move most of authentication logic into wolfHSM rather than in port, touch up for test cases

Author: JacobBarthelmeh

port/posix/posix_auth.c

@@ -246,111 +246,32 @@ int posixAuth_Logout(void* context, uint16_t current_user_id,
 }
 
 
-int posixAuth_CheckRequestAuthorization(void* context, uint16_t user_id,
-                                          uint16_t group, uint16_t action)
+int posixAuth_CheckRequestAuthorization(void* context, int err,
+    uint16_t user_id, uint16_t group, uint16_t action)
 {
-    int rc;
-
-    if (user_id == WH_USER_ID_INVALID) {
-        /* allow user login request attempt and comm */
-        if (group == WH_MESSAGE_GROUP_COMM ||
-            (group == WH_MESSAGE_GROUP_AUTH &&
-                action == WH_MESSAGE_AUTH_ACTION_LOGIN)) {
-            rc = WH_ERROR_OK;
-        }
-        else {
-            rc = WH_ERROR_ACCESS;
-        }
-    }
-    else {
-        int              groupIndex = (group >> 8) & 0xFF;
-        whAuthBase_User* user;
-
-        if (user_id > WH_AUTH_BASE_MAX_USERS) {
-            return WH_ERROR_ACCESS;
-        }
-        user = &users[user_id - 1];
-
-        /* check if user has permissions for the group and action */
-
-        /* some operations a user logged in should by default have access to;
-         * - logging out
-         * - updating own credentials */
-        if (group == WH_MESSAGE_GROUP_AUTH &&
-            (action == WH_MESSAGE_AUTH_ACTION_LOGOUT ||
-             action == WH_MESSAGE_AUTH_ACTION_USER_SET_CREDENTIALS)) {
-            rc = WH_ERROR_OK;
-        }
-        else {
-            if (user->user.permissions.groupPermissions & group) {
-                /* Check if action is within supported range */
-                if (action < WH_AUTH_ACTIONS_PER_GROUP) {
-                    /* Get word index and bitmask for this action */
-                    uint32_t wordAndBit = WH_AUTH_ACTION_TO_WORD_AND_BIT(action);
-                    uint32_t wordIndex   = WH_AUTH_ACTION_WORD(wordAndBit);
-                    uint32_t bitmask     = WH_AUTH_ACTION_BIT(wordAndBit);
-
-                    if (wordIndex < WH_AUTH_ACTION_WORDS &&
-                        (user->user.permissions.actionPermissions[groupIndex]
-                                                              [wordIndex] &
-                         bitmask)) {
-                        rc = WH_ERROR_OK;
-                    }
-                    else {
-                        rc = WH_ERROR_ACCESS;
-                    }
-                }
-                else {
-                    rc = WH_ERROR_ACCESS;
-                }
-            }
-            else {
-                rc = WH_ERROR_ACCESS;
-            }
-        }
-    }
-
     (void)context;
-    return rc;
+    (void)user_id;
+    (void)group;
+    (void)action;
+
+    /* could override the error code here */
+    /* the value passed in as 'err' is the current error code */
+    return err;
 }
 
 /* authorization check on key usage after the request has been parsed and before
  * the action is done */
-int posixAuth_CheckKeyAuthorization(void* context, uint16_t user_id,
+int posixAuth_CheckKeyAuthorization(void* context, int err, uint16_t user_id,
                                       uint32_t key_id, uint16_t action)
 {
-    int              rc = WH_ERROR_ACCESS;
-    int              i;
-    whAuthBase_User* user;
-
-    if (user_id == WH_USER_ID_INVALID) {
-        return WH_ERROR_ACCESS;
-    }
-
-    if (user_id > WH_AUTH_BASE_MAX_USERS) {
-        return WH_ERROR_NOTFOUND;
-    }
-
-    user = &users[user_id - 1];
-
-    if (user->user.user_id == WH_USER_ID_INVALID) {
-        return WH_ERROR_NOTFOUND;
-    }
-
-    /* Check if the requested key_id is in the user's keyIds array */
-    for (i = 0;
-         i < user->user.permissions.keyIdCount && i < WH_AUTH_MAX_KEY_IDS;
-         i++) {
-        if (user->user.permissions.keyIds[i] == key_id) {
-            rc = WH_ERROR_OK;
-            break;
-        }
-    }
-
     (void)context;
-    (void)action; /* Action could be used for future fine-grained key access
-                     control */
-    return rc;
+    (void)user_id;
+    (void)key_id;
+    (void)action;
+
+    /* could override the error code here */
+    /* the value passed in as 'err' is the current error code */
+    return err;
 }
 
