Skip to main content

haystack_server/auth/
mod.rs

1//! Server-side authentication manager using SCRAM SHA-256.
2//!
3//! Manages user records, in-flight SCRAM handshakes, and active bearer
4//! tokens.
5
6pub mod users;
7
8use std::collections::HashMap;
9use std::time::{Duration, Instant};
10
11use base64::Engine;
12use base64::engine::general_purpose::STANDARD as BASE64;
13use hmac::{Hmac, Mac};
14use parking_lot::RwLock;
15use sha2::Sha256;
16use uuid::Uuid;
17
18use haystack_core::auth::{
19    DEFAULT_ITERATIONS, ScramCredentials, ScramHandshake, derive_credentials, extract_client_nonce,
20    format_auth_info, format_www_authenticate, generate_nonce, server_first_message,
21    server_verify_final,
22};
23
24use users::{UserRecord, load_users_from_str, load_users_from_toml};
25
26/// An authenticated user with associated permissions.
27#[derive(Debug, Clone)]
28pub struct AuthUser {
29    pub username: String,
30    pub permissions: Vec<String>,
31}
32
33/// Time-to-live for in-flight SCRAM handshakes.
34const HANDSHAKE_TTL: Duration = Duration::from_secs(60);
35
36/// Server-side authentication manager.
37///
38/// Holds user credentials, in-flight SCRAM handshakes, and active
39/// bearer tokens.
40pub struct AuthManager {
41    /// Username -> pre-computed SCRAM credentials + permissions.
42    users: HashMap<String, UserRecord>,
43    /// In-flight SCRAM handshakes: handshake_token -> (ScramHandshake, created_at).
44    handshakes: RwLock<HashMap<String, (ScramHandshake, Instant)>>,
45    /// Active bearer tokens: auth_token -> (AuthUser, created_at).
46    tokens: RwLock<HashMap<String, (AuthUser, Instant)>>,
47    /// Time-to-live for bearer tokens.
48    token_ttl: Duration,
49    /// Secret used to derive fake SCRAM challenges for unknown users,
50    /// preventing username enumeration attacks.
51    server_secret: [u8; 32],
52}
53
54impl AuthManager {
55    /// Create a new AuthManager with the given user records and token TTL.
56    pub fn new(users: HashMap<String, UserRecord>, token_ttl: Duration) -> Self {
57        let mut server_secret = [0u8; 32];
58        rand::RngExt::fill(&mut rand::rng(), &mut server_secret);
59        Self {
60            users,
61            handshakes: RwLock::new(HashMap::new()),
62            tokens: RwLock::new(HashMap::new()),
63            token_ttl,
64            server_secret,
65        }
66    }
67
68    /// Create an AuthManager with no users (auth effectively disabled).
69    pub fn empty() -> Self {
70        Self::new(HashMap::new(), Duration::from_secs(3600))
71    }
72
73    /// Builder method to configure the token TTL.
74    pub fn with_token_ttl(mut self, duration: Duration) -> Self {
75        self.token_ttl = duration;
76        self
77    }
78
79    /// Create an AuthManager from a TOML file.
80    pub fn from_toml(path: &str) -> Result<Self, String> {
81        let users = load_users_from_toml(path)?;
82        Ok(Self::new(users, Duration::from_secs(3600)))
83    }
84
85    /// Create an AuthManager from TOML content string.
86    pub fn from_toml_str(content: &str) -> Result<Self, String> {
87        let users = load_users_from_str(content)?;
88        Ok(Self::new(users, Duration::from_secs(3600)))
89    }
90
91    /// Returns true if authentication is enabled (there are registered users).
92    pub fn is_enabled(&self) -> bool {
93        !self.users.is_empty()
94    }
95
96    /// Derive deterministic fake SCRAM credentials for an unknown username.
