pierre/BasicOIDC
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Compare commits

base: pierre:master
Branches Tags
pierre:master
pierre:20251028
..
compare: pierre:92d04f33126211b05907d19c71a7f7128ed80b47
Branches Tags
pierre:master
pierre:20251028

6 Commits
master ... 92d04f3312

Author SHA1 Message Date
Pierre Hubert
92d04f3312 Fix bad comment
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-04-24 19:14:46 +02:00
Pierre Hubert
abd86ff22d Can set authorized authentication providers for a given account 2023-04-24 19:13:36 +02:00
Pierre Hubert
f64f01a958 Can block local login for an account
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-04-24 18:46:21 +02:00
Pierre Hubert
96ffc669d7 Add logo of popular brands
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-04-24 16:07:14 +02:00
Pierre Hubert
d9f659ce98 Add basic providers configuration
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-04-24 15:43:49 +02:00
Pierre Hubert
e73b5b8e5b Update dependencies
All checks were successful
continuous-integration/drone/push Build is passing
Details
2023-04-24 15:14:10 +02:00
76 changed files with 5085 additions and 14352 deletions
Expand all files Collapse all files

49
.drone.yml
View File

@@ -4,57 +4,10 @@ type: docker
name: default name: default
steps: steps:
# Code quality - name: cargo_check
- name: code_quality
image: rust image: rust
volumes:
- name: rust_registry
path: /usr/local/cargo/registry
commands: commands:
- rustup component add clippy - rustup component add clippy
- cargo clippy -- -D warnings - cargo clippy -- -D warnings
- cargo test - cargo test
# Build source code
- name: compile
image: rust
depends_on:
- code_quality
when:
event:
- tag
volumes:
- name: rust_registry
path: /usr/local/cargo/registry
- name: releases
path: /tmp/releases
commands:
- cargo build --release
- ls -lah target/release/basic-oidc
- cp target/release/basic-oidc /tmp/releases
# Auto-release to Gitea
- name: gitea_release
image: plugins/gitea-release
depends_on:
- compile
when:
event:
- tag
volumes:
- name: releases
path: /tmp/releases
environment:
PLUGIN_API_KEY:
from_secret: GITEA_API_KEY # needs permission write:repository
settings:
base_url: https://gitea.communiquons.org
files:
- /tmp/releases/basic-oidc
checksum: sha512
volumes:
- name: rust_registry
temp: { }
- name: releases
temp: {}

2
.gitignore vendored
View File

@@ -1,3 +1,3 @@
/target /target
.idea .idea
/storage storage

2752
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

69
Cargo.toml
View File

@@ -1,41 +1,40 @@
[package] [package]
name = "basic-oidc" name = "basic-oidc"
version = "0.1.5" version = "0.1.4"
edition = "2024" edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies] [dependencies]
actix = "0.13.5" actix = "0.13.0"
actix-identity = "0.9.0" actix-identity = "0.5.2"
actix-web = "4.12.1" actix-web = "4"
actix-session = { version = "0.11.0", features = ["cookie-session"] } actix-session = { version = "0.7.2", features = ["cookie-session"] }
actix-remote-ip = "0.1.0" clap = { version = "4.2.1", features = ["derive", "env"] }
clap = { version = "4.5.53", features = ["derive", "env"] } include_dir = "0.7.3"
include_dir = "0.7.4" log = "0.4.17"
log = "0.4.28" serde_json = "1.0.93"
serde_json = "1.0.145" serde_yaml = "0.9.16"
serde_yaml = "0.9.34" env_logger = "0.10.0"
env_logger = "0.11.8" serde = { version = "1.0.159", features = ["derive"] }
serde = { version = "1.0.228", features = ["derive"] } bcrypt = "0.14.0"
bcrypt = "0.17.1" uuid = { version = "1.2.2", features = ["v4"] }
uuid = { version = "1.18.1", features = ["v4"] } mime_guess = "2.0.4"
mime_guess = "2.0.5" askama = "0.12.0"
askama = "0.14.0" futures-util = "0.3.27"
urlencoding = "2.1.3" urlencoding = "2.1.2"
rand = "0.9.2" rand = "0.8.5"
base64 = "0.22.1" base64 = "0.21.0"
jwt-simple = { version = "0.12.13", default-features = false, features = ["pure-rust"] } jwt-simple = "0.11.4"
digest = "0.10.7" digest = "0.10.6"
sha2 = "0.10.9" sha2 = "0.10.6"
lazy-regex = "3.4.2" lazy-regex = "2.4.1"
totp_rfc6238 = "0.6.1" totp_rfc6238 = "0.5.1"
base32 = "0.5.1" base32 = "0.4.0"
qrcode-generator = "5.0.0" qrcode-generator = "4.1.8"
webauthn-rs = { version = "0.5.3", features = ["danger-allow-state-serialisation"] } webauthn-rs = { version = "0.4.8", features = ["danger-allow-state-serialisation"] }
url = "2.5.7" url = "2.3.1"
light-openid = { version = "1.0.4", features = ["crypto-wrapper"] } aes-gcm = { version = "0.10.1", features = ["aes"] }
bincode = "2.0.1" bincode = "1.3.3"
chrono = "0.4.42" chrono = "0.4.24"
lazy_static = "1.5.0" lazy_static = "1.4.0"
mailchecker = "6.0.19"

8
Dockerfile
View File

@@ -1,9 +1,5 @@
FROM debian:bookworm-slim FROM debian:bullseye-slim
RUN apt-get update \
&& apt-get install -y libcurl4 \
&& rm -rf /var/lib/apt/lists/*
COPY basic-oidc /usr/local/bin/basic-oidc COPY basic-oidc /usr/local/bin/basic-oidc
ENTRYPOINT ["/usr/local/bin/basic-oidc"] ENTRYPOINT /usr/local/bin/basic-oidc

72
README.md
View File

@@ -5,77 +5,36 @@ Basic & lightweight OpenID provider, written in Rust using the Actix framework.
**WARNING :** This tool has not been audited, use it at your own risks! **WARNING :** This tool has not been audited, use it at your own risks!
BasicOIDC operates without any database, just with three files : BasicOIDC operates without any database, just with two files :
* `clients.yaml`: a list of authorized relying parties. * `clients.yaml`: a list of authorized relying parties.
* `providers.yaml`: a list of upstream providers for authentication federation (this file is optional)
* `users.json`: a list of users, managed through a web UI. * `users.json`: a list of users, managed through a web UI.
## Configuration
You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax : You can configure a list of clients (Relying Parties) in a `clients.yaml` file with the following syntax :
```yaml ```yaml
# Client ID
- id: gitea - id: gitea
# Client name
name: Gitea name: Gitea
# Client description
description: Git with a cup of tea description: Git with a cup of tea
# Client secret. Specify this value to use authorization code flow, remove it for implicit authentication flow
secret: TOP_SECRET secret: TOP_SECRET
# The URL where user shall be redirected after authentication
redirect_uri: https://mygit.mywebsite.com/ redirect_uri: https://mygit.mywebsite.com/
# Optional, If you want new accounts to be granted access to this client by default # If you want new accounts to be granted access to this client by default
default: true default: true
# Optional, If you want the client to be granted to every user, regardless their account configuration # If you want the client to be granted to every users, regardless their account configuration
granted_to_all_users: true granted_to_all_users: true
# Optional, If you want users to have performed recent second factor authentication before accessing this client, set this setting to true
enforce_2fa_auth: true
# Optional, claims to be added to the ID token payload.
# The following placeholders can be set, they will the replaced when the token is created:
# * {username}: user name of the user
# * {mail}: email address of the user
# * {first_name}: first name of the user
# * {last_name}: last name of the user
# * {uid}: user id of the user
claims_id_token:
groups: ["group_{user}"]
service: "auth"
# Optional, claims to be added to the user info endpoint response
# The placeholders of `claims_id_token` can also be used here
claims_user_info:
groups: ["group_{user}"]
service: "auth"
``` ```
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials. On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
In order to run BasicOIDC for development, you will need to create a least an empty `clients.yaml` file inside the storage directory. In order to run BasicOIDC for development, you will need to create a least an empty `clients.yaml` file inside the storage directory.
## Features Features :
* [x] `authorization_code` flow * [x] `authorization_code` flow
* [x] `implicit` flow
* [x] Client authentication using secrets * [x] Client authentication using secrets
* [x] Bruteforce protection * [x] Bruteforce protection
* [x] 2 factors authentication * [x] 2 factor authentication
* [x] TOTP (authenticator app) * [x] TOTP (authenticator app)
* [x] Using a security key (Webauthn) * [x] Using a security key (Webauthn)
* [ ] Fully responsive webui * [ ] Fully responsive webui
* [x] `robots.txt` prevents indexing * [x] `robots.txt` prevents indexing
* [x] Support authentication from upstream provider
## Add an upstream provider
You can add as much upstream provider as you want, using the following syntax in `providers.yaml`:
```yaml
- id: gitlab
name: GitLab
logo: gitlab # Can be either openid, gitea, gitlab, github, microsoft, google or a full URL
client_id: CLIENT_ID_GIVEN_BY_PROVIDER
client_secret: CLIENT_SECRET_GIVEN_BY_PROVIDER
configuration_url: https://gitlab.com/.well-known/openid-configuration
allow_auto_account_creation: true
```
> Warning! Self-registration has not been implemented, therfore the accounts must have been previously created through the administration.
## Compiling ## Compiling
You will need the Rust toolchain to compile this project. To build it for production, just run: You will need the Rust toolchain to compile this project. To build it for production, just run:
@@ -87,13 +46,11 @@ cargo build --release
If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address): If you want to test the solution with OAuth proxy, you can try to adapt the following commands (considering `192.168.2.103` is your local IP address):
```bash ```bash
export IP=192.168.2.103
# In a shell, start BasicOID # In a shell, start BasicOID
RUST_LOG=debug cargo run -- -s storage -w "http://$IP.nip.io:8000" RUST_LOG=debug cargo run -- -s storage -w "http://192.168.2.103.nip.io:8000"
# In another shell, run OAuth proxy # In another shell, run OAuth proxy
docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://$IP.nip.io:8000 --http-address 0.0.0.0:4180 --upstream http://$IP --redirect-url http://$IP:4180/oauth2/callback --cookie-secure=false docker run --rm -p 4180:4180 quay.io/oauth2-proxy/oauth2-proxy:latest --provider=oidc --email-domain=* --client-id=oauthproxy --client-secret=secretoauth --cookie-secret=SECRETCOOKIE1234 --oidc-issuer-url=http://192.168.2.103.nip.io:8000 --http-address 0.0.0.0:4180 --upstream http://192.168.2.103 --redirect-url http://192.168.2.103:4180/oauth2/callback --cookie-secure=false
``` ```
Corresponding client configuration: Corresponding client configuration:
@@ -109,20 +66,5 @@ Corresponding client configuration:
OAuth proxy can then be access on this URL: http://192.168.2.103:4180/ OAuth proxy can then be access on this URL: http://192.168.2.103:4180/
## Testing with upstream identity provider
The folder [sample_upstream_provider](sample_upstream_provider) contains a working scenario of authentication with an upstream provider.
Run the following command to run the scenario:
```bash
cd sample_upstream_provider
docker compose up
```
- Upstream provider (not to be directly used): http://localhost:9001
- BasicOIDC: http://localhost:8000
- Client 2: http://localhost:8012
- Client 1: http://localhost:8011
## Contributing ## Contributing
If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :) If you wish to contribute to this software, feel free to send an email to contact@communiquons.org to get an account on my system, managed by BasicOIDC :)

