1use std::{
10 collections::HashSet,
11 net::{IpAddr, SocketAddr},
12 num::NonZeroU32,
13 path::PathBuf,
14 sync::{
15 Arc, LazyLock, Mutex,
16 atomic::{AtomicU64, Ordering},
17 },
18 time::Duration,
19};
20
21use arc_swap::ArcSwap;
22use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier, password_hash::SaltString};
23use axum::{
24 body::Body,
25 extract::ConnectInfo,
26 http::{Request, header},
27 middleware::Next,
28 response::{IntoResponse, Response},
29};
30use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
31use secrecy::SecretString;
32use serde::Deserialize;
33use x509_parser::prelude::*;
34
35use crate::{bounded_limiter::BoundedKeyedLimiter, error::McpxError};
36
37#[derive(Clone)]
46#[non_exhaustive]
47pub struct AuthIdentity {
48 pub name: String,
50 pub role: String,
52 pub method: AuthMethod,
54 pub raw_token: Option<SecretString>,
60 pub sub: Option<String>,
63}
64
65impl std::fmt::Debug for AuthIdentity {
66 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
69 f.debug_struct("AuthIdentity")
70 .field("name", &self.name)
71 .field("role", &self.role)
72 .field("method", &self.method)
73 .field(
74 "raw_token",
75 &if self.raw_token.is_some() {
76 "<redacted>"
77 } else {
78 "<none>"
79 },
80 )
81 .field(
82 "sub",
83 &if self.sub.is_some() {
84 "<redacted>"
85 } else {
86 "<none>"
87 },
88 )
89 .finish()
90 }
91}
92
93#[derive(Debug, Clone, Copy, PartialEq, Eq)]
95#[non_exhaustive]
96pub enum AuthMethod {
97 BearerToken,
99 MtlsCertificate,
101 OAuthJwt,
103}
104
105#[derive(Debug, Clone, Copy, PartialEq, Eq)]
106enum AuthFailureClass {
107 MissingCredential,
108 InvalidCredential,
109 #[cfg_attr(not(feature = "oauth"), allow(dead_code))]
110 ExpiredCredential,
111 RateLimited,
113 PreAuthGate,
116}
117
118impl AuthFailureClass {
119 fn as_str(self) -> &'static str {
120 match self {
121 Self::MissingCredential => "missing_credential",
122 Self::InvalidCredential => "invalid_credential",
123 Self::ExpiredCredential => "expired_credential",
124 Self::RateLimited => "rate_limited",
125 Self::PreAuthGate => "pre_auth_gate",
126 }
127 }
128
129 fn bearer_error(self) -> (&'static str, &'static str) {
130 match self {
131 Self::MissingCredential => (
132 "invalid_request",
133 "missing bearer token or mTLS client certificate",
134 ),
135 Self::InvalidCredential => ("invalid_token", "token is invalid"),
136 Self::ExpiredCredential => ("invalid_token", "token is expired"),
137 Self::RateLimited => ("invalid_request", "too many failed authentication attempts"),
138 Self::PreAuthGate => (
139 "invalid_request",
140 "too many unauthenticated requests from this source",
141 ),
142 }
143 }
144
145 fn response_body(self) -> &'static str {
146 match self {
147 Self::MissingCredential => "unauthorized: missing credential",
148 Self::InvalidCredential => "unauthorized: invalid credential",
149 Self::ExpiredCredential => "unauthorized: expired credential",
150 Self::RateLimited => "rate limited",
151 Self::PreAuthGate => "rate limited (pre-auth)",
152 }
153 }
154}
155
156#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize)]
158#[non_exhaustive]
159pub struct AuthCountersSnapshot {
160 pub success_mtls: u64,
162 pub success_bearer: u64,
164 pub success_oauth_jwt: u64,
166 pub failure_missing_credential: u64,
168 pub failure_invalid_credential: u64,
170 pub failure_expired_credential: u64,
172 pub failure_rate_limited: u64,
174 pub failure_pre_auth_gate: u64,
177}
178
179#[derive(Debug, Default)]
181pub(crate) struct AuthCounters {
182 success_mtls: AtomicU64,
183 success_bearer: AtomicU64,
184 success_oauth_jwt: AtomicU64,
185 failure_missing_credential: AtomicU64,
186 failure_invalid_credential: AtomicU64,
187 failure_expired_credential: AtomicU64,
188 failure_rate_limited: AtomicU64,
189 failure_pre_auth_gate: AtomicU64,
190}
191
192impl AuthCounters {
193 fn record_success(&self, method: AuthMethod) {
194 match method {
195 AuthMethod::MtlsCertificate => {
196 self.success_mtls.fetch_add(1, Ordering::Relaxed);
197 }
198 AuthMethod::BearerToken => {
199 self.success_bearer.fetch_add(1, Ordering::Relaxed);
200 }
201 AuthMethod::OAuthJwt => {
202 self.success_oauth_jwt.fetch_add(1, Ordering::Relaxed);
203 }
204 }
205 }
206
207 fn record_failure(&self, class: AuthFailureClass) {
208 match class {
209 AuthFailureClass::MissingCredential => {
210 self.failure_missing_credential
211 .fetch_add(1, Ordering::Relaxed);
212 }
213 AuthFailureClass::InvalidCredential => {
214 self.failure_invalid_credential
215 .fetch_add(1, Ordering::Relaxed);
216 }
217 AuthFailureClass::ExpiredCredential => {
218 self.failure_expired_credential
219 .fetch_add(1, Ordering::Relaxed);
220 }
221 AuthFailureClass::RateLimited => {
222 self.failure_rate_limited.fetch_add(1, Ordering::Relaxed);
223 }
224 AuthFailureClass::PreAuthGate => {
225 self.failure_pre_auth_gate.fetch_add(1, Ordering::Relaxed);
226 }
227 }
228 }
229
230 fn snapshot(&self) -> AuthCountersSnapshot {
231 AuthCountersSnapshot {
232 success_mtls: self.success_mtls.load(Ordering::Relaxed),
233 success_bearer: self.success_bearer.load(Ordering::Relaxed),
234 success_oauth_jwt: self.success_oauth_jwt.load(Ordering::Relaxed),
235 failure_missing_credential: self.failure_missing_credential.load(Ordering::Relaxed),
236 failure_invalid_credential: self.failure_invalid_credential.load(Ordering::Relaxed),
237 failure_expired_credential: self.failure_expired_credential.load(Ordering::Relaxed),
238 failure_rate_limited: self.failure_rate_limited.load(Ordering::Relaxed),
239 failure_pre_auth_gate: self.failure_pre_auth_gate.load(Ordering::Relaxed),
240 }
241 }
242}
243
244#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
256#[non_exhaustive]
257pub struct RfcTimestamp(chrono::DateTime<chrono::FixedOffset>);
258
259impl RfcTimestamp {
260 pub fn parse(s: &str) -> Result<Self, chrono::ParseError> {
268 chrono::DateTime::parse_from_rfc3339(s).map(Self)
269 }
270
271 #[must_use]
273 pub fn as_datetime(&self) -> &chrono::DateTime<chrono::FixedOffset> {
274 &self.0
275 }
276
277 #[must_use]
279 pub fn into_inner(self) -> chrono::DateTime<chrono::FixedOffset> {
280 self.0
281 }
282}
283
284impl std::fmt::Display for RfcTimestamp {
285 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
286 write!(f, "{}", self.0.to_rfc3339())
288 }
289}
290
291impl std::fmt::Debug for RfcTimestamp {
292 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
293 write!(f, "{}", self.0.to_rfc3339())
298 }
299}
300
301impl<'de> Deserialize<'de> for RfcTimestamp {
302 fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
303 where
304 D: serde::Deserializer<'de>,
305 {
306 let s = String::deserialize(deserializer)?;
310 Self::parse(&s).map_err(serde::de::Error::custom)
311 }
312}
313
314impl serde::Serialize for RfcTimestamp {
315 fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
316 where
317 S: serde::Serializer,
318 {
319 serializer.serialize_str(&self.0.to_rfc3339())
320 }
321}
322
323impl From<chrono::DateTime<chrono::FixedOffset>> for RfcTimestamp {
