freighter-auth 1.0.0

Cloudflare's third-party Rust registry implementation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

use crate::cf_access::{CfAccess, UserId};
use crate::{AuthError, AuthProvider, AuthResult};
use async_trait::async_trait;
use freighter_api_types::ownership::response::ListedOwner;
use http::{header, HeaderMap, StatusCode};
use serde::Deserialize;

/// Registry auth based on Cloudflare Access, using JsonWebTokens for auth
///
/// It's not possible to validate Service Auth tokens direclty. To use a token,
/// you need to log in with it to an Access-protected URL, and obtain the JWT from
/// the CF_Authorization cookie. This temporary cookie is the only way
/// auth with this Freighter backend.
///
/// For personal account, you can call `cloudflared access token` to obtain the JWT.
pub struct CfAuthProvider {
    team_base_url: String,
    access: CfAccess,
}

impl CfAuthProvider {
    pub fn new(config: Config) -> AuthResult<Self> {
        let access = CfAccess::new(&config.auth_team_base_url, &config.auth_audience)
            .map_err(AuthError::ServiceError)?;
        Ok(Self {
            access,
            team_base_url: config.auth_team_base_url,
        })
    }

    async fn validated_user_id(&self, token: &str) -> AuthResult<UserId> {
        self.access.validated_user_id(token).await
    }
}

#[derive(Deserialize, Clone)]
pub struct Config {
    /// `https://<team name>.cloudflareaccess.com`
    #[serde(default = "default_auth_team_base_url")]
    pub auth_team_base_url: String,
    /// Long hash from overview tab
    #[serde(default = "default_auth_auth_audience")]
    pub auth_audience: String,
}

fn default_auth_team_base_url() -> String {
    std::env::var("FREIGHTER_AUTH_TEAM_BASE_URL")
        .expect("auth_team_base_url not found in config or environment")
}

fn default_auth_auth_audience() -> String {
    std::env::var("FREIGHTER_AUTH_AUDIENCE")
        .expect("auth_audience not found in config or environment")
}

#[async_trait]
impl AuthProvider for CfAuthProvider {
    type Config = Config;

    async fn healthcheck(&self) -> anyhow::Result<()> {
        self.access.refresh().await?;
        Ok(())
    }

    async fn register(&self, _username: &str) -> AuthResult<String> {
        Err(AuthError::Unimplemented)
    }

    async fn list_owners(&self, token: &str, _crate_name: &str) -> AuthResult<Vec<ListedOwner>> {
        self.validated_user_id(token).await?;

        Ok(vec![ListedOwner {
            id: 0,
            login: self.team_base_url.clone(),
            name: None,
        }])
    }

    async fn add_owners(&self, token: &str, _users: &[&str], _crate_name: &str) -> AuthResult<()> {
        // everyone is an owner, so it's technically a no-op
        self.validated_user_id(token).await?;
        Ok(())
    }

    async fn remove_owners(
        &self,
        token: &str,
        _users: &[&str],
        _crate_name: &str,
    ) -> AuthResult<()> {
        self.validated_user_id(token).await?;
        Err(AuthError::Unimplemented)
    }

    async fn publish(&self, token: &str, _crate_name: &str) -> AuthResult<()> {
        // only CI (using service token) is allowed to publish
        let id = self.validated_user_id(token).await?;
        if id.is_service_token() {
            Ok(())
        } else {
            Err(AuthError::Forbidden)
        }
    }

    async fn auth_yank(&self, token: &str, _crate_name: &str) -> AuthResult<()> {
        self.validated_user_id(token).await?;
        Ok(())
    }

    /// Fetch of config.json.
    async fn auth_config(&self, token: &str) -> AuthResult<()> {
        self.validated_user_id(token).await?;
        Ok(())
    }

    async fn auth_index_fetch(
        &self,
        token: &str,
        _all_users_can_read_crates: &str,
    ) -> AuthResult<()> {
        self.validated_user_id(token).await?;
        Ok(())
    }

    async fn auth_crate_download(
        &self,
        token: &str,
        _all_users_can_read_crates: &str,
    ) -> AuthResult<()> {
        self.validated_user_id(token).await?;
        Ok(())
    }

    async fn auth_view_full_index(&self, token: &str) -> AuthResult<()> {
        self.validated_user_id(token).await?;
        Ok(())
    }

    fn token_from_headers<'h>(
        &self,
        headers: &'h HeaderMap,
    ) -> Result<Option<&'h str>, StatusCode> {
        if let Some(res) = crate::default_token_from_headers(headers)? {
            return Ok(Some(res.strip_prefix("CF_Authorization=").unwrap_or(res)));
        }
        if let Some(cookies) = headers.get(header::COOKIE) {
            let cookies = cookies.to_str().map_err(|_| StatusCode::BAD_REQUEST)?;
            for c in cookie::Cookie::split_parse(cookies) {
                let c = c.map_err(|_| StatusCode::BAD_REQUEST)?;
                if c.name() == "CF_Authorization" {
                    return Ok(c.value_raw());
                }
            }
        }
        Ok(None)
    }
}

#[test]
fn cookie_parse() {
    let a = CfAuthProvider::new(Config {
        auth_audience: "...".into(),
        auth_team_base_url: "https://test.example.net".into(),
    })
    .unwrap();

    let mut h = http::HeaderMap::new();
    h.insert("cookie", http::HeaderValue::from_static("other.cookie=1; lastViewedForm-TEST={}; JSESSIONID=EE; CF_AppSession=2; CF_Authorization=aaaaaaaaa.bbbbbbb.cccccc; X=1"));

    let cookie = a.token_from_headers(&h).unwrap().unwrap();
    assert_eq!("aaaaaaaaa.bbbbbbb.cccccc", cookie);
}