multistore-oidc-provider 0.4.0

OIDC provider for outbound authentication — JWT signing, JWKS serving, and cloud credential exchange
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303

//! OIDC-based backend credential resolution.
//!
//! When a bucket's `backend_options` contains `auth_type=oidc`, the proxy
//! mints a self-signed JWT and exchanges it for temporary cloud credentials
//! via the cloud provider's STS. The resolved credentials are injected back
//! into the config so the existing builder pipeline works unmodified.
//!
//! Implements the [`Middleware`] trait so that credential resolution runs
//! as part of the dispatch middleware chain.

use multistore::error::ProxyError;
use multistore::middleware::{DispatchContext, Middleware, Next};
use multistore::route_handler::HandlerAction;
use multistore::types::BucketConfig;
use std::borrow::Cow;
use std::collections::HashMap;

use crate::exchange::aws::AwsExchange;
use crate::{HttpExchange, OidcCredentialProvider};

/// AWS OIDC backend auth — exchanges a self-signed JWT for temporary
/// AWS credentials via `AssumeRoleWithWebIdentity`.
pub struct AwsBackendAuth<H: HttpExchange> {
    provider: OidcCredentialProvider<H>,
}

impl<H: HttpExchange> AwsBackendAuth<H> {
    /// Wrap an [`OidcCredentialProvider`] as middleware for AWS credential resolution.
    pub fn new(provider: OidcCredentialProvider<H>) -> Self {
        Self { provider }
    }

    async fn resolve_aws(
        &self,
        config: &BucketConfig,
    ) -> Result<HashMap<String, String>, ProxyError> {
        let role_arn = config.option("oidc_role_arn").ok_or_else(|| {
            ProxyError::ConfigError(
                "auth_type=oidc requires 'oidc_role_arn' in backend_options".into(),
            )
        })?;
        let subject = config.option("oidc_subject").unwrap_or("s3-proxy");

        let exchange = AwsExchange::new(role_arn.to_string());
        let creds = self
            .provider
            .get_credentials(role_arn, &exchange, subject, &[])
            .await?;

        let mut options = config.backend_options.clone();
        options.insert("access_key_id".into(), creds.access_key_id.clone());
        options.insert("secret_access_key".into(), creds.secret_access_key.clone());
        options.insert("token".into(), creds.session_token.clone());

        // Remove OIDC-specific keys so they don't confuse the builder.
        options.remove("auth_type");
        options.remove("oidc_role_arn");
        options.remove("oidc_subject");

        Ok(options)
    }

    /// Internal helper: resolve credentials if bucket needs OIDC.
    ///
    /// Returns `None` if the bucket doesn't use OIDC auth, `Some(options)` with
    /// replacement backend options if it does.
    #[cfg(test)]
    async fn resolve_credentials(
        &self,
        config: &BucketConfig,
    ) -> Result<Option<HashMap<String, String>>, ProxyError> {
        if config.option("auth_type") != Some("oidc") {
            return Ok(None);
        }
        match config.backend_type.as_str() {
            "s3" => self.resolve_aws(config).await.map(Some),
            other => Err(ProxyError::ConfigError(format!(
                "OIDC backend auth not yet supported for backend_type '{other}'"
            ))),
        }
    }
}

impl<H: HttpExchange> Middleware for AwsBackendAuth<H> {
    async fn handle<'a>(
        &'a self,
        mut ctx: DispatchContext<'a>,
        next: Next<'a>,
    ) -> Result<HandlerAction, ProxyError> {
        if let Some(ref bucket_config) = ctx.bucket_config {
            if bucket_config.option("auth_type") == Some("oidc") {
                match bucket_config.backend_type.as_str() {
                    "s3" => {
                        let options = self.resolve_aws(bucket_config).await?;
                        ctx.bucket_config = Some(Cow::Owned(BucketConfig {
                            backend_options: options,
                            ..ctx.bucket_config.unwrap().into_owned()
                        }));
                    }
                    other => {
                        return Err(ProxyError::ConfigError(format!(
                            "OIDC backend auth not yet supported for backend_type '{other}'"
                        )));
                    }
                }
            }
        }
        next.run(ctx).await
    }
}

/// Wrapper enum that runtimes use as a single concrete middleware type.
///
/// `Enabled` holds the live OIDC provider; `Disabled` is the no-op fallback.
/// When disabled and a bucket specifies `auth_type=oidc`, a `ConfigError`
/// is returned.
pub enum MaybeOidcAuth<H: HttpExchange> {
    /// OIDC provider is configured; delegates to [`AwsBackendAuth`].
    Enabled(Box<AwsBackendAuth<H>>),
    /// No OIDC provider configured; requests requiring OIDC auth will fail with a config error.
    Disabled,
}

impl<H: HttpExchange> Middleware for MaybeOidcAuth<H> {
    async fn handle<'a>(
        &'a self,
        ctx: DispatchContext<'a>,
        next: Next<'a>,
    ) -> Result<HandlerAction, ProxyError> {
        match self {
            MaybeOidcAuth::Enabled(auth) => auth.handle(ctx, next).await,
            MaybeOidcAuth::Disabled => {
                let is_oidc = ctx
                    .bucket_config
                    .as_deref()
                    .and_then(|c| c.option("auth_type"))
                    == Some("oidc");
                if is_oidc {
                    Err(ProxyError::ConfigError(
                        "bucket requires auth_type=oidc but no OIDC provider is configured".into(),
                    ))
                } else {
                    next.run(ctx).await
                }
            }
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::jwt::JwtSigner;
    use crate::OidcProviderError;
    use chrono::{Duration, Utc};
    use std::sync::atomic::{AtomicUsize, Ordering};
    use std::sync::Arc;

