auth-framework 0.5.0-rc18

A comprehensive, production-ready authentication and authorization framework for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327

//! OAuth 2.0 Client Registry Module
//!
//! This module implements a client registry for managing OAuth 2.0 clients
//! including registration, retrieval, and validation.

use crate::errors::{AuthError, Result};
use crate::storage::core::AuthStorage;
use crate::storage::memory::InMemoryStorage;
use std::sync::Arc;

// Re-export canonical types so existing imports like
// `server::core::client_registry::{ClientType, ClientConfig}` keep working.
pub use crate::client::{ClientConfig, ClientType};

/// Client Registry for managing OAuth 2.0 clients
#[derive(Clone)]
pub struct ClientRegistry {
    storage: Arc<dyn AuthStorage>,
}

impl ClientRegistry {
    /// Create a new client registry
    pub async fn new(storage: Arc<dyn AuthStorage>) -> Result<Self> {
        Ok(Self { storage })
    }

    /// Register a new OAuth 2.0 client
    pub async fn register_client(&self, config: ClientConfig) -> Result<ClientConfig> {
        // Validate the client configuration
        self.validate_client_config(&config)?;

        // Store the client in the storage backend
        let client_key = format!("oauth_client:{}", config.client_id);
        let client_data = serde_json::to_string(&config)
            .map_err(|e| AuthError::internal(format!("Failed to serialize client: {}", e)))?;

        self.storage
            .store_kv(&client_key, client_data.as_bytes(), None)
            .await?;

        Ok(config)
    }

    /// Retrieve a client by ID
    pub async fn get_client(&self, client_id: &str) -> Result<Option<ClientConfig>> {
        let client_key = format!("oauth_client:{}", client_id);

        if let Some(client_data) = self.storage.get_kv(&client_key).await? {
            let client_str = std::str::from_utf8(&client_data)
                .map_err(|e| AuthError::internal(format!("Invalid UTF-8 in client data: {}", e)))?;
            let config: ClientConfig = serde_json::from_str(client_str)
                .map_err(|e| AuthError::internal(format!("Failed to deserialize client: {}", e)))?;
            Ok(Some(config))
        } else {
            Ok(None)
        }
    }

    /// Update a client configuration
    pub async fn update_client(&self, client_id: &str, config: ClientConfig) -> Result<()> {
        // Ensure the client ID matches
        if config.client_id != client_id {
            return Err(AuthError::validation("Client ID mismatch"));
        }

        // Validate the updated configuration
        self.validate_client_config(&config)?;

        // Store the updated client
        let client_key = format!("oauth_client:{}", client_id);
        let client_data = serde_json::to_string(&config)
            .map_err(|e| AuthError::internal(format!("Failed to serialize client: {}", e)))?;

        self.storage
            .store_kv(&client_key, client_data.as_bytes(), None)
            .await?;

        Ok(())
    }

    /// Delete a client
    pub async fn delete_client(&self, client_id: &str) -> Result<()> {
        let client_key = format!("oauth_client:{}", client_id);
        self.storage.delete_kv(&client_key).await?;
        Ok(())
    }

    /// Validate that a redirect URI is authorized for a client
    pub async fn validate_redirect_uri(&self, client_id: &str, redirect_uri: &str) -> Result<bool> {
        if let Some(client) = self.get_client(client_id).await? {
            Ok(client.redirect_uris.contains(&redirect_uri.to_string()))
        } else {
            Ok(false)
        }
    }

    /// Validate that a scope is authorized for a client
    pub async fn validate_scope(&self, client_id: &str, scope: &str) -> Result<bool> {
        if let Some(client) = self.get_client(client_id).await? {
            Ok(client.authorized_scopes.contains(&scope.to_string()))
        } else {
            Ok(false)
        }
    }

    /// Validate that a grant type is authorized for a client
    pub async fn validate_grant_type(&self, client_id: &str, grant_type: &str) -> Result<bool> {
        if let Some(client) = self.get_client(client_id).await? {
            Ok(client
                .authorized_grant_types
                .contains(&grant_type.to_string()))
        } else {
            Ok(false)
        }
    }

    /// Authenticate a confidential client using client credentials
    pub async fn authenticate_client(&self, client_id: &str, client_secret: &str) -> Result<bool> {
        if let Some(client) = self.get_client(client_id).await? {
            match (&client.client_type, &client.client_secret) {
                (ClientType::Confidential, Some(stored_secret)) => {
                    // Use constant-time comparison to prevent timing attacks
                    Ok(crate::security::secure_utils::constant_time_compare(
                        client_secret.as_bytes(),
                        stored_secret.as_bytes(),
                    ))
                }
                (ClientType::Public, None) => {
                    // Public clients don't have secrets
                    Ok(true)
                }
                _ => Ok(false),
            }
        } else {
            Ok(false)
        }
    }

    /// Validate client configuration
    fn validate_client_config(&self, config: &ClientConfig) -> Result<()> {
        // Client ID must not be empty
        if config.client_id.is_empty() {
            return Err(AuthError::validation("Client ID cannot be empty"));
        }

