pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: pierre:9236b91f12b284534c2ed2081fdae960d8d2ba7a
Branches Tags
pierre:master
...
compare: pierre:aa5327d6037600496d598bbb4fb96761fb2a3b71
Branches Tags
pierre:master

8 Commits
9236b91f12 ... aa5327d603

Author SHA1 Message Date
Pierre Hubert
aa5327d603 Improve returned error code 2022-04-03 17:48:55 +02:00
Pierre Hubert
1ff9c7686e Improve some code 2022-04-03 17:46:01 +02:00
Pierre Hubert
188b4f836d Improve some code 2022-04-03 17:44:19 +02:00
Pierre Hubert
48f4d4c6c5 cargo clippy 2022-04-03 17:40:10 +02:00
Pierre Hubert
886bae32c8 Enable bruteforce protection on login endpoint 2022-04-03 17:33:01 +02:00
Pierre Hubert
9943df4952 Automatically clean failed login attempts 2022-04-03 16:45:25 +02:00
Pierre Hubert
05e911bfc5 Start to implement brute force protection 2022-04-03 16:21:09 +02:00
Pierre Hubert
b965fa6b4f Format code 2022-04-03 15:50:49 +02:00
24 changed files with 426 additions and 102 deletions
Show Stats Expand all files Collapse all files

6
README.md
View File

@ -1,3 +1,5 @@
TODO list # Basic OIDC
Basic OpenID provider. Still under early development.
TODO :
- [ ] Bruteforce protection - [ ] Bruteforce protection
- [ ] CRSF protection

130
src/actors/bruteforce_actor.rs Normal file
View File

@ -0,0 +1,130 @@
use std::collections::hash_map::Entry;
use std::collections::HashMap;
use std::net::IpAddr;
use actix::{Actor, AsyncContext, Context, Handler, Message};
use crate::constants::{FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL, KEEP_FAILED_LOGIN_ATTEMPTS_FOR};
use crate::utils::time::time;
#[derive(Message)]
#[rtype(result = "()")]
pub struct RecordFailedAttempt {
pub ip: IpAddr,
}
#[derive(Message)]
#[rtype(result = "usize")]
pub struct CountFailedAttempt {
pub ip: IpAddr,
}
#[derive(Debug, Default)]
pub struct BruteForceActor {
failed_attempts: HashMap<IpAddr, Vec<u64>>,
}
impl BruteForceActor {
pub fn clean_attempts(&mut self) {
let keys = self.failed_attempts
.keys()
.map(|i| *i)
.collect::<Vec<_>>();
for ip in keys {
// Remove old attempts
let attempts = self.failed_attempts.get_mut(&ip).unwrap();
attempts.retain(|i| i + KEEP_FAILED_LOGIN_ATTEMPTS_FOR > time());
// Remove empty entry keys
if attempts.is_empty() {
self.failed_attempts.remove(&ip);
}
}
}
pub fn insert_failed_attempt(&mut self, ip: IpAddr) {
if let Entry::Vacant(e) = self.failed_attempts.entry(ip) {
e.insert(vec![time()]);
} else {
self.failed_attempts.get_mut(&ip).unwrap().push(time());
}
}
pub fn count_failed_attempts(&mut self, ip: &IpAddr) -> usize {
self.failed_attempts.get(ip).map(Vec::len).unwrap_or(0)
}
}
impl Actor for BruteForceActor {
type Context = Context<Self>;
fn started(&mut self, ctx: &mut Self::Context) {
// Clean up at a regular interval failed attempts
ctx.run_interval(FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL, |act, _ctx| {
log::trace!("Cleaning up failed login attempts");
act.clean_attempts();
});
}
}
impl Handler<RecordFailedAttempt> for BruteForceActor {
type Result = ();
fn handle(&mut self, attempt: RecordFailedAttempt, _ctx: &mut Self::Context) -> Self::Result {
self.insert_failed_attempt(attempt.ip)
}
}
impl Handler<CountFailedAttempt> for BruteForceActor {
type Result = usize;
fn handle(&mut self, attempt: CountFailedAttempt, _ctx: &mut Self::Context) -> Self::Result {
self.count_failed_attempts(&attempt.ip)
}
}
#[cfg(test)]
mod test {
use std::net::{IpAddr, Ipv4Addr};
use crate::actors::bruteforce_actor::BruteForceActor;
use crate::utils::time::time;
const IP_1: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1));
const IP_2: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 2));
const IP_3: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 5));
#[test]
fn test_clean() {
let mut actor = BruteForceActor::default();
actor.failed_attempts.insert(IP_1, vec![1, 10]);
actor.failed_attempts.insert(IP_2, vec![1, 10, time() + 10]);
actor.failed_attempts.insert(IP_3, vec![time() + 10, time() + 20]);
actor.clean_attempts();
let keys = actor.failed_attempts.keys().collect::<Vec<_>>();
assert_eq!(keys.len(), 2);
assert_eq!(actor.count_failed_attempts(&IP_1), 0);
assert_eq!(actor.count_failed_attempts(&IP_2), 1);
assert_eq!(actor.count_failed_attempts(&IP_3), 2);
}
#[test]
fn test_insert_and_count() {
let mut actor = BruteForceActor::default();
assert_eq!(actor.count_failed_attempts(&IP_1), 0);
assert_eq!(actor.count_failed_attempts(&IP_2), 0);
actor.insert_failed_attempt(IP_1);
assert_eq!(actor.count_failed_attempts(&IP_1), 1);
assert_eq!(actor.count_failed_attempts(&IP_2), 0);
actor.insert_failed_attempt(IP_1);
assert_eq!(actor.count_failed_attempts(&IP_1), 2);
assert_eq!(actor.count_failed_attempts(&IP_2), 0);
actor.insert_failed_attempt(IP_2);
assert_eq!(actor.count_failed_attempts(&IP_1), 2);
assert_eq!(actor.count_failed_attempts(&IP_2), 1);
}
}

