1use std::{
10 collections::HashSet,
11 net::{IpAddr, SocketAddr},
12 num::NonZeroU32,
13 path::PathBuf,
14 sync::{
15 Arc, LazyLock, Mutex,
16 atomic::{AtomicU64, Ordering},
17 },
18 time::Duration,
19};
20
21use arc_swap::ArcSwap;
22use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier, password_hash::SaltString};
23use axum::{
24 body::Body,
25 extract::ConnectInfo,
26 http::{Request, header},
27 middleware::Next,
28 response::{IntoResponse, Response},
29};
30use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
31use secrecy::SecretString;
32use serde::Deserialize;
33use x509_parser::prelude::*;
34
35use crate::{bounded_limiter::BoundedKeyedLimiter, error::McpxError};
36
37#[derive(Clone)]
46#[non_exhaustive]
47pub struct AuthIdentity {
48 pub name: String,
50 pub role: String,
52 pub method: AuthMethod,
54 pub raw_token: Option<SecretString>,
60 pub sub: Option<String>,
63}
64
65impl std::fmt::Debug for AuthIdentity {
66 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
69 f.debug_struct("AuthIdentity")
70 .field("name", &self.name)
71 .field("role", &self.role)
72 .field("method", &self.method)
73 .field(
74 "raw_token",
75 &if self.raw_token.is_some() {
76 "<redacted>"
77 } else {
78 "<none>"
79 },
80 )
81 .field(
82 "sub",
83 &if self.sub.is_some() {
84 "<redacted>"
85 } else {
86 "<none>"
87 },
88 )
89 .finish()
90 }
91}
92
93#[derive(Debug, Clone, Copy, PartialEq, Eq)]
95#[non_exhaustive]
96pub enum AuthMethod {
97 BearerToken,
99 MtlsCertificate,
101 OAuthJwt,
103}
104
105#[derive(Debug, Clone, Copy, PartialEq, Eq)]
106enum AuthFailureClass {
107 MissingCredential,
108 InvalidCredential,
109 #[cfg_attr(not(feature = "oauth"), allow(dead_code))]
110 ExpiredCredential,
111 RateLimited,
113 PreAuthGate,
116}
117
118impl AuthFailureClass {
119 fn as_str(self) -> &'static str {
120 match self {
121 Self::MissingCredential => "missing_credential",
122 Self::InvalidCredential => "invalid_credential",
123 Self::ExpiredCredential => "expired_credential",
124 Self::RateLimited => "rate_limited",
125 Self::PreAuthGate => "pre_auth_gate",
126 }
127 }
128
129 fn bearer_error(self) -> (&'static str, &'static str) {
130 match self {
131 Self::MissingCredential => (
132 "invalid_request",
133 "missing bearer token or mTLS client certificate",
134 ),
135 Self::InvalidCredential => ("invalid_token", "token is invalid"),
136 Self::ExpiredCredential => ("invalid_token", "token is expired"),
137 Self::RateLimited => ("invalid_request", "too many failed authentication attempts"),
138 Self::PreAuthGate => (
139 "invalid_request",
140 "too many unauthenticated requests from this source",
141 ),
142 }
143 }
144
145 fn response_body(self) -> &'static str {
146 match self {
147 Self::MissingCredential => "unauthorized: missing credential",
148 Self::InvalidCredential => "unauthorized: invalid credential",
149 Self::ExpiredCredential => "unauthorized: expired credential",
150 Self::RateLimited => "rate limited",
151 Self::PreAuthGate => "rate limited (pre-auth)",
152 }
153 }
154}
155
156#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize)]
158#[non_exhaustive]
159pub struct AuthCountersSnapshot {
160 pub success_mtls: u64,
162 pub success_bearer: u64,
164 pub success_oauth_jwt: u64,
166 pub failure_missing_credential: u64,
168 pub failure_invalid_credential: u64,
170 pub failure_expired_credential: u64,
172 pub failure_rate_limited: u64,
174 pub failure_pre_auth_gate: u64,
177}
178
179#[derive(Debug, Default)]
181pub(crate) struct AuthCounters {
182 success_mtls: AtomicU64,
183 success_bearer: AtomicU64,
184 success_oauth_jwt: AtomicU64,
185 failure_missing_credential: AtomicU64,
186 failure_invalid_credential: AtomicU64,
187 failure_expired_credential: AtomicU64,
188 failure_rate_limited: AtomicU64,
189 failure_pre_auth_gate: AtomicU64,
190}
191
192impl AuthCounters {
193 fn record_success(&self, method: AuthMethod) {
194 match method {
195 AuthMethod::MtlsCertificate => {
196 self.success_mtls.fetch_add(1, Ordering::Relaxed);
197 }
198 AuthMethod::BearerToken => {
199 self.success_bearer.fetch_add(1, Ordering::Relaxed);
200 }
201 AuthMethod::OAuthJwt => {
202 self.success_oauth_jwt.fetch_add(1, Ordering::Relaxed);
203 }
204 }
205 }
206
207 fn record_failure(&self, class: AuthFailureClass) {
208 match class {
209 AuthFailureClass::MissingCredential => {
210 self.failure_missing_credential
211 .fetch_add(1, Ordering::Relaxed);
212 }
213 AuthFailureClass::InvalidCredential => {
214 self.failure_invalid_credential
215 .fetch_add(1, Ordering::Relaxed);
216 }
217 AuthFailureClass::ExpiredCredential => {
218 self.failure_expired_credential
219 .fetch_add(1, Ordering::Relaxed);
220 }
221 AuthFailureClass::RateLimited => {
222 self.failure_rate_limited.fetch_add(1, Ordering::Relaxed);
223 }
224 AuthFailureClass::PreAuthGate => {
225 self.failure_pre_auth_gate.fetch_add(1, Ordering::Relaxed);
226 }
227 }
228 }
229
230 fn snapshot(&self) -> AuthCountersSnapshot {
231 AuthCountersSnapshot {
232 success_mtls: self.success_mtls.load(Ordering::Relaxed),
233 success_bearer: self.success_bearer.load(Ordering::Relaxed),
234 success_oauth_jwt: self.success_oauth_jwt.load(Ordering::Relaxed),
235 failure_missing_credential: self.failure_missing_credential.load(Ordering::Relaxed),
236 failure_invalid_credential: self.failure_invalid_credential.load(Ordering::Relaxed),
237 failure_expired_credential: self.failure_expired_credential.load(Ordering::Relaxed),
238 failure_rate_limited: self.failure_rate_limited.load(Ordering::Relaxed),
239 failure_pre_auth_gate: self.failure_pre_auth_gate.load(Ordering::Relaxed),
240 }
241 }
242}
243
244#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
256#[non_exhaustive]
257pub struct RfcTimestamp(chrono::DateTime<chrono::FixedOffset>);
258
259impl RfcTimestamp {
260 pub fn parse(s: &str) -> Result<Self, chrono::ParseError> {
268 chrono::DateTime::parse_from_rfc3339(s).map(Self)
269 }
270
271 #[must_use]
273 pub fn as_datetime(&self) -> &chrono::DateTime<chrono::FixedOffset> {
274 &self.0
275 }
276
277 #[must_use]
279 pub fn into_inner(self) -> chrono::DateTime<chrono::FixedOffset> {
280 self.0
281 }
282}
283
284impl std::fmt::Display for RfcTimestamp {
285 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
286 write!(f, "{}", self.0.to_rfc3339())
288 }
289}
290
291impl std::fmt::Debug for RfcTimestamp {
292 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
293 write!(f, "{}", self.0.to_rfc3339())
298 }
299}
300
301impl<'de> Deserialize<'de> for RfcTimestamp {
302 fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
303 where
304 D: serde::Deserializer<'de>,
305 {
306 let s = String::deserialize(deserializer)?;
310 Self::parse(&s).map_err(serde::de::Error::custom)
311 }
312}
313
314impl serde::Serialize for RfcTimestamp {
315 fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
316 where
317 S: serde::Serializer,
318 {
319 serializer.serialize_str(&self.0.to_rfc3339())
320 }
321}
322
323impl From<chrono::DateTime<chrono::FixedOffset>> for RfcTimestamp {
324 fn from(value: chrono::DateTime<chrono::FixedOffset>) -> Self {
325 Self(value)
326 }
327}
328
329#[derive(Clone, Deserialize)]
336#[non_exhaustive]
337pub struct ApiKeyEntry {
338 pub name: String,
340 pub hash: String,
342 pub role: String,
344 pub expires_at: Option<RfcTimestamp>,
349}
350
351impl std::fmt::Debug for ApiKeyEntry {
352 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
355 f.debug_struct("ApiKeyEntry")
356 .field("name", &self.name)
357 .field("hash", &"<redacted>")
358 .field("role", &self.role)
359 .field("expires_at", &self.expires_at)
360 .finish()
361 }
362}
363
364impl ApiKeyEntry {
365 #[must_use]
367 pub fn new(name: impl Into<String>, hash: impl Into<String>, role: impl Into<String>) -> Self {
368 Self {
369 name: name.into(),
370 hash: hash.into(),
