1use std::{
10 collections::HashSet,
11 net::{IpAddr, SocketAddr},
12 num::NonZeroU32,
13 path::PathBuf,
14 sync::{
15 Arc, LazyLock, Mutex,
16 atomic::{AtomicU64, Ordering},
17 },
18 time::Duration,
19};
20
21use arc_swap::ArcSwap;
22use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier, password_hash::SaltString};
23use axum::{
24 body::Body,
25 extract::ConnectInfo,
26 http::{Request, header},
27 middleware::Next,
28 response::{IntoResponse, Response},
29};
30use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
31use secrecy::SecretString;
32use serde::Deserialize;
33use x509_parser::prelude::*;
34
35use crate::{bounded_limiter::BoundedKeyedLimiter, error::McpxError};
36
37#[derive(Clone)]
46#[non_exhaustive]
47pub struct AuthIdentity {
48 pub name: String,
50 pub role: String,
52 pub method: AuthMethod,
54 pub raw_token: Option<SecretString>,
60 pub sub: Option<String>,
63}
64
65impl std::fmt::Debug for AuthIdentity {
66 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
69 f.debug_struct("AuthIdentity")
70 .field("name", &self.name)
71 .field("role", &self.role)
72 .field("method", &self.method)
73 .field(
74 "raw_token",
75 &if self.raw_token.is_some() {
76 "<redacted>"
77 } else {
78 "<none>"
79 },
80 )
81 .field(
82 "sub",
83 &if self.sub.is_some() {
84 "<redacted>"
85 } else {
86 "<none>"
87 },
88 )
89 .finish()
90 }
91}
92
93#[derive(Debug, Clone, Copy, PartialEq, Eq)]
95#[non_exhaustive]
96pub enum AuthMethod {
97 BearerToken,
99 MtlsCertificate,
101 OAuthJwt,
103}
104
105#[derive(Debug, Clone, Copy, PartialEq, Eq)]
106enum AuthFailureClass {
107 MissingCredential,
108 InvalidCredential,
109 #[cfg_attr(not(feature = "oauth"), allow(dead_code))]
110 ExpiredCredential,
111 RateLimited,
113 PreAuthGate,
116}
117
118impl AuthFailureClass {
119 fn as_str(self) -> &'static str {
120 match self {
121 Self::MissingCredential => "missing_credential",
122 Self::InvalidCredential => "invalid_credential",
123 Self::ExpiredCredential => "expired_credential",
124 Self::RateLimited => "rate_limited",
125 Self::PreAuthGate => "pre_auth_gate",
126 }
127 }
128
129 fn bearer_error(self) -> (&'static str, &'static str) {
130 match self {
131 Self::MissingCredential => (
132 "invalid_request",
133 "missing bearer token or mTLS client certificate",
134 ),
135 Self::InvalidCredential => ("invalid_token", "token is invalid"),
136 Self::ExpiredCredential => ("invalid_token", "token is expired"),
137 Self::RateLimited => ("invalid_request", "too many failed authentication attempts"),
138 Self::PreAuthGate => (
139 "invalid_request",
140 "too many unauthenticated requests from this source",
141 ),
142 }
143 }
144
145 fn response_body(self) -> &'static str {
146 match self {
147 Self::MissingCredential => "unauthorized: missing credential",
148 Self::InvalidCredential => "unauthorized: invalid credential",
149 Self::ExpiredCredential => "unauthorized: expired credential",
150 Self::RateLimited => "rate limited",
151 Self::PreAuthGate => "rate limited (pre-auth)",
152 }
153 }
154}
155
156#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize)]
158#[non_exhaustive]
159pub struct AuthCountersSnapshot {
160 pub success_mtls: u64,
162 pub success_bearer: u64,
164 pub success_oauth_jwt: u64,
166 pub failure_missing_credential: u64,
168 pub failure_invalid_credential: u64,
170 pub failure_expired_credential: u64,
172 pub failure_rate_limited: u64,
174 pub failure_pre_auth_gate: u64,
177}
178
179#[derive(Debug, Default)]
181pub(crate) struct AuthCounters {
182 success_mtls: AtomicU64,
183 success_bearer: AtomicU64,
184 success_oauth_jwt: AtomicU64,
185 failure_missing_credential: AtomicU64,
186 failure_invalid_credential: AtomicU64,
187 failure_expired_credential: AtomicU64,
188 failure_rate_limited: AtomicU64,
189 failure_pre_auth_gate: AtomicU64,
190}
191
192impl AuthCounters {
193 fn record_success(&self, method: AuthMethod) {
194 match method {
195 AuthMethod::MtlsCertificate => {
196 self.success_mtls.fetch_add(1, Ordering::Relaxed);
197 }
198 AuthMethod::BearerToken => {
199 self.success_bearer.fetch_add(1, Ordering::Relaxed);
200 }
201 AuthMethod::OAuthJwt => {
202 self.success_oauth_jwt.fetch_add(1, Ordering::Relaxed);
203 }
204 }
205 }
206
207 fn record_failure(&self, class: AuthFailureClass) {
208 match class {
209 AuthFailureClass::MissingCredential => {
210 self.failure_missing_credential
211 .fetch_add(1, Ordering::Relaxed);
212 }
213 AuthFailureClass::InvalidCredential => {
214 self.failure_invalid_credential
215 .fetch_add(1, Ordering::Relaxed);
216 }
217 AuthFailureClass::ExpiredCredential => {
218 self.failure_expired_credential
219 .fetch_add(1, Ordering::Relaxed);
220 }
221 AuthFailureClass::RateLimited => {
222 self.failure_rate_limited.fetch_add(1, Ordering::Relaxed);
223 }
224 AuthFailureClass::PreAuthGate => {
225 self.failure_pre_auth_gate.fetch_add(1, Ordering::Relaxed);
226 }
227 }
228 }
229
230 fn snapshot(&self) -> AuthCountersSnapshot {
231 AuthCountersSnapshot {
232 success_mtls: self.success_mtls.load(Ordering::Relaxed),
233 success_bearer: self.success_bearer.load(Ordering::Relaxed),
234 success_oauth_jwt: self.success_oauth_jwt.load(Ordering::Relaxed),
235 failure_missing_credential: self.failure_missing_credential.load(Ordering::Relaxed),
236 failure_invalid_credential: self.failure_invalid_credential.load(Ordering::Relaxed),
237 failure_expired_credential: self.failure_expired_credential.load(Ordering::Relaxed),
238 failure_rate_limited: self.failure_rate_limited.load(Ordering::Relaxed),
239 failure_pre_auth_gate: self.failure_pre_auth_gate.load(Ordering::Relaxed),
240 }
241 }
242}
243
244#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
256#[non_exhaustive]
257pub struct RfcTimestamp(chrono::DateTime<chrono::FixedOffset>);
258
259impl RfcTimestamp {
260 pub fn parse(s: &str) -> Result<Self, chrono::ParseError> {
268 chrono::DateTime::parse_from_rfc3339(s).map(Self)
269 }
270
271 #[must_use]
273 pub fn as_datetime(&self) -> &chrono::DateTime<chrono::FixedOffset> {
274 &self.0
275 }
276
277 #[must_use]
279 pub fn into_inner(self) -> chrono::DateTime<chrono::FixedOffset> {
280 self.0
281 }
282}
283
284impl std::fmt::Display for RfcTimestamp {
285 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
286 write!(f, "{}", self.0.to_rfc3339())
288 }
289}
290
291impl std::fmt::Debug for RfcTimestamp {
292 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
293 write!(f, "{}", self.0.to_rfc3339())
298 }
299}
300
301impl<'de> Deserialize<'de> for RfcTimestamp {
302 fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
303 where
304 D: serde::Deserializer<'de>,
305 {
306 let s = String::deserialize(deserializer)?;
310 Self::parse(&s).map_err(serde::de::Error::custom)
311 }
312}
313
314impl serde::Serialize for RfcTimestamp {
315 fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
316 where
317 S: serde::Serializer,
318 {
319 serializer.serialize_str(&self.0.to_rfc3339())
320 }
321}
322
323impl From<chrono::DateTime<chrono::FixedOffset>> for RfcTimestamp {
