BasicOIDC/src/middlewares/auth_middleware.rs

//! # Authentication middleware

use std::future::{ready, Future, Ready};
use std::pin::Pin;
use std::rc::Rc;

use actix_identity::IdentityExt;
use actix_web::body::EitherBody;
use actix_web::http::{header, Method};
use actix_web::{
    dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
    web, Error, HttpResponse,
};

use crate::constants::{
    ADMIN_ROUTES, AUTHENTICATED_ROUTES, AUTHORIZE_URI, TOKEN_URI, USERINFO_URI,
};
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user_for_login};
use crate::data::app_config::AppConfig;
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};

// There are two steps in middleware processing.
// 1. Middleware initialization, middleware factory gets called with
//    next service in chain as parameter.
// 2. Middleware's call method gets called with normal request.
pub struct AuthMiddleware;

// Middleware factory is `Transform` trait
// `S` - type of the next service
// `B` - type of response's body
impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;
    type Transform = AuthInnerMiddleware<S>;
    type InitError = ();
    type Future = Ready<Result<Self::Transform, Self::InitError>>;

    fn new_transform(&self, service: S) -> Self::Future {
        ready(Ok(AuthInnerMiddleware {
            service: Rc::new(service),
        }))
    }
}

#[derive(Debug)]
enum ConnStatus {
    SignedOut,
    RegularUser,
    Admin,
}

impl ConnStatus {
    pub fn is_auth(&self) -> bool {
        !matches!(self, ConnStatus::SignedOut)
    }

    pub fn is_admin(&self) -> bool {
        matches!(self, ConnStatus::Admin)
    }
}

pub struct AuthInnerMiddleware<S> {
    service: Rc<S>,
}

impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
where
    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
    S::Future: 'static,
    B: 'static,
{
    type Response = ServiceResponse<EitherBody<B>>;
    type Error = Error;

    #[allow(clippy::type_complexity)]
    type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>>>>;

    forward_ready!(service);

    fn call(&self, req: ServiceRequest) -> Self::Future {
        let service = Rc::clone(&self.service);

        // Forward request
        Box::pin(async move {
            let config: &web::Data<AppConfig> = req.app_data().expect("AppData undefined!");

            // Check if POST request comes from another website (block invalid origins)
            let origin = req.headers().get(header::ORIGIN);
            if req.method() == Method::POST && req.path() != TOKEN_URI && req.path() != USERINFO_URI
            {
                if let Some(o) = origin {
                    if !o.to_str().unwrap_or("bad").eq(&config.website_origin) {
                        log::warn!(
                            "Blocked POST request from invalid origin! Origin given {:?}",
                            o
                        );
                        return Ok(req.into_response(
                            HttpResponse::Unauthorized()
                                .body("POST request from invalid origin!")
                                .map_into_right_body(),
                        ));
                    }
                }
            }

            if req.path().starts_with("/.git") {
                return Ok(req.into_response(
                    HttpResponse::Unauthorized()
                        .body("Hey don't touch this!")
                        .map_into_right_body(),
                ));
            }

            let id = req.get_identity().ok().map(|r| r.id().unwrap_or_default());
            let session_data = SessionIdentity::deserialize_session_data(id);
            let session = match session_data {
                Some(SessionIdentityData {
                    status: SessionStatus::SignedIn,
                    is_admin: true,
                    ..
                }) => ConnStatus::Admin,
                Some(SessionIdentityData {
                    status: SessionStatus::SignedIn,
                    ..
                }) => ConnStatus::RegularUser,
                _ => ConnStatus::SignedOut,
            };

            log::trace!("Connection data: {:#?}", session_data);
            log::debug!("Connection status: {:?}", session);

            // Redirect user to login page
            if !session.is_auth()
                && (req.path().starts_with(ADMIN_ROUTES)
                    || req.path().starts_with(AUTHENTICATED_ROUTES)
                    || req.path().eq(AUTHORIZE_URI))
            {
                log::debug!(
                    "Redirect unauthenticated user from {} to authorization route.",
                    req.path()
                );

                let path = req.uri().to_string();
                return Ok(req
                    .into_response(redirect_user_for_login(path))
                    .map_into_right_body());
            }

            // Restrict access to admin pages
            if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
                return Ok(req
                    .into_response(HttpResponse::Unauthorized().body(build_fatal_error_page(
                        "You are not allowed to access this resource.",
                    )))
                    .map_into_right_body());
            }

            service
                .call(req)
                .await
                .map(ServiceResponse::map_into_left_body)
        })
    }
}
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`//! # Authentication middleware`

Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`use std::future::{ready, Future, Ready};`
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`use std::pin::Pin;`
			`use std::rc::Rc;`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00
Update actix_identity 2022-07-22 10:21:38 +00:00			`use actix_identity::IdentityExt;`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`use actix_web::body::EitherBody;`
			`use actix_web::http::{header, Method};`
Format code 2022-04-03 13:50:49 +00:00			`use actix_web::{`
			`dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`web, Error, HttpResponse,`
Format code 2022-04-03 13:50:49 +00:00			`};`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`use crate::constants::{`
			`ADMIN_ROUTES, AUTHENTICATED_ROUTES, AUTHORIZE_URI, TOKEN_URI, USERINFO_URI,`
			`};`
Make usage of `FatalErrorPage` more convenient 2022-04-23 18:31:09 +00:00			`use crate::controllers::base_controller::{build_fatal_error_page, redirect_user_for_login};`
Block POST requests from unknown origins 2022-04-03 13:48:45 +00:00			`use crate::data::app_config::AppConfig;`
Do not consider as valid sessions that are not completely signed in 2022-04-03 12:46:58 +00:00			`use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};`
Redirect anonymous user from authenticated pages 2022-04-02 15:44:10 +00:00
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`// There are two steps in middleware processing.`
			`// 1. Middleware initialization, middleware factory gets called with`
			`// next service in chain as parameter.`
			`// 2. Middleware's call method gets called with normal request.`
			`pub struct AuthMiddleware;`

			// Middleware factory is `Transform` trait
			// `S` - type of the next service
			// `B` - type of response's body
			`impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`where`
			`S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,`
			`S::Future: 'static,`
			`B: 'static,`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`{`
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`type Response = ServiceResponse<EitherBody<B>>;`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`type Error = Error;`
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`type Transform = AuthInnerMiddleware<S>;`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`type InitError = ();`
			`type Future = Ready<Result<Self::Transform, Self::InitError>>;`

			`fn new_transform(&self, service: S) -> Self::Future {`
Format code 2022-04-03 13:50:49 +00:00			`ready(Ok(AuthInnerMiddleware {`
			`service: Rc::new(service),`
			`}))`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`}`
			`}`

Get identity from middleware 2022-04-02 15:03:51 +00:00			`#[derive(Debug)]`
Do not consider as valid sessions that are not completely signed in 2022-04-03 12:46:58 +00:00			`enum ConnStatus {`
Get identity from middleware 2022-04-02 15:03:51 +00:00			`SignedOut,`
			`RegularUser,`
Delegate session lifetime to `actix-identity` crate 2022-04-02 15:17:54 +00:00			`Admin,`
Get identity from middleware 2022-04-02 15:03:51 +00:00			`}`

Do not consider as valid sessions that are not completely signed in 2022-04-03 12:46:58 +00:00			`impl ConnStatus {`
Redirect anonymous user from authenticated pages 2022-04-02 15:44:10 +00:00			`pub fn is_auth(&self) -> bool {`
Do not consider as valid sessions that are not completely signed in 2022-04-03 12:46:58 +00:00			`!matches!(self, ConnStatus::SignedOut)`
Redirect anonymous user from authenticated pages 2022-04-02 15:44:10 +00:00			`}`

			`pub fn is_admin(&self) -> bool {`
Do not consider as valid sessions that are not completely signed in 2022-04-03 12:46:58 +00:00			`matches!(self, ConnStatus::Admin)`
Redirect anonymous user from authenticated pages 2022-04-02 15:44:10 +00:00			`}`
			`}`

Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`pub struct AuthInnerMiddleware<S> {`
			`service: Rc<S>,`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`}`

Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`where`
			`S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,`
			`S::Future: 'static,`
			`B: 'static,`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`{`
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`type Response = ServiceResponse<EitherBody<B>>;`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`type Error = Error;`
Get identity from middleware 2022-04-02 15:03:51 +00:00
			`#[allow(clippy::type_complexity)]`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>>>>;`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00
			`forward_ready!(service);`

Delegate session lifetime to `actix-identity` crate 2022-04-02 15:17:54 +00:00			`fn call(&self, req: ServiceRequest) -> Self::Future {`
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`let service = Rc::clone(&self.service);`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00
			`// Forward request`
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`Box::pin(async move {`
Block POST requests from unknown origins 2022-04-03 13:48:45 +00:00			`let config: &web::Data<AppConfig> = req.app_data().expect("AppData undefined!");`

