Generate a fake user token to please SSH

If the user exists, then generate a UserToken for NSS with invalid uid/gid and object id, since we don't have these yet. SSH needs something, or it will refuse to permit authentication. Signed-off-by: David Mulder <[email protected]>
himmelblau-idm · May 14, 2024 · 8dff47c · 8dff47c
1 parent af88361
commit 8dff47c
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 5 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -37,7 +37,7 @@ tracing-subscriber = "^0.3.17"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
 kanidm_unix_common = { path = "src/glue" }
-msal = { version = "0.1.21" }
+msal = { version = "0.1.24" }
 graph = { path = "src/graph" }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.4.1"

diff --git a/src/common/src/idprovider/himmelblau.rs b/src/common/src/idprovider/himmelblau.rs
@@ -483,10 +483,44 @@ impl IdProvider for HimmelblauProvider {
         let prt = match self.refresh_cache.refresh_token(&account_id).await {
             Ok(prt) => prt,
             Err(_) => {
-                debug!("Unable to refresh user via PRT cache");
-                // Never return IdpError::NotFound. This deletes the existing
-                // user from the cache.
-                return Err(IdpError::BadRequest);
+                // Check if the user exists
+                let exists = self
+                    .client
+                    .write()
+                    .await
+                    .check_user_exists(&account_id)
+                    .await
+                    .map_err(|e| {
+                        error!("Failed checking if the user exists: {:?}", e);
+                        IdpError::BadRequest
+                    })?;
+                if exists {
+                    // Generate a UserToken, with invalid uuid and gid. We can
+                    // only fetch these from an authenticated token. We have to
+                    // provide something, or SSH will fail.
+                    let groups = vec![GroupToken {
+                        name: account_id.clone(),
+                        spn: account_id.clone(),
+                        uuid: Uuid::max(),
+                        gidnumber: i32::MAX as u32,
+                    }];
+                    let config = self.config.read().await;
+                    return Ok(UserToken {
+                        name: account_id.clone(),
+                        spn: account_id.clone(),
+                        uuid: Uuid::max(),
+                        gidnumber: i32::MAX as u32,
+                        displayname: "".to_string(),
+                        shell: Some(config.get_shell(Some(&self.domain))),
+                        groups,
+                        sshkeys: vec![],
+                        valid: true,
+                    });
+                } else {
+                    // This is the one time we really should return
+                    // IdpError::NotFound, because this user doesn't exist.
+                    return Err(IdpError::NotFound);
+                }
             }
         };
         let scopes = vec!["GroupMember.Read.All"];