324 fn from(value: chrono::DateTime<chrono::FixedOffset>) -> Self {
325 Self(value)
326 }
327}
328
329#[derive(Clone, Deserialize)]
336#[non_exhaustive]
337pub struct ApiKeyEntry {
338 pub name: String,
340 pub hash: String,
342 pub role: String,
344 pub expires_at: Option<RfcTimestamp>,
349}
350
351impl std::fmt::Debug for ApiKeyEntry {
352 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
355 f.debug_struct("ApiKeyEntry")
356 .field("name", &self.name)
357 .field("hash", &"<redacted>")
358 .field("role", &self.role)
359 .field("expires_at", &self.expires_at)
360 .finish()
361 }
362}
363
364impl ApiKeyEntry {
365 #[must_use]
367 pub fn new(name: impl Into<String>, hash: impl Into<String>, role: impl Into<String>) -> Self {
368 Self {
369 name: name.into(),
370 hash: hash.into(),
371 role: role.into(),
372 expires_at: None,
373 }
374 }
375
376 #[must_use]
381 pub fn with_expiry(mut self, expires_at: RfcTimestamp) -> Self {
382 self.expires_at = Some(expires_at);
383 self
384 }
385
386 pub fn try_with_expiry(
394 mut self,
395 expires_at: impl AsRef<str>,
396 ) -> Result<Self, chrono::ParseError> {
397 self.expires_at = Some(RfcTimestamp::parse(expires_at.as_ref())?);
398 Ok(self)
399 }
400}
401
402#[derive(Debug, Clone, Deserialize)]
404#[allow(
405 clippy::struct_excessive_bools,
406 reason = "mTLS CRL behavior is intentionally configured as independent booleans"
407)]
408#[non_exhaustive]
409pub struct MtlsConfig {
410 pub ca_cert_path: PathBuf,
412 #[serde(default)]
415 pub required: bool,
416 #[serde(default = "default_mtls_role")]
419 pub default_role: String,
420 #[serde(default = "default_true")]
423 pub crl_enabled: bool,
424 #[serde(default, with = "humantime_serde::option")]
427 pub crl_refresh_interval: Option<Duration>,
428 #[serde(default = "default_crl_fetch_timeout", with = "humantime_serde")]
430 pub crl_fetch_timeout: Duration,
431 #[serde(default = "default_crl_stale_grace", with = "humantime_serde")]
434 pub crl_stale_grace: Duration,
435 #[serde(default)]
438 pub crl_deny_on_unavailable: bool,
439 #[serde(default)]
441 pub crl_end_entity_only: bool,
442 #[serde(default = "default_true")]
451 pub crl_allow_http: bool,
452 #[serde(default = "default_true")]
454 pub crl_enforce_expiration: bool,
455 #[serde(default = "default_crl_max_concurrent_fetches")]
461 pub crl_max_concurrent_fetches: usize,
462 #[serde(default = "default_crl_max_response_bytes")]
466 pub crl_max_response_bytes: u64,
467 #[serde(default = "default_crl_discovery_rate_per_min")]
483 pub crl_discovery_rate_per_min: u32,
484 #[serde(default = "default_crl_max_host_semaphores")]
493 pub crl_max_host_semaphores: usize,
494 #[serde(default = "default_crl_max_seen_urls")]
498 pub crl_max_seen_urls: usize,
499 #[serde(default = "default_crl_max_cache_entries")]
503 pub crl_max_cache_entries: usize,
504}
505
506fn default_mtls_role() -> String {
507 "viewer".into()
508}
509
510const fn default_true() -> bool {
511 true
512}
513
514const fn default_crl_fetch_timeout() -> Duration {
515 Duration::from_secs(30)
516}
517
518const fn default_crl_stale_grace() -> Duration {
519 Duration::from_hours(24)
520}
521
522const fn default_crl_max_concurrent_fetches() -> usize {
523 4
524}
525
526const fn default_crl_max_response_bytes() -> u64 {
527 5 * 1024 * 1024
528}
529
530const fn default_crl_discovery_rate_per_min() -> u32 {
531 60
532}
533
534const fn default_crl_max_host_semaphores() -> usize {
535 1024
536}
537
538const fn default_crl_max_seen_urls() -> usize {
539 4096
540}
541
542const fn default_crl_max_cache_entries() -> usize {
543 1024
544}
545
546#[derive(Debug, Clone, Deserialize)]
561#[non_exhaustive]
562pub struct RateLimitConfig {
563 #[serde(default = "default_max_attempts")]
566 pub max_attempts_per_minute: u32,
567 #[serde(default)]
575 pub pre_auth_max_per_minute: Option<u32>,
576 #[serde(default = "default_max_tracked_keys")]
581 pub max_tracked_keys: usize,
582 #[serde(default = "default_idle_eviction", with = "humantime_serde")]
585 pub idle_eviction: Duration,
586 #[serde(default)]
593 pub burst: Option<u32>,
594 #[serde(default)]
600 pub pre_auth_burst: Option<u32>,
601}
602
603impl Default for RateLimitConfig {
604 fn default() -> Self {
605 Self {
606 max_attempts_per_minute: default_max_attempts(),
607 pre_auth_max_per_minute: None,
608 max_tracked_keys: default_max_tracked_keys(),
609 idle_eviction: default_idle_eviction(),
610 burst: None,
611 pre_auth_burst: None,
612 }
613 }
614}
615
616impl RateLimitConfig {
617 #[must_use]
621 pub fn new(max_attempts_per_minute: u32) -> Self {
622 Self {
623 max_attempts_per_minute,
624 ..Self::default()
625 }
626 }
627
628 #[must_use]
631 pub fn with_pre_auth_max_per_minute(mut self, quota: u32) -> Self {
632 self.pre_auth_max_per_minute = Some(quota);
633 self
634 }
635
636 #[must_use]
638 pub fn with_max_tracked_keys(mut self, max: usize) -> Self {
639 self.max_tracked_keys = max;
640 self
641 }
642
643 #[must_use]
645 pub fn with_idle_eviction(mut self, idle: Duration) -> Self {
646 self.idle_eviction = idle;
647 self
648 }
649
650 #[must_use]
653 pub fn with_burst(mut self, burst: u32) -> Self {
654 self.burst = Some(burst);
655 self
656 }
657
658 #[must_use]
661 pub fn with_pre_auth_burst(mut self, burst: u32) -> Self {
662 self.pre_auth_burst = Some(burst);
663 self
664 }
665}
666
667fn default_max_attempts() -> u32 {
668 30
669}
670
671fn default_max_tracked_keys() -> usize {
672 10_000
673}
674
675fn default_idle_eviction() -> Duration {
676 Duration::from_mins(15)
677}
678
679#[derive(Debug, Clone, Default, Deserialize)]
681#[non_exhaustive]
682pub struct AuthConfig {
683 #[serde(default)]
685 pub enabled: bool,
686 #[serde(default)]
688 pub api_keys: Vec<ApiKeyEntry>,
689 pub mtls: Option<MtlsConfig>,
691 pub rate_limit: Option<RateLimitConfig>,
693 #[cfg(feature = "oauth")]
695 pub oauth: Option<crate::oauth::OAuthConfig>,
696}
697
698impl AuthConfig {
699 #[must_use]
701 pub fn with_keys(keys: Vec<ApiKeyEntry>) -> Self {
702 Self {
703 enabled: true,
704 api_keys: keys,
705 mtls: None,
706 rate_limit: None,
707 #[cfg(feature = "oauth")]
708 oauth: None,
709 }
710 }
711
712 #[must_use]
714 pub fn with_rate_limit(mut self, rate_limit: RateLimitConfig) -> Self {
715 self.rate_limit = Some(rate_limit);
716 self
717 }
718}
719
720#[derive(Debug, Clone, serde::Serialize)]
724#[non_exhaustive]
725pub struct ApiKeySummary {
726 pub name: String,
728 pub role: String,
730 pub expires_at: Option<RfcTimestamp>,
733}
734
735#[derive(Debug, Clone, serde::Serialize)]
737#[allow(
738 clippy::struct_excessive_bools,
739 reason = "this is a flat summary of independent auth-method booleans"
740)]
741#[non_exhaustive]
742pub struct AuthConfigSummary {
743 pub enabled: bool,
745 pub bearer: bool,
747 pub mtls: bool,
749 pub oauth: bool,
751 pub api_keys: Vec<ApiKeySummary>,
753}
754
755impl AuthConfig {
756 #[must_use]
758 pub fn summary(&self) -> AuthConfigSummary {
759 AuthConfigSummary {