371 role: role.into(),
372 expires_at: None,
373 }
374 }
375
376 #[must_use]
381 pub fn with_expiry(mut self, expires_at: RfcTimestamp) -> Self {
382 self.expires_at = Some(expires_at);
383 self
384 }
385
386 pub fn try_with_expiry(
394 mut self,
395 expires_at: impl AsRef<str>,
396 ) -> Result<Self, chrono::ParseError> {
397 self.expires_at = Some(RfcTimestamp::parse(expires_at.as_ref())?);
398 Ok(self)
399 }
400}
401
402#[derive(Debug, Clone, Deserialize)]
404#[allow(
405 clippy::struct_excessive_bools,
406 reason = "mTLS CRL behavior is intentionally configured as independent booleans"
407)]
408#[non_exhaustive]
409pub struct MtlsConfig {
410 pub ca_cert_path: PathBuf,
412 #[serde(default)]
415 pub required: bool,
416 #[serde(default = "default_mtls_role")]
419 pub default_role: String,
420 #[serde(default = "default_true")]
423 pub crl_enabled: bool,
424 #[serde(default, with = "humantime_serde::option")]
427 pub crl_refresh_interval: Option<Duration>,
428 #[serde(default = "default_crl_fetch_timeout", with = "humantime_serde")]
430 pub crl_fetch_timeout: Duration,
431 #[serde(default = "default_crl_stale_grace", with = "humantime_serde")]
434 pub crl_stale_grace: Duration,
435 #[serde(default)]
438 pub crl_deny_on_unavailable: bool,
439 #[serde(default)]
441 pub crl_end_entity_only: bool,
442 #[serde(default = "default_true")]
451 pub crl_allow_http: bool,
452 #[serde(default = "default_true")]
454 pub crl_enforce_expiration: bool,
455 #[serde(default = "default_crl_max_concurrent_fetches")]
461 pub crl_max_concurrent_fetches: usize,
462 #[serde(default = "default_crl_max_response_bytes")]
466 pub crl_max_response_bytes: u64,
467 #[serde(default = "default_crl_discovery_rate_per_min")]
483 pub crl_discovery_rate_per_min: u32,
484 #[serde(default = "default_crl_max_host_semaphores")]
493 pub crl_max_host_semaphores: usize,
494 #[serde(default = "default_crl_max_seen_urls")]
498 pub crl_max_seen_urls: usize,
499 #[serde(default = "default_crl_max_cache_entries")]
503 pub crl_max_cache_entries: usize,
504}
505
506fn default_mtls_role() -> String {
507 "viewer".into()
508}
509
510const fn default_true() -> bool {
511 true
512}
513
514const fn default_crl_fetch_timeout() -> Duration {
515 Duration::from_secs(30)
516}
517
518const fn default_crl_stale_grace() -> Duration {
519 Duration::from_hours(24)
520}
521
522const fn default_crl_max_concurrent_fetches() -> usize {
523 4
524}
525
526const fn default_crl_max_response_bytes() -> u64 {
527 5 * 1024 * 1024
528}
529
530const fn default_crl_discovery_rate_per_min() -> u32 {
531 60
532}
533
534const fn default_crl_max_host_semaphores() -> usize {
535 1024
536}
537
538const fn default_crl_max_seen_urls() -> usize {
539 4096
540}
541
542const fn default_crl_max_cache_entries() -> usize {
543 1024
544}
545
546#[derive(Debug, Clone, Deserialize)]
561#[non_exhaustive]
562pub struct RateLimitConfig {
563 #[serde(default = "default_max_attempts")]
566 pub max_attempts_per_minute: u32,
567 #[serde(default)]
575 pub pre_auth_max_per_minute: Option<u32>,
576 #[serde(default = "default_max_tracked_keys")]
581 pub max_tracked_keys: usize,
582 #[serde(default = "default_idle_eviction", with = "humantime_serde")]
585 pub idle_eviction: Duration,
586 #[serde(default)]
593 pub burst: Option<u32>,
594 #[serde(default)]
600 pub pre_auth_burst: Option<u32>,
601}
602
603impl Default for RateLimitConfig {
604 fn default() -> Self {
605 Self {
606 max_attempts_per_minute: default_max_attempts(),
607 pre_auth_max_per_minute: None,
608 max_tracked_keys: default_max_tracked_keys(),
609 idle_eviction: default_idle_eviction(),
610 burst: None,
611 pre_auth_burst: None,
612 }
613 }
614}
615
616impl RateLimitConfig {
617 #[must_use]
621 pub fn new(max_attempts_per_minute: u32) -> Self {
622 Self {
623 max_attempts_per_minute,
624 ..Self::default()
625 }
626 }
627
628 #[must_use]
631 pub fn with_pre_auth_max_per_minute(mut self, quota: u32) -> Self {
632 self.pre_auth_max_per_minute = Some(quota);
633 self
634 }
635
636 #[must_use]
638 pub fn with_max_tracked_keys(mut self, max: usize) -> Self {
639 self.max_tracked_keys = max;
640 self
641 }
642
643 #[must_use]
645 pub fn with_idle_eviction(mut self, idle: Duration) -> Self {
646 self.idle_eviction = idle;
647 self
648 }
649
650 #[must_use]
653 pub fn with_burst(mut self, burst: u32) -> Self {
654 self.burst = Some(burst);
655 self
656 }
657
658 #[must_use]
661 pub fn with_pre_auth_burst(mut self, burst: u32) -> Self {
662 self.pre_auth_burst = Some(burst);
663 self
664 }
665}
666
667fn default_max_attempts() -> u32 {
668 30
669}
670
671fn default_max_tracked_keys() -> usize {
672 10_000
673}
674
675fn default_idle_eviction() -> Duration {
676 Duration::from_mins(15)
677}
678
679#[derive(Debug, Clone, Default, Deserialize)]
681#[non_exhaustive]
682pub struct AuthConfig {
683 #[serde(default)]
685 pub enabled: bool,
686 #[serde(default)]
688 pub api_keys: Vec<ApiKeyEntry>,
689 pub mtls: Option<MtlsConfig>,
691 pub rate_limit: Option<RateLimitConfig>,
693 #[cfg(feature = "oauth")]
695 pub oauth: Option<crate::oauth::OAuthConfig>,
696}
697
698impl AuthConfig {
699 #[must_use]
701 pub fn with_keys(keys: Vec<ApiKeyEntry>) -> Self {
702 Self {
703 enabled: true,
704 api_keys: keys,
705 mtls: None,
706 rate_limit: None,
707 #[cfg(feature = "oauth")]
708 oauth: None,
709 }
710 }
711
712 #[must_use]
714 pub fn with_rate_limit(mut self, rate_limit: RateLimitConfig) -> Self {
715 self.rate_limit = Some(rate_limit);
716 self
717 }
718}
719
720#[derive(Debug, Clone, serde::Serialize)]
724#[non_exhaustive]
725pub struct ApiKeySummary {
726 pub name: String,
728 pub role: String,
730 pub expires_at: Option<RfcTimestamp>,
733}
734
735#[derive(Debug, Clone, serde::Serialize)]
737#[allow(
738 clippy::struct_excessive_bools,
739 reason = "this is a flat summary of independent auth-method booleans"
740)]
741#[non_exhaustive]
742pub struct AuthConfigSummary {
743 pub enabled: bool,
745 pub bearer: bool,
747 pub mtls: bool,
749 pub oauth: bool,
751 pub api_keys: Vec<ApiKeySummary>,
753}
754
755impl AuthConfig {
756 #[must_use]
758 pub fn summary(&self) -> AuthConfigSummary {
759 AuthConfigSummary {
760 enabled: self.enabled,
761 bearer: !self.api_keys.is_empty(),
762 mtls: self.mtls.is_some(),
763 #[cfg(feature = "oauth")]
764 oauth: self.oauth.is_some(),
765 #[cfg(not(feature = "oauth"))]
766 oauth: false,
767 api_keys: self
768 .api_keys
769 .iter()
770 .map(|k| ApiKeySummary {
771 name: k.name.clone(),
772 role: k.role.clone(),
773 expires_at: k.expires_at,
774 })
775 .collect(),
776 }
777 }
778}
779
780pub(crate) type KeyedLimiter = BoundedKeyedLimiter<IpAddr>;
783
784#[derive(Clone, Debug)]
794#[non_exhaustive]
795pub(crate) struct TlsConnInfo {
796 pub addr: SocketAddr,
798 pub identity: Option<AuthIdentity>,
801}
802
803impl TlsConnInfo {
804 #[must_use]
806 pub(crate) const fn new(addr: SocketAddr, identity: Option<AuthIdentity>) -> Self {
807 Self { addr, identity }
808 }
809}
810
811const DEFAULT_SEEN_IDENTITY_CAP: usize = 4096;
819
820pub(crate) struct SeenIdentitySet {
840 inner: Mutex<SeenInner>,
841}
842
843struct SeenInner {
844 set: HashSet<String>,
845 order: std::collections::VecDeque<String>,
850 cap: usize,
851}
852
853impl SeenIdentitySet {
854 #[must_use]
856 pub(crate) fn new() -> Self {
857 Self::with_cap(DEFAULT_SEEN_IDENTITY_CAP)
858 }
859
860 #[must_use]
863 pub(crate) fn with_cap(cap: usize) -> Self {
864 let cap = cap.max(1);
865 Self {
866 inner: Mutex::new(SeenInner {
867 set: HashSet::with_capacity(cap.min(64)),
868 order: std::collections::VecDeque::with_capacity(cap.min(64)),
869 cap,
870 }),
871 }
872 }
873
874 pub(crate) fn insert_is_first(&self, name: &str) -> bool {
881 let mut guard = self
887 .inner
888 .lock()
889 .unwrap_or_else(std::sync::PoisonError::into_inner);
890
