dwh/

oidc.rs

use std::ops::Deref;
use std::time::Duration;

use chrono::Utc;
use clap::Args;
use oauth2::basic::{BasicErrorResponseType, BasicTokenType};
use oauth2::{
    RefreshToken, RequestTokenError, RevocationErrorResponseType, StandardRevocableToken,
};
use openidconnect::core::{
    CoreAuthDisplay, CoreAuthPrompt, CoreClient, CoreGenderClaim, CoreJsonWebKey,
    CoreJsonWebKeyType, CoreJsonWebKeyUse, CoreJweContentEncryptionAlgorithm,
    CoreJwsSigningAlgorithm, CoreProviderMetadata,
};
use openidconnect::{
    Client, ClientId, ClientSecret, EmptyAdditionalClaims, EmptyExtraTokenFields, IdTokenFields,
    IssuerUrl, OAuth2TokenResponse, ResourceOwnerPassword, ResourceOwnerUsername,
    StandardErrorResponse, StandardTokenIntrospectionResponse, StandardTokenResponse,
};
use reqwest::RequestBuilder;
use serde_with::formats::Flexible;
use serde_with::TimestampSeconds;

use openidconnect::reqwest::async_http_client;
use tokio::sync::Mutex;

use crate::config::DwhConfig;
use crate::jwt::JwtError;
use crate::ReqwestHooks;

#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct OidcConfig {
    pub url: String,
    pub user: String,
    pub password: String,
    pub client_id: String,
    pub client_secret: Option<String>,
}

#[derive(Args, Debug)]
pub struct OidcArgs {
    /// set version manually
    #[arg(
        long,
        env,
        requires("oidc_user"),
        requires("oidc_password"),
        requires("oidc_client_id")
    )]
    oidc_server_url: Option<String>,

    #[arg(long, env)]
    oidc_user: Option<String>,

    #[arg(long, env)]
    oidc_password: Option<String>,

    #[arg(long, env)]
    oidc_client_id: Option<String>,

    #[arg(long, env)]
    oidc_client_secret: Option<String>,

    #[arg(long, env)]
    oidc_profile: Option<String>,
}

impl OidcArgs {
    pub fn oidc_config(&self) -> Option<OidcConfig> {
        if let Some(profile) = self.oidc_profile.clone() {
            match DwhConfig::read() {
                Ok(config) => {
                    let Some(profiles) = config.profiles else {
                        panic!("No Profiles in dwh config")
                    };
                    return profiles.get(&profile).cloned();
                }
                Err(e) => {
                    panic!("failed to read config dwh config file {}", e)
                }
            }
        }
        let Some(url) = self.oidc_server_url.clone() else {
            return None;
        };
        let Some(user) = self.oidc_user.clone() else {
            return None;
        };
        let Some(password) = self.oidc_password.clone() else {
            return None;
        };
        let Some(client_id) = self.oidc_client_id.clone() else {
            return None;
        };
        return Some(OidcConfig {
            url,
            user,
            password,
            client_id,
            client_secret: self.oidc_client_secret.clone(),
        });
    }
}

#[derive(thiserror::Error, Debug)]
pub enum TokenProviderError {
    #[error("The given credentials are not authirzed to create a token. reason: {0}")]
    Unauthorized(String),
    #[error("Failed to retreive a token. Server is not answering")]
    Connection,
    #[error("An unknown Error has Been occurred")]
    Other,
}

