add delete user and get user implementations

Author: JacobBarthelmeh

examples/posix/wh_posix_server/wh_posix_server_cfg.c

@@ -668,6 +668,7 @@ static whAuthCb default_auth_cb = {
     .UserGet = wh_AuthBase_UserGet,
     .UserSetCredentials = wh_AuthBase_UserSetCredentials
 };
+static whAuthContext auth_ctx = {0};
 
 /**
  * @brief Configure a default auth context for the server
@@ -683,7 +684,6 @@ int wh_PosixServer_ExampleAuthConfig(void* conf)
 {
     int rc;
     whServerConfig* s_conf = (whServerConfig*)conf;
-    static whAuthContext auth_ctx = {0};
     static void* auth_backend_context = NULL; /* No backend context needed for stubs */
     static whAuthConfig auth_config = {0};
 

src/wh_auth.c

@@ -143,7 +143,7 @@ int wh_Auth_Logout(whAuthContext* context, whUserId user_id)
         return WH_ERROR_BADARGS;
     }
 
-    rc = context->cb->Logout(context->context, user_id);
+    rc = context->cb->Logout(context->context, context->user.user_id, user_id);
     if (rc != WH_ERROR_OK) {
         return rc;
     }
@@ -156,25 +156,29 @@ int wh_Auth_Logout(whAuthContext* context, whUserId user_id)
 
 /* Check on request authorization and action permissions for current user
  * logged in */
-int wh_Auth_CheckRequestAuthorization(whAuthContext* context, uint8_t client_id,
-    uint16_t group, uint16_t action)
+int wh_Auth_CheckRequestAuthorization(whAuthContext* context, uint16_t group,
+    uint16_t action)
 {
-    printf("In authorization check: Client ID: %d, Group: %d, Action: %d\n",
-        client_id, group, action);
+    uint16_t user_id = context->user.user_id;
 
-    return context->cb->CheckRequestAuthorization(context->context, client_id,
+    printf("In authorization check: User ID: %d, Group: %d, Action: %d\n",
+        user_id, group, action);
+
+    return context->cb->CheckRequestAuthorization(context->context, user_id,
         group, action);
 }
 
 
 /* Check on key ID use after request has been parsed */
-int wh_Auth_CheckKeyAuthorization(whAuthContext* context, uint8_t client_id,
-    uint32_t key_id, uint16_t action)
+int wh_Auth_CheckKeyAuthorization(whAuthContext* context, uint32_t key_id,
+    uint16_t action)
 {
-    printf("In key authorization check: Client ID: %d, Key ID: %d, Action: %d\n",
-        client_id, key_id, action);
+    uint16_t user_id = context->user.user_id;
+
+    printf("In key authorization check: User ID: %d, Key ID: %d, Action: %d\n",
+        user_id, key_id, action);
 
-    return context->cb->CheckKeyAuthorization(context->context, client_id, key_id,
+    return context->cb->CheckKeyAuthorization(context->context, user_id, key_id,
         action);
 }
 
@@ -195,14 +199,19 @@ int wh_Auth_UserAdd(whAuthContext* context, const char* username,
             method, credentials, credentials_len);
 }
 
+
 int wh_Auth_UserDelete(whAuthContext* context, whUserId user_id)
 {
-    /* TODO: Delete user */
-    (void)context;
-    (void)user_id;
-    return WH_ERROR_NOTIMPL;
+    if (    (context == NULL) ||
+            (context->cb == NULL) ||
+            (context->cb->UserDelete == NULL) ) {
+        return WH_ERROR_BADARGS;
+    }
+
+    return context->cb->UserDelete(context->context, user_id);
 }
 
+
 int wh_Auth_UserSetPermissions(whAuthContext* context, whUserId user_id,
                                  whAuthPermissions permissions)
 {
@@ -213,14 +222,16 @@ int wh_Auth_UserSetPermissions(whAuthContext* context, whUserId user_id,
     return WH_ERROR_NOTIMPL;
 }
 
-int wh_Auth_UserGet(whAuthContext* context, whUserId user_id,
-                     whAuthUser* out_user)
+int wh_Auth_UserGet(whAuthContext* context, const char* username, whUserId* out_user_id,
+    whAuthPermissions* out_permissions)
 {
-    /* TODO: Get user information */
-    (void)context;
-    (void)user_id;
-    (void)out_user;
-    return WH_ERROR_NOTIMPL;
+    if (    (context == NULL) ||
+            (context->cb == NULL) ||
+            (context->cb->UserGet == NULL) ) {
+        return WH_ERROR_BADARGS;
+    }
+
+    return context->cb->UserGet(context->context, username, out_user_id, out_permissions);
 }
 
 int wh_Auth_UserSetCredentials(whAuthContext* context, whUserId user_id,

src/wh_auth_base.c

@@ -31,6 +31,7 @@
 #include "wolfhsm/wh_error.h"
 