			`// Check if POST request comes from another website (block invalid origins)`
			`let origin = req.headers().get(header::ORIGIN);`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`if req.method() == Method::POST && req.path() != TOKEN_URI && req.path() != USERINFO_URI`
			`{`
Block POST requests from unknown origins 2022-04-03 13:48:45 +00:00			`if let Some(o) = origin {`
			`if !o.to_str().unwrap_or("bad").eq(&config.website_origin) {`
Format code 2022-04-03 13:50:49 +00:00			`log::warn!(`
			`"Blocked POST request from invalid origin! Origin given {:?}",`
			`o`
			`);`
Block POST requests from unknown origins 2022-04-03 13:48:45 +00:00			`return Ok(req.into_response(`
			`HttpResponse::Unauthorized()`
			`.body("POST request from invalid origin!")`
Format code 2022-04-03 13:50:49 +00:00			`.map_into_right_body(),`
Block POST requests from unknown origins 2022-04-03 13:48:45 +00:00			`));`
			`}`
			`}`
			`}`

Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`if req.path().starts_with("/.git") {`
			`return Ok(req.into_response(`
			`HttpResponse::Unauthorized()`
			`.body("Hey don't touch this!")`
Format code 2022-04-03 13:50:49 +00:00			`.map_into_right_body(),`
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`));`
			`}`

Update actix_identity 2022-07-22 10:21:38 +00:00			`let id = req.get_identity().ok().map(\|r\| r.id().unwrap_or_default());`
			`let session_data = SessionIdentity::deserialize_session_data(id);`
			`let session = match session_data {`
Format code 2022-04-03 13:50:49 +00:00			`Some(SessionIdentityData {`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`status: SessionStatus::SignedIn,`
			`is_admin: true,`
			`..`
			`}) => ConnStatus::Admin,`
Format code 2022-04-03 13:50:49 +00:00			`Some(SessionIdentityData {`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`status: SessionStatus::SignedIn,`
			`..`
			`}) => ConnStatus::RegularUser,`
Do not consider as valid sessions that are not completely signed in 2022-04-03 12:46:58 +00:00			`_ => ConnStatus::SignedOut,`
Redirect anonymous user from authenticated pages 2022-04-02 15:44:10 +00:00			`};`

Update actix_identity 2022-07-22 10:21:38 +00:00			`log::trace!("Connection data: {:#?}", session_data);`
			`log::debug!("Connection status: {:?}", session);`

Redirect anonymous user from authenticated pages 2022-04-02 15:44:10 +00:00			`// Redirect user to login page`
Format code 2022-04-03 13:50:49 +00:00			`if !session.is_auth()`
			`&& (req.path().starts_with(ADMIN_ROUTES)`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`\|\| req.path().starts_with(AUTHENTICATED_ROUTES)`
			`\|\| req.path().eq(AUTHORIZE_URI))`
Format code 2022-04-03 13:50:49 +00:00			`{`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`log::debug!(`
			`"Redirect unauthenticated user from {} to authorization route.",`
			`req.path()`
			`);`
Refactor code 2022-07-22 12:28:44 +00:00
Check OpenID request parameters 2022-04-09 09:30:23 +00:00			`let path = req.uri().to_string();`
Format code 2022-04-03 13:50:49 +00:00			`return Ok(req`
			`.into_response(redirect_user_for_login(path))`
Redirect anonymous user from authenticated pages 2022-04-02 15:44:10 +00:00			`.map_into_right_body());`
			`}`

Restrict access to admin routes 2022-04-02 17:23:32 +00:00			`// Restrict access to admin pages`
Block POST requests from unknown origins 2022-04-03 13:48:45 +00:00			`if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) {`
Format code 2022-04-03 13:50:49 +00:00			`return Ok(req`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.into_response(HttpResponse::Unauthorized().body(build_fatal_error_page(`
			`"You are not allowed to access this resource.",`
			`)))`
Restrict access to admin routes 2022-04-02 17:23:32 +00:00			`.map_into_right_body());`
			`}`
Get identity from middleware 2022-04-02 15:03:51 +00:00
Restrict access to .git directory 2022-04-02 13:58:31 +00:00			`service`
			`.call(req)`
			`.await`
			`.map(ServiceResponse::map_into_left_body)`
			`})`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`}`
			`}`