gel-auth 0.1.7

Authentication and authorization for the Gel database.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335

use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq, Default, Debug)]
pub enum ConnectionSslRequirement {
    /// SSL is disabled, and it is an error to attempt to use it.
    #[default]
    Disable,
    /// SSL is optional, but we prefer to use it.
    Optional,
    /// SSL is required and it is an error to reject it.
    Required,
}

mod client_state_machine;
mod server_state_machine;

pub mod client {
    pub use super::client_state_machine::*;
}

pub mod server {
    pub use super::server_state_machine::*;
}

macro_rules! __invalid_state {
    ($error:literal) => {{
        eprintln!(
            "Invalid connection state: {}\n{}",
            $error,
            ::std::backtrace::Backtrace::capture()
        );
        #[allow(deprecated)]
        $crate::postgres::ConnectionError::__InvalidState
    }};
}
pub(crate) use __invalid_state as invalid_state;

#[derive(Debug, derive_more::Error, derive_more::Display, derive_more::From)]
pub enum ConnectionError {
    /// Invalid state error, suggesting a logic error in code rather than a server or client failure.
    /// Use the `invalid_state!` macro instead which will print a backtrace.
    #[display("Invalid state")]
    #[deprecated = "Use invalid_state!"]
    __InvalidState,

    /// Error returned by the server.
    #[display("Server error: {_0}")]
    ServerError(#[from] gel_pg_protocol::errors::PgServerError),

    /// The server sent something we didn't expect
    #[display("Unexpected server response: {_0}")]
    UnexpectedResponse(#[error(not(source))] String),

    /// Error related to SCRAM authentication.
    #[display("SCRAM: {_0}")]
    Scram(#[from] crate::scram::SCRAMError),

    /// I/O error encountered during connection operations.
    #[display("I/O error: {_0}")]
    Io(#[from] std::io::Error),

    /// UTF-8 decoding error.
    #[display("UTF8 error: {_0}")]
    Utf8Error(#[from] std::str::Utf8Error),

    /// SSL-related error.
    #[display("SSL error: {_0}")]
    SslError(#[from] SslError),

    #[display("Protocol error: {_0}")]
    ParseError(#[from] gel_pg_protocol::prelude::ParseError),
}

#[derive(Debug, derive_more::Error, derive_more::Display)]
pub enum SslError {
    #[display("SSL is not supported by this client transport")]
    SslUnsupportedByClient,
    #[display("SSL was required by the client, but not offered by server (rejected SSL)")]
    SslRequiredByClient,
}

/// A sufficient set of required parameters to connect to a given transport.
#[derive(Clone, Default, derive_more::Debug)]
pub struct Credentials {
    pub username: String,
    #[debug(skip)]
    pub password: String,
    pub database: String,
    pub server_settings: HashMap<String, String>,
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::*;
    use gel_pg_protocol::errors::*;
    use gel_pg_protocol::prelude::*;
    use gel_pg_protocol::protocol::*;
    use rstest::rstest;
    use std::collections::VecDeque;

    #[derive(Debug, Default)]
    struct ConnectionPipe {
        cmsg: VecDeque<(bool, Vec<u8>)>,
        smsg: VecDeque<(bool, Vec<u8>)>,
        sparams: bool,
        sauth_user: Option<String>,
        cauth: Option<AuthType>,
        cerror: Option<PgError>,
        serror: Option<PgError>,
    }

    impl client::ConnectionStateUpdate for ConnectionPipe {
        fn auth(&mut self, auth: AuthType) {
            eprintln!("Client: Auth = {auth:?}");
            self.cauth = Some(auth);
        }
        fn cancellation_key(&mut self, _pid: i32, _key: i32) {}
        fn parameter(&mut self, _name: &str, _value: &str) {}
        fn server_error(&mut self, error: &PgServerError) {
            self.cerror = Some(error.code);
        }
        fn state_changed(&mut self, state: client::ConnectionStateType) {
            eprintln!("Client: Start = {state:?}");
        }
    }

    impl client::ConnectionStateSend for ConnectionPipe {
        fn send<'a, M>(
            &mut self,
            message: impl IntoFrontendBuilder<'a, M>,
        ) -> Result<(), std::io::Error> {
            let message = message.into_builder();
            eprintln!("Client -> Server {message:?}");
            self.smsg.push_back((false, message.to_vec()));
            Ok(())
        }
        fn send_initial<'a, M>(
            &mut self,
            message: impl IntoInitialBuilder<'a, M>,
        ) -> Result<(), std::io::Error> {
            let message = message.into_builder();
            eprintln!("Client -> Server {message:?}");
            self.smsg.push_back((true, message.to_vec()));
            Ok(())
        }
        fn upgrade(&mut self) -> Result<(), std::io::Error> {
            unimplemented!()
        }
    }

    impl server::ConnectionStateUpdate for ConnectionPipe {
        fn state_changed(&mut self, _state: server::ConnectionStateType) {}
        fn parameter(&mut self, _name: &str, _value: &str) {}
        fn server_error(&mut self, error: &PgServerError) {
            self.serror = Some(error.code);
        }
    }

