub const SUDOER_PATH: &str = "/etc/sudoers.json";
+
 /// How to log incoming [Request][rq]s
 ///
 /// For administrative purposes, it might be useful to log what [Request][rq]s

diff --git a/src/bin/sus-kernel/main.rs b/src/bin/sus-kernel/main.rs
@@ -11,12 +11,14 @@ mod log;
 mod permission;
 mod request;
 
-use permission::verify::AbstractVerifier;
-use request::Request;
+use crate::permission::verify::Verifier;
+use permission::verify::from_sudoers;
 
 #[cfg(feature = "log")]
 use log::AbstractLogger;
 
+use request::Request;
+
 /// Method to get the [Logger][lg] to use
 ///
 /// Logging is an optional feature for this binary. As such, we need to use
@@ -57,14 +59,13 @@ fn main() {
  // We need to clone them from the slice reference
  let verifiers = {
  // Do the clone
- let mut vfers = Vec::new();
- vfers.extend_from_slice(config::VERIFIERS);
+ let vfers = from_sudoers();
  // Create and return
  // Box everything up as well
  // See: https://newbedev.com/how-to-create-a-vector-of-boxed-closures-in-rust
  vfers
  .into_iter()
- .map(|f| Box::new(f) as Box<AbstractVerifier>)
+ .map(|f| Box::new(f) as Box<Verifier>)
  .collect()
  };
 
@@ -80,6 +81,7 @@ fn main() {
  #[cfg(feature = "log")]
  logger: get_logger(),
  };
+
  // Service the request
  req.service().unwrap();
 }