1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127

//! The service provider interface (SPI) for auth

use super::UserDetail;
use crate::BoxError;

use async_trait::async_trait;
use std::fmt::{Debug, Formatter};
use thiserror::Error;

/// Defines the requirements for Authentication implementations
#[async_trait]
pub trait Authenticator<User>: Sync + Send + Debug
where
    User: UserDetail,
{
    /// Authenticate the given user with the given credentials.
    async fn authenticate(&self, username: &str, creds: &Credentials) -> Result<User, AuthenticationError>;

    /// Tells whether its OK to not ask for a password when a valid client cert
    /// was presented.
    async fn cert_auth_sufficient(&self, _username: &str) -> bool {
        return false;
    }

    /// Implement to set the name of the authenticator. By default it returns the type signature.
    fn name(&self) -> &str {
        std::any::type_name::<Self>()
    }
}

/// The error type returned by `Authenticator.authenticate`
#[derive(Error, Debug)]
pub enum AuthenticationError {
    /// A bad password was provided
    #[error("bad password")]
    BadPassword,

    /// A bad username was provided
    #[error("bad username")]
    BadUser,

    /// A bad client certificate was presented.
    #[error("bad client certificate")]
    BadCert,

    /// The source IP address was not allowed
    #[error("client IP address not allowed")]
    IpDisallowed,

    /// The certificate CN is not allowed for this user
    #[error("certificate does not match allowed CN for this user")]
    CnDisallowed,

    /// Another issue occurred during the authentication process.
    #[error("authentication error: {0}: {1:?}")]
    ImplPropagated(String, #[source] Option<BoxError>),
}

impl AuthenticationError {
    /// Creates a new domain specific error
    pub fn new(s: impl Into<String>) -> AuthenticationError {
        AuthenticationError::ImplPropagated(s.into(), None)
    }

    /// Creates a new domain specific error with the given source error.
    pub fn with_source<E>(s: impl Into<String>, source: E) -> AuthenticationError
    where
        E: std::error::Error + Send + Sync + 'static,
    {
        AuthenticationError::ImplPropagated(s.into(), Some(Box::new(source)))
    }
}

/// Credentials passed to an [Authenticator](crate::auth::Authenticator)
///
/// [Authenticator](crate::auth::Authenticator) implementations can assume that either `certificate_chain` or `password`
/// will not be `None`.
#[derive(Clone, Debug)]
pub struct Credentials {
    /// The password that the client sent.
    pub password: Option<String>,
    /// DER encoded x509 certificate chain coming from the client.
    pub certificate_chain: Option<Vec<ClientCert>>,
    /// The IP address of the user's connection
    pub source_ip: std::net::IpAddr,
}

impl From<&str> for Credentials {
    fn from(s: &str) -> Self {
        Credentials {
            password: Some(String::from(s)),
            certificate_chain: None,
            source_ip: [127, 0, 0, 1].into(),
        }
    }
}

/// Contains a single DER-encoded X.509 client certificate.
#[derive(Clone, Eq, PartialEq)]
pub struct ClientCert(pub Vec<u8>);

use x509_parser::prelude::parse_x509_certificate;

impl ClientCert {
    /// Returns true if the Common Name from the client certificate matches the allowed_cn
    pub fn verify_cn(&self, allowed_cn: &str) -> Result<bool, std::io::Error> {
        let client_cert = parse_x509_certificate(&self.0);
        let subject = match client_cert {
            Ok(c) => c.1.subject().to_string(),
            Err(e) => return Err(std::io::Error::new(std::io::ErrorKind::Other, e.to_string())),
        };

        Ok(subject.contains(allowed_cn))
    }
}

impl std::fmt::Debug for ClientCert {
    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
        write!(f, "ClientCert(***)")
    }
}

impl AsRef<[u8]> for ClientCert {
    fn as_ref(&self) -> &[u8] {
        &self.0
    }
}