 

port/posix/posix_auth.h

@@ -81,20 +81,21 @@ int posixAuth_Logout(void* context, uint16_t current_user_id,
                        uint16_t user_id);
 
 /**
- * @brief Check if an action is authorized for a session.
+ * @brief Option to override authorization check.
  *
  * @param[in] context Pointer to the auth base context.
+ * @param[in] err The current error code set for check authorization.
  * @param[in] user_id The user ID to check authorization for.
  * @param[in] group The group to check authorization for.
  * @param[in] action The action to check authorization for.
  * @return int Returns 0 if authorized, or a negative error code on failure.
  */
-int posixAuth_CheckRequestAuthorization(void* context, uint16_t user_id,
+int posixAuth_CheckRequestAuthorization(void* context, int err, uint16_t user_id,
                                           uint16_t group, uint16_t action);
 
 /* authorization check on key usage after the request has been parsed and before
  * the action is done */
-int posixAuth_CheckKeyAuthorization(void* context, uint16_t user_id,
+int posixAuth_CheckKeyAuthorization(void* context, int err, uint16_t user_id,
                                       uint32_t key_id, uint16_t action);
 
 /**

src/wh_auth.c

@@ -47,6 +47,7 @@
 #include "wolfhsm/wh_error.h"
 
 #include "wolfhsm/wh_auth.h"
+#include "wolfhsm/wh_message_auth.h"
 
 
 int wh_Auth_Init(whAuthContext* context, const whAuthConfig* config)
@@ -155,17 +156,72 @@ int wh_Auth_CheckRequestAuthorization(whAuthContext* context, uint16_t group,
 {
     uint16_t user_id;
     int      rc;
+    whAuthUser* user;
 
-    if ((context == NULL) || (context->cb == NULL) ||
-        (context->cb->CheckRequestAuthorization == NULL)) {
+    if ((context == NULL) || (context->cb == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
-    user_id = context->user.user_id;
+    user = &context->user;
+    user_id = user->user_id;
     /* @TODO add logging call here and with resulting return value  */
 
-    rc = context->cb->CheckRequestAuthorization(context->context, user_id,
-                                                group, action);
+    if (user_id == WH_USER_ID_INVALID) {
+        /* allow user login request attempt and comm */
+        if (group == WH_MESSAGE_GROUP_COMM ||
+            (group == WH_MESSAGE_GROUP_AUTH &&
+                action == WH_MESSAGE_AUTH_ACTION_LOGIN)) {
+            rc = WH_ERROR_OK;
+        }
+        else {
+            rc = WH_ERROR_ACCESS;
+        }
+    }
+    else {
+        int groupIndex = (group >> 8) & 0xFF;
+
+        /* some operations a user logged in should by default have access to;
+            * - logging out
+            * - updating own credentials */
+        if (group == WH_MESSAGE_GROUP_AUTH &&
+            (action == WH_MESSAGE_AUTH_ACTION_LOGOUT ||
+                action == WH_MESSAGE_AUTH_ACTION_USER_SET_CREDENTIALS)) {
+            rc = WH_ERROR_OK;
+        }
+        else {
+            if (user->permissions.groupPermissions & group) {
+                /* Check if action is within supported range */
+                if (action < WH_AUTH_ACTIONS_PER_GROUP) {
+                    /* Get word index and bitmask for this action */
+                    uint32_t wordAndBit = WH_AUTH_ACTION_TO_WORD_AND_BIT(action);
+                    uint32_t wordIndex   = WH_AUTH_ACTION_WORD(wordAndBit);
+                    uint32_t bitmask     = WH_AUTH_ACTION_BIT(wordAndBit);
+
+                    if (wordIndex < WH_AUTH_ACTION_WORDS &&
+                        (user->permissions.actionPermissions[groupIndex]
+                                                                [wordIndex] &
+                            bitmask)) {
+                        rc = WH_ERROR_OK;
+                    }
+                    else {
+                        rc = WH_ERROR_ACCESS;
+                    }
+                }
+                else {
+                    rc = WH_ERROR_ACCESS;
+                }
+            }
+            else {
+                rc = WH_ERROR_ACCESS;
+            }
+        }
+    }
+
+    /* allow authorization override if callback is set */
+    if (context->cb->CheckRequestAuthorization != NULL) {
+        rc = context->cb->CheckRequestAuthorization(context->context, rc,
+            user_id, group, action);
+    }
     return rc;
 }
 
