ncryptf-rs 0.5.7

Secure API authentication and end to end encryption.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501

use std::fmt;

use base64::{engine::general_purpose, Engine as _};
use chrono::Utc;
use reqwest::{
    header::{HeaderMap, HeaderValue},
    RequestBuilder,
};
use thiserror::Error;
use crate::shared::{ExportableEncryptionKeyData};

#[derive(Error, Debug)]
pub enum RequestError {
    #[error("reqwest failed")]
    ReqwestError(#[from] reqwest::Error),
    #[error("unable to create authorization")]
    AuthConstructionError,
    #[error("bootstrapping encrypted request failed.")]
    ReKeyError,
    #[error("handling the response failed")]
    HandlingResponse(#[from] crate::client::ResponseError),
    #[error("the argument provided was not one that can be handled")]
    InvalidArgument,
    #[error("the request could not be encrypted")]
    EncryptionError,
    #[error("the token provided has expired, and could not be renewed")]
    TokenExpired,
}

/// The client request simplifies creating, sending, and handling an ncryptf request and response by providing a
/// simplified API that utilizes reqwest underneath.
///
/// Requests can be constructed by calling:
///
/// ```rust
/// let mut request = ncryptf::client::Request::<T>::new(client, "https://www.ncryptf.com", Some(ncryptf::Token), Some(T));
/// ```
/// Where `T` is an implementation of `UpdateTokenTrait`, which provides an essential function for handling refresh tokens.
/// When the Token object is updated, `UpdateTokenTrait::token_update` will be called with the new token for you to handle.
/// If you wish to handle this separatedly, you can use the `UpdateTokenImpl` dummy trait.
///
/// and then use the helper http verb methods to make an request, which will automatically handle setting up an encrypted request
/// for you which includes bootstraping a new encryption key from a compliant server, and encrypting the request with a one-time encryption key
/// that is thrown away at the end of the request
///
/// ```rust
/// let response: ncryptf::Client::Response = request.get("/user/1").await.unwrap();
/// let response: ncryptf::Client::Response = request.delete("/user/1").await.unwrap();
/// let response: ncryptf::Client::Response = request.post("/user", "{ ... json ...}").await.unwrap();
/// let response: ncryptf::Client::Response = request.put("/user/1", "{ .. json ..}").await.unwrap();
/// ```
///
/// > NOTE: Only GET, DELETE, POST, PATHCH, and PUT verbs are supported for this client library -- you likely do not need to have an encrypted HEAD, or OPTIONS for an API.
///
/// An `ncryptf::Client::Response` is emitted on success. The response automatically handles decrypting the response for your application.
#[derive(Debug, Clone)]
pub struct Request<UT, RT>
where
    UT: UpdateTokenTrait,
    RT: RequestTrait,
{
    pub client: reqwest::Client,
    pub endpoint: String,
    pub token: Option<crate::Token>,
    pub ut: Option<UT>,
    pub rt: Option<RT>,
    ek: Option<ExportableEncryptionKeyData>,
}

#[derive(Debug, Clone)]
pub enum Method {
    Get,
    Post,
    Put,
    Patch,
    Delete,
}

impl fmt::Display for Method {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "{:?}", self)
    }
}

pub trait UpdateTokenTrait: Send + Sync {
    /// Provides a post-callback // token update mechansim that can be controlled by the caller
    /// Necessary for Token refresh implementation
    fn token_update(&self, _token: crate::Token) -> bool {
        return true;
    }
}

pub trait RequestTrait: Send + Sync {
    /// Modify the request before it is sent
    fn before(&self, builder: RequestBuilder) -> RequestBuilder {
        return builder;
    }

    /// Run a task after the request is sent
    fn after(&self, _response: crate::client::Response) {
        return;
    }
}

impl<UT: UpdateTokenTrait, RT: RequestTrait> Request<UT, RT> {
    /// Constructs a new request
    pub fn new_simple(
        client: reqwest::Client,
        endpoint: &str,
        token: Option<crate::Token>,
    ) -> Self {
        return Self::new(client, endpoint, token, None, None);
    }

