pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests 1 Projects Releases Wiki Activity

Format code

Browse Source
This commit is contained in:
Pierre HUBERT 2022-04-03 15:50:49 +02:00
parent 9236b91f12
commit b965fa6b4f
20 changed files with 149 additions and 106 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/actors/users_actor.rs
View File

@ -1,7 +1,7 @@
use actix::{Actor, Context, Handler, Message, MessageResult}; use actix::{Actor, Context, Handler, Message, MessageResult};
use crate::data::entity_manager::EntityManager; use crate::data::entity_manager::EntityManager;
use crate::data::user::{User, UserID, verify_password}; use crate::data::user::{verify_password, User, UserID};
#[derive(Debug)] #[derive(Debug)]
pub enum LoginResult { pub enum LoginResult {
@ -29,7 +29,6 @@ pub struct ChangePasswordRequest {
pub temporary: bool, pub temporary: bool,
} }
pub struct UsersActor { pub struct UsersActor {
manager: EntityManager<User>, manager: EntityManager<User>,
} }
@ -69,7 +68,10 @@ impl Handler<ChangePasswordRequest> for UsersActor {
type Result = MessageResult<ChangePasswordRequest>; type Result = MessageResult<ChangePasswordRequest>;
fn handle(&mut self, msg: ChangePasswordRequest, _ctx: &mut Self::Context) -> Self::Result { fn handle(&mut self, msg: ChangePasswordRequest, _ctx: &mut Self::Context) -> Self::Result {
MessageResult(ChangePasswordResult( MessageResult(ChangePasswordResult(self.manager.change_user_password(
self.manager.change_user_password(&msg.user_id, &msg.new_password, msg.temporary))) &msg.user_id,
&msg.new_password,
msg.temporary,
)))
} }
} }

4
src/controllers/assets_controller.rs
View File

@ -1,7 +1,7 @@
use std::path::Path; use std::path::Path;
use actix_web::{HttpResponse, web}; use actix_web::{web, HttpResponse};
use include_dir::{Dir, include_dir}; use include_dir::{include_dir, Dir};
/// Assets directory /// Assets directory
static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets"); static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets");

6
src/controllers/base_controller.rs
View File

@ -16,7 +16,11 @@ pub fn redirect_user_for_login<P: Display>(redirect_uri: P) -> HttpResponse {
HttpResponse::Found() HttpResponse::Found()
.append_header(( .append_header((
"Location", "Location",
format!("{}?redirect={}", LOGIN_ROUTE, urlencoding::encode(&redirect_uri.to_string())) format!(
"{}?redirect={}",
LOGIN_ROUTE,
urlencoding::encode(&redirect_uri.to_string())
),
)) ))
.finish() .finish()
} }

