mirror of
https://github.com/nitnelave/lldap.git
synced 2023-04-12 14:25:13 +00:00
Implement refresh tokens
This commit is contained in:
parent
312d9b7a6f
commit
d5cb53ae8a
@ -43,6 +43,7 @@ tracing = "*"
|
|||||||
tracing-actix-web = "0.3.0-beta.2"
|
tracing-actix-web = "0.3.0-beta.2"
|
||||||
tracing-log = "*"
|
tracing-log = "*"
|
||||||
tracing-subscriber = "*"
|
tracing-subscriber = "*"
|
||||||
|
rand = { version = "0.8", features = ["small_rng", "getrandom"] }
|
||||||
|
|
||||||
[dependencies.sqlx]
|
[dependencies.sqlx]
|
||||||
version = "0.5"
|
version = "0.5"
|
||||||
|
@ -55,6 +55,7 @@ pub struct Group {
|
|||||||
#[derive(Clone, Serialize, Deserialize)]
|
#[derive(Clone, Serialize, Deserialize)]
|
||||||
pub struct JWTClaims {
|
pub struct JWTClaims {
|
||||||
pub exp: DateTime<Utc>,
|
pub exp: DateTime<Utc>,
|
||||||
|
pub iat: DateTime<Utc>,
|
||||||
pub user: String,
|
pub user: String,
|
||||||
pub groups: HashSet<String>,
|
pub groups: HashSet<String>,
|
||||||
}
|
}
|
||||||
|
@ -1,12 +1,13 @@
|
|||||||
use super::sql_tables::*;
|
use super::sql_tables::*;
|
||||||
use crate::domain::{error::*, sql_tables::Pool};
|
use crate::domain::{error::*, sql_tables::Pool};
|
||||||
use crate::infra::configuration::Configuration;
|
use crate::infra::configuration::Configuration;
|
||||||
|
use crate::infra::jwt_sql_tables::*;
|
||||||
use async_trait::async_trait;
|
use async_trait::async_trait;
|
||||||
use futures_util::StreamExt;
|
use futures_util::StreamExt;
|
||||||
use futures_util::TryStreamExt;
|
use futures_util::TryStreamExt;
|
||||||
use log::*;
|
use log::*;
|
||||||
use sea_query::Iden;
|
use sea_query::Iden;
|
||||||
use sea_query::{Expr, Order, Query, SimpleExpr, SqliteQueryBuilder};
|
use sea_query::{Expr, Order, Query, SimpleExpr};
|
||||||
use sqlx::Row;
|
use sqlx::Row;
|
||||||
use std::collections::HashSet;
|
use std::collections::HashSet;
|
||||||
|
|
||||||
@ -72,7 +73,7 @@ impl BackendHandler for SqlBackendHandler {
|
|||||||
.column(Users::Password)
|
.column(Users::Password)
|
||||||
.from(Users::Table)
|
.from(Users::Table)
|
||||||
.and_where(Expr::col(Users::UserId).eq(request.name.as_str()))
|
.and_where(Expr::col(Users::UserId).eq(request.name.as_str()))
|
||||||
.to_string(SqliteQueryBuilder);
|
.to_string(DbQueryBuilder {});
|
||||||
if let Ok(row) = sqlx::query(&query).fetch_one(&self.sql_pool).await {
|
if let Ok(row) = sqlx::query(&query).fetch_one(&self.sql_pool).await {
|
||||||
if passwords_match(
|
if passwords_match(
|
||||||
&request.password,
|
&request.password,
|
||||||
@ -109,7 +110,7 @@ impl BackendHandler for SqlBackendHandler {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
query_builder.to_string(SqliteQueryBuilder)
|
query_builder.to_string(DbQueryBuilder {})
|
||||||
};
|
};
|
||||||
|
|
||||||
let results = sqlx::query_as::<_, User>(&query)
|
let results = sqlx::query_as::<_, User>(&query)
|
||||||
@ -132,7 +133,7 @@ impl BackendHandler for SqlBackendHandler {
|
|||||||
)
|
)
|
||||||
.order_by(Groups::DisplayName, Order::Asc)
|
.order_by(Groups::DisplayName, Order::Asc)
|
||||||
.order_by(Memberships::UserId, Order::Asc)
|
.order_by(Memberships::UserId, Order::Asc)
|
||||||
.to_string(SqliteQueryBuilder);
|
.to_string(DbQueryBuilder {});
|
||||||
|
|
||||||
let mut results = sqlx::query(&query).fetch(&self.sql_pool);
|
let mut results = sqlx::query(&query).fetch(&self.sql_pool);
|
||||||
let mut groups = Vec::new();
|
let mut groups = Vec::new();
|
||||||
@ -178,7 +179,7 @@ impl BackendHandler for SqlBackendHandler {
|
|||||||
.equals(Memberships::Table, Memberships::GroupId),
|
.equals(Memberships::Table, Memberships::GroupId),
|
||||||
)
|
)
|
||||||
.and_where(Expr::col(Memberships::UserId).eq(user))
|
.and_where(Expr::col(Memberships::UserId).eq(user))
|
||||||
.to_string(SqliteQueryBuilder);
|
.to_string(DbQueryBuilder {});
|
||||||
|
|
||||||
sqlx::query(&query)
|
sqlx::query(&query)
|
||||||
// Extract the group id from the row.
