Rust Edition 2024

This commit is contained in:
2025-03-28 14:40:35 +01:00
parent 19f99cf9b9
commit b77e7895b7
26 changed files with 102 additions and 60 deletions


@ -6,7 +6,7 @@ use actix::Addr;
use actix_identity::Identity;
use actix_remote_ip::RemoteIP;
use actix_web::dev::Payload;
use actix_web::{web, Error, FromRequest, HttpRequest};
use actix_web::{Error, FromRequest, HttpRequest, web};
use crate::actors::providers_states_actor::ProviderLoginState;
use crate::actors::users_actor;
@ -142,27 +142,56 @@ impl Action<'_> {
false => format!("performed FAILED webauthn attempt for user {user_id:?}"),
},
Action::StartLoginAttemptWithOpenIDProvider { provider_id, state } => format!(
"started new authentication attempt through an OpenID provider (prov={} / state={state})", provider_id.0
"started new authentication attempt through an OpenID provider (prov={} / state={state})",
provider_id.0
),
Action::ProviderError { message } => {
format!("failed provider authentication with message '{message}'")
}
Action::ProviderCBInvalidState { state } => {
format!("provided invalid callback state after provider authentication: '{state}'")
}
Action::ProviderRateLimited => {
"could not complete OpenID login because it has reached failed attempts rate limit!"
.to_string()
}
Action::ProviderFailedGetToken { state, code } => format!(
"could not complete login from provider because the id_token could not be retrieved! (state={:?} code = {code})",
state
),
Action::ProviderFailedGetUserInfo { provider } => format!(
"could not get user information from userinfo endpoint of provider {}!",
provider.id.0
),
Action::ProviderEmailNotValidated { provider } => format!(
"could not login using provider {} because its email was marked as not validated!",
provider.id.0
),
Action::ProviderMissingEmailInResponse { provider } => format!(
"could not login using provider {} because the email was not provided by userinfo endpoint!",
provider.id.0
),
Action::ProviderAccountNotFound { provider, email } => format!(
"could not login using provider {} because the email {email} could not be associated to any account!",
&provider.id.0
),
Action::ProviderAccountDisabled { provider, email } => format!(
"could not login using provider {} because the account associated to the email {email} is disabled!",
&provider.id.0
),
Action::ProviderAccountNotAllowedToLoginWithProvider { provider, email } => format!(
"could not login using provider {} because the account associated to the email {email} is not allowed to authenticate using this provider!",
&provider.id.0
),
Action::ProviderLoginFailed { provider, email } => format!(
"could not login using provider {} with the email {email} for an unknown reason!",
&provider.id.0
),
Action::ProviderLoginSuccessful { provider, user } => format!(
"successfully authenticated using provider {} as {}",
provider.id.0,
user.quick_identity()
),
Action::ProviderError { message } =>
format!("failed provider authentication with message '{message}'"),
Action::ProviderCBInvalidState { state } =>
format!("provided invalid callback state after provider authentication: '{state}'"),
Action::ProviderRateLimited => "could not complete OpenID login because it has reached failed attempts rate limit!".to_string(),
Action::ProviderFailedGetToken {state, code} => format!("could not complete login from provider because the id_token could not be retrieved! (state={:?} code = {code})",state),
Action::ProviderFailedGetUserInfo {provider} => format!("could not get user information from userinfo endpoint of provider {}!", provider.id.0),
Action::ProviderEmailNotValidated {provider}=>format!("could not login using provider {} because its email was marked as not validated!", provider.id.0),
Action::ProviderMissingEmailInResponse {provider}=>format!("could not login using provider {} because the email was not provided by userinfo endpoint!", provider.id.0),
Action::ProviderAccountNotFound { provider, email } =>
format!("could not login using provider {} because the email {email} could not be associated to any account!", &provider.id.0),
Action::ProviderAccountDisabled { provider, email } =>
format!("could not login using provider {} because the account associated to the email {email} is disabled!", &provider.id.0),
Action::ProviderAccountNotAllowedToLoginWithProvider { provider, email } =>
format!("could not login using provider {} because the account associated to the email {email} is not allowed to authenticate using this provider!", &provider.id.0),
Action::ProviderLoginFailed { provider, email } =>
format!("could not login using provider {} with the email {email} for an unknown reason!", &provider.id.0),
Action::ProviderLoginSuccessful {provider, user} =>
format!("successfully authenticated using provider {} as {}", provider.id.0, user.quick_identity()),
Action::Signout => "signed out".to_string(),
Action::UserNeed2FAOnLogin(user) => {
format!(
@ -181,7 +210,9 @@ impl Action<'_> {
format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT")
}
Action::TryLocalLoginFromUnauthorizedAccount(login) => {
format!("successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!")
format!(
"successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!"
)
}
Action::FailedLoginWithBadCredentials(login) => {
format!("attempted to authenticate as {login} but with a WRONG PASSWORD")
@ -202,7 +233,10 @@ impl Action<'_> {
Action::NewOpenIDSession { client } => {
format!("opened a new OpenID session with {:?}", client.id)
}
Action::NewOpenIDSuccessfulImplicitAuth { client } => format!("finished an implicit flow connection for client {:?}", client.id),
Action::NewOpenIDSuccessfulImplicitAuth { client } => format!(
"finished an implicit flow connection for client {:?}",
client.id
),
Action::ChangedHisPassword => "changed his password".to_string(),
Action::ClearedHisLoginHistory => "cleared his login history".to_string(),
Action::AddNewFactor(factor) => format!(
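Review bot: `ProviderFailedGetToken` writes the OAuth authorization `code` verbatim into the audit message (`(state={:?} code = {code})`); when token retrieval fails for a transient reason the code may still be redeemable, so a short-lived credential ends up in the log store. Dropping it, `"could not complete login from provider because the id_token could not be retrieved! (state={state:?})"`, or logging only a prefix or hash of it, would be safer. Along the same lines, `ProviderCBInvalidState` interpolates the attacker-supplied callback `state` with `{state}`; `{state:?}` would escape control characters and newlines so a crafted value cannot forge extra log lines. Only the formatting changed in this hunk, so these points predate the commit; the enclosing `impl Action<'_>` method starts before the hunk and continues past it.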


@ -1,5 +1,5 @@
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use base64::Engine as _;
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use crate::utils::crypt_utils::sha256;


@ -1,6 +1,6 @@
use crate::data::current_user::CurrentUser;
use crate::data::from_request_redirect::FromRequestRedirect;
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
use actix_web::dev::Payload;
use actix_web::{FromRequest, HttpRequest};
use std::future::Future;


@ -6,7 +6,7 @@ use actix::Addr;
use actix_identity::Identity;
use actix_web::dev::Payload;
use actix_web::error::ErrorInternalServerError;
use actix_web::{web, Error, FromRequest, HttpRequest};
use actix_web::{Error, FromRequest, HttpRequest, web};
use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor;


@ -20,7 +20,10 @@ where
/// Open entity
pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> {
if !path.as_ref().is_file() {
log::warn!("Entities at {:?} does not point to a file, creating a new empty entity container...", path.as_ref());
log::warn!(
"Entities at {:?} does not point to a file, creating a new empty entity container...",
path.as_ref()
);
return Ok(Self {
file_path: path.as_ref().to_path_buf(),
list: vec![],


@ -2,7 +2,7 @@ use crate::data::current_user::CurrentUser;
use crate::data::session_identity::SessionIdentity;
use actix_identity::Identity;
use actix_web::dev::Payload;
use actix_web::{web, Error, FromRequest, HttpRequest};
use actix_web::{Error, FromRequest, HttpRequest, web};
use std::future::Future;
use std::pin::Pin;


@ -1,12 +1,12 @@
use jwt_simple::algorithms::RSAKeyPairLike;
use jwt_simple::claims::JWTClaims;
use jwt_simple::prelude::RS256KeyPair;
use serde::de::DeserializeOwned;
use serde::Serialize;
use serde::de::DeserializeOwned;
use base64::Engine as _;
use base64::engine::general_purpose::URL_SAFE as BASE64_URL_URL_SAFE;
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use base64::Engine as _;
use crate::utils::err::Res;
use crate::utils::string_utils::rand_str;


@ -26,7 +26,9 @@ impl ProviderConfiguration {
let state = urlencoding::encode(&state.state_id).to_string();
let callback_url = AppConfig::get().oidc_provider_redirect_url();
format!("{authorization_url}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={callback_url}")
format!(
"{authorization_url}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={callback_url}"
)
}
/// Retrieve the authorization token after a successful authentication, using an authorization code
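Review bot: In the authorization URL assembled by the reflowed `format!`, only `state` goes through `urlencoding::encode`; `client_id` and `callback_url` are interpolated raw, so a redirect URL containing `?`, `&` or `#` would be split by the provider into separate query parameters and fail its exact-match `redirect_uri` check, or be interpreted differently than intended by a lenient provider. Encoding it the same way as `state`, `let callback_url = urlencoding::encode(&AppConfig::get().oidc_provider_redirect_url()).to_string();` (assuming that getter returns a `String` or `&str`), keeps the parameters consistent; whether `client_id` needs the same treatment depends on its allowed character set, which is not visible here. The request also carries no `nonce` or PKCE `code_challenge`; if the callback handler does not bind the returned ID token to the session by other means, adding PKCE would be worth considering. The enclosing function begins before this hunk, so its signature and the origin of `state` are not visible.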


@ -80,7 +80,7 @@ impl TotpKey {
/// Get the code at a specific time
fn get_code_at<F: Fn() -> u64>(&self, get_time: F) -> Res<String> {
let gen = TotpGenerator::new()
let generator = TotpGenerator::new()
.set_digit(NUM_DIGITS)
.unwrap()
.set_step(PERIOD)
@ -98,7 +98,7 @@ impl TotpKey {
Some(k) => k,
};
Ok(gen.get_code_with(&key, get_time))
Ok(generator.get_code_with(&key, get_time))
}
/// Check a code's validity


@ -3,7 +3,7 @@ use std::net::IpAddr;
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBackend};
use crate::data::entity_manager::EntityManager;
use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
use crate::utils::err::{new_error, Res};
use crate::utils::err::{Res, new_error};
use crate::utils::time::time;
impl EntityManager<User> {