BasicOIDC/src/main.rs

use core::time::Duration;
use std::sync::Arc;

use actix::Actor;
use actix_identity::config::LogoutBehaviour;
use actix_identity::IdentityMiddleware;
use actix_session::storage::CookieSessionStore;
use actix_session::SessionMiddleware;
use actix_web::cookie::{Key, SameSite};
use actix_web::middleware::Logger;
use actix_web::{get, middleware, web, App, HttpResponse, HttpServer};

use basic_oidc::actors::bruteforce_actor::BruteForceActor;
use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor;
use basic_oidc::actors::users_actor::{UsersActor, UsersBackend};
use basic_oidc::constants::*;
use basic_oidc::controllers::assets_controller::assets_route;
use basic_oidc::controllers::*;
use basic_oidc::data::app_config::AppConfig;
use basic_oidc::data::client::ClientManager;
use basic_oidc::data::entity_manager::EntityManager;
use basic_oidc::data::jwt_signer::JWTSigner;
use basic_oidc::data::user::User;
use basic_oidc::data::webauthn_manager::WebAuthManager;
use basic_oidc::middlewares::auth_middleware::AuthMiddleware;

#[get("/health")]
async fn health() -> &'static str {
    "Running"
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));

    let config = AppConfig::get();

    if !config.storage_path().exists() {
        log::error!(
            "Specified storage path {:?} does not exists!",
            config.storage_path()
        );
        panic!()
    }

    let mut users = EntityManager::<User>::open_or_create(config.users_file())
        .expect("Failed to load users list!");

    // Create initial user if required
    if users.is_empty() {
        log::info!("Create default {} user", DEFAULT_ADMIN_USERNAME);
        let default_admin = User {
            username: DEFAULT_ADMIN_USERNAME.to_string(),
            authorized_clients: None,
            admin: true,
            ..Default::default()
        };

        users
            .insert(default_admin.clone())
            .expect("Failed to create initial user!");

        // Set default admin password
        users.change_user_password(&default_admin.uid, DEFAULT_ADMIN_PASSWORD, true);
    }

    let users_actor = UsersActor::new(users).start();
    let bruteforce_actor = BruteForceActor::default().start();
    let openid_sessions_actor = OpenIDSessionsActor::default().start();
    let jwt_signer = JWTSigner::gen_from_memory().expect("Failed to generate JWKS key");
    let webauthn_manager = Arc::new(WebAuthManager::init(config));

    log::info!("Server will listen on {}", config.listen_address);
    let listen_address = config.listen_address.to_string();

    HttpServer::new(move || {
        let mut clients = ClientManager::open_or_create(config.clients_file())
            .expect("Failed to load clients list!");
        clients.apply_environment_variables();

        let session_mw = SessionMiddleware::builder(
            CookieSessionStore::default(),
            Key::from(config.token_key.as_bytes()),
        )
        .cookie_name(SESSION_COOKIE_NAME.to_string())
        .cookie_secure(config.secure_cookie())
        .cookie_same_site(SameSite::Lax)
        .build();

        let identity_middleware = IdentityMiddleware::builder()
            .logout_behaviour(LogoutBehaviour::PurgeSession)
            .visit_deadline(Some(Duration::from_secs(MAX_INACTIVITY_DURATION)))
            .login_deadline(Some(Duration::from_secs(MAX_SESSION_DURATION)))
            .build();