|
// Extract the group id from the row.
|
||||||
@ -196,6 +197,80 @@ impl BackendHandler for SqlBackendHandler {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[async_trait]
|
||||||
|
impl crate::infra::tcp_server::TcpBackendHandler for SqlBackendHandler {
|
||||||
|
async fn get_jwt_blacklist(&self) -> anyhow::Result<HashSet<u64>> {
|
||||||
|
use sqlx::Result;
|
||||||
|
let query = Query::select()
|
||||||
|
.column(JwtBlacklist::JwtHash)
|
||||||
|
.from(JwtBlacklist::Table)
|
||||||
|
.to_string(DbQueryBuilder {});
|
||||||
|
|
||||||
|
sqlx::query(&query)
|
||||||
|
.map(|row: DbRow| row.get::<i64, _>(&*JwtBlacklist::JwtHash.to_string()) as u64)
|
||||||
|
.fetch(&self.sql_pool)
|
||||||
|
.collect::<Vec<sqlx::Result<u64>>>()
|
||||||
|
.await
|
||||||
|
.into_iter()
|
||||||
|
.collect::<Result<HashSet<u64>>>()
|
||||||
|
.map_err(|e| anyhow::anyhow!(e))
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn create_refresh_token(&self, user: &str) -> Result<(String, chrono::Duration)> {
|
||||||
|
use rand::{distributions::Alphanumeric, rngs::SmallRng, Rng, SeedableRng};
|
||||||
|
use std::collections::hash_map::DefaultHasher;
|
||||||
|
use std::hash::{Hash, Hasher};
|
||||||
|
// TODO: Initialize the rng only once. Maybe Arc<Cell>?
|
||||||
|
let mut rng = SmallRng::from_entropy();
|
||||||
|
let refresh_token: String = std::iter::repeat(())
|
||||||
|
.map(|()| rng.sample(Alphanumeric))
|
||||||
|
.map(char::from)
|
||||||
|
.take(100)
|
||||||
|
.collect();
|
||||||
|
let refresh_token_hash = {
|
||||||
|
let mut s = DefaultHasher::new();
|
||||||
|
refresh_token.hash(&mut s);
|
||||||
|
s.finish()
|
||||||
|
};
|
||||||
|
let duration = chrono::Duration::days(30);
|
||||||
|
let query = Query::insert()
|
||||||
|
.into_table(JwtRefreshStorage::Table)
|
||||||
|
.columns(vec![
|
||||||
|
JwtRefreshStorage::RefreshTokenHash,
|
||||||
|
JwtRefreshStorage::UserId,
|
||||||
|
JwtRefreshStorage::ExpiryDate,
|
||||||
|
])
|
||||||
|
.values_panic(vec![
|
||||||
|
(refresh_token_hash as i64).into(),
|
||||||
|
user.into(),
|
||||||
|
(chrono::Utc::now() + duration).naive_utc().into(),
|
||||||
|
])
|
||||||
|
.to_string(DbQueryBuilder {});
|
||||||
|
sqlx::query(&query).execute(&self.sql_pool).await?;
|
||||||
|
Ok((refresh_token, duration))
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn check_token(&self, token: &str, user: &str) -> Result<bool> {
|
||||||
|
use std::collections::hash_map::DefaultHasher;
|
||||||
|
use std::hash::{Hash, Hasher};
|
||||||
|
let refresh_token_hash = {
|
||||||
|
let mut s = DefaultHasher::new();
|
||||||
|
token.hash(&mut s);
|
||||||
|
s.finish()
|
||||||
|
};
|
||||||
|
let query = Query::select()
|
||||||
|
.expr(SimpleExpr::Value(1.into()))
|
||||||
|
.from(JwtRefreshStorage::Table)
|
||||||
|
.and_where(Expr::col(JwtRefreshStorage::RefreshTokenHash).eq(refresh_token_hash as i64))
|
||||||
|
.and_where(Expr::col(JwtRefreshStorage::UserId).eq(user))
|
||||||
|
.to_string(DbQueryBuilder {});
|
||||||
|
Ok(sqlx::query(&query)
|
||||||
|
.fetch_optional(&self.sql_pool)
|
||||||
|
.await?
