Merge pull request #318 from himmelblau-idm/dmulder/hello_pin_change

Hello Pin changes via `passwd` command

.github/workflows/build.yml

@@ -48,7 +48,15 @@ jobs:
             autoconf \
             gettext \
             libdbus-1-dev \
-            libutf8proc-dev
+            libutf8proc-dev \
+            libgirepository1.0-dev \
+            libcairo2-dev \
+            libgdk-pixbuf2.0-dev \
+            libsoup-3.0-dev \
+            libpango1.0-dev \
+            libatk1.0-dev \
+            libgtk-3-dev \
+            libwebkit2gtk-4.1-dev
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update

.github/workflows/clippy.yml

@@ -41,16 +41,22 @@ jobs:
             tpm-udev \
             libtss2-dev \
             libcap-dev \
-            libtalloc-dev \
-            libtevent-dev \
-            libldb-dev \
             libdhash-dev \
             libkrb5-dev \
             libpcre2-dev \
             libclang-13-dev \
             autoconf \
             gettext \
-            libdbus-1-dev
+            libdbus-1-dev \
+            libutf8proc-dev \
+            libgirepository1.0-dev \
+            libcairo2-dev \
+            libgdk-pixbuf2.0-dev \
+            libsoup-3.0-dev \
+            libpango1.0-dev \
+            libatk1.0-dev \
+            libgtk-3-dev \
+            libwebkit2gtk-4.1-dev
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update

.github/workflows/test.yml

@@ -48,7 +48,15 @@ jobs:
             autoconf \
             gettext \
             libdbus-1-dev \
-            libutf8proc-dev
+            libutf8proc-dev \
+            libgirepository1.0-dev \
+            libcairo2-dev \
+            libgdk-pixbuf2.0-dev \
+            libsoup-3.0-dev \
+            libpango1.0-dev \
+            libatk1.0-dev \
+            libgtk-3-dev \
+            libwebkit2gtk-4.1-dev
 
       - name: "Fetch submodules"
         run: git submodule init && git submodule update

Cargo.toml

@@ -40,7 +40,7 @@ tracing-subscriber = "^0.3.17"
 tracing = "^0.1.37"
 himmelblau_unix_common = { path = "src/common" }
 kanidm_unix_common = { path = "src/glue" }
-libhimmelblau = { version = "0.4.2" }
+libhimmelblau = { version = "0.4.4" }
 clap = { version = "^4.5", features = ["derive", "env"] }
 clap_complete = "^4.4.1"
 reqwest = { version = "^0.12.2", features = ["json"] }

README.md

@@ -67,7 +67,7 @@ sudo zypper ref && sudo zypper in himmelblau nss-himmelblau pam-himmelblau
 
 The following packages are required on openSUSE to build and test this package.
 
-    sudo zypper in make cargo git gcc sqlite3-devel libopenssl-3-devel pam-devel libcap-devel libtalloc-devel libtevent-devel libldb-devel libdhash-devel krb5-devel pcre2-devel libclang13 autoconf make automake  gettext-tools clang dbus-1-devel utf8proc-devel
+    sudo zypper in make cargo git gcc sqlite3-devel libopenssl-3-devel pam-devel libcap-devel libtalloc-devel libtevent-devel libldb-devel libdhash-devel krb5-devel pcre2-devel libclang13 autoconf make automake  gettext-tools clang dbus-1-devel utf8proc-devel gobject-introspection-devel cairo-devel gdk-pixbuf-devel libsoup-devel pango-devel atk-devel gtk3-devel webkit2gtk3-devel
 
 
 Or on Debian based systems:

images/rpm/Dockerfile.fedora41

@@ -22,7 +22,14 @@ RUN dnf -y update && \
     gettext \
     sqlite-devel \
     utf8proc-devel \
-    cargo && \
+    cargo \
+    gobject-introspection-devel \
+    cairo-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel && \
     dnf clean all
 
 # Set environment for Rust
@@ -37,4 +44,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso

images/rpm/Dockerfile.rawhide

@@ -22,7 +22,14 @@ RUN dnf -y update && \
     gettext \
     sqlite-devel \
     utf8proc-devel \
-    cargo && \
+    cargo \
+    gobject-introspection-devel \
+    cairo-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel && \
     dnf clean all
 
 # Set environment for Rust
@@ -37,4 +44,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso

images/rpm/Dockerfile.rocky9

@@ -28,6 +28,14 @@ RUN yum update -y && yum install -y \
     gettext \
     sqlite-devel \
     utf8proc-devel \
+    gobject-introspection-devel \
+    cairo-devel \
+    gdk-pixbuf-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel \
     && yum clean all
 