    /// Constructs a new request
    pub fn new(
        client: reqwest::Client,
        endpoint: &str,
        token: Option<crate::Token>,
        ut: Option<UT>,
        rt: Option<RT>,
    ) -> Self {
        Self {
            client,
            endpoint: endpoint.to_string(),
            token,
            ut,
            rt,
            ek: None,
        }
    }

    /// Updates the token in both the current instance and via the callback
    pub fn update_token(&mut self, token: Option<crate::Token>) {
        self.token = token.clone();

        match &self.ut {
            Some(callback) => match token {
                Some(token) => {
                    callback.token_update(token);
                }
                None => {}
            },
            None => {}
        };
    }

    /// This will bootstrap our request and get the necessary encryption keys to encrypt the request
    /// and decrypt the response
    /// This function is recursive, and will call itself until it ensures the underlying data is encrypted and non-readable
    #[async_recursion::async_recursion]
    pub async fn rekey(&mut self, hashid: Option<String>) -> Result<bool, RequestError> {
        let kp = crate::Keypair::new();
        let mut headers = HeaderMap::new();
        headers.insert(
            "Content-Type",
            HeaderValue::from_str(&"application/json").unwrap(),
        );

        match hashid.clone() {
            Some(hashid) => {
                headers.insert(
                    "Accept",
                    HeaderValue::from_str(&"application/vnd.ncryptf+json").unwrap(),
                );
                headers.insert("X-HashId", HeaderValue::from_str(&hashid).unwrap());
                let pk = general_purpose::STANDARD.encode(kp.get_public_key());
                headers.insert("X-PubKey", HeaderValue::from_str(&pk).unwrap());
            }
            _ => {
                headers.insert(
                    "Accept",
                    HeaderValue::from_str(&"application/json").unwrap(),
                );
            }
        };

        let furi = format!("{}{}", self.endpoint, "/ncryptf/ek");
        let builder = self.client.clone().get(furi).headers(headers);

        match self.do_request(builder, kp).await {
            Ok(response) => match response.status {
                reqwest::StatusCode::OK => match serde_json::from_str::<
                    ExportableEncryptionKeyData,
                >(&response.body.unwrap())
                {
                    Ok(ek) => {
                        self.ek = Some(ek.clone());
                        match hashid.clone() {
                            Some(_) => return Ok(true),
                            _ => return self.rekey(Some(ek.hash_id)).await,
                        }
                    }
                    Err(_error) => return Err(RequestError::ReKeyError),
                },
                _ => return Err(RequestError::ReKeyError),
            },
            Err(_error) => return Err(RequestError::ReKeyError),
        };
    }

    /// Performs an HTTP GET request
    pub async fn get(&mut self, url: &str) -> Result<crate::client::Response, RequestError> {
        return self.execute(Method::Get, url, None).await;
    }

    /// Performs an HTTP DELETE request
    pub async fn delete(
        &mut self,
        url: &str,
        payload: Option<&str>,
    ) -> Result<crate::client::Response, RequestError> {
        return self.execute(Method::Delete, url, payload).await;
    }

    /// Performs an HTTP PATCH request
    pub async fn patch(
        &mut self,
        url: &str,
        payload: Option<&str>,
    ) -> Result<crate::client::Response, RequestError> {
        return self.execute(Method::Patch, url, payload).await;
    }

    /// Performs an HTTP POST request
    pub async fn post(
        &mut self,
        url: &str,
        payload: Option<&str>,
    ) -> Result<crate::client::Response, RequestError> {
        return self.execute(Method::Post, url, payload).await;
    }

    /// Performs an HTTP PUT request
    pub async fn put(
        &mut self,
        url: &str,
        payload: Option<&str>,
    ) -> Result<crate::client::Response, RequestError> {
        return self.execute(Method::Put, url, payload).await;
    }