|
||||||
|
.is_some())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#[cfg(test)]
|
#[cfg(test)]
|
||||||
mockall::mock! {
|
mockall::mock! {
|
||||||
pub TestBackendHandler{}
|
pub TestBackendHandler{}
|
||||||
@ -247,7 +322,7 @@ mod tests {
|
|||||||
chrono::NaiveDateTime::from_timestamp(0, 0).into(),
|
chrono::NaiveDateTime::from_timestamp(0, 0).into(),
|
||||||
pass.into(),
|
pass.into(),
|
||||||
])
|
])
|
||||||
.to_string(SqliteQueryBuilder);
|
.to_string(DbQueryBuilder {});
|
||||||
sqlx::query(&query).execute(sql_pool).await.unwrap();
|
sqlx::query(&query).execute(sql_pool).await.unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -256,7 +331,7 @@ mod tests {
|
|||||||
.into_table(Groups::Table)
|
.into_table(Groups::Table)
|
||||||
.columns(vec![Groups::GroupId, Groups::DisplayName])
|
.columns(vec![Groups::GroupId, Groups::DisplayName])
|
||||||
.values_panic(vec![id.into(), name.into()])
|
.values_panic(vec![id.into(), name.into()])
|
||||||
.to_string(SqliteQueryBuilder);
|
.to_string(DbQueryBuilder {});
|
||||||
sqlx::query(&query).execute(sql_pool).await.unwrap();
|
sqlx::query(&query).execute(sql_pool).await.unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -265,7 +340,7 @@ mod tests {
|
|||||||
.into_table(Memberships::Table)
|
.into_table(Memberships::Table)
|
||||||
.columns(vec![Memberships::UserId, Memberships::GroupId])
|
.columns(vec![Memberships::UserId, Memberships::GroupId])
|
||||||
.values_panic(vec![user_id.into(), group_id.into()])
|
.values_panic(vec![user_id.into(), group_id.into()])
|
||||||
.to_string(SqliteQueryBuilder);
|
.to_string(DbQueryBuilder {});
|
||||||
sqlx::query(&query).execute(sql_pool).await.unwrap();
|
sqlx::query(&query).execute(sql_pool).await.unwrap();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -3,6 +3,7 @@ use sea_query::*;
|
|||||||
pub type Pool = sqlx::sqlite::SqlitePool;
|
pub type Pool = sqlx::sqlite::SqlitePool;
|
||||||
pub type PoolOptions = sqlx::sqlite::SqlitePoolOptions;
|
pub type PoolOptions = sqlx::sqlite::SqlitePoolOptions;
|
||||||
pub type DbRow = sqlx::sqlite::SqliteRow;
|
pub type DbRow = sqlx::sqlite::SqliteRow;
|
||||||
|
pub type DbQueryBuilder = SqliteQueryBuilder;
|
||||||
|
|
||||||
#[derive(Iden)]
|
#[derive(Iden)]
|
||||||
pub enum Users {
|
pub enum Users {
|
||||||
@ -60,7 +61,7 @@ pub async fn init_table(pool: &Pool) -> sqlx::Result<()> {
|
|||||||
.col(ColumnDef::new(Users::Password).string_len(255).not_null())
|
.col(ColumnDef::new(Users::Password).string_len(255).not_null())
|
||||||
.col(ColumnDef::new(Users::TotpSecret).string_len(64))
|
.col(ColumnDef::new(Users::TotpSecret).string_len(64))
|
||||||
.col(ColumnDef::new(Users::MfaType).string_len(64))
|
.col(ColumnDef::new(Users::MfaType).string_len(64))
|
||||||
.to_string(SqliteQueryBuilder),
|
.to_string(DbQueryBuilder {}),
|
||||||
)
|
)
|
||||||
.execute(pool)
|
.execute(pool)
|
||||||
.await?;
|
.await?;
|
||||||
@ -79,7 +80,7 @@ pub async fn init_table(pool: &Pool) -> sqlx::Result<()> {
|
|||||||
.string_len(255)
|
.string_len(255)
|
||||||
.not_null(),
|
.not_null(),
|
||||||
)
|
)
|
||||||
.to_string(SqliteQueryBuilder),
|
.to_string(DbQueryBuilder {}),
|
||||||
)
|
)
|
||||||
.execute(pool)
|
.execute(pool)
|
||||||
.await?;
|
.await?;
|
||||||
@ -109,7 +110,7 @@ pub async fn init_table(pool: &Pool) -> sqlx::Result<()> {
|
|||||||
.on_delete(ForeignKeyAction::Cascade)
|
.on_delete(ForeignKeyAction::Cascade)
|
||||||
.on_update(ForeignKeyAction::Cascade),
|
.on_update(ForeignKeyAction::Cascade),
|
||||||
)
|
)
|
||||||
.to_string(SqliteQueryBuilder),
|
.to_string(DbQueryBuilder {}),
|
||||||
)
|
)
|
||||||
.execute(pool)
|
.execute(pool)
|
||||||
.await?;
|
.await?;
|
||||||
|
92
src/infra/jwt_sql_tables.rs
Normal file
92
src/infra/jwt_sql_tables.rs
Normal file
@ -0,0 +1,92 @@
|
|||||||
|
use sea_query::*;
|
||||||
|
|
||||||
|
pub use crate::domain::sql_tables::*;
|
||||||
|
|
||||||
|
/// Contains the refresh tokens for a given user.