760 enabled: self.enabled,
761 bearer: !self.api_keys.is_empty(),
762 mtls: self.mtls.is_some(),
763 #[cfg(feature = "oauth")]
764 oauth: self.oauth.is_some(),
765 #[cfg(not(feature = "oauth"))]
766 oauth: false,
767 api_keys: self
768 .api_keys
769 .iter()
770 .map(|k| ApiKeySummary {
771 name: k.name.clone(),
772 role: k.role.clone(),
773 expires_at: k.expires_at,
774 })
775 .collect(),
776 }
777 }
778}
779
780pub(crate) type KeyedLimiter = BoundedKeyedLimiter<IpAddr>;
783
784#[derive(Clone, Debug)]
794#[non_exhaustive]
795pub(crate) struct TlsConnInfo {
796 pub addr: SocketAddr,
798 pub identity: Option<AuthIdentity>,
801}
802
803impl TlsConnInfo {
804 #[must_use]
806 pub(crate) const fn new(addr: SocketAddr, identity: Option<AuthIdentity>) -> Self {
807 Self { addr, identity }
808 }
809}
810
811const DEFAULT_SEEN_IDENTITY_CAP: usize = 4096;
819
820pub(crate) struct SeenIdentitySet {
840 inner: Mutex<SeenInner>,
841}
842
843struct SeenInner {
844 set: HashSet<String>,
845 order: std::collections::VecDeque<String>,
850 cap: usize,
851}
852
853impl SeenIdentitySet {
854 #[must_use]
856 pub(crate) fn new() -> Self {
857 Self::with_cap(DEFAULT_SEEN_IDENTITY_CAP)
858 }
859
860 #[must_use]
863 pub(crate) fn with_cap(cap: usize) -> Self {
864 let cap = cap.max(1);
865 Self {
866 inner: Mutex::new(SeenInner {
867 set: HashSet::with_capacity(cap.min(64)),
868 order: std::collections::VecDeque::with_capacity(cap.min(64)),
869 cap,
870 }),
871 }
872 }
873
874 pub(crate) fn insert_is_first(&self, name: &str) -> bool {
881 let mut guard = self
887 .inner
888 .lock()
889 .unwrap_or_else(std::sync::PoisonError::into_inner);
890
891 if guard.set.contains(name) {
892 return false;
893 }
894 if guard.set.len() >= guard.cap
897 && let Some(evicted) = guard.order.pop_front()
898 {
899 guard.set.remove(&evicted);
900 }
901 let owned = name.to_owned();
902 guard.set.insert(owned.clone());
903 guard.order.push_back(owned);
904 true
905 }
906
907 #[cfg(test)]
909 pub(crate) fn len(&self) -> usize {
910 self.inner
911 .lock()
912 .unwrap_or_else(std::sync::PoisonError::into_inner)
913 .set
914 .len()
915 }
916}
917
918impl Default for SeenIdentitySet {
919 fn default() -> Self {
920 Self::new()
921 }
922}
923
924#[allow(
929 missing_debug_implementations,
930 reason = "contains governor RateLimiter and JwksCache without Debug impls"
931)]
932#[non_exhaustive]
933pub(crate) struct AuthState {
934 pub api_keys: ArcSwap<Vec<ApiKeyEntry>>,
936 pub rate_limiter: Option<Arc<KeyedLimiter>>,
938 pub pre_auth_limiter: Option<Arc<KeyedLimiter>>,
941 #[cfg(feature = "oauth")]
942 pub jwks_cache: Option<Arc<crate::oauth::JwksCache>>,
944 pub seen_identities: SeenIdentitySet,
949 pub counters: AuthCounters,
951}
952
953impl AuthState {
954 pub(crate) fn reload_keys(&self, keys: Vec<ApiKeyEntry>) {
960 let count = keys.len();
961 self.api_keys.store(Arc::new(keys));
962 tracing::info!(keys = count, "API keys reloaded");
963 }
964
965 #[must_use]
967 pub(crate) fn counters_snapshot(&self) -> AuthCountersSnapshot {
968 self.counters.snapshot()
969 }
970
971 #[must_use]
973 pub(crate) fn api_key_summaries(&self) -> Vec<ApiKeySummary> {
974 self.api_keys
975 .load()
976 .iter()
977 .map(|k| ApiKeySummary {
978 name: k.name.clone(),
979 role: k.role.clone(),
980 expires_at: k.expires_at,
981 })
982 .collect()
983 }
984
985 fn log_auth(&self, id: &AuthIdentity, method: &str) {
993 self.counters.record_success(id.method);
994 let first = self.seen_identities.insert_is_first(&id.name);
995 if first {
996 tracing::info!(name = %id.name, role = %id.role, "{method} authenticated");
997 } else {
998 tracing::debug!(name = %id.name, role = %id.role, "{method} authenticated");
999 }
1000 }
1001}
1002
1003const DEFAULT_AUTH_RATE: NonZeroU32 = NonZeroU32::new(30).unwrap();
1006
1007fn apply_burst(quota: governor::Quota, burst: Option<u32>) -> governor::Quota {
1011 match burst.and_then(NonZeroU32::new) {
1012 Some(b) => quota.allow_burst(b),
1013 None => quota,
1014 }
1015}
1016
1017#[must_use]
1019pub(crate) fn build_rate_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1020 let quota = governor::Quota::per_minute(
1021 NonZeroU32::new(config.max_attempts_per_minute).unwrap_or(DEFAULT_AUTH_RATE),
1022 );
1023 let quota = apply_burst(quota, config.burst);
1024 Arc::new(BoundedKeyedLimiter::new(
1025 quota,
1026 config.max_tracked_keys,
1027 config.idle_eviction,
1028 ))
1029}
1030
1031#[must_use]
1038pub(crate) fn build_pre_auth_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1039 let resolved = config.pre_auth_max_per_minute.unwrap_or_else(|| {
1040 config
1041 .max_attempts_per_minute
1042 .saturating_mul(PRE_AUTH_DEFAULT_MULTIPLIER)
1043 });
1044 let quota =
1045 governor::Quota::per_minute(NonZeroU32::new(resolved).unwrap_or(DEFAULT_PRE_AUTH_RATE));
1046 let quota = apply_burst(quota, config.pre_auth_burst);
1047 Arc::new(BoundedKeyedLimiter::new(
1048 quota,
1049 config.max_tracked_keys,
1050 config.idle_eviction,
1051 ))
1052}
1053
1054const PRE_AUTH_DEFAULT_MULTIPLIER: u32 = 10;
1057
1058const DEFAULT_PRE_AUTH_RATE: NonZeroU32 = NonZeroU32::new(300).unwrap();
1062
1063#[must_use]
1068pub fn extract_mtls_identity(cert_der: &[u8], default_role: &str) -> Option<AuthIdentity> {
1069 let (_, cert) = X509Certificate::from_der(cert_der).ok()?;
1070
1071 let cn = cert
1073 .subject()
1074 .iter_common_name()
1075 .next()
1076 .and_then(|attr| attr.as_str().ok())
1077 .map(String::from);
1078
1079 let name = cn.or_else(|| {
1081 cert.subject_alternative_name()
1082 .ok()
1083 .flatten()
1084 .and_then(|san| {
1085 #[allow(
1086 clippy::wildcard_enum_match_arm,
1087 reason = "x509-parser GeneralName is a large external enum; only DNSName is meaningful here"
1088 )]
1089 san.value.general_names.iter().find_map(|gn| match gn {
1090 GeneralName::DNSName(dns) => Some((*dns).to_owned()),
1091 _ => None,
1092 })
1093 })
1094 })?;
1095
1096 if !name
1098 .chars()
1099 .all(|c| c.is_alphanumeric() || matches!(c, '-' | '.' | '_' | '@'))
1100 {
1101 tracing::warn!(cn = %name, "mTLS identity rejected: invalid characters in CN/SAN");
1102 return None;
1103 }
1104
1105 Some(AuthIdentity {
1106 name,
1107 role: default_role.to_owned(),
1108 method: AuthMethod::MtlsCertificate,
1109 raw_token: None,
1110 sub: None,
1111 })
1112}
1113
1114fn extract_bearer(value: &str) -> Option<&str> {
1129 let (scheme, rest) = value.split_once(' ')?;
1130 if scheme.eq_ignore_ascii_case("Bearer") {
1131 let token = rest.trim_start_matches(' ');
1132 if token.is_empty() { None } else { Some(token) }
1133 } else {
1134 None
1135 }
1136}
1137
1138#[must_use]
1167pub fn verify_bearer_token(token: &str, keys: &[ApiKeyEntry]) -> Option<AuthIdentity> {
1168 use subtle::ConstantTimeEq as _;
1169
1170 let now = chrono::Utc::now();
1171 #[allow(
1172 clippy::expect_used,
1173 reason = "DUMMY_PHC_HASH is a static LazyLock built from a fixed Argon2id PHC string by construction; PasswordHash::new on it is infallible. See DUMMY_PHC_HASH definition."
