clasp-router 4.3.0

CLASP message router and server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

//! HELLO message handler -- authenticates clients and creates sessions.
//!
//! In `Authenticated` mode, the client must present a valid token (CPSK, capability,
//! or entity). On success the handler creates a `Session`, sends WELCOME + snapshot.

use clasp_core::{codec, ErrorMessage, Message, SecurityMode, ValidationResult};
use std::sync::Arc;
use tracing::{error, info, warn};

use super::{send_chunked_snapshot, HandlerContext, MessageResult};
use crate::session::Session;

pub(crate) async fn handle(
    hello: &clasp_core::HelloMessage,
    ctx: &HandlerContext<'_>,
) -> Option<MessageResult> {
    // Auth flow: In Open mode, skip validation entirely. In Authenticated mode,
    // require a token, run it through the validator chain (CPSK -> caps -> entity),
    // and reject on any failure before creating a session.
    // See pentest CAP-01: Token Forgery, ENT-01: Signature Bypass, ENT-04: Non-Existent Entity
    let (authenticated, subject, scopes) = match ctx.security_mode {
        SecurityMode::Open => (false, None, Vec::new()),
        SecurityMode::Authenticated => {
            let token = match &hello.token {
                Some(t) => t,
                // See pentest FED-09: Unauthenticated Federation
                None => {
                    warn!("Connection rejected: no token provided in authenticated mode");
                    #[cfg(feature = "metrics")]
                    metrics::counter!("clasp_errors_total", "code" => "300").increment(1);
                    let error = Message::Error(ErrorMessage {
                        code: 300,
                        message: "Authentication required".to_string(),
                        address: None,
                        correlation_id: None,
                    });
                    let bytes = codec::encode(&error).ok()?;
                    let _ = ctx.sender.send(bytes).await;
                    return Some(MessageResult::Disconnect);
                }
            };

            let validator = match ctx.token_validator {
                Some(v) => v,
                None => {
                    error!("Authenticated mode but no token validator configured");
                    #[cfg(feature = "metrics")]
                    metrics::counter!("clasp_errors_total", "code" => "500").increment(1);
                    let error = Message::Error(ErrorMessage {
                        code: 500,
                        message: "Server misconfiguration".to_string(),
                        address: None,
                        correlation_id: None,
                    });
                    let bytes = codec::encode(&error).ok()?;
                    let _ = ctx.sender.send(bytes).await;
                    return Some(MessageResult::Disconnect);
                }
            };

            match validator.validate(token) {
                ValidationResult::Valid(info) => {
                    info!(
                        "Token validated for subject: {:?}, scopes: {}",
                        info.subject,
                        info.scopes.len()
                    );
                    (true, info.subject, info.scopes)
                }
                ValidationResult::Expired => {
                    warn!("Connection rejected: token expired");
                    #[cfg(feature = "metrics")]
                    metrics::counter!("clasp_errors_total", "code" => "302").increment(1);
                    let error = Message::Error(ErrorMessage {
                        code: 302,
                        message: "Token has expired".to_string(),
                        address: None,
                        correlation_id: None,
                    });
                    let bytes = codec::encode(&error).ok()?;
                    let _ = ctx.sender.send(bytes).await;
                    return Some(MessageResult::Disconnect);
                }
                ValidationResult::Invalid(reason) => {
                    warn!("Connection rejected: invalid token - {}", reason);
                    #[cfg(feature = "metrics")]
                    metrics::counter!("clasp_errors_total", "code" => "300").increment(1);
                    let error = Message::Error(ErrorMessage {
                        code: 300,
                        message: format!("Invalid token: {}", reason),
                        address: None,
                        correlation_id: None,
                    });
                    let bytes = codec::encode(&error).ok()?;
                    let _ = ctx.sender.send(bytes).await;
                    return Some(MessageResult::Disconnect);
                }
                ValidationResult::NotMyToken => {
                    warn!("Connection rejected: unrecognized token format");
                    #[cfg(feature = "metrics")]
                    metrics::counter!("clasp_errors_total", "code" => "300").increment(1);
                    let error = Message::Error(ErrorMessage {
                        code: 300,
                        message: "Unrecognized token format".to_string(),
                        address: None,
                        correlation_id: None,
                    });
                    let bytes = codec::encode(&error).ok()?;
                    let _ = ctx.sender.send(bytes).await;
                    return Some(MessageResult::Disconnect);
                }
            }
        }
    };

    let mut new_session = Session::new(
        ctx.sender.clone(),
        hello.name.clone(),
        hello.features.clone(),
    );

    if authenticated {
        new_session.set_authenticated(hello.token.clone().unwrap_or_default(), subject, scopes);
    }

    let new_session = Arc::new(new_session);
    let session_id = new_session.id.clone();
    ctx.sessions.insert(session_id.clone(), new_session.clone());

    info!(
        "Session created: {} ({}) authenticated={}",
        hello.name, session_id, new_session.authenticated
    );

    #[cfg(feature = "federation")]
    if new_session.is_federation_peer() {
        info!("Federation peer detected: {} ({})", hello.name, session_id);
    }

    let welcome = new_session.welcome_message(&ctx.config.name, &ctx.config.features);
    let response = codec::encode(&welcome).ok()?;
    let _ = ctx.sender.send(response).await;

    let mut full_snapshot = ctx.state.full_snapshot();
    if let Some(ref filter) = ctx.snapshot_filter {
        full_snapshot.params =
            filter.filter_snapshot(full_snapshot.params, &new_session, ctx.state);
    }
    send_chunked_snapshot(ctx.sender, full_snapshot).await;

    Some(MessageResult::NewSession(new_session))
}