    ///  Executes a request
    ///
    /// If a token is provided, the request is assumed to require authentication and the appropriate auth header is added
    /// GET requets are assumed to expect an encrypted response
    /// This will bootstrap the encryption process if necessary for an ncryptf encrypted response
    ///
    /// AsyncRecursion is to prevent Rust Compiler from detecting a loop - this method is not recursive.
    #[async_recursion::async_recursion]
    async fn execute(
        &mut self,
        method: Method,
        url: &str,
        payload: Option<&'async_recursion str>,
    ) -> Result<crate::client::Response, RequestError> {
        let payload_actual = match payload {
            Some(payload) => payload,
            None => "",
        };

        match &self.ek {
            Some(ek) => {
                if ek.is_expired() {
                    match self.rekey(None).await {
                        Ok(_) => {}
                        Err(error) => return Err(error),
                    };
                }
            }
            _ => match self.rekey(None).await {
                Ok(_) => {}
                Err(error) => return Err(error),
            },
        };

        let auth: Option<crate::Authorization> = match self.token.clone() {
            Some(mut token) => {
                // If the token has, or is nearing expiry, attempt to refresh it
                let expiration_limit = chrono::Utc::now().timestamp() + 120;
                if token.expires_at <= expiration_limit {
                    let refresh_token = token.refresh_token;
                    // Throw away this token
                    self.token = None;

                    match self
                        .post(
                            format!("/ncryptf/token/refresh?refresh_token={}", refresh_token)
                                .as_str(),
                            None,
                        )
                        .await
                    {
                        Ok(response) => match response.status {
                            reqwest::StatusCode::OK => match response.into::<crate::Token>() {
                                Ok(tt) => {
                                    self.update_token(Some(tt.clone()));
                                    token = self.token.clone().unwrap();
                                }
                                Err(_error) => return Err(RequestError::TokenExpired),
                            },
                            _ => return Err(RequestError::TokenExpired),
                        },
                        Err(_error) => return Err(RequestError::TokenExpired),
                    };
                }

                // For requests with tokens, attempt to generate an Authorization struct
                match crate::Authorization::from(
                    method.to_string().to_uppercase(),
                    url.to_string().clone(),
                    token.clone(),
                    Utc::now(),
                    payload_actual.to_string(),
                    None,
                    None,
                ) {
                    Ok(auth) => Some(auth),
                    Err(_error) => return Err(RequestError::AuthConstructionError),
                }
            }
            None => None,
        };

        let kp = crate::Keypair::new();

        let mut headers = HeaderMap::new();
        headers.insert(
            "Accept",
            HeaderValue::from_str(&"application/vnd.ncryptf+json").unwrap(),
        );
        // We always send the headers incase the request don't have a body
        headers.insert(
            "X-PubKey",
            HeaderValue::from_str(&general_purpose::STANDARD.encode(kp.get_public_key())).unwrap(),
        );
        headers.insert(
            "X-HashId",
            HeaderValue::from_str(&self.ek.clone().unwrap().hash_id).unwrap(),
        );

        match auth {
            Some(auth) => {
                headers.insert(
                    "Authorization",
                    HeaderValue::from_str(auth.get_header().as_str()).unwrap(),
                );
            }
            _ => {}
        }

        let furi = format!("{}{}", self.endpoint, url);
        let mut builder: reqwest::RequestBuilder = match method {
            Method::Get => self.client.clone().get(furi),
            Method::Post => self.client.clone().post(furi),
            Method::Put => self.client.clone().put(furi),
            Method::Delete => self.client.clone().delete(furi),
            Method::Patch => self.client.clone().patch(furi),
        };

        match payload_actual {
            "" => {
                headers.insert(
                    "Content-Type",
                    HeaderValue::from_str(&"application/json").unwrap(),
                );
            }
            _ => {
                headers.insert(
                    "Content-Type",
                    HeaderValue::from_str(&"application/vnd.ncryptf+json").unwrap(),
                );
                let sk = match self.token.clone() {
                    Some(token) => token.signature,
                    None => {
                        let sk = crate::Signature::new();
                        sk.get_secret_key()
                    }
                };