1174 )]
1175 let dummy_hash = PasswordHash::new(&DUMMY_PHC_HASH)
1176 .expect("DUMMY_PHC_HASH is a valid Argon2id PHC string by construction");
1177
1178 let mut matched_index: usize = usize::MAX;
1179 let mut any_match: u8 = 0;
1180
1181 for (idx, key) in keys.iter().enumerate() {
1182 let expired = key.expires_at.is_some_and(|exp| exp.as_datetime() < &now);
1183
1184 let real_hash = PasswordHash::new(&key.hash);
1185 let verify_against = match (&real_hash, expired, any_match) {
1186 (Ok(h), false, 0) => h,
1187 _ => &dummy_hash,
1188 };
1189
1190 let slot_ok = u8::from(
1191 Argon2::default()
1192 .verify_password(token.as_bytes(), verify_against)
1193 .is_ok(),
1194 );
1195
1196 let real_match = slot_ok & u8::from(!expired) & u8::from(real_hash.is_ok());
1197 let first_real_match = real_match & (1 - any_match);
1198 if first_real_match.ct_eq(&1).into() {
1199 matched_index = idx;
1200 }
1201 any_match |= real_match;
1202 }
1203
1204 if any_match == 0 {
1205 return None;
1206 }
1207 let key = keys.get(matched_index)?;
1208 Some(AuthIdentity {
1209 name: key.name.clone(),
1210 role: key.role.clone(),
1211 method: AuthMethod::BearerToken,
1212 raw_token: None,
1213 sub: None,
1214 })
1215}
1216
1217static DUMMY_PHC_HASH: LazyLock<String> = LazyLock::new(|| {
1230 #[allow(
1232 clippy::expect_used,
1233 reason = "fixed 22-char base64 ('AAAA...') decodes to a valid 16-byte salt; SaltString::from_b64 is infallible on this literal"
1234 )]
1235 let salt = SaltString::from_b64("AAAAAAAAAAAAAAAAAAAAAA")
1236 .expect("fixed 16-byte base64 salt is well-formed");
1237 #[allow(
1238 clippy::expect_used,
1239 reason = "Argon2::default() with a fixed plaintext and a well-formed salt is infallible; only fails on bad params/salt"
1240 )]
1241 Argon2::default()
1242 .hash_password(b"rmcp-server-kit-dummy", &salt)
1243 .expect("Argon2 default params hash a fixed plaintext")
1244 .to_string()
1245});
1246
1247pub fn generate_api_key() -> Result<(String, String), McpxError> {
1257 let mut token_bytes = [0u8; 32];
1258 rand::fill(&mut token_bytes);
1259 let token = URL_SAFE_NO_PAD.encode(token_bytes);
1260
1261 let mut salt_bytes = [0u8; 16];
1263 rand::fill(&mut salt_bytes);
1264 let salt = SaltString::encode_b64(&salt_bytes)
1265 .map_err(|e| McpxError::Auth(format!("salt encoding failed: {e}")))?;
1266 let hash = Argon2::default()
1267 .hash_password(token.as_bytes(), &salt)
1268 .map_err(|e| McpxError::Auth(format!("argon2id hashing failed: {e}")))?
1269 .to_string();
1270
1271 Ok((token, hash))
1272}
1273
1274fn build_www_authenticate_value(
1275 advertise_resource_metadata: bool,
1276 failure: AuthFailureClass,
1277) -> String {
1278 let (error, error_description) = failure.bearer_error();
1279 if advertise_resource_metadata {
1280 return format!(
1281 "Bearer resource_metadata=\"/.well-known/oauth-protected-resource\", error=\"{error}\", error_description=\"{error_description}\""
1282 );
1283 }
1284 format!("Bearer error=\"{error}\", error_description=\"{error_description}\"")
1285}
1286
1287fn auth_method_label(method: AuthMethod) -> &'static str {
1288 match method {
1289 AuthMethod::MtlsCertificate => "mTLS",
1290 AuthMethod::BearerToken => "bearer token",
1291 AuthMethod::OAuthJwt => "OAuth JWT",
1292 }
1293}
1294
1295#[cfg_attr(not(feature = "oauth"), allow(unused_variables))]
1296fn unauthorized_response(state: &AuthState, failure_class: AuthFailureClass) -> Response {
1297 #[cfg(feature = "oauth")]
1298 let advertise_resource_metadata = state.jwks_cache.is_some();
1299 #[cfg(not(feature = "oauth"))]
1300 let advertise_resource_metadata = false;
1301
1302 let challenge = build_www_authenticate_value(advertise_resource_metadata, failure_class);
1303 (
1304 axum::http::StatusCode::UNAUTHORIZED,
1305 [(header::WWW_AUTHENTICATE, challenge)],
1306 failure_class.response_body(),
1307 )
1308 .into_response()
1309}
1310
1311async fn authenticate_bearer_identity(
1312 state: &AuthState,
1313 token: &str,
1314) -> Result<AuthIdentity, AuthFailureClass> {
1315 let mut failure_class = AuthFailureClass::MissingCredential;
1316
1317 #[cfg(feature = "oauth")]
1318 if let Some(ref cache) = state.jwks_cache
1319 && crate::oauth::looks_like_jwt(token)
1320 {
1321 match cache.validate_token_with_reason(token).await {
1322 Ok(mut id) => {
1323 id.raw_token = Some(SecretString::from(token.to_owned()));
1324 return Ok(id);
1325 }
1326 Err(crate::oauth::JwtValidationFailure::Expired) => {
1327 failure_class = AuthFailureClass::ExpiredCredential;
1328 }
1329 Err(crate::oauth::JwtValidationFailure::Invalid) => {
1330 failure_class = AuthFailureClass::InvalidCredential;
1331 }
1332 }
1333 }
1334
1335 let token = token.to_owned();
1336 let keys = state.api_keys.load_full(); let identity = tokio::task::spawn_blocking(move || verify_bearer_token(&token, &keys))
1340 .await
1341 .ok()
1342 .flatten();
1343
1344 if let Some(id) = identity {
1345 return Ok(id);
1346 }
1347
1348 if failure_class == AuthFailureClass::MissingCredential {
1349 failure_class = AuthFailureClass::InvalidCredential;
1350 }
1351
1352 Err(failure_class)
1353}
1354
1355fn pre_auth_gate(state: &AuthState, client_ip: Option<IpAddr>) -> Option<Response> {
1366 let limiter = state.pre_auth_limiter.as_ref()?;
1367 let ip = client_ip?;
1368 let Err(wait) = limiter.check_key_wait(&ip) else {
1369 return None;
1370 };
1371 state.counters.record_failure(AuthFailureClass::PreAuthGate);
1372 tracing::warn!(
1373 %ip,
1374 "auth rate limited by pre-auth gate (request rejected before credential verification)"
1375 );
1376 Some(
1377 McpxError::RateLimitedFor {
1378 message: "too many unauthenticated requests from this source".into(),
1379 retry_after: wait,
1380 }
1381 .into_response(),
1382 )
1383}
1384
1385pub(crate) async fn auth_middleware(
1394 state: Arc<AuthState>,
1395 req: Request<Body>,
1396 next: Next,
1397) -> Response {
1398 let tls_info = req.extensions().get::<ConnectInfo<TlsConnInfo>>().cloned();
1404 let client_ip = crate::transport::limiter_client_ip(req.extensions());
1405
1406 if let Some(id) = tls_info.and_then(|ci| ci.0.identity) {
1413 state.log_auth(&id, "mTLS");
1414 let mut req = req;
1415 req.extensions_mut().insert(id);
1416 return next.run(req).await;
1417 }
1418
1419 if let Some(blocked) = pre_auth_gate(&state, client_ip) {
1423 return blocked;
1424 }
1425
1426 let failure_class = if let Some(value) = req.headers().get(header::AUTHORIZATION) {
1427 match value.to_str().ok().and_then(extract_bearer) {
1428 Some(token) => match authenticate_bearer_identity(&state, token).await {
1429 Ok(id) => {
1430 state.log_auth(&id, auth_method_label(id.method));
1431 let mut req = req;
1432 req.extensions_mut().insert(id);
1433 return next.run(req).await;
1434 }
1435 Err(class) => class,
1436 },
1437 None => AuthFailureClass::InvalidCredential,
1438 }
1439 } else {
1440 AuthFailureClass::MissingCredential
1441 };
1442
1443 tracing::warn!(failure_class = %failure_class.as_str(), "auth failed");
1444
1445 if let (Some(limiter), Some(ip)) = (&state.rate_limiter, client_ip)
1448 && let Err(wait) = limiter.check_key_wait(&ip)
1449 {
1450 state.counters.record_failure(AuthFailureClass::RateLimited);
1451 tracing::warn!(%ip, "auth rate limited after repeated failures");
1452 return McpxError::RateLimitedFor {
1453 message: "too many failed authentication attempts".into(),
1454 retry_after: wait,
1455 }
1456 .into_response();
1457 }
1458
1459 state.counters.record_failure(failure_class);