324 fn from(value: chrono::DateTime<chrono::FixedOffset>) -> Self {
325 Self(value)
326 }
327}
328
329#[derive(Clone, Deserialize)]
336#[non_exhaustive]
337pub struct ApiKeyEntry {
338 pub name: String,
340 pub hash: String,
342 pub role: String,
344 pub expires_at: Option<RfcTimestamp>,
349}
350
351impl std::fmt::Debug for ApiKeyEntry {
352 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
355 f.debug_struct("ApiKeyEntry")
356 .field("name", &self.name)
357 .field("hash", &"<redacted>")
358 .field("role", &self.role)
359 .field("expires_at", &self.expires_at)
360 .finish()
361 }
362}
363
364impl ApiKeyEntry {
365 #[must_use]
367 pub fn new(name: impl Into<String>, hash: impl Into<String>, role: impl Into<String>) -> Self {
368 Self {
369 name: name.into(),
370 hash: hash.into(),
371 role: role.into(),
372 expires_at: None,
373 }
374 }
375
376 #[must_use]
381 pub fn with_expiry(mut self, expires_at: RfcTimestamp) -> Self {
382 self.expires_at = Some(expires_at);
383 self
384 }
385
386 pub fn try_with_expiry(
394 mut self,
395 expires_at: impl AsRef<str>,
396 ) -> Result<Self, chrono::ParseError> {
397 self.expires_at = Some(RfcTimestamp::parse(expires_at.as_ref())?);
398 Ok(self)
399 }
400}
401
402#[derive(Debug, Clone, Deserialize)]
404#[allow(
405 clippy::struct_excessive_bools,
406 reason = "mTLS CRL behavior is intentionally configured as independent booleans"
407)]
408#[non_exhaustive]
409pub struct MtlsConfig {
410 pub ca_cert_path: PathBuf,
412 #[serde(default)]
415 pub required: bool,
416 #[serde(default = "default_mtls_role")]
419 pub default_role: String,
420 #[serde(default = "default_true")]
423 pub crl_enabled: bool,
424 #[serde(default, with = "humantime_serde::option")]
427 pub crl_refresh_interval: Option<Duration>,
428 #[serde(default = "default_crl_fetch_timeout", with = "humantime_serde")]
430 pub crl_fetch_timeout: Duration,
431 #[serde(default = "default_crl_stale_grace", with = "humantime_serde")]
434 pub crl_stale_grace: Duration,
435 #[serde(default)]
438 pub crl_deny_on_unavailable: bool,
439 #[serde(default)]
441 pub crl_end_entity_only: bool,
442 #[serde(default = "default_true")]
451 pub crl_allow_http: bool,
452 #[serde(default = "default_true")]
454 pub crl_enforce_expiration: bool,
455 #[serde(default = "default_crl_max_concurrent_fetches")]
461 pub crl_max_concurrent_fetches: usize,
462 #[serde(default = "default_crl_max_response_bytes")]
466 pub crl_max_response_bytes: u64,
467 #[serde(default = "default_crl_discovery_rate_per_min")]
483 pub crl_discovery_rate_per_min: u32,
484 #[serde(default = "default_crl_max_host_semaphores")]
493 pub crl_max_host_semaphores: usize,
494 #[serde(default = "default_crl_max_seen_urls")]
498 pub crl_max_seen_urls: usize,
499 #[serde(default = "default_crl_max_cache_entries")]
503 pub crl_max_cache_entries: usize,
504}
505
506fn default_mtls_role() -> String {
507 "viewer".into()
508}
509
510const fn default_true() -> bool {
511 true
512}
513
514const fn default_crl_fetch_timeout() -> Duration {
515 Duration::from_secs(30)
516}
517
518const fn default_crl_stale_grace() -> Duration {
519 Duration::from_hours(24)
520}
521
522const fn default_crl_max_concurrent_fetches() -> usize {
523 4
524}
525
526const fn default_crl_max_response_bytes() -> u64 {
527 5 * 1024 * 1024
528}
529
530const fn default_crl_discovery_rate_per_min() -> u32 {
531 60
532}
533
534const fn default_crl_max_host_semaphores() -> usize {
535 1024
536}
537
538const fn default_crl_max_seen_urls() -> usize {
539 4096
540}
541
542const fn default_crl_max_cache_entries() -> usize {
543 1024
544}
545
546#[derive(Debug, Clone, Deserialize)]
561#[non_exhaustive]
562pub struct RateLimitConfig {
563 #[serde(default = "default_max_attempts")]
566 pub max_attempts_per_minute: u32,
567 #[serde(default)]
575 pub pre_auth_max_per_minute: Option<u32>,
576 #[serde(default = "default_max_tracked_keys")]
581 pub max_tracked_keys: usize,
582 #[serde(default = "default_idle_eviction", with = "humantime_serde")]
585 pub idle_eviction: Duration,
586 #[serde(default)]
593 pub burst: Option<u32>,
594 #[serde(default)]
600 pub pre_auth_burst: Option<u32>,
601}
602
603impl Default for RateLimitConfig {
604 fn default() -> Self {
605 Self {
606 max_attempts_per_minute: default_max_attempts(),
607 pre_auth_max_per_minute: None,
608 max_tracked_keys: default_max_tracked_keys(),
609 idle_eviction: default_idle_eviction(),
610 burst: None,
611 pre_auth_burst: None,
612 }
613 }
614}
615
616impl RateLimitConfig {
617 #[must_use]
621 pub fn new(max_attempts_per_minute: u32) -> Self {
622 Self {
623 max_attempts_per_minute,
624 ..Self::default()
625 }
626 }
627
628 #[must_use]
631 pub fn with_pre_auth_max_per_minute(mut self, quota: u32) -> Self {
632 self.pre_auth_max_per_minute = Some(quota);
633 self
634 }
635
636 #[must_use]
638 pub fn with_max_tracked_keys(mut self, max: usize) -> Self {
639 self.max_tracked_keys = max;
640 self
641 }
642
643 #[must_use]
645 pub fn with_idle_eviction(mut self, idle: Duration) -> Self {
646 self.idle_eviction = idle;
647 self
648 }
649
650 #[must_use]
653 pub fn with_burst(mut self, burst: u32) -> Self {
654 self.burst = Some(burst);
655 self
656 }
657
658 #[must_use]
661 pub fn with_pre_auth_burst(mut self, burst: u32) -> Self {
662 self.pre_auth_burst = Some(burst);
663 self
664 }
665}
666
667fn default_max_attempts() -> u32 {
668 30
669}
670
671fn default_max_tracked_keys() -> usize {
672 10_000
673}
674
675fn default_idle_eviction() -> Duration {
676 Duration::from_mins(15)
677}
678
679#[derive(Debug, Clone, Default, Deserialize)]
681#[non_exhaustive]
682pub struct AuthConfig {
683 #[serde(default)]
685 pub enabled: bool,
686 #[serde(default)]
688 pub api_keys: Vec<ApiKeyEntry>,
689 pub mtls: Option<MtlsConfig>,
691 pub rate_limit: Option<RateLimitConfig>,
693 #[cfg(feature = "oauth")]
695 pub oauth: Option<crate::oauth::OAuthConfig>,
696}
697
698impl AuthConfig {
699 #[must_use]
701 pub fn with_keys(keys: Vec<ApiKeyEntry>) -> Self {
702 Self {
703 enabled: true,
704 api_keys: keys,
705 mtls: None,
706 rate_limit: None,
707 #[cfg(feature = "oauth")]
708 oauth: None,
709 }
710 }
711
712 #[must_use]
714 pub fn with_rate_limit(mut self, rate_limit: RateLimitConfig) -> Self {
715 self.rate_limit = Some(rate_limit);
716 self
717 }
718}
719
720#[derive(Debug, Clone, serde::Serialize)]
724#[non_exhaustive]
725pub struct ApiKeySummary {
726 pub name: String,
728 pub role: String,
730 pub expires_at: Option<RfcTimestamp>,
733}
734
735#[derive(Debug, Clone, serde::Serialize)]
737#[allow(
738 clippy::struct_excessive_bools,
739 reason = "this is a flat summary of independent auth-method booleans"
740)]
741#[non_exhaustive]
742pub struct AuthConfigSummary {
743 pub enabled: bool,
745 pub bearer: bool,
747 pub mtls: bool,
749 pub oauth: bool,
751 pub api_keys: Vec<ApiKeySummary>,
753}
754
755impl AuthConfig {
756 #[must_use]
758 pub fn summary(&self) -> AuthConfigSummary {
759 AuthConfigSummary {