#[async_trait::async_trait]
pub trait TokenProvider {
    async fn get_access_token(&self) -> Result<String, TokenProviderError>;
}

type OidcClient = Client<
    EmptyAdditionalClaims,
    CoreAuthDisplay,
    CoreGenderClaim,
    CoreJweContentEncryptionAlgorithm,
    CoreJwsSigningAlgorithm,
    CoreJsonWebKeyType,
    CoreJsonWebKeyUse,
    CoreJsonWebKey,
    CoreAuthPrompt,
    StandardErrorResponse<oauth2::basic::BasicErrorResponseType>,
    StandardTokenResponse<
        IdTokenFields<
            EmptyAdditionalClaims,
            EmptyExtraTokenFields,
            CoreGenderClaim,
            CoreJweContentEncryptionAlgorithm,
            CoreJwsSigningAlgorithm,
            CoreJsonWebKeyType,
        >,
        BasicTokenType,
    >,
    BasicTokenType,
    StandardTokenIntrospectionResponse<EmptyExtraTokenFields, BasicTokenType>,
    StandardRevocableToken,
    StandardErrorResponse<RevocationErrorResponseType>,
>;

type TokenType = StandardTokenResponse<
    IdTokenFields<
        EmptyAdditionalClaims,
        EmptyExtraTokenFields,
        CoreGenderClaim,
        CoreJweContentEncryptionAlgorithm,
        CoreJwsSigningAlgorithm,
        CoreJsonWebKeyType,
    >,
    BasicTokenType,
>;

pub struct Token {
    pub token: String,
    pub claims: Claims,
}

impl Token {
    pub fn expires_soon(&self, min_time_left: Duration) -> bool {
        return chrono::Utc::now() + min_time_left > self.claims.exp;
    }
}

pub struct TokenState {
    pub access_token: Token,
    pub refresh_token: Option<Token>,
}

impl TryFrom<TokenType> for TokenState {
    type Error = JwtError;

    fn try_from(value: TokenType) -> Result<Self, Self::Error> {
        let token = value.access_token().secret();
        let access_token = Token {
            claims: crate::jwt::decode(token)?,
            token: token.to_string(),
        };
        let refresh_token = match value.refresh_token() {
            Some(rt) => {
                let token = rt.secret();
                Some(Token {
                    claims: crate::jwt::decode(token)?,
                    token: token.to_string(),
                })
            }
            None => None,
        };
        Ok(TokenState {
            access_token,
            refresh_token,
        })
    }
}

#[derive(thiserror::Error, Debug)]
pub enum OidcTokenServiceError {
    #[error("failed to request token {0}")]
    RequestTokenError(String),
    #[error("Failed to parse token {0}")]
    JwtError(#[from] JwtError),
}

impl From<OidcTokenServiceError> for TokenProviderError {
    //    fn into(self) -> TokenProviderError {}

    fn from(value: OidcTokenServiceError) -> Self {
        match value {
            OidcTokenServiceError::RequestTokenError(_value) => TokenProviderError::Other,
            OidcTokenServiceError::JwtError(_) => TokenProviderError::Other,
        }
    }
}

pub struct OidcTokenService {
    user: String,
    password: String,
    client: OidcClient,
    token: tokio::sync::Mutex<Option<TokenState>>,
}

impl OidcTokenService {
    pub async fn new(config: OidcConfig) -> anyhow::Result<Self> {
        let provider_metadata =
            CoreProviderMetadata::discover_async(IssuerUrl::new(config.url)?, async_http_client)
                .await?;

        let client = CoreClient::from_provider_metadata(
            provider_metadata,
            ClientId::new(config.client_id.clone()),
            config.client_secret.map(|secret| ClientSecret::new(secret)),
        );

        Ok(Self {
            client,
            user: config.user,
            password: config.password,
            token: Mutex::new(None),
        })
    }

    pub async fn refresh_access_token_with_credentials(
        &self,
    ) -> Result<TokenState, OidcTokenServiceError> {
        let user = ResourceOwnerUsername::new(self.user.clone());
        let password = ResourceOwnerPassword::new(self.password.clone());
        let result = self
            .client
            .exchange_password(&user, &password)
            .request_async(async_http_client)
            .await
            .map_err(|e| OidcTokenServiceError::RequestTokenError(e.to_string()))?;
        //let token = result.access_token().secret();
        Ok(result.try_into()?)
    }
    pub async fn refresh_access_token_with_refresh_token(
        &self,
        refresh_token: String,
    ) -> Result<TokenState, OidcTokenServiceError> {
        let refresh_token = RefreshToken::new(refresh_token);
        Ok(self
            .client
            .exchange_refresh_token(&refresh_token)
            .request_async(async_http_client)
            .await
            .map_err(|e| OidcTokenServiceError::RequestTokenError(e.to_string()))?
            .try_into()?)
    }
}