1460 unauthorized_response(&state, failure_class)
1461}
1462
1463#[cfg(test)]
1464mod tests {
1465 use super::*;
1466
1467 #[test]
1468 fn generate_and_verify_api_key() {
1469 let (token, hash) = generate_api_key().unwrap();
1470
1471 assert_eq!(token.len(), 43);
1473
1474 assert!(hash.starts_with("$argon2id$"));
1476
1477 let keys = vec![ApiKeyEntry {
1479 name: "test".into(),
1480 hash,
1481 role: "viewer".into(),
1482 expires_at: None,
1483 }];
1484 let id = verify_bearer_token(&token, &keys);
1485 assert!(id.is_some());
1486 let id = id.unwrap();
1487 assert_eq!(id.name, "test");
1488 assert_eq!(id.role, "viewer");
1489 assert_eq!(id.method, AuthMethod::BearerToken);
1490 }
1491
1492 #[test]
1493 fn wrong_token_rejected() {
1494 let (_token, hash) = generate_api_key().unwrap();
1495 let keys = vec![ApiKeyEntry {
1496 name: "test".into(),
1497 hash,
1498 role: "viewer".into(),
1499 expires_at: None,
1500 }];
1501 assert!(verify_bearer_token("wrong-token", &keys).is_none());
1502 }
1503
1504 #[test]
1505 fn expired_key_rejected() {
1506 let (token, hash) = generate_api_key().unwrap();
1507 let keys = vec![ApiKeyEntry {
1508 name: "test".into(),
1509 hash,
1510 role: "viewer".into(),
1511 expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1512 }];
1513 assert!(verify_bearer_token(&token, &keys).is_none());
1514 }
1515
1516 #[test]
1517 fn match_in_last_slot_still_authenticates() {
1518 let (token, hash) = generate_api_key().unwrap();
1519 let (_other_token, other_hash) = generate_api_key().unwrap();
1520 let keys = vec![
1521 ApiKeyEntry {
1522 name: "first".into(),
1523 hash: other_hash.clone(),
1524 role: "viewer".into(),
1525 expires_at: None,
1526 },
1527 ApiKeyEntry {
1528 name: "second".into(),
1529 hash: other_hash,
1530 role: "viewer".into(),
1531 expires_at: None,
1532 },
1533 ApiKeyEntry {
1534 name: "match".into(),
1535 hash,
1536 role: "ops".into(),
1537 expires_at: None,
1538 },
1539 ];
1540 let id = verify_bearer_token(&token, &keys).expect("last-slot match must authenticate");
1541 assert_eq!(id.name, "match");
1542 assert_eq!(id.role, "ops");
1543 }
1544
1545 #[test]
1546 fn expired_slot_before_valid_match_does_not_short_circuit() {
1547 let (token, hash) = generate_api_key().unwrap();
1548 let (_, other_hash) = generate_api_key().unwrap();
1549 let keys = vec![
1550 ApiKeyEntry {
1551 name: "expired".into(),
1552 hash: other_hash,
1553 role: "viewer".into(),
1554 expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1555 },
1556 ApiKeyEntry {
1557 name: "valid".into(),
1558 hash,
1559 role: "ops".into(),
1560 expires_at: None,
1561 },
1562 ];
1563 let id = verify_bearer_token(&token, &keys)
1564 .expect("valid slot following an expired slot must authenticate");
1565 assert_eq!(id.name, "valid");
1566 }
1567
1568 #[test]
1569 fn malformed_hash_slot_does_not_short_circuit() {
1570 let (token, hash) = generate_api_key().unwrap();
1571 let keys = vec![
1572 ApiKeyEntry {
1573 name: "broken".into(),
1574 hash: "this-is-not-a-phc-string".into(),
1575 role: "viewer".into(),
1576 expires_at: None,
1577 },
1578 ApiKeyEntry {
1579 name: "valid".into(),
1580 hash,
1581 role: "ops".into(),
1582 expires_at: None,
1583 },
1584 ];
1585 let id = verify_bearer_token(&token, &keys)
1586 .expect("valid slot following a malformed-hash slot must authenticate");
1587 assert_eq!(id.name, "valid");
1588 }
1589
1590 #[test]
1601 fn rfc_timestamp_parse_rejects_malformed() {
1602 for bad in [
1603 "not-a-date",
1604 "",
1605 "2025-13-01T00:00:00Z", "2025-01-32T00:00:00Z", "2025-01-01T00:00:00", "01/01/2025", "2025-01-01T25:00:00Z", ] {
1611 assert!(
1612 RfcTimestamp::parse(bad).is_err(),
1613 "RfcTimestamp::parse must reject {bad:?}"
1614 );
1615 }
1616 }
1617
1618 #[test]
1619 fn rfc_timestamp_parse_accepts_valid() {
1620 for good in [
1621 "2025-01-01T00:00:00Z",
1622 "2025-01-01T00:00:00+00:00",
1623 "2025-12-31T23:59:59-08:00",
1624 "2099-01-01T00:00:00.123456789Z",
1625 ] {
1626 assert!(
1627 RfcTimestamp::parse(good).is_ok(),
1628 "RfcTimestamp::parse must accept {good:?}"
1629 );
1630 }
1631 }
1632
1633 #[test]
1634 fn api_key_entry_deserialize_rejects_malformed_expires_at() {
1635 let toml = r#"
1640 name = "bad-key"
1641 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1642 role = "viewer"
1643 expires_at = "not-a-date"
1644 "#;
1645 let result: Result<ApiKeyEntry, _> = toml::from_str(toml);
1646 assert!(
1647 result.is_err(),
1648 "deserialization must reject malformed expires_at"
1649 );
1650 }
1651
1652 #[test]
1653 fn api_key_entry_deserialize_accepts_valid_expires_at() {
1654 let toml = r#"
1655 name = "good-key"
1656 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1657 role = "viewer"
1658 expires_at = "2099-01-01T00:00:00Z"
1659 "#;
1660 let entry: ApiKeyEntry = toml::from_str(toml).expect("valid RFC 3339 must deserialize");
1661 assert!(entry.expires_at.is_some());
1662 }
1663
1664 #[test]
1665 fn api_key_entry_deserialize_accepts_missing_expires_at() {
1666 let toml = r#"
1669 name = "eternal-key"
1670 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1671 role = "viewer"
1672 "#;
1673 let entry: ApiKeyEntry = toml::from_str(toml).expect("missing expires_at must deserialize");
1674 assert!(entry.expires_at.is_none());
1675 }
1676
1677 #[test]
1678 fn try_with_expiry_rejects_malformed() {
1679 let entry = ApiKeyEntry::new("k", "hash", "viewer");
1680 assert!(entry.try_with_expiry("not-a-date").is_err());
1681 }
1682
1683 #[test]
1684 fn try_with_expiry_accepts_valid() {
1685 let entry = ApiKeyEntry::new("k", "hash", "viewer")
1686 .try_with_expiry("2099-01-01T00:00:00Z")
1687 .expect("valid RFC 3339 must be accepted");
1688 assert!(entry.expires_at.is_some());
1689 }
1690
1691 #[test]
1692 fn api_key_summary_serializes_expires_at_as_rfc3339() {
1693 let summary = ApiKeySummary {
1698 name: "k".into(),
1699 role: "viewer".into(),
1700 expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
1701 };
1702 let json = serde_json::to_string(&summary).unwrap();
1703 assert!(
1704 json.contains(r#""expires_at":"2030-01-01T00:00:00+00:00""#),
1705 "wire format regressed: {json}"
1706 );
1707 }
1708
1709 #[test]
1710 fn future_expiry_accepted() {
1711 let (token, hash) = generate_api_key().unwrap();
1712 let keys = vec![ApiKeyEntry {
1713 name: "test".into(),
1714 hash,
1715 role: "viewer".into(),
1716 expires_at: Some(RfcTimestamp::parse("2099-01-01T00:00:00Z").unwrap()),
1717 }];
1718 assert!(verify_bearer_token(&token, &keys).is_some());
1719 }
1720
1721 #[test]
1722 fn multiple_keys_first_match_wins() {
1723 let (token, hash) = generate_api_key().unwrap();
1724 let keys = vec![
1725 ApiKeyEntry {
1726 name: "wrong".into(),
1727 hash: "$argon2id$v=19$m=19456,t=2,p=1$invalid$invalid".into(),
1728 role: "ops".into(),
1729 expires_at: None,
1730 },
1731 ApiKeyEntry {
1732 name: "correct".into(),
1733 hash,
1734 role: "deploy".into(),
1735 expires_at: None,
1736 },
1737 ];
1738 let id = verify_bearer_token(&token, &keys).unwrap();
1739 assert_eq!(id.name, "correct");
1740 assert_eq!(id.role, "deploy");
1741 }
1742
1743 #[test]
1744 fn rate_limiter_allows_within_quota() {
1745 let config = RateLimitConfig {
1746 max_attempts_per_minute: 5,
1747 pre_auth_max_per_minute: None,
1748 max_tracked_keys: default_max_tracked_keys(),
1749 idle_eviction: default_idle_eviction(),
1750 burst: None,
1751 pre_auth_burst: None,
1752 };
1753 let limiter = build_rate_limiter(&config);
