drogue-bazaar 0.3.0

A place to find tools for building your Rust application
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158

use super::{AuthN, Credentials, UsernameAndToken};
use crate::auth::AuthError;
use actix_http::body::EitherBody;
use actix_service::{Service, Transform};
use actix_web::{
    dev::{ServiceRequest, ServiceResponse},
    web::Query,
    Error, HttpMessage,
};
use actix_web_httpauth::extractors::{basic::BasicAuth, bearer::BearerAuth};
use chrono::{DateTime, Utc};
use futures_util::future::{ok, LocalBoxFuture, Ready};
use serde::Deserialize;
use std::rc::Rc;

pub struct AuthMiddleware<S> {
    service: Rc<S>,
    authenticator: AuthN,
}

// 1. Middleware initialization
// Middleware factory is `Transform` trait from actix-service crate
// `S` - type of the next service
// `B` - type of response's body
impl<S, B> Transform<S, ServiceRequest> for AuthN
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = S::Error;
    type Transform = AuthMiddleware<S>;
    type InitError = ();
    type Future = Ready<Result<Self::Transform, Self::InitError>>;

    fn new_transform(&self, service: S) -> Self::Future {
        ok(AuthMiddleware {
            service: Rc::new(service),
            authenticator: self.clone(),
        })
    }
}

#[derive(Debug, Clone, PartialEq)]
pub struct AuthenticatedUntil(pub DateTime<Utc>);

#[derive(Deserialize, Debug)]
struct Token {
    token: String,
}
#[derive(Deserialize, Debug)]
struct ApiKey {
    username: String,
    api_key: String,
}

// 2. Middleware's call method gets called with normal request.
impl<S, B> Service<ServiceRequest> for AuthMiddleware<S>
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;
    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;

    actix_service::forward_ready!(service);

    fn call(&self, mut req: ServiceRequest) -> Self::Future {
        let srv = Rc::clone(&self.service);
        let auth = self.authenticator.clone();

        Box::pin(async move {
            let basic_auth = req.extract::<BasicAuth>().await;
            let bearer_auth = req.extract::<BearerAuth>().await;

            // This match a "token" or "api_key" query parameter
            let query_str = req.query_string();
            let token_query_param = Query::<Token>::from_query(query_str);
            let api_key_query_param = Query::<ApiKey>::from_query(query_str);

            log::debug!(
                "Basic: {:?}, Bearer: {:?}, Query.token: {:?} Query.api_key: {:?}",
                basic_auth,
                bearer_auth,
                token_query_param,
                api_key_query_param,
            );

            // now evaluate

            let credentials = match (
                basic_auth,
                bearer_auth,
                token_query_param,
                api_key_query_param,
            ) {
                // basic auth is present
                (Ok(basic), Err(_), Err(_), Err(_)) => {
                    Ok(Credentials::AccessToken(UsernameAndToken {
                        username: basic.user_id().to_string(),
                        access_token: basic.password().map(|k| k.to_string()),
                    }))
                }
                // bearer auth is present
                (Err(_), Ok(bearer), Err(_), Err(_)) => {
                    Ok(Credentials::OpenIDToken(bearer.token().to_string()))
                }

                // token query param is present
                (Err(_), Err(_), Ok(query), Err(_)) => Ok(Credentials::OpenIDToken(query.0.token)),
                // api_key query param is present
                (Err(_), Err(_), Err(_), Ok(query)) => {
                    Ok(Credentials::AccessToken(UsernameAndToken {
                        username: query.0.username,
                        access_token: Some(query.0.api_key),
                    }))
                }

                // No headers and no query param (or both headers are invalid, but both invalid should be met with a Bad request anyway)
                (Err(_), Err(_), Err(_query), Err(_api_key)) => Ok(Credentials::Anonymous),
                // More than one way of authentication provided
                // Note on both headers provided and valid -> This never happens, the NGINX load balancer sends back 400 Bad request.
                (_, _, _, _) => Err(AuthError::InvalidRequest(
                    "More than one way of authentication provided".to_string(),
                )),
            };

            // authentication
            let auth_result = match credentials {
                Ok(c) => auth.authenticate(c).await,
                Err(err) => {
                    log::info!("Credentials error: {err}");
                    Err(err)
                }
            };

            match auth_result {
                Ok((user, time)) => {
                    log::debug!("Authenticated: {user:?}");
                    // insert the UserInformation and the expiration time of the token in the request
                    req.extensions_mut().insert(user);
                    if let Some(exp) = time {
                        req.extensions_mut().insert(AuthenticatedUntil(exp));
                    }
                    // then forward it to the next service
                    srv.call(req).await.map(|res| res.map_into_left_body())
                }
                Err(err) => {
                    log::debug!("Authentication error: {err}");
                    Ok(req.error_response(err).map_into_right_body())
                }
            }
        })
    }
}