        App::new()
            .app_data(web::Data::new(users_actor.clone()))
            .app_data(web::Data::new(bruteforce_actor.clone()))
            .app_data(web::Data::new(openid_sessions_actor.clone()))
            .app_data(web::Data::new(clients))
            .app_data(web::Data::new(jwt_signer.clone()))
            .app_data(web::Data::new(webauthn_manager.clone()))
            .wrap(
                middleware::DefaultHeaders::new().add(("Permissions-Policy", "interest-cohort=()")),
            )
            .wrap(Logger::default())
            .wrap(AuthMiddleware {})
            .wrap(identity_middleware)
            .wrap(session_mw)
            // main route
            .route(
                "/",
                web::get().to(|| async {
                    HttpResponse::Found()
                        .append_header(("Location", "/settings"))
                        .finish()
                }),
            )
            .route("/robots.txt", web::get().to(assets_controller::robots_txt))
            // health route
            .service(health)
            // Assets serving
            .route("/assets/{path:.*}", web::get().to(assets_route))
            // Login pages
            .route("/logout", web::get().to(login_controller::logout_route))
            .route("/login", web::get().to(login_controller::login_route))
            .route("/login", web::post().to(login_controller::login_route))
            .route(
                "/reset_password",
                web::get().to(login_controller::reset_password_route),
            )
            .route(
                "/reset_password",
                web::post().to(login_controller::reset_password_route),
            )
            .route(
                "/2fa_auth",
                web::get().to(login_controller::choose_2fa_method),
            )
            .route("/2fa_otp", web::get().to(login_controller::login_with_otp))
            .route("/2fa_otp", web::post().to(login_controller::login_with_otp))
            .route(
                "/2fa_webauthn",
                web::get().to(login_controller::login_with_webauthn),
            )
            // Login api
            .route(
                "/login/api/auth_webauthn",
                web::post().to(login_api::auth_webauthn),
            )
            // Settings routes
            .route(
                "/settings",
                web::get().to(settings_controller::account_settings_details_route),
            )
            .route(
                "/settings/change_password",
                web::get().to(settings_controller::change_password_route),
            )
            .route(
                "/settings/change_password",
                web::post().to(settings_controller::change_password_route),
            )
            .route(
                "/settings/two_factors",
                web::get().to(two_factors_controller::two_factors_route),
            )
            .route(
                "/settings/two_factors/add_totp",
                web::get().to(two_factors_controller::add_totp_factor_route),
            )
            .route(
                "/settings/two_factors/add_webauthn",
                web::get().to(two_factors_controller::add_webauthn_factor_route),
            )
            // User API
            .route(
                "/settings/api/two_factor/save_totp_factor",
                web::post().to(two_factor_api::save_totp_factor),
            )
            .route(
                "/settings/api/two_factor/save_webauthn_factor",
                web::post().to(two_factor_api::save_webauthn_factor),
            )
            .route(
                "/settings/api/two_factor/delete_factor",
                web::post().to(two_factor_api::delete_factor),
            )
            .route(
                "/settings/api/two_factor/clear_login_history",
                // Use POST to prevent CSRF
                web::post().to(two_factor_api::clear_login_history),
            )
            // Admin routes
            .route(
                "/admin",
                web::get().to(|| async {
                    HttpResponse::Found()
                        .append_header(("Location", "/settings"))
                        .finish()
                }),
            )
            .route(
                "/admin/clients",
                web::get().to(admin_controller::clients_route),
            )
            .route("/admin/users", web::get().to(admin_controller::users_route))
            .route(
                "/admin/users",
                web::post().to(admin_controller::users_route),
            )
            .route(
                "/admin/create_user",
                web::get().to(admin_controller::create_user),
            )
            .route(
                "/admin/edit_user",
                web::get().to(admin_controller::edit_user),
            )
            // Admin API
            .route(
                "/admin/api/find_username",
                web::post().to(admin_api::find_username),
            )
            .route(
                "/admin/api/delete_user",
                web::post().to(admin_api::delete_user),
            )
            // OpenID routes
            .route(
                "/.well-known/openid-configuration",
                web::get().to(openid_controller::get_configuration),
            )
            .route(AUTHORIZE_URI, web::get().to(openid_controller::authorize))
            .route(TOKEN_URI, web::post().to(openid_controller::token))
            .route(CERT_URI, web::get().to(openid_controller::cert_uri))
            .route(
                USERINFO_URI,
                web::post().to(openid_controller::user_info_post),
            )
            .route(
                USERINFO_URI,
                web::get().to(openid_controller::user_info_get),
            )
    })
    .bind(listen_address)?
    .run()
    .await
}
Update actix_identity 2022-07-22 10:21:38 +00:00			`use core::time::Duration;`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`use std::sync::Arc;`

Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`use actix::Actor;`
Update actix_identity 2022-07-22 10:21:38 +00:00			`use actix_identity::config::LogoutBehaviour;`
			`use actix_identity::IdentityMiddleware;`
			`use actix_session::storage::CookieSessionStore;`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`use actix_session::SessionMiddleware;`
Update actix_identity 2022-07-22 10:21:38 +00:00			`use actix_web::cookie::{Key, SameSite};`
Ready to implement login page 2022-03-30 08:29:10 +00:00			`use actix_web::middleware::Logger;`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`use actix_web::{get, middleware, web, App, HttpResponse, HttpServer};`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00
Automatically clean failed login attempts 2022-04-03 14:45:25 +00:00			`use basic_oidc::actors::bruteforce_actor::BruteForceActor;`
Save open id session 2022-04-09 10:18:59 +00:00			`use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor;`
Refactor users management (#2) * Create UserBackend trait 2022-11-19 17:18:46 +00:00			`use basic_oidc::actors::users_actor::{UsersActor, UsersBackend};`
Dynamically check username 2022-04-07 15:57:10 +00:00			`use basic_oidc::constants::*;`
Migrate to actix 2022-03-30 08:14:39 +00:00			`use basic_oidc::controllers::assets_controller::assets_route;`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`use basic_oidc::controllers::*;`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00			`use basic_oidc::data::app_config::AppConfig;`
Load a list of clients 2022-04-06 15:18:06 +00:00			`use basic_oidc::data::client::ClientManager;`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00			`use basic_oidc::data::entity_manager::EntityManager;`
Emit id_token 2022-04-13 17:07:58 +00:00			`use basic_oidc::data::jwt_signer::JWTSigner;`
Refactor users management * Shard `src/data/user.rs` into two different files * One for user data structure (same file) * One for user manipulation (new file: `user_file_entity.rs`) * Isolate password hashing and verification 2022-11-19 16:52:35 +00:00			`use basic_oidc::data::user::User;`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`use basic_oidc::data::webauthn_manager::WebAuthManager;`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`use basic_oidc::middlewares::auth_middleware::AuthMiddleware;`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00
			`#[get("/health")]`
Migrate to actix 2022-03-30 08:14:39 +00:00			`async fn health() -> &'static str {`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00			`"Running"`
Initial commit 2022-03-29 16:19:23 +00:00			`}`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00
Migrate to actix 2022-03-30 08:14:39 +00:00			`#[actix_web::main]`
			`async fn main() -> std::io::Result<()> {`
			`env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00
Add IP location service 2022-11-12 16:01:45 +00:00			`let config = AppConfig::get();`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00
			`if !config.storage_path().exists() {`
Fix coding style issue 2022-03-30 06:42:18 +00:00			`log::error!(`
			`"Specified storage path {:?} does not exists!",`
			`config.storage_path()`
			`);`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00			`panic!()`
			`}`

			`let mut users = EntityManager::<User>::open_or_create(config.users_file())`
			`.expect("Failed to load users list!");`

			`// Create initial user if required`
Fix coding style issue 2022-03-30 06:42:18 +00:00			`if users.is_empty() {`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00			`log::info!("Create default {} user", DEFAULT_ADMIN_USERNAME);`
Fix coding style issue 2022-03-30 06:42:18 +00:00			`let default_admin = User {`
			`username: DEFAULT_ADMIN_USERNAME.to_string(),`
Start to build edit user form 2022-04-07 15:32:29 +00:00			`authorized_clients: None,`
Fix coding style issue 2022-03-30 06:42:18 +00:00			`admin: true,`
			`..Default::default()`
			`};`

			`users`
Refactor users management * Shard `src/data/user.rs` into two different files * One for user data structure (same file) * One for user manipulation (new file: `user_file_entity.rs`) * Isolate password hashing and verification 2022-11-19 16:52:35 +00:00			`.insert(default_admin.clone())`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00			`.expect("Failed to create initial user!");`
Refactor users management * Shard `src/data/user.rs` into two different files * One for user data structure (same file) * One for user manipulation (new file: `user_file_entity.rs`) * Isolate password hashing and verification 2022-11-19 16:52:35 +00:00
			`// Set default admin password`
			`users.change_user_password(&default_admin.uid, DEFAULT_ADMIN_PASSWORD, true);`
Automatically create admin on first start 2022-03-29 17:32:31 +00:00			`}`

