Compare commits
75 Commits
085851e169
...
renovate/l
| Author | SHA1 | Date | |
|---|---|---|---|
| 015d90d4f6 | |||
| ce4317299e | |||
| 14ede196c4 | |||
| 6d341069a0 | |||
| d4de81f1fb | |||
| 9a599fdde2 | |||
| 764ad3d5a1 | |||
| ffd93c5435 | |||
| 2a729d4153 | |||
| a128e4a597 | |||
| 96f3773375 | |||
| 5db16c2355 | |||
| e93e3f4d9c | |||
| 5abe3bfbd5 | |||
| 4deb1a5536 | |||
| 83efd5ac56 | |||
| 89f806a692 | |||
| 58a19c04e7 | |||
| 7d8931c365 | |||
| 05adc38408 | |||
| 97ff967b87 | |||
| c3215e0053 | |||
| fe968d6765 | |||
| 38bd624ef6 | |||
| e32b2be2b8 | |||
| 29f1c4d1f3 | |||
| 27562c4fbf | |||
| d329a8cf36 | |||
| d4253d897d | |||
| b2c91467e5 | |||
| 922cc4e45f | |||
| e0ec825947 | |||
| e82efde2b9 | |||
| 890e1ef1f1 | |||
| 2503500800 | |||
| 988c15e32e | |||
| 5bb6bdccd0 | |||
| 068284c456 | |||
| a9a9c26a3e | |||
| 34ce0fd1ae | |||
| 8ce29bbb63 | |||
| 52bdb70a8a | |||
| 23c53a8548 | |||
| 28efebdff1 | |||
| d44daf0c04 | |||
| 1cdf10d548 | |||
| 0dcb86c538 | |||
| 4fd42d0e17 | |||
| 9afeb3c67e | |||
| 7213096faf | |||
| 5d321e4cac | |||
| 77f7ba94ba | |||
| 830170303a | |||
| e6ad5b0090 | |||
| 7f42b9ca4f | |||
| 2e195cba32 | |||
| f972a0c1fc | |||
| 90991c89be | |||
| 505d76f804 | |||
| 76920f66d7 | |||
| d86d53ad64 | |||
| f63e0dd97b | |||
| e707b41e5e | |||
| 4f432402fb | |||
| ab0310347c | |||
| 06d46408b5 | |||
| ba55b66ed1 | |||
| 0eaca53a16 | |||
| e8e4aab0eb | |||
| 7abbb78dda | |||
| e26faee426 | |||
| a7a761f32a | |||
| c05718b2d7 | |||
| 0e83f64f24 | |||
| 8a14521d6e |
49
.drone.yml
49
.drone.yml
@@ -4,10 +4,57 @@ type: docker
|
||||
name: default
|
||||
|
||||
steps:
|
||||
- name: cargo_check
|
||||
# Code quality
|
||||
- name: code_quality
|
||||
image: rust
|
||||
volumes:
|
||||
- name: rust_registry
|
||||
path: /usr/local/cargo/registry
|
||||
commands:
|
||||
- rustup component add clippy
|
||||
- cargo clippy -- -D warnings
|
||||
- cargo test
|
||||
|
||||
# Build source code
|
||||
- name: compile
|
||||
image: rust
|
||||
depends_on:
|
||||
- code_quality
|
||||
when:
|
||||
event:
|
||||
- tag
|
||||
volumes:
|
||||
- name: rust_registry
|
||||
path: /usr/local/cargo/registry
|
||||
- name: releases
|
||||
path: /tmp/releases
|
||||
commands:
|
||||
- cargo build --release
|
||||
- ls -lah target/release/basic-oidc
|
||||
- cp target/release/basic-oidc /tmp/releases
|
||||
|
||||
# Auto-release to Gitea
|
||||
- name: gitea_release
|
||||
image: plugins/gitea-release
|
||||
depends_on:
|
||||
- compile
|
||||
when:
|
||||
event:
|
||||
- tag
|
||||
volumes:
|
||||
- name: releases
|
||||
path: /tmp/releases
|
||||
environment:
|
||||
PLUGIN_API_KEY:
|
||||
from_secret: GITEA_API_KEY # needs permission write:repository
|
||||
settings:
|
||||
base_url: https://gitea.communiquons.org
|
||||
files:
|
||||
- /tmp/releases/basic-oidc
|
||||
checksum: sha512
|
||||
|
||||
volumes:
|
||||
- name: rust_registry
|
||||
temp: { }
|
||||
- name: releases
|
||||
temp: {}
|
||||
2
.gitignore
vendored
2
.gitignore
vendored
@@ -1,3 +1,3 @@
|
||||
/target
|
||||
.idea
|
||||
storage
|
||||
/storage
|
||||
|
||||
190
Cargo.lock
generated
190
Cargo.lock
generated
@@ -59,7 +59,7 @@ dependencies = [
|
||||
"brotli",
|
||||
"bytes",
|
||||
"bytestring",
|
||||
"derive_more 2.0.1",
|
||||
"derive_more",
|
||||
"encoding_rs",
|
||||
"flate2",
|
||||
"foldhash",
|
||||
@@ -74,7 +74,7 @@ dependencies = [
|
||||
"mime",
|
||||
"percent-encoding",
|
||||
"pin-project-lite",
|
||||
"rand 0.9.1",
|
||||
"rand 0.9.2",
|
||||
"sha1",
|
||||
"smallvec",
|
||||
"tokio",
|
||||
@@ -85,15 +85,15 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "actix-identity"
|
||||
version = "0.8.0"
|
||||
version = "0.9.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "23b8ddc6f6a8b19c4016aaa13519968da9969bc3bc1c1c883cdb0f25dd6c8cf7"
|
||||
checksum = "810f47733f956175bd5b2ae17ae5237fa92bd1b6a4a65f646a7240dbe9ff2728"
|
||||
dependencies = [
|
||||
"actix-service",
|
||||
"actix-session",
|
||||
"actix-utils",
|
||||
"actix-web",
|
||||
"derive_more 1.0.0",
|
||||
"derive_more",
|
||||
"futures-core",
|
||||
"serde",
|
||||
"tracing",
|
||||
@@ -174,16 +174,16 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "actix-session"
|
||||
version = "0.10.1"
|
||||
version = "0.11.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "efe6976a74f34f1b6d07a6c05aadc0ed0359304a7781c367fa5b4029418db08f"
|
||||
checksum = "400c27fd4cdbe0082b7bbd29ac44a3070cbda1b2114138dc106ba39fe2f90dff"
|
||||
dependencies = [
|
||||
"actix-service",
|
||||
"actix-utils",
|
||||
"actix-web",
|
||||
"anyhow",
|
||||
"derive_more 1.0.0",
|
||||
"rand 0.8.5",
|
||||
"derive_more",
|
||||
"rand 0.9.2",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"tracing",
|
||||
@@ -218,7 +218,7 @@ dependencies = [
|
||||
"bytestring",
|
||||
"cfg-if",
|
||||
"cookie",
|
||||
"derive_more 2.0.1",
|
||||
"derive_more",
|
||||
"encoding_rs",
|
||||
"foldhash",
|
||||
"futures-core",
|
||||
@@ -339,12 +339,6 @@ dependencies = [
|
||||
"alloc-no-stdlib",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "android-tzdata"
|
||||
version = "0.1.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
|
||||
|
||||
[[package]]
|
||||
name = "android_system_properties"
|
||||
version = "0.1.5"
|
||||
@@ -574,9 +568,9 @@ checksum = "89e25b6adfb930f02d1981565a6e5d9c547ac15a96606256d3b59040e5cd4ca3"
|
||||
|
||||
[[package]]
|
||||
name = "base64urlsafedata"
|
||||
version = "0.5.2"
|
||||
version = "0.5.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e5913e643e4dfb43d5908e9e6f1386f8e0dfde086ecef124a6450c6195d89160"
|
||||
checksum = "215ee31f8a88f588c349ce2d20108b2ed96089b96b9c2b03775dc35dd72938e8"
|
||||
dependencies = [
|
||||
"base64 0.21.7",
|
||||
"pastey",
|
||||
@@ -601,7 +595,6 @@ dependencies = [
|
||||
"clap",
|
||||
"digest",
|
||||
"env_logger",
|
||||
"futures-util",
|
||||
"include_dir",
|
||||
"jwt-simple",
|
||||
"lazy-regex",
|
||||
@@ -611,7 +604,7 @@ dependencies = [
|
||||
"mailchecker",
|
||||
"mime_guess",
|
||||
"qrcode-generator",
|
||||
"rand 0.9.1",
|
||||
"rand 0.9.2",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"serde_yaml",
|
||||
@@ -634,9 +627,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "bcrypt"
|
||||
version = "0.17.0"
|
||||
version = "0.17.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "92758ad6077e4c76a6cadbce5005f666df70d4f13b19976b1a8062eef880040f"
|
||||
checksum = "abaf6da45c74385272ddf00e1ac074c7d8a6c1a1dda376902bd6a427522a8b2c"
|
||||
dependencies = [
|
||||
"base64 0.22.1",
|
||||
"blowfish",
|
||||
@@ -792,16 +785,15 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
|
||||
|
||||
[[package]]
|
||||
name = "chrono"
|
||||
version = "0.4.41"
|
||||
version = "0.4.42"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c469d952047f47f91b68d1cba3f10d63c11d73e4636f24f08daf0278abf01c4d"
|
||||
checksum = "145052bdd345b87320e369255277e3fb5152762ad123a901ef5c262dd38fe8d2"
|
||||
dependencies = [
|
||||
"android-tzdata",
|
||||
"iana-time-zone",
|
||||
"js-sys",
|
||||
"num-traits",
|
||||
"wasm-bindgen",
|
||||
"windows-link",
|
||||
"windows-link 0.2.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -816,9 +808,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "clap"
|
||||
version = "4.5.40"
|
||||
version = "4.5.51"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "40b6887a1d8685cebccf115538db5c0efe625ccac9696ad45c409d96566e910f"
|
||||
checksum = "4c26d721170e0295f191a69bd9a1f93efcdb0aff38684b61ab5750468972e5f5"
|
||||
dependencies = [
|
||||
"clap_builder",
|
||||
"clap_derive",
|
||||
@@ -826,9 +818,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "clap_builder"
|
||||
version = "4.5.40"
|
||||
version = "4.5.51"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e0c66c08ce9f0c698cbce5c0279d0bb6ac936d8674174fe48f736533b964f59e"
|
||||
checksum = "75835f0c7bf681bfd05abe44e965760fea999a5286c6eb2d59883634fd02011a"
|
||||
dependencies = [
|
||||
"anstream",
|
||||
"anstyle",
|
||||
@@ -838,9 +830,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "clap_derive"
|
||||
version = "4.5.40"
|
||||
version = "4.5.49"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d2c7947ae4cc3d851207c1adb5b5e260ff0cca11446b1d6d1423788e442257ce"
|
||||
checksum = "2a0b5487afeab2deb2ff4e03a807ad1a03ac532ff5a2cee5d86884440c7f7671"
|
||||
dependencies = [
|
||||
"heck",
|
||||
"proc-macro2",
|
||||
@@ -950,6 +942,12 @@ version = "0.8.21"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
|
||||
|
||||
[[package]]
|
||||
name = "crunchy"
|
||||
version = "0.2.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
|
||||
|
||||
[[package]]
|
||||
name = "crypto-bigint"
|
||||
version = "0.5.5"
|
||||
@@ -1028,34 +1026,13 @@ dependencies = [
|
||||
"powerfmt",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "derive_more"
|
||||
version = "1.0.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4a9b99b9cbbe49445b21764dc0625032a89b145a2642e67603e1c936f5458d05"
|
||||
dependencies = [
|
||||
"derive_more-impl 1.0.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "derive_more"
|
||||
version = "2.0.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "093242cf7570c207c83073cf82f79706fe7b8317e98620a47d5be7c3d8497678"
|
||||
dependencies = [
|
||||
"derive_more-impl 2.0.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "derive_more-impl"
|
||||
version = "1.0.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cb7330aeadfbe296029522e6c40f315320aba36fc43a5b3632f3795348f3bd22"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"syn",
|
||||
"unicode-xid",
|
||||
"derive_more-impl",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -1259,9 +1236,9 @@ checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
|
||||
|
||||
[[package]]
|
||||
name = "form_urlencoded"
|
||||
version = "1.2.1"
|
||||
version = "1.2.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456"
|
||||
checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf"
|
||||
dependencies = [
|
||||
"percent-encoding",
|
||||
]
|
||||
@@ -1421,9 +1398,13 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "half"
|
||||
version = "1.8.3"
|
||||
version = "2.6.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "1b43ede17f21864e81be2fa654110bf1e793774238d86ef8555c37e6519c0403"
|
||||
checksum = "459196ed295495a68f7d7fe1d84f6c4b7ff0e21fe3017b2f283c6fac3ad803c9"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"crunchy",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "hashbrown"
|
||||
@@ -1767,9 +1748,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "idna"
|
||||
version = "1.0.3"
|
||||
version = "1.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e"
|
||||
checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de"
|
||||
dependencies = [
|
||||
"idna_adapter",
|
||||
"smallvec",
|
||||
@@ -1951,9 +1932,9 @@ checksum = "d4345964bb142484797b161f473a503a434de77149dd8c7427788c6e13379388"
|
||||
|
||||
[[package]]
|
||||
name = "lazy-regex"
|
||||
version = "3.4.1"
|
||||
version = "3.4.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "60c7310b93682b36b98fa7ea4de998d3463ccbebd94d935d6b48ba5b6ffa7126"
|
||||
checksum = "191898e17ddee19e60bccb3945aa02339e81edd4a8c50e21fd4d48cdecda7b29"
|
||||
dependencies = [
|
||||
"lazy-regex-proc_macros",
|
||||
"once_cell",
|
||||
@@ -1962,9 +1943,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "lazy-regex-proc_macros"
|
||||
version = "3.4.1"
|
||||
