BasicOIDC/src/middlewares/auth_middleware.rs

161 lines
5.4 KiB
Rust
Raw Normal View History

2022-04-02 13:44:09 +00:00
//! # Authentication middleware
use std::future::{Future, ready, Ready};
2022-04-02 13:58:31 +00:00
use std::pin::Pin;
use std::rc::Rc;
2022-04-02 13:44:09 +00:00
use actix_identity::RequestIdentity;
2022-04-03 13:50:49 +00:00
use actix_web::{
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
Error, HttpResponse, web,
2022-04-03 13:50:49 +00:00
};
use actix_web::body::EitherBody;
use actix_web::http::{header, Method};
2022-04-02 17:23:32 +00:00
use askama::Template;
2022-04-02 13:44:09 +00:00
2022-04-14 16:39:18 +00:00
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES, AUTHORIZE_URI, TOKEN_URI, USERINFO_URI};
use crate::controllers::base_controller::{FatalErrorPage, redirect_user_for_login};
use crate::data::app_config::AppConfig;
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
2022-04-02 13:44:09 +00:00
// There are two steps in middleware processing.
// 1. Middleware initialization, middleware factory gets called with
// next service in chain as parameter.
// 2. Middleware's call method gets called with normal request.
pub struct AuthMiddleware;
// Middleware factory is `Transform` trait
// `S` - type of the next service
// `B` - type of response's body
impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
where
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
S::Future: 'static,
B: 'static,
2022-04-02 13:44:09 +00:00
{
2022-04-02 13:58:31 +00:00
type Response = ServiceResponse<EitherBody<B>>;
2022-04-02 13:44:09 +00:00
type Error = Error;
2022-04-02 13:58:31 +00:00
type Transform = AuthInnerMiddleware<S>;
2022-04-02 13:44:09 +00:00
type InitError = ();
type Future = Ready<Result<Self::Transform, Self::InitError>>;
fn new_transform(&self, service: S) -> Self::Future {
2022-04-03 13:50:49 +00:00
ready(Ok(AuthInnerMiddleware {
service: Rc::new(service),
}))
2022-04-02 13:44:09 +00:00
}
}
2022-04-02 15:03:51 +00:00
#[derive(Debug)]
enum ConnStatus {
2022-04-02 15:03:51 +00:00
SignedOut,
RegularUser,
Admin,
2022-04-02 15:03:51 +00:00
}
impl ConnStatus {
pub fn is_auth(&self) -> bool {
!matches!(self, ConnStatus::SignedOut)
}
pub fn is_admin(&self) -> bool {
matches!(self, ConnStatus::Admin)
}
}
2022-04-02 17:23:32 +00:00
2022-04-02 13:58:31 +00:00
pub struct AuthInnerMiddleware<S> {
service: Rc<S>,
2022-04-02 13:44:09 +00:00
}
2022-04-02 13:58:31 +00:00
impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
where
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static,
S::Future: 'static,
B: 'static,
2022-04-02 13:44:09 +00:00
{
2022-04-02 13:58:31 +00:00
type Response = ServiceResponse<EitherBody<B>>;
2022-04-02 13:44:09 +00:00
type Error = Error;
2022-04-02 15:03:51 +00:00
#[allow(clippy::type_complexity)]
type Future = Pin<Box<dyn Future<Output=Result<Self::Response, Self::Error>>>>;
2022-04-02 13:44:09 +00:00
forward_ready!(service);
fn call(&self, req: ServiceRequest) -> Self::Future {
2022-04-02 13:58:31 +00:00
let service = Rc::clone(&self.service);
2022-04-02 13:44:09 +00:00
// Forward request
2022-04-02 13:58:31 +00:00
Box::pin(async move {
let config: &web::Data<AppConfig> = req.app_data().expect("AppData undefined!");
// Check if POST request comes from another website (block invalid origins)
let origin = req.headers().get(header::ORIGIN);
2022-04-14 16:39:18 +00:00
if req.method() == Method::POST && req.path() != TOKEN_URI && req.path() != USERINFO_URI {
if let Some(o) = origin {
if !o.to_str().unwrap_or("bad").eq(&config.website_origin) {
2022-04-03 13:50:49 +00:00
log::warn!(
"Blocked POST request from invalid origin! Origin given {:?}",
o
);
return Ok(req.into_response(
HttpResponse::Unauthorized()
.body("POST request from invalid origin!")
2022-04-03 13:50:49 +00:00
.map_into_right_body(),
));
}
}
}
2022-04-02 13:58:31 +00:00
if req.path().starts_with("/.git") {
return Ok(req.into_response(
HttpResponse::Unauthorized()
.body("Hey don't touch this!")
2022-04-03 13:50:49 +00:00
.map_into_right_body(),
2022-04-02 13:58:31 +00:00
));
}
let session = match SessionIdentity::deserialize_session_data(req.get_identity()) {
2022-04-03 13:50:49 +00:00
Some(SessionIdentityData {
status: SessionStatus::SignedIn,
is_admin: true,
..
}) => ConnStatus::Admin,
2022-04-03 13:50:49 +00:00
Some(SessionIdentityData {
status: SessionStatus::SignedIn,
..
}) => ConnStatus::RegularUser,
_ => ConnStatus::SignedOut,
};
// Redirect user to login page
2022-04-03 13:50:49 +00:00
if !session.is_auth()
&& (req.path().starts_with(ADMIN_ROUTES)
2022-04-09 09:30:23 +00:00
|| req.path().starts_with(AUTHENTICATED_ROUTES) || req.path().eq(AUTHORIZE_URI))
2022-04-03 13:50:49 +00:00
{
2022-04-09 09:30:23 +00:00
let path = req.uri().to_string();
2022-04-03 13:50:49 +00:00
return Ok(req
.into_response(redirect_user_for_login(path))
.map_into_right_body());
}
2022-04-02 17:23:32 +00:00
// Restrict access to admin pages
if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
2022-04-03 13:50:49 +00:00
return Ok(req
.into_response(
HttpResponse::Unauthorized()
.body(FatalErrorPage {
message: "You are not allowed to access this resource."
}.render().unwrap()),
2022-04-03 13:50:49 +00:00
)
2022-04-02 17:23:32 +00:00
.map_into_right_body());
}
2022-04-02 15:03:51 +00:00
2022-04-02 13:58:31 +00:00
service
.call(req)
.await
.map(ServiceResponse::map_into_left_body)
})
2022-04-02 13:44:09 +00:00
}
}