drogue-bazaar 0.3.0

A place to find tools for building your Rust application
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

mod middleware;

use crate::auth::{openid, pat, AuthError, UserInformation};
use ::openid::{Claims, CustomClaims};
use chrono::{DateTime, LocalResult, TimeZone, Utc};
pub use middleware::AuthenticatedUntil;
use tracing::instrument;

/// Credentials
pub enum Credentials {
    /// openID token
    OpenIDToken(String),
    /// username + Personal Access Token
    AccessToken(UsernameAndToken),
    /// Anonymous
    Anonymous,
}

pub struct UsernameAndToken {
    pub username: String,
    pub access_token: Option<String>,
}

/// An Authentication middleware for actix-web relying on drogue-cloud user-auth-service and an openID service
///
/// This middleware will act on each request and try to authenticate the request with :
/// - The `Authorisation: Bearer` header, which should contain an openID token.
/// - The `Authorisation: Basic` header, which should contain a username and an access token issued by the drogue-cloud API.
/// - The `token` query parameter, which should contain am openID token.
///
/// If more than one of the above is provided, the request will be responded with `400: Bad request.`
///
/// After the authentication is successful, this middleware will inject the `UserInformation` in the request object and forward it.
///
/// # Fields
///
/// * `open_id` - An instance of [`openid::Authenticator`] It's an openID client. It is used to verify OpenID tokens.
/// * `token` - An instance of [`pat::Authenticator`]. It's a client for drogue-cloud-user-auth-service. It is used to verify API keys.
/// * `enable_access_token` - Whether to allow access tokens for authentication.
///
#[derive(Clone, Debug)]
pub enum AuthN {
    /// Authentication is disabled, all requests will be using [`UserInformation::Anonymous`].
    Disabled,
    /// Authentication is enabled, using openid or API tokens.
    ///
    /// **NOTE:** If neither is provided, all requests will fail.
    Enabled {
        openid: Option<openid::Authenticator>,
        token: Option<pat::Authenticator>,
    },
}

/// Map a combination of openid and PAT authenticator
impl From<(Option<openid::Authenticator>, Option<pat::Authenticator>)> for AuthN {
    fn from(auth: (Option<openid::Authenticator>, Option<pat::Authenticator>)) -> Self {
        let (openid, token) = auth;
        if openid.is_none() {
            AuthN::Disabled
        } else {
            AuthN::Enabled { openid, token }
        }
    }
}

impl AuthN {
    #[instrument(skip_all, err)]
    async fn authenticate(
        &self,
        credentials: Credentials,
    ) -> Result<(UserInformation, Option<DateTime<Utc>>), AuthError> {
        match self {
            Self::Disabled => {
                // authentication disabled
                Ok((UserInformation::Anonymous, None))
            }
            Self::Enabled { openid, token } => match credentials {
                Credentials::AccessToken(creds) => {
                    if let Some(token) = token {
                        if creds.access_token.is_none() {
                            log::debug!("Cannot authenticate : empty access token.");
                            return Err(AuthError::InvalidRequest(String::from(
                                "No access token provided.",
                            )));
                        }
                        let auth_response = token
                            .authenticate(pat::Request {
                                user_id: creds.username.clone(),
                                access_token: creds.access_token.clone().unwrap_or_default(),
                            })
                            .await
                            .map_err(|e| AuthError::Internal(e.to_string()))?;
                        match auth_response.outcome {
                            pat::Outcome::Known(details) => {
                                Ok((UserInformation::Authenticated(details), None))
                            }
                            pat::Outcome::Unknown => {
                                log::debug!("Unknown access token");
                                Err(AuthError::Forbidden)
                            }
                        }
                    } else {
                        log::debug!("Access token authentication disabled");
                        Err(AuthError::InvalidRequest(
                            "Access token authentication disabled".to_string(),
                        ))
                    }
                }
                Credentials::OpenIDToken(token) => {
                    if let Some(openid) = openid {
                        match openid.validate_token(&token).await {
                            Ok(token) => Ok((
                                UserInformation::Authenticated(token.clone().into()),
                                Some(to_expiration(token.standard_claims().exp())?),
                            )),
                            Err(err) => {
                                log::debug!("Authentication error: {err}");
                                Err(AuthError::Forbidden)
                            }
                        }
                    } else {
                        log::debug!("Open ID authentication disabled");
                        Err(AuthError::InvalidRequest(
                            "Open ID authentication disabled".to_string(),
                        ))
                    }
                }
                Credentials::Anonymous => Ok((UserInformation::Anonymous, None)),
            },
        }
    }
}

/// Convert "exp" timestamp to `DateTime`.
fn to_expiration(exp: i64) -> Result<DateTime<Utc>, AuthError> {
    match Utc.timestamp_opt(exp, 0) {
        LocalResult::None => Err(AuthError::Internal(
            "Unable to convert timestamp".to_string(),
        )),
        LocalResult::Single(exp) => Ok(exp),
        LocalResult::Ambiguous(min, _) => Ok(min),
    }
}