1754 let ip: IpAddr = "10.0.0.1".parse().unwrap();
1755
1756 for _ in 0..5 {
1758 assert!(limiter.check_key(&ip).is_ok());
1759 }
1760 assert!(limiter.check_key(&ip).is_err());
1762 }
1763
1764 #[test]
1765 fn rate_limiter_separate_ips() {
1766 let config = RateLimitConfig {
1767 max_attempts_per_minute: 2,
1768 pre_auth_max_per_minute: None,
1769 max_tracked_keys: default_max_tracked_keys(),
1770 idle_eviction: default_idle_eviction(),
1771 burst: None,
1772 pre_auth_burst: None,
1773 };
1774 let limiter = build_rate_limiter(&config);
1775 let ip1: IpAddr = "10.0.0.1".parse().unwrap();
1776 let ip2: IpAddr = "10.0.0.2".parse().unwrap();
1777
1778 assert!(limiter.check_key(&ip1).is_ok());
1780 assert!(limiter.check_key(&ip1).is_ok());
1781 assert!(limiter.check_key(&ip1).is_err());
1782
1783 assert!(limiter.check_key(&ip2).is_ok());
1785 }
1786
1787 #[test]
1788 fn extract_mtls_identity_from_cn() {
1789 let mut params = rcgen::CertificateParams::new(vec!["test-client.local".into()]).unwrap();
1791 params.distinguished_name = rcgen::DistinguishedName::new();
1792 params
1793 .distinguished_name
1794 .push(rcgen::DnType::CommonName, "test-client");
1795 let cert = params
1796 .self_signed(&rcgen::KeyPair::generate().unwrap())
1797 .unwrap();
1798 let der = cert.der();
1799
1800 let id = extract_mtls_identity(der, "ops").unwrap();
1801 assert_eq!(id.name, "test-client");
1802 assert_eq!(id.role, "ops");
1803 assert_eq!(id.method, AuthMethod::MtlsCertificate);
1804 }
1805
1806 #[test]
1807 fn extract_mtls_identity_falls_back_to_san() {
1808 let mut params =
1810 rcgen::CertificateParams::new(vec!["san-only.example.com".into()]).unwrap();
1811 params.distinguished_name = rcgen::DistinguishedName::new();
1812 let cert = params
1814 .self_signed(&rcgen::KeyPair::generate().unwrap())
1815 .unwrap();
1816 let der = cert.der();
1817
1818 let id = extract_mtls_identity(der, "viewer").unwrap();
1819 assert_eq!(id.name, "san-only.example.com");
1820 assert_eq!(id.role, "viewer");
1821 }
1822
1823 #[test]
1824 fn extract_mtls_identity_invalid_der() {
1825 assert!(extract_mtls_identity(b"not-a-cert", "viewer").is_none());
1826 }
1827
1828 use axum::{
1831 body::Body,
1832 http::{Request, StatusCode},
1833 };
1834 use tower::ServiceExt as _;
1835
1836 fn auth_router(state: Arc<AuthState>) -> axum::Router {
1837 axum::Router::new()
1838 .route("/mcp", axum::routing::post(|| async { "ok" }))
1839 .layer(axum::middleware::from_fn(move |req, next| {
1840 let s = Arc::clone(&state);
1841 auth_middleware(s, req, next)
1842 }))
1843 }
1844
1845 fn test_auth_state(keys: Vec<ApiKeyEntry>) -> Arc<AuthState> {
1846 Arc::new(AuthState {
1847 api_keys: ArcSwap::new(Arc::new(keys)),
1848 rate_limiter: None,
1849 pre_auth_limiter: None,
1850 #[cfg(feature = "oauth")]
1851 jwks_cache: None,
1852 seen_identities: SeenIdentitySet::new(),
1853 counters: AuthCounters::default(),
1854 })
1855 }
1856
1857 #[tokio::test]
1858 async fn middleware_rejects_no_credentials() {
1859 let state = test_auth_state(vec![]);
1860 let app = auth_router(Arc::clone(&state));
1861 let req = Request::builder()
1862 .method(axum::http::Method::POST)
1863 .uri("/mcp")
1864 .body(Body::empty())
1865 .unwrap();
1866 let resp = app.oneshot(req).await.unwrap();
1867 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1868 let challenge = resp
1869 .headers()
1870 .get(header::WWW_AUTHENTICATE)
1871 .unwrap()
1872 .to_str()
1873 .unwrap();
1874 assert!(challenge.contains("error=\"invalid_request\""));
1875
1876 let counters = state.counters_snapshot();
1877 assert_eq!(counters.failure_missing_credential, 1);
1878 }
1879
1880 #[tokio::test]
1881 async fn middleware_accepts_valid_bearer() {
1882 let (token, hash) = generate_api_key().unwrap();
1883 let keys = vec![ApiKeyEntry {
1884 name: "test-key".into(),
1885 hash,
1886 role: "ops".into(),
1887 expires_at: None,
1888 }];
1889 let state = test_auth_state(keys);
1890 let app = auth_router(Arc::clone(&state));
1891 let req = Request::builder()
1892 .method(axum::http::Method::POST)
1893 .uri("/mcp")
1894 .header("authorization", format!("Bearer {token}"))
1895 .body(Body::empty())
1896 .unwrap();
1897 let resp = app.oneshot(req).await.unwrap();
1898 assert_eq!(resp.status(), StatusCode::OK);
1899
1900 let counters = state.counters_snapshot();
1901 assert_eq!(counters.success_bearer, 1);
1902 }
1903
1904 #[tokio::test]
1905 async fn middleware_rejects_wrong_bearer() {
1906 let (_token, hash) = generate_api_key().unwrap();
1907 let keys = vec![ApiKeyEntry {
1908 name: "test-key".into(),
1909 hash,
1910 role: "ops".into(),
1911 expires_at: None,
1912 }];
1913 let state = test_auth_state(keys);
1914 let app = auth_router(Arc::clone(&state));
1915 let req = Request::builder()
1916 .method(axum::http::Method::POST)
1917 .uri("/mcp")
1918 .header("authorization", "Bearer wrong-token-here")
1919 .body(Body::empty())
1920 .unwrap();
1921 let resp = app.oneshot(req).await.unwrap();
1922 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1923 let challenge = resp
1924 .headers()
1925 .get(header::WWW_AUTHENTICATE)
1926 .unwrap()
1927 .to_str()
1928 .unwrap();
1929 assert!(challenge.contains("error=\"invalid_token\""));
1930
1931 let counters = state.counters_snapshot();
1932 assert_eq!(counters.failure_invalid_credential, 1);
1933 }
1934
1935 #[tokio::test]
1936 async fn middleware_rate_limits() {
1937 let state = Arc::new(AuthState {
1938 api_keys: ArcSwap::new(Arc::new(vec![])),
1939 rate_limiter: Some(build_rate_limiter(&RateLimitConfig {
1940 max_attempts_per_minute: 1,
1941 pre_auth_max_per_minute: None,
1942 max_tracked_keys: default_max_tracked_keys(),
1943 idle_eviction: default_idle_eviction(),
1944 burst: None,
1945 pre_auth_burst: None,
1946 })),
1947 pre_auth_limiter: None,
1948 #[cfg(feature = "oauth")]
1949 jwks_cache: None,
1950 seen_identities: SeenIdentitySet::new(),
1951 counters: AuthCounters::default(),
1952 });
1953 let app = auth_router(state);
1954
1955 let req = Request::builder()
1957 .method(axum::http::Method::POST)
1958 .uri("/mcp")
1959 .body(Body::empty())
1960 .unwrap();
1961 let resp = app.clone().oneshot(req).await.unwrap();
1962 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1963
1964 }
1969
1970 #[test]
1976 fn rate_limit_semantics_failed_only() {
1977 let config = RateLimitConfig {
1978 max_attempts_per_minute: 3,
1979 pre_auth_max_per_minute: None,
1980 max_tracked_keys: default_max_tracked_keys(),
1981 idle_eviction: default_idle_eviction(),
1982 burst: None,
1983 pre_auth_burst: None,
1984 };
1985 let limiter = build_rate_limiter(&config);
1986 let ip: IpAddr = "192.168.1.100".parse().unwrap();
1987
1988 assert!(
1990 limiter.check_key(&ip).is_ok(),
1991 "failure 1 should be allowed"
1992 );
1993 assert!(
1994 limiter.check_key(&ip).is_ok(),
1995 "failure 2 should be allowed"
1996 );
1997 assert!(
1998 limiter.check_key(&ip).is_ok(),
1999 "failure 3 should be allowed"
2000 );
2001 assert!(
2002 limiter.check_key(&ip).is_err(),
2003 "failure 4 should be blocked"
2004 );
2005
2006 }
2015
2016 #[test]
2021 fn pre_auth_default_multiplier_is_10x() {
2022 let config = RateLimitConfig {
2023 max_attempts_per_minute: 5,
2024 pre_auth_max_per_minute: None,
2025 max_tracked_keys: default_max_tracked_keys(),
2026 idle_eviction: default_idle_eviction(),
2027 burst: None,
2028 pre_auth_burst: None,
2029 };
2030 let limiter = build_pre_auth_limiter(&config);
2031 let ip: IpAddr = "10.0.0.1".parse().unwrap();
2032
2033 for i in 0..50 {