|
||||||
|
#[derive(Iden)]
|
||||||
|
pub enum JwtRefreshStorage {
|
||||||
|
Table,
|
||||||
|
RefreshTokenHash,
|
||||||
|
UserId,
|
||||||
|
ExpiryDate,
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Contains the blacklisted JWT that haven't expired yet.
|
||||||
|
#[derive(Iden)]
|
||||||
|
pub enum JwtBlacklist {
|
||||||
|
Table,
|
||||||
|
JwtHash,
|
||||||
|
UserId,
|
||||||
|
ExpiryDate,
|
||||||
|
}
|
||||||
|
|
||||||
|
/// This needs to be initialized after the domain tables are.
|
||||||
|
pub async fn init_table(pool: &Pool) -> sqlx::Result<()> {
|
||||||
|
sqlx::query(
|
||||||
|
&Table::create()
|
||||||
|
.table(JwtRefreshStorage::Table)
|
||||||
|
.if_not_exists()
|
||||||
|
.col(
|
||||||
|
ColumnDef::new(JwtRefreshStorage::RefreshTokenHash)
|
||||||
|
.big_integer()
|
||||||
|
.not_null()
|
||||||
|
.primary_key(),
|
||||||
|
)
|
||||||
|
.col(
|
||||||
|
ColumnDef::new(JwtRefreshStorage::UserId)
|
||||||
|
.string_len(255)
|
||||||
|
.not_null(),
|
||||||
|
)
|
||||||
|
.col(
|
||||||
|
ColumnDef::new(JwtRefreshStorage::ExpiryDate)
|
||||||
|
.date_time()
|
||||||
|
.not_null(),
|
||||||
|
)
|
||||||
|
.foreign_key(
|
||||||
|
ForeignKey::create()
|
||||||
|
.name("JwtRefreshStorageUserForeignKey")
|
||||||
|
.table(JwtRefreshStorage::Table, Users::Table)
|
||||||
|
.col(JwtRefreshStorage::UserId, Users::UserId)
|
||||||
|
.on_delete(ForeignKeyAction::Cascade)
|
||||||
|
.on_update(ForeignKeyAction::Cascade),
|
||||||
|
)
|
||||||
|
.to_string(DbQueryBuilder {}),
|
||||||
|
)
|
||||||
|
.execute(pool)
|
||||||
|
.await?;
|
||||||
|
|
||||||
|
sqlx::query(
|
||||||
|
&Table::create()
|
||||||
|
.table(JwtBlacklist::Table)
|
||||||
|
.if_not_exists()
|
||||||
|
.col(
|
||||||
|
ColumnDef::new(JwtBlacklist::JwtHash)
|
||||||
|
.big_integer()
|
||||||
|
.not_null()
|
||||||
|
.primary_key(),
|
||||||
|
)
|
||||||
|
.col(
|
||||||
|
ColumnDef::new(JwtBlacklist::UserId)
|
||||||
|
.string_len(255)
|
||||||
|
.not_null(),
|
||||||
|
)
|
||||||
|
.col(
|
||||||
|
ColumnDef::new(JwtBlacklist::ExpiryDate)
|
||||||
|
.date_time()
|
||||||
|
.not_null(),
|
||||||
|
)
|
||||||
|
.foreign_key(
|
||||||
|
ForeignKey::create()
|
||||||
|
.name("JwtBlacklistUserForeignKey")
|
||||||
|
.table(JwtBlacklist::Table, Users::Table)
|
||||||
|
.col(JwtBlacklist::UserId, Users::UserId)
|
||||||
|
.on_delete(ForeignKeyAction::Cascade)
|
||||||
|
.on_update(ForeignKeyAction::Cascade),
|
||||||
|
)
|
||||||
|
.to_string(DbQueryBuilder {}),
|
||||||
|
)
|
||||||
|
.execute(pool)
|
||||||
|
.await?;
|
||||||
|
|
||||||
|
Ok(())
|
||||||
|
}
|
@ -1,5 +1,6 @@
|
|||||||
pub mod cli;
|
pub mod cli;
|
||||||
pub mod configuration;
|
pub mod configuration;
|
||||||
|
pub mod jwt_sql_tables;
|
||||||
pub mod ldap_handler;
|
