svc-utils 0.8.0

Bunch of reusable utilities
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

use std::sync::Arc;

use axum::{
    async_trait,
    extract::{Extension, FromRequestParts, Json},
    http::{request::Parts, StatusCode},
};
use svc_agent::{AccountId, AgentId};
use svc_authn::{
    jose::ConfigMap as AuthnConfig, token::jws_compact::extract::decode_jws_compact_with_config,
};
use svc_error::Error;
use tracing::{field, Span};

/// Extracts `AccountId` from "Authorization: Bearer ..." headers.
pub struct AccountIdExtractor(pub AccountId);

#[async_trait]
impl<S: Send + Sync> FromRequestParts<S> for AccountIdExtractor {
    type Rejection = (StatusCode, Json<Error>);

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        use axum::RequestPartsExt;
        let Extension(authn) = parts
            .extract::<Extension<Arc<AuthnConfig>>>()
            .await
            .ok()
            .ok_or((
                StatusCode::UNAUTHORIZED,
                Json(Error::new(
                    "no_authn_config",
                    "No authn config",
                    StatusCode::UNAUTHORIZED,
                )),
            ))?;

        let auth_header = parts
            .headers
            .get("Authorization")
            .and_then(|x| x.to_str().ok())
            .and_then(|x| x.get("Bearer ".len()..));
        let access_token = url::form_urlencoded::parse(parts.uri.query().unwrap_or("").as_bytes())
            .find(|(key, _)| key == "access_token")
            .map(|(_, val)| val);

        let claims = match (auth_header, access_token) {
            (Some(token), _) => decode_jws_compact_with_config::<String>(token, &authn),
            (_, Some(token)) => decode_jws_compact_with_config::<String>(&token, &authn),
            (None, None) => {
                let Extension(application_id) = parts
                    .extract::<Extension<Arc<AccountId>>>()
                    .await
                    .ok()
                    .ok_or((
                        StatusCode::UNAUTHORIZED,
                        Json(Error::new(
                            "no_authentication_token",
                            "No application account id for anonymous access",
                            StatusCode::UNAUTHORIZED,
                        )),
                    ))?;
                let audience = application_id.audience();
                return Ok(Self(AccountId::new("anonymous", audience)));
            }
        }
        .map_err(|e| {
            let err = e.to_string();
            (
                StatusCode::UNAUTHORIZED,
                Json(Error::new(
                    "invalid_authentication",
                    &err,
                    StatusCode::UNAUTHORIZED,
                )),
            )
        })?
        .claims;

        let account_id = AccountId::new(claims.subject(), claims.audience());

        Span::current().record("account_id", &field::display(&account_id));

        Ok(Self(account_id))
    }
}

/// Extracts `AgentId`. User should provide 2 headers to make this work:
///
/// * "Authorization: Bearer <token>"
/// * "X-Agent-Label: <label>"
pub struct AgentIdExtractor(pub AgentId);

#[async_trait]
impl<S: Send + Sync> FromRequestParts<S> for AgentIdExtractor {
    type Rejection = (StatusCode, Json<Error>);

    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        let agent_label = parts
            .headers
            .get("X-Agent-Label")
            .and_then(|x| x.to_str().ok())
            .unwrap_or("http")
            .to_string();

        let AccountIdExtractor(account_id) =
            AccountIdExtractor::from_request_parts(parts, state).await?;

        // TODO: later missing header will be hard error
        // .ok_or((
        //     StatusCode::UNAUTHORIZED,
        //     Json(Error::new(
        //         "invalid_agent_label",
        //         "Invalid agent label",
        //         StatusCode::UNAUTHORIZED,
        //     )),
        // ))?;

        let agent_id = AgentId::new(agent_label, account_id);

        Span::current().record("agent_id", &field::display(&agent_id));

        Ok(Self(agent_id))
    }
}