 #include "wolfhsm/wh_message.h"
+#include "wolfhsm/wh_message_auth.h"
 #include "wolfhsm/wh_auth_base.h"
 
 /* simple base user list */
@@ -49,10 +50,20 @@ static whAuthBase_User users[WH_AUTH_BASE_MAX_USERS];
 
 int wh_AuthBase_Init(void* context, const void *config)
 {
+    whAuthPermissions permissions;
+    int rc;
+    uint16_t out_user_id;
+
     /* TODO: Initialize auth manager context */
     (void)context;
     (void)config;
-    return WH_ERROR_OK;
+
+    memset(&permissions, 0xFF, sizeof(whAuthPermissions));
+    /* add a demo user with admin permissions */
+    rc = wh_AuthBase_UserAdd(context, "admin", &out_user_id, permissions,
+        WH_AUTH_METHOD_PIN, "1234", 4);
+    printf("Admin user added with ID: %d\n", out_user_id);
+    return rc;
 }
 
 int wh_AuthBase_Cleanup(void* context)
@@ -169,7 +180,8 @@ int wh_AuthBase_Login(void* context, uint8_t client_id,
     return WH_ERROR_OK;
 }
 
-int wh_AuthBase_Logout(void* context, uint16_t user_id)
+int wh_AuthBase_Logout(void* context, uint16_t current_user_id,
+    uint16_t user_id)
 {
     whAuthBase_User* user;
 
@@ -182,6 +194,7 @@ int wh_AuthBase_Logout(void* context, uint16_t user_id)
     }
 
     /* @TODO there likely should be restrictions here on who can logout who */
+    (void)current_user_id;
 
     user = &users[user_id - 1];
     user->user.is_active = false;
@@ -191,77 +204,90 @@ int wh_AuthBase_Logout(void* context, uint16_t user_id)
 
 
 int wh_AuthBase_CheckRequestAuthorization(void* context,
-    uint8_t client_id, uint16_t group, uint16_t action)
+    uint16_t user_id, uint16_t group, uint16_t action)
 {
     int rc;
-    whAuthContext* auth_context = (whAuthContext*)context;
 
+    printf("In authorization check: User ID: %d, Group: %d, Action: %d\n",
+        user_id, group, action);
 
-    printf("In authorization check: Client ID: %d, Group: %d, Action: %d\n",
-        client_id, group, action);
-
-    if (auth_context == NULL) {
-        printf("This likely should be fail case when no authorization context is set\n");
-        return WH_ERROR_OK;
-    }
-
-    if (auth_context->user.user_id == WH_USER_ID_INVALID) {
+    if (user_id == WH_USER_ID_INVALID) {
         /* allow user login request attempt */
-        if (group == WH_MESSAGE_GROUP_AUTH &&
-            action == WH_AUTH_ACTION_LOGIN) {
-            rc = WH_ERROR_OK;
+        if (group == WH_MESSAGE_GROUP_AUTH) {
+            if (action == WH_MESSAGE_AUTH_ACTION_LOGIN) {
+                rc = WH_ERROR_OK;
+            }
+            else {
+                printf("User does not have permissions for the action");
+                rc = WH_ERROR_ACCESS;
+            }
         }
         else {
             printf("No user associated with session");
-            rc = WH_ERROR_ACCESS;
+            rc = WH_ERROR_OK; /*rc = WH_ERROR_ACCESS;*/
         }
     }
     else {
         int groupIndex = (group >> 8) & 0xFF;
+        whAuthBase_User* user = &users[user_id - 1];
 