891 if guard.set.contains(name) {
892 return false;
893 }
894 if guard.set.len() >= guard.cap
897 && let Some(evicted) = guard.order.pop_front()
898 {
899 guard.set.remove(&evicted);
900 }
901 let owned = name.to_owned();
902 guard.set.insert(owned.clone());
903 guard.order.push_back(owned);
904 true
905 }
906
907 #[cfg(test)]
909 pub(crate) fn len(&self) -> usize {
910 self.inner
911 .lock()
912 .unwrap_or_else(std::sync::PoisonError::into_inner)
913 .set
914 .len()
915 }
916}
917
918impl Default for SeenIdentitySet {
919 fn default() -> Self {
920 Self::new()
921 }
922}
923
924#[allow(
929 missing_debug_implementations,
930 reason = "contains governor RateLimiter and JwksCache without Debug impls"
931)]
932#[non_exhaustive]
933pub(crate) struct AuthState {
934 pub api_keys: ArcSwap<Vec<ApiKeyEntry>>,
936 pub rate_limiter: Option<Arc<KeyedLimiter>>,
938 pub pre_auth_limiter: Option<Arc<KeyedLimiter>>,
941 #[cfg(feature = "oauth")]
942 pub jwks_cache: Option<Arc<crate::oauth::JwksCache>>,
944 pub seen_identities: SeenIdentitySet,
949 pub counters: AuthCounters,
951}
952
953impl AuthState {
954 pub(crate) fn reload_keys(&self, keys: Vec<ApiKeyEntry>) {
960 let count = keys.len();
961 self.api_keys.store(Arc::new(keys));
962 tracing::info!(keys = count, "API keys reloaded");
963 }
964
965 #[must_use]
967 pub(crate) fn counters_snapshot(&self) -> AuthCountersSnapshot {
968 self.counters.snapshot()
969 }
970
971 #[must_use]
973 pub(crate) fn api_key_summaries(&self) -> Vec<ApiKeySummary> {
974 self.api_keys
975 .load()
976 .iter()
977 .map(|k| ApiKeySummary {
978 name: k.name.clone(),
979 role: k.role.clone(),
980 expires_at: k.expires_at,
981 })
982 .collect()
983 }
984
985 fn log_auth(&self, id: &AuthIdentity, method: &str) {
993 self.counters.record_success(id.method);
994 let first = self.seen_identities.insert_is_first(&id.name);
995 if first {
996 tracing::info!(name = %id.name, role = %id.role, "{method} authenticated");
997 } else {
998 tracing::debug!(name = %id.name, role = %id.role, "{method} authenticated");
999 }
1000 }
1001}
1002
1003const DEFAULT_AUTH_RATE: NonZeroU32 = NonZeroU32::new(30).unwrap();
1006
1007fn apply_burst(quota: governor::Quota, burst: Option<u32>) -> governor::Quota {
1011 match burst.and_then(NonZeroU32::new) {
1012 Some(b) => quota.allow_burst(b),
1013 None => quota,
1014 }
1015}
1016
1017#[must_use]
1019pub(crate) fn build_rate_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1020 let quota = governor::Quota::per_minute(
1021 NonZeroU32::new(config.max_attempts_per_minute).unwrap_or(DEFAULT_AUTH_RATE),
1022 );
1023 let quota = apply_burst(quota, config.burst);
1024 Arc::new(BoundedKeyedLimiter::new(
1025 quota,
1026 config.max_tracked_keys,
1027 config.idle_eviction,
1028 ))
1029}
1030
1031#[must_use]
1038pub(crate) fn build_pre_auth_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1039 let resolved = config.pre_auth_max_per_minute.unwrap_or_else(|| {
1040 config
1041 .max_attempts_per_minute
1042 .saturating_mul(PRE_AUTH_DEFAULT_MULTIPLIER)
1043 });
1044 let quota =
1045 governor::Quota::per_minute(NonZeroU32::new(resolved).unwrap_or(DEFAULT_PRE_AUTH_RATE));
1046 let quota = apply_burst(quota, config.pre_auth_burst);
1047 Arc::new(BoundedKeyedLimiter::new(
1048 quota,
1049 config.max_tracked_keys,
1050 config.idle_eviction,
1051 ))
1052}
1053
1054const PRE_AUTH_DEFAULT_MULTIPLIER: u32 = 10;
1057
1058const DEFAULT_PRE_AUTH_RATE: NonZeroU32 = NonZeroU32::new(300).unwrap();
1062
1063#[must_use]
1068pub fn extract_mtls_identity(cert_der: &[u8], default_role: &str) -> Option<AuthIdentity> {
1069 let (_, cert) = X509Certificate::from_der(cert_der).ok()?;
1070
1071 let cn = cert
1073 .subject()
1074 .iter_common_name()
1075 .next()
1076 .and_then(|attr| attr.as_str().ok())
1077 .map(String::from);
1078
1079 let name = cn.or_else(|| {
1081 cert.subject_alternative_name()
1082 .ok()
1083 .flatten()
1084 .and_then(|san| {
1085 #[allow(
1086 clippy::wildcard_enum_match_arm,
1087 reason = "x509-parser GeneralName is a large external enum; only DNSName is meaningful here"
1088 )]
1089 san.value.general_names.iter().find_map(|gn| match gn {
1090 GeneralName::DNSName(dns) => Some((*dns).to_owned()),
1091 _ => None,
1092 })
1093 })
1094 })?;
1095
1096 if !name
1098 .chars()
1099 .all(|c| c.is_alphanumeric() || matches!(c, '-' | '.' | '_' | '@'))
1100 {
1101 tracing::warn!(cn = %name, "mTLS identity rejected: invalid characters in CN/SAN");
1102 return None;
1103 }
1104
1105 Some(AuthIdentity {
1106 name,
1107 role: default_role.to_owned(),
1108 method: AuthMethod::MtlsCertificate,
1109 raw_token: None,
1110 sub: None,
1111 })
1112}
1113
1114fn extract_bearer(value: &str) -> Option<&str> {
1129 let (scheme, rest) = value.split_once(' ')?;
1130 if scheme.eq_ignore_ascii_case("Bearer") {
1131 let token = rest.trim_start_matches(' ');
1132 if token.is_empty() { None } else { Some(token) }
1133 } else {
1134 None
1135 }
1136}
1137
1138#[must_use]
1167pub fn verify_bearer_token(token: &str, keys: &[ApiKeyEntry]) -> Option<AuthIdentity> {
1168 use subtle::ConstantTimeEq as _;
1169
1170 let now = chrono::Utc::now();
1171 #[allow(
1172 clippy::expect_used,
1173 reason = "DUMMY_PHC_HASH is a static LazyLock built from a fixed Argon2id PHC string by construction; PasswordHash::new on it is infallible. See DUMMY_PHC_HASH definition."
1174 )]
1175 let dummy_hash = PasswordHash::new(&DUMMY_PHC_HASH)
1176 .expect("DUMMY_PHC_HASH is a valid Argon2id PHC string by construction");
1177
1178 let mut matched_index: usize = usize::MAX;
1179 let mut any_match: u8 = 0;
1180
1181 for (idx, key) in keys.iter().enumerate() {
1182 let expired = key.expires_at.is_some_and(|exp| exp.as_datetime() < &now);
1183
1184 let real_hash = PasswordHash::new(&key.hash);
1185 let verify_against = match (&real_hash, expired, any_match) {
1186 (Ok(h), false, 0) => h,
1187 _ => &dummy_hash,
1188 };
1189
1190 let slot_ok = u8::from(
1191 Argon2::default()
1192 .verify_password(token.as_bytes(), verify_against)
1193 .is_ok(),
1194 );
1195
1196 let real_match = slot_ok & u8::from(!expired) & u8::from(real_hash.is_ok());
1197 let first_real_match = real_match & (1 - any_match);
1198 if first_real_match.ct_eq(&1).into() {
1199 matched_index = idx;
1200 }
1201 any_match |= real_match;
1202 }
1203
1204 if any_match == 0 {
1205 return None;
1206 }
1207 let key = keys.get(matched_index)?;
1208 Some(AuthIdentity {
1209 name: key.name.clone(),
1210 role: key.role.clone(),
1211 method: AuthMethod::BearerToken,
1212 raw_token: None,
1213 sub: None,
1214 })
1215}
1216
1217static DUMMY_PHC_HASH: LazyLock<String> = LazyLock::new(|| {
1230 #[allow(
1232 clippy::expect_used,
1233 reason = "fixed 22-char base64 ('AAAA...') decodes to a valid 16-byte salt; SaltString::from_b64 is infallible on this literal"
1234 )]
1235 let salt = SaltString::from_b64("AAAAAAAAAAAAAAAAAAAAAA")
1236 .expect("fixed 16-byte base64 salt is well-formed");
1237 #[allow(
1238 clippy::expect_used,
1239 reason = "Argon2::default() with a fixed plaintext and a well-formed salt is infallible; only fails on bad params/salt"
1240 )]
1241 Argon2::default()
1242 .hash_password(b"rmcp-server-kit-dummy", &salt)
1243 .expect("Argon2 default params hash a fixed plaintext")
1244 .to_string()
1245});
1246
1247pub fn generate_api_key() -> Result<(String, String), McpxError> {
1257 let mut token_bytes = [0u8; 32];
1258 rand::fill(&mut token_bytes);
1259 let token = URL_SAFE_NO_PAD.encode(token_bytes);
1260
1261 let mut salt_bytes = [0u8; 16];
1263 rand::fill(&mut salt_bytes);
1264 let salt = SaltString::encode_b64(&salt_bytes)
1265 .map_err(|e| McpxError::Auth(format!("salt encoding failed: {e}")))?;
1266 let hash = Argon2::default()
1267 .hash_password(token.as_bytes(), &salt)
1268 .map_err(|e| McpxError::Auth(format!("argon2id hashing failed: {e}")))?