1
src/actors/mod.rs
View File

@ -1 +1,2 @@
pub mod users_actor; pub mod users_actor;
pub mod bruteforce_actor;

10
src/actors/users_actor.rs
View File

@ -1,7 +1,7 @@
use actix::{Actor, Context, Handler, Message, MessageResult}; use actix::{Actor, Context, Handler, Message, MessageResult};
use crate::data::entity_manager::EntityManager; use crate::data::entity_manager::EntityManager;
use crate::data::user::{User, UserID, verify_password}; use crate::data::user::{verify_password, User, UserID};
#[derive(Debug)] #[derive(Debug)]
pub enum LoginResult { pub enum LoginResult {
@ -29,7 +29,6 @@ pub struct ChangePasswordRequest {
pub temporary: bool, pub temporary: bool,
} }
pub struct UsersActor { pub struct UsersActor {
manager: EntityManager<User>, manager: EntityManager<User>,
} }
@ -69,7 +68,10 @@ impl Handler<ChangePasswordRequest> for UsersActor {
type Result = MessageResult<ChangePasswordRequest>; type Result = MessageResult<ChangePasswordRequest>;
fn handle(&mut self, msg: ChangePasswordRequest, _ctx: &mut Self::Context) -> Self::Result { fn handle(&mut self, msg: ChangePasswordRequest, _ctx: &mut Self::Context) -> Self::Result {
MessageResult(ChangePasswordResult( MessageResult(ChangePasswordResult(self.manager.change_user_password(
self.manager.change_user_password(&msg.user_id, &msg.new_password, msg.temporary))) &msg.user_id,
&msg.new_password,
msg.temporary,
)))
} }
} }

7
src/constants.rs
View File

@ -1,3 +1,5 @@
use std::time::Duration;
/// File in storage containing users list /// File in storage containing users list
pub const USERS_LIST_FILE: &str = "users.json"; pub const USERS_LIST_FILE: &str = "users.json";
@ -28,3 +30,8 @@ pub const ADMIN_ROUTES: &str = "/admin";
/// Auth route /// Auth route
pub const LOGIN_ROUTE: &str = "/login"; pub const LOGIN_ROUTE: &str = "/login";
/// Bruteforce protection
pub const KEEP_FAILED_LOGIN_ATTEMPTS_FOR: u64 = 3600;
pub const MAX_FAILED_LOGIN_ATTEMPTS: usize = 15;
pub const FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);