51
src/controllers/login_controller.rs
View File

@ -1,10 +1,10 @@
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_web::{HttpResponse, Responder, web}; use actix_web::{web, HttpResponse, Responder};
use askama::Template; use askama::Template;
use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor};
use crate::actors::users_actor; use crate::actors::users_actor;
use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor};
use crate::constants::{APP_NAME, MIN_PASS_LEN}; use crate::constants::{APP_NAME, MIN_PASS_LEN};
use crate::controllers::base_controller::redirect_user; use crate::controllers::base_controller::redirect_user;
use crate::data::session_identity::{SessionIdentity, SessionStatus}; use crate::data::session_identity::{SessionIdentity, SessionStatus};
@ -46,10 +46,12 @@ pub struct LoginRequestQuery {
} }
/// Authenticate user /// Authenticate user
pub async fn login_route(users: web::Data<Addr<UsersActor>>, pub async fn login_route(
users: web::Data<Addr<UsersActor>>,
query: web::Query<LoginRequestQuery>, query: web::Query<LoginRequestQuery>,
req: Option<web::Form<LoginRequestBody>>, req: Option<web::Form<LoginRequestBody>>,
id: Identity) -> impl Responder { id: Identity,
) -> impl Responder {
let mut danger = String::new(); let mut danger = String::new();
let mut success = String::new(); let mut success = String::new();
let mut login = String::new(); let mut login = String::new();
@ -59,7 +61,7 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
Some(s) => match s.starts_with('/') && !s.starts_with("//") { Some(s) => match s.starts_with('/') && !s.starts_with("//") {
true => s, true => s,
false => "/", false => "/",
} },
}; };
// Check if user session must be closed // Check if user session must be closed
@ -78,11 +80,14 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
if req.password.len() < MIN_PASS_LEN { if req.password.len() < MIN_PASS_LEN {
danger = "Password is too short!".to_string(); danger = "Password is too short!".to_string();
} else { } else {
let res: ChangePasswordResult = users.send(users_actor::ChangePasswordRequest { let res: ChangePasswordResult = users
.send(users_actor::ChangePasswordRequest {
user_id: SessionIdentity(&id).user_id(), user_id: SessionIdentity(&id).user_id(),
new_password: req.password.clone(), new_password: req.password.clone(),
temporary: false, temporary: false,
}).await.unwrap(); })
.await
.unwrap();
if !res.0 { if !res.0 {
danger = "Failed to change password!".to_string(); danger = "Failed to change password!".to_string();
@ -92,16 +97,16 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
} }
} }
} }
// Try to authenticate user // Try to authenticate user
else if let Some(req) = &req { else if let Some(req) = &req {
// TODO : check request origin (check for valid Referer)
login = req.login.clone(); login = req.login.clone();
let response: LoginResult = users.send(users_actor::LoginRequest { let response: LoginResult = users
.send(users_actor::LoginRequest {
login: login.clone(), login: login.clone(),
password: req.password.clone(), password: req.password.clone(),
}).await.unwrap(); })
.await
.unwrap();
match response { match response {
LoginResult::Success(user) => { LoginResult::Success(user) => {
@ -120,7 +125,6 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
} }
c => { c => {
// TODO : add bruteforce detection
log::warn!("Failed login for username {} : {:?}", login, c); log::warn!("Failed login for username {} : {:?}", login, c);
danger = "Login failed.".to_string(); danger = "Login failed.".to_string();
} }
@ -129,9 +133,8 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
// Display password reset form if it is appropriate // Display password reset form if it is appropriate
if SessionIdentity(&id).need_new_password() { if SessionIdentity(&id).need_new_password() {
return HttpResponse::Ok() return HttpResponse::Ok().content_type("text/html").body(
.content_type("text/html") PasswordResetTemplate {
.body(PasswordResetTemplate {
_parent: BaseLoginPage { _parent: BaseLoginPage {
page_title: "Password reset", page_title: "Password reset",
danger, danger,
@ -140,13 +143,14 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
redirect_uri: urlencoding::encode(redirect_uri).to_string(), redirect_uri: urlencoding::encode(redirect_uri).to_string(),
}, },
min_pass_len: MIN_PASS_LEN, min_pass_len: MIN_PASS_LEN,
}.render().unwrap()); }
.render()
.unwrap(),
);
} }
HttpResponse::Ok().content_type("text/html").body(
HttpResponse::Ok() LoginTemplate {
.content_type("text/html")
.body(LoginTemplate {
_parent: BaseLoginPage { _parent: BaseLoginPage {
page_title: "Login", page_title: "Login",
danger, danger,
@ -155,7 +159,10 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
redirect_uri: urlencoding::encode(redirect_uri).to_string(), redirect_uri: urlencoding::encode(redirect_uri).to_string(),
}, },
login, login,
}.render().unwrap()) }
.render()
.unwrap(),
)
} }
/// Sign out user /// Sign out user

2
src/controllers/mod.rs
View File

@ -1,3 +1,3 @@
pub mod assets_controller; pub mod assets_controller;
pub mod login_controller;
pub mod base_controller; pub mod base_controller;
pub mod login_controller;