97    ///
98    /// Uses HMAC(server_secret, username) so the same unknown username always
99    /// produces the same salt, making the response indistinguishable from a
100    /// real user's challenge to an outside observer.
101    fn fake_credentials(&self, username: &str) -> ScramCredentials {
102        let mut mac = <Hmac<Sha256>>::new_from_slice(&self.server_secret)
103            .expect("HMAC accepts keys of any size");
104        mac.update(username.as_bytes());
105        let fake_salt = mac.finalize().into_bytes();
106
107        // Derive credentials using a throwaway password; the handshake will
108        // always fail at the `handle_scram` step because the attacker does
109        // not know a valid password, but the challenge itself looks normal.
110        derive_credentials("", &fake_salt, DEFAULT_ITERATIONS)
111    }
112
113    /// Handle a HELLO request: look up user, create SCRAM handshake.
114    ///
115    /// `client_first_b64` is the optional base64-encoded client-first-message
116    /// containing the client nonce. If absent, the server generates a nonce
117    /// (but the handshake will fail if the client expects its own nonce).
118    ///
119    /// Returns the `WWW-Authenticate` header value for the 401 response.
120    /// Unknown users receive a fake but plausible challenge to prevent
121    /// username enumeration.
122    pub fn handle_hello(
123        &self,
124        username: &str,
125        client_first_b64: Option<&str>,
126    ) -> Result<String, String> {
127        let credentials = match self.users.get(username) {
128            Some(user_record) => user_record.credentials.clone(),
129            None => self.fake_credentials(username),
130        };
131
132        // Extract client nonce from client-first-message, or generate one
133        let client_nonce = match client_first_b64 {
134            Some(data) => {
135                extract_client_nonce(data).map_err(|e| format!("invalid client-first data: {e}"))?
136            }
137            None => generate_nonce(),
138        };
139
140        // Create server-first-message
141        let (handshake, server_first_b64) =
142            server_first_message(username, &client_nonce, &credentials);
143
144        // Lazy cleanup: remove expired handshakes before inserting.
145        {
146            let now = Instant::now();
147            self.handshakes
148                .write()
149                .retain(|_, (_, created)| now.duration_since(*created) < HANDSHAKE_TTL);
150        }
151
152        // Store handshake with a unique token and timestamp.
153        let handshake_token = Uuid::new_v4().to_string();
154        self.handshakes
155            .write()
156            .insert(handshake_token.clone(), (handshake, Instant::now()));
157
158        // Format the WWW-Authenticate header
159        let www_auth = format_www_authenticate(&handshake_token, "SHA-256", &server_first_b64);
160        Ok(www_auth)
161    }
162
163    /// Handle a SCRAM request: verify client proof, issue auth token.
164    ///
165    /// Returns `(auth_token, authentication_info_header_value)`.
166    pub fn handle_scram(
167        &self,
168        handshake_token: &str,
169        data: &str,
170    ) -> Result<(String, String), String> {
171        // Remove the handshake (one-time use) and check expiry.
172        let (handshake, created_at) = self
173            .handshakes
174            .write()
175            .remove(handshake_token)
176            .ok_or_else(|| "invalid or expired handshake token".to_string())?;
177        if created_at.elapsed() > HANDSHAKE_TTL {
178            return Err("handshake token expired".to_string());
179        }
180
181        let username = handshake.username.clone();
182
183        // Verify client proof
184        let server_sig = server_verify_final(&handshake, data)
185            .map_err(|e| format!("SCRAM verification failed: {e}"))?;
186
187        // Issue auth token
188        let auth_token = Uuid::new_v4().to_string();
189
190        // Look up permissions
191        let permissions = self
192            .users
193            .get(&username)
194            .map(|r| r.permissions.clone())
195            .unwrap_or_default();
196
197        // Store token -> (user, created_at) mapping
198        self.tokens.write().insert(
199            auth_token.clone(),
200            (
201                AuthUser {
202                    username,
203                    permissions,
204                },
205                Instant::now(),
206            ),
207        );
208
209        // Format the server-final data (v=<server_signature>)
210        let server_final_msg = format!("v={}", BASE64.encode(&server_sig));
211        let server_final_b64 = BASE64.encode(server_final_msg.as_bytes());
212        let auth_info = format_auth_info(&auth_token, &server_final_b64);
213
214        Ok((auth_token, auth_info))
215    }
216
217    /// Validate a bearer token and return the associated user.