760 enabled: self.enabled,
761 bearer: !self.api_keys.is_empty(),
762 mtls: self.mtls.is_some(),
763 #[cfg(feature = "oauth")]
764 oauth: self.oauth.is_some(),
765 #[cfg(not(feature = "oauth"))]
766 oauth: false,
767 api_keys: self
768 .api_keys
769 .iter()
770 .map(|k| ApiKeySummary {
771 name: k.name.clone(),
772 role: k.role.clone(),
773 expires_at: k.expires_at,
774 })
775 .collect(),
776 }
777 }
778}
779
780pub(crate) type KeyedLimiter = BoundedKeyedLimiter<IpAddr>;
783
784#[derive(Clone, Debug)]
794#[non_exhaustive]
795pub(crate) struct TlsConnInfo {
796 pub addr: SocketAddr,
798 pub identity: Option<AuthIdentity>,
801}
802
803impl TlsConnInfo {
804 #[must_use]
806 pub(crate) const fn new(addr: SocketAddr, identity: Option<AuthIdentity>) -> Self {
807 Self { addr, identity }
808 }
809}
810
811const DEFAULT_SEEN_IDENTITY_CAP: usize = 4096;
819
820pub(crate) struct SeenIdentitySet {
840 inner: Mutex<SeenInner>,
841}
842
843struct SeenInner {
844 set: HashSet<String>,
845 order: std::collections::VecDeque<String>,
850 cap: usize,
851}
852
853impl SeenIdentitySet {
854 #[must_use]
856 pub(crate) fn new() -> Self {
857 Self::with_cap(DEFAULT_SEEN_IDENTITY_CAP)
858 }
859
860 #[must_use]
863 pub(crate) fn with_cap(cap: usize) -> Self {
864 let cap = cap.max(1);
865 Self {
866 inner: Mutex::new(SeenInner {
867 set: HashSet::with_capacity(cap.min(64)),
868 order: std::collections::VecDeque::with_capacity(cap.min(64)),
869 cap,
870 }),
871 }
872 }
873
874 pub(crate) fn insert_is_first(&self, name: &str) -> bool {
881 let mut guard = self
887 .inner
888 .lock()
889 .unwrap_or_else(std::sync::PoisonError::into_inner);
890
891 if guard.set.contains(name) {
892 return false;
893 }
894 if guard.set.len() >= guard.cap
897 && let Some(evicted) = guard.order.pop_front()
898 {
899 guard.set.remove(&evicted);
900 }
901 let owned = name.to_owned();
902 guard.set.insert(owned.clone());
903 guard.order.push_back(owned);
904 true
905 }
906
907 #[cfg(test)]
909 pub(crate) fn len(&self) -> usize {
910 self.inner
911 .lock()
912 .unwrap_or_else(std::sync::PoisonError::into_inner)
913 .set
914 .len()
915 }
916}
917
918impl Default for SeenIdentitySet {
919 fn default() -> Self {
920 Self::new()
921 }
922}
923
924#[allow(
929 missing_debug_implementations,
930 reason = "contains governor RateLimiter and JwksCache without Debug impls"
931)]
932#[non_exhaustive]
933pub(crate) struct AuthState {
934 pub api_keys: ArcSwap<Vec<ApiKeyEntry>>,
936 pub rate_limiter: Option<Arc<KeyedLimiter>>,
938 pub pre_auth_limiter: Option<Arc<KeyedLimiter>>,
941 #[cfg(feature = "oauth")]
942 pub jwks_cache: Option<Arc<crate::oauth::JwksCache>>,
944 pub seen_identities: SeenIdentitySet,
949 pub counters: AuthCounters,
951}
952
953impl AuthState {
954 pub(crate) fn reload_keys(&self, keys: Vec<ApiKeyEntry>) {
960 let count = keys.len();
961 self.api_keys.store(Arc::new(keys));
962 tracing::info!(keys = count, "API keys reloaded");
963 }
964
965 #[must_use]
967 pub(crate) fn counters_snapshot(&self) -> AuthCountersSnapshot {
968 self.counters.snapshot()
969 }
970
971 #[must_use]
973 pub(crate) fn api_key_summaries(&self) -> Vec<ApiKeySummary> {
974 self.api_keys
975 .load()
976 .iter()
977 .map(|k| ApiKeySummary {
978 name: k.name.clone(),
979 role: k.role.clone(),
980 expires_at: k.expires_at,
981 })
982 .collect()
983 }
984
985 fn log_auth(&self, id: &AuthIdentity, method: &str) {
993 self.counters.record_success(id.method);
994 let first = self.seen_identities.insert_is_first(&id.name);
995 if first {
996 tracing::info!(name = %id.name, role = %id.role, "{method} authenticated");
997 } else {
998 tracing::debug!(name = %id.name, role = %id.role, "{method} authenticated");
999 }
1000 }
1001}
1002
1003const DEFAULT_AUTH_RATE: NonZeroU32 = NonZeroU32::new(30).unwrap();
1006
1007fn apply_burst(quota: governor::Quota, burst: Option<u32>) -> governor::Quota {
1011 match burst.and_then(NonZeroU32::new) {
1012 Some(b) => quota.allow_burst(b),
1013 None => quota,
1014 }
1015}
1016
1017#[must_use]
1019pub(crate) fn build_rate_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1020 let quota = governor::Quota::per_minute(
1021 NonZeroU32::new(config.max_attempts_per_minute).unwrap_or(DEFAULT_AUTH_RATE),
1022 );
1023 let quota = apply_burst(quota, config.burst);
1024 Arc::new(BoundedKeyedLimiter::new(
1025 quota,
1026 config.max_tracked_keys,
1027 config.idle_eviction,
1028 ))
1029}
1030
1031#[must_use]
1038pub(crate) fn build_pre_auth_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1039 let resolved = config.pre_auth_max_per_minute.unwrap_or_else(|| {
1040 config
1041 .max_attempts_per_minute
1042 .saturating_mul(PRE_AUTH_DEFAULT_MULTIPLIER)
1043 });
1044 let quota =
1045 governor::Quota::per_minute(NonZeroU32::new(resolved).unwrap_or(DEFAULT_PRE_AUTH_RATE));
1046 let quota = apply_burst(quota, config.pre_auth_burst);
1047 Arc::new(BoundedKeyedLimiter::new(
1048 quota,
1049 config.max_tracked_keys,
1050 config.idle_eviction,
1051 ))
1052}
1053
1054const PRE_AUTH_DEFAULT_MULTIPLIER: u32 = 10;
1057
1058const DEFAULT_PRE_AUTH_RATE: NonZeroU32 = NonZeroU32::new(300).unwrap();
1062
1063#[must_use]
1068pub fn extract_mtls_identity(cert_der: &[u8], default_role: &str) -> Option<AuthIdentity> {
1069 let (_, cert) = X509Certificate::from_der(cert_der).ok()?;
1070
1071 let cn = cert
1073 .subject()
1074 .iter_common_name()
1075 .next()
1076 .and_then(|attr| attr.as_str().ok())
1077 .map(String::from);
1078
1079 let name = cn.or_else(|| {
1081 cert.subject_alternative_name()
1082 .ok()
1083 .flatten()
1084 .and_then(|san| {
1085 #[allow(
1086 clippy::wildcard_enum_match_arm,
1087 reason = "x509-parser GeneralName is a large external enum; only DNSName is meaningful here"
1088 )]
1089 san.value.general_names.iter().find_map(|gn| match gn {
1090 GeneralName::DNSName(dns) => Some((*dns).to_owned()),
1091 _ => None,
1092 })
1093 })
1094 })?;
1095
1096 if !name
1098 .chars()
1099 .all(|c| c.is_alphanumeric() || matches!(c, '-' | '.' | '_' | '@'))
1100 {
1101 tracing::warn!(cn = %name, "mTLS identity rejected: invalid characters in CN/SAN");
1102 return None;
1103 }
1104
1105 Some(AuthIdentity {
1106 name,
1107 role: default_role.to_owned(),
1108 method: AuthMethod::MtlsCertificate,
1109 raw_token: None,
1110 sub: None,
1111 })
1112}
1113
1114fn extract_bearer(value: &str) -> Option<&str> {
1129 let (scheme, rest) = value.split_once(' ')?;
1130 if scheme.eq_ignore_ascii_case("Bearer") {
1131 let token = rest.trim_start_matches(' ');
1132 if token.is_empty() { None } else { Some(token) }
1133 } else {
1134 None
1135 }
1136}
1137
1138#[must_use]
1167pub fn verify_bearer_token(token: &str, keys: &[ApiKeyEntry]) -> Option<AuthIdentity> {
1168 use subtle::ConstantTimeEq as _;
1169
1170 let now = chrono::Utc::now();
1171 #[allow(
1172 clippy::expect_used,
1173 reason = "DUMMY_PHC_HASH is a static LazyLock built from a fixed Argon2id PHC string by construction; PasswordHash::new on it is infallible. See DUMMY_PHC_HASH definition."