15
src/data/entity_manager.rs
View File

@ -8,7 +8,10 @@ pub struct EntityManager<E> {
list: Vec<E>, list: Vec<E>,
} }
impl<E> EntityManager<E> where E: serde::Serialize + serde::de::DeserializeOwned + Eq + Clone { impl<E> EntityManager<E>
where
E: serde::Serialize + serde::de::DeserializeOwned + Eq + Clone,
{
/// Open entity /// Open entity
pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> { pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> {
if !path.as_ref().is_file() { if !path.as_ref().is_file() {
@ -37,7 +40,10 @@ impl<E> EntityManager<E> where E: serde::Serialize + serde::de::DeserializeOwned
/// Save the list /// Save the list
fn save(&self) -> Res { fn save(&self) -> Res {
Ok(std::fs::write(&self.file_path, serde_json::to_string(&self.list)?)?) Ok(std::fs::write(
&self.file_path,
serde_json::to_string(&self.list)?,
)?)
} }
/// Insert a new element in the list /// Insert a new element in the list
@ -47,7 +53,10 @@ impl<E> EntityManager<E> where E: serde::Serialize + serde::de::DeserializeOwned
} }
/// Replace entries in the list that matches a criteria /// Replace entries in the list that matches a criteria
pub fn replace_entries<F>(&mut self, filter: F, el: &E) -> Res where F: Fn(&E) -> bool { pub fn replace_entries<F>(&mut self, filter: F, el: &E) -> Res
where
F: Fn(&E) -> bool,
{
for i in 0..self.list.len() { for i in 0..self.list.len() {
if filter(&self.list[i]) { if filter(&self.list[i]) {
self.list[i] = el.clone(); self.list[i] = el.clone();

4
src/data/mod.rs
View File

@ -1,5 +1,5 @@
pub mod app_config; pub mod app_config;
pub mod user;
pub mod service;
pub mod entity_manager; pub mod entity_manager;
pub mod service;
pub mod session_identity; pub mod session_identity;
pub mod user;

11
src/data/session_identity.rs
View File

@ -17,7 +17,6 @@ impl Default for SessionStatus {
} }
} }
#[derive(Debug, Serialize, Deserialize, Default)] #[derive(Debug, Serialize, Deserialize, Default)]
pub struct SessionIdentityData { pub struct SessionIdentityData {
pub id: UserID, pub id: UserID,
@ -33,7 +32,8 @@ impl<'a> SessionIdentity<'a> {
} }
pub fn deserialize_session_data(data: Option<String>) -> Option<SessionIdentityData> { pub fn deserialize_session_data(data: Option<String>) -> Option<SessionIdentityData> {
let res: Option<SessionIdentityData> = data.as_deref() let res: Option<SessionIdentityData> = data
.as_deref()
.map(serde_json::from_str) .map(serde_json::from_str)
.map(|f| match f { .map(|f| match f {
Ok(d) => Some(d), Ok(d) => Some(d),
@ -55,8 +55,7 @@ impl<'a> SessionIdentity<'a> {
} }
fn set_session_data(&self, data: &SessionIdentityData) { fn set_session_data(&self, data: &SessionIdentityData) {
let s = serde_json::to_string(data) let s = serde_json::to_string(data).expect("Failed to serialize session data!");
.expect("Failed to serialize session data!");
self.0.remember(s); self.0.remember(s);
} }
@ -88,8 +87,6 @@ impl<'a> SessionIdentity<'a> {
} }
pub fn user_id(&self) -> UserID { pub fn user_id(&self) -> UserID {
self.get_session_data() self.get_session_data().unwrap_or_default().id
.unwrap_or_default()
.id
} }
} }

9
src/data/user.rs
View File

@ -80,10 +80,13 @@ impl EntityManager<User> {
} }
/// Update user information /// Update user information
fn update_user<F>(&mut self, id: &UserID, update: F) -> bool where F: FnOnce(User) -> User { fn update_user<F>(&mut self, id: &UserID, update: F) -> bool
where
F: FnOnce(User) -> User,
{
let user = match self.find_by_user_id(id) { let user = match self.find_by_user_id(id) {
None => return false, None => return false,
Some(user) => user Some(user) => user,
}; };
if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) { if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) {
@ -96,7 +99,7 @@ impl EntityManager<User> {
pub fn change_user_password(&mut self, id: &UserID, password: &str, temporary: bool) -> bool { pub fn change_user_password(&mut self, id: &UserID, password: &str, temporary: bool) -> bool {
let new_hash = match hash_password(password) { let new_hash = match hash_password(password) {
Ok(h) => { h } Ok(h) => h,
Err(e) => { Err(e) => {
log::error!("Failed to hash user password! {}", e); log::error!("Failed to hash user password! {}", e);
return false; return false;