62
assets/css/base_login_page.css
View File

@@ -1,19 +1,20 @@
html, html,
body { body {
height: 100%; height: 100%;
} }
body { body {
display: flex; display: flex;
align-items: center; align-items: center;
padding-top: 40px; padding-top: 40px;
padding-bottom: 40px; padding-bottom: 40px;
/* background-color: #f5f5f5; */ /* background-color: #f5f5f5; */
} }
/* background */ /* background */
@media screen and (min-width: 767px) { @media screen and (min-width: 767px) {
.bg-login { .bg-login {
background-image: url(/assets/img/forest.jpg);
width: 100%; width: 100%;
height: 100%; height: 100%;
position: fixed; position: fixed;
@@ -25,57 +26,50 @@ body {
} }
.form-signin { .form-signin {
width: 100%; width: 100%;
max-width: 330px; max-width: 330px;
padding: 15px; padding: 15px;
margin: auto; margin: auto;
} }
.form-signin .checkbox { .form-signin .checkbox {
font-weight: 400; font-weight: 400;
} }
.form-signin .form-floating:focus-within { .form-signin .form-floating:focus-within {
z-index: 2; z-index: 2;
} }
.form-floating:first-child input { .form-floating:first-child input {
margin-bottom: -1px; margin-bottom: -1px;
border-bottom-right-radius: 0; border-bottom-right-radius: 0;
border-bottom-left-radius: 0; border-bottom-left-radius: 0;
} }
.form-floating:not(:first-child):not(:last-child) input { .form-floating:not(:first-child):not(:last-child) input {
margin-bottom: -1px; margin-bottom: -1px;
border-bottom-right-radius: 0; border-bottom-right-radius: 0;
border-bottom-left-radius: 0; border-bottom-left-radius: 0;
border-top-left-radius: 0; border-top-left-radius: 0;
border-top-right-radius: 0; border-top-right-radius: 0;
} }
.form-floating:last-child input { .form-floating:last-child input {
margin-bottom: 10px; margin-bottom: 10px;
border-top-left-radius: 0; border-top-left-radius: 0;
border-top-right-radius: 0; border-top-right-radius: 0;
} }
.form-control { .form-control {
background-color: var(--bs-gray-700); background-color: var(--bs-gray-700);
color: var(--bs-gray-100); color: var(--bs-gray-100);
} }
.form-control:focus { .form-control:focus {
background-color: var(--bs-gray-600); background-color: var(--bs-gray-600);
color: var(--bs-gray-100); color: var(--bs-gray-100);
} }
.text-muted { .text-muted {
color: #c6c4c4 !important; color: #c6c4c4 !important;
}
.form-floating > .form-control:focus ~ label::after,
.form-floating > .form-control:not(:placeholder-shown) ~ label::after,
.form-floating > .form-control-plaintext ~ label::after,
.form-floating > .form-select ~ label::after {
background-color: unset !important;
} }

12
assets/css/base_settings_page.css
View File

@@ -12,16 +12,4 @@ body {
.page_body { .page_body {
padding: 3rem; padding: 3rem;
overflow-y: scroll; overflow-y: scroll;
}
.nav-link.link-dark {
color: white !important;
}
.form-control::placeholder {
color: #555;
}
.table-break-works td {
word-break: break-all;
} }

6921
assets/css/bootstrap.css vendored
View File

File diff suppressed because it is too large Load Diff

1
assets/img/brands/openid.svg
View File

@@ -1 +0,0 @@
<svg role="img" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg"><title>OpenID</title><path d="M14.54.889l-3.63 1.773v18.17c-4.15-.52-7.27-2.78-7.27-5.5 0-2.58 2.8-4.75 6.63-5.41v-2.31C4.42 8.322 0 11.502 0 15.332c0 3.96 4.74 7.24 10.91 7.78l3.63-1.71V.888m.64 6.724v2.31c1.43.25 2.71.7 3.76 1.31l-1.97 1.11 7.03 1.53-.5-5.21-1.87 1.06c-1.74-1.06-3.96-1.81-6.45-2.11z"/></svg>
Side by Side

Before

Width:  |  Height:  |  Size: 382 B

6315
assets/js/bootstrap.bundle.min.js vendored
View File

File diff suppressed because one or more lines are too long

4
renovate.json
View File

@@ -1,3 +1,3 @@
{ {
"extends": ["local>renovate/presets"] "$schema": "https://docs.renovatebot.com/renovate-schema.json"
} }

26
sample_upstream_provider/dex-provider/dex.config.yaml
View File

@@ -1,26 +0,0 @@
issuer: http://127.0.0.1:9001/dex
storage:
type: memory
web:
http: 0.0.0.0:9001
oauth2:
# Automate some clicking
# Note: this might actually make some tests pass that otherwise wouldn't.
skipApprovalScreen: false
connectors:
# Note: this might actually make some tests pass that otherwise wouldn't.
- type: mockCallback
id: mock
name: Example
# Basic OP test suite requires two clients.
staticClients:
- id: foo
secret: bar
redirectURIs:
- http://localhost:8000/prov_cb
name: Auth

47
sample_upstream_provider/docker-compose.yaml
View File

@@ -1,47 +0,0 @@
services:
upstream:
image: dexidp/dex
user: "1000"
network_mode: host
volumes:
- ./dex-provider:/conf:ro
command: [ "dex", "serve", "/conf/dex.config.yaml" ]
client1:
image: pierre42100/oidc_test_client
user: "1000"
network_mode: host
environment:
- LISTEN_ADDR=0.0.0.0:8011
- PUBLIC_URL=http://127.0.0.1:8011
- CONFIGURATION_URL=http://localhost:8000/.well-known/openid-configuration
- CLIENT_ID=testclient1
- CLIENT_SECRET=secretone
client2:
image: pierre42100/oidc_test_client
user: "1000"
network_mode: host
environment:
- LISTEN_ADDR=0.0.0.0:8012
- PUBLIC_URL=http://127.0.0.1:8012
- CONFIGURATION_URL=http://localhost:8000/.well-known/openid-configuration
- CLIENT_ID=testclient2
- CLIENT_SECRET=secrettwo
basicoidc:
image: rust
user: "1000"
network_mode: host
environment:
- STORAGE_PATH=/storage
- DISABLE_LOCAL_LOGIN=true
#- RUST_LOG=debug
volumes:
- ../:/app
- ./storage:/storage
- ~/.cargo/registry:/usr/local/cargo/registry
command:
- bash
- -c
- cd /app && cargo run

1
sample_upstream_provider/storage/.gitignore vendored
View File

@@ -1 +0,0 @@
users.json

11
sample_upstream_provider/storage/clients.yaml
View File

@@ -1,11 +0,0 @@
- id: testclient1
name: Client 1
description: client1
secret: secretone
redirect_uri: http://127.0.0.1:8011/
granted_to_all_users: true
- id: testclient2
name: Client 2
description: client2
secret: secrettwo
redirect_uri: http://127.0.0.1:8012/

7
sample_upstream_provider/storage/providers.yaml
View File

@@ -1,7 +0,0 @@
- id: upstream
name: Upstream
logo: openid
client_id: foo
client_secret: bar
configuration_url: http://127.0.0.1:9001/dex/.well-known/openid-configuration
allow_auto_account_creation: true

2
src/actors/bruteforce_actor.rs
View File

@@ -1,5 +1,5 @@
use std::collections::HashMap;
use std::collections::hash_map::Entry; use std::collections::hash_map::Entry;
use std::collections::HashMap;
use std::net::IpAddr; use std::net::IpAddr;
use actix::{Actor, AsyncContext, Context, Handler, Message}; use actix::{Actor, AsyncContext, Context, Handler, Message};

1
src/actors/mod.rs
View File

@@ -1,4 +1,3 @@
pub mod bruteforce_actor; pub mod bruteforce_actor;
pub mod openid_sessions_actor; pub mod openid_sessions_actor;
pub mod providers_states_actor;
pub mod users_actor; pub mod users_actor;

130
src/actors/providers_states_actor.rs
View File

@@ -1,130 +0,0 @@
//! # Providers state actor
//!
//! This actor stores the content of the states
//! during authentication with upstream providers
use crate::constants::{
MAX_OIDC_PROVIDERS_STATES, OIDC_PROVIDERS_STATE_DURATION, OIDC_PROVIDERS_STATE_LEN,
OIDC_STATES_CLEANUP_INTERVAL,
};
use actix::{Actor, AsyncContext, Context, Handler, Message};
use std::collections::HashMap;
use std::collections::hash_map::Entry;
use std::net::IpAddr;
use crate::data::login_redirect::LoginRedirect;
use crate::data::provider::ProviderID;
use crate::utils::string_utils::rand_str;
use crate::utils::time::time;
#[derive(Debug, Clone, serde::Serialize)]
pub struct ProviderLoginState {
pub provider_id: ProviderID,
pub state_id: String,
pub redirect: LoginRedirect,
pub expire: u64,
}
impl ProviderLoginState {
pub fn new(prov_id: &ProviderID, redirect: LoginRedirect) -> Self {
Self {
provider_id: prov_id.clone(),
state_id: rand_str(OIDC_PROVIDERS_STATE_LEN),
redirect,
expire: time() + OIDC_PROVIDERS_STATE_DURATION,
}
}
}
#[derive(Message)]
#[rtype(result = "()")]
pub struct RecordState {
pub ip: IpAddr,
pub state: ProviderLoginState,
}
#[derive(Message)]
#[rtype(result = "Option<ProviderLoginState>")]
pub struct ConsumeState {
pub ip: IpAddr,
pub state_id: String,
}
#[derive(Debug, Default)]
pub struct ProvidersStatesActor {
states: HashMap<IpAddr, Vec<ProviderLoginState>>,
}
impl ProvidersStatesActor {
/// Clean outdated states
fn clean_old_states(&mut self) {
#[allow(clippy::map_clone)]
let keys = self.states.keys().map(|i| *i).collect::<Vec<_>>();
for ip in keys {
// Remove old states
let states = self.states.get_mut(&ip).unwrap();
states.retain(|i| i.expire < time());
// Remove empty entry keys
if states.is_empty() {
self.states.remove(&ip);
}
}
}
/// Add a new provider login state
pub fn insert_state(&mut self, ip: IpAddr, state: ProviderLoginState) {
if let Entry::Vacant(e) = self.states.entry(ip) {
e.insert(vec![state]);
} else {
let states = self.states.get_mut(&ip).unwrap();
// We limit the number of states per IP address
if states.len() > MAX_OIDC_PROVIDERS_STATES {
states.remove(0);
}
states.push(state);
}
}
/// Get & consume a login state
pub fn consume_state(&mut self, ip: IpAddr, state_id: &str) -> Option<ProviderLoginState> {
let idx = self
.states
.get(&ip)?
.iter()
.position(|val| val.state_id.as_str() == state_id)?;
Some(self.states.get_mut(&ip)?.remove(idx))
}
}
impl Actor for ProvidersStatesActor {
type Context = Context<Self>;
fn started(&mut self, ctx: &mut Self::Context) {
// Clean up at a regular interval failed attempts
ctx.run_interval(OIDC_STATES_CLEANUP_INTERVAL, |act, _ctx| {
log::trace!("Cleaning up old states");
act.clean_old_states();
});
}
}
impl Handler<RecordState> for ProvidersStatesActor {
type Result = ();
fn handle(&mut self, req: RecordState, _ctx: &mut Self::Context) -> Self::Result {
self.insert_state(req.ip, req.state);
}
}
impl Handler<ConsumeState> for ProvidersStatesActor {
type Result = Option<ProviderLoginState>;
fn handle(&mut self, req: ConsumeState, _ctx: &mut Self::Context) -> Self::Result {
self.consume_state(req.ip, &req.state_id)
}
}