4
src/controllers/assets_controller.rs
View File

@ -1,7 +1,7 @@
use std::path::Path; use std::path::Path;
use actix_web::{HttpResponse, web}; use actix_web::{web, HttpResponse};
use include_dir::{Dir, include_dir}; use include_dir::{include_dir, Dir};
/// Assets directory /// Assets directory
static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets"); static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets");

14
src/controllers/base_controller.rs
View File

@ -1,6 +1,7 @@
use std::fmt::Display; use std::fmt::Display;
use actix_web::HttpResponse; use actix_web::HttpResponse;
use askama::Template;
use crate::constants::LOGIN_ROUTE; use crate::constants::LOGIN_ROUTE;
@ -16,7 +17,18 @@ pub fn redirect_user_for_login<P: Display>(redirect_uri: P) -> HttpResponse {
HttpResponse::Found() HttpResponse::Found()
.append_header(( .append_header((
"Location", "Location",
format!("{}?redirect={}", LOGIN_ROUTE, urlencoding::encode(&redirect_uri.to_string())) format!(
"{}?redirect={}",
LOGIN_ROUTE,
urlencoding::encode(&redirect_uri.to_string())
),
)) ))
.finish() .finish()
} }
/// Fatal error page message
#[derive(Template)]
#[template(path = "fatal_error.html")]
pub struct FatalErrorPage {
pub message: &'static str,
}