version = "3.4.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4ba01db5ef81e17eb10a5e0f2109d1b3a3e29bac3070fdbd7d156bf7dbd206a1"
|
||||
checksum = "c35dc8b0da83d1a9507e12122c80dea71a9c7c613014347392483a83ea593e04"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
@@ -2003,7 +1984,7 @@ dependencies = [
|
||||
"base64 0.22.1",
|
||||
"bincode",
|
||||
"log",
|
||||
"rand 0.9.1",
|
||||
"rand 0.9.2",
|
||||
"reqwest",
|
||||
"serde",
|
||||
"serde_json",
|
||||
@@ -2051,15 +2032,15 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "log"
|
||||
version = "0.4.27"
|
||||
version = "0.4.28"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
|
||||
checksum = "34080505efa8e45a4b816c349525ebe327ceaa8559756f0356cba97ef3bf7432"
|
||||
|
||||
[[package]]
|
||||
name = "mailchecker"
|
||||
version = "6.0.17"
|
||||
version = "6.0.19"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "db3c69370540384985601e4adbbbc3046a658853e4909a4bd744bb390f6f9759"
|
||||
checksum = "abad4bc63045f04cfc55aa4c55d4ec0a890c377ce56463bfc2adc2bc059c4b84"
|
||||
dependencies = [
|
||||
"fast_chemail",
|
||||
"once_cell",
|
||||
@@ -2343,9 +2324,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "percent-encoding"
|
||||
version = "2.3.1"
|
||||
version = "2.3.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e"
|
||||
checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
|
||||
|
||||
[[package]]
|
||||
name = "pin-project-lite"
|
||||
@@ -2504,9 +2485,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "rand"
|
||||
version = "0.9.1"
|
||||
version = "0.9.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9fbfd9d094a40bf3ae768db9361049ace4c0e04a4fd6b359518bd7b73a73dd97"
|
||||
checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
|
||||
dependencies = [
|
||||
"rand_chacha 0.9.0",
|
||||
"rand_core 0.9.3",
|
||||
@@ -2822,28 +2803,38 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "serde"
|
||||
version = "1.0.219"
|
||||
version = "1.0.228"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
|
||||
checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
|
||||
dependencies = [
|
||||
"serde_core",
|
||||
"serde_derive",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_cbor_2"
|
||||
version = "0.12.0-dev"
|
||||
version = "0.13.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b46d75f449e01f1eddbe9b00f432d616fbbd899b809c837d0fbc380496a0dd55"
|
||||
checksum = "34aec2709de9078e077090abd848e967abab63c9fb3fdb5d4799ad359d8d482c"
|
||||
dependencies = [
|
||||
"half",
|
||||
"serde",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_derive"
|
||||
version = "1.0.219"
|
||||
name = "serde_core"
|
||||
version = "1.0.228"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
|
||||
checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
|
||||
dependencies = [
|
||||
"serde_derive",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "serde_derive"
|
||||
version = "1.0.228"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
@@ -2852,14 +2843,15 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "serde_json"
|
||||
version = "1.0.140"
|
||||
version = "1.0.145"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
|
||||
checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
|
||||
dependencies = [
|
||||
"itoa",
|
||||
"memchr",
|
||||
"ryu",
|
||||
"serde",
|
||||
"serde_core",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -3338,9 +3330,9 @@ checksum = "6d49784317cd0d1ee7ec5c716dd598ec5b4483ea832a2dced265471cc0f690ae"
|
||||
|
||||
[[package]]
|
||||
name = "url"
|
||||
version = "2.5.4"
|
||||
version = "2.5.7"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60"
|
||||
checksum = "08bc136a29a3d1758e07a9cca267be308aeebf5cfd5a10f3f67ab2097683ef5b"
|
||||
dependencies = [
|
||||
"form_urlencoded",
|
||||
"idna",
|
||||
@@ -3380,9 +3372,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
|
||||
|
||||
[[package]]
|
||||
name = "uuid"
|
||||
version = "1.17.0"
|
||||
version = "1.18.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3cf4199d1e5d15ddd86a694e4d0dffa9c323ce759fea589f00fef9d81cc1931d"
|
||||
checksum = "2f87b8aa10b915a06587d0dec516c282ff295b475d94abf425d62b57710070a2"
|
||||
dependencies = [
|
||||
"getrandom 0.3.2",
|
||||
"js-sys",
|
||||
@@ -3524,9 +3516,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "webauthn-attestation-ca"
|
||||
version = "0.5.2"
|
||||
version = "0.5.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "384e43534efe4e8f56c4eb1615a27e24d2ff29281385c843cf9f16ac1077dbdc"
|
||||
checksum = "f77a2892ec44032e6c48dad9aad1b05fada09c346ada11d8d32db119b4b4f205"
|
||||
dependencies = [
|
||||
"base64urlsafedata",
|
||||
"openssl",
|
||||
@@ -3538,9 +3530,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "webauthn-rs"
|
||||
version = "0.5.2"
|
||||
version = "0.5.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ed1f861a94557baeb0cf711e3e55d623c46b68f4aab7aa932562f785b8b5f1ab"
|
||||
checksum = "eb7c3a2f9c8bddd524e47bbd427bcf3a28aa074de55d74470b42a91a41937b8e"
|
||||
dependencies = [
|
||||
"base64urlsafedata",
|
||||
"serde",
|
||||
@@ -3552,9 +3544,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "webauthn-rs-core"
|
||||
version = "0.5.2"
|
||||
version = "0.5.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "269c210cd5f183aaca860bb5733187d1dd110ebed54640f8fc1aca31a04aa4dc"
|
||||
checksum = "19f1d80f3146382529fe70a3ab5d0feb2413a015204ed7843f9377cd39357fc4"
|
||||
dependencies = [
|
||||
"base64 0.21.7",
|
||||
"base64urlsafedata",
|
||||
@@ -3579,9 +3571,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "webauthn-rs-proto"
|
||||
version = "0.5.2"
|
||||
version = "0.5.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "144dbee9abb4bfad78fd283a2613f0312a0ed5955051b7864cfc98679112ae60"
|
||||
checksum = "9e786894f89facb9aaf1c5f6559670236723c98382e045521c76f3d5ca5047bd"
|
||||
dependencies = [
|
||||
"base64 0.21.7",
|
||||
"base64urlsafedata",
|
||||
@@ -3605,6 +3597,12 @@ version = "0.1.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38"
|
||||
|
||||
[[package]]
|
||||
name = "windows-link"
|
||||
version = "0.2.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "45e46c0661abb7180e7b9c281db115305d49ca1709ab8242adf09666d2173c65"
|
||||
|
||||
[[package]]
|
||||
name = "windows-registry"
|
||||
version = "0.4.0"
|
||||
@@ -3622,7 +3620,7 @@ version = "0.3.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c64fd11a4fd95df68efcfee5f44a294fe71b8bc6a91993e2791938abcc712252"
|
||||
dependencies = [
|
||||
"windows-link",
|
||||
"windows-link 0.1.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -3631,7 +3629,7 @@ version = "0.3.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "87fa48cc5d406560701792be122a10132491cff9d0aeb23583cc2dcafc847319"
|
||||
dependencies = [
|
||||
"windows-link",
|
||||
"windows-link 0.1.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
||||
29
Cargo.toml
29
Cargo.toml
@@ -7,36 +7,35 @@ edition = "2024"
|
||||
|
||||
[dependencies]
|
||||
actix = "0.13.5"
|
||||
actix-identity = "0.8.0"
|
||||
actix-identity = "0.9.0"
|
||||
actix-web = "4.11.0"
|
||||
actix-session = { version = "0.10.1", features = ["cookie-session"] }
|
||||
actix-session = { version = "0.11.0", features = ["cookie-session"] }
|
||||
actix-remote-ip = "0.1.0"
|
||||
clap = { version = "4.5.40", features = ["derive", "env"] }
|
||||
clap = { version = "4.5.51", features = ["derive", "env"] }
|
||||
include_dir = "0.7.4"
|
||||
log = "0.4.27"
|
||||
serde_json = "1.0.140"
|
||||
log = "0.4.28"
|
||||
serde_json = "1.0.145"
|
||||
serde_yaml = "0.9.34"
|
||||
env_logger = "0.11.8"
|
||||
serde = { version = "1.0.219", features = ["derive"] }
|
||||
bcrypt = "0.17.0"
|
||||
uuid = { version = "1.17.0", features = ["v4"] }
|
||||
serde = { version = "1.0.228", features = ["derive"] }
|
||||
bcrypt = "0.17.1"
|
||||
uuid = { version = "1.18.1", features = ["v4"] }
|
||||
mime_guess = "2.0.5"
|
||||
askama = "0.14.0"
|
||||
futures-util = "0.3.31"
|
||||
urlencoding = "2.1.3"
|
||||
rand = "0.9.1"
|
||||
rand = "0.9.2"
|
||||
base64 = "0.22.1"
|
||||
jwt-simple = { version = "0.12.12", default-features = false, features = ["pure-rust"] }
|
||||
digest = "0.10.7"
|
||||
sha2 = "0.10.9"
|
||||
lazy-regex = "3.4.1"
|
||||
lazy-regex = "3.4.2"
|
||||
totp_rfc6238 = "0.6.1"
|
||||
base32 = "0.5.1"
|
||||
qrcode-generator = "5.0.0"
|
||||
webauthn-rs = { version = "0.5.2", features = ["danger-allow-state-serialisation"] }
|
||||
url = "2.5.4"
|
||||
webauthn-rs = { version = "0.5.3", features = ["danger-allow-state-serialisation"] }
|
||||
url = "2.5.7"
|
||||
light-openid = { version = "1.0.4", features = ["crypto-wrapper"] }
|
||||
bincode = "2.0.1"
|
||||
chrono = "0.4.41"
|
||||
chrono = "0.4.42"
|
||||
lazy_static = "1.5.0"
|
||||
mailchecker = "6.0.17"
|
||||
mailchecker = "6.0.19"
|
||||
|
||||
18
README.md
18
README.md
@@ -67,10 +67,11 @@ You can add as much upstream provider as you want, using the following syntax in
|
||||
```yaml
|
||||
- id: gitlab
|
||||
name: GitLab
|
||||
logo: gitlab # Can be either gitea, gitlab, github, microsoft, google or a full URL
|
||||
logo: gitlab # Can be either openid, gitea, gitlab, github, microsoft, google or a full URL
|
||||
client_id: CLIENT_ID_GIVEN_BY_PROVIDER
|
||||
client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
|
||||
configuration_url: https://gitlab.com/.well-known/openid-configuration
|
||||
allow_auto_account_creation: true
|
||||
|
||||
```
|
||||
|
||||
@@ -108,5 +109,20 @@ Corresponding client configuration:
|
||||
|
||||
OAuth proxy can then be access on this URL: http://192.168.2.103:4180/
|
||||
|
||||
## Testing with upstream identity provider
|
||||
The folder [sample_upstream_provider](sample_upstream_provider) contains a working scenario of authentication with an upstream provider.
|
||||
|
||||
Run the following command to run the scenario:
|
||||
|
||||
```bash
|
||||
cd sample_upstream_provider
|
||||
docker compose up
|
||||
```
|
||||
|
||||
- Upstream provider (not to be directly used): http://localhost:9001
|
||||
- BasicOIDC: http://localhost:8000
|
||||
- Client 2: http://localhost:8012
|
||||
- Client 1: http://localhost:8011
|
||||
|
||||
## Contributing
|
||||
If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)
|
||||
|
||||
@@ -14,7 +14,6 @@ body {
|
||||
/* background */
|
||||
@media screen and (min-width: 767px) {
|
||||
.bg-login {
|
||||
background-image: url(/assets/img/forest.jpg);
|
||||
width: 100%;
|
||||
height: 100%;
|
||||
position: fixed;
|
||||
|
||||
@@ -21,3 +21,7 @@ body {
|
||||
.form-control::placeholder {
|
||||
color: #555;
|
||||
}
|
||||
|
||||
.table-break-works td {
|
||||
word-break: break-all;
|
||||
}
|
||||
1
assets/img/brands/openid.svg
Normal file
1
assets/img/brands/openid.svg
Normal file
@@ -0,0 +1 @@
|
||||
<svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>OpenID</title><path d="M14.54.889l-3.63 1.773v18.17c-4.15-.52-7.27-2.78-7.27-5.5 0-2.58 2.8-4.75 6.63-5.41v-2.31C4.42 8.322 0 11.502 0 15.332c0 3.96 4.74 7.24 10.91 7.78l3.63-1.71V.888m.64 6.724v2.31c1.43.25 2.71.7 3.76 1.31l-1.97 1.11 7.03 1.53-.5-5.21-1.87 1.06c-1.74-1.06-3.96-1.81-6.45-2.11z"/></svg>
|
||||
|
After Width: | Height: | Size: 382 B |
26
sample_upstream_provider/dex-provider/dex.config.yaml
Normal file
26
sample_upstream_provider/dex-provider/dex.config.yaml
Normal file
@@ -0,0 +1,26 @@
|
||||
issuer: http://127.0.0.1:9001/dex
|
||||
|
||||
storage:
|
||||
type: memory
|
||||
|
||||
web:
|
||||
http: 0.0.0.0:9001
|
||||
|
||||
oauth2:
|
||||
# Automate some clicking
|
||||
# Note: this might actually make some tests pass that otherwise wouldn't.
|
||||
skipApprovalScreen: false
|
||||
|
||||
connectors:
|
||||
# Note: this might actually make some tests pass that otherwise wouldn't.
|
||||
- type: mockCallback
|
||||
id: mock
|
||||
name: Example
|
||||
|
||||
# Basic OP test suite requires two clients.
|
||||
staticClients:
|
||||
- id: foo
|
||||
secret: bar
|
||||
redirectURIs:
|
||||
- http://localhost:8000/prov_cb
|
||||
name: Auth
|
||||
47
sample_upstream_provider/docker-compose.yaml
Normal file
47
sample_upstream_provider/docker-compose.yaml
Normal file
@@ -0,0 +1,47 @@
|
||||
services:
|
||||
upstream:
|
||||
image: dexidp/dex
|
||||
user: "1000"
|
||||
network_mode: host
|
||||
volumes:
|
||||
- ./dex-provider:/conf:ro
|
||||
command: [ "dex", "serve", "/conf/dex.config.yaml" ]
|
||||
|
||||
client1:
|
||||
image: pierre42100/oidc_test_client
|
||||
user: "1000"
|
||||
network_mode: host
|
||||
environment:
|
||||
- LISTEN_ADDR=0.0.0.0:8011
|
||||
- PUBLIC_URL=http://127.0.0.1:8011
|
||||
- CONFIGURATION_URL=http://localhost:8000/.well-known/openid-configuration
|
||||
- CLIENT_ID=testclient1
|
||||
- CLIENT_SECRET=secretone
|
||||
|
||||
client2:
|
||||
image: pierre42100/oidc_test_client
|
||||
user: "1000"
|
||||
network_mode: host
|
||||
environment:
|
||||
- LISTEN_ADDR=0.0.0.0:8012
|
||||
- PUBLIC_URL=http://127.0.0.1:8012
|
||||
- CONFIGURATION_URL=http://localhost:8000/.well-known/openid-configuration
|
||||
- CLIENT_ID=testclient2
|
||||
- CLIENT_SECRET=secrettwo
|
||||
|
||||
basicoidc:
|
||||
image: rust
|
||||
user: "1000"
|
||||
network_mode: host
|
||||
environment:
|
||||
- STORAGE_PATH=/storage
|
||||
- DISABLE_LOCAL_LOGIN=true
|
||||
#- RUST_LOG=debug
|
||||
volumes:
|
||||
- ../:/app
|
||||
- ./storage:/storage
|
||||
- ~/.cargo/registry:/usr/local/cargo/registry
|
||||
command:
|
||||
- bash
|
||||
- -c
|
||||
- cd /app && cargo run
|
||||
1
sample_upstream_provider/storage/.gitignore
vendored
Normal file
1
sample_upstream_provider/storage/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
users.json
|
||||
11
sample_upstream_provider/storage/clients.yaml
Normal file
11
sample_upstream_provider/storage/clients.yaml
Normal file
@@ -0,0 +1,11 @@
|
||||
- id: testclient1
|
||||
name: Client 1
|
||||
description: client1
|
||||
secret: secretone
|
||||
redirect_uri: http://127.0.0.1:8011/
|
||||
granted_to_all_users: true
|
||||
- id: testclient2
|
||||
name: Client 2
|
||||
description: client2
|
||||
secret: secrettwo
|
||||
redirect_uri: http://127.0.0.1:8012/
|
||||
7
sample_upstream_provider/storage/providers.yaml
Normal file
7
sample_upstream_provider/storage/providers.yaml
Normal file
@@ -0,0 +1,7 @@
|
||||
- id: upstream
|
||||
name: Upstream
|
||||
logo: openid
|
||||
client_id: foo
|
||||
client_secret: bar
|
||||
configuration_url: http://127.0.0.1:9001/dex/.well-known/openid-configuration
|
||||
allow_auto_account_creation: true
|
||||
@@ -17,7 +17,7 @@ use crate::data::provider::ProviderID;
|
||||
use crate::utils::string_utils::rand_str;
|
||||
use crate::utils::time::time;
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
#[derive(Debug, Clone, serde::Serialize)]
|
||||
pub struct ProviderLoginState {
|
||||
pub provider_id: ProviderID,
|
||||
pub state_id: String,
|
||||
|
||||
@@ -1,10 +1,11 @@
|
||||
use std::net::IpAddr;
|
||||
|
||||
use crate::data::provider::{Provider, ProviderID};
|
||||
use actix::{Actor, Context, Handler, Message, MessageResult};
|
||||
|
||||
use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
|
||||
use crate::utils::err::Res;
|
||||
use crate::utils::string_utils::is_acceptable_login;
|
||||
use actix::{Actor, Context, Handler, Message, MessageResult};
|
||||
use light_openid::primitives::OpenIDUserInfo;
|
||||
|
||||
/// User storage interface
|
||||
pub trait UsersSyncBackend {
|
||||
@@ -38,6 +39,8 @@ pub enum LoginResult {
|
||||
LocalAuthForbidden,
|
||||
AuthFromProviderForbidden,
|
||||
Success(Box<User>),
|
||||
AccountAutoCreated(Box<User>),
|
||||
CannotAutoCreateAccount(String),
|
||||
}
|
||||
|
||||
#[derive(Message)]
|
||||
@@ -51,6 +54,7 @@ pub struct LocalLoginRequest {
|
||||
#[rtype(LoginResult)]
|
||||
pub struct ProviderLoginRequest {
|
||||
pub email: String,
|
||||
pub user_info: OpenIDUserInfo,
|
||||
pub provider: Provider,
|
||||
}
|
||||
|
||||
@@ -104,7 +108,7 @@ pub struct AddSuccessful2FALogin(pub UserID, pub IpAddr);
|
||||
#[rtype(result = "bool")]
|
||||
pub struct Clear2FALoginHistory(pub UserID);
|
||||
|
||||
#[derive(Eq, PartialEq, Debug, Clone)]
|
||||
#[derive(Eq, PartialEq, Debug, Clone, serde::Serialize)]
|
||||
pub struct AuthorizedAuthenticationSources {
|
||||
pub local: bool,
|
||||
pub upstream: Vec<ProviderID>,
|
||||
@@ -151,7 +155,7 @@ impl Handler<LocalLoginRequest> for UsersActor {
|
||||
fn handle(&mut self, msg: LocalLoginRequest, _ctx: &mut Self::Context) -> Self::Result {
|
||||
match self.manager.find_by_username_or_email(&msg.login) {
|
||||
Err(e) => {
|
||||
log::error!("Failed to find user! {}", e);
|
||||
log::error!("Failed to find user! {e}");
|
||||
MessageResult(LoginResult::Error)
|
||||
}
|
||||
Ok(None) => MessageResult(LoginResult::AccountNotFound),
|
||||
@@ -184,10 +188,89 @@ impl Handler<ProviderLoginRequest> for UsersActor {
|
||||
fn handle(&mut self, msg: ProviderLoginRequest, _ctx: &mut Self::Context) -> Self::Result {
|
||||
match self.manager.find_by_email(&msg.email) {
|
||||
Err(e) => {
|
||||
log::error!("Failed to find user! {}", e);
|
||||
log::error!("Failed to find user! {e}");
|
||||
MessageResult(LoginResult::Error)
|
||||
}
|
||||
Ok(None) => MessageResult(LoginResult::AccountNotFound),
|
||||
Ok(None) => {
|
||||
// Check if automatic account creation is enabled for this provider
|
||||
if !msg.provider.allow_auto_account_creation {
|
||||
return MessageResult(LoginResult::AccountNotFound);
|
||||
}
|
||||
|
||||
// Extract username for account creation
|
||||
let mut username = msg
|
||||
.user_info
|
||||
.preferred_username
|
||||
.unwrap_or(msg.email.to_string());
|
||||
|
||||
// Determine username from email, if necessary
|
||||
if !is_acceptable_login(&username)
|
||||
|| matches!(
|
||||
self.manager.find_by_username_or_email(&username),
|
||||
Ok(Some(_))
|
||||
)
|
||||
{
|
||||
username = msg.email.clone();
|
||||
}
|
||||
|
||||
// Check if username is already taken
|
||||
if matches!(
|
||||
self.manager.find_by_username_or_email(&username),
|
||||
Ok(Some(_))
|
||||
) {
|
||||
return MessageResult(LoginResult::CannotAutoCreateAccount(format!(
|
||||
"username {username} is already taken!"
|
||||
)));
|
||||
}
|
||||
|
||||
if !is_acceptable_login(&username) {
|
||||
return MessageResult(LoginResult::CannotAutoCreateAccount(
|
||||
"could not determine acceptable login for user!".to_string(),
|
||||
));
|
||||
}
|
||||
|
||||
// Automatic account creation
|
||||
let user_id = match self.manager.create_user_account(GeneralSettings {
|
||||
uid: UserID::random(),
|
||||
username,
|
||||
first_name: msg.user_info.given_name.unwrap_or_default(),
|
||||
last_name: msg.user_info.family_name.unwrap_or_default(),
|
||||
email: msg.email.to_string(),
|
||||
enabled: true,
|
||||
two_factor_exemption_after_successful_login: false,
|
||||
is_admin: false,
|
||||
}) {
|
||||
Ok(u) => u,
|
||||
Err(e) => {
|
||||
log::error!("Failed to create user account! {e}");
|
||||
return MessageResult(LoginResult::CannotAutoCreateAccount(
|
||||
"missing some user information".to_string(),
|
||||
));
|
||||
}
|
||||
};
|
||||
|
||||
// Mark the provider as the only authorized source
|
||||
if let Err(e) = self.manager.set_authorized_authentication_sources(
|
||||
&user_id,
|
||||
AuthorizedAuthenticationSources {
|
||||
local: false,
|
||||
upstream: vec![msg.provider.id],
|
||||
},
|
||||
) {
|
||||
log::error!(
|
||||
"Failed to set authorized authentication sources for newly created account! {e}"
|
||||
);
|
||||
}
|
||||
|
||||
// Extract user information to return them
|
||||
let Ok(Some(user)) = self.manager.find_by_user_id(&user_id) else {
|
||||
return MessageResult(LoginResult::CannotAutoCreateAccount(
|
||||
"failed to get created user information".to_string(),
|
||||
));
|
||||
};
|
||||
|
||||
MessageResult(LoginResult::AccountAutoCreated(Box::new(user)))
|
||||
}
|
||||
Ok(Some(user)) => {
|
||||
if !user.can_login_from_provider(&msg.provider) {
|
||||
return MessageResult(LoginResult::AuthFromProviderForbidden);
|
||||
@@ -210,7 +293,7 @@ impl Handler<CreateAccount> for UsersActor {
|
||||
match self.manager.create_user_account(msg.0) {
|
||||
Ok(id) => Some(id),
|
||||
Err(e) => {
|
||||
log::error!("Failed to create user account! {}", e);
|
||||
log::error!("Failed to create user account! {e}");
|
||||
None
|
||||
}
|
||||
}
|
||||
@@ -227,7 +310,7 @@ impl Handler<ChangePasswordRequest> for UsersActor {
|
||||
{
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!("Failed to change user password! {:?}", e);
|
||||
log::error!("Failed to change user password! {e:?}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -241,7 +324,7 @@ impl Handler<Add2FAFactor> for UsersActor {
|
||||
match self.manager.add_2fa_factor(&msg.0, msg.1) {
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!("Failed to add 2FA factor! {}", e);
|
||||
log::error!("Failed to add 2FA factor! {e}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -255,7 +338,7 @@ impl Handler<Remove2FAFactor> for UsersActor {
|
||||
match self.manager.remove_2fa_factor(&msg.0, msg.1) {
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!("Failed to remove 2FA factor! {}", e);
|
||||
log::error!("Failed to remove 2FA factor! {e}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -272,7 +355,7 @@ impl Handler<AddSuccessful2FALogin> for UsersActor {
|
||||
{
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!("Failed to save successful 2FA authentication! {}", e);
|
||||
log::error!("Failed to save successful 2FA authentication! {e}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -309,10 +392,7 @@ impl Handler<SetAuthorizedAuthenticationSources> for UsersActor {
|
||||
{
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!(
|
||||
"Failed to set authorized authentication sources for user! {}",
|
||||
e
|
||||
);
|
||||
log::error!("Failed to set authorized authentication sources for user! {e}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -325,7 +405,7 @@ impl Handler<SetGrantedClients> for UsersActor {
|
||||
match self.manager.set_granted_2fa_clients(&msg.0, msg.1) {
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!("Failed to set granted 2FA clients! {}", e);
|
||||
log::error!("Failed to set granted 2FA clients! {e}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -339,7 +419,7 @@ impl Handler<GetUserRequest> for UsersActor {
|
||||
MessageResult(GetUserResult(match self.manager.find_by_user_id(&msg.0) {
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
log::error!("Failed to find user by id! {}", e);
|
||||
log::error!("Failed to find user by id! {e}");
|
||||
None
|
||||
}
|
||||
}))
|
||||
@@ -353,7 +433,7 @@ impl Handler<VerifyUserPasswordRequest> for UsersActor {
|
||||
self.manager
|
||||
.verify_user_password(&msg.0, &msg.1)
|
||||
.unwrap_or_else(|e| {
|
||||
log::error!("Failed to verify user password! {}", e);
|
||||
log::error!("Failed to verify user password! {e}");
|
||||
false
|
||||
})
|
||||
}
|
||||
@@ -367,7 +447,7 @@ impl Handler<FindUserByUsername> for UsersActor {
|
||||
self.manager
|
||||
.find_by_username_or_email(&msg.0)
|
||||
.unwrap_or_else(|e| {
|
||||
log::error!("Failed to find user by username or email! {}", e);
|
||||
log::error!("Failed to find user by username or email! {e}");
|
||||
None
|
||||
}),
|
||||
))
|
||||
@@ -381,7 +461,7 @@ impl Handler<GetAllUsers> for UsersActor {