1174 )]
1175 let dummy_hash = PasswordHash::new(&DUMMY_PHC_HASH)
1176 .expect("DUMMY_PHC_HASH is a valid Argon2id PHC string by construction");
1177
1178 let mut matched_index: usize = usize::MAX;
1179 let mut any_match: u8 = 0;
1180
1181 for (idx, key) in keys.iter().enumerate() {
1182 let expired = key.expires_at.is_some_and(|exp| exp.as_datetime() < &now);
1183
1184 let real_hash = PasswordHash::new(&key.hash);
1185 let verify_against = match (&real_hash, expired, any_match) {
1186 (Ok(h), false, 0) => h,
1187 _ => &dummy_hash,
1188 };
1189
1190 let slot_ok = u8::from(
1191 Argon2::default()
1192 .verify_password(token.as_bytes(), verify_against)
1193 .is_ok(),
1194 );
1195
1196 let real_match = slot_ok & u8::from(!expired) & u8::from(real_hash.is_ok());
1197 let first_real_match = real_match & (1 - any_match);
1198 if first_real_match.ct_eq(&1).into() {
1199 matched_index = idx;
1200 }
1201 any_match |= real_match;
1202 }
1203
1204 if any_match == 0 {
1205 return None;
1206 }
1207 let key = keys.get(matched_index)?;
1208 Some(AuthIdentity {
1209 name: key.name.clone(),
1210 role: key.role.clone(),
1211 method: AuthMethod::BearerToken,
1212 raw_token: None,
1213 sub: None,
1214 })
1215}
1216
1217static DUMMY_PHC_HASH: LazyLock<String> = LazyLock::new(|| {
1230 #[allow(
1232 clippy::expect_used,
1233 reason = "fixed 22-char base64 ('AAAA...') decodes to a valid 16-byte salt; SaltString::from_b64 is infallible on this literal"
1234 )]
1235 let salt = SaltString::from_b64("AAAAAAAAAAAAAAAAAAAAAA")
1236 .expect("fixed 16-byte base64 salt is well-formed");
1237 #[allow(
1238 clippy::expect_used,
1239 reason = "Argon2::default() with a fixed plaintext and a well-formed salt is infallible; only fails on bad params/salt"
1240 )]
1241 Argon2::default()
1242 .hash_password(b"rmcp-server-kit-dummy", &salt)
1243 .expect("Argon2 default params hash a fixed plaintext")
1244 .to_string()
1245});
1246
1247pub fn generate_api_key() -> Result<(String, String), McpxError> {
1257 let mut token_bytes = [0u8; 32];
1258 rand::fill(&mut token_bytes);
1259 let token = URL_SAFE_NO_PAD.encode(token_bytes);
1260
1261 let mut salt_bytes = [0u8; 16];
1263 rand::fill(&mut salt_bytes);
1264 let salt = SaltString::encode_b64(&salt_bytes)
1265 .map_err(|e| McpxError::Auth(format!("salt encoding failed: {e}")))?;
1266 let hash = Argon2::default()
1267 .hash_password(token.as_bytes(), &salt)
1268 .map_err(|e| McpxError::Auth(format!("argon2id hashing failed: {e}")))?
1269 .to_string();
1270
1271 Ok((token, hash))
1272}
1273
1274fn build_www_authenticate_value(
1275 advertise_resource_metadata: bool,
1276 failure: AuthFailureClass,
1277) -> String {
1278 let (error, error_description) = failure.bearer_error();
1279 if advertise_resource_metadata {
1280 return format!(
1281 "Bearer resource_metadata=\"/.well-known/oauth-protected-resource\", error=\"{error}\", error_description=\"{error_description}\""
1282 );
1283 }
1284 format!("Bearer error=\"{error}\", error_description=\"{error_description}\"")
1285}
1286
1287fn auth_method_label(method: AuthMethod) -> &'static str {
1288 match method {
1289 AuthMethod::MtlsCertificate => "mTLS",
1290 AuthMethod::BearerToken => "bearer token",
1291 AuthMethod::OAuthJwt => "OAuth JWT",
1292 }
1293}
1294
1295#[cfg_attr(not(feature = "oauth"), allow(unused_variables))]
1296fn unauthorized_response(state: &AuthState, failure_class: AuthFailureClass) -> Response {
1297 #[cfg(feature = "oauth")]
1298 let advertise_resource_metadata = state.jwks_cache.is_some();
1299 #[cfg(not(feature = "oauth"))]
1300 let advertise_resource_metadata = false;
1301
1302 let challenge = build_www_authenticate_value(advertise_resource_metadata, failure_class);
1303 (
1304 axum::http::StatusCode::UNAUTHORIZED,
1305 [(header::WWW_AUTHENTICATE, challenge)],
1306 failure_class.response_body(),
1307 )
1308 .into_response()
1309}
1310
1311async fn authenticate_bearer_identity(
1312 state: &AuthState,
1313 token: &str,
1314) -> Result<AuthIdentity, AuthFailureClass> {
1315 let mut failure_class = AuthFailureClass::MissingCredential;
1316
1317 #[cfg(feature = "oauth")]
1318 if let Some(ref cache) = state.jwks_cache
1319 && crate::oauth::looks_like_jwt(token)
1320 {
1321 match cache.validate_token_with_reason(token).await {
1322 Ok(mut id) => {
1323 id.raw_token = Some(SecretString::from(token.to_owned()));
1324 return Ok(id);
1325 }
1326 Err(crate::oauth::JwtValidationFailure::Expired) => {
1327 failure_class = AuthFailureClass::ExpiredCredential;
1328 }
1329 Err(crate::oauth::JwtValidationFailure::Invalid) => {
1330 failure_class = AuthFailureClass::InvalidCredential;
1331 }
1332 }
1333 }
1334
1335 let token = token.to_owned();
1336 let keys = state.api_keys.load_full(); let identity = tokio::task::spawn_blocking(move || verify_bearer_token(&token, &keys))
1340 .await
1341 .ok()
1342 .flatten();
1343
1344 if let Some(id) = identity {
1345 return Ok(id);
1346 }
1347
1348 if failure_class == AuthFailureClass::MissingCredential {
1349 failure_class = AuthFailureClass::InvalidCredential;
1350 }
1351
1352 Err(failure_class)
1353}
1354
1355fn pre_auth_gate(state: &AuthState, peer_addr: Option<SocketAddr>) -> Option<Response> {
1366 let limiter = state.pre_auth_limiter.as_ref()?;
1367 let addr = peer_addr?;
1368 let Err(wait) = limiter.check_key_wait(&addr.ip()) else {
1369 return None;
1370 };
1371 state.counters.record_failure(AuthFailureClass::PreAuthGate);
1372 tracing::warn!(
1373 ip = %addr.ip(),
1374 "auth rate limited by pre-auth gate (request rejected before credential verification)"
1375 );
1376 Some(
1377 McpxError::RateLimitedFor {
1378 message: "too many unauthenticated requests from this source".into(),
1379 retry_after: wait,
1380 }
1381 .into_response(),
1382 )
1383}
1384
1385pub(crate) async fn auth_middleware(
1394 state: Arc<AuthState>,
1395 req: Request<Body>,
1396 next: Next,
1397) -> Response {
1398 let tls_info = req.extensions().get::<ConnectInfo<TlsConnInfo>>().cloned();
1403 let peer_addr = req
1404 .extensions()
1405 .get::<ConnectInfo<SocketAddr>>()
1406 .map(|ci| ci.0)
1407 .or_else(|| tls_info.as_ref().map(|ci| ci.0.addr));
1408
1409 if let Some(id) = tls_info.and_then(|ci| ci.0.identity) {
1416 state.log_auth(&id, "mTLS");
1417 let mut req = req;
1418 req.extensions_mut().insert(id);
1419 return next.run(req).await;
1420 }
1421
1422 if let Some(blocked) = pre_auth_gate(&state, peer_addr) {
1426 return blocked;
1427 }
1428
1429 let failure_class = if let Some(value) = req.headers().get(header::AUTHORIZATION) {
1430 match value.to_str().ok().and_then(extract_bearer) {
1431 Some(token) => match authenticate_bearer_identity(&state, token).await {
1432 Ok(id) => {
1433 state.log_auth(&id, auth_method_label(id.method));
1434 let mut req = req;
1435 req.extensions_mut().insert(id);
1436 return next.run(req).await;
1437 }
1438 Err(class) => class,
1439 },
1440 None => AuthFailureClass::InvalidCredential,
1441 }
1442 } else {
1443 AuthFailureClass::MissingCredential
1444 };
1445
1446 tracing::warn!(failure_class = %failure_class.as_str(), "auth failed");
1447
1448 if let (Some(limiter), Some(addr)) = (&state.rate_limiter, peer_addr)
1451 && let Err(wait) = limiter.check_key_wait(&addr.ip())
1452 {
1453 state.counters.record_failure(AuthFailureClass::RateLimited);
1454 tracing::warn!(ip = %addr.ip(), "auth rate limited after repeated failures");
1455 return McpxError::RateLimitedFor {
1456 message: "too many failed authentication attempts".into(),