impl
    From<
        RequestTokenError<
            oauth2::reqwest::Error<reqwest::Error>,
            StandardErrorResponse<BasicErrorResponseType>,
        >,
    > for TokenProviderError
{
    fn from(
        value: RequestTokenError<
            oauth2::reqwest::Error<reqwest::Error>,
            StandardErrorResponse<BasicErrorResponseType>,
        >,
    ) -> Self {
        let response = match value {
            RequestTokenError::ServerResponse(response) => response,
            RequestTokenError::Request(_) => return Self::Connection,
            RequestTokenError::Parse(_, _) => return Self::Other,
            RequestTokenError::Other(_) => return Self::Other,
        };
        Self::Unauthorized(
            response
                .error_description()
                .cloned()
                .unwrap_or("Unknown".to_string()),
        )
    }
}

#[serde_with::serde_as]
#[derive(serde::Deserialize, serde::Serialize)]
pub struct Claims {
    #[serde_as(as = "TimestampSeconds<String, Flexible>")]
    exp: chrono::DateTime<Utc>,
}

#[async_trait::async_trait]
impl TokenProvider for OidcTokenService {
    async fn get_access_token(&self) -> Result<String, TokenProviderError> {
        let mut token_container = self.token.lock().await;
        if let Some(token) = token_container.deref() {
            //we have tokens!
            if !token.access_token.expires_soon(Duration::from_secs(7)) {
                //happy path. we have a token and nobody has a problem
                return Ok(token.access_token.token.clone());
            }
            //do we have a refresh token?
            if let Some(refresh_token) = token.refresh_token.as_ref() {
                // is that refresh_token still valid?
                if !refresh_token.expires_soon(Duration::from_secs(7)) {
                    //use that refresh token to get a new access token
                    let token = self
                        .refresh_access_token_with_refresh_token(refresh_token.token.clone())
                        .await?;
                    let token_string = token.access_token.token.clone();
                    *token_container = Some(token);
                    return Ok(token_string);
                }
            }
        };
        // no token
        // refresh token epxired
        // no refresh token or refresh token expired
        let token = self.refresh_access_token_with_credentials().await?;
        let token_string = token.access_token.token.clone();
        *token_container = Some(token);
        return Ok(token_string);
    }
}

#[async_trait::async_trait]
impl ReqwestHooks for OidcTokenService {
    async fn before_send(&self, req: RequestBuilder) -> crate::Result<RequestBuilder> {
        let token = self.get_access_token().await?;
        let req = req.header("Authorization", format!("Bearer {}", token));
        Ok(req)
    }
}

// #[derive(serde::Serialize, serde::Deserialize)]
// #[serde(untagged)]
// pub enum MacType {
//     Vec(Vec<String>),
//     String(String),
// }

// impl MacType {
//     pub fn into_vec(self) -> Vec<String> {
//         match self {
//             MacType::String(mac) => vec![mac],
//             MacType::Vec(macs) => macs,
//         }
//     }
// }
// #[cfg(test)]
// mod test {
//     use super::MacType;
//     #[test]

//     pub fn test_deserialize() -> anyhow::Result<()> {
//         let t: Vec<String> = serde_json::from_str::<MacType>(r#""00:11:22:33:44:55""#)?.into_vec();
//         assert_eq!(1, t.len());
//         let t: Vec<String> =
//             serde_json::from_str::<MacType>(r#"["00:11:22:33:44:55", "00:11:22:33:44:56"]"#)?
//                 .into_vec();
//         assert_eq!(2, t.len());
//         Ok(())
//     }
// }