156
src/actors/users_actor.rs
View File

@@ -1,16 +1,14 @@
use std::net::IpAddr; use std::net::IpAddr;
use crate::data::provider::{Provider, ProviderID}; use crate::data::provider::ProviderID;
use actix::{Actor, Context, Handler, Message, MessageResult};
use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID}; use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
use crate::utils::err::Res; use crate::utils::err::Res;
use crate::utils::string_utils::is_acceptable_login;
use actix::{Actor, Context, Handler, Message, MessageResult};
use light_openid::primitives::OpenIDUserInfo;
/// User storage interface /// User storage interface
pub trait UsersSyncBackend { pub trait UsersSyncBackend {
fn find_by_username_or_email(&self, u: &str) -> Res<Option<User>>; fn find_by_username_or_email(&self, u: &str) -> Res<Option<User>>;
fn find_by_email(&self, u: &str) -> Res<Option<User>>;
fn find_by_user_id(&self, id: &UserID) -> Res<Option<User>>; fn find_by_user_id(&self, id: &UserID) -> Res<Option<User>>;
fn get_entire_users_list(&self) -> Res<Vec<User>>; fn get_entire_users_list(&self) -> Res<Vec<User>>;
fn create_user_account(&mut self, settings: GeneralSettings) -> Res<UserID>; fn create_user_account(&mut self, settings: GeneralSettings) -> Res<UserID>;
@@ -37,10 +35,7 @@ pub enum LoginResult {
InvalidPassword, InvalidPassword,
AccountDisabled, AccountDisabled,
LocalAuthForbidden, LocalAuthForbidden,
AuthFromProviderForbidden,
Success(Box<User>), Success(Box<User>),
AccountAutoCreated(Box<User>),
CannotAutoCreateAccount(String),
} }
#[derive(Message)] #[derive(Message)]
@@ -50,14 +45,6 @@ pub struct LocalLoginRequest {
pub password: String, pub password: String,
} }
#[derive(Message)]
#[rtype(LoginResult)]
pub struct ProviderLoginRequest {
pub email: String,
pub user_info: OpenIDUserInfo,
pub provider: Provider,
}
#[derive(Message)] #[derive(Message)]
#[rtype(GetUserResult)] #[rtype(GetUserResult)]
pub struct GetUserRequest(pub UserID); pub struct GetUserRequest(pub UserID);
@@ -108,7 +95,7 @@ pub struct AddSuccessful2FALogin(pub UserID, pub IpAddr);
#[rtype(result = "bool")] #[rtype(result = "bool")]
pub struct Clear2FALoginHistory(pub UserID); pub struct Clear2FALoginHistory(pub UserID);
#[derive(Eq, PartialEq, Debug, Clone, serde::Serialize)] #[derive(Eq, PartialEq, Debug, Clone)]
pub struct AuthorizedAuthenticationSources { pub struct AuthorizedAuthenticationSources {
pub local: bool, pub local: bool,
pub upstream: Vec<ProviderID>, pub upstream: Vec<ProviderID>,
@@ -155,7 +142,7 @@ impl Handler<LocalLoginRequest> for UsersActor {
fn handle(&mut self, msg: LocalLoginRequest, _ctx: &mut Self::Context) -> Self::Result { fn handle(&mut self, msg: LocalLoginRequest, _ctx: &mut Self::Context) -> Self::Result {
match self.manager.find_by_username_or_email(&msg.login) { match self.manager.find_by_username_or_email(&msg.login) {
Err(e) => { Err(e) => {
log::error!("Failed to find user! {e}"); log::error!("Failed to find user! {}", e);
MessageResult(LoginResult::Error) MessageResult(LoginResult::Error)
} }
Ok(None) => MessageResult(LoginResult::AccountNotFound), Ok(None) => MessageResult(LoginResult::AccountNotFound),
@@ -182,110 +169,6 @@ impl Handler<LocalLoginRequest> for UsersActor {
} }
} }
impl Handler<ProviderLoginRequest> for UsersActor {
type Result = MessageResult<ProviderLoginRequest>;
fn handle(&mut self, msg: ProviderLoginRequest, _ctx: &mut Self::Context) -> Self::Result {
match self.manager.find_by_email(&msg.email) {
Err(e) => {
log::error!("Failed to find user! {e}");
MessageResult(LoginResult::Error)
}
Ok(None) => {
// Check if automatic account creation is enabled for this provider
if !msg.provider.allow_auto_account_creation {
return MessageResult(LoginResult::AccountNotFound);
}
// Extract username for account creation
let mut username = msg
.user_info
.preferred_username
.unwrap_or(msg.email.to_string());
// Determine username from email, if necessary
if !is_acceptable_login(&username)
|| matches!(
self.manager.find_by_username_or_email(&username),
Ok(Some(_))
)
{
username = msg.email.clone();
}
// Check if username is already taken
if matches!(
self.manager.find_by_username_or_email(&username),
Ok(Some(_))
) {
return MessageResult(LoginResult::CannotAutoCreateAccount(format!(
"username {username} is already taken!"
)));
}
if !is_acceptable_login(&username) {
return MessageResult(LoginResult::CannotAutoCreateAccount(
"could not determine acceptable login for user!".to_string(),
));
}
// Automatic account creation
let user_id = match self.manager.create_user_account(GeneralSettings {
uid: UserID::random(),
username,
first_name: msg.user_info.given_name.unwrap_or_default(),
last_name: msg.user_info.family_name.unwrap_or_default(),
email: msg.email.to_string(),
enabled: true,
two_factor_exemption_after_successful_login: false,
is_admin: false,
}) {
Ok(u) => u,
Err(e) => {
log::error!("Failed to create user account! {e}");
return MessageResult(LoginResult::CannotAutoCreateAccount(
"missing some user information".to_string(),
));
}
};
// Mark the provider as the only authorized source
if let Err(e) = self.manager.set_authorized_authentication_sources(
&user_id,
AuthorizedAuthenticationSources {
local: false,
upstream: vec![msg.provider.id],
},
) {
log::error!(
"Failed to set authorized authentication sources for newly created account! {e}"
);
}
// Extract user information to return them
let Ok(Some(user)) = self.manager.find_by_user_id(&user_id) else {
return MessageResult(LoginResult::CannotAutoCreateAccount(
"failed to get created user information".to_string(),
));
};
MessageResult(LoginResult::AccountAutoCreated(Box::new(user)))
}
Ok(Some(user)) => {
if !user.can_login_from_provider(&msg.provider) {
return MessageResult(LoginResult::AuthFromProviderForbidden);
}
if !user.enabled {
return MessageResult(LoginResult::AccountDisabled);
}
MessageResult(LoginResult::Success(Box::new(user)))
}
}
}
}
impl Handler<CreateAccount> for UsersActor { impl Handler<CreateAccount> for UsersActor {
type Result = <CreateAccount as actix::Message>::Result; type Result = <CreateAccount as actix::Message>::Result;
@@ -293,7 +176,7 @@ impl Handler<CreateAccount> for UsersActor {
match self.manager.create_user_account(msg.0) { match self.manager.create_user_account(msg.0) {
Ok(id) => Some(id), Ok(id) => Some(id),
Err(e) => { Err(e) => {
log::error!("Failed to create user account! {e}"); log::error!("Failed to create user account! {}", e);
None None
} }
} }
@@ -310,7 +193,7 @@ impl Handler<ChangePasswordRequest> for UsersActor {
{ {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to change user password! {e:?}"); log::error!("Failed to change user password! {:?}", e);
false false
} }
} }
@@ -324,7 +207,7 @@ impl Handler<Add2FAFactor> for UsersActor {
match self.manager.add_2fa_factor(&msg.0, msg.1) { match self.manager.add_2fa_factor(&msg.0, msg.1) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to add 2FA factor! {e}"); log::error!("Failed to add 2FA factor! {}", e);
false false
} }
} }
@@ -338,7 +221,7 @@ impl Handler<Remove2FAFactor> for UsersActor {
match self.manager.remove_2fa_factor(&msg.0, msg.1) { match self.manager.remove_2fa_factor(&msg.0, msg.1) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to remove 2FA factor! {e}"); log::error!("Failed to remove 2FA factor! {}", e);
false false
} }
} }
@@ -355,7 +238,7 @@ impl Handler<AddSuccessful2FALogin> for UsersActor {
{ {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to save successful 2FA authentication! {e}"); log::error!("Failed to save successful 2FA authentication! {}", e);
false false
} }
} }
@@ -392,7 +275,10 @@ impl Handler<SetAuthorizedAuthenticationSources> for UsersActor {
{ {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to set authorized authentication sources for user! {e}"); log::error!(
"Failed to set authorized authentication sources for user! {}",
e
);
false false
} }
} }
@@ -405,7 +291,7 @@ impl Handler<SetGrantedClients> for UsersActor {
match self.manager.set_granted_2fa_clients(&msg.0, msg.1) { match self.manager.set_granted_2fa_clients(&msg.0, msg.1) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to set granted 2FA clients! {e}"); log::error!("Failed to set granted 2FA clients! {}", e);
false false
} }
} }
@@ -419,7 +305,7 @@ impl Handler<GetUserRequest> for UsersActor {
MessageResult(GetUserResult(match self.manager.find_by_user_id(&msg.0) { MessageResult(GetUserResult(match self.manager.find_by_user_id(&msg.0) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to find user by id! {e}"); log::error!("Failed to find user by id! {}", e);
None None
} }
})) }))
@@ -433,7 +319,7 @@ impl Handler<VerifyUserPasswordRequest> for UsersActor {
self.manager self.manager
.verify_user_password(&msg.0, &msg.1) .verify_user_password(&msg.0, &msg.1)
.unwrap_or_else(|e| { .unwrap_or_else(|e| {
log::error!("Failed to verify user password! {e}"); log::error!("Failed to verify user password! {}", e);
false false
}) })
} }
@@ -447,7 +333,7 @@ impl Handler<FindUserByUsername> for UsersActor {
self.manager self.manager
.find_by_username_or_email(&msg.0) .find_by_username_or_email(&msg.0)
.unwrap_or_else(|e| { .unwrap_or_else(|e| {
log::error!("Failed to find user by username or email! {e}"); log::error!("Failed to find user by username or email! {}", e);
None None
}), }),
)) ))
@@ -461,7 +347,7 @@ impl Handler<GetAllUsers> for UsersActor {
match self.manager.get_entire_users_list() { match self.manager.get_entire_users_list() {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to get entire users list! {e}"); log::error!("Failed to get entire users list! {}", e);
vec![] vec![]
} }
} }
@@ -475,7 +361,7 @@ impl Handler<UpdateUserSettings> for UsersActor {
match self.manager.set_general_user_settings(msg.0) { match self.manager.set_general_user_settings(msg.0) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to update general user information! {e:?}"); log::error!("Failed to update general user information! {:?}", e);
false false
} }
} }
@@ -489,7 +375,7 @@ impl Handler<DeleteUserRequest> for UsersActor {
match self.manager.delete_account(&msg.0) { match self.manager.delete_account(&msg.0) {
Ok(_) => true, Ok(_) => true,
Err(e) => { Err(e) => {
log::error!("Failed to delete user account! {e}"); log::error!("Failed to delete user account! {}", e);
false false
} }
} }