6
src/lib.rs
View File

@ -1,6 +1,6 @@
pub mod data; pub mod actors;
pub mod utils;
pub mod constants; pub mod constants;
pub mod controllers; pub mod controllers;
pub mod actors; pub mod data;
pub mod middlewares; pub mod middlewares;
pub mod utils;

15
src/main.rs
View File

@ -1,13 +1,16 @@
use actix::Actor; use actix::Actor;
use actix_identity::{CookieIdentityPolicy, IdentityService}; use actix_identity::{CookieIdentityPolicy, IdentityService};
use actix_web::{App, get, HttpServer, web};
use actix_web::cookie::SameSite;
use actix_web::cookie::time::Duration; use actix_web::cookie::time::Duration;
use actix_web::cookie::SameSite;
use actix_web::middleware::Logger; use actix_web::middleware::Logger;
use actix_web::{get, web, App, HttpServer};
use clap::Parser; use clap::Parser;
use basic_oidc::actors::users_actor::UsersActor; use basic_oidc::actors::users_actor::UsersActor;
use basic_oidc::constants::{DEFAULT_ADMIN_PASSWORD, DEFAULT_ADMIN_USERNAME, MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME}; use basic_oidc::constants::{
DEFAULT_ADMIN_PASSWORD, DEFAULT_ADMIN_USERNAME, MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION,
SESSION_COOKIE_NAME,
};
use basic_oidc::controllers::assets_controller::assets_route; use basic_oidc::controllers::assets_controller::assets_route;
use basic_oidc::controllers::login_controller::{login_route, logout_route}; use basic_oidc::controllers::login_controller::{login_route, logout_route};
use basic_oidc::data::app_config::AppConfig; use basic_oidc::data::app_config::AppConfig;
@ -72,25 +75,19 @@ async fn main() -> std::io::Result<()> {
.login_deadline(Duration::seconds(MAX_SESSION_DURATION)) .login_deadline(Duration::seconds(MAX_SESSION_DURATION))
.same_site(SameSite::Strict); .same_site(SameSite::Strict);
App::new() App::new()
.app_data(web::Data::new(users_actor.clone())) .app_data(web::Data::new(users_actor.clone()))
.app_data(web::Data::new(config.clone())) .app_data(web::Data::new(config.clone()))
.wrap(Logger::default()) .wrap(Logger::default())
.wrap(AuthMiddleware {}) .wrap(AuthMiddleware {})
.wrap(IdentityService::new(policy)) .wrap(IdentityService::new(policy))
// /health route // /health route
.service(health) .service(health)
// Assets serving // Assets serving
.route("/assets/{path:.*}", web::get().to(assets_route)) .route("/assets/{path:.*}", web::get().to(assets_route))
// Login page // Login page
.route("/login", web::get().to(login_route)) .route("/login", web::get().to(login_route))
.route("/login", web::post().to(login_route)) .route("/login", web::post().to(login_route))
// Logout page // Logout page
.route("/logout", web::get().to(logout_route)) .route("/logout", web::get().to(logout_route))
}) })