2035 assert!(
2036 limiter.check_key(&ip).is_ok(),
2037 "pre-auth attempt {i} (of expected 50) should be allowed under default 10x multiplier"
2038 );
2039 }
2040 assert!(
2042 limiter.check_key(&ip).is_err(),
2043 "pre-auth attempt 51 should be blocked (quota is 50, not unbounded)"
2044 );
2045 }
2046
2047 #[test]
2050 fn pre_auth_explicit_override_wins() {
2051 let config = RateLimitConfig {
2052 max_attempts_per_minute: 100, pre_auth_max_per_minute: Some(2), max_tracked_keys: default_max_tracked_keys(),
2055 idle_eviction: default_idle_eviction(),
2056 burst: None,
2057 pre_auth_burst: None,
2058 };
2059 let limiter = build_pre_auth_limiter(&config);
2060 let ip: IpAddr = "10.0.0.2".parse().unwrap();
2061
2062 assert!(limiter.check_key(&ip).is_ok(), "attempt 1 allowed");
2063 assert!(limiter.check_key(&ip).is_ok(), "attempt 2 allowed");
2064 assert!(
2065 limiter.check_key(&ip).is_err(),
2066 "attempt 3 must be blocked (explicit override of 2 wins over 10x default of 1000)"
2067 );
2068 }
2069
2070 #[test]
2072 fn pre_auth_gate_deny_sets_retry_after() {
2073 let config = RateLimitConfig::new(100).with_pre_auth_max_per_minute(1);
2074 let state = AuthState {
2075 api_keys: ArcSwap::new(Arc::new(vec![])),
2076 rate_limiter: None,
2077 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2078 #[cfg(feature = "oauth")]
2079 jwks_cache: None,
2080 seen_identities: SeenIdentitySet::new(),
2081 counters: AuthCounters::default(),
2082 };
2083 let ip: IpAddr = "10.7.7.7".parse().unwrap();
2084 assert!(
2085 pre_auth_gate(&state, Some(ip)).is_none(),
2086 "first request within quota"
2087 );
2088 let resp = pre_auth_gate(&state, Some(ip)).expect("second request must be gated");
2089 assert_eq!(resp.status(), StatusCode::TOO_MANY_REQUESTS);
2090 let retry_after = resp
2091 .headers()
2092 .get(header::RETRY_AFTER)
2093 .expect("Retry-After present")
2094 .to_str()
2095 .unwrap()
2096 .parse::<u64>()
2097 .unwrap();
2098 assert!(retry_after >= 1, "delta-seconds must be >= 1");
2099 }
2100
2101 #[test]
2103 fn post_failure_limiter_burst_allows_initial_spike() {
2104 let config = RateLimitConfig::new(1).with_burst(3);
2105 let limiter = build_rate_limiter(&config);
2106 let ip: IpAddr = "10.6.6.6".parse().unwrap();
2107 for i in 0..3 {
2108 assert!(limiter.check_key(&ip).is_ok(), "burst attempt {i}");
2109 }
2110 assert!(
2111 limiter.check_key(&ip).is_err(),
2112 "attempt 4 must exceed the burst bucket"
2113 );
2114 }
2115
2116 #[tokio::test]
2122 async fn pre_auth_gate_blocks_before_argon2_verification() {
2123 let (_token, hash) = generate_api_key().unwrap();
2124 let keys = vec![ApiKeyEntry {
2125 name: "test-key".into(),
2126 hash,
2127 role: "ops".into(),
2128 expires_at: None,
2129 }];
2130 let config = RateLimitConfig {
2131 max_attempts_per_minute: 100,
2132 pre_auth_max_per_minute: Some(1),
2133 max_tracked_keys: default_max_tracked_keys(),
2134 idle_eviction: default_idle_eviction(),
2135 burst: None,
2136 pre_auth_burst: None,
2137 };
2138 let state = Arc::new(AuthState {
2139 api_keys: ArcSwap::new(Arc::new(keys)),
2140 rate_limiter: None,
2141 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2142 #[cfg(feature = "oauth")]
2143 jwks_cache: None,
2144 seen_identities: SeenIdentitySet::new(),
2145 counters: AuthCounters::default(),
2146 });
2147 let app = auth_router(Arc::clone(&state));
2148 let peer: SocketAddr = "10.0.0.10:54321".parse().unwrap();
2149
2150 let mut req1 = Request::builder()
2153 .method(axum::http::Method::POST)
2154 .uri("/mcp")
2155 .header("authorization", "Bearer obviously-not-a-real-token")
2156 .body(Body::empty())
2157 .unwrap();
2158 req1.extensions_mut().insert(ConnectInfo(peer));
2159 let resp1 = app.clone().oneshot(req1).await.unwrap();
2160 assert_eq!(
2161 resp1.status(),
2162 StatusCode::UNAUTHORIZED,
2163 "first attempt: gate has quota, falls through to bearer auth which fails with 401"
2164 );
2165
2166 let mut req2 = Request::builder()
2169 .method(axum::http::Method::POST)
2170 .uri("/mcp")
2171 .header("authorization", "Bearer also-not-a-real-token")
2172 .body(Body::empty())
2173 .unwrap();
2174 req2.extensions_mut().insert(ConnectInfo(peer));
2175 let resp2 = app.oneshot(req2).await.unwrap();
2176 assert_eq!(
2177 resp2.status(),
2178 StatusCode::TOO_MANY_REQUESTS,
2179 "second attempt from same IP: pre-auth gate must reject with 429"
2180 );
2181
2182 let counters = state.counters_snapshot();
2183 assert_eq!(
2184 counters.failure_pre_auth_gate, 1,
2185 "exactly one request must have been rejected by the pre-auth gate"
2186 );
2187 assert_eq!(
2191 counters.failure_invalid_credential, 1,
2192 "bearer verification must run exactly once (only the un-gated first request)"
2193 );
2194 }
2195
2196 #[tokio::test]
2203 async fn pre_auth_gate_does_not_throttle_mtls() {
2204 let config = RateLimitConfig {
2205 max_attempts_per_minute: 100,
2206 pre_auth_max_per_minute: Some(1), max_tracked_keys: default_max_tracked_keys(),
2208 idle_eviction: default_idle_eviction(),
2209 burst: None,
2210 pre_auth_burst: None,
2211 };
2212 let state = Arc::new(AuthState {
2213 api_keys: ArcSwap::new(Arc::new(vec![])),
2214 rate_limiter: None,
2215 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2216 #[cfg(feature = "oauth")]
2217 jwks_cache: None,
2218 seen_identities: SeenIdentitySet::new(),
2219 counters: AuthCounters::default(),
2220 });
2221 let app = auth_router(Arc::clone(&state));
2222 let peer: SocketAddr = "10.0.0.20:54321".parse().unwrap();
2223 let identity = AuthIdentity {
2224 name: "cn=test-client".into(),
2225 role: "viewer".into(),
2226 method: AuthMethod::MtlsCertificate,
2227 raw_token: None,
2228 sub: None,
2229 };
2230 let tls_info = TlsConnInfo::new(peer, Some(identity));
2231
2232 for i in 0..3 {
2233 let mut req = Request::builder()
2234 .method(axum::http::Method::POST)
2235 .uri("/mcp")
2236 .body(Body::empty())
2237 .unwrap();
2238 req.extensions_mut().insert(ConnectInfo(tls_info.clone()));
2239 let resp = app.clone().oneshot(req).await.unwrap();
2240 assert_eq!(
2241 resp.status(),
2242 StatusCode::OK,
2243 "mTLS request {i} must succeed: pre-auth gate must not apply to mTLS callers"
2244 );
2245 }
2246
2247 let counters = state.counters_snapshot();
2248 assert_eq!(
2249 counters.failure_pre_auth_gate, 0,
2250 "pre-auth gate counter must remain at zero: mTLS bypasses the gate"
2251 );
2252 assert_eq!(
2253 counters.success_mtls, 3,
2254 "all three mTLS requests must have been counted as successful"
2255 );
2256 }
2257
2258 #[test]
2263 fn extract_bearer_accepts_canonical_case() {
2264 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2265 }
2266
2267 #[test]
2268 fn extract_bearer_is_case_insensitive_per_rfc7235() {
2269 for header in &[
2273 "bearer abc123",
2274 "BEARER abc123",
2275 "BeArEr abc123",
2276 "bEaReR abc123",
2277 ] {
2278 assert_eq!(
2279 extract_bearer(header),
2280 Some("abc123"),
2281 "header {header:?} must parse as a Bearer token (RFC 7235 §2.1)"
2282 );
2283 }
2284 }
2285
2286 #[test]
2287 fn extract_bearer_rejects_other_schemes() {
2288 assert_eq!(extract_bearer("Basic dXNlcjpwYXNz"), None);
2289 assert_eq!(extract_bearer("Digest username=\"x\""), None);
2290 assert_eq!(extract_bearer("Token abc123"), None);
2291 }
2292
2293 #[test]
2294 fn extract_bearer_rejects_malformed() {
2295 assert_eq!(extract_bearer(""), None);
2297 assert_eq!(extract_bearer("Bearer"), None);
2298 assert_eq!(extract_bearer("Bearer "), None);