17
src/constants.rs
View File

@@ -29,10 +29,6 @@ pub const MAX_SECOND_FACTOR_NAME_LEN: usize = 25;
/// exempted from this IP address to use 2FA /// exempted from this IP address to use 2FA
pub const SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN: u64 = 7 * 24 * 3600; pub const SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN: u64 = 7 * 24 * 3600;
/// The maximum acceptable interval of time between last two factors authentication of a user and
/// access to a critical route / a critical client
pub const SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS: u64 = 60 * 10;
/// Minimum password length /// Minimum password length
pub const MIN_PASS_LEN: usize = 4; pub const MIN_PASS_LEN: usize = 4;
@@ -69,22 +65,9 @@ pub const OPEN_ID_AUTHORIZATION_CODE_LEN: usize = 120;
pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300; pub const OPEN_ID_AUTHORIZATION_CODE_TIMEOUT: u64 = 300;
pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50; pub const OPEN_ID_ACCESS_TOKEN_LEN: usize = 50;
pub const OPEN_ID_ACCESS_TOKEN_TIMEOUT: u64 = 3600; pub const OPEN_ID_ACCESS_TOKEN_TIMEOUT: u64 = 3600;
pub const OPEN_ID_ID_TOKEN_TIMEOUT: u64 = 3600;
pub const OPEN_ID_REFRESH_TOKEN_LEN: usize = 120; pub const OPEN_ID_REFRESH_TOKEN_LEN: usize = 120;
pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000; pub const OPEN_ID_REFRESH_TOKEN_TIMEOUT: u64 = 360000;
/// Webauthn constants /// Webauthn constants
pub const WEBAUTHN_REGISTER_CHALLENGE_EXPIRE: u64 = 3600; pub const WEBAUTHN_REGISTER_CHALLENGE_EXPIRE: u64 = 3600;
pub const WEBAUTHN_LOGIN_CHALLENGE_EXPIRE: u64 = 3600; pub const WEBAUTHN_LOGIN_CHALLENGE_EXPIRE: u64 = 3600;
/// OpenID providers login state constants
pub const OIDC_STATES_CLEANUP_INTERVAL: Duration = Duration::from_secs(60);
pub const MAX_OIDC_PROVIDERS_STATES: usize = 10;
pub const OIDC_PROVIDERS_STATE_LEN: usize = 40;
pub const OIDC_PROVIDERS_STATE_DURATION: u64 = 60 * 15;
/// OpenID providers configuration constants
pub const OIDC_PROVIDERS_LIFETIME: u64 = 3600;
/// OpenID provider callback URI
pub const OIDC_PROVIDER_CB_URI: &str = "/prov_cb";

14
src/controllers/admin_api.rs
View File

@@ -1,13 +1,11 @@
use crate::actors::users_actor; use crate::actors::users_actor;
use actix::Addr; use actix::Addr;
use actix_web::{HttpResponse, Responder, web}; use actix_web::{web, HttpResponse, Responder};
use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersActor}; use crate::actors::users_actor::{DeleteUserRequest, FindUserByUsername, UsersActor};
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::user::UserID; use crate::data::user::UserID;
use crate::utils::string_utils;
#[derive(serde::Deserialize)] #[derive(serde::Deserialize)]
pub struct FindUserNameReq { pub struct FindUserNameReq {
@@ -20,14 +18,9 @@ struct FindUserResult {
} }
pub async fn find_username( pub async fn find_username(
_critical: CriticalRoute,
req: web::Form<FindUserNameReq>, req: web::Form<FindUserNameReq>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
) -> impl Responder { ) -> impl Responder {
if !string_utils::is_acceptable_login(&req.username) {
return HttpResponse::BadRequest().json("Invalid login!");
}
let res = users let res = users
.send(FindUserByUsername(req.0.username)) .send(FindUserByUsername(req.0.username))
.await .await
@@ -43,7 +36,6 @@ pub struct DeleteUserReq {
} }
pub async fn delete_user( pub async fn delete_user(
_critical: CriticalRoute,
user: CurrentUser, user: CurrentUser,
req: web::Form<DeleteUserReq>, req: web::Form<DeleteUserReq>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
@@ -65,9 +57,7 @@ pub async fn delete_user(
let res = users.send(DeleteUserRequest(req.0.user_id)).await.unwrap(); let res = users.send(DeleteUserRequest(req.0.user_id)).await.unwrap();
if res { if res {
action_logger.log(Action::AdminDeleteUser { action_logger.log(Action::AdminDeleteUser(&user));
user: user.loggable(),
});
HttpResponse::Ok().finish() HttpResponse::Ok().finish()
} else { } else {
HttpResponse::InternalServerError().finish() HttpResponse::InternalServerError().finish()