         /* check if user has permissions for the group and action */
-        if (auth_context->user.permissions.groupPermissions & group) {
-            if (auth_context->user.permissions.actionPermissions[groupIndex] & action) {
-                rc = WH_ERROR_OK;
+
+        /* some operations a user logged in should by default have access to;
+         * - logging out
+         * - updating own credentials */
+        if (group == WH_MESSAGE_GROUP_AUTH &&
+            (action == WH_MESSAGE_AUTH_ACTION_LOGOUT ||
+            action == WH_MESSAGE_AUTH_ACTION_USER_SET_CREDENTIALS)) {
+            rc = WH_ERROR_OK;
+        }
+        else {
+            if (user->user.permissions.groupPermissions & group) {
+                if (user->user.permissions.actionPermissions[groupIndex] & action) {
+                    rc = WH_ERROR_OK;
+                }
+                else {
+                    printf("User does not have permissions for the action");
+                    rc = WH_ERROR_ACCESS;
+                }
             }
             else {
-                printf("User does not have permissions for the action");
+                printf("User does not have permissions for the group");
                 rc = WH_ERROR_ACCESS;
             }
         }
-        else {
-            printf("User does not have permissions for the group");
-            rc = WH_ERROR_ACCESS;
-        }
     }
 
+    (void)context;
     return rc;
 }
 
 /* authorization check on key usage after the request has been parsed and before
  * the action is done */
-int wh_AuthBase_CheckKeyAuthorization(void* context, uint8_t client_id,
+int wh_AuthBase_CheckKeyAuthorization(void* context, uint16_t user_id,
     uint32_t key_id, uint16_t action)
 {
-    int rc;
-    whAuthContext* auth_context = (whAuthContext*)context;
+    int rc = WH_ERROR_OK;
 
-    printf("In key authorization check: Client ID: %d, Key ID: %d, Action: %d\n",
-        client_id, key_id, action);
+    printf("In key authorization check: User ID: %d, Key ID: %d, Action: %d\n",
+        user_id, key_id, action);
 
-    if (auth_context->user.user_id == WH_USER_ID_INVALID) {
+    if (user_id == WH_USER_ID_INVALID) {
         rc = WH_ERROR_ACCESS;
     }
     else {
+        /*
         if (auth_context->user.permissions.keyId == key_id) {
             rc = WH_ERROR_OK;
         }
         else {
             printf("User does not have access to the key");
             rc = WH_ERROR_ACCESS;
         }
+        */
     }
 
+    (void)context;
     return rc;
 }
 
@@ -289,7 +315,6 @@ int wh_AuthBase_UserAdd(void* context, const char* username,
     }
 
     if (i >= WH_AUTH_BASE_MAX_USERS) {
-        printf("User list is full");
         return WH_ERROR_BUFFER_SIZE;
     }
     userId = i + 1; /* save 0 fron WH_USER_ID_INVALID */
@@ -320,42 +345,42 @@ int wh_AuthBase_UserAdd(void* context, const char* username,
 
 int wh_AuthBase_UserDelete(void* context, uint16_t user_id)
 {
-    whAuthContext* auth_context = (whAuthContext*)context;
     whAuthBase_User* user = &users[user_id];
     if (user->user.user_id == WH_USER_ID_INVALID) {
         return WH_ERROR_NOTFOUND;
     }
     memset(user, 0, sizeof(whAuthBase_User));
-    (void)auth_context;
+    (void)context;
     return WH_ERROR_OK;
 }
 
 int wh_AuthBase_UserSetPermissions(void* context, uint16_t user_id,
     whAuthPermissions permissions)
 {
-    whAuthContext* auth_context = (whAuthContext*)context;
     whAuthBase_User* user = &users[user_id];
     if (user->user.user_id == WH_USER_ID_INVALID) {
         return WH_ERROR_NOTFOUND;
     }
     user->user.permissions = permissions;
-    (void)auth_context;
+    (void)context;
     return WH_ERROR_OK;
 }
 
-int wh_AuthBase_UserGet(void* context, uint16_t user_id,
-    whAuthUser* out_user)
+
+int wh_AuthBase_UserGet(void* context, const char* username, uint16_t* out_user_id,
+    whAuthPermissions* out_permissions)
 {
-    whAuthContext* auth_context = (whAuthContext*)context;
-    whAuthBase_User* user = &users[user_id];
-    if (user->user.user_id == WH_USER_ID_INVALID) {
+    whAuthBase_User* user = FindUser(username);
+    if (user == NULL) {
         return WH_ERROR_NOTFOUND;
     }
-    memcpy(out_user, &user->user, sizeof(whAuthUser));
-    (void)auth_context;
+    *out_user_id = user->user.user_id;
+    *out_permissions = user->user.permissions;
+    (void)context;
     return WH_ERROR_OK;
 }
 
+
 int wh_AuthBase_UserSetCredentials(void* context, uint16_t user_id,
     whAuthMethod method,
     const void* current_credentials, uint16_t current_credentials_len,