tonin-core 0.3.4

Core types for tonin: Service builder, Config, Context, Error, runtime.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131

//! The tower::Layer that runs auth on every inbound request.
//!
//! Pulls a `RawToken` via [`TokenExtractor`] → verifies it via
//! [`TokenVerifier`] → puts the resulting `AuthCtx` into request
//! extensions AND into the [`CURRENT_AUTH`] task-local for the
//! handler's execution.
//!
//! If the extractor returns [`AuthError::MissingToken`] and the layer
//! was configured with `optional = true` (via [`crate::Service::without_auth()`]),
//! it inserts an anonymous `AuthCtx` instead of rejecting. This is the
//! single seam that supports opt-out without forcing handlers to think
//! about it.

use std::sync::Arc;
use std::task::{Context, Poll};

use futures_util::future::BoxFuture;
use http::{Request, Response};
use tonic::Status;
use tonic::body::BoxBody;
use tower::{Layer, Service};

use super::{AuthCtx, AuthError, CURRENT_AUTH, TokenExtractor, TokenVerifier};

/// Layer that installs auth on every incoming request.
#[derive(Clone)]
pub struct AuthLayer {
    extractor: Arc<dyn TokenExtractor>,
    verifier: Arc<dyn TokenVerifier>,
    /// If true, MissingToken → anonymous AuthCtx instead of 401.
    optional: bool,
}

impl AuthLayer {
    pub fn new<E, V>(extractor: E, verifier: V) -> Self
    where
        E: TokenExtractor,
        V: TokenVerifier,
    {
        Self {
            extractor: Arc::new(extractor),
            verifier: Arc::new(verifier),
            optional: false,
        }
    }

    /// Mark the layer as opt-out friendly: missing token → anonymous
    /// AuthCtx, no 401. Used by [`crate::Service::without_auth()`].
    pub fn optional(mut self) -> Self {
        self.optional = true;
        self
    }
}

impl<S> Layer<S> for AuthLayer {
    type Service = AuthService<S>;
    fn layer(&self, inner: S) -> Self::Service {
        AuthService {
            inner,
            extractor: self.extractor.clone(),
            verifier: self.verifier.clone(),
            optional: self.optional,
        }
    }
}

#[derive(Clone)]
pub struct AuthService<S> {
    inner: S,
    extractor: Arc<dyn TokenExtractor>,
    verifier: Arc<dyn TokenVerifier>,
    optional: bool,
}

impl<S> Service<Request<BoxBody>> for AuthService<S>
where
    S: Service<Request<BoxBody>, Response = Response<BoxBody>> + Clone + Send + 'static,
    S::Error: Send + 'static,
    S::Future: Send + 'static,
{
    type Response = Response<BoxBody>;
    type Error = S::Error;
    type Future = BoxFuture<'static, Result<Self::Response, Self::Error>>;

    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
        self.inner.poll_ready(cx)
    }

    fn call(&mut self, mut req: Request<BoxBody>) -> Self::Future {
        let mut inner = self.inner.clone();
        let extractor = self.extractor.clone();
        let verifier = self.verifier.clone();
        let optional = self.optional;

        Box::pin(async move {
            // Build a MetadataMap view over the request headers. The
            // extractor only needs metadata; this keeps the trait
            // dyn-safe (no generic over body type).
            let metadata = metadata_from_headers(req.headers());

            let ctx = match extractor.extract(&metadata) {
                Ok(token) => match verifier.verify(&token).await {
                    Ok(ctx) => ctx,
                    Err(e) => return Ok(error_response(e)),
                },
                Err(AuthError::MissingToken) if optional => AuthCtx::anonymous(),
                Err(e) => return Ok(error_response(e)),
            };

            // Stuff into extensions for `AuthCtx::from(&req)` access.
            req.extensions_mut().insert(ctx.clone());

            // Run the handler with CURRENT_AUTH set so generated clients
            // pick up the caller's identity on outbound calls.
            CURRENT_AUTH.scope(ctx, inner.call(req)).await
        })
    }
}

/// Build a `MetadataMap` view from raw http headers. Tonic's
/// `MetadataMap::from_headers` does this — we just call it.
fn metadata_from_headers(h: &http::HeaderMap) -> tonic::metadata::MetadataMap {
    tonic::metadata::MetadataMap::from_headers(h.clone())
}

/// Encode an `AuthError` as a gRPC status response. tonic 0.12 exposes
/// `Status::into_http()` for this.
fn error_response(e: AuthError) -> Response<BoxBody> {
    let status: Status = e.into();
    status.into_http()
}