84
src/controllers/admin_controller.rs
View File

@@ -2,7 +2,7 @@ use std::ops::Deref;
use std::sync::Arc; use std::sync::Arc;
use actix::Addr; use actix::Addr;
use actix_web::{HttpResponse, Responder, web}; use actix_web::{web, HttpResponse, Responder};
use askama::Template; use askama::Template;
use crate::actors::users_actor; use crate::actors::users_actor;
@@ -10,41 +10,37 @@ use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor};
use crate::constants::TEMPORARY_PASSWORDS_LEN; use crate::constants::TEMPORARY_PASSWORDS_LEN;
use crate::controllers::settings_controller::BaseSettingsPage; use crate::controllers::settings_controller::BaseSettingsPage;
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig;
use crate::data::client::{Client, ClientID, ClientManager}; use crate::data::client::{Client, ClientID, ClientManager};
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::provider::{Provider, ProviderID, ProvidersManager}; use crate::data::provider::{Provider, ProviderID, ProvidersManager};
use crate::data::user::{GeneralSettings, GrantedClients, User, UserID}; use crate::data::user::{GeneralSettings, GrantedClients, User, UserID};
use crate::utils::string_utils;
use crate::utils::string_utils::rand_str; use crate::utils::string_utils::rand_str;
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/clients_list.html")] #[template(path = "settings/clients_list.html")]
struct ClientsListTemplate<'a> { struct ClientsListTemplate {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
clients: Vec<Client>, clients: Vec<Client>,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/providers_list.html")] #[template(path = "settings/providers_list.html")]
struct ProvidersListTemplate<'a> { struct ProvidersListTemplate {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
providers: Vec<Provider>, providers: Vec<Provider>,
redirect_url: String,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/users_list.html")] #[template(path = "settings/users_list.html")]
struct UsersListTemplate<'a> { struct UsersListTemplate {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
users: Vec<User>, users: Vec<User>,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/edit_user.html")] #[template(path = "settings/edit_user.html")]
struct EditUserTemplate<'a> { struct EditUserTemplate {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
u: User, u: User,
clients: Vec<Client>, clients: Vec<Client>,
providers: Vec<Provider>, providers: Vec<Provider>,
@@ -56,7 +52,7 @@ pub async fn clients_route(
) -> impl Responder { ) -> impl Responder {
HttpResponse::Ok().body( HttpResponse::Ok().body(
ClientsListTemplate { ClientsListTemplate {
p: BaseSettingsPage::get("Clients list", &user, None, None), _p: BaseSettingsPage::get("Clients list", &user, None, None),
clients: clients.cloned(), clients: clients.cloned(),
} }
.render() .render()
@@ -70,9 +66,8 @@ pub async fn providers_route(
) -> impl Responder { ) -> impl Responder {
HttpResponse::Ok().body( HttpResponse::Ok().body(
ProvidersListTemplate { ProvidersListTemplate {
p: BaseSettingsPage::get("OpenID Providers list", &user, None, None), _p: BaseSettingsPage::get("OpenID Providers list", &user, None, None),
providers: providers.cloned(), providers: providers.cloned(),
redirect_url: AppConfig::get().oidc_provider_redirect_url(),
} }
.render() .render()
.unwrap(), .unwrap(),
@@ -99,7 +94,6 @@ pub struct UpdateUserQuery {
} }
pub async fn users_route( pub async fn users_route(
_critical: CriticalRoute,
admin: CurrentUser, admin: CurrentUser,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
update_query: Option<web::Form<UpdateUserQuery>>, update_query: Option<web::Form<UpdateUserQuery>>,
@@ -108,16 +102,7 @@ pub async fn users_route(
let mut danger = None; let mut danger = None;
let mut success = None; let mut success = None;
// Check update query for invalid input if let Some(update) = update_query {
if update_query
.as_ref()
.map(|l| string_utils::is_acceptable_login(&l.username))
== Some(false)
{
danger = Some("Invalid login provided, the modifications could not be saved!".to_string());
}
// Perform request (if any)
else if let Some(update) = update_query {
let edited_user: Option<User> = users let edited_user: Option<User> = users
.send(users_actor::GetUserRequest(update.uid.clone())) .send(users_actor::GetUserRequest(update.uid.clone()))
.await .await
@@ -165,10 +150,7 @@ pub async fn users_route(
let factors_to_keep = update.0.two_factor.split(';').collect::<Vec<_>>(); let factors_to_keep = update.0.two_factor.split(';').collect::<Vec<_>>();
for factor in &edited_user.two_factor { for factor in &edited_user.two_factor {
if !factors_to_keep.contains(&factor.id.0.as_str()) { if !factors_to_keep.contains(&factor.id.0.as_str()) {
logger.log(Action::AdminRemoveUserFactor { logger.log(Action::AdminRemoveUserFactor(&edited_user, factor));
user: edited_user.loggable(),
factor: factor.loggable(),
});
users users
.send(users_actor::Remove2FAFactor( .send(users_actor::Remove2FAFactor(
edited_user.uid.clone(), edited_user.uid.clone(),
@@ -189,10 +171,10 @@ pub async fn users_route(
}; };
if edited_user.authorized_authentication_sources() != auth_sources { if edited_user.authorized_authentication_sources() != auth_sources {
logger.log(Action::AdminSetAuthorizedAuthenticationSources { logger.log(Action::AdminSetAuthorizedAuthenticationSources(
user: edited_user.loggable(), &edited_user,
sources: &auth_sources, &auth_sources,
}); ));
users users
.send(users_actor::SetAuthorizedAuthenticationSources( .send(users_actor::SetAuthorizedAuthenticationSources(
edited_user.uid.clone(), edited_user.uid.clone(),
@@ -219,10 +201,10 @@ pub async fn users_route(
}; };
if edited_user.granted_clients() != granted_clients { if edited_user.granted_clients() != granted_clients {
logger.log(Action::AdminSetNewGrantedClientsList { logger.log(Action::AdminSetNewGrantedClientsList(
user: edited_user.loggable(), &edited_user,
clients: &granted_clients, &granted_clients,
}); ));
users users
.send(users_actor::SetGrantedClients( .send(users_actor::SetGrantedClients(
edited_user.uid.clone(), edited_user.uid.clone(),
@@ -234,9 +216,7 @@ pub async fn users_route(
// Clear user 2FA history if requested // Clear user 2FA history if requested
if update.0.clear_2fa_history.is_some() { if update.0.clear_2fa_history.is_some() {
logger.log(Action::AdminClear2FAHistory { logger.log(Action::AdminClear2FAHistory(&edited_user));
user: edited_user.loggable(),
});
users users
.send(users_actor::Clear2FALoginHistory(edited_user.uid.clone())) .send(users_actor::Clear2FALoginHistory(edited_user.uid.clone()))
.await .await
@@ -247,9 +227,7 @@ pub async fn users_route(
let new_password = match update.0.gen_new_password.is_some() { let new_password = match update.0.gen_new_password.is_some() {
false => None, false => None,
true => { true => {
logger.log(Action::AdminResetUserPassword { logger.log(Action::AdminResetUserPassword(&edited_user));
user: edited_user.loggable(),
});
let temp_pass = rand_str(TEMPORARY_PASSWORDS_LEN); let temp_pass = rand_str(TEMPORARY_PASSWORDS_LEN);
users users
@@ -276,15 +254,11 @@ pub async fn users_route(
} else { } else {
success = Some(match is_creating { success = Some(match is_creating {
true => { true => {
logger.log(Action::AdminCreateUser { logger.log(Action::AdminCreateUser(&edited_user));
user: edited_user.loggable(),
});
format!("User {} was successfully created!", edited_user.full_name()) format!("User {} was successfully created!", edited_user.full_name())
} }
false => { false => {
logger.log(Action::AdminUpdateUser { logger.log(Action::AdminUpdateUser(&edited_user));
user: edited_user.loggable(),
});
format!("User {} was successfully updated!", edited_user.full_name()) format!("User {} was successfully updated!", edited_user.full_name())
} }
}); });
@@ -303,7 +277,7 @@ pub async fn users_route(
HttpResponse::Ok().body( HttpResponse::Ok().body(
UsersListTemplate { UsersListTemplate {
p: BaseSettingsPage::get("Users list", &admin, danger, success), _p: BaseSettingsPage::get("Users list", &admin, danger, success),
users, users,
} }
.render() .render()
@@ -312,7 +286,6 @@ pub async fn users_route(
} }
pub async fn create_user( pub async fn create_user(
_critical: CriticalRoute,
admin: CurrentUser, admin: CurrentUser,
clients: web::Data<Arc<ClientManager>>, clients: web::Data<Arc<ClientManager>>,
providers: web::Data<Arc<ProvidersManager>>, providers: web::Data<Arc<ProvidersManager>>,
@@ -330,7 +303,7 @@ pub async fn create_user(
HttpResponse::Ok().body( HttpResponse::Ok().body(
EditUserTemplate { EditUserTemplate {
p: BaseSettingsPage::get("Create a new user", admin.deref(), None, None), _p: BaseSettingsPage::get("Create a new user", admin.deref(), None, None),
u: user, u: user,
clients: clients.cloned(), clients: clients.cloned(),
providers: providers.cloned(), providers: providers.cloned(),
@@ -346,7 +319,6 @@ pub struct EditUserQuery {
} }
pub async fn edit_user( pub async fn edit_user(
_critical: CriticalRoute,
admin: CurrentUser, admin: CurrentUser,
clients: web::Data<Arc<ClientManager>>, clients: web::Data<Arc<ClientManager>>,
providers: web::Data<Arc<ProvidersManager>>, providers: web::Data<Arc<ProvidersManager>>,
@@ -361,7 +333,7 @@ pub async fn edit_user(
HttpResponse::Ok().body( HttpResponse::Ok().body(
EditUserTemplate { EditUserTemplate {
p: BaseSettingsPage::get( _p: BaseSettingsPage::get(
"Edit user account", "Edit user account",
admin.deref(), admin.deref(),
match edited_account.is_none() { match edited_account.is_none() {

4
src/controllers/assets_controller.rs
View File

@@ -1,7 +1,7 @@
use std::path::Path; use std::path::Path;
use actix_web::{HttpResponse, web}; use actix_web::{web, HttpResponse};
use include_dir::{Dir, include_dir}; use include_dir::{include_dir, Dir};
/// Assets directory /// Assets directory
static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets"); static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets");

14
src/controllers/login_api.rs
View File

@@ -1,10 +1,10 @@
use crate::actors::users_actor; use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor; use crate::actors::users_actor::UsersActor;
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::remote_ip::RemoteIP;
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_remote_ip::RemoteIP; use actix_web::{web, HttpRequest, HttpResponse, Responder};
use actix_web::{HttpRequest, HttpResponse, Responder, web};
use webauthn_rs::prelude::PublicKeyCredential; use webauthn_rs::prelude::PublicKeyCredential;
use crate::data::session_identity::{SessionIdentity, SessionStatus}; use crate::data::session_identity::{SessionIdentity, SessionStatus};
@@ -25,6 +25,10 @@ pub async fn auth_webauthn(
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
logger: ActionLogger, logger: ActionLogger,
) -> impl Responder { ) -> impl Responder {
if !SessionIdentity(Some(&id)).need_2fa_auth() {
return HttpResponse::Unauthorized().json("No 2FA required!");
}
let user_id = SessionIdentity(Some(&id)).user_id(); let user_id = SessionIdentity(Some(&id)).user_id();
match manager.finish_authentication(&user_id, &req.opaque_state, &req.credential) { match manager.finish_authentication(&user_id, &req.opaque_state, &req.credential) {
@@ -37,9 +41,7 @@ pub async fn auth_webauthn(
.await .await
.unwrap(); .unwrap();
let session = SessionIdentity(Some(&id)); SessionIdentity(Some(&id)).set_status(&http_req, SessionStatus::SignedIn);
session.record_2fa_auth(&http_req);
session.set_status(&http_req, SessionStatus::SignedIn);
logger.log(Action::LoginWebauthnAttempt { logger.log(Action::LoginWebauthnAttempt {
success: true, success: true,
user_id, user_id,
@@ -47,7 +49,7 @@ pub async fn auth_webauthn(
HttpResponse::Ok().body("You are authenticated!") HttpResponse::Ok().body("You are authenticated!")
} }
Err(e) => { Err(e) => {
log::error!("Failed to authenticate user using webauthn! {e:?}"); log::error!("Failed to authenticate user using webauthn! {:?}", e);
logger.log(Action::LoginWebauthnAttempt { logger.log(Action::LoginWebauthnAttempt {
success: false, success: false,
user_id, user_id,

