quokka_admin/middleware/

auth.rs

//!
//! Authentication flow
//!
//! 1. Request
//! 2. AdminAuthProvider::authenticate (authenticates a user from the request)
//! 3. AdminAuthProvider::authorize (authorizes the user)
//! 4. Continue with the request
//!
//! The request goes through separete authenticate and authorize handler so that one provider can be used to authenticate the user while
//! another provider can add the authorization. This allows setups where a user comes from one database and permissions are managed
//! somewhere else. Like using LDAP to provide the users and PostgreSQL for assigning groupes & other permissions.
//!
//! That said the the authenticate and authorize requests will **not** be executed after each other for each provider. It will instead call
//! the authenticate method on all the providers (until an [AuthenticatedUser] is successfully returned) and after that all the providers
//! get a chance of authorizing the request against the user. Also here the first provider that allows the request to pass will win.
//!

use std::{collections::HashMap, convert::Infallible, future::Future, pin::Pin, sync::Arc};

use axum::{
    extract::{FromRequestParts, MatchedPath, Request},
    http::request::Parts,
    response::{IntoResponse, Redirect, Response},
    RequestExt,
};
use quokka::{
    handler::html::TemplateDataLoader,
    state::{FromState, ProvideState},
};

use crate::{service::page_loader::AdminPageLoader, state::AdminState};

///
/// Provides the required permission for the requested action
///
/// By default for HTTP the verb will be the request method and the resource will be the URL
///
#[derive(Clone, Debug, serde::Deserialize, serde::Serialize)]
pub struct PermissionContext {
    pub verb: String,
    pub resource: String,
}

///
/// Provides the authentication information of a user
///
#[derive(Clone, Debug, serde::Deserialize, serde::Serialize)]
pub struct AuthenticatedUser {
    pub name: String,
    pub groups: Vec<String>,
    /// Contains additional context about the user
    pub context: HashMap<String, serde_json::Value>,
}

///
/// The auth provider takes care of authenticating and authorizing a request
///
/// The first provider authorizing the request will be win, so permissions are always addative
///
pub trait AdminAuthProvider<S> {
    type AuthParams: FromRequestParts<S>;

    ///
    /// Authenticate the user by whatever is required from the request to identify the user. If a [AuthenticatedUser] is returned no other
    /// Auth provider will have the chance of authenticating against the request.
    ///
    fn authenticate(
        &self,
        params: Self::AuthParams,
    ) -> impl Future<Output = quokka::Result<Option<AuthenticatedUser>>> + Send;

    ///
    /// Authorize the request to the authenticated user. As soon as a provider returns a "true" no other provider will be asked about it anymore.
    ///
    fn authorize(
        &self,
        user: &AuthenticatedUser,
        permission: &PermissionContext,
    ) -> impl Future<Output = quokka::Result<bool>> + Send;

    ///
    /// Internal function for error reporting + tracing
    ///
    fn provider_name(&self) -> &str {
        std::any::type_name_of_val(self)
    }
}
///
/// A collection of available auth providers
///
#[derive(Clone)]
pub struct AuthProviders<S> {
    pub(crate) providers: Vec<Arc<dyn InnerAuthProvider<S>>>,
}

///
/// A collections of available login providers
///
#[derive(Clone, Default)]
pub struct LoginProviders {
    pub(crate) providers: Vec<Arc<dyn InnerLoginProvider + Send + Sync>>,
}

///
/// The middleware used for handling the admin authentication. Apply this at the end of your custom admin router to include the admin
/// authentication gate.
///
#[derive(Clone)]
pub struct AdminAuthMiddleware<S> {
    state: S,
}

///
/// The submitted login data from a client.
///
/// **Note**: For multi factor authentication you need to take some custom action (for now) or rely on a trusted proxy that does the job of
/// logging the user in.
///
#[derive(Clone, Debug, serde::Deserialize, serde::Serialize)]
pub struct LoginData {
    pub login_name: String,
    #[serde(skip_serializing)]
    pub password: String,
}