|
||||
match self.manager.get_entire_users_list() {
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
log::error!("Failed to get entire users list! {}", e);
|
||||
log::error!("Failed to get entire users list! {e}");
|
||||
vec![]
|
||||
}
|
||||
}
|
||||
@@ -395,7 +475,7 @@ impl Handler<UpdateUserSettings> for UsersActor {
|
||||
match self.manager.set_general_user_settings(msg.0) {
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!("Failed to update general user information! {:?}", e);
|
||||
log::error!("Failed to update general user information! {e:?}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -409,7 +489,7 @@ impl Handler<DeleteUserRequest> for UsersActor {
|
||||
match self.manager.delete_account(&msg.0) {
|
||||
Ok(_) => true,
|
||||
Err(e) => {
|
||||
log::error!("Failed to delete user account! {}", e);
|
||||
log::error!("Failed to delete user account! {e}");
|
||||
false
|
||||
}
|
||||
}
|
||||
|
||||
@@ -65,7 +65,9 @@ pub async fn delete_user(
|
||||
|
||||
let res = users.send(DeleteUserRequest(req.0.user_id)).await.unwrap();
|
||||
if res {
|
||||
action_logger.log(Action::AdminDeleteUser(&user));
|
||||
action_logger.log(Action::AdminDeleteUser {
|
||||
user: user.loggable(),
|
||||
});
|
||||
HttpResponse::Ok().finish()
|
||||
} else {
|
||||
HttpResponse::InternalServerError().finish()
|
||||
|
||||
@@ -165,7 +165,10 @@ pub async fn users_route(
|
||||
let factors_to_keep = update.0.two_factor.split(';').collect::<Vec<_>>();
|
||||
for factor in &edited_user.two_factor {
|
||||
if !factors_to_keep.contains(&factor.id.0.as_str()) {
|
||||
logger.log(Action::AdminRemoveUserFactor(&edited_user, factor));
|
||||
logger.log(Action::AdminRemoveUserFactor {
|
||||
user: edited_user.loggable(),
|
||||
factor: factor.loggable(),
|
||||
});
|
||||
users
|
||||
.send(users_actor::Remove2FAFactor(
|
||||
edited_user.uid.clone(),
|
||||
@@ -186,10 +189,10 @@ pub async fn users_route(
|
||||
};
|
||||
|
||||
if edited_user.authorized_authentication_sources() != auth_sources {
|
||||
logger.log(Action::AdminSetAuthorizedAuthenticationSources(
|
||||
&edited_user,
|
||||
&auth_sources,
|
||||
));
|
||||
logger.log(Action::AdminSetAuthorizedAuthenticationSources {
|
||||
user: edited_user.loggable(),
|
||||
sources: &auth_sources,
|
||||
});
|
||||
users
|
||||
.send(users_actor::SetAuthorizedAuthenticationSources(
|
||||
edited_user.uid.clone(),
|
||||
@@ -216,10 +219,10 @@ pub async fn users_route(
|
||||
};
|
||||
|
||||
if edited_user.granted_clients() != granted_clients {
|
||||
logger.log(Action::AdminSetNewGrantedClientsList(
|
||||
&edited_user,
|
||||
&granted_clients,
|
||||
));
|
||||
logger.log(Action::AdminSetNewGrantedClientsList {
|
||||
user: edited_user.loggable(),
|
||||
clients: &granted_clients,
|
||||
});
|
||||
users
|
||||
.send(users_actor::SetGrantedClients(
|
||||
edited_user.uid.clone(),
|
||||
@@ -231,7 +234,9 @@ pub async fn users_route(
|
||||
|
||||
// Clear user 2FA history if requested
|
||||
if update.0.clear_2fa_history.is_some() {
|
||||
logger.log(Action::AdminClear2FAHistory(&edited_user));
|
||||
logger.log(Action::AdminClear2FAHistory {
|
||||
user: edited_user.loggable(),
|
||||
});
|
||||
users
|
||||
.send(users_actor::Clear2FALoginHistory(edited_user.uid.clone()))
|
||||
.await
|
||||
@@ -242,7 +247,9 @@ pub async fn users_route(
|
||||
let new_password = match update.0.gen_new_password.is_some() {
|
||||
false => None,
|
||||
true => {
|
||||
logger.log(Action::AdminResetUserPassword(&edited_user));
|
||||
logger.log(Action::AdminResetUserPassword {
|
||||
user: edited_user.loggable(),
|
||||
});
|
||||
|
||||
let temp_pass = rand_str(TEMPORARY_PASSWORDS_LEN);
|
||||
users
|
||||
@@ -269,11 +276,15 @@ pub async fn users_route(
|
||||
} else {
|
||||
success = Some(match is_creating {
|
||||
true => {
|
||||
logger.log(Action::AdminCreateUser(&edited_user));
|
||||
logger.log(Action::AdminCreateUser {
|
||||
user: edited_user.loggable(),
|
||||
});
|
||||
format!("User {} was successfully created!", edited_user.full_name())
|
||||
}
|
||||
false => {
|
||||
logger.log(Action::AdminUpdateUser(&edited_user));
|
||||
logger.log(Action::AdminUpdateUser {
|
||||
user: edited_user.loggable(),
|
||||
});
|
||||
format!("User {} was successfully updated!", edited_user.full_name())
|
||||
}
|
||||
});
|
||||
|
||||
@@ -47,7 +47,7 @@ pub async fn auth_webauthn(
|
||||
HttpResponse::Ok().body("You are authenticated!")
|
||||
}
|
||||
Err(e) => {
|
||||
log::error!("Failed to authenticate user using webauthn! {:?}", e);
|
||||
log::error!("Failed to authenticate user using webauthn! {e:?}");
|
||||
logger.log(Action::LoginWebauthnAttempt {
|
||||
success: false,
|
||||
user_id,
|
||||
|
||||
@@ -13,6 +13,7 @@ use crate::controllers::base_controller::{
|
||||
build_fatal_error_page, redirect_user, redirect_user_for_login,
|
||||
};
|
||||
use crate::data::action_logger::{Action, ActionLogger};
|
||||
use crate::data::app_config::AppConfig;
|
||||
use crate::data::force_2fa_auth::Force2FAAuth;
|
||||
use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
|
||||
use crate::data::provider::{Provider, ProvidersManager};
|
||||
@@ -21,46 +22,61 @@ use crate::data::user::User;
|
||||
use crate::data::webauthn_manager::WebAuthManagerReq;
|
||||
use crate::utils::string_utils;
|
||||
|
||||
pub struct BaseLoginPage<'a> {
|
||||
pub struct BaseLoginPage {
|
||||
pub danger: Option<String>,
|
||||
pub success: Option<String>,
|
||||
pub background_image: &'static str,
|
||||
pub page_title: &'static str,
|
||||
pub app_name: &'static str,
|
||||
pub redirect_uri: &'a LoginRedirect,
|
||||
pub redirect_uri: LoginRedirect,
|
||||
}
|
||||
|
||||
impl Default for BaseLoginPage {
|
||||
fn default() -> Self {
|
||||
Self {
|
||||
page_title: "Login",
|
||||
danger: None,
|
||||
success: None,
|
||||
background_image: &AppConfig::get().login_background_image,
|
||||
app_name: APP_NAME,
|
||||
redirect_uri: LoginRedirect::default(),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Template)]
|
||||
#[template(path = "login/login.html")]
|
||||
struct LoginTemplate<'a> {
|
||||
p: BaseLoginPage<'a>,
|
||||
struct LoginTemplate {
|
||||
p: BaseLoginPage,
|
||||
login: String,
|
||||
show_local_login: bool,
|
||||
providers: Vec<Provider>,
|
||||
}
|
||||
|
||||
#[derive(Template)]
|
||||
#[template(path = "login/password_reset.html")]
|
||||
struct PasswordResetTemplate<'a> {
|
||||
p: BaseLoginPage<'a>,
|
||||
struct PasswordResetTemplate {
|
||||
p: BaseLoginPage,
|
||||
min_pass_len: usize,
|
||||
}
|
||||
|
||||
#[derive(Template)]
|
||||
#[template(path = "login/choose_second_factor.html")]
|
||||
struct ChooseSecondFactorTemplate<'a> {
|
||||
p: BaseLoginPage<'a>,
|
||||
p: BaseLoginPage,
|
||||
user: &'a User,
|
||||
}
|
||||
|
||||
#[derive(Template)]
|
||||
#[template(path = "login/otp_input.html")]
|
||||
struct LoginWithOTPTemplate<'a> {
|
||||
p: BaseLoginPage<'a>,
|
||||
struct LoginWithOTPTemplate {
|
||||
p: BaseLoginPage,
|
||||
}
|
||||
|
||||
#[derive(Template)]
|
||||
#[template(path = "login/webauthn_input.html")]
|
||||
struct LoginWithWebauthnTemplate<'a> {
|
||||
p: BaseLoginPage<'a>,
|
||||
struct LoginWithWebauthnTemplate {
|
||||
p: BaseLoginPage,
|
||||
opaque_state: String,
|
||||
challenge_json: String,
|
||||
}
|
||||
@@ -111,7 +127,7 @@ pub async fn login_route(
|
||||
// Check if user session must be closed
|
||||
if let Some(true) = query.logout {
|
||||
if let Some(id) = id {
|
||||
logger.log(Action::Signout);
|
||||
logger.log(Action::SignOut);
|
||||
id.logout();
|
||||
}
|
||||
success = Some("Goodbye!".to_string());
|
||||
@@ -141,8 +157,10 @@ pub async fn login_route(
|
||||
"Given login could not be processed, because it has an invalid format!".to_string(),
|
||||
);
|
||||
}
|
||||
// Try to authenticate user
|
||||
else if let Some(req) = &req {
|
||||
// Try to authenticate user (local login)
|
||||
else if let Some(req) = &req
|
||||
&& !AppConfig::get().disable_local_login
|
||||
{
|
||||
login.clone_from(&req.login);
|
||||
let response: LoginResult = users
|
||||
.send(users_actor::LocalLoginRequest {
|
||||
@@ -155,14 +173,20 @@ pub async fn login_route(
|
||||
match response {
|
||||
LoginResult::Success(user) => {
|
||||
let status = if user.need_reset_password {
|
||||
logger.log(Action::UserNeedNewPasswordOnLogin(&user));
|
||||
logger.log(Action::UserNeedNewPasswordOnLogin {
|
||||
user: user.loggable(),
|
||||
});
|
||||
SessionStatus::NeedNewPassword
|
||||
} else if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0)
|
||||
{
|
||||
logger.log(Action::UserNeed2FAOnLogin(&user));
|
||||
logger.log(Action::UserNeed2FAOnLogin {
|
||||
user: user.loggable(),
|
||||
});
|
||||
SessionStatus::Need2FA
|
||||
} else {
|
||||
logger.log(Action::UserSuccessfullyAuthenticated(&user));
|
||||
logger.log(Action::UserSuccessfullyAuthenticated {
|
||||
user: user.loggable(),
|
||||
});
|
||||
SessionStatus::SignedIn
|
||||
};
|
||||
|
||||
@@ -172,7 +196,7 @@ pub async fn login_route(
|
||||
|
||||
LoginResult::AccountDisabled => {
|
||||
log::warn!("Failed login for username {} : account is disabled", &login);
|
||||
logger.log(Action::TryLoginWithDisabledAccount(&login));
|
||||
logger.log(Action::TryLoginWithDisabledAccount { login: &login });
|
||||
danger = Some("Your account is disabled!".to_string());
|
||||
}
|
||||
|
||||
@@ -181,7 +205,7 @@ pub async fn login_route(
|
||||
"Failed login for username {} : attempted to use local auth, but it is forbidden",
|
||||
&login
|
||||
);
|
||||
logger.log(Action::TryLocalLoginFromUnauthorizedAccount(&login));
|
||||
logger.log(Action::TryLocalLoginFromUnauthorizedAccount { login: &login });
|
||||
danger = Some("You cannot login from local auth with your account!".to_string());
|
||||
}
|
||||
|
||||
@@ -190,13 +214,8 @@ pub async fn login_route(
|
||||
}
|
||||
|
||||
c => {
|
||||
log::warn!(
|
||||
"Failed login for ip {:?} / username {}: {:?}",
|
||||
remote_ip,
|
||||
login,
|
||||
c
|
||||
);
|
||||
logger.log(Action::FailedLoginWithBadCredentials(&login));
|
||||
log::warn!("Failed login for ip {remote_ip:?} / username {login}: {c:?}");
|
||||
logger.log(Action::FailedLoginWithBadCredentials { login: &login });
|
||||
danger = Some("Login failed.".to_string());
|
||||
|
||||
bruteforce
|
||||
@@ -208,6 +227,10 @@ pub async fn login_route(
|
||||
}
|
||||
}
|
||||
}
|
||||
// If there is only a single provider, trigger auto-login
|
||||
else if AppConfig::get().disable_local_login && providers.len() == 1 {
|
||||
return redirect_user(&providers.cloned()[0].login_url(&query.redirect));
|
||||
}
|
||||
|
||||
HttpResponse::Ok().content_type("text/html").body(
|
||||
LoginTemplate {
|
||||
@@ -215,10 +238,11 @@ pub async fn login_route(
|
||||
page_title: "Login",
|
||||
danger,
|
||||
success,
|
||||
app_name: APP_NAME,
|
||||
redirect_uri: &query.redirect,
|
||||
redirect_uri: query.0.redirect,
|
||||
..Default::default()
|
||||
},
|
||||
login,
|
||||
show_local_login: !AppConfig::get().disable_local_login,
|
||||
providers: providers.cloned(),
|
||||
}
|
||||
.render()
|
||||
@@ -277,7 +301,7 @@ pub async fn reset_password_route(
|
||||
danger = Some("Failed to change password!".to_string());
|
||||
} else {
|
||||
SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
|
||||
logger.log(Action::UserChangedPasswordOnLogin(&user_id));
|
||||
logger.log(Action::UserChangedPasswordOnLogin { user_id: &user_id });
|
||||
return redirect_user(query.redirect.get());
|
||||
}
|
||||
}
|
||||
@@ -288,9 +312,8 @@ pub async fn reset_password_route(
|
||||
p: BaseLoginPage {
|
||||
page_title: "Password reset",
|
||||
danger,
|
||||
success: None,
|
||||
app_name: APP_NAME,
|
||||
redirect_uri: &query.redirect,
|
||||
redirect_uri: query.0.redirect,
|
||||
..Default::default()
|
||||
},
|
||||
min_pass_len: MIN_PASS_LEN,
