athena_rs 2.9.1

Database gateway API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

use actix_web::{HttpRequest, HttpResponse};
use serde_json::json;
use std::env;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ApiKeySource {
    XAthenaKeyHeader,
}

fn extract_api_keys_with_sources(req: &HttpRequest) -> Vec<(String, ApiKeySource)> {
    let mut keys: Vec<(String, ApiKeySource)> = Vec::new();

    if let Some(value) = req
        .headers()
        .get("x-athena-key")
        .and_then(|value| value.to_str().ok())
        .map(str::to_string)
        .filter(|value| !value.trim().is_empty())
    {
        keys.push((value, ApiKeySource::XAthenaKeyHeader));
    }

    keys
}

pub fn extract_api_key_with_source(req: &HttpRequest) -> Option<(String, ApiKeySource)> {
    extract_api_keys_with_sources(req).into_iter().next()
}

pub fn api_key_query_param_used(req: &HttpRequest) -> bool {
    let _ = req;
    false
}

/// Extract an API key from standard request locations.
///
/// The first non-empty value wins.
pub fn extract_api_key(req: &HttpRequest) -> Option<String> {
    extract_api_key_with_source(req).map(|(value, _)| value)
}

/// Validate the static admin key stored in `ATHENA_KEY_12`.
pub fn authorize_static_admin_key(req: &HttpRequest) -> Result<(), HttpResponse> {
    let expected: Option<String> = env::var("ATHENA_KEY_12")
        .ok()
        .filter(|value| !value.is_empty());

    let Some(expected) = expected else {
        return Err(HttpResponse::InternalServerError().json(json!({
            "error": "ATHENA_KEY_12 is not configured"
        })));
    };

    let authorized: bool = extract_api_keys_with_sources(req)
        .into_iter()
        .any(|(provided, _)| provided == expected);

    if authorized {
        Ok(())
    } else {
        Err(HttpResponse::Unauthorized().json(json!({
            "error": "Invalid or missing API key. Use X-Athena-Key."
        })))
    }
}

#[cfg(test)]
mod tests {
    use super::{ApiKeySource, authorize_static_admin_key, extract_api_key_with_source};
    use actix_web::test::TestRequest;

    #[test]
    fn extract_reads_x_athena_key() {
        let req = TestRequest::default()
            .insert_header(("x-athena-key", "token-from-x-athena"))
            .to_http_request();

        let extracted = extract_api_key_with_source(&req);
        assert_eq!(
            extracted,
            Some((
                "token-from-x-athena".to_string(),
                ApiKeySource::XAthenaKeyHeader
            ))
        );
    }

    #[test]
    fn authorize_accepts_when_any_supported_header_matches() {
        unsafe {
            std::env::set_var("ATHENA_KEY_12", "expected-token");
        }

        let req = TestRequest::default()
            .insert_header(("x-athena-key", "expected-token"))
            .to_http_request();

        let result = authorize_static_admin_key(&req);

        assert!(result.is_ok());

        unsafe {
            std::env::remove_var("ATHENA_KEY_12");
        }
    }

    #[test]
    fn authorize_rejects_when_all_provided_keys_are_wrong() {
        unsafe {
            std::env::set_var("ATHENA_KEY_12", "expected-token");
        }

        let req = TestRequest::default()
            .insert_header(("x-athena-key", "wrong"))
            .to_http_request();

        let result = authorize_static_admin_key(&req);

        assert!(result.is_err());

        unsafe {
            std::env::remove_var("ATHENA_KEY_12");
        }
    }
}