2299 assert_eq!(extract_bearer("Bearer "), None);
2300 }
2301
2302 #[test]
2303 fn extract_bearer_tolerates_extra_separator_whitespace() {
2304 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2306 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2307 }
2308
2309 #[test]
2315 fn auth_identity_debug_redacts_raw_token() {
2316 let id = AuthIdentity {
2317 name: "alice".into(),
2318 role: "admin".into(),
2319 method: AuthMethod::OAuthJwt,
2320 raw_token: Some(SecretString::from("super-secret-jwt-payload-xyz")),
2321 sub: Some("keycloak-uuid-2f3c8b".into()),
2322 };
2323 let dbg = format!("{id:?}");
2324
2325 assert!(dbg.contains("alice"), "name should be visible: {dbg}");
2327 assert!(dbg.contains("admin"), "role should be visible: {dbg}");
2328 assert!(dbg.contains("OAuthJwt"), "method should be visible: {dbg}");
2329
2330 assert!(
2332 !dbg.contains("super-secret-jwt-payload-xyz"),
2333 "raw_token must be redacted in Debug output: {dbg}"
2334 );
2335 assert!(
2336 !dbg.contains("keycloak-uuid-2f3c8b"),
2337 "sub must be redacted in Debug output: {dbg}"
2338 );
2339 assert!(
2340 dbg.contains("<redacted>"),
2341 "redaction marker missing: {dbg}"
2342 );
2343 }
2344
2345 #[test]
2346 fn auth_identity_debug_marks_absent_secrets() {
2347 let id = AuthIdentity {
2350 name: "viewer-key".into(),
2351 role: "viewer".into(),
2352 method: AuthMethod::BearerToken,
2353 raw_token: None,
2354 sub: None,
2355 };
2356 let dbg = format!("{id:?}");
2357 assert!(
2358 dbg.contains("<none>"),
2359 "absent secrets should be marked: {dbg}"
2360 );
2361 assert!(
2362 !dbg.contains("<redacted>"),
2363 "no <redacted> marker when secrets are absent: {dbg}"
2364 );
2365 }
2366
2367 #[test]
2368 fn api_key_entry_debug_redacts_hash() {
2369 let entry = ApiKeyEntry {
2370 name: "viewer-key".into(),
2371 hash: "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$h4sh3dPa55w0rd".into(),
2373 role: "viewer".into(),
2374 expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
2375 };
2376 let dbg = format!("{entry:?}");
2377
2378 assert!(dbg.contains("viewer-key"));
2380 assert!(dbg.contains("viewer"));
2381 assert!(dbg.contains("2030-01-01T00:00:00+00:00"));
2382
2383 assert!(
2385 !dbg.contains("$argon2id$"),
2386 "argon2 hash leaked into Debug output: {dbg}"
2387 );
2388 assert!(
2389 !dbg.contains("h4sh3dPa55w0rd"),
2390 "hash digest leaked into Debug output: {dbg}"
2391 );
2392 assert!(
2393 dbg.contains("<redacted>"),
2394 "redaction marker missing: {dbg}"
2395 );
2396 }
2397
2398 #[test]
2409 fn auth_failure_class_as_str_exact_strings() {
2410 assert_eq!(
2411 AuthFailureClass::MissingCredential.as_str(),
2412 "missing_credential"
2413 );
2414 assert_eq!(
2415 AuthFailureClass::InvalidCredential.as_str(),
2416 "invalid_credential"
2417 );
2418 assert_eq!(
2419 AuthFailureClass::ExpiredCredential.as_str(),
2420 "expired_credential"
2421 );
2422 assert_eq!(AuthFailureClass::RateLimited.as_str(), "rate_limited");
2423 assert_eq!(AuthFailureClass::PreAuthGate.as_str(), "pre_auth_gate");
2424 }
2425
2426 #[test]
2427 fn auth_failure_class_response_body_exact_strings() {
2428 assert_eq!(
2429 AuthFailureClass::MissingCredential.response_body(),
2430 "unauthorized: missing credential"
2431 );
2432 assert_eq!(
2433 AuthFailureClass::InvalidCredential.response_body(),
2434 "unauthorized: invalid credential"
2435 );
2436 assert_eq!(
2437 AuthFailureClass::ExpiredCredential.response_body(),
2438 "unauthorized: expired credential"
2439 );
2440 assert_eq!(
2441 AuthFailureClass::RateLimited.response_body(),
2442 "rate limited"
2443 );
2444 assert_eq!(
2445 AuthFailureClass::PreAuthGate.response_body(),
2446 "rate limited (pre-auth)"
2447 );
2448 }
2449
2450 #[test]
2451 fn auth_failure_class_bearer_error_exact_strings() {
2452 assert_eq!(
2453 AuthFailureClass::MissingCredential.bearer_error(),
2454 (
2455 "invalid_request",
2456 "missing bearer token or mTLS client certificate"
2457 )
2458 );
2459 assert_eq!(
2460 AuthFailureClass::InvalidCredential.bearer_error(),
2461 ("invalid_token", "token is invalid")
2462 );
2463 assert_eq!(
2464 AuthFailureClass::ExpiredCredential.bearer_error(),
2465 ("invalid_token", "token is expired")
2466 );
2467 assert_eq!(
2468 AuthFailureClass::RateLimited.bearer_error(),
2469 ("invalid_request", "too many failed authentication attempts")
2470 );
2471 assert_eq!(
2472 AuthFailureClass::PreAuthGate.bearer_error(),
2473 (
2474 "invalid_request",
2475 "too many unauthenticated requests from this source"
2476 )
2477 );
2478 }
2479
2480 #[test]
2489 fn auth_config_summary_bearer_true_when_keys_present() {
2490 let (_token, hash) = generate_api_key().unwrap();
2491 let cfg = AuthConfig::with_keys(vec![ApiKeyEntry::new("k", hash, "viewer")]);
2492 let s = cfg.summary();
2493 assert!(s.enabled, "summary.enabled must reflect AuthConfig.enabled");
2494 assert!(
2495 s.bearer,
2496 "summary.bearer must be true when api_keys is non-empty (kills `!` deletion at L615)"
2497 );
2498 assert!(!s.mtls, "summary.mtls must be false when mtls is None");
2499 assert!(!s.oauth, "summary.oauth must be false when oauth is None");
2500 assert_eq!(s.api_keys.len(), 1);
2501 assert_eq!(s.api_keys[0].name, "k");
2502 assert_eq!(s.api_keys[0].role, "viewer");
2503 }
2504
2505 #[test]
2506 fn auth_config_summary_bearer_false_when_no_keys() {
2507 let cfg = AuthConfig::with_keys(vec![]);
2508 let s = cfg.summary();
2509 assert!(
2510 !s.bearer,
2511 "summary.bearer must be false when api_keys is empty (kills `!` deletion at L615)"
2512 );
2513 assert!(s.api_keys.is_empty());
2514 }
2515
2516 #[test]
2517 fn seen_identity_set_first_then_repeat() {
2518 let set = SeenIdentitySet::new();
2519 assert!(set.insert_is_first("alice"), "first sighting is first");
2520 assert!(
2521 !set.insert_is_first("alice"),
2522 "second sighting is not first"
2523 );
2524 assert!(set.insert_is_first("bob"));
2525 assert_eq!(set.len(), 2);
2526 }
2527
2528 #[test]
2529 fn seen_identity_set_evicts_oldest_at_cap() {
2530 let set = SeenIdentitySet::with_cap(2);
2531 assert!(set.insert_is_first("a"));
2532 assert!(set.insert_is_first("b"));
2533 assert!(set.insert_is_first("c"));
2535 assert_eq!(set.len(), 2);
2536 assert!(set.insert_is_first("a"));
2540 assert_eq!(set.len(), 2);
2541 assert!(set.insert_is_first("b"));
2543 for i in 0..32 {
2545 set.insert_is_first(&format!("churn-{i}"));
2546 assert!(set.len() <= 2, "cap invariant must hold");
2547 }
2548 }
2549
2550 #[test]
2551 fn seen_identity_set_cap_zero_is_raised_to_one() {
2552 let set = SeenIdentitySet::with_cap(0);
2553 assert!(set.insert_is_first("only"));
2554 assert_eq!(set.len(), 1);
2555 assert!(set.insert_is_first("next"));
2557 assert_eq!(set.len(), 1);
2558 }
2559
2560 #[test]
2561 fn seen_identity_set_fifo_does_not_refresh_on_repeat_hit() {
2562 let set = SeenIdentitySet::with_cap(2);
2565 assert!(set.insert_is_first("a")); assert!(set.insert_is_first("b")); assert!(!set.insert_is_first("a"));
2571 assert!(set.insert_is_first("c"));
2574 assert!(set.insert_is_first("a"));
2576 let set = SeenIdentitySet::with_cap(2);
2582 assert!(set.insert_is_first("x")); assert!(set.insert_is_first("y")); assert!(!set.insert_is_first("x")); assert!(set.insert_is_first("z")); assert!(
2587 !set.insert_is_first("y"),
2588 "y must still be present (FIFO did not evict it)"
2589 );
2590 assert!(
2591 set.insert_is_first("x"),
2592 "x must have been evicted by FIFO (would NOT have been evicted under LRU)"
2593 );
2594 }
2595}