|
||||
}
|
||||
@@ -338,10 +361,8 @@ pub async fn choose_2fa_method(
|
||||
ChooseSecondFactorTemplate {
|
||||
p: BaseLoginPage {
|
||||
page_title: "Two factor authentication",
|
||||
danger: None,
|
||||
success: None,
|
||||
app_name: APP_NAME,
|
||||
redirect_uri: &query.redirect,
|
||||
redirect_uri: query.0.redirect,
|
||||
..Default::default()
|
||||
},
|
||||
user: &user,
|
||||
}
|
||||
@@ -400,7 +421,7 @@ pub async fn login_with_otp(
|
||||
{
|
||||
logger.log(Action::OTPLoginAttempt {
|
||||
success: false,
|
||||
user: &user,
|
||||
user: user.loggable(),
|
||||
});
|
||||
danger = Some("Specified code is invalid!".to_string());
|
||||
} else {
|
||||
@@ -417,7 +438,7 @@ pub async fn login_with_otp(
|
||||
session.set_status(&http_req, SessionStatus::SignedIn);
|
||||
logger.log(Action::OTPLoginAttempt {
|
||||
success: true,
|
||||
user: &user,
|
||||
user: user.loggable(),
|
||||
});
|
||||
return redirect_user(query.redirect.get());
|
||||
}
|
||||
@@ -429,8 +450,8 @@ pub async fn login_with_otp(
|
||||
danger,
|
||||
success: None,
|
||||
page_title: "Two-Factor Auth",
|
||||
app_name: APP_NAME,
|
||||
redirect_uri: &query.redirect,
|
||||
redirect_uri: query.0.redirect,
|
||||
..Default::default()
|
||||
},
|
||||
}
|
||||
.render()
|
||||
@@ -474,7 +495,7 @@ pub async fn login_with_webauthn(
|
||||
let challenge = match manager.start_authentication(&user.uid, &pub_keys) {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
log::error!("Failed to generate webauthn challenge! {:?}", e);
|
||||
log::error!("Failed to generate webauthn challenge! {e:?}");
|
||||
return HttpResponse::InternalServerError().body(build_fatal_error_page(
|
||||
"Failed to generate webauthn challenge",
|
||||
));
|
||||
@@ -484,7 +505,7 @@ pub async fn login_with_webauthn(
|
||||
let challenge_json = match serde_json::to_string(&challenge.login_challenge) {
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
log::error!("Failed to serialize challenge! {:?}", e);
|
||||
log::error!("Failed to serialize challenge! {e:?}");
|
||||
return HttpResponse::InternalServerError().body("Failed to serialize challenge!");
|
||||
}
|
||||
};
|
||||
@@ -492,11 +513,9 @@ pub async fn login_with_webauthn(
|
||||
HttpResponse::Ok().body(
|
||||
LoginWithWebauthnTemplate {
|
||||
p: BaseLoginPage {
|
||||
danger: None,
|
||||
success: None,
|
||||
page_title: "Two-Factor Auth",
|
||||
app_name: APP_NAME,
|
||||
redirect_uri: &query.redirect,
|
||||
redirect_uri: query.0.redirect,
|
||||
..Default::default()
|
||||
},
|
||||
opaque_state: challenge.opaque_state,
|
||||
challenge_json: urlencoding::encode(&challenge_json).to_string(),
|
||||
|
||||
@@ -111,12 +111,7 @@ pub struct AuthorizeQuery {
|
||||
}
|
||||
|
||||
fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> HttpResponse {
|
||||
log::warn!(
|
||||
"Failed to process sign in request ({} => {}): {:?}",
|
||||
error,
|
||||
description,
|
||||
query
|
||||
);
|
||||
log::warn!("Failed to process sign in request ({error} => {description}): {query:?}");
|
||||
HttpResponse::Found()
|
||||
.append_header((
|
||||
"Location",
|
||||
@@ -243,8 +238,8 @@ pub async fn authorize(
|
||||
.await
|
||||
.unwrap();
|
||||
|
||||
log::trace!("New OpenID session: {:#?}", session);
|
||||
logger.log(Action::NewOpenIDSession { client: &client });
|
||||
log::trace!("New OpenID session: {session:#?}");
|
||||
logger.log(Action::NewOpenIDSession { client: &client.id });
|
||||
|
||||
Ok(HttpResponse::Found()
|
||||
.append_header((
|
||||
@@ -278,7 +273,7 @@ pub async fn authorize(
|
||||
};
|
||||
|
||||
log::trace!("New OpenID id token: {:#?}", &id_token);
|
||||
logger.log(Action::NewOpenIDSuccessfulImplicitAuth { client: &client });
|
||||
logger.log(Action::NewOpenIDSuccessfulImplicitAuth { client: &client.id });
|
||||
|
||||
Ok(HttpResponse::Found()
|
||||
.append_header((
|
||||
@@ -319,12 +314,7 @@ struct ErrorResponse {
|
||||
}
|
||||
|
||||
pub fn error_response<D: Debug>(query: &D, error: &str, description: &str) -> HttpResponse {
|
||||
log::warn!(
|
||||
"request failed: {} - {} => '{:#?}'",
|
||||
error,
|
||||
description,
|
||||
query
|
||||
);
|
||||
log::warn!("request failed: {error} - {description} => '{query:#?}'");
|
||||
HttpResponse::BadRequest().json(ErrorResponse {
|
||||
error: error.to_string(),
|
||||
error_description: description.to_string(),
|
||||
@@ -389,7 +379,7 @@ pub async fn token(
|
||||
let decode = String::from_utf8_lossy(&match BASE64_STANDARD.decode(token) {
|
||||
Ok(d) => d,
|
||||
Err(e) => {
|
||||
log::error!("Failed to decode authorization header: {:?}", e);
|
||||
log::error!("Failed to decode authorization header: {e:?}");
|
||||
return Ok(error_response(
|
||||
&query,
|
||||
"invalid_request",
|
||||
|
||||
@@ -1,16 +1,10 @@
|
||||
use std::sync::Arc;
|
||||
|
||||
use actix::Addr;
|
||||
use actix_identity::Identity;
|
||||
use actix_remote_ip::RemoteIP;
|
||||
use actix_web::{HttpRequest, HttpResponse, Responder, web};
|
||||
use askama::Template;
|
||||
|
||||
use crate::actors::bruteforce_actor::BruteForceActor;
|
||||
use crate::actors::providers_states_actor::{ProviderLoginState, ProvidersStatesActor};
|
||||
use crate::actors::users_actor::{LoginResult, UsersActor};
|
||||
use crate::actors::{bruteforce_actor, providers_states_actor, users_actor};
|
||||
use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS};
|
||||
use crate::constants::MAX_FAILED_LOGIN_ATTEMPTS;
|
||||
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
|
||||
use crate::controllers::login_controller::BaseLoginPage;
|
||||
use crate::data::action_logger::{Action, ActionLogger};
|
||||
@@ -18,11 +12,16 @@ use crate::data::login_redirect::LoginRedirect;
|
||||
use crate::data::provider::{ProviderID, ProvidersManager};
|
||||
use crate::data::provider_configuration::ProviderConfigurationHelper;
|
||||
use crate::data::session_identity::{SessionIdentity, SessionStatus};
|
||||
use actix::Addr;
|
||||
use actix_identity::Identity;
|
||||
use actix_remote_ip::RemoteIP;
|
||||
use actix_web::{HttpRequest, HttpResponse, Responder, web};
|
||||
use askama::Template;
|
||||
|
||||
#[derive(askama::Template)]
|
||||
#[template(path = "login/prov_login_error.html")]
|
||||
struct ProviderLoginError<'a> {
|
||||
p: BaseLoginPage<'a>,
|
||||
p: BaseLoginPage,
|
||||
message: &'a str,
|
||||
}
|
||||
|
||||
@@ -30,11 +29,9 @@ impl<'a> ProviderLoginError<'a> {
|
||||
pub fn get(message: &'a str, redirect_uri: &'a LoginRedirect) -> HttpResponse {
|
||||
let body = Self {
|
||||
p: BaseLoginPage {
|
||||
danger: None,
|
||||
success: None,
|
||||
page_title: "Upstream login",
|
||||
app_name: APP_NAME,
|
||||
redirect_uri,
|
||||
redirect_uri: redirect_uri.clone(),
|
||||
..Default::default()
|
||||
},
|
||||
message,
|
||||
}
|
||||
@@ -96,14 +93,14 @@ pub async fn start_login(
|
||||
let config = match ProviderConfigurationHelper::get_configuration(&provider).await {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
log::error!("Failed to load provider configuration! {}", e);
|
||||
log::error!("Failed to load provider configuration! {e}");
|
||||
return HttpResponse::InternalServerError().body(build_fatal_error_page(
|
||||
"Failed to load provider configuration!",
|
||||
));
|
||||
}
|
||||
};
|
||||
|
||||
log::debug!("Provider configuration: {:?}", config);
|
||||
log::debug!("Provider configuration: {config:?}");
|
||||
|
||||
let url = config.auth_url(&provider, &state);
|
||||
log::debug!("Redirect user on {url} for authentication",);
|
||||
@@ -210,7 +207,7 @@ pub async fn finish_login(
|
||||
let provider_config = match ProviderConfigurationHelper::get_configuration(&provider).await {
|
||||
Ok(c) => c,
|
||||
Err(e) => {
|
||||
log::error!("Failed to load provider configuration! {}", e);
|
||||
log::error!("Failed to load provider configuration! {e}");
|
||||
return HttpResponse::InternalServerError().body(build_fatal_error_page(
|
||||
"Failed to load provider configuration!",
|
||||
));
|
||||
@@ -222,7 +219,7 @@ pub async fn finish_login(
|
||||
let token = match token {
|
||||
Ok(t) => t,
|
||||
Err(e) => {
|
||||
log::error!("Failed to retrieve login token! {:?}", e);
|
||||
log::error!("Failed to retrieve login token! {e:?}");
|
||||
|
||||
bruteforce
|
||||
.send(bruteforce_actor::RecordFailedAttempt {
|
||||
@@ -247,7 +244,7 @@ pub async fn finish_login(
|
||||
let user_info = match provider_config.get_userinfo(&token).await {
|
||||
Ok(info) => info,
|
||||
Err(e) => {
|
||||
log::error!("Failed to retrieve user information! {:?}", e);
|
||||
log::error!("Failed to retrieve user information! {e:?}");
|
||||
|
||||
logger.log(Action::ProviderFailedGetUserInfo {
|
||||
provider: &provider,
|
||||
@@ -275,7 +272,7 @@ pub async fn finish_login(
|
||||
}
|
||||
|
||||
// Check if email was provided by the userinfo endpoint
|
||||
let email = match user_info.email {
|
||||
let email = match &user_info.email {
|
||||
Some(e) => e,
|
||||
None => {
|
||||
logger.log(Action::ProviderMissingEmailInResponse {
|
||||
@@ -295,6 +292,7 @@ pub async fn finish_login(
|
||||
let result: LoginResult = users
|
||||
.send(users_actor::ProviderLoginRequest {
|
||||
email: email.clone(),
|
||||
user_info: user_info.clone(),
|
||||
provider: provider.clone(),
|
||||
})
|
||||
.await
|
||||
@@ -302,6 +300,13 @@ pub async fn finish_login(
|
||||
|
||||
let user = match result {
|
||||
LoginResult::Success(u) => u,
|
||||
LoginResult::AccountAutoCreated(u) => {
|
||||
logger.log(Action::ProviderAccountAutoCreated {
|
||||
provider: &provider,
|
||||
user: u.loggable(),
|
||||
});
|
||||
u
|
||||
}
|
||||
LoginResult::AccountNotFound => {
|
||||
logger.log(Action::ProviderAccountNotFound {
|
||||
provider: &provider,
|
||||
@@ -357,14 +362,18 @@ pub async fn finish_login(
|
||||
|
||||
logger.log(Action::ProviderLoginSuccessful {
|
||||
provider: &provider,
|
||||
user: &user,
|
||||
user: user.loggable(),
|
||||
});
|
||||
|
||||
let status = if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0) {
|
||||
logger.log(Action::UserNeed2FAOnLogin(&user));
|
||||
logger.log(Action::UserNeed2FAOnLogin {
|
||||
user: user.loggable(),
|
||||
});
|
||||
SessionStatus::Need2FA
|
||||
} else {
|
||||
logger.log(Action::UserSuccessfullyAuthenticated(&user));
|
||||
logger.log(Action::UserSuccessfullyAuthenticated {
|
||||
user: user.loggable(),
|
||||
});
|
||||
SessionStatus::SignedIn
|
||||
};
|
||||
|
||||
|
||||
@@ -18,6 +18,7 @@ pub(crate) struct BaseSettingsPage<'a> {
|
||||
pub success_message: Option<String>,
|
||||
pub page_title: &'static str,
|
||||
pub app_name: &'static str,
|
||||
pub local_login_enabled: bool,
|
||||
pub user: &'a User,
|
||||
pub version: &'static str,
|
||||
pub ip_location_api: Option<&'static str>,
|
||||
@@ -37,6 +38,7 @@ impl<'a> BaseSettingsPage<'a> {
|
||||
app_name: APP_NAME,
|
||||
user,
|
||||
version: env!("CARGO_PKG_VERSION"),
|
||||
local_login_enabled: !AppConfig::get().disable_local_login,
|
||||
ip_location_api: AppConfig::get().ip_location_service.as_deref(),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
use actix::Addr;
|
||||
use actix_web::{HttpResponse, Responder, web};
|
||||
use uuid::Uuid;
|
||||
use webauthn_rs::prelude::RegisterPublicKeyCredential;
|
||||
|
||||
use crate::actors::users_actor;
|
||||
@@ -53,11 +52,13 @@ pub async fn save_totp_factor(
|
||||
}
|
||||
|
||||
let factor = TwoFactor {
|
||||
id: FactorID(Uuid::new_v4().to_string()),
|
||||
id: FactorID::random(),
|
||||
name: factor_name,
|
||||
kind: TwoFactorType::TOTP(key),
|
||||
};
|
||||
logger.log(Action::AddNewFactor(&factor));
|
||||
logger.log(Action::AddNewFactor {
|
||||
factor: factor.loggable(),
|
||||
});
|
||||
|
||||
let res = users
|
||||
.send(users_actor::Add2FAFactor(user.uid.clone(), factor))
|
||||
@@ -94,17 +95,19 @@ pub async fn save_webauthn_factor(