1269 .to_string();
1270
1271 Ok((token, hash))
1272}
1273
1274fn build_www_authenticate_value(
1275 advertise_resource_metadata: bool,
1276 failure: AuthFailureClass,
1277) -> String {
1278 let (error, error_description) = failure.bearer_error();
1279 if advertise_resource_metadata {
1280 return format!(
1281 "Bearer resource_metadata=\"/.well-known/oauth-protected-resource\", error=\"{error}\", error_description=\"{error_description}\""
1282 );
1283 }
1284 format!("Bearer error=\"{error}\", error_description=\"{error_description}\"")
1285}
1286
1287fn auth_method_label(method: AuthMethod) -> &'static str {
1288 match method {
1289 AuthMethod::MtlsCertificate => "mTLS",
1290 AuthMethod::BearerToken => "bearer token",
1291 AuthMethod::OAuthJwt => "OAuth JWT",
1292 }
1293}
1294
1295#[cfg_attr(not(feature = "oauth"), allow(unused_variables))]
1296fn unauthorized_response(state: &AuthState, failure_class: AuthFailureClass) -> Response {
1297 #[cfg(feature = "oauth")]
1298 let advertise_resource_metadata = state.jwks_cache.is_some();
1299 #[cfg(not(feature = "oauth"))]
1300 let advertise_resource_metadata = false;
1301
1302 let challenge = build_www_authenticate_value(advertise_resource_metadata, failure_class);
1303 (
1304 axum::http::StatusCode::UNAUTHORIZED,
1305 [(header::WWW_AUTHENTICATE, challenge)],
1306 failure_class.response_body(),
1307 )
1308 .into_response()
1309}
1310
1311async fn authenticate_bearer_identity(
1317 state: &AuthState,
1318 token: &str,
1319) -> Result<AuthIdentity, AuthFailureClass> {
1320 let mut failure_class = AuthFailureClass::MissingCredential;
1321
1322 #[cfg(feature = "oauth")]
1323 if let Some(ref cache) = state.jwks_cache
1324 && crate::oauth::looks_like_jwt(token)
1325 {
1326 match cache.validate_token_with_reason(token).await {
1327 Ok(mut id) => {
1328 id.raw_token = Some(SecretString::from(token.to_owned()));
1329 return Ok(id);
1330 }
1331 Err(crate::oauth::JwtValidationFailure::Expired) => {
1332 failure_class = AuthFailureClass::ExpiredCredential;
1333 }
1334 Err(crate::oauth::JwtValidationFailure::Invalid) => {
1335 failure_class = AuthFailureClass::InvalidCredential;
1336 }
1337 }
1338 }
1339
1340 let token = token.to_owned();
1341 let keys = state.api_keys.load_full(); let identity = tokio::task::spawn_blocking(move || verify_bearer_token(&token, &keys))
1345 .await
1346 .ok()
1347 .flatten();
1348
1349 if let Some(id) = identity {
1350 return Ok(id);
1351 }
1352
1353 if failure_class == AuthFailureClass::MissingCredential {
1354 failure_class = AuthFailureClass::InvalidCredential;
1355 }
1356
1357 Err(failure_class)
1358}
1359
1360fn pre_auth_gate(state: &AuthState, client_ip: Option<IpAddr>) -> Option<Response> {
1371 let limiter = state.pre_auth_limiter.as_ref()?;
1372 let ip = client_ip?;
1373 let Err(wait) = limiter.check_key_wait(&ip) else {
1374 return None;
1375 };
1376 state.counters.record_failure(AuthFailureClass::PreAuthGate);
1377 tracing::warn!(
1378 %ip,
1379 "auth rate limited by pre-auth gate (request rejected before credential verification)"
1380 );
1381 Some(
1382 McpxError::RateLimitedFor {
1383 message: "too many unauthenticated requests from this source".into(),
1384 retry_after: wait,
1385 }
1386 .into_response(),
1387 )
1388}
1389
1390pub(crate) async fn auth_middleware(
1399 state: Arc<AuthState>,
1400 req: Request<Body>,
1401 next: Next,
1402) -> Response {
1403 let tls_info = req.extensions().get::<ConnectInfo<TlsConnInfo>>().cloned();
1409 let client_ip = crate::transport::limiter_client_ip(req.extensions());
1410
1411 if let Some(id) = tls_info.and_then(|ci| ci.0.identity) {
1418 state.log_auth(&id, "mTLS");
1419 let mut req = req;
1420 req.extensions_mut().insert(id);
1421 return next.run(req).await;
1422 }
1423
1424 if let Some(blocked) = pre_auth_gate(&state, client_ip) {
1428 #[cfg(feature = "metrics")]
1429 crate::metrics::record_rate_limit_deny(req.extensions(), "auth_pre");
1430 return blocked;
1431 }
1432
1433 let failure_class = if let Some(value) = req.headers().get(header::AUTHORIZATION) {
1434 match value.to_str().ok().and_then(extract_bearer) {
1435 Some(token) => match authenticate_bearer_identity(&state, token).await {
1436 Ok(id) => {
1437 state.log_auth(&id, auth_method_label(id.method));
1438 let mut req = req;
1439 req.extensions_mut().insert(id);
1440 return next.run(req).await;
1441 }
1442 Err(class) => class,
1443 },
1444 None => AuthFailureClass::InvalidCredential,
1445 }
1446 } else {
1447 AuthFailureClass::MissingCredential
1448 };
1449
1450 tracing::warn!(failure_class = %failure_class.as_str(), "auth failed");
1451
1452 if let (Some(limiter), Some(ip)) = (&state.rate_limiter, client_ip)
1455 && let Err(wait) = limiter.check_key_wait(&ip)
1456 {
1457 state.counters.record_failure(AuthFailureClass::RateLimited);
1458 #[cfg(feature = "metrics")]
1459 crate::metrics::record_rate_limit_deny(req.extensions(), "auth_post");
1460 tracing::warn!(%ip, "auth rate limited after repeated failures");
1461 return McpxError::RateLimitedFor {
1462 message: "too many failed authentication attempts".into(),
1463 retry_after: wait,
1464 }
1465 .into_response();
1466 }
1467
1468 state.counters.record_failure(failure_class);
1469 unauthorized_response(&state, failure_class)
1470}
1471
1472#[cfg(test)]
1473mod tests {
1474 use super::*;
1475
1476 #[test]
1477 fn generate_and_verify_api_key() {
1478 let (token, hash) = generate_api_key().unwrap();
1479
1480 assert_eq!(token.len(), 43);
1482
1483 assert!(hash.starts_with("$argon2id$"));
1485
1486 let keys = vec![ApiKeyEntry {
1488 name: "test".into(),
1489 hash,
1490 role: "viewer".into(),
1491 expires_at: None,
1492 }];
1493 let id = verify_bearer_token(&token, &keys);
1494 assert!(id.is_some());
1495 let id = id.unwrap();
1496 assert_eq!(id.name, "test");
1497 assert_eq!(id.role, "viewer");
1498 assert_eq!(id.method, AuthMethod::BearerToken);
1499 }
1500
1501 #[test]
1502 fn wrong_token_rejected() {
1503 let (_token, hash) = generate_api_key().unwrap();
1504 let keys = vec![ApiKeyEntry {
1505 name: "test".into(),
1506 hash,
1507 role: "viewer".into(),
1508 expires_at: None,
1509 }];
1510 assert!(verify_bearer_token("wrong-token", &keys).is_none());
1511 }
1512
1513 #[test]
1514 fn expired_key_rejected() {
1515 let (token, hash) = generate_api_key().unwrap();
1516 let keys = vec![ApiKeyEntry {
1517 name: "test".into(),
1518 hash,
1519 role: "viewer".into(),
1520 expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1521 }];
1522 assert!(verify_bearer_token(&token, &keys).is_none());
1523 }
1524
1525 #[test]
1526 fn match_in_last_slot_still_authenticates() {
1527 let (token, hash) = generate_api_key().unwrap();
1528 let (_other_token, other_hash) = generate_api_key().unwrap();
1529 let keys = vec![
1530 ApiKeyEntry {
1531 name: "first".into(),
1532 hash: other_hash.clone(),
1533 role: "viewer".into(),
1534 expires_at: None,
1535 },
1536 ApiKeyEntry {
1537 name: "second".into(),
1538 hash: other_hash,
1539 role: "viewer".into(),
1540 expires_at: None,
1541 },
1542 ApiKeyEntry {
1543 name: "match".into(),
1544 hash,
1545 role: "ops".into(),
1546 expires_at: None,
1547 },
1548 ];
1549 let id = verify_bearer_token(&token, &keys).expect("last-slot match must authenticate");
1550 assert_eq!(id.name, "match");
1551 assert_eq!(id.role, "ops");
1552 }
1553
1554 #[test]
1555 fn expired_slot_before_valid_match_does_not_short_circuit() {
1556 let (token, hash) = generate_api_key().unwrap();
1557 let (_, other_hash) = generate_api_key().unwrap();
1558 let keys = vec![
1559 ApiKeyEntry {
1560 name: "expired".into(),
1561 hash: other_hash,
1562 role: "viewer".into(),
1563 expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1564 },
1565 ApiKeyEntry {
1566 name: "valid".into(),