pub mod ldap_handler;
|
||||||
pub mod ldap_server;
|
pub mod ldap_server;
|
||||||
pub mod logging;
|
pub mod logging;
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
use crate::domain::{error::Error, handler::*};
|
use crate::domain::handler::*;
|
||||||
use crate::infra::configuration::Configuration;
|
use crate::infra::configuration::Configuration;
|
||||||
use actix_files::{Files, NamedFile};
|
use actix_files::{Files, NamedFile};
|
||||||
use actix_http::HttpServiceBuilder;
|
use actix_http::HttpServiceBuilder;
|
||||||
@ -12,6 +12,7 @@ use actix_web::{
|
|||||||
};
|
};
|
||||||
use actix_web_httpauth::{extractors::bearer::BearerAuth, middleware::HttpAuthentication};
|
use actix_web_httpauth::{extractors::bearer::BearerAuth, middleware::HttpAuthentication};
|
||||||
use anyhow::{Context, Result};
|
use anyhow::{Context, Result};
|
||||||
|
use async_trait::async_trait;
|
||||||
use chrono::prelude::*;
|
use chrono::prelude::*;
|
||||||
use futures_util::FutureExt;
|
use futures_util::FutureExt;
|
||||||
use futures_util::TryFutureExt;
|
use futures_util::TryFutureExt;
|
||||||
@ -19,13 +20,24 @@ use hmac::{Hmac, NewMac};
|
|||||||
use jwt::{SignWithKey, VerifyWithKey};
|
use jwt::{SignWithKey, VerifyWithKey};
|
||||||
use log::*;
|
use log::*;
|
||||||
use sha2::Sha512;
|
use sha2::Sha512;
|
||||||
use std::collections::HashSet;
|
use std::collections::{hash_map::DefaultHasher, HashSet};
|
||||||
|
use std::hash::{Hash, Hasher};
|
||||||
use std::path::PathBuf;
|
use std::path::PathBuf;
|
||||||
use time::ext::NumericalDuration;
|
use time::ext::NumericalDuration;
|
||||||
|
|
||||||
type Token<S> = jwt::Token<jwt::Header, JWTClaims, S>;
|
type Token<S> = jwt::Token<jwt::Header, JWTClaims, S>;
|
||||||
type SignedToken = Token<jwt::token::Signed>;
|
type SignedToken = Token<jwt::token::Signed>;
|
||||||
|
|
||||||
|
type DomainError = crate::domain::error::Error;
|
||||||
|
type DomainResult<T> = crate::domain::error::Result<T>;
|
||||||
|
|
||||||
|
#[async_trait]
|
||||||
|
pub trait TcpBackendHandler: BackendHandler {
|
||||||
|
async fn get_jwt_blacklist(&self) -> Result<HashSet<u64>>;
|
||||||
|
async fn create_refresh_token(&self, user: &str) -> DomainResult<(String, chrono::Duration)>;
|
||||||
|
async fn check_token(&self, token: &str, user: &str) -> DomainResult<bool>;
|
||||||
|
}
|
||||||
|
|
||||||
async fn index(req: HttpRequest) -> actix_web::Result<NamedFile> {
|
async fn index(req: HttpRequest) -> actix_web::Result<NamedFile> {
|
||||||
let mut path = PathBuf::new();
|
let mut path = PathBuf::new();
|
||||||
path.push("app");
|
path.push("app");
|
||||||
@ -34,11 +46,11 @@ async fn index(req: HttpRequest) -> actix_web::Result<NamedFile> {
|
|||||||
Ok(NamedFile::open(path)?)
|
Ok(NamedFile::open(path)?)