1457 retry_after: wait,
1458 }
1459 .into_response();
1460 }
1461
1462 state.counters.record_failure(failure_class);
1463 unauthorized_response(&state, failure_class)
1464}
1465
1466#[cfg(test)]
1467mod tests {
1468 use super::*;
1469
1470 #[test]
1471 fn generate_and_verify_api_key() {
1472 let (token, hash) = generate_api_key().unwrap();
1473
1474 assert_eq!(token.len(), 43);
1476
1477 assert!(hash.starts_with("$argon2id$"));
1479
1480 let keys = vec![ApiKeyEntry {
1482 name: "test".into(),
1483 hash,
1484 role: "viewer".into(),
1485 expires_at: None,
1486 }];
1487 let id = verify_bearer_token(&token, &keys);
1488 assert!(id.is_some());
1489 let id = id.unwrap();
1490 assert_eq!(id.name, "test");
1491 assert_eq!(id.role, "viewer");
1492 assert_eq!(id.method, AuthMethod::BearerToken);
1493 }
1494
1495 #[test]
1496 fn wrong_token_rejected() {
1497 let (_token, hash) = generate_api_key().unwrap();
1498 let keys = vec![ApiKeyEntry {
1499 name: "test".into(),
1500 hash,
1501 role: "viewer".into(),
1502 expires_at: None,
1503 }];
1504 assert!(verify_bearer_token("wrong-token", &keys).is_none());
1505 }
1506
1507 #[test]
1508 fn expired_key_rejected() {
1509 let (token, hash) = generate_api_key().unwrap();
1510 let keys = vec![ApiKeyEntry {
1511 name: "test".into(),
1512 hash,
1513 role: "viewer".into(),
1514 expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1515 }];
1516 assert!(verify_bearer_token(&token, &keys).is_none());
1517 }
1518
1519 #[test]
1520 fn match_in_last_slot_still_authenticates() {
1521 let (token, hash) = generate_api_key().unwrap();
1522 let (_other_token, other_hash) = generate_api_key().unwrap();
1523 let keys = vec![
1524 ApiKeyEntry {
1525 name: "first".into(),
1526 hash: other_hash.clone(),
1527 role: "viewer".into(),
1528 expires_at: None,
1529 },
1530 ApiKeyEntry {
1531 name: "second".into(),
1532 hash: other_hash,
1533 role: "viewer".into(),
1534 expires_at: None,
1535 },
1536 ApiKeyEntry {
1537 name: "match".into(),
1538 hash,
1539 role: "ops".into(),
1540 expires_at: None,
1541 },
1542 ];
1543 let id = verify_bearer_token(&token, &keys).expect("last-slot match must authenticate");
1544 assert_eq!(id.name, "match");
1545 assert_eq!(id.role, "ops");
1546 }
1547
1548 #[test]
1549 fn expired_slot_before_valid_match_does_not_short_circuit() {
1550 let (token, hash) = generate_api_key().unwrap();
1551 let (_, other_hash) = generate_api_key().unwrap();
1552 let keys = vec![
1553 ApiKeyEntry {
1554 name: "expired".into(),
1555 hash: other_hash,
1556 role: "viewer".into(),
1557 expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1558 },
1559 ApiKeyEntry {
1560 name: "valid".into(),
1561 hash,
1562 role: "ops".into(),
1563 expires_at: None,
1564 },
1565 ];
1566 let id = verify_bearer_token(&token, &keys)
1567 .expect("valid slot following an expired slot must authenticate");
1568 assert_eq!(id.name, "valid");
1569 }
1570
1571 #[test]
1572 fn malformed_hash_slot_does_not_short_circuit() {
1573 let (token, hash) = generate_api_key().unwrap();
1574 let keys = vec![
1575 ApiKeyEntry {
1576 name: "broken".into(),
1577 hash: "this-is-not-a-phc-string".into(),
1578 role: "viewer".into(),
1579 expires_at: None,
1580 },
1581 ApiKeyEntry {
1582 name: "valid".into(),
1583 hash,
1584 role: "ops".into(),
1585 expires_at: None,
1586 },
1587 ];
1588 let id = verify_bearer_token(&token, &keys)
1589 .expect("valid slot following a malformed-hash slot must authenticate");
1590 assert_eq!(id.name, "valid");
1591 }
1592
1593 #[test]
1604 fn rfc_timestamp_parse_rejects_malformed() {
1605 for bad in [
1606 "not-a-date",
1607 "",
1608 "2025-13-01T00:00:00Z", "2025-01-32T00:00:00Z", "2025-01-01T00:00:00", "01/01/2025", "2025-01-01T25:00:00Z", ] {
1614 assert!(
1615 RfcTimestamp::parse(bad).is_err(),
1616 "RfcTimestamp::parse must reject {bad:?}"
1617 );
1618 }
1619 }
1620
1621 #[test]
1622 fn rfc_timestamp_parse_accepts_valid() {
1623 for good in [
1624 "2025-01-01T00:00:00Z",
1625 "2025-01-01T00:00:00+00:00",
1626 "2025-12-31T23:59:59-08:00",
1627 "2099-01-01T00:00:00.123456789Z",
1628 ] {
1629 assert!(
1630 RfcTimestamp::parse(good).is_ok(),
1631 "RfcTimestamp::parse must accept {good:?}"
1632 );
1633 }
1634 }
1635
1636 #[test]
1637 fn api_key_entry_deserialize_rejects_malformed_expires_at() {
1638 let toml = r#"
1643 name = "bad-key"
1644 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1645 role = "viewer"
1646 expires_at = "not-a-date"
1647 "#;
1648 let result: Result<ApiKeyEntry, _> = toml::from_str(toml);
1649 assert!(
1650 result.is_err(),
1651 "deserialization must reject malformed expires_at"
1652 );
1653 }
1654
1655 #[test]
1656 fn api_key_entry_deserialize_accepts_valid_expires_at() {
1657 let toml = r#"
1658 name = "good-key"
1659 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1660 role = "viewer"
1661 expires_at = "2099-01-01T00:00:00Z"
1662 "#;
1663 let entry: ApiKeyEntry = toml::from_str(toml).expect("valid RFC 3339 must deserialize");
1664 assert!(entry.expires_at.is_some());
1665 }
1666
1667 #[test]
1668 fn api_key_entry_deserialize_accepts_missing_expires_at() {
1669 let toml = r#"
1672 name = "eternal-key"
1673 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1674 role = "viewer"
1675 "#;
1676 let entry: ApiKeyEntry = toml::from_str(toml).expect("missing expires_at must deserialize");
1677 assert!(entry.expires_at.is_none());
1678 }
1679
1680 #[test]
1681 fn try_with_expiry_rejects_malformed() {
1682 let entry = ApiKeyEntry::new("k", "hash", "viewer");
1683 assert!(entry.try_with_expiry("not-a-date").is_err());
1684 }
1685
1686 #[test]
1687 fn try_with_expiry_accepts_valid() {
1688 let entry = ApiKeyEntry::new("k", "hash", "viewer")
1689 .try_with_expiry("2099-01-01T00:00:00Z")
1690 .expect("valid RFC 3339 must be accepted");
1691 assert!(entry.expires_at.is_some());
1692 }
1693
1694 #[test]
1695 fn api_key_summary_serializes_expires_at_as_rfc3339() {
1696 let summary = ApiKeySummary {
1701 name: "k".into(),
1702 role: "viewer".into(),
1703 expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
1704 };
1705 let json = serde_json::to_string(&summary).unwrap();
1706 assert!(
1707 json.contains(r#""expires_at":"2030-01-01T00:00:00+00:00""#),
1708 "wire format regressed: {json}"
1709 );
1710 }
1711
1712 #[test]
1713 fn future_expiry_accepted() {
1714 let (token, hash) = generate_api_key().unwrap();
1715 let keys = vec![ApiKeyEntry {
1716 name: "test".into(),
1717 hash,
1718 role: "viewer".into(),
1719 expires_at: Some(RfcTimestamp::parse("2099-01-01T00:00:00Z").unwrap()),
1720 }];
1721 assert!(verify_bearer_token(&token, &keys).is_some());
1722 }
1723
1724 #[test]
1725 fn multiple_keys_first_match_wins() {
1726 let (token, hash) = generate_api_key().unwrap();
1727 let keys = vec![
1728 ApiKeyEntry {
1729 name: "wrong".into(),
1730 hash: "$argon2id$v=19$m=19456,t=2,p=1$invalid$invalid".into(),
1731 role: "ops".into(),
1732 expires_at: None,
1733 },
1734 ApiKeyEntry {
1735 name: "correct".into(),
1736 hash,
1737 role: "deploy".into(),
1738 expires_at: None,
1739 },
1740 ];
1741 let id = verify_bearer_token(&token, &keys).unwrap();
1742 assert_eq!(id.name, "correct");
1743 assert_eq!(id.role, "deploy");
1744 }
1745
1746 #[test]
1747 fn rate_limiter_allows_within_quota() {
1748 let config = RateLimitConfig {
1749 max_attempts_per_minute: 5,
1750 pre_auth_max_per_minute: None,
1751 max_tracked_keys: default_max_tracked_keys(),
1752 idle_eviction: default_idle_eviction(),
1753 burst: None,
1754 pre_auth_burst: None,
1755 };