    #[derive(Clone)]
    struct MockHttp {
        call_count: Arc<AtomicUsize>,
    }

    impl MockHttp {
        fn new() -> Self {
            Self {
                call_count: Arc::new(AtomicUsize::new(0)),
            }
        }
    }

    impl HttpExchange for MockHttp {
        async fn post_form(
            &self,
            _url: &str,
            _form: &[(&str, &str)],
        ) -> Result<String, OidcProviderError> {
            self.call_count.fetch_add(1, Ordering::SeqCst);
            let exp = (Utc::now() + Duration::hours(1)).to_rfc3339();
            Ok(format!(
                r#"<AssumeRoleWithWebIdentityResponse>
                    <AssumeRoleWithWebIdentityResult>
                        <Credentials>
                            <AccessKeyId>AKID_OIDC</AccessKeyId>
                            <SecretAccessKey>secret_oidc</SecretAccessKey>
                            <SessionToken>token_oidc</SessionToken>
                            <Expiration>{exp}</Expiration>
                        </Credentials>
                    </AssumeRoleWithWebIdentityResult>
                </AssumeRoleWithWebIdentityResponse>"#
            ))
        }
    }

    fn test_signer() -> JwtSigner {
        use rsa::pkcs8::EncodePrivateKey;
        let mut rng = rand::rngs::OsRng;
        let key = rsa::RsaPrivateKey::new(&mut rng, 2048).unwrap();
        let pem = key.to_pkcs8_pem(rsa::pkcs8::LineEnding::LF).unwrap();
        JwtSigner::from_pem(&pem, "test-kid".into(), 300).unwrap()
    }

    fn oidc_bucket_config() -> BucketConfig {
        let mut opts = HashMap::new();
        opts.insert("auth_type".into(), "oidc".into());
        opts.insert("oidc_role_arn".into(), "arn:aws:iam::123:role/Test".into());
        opts.insert(
            "endpoint".into(),
            "https://s3.us-east-1.amazonaws.com".into(),
        );
        opts.insert("bucket_name".into(), "my-bucket".into());
        opts.insert("region".into(), "us-east-1".into());
        BucketConfig {
            name: "test".into(),
            backend_type: "s3".into(),
            backend_prefix: None,
            anonymous_access: false,
            allowed_roles: vec![],
            backend_options: opts,
        }
    }

    fn static_bucket_config() -> BucketConfig {
        let mut opts = HashMap::new();
        opts.insert("access_key_id".into(), "AKID_STATIC".into());
        opts.insert("secret_access_key".into(), "secret_static".into());
        opts.insert(
            "endpoint".into(),
            "https://s3.us-east-1.amazonaws.com".into(),
        );
        opts.insert("bucket_name".into(), "my-bucket".into());
        BucketConfig {
            name: "test".into(),
            backend_type: "s3".into(),
            backend_prefix: None,
            anonymous_access: false,
            allowed_roles: vec![],
            backend_options: opts,
        }
    }

    #[tokio::test]
    async fn resolve_injects_creds_for_oidc_bucket() {
        let http = MockHttp::new();
        let provider = OidcCredentialProvider::new(
            test_signer(),
            http,
            "https://issuer.example.com".into(),
            "sts.amazonaws.com".into(),
        );
        let auth = AwsBackendAuth::new(provider);

        let config = oidc_bucket_config();
        let resolved = auth.resolve_credentials(&config).await.unwrap().unwrap();

        assert_eq!(resolved.get("access_key_id").unwrap(), "AKID_OIDC");
        assert_eq!(resolved.get("secret_access_key").unwrap(), "secret_oidc");
        assert_eq!(resolved.get("token").unwrap(), "token_oidc");
        assert!(!resolved.contains_key("auth_type"));
        assert!(!resolved.contains_key("oidc_role_arn"));
    }

    #[tokio::test]
    async fn resolve_passes_through_static_bucket() {
        let http = MockHttp::new();
        let provider = OidcCredentialProvider::new(
            test_signer(),
            http.clone(),
            "https://issuer.example.com".into(),
            "sts.amazonaws.com".into(),
        );
        let auth = AwsBackendAuth::new(provider);

        let config = static_bucket_config();
        let resolved = auth.resolve_credentials(&config).await.unwrap();

        assert!(resolved.is_none());
        assert_eq!(http.call_count.load(Ordering::SeqCst), 0);
    }

    #[tokio::test]
    async fn maybe_disabled_errors_on_oidc_bucket() {
        // MaybeOidcAuth::Disabled should error when a bucket requires OIDC.
        // We verify the branch condition directly since Next/Dispatch are
        // pub(crate) in core and can't be constructed from here.
        let config = oidc_bucket_config();
        assert_eq!(config.option("auth_type"), Some("oidc"));
        // The Middleware::handle impl returns this error before calling next:
        let err = ProxyError::ConfigError(
            "bucket requires auth_type=oidc but no OIDC provider is configured".into(),
        );
        assert!(err.to_string().contains("no OIDC provider is configured"));
    }

    #[tokio::test]
    async fn maybe_disabled_passes_through_static_bucket() {
        // MaybeOidcAuth::Disabled should pass through when the bucket
        // doesn't require OIDC auth (no auth_type=oidc in options).
        let config = static_bucket_config();
        assert!(config.option("auth_type") != Some("oidc"));
        // The Middleware::handle impl calls next.run(ctx) in this case.
    }
}