|
||||||
}
|
}
|
||||||
|
|
||||||
fn error_to_http_response<T>(error: Error) -> ApiResult<T> {
|
fn error_to_http_response<T>(error: DomainError) -> ApiResult<T> {
|
||||||
ApiResult::Right(
|
ApiResult::Right(
|
||||||
match error {
|
match error {
|
||||||
Error::AuthenticationError(_) => HttpResponse::Unauthorized(),
|
DomainError::AuthenticationError(_) => HttpResponse::Unauthorized(),
|
||||||
Error::DatabaseError(_) => HttpResponse::InternalServerError(),
|
DomainError::DatabaseError(_) => HttpResponse::InternalServerError(),
|
||||||
}
|
}
|
||||||
.body(error.to_string()),
|
.body(error.to_string()),
|
||||||
)
|
)
|
||||||
@ -51,7 +63,7 @@ async fn user_list_handler<Backend>(
|
|||||||
info: web::Json<ListUsersRequest>,
|
info: web::Json<ListUsersRequest>,
|
||||||
) -> ApiResult<Vec<User>>
|
) -> ApiResult<Vec<User>>
|
||||||
where
|
where
|
||||||
Backend: BackendHandler + 'static,
|
Backend: TcpBackendHandler + 'static,
|
||||||
{
|
{
|
||||||
let req: ListUsersRequest = info.clone();
|
let req: ListUsersRequest = info.clone();
|
||||||
data.backend_handler
|
data.backend_handler
|
||||||
@ -64,6 +76,7 @@ where
|
|||||||
fn create_jwt(key: &Hmac<Sha512>, user: String, groups: HashSet<String>) -> SignedToken {
|
fn create_jwt(key: &Hmac<Sha512>, user: String, groups: HashSet<String>) -> SignedToken {
|
||||||
let claims = JWTClaims {
|
let claims = JWTClaims {
|
||||||
exp: Utc::now() + chrono::Duration::days(1),
|
exp: Utc::now() + chrono::Duration::days(1),
|
||||||
|
iat: Utc::now(),
|
||||||
user,
|
user,
|
||||||
groups,
|
groups,
|
||||||
};
|
};
|
||||||
@ -74,22 +87,42 @@ fn create_jwt(key: &Hmac<Sha512>, user: String, groups: HashSet<String>) -> Sign
|
|||||||
jwt::Token::new(header, claims).sign_with_key(key).unwrap()
|
jwt::Token::new(header, claims).sign_with_key(key).unwrap()
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn post_authorize<Backend>(
|
async fn get_refresh<Backend>(
|
||||||
data: web::Data<AppState<Backend>>,
|
data: web::Data<AppState<Backend>>,
|
||||||
request: web::Json<BindRequest>,
|
request: HttpRequest,
|
||||||
) -> ApiResult<String>
|
) -> ApiResult<String>
|
||||||
where
|
where
|
||||||
Backend: BackendHandler + 'static,
|
Backend: TcpBackendHandler + 'static,
|
||||||
{
|
{
|
||||||
let req: BindRequest = request.clone();
|
let backend_handler = &data.backend_handler;
|
||||||
data.backend_handler
|
let jwt_key = &data.jwt_key;
|
||||||
.bind(req)
|
let (refresh_token, user) = match request.cookie("refresh_token") {
|
||||||
// If the authentication was successful, we need to fetch the groups to create the JWT
|
None => {
|
||||||
// token.
|
return ApiResult::Right(HttpResponse::Unauthorized().body("Missing refresh token"))
|
||||||
.and_then(|_| data.backend_handler.get_user_groups(request.name.clone()))
|
}
|
||||||
.await
|
Some(t) => match t.value().split_once("+") {
|
||||||
.map(|groups| {
|
None => {
|
||||||
let token = create_jwt(&data.jwt_key, request.name.clone(), groups);
|
return ApiResult::Right(HttpResponse::Unauthorized().body("Invalid refresh token"))
|
||||||
|
}
|
||||||
|
Some((t, u)) => (t.to_string(), u.to_string()),
|
||||||
|
},
|
||||||
|
};
|
||||||
|
let res_found = data.backend_handler.check_token(&refresh_token, &user).await;
|
||||||
|
// Async closures are not supported yet.
|
||||||
|
match res_found {
|
||||||
|
Ok(found) => {
|
||||||
|
if found {
|
||||||
|
backend_handler.get_user_groups(user.to_string()).await
|
||||||
|
} else {
|
||||||
|
Err(DomainError::AuthenticationError(
|
||||||
|
"Invalid refresh token".to_string(),
|
||||||
|
))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
Err(e) => Err(e),
|
||||||
|
}
|
||||||
|
.map(|groups| create_jwt(jwt_key, user.to_string(), groups))
|
||||||
|
.map(|token| {
|
||||||
ApiResult::Right(
|
ApiResult::Right(
|
||||||
HttpResponse::Ok()
|
HttpResponse::Ok()
|
||||||
.cookie(
|
.cookie(
|
||||||
@ -106,9 +139,57 @@ where
|
|||||||
.unwrap_or_else(error_to_http_response)
|
.unwrap_or_else(error_to_http_response)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async fn post_authorize<Backend>(
|
||||||
|
data: web::Data<AppState<Backend>>,
|
||||||
|
request: web::Json<BindRequest>,
|
||||||
|
) -> ApiResult<String>
|
||||||
|
where
|
||||||
|
Backend: TcpBackendHandler + 'static,
|
||||||
|
{
|
||||||
|
let req: BindRequest = request.clone();
|
||||||
|
data.backend_handler
|
||||||
|
.bind(req)
|
||||||
|
// If the authentication was successful, we need to fetch the groups to create the JWT
|
||||||
|
// token.
