2022-04-02 13:44:09 +00:00
|
|
|
//! # Authentication middleware
|
|
|
|
|
2022-04-03 15:33:01 +00:00
|
|
|
use std::future::{Future, ready, Ready};
|
2022-04-02 13:58:31 +00:00
|
|
|
use std::pin::Pin;
|
|
|
|
use std::rc::Rc;
|
2022-04-02 13:44:09 +00:00
|
|
|
|
2022-07-22 10:21:38 +00:00
|
|
|
use actix_identity::IdentityExt;
|
2022-04-03 13:50:49 +00:00
|
|
|
use actix_web::{
|
|
|
|
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
|
2022-04-03 15:33:01 +00:00
|
|
|
Error, HttpResponse, web,
|
2022-04-03 13:50:49 +00:00
|
|
|
};
|
2022-04-03 15:33:01 +00:00
|
|
|
use actix_web::body::EitherBody;
|
|
|
|
use actix_web::http::{header, Method};
|
2022-04-02 13:44:09 +00:00
|
|
|
|
2022-04-14 16:39:18 +00:00
|
|
|
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES, AUTHORIZE_URI, TOKEN_URI, USERINFO_URI};
|
2022-04-23 18:31:09 +00:00
|
|
|
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user_for_login};
|
2022-04-03 13:48:45 +00:00
|
|
|
use crate::data::app_config::AppConfig;
|
2022-04-03 12:46:58 +00:00
|
|
|
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
|
2022-04-02 15:44:10 +00:00
|
|
|
|
2022-04-02 13:44:09 +00:00
|
|
|
// There are two steps in middleware processing.
|
|
|
|
// 1. Middleware initialization, middleware factory gets called with
|
|
|
|
// next service in chain as parameter.
|
|
|
|
// 2. Middleware's call method gets called with normal request.
|
|
|
|
pub struct AuthMiddleware;
|
|
|
|
|
|
|
|
// Middleware factory is `Transform` trait
|
|
|
|
// `S` - type of the next service
|
|
|
|
// `B` - type of response's body
|
|
|
|
impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
|
2022-04-03 15:33:01 +00:00
|
|
|
where
|
|
|
|
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
|
|
|
|
S::Future: 'static,
|
|
|
|
B: 'static,
|
2022-04-02 13:44:09 +00:00
|
|
|
{
|
2022-04-02 13:58:31 +00:00
|
|
|
type Response = ServiceResponse<EitherBody<B>>;
|
2022-04-02 13:44:09 +00:00
|
|
|
type Error = Error;
|
2022-04-02 13:58:31 +00:00
|
|
|
type Transform = AuthInnerMiddleware<S>;
|
2022-04-02 13:44:09 +00:00
|
|
|
type InitError = ();
|
|
|
|
type Future = Ready<Result<Self::Transform, Self::InitError>>;
|
|
|
|
|
|
|
|
fn new_transform(&self, service: S) -> Self::Future {
|
2022-04-03 13:50:49 +00:00
|
|
|
ready(Ok(AuthInnerMiddleware {
|
|
|
|
service: Rc::new(service),
|
|
|
|
}))
|
2022-04-02 13:44:09 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-02 15:03:51 +00:00
|
|
|
#[derive(Debug)]
|
2022-04-03 12:46:58 +00:00
|
|
|
enum ConnStatus {
|
2022-04-02 15:03:51 +00:00
|
|
|
SignedOut,
|
|
|
|
RegularUser,
|
2022-04-02 15:17:54 +00:00
|
|
|
Admin,
|
2022-04-02 15:03:51 +00:00
|
|
|
}
|
|
|
|
|
2022-04-03 12:46:58 +00:00
|
|
|
impl ConnStatus {
|
2022-04-02 15:44:10 +00:00
|
|
|
pub fn is_auth(&self) -> bool {
|
2022-04-03 12:46:58 +00:00
|
|
|
!matches!(self, ConnStatus::SignedOut)
|
2022-04-02 15:44:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
pub fn is_admin(&self) -> bool {
|
2022-04-03 12:46:58 +00:00
|
|
|
matches!(self, ConnStatus::Admin)
|
2022-04-02 15:44:10 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-02 17:23:32 +00:00
|
|
|
|
2022-04-02 13:58:31 +00:00
|
|
|
pub struct AuthInnerMiddleware<S> {
|
|
|
|
service: Rc<S>,
|
2022-04-02 13:44:09 +00:00
|
|
|
}
|
|
|
|
|
2022-04-02 13:58:31 +00:00
|
|
|
impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
|
2022-04-03 15:33:01 +00:00
|
|
|
where
|
|
|
|
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
|
|
|
|
S::Future: 'static,
|
|
|
|
B: 'static,
|
2022-04-02 13:44:09 +00:00
|
|
|
{
|
2022-04-02 13:58:31 +00:00
|
|
|
type Response = ServiceResponse<EitherBody<B>>;
|
2022-04-02 13:44:09 +00:00
|
|
|
type Error = Error;
|
2022-04-02 15:03:51 +00:00
|
|
|
|
|
|
|
#[allow(clippy::type_complexity)]
|
2022-04-03 15:33:01 +00:00
|
|
|
type Future = Pin<Box<dyn Future<Output=Result<Self::Response, Self::Error>>>>;
|
2022-04-02 13:44:09 +00:00
|
|
|
|
|
|
|
forward_ready!(service);
|
|
|
|
|
2022-04-02 15:17:54 +00:00
|
|
|
fn call(&self, req: ServiceRequest) -> Self::Future {
|
2022-04-02 13:58:31 +00:00
|
|
|
let service = Rc::clone(&self.service);
|
2022-04-02 13:44:09 +00:00
|
|
|
|
|
|
|
// Forward request
|
2022-04-02 13:58:31 +00:00
|
|
|
Box::pin(async move {
|
2022-04-03 13:48:45 +00:00
|
|
|
let config: &web::Data<AppConfig> = req.app_data().expect("AppData undefined!");
|
|
|
|
|
|
|
|
// Check if POST request comes from another website (block invalid origins)
|
|
|
|
let origin = req.headers().get(header::ORIGIN);
|
2022-04-14 16:39:18 +00:00
|
|
|
if req.method() == Method::POST && req.path() != TOKEN_URI && req.path() != USERINFO_URI {
|
2022-04-03 13:48:45 +00:00
|
|
|
if let Some(o) = origin {
|
|
|
|
if !o.to_str().unwrap_or("bad").eq(&config.website_origin) {
|
2022-04-03 13:50:49 +00:00
|
|
|
log::warn!(
|
|
|
|
"Blocked POST request from invalid origin! Origin given {:?}",
|
|
|
|
o
|
|
|
|
);
|
2022-04-03 13:48:45 +00:00
|
|
|
return Ok(req.into_response(
|
|
|
|
HttpResponse::Unauthorized()
|
|
|
|
.body("POST request from invalid origin!")