@@ -176,16 +232,36 @@ int wh_Auth_CheckKeyAuthorization(whAuthContext* context, uint32_t key_id,
 {
     uint16_t user_id;
     int      rc;
+    int      i;
+    whAuthUser* user;
 
-    if ((context == NULL) || (context->cb == NULL) ||
-        (context->cb->CheckKeyAuthorization == NULL)) {
+    if ((context == NULL) || (context->cb == NULL)) {
         return WH_ERROR_BADARGS;
     }
 
     user_id = context->user.user_id;
+    user = &context->user;
+    if (user->user_id == WH_USER_ID_INVALID) {
+        return WH_ERROR_ACCESS;
+    }
 
-    rc = context->cb->CheckKeyAuthorization(context->context, user_id, key_id,
-                                              action);
+    /* Check if the requested key_id is in the user's keyIds array */
+    for (i = 0;
+         i < user->permissions.keyIdCount && i < WH_AUTH_MAX_KEY_IDS;
+         i++) {
+        if (user->permissions.keyIds[i] == key_id) {
+            rc = WH_ERROR_OK;
+            break;
+        }
+    }
+
+    (void)context;
+    (void)action; /* Action could be used for future fine-grained key access
+                     control */
+    if (context->cb->CheckKeyAuthorization != NULL) {
+        rc = context->cb->CheckKeyAuthorization(context->context, rc,
+            user_id, key_id, action);
+    }
     return rc;
 }
 

test/wh_test_auth.c

@@ -1177,11 +1177,11 @@ static int CheckServerSupportsAuth(whClientContext* client_ctx)
     whUserId user_id;
     int isSupported = 0;
 
-    WH_TEST_RETURN_ON_FAIL(wh_Client_AuthLogin(client_ctx, WH_AUTH_METHOD_PIN,
+    WH_TEST_RETURN_ON_FAIL(_whTest_Auth_LoginOp(client_ctx, WH_AUTH_METHOD_PIN,
         TEST_ADMIN_USERNAME, TEST_ADMIN_PIN, strlen(TEST_ADMIN_PIN), &server_rc,
         &user_id));
     if (server_rc != WH_AUTH_NOT_ENABLED) {
-        WH_TEST_RETURN_ON_FAIL(wh_Client_AuthLogout(client_ctx, user_id,
+        WH_TEST_RETURN_ON_FAIL(_whTest_Auth_LogoutOp(client_ctx, user_id,
             &server_rc));
         isSupported = 1;
     }

test/wh_test_she.c

@@ -179,7 +179,7 @@ int whTest_SheClientConfig(whClientConfig* config)
     /* Attempt log in as an admin user for the rest of the tests */
     WH_TEST_RETURN_ON_FAIL(wh_Client_AuthLogin(client, WH_AUTH_METHOD_PIN,
         TEST_ADMIN_USERNAME, TEST_ADMIN_PIN, strlen(TEST_ADMIN_PIN),
-        NULL, NULL));
+        &ret, NULL));
 #endif /* WOLFHSM_CFG_ENABLE_AUTHENTICATION */
 
     {

wolfhsm/wh_auth.h

@@ -112,12 +112,12 @@ typedef struct {
     int (*Logout)(void* context, whUserId current_user_id, whUserId user_id);
 
 
-    /* Check if an action is authorized for a session */
-    int (*CheckRequestAuthorization)(void* context, uint16_t user_id,
+    /* Allow override of if action is authorized for a user */
+    int (*CheckRequestAuthorization)(void* context, int err, uint16_t user_id,
                                      uint16_t group, uint16_t action);
 
-    /* Check if a key is authorized for use */
-    int (*CheckKeyAuthorization)(void* context, uint16_t user_id,
+    /* Allow override of if a key is authorized for use */
+    int (*CheckKeyAuthorization)(void* context, int err, uint16_t user_id,
                                  uint32_t key_id, uint16_t action);
 
     /* Add a new user */