184
src/controllers/login_controller.rs
View File

@@ -1,9 +1,7 @@
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_remote_ip::RemoteIP; use actix_web::{web, HttpRequest, HttpResponse, Responder};
use actix_web::{HttpRequest, HttpResponse, Responder, web};
use askama::Template; use askama::Template;
use std::sync::Arc;
use crate::actors::bruteforce_actor::BruteForceActor; use crate::actors::bruteforce_actor::BruteForceActor;
use crate::actors::users_actor::{LoginResult, UsersActor}; use crate::actors::users_actor::{LoginResult, UsersActor};
@@ -13,70 +11,51 @@ use crate::controllers::base_controller::{
build_fatal_error_page, redirect_user, redirect_user_for_login, build_fatal_error_page, redirect_user, redirect_user_for_login,
}; };
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig; use crate::data::login_redirect::LoginRedirect;
use crate::data::force_2fa_auth::Force2FAAuth; use crate::data::remote_ip::RemoteIP;
use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
use crate::data::provider::{Provider, ProvidersManager};
use crate::data::session_identity::{SessionIdentity, SessionStatus}; use crate::data::session_identity::{SessionIdentity, SessionStatus};
use crate::data::user::User; use crate::data::user::User;
use crate::data::webauthn_manager::WebAuthManagerReq; use crate::data::webauthn_manager::WebAuthManagerReq;
use crate::utils::string_utils;
pub struct BaseLoginPage { struct BaseLoginPage<'a> {
pub danger: Option<String>, danger: Option<String>,
pub success: Option<String>, success: Option<String>,
pub background_image: &'static str, page_title: &'static str,
pub page_title: &'static str, app_name: &'static str,
pub app_name: &'static str, redirect_uri: &'a LoginRedirect,
pub redirect_uri: LoginRedirect,
}
impl Default for BaseLoginPage {
fn default() -> Self {
Self {
page_title: "Login",
danger: None,
success: None,
background_image: &AppConfig::get().login_background_image,
app_name: APP_NAME,
redirect_uri: LoginRedirect::default(),
}
}
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "login/login.html")] #[template(path = "login/login.html")]
struct LoginTemplate { struct LoginTemplate<'a> {
p: BaseLoginPage, _p: BaseLoginPage<'a>,
login: String, login: String,
show_local_login: bool,
providers: Vec<Provider>,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "login/password_reset.html")] #[template(path = "login/password_reset.html")]
struct PasswordResetTemplate { struct PasswordResetTemplate<'a> {
p: BaseLoginPage, _p: BaseLoginPage<'a>,
min_pass_len: usize, min_pass_len: usize,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "login/choose_second_factor.html")] #[template(path = "login/choose_second_factor.html")]
struct ChooseSecondFactorTemplate<'a> { struct ChooseSecondFactorTemplate<'a> {
p: BaseLoginPage, _p: BaseLoginPage<'a>,
user: &'a User, user: &'a User,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "login/otp_input.html")] #[template(path = "login/otp_input.html")]
struct LoginWithOTPTemplate { struct LoginWithOTPTemplate<'a> {
p: BaseLoginPage, _p: BaseLoginPage<'a>,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "login/webauthn_input.html")] #[template(path = "login/webauthn_input.html")]
struct LoginWithWebauthnTemplate { struct LoginWithWebauthnTemplate<'a> {
p: BaseLoginPage, _p: BaseLoginPage<'a>,
opaque_state: String, opaque_state: String,
challenge_json: String, challenge_json: String,
} }
@@ -98,7 +77,6 @@ pub struct LoginRequestQuery {
#[allow(clippy::too_many_arguments)] #[allow(clippy::too_many_arguments)]
pub async fn login_route( pub async fn login_route(
remote_ip: RemoteIP, remote_ip: RemoteIP,
providers: web::Data<Arc<ProvidersManager>>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
bruteforce: web::Data<Addr<BruteForceActor>>, bruteforce: web::Data<Addr<BruteForceActor>>,
query: web::Query<LoginRequestQuery>, query: web::Query<LoginRequestQuery>,
@@ -127,7 +105,7 @@ pub async fn login_route(
// Check if user session must be closed // Check if user session must be closed
if let Some(true) = query.logout { if let Some(true) = query.logout {
if let Some(id) = id { if let Some(id) = id {
logger.log(Action::SignOut); logger.log(Action::Signout);
id.logout(); id.logout();
} }
success = Some("Goodbye!".to_string()); success = Some("Goodbye!".to_string());
@@ -143,25 +121,16 @@ pub async fn login_route(
query.redirect.get_encoded() query.redirect.get_encoded()
)); ));
} }
// Check if the user has to validate a second factor // Check if the user has to valide a second factor
else if SessionIdentity(id.as_ref()).need_2fa_auth() { else if SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user(&get_2fa_url(&query.redirect, false)); return redirect_user(&format!(
"/2fa_auth?redirect={}",
query.redirect.get_encoded()
));
} }
// Check if given login is not acceptable // Try to authenticate user
else if req else if let Some(req) = &req {
.as_ref() login = req.login.clone();
.map(|r| string_utils::is_acceptable_login(&r.login))
== Some(false)
{
danger = Some(
"Given login could not be processed, because it has an invalid format!".to_string(),
);
}
// Try to authenticate user (local login)
else if let Some(req) = &req
&& !AppConfig::get().disable_local_login
{
login.clone_from(&req.login);
let response: LoginResult = users let response: LoginResult = users
.send(users_actor::LocalLoginRequest { .send(users_actor::LocalLoginRequest {
login: login.clone(), login: login.clone(),
@@ -173,20 +142,14 @@ pub async fn login_route(
match response { match response {
LoginResult::Success(user) => { LoginResult::Success(user) => {
let status = if user.need_reset_password { let status = if user.need_reset_password {
logger.log(Action::UserNeedNewPasswordOnLogin { logger.log(Action::UserNeedNewPasswordOnLogin(&user));
user: user.loggable(),
});
SessionStatus::NeedNewPassword SessionStatus::NeedNewPassword
} else if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0) } else if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0)
{ {
logger.log(Action::UserNeed2FAOnLogin { logger.log(Action::UserNeed2FAOnLogin(&user));
user: user.loggable(),
});
SessionStatus::Need2FA SessionStatus::Need2FA
} else { } else {
logger.log(Action::UserSuccessfullyAuthenticated { logger.log(Action::UserSuccessfullyAuthenticated(&user));
user: user.loggable(),
});
SessionStatus::SignedIn SessionStatus::SignedIn
}; };
@@ -196,16 +159,13 @@ pub async fn login_route(
LoginResult::AccountDisabled => { LoginResult::AccountDisabled => {
log::warn!("Failed login for username {} : account is disabled", &login); log::warn!("Failed login for username {} : account is disabled", &login);
logger.log(Action::TryLoginWithDisabledAccount { login: &login }); logger.log(Action::TryLoginWithDisabledAccount(&login));
danger = Some("Your account is disabled!".to_string()); danger = Some("Your account is disabled!".to_string());
} }
LoginResult::LocalAuthForbidden => { LoginResult::LocalAuthForbidden => {
log::warn!( log::warn!("Failed login for username {} : attempted to use local auth, but it is forbidden", &login);
"Failed login for username {} : attempted to use local auth, but it is forbidden", logger.log(Action::TryLocalLoginFromUnauthorizedAccount(&login));
&login
);
logger.log(Action::TryLocalLoginFromUnauthorizedAccount { login: &login });
danger = Some("You cannot login from local auth with your account!".to_string()); danger = Some("You cannot login from local auth with your account!".to_string());
} }
@@ -214,8 +174,13 @@ pub async fn login_route(
} }
c => { c => {
log::warn!("Failed login for ip {remote_ip:?} / username {login}: {c:?}"); log::warn!(
logger.log(Action::FailedLoginWithBadCredentials { login: &login }); "Failed login for ip {:?} / username {}: {:?}",
remote_ip,
login,
c
);
logger.log(Action::FailedLoginWithBadCredentials(&login));
danger = Some("Login failed.".to_string()); danger = Some("Login failed.".to_string());
bruteforce bruteforce
@@ -227,23 +192,17 @@ pub async fn login_route(
} }
} }
} }
// If there is only a single provider, trigger auto-login
else if AppConfig::get().disable_local_login && providers.len() == 1 {
return redirect_user(&providers.cloned()[0].login_url(&query.redirect));
}
HttpResponse::Ok().content_type("text/html").body( HttpResponse::Ok().content_type("text/html").body(
LoginTemplate { LoginTemplate {
p: BaseLoginPage { _p: BaseLoginPage {
page_title: "Login", page_title: "Login",
danger, danger,
success, success,
redirect_uri: query.0.redirect, app_name: APP_NAME,
..Default::default() redirect_uri: &query.redirect,
}, },
login, login,
show_local_login: !AppConfig::get().disable_local_login,
providers: providers.cloned(),
} }
.render() .render()
.unwrap(), .unwrap(),
@@ -283,7 +242,7 @@ pub async fn reset_password_route(
let user_id = SessionIdentity(id.as_ref()).user_id(); let user_id = SessionIdentity(id.as_ref()).user_id();
// Check if user is setting a new password // Check if user is setting a new password
if let Some(req) = &req { if let Some(req) = &req {
if req.password.len() < MIN_PASS_LEN { if req.password.len() < MIN_PASS_LEN {
danger = Some("Password is too short!".to_string()); danger = Some("Password is too short!".to_string());
@@ -301,7 +260,7 @@ pub async fn reset_password_route(
danger = Some("Failed to change password!".to_string()); danger = Some("Failed to change password!".to_string());
} else { } else {
SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn); SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
logger.log(Action::UserChangedPasswordOnLogin { user_id: &user_id }); logger.log(Action::UserChangedPasswordOnLogin(&user_id));
return redirect_user(query.redirect.get()); return redirect_user(query.redirect.get());
} }
} }
@@ -309,11 +268,12 @@ pub async fn reset_password_route(
HttpResponse::Ok().content_type("text/html").body( HttpResponse::Ok().content_type("text/html").body(
PasswordResetTemplate { PasswordResetTemplate {
p: BaseLoginPage { _p: BaseLoginPage {
page_title: "Password reset", page_title: "Password reset",
danger, danger,
redirect_uri: query.0.redirect, success: None,
..Default::default() app_name: APP_NAME,
redirect_uri: &query.redirect,
}, },
min_pass_len: MIN_PASS_LEN, min_pass_len: MIN_PASS_LEN,
} }
@@ -335,9 +295,8 @@ pub async fn choose_2fa_method(
id: Option<Identity>, id: Option<Identity>,
query: web::Query<ChooseSecondFactorQuery>, query: web::Query<ChooseSecondFactorQuery>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
force2faauth: Force2FAAuth,
) -> impl Responder { ) -> impl Responder {
if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force { if !SessionIdentity(id.as_ref()).need_2fa_auth() {
log::trace!("User does not require 2fa auth, redirecting"); log::trace!("User does not require 2fa auth, redirecting");
return redirect_user_for_login(query.redirect.get()); return redirect_user_for_login(query.redirect.get());
} }
@@ -354,15 +313,17 @@ pub async fn choose_2fa_method(
// Automatically choose factor if there is only one factor // Automatically choose factor if there is only one factor
if user.get_distinct_factors_types().len() == 1 && !query.force_display { if user.get_distinct_factors_types().len() == 1 && !query.force_display {
log::trace!("User has only one factor, using it by default"); log::trace!("User has only one factor, using it by default");
return redirect_user(&user.two_factor[0].login_url(&query.redirect, true)); return redirect_user(&user.two_factor[0].login_url(&query.redirect));
} }
HttpResponse::Ok().content_type("text/html").body( HttpResponse::Ok().content_type("text/html").body(
ChooseSecondFactorTemplate { ChooseSecondFactorTemplate {
p: BaseLoginPage { _p: BaseLoginPage {
page_title: "Two factor authentication", page_title: "Two factor authentication",
redirect_uri: query.0.redirect, danger: None,
..Default::default() success: None,
app_name: APP_NAME,
redirect_uri: &query.redirect,
}, },
user: &user, user: &user,
} }
@@ -383,7 +344,6 @@ pub struct LoginWithOTPForm {
} }
/// Login with OTP /// Login with OTP
#[allow(clippy::too_many_arguments)]
pub async fn login_with_otp( pub async fn login_with_otp(
id: Option<Identity>, id: Option<Identity>,
query: web::Query<LoginWithOTPQuery>, query: web::Query<LoginWithOTPQuery>,
@@ -392,11 +352,10 @@ pub async fn login_with_otp(
http_req: HttpRequest, http_req: HttpRequest,
remote_ip: RemoteIP, remote_ip: RemoteIP,
logger: ActionLogger, logger: ActionLogger,
force2faauth: Force2FAAuth,
) -> impl Responder { ) -> impl Responder {
let mut danger = None; let mut danger = None;
if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force { if !SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user_for_login(query.redirect.get()); return redirect_user_for_login(query.redirect.get());
} }
@@ -421,7 +380,7 @@ pub async fn login_with_otp(
{ {
logger.log(Action::OTPLoginAttempt { logger.log(Action::OTPLoginAttempt {
success: false, success: false,
user: user.loggable(), user: &user,
}); });
danger = Some("Specified code is invalid!".to_string()); danger = Some("Specified code is invalid!".to_string());
} else { } else {
@@ -433,12 +392,10 @@ pub async fn login_with_otp(
.await .await
.unwrap(); .unwrap();
let session = SessionIdentity(id.as_ref()); SessionIdentity(id.as_ref()).set_status(&http_req, SessionStatus::SignedIn);
session.record_2fa_auth(&http_req);
session.set_status(&http_req, SessionStatus::SignedIn);
logger.log(Action::OTPLoginAttempt { logger.log(Action::OTPLoginAttempt {
success: true, success: true,
user: user.loggable(), user: &user,
}); });
return redirect_user(query.redirect.get()); return redirect_user(query.redirect.get());
} }
@@ -446,12 +403,12 @@ pub async fn login_with_otp(
HttpResponse::Ok().body( HttpResponse::Ok().body(
LoginWithOTPTemplate { LoginWithOTPTemplate {
p: BaseLoginPage { _p: BaseLoginPage {
danger, danger,
success: None, success: None,
page_title: "Two-Factor Auth", page_title: "Two-Factor Auth",
redirect_uri: query.0.redirect, app_name: APP_NAME,
..Default::default() redirect_uri: &query.redirect,
}, },
} }
.render() .render()
@@ -471,9 +428,8 @@ pub async fn login_with_webauthn(
query: web::Query<LoginWithWebauthnQuery>, query: web::Query<LoginWithWebauthnQuery>,
manager: WebAuthManagerReq, manager: WebAuthManagerReq,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
force2faauth: Force2FAAuth,
) -> impl Responder { ) -> impl Responder {
if !SessionIdentity(id.as_ref()).need_2fa_auth() && !force2faauth.force { if !SessionIdentity(id.as_ref()).need_2fa_auth() {
return redirect_user_for_login(query.redirect.get()); return redirect_user_for_login(query.redirect.get());
} }
@@ -495,7 +451,7 @@ pub async fn login_with_webauthn(
let challenge = match manager.start_authentication(&user.uid, &pub_keys) { let challenge = match manager.start_authentication(&user.uid, &pub_keys) {
Ok(c) => c, Ok(c) => c,
Err(e) => { Err(e) => {
log::error!("Failed to generate webauthn challenge! {e:?}"); log::error!("Failed to generate webauthn challenge! {:?}", e);
return HttpResponse::InternalServerError().body(build_fatal_error_page( return HttpResponse::InternalServerError().body(build_fatal_error_page(
"Failed to generate webauthn challenge", "Failed to generate webauthn challenge",
)); ));
@@ -505,17 +461,19 @@ pub async fn login_with_webauthn(
let challenge_json = match serde_json::to_string(&challenge.login_challenge) { let challenge_json = match serde_json::to_string(&challenge.login_challenge) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to serialize challenge! {e:?}"); log::error!("Failed to serialize challenge! {:?}", e);
return HttpResponse::InternalServerError().body("Failed to serialize challenge!"); return HttpResponse::InternalServerError().body("Failed to serialize challenge!");
} }
}; };
HttpResponse::Ok().body( HttpResponse::Ok().body(
LoginWithWebauthnTemplate { LoginWithWebauthnTemplate {
p: BaseLoginPage { _p: BaseLoginPage {
danger: None,
success: None,
page_title: "Two-Factor Auth", page_title: "Two-Factor Auth",
redirect_uri: query.0.redirect, app_name: APP_NAME,
..Default::default() redirect_uri: &query.redirect,
}, },
opaque_state: challenge.opaque_state, opaque_state: challenge.opaque_state,
challenge_json: urlencoding::encode(&challenge_json).to_string(), challenge_json: urlencoding::encode(&challenge_json).to_string(),