///
/// Represents the result of a [AdminLoginProvider].
///
/// The user_identifier might be the user's id, the user name or whatever your providers can use to identify the user later. The only
/// requirement is' that it can represented as a string.
///
#[derive(Clone, Debug, serde::Deserialize, serde::Serialize)]
pub struct LoginResult {
    pub user_identifier: String,
}

///
/// Provides login methods
///
/// Validates the username & password of a submitted login form and returns a [LoginResult] containing a session key or username that can
/// be validated by an [AdminAuthProvider].
///
pub trait AdminLoginProvider {
    ///
    /// Does the login. The first Login Provider that returns a [Option::Some] is being used.
    ///
    fn do_login(
        &self,
        login_data: &LoginData,
    ) -> impl Future<Output = quokka::Result<Option<LoginResult>>> + Send;

    /// Provides the type name. Used for logging & debugging
    fn type_name(&self) -> &str {
        std::any::type_name_of_val(self)
    }
}

///
/// This is automatically implemented for all T: AdminAuthProvider<S>
///
#[doc(hidden)]
pub trait InnerAuthProvider<S>: Send + Sync {
    fn authenticate<'a>(
        &'a self,
        request: &'a mut Request,
        state: &'a S,
    ) -> Pin<Box<dyn Future<Output = quokka::Result<Option<AuthenticatedUser>>> + Send + 'a>>;

    fn authorize<'a>(
        &'a self,
        user: &'a AuthenticatedUser,
        permission: &'a PermissionContext,
    ) -> Pin<Box<dyn Future<Output = quokka::Result<bool>> + Send + 'a>>;

    fn provider_name(&self) -> &str;
}

///
/// A wrapper to make the [AdminLoginHandler] dyn-compatible.
///
/// This is automatically implemented for all T: [AdminLoginProvider]
///
#[doc(hidden)]
pub trait InnerLoginProvider {
    fn login<'a>(
        &'a self,
        login_data: &'a LoginData,
    ) -> Pin<Box<dyn Future<Output = quokka::Result<Option<LoginResult>>> + Send + 'a>>;

    fn provider_name(&self) -> &str;
}

#[derive(Clone)]
#[doc(hidden)]
pub struct AdminAuthLayer<S, I> {
    state: S,
    inner: I,
    admin: AdminState<S>,
    page_loader: AdminPageLoader,
}

impl<T: AdminLoginProvider> InnerLoginProvider for T {
    fn login<'a>(
        &'a self,
        login_data: &'a LoginData,
    ) -> Pin<Box<dyn Future<Output = quokka::Result<Option<LoginResult>>> + Send + 'a>> {
        Box::pin(self.do_login(login_data))
    }

    fn provider_name(&self) -> &str {
        self.type_name()
    }
}

impl<S, T> InnerAuthProvider<S> for T
where
    S: Send + Sync + 'static,
    T: AdminAuthProvider<S> + Send + Sync,
    T::AuthParams: 'static,
    <T::AuthParams as FromRequestParts<S>>::Rejection: std::fmt::Debug,
{
    fn authenticate<'a>(
        &'a self,
        request: &'a mut Request,
        state: &'a S,
    ) -> Pin<Box<dyn Future<Output = quokka::Result<Option<AuthenticatedUser>>> + Send + 'a>> {
        Box::pin(async move {
            let params = request
                .extract_parts_with_state::<T::AuthParams, S>(state)
                .await
                .inspect_err(|error| tracing::error!(?error, "Unable to extract request params"))
                .map_err(|_| quokka::Error::status("Unable authenticate user", 500))?;

            <T as AdminAuthProvider<S>>::authenticate(self, params).await
        })
    }

    fn authorize<'a>(
        &'a self,
        user: &'a AuthenticatedUser,
        permission: &'a PermissionContext,
    ) -> Pin<Box<dyn Future<Output = quokka::Result<bool>> + Send + 'a>> {
        Box::pin(<T as AdminAuthProvider<S>>::authorize(
            self, user, permission,
        ))
    }
    fn provider_name(&self) -> &str {
        <T as AdminAuthProvider<S>>::provider_name(self)
    }
}