|
||||||
|
.and_then(|_| data.backend_handler.get_user_groups(request.name.clone()))
|
||||||
|
.and_then(|g| async {
|
||||||
|
Ok((
|
||||||
|
g,
|
||||||
|
data.backend_handler
|
||||||
|
.create_refresh_token(&request.name)
|
||||||
|
.await?,
|
||||||
|
))
|
||||||
|
})
|
||||||
|
.await
|
||||||
|
.map(|(groups, (refresh_token, max_age))| {
|
||||||
|
let token = create_jwt(&data.jwt_key, request.name.clone(), groups);
|
||||||
|
ApiResult::Right(
|
||||||
|
HttpResponse::Ok()
|
||||||
|
.cookie(
|
||||||
|
Cookie::build("token", token.as_str())
|
||||||
|
.max_age(1.days())
|
||||||
|
.path("/api")
|
||||||
|
.http_only(true)
|
||||||
|
.same_site(SameSite::Strict)
|
||||||
|
.finish(),
|
||||||
|
)
|
||||||
|
.cookie(
|
||||||
|
Cookie::build("refresh_token", refresh_token + "+" + &request.name)
|
||||||
|
.max_age(max_age.num_days().days())
|
||||||
|
.path("/api/authorize/refresh")
|
||||||
|
.http_only(true)
|
||||||
|
.same_site(SameSite::Strict)
|
||||||
|
.finish(),
|
||||||
|
)
|
||||||
|
.body(token.as_str().to_owned()),
|
||||||
|
)
|
||||||
|
})
|
||||||
|
.unwrap_or_else(error_to_http_response)
|
||||||
|
}
|
||||||
|
|
||||||
fn api_config<Backend>(cfg: &mut web::ServiceConfig)
|
fn api_config<Backend>(cfg: &mut web::ServiceConfig)
|
||||||
where
|
where
|
||||||
Backend: BackendHandler + 'static,
|
Backend: TcpBackendHandler + 'static,
|
||||||
{
|
{
|
||||||
let json_config = web::JsonConfig::default()
|
let json_config = web::JsonConfig::default()
|
||||||
.limit(4096)
|
.limit(4096)
|
||||||
@ -134,7 +215,7 @@ async fn token_validator<Backend>(
|
|||||||
credentials: BearerAuth,
|
credentials: BearerAuth,
|
||||||
) -> Result<ServiceRequest, actix_web::Error>
|
) -> Result<ServiceRequest, actix_web::Error>
|
||||||
where
|
where
|
||||||
Backend: BackendHandler + 'static,
|
Backend: TcpBackendHandler + 'static,
|
||||||
{
|
{
|
||||||
let state = req
|
let state = req
|
||||||
.app_data::<web::Data<AppState<Backend>>>()
|
.app_data::<web::Data<AppState<Backend>>>()
|
||||||
@ -144,6 +225,14 @@ where
|
|||||||
if token.claims().exp.lt(&Utc::now()) {
|
if token.claims().exp.lt(&Utc::now()) {
|
||||||
return Err(ErrorUnauthorized("Expired JWT"));
|
return Err(ErrorUnauthorized("Expired JWT"));
|
||||||
}
|
}
|
||||||
|
let jwt_hash = {
|
||||||
|
let mut s = DefaultHasher::new();
|
||||||
|
credentials.token().hash(&mut s);
|
||||||
|
s.finish()
|
||||||
|
};
|
||||||
|
if state.jwt_blacklist.contains(&jwt_hash) {
|
||||||
|
return Err(ErrorUnauthorized("JWT was logged out"));
|
||||||
|
}
|
||||||
let groups = &token.claims().groups;
|
let groups = &token.claims().groups;
|
||||||
if groups.contains("lldap_admin") {
|
if groups.contains("lldap_admin") {
|
||||||
debug!("Got authorized token for user {}", &token.claims().user);
|
debug!("Got authorized token for user {}", &token.claims().user);
|
||||||
@ -155,13 +244,18 @@ where
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn http_config<Backend>(cfg: &mut web::ServiceConfig, backend_handler: Backend, jwt_secret: String)
|
fn http_config<Backend>(
|
||||||
where
|
cfg: &mut web::ServiceConfig,
|
||||||
Backend: BackendHandler + 'static,
|
backend_handler: Backend,
|
||||||
|
jwt_secret: String,
|
||||||
|
jwt_blacklist: HashSet<u64>,
|
||||||
|
) where
|
||||||
|
Backend: TcpBackendHandler + 'static,
|
||||||
{
|
{
|
||||||
cfg.data(AppState::<Backend> {
|
cfg.data(AppState::<Backend> {
|
||||||
backend_handler,
|
backend_handler,
|
||||||
jwt_key: Hmac::new_varkey(&jwt_secret.as_bytes()).unwrap(),
|
jwt_key: Hmac::new_varkey(&jwt_secret.as_bytes()).unwrap(),
|
||||||
|
jwt_blacklist,
|
||||||
})
|
})
|
||||||
// Serve index.html and main.js, and default to index.html.