|
2022-04-03 13:50:49 +00:00
|
|
|
.map_into_right_body(),
|
2022-04-03 13:48:45 +00:00
|
|
|
));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-04-02 13:58:31 +00:00
|
|
|
if req.path().starts_with("/.git") {
|
|
|
|
return Ok(req.into_response(
|
|
|
|
HttpResponse::Unauthorized()
|
|
|
|
.body("Hey don't touch this!")
|
2022-04-03 13:50:49 +00:00
|
|
|
.map_into_right_body(),
|
2022-04-02 13:58:31 +00:00
|
|
|
));
|
|
|
|
}
|
|
|
|
|
2022-07-22 10:21:38 +00:00
|
|
|
let id = req.get_identity().ok().map(|r| r.id().unwrap_or_default());
|
|
|
|
let session_data = SessionIdentity::deserialize_session_data(id);
|
|
|
|
let session = match session_data {
|
2022-04-03 13:50:49 +00:00
|
|
|
Some(SessionIdentityData {
|
2022-04-03 15:33:01 +00:00
|
|
|
status: SessionStatus::SignedIn,
|
|
|
|
is_admin: true,
|
|
|
|
..
|
|
|
|
}) => ConnStatus::Admin,
|
2022-04-03 13:50:49 +00:00
|
|
|
Some(SessionIdentityData {
|
2022-04-03 15:33:01 +00:00
|
|
|
status: SessionStatus::SignedIn,
|
|
|
|
..
|
|
|
|
}) => ConnStatus::RegularUser,
|
2022-04-03 12:46:58 +00:00
|
|
|
_ => ConnStatus::SignedOut,
|
2022-04-02 15:44:10 +00:00
|
|
|
};
|
|
|
|
|
2022-07-22 10:21:38 +00:00
|
|
|
log::trace!("Connection data: {:#?}", session_data);
|
|
|
|
log::debug!("Connection status: {:?}", session);
|
|
|
|
|
2022-04-02 15:44:10 +00:00
|
|
|
// Redirect user to login page
|
2022-04-03 13:50:49 +00:00
|
|
|
if !session.is_auth()
|
|
|
|
&& (req.path().starts_with(ADMIN_ROUTES)
|
2022-04-09 09:30:23 +00:00
|
|
|
|| req.path().starts_with(AUTHENTICATED_ROUTES) || req.path().eq(AUTHORIZE_URI))
|
2022-04-03 13:50:49 +00:00
|
|
|
{
|
2022-07-22 12:28:44 +00:00
|
|
|
log::debug!("Redirect unauthenticated user from {} to authorization route.",
|
|
|
|
req.path());
|
|
|
|
|
2022-04-09 09:30:23 +00:00
|
|
|
let path = req.uri().to_string();
|
2022-04-03 13:50:49 +00:00
|
|
|
return Ok(req
|
|
|
|
.into_response(redirect_user_for_login(path))
|
2022-04-02 15:44:10 +00:00
|
|
|
.map_into_right_body());
|
|
|
|
}
|
|
|
|
|
2022-04-02 17:23:32 +00:00
|
|
|
// Restrict access to admin pages
|
2022-04-03 13:48:45 +00:00
|
|
|
if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
|
2022-04-03 13:50:49 +00:00
|
|
|
return Ok(req
|
|
|
|
.into_response(
|
2022-04-23 18:31:09 +00:00
|
|
|
HttpResponse::Unauthorized().body(
|
|
|
|
build_fatal_error_page("You are not allowed to access this resource.")),
|
2022-04-03 13:50:49 +00:00
|
|
|
)
|
2022-04-02 17:23:32 +00:00
|
|
|
.map_into_right_body());
|
|
|
|
}
|
2022-04-02 15:03:51 +00:00
|
|
|
|
2022-04-02 13:58:31 +00:00
|
|
|
service
|
|
|
|
.call(req)
|
|
|
|
.await
|
|
|
|
.map(ServiceResponse::map_into_left_body)
|
|
|
|
})
|
2022-04-02 13:44:09 +00:00
|
|
|
}
|
|
|
|
}
|