Create users actor 2022-03-30 09:40:03 +00:00			`let users_actor = UsersActor::new(users).start();`
Automatically clean failed login attempts 2022-04-03 14:45:25 +00:00			`let bruteforce_actor = BruteForceActor::default().start();`
Save open id session 2022-04-09 10:18:59 +00:00			`let openid_sessions_actor = OpenIDSessionsActor::default().start();`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`let jwt_signer = JWTSigner::gen_from_memory().expect("Failed to generate JWKS key");`
Add IP location service 2022-11-12 16:01:45 +00:00			`let webauthn_manager = Arc::new(WebAuthManager::init(config));`
Create users actor 2022-03-30 09:40:03 +00:00
Migrate to actix 2022-03-30 08:14:39 +00:00			`log::info!("Server will listen on {}", config.listen_address);`
Block POST requests from unknown origins 2022-04-03 13:48:45 +00:00			`let listen_address = config.listen_address.to_string();`
Migrate to actix 2022-03-30 08:14:39 +00:00
Create users actor 2022-03-30 09:40:03 +00:00			`HttpServer::new(move \|\| {`
Can specify environment variables in client configuration 2022-04-15 19:58:07 +00:00			`let mut clients = ClientManager::open_or_create(config.clients_file())`
Load a list of clients 2022-04-06 15:18:06 +00:00			`.expect("Failed to load clients list!");`
Can specify environment variables in client configuration 2022-04-15 19:58:07 +00:00			`clients.apply_environment_variables();`
Load a list of clients 2022-04-06 15:18:06 +00:00
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`let session_mw = SessionMiddleware::builder(`
			`CookieSessionStore::default(),`
			`Key::from(config.token_key.as_bytes()),`
			`)`
			`.cookie_name(SESSION_COOKIE_NAME.to_string())`
			`.cookie_secure(config.secure_cookie())`
			`.cookie_same_site(SameSite::Lax)`
			`.build();`
Update actix_identity 2022-07-22 10:21:38 +00:00
			`let identity_middleware = IdentityMiddleware::builder()`
			`.logout_behaviour(LogoutBehaviour::PurgeSession)`
			`.visit_deadline(Some(Duration::from_secs(MAX_INACTIVITY_DURATION)))`
			`.login_deadline(Some(Duration::from_secs(MAX_SESSION_DURATION)))`
			`.build();`
Add actix-identity crate 2022-03-30 14:58:00 +00:00
Migrate to actix 2022-03-30 08:14:39 +00:00			`App::new()`
Create users actor 2022-03-30 09:40:03 +00:00			`.app_data(web::Data::new(users_actor.clone()))`
Automatically clean failed login attempts 2022-04-03 14:45:25 +00:00			`.app_data(web::Data::new(bruteforce_actor.clone()))`
Save open id session 2022-04-09 10:18:59 +00:00			`.app_data(web::Data::new(openid_sessions_actor.clone()))`
Load a list of clients 2022-04-06 15:18:06 +00:00			`.app_data(web::Data::new(clients))`
Emit id_token 2022-04-13 17:07:58 +00:00			`.app_data(web::Data::new(jwt_signer.clone()))`
Generate & return webauthn registration challenge 2022-04-20 19:06:53 +00:00			`.app_data(web::Data::new(webauthn_manager.clone()))`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.wrap(`
			`middleware::DefaultHeaders::new().add(("Permissions-Policy", "interest-cohort=()")),`
			`)`
Ready to implement login page 2022-03-30 08:29:10 +00:00			`.wrap(Logger::default())`
Start to implement auth middleware 2022-04-02 13:44:09 +00:00			`.wrap(AuthMiddleware {})`
Update actix_identity 2022-07-22 10:21:38 +00:00			`.wrap(identity_middleware)`
			`.wrap(session_mw)`
Add home route 2022-04-04 15:43:53 +00:00			`// main route`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/",`
			`web::get().to(\|\| async {`
			`HttpResponse::Found()`
			`.append_header(("Location", "/settings"))`
			`.finish()`
			`}),`
			`)`
Block pages indexing 2022-04-23 18:41:31 +00:00			`.route("/robots.txt", web::get().to(assets_controller::robots_txt))`
Display account details 2022-04-04 15:39:23 +00:00			`// health route`
Migrate to actix 2022-03-30 08:14:39 +00:00			`.service(health)`
Create users actor 2022-03-30 09:40:03 +00:00			`// Assets serving`
Migrate to actix 2022-03-30 08:14:39 +00:00			`.route("/assets/{path:.*}", web::get().to(assets_route))`
Managed to authenticate user using Webauthn 2022-04-23 18:17:49 +00:00			`// Login pages`
			`.route("/logout", web::get().to(login_controller::logout_route))`
Refactor login flow 2022-04-19 15:49:57 +00:00			`.route("/login", web::get().to(login_controller::login_route))`
			`.route("/login", web::post().to(login_controller::login_route))`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/reset_password",`
			`web::get().to(login_controller::reset_password_route),`