|
||||
let key = match manager.finish_registration(&user, &form.0.opaque_state, form.0.credential) {
|
||||
Ok(k) => k,
|
||||
Err(e) => {
|
||||
log::error!("Failed to register security key! {:?}", e);
|
||||
log::error!("Failed to register security key! {e:?}");
|
||||
return HttpResponse::InternalServerError().body("Failed to register key!");
|
||||
}
|
||||
};
|
||||
|
||||
let factor = TwoFactor {
|
||||
id: FactorID(Uuid::new_v4().to_string()),
|
||||
id: FactorID::random(),
|
||||
name: factor_name,
|
||||
kind: TwoFactorType::WEBAUTHN(Box::new(key)),
|
||||
};
|
||||
logger.log(Action::AddNewFactor(&factor));
|
||||
logger.log(Action::AddNewFactor {
|
||||
factor: factor.loggable(),
|
||||
});
|
||||
|
||||
let res = users
|
||||
.send(users_actor::Add2FAFactor(user.uid.clone(), factor))
|
||||
|
||||
@@ -68,7 +68,7 @@ pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser)
|
||||
let qr_code = match qr_code {
|
||||
Ok(q) => q,
|
||||
Err(e) => {
|
||||
log::error!("Failed to generate QrCode! {:?}", e);
|
||||
log::error!("Failed to generate QrCode! {e:?}");
|
||||
return HttpResponse::InternalServerError().body("Failed to generate QrCode!");
|
||||
}
|
||||
};
|
||||
@@ -95,7 +95,7 @@ pub async fn add_webauthn_factor_route(
|
||||
let registration_request = match manager.start_register(&user) {
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
log::error!("Failed to request new key! {:?}", e);
|
||||
log::error!("Failed to request new key! {e:?}");
|
||||
return HttpResponse::InternalServerError()
|
||||
.body("Failed to generate request for registration!");
|
||||
}
|
||||
@@ -104,7 +104,7 @@ pub async fn add_webauthn_factor_route(
|
||||
let challenge_json = match serde_json::to_string(®istration_request.creation_challenge) {
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
log::error!("Failed to serialize challenge! {:?}", e);
|
||||
log::error!("Failed to serialize challenge! {e:?}");
|
||||
return HttpResponse::InternalServerError().body("Failed to serialize challenge!");
|
||||
}
|
||||
};
|
||||
|
||||
@@ -11,21 +11,113 @@ use actix_web::{Error, FromRequest, HttpRequest, web};
|
||||
use crate::actors::providers_states_actor::ProviderLoginState;
|
||||
use crate::actors::users_actor;
|
||||
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor};
|
||||
use crate::data::client::Client;
|
||||
use crate::data::app_config::{ActionLoggerFormat, AppConfig};
|
||||
use crate::data::client::ClientID;
|
||||
use crate::data::provider::{Provider, ProviderID};
|
||||
|
||||
use crate::data::session_identity::SessionIdentity;
|
||||
use crate::data::user::{FactorID, GrantedClients, TwoFactor, User, UserID};
|
||||
use crate::data::user::{FactorID, GrantedClients, TwoFactor, TwoFactorType, User, UserID};
|
||||
use crate::utils::time::time;
|
||||
|
||||
#[derive(serde::Serialize)]
|
||||
pub struct LoggableUser {
|
||||
pub uid: UserID,
|
||||
pub username: String,
|
||||
pub email: String,
|
||||
pub admin: bool,
|
||||
}
|
||||
|
||||
impl LoggableUser {
|
||||
pub fn quick_identity(&self) -> String {
|
||||
format!(
|
||||
"{} {} {} ({:?})",
|
||||
match self.admin {
|
||||
true => "admin",
|
||||
false => "user",
|
||||
},
|
||||
self.username,
|
||||
self.email,
|
||||
self.uid
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
impl User {
|
||||
pub fn loggable(&self) -> LoggableUser {
|
||||
LoggableUser {
|
||||
uid: self.uid.clone(),
|
||||
username: self.username.clone(),
|
||||
email: self.email.clone(),
|
||||
admin: self.admin,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, serde::Serialize)]
|
||||
pub enum LoggableFactorType {
|
||||
TOTP,
|
||||
WEBAUTHN,
|
||||
}
|
||||
|
||||
#[derive(serde::Serialize)]
|
||||
pub struct LoggableFactor {
|
||||
pub id: FactorID,
|
||||
pub name: String,
|
||||
pub kind: LoggableFactorType,
|
||||
}
|
||||
|
||||
impl LoggableFactor {
|
||||
pub fn quick_description(&self) -> String {
|
||||
format!(
|
||||
"#{} of type {:?} and name '{}'",
|
||||
self.id.0, self.kind, self.name
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
impl TwoFactor {
|
||||
pub fn loggable(&self) -> LoggableFactor {
|
||||
LoggableFactor {
|
||||
id: self.id.clone(),
|
||||
name: self.name.to_string(),
|
||||
kind: match self.kind {
|
||||
TwoFactorType::TOTP(_) => LoggableFactorType::TOTP,
|
||||
TwoFactorType::WEBAUTHN(_) => LoggableFactorType::WEBAUTHN,
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(serde::Serialize)]
|
||||
#[serde(tag = "type")]
|
||||
pub enum Action<'a> {
|
||||
AdminCreateUser(&'a User),
|
||||
AdminUpdateUser(&'a User),
|
||||
AdminDeleteUser(&'a User),
|
||||
AdminResetUserPassword(&'a User),
|
||||
AdminRemoveUserFactor(&'a User, &'a TwoFactor),
|
||||
AdminSetAuthorizedAuthenticationSources(&'a User, &'a AuthorizedAuthenticationSources),
|
||||
AdminSetNewGrantedClientsList(&'a User, &'a GrantedClients),
|
||||
AdminClear2FAHistory(&'a User),
|
||||
AdminCreateUser {
|
||||
user: LoggableUser,
|
||||
},
|
||||
AdminUpdateUser {
|
||||
user: LoggableUser,
|
||||
},
|
||||
AdminDeleteUser {
|
||||
user: LoggableUser,
|
||||
},
|
||||
AdminResetUserPassword {
|
||||
user: LoggableUser,
|
||||
},
|
||||
AdminRemoveUserFactor {
|
||||
user: LoggableUser,
|
||||
factor: LoggableFactor,
|
||||
},
|
||||
AdminSetAuthorizedAuthenticationSources {
|
||||
user: LoggableUser,
|
||||
sources: &'a AuthorizedAuthenticationSources,
|
||||
},
|
||||
AdminSetNewGrantedClientsList {
|
||||
user: LoggableUser,
|
||||
clients: &'a GrantedClients,
|
||||
},
|
||||
AdminClear2FAHistory {
|
||||
user: LoggableUser,
|
||||
},
|
||||
LoginWebauthnAttempt {
|
||||
success: bool,
|
||||
user_id: UserID,
|
||||
@@ -58,6 +150,10 @@ pub enum Action<'a> {
|
||||
provider: &'a Provider,
|
||||
email: &'a str,
|
||||
},
|
||||
ProviderAccountAutoCreated {
|
||||
provider: &'a Provider,
|
||||
user: LoggableUser,
|
||||
},
|
||||
ProviderAccountDisabled {
|
||||
provider: &'a Provider,
|
||||
email: &'a str,
|
||||
@@ -73,29 +169,45 @@ pub enum Action<'a> {
|
||||
},
|
||||
ProviderLoginSuccessful {
|
||||
provider: &'a Provider,
|
||||
user: &'a User,
|
||||
user: LoggableUser,
|
||||
},
|
||||
SignOut,
|
||||
UserNeed2FAOnLogin {
|
||||
user: LoggableUser,
|
||||
},
|
||||
UserSuccessfullyAuthenticated {
|
||||
user: LoggableUser,
|
||||
},
|
||||
UserNeedNewPasswordOnLogin {
|
||||
user: LoggableUser,
|
||||
},
|
||||
TryLoginWithDisabledAccount {
|
||||
login: &'a str,
|
||||
},
|
||||
TryLocalLoginFromUnauthorizedAccount {
|
||||
login: &'a str,
|
||||
},
|
||||
FailedLoginWithBadCredentials {
|
||||
login: &'a str,
|
||||
},
|
||||
UserChangedPasswordOnLogin {
|
||||
user_id: &'a UserID,
|
||||
},
|
||||
Signout,
|
||||
UserNeed2FAOnLogin(&'a User),
|
||||
UserSuccessfullyAuthenticated(&'a User),
|
||||
UserNeedNewPasswordOnLogin(&'a User),
|
||||
TryLoginWithDisabledAccount(&'a str),
|
||||
TryLocalLoginFromUnauthorizedAccount(&'a str),
|
||||
FailedLoginWithBadCredentials(&'a str),
|
||||
UserChangedPasswordOnLogin(&'a UserID),
|
||||
OTPLoginAttempt {
|
||||
user: &'a User,
|
||||
user: LoggableUser,
|
||||
success: bool,
|
||||
},
|
||||
NewOpenIDSession {
|
||||
client: &'a Client,
|
||||
client: &'a ClientID,
|
||||
},
|
||||
NewOpenIDSuccessfulImplicitAuth {
|
||||
client: &'a Client,
|
||||
client: &'a ClientID,
|
||||
},
|
||||
ChangedHisPassword,
|
||||
ClearedHisLoginHistory,
|
||||
AddNewFactor(&'a TwoFactor),
|
||||
AddNewFactor {
|
||||
factor: LoggableFactor,
|
||||
},
|
||||
Removed2FAFactor {
|
||||
factor_id: &'a FactorID,
|
||||
},
|
||||
@@ -104,35 +216,35 @@ pub enum Action<'a> {
|
||||
impl Action<'_> {
|
||||
pub fn as_string(&self) -> String {
|
||||
match self {
|
||||
Action::AdminDeleteUser(user) => {
|
||||
Action::AdminDeleteUser { user } => {
|
||||
format!("deleted account of {}", user.quick_identity())
|
||||
}
|
||||
Action::AdminCreateUser(user) => {
|
||||
Action::AdminCreateUser { user } => {
|
||||
format!("created account of {}", user.quick_identity())
|
||||
}
|
||||
Action::AdminUpdateUser(user) => {
|
||||
Action::AdminUpdateUser { user } => {
|
||||
format!("updated account of {}", user.quick_identity())
|
||||
}
|
||||
Action::AdminResetUserPassword(user) => {
|
||||
Action::AdminResetUserPassword { user } => {
|
||||
format!(
|
||||
"set a temporary password for the account of {}",
|
||||
user.quick_identity()
|
||||
)
|
||||
}
|
||||
Action::AdminRemoveUserFactor(user, factor) => format!(
|
||||
Action::AdminRemoveUserFactor { user, factor } => format!(
|
||||
"removed 2 factor ({}) of user ({})",
|
||||
factor.quick_description(),
|
||||
user.quick_identity()
|
||||
),
|
||||
Action::AdminClear2FAHistory(user) => {
|
||||
Action::AdminClear2FAHistory { user } => {
|
||||
format!("cleared 2FA history of {}", user.quick_identity())
|
||||
}
|
||||
Action::AdminSetAuthorizedAuthenticationSources(user, sources) => format!(
|
||||
Action::AdminSetAuthorizedAuthenticationSources { user, sources } => format!(
|
||||
"update authorized authentication sources ({:?}) for user ({})",
|
||||
sources,
|
||||
user.quick_identity()
|
||||
),
|
||||
Action::AdminSetNewGrantedClientsList(user, clients) => format!(
|
||||
Action::AdminSetNewGrantedClientsList { user, clients } => format!(
|
||||
"set new granted clients list ({:?}) for user ({})",
|
||||
clients,
|
||||
user.quick_identity()
|
||||
@@ -156,8 +268,7 @@ impl Action<'_> {
|
||||
.to_string()
|
||||
}
|
||||
Action::ProviderFailedGetToken { state, code } => format!(
|
||||
"could not complete login from provider because the id_token could not be retrieved! (state={:?} code = {code})",
|
||||
state
|
||||
"could not complete login from provider because the id_token could not be retrieved! (state={state:?} code = {code})"
|
||||
),
|
||||
Action::ProviderFailedGetUserInfo { provider } => format!(
|
||||
"could not get user information from userinfo endpoint of provider {}!",
|
||||
@@ -175,6 +286,11 @@ impl Action<'_> {
|
||||
"could not login using provider {} because the email {email} could not be associated to any account!",
|
||||
&provider.id.0
|
||||
),
|
||||
Action::ProviderAccountAutoCreated { provider, user } => format!(
|
||||
"triggered automatic account creation for {} from provider {} because it was not found in local accounts list!",
|
||||
user.quick_identity(),
|
||||
&provider.id.0
|
||||
),
|
||||
Action::ProviderAccountDisabled { provider, email } => format!(
|
||||
"could not login using provider {} because the account associated to the email {email} is disabled!",
|
||||
&provider.id.0
|
||||
@@ -192,32 +308,32 @@ impl Action<'_> {
|
||||
provider.id.0,
|
||||
user.quick_identity()
|
||||
),
|
||||
Action::Signout => "signed out".to_string(),
|
||||
Action::UserNeed2FAOnLogin(user) => {
|
||||
Action::SignOut => "signed out".to_string(),
|
||||
Action::UserNeed2FAOnLogin { user } => {
|
||||
format!(
|
||||
"successfully authenticated as user {:?} but need to do 2FA authentication",
|
||||
user.quick_identity()
|
||||
)
|
||||
}
|
||||
Action::UserSuccessfullyAuthenticated(user) => {
|
||||
Action::UserSuccessfullyAuthenticated { user } => {
|
||||
format!("successfully authenticated as {}", user.quick_identity())
|
||||
}
|
||||
Action::UserNeedNewPasswordOnLogin(user) => format!(
|
||||
Action::UserNeedNewPasswordOnLogin { user } => format!(
|
||||
"successfully authenticated as {}, but need to set a new password",
|
||||
user.quick_identity()
|
||||
),
|
||||
Action::TryLoginWithDisabledAccount(login) => {
|
||||
Action::TryLoginWithDisabledAccount { login } => {
|
||||
format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT")
|
||||
}
|
||||
Action::TryLocalLoginFromUnauthorizedAccount(login) => {
|
||||
Action::TryLocalLoginFromUnauthorizedAccount { login } => {
|
||||
format!(
|
||||
"successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!"
