From: Wolfgang Bumiller <w.bumiller@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH backup 1/2] tfa: remember recovery indices
Date: Mon, 18 Jan 2021 12:46:46 +0100 [thread overview]
Message-ID: <20210118114647.632-1-w.bumiller@proxmox.com> (raw)
and tell the client which keys are still available rather
than just yes/no/low
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
src/config/tfa.rs | 76 ++++++++++++++++++++++-------------------------
1 file changed, 35 insertions(+), 41 deletions(-)
diff --git a/src/config/tfa.rs b/src/config/tfa.rs
index e0f2fcfe..5d01ea82 100644
--- a/src/config/tfa.rs
+++ b/src/config/tfa.rs
@@ -1088,7 +1088,7 @@ impl TfaUserData {
#[derive(Deserialize, Serialize)]
pub struct Recovery {
secret: String,
- entries: Vec<String>,
+ entries: Vec<Option<String>>,
}
impl Recovery {
@@ -1116,7 +1116,7 @@ impl Recovery {
AsHex(&b[6..8]),
);
- this.entries.push(this.hash(entry.as_bytes())?);
+ this.entries.push(Some(this.hash(entry.as_bytes())?));
original.push(entry);
}
@@ -1138,31 +1138,32 @@ impl Recovery {
Ok(AsHex(&hmac).to_string())
}
- /// Shortcut to get the count.
- fn len(&self) -> usize {
- self.entries.len()
+ /// Iterator over available keys.
+ fn available(&self) -> impl Iterator<Item = &str> {
+ self.entries.iter().filter_map(Option::as_deref)
}
- /// Check if this entry is empty.
- fn is_empty(&self) -> bool {
- self.entries.is_empty()
+ /// Count the available keys.
+ fn count_available(&self) -> usize {
+ self.available().count()
}
/// Convenience serde method to check if either the option is `None` or the content `is_empty`.
fn option_is_empty(this: &Option<Self>) -> bool {
- this.as_ref().map_or(true, Self::is_empty)
+ this.as_ref()
+ .map_or(true, |this| this.count_available() == 0)
}
/// Verify a key and remove it. Returns whether the key was valid. Errors on openssl errors.
fn verify(&mut self, key: &str) -> Result<bool, Error> {
let hash = self.hash(key.as_bytes())?;
- Ok(match self.entries.iter().position(|entry| *entry == hash) {
- Some(index) => {
- self.entries.remove(index);
- true
+ for entry in &mut self.entries {
+ if entry.as_ref() == Some(&hash) {
+ *entry = None;
+ return Ok(true);
}
- None => false,
- })
+ }
+ Ok(false)
}
}
@@ -1283,45 +1284,38 @@ pub fn verify_challenge(
}
/// Used to inform the user about the recovery code status.
-#[derive(Clone, Copy, Eq, PartialEq, Deserialize, Serialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum RecoveryState {
- Unavailable,
- Low,
- Available,
-}
+///
+/// This contains the available key indices.
+#[derive(Clone, Default, Eq, PartialEq, Deserialize, Serialize)]
+pub struct RecoveryState(Vec<usize>);
impl RecoveryState {
- fn from_count(count: usize) -> Self {
- match count {
- 0 => RecoveryState::Unavailable,
- 1..=3 => RecoveryState::Low,
- _ => RecoveryState::Available,
- }
- }
-
- // serde needs `&self` but this is a tiny Copy type, so we mark this as inline
- #[inline]
fn is_unavailable(&self) -> bool {
- *self == RecoveryState::Unavailable
- }
-}
-
-impl Default for RecoveryState {
- fn default() -> Self {
- RecoveryState::Unavailable
+ self.0.is_empty()
}
}
impl From<&Option<Recovery>> for RecoveryState {
fn from(r: &Option<Recovery>) -> Self {
match r {
- Some(r) => Self::from_count(r.len()),
- None => RecoveryState::Unavailable,
+ Some(r) => Self::from(r),
+ None => Self::default(),
}
}
}
+impl From<&Recovery> for RecoveryState {
+ fn from(r: &Recovery) -> Self {
+ Self(
+ r.entries
+ .iter()
+ .enumerate()
+ .filter_map(|(idx, key)| if key.is_some() { Some(idx) } else { None })
+ .collect(),
+ )
+ }
+}
+
/// When sending a TFA challenge to the user, we include information about what kind of challenge
/// the user may perform. If webauthn credentials are available, a webauthn challenge will be
/// included.
--
2.20.1
next reply other threads:[~2021-01-18 11:46 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-18 11:46 Wolfgang Bumiller [this message]
2021-01-18 11:46 ` [pbs-devel] [PATCH backup 2/2] gui: enumerate recovery keys and list in 2nd factor window Wolfgang Bumiller
2021-01-18 12:52 ` [pbs-devel] applied: " Thomas Lamprecht
2021-01-18 12:52 ` [pbs-devel] applied: [PATCH backup 1/2] tfa: remember recovery indices Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210118114647.632-1-w.bumiller@proxmox.com \
--to=w.bumiller@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.