1756 let limiter = build_rate_limiter(&config);
1757 let ip: IpAddr = "10.0.0.1".parse().unwrap();
1758
1759 for _ in 0..5 {
1761 assert!(limiter.check_key(&ip).is_ok());
1762 }
1763 assert!(limiter.check_key(&ip).is_err());
1765 }
1766
1767 #[test]
1768 fn rate_limiter_separate_ips() {
1769 let config = RateLimitConfig {
1770 max_attempts_per_minute: 2,
1771 pre_auth_max_per_minute: None,
1772 max_tracked_keys: default_max_tracked_keys(),
1773 idle_eviction: default_idle_eviction(),
1774 burst: None,
1775 pre_auth_burst: None,
1776 };
1777 let limiter = build_rate_limiter(&config);
1778 let ip1: IpAddr = "10.0.0.1".parse().unwrap();
1779 let ip2: IpAddr = "10.0.0.2".parse().unwrap();
1780
1781 assert!(limiter.check_key(&ip1).is_ok());
1783 assert!(limiter.check_key(&ip1).is_ok());
1784 assert!(limiter.check_key(&ip1).is_err());
1785
1786 assert!(limiter.check_key(&ip2).is_ok());
1788 }
1789
1790 #[test]
1791 fn extract_mtls_identity_from_cn() {
1792 let mut params = rcgen::CertificateParams::new(vec!["test-client.local".into()]).unwrap();
1794 params.distinguished_name = rcgen::DistinguishedName::new();
1795 params
1796 .distinguished_name
1797 .push(rcgen::DnType::CommonName, "test-client");
1798 let cert = params
1799 .self_signed(&rcgen::KeyPair::generate().unwrap())
1800 .unwrap();
1801 let der = cert.der();
1802
1803 let id = extract_mtls_identity(der, "ops").unwrap();
1804 assert_eq!(id.name, "test-client");
1805 assert_eq!(id.role, "ops");
1806 assert_eq!(id.method, AuthMethod::MtlsCertificate);
1807 }
1808
1809 #[test]
1810 fn extract_mtls_identity_falls_back_to_san() {
1811 let mut params =
1813 rcgen::CertificateParams::new(vec!["san-only.example.com".into()]).unwrap();
1814 params.distinguished_name = rcgen::DistinguishedName::new();
1815 let cert = params
1817 .self_signed(&rcgen::KeyPair::generate().unwrap())
1818 .unwrap();
1819 let der = cert.der();
1820
1821 let id = extract_mtls_identity(der, "viewer").unwrap();
1822 assert_eq!(id.name, "san-only.example.com");
1823 assert_eq!(id.role, "viewer");
1824 }
1825
1826 #[test]
1827 fn extract_mtls_identity_invalid_der() {
1828 assert!(extract_mtls_identity(b"not-a-cert", "viewer").is_none());
1829 }
1830
1831 use axum::{
1834 body::Body,
1835 http::{Request, StatusCode},
1836 };
1837 use tower::ServiceExt as _;
1838
1839 fn auth_router(state: Arc<AuthState>) -> axum::Router {
1840 axum::Router::new()
1841 .route("/mcp", axum::routing::post(|| async { "ok" }))
1842 .layer(axum::middleware::from_fn(move |req, next| {
1843 let s = Arc::clone(&state);
1844 auth_middleware(s, req, next)
1845 }))
1846 }
1847
1848 fn test_auth_state(keys: Vec<ApiKeyEntry>) -> Arc<AuthState> {
1849 Arc::new(AuthState {
1850 api_keys: ArcSwap::new(Arc::new(keys)),
1851 rate_limiter: None,
1852 pre_auth_limiter: None,
1853 #[cfg(feature = "oauth")]
1854 jwks_cache: None,
1855 seen_identities: SeenIdentitySet::new(),
1856 counters: AuthCounters::default(),
1857 })
1858 }
1859
1860 #[tokio::test]
1861 async fn middleware_rejects_no_credentials() {
1862 let state = test_auth_state(vec![]);
1863 let app = auth_router(Arc::clone(&state));
1864 let req = Request::builder()
1865 .method(axum::http::Method::POST)
1866 .uri("/mcp")
1867 .body(Body::empty())
1868 .unwrap();
1869 let resp = app.oneshot(req).await.unwrap();
1870 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1871 let challenge = resp
1872 .headers()
1873 .get(header::WWW_AUTHENTICATE)
1874 .unwrap()
1875 .to_str()
1876 .unwrap();
1877 assert!(challenge.contains("error=\"invalid_request\""));
1878
1879 let counters = state.counters_snapshot();
1880 assert_eq!(counters.failure_missing_credential, 1);
1881 }
1882
1883 #[tokio::test]
1884 async fn middleware_accepts_valid_bearer() {
1885 let (token, hash) = generate_api_key().unwrap();
1886 let keys = vec![ApiKeyEntry {
1887 name: "test-key".into(),
1888 hash,
1889 role: "ops".into(),
1890 expires_at: None,
1891 }];
1892 let state = test_auth_state(keys);
1893 let app = auth_router(Arc::clone(&state));
1894 let req = Request::builder()
1895 .method(axum::http::Method::POST)
1896 .uri("/mcp")
1897 .header("authorization", format!("Bearer {token}"))
1898 .body(Body::empty())
1899 .unwrap();
1900 let resp = app.oneshot(req).await.unwrap();
1901 assert_eq!(resp.status(), StatusCode::OK);
1902
1903 let counters = state.counters_snapshot();
1904 assert_eq!(counters.success_bearer, 1);
1905 }
1906
1907 #[tokio::test]
1908 async fn middleware_rejects_wrong_bearer() {
1909 let (_token, hash) = generate_api_key().unwrap();
1910 let keys = vec![ApiKeyEntry {
1911 name: "test-key".into(),
1912 hash,
1913 role: "ops".into(),
1914 expires_at: None,
1915 }];
1916 let state = test_auth_state(keys);
1917 let app = auth_router(Arc::clone(&state));
1918 let req = Request::builder()
1919 .method(axum::http::Method::POST)
1920 .uri("/mcp")
1921 .header("authorization", "Bearer wrong-token-here")
1922 .body(Body::empty())
1923 .unwrap();
1924 let resp = app.oneshot(req).await.unwrap();
1925 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1926 let challenge = resp
1927 .headers()
1928 .get(header::WWW_AUTHENTICATE)
1929 .unwrap()
1930 .to_str()
1931 .unwrap();
1932 assert!(challenge.contains("error=\"invalid_token\""));
1933
1934 let counters = state.counters_snapshot();
1935 assert_eq!(counters.failure_invalid_credential, 1);
1936 }
1937
1938 #[tokio::test]
1939 async fn middleware_rate_limits() {
1940 let state = Arc::new(AuthState {
1941 api_keys: ArcSwap::new(Arc::new(vec![])),
1942 rate_limiter: Some(build_rate_limiter(&RateLimitConfig {
1943 max_attempts_per_minute: 1,
1944 pre_auth_max_per_minute: None,
1945 max_tracked_keys: default_max_tracked_keys(),
1946 idle_eviction: default_idle_eviction(),
1947 burst: None,
1948 pre_auth_burst: None,
1949 })),
1950 pre_auth_limiter: None,
1951 #[cfg(feature = "oauth")]
1952 jwks_cache: None,
1953 seen_identities: SeenIdentitySet::new(),
1954 counters: AuthCounters::default(),
1955 });
1956 let app = auth_router(state);
1957
1958 let req = Request::builder()
1960 .method(axum::http::Method::POST)
1961 .uri("/mcp")
1962 .body(Body::empty())
1963 .unwrap();
1964 let resp = app.clone().oneshot(req).await.unwrap();
1965 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1966
1967 }
1972
1973 #[test]
1979 fn rate_limit_semantics_failed_only() {
1980 let config = RateLimitConfig {
1981 max_attempts_per_minute: 3,
1982 pre_auth_max_per_minute: None,
1983 max_tracked_keys: default_max_tracked_keys(),
1984 idle_eviction: default_idle_eviction(),
1985 burst: None,
1986 pre_auth_burst: None,
1987 };
1988 let limiter = build_rate_limiter(&config);
1989 let ip: IpAddr = "192.168.1.100".parse().unwrap();
1990
1991 assert!(
1993 limiter.check_key(&ip).is_ok(),
1994 "failure 1 should be allowed"
1995 );
1996 assert!(
1997 limiter.check_key(&ip).is_ok(),
1998 "failure 2 should be allowed"
1999 );
2000 assert!(
2001 limiter.check_key(&ip).is_ok(),
2002 "failure 3 should be allowed"
2003 );
2004 assert!(
2005 limiter.check_key(&ip).is_err(),
2006 "failure 4 should be blocked"
2007 );
2008
2009 }
2018
2019 #[test]
2024 fn pre_auth_default_multiplier_is_10x() {
2025 let config = RateLimitConfig {
2026 max_attempts_per_minute: 5,
2027 pre_auth_max_per_minute: None,
2028 max_tracked_keys: default_max_tracked_keys(),
2029 idle_eviction: default_idle_eviction(),
2030 burst: None,
2031 pre_auth_burst: None,
2032 };
2033 let limiter = build_pre_auth_limiter(&config);
2034 let ip: IpAddr = "10.0.0.1".parse().unwrap();
