tfa: fixup for challenge file split

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller 2020-12-21 14:27:13 +01:00
parent f22dfb5ece
commit abfe0c0e70


@ -1,6 +1,7 @@
use std::collections::HashMap; use std::collections::HashMap;
use std::fs::File; use std::fs::File;
use std::io::{self, Read, Seek, SeekFrom}; use std::io::{self, Read, Seek, SeekFrom};
use std::os::unix::fs::OpenOptionsExt;
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
use std::path::PathBuf; use std::path::PathBuf;
use std::time::Duration; use std::time::Duration;
@ -463,8 +464,6 @@ impl TfaUserChallengeData {
/// Load the user's current challenges with the intent to create a challenge (create the file /// Load the user's current challenges with the intent to create a challenge (create the file
/// if it does not exist), and keep a lock on the file. /// if it does not exist), and keep a lock on the file.
fn open(userid: &Userid) -> Result<Self, Error> { fn open(userid: &Userid) -> Result<Self, Error> {
use std::os::unix::fs::OpenOptionsExt;
crate::tools::create_run_dir()?; crate::tools::create_run_dir()?;
let options = CreateOptions::new().perm(Mode::from_bits_truncate(0o0600)); let options = CreateOptions::new().perm(Mode::from_bits_truncate(0o0600));
proxmox::tools::fs::create_path(CHALLENGE_DATA_PATH, Some(options.clone()), Some(options)) proxmox::tools::fs::create_path(CHALLENGE_DATA_PATH, Some(options.clone()), Some(options))
@ -518,7 +517,13 @@ impl TfaUserChallengeData {
/// `open` without creating the file if it doesn't exist, to finish WA authentications. /// `open` without creating the file if it doesn't exist, to finish WA authentications.
fn open_no_create(userid: &Userid) -> Result<Option<Self>, Error> { fn open_no_create(userid: &Userid) -> Result<Option<Self>, Error> {
let path = Self::challenge_data_path(userid); let path = Self::challenge_data_path(userid);
let mut file = match File::open(&path) { let mut file = match std::fs::OpenOptions::new()
.read(true)
.write(true)
.truncate(false)
.mode(0o600)
.open(&path)
{
Ok(file) => file, Ok(file) => file,
Err(err) if err.kind() == io::ErrorKind::NotFound => return Ok(None), Err(err) if err.kind() == io::ErrorKind::NotFound => return Ok(None),
Err(err) => return Err(err.into()), Err(err) => return Err(err.into()),
@ -971,7 +976,8 @@ impl TfaUserData {
} }
// we don't allow re-trying the challenge, so make the removal persistent now: // we don't allow re-trying the challenge, so make the removal persistent now:
data.save()?; data.save()
.map_err(|err| format_err!("failed to save challenge file: {}", err))?;
match webauthn.authenticate_credential(response, challenge.state)? { match webauthn.authenticate_credential(response, challenge.state)? {
Some((_cred, _counter)) => Ok(()), Some((_cred, _counter)) => Ok(()),
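Review bot: In the `open_no_create` hunk, `.mode(0o600)` has no effect because the builder never sets `.create(true)` — `OpenOptions::mode` is only applied when a file is created, so an existing challenge file keeps whatever permissions it already has. That is not a hole here, since `open` is the path that creates the file and already sets 0600 via `CreateOptions`, but the line reads as if it enforced the permission on every open; either drop it or annotate it with `// mode only applies on create; permissions are set by open()`. `.truncate(false)` is likewise the default and can go for the same reason. The switch from `File::open` to a read/write open is presumably needed so that `data.save()` (last hunk) can write the updated challenge set back; the doc comment on `open_no_create` still describes it only as "`open` without creating the file" and could say that the file is opened read/write for that reason. The rest of `open_no_create`'s body, including whether it takes the same lock that `open` documents, is outside the hunk.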