|
// Serve index.html and main.js, and default to index.html.
|
||||||
.route(
|
.route(
|
||||||
@ -169,6 +263,7 @@ where
|
|||||||
web::get().to(index),
|
web::get().to(index),
|
||||||
)
|
)
|
||||||
.service(web::resource("/api/authorize").route(web::post().to(post_authorize::<Backend>)))
|
.service(web::resource("/api/authorize").route(web::post().to(post_authorize::<Backend>)))
|
||||||
|
.service(web::resource("/api/authorize/refresh").route(web::get().to(get_refresh::<Backend>)))
|
||||||
// API endpoint.
|
// API endpoint.
|
||||||
.service(
|
.service(
|
||||||
web::scope("/api")
|
web::scope("/api")
|
||||||
@ -200,28 +295,33 @@ where
|
|||||||
|
|
||||||
struct AppState<Backend>
|
struct AppState<Backend>
|
||||||
where
|
where
|
||||||
Backend: BackendHandler + 'static,
|
Backend: TcpBackendHandler + 'static,
|
||||||
{
|
{
|
||||||
pub backend_handler: Backend,
|
pub backend_handler: Backend,
|
||||||
pub jwt_key: Hmac<Sha512>,
|
pub jwt_key: Hmac<Sha512>,
|
||||||
|
pub jwt_blacklist: HashSet<u64>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn build_tcp_server<Backend>(
|
pub async fn build_tcp_server<Backend>(
|
||||||
config: &Configuration,
|
config: &Configuration,
|
||||||
backend_handler: Backend,
|
backend_handler: Backend,
|
||||||
server_builder: ServerBuilder,
|
server_builder: ServerBuilder,
|
||||||
) -> Result<ServerBuilder>
|
) -> Result<ServerBuilder>
|
||||||
where
|
where
|
||||||
Backend: BackendHandler + 'static,
|
Backend: TcpBackendHandler + 'static,
|
||||||
{
|
{
|
||||||
let jwt_secret = config.jwt_secret.clone();
|
let jwt_secret = config.jwt_secret.clone();
|
||||||
|
let jwt_blacklist = backend_handler.get_jwt_blacklist().await?;
|
||||||
server_builder
|
server_builder
|
||||||
.bind("http", ("0.0.0.0", config.http_port), move || {
|
.bind("http", ("0.0.0.0", config.http_port), move || {
|
||||||
let backend_handler = backend_handler.clone();
|
let backend_handler = backend_handler.clone();
|
||||||
let jwt_secret = jwt_secret.clone();
|
let jwt_secret = jwt_secret.clone();
|
||||||
|
let jwt_blacklist = jwt_blacklist.clone();
|
||||||
HttpServiceBuilder::new()
|
HttpServiceBuilder::new()
|
||||||
.finish(map_config(
|
.finish(map_config(
|
||||||
App::new().configure(move |cfg| http_config(cfg, backend_handler, jwt_secret)),
|
App::new().configure(move |cfg| {
|
||||||
|
http_config(cfg, backend_handler, jwt_secret, jwt_blacklist)
|
||||||
|
}),
|
||||||
|_| AppConfig::default(),
|
|_| AppConfig::default(),
|
||||||
))
|
))
|
||||||
.tcp()
|
.tcp()
|
||||||
|
@ -20,8 +20,9 @@ async fn run_server(config: Configuration) -> Result<()> {
|
|||||||
backend_handler.clone(),
|
backend_handler.clone(),
|
||||||
actix_server::Server::build(),
|
actix_server::Server::build(),
|
||||||
)?;
|
)?;
|
||||||
|
infra::jwt_sql_tables::init_table(&sql_pool).await?;
|
||||||
let server_builder =
|
let server_builder =
|
||||||
infra::tcp_server::build_tcp_server(&config, backend_handler, server_builder)?;
|
infra::tcp_server::build_tcp_server(&config, backend_handler, server_builder).await?;
|
||||||
server_builder.workers(1).run().await?;
|
server_builder.workers(1).run().await?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user