2035
2036 for i in 0..50 {
2038 assert!(
2039 limiter.check_key(&ip).is_ok(),
2040 "pre-auth attempt {i} (of expected 50) should be allowed under default 10x multiplier"
2041 );
2042 }
2043 assert!(
2045 limiter.check_key(&ip).is_err(),
2046 "pre-auth attempt 51 should be blocked (quota is 50, not unbounded)"
2047 );
2048 }
2049
2050 #[test]
2053 fn pre_auth_explicit_override_wins() {
2054 let config = RateLimitConfig {
2055 max_attempts_per_minute: 100, pre_auth_max_per_minute: Some(2), max_tracked_keys: default_max_tracked_keys(),
2058 idle_eviction: default_idle_eviction(),
2059 burst: None,
2060 pre_auth_burst: None,
2061 };
2062 let limiter = build_pre_auth_limiter(&config);
2063 let ip: IpAddr = "10.0.0.2".parse().unwrap();
2064
2065 assert!(limiter.check_key(&ip).is_ok(), "attempt 1 allowed");
2066 assert!(limiter.check_key(&ip).is_ok(), "attempt 2 allowed");
2067 assert!(
2068 limiter.check_key(&ip).is_err(),
2069 "attempt 3 must be blocked (explicit override of 2 wins over 10x default of 1000)"
2070 );
2071 }
2072
2073 #[test]
2075 fn pre_auth_gate_deny_sets_retry_after() {
2076 let config = RateLimitConfig::new(100).with_pre_auth_max_per_minute(1);
2077 let state = AuthState {
2078 api_keys: ArcSwap::new(Arc::new(vec![])),
2079 rate_limiter: None,
2080 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2081 #[cfg(feature = "oauth")]
2082 jwks_cache: None,
2083 seen_identities: SeenIdentitySet::new(),
2084 counters: AuthCounters::default(),
2085 };
2086 let addr: SocketAddr = "10.7.7.7:55555".parse().unwrap();
2087 assert!(
2088 pre_auth_gate(&state, Some(addr)).is_none(),
2089 "first request within quota"
2090 );
2091 let resp = pre_auth_gate(&state, Some(addr)).expect("second request must be gated");
2092 assert_eq!(resp.status(), StatusCode::TOO_MANY_REQUESTS);
2093 let retry_after = resp
2094 .headers()
2095 .get(header::RETRY_AFTER)
2096 .expect("Retry-After present")
2097 .to_str()
2098 .unwrap()
2099 .parse::<u64>()
2100 .unwrap();
2101 assert!(retry_after >= 1, "delta-seconds must be >= 1");
2102 }
2103
2104 #[test]
2106 fn post_failure_limiter_burst_allows_initial_spike() {
2107 let config = RateLimitConfig::new(1).with_burst(3);
2108 let limiter = build_rate_limiter(&config);
2109 let ip: IpAddr = "10.6.6.6".parse().unwrap();
2110 for i in 0..3 {
2111 assert!(limiter.check_key(&ip).is_ok(), "burst attempt {i}");
2112 }
2113 assert!(
2114 limiter.check_key(&ip).is_err(),
2115 "attempt 4 must exceed the burst bucket"
2116 );
2117 }
2118
2119 #[tokio::test]
2125 async fn pre_auth_gate_blocks_before_argon2_verification() {
2126 let (_token, hash) = generate_api_key().unwrap();
2127 let keys = vec![ApiKeyEntry {
2128 name: "test-key".into(),
2129 hash,
2130 role: "ops".into(),
2131 expires_at: None,
2132 }];
2133 let config = RateLimitConfig {
2134 max_attempts_per_minute: 100,
2135 pre_auth_max_per_minute: Some(1),
2136 max_tracked_keys: default_max_tracked_keys(),
2137 idle_eviction: default_idle_eviction(),
2138 burst: None,
2139 pre_auth_burst: None,
2140 };
2141 let state = Arc::new(AuthState {
2142 api_keys: ArcSwap::new(Arc::new(keys)),
2143 rate_limiter: None,
2144 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2145 #[cfg(feature = "oauth")]
2146 jwks_cache: None,
2147 seen_identities: SeenIdentitySet::new(),
2148 counters: AuthCounters::default(),
2149 });
2150 let app = auth_router(Arc::clone(&state));
2151 let peer: SocketAddr = "10.0.0.10:54321".parse().unwrap();
2152
2153 let mut req1 = Request::builder()
2156 .method(axum::http::Method::POST)
2157 .uri("/mcp")
2158 .header("authorization", "Bearer obviously-not-a-real-token")
2159 .body(Body::empty())
2160 .unwrap();
2161 req1.extensions_mut().insert(ConnectInfo(peer));
2162 let resp1 = app.clone().oneshot(req1).await.unwrap();
2163 assert_eq!(
2164 resp1.status(),
2165 StatusCode::UNAUTHORIZED,
2166 "first attempt: gate has quota, falls through to bearer auth which fails with 401"
2167 );
2168
2169 let mut req2 = Request::builder()
2172 .method(axum::http::Method::POST)
2173 .uri("/mcp")
2174 .header("authorization", "Bearer also-not-a-real-token")
2175 .body(Body::empty())
2176 .unwrap();
2177 req2.extensions_mut().insert(ConnectInfo(peer));
2178 let resp2 = app.oneshot(req2).await.unwrap();
2179 assert_eq!(
2180 resp2.status(),
2181 StatusCode::TOO_MANY_REQUESTS,
2182 "second attempt from same IP: pre-auth gate must reject with 429"
2183 );
2184
2185 let counters = state.counters_snapshot();
2186 assert_eq!(
2187 counters.failure_pre_auth_gate, 1,
2188 "exactly one request must have been rejected by the pre-auth gate"
2189 );
2190 assert_eq!(
2194 counters.failure_invalid_credential, 1,
2195 "bearer verification must run exactly once (only the un-gated first request)"
2196 );
2197 }
2198
2199 #[tokio::test]
2206 async fn pre_auth_gate_does_not_throttle_mtls() {
2207 let config = RateLimitConfig {
2208 max_attempts_per_minute: 100,
2209 pre_auth_max_per_minute: Some(1), max_tracked_keys: default_max_tracked_keys(),
2211 idle_eviction: default_idle_eviction(),
2212 burst: None,
2213 pre_auth_burst: None,
2214 };
2215 let state = Arc::new(AuthState {
2216 api_keys: ArcSwap::new(Arc::new(vec![])),
2217 rate_limiter: None,
2218 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2219 #[cfg(feature = "oauth")]
2220 jwks_cache: None,
2221 seen_identities: SeenIdentitySet::new(),
2222 counters: AuthCounters::default(),
2223 });
2224 let app = auth_router(Arc::clone(&state));
2225 let peer: SocketAddr = "10.0.0.20:54321".parse().unwrap();
2226 let identity = AuthIdentity {
2227 name: "cn=test-client".into(),
2228 role: "viewer".into(),
2229 method: AuthMethod::MtlsCertificate,
2230 raw_token: None,
2231 sub: None,
2232 };
2233 let tls_info = TlsConnInfo::new(peer, Some(identity));
2234
2235 for i in 0..3 {
2236 let mut req = Request::builder()
2237 .method(axum::http::Method::POST)
2238 .uri("/mcp")
2239 .body(Body::empty())
2240 .unwrap();
2241 req.extensions_mut().insert(ConnectInfo(tls_info.clone()));
2242 let resp = app.clone().oneshot(req).await.unwrap();
2243 assert_eq!(
2244 resp.status(),
2245 StatusCode::OK,
2246 "mTLS request {i} must succeed: pre-auth gate must not apply to mTLS callers"
2247 );
2248 }
2249
2250 let counters = state.counters_snapshot();
2251 assert_eq!(
2252 counters.failure_pre_auth_gate, 0,
2253 "pre-auth gate counter must remain at zero: mTLS bypasses the gate"
2254 );
2255 assert_eq!(
2256 counters.success_mtls, 3,
2257 "all three mTLS requests must have been counted as successful"
2258 );
2259 }
2260
2261 #[test]
2266 fn extract_bearer_accepts_canonical_case() {
2267 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2268 }
2269
2270 #[test]
2271 fn extract_bearer_is_case_insensitive_per_rfc7235() {
2272 for header in &[
2276 "bearer abc123",
2277 "BEARER abc123",
2278 "BeArEr abc123",
2279 "bEaReR abc123",
2280 ] {
2281 assert_eq!(
2282 extract_bearer(header),
2283 Some("abc123"),
2284 "header {header:?} must parse as a Bearer token (RFC 7235 §2.1)"
2285 );
2286 }
2287 }
2288
2289 #[test]
2290 fn extract_bearer_rejects_other_schemes() {
2291 assert_eq!(extract_bearer("Basic dXNlcjpwYXNz"), None);
2292 assert_eq!(extract_bearer("Digest username=\"x\""), None);
2293 assert_eq!(extract_bearer("Token abc123"), None);
2294 }
2295
2296 #[test]
2297 fn extract_bearer_rejects_malformed() {
2298 assert_eq!(extract_bearer(""), None);
2300 assert_eq!(extract_bearer("Bearer"), None);
2301 assert_eq!(extract_bearer("Bearer "), None);
