98 lines
3.6 KiB
Rust
98 lines
3.6 KiB
Rust
// dead rust-lang/rustfmt/pull/5394 :(
|
|
#![feature(
|
|
decl_macro,
|
|
duration_constructors,
|
|
iterator_try_collect,
|
|
never_type,
|
|
once_cell_try,
|
|
seek_stream_len
|
|
)]
|
|
#![allow(clippy::future_not_send)] // will get to fix these later
|
|
|
|
//! # About, Licensing and More
|
|
//!
|
|
//! Check the README.md for entry-level documentation.
|
|
//!
|
|
//! # Where is my documentation?
|
|
//!
|
|
//! For ease of development and centralized **corrent** information, this codebase will serve both
|
|
//! as project documentation AND documentation for the behavior of the OpenID Connect server.
|
|
//!
|
|
//! Might be hard to figure out how the program behaves based on the code, but I will try to put
|
|
//! behavior parameters in [`consts`], so that might be a good starting point to know some stuff
|
|
//! (e.g. profile profile picture search path).
|
|
//!
|
|
//! Checking out [`conf`] might be useful too to know what could've been configured by server
|
|
//! administrators and less likely but maybe there can also be certain parameters in [`args`].
|
|
//!
|
|
//! I will try to keep those 3 modules as documented as possible, please feel free to open any
|
|
//! issues/PRs regarding information in there.
|
|
//!
|
|
//! # Public Information
|
|
//!
|
|
//! To make sure this application doesn't expose any public imformation it's important to define
|
|
//! what public information we are willing to expose. The application deals with user information
|
|
//! so it must leak at least some information, to make sure we don't overreach, we must have clear
|
|
//! where we draw the line.
|
|
//!
|
|
//! By default all information is private, but this application might leak by default:
|
|
//!
|
|
//! - **User system information:** Unix's UID of a given username.
|
|
//! - **User profile pictures:** See [`consts::USER_PFP_PATHS`].
|
|
//! - **User's `autorized_ssh_keys`:** See [`consts::AUTHORIZED_KEYS_PATH`].
|
|
//!
|
|
//! Note that no file information within user's home can be accessed until the user adds `o+x`
|
|
//! permissions on their home directory. Once this is done, only state of files regarding the
|
|
//! previous can be publicly accessible, there's no arbirtary path reading.
|
|
//!
|
|
//! Any user information is checked ASAP against the allowed groups (see [`conf::Unix::groups`]) to
|
|
//! fail fast without exposing any personal information for users alien to these groups. That means
|
|
//! that any reference to the "user", will assume its already from an allowed group, if its not a
|
|
//! group member, it will be treated as nonexistent.
|
|
//!
|
|
//! Information about existance of a user alien to the configured groups might vulnerable to timing
|
|
//! attacks though.
|
|
//!
|
|
//! TODO: This was clearly defined after some API was already written so these assumptions will
|
|
//! need to be reviewed for the old code (notably pfp logic).
|
|
|
|
use std::fs::File;
|
|
|
|
use clap::Parser;
|
|
|
|
use crate::ext::FileExt as _;
|
|
|
|
pub mod args;
|
|
pub mod auth;
|
|
pub mod conf;
|
|
pub mod consts;
|
|
pub mod db;
|
|
pub mod ext;
|
|
pub mod serdes;
|
|
pub mod server;
|
|
pub mod utils;
|
|
|
|
#[tokio::main]
|
|
async fn main() -> anyhow::Result<()> {
|
|
let args = args::Args::parse();
|
|
#[cfg(feature = "log")]
|
|
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
|
|
let conf = if let Some(conf) = File::try_open(&args.conf) {
|
|
conf::Config::from_toml_file(&mut conf?)?
|
|
} else {
|
|
println!(
|
|
"\x1b[30;43mWRN\x1b[0m: \x1b[35m{:?}\x1b[0m not found, using default configuration",
|
|
args.conf.display()
|
|
);
|
|
conf::Config::default()
|
|
};
|
|
|
|
// o tsukare su-mmer, awaaai yumeniii shiii oooo-tome, wa, hitoshireeeezu, cryyyyying
|
|
// (idek japanese but im vibing)
|
|
println!("\n\x1b[1;3;4;33mConfiguration\x1b[0m: {conf:#?}\n");
|
|
|
|
server::start_app(args, conf, db::DB::new()).await?;
|
|
|
|
Ok(())
|
|
}
|