use crate::NeutronError;
use async_trait::async_trait;
use chrono::{DateTime, Utc};
use futures::lock::Mutex;
use reqwest::Client;
use serde::{Deserialize, Serialize};
use std::error::Error;

#[async_trait]
pub trait AuthenticationPlugin {
    /// Name of the authentication method this plugin implements (the implementation
    /// below reports `"token"`).
    fn auth_method_name(&self) -> String;
    /// Produces the raw authentication payload to present on a connection attempt.
    ///
    /// # Errors
    /// Returns a [`NeutronError`] when the credential material cannot be obtained.
    async fn auth_data(&self) -> Result<Vec<u8>, NeutronError>;
}

/// Form body sent to the token endpoint (see `request_new_token`, which posts it
/// with `.form(...)`, so every field becomes a URL-encoded form field).
///
/// Deliberately not `Debug`: it carries `client_secret`, which must not reach logs.
#[derive(Serialize)]
struct OAuth2TokenRequest {
    client_id: String,
    /// Space-separated scope list, as joined by `ClientCredentialsOAuth2::new`.
    scope: String,
    client_secret: String,
    /// Always `"client_credentials"` in this file.
    grant_type: String,
    /// Optional `audience` field; left out of the form entirely when `None`.
    #[serde(skip_serializing_if = "Option::is_none")]
    audience: Option<String>,
}

/// Subset of the token endpoint's JSON response that this plugin consumes.
///
/// Deliberately not `Debug`: `access_token` is a credential.
#[derive(Deserialize)]
struct OAuth2TokenResponse {
    access_token: String,
    /// Remaining lifetime of the token in seconds, relative to when the response
    /// was received (it is fed to `chrono::Duration::seconds` in `get_auth_data`).
    expires_in: i64,
}

/// An access token together with the absolute instant it stops being usable.
///
/// `expires_on` is computed by the client as receipt time plus `expires_in`, so it
/// is only as accurate as the local clock and the request latency.
#[derive(Clone)]
struct CachedToken {
    access_token: String,
    expires_on: DateTime<Utc>,
}

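impl CachedToken {
    /// Safety margin, in seconds, taken off the token's lifetime so a token is
    /// refreshed before it can expire between being read from the cache and being
    /// validated by the remote side (request latency, minor clock skew).
    ///
    /// Tokens whose lifetime is shorter than this margin are always treated as
    /// expired and therefore fetched fresh on every call.
    const EXPIRY_SKEW_SECS: i64 = 30;

    /// Returns `true` when the token is past `expires_on` or within
    /// [`Self::EXPIRY_SKEW_SECS`] of it, i.e. when it must not be reused.
    fn is_expired(&self) -> bool {
        Utc::now() + chrono::Duration::seconds(Self::EXPIRY_SKEW_SECS) >= self.expires_on
    }
}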

/// [`AuthenticationPlugin`] that obtains access tokens via the OAuth2
/// `client_credentials` grant and caches them until shortly before expiry.
///
/// Deliberately not `Debug`: `client_secret` is held in memory as plain text and
/// must not be printed.
pub struct ClientCredentialsOAuth2 {
    client_id: String,
    client_secret: String,
    /// Base URL of the token issuer; `/oauth2/v2.0/token` is appended to it.
    authority: String,
    /// Space-separated scope string built from the `scopes` passed to `new`.
    scope: String,
    audience: Option<String>,
    /// Most recently issued token, if any. The async mutex also serializes token
    /// refreshes across concurrent callers.
    cached_token: Mutex<Option<CachedToken>>,
}

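impl ClientCredentialsOAuth2 {
    /// Builds a client-credentials plugin; no network request is made here.
    ///
    /// * `authority` – base URL of the token issuer. `/oauth2/v2.0/token` is appended
    ///   when a token is requested; a trailing `/` on the authority is tolerated.
    /// * `scopes` – joined with single spaces into the `scope` form field.
    /// * `audience` – optional `audience` form field, omitted when `None`.
    pub fn new(
        client_id: String,
        client_secret: String,
        authority: String,
        scopes: Vec<String>,
        audience: Option<String>,
    ) -> Self {
        ClientCredentialsOAuth2 {
            client_id,
            client_secret,
            authority,
            scope: scopes.join(" "),
            audience,
            cached_token: Mutex::new(None),
        }
    }

    /// Returns the current access token as raw bytes, fetching a new one from the
    /// authority when nothing is cached or the cached token is expired.
    ///
    /// The cache lock is held across the network request on purpose: concurrent
    /// callers that all observe an expired token wait for a single refresh instead
    /// of each hitting the token endpoint.
    ///
    /// # Errors
    /// Propagates transport errors, non-success HTTP statuses from the token endpoint
    /// and response bodies that do not deserialize into a token response.
    pub async fn get_auth_data(&self) -> Result<Vec<u8>, Box<dyn Error>> {
        let mut cached = self.cached_token.lock().await;

        if let Some(token) = cached.as_ref().filter(|t| !t.is_expired()) {
            log::debug!("Using cached token");
            return Ok(token.access_token.clone().into_bytes());
        }

        let response = self.request_new_token().await?;
        // The issuer reports a relative lifetime in seconds; anchor it to receipt time.
        // NOTE(review): chrono's `Duration::seconds` panics on absurdly large values —
        // this trusts the issuer to return a sane `expires_in`.
        let expires_on = Utc::now() + chrono::Duration::seconds(response.expires_in);
        let token_bytes = response.access_token.clone().into_bytes();
        *cached = Some(CachedToken {
            access_token: response.access_token,
            expires_on,
        });
        Ok(token_bytes)
    }

    /// Performs the `client_credentials` grant against `{authority}/oauth2/v2.0/token`.
    ///
    /// The credentials travel in the form body rather than the URL, so they do not
    /// appear in the request line or in reqwest's error messages. Confidentiality on
    /// the wire depends on `authority` being an `https://` URL — NOTE(review): nothing
    /// here enforces that. A fresh `Client` is built per call, which is acceptable at
    /// token-refresh frequency.
    ///
    /// # Errors
    /// Fails on transport errors, on a non-success HTTP status (error responses from
    /// the issuer are surfaced as a status error rather than as a deserialization
    /// failure on the error JSON), and on a body that is not a token response.
    async fn request_new_token(&self) -> Result<OAuth2TokenResponse, Box<dyn Error>> {
        // Tolerate a trailing slash on the configured authority.
        let token_url = format!(
            "{}/oauth2/v2.0/token",
            self.authority.trim_end_matches('/')
        );
        let body = OAuth2TokenRequest {
            client_id: self.client_id.clone(),
            client_secret: self.client_secret.clone(),
            grant_type: "client_credentials".to_string(),
            scope: self.scope.clone(),
            audience: self.audience.clone(),
        };
        let response = Client::new()
            .post(token_url)
            .form(&body)
            .send()
            .await?
            // Reject 4xx/5xx before trying to parse the body as a token response.
            .error_for_status()?
            .json::<OAuth2TokenResponse>()
            .await?;
        Ok(response)
    }
}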

#[async_trait]
impl AuthenticationPlugin for ClientCredentialsOAuth2 {
    /// Reports the method name `"token"`.
    fn auth_method_name(&self) -> String {
        String::from("token")
    }

    /// Delegates to [`ClientCredentialsOAuth2::get_auth_data`], converting any failure
    /// into [`NeutronError::AuthenticationFailed`] carrying the error's display text.
    async fn auth_data(&self) -> Result<Vec<u8>, NeutronError> {
        match self.get_auth_data().await {
            Ok(data) => Ok(data),
            Err(err) => Err(NeutronError::AuthenticationFailed(err.to_string())),
        }
    }
}