			`)`
			`.route(`
			`"/reset_password",`
			`web::post().to(login_controller::reset_password_route),`
			`)`
			`.route(`
			`"/2fa_auth",`
			`web::get().to(login_controller::choose_2fa_method),`
			`)`
Display form to enter OTP code 2022-04-19 17:24:07 +00:00			`.route("/2fa_otp", web::get().to(login_controller::login_with_otp))`
			`.route("/2fa_otp", web::post().to(login_controller::login_with_otp))`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/2fa_webauthn",`
			`web::get().to(login_controller::login_with_webauthn),`
			`)`
Managed to authenticate user using Webauthn 2022-04-23 18:17:49 +00:00			`// Login api`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/login/api/auth_webauthn",`
			`web::post().to(login_api::auth_webauthn),`
			`)`
Display account details 2022-04-04 15:39:23 +00:00			`// Settings routes`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/settings",`
			`web::get().to(settings_controller::account_settings_details_route),`
			`)`
			`.route(`
			`"/settings/change_password",`
			`web::get().to(settings_controller::change_password_route),`
			`)`
			`.route(`
			`"/settings/change_password",`
			`web::post().to(settings_controller::change_password_route),`
			`)`
			`.route(`
			`"/settings/two_factors",`
			`web::get().to(two_factors_controller::two_factors_route),`
			`)`
			`.route(`
			`"/settings/two_factors/add_totp",`
			`web::get().to(two_factors_controller::add_totp_factor_route),`
			`)`
			`.route(`
			`"/settings/two_factors/add_webauthn",`
			`web::get().to(two_factors_controller::add_webauthn_factor_route),`
			`)`
Can register Authenticator app 2022-04-19 09:01:31 +00:00			`// User API`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/settings/api/two_factor/save_totp_factor",`
			`web::post().to(two_factor_api::save_totp_factor),`
			`)`
			`.route(`
			`"/settings/api/two_factor/save_webauthn_factor",`
			`web::post().to(two_factor_api::save_webauthn_factor),`
			`)`
			`.route(`
			`"/settings/api/two_factor/delete_factor",`
			`web::post().to(two_factor_api::delete_factor),`
			`)`
User can delete his own 2FA login history 2022-11-12 10:50:32 +00:00			`.route(`
			`"/settings/api/two_factor/clear_login_history",`
			`// Use POST to prevent CSRF`
			`web::post().to(two_factor_api::clear_login_history),`
			`)`
Load a list of clients 2022-04-06 15:18:06 +00:00			`// Admin routes`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/admin",`
			`web::get().to(\|\| async {`
			`HttpResponse::Found()`
			`.append_header(("Location", "/settings"))`
			`.finish()`
			`}),`
			`)`
			`.route(`
			`"/admin/clients",`
			`web::get().to(admin_controller::clients_route),`
			`)`
Display the list of users 2022-04-06 16:03:00 +00:00			`.route("/admin/users", web::get().to(admin_controller::users_route))`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/admin/users",`
			`web::post().to(admin_controller::users_route),`
			`)`
			`.route(`
			`"/admin/create_user",`
			`web::get().to(admin_controller::create_user),`
			`)`
			`.route(`
			`"/admin/edit_user",`
			`web::get().to(admin_controller::edit_user),`
			`)`
Dynamically check username 2022-04-07 15:57:10 +00:00			`// Admin API`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/admin/api/find_username",`
			`web::post().to(admin_api::find_username),`
			`)`
			`.route(`
			`"/admin/api/delete_user",`
			`web::post().to(admin_api::delete_user),`
			`)`
Check OpenID request parameters 2022-04-09 09:30:23 +00:00			`// OpenID routes`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`"/.well-known/openid-configuration",`
			`web::get().to(openid_controller::get_configuration),`
			`)`
Add `/openid/token` route 2022-04-12 18:40:44 +00:00			`.route(AUTHORIZE_URI, web::get().to(openid_controller::authorize))`
			`.route(TOKEN_URI, web::post().to(openid_controller::token))`
Emit id_token 2022-04-13 17:07:58 +00:00			`.route(CERT_URI, web::get().to(openid_controller::cert_uri))`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.route(`
			`USERINFO_URI,`
			`web::post().to(openid_controller::user_info_post),`
			`)`
			`.route(`
			`USERINFO_URI,`
			`web::get().to(openid_controller::user_info_get),`
			`)`
Migrate to actix 2022-03-30 08:14:39 +00:00			`})`
Merge factors type for authentication 2022-11-11 11:26:02 +00:00			`.bind(listen_address)?`
			`.run()`
			`.await`
Fix coding style issue 2022-03-30 06:42:18 +00:00			`}`