99
src/controllers/login_controller.rs
View File

@ -1,13 +1,16 @@
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_web::{HttpResponse, Responder, web}; use actix_web::{HttpRequest, HttpResponse, Responder, web};
use askama::Template; use askama::Template;
use crate::actors::{bruteforce_actor, users_actor};
use crate::actors::bruteforce_actor::BruteForceActor;
use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor}; use crate::actors::users_actor::{ChangePasswordResult, LoginResult, UsersActor};
use crate::actors::users_actor; use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS, MIN_PASS_LEN};
use crate::constants::{APP_NAME, MIN_PASS_LEN}; use crate::controllers::base_controller::{FatalErrorPage, redirect_user};
use crate::controllers::base_controller::redirect_user; use crate::data::app_config::AppConfig;
use crate::data::session_identity::{SessionIdentity, SessionStatus}; use crate::data::session_identity::{SessionIdentity, SessionStatus};
use crate::utils::network_utils::{get_remote_ip, parse_ip};
#[derive(Template)] #[derive(Template)]
#[template(path = "base_login_page.html")] #[template(path = "base_login_page.html")]
@ -46,20 +49,45 @@ pub struct LoginRequestQuery {
} }
/// Authenticate user /// Authenticate user
pub async fn login_route(users: web::Data<Addr<UsersActor>>, pub async fn login_route(
query: web::Query<LoginRequestQuery>, http_req: HttpRequest,
req: Option<web::Form<LoginRequestBody>>, users: web::Data<Addr<UsersActor>>,
id: Identity) -> impl Responder { bruteforce: web::Data<Addr<BruteForceActor>>,
query: web::Query<LoginRequestQuery>,
req: Option<web::Form<LoginRequestBody>>,
config: web::Data<AppConfig>,
id: Identity,
) -> impl Responder {
let mut danger = String::new(); let mut danger = String::new();
let mut success = String::new(); let mut success = String::new();
let mut login = String::new(); let mut login = String::new();
let remote_ip = match parse_ip(&get_remote_ip(&http_req, config.proxy_ip.as_deref())) {
None => return HttpResponse::InternalServerError().body(
FatalErrorPage {
message: "Failed to determine remote ip address!"
}.render().unwrap()
),
Some(i) => i,
};
let failed_attempts = bruteforce.send(bruteforce_actor::CountFailedAttempt { ip: remote_ip })
.await.unwrap();
if failed_attempts > MAX_FAILED_LOGIN_ATTEMPTS {
return HttpResponse::TooManyRequests().body(
FatalErrorPage {
message: "Too many failed login attempts, please try again later!"
}.render().unwrap()
);
}
let redirect_uri = match query.redirect.as_deref() { let redirect_uri = match query.redirect.as_deref() {
None => "/", None => "/",
Some(s) => match s.starts_with('/') && !s.starts_with("//") { Some(s) => match s.starts_with('/') && !s.starts_with("//") {
true => s, true => s,
false => "/", false => "/",
} },
}; };
// Check if user session must be closed // Check if user session must be closed
@ -78,11 +106,14 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
if req.password.len() < MIN_PASS_LEN { if req.password.len() < MIN_PASS_LEN {
danger = "Password is too short!".to_string(); danger = "Password is too short!".to_string();
} else { } else {
let res: ChangePasswordResult = users.send(users_actor::ChangePasswordRequest { let res: ChangePasswordResult = users
user_id: SessionIdentity(&id).user_id(), .send(users_actor::ChangePasswordRequest {
new_password: req.password.clone(), user_id: SessionIdentity(&id).user_id(),
temporary: false, new_password: req.password.clone(),
}).await.unwrap(); temporary: false,
})
.await
.unwrap();
if !res.0 { if !res.0 {
danger = "Failed to change password!".to_string(); danger = "Failed to change password!".to_string();
@ -92,16 +123,16 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
} }
} }
} }
// Try to authenticate user // Try to authenticate user
else if let Some(req) = &req { else if let Some(req) = &req {
// TODO : check request origin (check for valid Referer)
login = req.login.clone(); login = req.login.clone();
let response: LoginResult = users.send(users_actor::LoginRequest { let response: LoginResult = users
login: login.clone(), .send(users_actor::LoginRequest {
password: req.password.clone(), login: login.clone(),
}).await.unwrap(); password: req.password.clone(),
})
.await
.unwrap();
match response { match response {
LoginResult::Success(user) => { LoginResult::Success(user) => {
@ -120,18 +151,18 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
} }
c => { c => {
// TODO : add bruteforce detection log::warn!("Failed login for ip {:?} / username {}: {:?}", remote_ip, login, c);
log::warn!("Failed login for username {} : {:?}", login, c);
danger = "Login failed.".to_string(); danger = "Login failed.".to_string();
bruteforce.send(bruteforce_actor::RecordFailedAttempt { ip: remote_ip }).await.unwrap();
} }
} }
} }
// Display password reset form if it is appropriate // Display password reset form if it is appropriate
if SessionIdentity(&id).need_new_password() { if SessionIdentity(&id).need_new_password() {
return HttpResponse::Ok() return HttpResponse::Ok().content_type("text/html").body(
.content_type("text/html") PasswordResetTemplate {
.body(PasswordResetTemplate {
_parent: BaseLoginPage { _parent: BaseLoginPage {
page_title: "Password reset", page_title: "Password reset",
danger, danger,
@ -140,13 +171,14 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
redirect_uri: urlencoding::encode(redirect_uri).to_string(), redirect_uri: urlencoding::encode(redirect_uri).to_string(),
}, },
min_pass_len: MIN_PASS_LEN, min_pass_len: MIN_PASS_LEN,
}.render().unwrap()); }
.render()
.unwrap(),
);
} }
HttpResponse::Ok().content_type("text/html").body(
HttpResponse::Ok() LoginTemplate {
.content_type("text/html")
.body(LoginTemplate {
_parent: BaseLoginPage { _parent: BaseLoginPage {
page_title: "Login", page_title: "Login",
danger, danger,
@ -155,7 +187,10 @@ pub async fn login_route(users: web::Data<Addr<UsersActor>>,
redirect_uri: urlencoding::encode(redirect_uri).to_string(), redirect_uri: urlencoding::encode(redirect_uri).to_string(),
}, },
login, login,
}.render().unwrap()) }
.render()
.unwrap(),
)
} }
/// Sign out user /// Sign out user

2
src/controllers/mod.rs
View File

@ -1,3 +1,3 @@
pub mod assets_controller; pub mod assets_controller;
pub mod login_controller;
pub mod base_controller; pub mod base_controller;
pub mod login_controller;