1
src/controllers/mod.rs
View File

@@ -5,7 +5,6 @@ pub mod base_controller;
pub mod login_api; pub mod login_api;
pub mod login_controller; pub mod login_controller;
pub mod openid_controller; pub mod openid_controller;
pub mod providers_controller;
pub mod settings_controller; pub mod settings_controller;
pub mod two_factor_api; pub mod two_factor_api;
pub mod two_factors_controller; pub mod two_factors_controller;

350
src/controllers/openid_controller.rs
View File

@@ -4,25 +4,24 @@ use std::sync::Arc;
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_web::error::ErrorUnauthorized; use actix_web::error::ErrorUnauthorized;
use actix_web::{HttpRequest, HttpResponse, Responder, web}; use actix_web::{web, HttpRequest, HttpResponse, Responder};
use base64::Engine as _;
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD; use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use light_openid::primitives::{OpenIDConfig, OpenIDTokenResponse, OpenIDUserInfo}; use base64::Engine as _;
use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, SessionID}; use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, SessionID};
use crate::actors::users_actor::UsersActor; use crate::actors::users_actor::UsersActor;
use crate::actors::{openid_sessions_actor, users_actor}; use crate::actors::{openid_sessions_actor, users_actor};
use crate::constants::*; use crate::constants::*;
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user}; use crate::controllers::base_controller::build_fatal_error_page;
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::client::{AdditionalClaims, ClientID, ClientManager}; use crate::data::client::{ClientID, ClientManager};
use crate::data::code_challenge::CodeChallenge; use crate::data::code_challenge::CodeChallenge;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::id_token::IdToken; use crate::data::id_token::IdToken;
use crate::data::jwt_signer::{JWTSigner, JsonWebKey}; use crate::data::jwt_signer::{JWTSigner, JsonWebKey};
use crate::data::login_redirect::{LoginRedirect, get_2fa_url}; use crate::data::open_id_user_info::OpenIDUserInfo;
use crate::data::openid_config::OpenIDConfig;
use crate::data::session_identity::SessionIdentity; use crate::data::session_identity::SessionIdentity;
use crate::data::user::User; use crate::data::user::User;
use crate::utils::string_utils::rand_str; use crate::utils::string_utils::rand_str;
@@ -32,7 +31,6 @@ pub async fn get_configuration(req: HttpRequest) -> impl Responder {
let is_secure_request = req let is_secure_request = req
.headers() .headers()
.get("HTTP_X_FORWARDED_PROTO") .get("HTTP_X_FORWARDED_PROTO")
.or_else(|| req.headers().get("X-Forwarded-Proto"))
.map(|v| v.to_str().unwrap_or_default().to_lowercase().eq("https")) .map(|v| v.to_str().unwrap_or_default().to_lowercase().eq("https"))
.unwrap_or(false); .unwrap_or(false);
@@ -50,39 +48,20 @@ pub async fn get_configuration(req: HttpRequest) -> impl Responder {
host host
); );
HttpResponse::Ok() HttpResponse::Ok().json(OpenIDConfig {
.insert_header(("access-control-allow-origin", "*")) issuer: AppConfig::get().website_origin.clone(),
.json(OpenIDConfig { authorization_endpoint: AppConfig::get().full_url(AUTHORIZE_URI),
issuer: AppConfig::get().website_origin.clone(), token_endpoint: curr_origin.clone() + TOKEN_URI,
authorization_endpoint: AppConfig::get().full_url(AUTHORIZE_URI), userinfo_endpoint: curr_origin.clone() + USERINFO_URI,
token_endpoint: curr_origin.clone() + TOKEN_URI, jwks_uri: curr_origin + CERT_URI,
userinfo_endpoint: Some(curr_origin.clone() + USERINFO_URI), scopes_supported: vec!["openid", "profile", "email"],
jwks_uri: curr_origin + CERT_URI, response_types_supported: vec!["code", "id_token", "token id_token"],
scopes_supported: Some(vec![ subject_types_supported: vec!["public"],
"openid".to_string(), id_token_signing_alg_values_supported: vec!["RS256"],
"profile".to_string(), token_endpoint_auth_methods_supported: vec!["client_secret_post", "client_secret_basic"],
"email".to_string(), claims_supported: vec!["sub", "name", "given_name", "family_name", "email"],
]), code_challenge_methods_supported: vec!["plain", "S256"],
response_types_supported: vec![ })
"code".to_string(),
"id_token".to_string(),
"token id_token".to_string(),
],
subject_types_supported: vec!["public".to_string()],
id_token_signing_alg_values_supported: vec!["RS256".to_string()],
token_endpoint_auth_methods_supported: Some(vec![
"client_secret_post".to_string(),
"client_secret_basic".to_string(),
]),
claims_supported: Some(vec![
"sub".to_string(),
"name".to_string(),
"given_name".to_string(),
"family_name".to_string(),
"email".to_string(),
]),
code_challenge_methods_supported: Some(vec!["plain".to_string(), "S256".to_string()]),
})
} }
#[derive(serde::Deserialize, Debug)] #[derive(serde::Deserialize, Debug)]
@@ -100,7 +79,7 @@ pub struct AuthorizeQuery {
redirect_uri: String, redirect_uri: String,
/// RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. /// RECOMMENDED. Opaque value used to maintain state between the request and the callback. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
state: Option<String>, state: String,
/// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. /// OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.
nonce: Option<String>, nonce: Option<String>,
@@ -111,83 +90,71 @@ pub struct AuthorizeQuery {
} }
fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> HttpResponse { fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> HttpResponse {
log::warn!("Failed to process sign in request ({error} => {description}): {query:?}"); log::warn!(
"Failed to process sign in request ({} => {}): {:?}",
error,
description,
query
);
HttpResponse::Found() HttpResponse::Found()
.append_header(( .append_header((
"Location", "Location",
format!( format!(
"{}?error={}?error_description={}{}", "{}?error={}?error_description={}&state={}",
query.redirect_uri, query.redirect_uri,
urlencoding::encode(error), urlencoding::encode(error),
urlencoding::encode(description), urlencoding::encode(description),
match &query.state { urlencoding::encode(&query.state)
Some(s) => format!("&state={}", urlencoding::encode(s)),
None => "".to_string(),
}
), ),
)) ))
.finish() .finish()
} }
#[allow(clippy::too_many_arguments)]
pub async fn authorize( pub async fn authorize(
req: HttpRequest,
user: CurrentUser, user: CurrentUser,
id: Identity, id: Identity,
query: web::Query<AuthorizeQuery>, query: web::Query<AuthorizeQuery>,
clients: web::Data<Arc<ClientManager>>, clients: web::Data<Arc<ClientManager>>,
sessions: web::Data<Addr<OpenIDSessionsActor>>, sessions: web::Data<Addr<OpenIDSessionsActor>>,
logger: ActionLogger, logger: ActionLogger,
jwt_signer: web::Data<JWTSigner>, ) -> impl Responder {
) -> actix_web::Result<HttpResponse> {
let client = match clients.find_by_id(&query.client_id) { let client = match clients.find_by_id(&query.client_id) {
None => { None => {
return Ok( return HttpResponse::BadRequest().body(build_fatal_error_page("Client is invalid!"));
HttpResponse::BadRequest().body(build_fatal_error_page("Client is invalid!"))
);
} }
Some(c) => c, Some(c) => c,
}; };
// Check if 2FA is required
if client.enforce_2fa_auth && user.should_request_2fa_for_critical_functions() {
let uri = get_2fa_url(&LoginRedirect::from_req(&req), true);
return Ok(redirect_user(&uri));
}
// Validate specified redirect URI
let redirect_uri = query.redirect_uri.trim().to_string(); let redirect_uri = query.redirect_uri.trim().to_string();
if !redirect_uri.starts_with(&client.redirect_uri) { if !redirect_uri.starts_with(&client.redirect_uri) {
return Ok( return HttpResponse::BadRequest().body(build_fatal_error_page("Redirect URI is invalid!"));
HttpResponse::BadRequest().body(build_fatal_error_page("Redirect URI is invalid!"))
);
} }
if !query.scope.split(' ').any(|x| x == "openid") { if !query.scope.split(' ').any(|x| x == "openid") {
return Ok(error_redirect( return error_redirect(&query, "invalid_request", "openid scope missing!");
&query,
"invalid_request",
"openid scope missing!",
));
} }
if query.state.as_ref().map(String::is_empty).unwrap_or(false) { if !query.response_type.eq("code") {