        // Confidential clients must have a secret
        if config.client_type == ClientType::Confidential && config.client_secret.is_none() {
            return Err(AuthError::validation(
                "Confidential clients must have a client secret",
            ));
        }

        // Public clients must not have a secret
        if config.client_type == ClientType::Public && config.client_secret.is_some() {
            return Err(AuthError::validation(
                "Public clients must not have a client secret",
            ));
        }

        // At least one redirect URI must be provided
        if config.redirect_uris.is_empty() {
            return Err(AuthError::validation(
                "At least one redirect URI must be provided",
            ));
        }

        // Validate redirect URIs
        for uri in &config.redirect_uris {
            if uri.is_empty() {
                return Err(AuthError::validation("Redirect URI cannot be empty"));
            }

            // Basic URI validation (in production, use a proper URI parser)
            if !uri.starts_with("https://") && !uri.starts_with("http://localhost") {
                return Err(AuthError::validation(
                    "Redirect URIs must use HTTPS (except localhost)",
                ));
            }
        }

        // At least one scope must be provided
        if config.authorized_scopes.is_empty() {
            return Err(AuthError::validation(
                "At least one authorized scope must be provided",
            ));
        }

        // At least one grant type must be provided
        if config.authorized_grant_types.is_empty() {
            return Err(AuthError::validation(
                "At least one authorized grant type must be provided",
            ));
        }

        // At least one response type must be provided
        if config.authorized_response_types.is_empty() {
            return Err(AuthError::validation(
                "At least one authorized response type must be provided",
            ));
        }

        Ok(())
    }
}

impl Default for ClientRegistry {
    fn default() -> Self {
        // Create default registry with environment-based storage configuration
        let storage =
            if std::env::var("CLIENT_REGISTRY_STORAGE").unwrap_or_default() == "persistent" {
                // In production, this could be database or file-based storage
                Arc::new(InMemoryStorage::new())
            } else {
                // Default to in-memory storage for development/testing
                Arc::new(InMemoryStorage::new())
            };

        Self { storage }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::storage::memory::InMemoryStorage;

    #[tokio::test]
    async fn test_client_registry_operations() {
        let storage = Arc::new(InMemoryStorage::new());
        let registry = ClientRegistry::new(storage).await.unwrap();

        // Create a test client configuration
        let client_config = ClientConfig {
            client_id: "test_client".to_string(),
            client_type: ClientType::Confidential,
            client_secret: Some("test_secret".to_string()),
            redirect_uris: vec!["https://example.com/callback".to_string()].into(),
            ..Default::default()
        };

        // Register the client
        let registered_client = registry
            .register_client(client_config.clone())
            .await
            .unwrap();
        assert_eq!(registered_client.client_id, "test_client");

        // Retrieve the client
        let retrieved_client = registry.get_client("test_client").await.unwrap().unwrap();
        assert_eq!(retrieved_client.client_id, "test_client");
        assert_eq!(retrieved_client.client_type, ClientType::Confidential);

        // Authenticate the client
        let auth_result = registry
            .authenticate_client("test_client", "test_secret")
            .await
            .unwrap();
        assert!(auth_result);

        let auth_fail = registry
            .authenticate_client("test_client", "wrong_secret")
            .await
            .unwrap();
        assert!(!auth_fail);

        // Validate redirect URI
        let valid_uri = registry
            .validate_redirect_uri("test_client", "https://example.com/callback")
            .await
            .unwrap();
        assert!(valid_uri);

        let invalid_uri = registry
            .validate_redirect_uri("test_client", "https://malicious.com/callback")
            .await
            .unwrap();
        assert!(!invalid_uri);

        // Delete the client
        registry.delete_client("test_client").await.unwrap();
        let deleted_client = registry.get_client("test_client").await.unwrap();
        assert!(deleted_client.is_none());
    }

    #[tokio::test]
    async fn test_client_validation() {
        let storage = Arc::new(InMemoryStorage::new());
        let registry = ClientRegistry::new(storage).await.unwrap();

        // Test empty client ID
        let invalid_config = ClientConfig {
            client_id: "".to_string(),
            ..Default::default()
        };
        assert!(registry.register_client(invalid_config).await.is_err());

        // Test confidential client without secret
        let invalid_config = ClientConfig {
            client_type: ClientType::Confidential,
            client_secret: None,
            ..Default::default()
        };
        assert!(registry.register_client(invalid_config).await.is_err());

        // Test public client with secret
        let invalid_config = ClientConfig {
            client_type: ClientType::Public,
            client_secret: Some("secret".to_string()),
            ..Default::default()
        };
        assert!(registry.register_client(invalid_config).await.is_err());

        // Test empty redirect URIs
        let invalid_config = ClientConfig {
            redirect_uris: vec![].into(),
            ..Default::default()
        };
        assert!(registry.register_client(invalid_config).await.is_err());

        // Test insecure redirect URI
        let invalid_config = ClientConfig {
            redirect_uris: vec!["http://example.com/callback".to_string()].into(),
            ..Default::default()
        };
        assert!(registry.register_client(invalid_config).await.is_err());
    }
}