ate-auth 1.9.0

Represents a standardized data model and API for authenticating an ATE chain-of-trust
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

use std::sync::Arc;
#[allow(unused_imports)]
use tracing::{debug, error, info, instrument, span, trace, warn, Level};

use async_trait::async_trait;
use ate::crypto::EncryptKey;
use ate::crypto::KeySize;
use ate::{error::ChainCreationError, prelude::*};
use regex::Regex;

use crate::service::*;

pub struct ChainFlow {
    cfg: ConfAte,
    auth_url: url::Url,
    root_key: PrivateSignKey,
    web_key: EncryptKey,
    edge_key: EncryptKey,
    contract_key: EncryptKey,
    regex_auth: Regex,
    regex_cmd: Regex,
    session: AteSessionUser,
    pub terms_and_conditions: Option<String>,
}

impl ChainFlow {
    pub fn new(
        cfg: &ConfAte,
        root_key: PrivateSignKey,
        session: AteSessionUser,
        web_key: EncryptKey,
        edge_key: EncryptKey,
        contract_key: EncryptKey,
        auth_url: &url::Url,
    ) -> Self {
        ChainFlow {
            cfg: cfg.clone(),
            root_key,
            regex_auth: Regex::new("^redo-[a-f0-9]{4}$").unwrap(),
            regex_cmd: Regex::new("^cmd-[a-f0-9]{16}$").unwrap(),
            auth_url: auth_url.clone(),
            session,
            web_key,
            edge_key,
            contract_key,
            terms_and_conditions: None,
        }
    }
}

#[async_trait]
impl OpenFlow for ChainFlow {
    fn hello_path(&self) -> &str {
        self.auth_url.path()
    }

    async fn message_of_the_day(
        &self,
        _chain: &Arc<Chain>,
    ) -> Result<Option<String>, ChainCreationError> {
        Ok(None)
    }

    async fn open(
        &self,
        mut builder: ChainBuilder,
        key: &ChainKey,
        wire_encryption: Option<KeySize>,
    ) -> Result<OpenAction, ChainCreationError> {
        debug!("open_auth: {}", key);

        let name = key.name.clone();
        let name = name.as_str();
        if self.regex_auth.is_match(name) {
            let chain = builder
                .set_session(self.session.clone_session())
                .add_root_public_key(&self.root_key.as_public_key())
                .load_integrity(TrustMode::Distributed)
                .build()
                .open(key)
                .await?;

            return Ok(OpenAction::DistributedChain { chain: chain });
        }
        if self.regex_cmd.is_match(name) {
            // Build a secure session
            let mut cmd_session = AteSessionUser::default();
            cmd_session
                .user
                .add_read_key(&EncryptKey::generate(KeySize::Bit128));

            // For command based chains that are already encryption there is no need
            // to also add signatures which take lots of CPU power
            let session_root_key = if wire_encryption.is_none() {
                let key = PrivateSignKey::generate(KeySize::Bit128);
                cmd_session.user.add_write_key(&key);
                Some(key)
            } else {
                None
            };

            // Build the chain
            builder = builder
                .set_session(cmd_session.clone_session())
                .temporal(true);
            if let Some(session_root_key) = &session_root_key {
                builder = builder.add_root_public_key(&session_root_key.as_public_key())
            }

            let chain = builder.build().open(key).await?;

            // Add the services to this chain
            service_auth_handlers(
                &self.cfg,
                cmd_session.clone(),
                self.auth_url.clone(),
                self.session.clone(),
                self.web_key.clone(),
                self.edge_key.clone(),
                self.contract_key.clone(),
                self.terms_and_conditions.clone(),
                &Arc::clone(&chain),
            )
            .await?;

            // Return the chain to the caller
            return Ok(OpenAction::PrivateChain {
                chain,
                session: cmd_session,
            });
        }
        Ok(OpenAction::Deny {
            reason: format!(
                "The chain-key ({}) does not match a valid chain supported by this server.",
                key.to_string()
            )
            .to_string(),
        })
    }
}