|
||||
)
|
||||
}
|
||||
Action::FailedLoginWithBadCredentials(login) => {
|
||||
Action::FailedLoginWithBadCredentials { login } => {
|
||||
format!("attempted to authenticate as {login} but with a WRONG PASSWORD")
|
||||
}
|
||||
Action::UserChangedPasswordOnLogin(user_id) => {
|
||||
Action::UserChangedPasswordOnLogin { user_id } => {
|
||||
format!("set a new password at login as user {user_id:?}")
|
||||
}
|
||||
Action::OTPLoginAttempt { user, success } => match success {
|
||||
@@ -231,15 +347,15 @@ impl Action<'_> {
|
||||
),
|
||||
},
|
||||
Action::NewOpenIDSession { client } => {
|
||||
format!("opened a new OpenID session with {:?}", client.id)
|
||||
format!("opened a new OpenID session with {:?}", client)
|
||||
}
|
||||
Action::NewOpenIDSuccessfulImplicitAuth { client } => format!(
|
||||
"finished an implicit flow connection for client {:?}",
|
||||
client.id
|
||||
client
|
||||
),
|
||||
Action::ChangedHisPassword => "changed his password".to_string(),
|
||||
Action::ClearedHisLoginHistory => "cleared his login history".to_string(),
|
||||
Action::AddNewFactor(factor) => format!(
|
||||
Action::AddNewFactor { factor } => format!(
|
||||
"added a new factor to his account : {}",
|
||||
factor.quick_description(),
|
||||
),
|
||||
@@ -248,6 +364,15 @@ impl Action<'_> {
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(serde::Serialize)]
|
||||
struct JsonActionData<'a> {
|
||||
time: u64,
|
||||
ip: IpAddr,
|
||||
user: Option<LoggableUser>,
|
||||
#[serde(flatten)]
|
||||
action: Action<'a>,
|
||||
}
|
||||
|
||||
pub struct ActionLogger {
|
||||
ip: IpAddr,
|
||||
user: Option<User>,
|
||||
@@ -255,15 +380,27 @@ pub struct ActionLogger {
|
||||
|
||||
impl ActionLogger {
|
||||
pub fn log(&self, action: Action) {
|
||||
log::info!(
|
||||
match AppConfig::get().action_logger_format {
|
||||
ActionLoggerFormat::Text => log::info!(
|
||||
"{} from {} has {}",
|
||||
match &self.user {
|
||||
None => "Anonymous user".to_string(),
|
||||
Some(u) => u.quick_identity(),
|
||||
Some(u) => u.loggable().quick_identity(),
|
||||
},
|
||||
self.ip,
|
||||
action.as_string()
|
||||
)
|
||||
),
|
||||
ActionLoggerFormat::Json => match serde_json::to_string(&JsonActionData {
|
||||
time: time(),
|
||||
ip: self.ip,
|
||||
user: self.user.as_ref().map(User::loggable),
|
||||
action,
|
||||
}) {
|
||||
Ok(j) => println!("{j}"),
|
||||
Err(e) => log::error!("Failed to serialize event to JSON! {e}"),
|
||||
},
|
||||
ActionLoggerFormat::None => {}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -6,6 +6,15 @@ use crate::constants::{
|
||||
APP_NAME, CLIENTS_LIST_FILE, OIDC_PROVIDER_CB_URI, PROVIDERS_LIST_FILE, USERS_LIST_FILE,
|
||||
};
|
||||
|
||||
/// Action logger format
|
||||
#[derive(Copy, Clone, Eq, PartialEq, Debug, clap::ValueEnum, Default)]
|
||||
pub enum ActionLoggerFormat {
|
||||
#[default]
|
||||
Text,
|
||||
Json,
|
||||
None,
|
||||
}
|
||||
|
||||
/// Basic OIDC provider
|
||||
#[derive(Parser, Debug, Clone)]
|
||||
#[clap(author, version, about, long_about = None)]
|
||||
@@ -18,6 +27,14 @@ pub struct AppConfig {
|
||||
#[clap(short, long, env)]
|
||||
pub storage_path: String,
|
||||
|
||||
/// Overwrite clients list file path, if the file is not to be found in storage path
|
||||
#[clap(long, env)]
|
||||
pub clients_list_file_path: Option<String>,
|
||||
|
||||
/// Overwrite providers list file path, if the file is not to be found in storage path
|
||||
#[clap(long, env)]
|
||||
pub providers_list_file_path: Option<String>,
|
||||
|
||||
/// App token token
|
||||
#[clap(short, long, env, default_value = "")]
|
||||
pub token_key: String,
|
||||
@@ -32,11 +49,24 @@ pub struct AppConfig {
|
||||
|
||||
/// IP location service API
|
||||
///
|
||||
/// Up instance of IP location service : https://gitlab.com/pierre42100/iplocationserver
|
||||
/// Operating instance of IP location service : https://gitlab.com/pierre42100/iplocationserver
|
||||
///
|
||||
/// Example: "https://api.geoip.rs"
|
||||
#[arg(long, short, env)]
|
||||
pub ip_location_service: Option<String>,
|
||||
|
||||
/// Action logger output format
|
||||
#[arg(long, env, default_value_t, value_enum)]
|
||||
pub action_logger_format: ActionLoggerFormat,
|
||||
|
||||
/// Login background image
|
||||
#[arg(long, env, default_value = "/assets/img/forest.jpg")]
|
||||
pub login_background_image: String,
|
||||
|
||||
/// Disable local login. If this option is set without any upstream providers set, it will be impossible
|
||||
/// to authenticate
|
||||
#[arg(long, env)]
|
||||
pub disable_local_login: bool,
|
||||
}
|
||||
|
||||
lazy_static::lazy_static! {
|
||||
@@ -71,11 +101,17 @@ impl AppConfig {
|
||||
}
|
||||
|
||||
pub fn clients_file(&self) -> PathBuf {
|
||||
self.storage_path().join(CLIENTS_LIST_FILE)
|
||||
match &self.clients_list_file_path {
|
||||
None => self.storage_path().join(CLIENTS_LIST_FILE),
|
||||
Some(p) => Path::new(p).to_path_buf(),
|
||||
}
|
||||
}
|
||||
|
||||
pub fn providers_file(&self) -> PathBuf {
|
||||
self.storage_path().join(PROVIDERS_LIST_FILE)
|
||||
match &self.providers_list_file_path {
|
||||
None => self.storage_path().join(PROVIDERS_LIST_FILE),
|
||||
Some(p) => Path::new(p).to_path_buf(),
|
||||
}
|
||||
}
|
||||
|
||||
pub fn full_url(&self, uri: &str) -> String {
|
||||
|
||||
@@ -125,7 +125,7 @@ impl Client {
|
||||
|
||||
pub type ClientManager = EntityManager<Client>;
|
||||
|
||||
impl EntityManager<Client> {
|
||||
impl ClientManager {
|
||||
pub fn find_by_id(&self, u: &ClientID) -> Option<Client> {
|
||||
for entry in self.iter() {
|
||||
if entry.id.eq(u) {
|
||||
|
||||
@@ -22,7 +22,7 @@ impl CodeChallenge {
|
||||
encoded.eq(&self.code_challenge)
|
||||
}
|
||||
s => {
|
||||
log::error!("Unknown code challenge method: {}", s);
|
||||
log::error!("Unknown code challenge method: {s}");
|
||||
false
|
||||
}
|
||||
}
|
||||
@@ -40,8 +40,8 @@ mod test {
|
||||
code_challenge: "text1".to_string(),
|
||||
};
|
||||
|
||||
assert_eq!(true, chal.verify_code("text1"));
|
||||
assert_eq!(false, chal.verify_code("text2"));
|
||||
assert!(chal.verify_code("text1"));
|
||||
assert!(!chal.verify_code("text2"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -51,8 +51,8 @@ mod test {
|
||||
code_challenge: "uSOvC48D8TMh6RgW-36XppMlMgys-6KAE_wEIev9W2g".to_string(),
|
||||
};
|
||||
|
||||
assert_eq!(true, chal.verify_code("HIwht3lCHfnsruA+7Sq8NP2mPj5cBZe0Ewf23eK9UQhK4TdCIt3SK7Fr/giCdnfjxYQILOPG2D562emggAa2lA=="));
|
||||
assert_eq!(false, chal.verify_code("text1"));
|
||||
assert!(chal.verify_code("HIwht3lCHfnsruA+7Sq8NP2mPj5cBZe0Ewf23eK9UQhK4TdCIt3SK7Fr/giCdnfjxYQILOPG2D562emggAa2lA=="));
|
||||
assert!(!chal.verify_code("text1"));
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -62,10 +62,7 @@ mod test {
|
||||
code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".to_string(),
|
||||
};
|
||||
|
||||
assert_eq!(
|
||||
true,
|
||||
chal.verify_code("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
|
||||
);
|
||||
assert_eq!(false, chal.verify_code("text1"));
|
||||
assert!(chal.verify_code("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"));
|
||||
assert!(!chal.verify_code("text1"));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -26,6 +26,10 @@ pub struct Provider {
|
||||
///
|
||||
/// (.well-known/openid-configuration endpoint)
|
||||
pub configuration_url: String,
|
||||
|
||||
/// Set to true if accounts on BasicOIDC should be automatically created from this provider
|
||||
#[serde(default)]
|
||||
pub allow_auto_account_creation: bool,
|
||||
}
|
||||
|
||||
impl Provider {
|
||||
@@ -42,6 +46,7 @@ impl Provider {
|
||||
"github" => "/assets/img/brands/github.svg",
|
||||
"microsoft" => "/assets/img/brands/microsoft.svg",
|
||||
"google" => "/assets/img/brands/google.svg",
|
||||
"openid" => "/assets/img/brands/openid.svg",
|
||||
s => s,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -46,7 +46,7 @@ impl SessionIdentity<'_> {
|
||||
.map(|f| match f {
|
||||
Ok(d) => Some(d),
|
||||
Err(e) => {
|
||||
log::warn!("Failed to deserialize session data! {:?}", e);
|
||||
log::warn!("Failed to deserialize session data! {e:?}");
|
||||
None
|
||||
}
|
||||
})
|
||||
@@ -65,7 +65,7 @@ impl SessionIdentity<'_> {
|
||||
|
||||
log::debug!("Will set user session data.");
|
||||
if let Err(e) = Identity::login(&req.extensions(), s) {
|
||||
log::error!("Failed to set session data! {}", e);
|
||||
log::error!("Failed to set session data! {e}");
|
||||
}
|
||||
log::debug!("Did set user session data.");
|
||||
}
|
||||
|
||||
@@ -14,6 +14,12 @@ use crate::utils::time::{fmt_time, time};
|
||||
#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize, Encode, Decode)]
|
||||
pub struct UserID(pub String);
|
||||
|
||||
impl UserID {
|
||||
pub fn random() -> Self {
|
||||
Self(uuid::Uuid::new_v4().to_string())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
pub struct GeneralSettings {
|
||||
pub uid: UserID,
|
||||
@@ -26,7 +32,7 @@ pub struct GeneralSettings {
|
||||
pub is_admin: bool,
|
||||
}
|
||||
|
||||
#[derive(Eq, PartialEq, Clone, Debug)]
|
||||
#[derive(Eq, PartialEq, Clone, Debug, serde::Serialize)]
|
||||
pub enum GrantedClients {
|
||||
AllClients,
|
||||
SomeClients(Vec<ClientID>),
|
||||
@@ -46,6 +52,12 @@ impl GrantedClients {
|
||||
#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
|
||||
pub struct FactorID(pub String);
|
||||
|
||||
