parsec-service 1.5.0

A language-agnostic API to secure services in a platform-agnostic way
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227

// Copyright 2019 Contributors to the Parsec project.
// SPDX-License-Identifier: Apache-2.0
//! Request authentication
//!
//! [Authenticators](https://parallaxsecond.github.io/parsec-book/parsec_service/authenticators.html)
//! provide functionality to the service for verifying the authenticity of requests.
//! The result of an authentication is an `Application` which is parsed by the authenticator and
//! used throughout the service for identifying the request initiator. The input to an authentication
//! is the `RequestAuth` field of a request, which is parsed by the authenticator specified in the header.
//! The authentication functionality is abstracted through an `Authenticate` trait.

#[cfg(not(any(
    feature = "direct-authenticator",
    feature = "unix-peer-credentials-authenticator",
    feature = "jwt-svid-authenticator",
)))]
compile_error!("Please provide in at least one authenticator");

#[cfg(feature = "direct-authenticator")]
pub mod direct_authenticator;

#[cfg(feature = "unix-peer-credentials-authenticator")]
pub mod unix_peer_credentials_authenticator;

#[cfg(feature = "jwt-svid-authenticator")]
pub mod jwt_svid_authenticator;

use crate::front::listener::ConnectionMetadata;
use crate::utils::config::Admin;
use parsec_interface::operations::list_authenticators;
use parsec_interface::requests::request::RequestAuth;
use parsec_interface::requests::{AuthType, Result};
use std::fmt;
use std::ops::Deref;

/// A unique identifier for an application.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct ApplicationIdentity {
    /// The name of the application.
    name: String,
    /// The id of the authenticator used to authenticate the application name.
    auth: Auth,
}

/// Application Name any ApplicationIdentity generated by calling `new_internal()`
pub const INTERNAL_APP_NAME: &str = "parsec";

impl fmt::Display for ApplicationIdentity {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "ApplicationIdentity: [name=\"{}\", auth=\"{}\"]",
            self.name, self.auth
        )
    }
}

impl ApplicationIdentity {
    /// Creates a new instance of ApplicationIdentity using the client-facing authenticator type.
    /// Note that for creating internal keys, new_internal should be used instead
    pub fn new(name: String, authenticator_id: AuthType) -> ApplicationIdentity {
        ApplicationIdentity {
            name,
            auth: authenticator_id.into(),
        }
    }

    /// Creates a new instance of ApplicationIdentity using the authenticator type.
    /// Note that for creating internal keys, new_internal should be used instead
    pub fn new_with_auth(name: String, auth: Auth) -> ApplicationIdentity {
        ApplicationIdentity { name, auth }
    }

    /// Creates a new instance of ApplicationIdentity using the internal authenticator
    /// An `INTERNAL_APP_NAME` as its application name
    pub fn new_internal() -> ApplicationIdentity {
        ApplicationIdentity {
            name: INTERNAL_APP_NAME.to_string(),
            auth: Auth::Internal,
        }
    }

    /// Get the identity of the application
    pub fn name(&self) -> &String {
        &self.name
    }

    /// Get the numeric ID of the authenticator
    pub fn authenticator_id(&self) -> u8 {
        self.auth.authenticator_id()
    }

    /// Get the authenticator type of the application
    pub fn auth(&self) -> &Auth {
        &self.auth
    }

    /// Check if the application identity is of type internal
    pub fn is_internal(&self) -> bool {
        self.auth == Auth::Internal
    }
}

/// Authentication type covering both internal and external sources
#[derive(PartialEq, Eq, Hash, Copy, Clone, Debug)]
pub enum Auth {
    /// An authentication origination from a client request
    Client(AuthType),
    /// An authentication origination from within the service
    Internal,
}

/// Authenticatior id for the Auth::Internal enum.
pub const INTERNAL_AUTH_ID: i64 = 255;

impl Auth {
    /// Get the numeric ID of the authenticator
    pub fn authenticator_id(&self) -> u8 {
        match self {
            Auth::Client(auth) => *auth as u8,
            Auth::Internal => INTERNAL_AUTH_ID as u8,
        }
    }
}

impl From<AuthType> for Auth {
    fn from(auth: AuthType) -> Self {
        Auth::Client(auth)
    }
}

impl fmt::Display for Auth {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Auth::Client(auth) => {
                write!(f, "Client authenticator ({})", auth)
            }
            Auth::Internal => {
                write!(f, "Internal service authenticator")
            }
        }
    }
}

/// Wrapper for a Parsec application
#[derive(Debug, Clone)]
pub struct Application {
    /// The identity of the Application
    identity: ApplicationIdentity,
    /// Whether the application has administrator rights
    is_admin: bool,
}

impl fmt::Display for Application {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(
            f,
            "Application {{identity: {}, is_admin: {}}}",
            self.identity, self.is_admin
        )
    }
}

impl Application {
    /// Creates a new instance of ProviderIdentity.
    pub fn new(identity: ApplicationIdentity, is_admin: bool) -> Application {
        Application { identity, is_admin }
    }

    /// Get the identity of the application
    pub fn identity(&self) -> &ApplicationIdentity {
        &self.identity
    }

    /// Get whether the application has administrator rights
    pub fn is_admin(&self) -> &bool {
        &self.is_admin
    }
}

/// Authentication interface
///
/// Interface that must be implemented for each authentication type available for the service.
pub trait Authenticate {
    /// Return a description of the authenticator.
    ///
    /// The descriptions are gathered in the Core Provider and returned for a ListAuthenticators
    /// operation.
    fn describe(&self) -> Result<list_authenticators::AuthenticatorInfo>;

    /// Authenticates a `RequestAuth` payload and returns the `Application` if successful. A
    /// optional `ConnectionMetadata` object is passed in too, since it is sometimes possible to
    /// perform authentication based on the connection's metadata (i.e. as is the case for UNIX
    /// domain sockets with Unix peer credentials).
    ///
    /// # Errors
    ///
    /// If the authentification fails, returns a `ResponseStatus::AuthenticationError`.
    fn authenticate(
        &self,
        auth: &RequestAuth,
        meta: Option<ConnectionMetadata>,
    ) -> Result<Application>;
}

#[derive(Debug, Clone, Default)]
struct AdminList(Vec<Admin>);

impl AdminList {
    fn is_admin(&self, app_name: &str) -> bool {
        self.iter().any(|admin| admin.name() == app_name)
    }
}

impl Deref for AdminList {
    type Target = Vec<Admin>;

    fn deref(&self) -> &Self::Target {
        &self.0
    }
}

impl From<Vec<Admin>> for AdminList {
    fn from(admin_list: Vec<Admin>) -> Self {
        AdminList(admin_list)
    }
}