2302 assert_eq!(extract_bearer("Bearer "), None);
2303 }
2304
2305 #[test]
2306 fn extract_bearer_tolerates_extra_separator_whitespace() {
2307 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2309 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2310 }
2311
2312 #[test]
2318 fn auth_identity_debug_redacts_raw_token() {
2319 let id = AuthIdentity {
2320 name: "alice".into(),
2321 role: "admin".into(),
2322 method: AuthMethod::OAuthJwt,
2323 raw_token: Some(SecretString::from("super-secret-jwt-payload-xyz")),
2324 sub: Some("keycloak-uuid-2f3c8b".into()),
2325 };
2326 let dbg = format!("{id:?}");
2327
2328 assert!(dbg.contains("alice"), "name should be visible: {dbg}");
2330 assert!(dbg.contains("admin"), "role should be visible: {dbg}");
2331 assert!(dbg.contains("OAuthJwt"), "method should be visible: {dbg}");
2332
2333 assert!(
2335 !dbg.contains("super-secret-jwt-payload-xyz"),
2336 "raw_token must be redacted in Debug output: {dbg}"
2337 );
2338 assert!(
2339 !dbg.contains("keycloak-uuid-2f3c8b"),
2340 "sub must be redacted in Debug output: {dbg}"
2341 );
2342 assert!(
2343 dbg.contains("<redacted>"),
2344 "redaction marker missing: {dbg}"
2345 );
2346 }
2347
2348 #[test]
2349 fn auth_identity_debug_marks_absent_secrets() {
2350 let id = AuthIdentity {
2353 name: "viewer-key".into(),
2354 role: "viewer".into(),
2355 method: AuthMethod::BearerToken,
2356 raw_token: None,
2357 sub: None,
2358 };
2359 let dbg = format!("{id:?}");
2360 assert!(
2361 dbg.contains("<none>"),
2362 "absent secrets should be marked: {dbg}"
2363 );
2364 assert!(
2365 !dbg.contains("<redacted>"),
2366 "no <redacted> marker when secrets are absent: {dbg}"
2367 );
2368 }
2369
2370 #[test]
2371 fn api_key_entry_debug_redacts_hash() {
2372 let entry = ApiKeyEntry {
2373 name: "viewer-key".into(),
2374 hash: "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$h4sh3dPa55w0rd".into(),
2376 role: "viewer".into(),
2377 expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
2378 };
2379 let dbg = format!("{entry:?}");
2380
2381 assert!(dbg.contains("viewer-key"));
2383 assert!(dbg.contains("viewer"));
2384 assert!(dbg.contains("2030-01-01T00:00:00+00:00"));
2385
2386 assert!(
2388 !dbg.contains("$argon2id$"),
2389 "argon2 hash leaked into Debug output: {dbg}"
2390 );
2391 assert!(
2392 !dbg.contains("h4sh3dPa55w0rd"),
2393 "hash digest leaked into Debug output: {dbg}"
2394 );
2395 assert!(
2396 dbg.contains("<redacted>"),
2397 "redaction marker missing: {dbg}"
2398 );
2399 }
2400
2401 #[test]
2412 fn auth_failure_class_as_str_exact_strings() {
2413 assert_eq!(
2414 AuthFailureClass::MissingCredential.as_str(),
2415 "missing_credential"
2416 );
2417 assert_eq!(
2418 AuthFailureClass::InvalidCredential.as_str(),
2419 "invalid_credential"
2420 );
2421 assert_eq!(
2422 AuthFailureClass::ExpiredCredential.as_str(),
2423 "expired_credential"
2424 );
2425 assert_eq!(AuthFailureClass::RateLimited.as_str(), "rate_limited");
2426 assert_eq!(AuthFailureClass::PreAuthGate.as_str(), "pre_auth_gate");
2427 }
2428
2429 #[test]
2430 fn auth_failure_class_response_body_exact_strings() {
2431 assert_eq!(
2432 AuthFailureClass::MissingCredential.response_body(),
2433 "unauthorized: missing credential"
2434 );
2435 assert_eq!(
2436 AuthFailureClass::InvalidCredential.response_body(),
2437 "unauthorized: invalid credential"
2438 );
2439 assert_eq!(
2440 AuthFailureClass::ExpiredCredential.response_body(),
2441 "unauthorized: expired credential"
2442 );
2443 assert_eq!(
2444 AuthFailureClass::RateLimited.response_body(),
2445 "rate limited"
2446 );
2447 assert_eq!(
2448 AuthFailureClass::PreAuthGate.response_body(),
2449 "rate limited (pre-auth)"
2450 );
2451 }
2452
2453 #[test]
2454 fn auth_failure_class_bearer_error_exact_strings() {
2455 assert_eq!(
2456 AuthFailureClass::MissingCredential.bearer_error(),
2457 (
2458 "invalid_request",
2459 "missing bearer token or mTLS client certificate"
2460 )
2461 );
2462 assert_eq!(
2463 AuthFailureClass::InvalidCredential.bearer_error(),
2464 ("invalid_token", "token is invalid")
2465 );
2466 assert_eq!(
2467 AuthFailureClass::ExpiredCredential.bearer_error(),
2468 ("invalid_token", "token is expired")
2469 );
2470 assert_eq!(
2471 AuthFailureClass::RateLimited.bearer_error(),
2472 ("invalid_request", "too many failed authentication attempts")
2473 );
2474 assert_eq!(
2475 AuthFailureClass::PreAuthGate.bearer_error(),
2476 (
2477 "invalid_request",
2478 "too many unauthenticated requests from this source"
2479 )
2480 );
2481 }
2482
2483 #[test]
2492 fn auth_config_summary_bearer_true_when_keys_present() {
2493 let (_token, hash) = generate_api_key().unwrap();
2494 let cfg = AuthConfig::with_keys(vec![ApiKeyEntry::new("k", hash, "viewer")]);
2495 let s = cfg.summary();
2496 assert!(s.enabled, "summary.enabled must reflect AuthConfig.enabled");
2497 assert!(
2498 s.bearer,
2499 "summary.bearer must be true when api_keys is non-empty (kills `!` deletion at L615)"
2500 );
2501 assert!(!s.mtls, "summary.mtls must be false when mtls is None");
2502 assert!(!s.oauth, "summary.oauth must be false when oauth is None");
2503 assert_eq!(s.api_keys.len(), 1);
2504 assert_eq!(s.api_keys[0].name, "k");
2505 assert_eq!(s.api_keys[0].role, "viewer");
2506 }
2507
2508 #[test]
2509 fn auth_config_summary_bearer_false_when_no_keys() {
2510 let cfg = AuthConfig::with_keys(vec![]);
2511 let s = cfg.summary();
2512 assert!(
2513 !s.bearer,
2514 "summary.bearer must be false when api_keys is empty (kills `!` deletion at L615)"
2515 );
2516 assert!(s.api_keys.is_empty());
2517 }
2518
2519 #[test]
2520 fn seen_identity_set_first_then_repeat() {
2521 let set = SeenIdentitySet::new();
2522 assert!(set.insert_is_first("alice"), "first sighting is first");
2523 assert!(
2524 !set.insert_is_first("alice"),
2525 "second sighting is not first"
2526 );
2527 assert!(set.insert_is_first("bob"));
2528 assert_eq!(set.len(), 2);
2529 }
2530
2531 #[test]
2532 fn seen_identity_set_evicts_oldest_at_cap() {
2533 let set = SeenIdentitySet::with_cap(2);
2534 assert!(set.insert_is_first("a"));
2535 assert!(set.insert_is_first("b"));
2536 assert!(set.insert_is_first("c"));
2538 assert_eq!(set.len(), 2);
2539 assert!(set.insert_is_first("a"));
2543 assert_eq!(set.len(), 2);
2544 assert!(set.insert_is_first("b"));
2546 for i in 0..32 {
2548 set.insert_is_first(&format!("churn-{i}"));
2549 assert!(set.len() <= 2, "cap invariant must hold");
2550 }
2551 }
2552
2553 #[test]
2554 fn seen_identity_set_cap_zero_is_raised_to_one() {
2555 let set = SeenIdentitySet::with_cap(0);
2556 assert!(set.insert_is_first("only"));
2557 assert_eq!(set.len(), 1);
2558 assert!(set.insert_is_first("next"));
2560 assert_eq!(set.len(), 1);
2561 }
2562
2563 #[test]
2564 fn seen_identity_set_fifo_does_not_refresh_on_repeat_hit() {
2565 let set = SeenIdentitySet::with_cap(2);
2568 assert!(set.insert_is_first("a")); assert!(set.insert_is_first("b")); assert!(!set.insert_is_first("a"));
2574 assert!(set.insert_is_first("c"));
2577 assert!(set.insert_is_first("a"));
2579 let set = SeenIdentitySet::with_cap(2);
2585 assert!(set.insert_is_first("x")); assert!(set.insert_is_first("y")); assert!(!set.insert_is_first("x")); assert!(set.insert_is_first("z")); assert!(
2590 !set.insert_is_first("y"),
2591 "y must still be present (FIFO did not evict it)"
2592 );
2593 assert!(
2594 set.insert_is_first("x"),
2595 "x must have been evicted by FIFO (would NOT have been evicted under LRU)"
2596 );
2597 }
2598}