impl FactorID {
|
||||
pub fn random() -> Self {
|
||||
Self(uuid::Uuid::new_v4().to_string())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
|
||||
pub enum TwoFactorType {
|
||||
TOTP(TotpKey),
|
||||
@@ -60,15 +72,6 @@ pub struct TwoFactor {
|
||||
}
|
||||
|
||||
impl TwoFactor {
|
||||
pub fn quick_description(&self) -> String {
|
||||
format!(
|
||||
"#{} of type {} and name '{}'",
|
||||
self.id.0,
|
||||
self.type_str(),
|
||||
self.name
|
||||
)
|
||||
}
|
||||
|
||||
pub fn type_str(&self) -> &'static str {
|
||||
match self.kind {
|
||||
TwoFactorType::TOTP(_) => "Authenticator app",
|
||||
@@ -170,19 +173,6 @@ impl User {
|
||||
format!("{} {}", self.first_name, self.last_name)
|
||||
}
|
||||
|
||||
pub fn quick_identity(&self) -> String {
|
||||
format!(
|
||||
"{} {} {} ({:?})",
|
||||
match self.admin {
|
||||
true => "admin",
|
||||
false => "user",
|
||||
},
|
||||
self.username,
|
||||
self.email,
|
||||
self.uid
|
||||
)
|
||||
}
|
||||
|
||||
/// Get the list of sources from which a user can authenticate from
|
||||
pub fn authorized_authentication_sources(&self) -> AuthorizedAuthenticationSources {
|
||||
AuthorizedAuthenticationSources {
|
||||
@@ -317,7 +307,7 @@ impl Eq for User {}
|
||||
impl Default for User {
|
||||
fn default() -> Self {
|
||||
Self {
|
||||
uid: UserID(uuid::Uuid::new_v4().to_string()),
|
||||
uid: UserID::random(),
|
||||
first_name: "".to_string(),
|
||||
last_name: "".to_string(),
|
||||
username: "".to_string(),
|
||||
|
||||
@@ -18,7 +18,7 @@ impl EntityManager<User> {
|
||||
};
|
||||
|
||||
if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) {
|
||||
log::error!("Failed to update user information! {:?}", e);
|
||||
log::error!("Failed to update user information! {e:?}");
|
||||
return Err(e);
|
||||
}
|
||||
|
||||
@@ -31,28 +31,25 @@ fn hash_password<P: AsRef<[u8]>>(pwd: P) -> Res<String> {
|
||||
}
|
||||
|
||||
fn verify_password<P: AsRef<[u8]>>(pwd: P, hash: &str) -> bool {
|
||||
match bcrypt::verify(pwd, hash) {
|
||||
Ok(r) => r,
|
||||
Err(e) => {
|
||||
log::warn!("Failed to verify password! {:?}", e);
|
||||
bcrypt::verify(pwd, hash).unwrap_or_else(|e| {
|
||||
log::warn!("Failed to verify password! {e:?}");
|
||||
false
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
impl UsersSyncBackend for EntityManager<User> {
|
||||
fn find_by_email(&self, u: &str) -> Res<Option<User>> {
|
||||
fn find_by_username_or_email(&self, u: &str) -> Res<Option<User>> {
|
||||
for entry in self.iter() {
|
||||
if entry.email.eq(u) {
|
||||
if entry.username.eq(u) || entry.email.eq(u) {
|
||||
return Ok(Some(entry.clone()));
|
||||
}
|
||||
}
|
||||
Ok(None)
|
||||
}
|
||||
|
||||
fn find_by_username_or_email(&self, u: &str) -> Res<Option<User>> {
|
||||
fn find_by_email(&self, u: &str) -> Res<Option<User>> {
|
||||
for entry in self.iter() {
|
||||
if entry.username.eq(u) || entry.email.eq(u) {
|
||||
if entry.email.eq(u) {
|
||||
return Ok(Some(entry.clone()));
|
||||
}
|
||||
}
|
||||
@@ -74,7 +71,7 @@ impl UsersSyncBackend for EntityManager<User> {
|
||||
|
||||
fn create_user_account(&mut self, settings: GeneralSettings) -> Res<UserID> {
|
||||
let mut user = User {
|
||||
uid: UserID(uuid::Uuid::new_v4().to_string()),
|
||||
uid: UserID::random(),
|
||||
..Default::default()
|
||||
};
|
||||
user.update_general_settings(settings);
|
||||
|
||||
@@ -108,15 +108,11 @@ impl WebAuthManager {
|
||||
) -> Res<WebauthnPubKey> {
|
||||
let state: RegisterKeyOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
|
||||
if state.user_id != user.uid {
|
||||
return Err(Box::new(std::io::Error::other(
|
||||
"Invalid user for pubkey!",
|
||||
)));
|
||||
return Err(Box::new(std::io::Error::other("Invalid user for pubkey!")));
|
||||
}
|
||||
|
||||
if state.expire < time() {
|
||||
return Err(Box::new(std::io::Error::other(
|
||||
"Challenge has expired!",
|
||||
)));
|
||||
return Err(Box::new(std::io::Error::other("Challenge has expired!")));
|
||||
}
|
||||
|
||||
let res = self.core.finish_passkey_registration(
|
||||
@@ -154,15 +150,11 @@ impl WebAuthManager {
|
||||
) -> Res {
|
||||
let state: AuthStateOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
|
||||
if &state.user_id != user_id {
|
||||
return Err(Box::new(std::io::Error::other(
|
||||
"Invalid user for pubkey!",
|
||||
)));
|
||||
return Err(Box::new(std::io::Error::other("Invalid user for pubkey!")));
|
||||
}
|
||||
|
||||
if state.expire < time() {
|
||||
return Err(Box::new(std::io::Error::other(
|
||||
"Challenge has expired!",
|
||||
)));
|
||||
return Err(Box::new(std::io::Error::other("Challenge has expired!")));
|
||||
}
|
||||
|
||||
self.core.finish_passkey_authentication(
|
||||
|
||||
@@ -3,7 +3,7 @@ use std::sync::Arc;
|
||||
|
||||
use actix::Actor;
|
||||
use actix_identity::IdentityMiddleware;
|
||||
use actix_identity::config::LogoutBehaviour;
|
||||
use actix_identity::config::LogoutBehavior;
|
||||
use actix_remote_ip::RemoteIPConfig;
|
||||
use actix_session::SessionMiddleware;
|
||||
use actix_session::storage::CookieSessionStore;
|
||||
@@ -51,7 +51,7 @@ async fn main() -> std::io::Result<()> {
|
||||
|
||||
// Create initial user if required
|
||||
if users.is_empty() {
|
||||
log::info!("Create default {} user", DEFAULT_ADMIN_USERNAME);
|
||||
log::info!("Create default {DEFAULT_ADMIN_USERNAME} user");
|
||||
let default_admin = User {
|
||||
username: DEFAULT_ADMIN_USERNAME.to_string(),
|
||||
authorized_clients: None,
|
||||
@@ -100,7 +100,7 @@ async fn main() -> std::io::Result<()> {
|
||||
.build();
|
||||
|
||||
let identity_middleware = IdentityMiddleware::builder()
|
||||
.logout_behaviour(LogoutBehaviour::PurgeSession)
|
||||
.logout_behavior(LogoutBehavior::PurgeSession)
|
||||
.visit_deadline(Some(Duration::from_secs(MAX_INACTIVITY_DURATION)))
|
||||
.login_deadline(Some(Duration::from_secs(MAX_SESSION_DURATION)))
|
||||
.build();
|
||||
|
||||
@@ -89,26 +89,22 @@ where
|
||||
Box::pin(async move {
|
||||
// Check if POST request comes from another website (block invalid origins)
|
||||
let origin = req.headers().get(header::ORIGIN);
|
||||
if req.method() == Method::POST && req.path() != TOKEN_URI && req.path() != USERINFO_URI
|
||||
{
|
||||
if let Some(o) = origin {
|
||||
if !o
|
||||
if req.method() == Method::POST
|
||||
&& req.path() != TOKEN_URI
|
||||
&& req.path() != USERINFO_URI
|
||||
&& let Some(o) = origin
|
||||
&& !o
|
||||
.to_str()
|
||||
.unwrap_or("bad")
|
||||
.eq(&AppConfig::get().website_origin)
|
||||
{
|
||||
log::warn!(
|
||||
"Blocked POST request from invalid origin! Origin given {:?}",
|
||||
o
|
||||
);
|
||||
log::warn!("Blocked POST request from invalid origin! Origin given {o:?}");
|
||||
return Ok(req.into_response(
|
||||
HttpResponse::Unauthorized()
|
||||
.body("POST request from invalid origin!")
|
||||
.map_into_right_body(),
|
||||
));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if req.path().starts_with("/.git") {
|
||||
return Ok(req.into_response(
|
||||
@@ -133,8 +129,8 @@ where
|
||||
_ => ConnStatus::SignedOut,
|
||||
};
|
||||
|
||||
log::trace!("Connection data: {:#?}", session_data);
|
||||
log::debug!("Connection status: {:?}", session);
|
||||
log::trace!("Connection data: {session_data:#?}");
|
||||
log::debug!("Connection status: {session:?}");
|
||||
|
||||
// Redirect user to login page
|
||||
if !session.is_auth()
|
||||
|
||||
@@ -47,7 +47,7 @@ mod test {
|
||||
unsafe {
|
||||
env::set_var(VAR_ONE, "good");
|
||||
}
|
||||
let src = format!("This is ${{{}}}", VAR_ONE);
|
||||
let src = format!("This is ${{{VAR_ONE}}}");
|
||||
assert_eq!("This is good", apply_env_vars(&src));
|
||||
}
|
||||
|
||||
@@ -55,7 +55,7 @@ mod test {
|
||||
|
||||
#[test]
|
||||
fn test_invalid_var_syntax() {
|
||||
let src = format!("This is ${{{}}}", VAR_INVALID);
|
||||
let src = format!("This is ${{{VAR_INVALID}}}");
|
||||
assert_eq!(src, apply_env_vars(&src));
|
||||
}
|
||||
|
||||
|
||||
@@ -30,6 +30,12 @@
|
||||
font-size: 3.5rem;
|
||||
}
|
||||
}
|
||||
|
||||
@media screen and (min-width: 767px) {
|
||||
.bg-login {
|
||||
background-image: url({{ p.background_image }});
|
||||
}
|
||||
}
|
||||
</style>
|
||||
|
||||
|
||||
|
||||
@@ -18,6 +18,8 @@
|
||||
|
||||
</style>
|
||||
|
||||
<!-- Local login -->
|
||||
{% if show_local_login %}
|
||||
<form action="/login?redirect={{ p.redirect_uri.get_encoded() }}" method="post">
|
||||
<div>
|
||||
<div class="form-floating">
|
||||
@@ -36,6 +38,7 @@
|
||||
<button class="w-100 btn btn-lg btn-primary" type="submit">Sign in</button>
|
||||
|
||||
</form>
|
||||
{% endif %}
|
||||
|
||||
<!-- Upstream providers -->
|
||||
{% if !providers.is_empty() %}
|
||||
|
||||
@@ -24,7 +24,7 @@
|
||||
Account details
|
||||
</a>
|
||||
</li>
|
||||
{% if p.user.allow_local_login %}
|
||||
{% if p.user.allow_local_login && p.local_login_enabled %}
|
||||
<li>
|
||||
<a href="/settings/change_password" class="nav-link link-dark">
|
||||
Change password
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{% extends "base_settings_page.html" %}
|
||||
{% block content %}
|
||||
|
||||
<table class="table table-hover" style="max-width: 800px;" aria-describedby="Clients list">
|
||||
<table class="table table-hover table-break-works" style="max-width: 800px;" aria-describedby="Clients list">
|
||||
<thead>
|
||||
<tr>
|
||||
<th scope="col">ID</th>
|
||||
|
||||
Reference in New Issue
Block a user