                let mut request = crate::Request::from(kp.get_secret_key(), sk).unwrap();
                match request.encrypt(
                    payload_actual.to_string(),
                    self.ek.as_ref().unwrap().clone().get_public_key().unwrap(),
                ) {
                    Ok(body) => {
                        builder = builder.body(general_purpose::STANDARD.encode(body));
                    }
                    Err(_error) => return Err(RequestError::EncryptionError),
                }
            }
        }

        // Execute any before request implementation
        builder = match &self.rt {
            Some(rt) => rt.before(builder),
            None => builder,
        };
        builder = builder.headers(headers);

        match self.do_request(builder, kp).await {
            Ok(response) => match &self.rt {
                Some(rt) => {
                    rt.after(response.clone());
                    return Ok(response);
                }
                None => return Ok(response),
            },
            Err(error) => return Err(error),
        };
    }

    /// Internal method to perform the http request
    async fn do_request(
        &mut self,
        builder: reqwest::RequestBuilder,
        kp: crate::Keypair,
    ) -> Result<crate::client::Response, RequestError> {
        match builder.send().await {
            Ok(response) => {
                // If the key is ephemeral or expired, we need to purge it so future requests don't use it
                // We can handle re-keying on the next request
                if self.ek.is_some() {
                    if self.ek.clone().unwrap().ephemeral || self.ek.clone().unwrap().is_expired() {
                        self.ek = None;
                    }
                }

                let result = match crate::client::Response::new(response, kp.get_secret_key()).await
                {
                    Ok(response) => response,
                    Err(error) => return Err(RequestError::HandlingResponse(error)),
                };

                // Opportunistically update the encryption key headers
                let hash_id = self.get_header_by_name(result.headers.get("x-hashid"));
                let expires_at =
                    self.get_header_by_name(result.headers.get("x-public-key-expiration"));
                let public_key = self.get_key_string_by_result_or_header(
                    result.pk.clone(),
                    result.headers.get("x-public-key"),
                );
                let signature_key = self.get_key_string_by_result_or_header(
                    result.sk.clone(),
                    result.headers.get("x-signature-key"),
                );
                if hash_id.is_some()
                    && expires_at.is_some()
                    && public_key.is_some()
                    && signature_key.is_some()
                {
                    let xp = expires_at.unwrap().parse::<i64>();
                    if xp.is_ok() {
                        self.ek = Some(ExportableEncryptionKeyData {
                            public: public_key.unwrap(),
                            signature: signature_key.unwrap(),
                            hash_id: hash_id.unwrap(),
                            ephemeral: false,
                            expires_at: xp.unwrap(),
                        });
                    }
                }

                return Ok(result);
            }
            Err(error) => Err(RequestError::ReqwestError(error)),
        }
    }

    /// Helper method to get the key material from either the response body or the headers
    fn get_key_string_by_result_or_header(
        &self,
        key: Option<Vec<u8>>,
        header: Option<&HeaderValue>,
    ) -> Option<String> {
        match key {
            // If we have a key from the response, base64 encode and return it
            Some(key) => Some(general_purpose::STANDARD.encode(key)),
            // If we don't have a key check the header
            None => match header {
                Some(header) => match header.to_str() {
                    // The header will already be base64 encoded, return it directly.
                    Ok(s) => Some(s.to_string()),
                    Err(_) => None,
                },
                None => None,
            },
        }
    }

    /// Helper method to grab a given header by its name
    fn get_header_by_name(&self, header: Option<&HeaderValue>) -> Option<String> {
        match header {
            Some(h) => match h.to_str() {
                Ok(s) => Some(s.to_string()),
                Err(_) => None,
            },
            None => None,
        }
    }
}