4
src/data/app_config.rs
View File

@ -23,6 +23,10 @@ pub struct AppConfig {
/// Website origin /// Website origin
#[clap(short, long, env, default_value = "http://localhost:8000")] #[clap(short, long, env, default_value = "http://localhost:8000")]
pub website_origin: String, pub website_origin: String,
/// Proxy IP, might end with a star "*"
#[clap(short, long, env)]
pub proxy_ip: Option<String>,
} }
impl AppConfig { impl AppConfig {

15
src/data/entity_manager.rs
View File

@ -8,7 +8,10 @@ pub struct EntityManager<E> {
list: Vec<E>, list: Vec<E>,
} }
impl<E> EntityManager<E> where E: serde::Serialize + serde::de::DeserializeOwned + Eq + Clone { impl<E> EntityManager<E>
where
E: serde::Serialize + serde::de::DeserializeOwned + Eq + Clone,
{
/// Open entity /// Open entity
pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> { pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> {
if !path.as_ref().is_file() { if !path.as_ref().is_file() {
@ -37,7 +40,10 @@ impl<E> EntityManager<E> where E: serde::Serialize + serde::de::DeserializeOwned
/// Save the list /// Save the list
fn save(&self) -> Res { fn save(&self) -> Res {
Ok(std::fs::write(&self.file_path, serde_json::to_string(&self.list)?)?) Ok(std::fs::write(
&self.file_path,
serde_json::to_string(&self.list)?,
)?)
} }
/// Insert a new element in the list /// Insert a new element in the list
@ -47,7 +53,10 @@ impl<E> EntityManager<E> where E: serde::Serialize + serde::de::DeserializeOwned
} }
/// Replace entries in the list that matches a criteria /// Replace entries in the list that matches a criteria
pub fn replace_entries<F>(&mut self, filter: F, el: &E) -> Res where F: Fn(&E) -> bool { pub fn replace_entries<F>(&mut self, filter: F, el: &E) -> Res
where
F: Fn(&E) -> bool,
{
for i in 0..self.list.len() { for i in 0..self.list.len() {
if filter(&self.list[i]) { if filter(&self.list[i]) {
self.list[i] = el.clone(); self.list[i] = el.clone();

4
src/data/mod.rs
View File

@ -1,5 +1,5 @@
pub mod app_config; pub mod app_config;
pub mod user;
pub mod service;
pub mod entity_manager; pub mod entity_manager;
pub mod service;
pub mod session_identity; pub mod session_identity;
pub mod user;

11
src/data/session_identity.rs
View File

@ -17,7 +17,6 @@ impl Default for SessionStatus {
} }
} }
#[derive(Debug, Serialize, Deserialize, Default)] #[derive(Debug, Serialize, Deserialize, Default)]
pub struct SessionIdentityData { pub struct SessionIdentityData {
pub id: UserID, pub id: UserID,
@ -33,7 +32,8 @@ impl<'a> SessionIdentity<'a> {
} }
pub fn deserialize_session_data(data: Option<String>) -> Option<SessionIdentityData> { pub fn deserialize_session_data(data: Option<String>) -> Option<SessionIdentityData> {
let res: Option<SessionIdentityData> = data.as_deref() let res: Option<SessionIdentityData> = data
.as_deref()
.map(serde_json::from_str) .map(serde_json::from_str)
.map(|f| match f { .map(|f| match f {
Ok(d) => Some(d), Ok(d) => Some(d),
@ -55,8 +55,7 @@ impl<'a> SessionIdentity<'a> {
} }
fn set_session_data(&self, data: &SessionIdentityData) { fn set_session_data(&self, data: &SessionIdentityData) {
let s = serde_json::to_string(data) let s = serde_json::to_string(data).expect("Failed to serialize session data!");
.expect("Failed to serialize session data!");
self.0.remember(s); self.0.remember(s);
} }
@ -88,8 +87,6 @@ impl<'a> SessionIdentity<'a> {
} }
pub fn user_id(&self) -> UserID { pub fn user_id(&self) -> UserID {
self.get_session_data() self.get_session_data().unwrap_or_default().id
.unwrap_or_default()
.id
} }
} }

