micromegas-auth 0.19.0

Authentication providers for Micromegas (API keys, OIDC)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

use crate::types::{AuthContext, AuthProvider, AuthType};
use anyhow::{Result, anyhow};
use serde::Deserialize;
use std::{collections::HashMap, fmt::Display};
use subtle::ConstantTimeEq;

/// Represents a key in the keyring.
#[derive(Hash, Eq, PartialEq)]
pub struct Key {
    /// The key value
    pub value: String,
}

impl Key {
    /// Creates a new `Key` from a string value.
    pub fn new(value: String) -> Self {
        Self { value }
    }
}

impl From<String> for Key {
    fn from(value: String) -> Self {
        Self { value }
    }
}

impl Display for Key {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "<sensitive key>")
    }
}

/// Deserializes a string into a `Key`.
fn key_from_string<'de, D>(deserializer: D) -> Result<Key, D::Error>
where
    D: serde::Deserializer<'de>,
{
    let s: String = Deserialize::deserialize(deserializer)?;
    Ok(Key::new(s))
}

/// Represents an entry in the keyring, mapping a key to a name.
#[derive(Deserialize)]
pub struct KeyRingEntry {
    /// The name associated with the key
    pub name: String,
    /// The key
    #[serde(deserialize_with = "key_from_string")]
    pub key: Key,
}

/// A map from `Key` to `String` (name).
pub type KeyRing = HashMap<Key, String>;

/// Parses a JSON string into a `KeyRing`.
///
/// The JSON string is expected to be an array of objects, each with a `name` and `key` field.
pub fn parse_key_ring(json: &str) -> Result<KeyRing> {
    let entries: Vec<KeyRingEntry> = serde_json::from_str(json)?;
    let mut ring = KeyRing::new();
    for entry in entries {
        ring.insert(entry.key, entry.name);
    }
    Ok(ring)
}

/// API key authentication provider
pub struct ApiKeyAuthProvider {
    keyring: KeyRing,
}

impl ApiKeyAuthProvider {
    /// Create a new API key authentication provider
    pub fn new(keyring: KeyRing) -> Self {
        Self { keyring }
    }
}

#[async_trait::async_trait]
impl AuthProvider for ApiKeyAuthProvider {
    /// Validate an API key request using constant-time comparison
    ///
    /// This implementation protects against timing attacks by:
    /// 1. Comparing the provided token against ALL keys in the keyring
    /// 2. Using constant-time comparison from the `subtle` crate
    /// 3. Always iterating through all keys regardless of match status
    ///
    /// This ensures the operation takes the same amount of time whether:
    /// - The key is found early in the iteration
    /// - The key is found late in the iteration
    /// - The key is not found at all
    async fn validate_request(
        &self,
        parts: &dyn crate::types::RequestParts,
    ) -> Result<AuthContext> {
        let token = parts
            .bearer_token()
            .ok_or_else(|| anyhow!("missing bearer token"))?;

        let token_bytes = token.as_bytes();
        let mut found: Option<AuthContext> = None;

        // Compare against all keys in constant time
        // IMPORTANT: We iterate through ALL keys, even if we find a match,
        // to ensure constant-time operation
        for (stored_key, name) in &self.keyring {
            let stored_bytes = stored_key.value.as_bytes();

            // Constant-time comparison
            // Returns 1 if equal, 0 if not equal
            let matches = token_bytes.ct_eq(stored_bytes).unwrap_u8() == 1;

            // Conditionally set the result without branching on the match
            // If matches is true, we set found; if matches is false, found stays as-is
            if matches {
                found = Some(AuthContext {
                    subject: name.clone(),
                    email: None,
                    issuer: "api_key".to_string(),
                    audience: None,
                    expires_at: None,
                    auth_type: AuthType::ApiKey,
                    // SECURITY: API keys can NEVER be admins - only OIDC users can have admin privileges
                    is_admin: false,
                    // SECURITY: API keys CAN delegate (act on behalf of users)
                    allow_delegation: true,
                });
            }
            // Note: We do NOT break or return early - we continue checking all keys
        }

        found.ok_or_else(|| anyhow!("invalid API token"))
    }
}