57
src/middlewares/auth_middleware.rs
View File

@ -1,13 +1,16 @@
//! # Authentication middleware //! # Authentication middleware
use std::future::{Future, ready, Ready}; use std::future::{ready, Future, Ready};
use std::pin::Pin; use std::pin::Pin;
use std::rc::Rc; use std::rc::Rc;
use actix_identity::RequestIdentity; use actix_identity::RequestIdentity;
use actix_web::{dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform}, Error, HttpResponse, web};
use actix_web::body::EitherBody; use actix_web::body::EitherBody;
use actix_web::http::{header, Method}; use actix_web::http::{header, Method};
use actix_web::{
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
web, Error, HttpResponse,
};
use askama::Template; use askama::Template;
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES}; use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES};
@ -25,8 +28,8 @@ pub struct AuthMiddleware;
// `S` - type of the next service // `S` - type of the next service
// `B` - type of response's body // `B` - type of response's body
impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
where where
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static, S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
S::Future: 'static, S::Future: 'static,
B: 'static, B: 'static,
{ {
@ -37,7 +40,9 @@ impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
type Future = Ready<Result<Self::Transform, Self::InitError>>; type Future = Ready<Result<Self::Transform, Self::InitError>>;
fn new_transform(&self, service: S) -> Self::Future { fn new_transform(&self, service: S) -> Self::Future {
ready(Ok(AuthInnerMiddleware { service: Rc::new(service) })) ready(Ok(AuthInnerMiddleware {
service: Rc::new(service),
}))
} }
} }
@ -67,8 +72,8 @@ pub struct AuthInnerMiddleware<S> {
} }
impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S> impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
where where
S: Service<ServiceRequest, Response=ServiceResponse<B>, Error=Error> + 'static, S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error> + 'static,
S::Future: 'static, S::Future: 'static,
B: 'static, B: 'static,
{ {
@ -76,7 +81,7 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
type Error = Error; type Error = Error;
#[allow(clippy::type_complexity)] #[allow(clippy::type_complexity)]
type Future = Pin<Box<dyn Future<Output=Result<Self::Response, Self::Error>>>>; type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>>>>;
forward_ready!(service); forward_ready!(service);
@ -92,11 +97,14 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
if req.method() == Method::POST { if req.method() == Method::POST {
if let Some(o) = origin { if let Some(o) = origin {
if !o.to_str().unwrap_or("bad").eq(&config.website_origin) { if !o.to_str().unwrap_or("bad").eq(&config.website_origin) {
log::warn!("Blocked POST request from invalid origin! Origin given {:?}", o); log::warn!(
"Blocked POST request from invalid origin! Origin given {:?}",
o
);
return Ok(req.into_response( return Ok(req.into_response(
HttpResponse::Unauthorized() HttpResponse::Unauthorized()
.body("POST request from invalid origin!") .body("POST request from invalid origin!")
.map_into_right_body() .map_into_right_body(),
)); ));
} }
} }
@ -106,28 +114,41 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
return Ok(req.into_response( return Ok(req.into_response(
HttpResponse::Unauthorized() HttpResponse::Unauthorized()
.body("Hey don't touch this!") .body("Hey don't touch this!")
.map_into_right_body() .map_into_right_body(),
)); ));
} }
let session = match SessionIdentity::deserialize_session_data(req.get_identity()) { let session = match SessionIdentity::deserialize_session_data(req.get_identity()) {
Some(SessionIdentityData { status: SessionStatus::SignedIn, is_admin: true, .. }) => ConnStatus::Admin, Some(SessionIdentityData {
Some(SessionIdentityData { status: SessionStatus::SignedIn, .. }) => ConnStatus::RegularUser, status: SessionStatus::SignedIn,
is_admin: true,
..
}) => ConnStatus::Admin,
Some(SessionIdentityData {
status: SessionStatus::SignedIn,
..
}) => ConnStatus::RegularUser,
_ => ConnStatus::SignedOut, _ => ConnStatus::SignedOut,
}; };
// Redirect user to login page // Redirect user to login page
if !session.is_auth() && (req.path().starts_with(ADMIN_ROUTES) || if !session.is_auth()
req.path().starts_with(AUTHENTICATED_ROUTES)) { && (req.path().starts_with(ADMIN_ROUTES)
|| req.path().starts_with(AUTHENTICATED_ROUTES))
{
let path = req.path().to_string(); let path = req.path().to_string();
return Ok(req.into_response(redirect_user_for_login(path)) return Ok(req
.into_response(redirect_user_for_login(path))
.map_into_right_body()); .map_into_right_body());
} }
// Restrict access to admin pages // Restrict access to admin pages
if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) { if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
return Ok(req.into_response(HttpResponse::Unauthorized() return Ok(req
.body(AccessDeniedTemplate {}.render().unwrap())) .into_response(
HttpResponse::Unauthorized()
.body(AccessDeniedTemplate {}.render().unwrap()),
)
.map_into_right_body()); .map_into_right_body());
} }

5
src/utils/time.rs
View File

@ -2,5 +2,8 @@ use std::time::{SystemTime, UNIX_EPOCH};
/// Get the current time since epoch /// Get the current time since epoch
pub fn time() -> u64 { pub fn time() -> u64 {
SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_secs()
} }