9
src/data/user.rs
View File

@ -80,10 +80,13 @@ impl EntityManager<User> {
} }
/// Update user information /// Update user information
fn update_user<F>(&mut self, id: &UserID, update: F) -> bool where F: FnOnce(User) -> User { fn update_user<F>(&mut self, id: &UserID, update: F) -> bool
where
F: FnOnce(User) -> User,
{
let user = match self.find_by_user_id(id) { let user = match self.find_by_user_id(id) {
None => return false, None => return false,
Some(user) => user Some(user) => user,
}; };
if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) { if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) {
@ -96,7 +99,7 @@ impl EntityManager<User> {
pub fn change_user_password(&mut self, id: &UserID, password: &str, temporary: bool) -> bool { pub fn change_user_password(&mut self, id: &UserID, password: &str, temporary: bool) -> bool {
let new_hash = match hash_password(password) { let new_hash = match hash_password(password) {
Ok(h) => { h } Ok(h) => h,
Err(e) => { Err(e) => {
log::error!("Failed to hash user password! {}", e); log::error!("Failed to hash user password! {}", e);
return false; return false;

6
src/lib.rs
View File

@ -1,6 +1,6 @@
pub mod data; pub mod actors;
pub mod utils;
pub mod constants; pub mod constants;
pub mod controllers; pub mod controllers;
pub mod actors; pub mod data;
pub mod middlewares; pub mod middlewares;
pub mod utils;

14
src/main.rs
View File

@ -6,8 +6,12 @@ use actix_web::cookie::time::Duration;
use actix_web::middleware::Logger; use actix_web::middleware::Logger;
use clap::Parser; use clap::Parser;
use basic_oidc::actors::bruteforce_actor::BruteForceActor;
use basic_oidc::actors::users_actor::UsersActor; use basic_oidc::actors::users_actor::UsersActor;
use basic_oidc::constants::{DEFAULT_ADMIN_PASSWORD, DEFAULT_ADMIN_USERNAME, MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION, SESSION_COOKIE_NAME}; use basic_oidc::constants::{
DEFAULT_ADMIN_PASSWORD, DEFAULT_ADMIN_USERNAME, MAX_INACTIVITY_DURATION, MAX_SESSION_DURATION,
SESSION_COOKIE_NAME,
};
use basic_oidc::controllers::assets_controller::assets_route; use basic_oidc::controllers::assets_controller::assets_route;
use basic_oidc::controllers::login_controller::{login_route, logout_route}; use basic_oidc::controllers::login_controller::{login_route, logout_route};
use basic_oidc::data::app_config::AppConfig; use basic_oidc::data::app_config::AppConfig;
@ -60,6 +64,7 @@ async fn main() -> std::io::Result<()> {
} }
let users_actor = UsersActor::new(users).start(); let users_actor = UsersActor::new(users).start();
let bruteforce_actor = BruteForceActor::default().start();
log::info!("Server will listen on {}", config.listen_address); log::info!("Server will listen on {}", config.listen_address);
let listen_address = config.listen_address.to_string(); let listen_address = config.listen_address.to_string();
@ -72,25 +77,20 @@ async fn main() -> std::io::Result<()> {
.login_deadline(Duration::seconds(MAX_SESSION_DURATION)) .login_deadline(Duration::seconds(MAX_SESSION_DURATION))
.same_site(SameSite::Strict); .same_site(SameSite::Strict);
App::new() App::new()
.app_data(web::Data::new(users_actor.clone())) .app_data(web::Data::new(users_actor.clone()))
.app_data(web::Data::new(bruteforce_actor.clone()))
.app_data(web::Data::new(config.clone())) .app_data(web::Data::new(config.clone()))
.wrap(Logger::default()) .wrap(Logger::default())
.wrap(AuthMiddleware {}) .wrap(AuthMiddleware {})
.wrap(IdentityService::new(policy)) .wrap(IdentityService::new(policy))
// /health route // /health route
.service(health) .service(health)
// Assets serving // Assets serving
.route("/assets/{path:.*}", web::get().to(assets_route)) .route("/assets/{path:.*}", web::get().to(assets_route))
// Login page // Login page
.route("/login", web::get().to(login_route)) .route("/login", web::get().to(login_route))
.route("/login", web::post().to(login_route)) .route("/login", web::post().to(login_route))
// Logout page // Logout page
.route("/logout", web::get().to(logout_route)) .route("/logout", web::get().to(logout_route))
}) })