 # Install Rust (latest stable)
@@ -45,4 +53,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the .deb package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso

images/rpm/Dockerfile.tumbleweed

@@ -24,6 +24,14 @@ RUN zypper --non-interactive refresh && zypper --non-interactive update && \
     sqlite3-devel \
     utf8proc-devel \
     cargo \
+    gobject-introspection-devel \
+    cairo-devel \
+    gdk-pixbuf-devel \
+    libsoup-devel \
+    pango-devel \
+    atk-devel \
+    gtk3-devel \
+    webkit2gtk3-devel \
     && zypper clean --all
 
 # Set environment for Rust
@@ -38,4 +46,4 @@ WORKDIR /himmelblau
 RUN cargo install cargo-generate-rpm
 
 # Build the project and create the RPM package
-CMD cargo clean && cargo build --release && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso
+CMD cargo clean && cargo build --release --features interactive && strip -s target/release/*.so && strip -s target/release/aad-tool && strip -s target/release/himmelblaud && strip -s target/release/himmelblaud_tasks && strip -s target/release/broker && cargo generate-rpm -p src/daemon && cargo generate-rpm -p src/nss && cargo generate-rpm -p src/pam && cargo generate-rpm -p src/sshd-config && cargo generate-rpm -p src/sso

images/ubuntu/Dockerfile.22.04

@@ -32,6 +32,15 @@ RUN apt-get update && apt-get install -y \
     cargo \
     libsqlite3-dev \
     libutf8proc-dev \
+    libgirepository1.0-dev \
+    libcairo2-dev \
+    libgdk-pixbuf2.0-dev \
+    libsoup-3.0-dev \
+    libpango1.0-dev \
+    libatk1.0-dev \
+    libgtk-3-dev \
+    libwebkit2gtk-4.1-dev \
+    libjavascriptcoregtk-4.1-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Rust (latest stable)

images/ubuntu/Dockerfile.24.04

@@ -32,6 +32,14 @@ RUN apt-get update && apt-get install -y \
     cargo \
     libsqlite3-dev \
     libutf8proc-dev \
+    libgirepository1.0-dev \
+    libcairo2-dev \
+    libgdk-pixbuf2.0-dev \
+    libsoup-3.0-dev \
+    libpango1.0-dev \
+    libatk1.0-dev \
+    libgtk-3-dev \
+    libwebkit2gtk-4.1-dev \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Rust (latest stable)

src/common/src/config.rs

@@ -1054,9 +1054,15 @@ mod tests {
         "#;
         let temp_file_invalid = create_temp_config(config_invalid);
         let config_invalid = HimmelblauConfig::new(Some(&temp_file_invalid)).unwrap();
-        assert_eq!(config_invalid.get_hello_pin_min_length(), DEFAULT_HELLO_PIN_MIN_LEN);
+        assert_eq!(
+            config_invalid.get_hello_pin_min_length(),
+            DEFAULT_HELLO_PIN_MIN_LEN
+        );
         let config_missing = HimmelblauConfig::new(None).unwrap();
-        assert_eq!(config_missing.get_hello_pin_min_length(), DEFAULT_HELLO_PIN_MIN_LEN);
+        assert_eq!(
+            config_missing.get_hello_pin_min_length(),
+            DEFAULT_HELLO_PIN_MIN_LEN
+        );
     }
 
     #[test]
@@ -1069,7 +1075,10 @@ mod tests {
         let temp_file = create_temp_config(config_data);
         let config = HimmelblauConfig::new(Some(&temp_file)).unwrap();
 
-        assert_eq!(config.get_tenant_id("example.com"), Some("example-tenant-id".to_string()));
+        assert_eq!(
+            config.get_tenant_id("example.com"),
+            Some("example-tenant-id".to_string())
+        );
         assert_eq!(config.get_tenant_id("nonexistent.com"), None);
         let config_missing = HimmelblauConfig::new(None).unwrap();
         assert_eq!(config_missing.get_tenant_id("example.com"), None);
@@ -1085,7 +1094,11 @@ mod tests {
         let temp_file = create_temp_config(config_data);
         let config = HimmelblauConfig::new(Some(&temp_file)).unwrap();
 
-        let expected_groups = vec!["group1".to_string(), "group2".to_string(), "group3".to_string()];
+        let expected_groups = vec![
+            "group1".to_string(),
+            "group2".to_string(),
+            "group3".to_string(),
+        ];
         assert_eq!(config.get_local_groups(), expected_groups);
         let config_empty = HimmelblauConfig::new(None).unwrap();
         assert_eq!(config_empty.get_local_groups(), Vec::<String>::new());
@@ -1101,7 +1114,10 @@ mod tests {
         let temp_file = create_temp_config(config_data);
         let config = HimmelblauConfig::new(Some(&temp_file)).unwrap();
 