1567 hash,
1568 role: "ops".into(),
1569 expires_at: None,
1570 },
1571 ];
1572 let id = verify_bearer_token(&token, &keys)
1573 .expect("valid slot following an expired slot must authenticate");
1574 assert_eq!(id.name, "valid");
1575 }
1576
1577 #[test]
1578 fn malformed_hash_slot_does_not_short_circuit() {
1579 let (token, hash) = generate_api_key().unwrap();
1580 let keys = vec![
1581 ApiKeyEntry {
1582 name: "broken".into(),
1583 hash: "this-is-not-a-phc-string".into(),
1584 role: "viewer".into(),
1585 expires_at: None,
1586 },
1587 ApiKeyEntry {
1588 name: "valid".into(),
1589 hash,
1590 role: "ops".into(),
1591 expires_at: None,
1592 },
1593 ];
1594 let id = verify_bearer_token(&token, &keys)
1595 .expect("valid slot following a malformed-hash slot must authenticate");
1596 assert_eq!(id.name, "valid");
1597 }
1598
1599 #[test]
1610 fn rfc_timestamp_parse_rejects_malformed() {
1611 for bad in [
1612 "not-a-date",
1613 "",
1614 "2025-13-01T00:00:00Z", "2025-01-32T00:00:00Z", "2025-01-01T00:00:00", "01/01/2025", "2025-01-01T25:00:00Z", ] {
1620 assert!(
1621 RfcTimestamp::parse(bad).is_err(),
1622 "RfcTimestamp::parse must reject {bad:?}"
1623 );
1624 }
1625 }
1626
1627 #[test]
1628 fn rfc_timestamp_parse_accepts_valid() {
1629 for good in [
1630 "2025-01-01T00:00:00Z",
1631 "2025-01-01T00:00:00+00:00",
1632 "2025-12-31T23:59:59-08:00",
1633 "2099-01-01T00:00:00.123456789Z",
1634 ] {
1635 assert!(
1636 RfcTimestamp::parse(good).is_ok(),
1637 "RfcTimestamp::parse must accept {good:?}"
1638 );
1639 }
1640 }
1641
1642 #[test]
1643 fn api_key_entry_deserialize_rejects_malformed_expires_at() {
1644 let toml = r#"
1649 name = "bad-key"
1650 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1651 role = "viewer"
1652 expires_at = "not-a-date"
1653 "#;
1654 let result: Result<ApiKeyEntry, _> = toml::from_str(toml);
1655 assert!(
1656 result.is_err(),
1657 "deserialization must reject malformed expires_at"
1658 );
1659 }
1660
1661 #[test]
1662 fn api_key_entry_deserialize_accepts_valid_expires_at() {
1663 let toml = r#"
1664 name = "good-key"
1665 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1666 role = "viewer"
1667 expires_at = "2099-01-01T00:00:00Z"
1668 "#;
1669 let entry: ApiKeyEntry = toml::from_str(toml).expect("valid RFC 3339 must deserialize");
1670 assert!(entry.expires_at.is_some());
1671 }
1672
1673 #[test]
1674 fn api_key_entry_deserialize_accepts_missing_expires_at() {
1675 let toml = r#"
1678 name = "eternal-key"
1679 hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1680 role = "viewer"
1681 "#;
1682 let entry: ApiKeyEntry = toml::from_str(toml).expect("missing expires_at must deserialize");
1683 assert!(entry.expires_at.is_none());
1684 }
1685
1686 #[test]
1687 fn try_with_expiry_rejects_malformed() {
1688 let entry = ApiKeyEntry::new("k", "hash", "viewer");
1689 assert!(entry.try_with_expiry("not-a-date").is_err());
1690 }
1691
1692 #[test]
1693 fn try_with_expiry_accepts_valid() {
1694 let entry = ApiKeyEntry::new("k", "hash", "viewer")
1695 .try_with_expiry("2099-01-01T00:00:00Z")
1696 .expect("valid RFC 3339 must be accepted");
1697 assert!(entry.expires_at.is_some());
1698 }
1699
1700 #[test]
1701 fn api_key_summary_serializes_expires_at_as_rfc3339() {
1702 let summary = ApiKeySummary {
1707 name: "k".into(),
1708 role: "viewer".into(),
1709 expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
1710 };
1711 let json = serde_json::to_string(&summary).unwrap();
1712 assert!(
1713 json.contains(r#""expires_at":"2030-01-01T00:00:00+00:00""#),
1714 "wire format regressed: {json}"
1715 );
1716 }
1717
1718 #[test]
1719 fn future_expiry_accepted() {
1720 let (token, hash) = generate_api_key().unwrap();
1721 let keys = vec![ApiKeyEntry {
1722 name: "test".into(),
1723 hash,
1724 role: "viewer".into(),
1725 expires_at: Some(RfcTimestamp::parse("2099-01-01T00:00:00Z").unwrap()),
1726 }];
1727 assert!(verify_bearer_token(&token, &keys).is_some());
1728 }
1729
1730 #[test]
1731 fn multiple_keys_first_match_wins() {
1732 let (token, hash) = generate_api_key().unwrap();
1733 let keys = vec![
1734 ApiKeyEntry {
1735 name: "wrong".into(),
1736 hash: "$argon2id$v=19$m=19456,t=2,p=1$invalid$invalid".into(),
1737 role: "ops".into(),
1738 expires_at: None,
1739 },
1740 ApiKeyEntry {
1741 name: "correct".into(),
1742 hash,
1743 role: "deploy".into(),
1744 expires_at: None,
1745 },
1746 ];
1747 let id = verify_bearer_token(&token, &keys).unwrap();
1748 assert_eq!(id.name, "correct");
1749 assert_eq!(id.role, "deploy");
1750 }
1751
1752 #[test]
1753 fn rate_limiter_allows_within_quota() {
1754 let config = RateLimitConfig {
1755 max_attempts_per_minute: 5,
1756 pre_auth_max_per_minute: None,
1757 max_tracked_keys: default_max_tracked_keys(),
1758 idle_eviction: default_idle_eviction(),
1759 burst: None,
1760 pre_auth_burst: None,
1761 };
1762 let limiter = build_rate_limiter(&config);
1763 let ip: IpAddr = "10.0.0.1".parse().unwrap();
1764
1765 for _ in 0..5 {
1767 assert!(limiter.check_key(&ip).is_ok());
1768 }
1769 assert!(limiter.check_key(&ip).is_err());
1771 }
1772
1773 #[test]
1774 fn rate_limiter_separate_ips() {
1775 let config = RateLimitConfig {
1776 max_attempts_per_minute: 2,
1777 pre_auth_max_per_minute: None,
1778 max_tracked_keys: default_max_tracked_keys(),
1779 idle_eviction: default_idle_eviction(),
1780 burst: None,
1781 pre_auth_burst: None,
1782 };
1783 let limiter = build_rate_limiter(&config);
1784 let ip1: IpAddr = "10.0.0.1".parse().unwrap();
1785 let ip2: IpAddr = "10.0.0.2".parse().unwrap();
1786
1787 assert!(limiter.check_key(&ip1).is_ok());
1789 assert!(limiter.check_key(&ip1).is_ok());
1790 assert!(limiter.check_key(&ip1).is_err());
1791
1792 assert!(limiter.check_key(&ip2).is_ok());
1794 }
1795
1796 #[test]
1797 fn extract_mtls_identity_from_cn() {
1798 let mut params = rcgen::CertificateParams::new(vec!["test-client.local".into()]).unwrap();
1800 params.distinguished_name = rcgen::DistinguishedName::new();
1801 params
1802 .distinguished_name
1803 .push(rcgen::DnType::CommonName, "test-client");
1804 let cert = params
1805 .self_signed(&rcgen::KeyPair::generate().unwrap())
1806 .unwrap();
1807 let der = cert.der();
1808
1809 let id = extract_mtls_identity(der, "ops").unwrap();
1810 assert_eq!(id.name, "test-client");
1811 assert_eq!(id.role, "ops");
1812 assert_eq!(id.method, AuthMethod::MtlsCertificate);
1813 }
1814
1815 #[test]
1816 fn extract_mtls_identity_falls_back_to_san() {
1817 let mut params =
1819 rcgen::CertificateParams::new(vec!["san-only.example.com".into()]).unwrap();
1820 params.distinguished_name = rcgen::DistinguishedName::new();
1821 let cert = params
1823 .self_signed(&rcgen::KeyPair::generate().unwrap())
1824 .unwrap();
1825 let der = cert.der();
1826
1827 let id = extract_mtls_identity(der, "viewer").unwrap();
1828 assert_eq!(id.name, "san-only.example.com");
1829 assert_eq!(id.role, "viewer");
1830 }
1831
1832 #[test]
1833 fn extract_mtls_identity_invalid_der() {
1834 assert!(extract_mtls_identity(b"not-a-cert", "viewer").is_none());
1835 }
1836
1837 use axum::{
1840 body::Body,
1841 http::{Request, StatusCode},
1842 };
1843 use tower::ServiceExt as _;
1844
1845 fn auth_router(state: Arc<AuthState>) -> axum::Router {
1846 axum::Router::new()
1847 .route("/mcp", axum::routing::post(|| async { "ok" }))
1848 .layer(axum::middleware::from_fn(move |req, next| {
1849 let s = Arc::clone(&state);
1850 auth_middleware(s, req, next)
1851 }))
1852 }
1853
1854 fn test_auth_state(keys: Vec<ApiKeyEntry>) -> Arc<AuthState> {
1855 Arc::new(AuthState {
1856 api_keys: ArcSwap::new(Arc::new(keys)),
1857 rate_limiter: None,
1858 pre_auth_limiter: None,
1859 #[cfg(feature = "oauth")]
1860 jwks_cache: None,
1861 seen_identities: SeenIdentitySet::new(),