52
src/middlewares/auth_middleware.rs
View File

@ -5,13 +5,16 @@ use std::pin::Pin;
use std::rc::Rc; use std::rc::Rc;
use actix_identity::RequestIdentity; use actix_identity::RequestIdentity;
use actix_web::{dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform}, Error, HttpResponse, web}; use actix_web::{
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
Error, HttpResponse, web,
};
use actix_web::body::EitherBody; use actix_web::body::EitherBody;
use actix_web::http::{header, Method}; use actix_web::http::{header, Method};
use askama::Template; use askama::Template;
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES}; use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES};
use crate::controllers::base_controller::redirect_user_for_login; use crate::controllers::base_controller::{FatalErrorPage, redirect_user_for_login};
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus}; use crate::data::session_identity::{SessionIdentity, SessionIdentityData, SessionStatus};
@ -37,7 +40,9 @@ impl<S, B> Transform<S, ServiceRequest> for AuthMiddleware
type Future = Ready<Result<Self::Transform, Self::InitError>>; type Future = Ready<Result<Self::Transform, Self::InitError>>;
fn new_transform(&self, service: S) -> Self::Future { fn new_transform(&self, service: S) -> Self::Future {
ready(Ok(AuthInnerMiddleware { service: Rc::new(service) })) ready(Ok(AuthInnerMiddleware {
service: Rc::new(service),
}))
} }
} }
@ -58,9 +63,6 @@ impl ConnStatus {
} }
} }
#[derive(Template)]
#[template(path = "access_denied.html")]
struct AccessDeniedTemplate {}
pub struct AuthInnerMiddleware<S> { pub struct AuthInnerMiddleware<S> {
service: Rc<S>, service: Rc<S>,
@ -92,11 +94,14 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
if req.method() == Method::POST { if req.method() == Method::POST {
if let Some(o) = origin { if let Some(o) = origin {
if !o.to_str().unwrap_or("bad").eq(&config.website_origin) { if !o.to_str().unwrap_or("bad").eq(&config.website_origin) {
log::warn!("Blocked POST request from invalid origin! Origin given {:?}", o); log::warn!(
"Blocked POST request from invalid origin! Origin given {:?}",
o
);
return Ok(req.into_response( return Ok(req.into_response(
HttpResponse::Unauthorized() HttpResponse::Unauthorized()
.body("POST request from invalid origin!") .body("POST request from invalid origin!")
.map_into_right_body() .map_into_right_body(),
)); ));
} }
} }
@ -106,28 +111,43 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
return Ok(req.into_response( return Ok(req.into_response(
HttpResponse::Unauthorized() HttpResponse::Unauthorized()
.body("Hey don't touch this!") .body("Hey don't touch this!")
.map_into_right_body() .map_into_right_body(),
)); ));
} }
let session = match SessionIdentity::deserialize_session_data(req.get_identity()) { let session = match SessionIdentity::deserialize_session_data(req.get_identity()) {
Some(SessionIdentityData { status: SessionStatus::SignedIn, is_admin: true, .. }) => ConnStatus::Admin, Some(SessionIdentityData {
Some(SessionIdentityData { status: SessionStatus::SignedIn, .. }) => ConnStatus::RegularUser, status: SessionStatus::SignedIn,
is_admin: true,
..
}) => ConnStatus::Admin,
Some(SessionIdentityData {
status: SessionStatus::SignedIn,
..
}) => ConnStatus::RegularUser,
_ => ConnStatus::SignedOut, _ => ConnStatus::SignedOut,
}; };
// Redirect user to login page // Redirect user to login page
if !session.is_auth() && (req.path().starts_with(ADMIN_ROUTES) || if !session.is_auth()
req.path().starts_with(AUTHENTICATED_ROUTES)) { && (req.path().starts_with(ADMIN_ROUTES)
|| req.path().starts_with(AUTHENTICATED_ROUTES))
{
let path = req.path().to_string(); let path = req.path().to_string();
return Ok(req.into_response(redirect_user_for_login(path)) return Ok(req
.into_response(redirect_user_for_login(path))
.map_into_right_body()); .map_into_right_body());
} }
// Restrict access to admin pages // Restrict access to admin pages
if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) { if !session.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
return Ok(req.into_response(HttpResponse::Unauthorized() return Ok(req
.body(AccessDeniedTemplate {}.render().unwrap())) .into_response(
HttpResponse::Unauthorized()
.body(FatalErrorPage {
message: "You are not allowed to access this resource."
}.render().unwrap()),
)
.map_into_right_body()); .map_into_right_body());
} }