218    ///
219    /// Returns `None` if the token is unknown or has expired. Expired
220    /// tokens are automatically removed under a single write lock to
221    /// avoid TOCTOU races.
222    pub fn validate_token(&self, token: &str) -> Option<AuthUser> {
223        let mut tokens = self.tokens.write();
224        match tokens.get(token) {
225            Some((user, created_at)) => {
226                if created_at.elapsed() <= self.token_ttl {
227                    Some(user.clone())
228                } else {
229                    // Token expired — remove immediately under the same lock.
230                    tokens.remove(token);
231                    None
232                }
233            }
234            None => None,
235        }
236    }
237
238    /// Remove a bearer token (logout / close).
239    pub fn revoke_token(&self, token: &str) -> bool {
240        self.tokens.write().remove(token).is_some()
241    }
242
243    /// Inject a token directly (for testing). The token is stamped with the
244    /// current instant so it will not be considered expired.
245    #[doc(hidden)]
246    pub fn inject_token(&self, token: String, user: AuthUser) {
247        self.tokens.write().insert(token, (user, Instant::now()));
248    }
249
250    /// Check whether a user has a required permission.
251    pub fn check_permission(user: &AuthUser, required: &str) -> bool {
252        // Admin has all permissions
253        if user.permissions.contains(&"admin".to_string()) {
254            return true;
255        }
256        user.permissions.contains(&required.to_string())
257    }
258}
259
260#[cfg(test)]
261mod tests {
262    use super::*;
263    use crate::auth::users::hash_password;
264
265    fn make_test_manager() -> AuthManager {
266        let hash = hash_password("s3cret");
267        let toml_str = format!(
268            r#"
269[users.admin]
270password_hash = "{hash}"
271permissions = ["read", "write", "admin"]
272
273[users.viewer]
274password_hash = "{hash}"
275permissions = ["read"]
276"#
277        );
278        AuthManager::from_toml_str(&toml_str).unwrap()
279    }
280
281    #[test]
282    fn empty_manager_is_disabled() {
283        let mgr = AuthManager::empty();
284        assert!(!mgr.is_enabled());
285    }
286
287    #[test]
288    fn manager_with_users_is_enabled() {
289        let mgr = make_test_manager();
290        assert!(mgr.is_enabled());
291    }
292
293    #[test]
294    fn hello_unknown_user_returns_fake_challenge() {
295        let mgr = make_test_manager();
296        // Unknown users now get a plausible SCRAM challenge instead of an
297        // error, preventing username enumeration.
298        let result = mgr.handle_hello("nonexistent", None);
299        assert!(result.is_ok());
300        let www_auth = result.unwrap();
301        assert!(www_auth.contains("SCRAM"));
302        assert!(www_auth.contains("SHA-256"));
303    }
304
305    #[test]
306    fn hello_known_user_succeeds() {
307        let mgr = make_test_manager();
308        let result = mgr.handle_hello("admin", None);
309        assert!(result.is_ok());
310        let www_auth = result.unwrap();
311        assert!(www_auth.contains("SCRAM"));
312        assert!(www_auth.contains("SHA-256"));
313    }
314
315    #[test]
316    fn hello_known_and_unknown_users_look_similar() {
317        let mgr = make_test_manager();
318        let known = mgr.handle_hello("admin", None).unwrap();
319        let unknown = mgr.handle_hello("nonexistent", None).unwrap();
320
321        // Both responses must have the same structural format so that an
322        // attacker cannot distinguish real from fake users.