impl<S, I> tower_layer::Layer<I> for AdminAuthMiddleware<S>
where
    S: Send + Sync + Clone,
    S: ProvideState<AdminState<S>>,
    S: ProvideState<AdminPageLoader>,
{
    type Service = AdminAuthLayer<S, I>;

    fn layer(&self, inner: I) -> Self::Service {
        AdminAuthLayer {
            state: self.state.clone(),
            inner,
            admin: self.state.provide(),
            page_loader: self.state.provide(),
        }
    }
}

impl<S, I> tower_service::Service<Request> for AdminAuthLayer<S, I>
where
    I: tower_service::Service<Request, Response = Response, Error = Infallible>
        + Clone
        + Send
        + 'static,
    I::Future: Send,
    S: Send + Sync + Clone + 'static,
    S: ProvideState<AdminState<S>>,
    S: ProvideState<AdminPageLoader>,
{
    type Response = Response;

    type Error = Infallible;

    type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send>>;

    fn poll_ready(
        &mut self,
        _: &mut std::task::Context<'_>,
    ) -> std::task::Poll<Result<(), Self::Error>> {
        std::task::Poll::Ready(Ok(()))
    }

    fn call(&mut self, mut request: Request) -> Self::Future {
        let state = self.state.clone();
        let admin = self.admin.clone();
        let page_loader = self.page_loader.clone();
        let mut inner = self.inner.clone();

        Box::pin(async move {
            let mut user: Option<AuthenticatedUser> = None;

            // It's [Infallible]
            let permission: PermissionContext = request.extract_parts().await.unwrap();

            for provider in &admin.auth_providers.providers {
                match provider.authenticate(&mut request, &state).await {
                    Ok(Some(authenticated_user)) => {
                        user = Some(authenticated_user);

                        break;
                    }
                    Err(error) => {
                        tracing::error!(
                            ?error,
                            provider = provider.provider_name(),
                            "Error while authenticating user"
                        )
                    }
                    _ => {}
                }
            }

            let Some(user) = user else {
                return Ok(Redirect::to(&admin.login_url).into_response());
            };

            let span = tracing::info_span!("authenticated user", ?user, ?permission);
            let _ = span.enter();

            if let Some(admin_group) = &admin.super_admin_group {
                if user.groups.contains(admin_group) {
                    tracing::debug!(?user, ?permission, "Granted permission for super_admin");

                    let span = tracing::info_span!("super_admin user", ?user);
                    let _ = span.enter();

                    request.extensions_mut().insert(user);
                    request.extensions_mut().insert(permission);

                    return inner.call(request).await;
                }
            }

            for provider in &admin.auth_providers.providers {
                match provider.authorize(&user, &permission).await {
                    Ok(true) => {
                        tracing::debug!(
                            provider = provider.provider_name(),
                            "Granted permissions for user"
                        );

                        let span = tracing::info_span!("authorized user", ?user);
                        let _ = span.enter();

                        request.extensions_mut().insert(user);
                        request.extensions_mut().insert(permission);

                        return inner.call(request).await;
                    }
                    Err(error) => {
                        tracing::error!(
                            ?error,
                            provider = provider.provider_name(),
                            "Error while checking authorization of user"
                        )
                    }
                    _ => {}
                }
            }

            Ok(<AdminPageLoader as TemplateDataLoader<S>>::render_error(
                &page_loader,
                quokka::Error::status("Forbidden", 403),
            )
            .await
            .into_response())
        })
    }
}

impl<S: Send + Sync> FromRequestParts<S> for PermissionContext {
    type Rejection = Infallible;

    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        if let Some(permission) = parts.extensions.get::<PermissionContext>() {
            return Ok(permission.clone());
        }

        let uri = MatchedPath::from_request_parts(parts, state).await.unwrap();

        Ok(PermissionContext {
            verb: parts.method.to_string(),
            resource: uri.as_str().to_string(),
        })
    }
}

impl<S> Default for AuthProviders<S> {
    fn default() -> Self {
        Self {
            providers: Default::default(),
        }
    }
}

impl<S: Clone> FromState<S> for AdminAuthMiddleware<S> {
    fn from_state(state: &S) -> Self {
        Self {
            state: state.clone(),
        }
    }
}