-        assert_eq!(config.get_logon_script(), Some("/path/to/logon/script".to_string()));
+        assert_eq!(
+            config.get_logon_script(),
+            Some("/path/to/logon/script".to_string())
+        );
         let config_missing = HimmelblauConfig::new(None).unwrap();
         assert_eq!(config_missing.get_logon_script(), None);
     }
@@ -1116,7 +1132,11 @@ mod tests {
         let temp_file = create_temp_config(config_data);
         let config = HimmelblauConfig::new(Some(&temp_file)).unwrap();
 
-        let expected_scopes = vec!["scope1".to_string(), "scope2".to_string(), "scope3".to_string()];
+        let expected_scopes = vec![
+            "scope1".to_string(),
+            "scope2".to_string(),
+            "scope3".to_string(),
+        ];
         assert_eq!(config.get_logon_token_scopes(), expected_scopes);
         let config_empty = HimmelblauConfig::new(None).unwrap();
         assert_eq!(config_empty.get_logon_token_scopes(), Vec::<String>::new());

src/common/src/idprovider/himmelblau.rs

@@ -264,6 +264,38 @@ impl IdProvider for HimmelblauMultiProvider {
         }
     }
 
+    async fn change_auth_token<D: KeyStoreTxn + Send>(
+        &self,
+        account_id: &str,
+        token: &UnixUserToken,
+        new_tok: &str,
+        keystore: &mut D,
+        tpm: &mut tpm::BoxedDynTpm,
+        machine_key: &tpm::MachineKey,
+    ) -> Result<bool, IdpError> {
+        match split_username(account_id) {
+            Some((_sam, domain)) => {
+                let providers = self.providers.read().await;
+                match providers.get(domain) {
+                    Some(provider) => {
+                        provider
+                            .change_auth_token(
+                                account_id,
+                                token,
+                                new_tok,
+                                keystore,
+                                tpm,
+                                machine_key,
+                            )
+                            .await
+                    }
+                    None => Err(IdpError::NotFound),
+                }
+            }
+            None => Err(IdpError::NotFound),
+        }
+    }
+
     async fn unix_user_get(
         &self,
         id: &Id,
@@ -575,6 +607,54 @@ impl IdProvider for HimmelblauProvider {
             })
     }
 
+    async fn change_auth_token<D: KeyStoreTxn + Send>(
+        &self,
+        account_id: &str,
+        token: &UnixUserToken,
+        new_tok: &str,
+        keystore: &mut D,
+        tpm: &mut tpm::BoxedDynTpm,
+        machine_key: &tpm::MachineKey,
+    ) -> Result<bool, IdpError> {
+        let hello_tag = self.fetch_hello_key_tag(account_id);
+
+        // Ensure the user is setting the token for the account it has authenticated to
+        if account_id.to_string().to_lowercase()
+            != token
+                .spn()
+                .map_err(|e| {
+                    error!("Failed checking the spn on the user token: {:?}", e);
+                    IdpError::BadRequest
+                })?
+                .to_lowercase()
+        {
+            error!("A hello key may only be set by the authenticated user!");
+            return Err(IdpError::BadRequest);
+        }
+
+        // Set the hello pin
+        let hello_key = match self
+            .client
+            .write()
+            .await
+            .provision_hello_for_business_key(token, tpm, machine_key, new_tok)
+            .await
+        {
+            Ok(hello_key) => hello_key,
+            Err(e) => {
+                error!("Failed to provision hello key: {:?}", e);
+                return Ok(false);
+            }
+        };
+        keystore
+            .insert_tagged_hsm_key(&hello_tag, &hello_key)
+            .map_err(|e| {
+                error!("Failed to provision hello key: {:?}", e);
+                IdpError::Tpm
+            })?;
+        Ok(true)
+    }
+
     async fn unix_user_get(
         &self,
         id: &Id,

src/common/src/idprovider/interface.rs

@@ -196,6 +196,16 @@ pub trait IdProvider {
         _machine_key: &tpm::MachineKey,
     ) -> Result<String, IdpError>;
 
+    async fn change_auth_token<D: KeyStoreTxn + Send>(
+        &self,
+        _account_id: &str,
+        _token: &UnixUserToken,
+        _new_tok: &str,
+        _keystore: &mut D,
+        _tpm: &mut tpm::BoxedDynTpm,
+        _machine_key: &tpm::MachineKey,
+    ) -> Result<bool, IdpError>;
+
     async fn unix_user_online_auth_init<D: KeyStoreTxn + Send>(
         &self,
         _account_id: &str,