1862 counters: AuthCounters::default(),
1863 })
1864 }
1865
1866 #[tokio::test]
1867 async fn middleware_rejects_no_credentials() {
1868 let state = test_auth_state(vec![]);
1869 let app = auth_router(Arc::clone(&state));
1870 let req = Request::builder()
1871 .method(axum::http::Method::POST)
1872 .uri("/mcp")
1873 .body(Body::empty())
1874 .unwrap();
1875 let resp = app.oneshot(req).await.unwrap();
1876 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1877 let challenge = resp
1878 .headers()
1879 .get(header::WWW_AUTHENTICATE)
1880 .unwrap()
1881 .to_str()
1882 .unwrap();
1883 assert!(challenge.contains("error=\"invalid_request\""));
1884
1885 let counters = state.counters_snapshot();
1886 assert_eq!(counters.failure_missing_credential, 1);
1887 }
1888
1889 #[tokio::test]
1890 async fn middleware_accepts_valid_bearer() {
1891 let (token, hash) = generate_api_key().unwrap();
1892 let keys = vec![ApiKeyEntry {
1893 name: "test-key".into(),
1894 hash,
1895 role: "ops".into(),
1896 expires_at: None,
1897 }];
1898 let state = test_auth_state(keys);
1899 let app = auth_router(Arc::clone(&state));
1900 let req = Request::builder()
1901 .method(axum::http::Method::POST)
1902 .uri("/mcp")
1903 .header("authorization", format!("Bearer {token}"))
1904 .body(Body::empty())
1905 .unwrap();
1906 let resp = app.oneshot(req).await.unwrap();
1907 assert_eq!(resp.status(), StatusCode::OK);
1908
1909 let counters = state.counters_snapshot();
1910 assert_eq!(counters.success_bearer, 1);
1911 }
1912
1913 #[tokio::test]
1914 async fn middleware_rejects_wrong_bearer() {
1915 let (_token, hash) = generate_api_key().unwrap();
1916 let keys = vec![ApiKeyEntry {
1917 name: "test-key".into(),
1918 hash,
1919 role: "ops".into(),
1920 expires_at: None,
1921 }];
1922 let state = test_auth_state(keys);
1923 let app = auth_router(Arc::clone(&state));
1924 let req = Request::builder()
1925 .method(axum::http::Method::POST)
1926 .uri("/mcp")
1927 .header("authorization", "Bearer wrong-token-here")
1928 .body(Body::empty())
1929 .unwrap();
1930 let resp = app.oneshot(req).await.unwrap();
1931 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1932 let challenge = resp
1933 .headers()
1934 .get(header::WWW_AUTHENTICATE)
1935 .unwrap()
1936 .to_str()
1937 .unwrap();
1938 assert!(challenge.contains("error=\"invalid_token\""));
1939
1940 let counters = state.counters_snapshot();
1941 assert_eq!(counters.failure_invalid_credential, 1);
1942 }
1943
1944 #[tokio::test]
1945 async fn middleware_rate_limits() {
1946 let state = Arc::new(AuthState {
1947 api_keys: ArcSwap::new(Arc::new(vec![])),
1948 rate_limiter: Some(build_rate_limiter(&RateLimitConfig {
1949 max_attempts_per_minute: 1,
1950 pre_auth_max_per_minute: None,
1951 max_tracked_keys: default_max_tracked_keys(),
1952 idle_eviction: default_idle_eviction(),
1953 burst: None,
1954 pre_auth_burst: None,
1955 })),
1956 pre_auth_limiter: None,
1957 #[cfg(feature = "oauth")]
1958 jwks_cache: None,
1959 seen_identities: SeenIdentitySet::new(),
1960 counters: AuthCounters::default(),
1961 });
1962 let app = auth_router(state);
1963
1964 let req = Request::builder()
1966 .method(axum::http::Method::POST)
1967 .uri("/mcp")
1968 .body(Body::empty())
1969 .unwrap();
1970 let resp = app.clone().oneshot(req).await.unwrap();
1971 assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1972
1973 }
1978
1979 #[test]
1985 fn rate_limit_semantics_failed_only() {
1986 let config = RateLimitConfig {
1987 max_attempts_per_minute: 3,
1988 pre_auth_max_per_minute: None,
1989 max_tracked_keys: default_max_tracked_keys(),
1990 idle_eviction: default_idle_eviction(),
1991 burst: None,
1992 pre_auth_burst: None,
1993 };
1994 let limiter = build_rate_limiter(&config);
1995 let ip: IpAddr = "192.168.1.100".parse().unwrap();
1996
1997 assert!(
1999 limiter.check_key(&ip).is_ok(),
2000 "failure 1 should be allowed"
2001 );
2002 assert!(
2003 limiter.check_key(&ip).is_ok(),
2004 "failure 2 should be allowed"
2005 );
2006 assert!(
2007 limiter.check_key(&ip).is_ok(),
2008 "failure 3 should be allowed"
2009 );
2010 assert!(
2011 limiter.check_key(&ip).is_err(),
2012 "failure 4 should be blocked"
2013 );
2014
2015 }
2024
2025 #[test]
2030 fn pre_auth_default_multiplier_is_10x() {
2031 let config = RateLimitConfig {
2032 max_attempts_per_minute: 5,
2033 pre_auth_max_per_minute: None,
2034 max_tracked_keys: default_max_tracked_keys(),
2035 idle_eviction: default_idle_eviction(),
2036 burst: None,
2037 pre_auth_burst: None,
2038 };
2039 let limiter = build_pre_auth_limiter(&config);
2040 let ip: IpAddr = "10.0.0.1".parse().unwrap();
2041
2042 for i in 0..50 {
2044 assert!(
2045 limiter.check_key(&ip).is_ok(),
2046 "pre-auth attempt {i} (of expected 50) should be allowed under default 10x multiplier"
2047 );
2048 }
2049 assert!(
2051 limiter.check_key(&ip).is_err(),
2052 "pre-auth attempt 51 should be blocked (quota is 50, not unbounded)"
2053 );
2054 }
2055
2056 #[test]
2059 fn pre_auth_explicit_override_wins() {
2060 let config = RateLimitConfig {
2061 max_attempts_per_minute: 100, pre_auth_max_per_minute: Some(2), max_tracked_keys: default_max_tracked_keys(),
2064 idle_eviction: default_idle_eviction(),
2065 burst: None,
2066 pre_auth_burst: None,
2067 };
2068 let limiter = build_pre_auth_limiter(&config);
2069 let ip: IpAddr = "10.0.0.2".parse().unwrap();
2070
2071 assert!(limiter.check_key(&ip).is_ok(), "attempt 1 allowed");
2072 assert!(limiter.check_key(&ip).is_ok(), "attempt 2 allowed");
2073 assert!(
2074 limiter.check_key(&ip).is_err(),
2075 "attempt 3 must be blocked (explicit override of 2 wins over 10x default of 1000)"
2076 );
2077 }
2078
2079 #[test]
2081 fn pre_auth_gate_deny_sets_retry_after() {
2082 let config = RateLimitConfig::new(100).with_pre_auth_max_per_minute(1);
2083 let state = AuthState {
2084 api_keys: ArcSwap::new(Arc::new(vec![])),
2085 rate_limiter: None,
2086 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2087 #[cfg(feature = "oauth")]
2088 jwks_cache: None,
2089 seen_identities: SeenIdentitySet::new(),
2090 counters: AuthCounters::default(),
2091 };
2092 let ip: IpAddr = "10.7.7.7".parse().unwrap();
2093 assert!(
2094 pre_auth_gate(&state, Some(ip)).is_none(),
2095 "first request within quota"
2096 );
2097 let resp = pre_auth_gate(&state, Some(ip)).expect("second request must be gated");
2098 assert_eq!(resp.status(), StatusCode::TOO_MANY_REQUESTS);
2099 let retry_after = resp
2100 .headers()
2101 .get(header::RETRY_AFTER)
2102 .expect("Retry-After present")
2103 .to_str()
2104 .unwrap()
2105 .parse::<u64>()
2106 .unwrap();
2107 assert!(retry_after >= 1, "delta-seconds must be >= 1");
2108 }
2109
2110 #[test]
2112 fn post_failure_limiter_burst_allows_initial_spike() {
2113 let config = RateLimitConfig::new(1).with_burst(3);
2114 let limiter = build_rate_limiter(&config);
2115 let ip: IpAddr = "10.6.6.6".parse().unwrap();
2116 for i in 0..3 {
2117 assert!(limiter.check_key(&ip).is_ok(), "burst attempt {i}");
2118 }
2119 assert!(
2120 limiter.check_key(&ip).is_err(),
2121 "attempt 4 must exceed the burst bucket"
2122 );
2123 }
2124
2125 #[tokio::test]
2131 async fn pre_auth_gate_blocks_before_argon2_verification() {
2132 let (_token, hash) = generate_api_key().unwrap();
2133 let keys = vec![ApiKeyEntry {
2134 name: "test-key".into(),
2135 hash,
2136 role: "ops".into(),
2137 expires_at: None,
2138 }];
2139 let config = RateLimitConfig {
2140 max_attempts_per_minute: 100,
2141 pre_auth_max_per_minute: Some(1),
2142 max_tracked_keys: default_max_tracked_keys(),
2143 idle_eviction: default_idle_eviction(),
2144 burst: None,
2145 pre_auth_burst: None,
2146 };
2147 let state = Arc::new(AuthState {
2148 api_keys: ArcSwap::new(Arc::new(keys)),
2149 rate_limiter: None,
