rauthy-client 0.14.0

Client for the Rauthy OIDC IAM project
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

use crate::principal::PrincipalOidc;
use axum::extract::OptionalFromRequestParts;
use axum::response::IntoResponse;
use axum::{body::Body, extract::FromRequestParts, http::request::Parts, response::Response};
use axum_extra::{
    TypedHeader,
    headers::{Authorization, authorization::Bearer},
};

impl PrincipalOidc {
    #[allow(clippy::result_large_err)]
    pub fn is_admin(&self) -> Result<(), Response> {
        if self.is_admin {
            Ok(())
        } else {
            Err(Response::builder()
                .status(403)
                .body(Body::from("Admin access only"))
                .unwrap()
                .into_response())
        }
    }

    #[allow(clippy::result_large_err)]
    pub fn is_user(&self) -> Result<(), Response> {
        if self.is_user {
            Ok(())
        } else {
            Err(Response::builder()
                .status(403)
                .body(Body::from("Access Forbidden"))
                .unwrap()
                .into_response())
        }
    }

    #[allow(clippy::result_large_err)]
    pub fn has_any_group(&self, group: Vec<&str>) -> Result<(), Response> {
        for g in &self.groups {
            if group.contains(&g.as_str()) {
                return Ok(());
            }
        }
        Err(Response::builder()
            .status(403)
            .body(Body::from("Groups do not match"))
            .unwrap()
            .into_response())
    }

    #[allow(clippy::result_large_err)]
    pub fn has_any_role(&self, roles: Vec<&str>) -> Result<(), Response> {
        for r in &self.roles {
            if roles.contains(&r.as_str()) {
                return Ok(());
            }
        }
        Err(Response::builder()
            .status(403)
            .body(Body::from("Roles do not match"))
            .unwrap()
            .into_response())
    }
}

impl<S> FromRequestParts<S> for PrincipalOidc
where
    S: Send + Sync,
{
    type Rejection = Response<Body>;

    #[inline(always)]
    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        let TypedHeader(Authorization(bearer)) =
            <TypedHeader<Authorization<Bearer>> as FromRequestParts<S>>::from_request_parts(
                parts, state,
            )
            .await
            .map_err(|_| Response::builder().status(401).body(Body::empty()).unwrap())?;

        match PrincipalOidc::from_token_validated(bearer.token()).await {
            Ok(p) => {
                p.is_user()?;
                Ok(p)
            }
            Err(_err) => Err(Response::builder().status(401).body(Body::empty()).unwrap()),
        }
    }
}

impl<S> OptionalFromRequestParts<S> for PrincipalOidc
where
    S: Send + Sync,
{
    type Rejection = Response<Body>;

    #[inline(always)]
    async fn from_request_parts(
        parts: &mut Parts,
        state: &S,
    ) -> Result<Option<Self>, Self::Rejection> {
        // Extract the token from the authorization header
        if let Ok(TypedHeader(Authorization(bearer))) =
            <TypedHeader<Authorization<Bearer>> as FromRequestParts<S>>::from_request_parts(
                parts, state,
            )
            .await
            && let Ok(p) = PrincipalOidc::from_token_validated(bearer.token()).await
            && p.is_user().is_ok()
        {
            return Ok(Some(p));
        }

        Ok(None)
    }
}