Wiktor Kwapisiewicz · 627000bc · c48e1e22 · ffc6e9bf · 4fe9cf8c · 56691b16
--- a/signstar-common/src/admin_credentials.rs 0 → 100644

+ 113

− 0
+++ b/signstar-common/src/admin_credentials.rs 0 → 100644

+ 113

− 0
+//! Data and functions for using administrative credentials on a Signstar host.
+//!
+//! # Examples
+//!
+//! ```
+//! use signstar_common::admin_credentials::get_credentials_dir;
+//!
+//! // Get the directory path in which administrative credentials reside.
+//! println!("{:?}", get_credentials_dir());
+//! ```
+
+use std::{
+    fs::{Permissions, create_dir_all, set_permissions},
+    os::unix::fs::{PermissionsExt, chown},
+    path::PathBuf,
+};
+
+use crate::common::{CREDENTIALS_DIR_MODE, get_data_home};
+
+/// File name of plaintext administrative credentials.
+const PLAINTEXT_CREDENTIALS_FILE: &str = "admin-credentials.toml";
+
+/// File name of systemd-creds encrypted administrative credentials.
+const SYSTEMD_CREDS_CREDENTIALS_FILE: &str = "admin-credentials.creds";
+
+/// The directory for administrative credentials (encrypted and unencrypted).
+const CREDENTIALS_DIR: &str = "creds/";
+
+/// An error that may occur when handling credentials.
+#[derive(Debug, thiserror::Error)]
+pub enum Error {
+    /// Applying permissions to a file failed.
+    #[error("Unable to apply permissions {permissions} to {path}:\n{source}")]
+    ApplyPermissions {
+        permissions: u32,
+        path: PathBuf,
+        source: std::io::Error,
+    },
+
+    /// No plaintext administrative credentials file can be found
+    #[error("Unable to create directory {dir}:\n{source}")]
+    CreateDirectory {
+        dir: &'static str,
+        source: std::io::Error,
+    },
+
+    /// The ownership of a directory can not be set.
+    #[error("Ownership of directory {dir} can not be changed to user {system_user}: {source}")]
+    DirChangeOwner {
+        dir: PathBuf,
+        system_user: String,
+        source: std::io::Error,
+    },
+}
+
+/// Returns the path of the directory in which administrative credentials reside.
+pub fn get_credentials_dir() -> PathBuf {
+    get_data_home().join(PathBuf::from(CREDENTIALS_DIR))
+}
+
+/// Returns the file path for plaintext administrative credentials.
+pub fn get_plaintext_credentials_file() -> PathBuf {
+    get_credentials_dir().join(PathBuf::from(PLAINTEXT_CREDENTIALS_FILE))
+}
+
+/// Returns the file path for systemd-creds encrypted administrative credentials.
+pub fn get_systemd_creds_credentials_file() -> PathBuf {
+    get_credentials_dir().join(PathBuf::from(SYSTEMD_CREDS_CREDENTIALS_FILE))
+}
+
+/// Creates the directory for administrative credentials.
+///
+/// # Errors
+///
+/// Returns an error if the directory or one of its parents can not be created.
+/// Refer to [`create_dir_all`] for further information on failure scenarios.
+pub fn create_credentials_dir() -> Result<(), Error> {
+    let credentials_dir = get_credentials_dir();
+    create_dir_all(credentials_dir.as_path()).map_err(|source| Error::CreateDirectory {
+        dir: CREDENTIALS_DIR,
+        source,
+    })?;
+
+    // Set the permissions of the credentials directory to `CREDENTIALS_DIR_MODE`.
+    set_permissions(
+        credentials_dir.as_path(),
+        Permissions::from_mode(CREDENTIALS_DIR_MODE),
+    )
+    .map_err(|source| Error::ApplyPermissions {
+        permissions: CREDENTIALS_DIR_MODE,
+        path: credentials_dir.clone(),
+        source,
+    })?;
+
+    // Recursively chown all directories to root, until `DATA_HOME` is
+    // reached.
+    let data_home = get_data_home();
+    let mut chown_dir = credentials_dir.clone();
+    while chown_dir != data_home {
+        chown(&chown_dir, Some(0), Some(0)).map_err(|source| Error::DirChangeOwner {
+            dir: chown_dir.to_path_buf(),
+            system_user: "root".to_string(),
+            source,
+        })?;
+        if let Some(parent) = &chown_dir.parent() {
+            chown_dir = parent.to_path_buf()
+        } else {
+            break;
+        }
+    }
+
+    Ok(())
+}