2150 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2151 #[cfg(feature = "oauth")]
2152 jwks_cache: None,
2153 seen_identities: SeenIdentitySet::new(),
2154 counters: AuthCounters::default(),
2155 });
2156 let app = auth_router(Arc::clone(&state));
2157 let peer: SocketAddr = "10.0.0.10:54321".parse().unwrap();
2158
2159 let mut req1 = Request::builder()
2162 .method(axum::http::Method::POST)
2163 .uri("/mcp")
2164 .header("authorization", "Bearer obviously-not-a-real-token")
2165 .body(Body::empty())
2166 .unwrap();
2167 req1.extensions_mut().insert(ConnectInfo(peer));
2168 let resp1 = app.clone().oneshot(req1).await.unwrap();
2169 assert_eq!(
2170 resp1.status(),
2171 StatusCode::UNAUTHORIZED,
2172 "first attempt: gate has quota, falls through to bearer auth which fails with 401"
2173 );
2174
2175 let mut req2 = Request::builder()
2178 .method(axum::http::Method::POST)
2179 .uri("/mcp")
2180 .header("authorization", "Bearer also-not-a-real-token")
2181 .body(Body::empty())
2182 .unwrap();
2183 req2.extensions_mut().insert(ConnectInfo(peer));
2184 let resp2 = app.oneshot(req2).await.unwrap();
2185 assert_eq!(
2186 resp2.status(),
2187 StatusCode::TOO_MANY_REQUESTS,
2188 "second attempt from same IP: pre-auth gate must reject with 429"
2189 );
2190
2191 let counters = state.counters_snapshot();
2192 assert_eq!(
2193 counters.failure_pre_auth_gate, 1,
2194 "exactly one request must have been rejected by the pre-auth gate"
2195 );
2196 assert_eq!(
2200 counters.failure_invalid_credential, 1,
2201 "bearer verification must run exactly once (only the un-gated first request)"
2202 );
2203 }
2204
2205 #[tokio::test]
2212 async fn pre_auth_gate_does_not_throttle_mtls() {
2213 let config = RateLimitConfig {
2214 max_attempts_per_minute: 100,
2215 pre_auth_max_per_minute: Some(1), max_tracked_keys: default_max_tracked_keys(),
2217 idle_eviction: default_idle_eviction(),
2218 burst: None,
2219 pre_auth_burst: None,
2220 };
2221 let state = Arc::new(AuthState {
2222 api_keys: ArcSwap::new(Arc::new(vec![])),
2223 rate_limiter: None,
2224 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2225 #[cfg(feature = "oauth")]
2226 jwks_cache: None,
2227 seen_identities: SeenIdentitySet::new(),
2228 counters: AuthCounters::default(),
2229 });
2230 let app = auth_router(Arc::clone(&state));
2231 let peer: SocketAddr = "10.0.0.20:54321".parse().unwrap();
2232 let identity = AuthIdentity {
2233 name: "cn=test-client".into(),
2234 role: "viewer".into(),
2235 method: AuthMethod::MtlsCertificate,
2236 raw_token: None,
2237 sub: None,
2238 };
2239 let tls_info = TlsConnInfo::new(peer, Some(identity));
2240
2241 for i in 0..3 {
2242 let mut req = Request::builder()
2243 .method(axum::http::Method::POST)
2244 .uri("/mcp")
2245 .body(Body::empty())
2246 .unwrap();
2247 req.extensions_mut().insert(ConnectInfo(tls_info.clone()));
2248 let resp = app.clone().oneshot(req).await.unwrap();
2249 assert_eq!(
2250 resp.status(),
2251 StatusCode::OK,
2252 "mTLS request {i} must succeed: pre-auth gate must not apply to mTLS callers"
2253 );
2254 }
2255
2256 let counters = state.counters_snapshot();
2257 assert_eq!(
2258 counters.failure_pre_auth_gate, 0,
2259 "pre-auth gate counter must remain at zero: mTLS bypasses the gate"
2260 );
2261 assert_eq!(
2262 counters.success_mtls, 3,
2263 "all three mTLS requests must have been counted as successful"
2264 );
2265 }
2266
2267 #[cfg(feature = "metrics")]
2270 #[tokio::test]
2271 async fn pre_auth_gate_deny_increments_counter() {
2272 let config = RateLimitConfig {
2273 max_attempts_per_minute: 100,
2274 pre_auth_max_per_minute: Some(1),
2275 max_tracked_keys: default_max_tracked_keys(),
2276 idle_eviction: default_idle_eviction(),
2277 burst: None,
2278 pre_auth_burst: None,
2279 };
2280 let state = Arc::new(AuthState {
2281 api_keys: ArcSwap::new(Arc::new(vec![])),
2282 rate_limiter: None,
2283 pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2284 #[cfg(feature = "oauth")]
2285 jwks_cache: None,
2286 seen_identities: SeenIdentitySet::new(),
2287 counters: AuthCounters::default(),
2288 });
2289 let app = auth_router(Arc::clone(&state));
2290 let metrics = Arc::new(crate::metrics::McpMetrics::new().expect("metrics registry"));
2291 let peer: SocketAddr = "10.0.0.30:54321".parse().expect("addr parses");
2292 let mk = || {
2293 let mut req = Request::builder()
2294 .method(axum::http::Method::POST)
2295 .uri("/mcp")
2296 .header("authorization", "Bearer not-a-real-token")
2297 .body(Body::empty())
2298 .expect("request builds");
2299 req.extensions_mut().insert(ConnectInfo(peer));
2300 req.extensions_mut().insert(Arc::clone(&metrics));
2301 req
2302 };
2303 let counter = |label: &str| metrics.rate_limited_total.with_label_values(&[label]).get();
2304
2305 let first = app.clone().oneshot(mk()).await.expect("first request");
2306 assert_eq!(first.status(), StatusCode::UNAUTHORIZED);
2307 assert_eq!(counter("auth_pre"), 0, "un-gated request must not count");
2308
2309 let gated = app.oneshot(mk()).await.expect("second request");
2310 assert_eq!(gated.status(), StatusCode::TOO_MANY_REQUESTS);
2311 assert_eq!(counter("auth_pre"), 1, "gated request must count once");
2312 assert_eq!(counter("auth_post"), 0, "post limiter never fired");
2313 }
2314
2315 #[cfg(feature = "metrics")]
2318 #[tokio::test]
2319 async fn post_failure_limiter_deny_increments_counter() {
2320 let config = RateLimitConfig {
2321 max_attempts_per_minute: 1, pre_auth_max_per_minute: None,
2323 max_tracked_keys: default_max_tracked_keys(),
2324 idle_eviction: default_idle_eviction(),
2325 burst: None,
2326 pre_auth_burst: None,
2327 };
2328 let state = Arc::new(AuthState {
2329 api_keys: ArcSwap::new(Arc::new(vec![])),
2330 rate_limiter: Some(build_rate_limiter(&config)),
2331 pre_auth_limiter: None,
2332 #[cfg(feature = "oauth")]
2333 jwks_cache: None,
2334 seen_identities: SeenIdentitySet::new(),
2335 counters: AuthCounters::default(),
2336 });
2337 let app = auth_router(Arc::clone(&state));
2338 let metrics = Arc::new(crate::metrics::McpMetrics::new().expect("metrics registry"));
2339 let peer: SocketAddr = "10.0.0.31:54321".parse().expect("addr parses");
2340 let mk = || {
2341 let mut req = Request::builder()
2342 .method(axum::http::Method::POST)
2343 .uri("/mcp")
2344 .header("authorization", "Bearer not-a-real-token")
2345 .body(Body::empty())
2346 .expect("request builds");
2347 req.extensions_mut().insert(ConnectInfo(peer));
2348 req.extensions_mut().insert(Arc::clone(&metrics));
2349 req
2350 };
2351 let counter = |label: &str| metrics.rate_limited_total.with_label_values(&[label]).get();
2352
2353 let first = app.clone().oneshot(mk()).await.expect("first request");
2355 assert_eq!(first.status(), StatusCode::UNAUTHORIZED);
2356 assert_eq!(counter("auth_post"), 0);
2357
2358 let limited = app.oneshot(mk()).await.expect("second request");
2360 assert_eq!(limited.status(), StatusCode::TOO_MANY_REQUESTS);
2361 assert_eq!(counter("auth_post"), 1, "deny must count once");
2362 assert_eq!(counter("auth_pre"), 0, "pre-auth gate disabled here");
2363 }
2364
2365 #[test]
2370 fn extract_bearer_accepts_canonical_case() {
2371 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2372 }
2373
2374 #[test]
2375 fn extract_bearer_is_case_insensitive_per_rfc7235() {
2376 for header in &[
2380 "bearer abc123",
2381 "BEARER abc123",
2382 "BeArEr abc123",
2383 "bEaReR abc123",
2384 ] {
2385 assert_eq!(
2386 extract_bearer(header),
2387 Some("abc123"),
2388 "header {header:?} must parse as a Bearer token (RFC 7235 §2.1)"
2389 );
2390 }
2391 }
2392
2393 #[test]
2394 fn extract_bearer_rejects_other_schemes() {
2395 assert_eq!(extract_bearer("Basic dXNlcjpwYXNz"), None);
2396 assert_eq!(extract_bearer("Digest username=\"x\""), None);