1
src/utils/mod.rs
View File

@ -1,2 +1,3 @@
pub mod err; pub mod err;
pub mod time; pub mod time;
pub mod network_utils;

98
src/utils/network_utils.rs Normal file
View File

@ -0,0 +1,98 @@
use std::net::{IpAddr, Ipv6Addr};
use std::str::FromStr;
use actix_web::HttpRequest;
/// Check if two ips matches
pub fn match_ip(pattern: &str, ip: &str) -> bool {
if pattern.eq(ip) {
return true;
}
if pattern.ends_with('*') && ip.starts_with(&pattern.replace('*', "")) {
return true;
}
false
}
/// Get the remote IP address
pub fn get_remote_ip(req: &HttpRequest, proxy_ip: Option<&str>) -> String {
let mut ip = req.peer_addr().unwrap().ip().to_string();
// We check if the request comes from a trusted reverse proxy
if let Some(proxy) = proxy_ip.as_ref() {
if match_ip(proxy, &ip) {
if let Some(header) = req.headers().get("X-Forwarded-For") {
let header = header.to_str().unwrap();
if let Some((upstream_ip, _)) = header.split_once(',') {
ip = upstream_ip.to_string();
} else {
ip = header.to_string();
}
}
}
}
ip
}
/// Parse an IP address
pub fn parse_ip(ip: &str) -> Option<IpAddr> {
let mut ip = match IpAddr::from_str(ip) {
Ok(ip) => ip,
Err(e) => {
log::warn!("Failed to parse an IP address: {}", e);
return None;
}
};
if let IpAddr::V6(ipv6) = &mut ip {
let mut octets = ipv6.octets();
for i in 8..16 {
octets[i] = 0;
}
ip = IpAddr::V6(Ipv6Addr::from(octets));
}
Some(ip)
}
#[cfg(test)]
mod test {
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
use crate::utils::network_utils::parse_ip;
#[test]
fn parse_bad_ip() {
let ip = parse_ip("badbad");
assert_eq!(None, ip);
}
#[test]
fn parse_ip_v4_address() {
let ip = parse_ip("192.168.1.1").unwrap();
assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)));
}
#[test]
fn parse_ip_v6_address() {
let ip = parse_ip("2a00:1450:4007:813::200e").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4007, 0x813, 0, 0, 0, 0)));
}
#[test]
fn parse_ip_v6_address_2() {
let ip = parse_ip("::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0)));
}
#[test]
fn parse_ip_v6_address_3() {
let ip = parse_ip("a::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0xa, 0, 0, 0, 0, 0, 0, 0)));
}
}

5
src/utils/time.rs
View File

@ -2,5 +2,8 @@ use std::time::{SystemTime, UNIX_EPOCH};
/// Get the current time since epoch /// Get the current time since epoch
pub fn time() -> u64 { pub fn time() -> u64 {
SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_secs() SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_secs()
} }

2
templates/access_denied.html → templates/fatal_error.html
View File

@ -7,6 +7,6 @@
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/> <link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
</head> </head>
<body> <body>
<p>You are not allowed to access this resource.</p> <p>{{ message }}</p>
</body> </body>
</html> </html>