323        assert!(known.starts_with("SCRAM handshakeToken="));
324        assert!(unknown.starts_with("SCRAM handshakeToken="));
325        assert!(known.contains("hash=SHA-256"));
326        assert!(unknown.contains("hash=SHA-256"));
327        assert!(known.contains("data="));
328        assert!(unknown.contains("data="));
329    }
330
331    #[test]
332    fn fake_challenge_is_deterministic_per_username() {
333        let mgr = make_test_manager();
334        // The fake salt must be deterministic so that repeated HELLO requests
335        // for the same unknown username produce consistent parameters.
336        let creds1 = mgr.fake_credentials("ghost");
337        let creds2 = mgr.fake_credentials("ghost");
338        assert_eq!(creds1.salt, creds2.salt);
339        assert_eq!(creds1.stored_key, creds2.stored_key);
340        assert_eq!(creds1.server_key, creds2.server_key);
341
342        // Different usernames produce different fake salts.
343        let creds3 = mgr.fake_credentials("phantom");
344        assert_ne!(creds1.salt, creds3.salt);
345    }
346
347    #[test]
348    fn validate_token_returns_none_for_unknown() {
349        let mgr = make_test_manager();
350        assert!(mgr.validate_token("nonexistent-token").is_none());
351    }
352
353    #[test]
354    fn check_permission_admin_has_all() {
355        let user = AuthUser {
356            username: "admin".to_string(),
357            permissions: vec!["admin".to_string()],
358        };
359        assert!(AuthManager::check_permission(&user, "read"));
360        assert!(AuthManager::check_permission(&user, "write"));
361        assert!(AuthManager::check_permission(&user, "admin"));
362    }
363
364    #[test]
365    fn check_permission_viewer_limited() {
366        let user = AuthUser {
367            username: "viewer".to_string(),
368            permissions: vec!["read".to_string()],
369        };
370        assert!(AuthManager::check_permission(&user, "read"));
371        assert!(!AuthManager::check_permission(&user, "write"));
372        assert!(!AuthManager::check_permission(&user, "admin"));
373    }
374
375    #[test]
376    fn revoke_token_returns_false_for_unknown() {
377        let mgr = make_test_manager();
378        assert!(!mgr.revoke_token("nonexistent-token"));
379    }
380
381    #[test]
382    fn validate_token_succeeds_before_expiry() {
383        let mgr = make_test_manager();
384        // Manually insert a token with Instant::now() (fresh, not expired).
385        let user = AuthUser {
386            username: "admin".to_string(),
387            permissions: vec!["admin".to_string()],
388        };
389        mgr.tokens
390            .write()
391            .insert("good-token".to_string(), (user, Instant::now()));
392
393        assert!(mgr.validate_token("good-token").is_some());
394    }
395
396    #[test]
397    fn validate_token_fails_after_expiry() {
398        // Use a very short TTL so the token is already expired.
399        let mgr = make_test_manager().with_token_ttl(Duration::from_secs(0));
400
401        let user = AuthUser {
402            username: "admin".to_string(),
403            permissions: vec!["admin".to_string()],
404        };
405        // Insert a token that was created "now" -- with a 0s TTL it is
406        // immediately expired.
407        mgr.tokens
408            .write()
409            .insert("expired-token".to_string(), (user, Instant::now()));
410
411        // Even though the token exists, it should be reported as expired.
412        assert!(mgr.validate_token("expired-token").is_none());
413
414        // The expired token should have been removed from the map.
415        assert!(mgr.tokens.read().get("expired-token").is_none());
416    }
417
418    #[test]
419    fn with_token_ttl_sets_custom_duration() {
420        let mgr = AuthManager::empty().with_token_ttl(Duration::from_secs(120));
421        assert_eq!(mgr.token_ttl, Duration::from_secs(120));
422    }
423}