2397 assert_eq!(extract_bearer("Token abc123"), None);
2398 }
2399
2400 #[test]
2401 fn extract_bearer_rejects_malformed() {
2402 assert_eq!(extract_bearer(""), None);
2404 assert_eq!(extract_bearer("Bearer"), None);
2405 assert_eq!(extract_bearer("Bearer "), None);
2406 assert_eq!(extract_bearer("Bearer "), None);
2407 }
2408
2409 #[test]
2410 fn extract_bearer_tolerates_extra_separator_whitespace() {
2411 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2413 assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2414 }
2415
2416 #[test]
2422 fn auth_identity_debug_redacts_raw_token() {
2423 let id = AuthIdentity {
2424 name: "alice".into(),
2425 role: "admin".into(),
2426 method: AuthMethod::OAuthJwt,
2427 raw_token: Some(SecretString::from("super-secret-jwt-payload-xyz")),
2428 sub: Some("keycloak-uuid-2f3c8b".into()),
2429 };
2430 let dbg = format!("{id:?}");
2431
2432 assert!(dbg.contains("alice"), "name should be visible: {dbg}");
2434 assert!(dbg.contains("admin"), "role should be visible: {dbg}");
2435 assert!(dbg.contains("OAuthJwt"), "method should be visible: {dbg}");
2436
2437 assert!(
2439 !dbg.contains("super-secret-jwt-payload-xyz"),
2440 "raw_token must be redacted in Debug output: {dbg}"
2441 );
2442 assert!(
2443 !dbg.contains("keycloak-uuid-2f3c8b"),
2444 "sub must be redacted in Debug output: {dbg}"
2445 );
2446 assert!(
2447 dbg.contains("<redacted>"),
2448 "redaction marker missing: {dbg}"
2449 );
2450 }
2451
2452 #[test]
2453 fn auth_identity_debug_marks_absent_secrets() {
2454 let id = AuthIdentity {
2457 name: "viewer-key".into(),
2458 role: "viewer".into(),
2459 method: AuthMethod::BearerToken,
2460 raw_token: None,
2461 sub: None,
2462 };
2463 let dbg = format!("{id:?}");
2464 assert!(
2465 dbg.contains("<none>"),
2466 "absent secrets should be marked: {dbg}"
2467 );
2468 assert!(
2469 !dbg.contains("<redacted>"),
2470 "no <redacted> marker when secrets are absent: {dbg}"
2471 );
2472 }
2473
2474 #[test]
2475 fn api_key_entry_debug_redacts_hash() {
2476 let entry = ApiKeyEntry {
2477 name: "viewer-key".into(),
2478 hash: "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$h4sh3dPa55w0rd".into(),
2480 role: "viewer".into(),
2481 expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
2482 };
2483 let dbg = format!("{entry:?}");
2484
2485 assert!(dbg.contains("viewer-key"));
2487 assert!(dbg.contains("viewer"));
2488 assert!(dbg.contains("2030-01-01T00:00:00+00:00"));
2489
2490 assert!(
2492 !dbg.contains("$argon2id$"),
2493 "argon2 hash leaked into Debug output: {dbg}"
2494 );
2495 assert!(
2496 !dbg.contains("h4sh3dPa55w0rd"),
2497 "hash digest leaked into Debug output: {dbg}"
2498 );
2499 assert!(
2500 dbg.contains("<redacted>"),
2501 "redaction marker missing: {dbg}"
2502 );
2503 }
2504
2505 #[test]
2516 fn auth_failure_class_as_str_exact_strings() {
2517 assert_eq!(
2518 AuthFailureClass::MissingCredential.as_str(),
2519 "missing_credential"
2520 );
2521 assert_eq!(
2522 AuthFailureClass::InvalidCredential.as_str(),
2523 "invalid_credential"
2524 );
2525 assert_eq!(
2526 AuthFailureClass::ExpiredCredential.as_str(),
2527 "expired_credential"
2528 );
2529 assert_eq!(AuthFailureClass::RateLimited.as_str(), "rate_limited");
2530 assert_eq!(AuthFailureClass::PreAuthGate.as_str(), "pre_auth_gate");
2531 }
2532
2533 #[test]
2534 fn auth_failure_class_response_body_exact_strings() {
2535 assert_eq!(
2536 AuthFailureClass::MissingCredential.response_body(),
2537 "unauthorized: missing credential"
2538 );
2539 assert_eq!(
2540 AuthFailureClass::InvalidCredential.response_body(),
2541 "unauthorized: invalid credential"
2542 );
2543 assert_eq!(
2544 AuthFailureClass::ExpiredCredential.response_body(),
2545 "unauthorized: expired credential"
2546 );
2547 assert_eq!(
2548 AuthFailureClass::RateLimited.response_body(),
2549 "rate limited"
2550 );
2551 assert_eq!(
2552 AuthFailureClass::PreAuthGate.response_body(),
2553 "rate limited (pre-auth)"
2554 );
2555 }
2556
2557 #[test]
2558 fn auth_failure_class_bearer_error_exact_strings() {
2559 assert_eq!(
2560 AuthFailureClass::MissingCredential.bearer_error(),
2561 (
2562 "invalid_request",
2563 "missing bearer token or mTLS client certificate"
2564 )
2565 );
2566 assert_eq!(
2567 AuthFailureClass::InvalidCredential.bearer_error(),
2568 ("invalid_token", "token is invalid")
2569 );
2570 assert_eq!(
2571 AuthFailureClass::ExpiredCredential.bearer_error(),
2572 ("invalid_token", "token is expired")
2573 );
2574 assert_eq!(
2575 AuthFailureClass::RateLimited.bearer_error(),
2576 ("invalid_request", "too many failed authentication attempts")
2577 );
2578 assert_eq!(
2579 AuthFailureClass::PreAuthGate.bearer_error(),
2580 (
2581 "invalid_request",
2582 "too many unauthenticated requests from this source"
2583 )
2584 );
2585 }
2586
2587 #[test]
2596 fn auth_config_summary_bearer_true_when_keys_present() {
2597 let (_token, hash) = generate_api_key().unwrap();
2598 let cfg = AuthConfig::with_keys(vec![ApiKeyEntry::new("k", hash, "viewer")]);
2599 let s = cfg.summary();
2600 assert!(s.enabled, "summary.enabled must reflect AuthConfig.enabled");
2601 assert!(
2602 s.bearer,
2603 "summary.bearer must be true when api_keys is non-empty (kills `!` deletion at L615)"
2604 );
2605 assert!(!s.mtls, "summary.mtls must be false when mtls is None");
2606 assert!(!s.oauth, "summary.oauth must be false when oauth is None");
2607 assert_eq!(s.api_keys.len(), 1);
2608 assert_eq!(s.api_keys[0].name, "k");
2609 assert_eq!(s.api_keys[0].role, "viewer");
2610 }
2611
2612 #[test]
2613 fn auth_config_summary_bearer_false_when_no_keys() {
2614 let cfg = AuthConfig::with_keys(vec![]);
2615 let s = cfg.summary();
2616 assert!(
2617 !s.bearer,
2618 "summary.bearer must be false when api_keys is empty (kills `!` deletion at L615)"
2619 );
2620 assert!(s.api_keys.is_empty());
2621 }
2622
2623 #[test]
2624 fn seen_identity_set_first_then_repeat() {
2625 let set = SeenIdentitySet::new();
2626 assert!(set.insert_is_first("alice"), "first sighting is first");
2627 assert!(
2628 !set.insert_is_first("alice"),
2629 "second sighting is not first"
2630 );
2631 assert!(set.insert_is_first("bob"));
2632 assert_eq!(set.len(), 2);
2633 }
2634
2635 #[test]
2636 fn seen_identity_set_evicts_oldest_at_cap() {
2637 let set = SeenIdentitySet::with_cap(2);
2638 assert!(set.insert_is_first("a"));
2639 assert!(set.insert_is_first("b"));
2640 assert!(set.insert_is_first("c"));
2642 assert_eq!(set.len(), 2);
2643 assert!(set.insert_is_first("a"));
2647 assert_eq!(set.len(), 2);
2648 assert!(set.insert_is_first("b"));
2650 for i in 0..32 {
2652 set.insert_is_first(&format!("churn-{i}"));
2653 assert!(set.len() <= 2, "cap invariant must hold");
2654 }
2655 }
2656
2657 #[test]
2658 fn seen_identity_set_cap_zero_is_raised_to_one() {
2659 let set = SeenIdentitySet::with_cap(0);
2660 assert!(set.insert_is_first("only"));
2661 assert_eq!(set.len(), 1);
2662 assert!(set.insert_is_first("next"));
2664 assert_eq!(set.len(), 1);
2665 }
2666
2667 #[test]
2668 fn seen_identity_set_fifo_does_not_refresh_on_repeat_hit() {
2669 let set = SeenIdentitySet::with_cap(2);
2672 assert!(set.insert_is_first("a")); assert!(set.insert_is_first("b")); assert!(!set.insert_is_first("a"));
2678 assert!(set.insert_is_first("c"));
2681 assert!(set.insert_is_first("a"));
2683 let set = SeenIdentitySet::with_cap(2);
2689 assert!(set.insert_is_first("x")); assert!(set.insert_is_first("y")); assert!(!set.insert_is_first("x")); assert!(set.insert_is_first("z")); assert!(
2694 !set.insert_is_first("y"),
2695 "y must still be present (FIFO did not evict it)"
2696 );
2697 assert!(
2698 set.insert_is_first("x"),
2699 "x must have been evicted by FIFO (would NOT have been evicted under LRU)"
2700 );
2701 }
2702}