    impl server::ConnectionStateSend for ConnectionPipe {
        fn auth(&mut self, user: String, database: String) -> Result<(), std::io::Error> {
            eprintln!("Server: auth request {user}/{database}");
            self.sauth_user = Some(user);
            Ok(())
        }
        fn params(&mut self) -> Result<(), std::io::Error> {
            eprintln!("Server: param request");
            self.sparams = true;
            Ok(())
        }
        fn send<'a, M>(
            &mut self,
            message: impl IntoBackendBuilder<'a, M>,
        ) -> Result<(), std::io::Error> {
            let message = message.into_builder();
            eprintln!("Server -> Client {message:?}");
            self.cmsg.push_back((false, message.to_vec()));
            Ok(())
        }
        fn send_ssl(&mut self, message: SSLResponseBuilder) -> Result<(), std::io::Error> {
            self.cmsg.push_back((true, message.to_vec()));
            Ok(())
        }
        fn upgrade(&mut self) -> Result<(), std::io::Error> {
            unimplemented!()
        }
    }

    /// We test the full matrix of server and client combinations.
    #[rstest]
    fn test_both(
        #[values(
            AuthType::Deny,
            AuthType::Trust,
            AuthType::Plain,
            AuthType::Md5,
            AuthType::ScramSha256
        )]
        auth_type: AuthType,
        #[values(
            AuthType::Deny,
            AuthType::Trust,
            AuthType::Plain,
            AuthType::Md5,
            AuthType::ScramSha256
        )]
        credential_type: AuthType,
        #[values(true, false)] correct_password: bool,
    ) {
        let mut client = client::ConnectionState::new(
            Credentials {
                username: "user".to_string(),
                password: "password".to_string(),
                database: "database".to_string(),
                ..Default::default()
            },
            ConnectionSslRequirement::Disable,
        );
        let mut server = server::ServerState::new(ConnectionSslRequirement::Disable);

        // We test all variations here, but not all combinations will result in
        // valid auth, even with a correct password.
        let expect_success = match (auth_type, credential_type, correct_password) {
            // If the server is set to trust, we always succeed (as no password is exchanged)
            (AuthType::Trust, ..) => true,
            // If the server is asking for a denial auth type, it'll always fail
            (AuthType::Deny, ..) => false,
            // If the credential is denial, it'll always fail
            (_, AuthType::Deny, _) => false,
            // SCRAM succeeds if the credential is SCRAM or Password (it cannot
            // succeed with a Trust credential because the server also sends a
            // verifier to the client.
            (AuthType::ScramSha256, AuthType::ScramSha256 | AuthType::Plain, correct) => correct,
            (AuthType::ScramSha256, _, _) => false,
            // Other auth types will always succeed if credential type is trust
            (_, AuthType::Trust, _) => true,
            // MD5 succeeds if the credential is not SCRAM
            (AuthType::Md5, AuthType::Md5 | AuthType::Plain, correct) => correct,
            (AuthType::Md5, _, _) => false,
            // Plain text works in all cases
            (AuthType::Plain, _, correct) => correct,
        };

        let mut client_error = false;
        let mut server_error = false;

        let mut pipe = ConnectionPipe::default();
        // This one can never fail
        client
            .drive(client::ConnectionDrive::Initial, &mut pipe)
            .unwrap();
        let mut max_iterations: i32 = 100;
        loop {
            max_iterations -= 1;
            if max_iterations == 0 {
                panic!("Failed to complete");
            }
            if let Some(user) = pipe.sauth_user.take() {
                eprintln!("Sending auth");
                let password = if correct_password {
                    "password".to_owned()
                } else {
                    "incorrect".to_owned()
                };
                let data = CredentialData::new(credential_type, user.clone(), password);
                server_error |= server
                    .drive(
                        server::ConnectionDrive::AuthInfo(auth_type, data),
                        &mut pipe,
                    )
                    .is_err();
            }
            if pipe.sparams {
                server_error |= server
                    .drive(
                        server::ConnectionDrive::Parameter("param1".to_owned(), "value".to_owned()),
                        &mut pipe,
                    )
                    .is_err();
                server_error |= server
                    .drive(
                        server::ConnectionDrive::Parameter("param2".to_owned(), "value".to_owned()),
                        &mut pipe,
                    )
                    .is_err();
                server_error |= server
                    .drive(server::ConnectionDrive::Ready(1234, 4567), &mut pipe)
                    .is_err();
            }
            while let Some((initial, msg)) = pipe.smsg.pop_front() {
                if initial {
                    server_error |= server
                        .drive(
                            server::ConnectionDrive::Initial(InitialMessage::new(&msg)),
                            &mut pipe,
                        )
                        .is_err();
                } else {
                    server_error |= server
                        .drive(
                            server::ConnectionDrive::Message(Message::new(&msg)),
                            &mut pipe,
                        )
                        .is_err();
                }
            }
            while let Some((ssl, msg)) = pipe.cmsg.pop_front() {
                if ssl {
                    unimplemented!()
                } else {
                    client_error |= client
                        .drive(
                            client::ConnectionDrive::Message(Message::new(&msg)),
                            &mut pipe,
                        )
                        .is_err();
                }
            }
            if client.is_done() && server.is_done() {
                break;
            }
        }

        if expect_success {
            assert!(
                client.is_ready() && server.is_ready(),
                "client={client:?} server={server:?}"
            );
        } else {
            assert!(client_error && server_error);
            assert!(pipe.cerror.is_some() && pipe.serror.is_some());
            assert!(client.is_error() && server.is_error())
        }
    }
}