return Ok(error_redirect( return error_redirect(
&query, &query,
"invalid_request", "invalid_request",
"State is specified but empty!", "Only code response type is supported!",
)); );
}
if query.state.is_empty() {
return error_redirect(&query, "invalid_request", "State is empty!");
} }
let code_challenge = match query.0.code_challenge.clone() { let code_challenge = match query.0.code_challenge.clone() {
Some(chal) => { Some(chal) => {
let meth = query.0.code_challenge_method.as_deref().unwrap_or("plain"); let meth = query.0.code_challenge_method.as_deref().unwrap_or("plain");
if !meth.eq("S256") && !meth.eq("plain") { if !meth.eq("S256") && !meth.eq("plain") {
return Ok(error_redirect( return error_redirect(
&query, &query,
"invalid_request", "invalid_request",
"Only S256 and plain code challenge methods are supported!", "Only S256 and plain code challenge methods are supported!",
)); );
} }
Some(CodeChallenge { Some(CodeChallenge {
code_challenge: chal, code_challenge: chal,
@@ -199,112 +166,49 @@ pub async fn authorize(
// Check if user is authorized to access the application // Check if user is authorized to access the application
if !user.can_access_app(&client) { if !user.can_access_app(&client) {
return Ok(error_redirect( return error_redirect(
&query, &query,
"invalid_request", "invalid_request",
"User is not authorized to access this application!", "User is not authorized to access this application!",
)); );
} }
// Check that requested authorization flow is supported // Save all authentication information in memory
if query.response_type != "code" && query.response_type != "id_token" { let session = Session {
return Ok(error_redirect( session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
&query, client: client.id.clone(),
"invalid_request", user: user.uid.clone(),
"Unsupported authorization flow!", auth_time: SessionIdentity(Some(&id)).auth_time(),
)); redirect_uri,
} authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
access_token: None,
access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
refresh_token: "".to_string(),
refresh_token_expire_at: 0,
nonce: query.0.nonce,
code_challenge,
};
sessions
.send(openid_sessions_actor::PushNewSession(session.clone()))
.await
.unwrap();
match (client.has_secret(), query.response_type.as_str()) { log::trace!("New OpenID session: {:#?}", session);
(_, "code") => { logger.log(Action::NewOpenIDSession { client: &client });
// Save all authentication information in memory
let session = Session {
session_id: SessionID(rand_str(OPEN_ID_SESSION_LEN)),
client: client.id.clone(),
user: user.uid.clone(),
auth_time: SessionIdentity(Some(&id)).auth_time(),
redirect_uri,
authorization_code: rand_str(OPEN_ID_AUTHORIZATION_CODE_LEN),
authorization_code_expire_at: time() + OPEN_ID_AUTHORIZATION_CODE_TIMEOUT,
access_token: None,
access_token_expire_at: time() + OPEN_ID_ACCESS_TOKEN_TIMEOUT,
refresh_token: "".to_string(),
refresh_token_expire_at: 0,
nonce: query.0.nonce,
code_challenge,
};
sessions
.send(openid_sessions_actor::PushNewSession(session.clone()))
.await
.unwrap();
log::trace!("New OpenID session: {session:#?}"); HttpResponse::Found()
logger.log(Action::NewOpenIDSession { client: &client.id }); .append_header((
"Location",
Ok(HttpResponse::Found() format!(
.append_header(( "{}?state={}&session_state={}&code={}",
"Location", session.redirect_uri,
format!( urlencoding::encode(&query.0.state),
"{}?{}session_state={}&code={}", urlencoding::encode(&session.session_id.0),
session.redirect_uri, urlencoding::encode(&session.authorization_code)
match &query.0.state { ),
Some(state) => format!("state={}&", urlencoding::encode(state)), ))
None => "".to_string(), .finish()
},
urlencoding::encode(&session.session_id.0),
urlencoding::encode(&session.authorization_code)
),
))
.finish())
}
// id_token is available only if user has no secret configured
(false, "id_token") => {
let id_token = IdToken {
issuer: AppConfig::get().website_origin.to_string(),
subject_identifier: user.uid.0.clone(),
audience: client.id.0.to_string(),
expiration_time: time() + OPEN_ID_ID_TOKEN_TIMEOUT,
issued_at: time(),
auth_time: SessionIdentity(Some(&id)).auth_time(),
nonce: query.nonce.clone(),
email: user.email.clone(),
additional_claims: client.claims_id_token(&user),
};
log::trace!("New OpenID id token: {:#?}", &id_token);
logger.log(Action::NewOpenIDSuccessfulImplicitAuth { client: &client.id });
Ok(HttpResponse::Found()
.append_header((
"Location",
format!(
"{}?{}token_type=bearer&id_token={}&expires_in={OPEN_ID_ID_TOKEN_TIMEOUT}",
client.redirect_uri,
match &query.0.state {
Some(state) => format!("state={}&", urlencoding::encode(state)),
None => "".to_string(),
},
jwt_signer.sign_token(id_token.to_jwt_claims())?
),
))
.finish())
}
(secret, code) => {
log::warn!(
"For client {:?}, configured with secret {:?}, made request with code {}",
client.id,
secret,
code
);
Ok(error_redirect(
&query,
"invalid_request",
"Requested authentication flow is unsupported / not configured for this client!",
))
}
}
} }
#[derive(serde::Serialize)] #[derive(serde::Serialize)]
@@ -314,7 +218,12 @@ struct ErrorResponse {
} }
pub fn error_response<D: Debug>(query: &D, error: &str, description: &str) -> HttpResponse { pub fn error_response<D: Debug>(query: &D, error: &str, description: &str) -> HttpResponse {
log::warn!("request failed: {error} - {description} => '{query:#?}'"); log::warn!(
"request failed: {} - {} => '{:#?}'",
error,
description,
query
);
HttpResponse::BadRequest().json(ErrorResponse { HttpResponse::BadRequest().json(ErrorResponse {
error: error.to_string(), error: error.to_string(),
error_description: description.to_string(), error_description: description.to_string(),
@@ -346,6 +255,16 @@ pub struct TokenQuery {
refresh_token_query: Option<TokenRefreshTokenQuery>, refresh_token_query: Option<TokenRefreshTokenQuery>,
} }
#[derive(Debug, serde::Serialize)]
pub struct TokenResponse {
access_token: String,
token_type: &'static str,
refresh_token: String,
expires_in: u64,
#[serde(skip_serializing_if = "Option::is_none")]
id_token: Option<String>,
}
pub async fn token( pub async fn token(
req: HttpRequest, req: HttpRequest,
query: web::Form<TokenQuery>, query: web::Form<TokenQuery>,
@@ -359,10 +278,12 @@ pub async fn token(
let (client_id, client_secret) = let (client_id, client_secret) =
match (&query.client_id, &query.client_secret, authorization_header) { match (&query.client_id, &query.client_secret, authorization_header) {
// post authentication // post authentication
(Some(client_id), client_secret, None) => (client_id.clone(), client_secret.clone()), (Some(client_id), Some(client_secret), None) => {
(client_id.clone(), client_secret.to_string())
}
// Basic authentication // Basic authentication
(_, None, Some(v)) => { (None, None, Some(v)) => {
let token = match v.to_str().unwrap_or_default().strip_prefix("Basic ") { let token = match v.to_str().unwrap_or_default().strip_prefix("Basic ") {
None => { None => {
return Ok(error_response( return Ok(error_response(
@@ -379,7 +300,7 @@ pub async fn token(
let decode = String::from_utf8_lossy(&match BASE64_STANDARD.decode(token) { let decode = String::from_utf8_lossy(&match BASE64_STANDARD.decode(token) {
Ok(d) => d, Ok(d) => d,
Err(e) => { Err(e) => {
log::error!("Failed to decode authorization header: {e:?}"); log::error!("Failed to decode authorization header: {:?}", e);
return Ok(error_response( return Ok(error_response(
&query, &query,
"invalid_request", "invalid_request",
@@ -390,8 +311,8 @@ pub async fn token(
.to_string(); .to_string();
match decode.split_once(':') { match decode.split_once(':') {
None => (ClientID(decode), None), None => (ClientID(decode), "".to_string()),
Some((id, secret)) => (ClientID(id.to_string()), Some(secret.to_string())), Some((id, secret)) => (ClientID(id.to_string()), secret.to_string()),
} }
} }
@@ -399,7 +320,7 @@ pub async fn token(
return Ok(error_response( return Ok(error_response(
&query, &query,
"invalid_request", "invalid_request",
"Client authentication method on token endpoint unsupported!", "Authentication method unknown!",
)); ));
} }
}; };
@@ -408,8 +329,7 @@ pub async fn token(
.find_by_id(&client_id) .find_by_id(&client_id)
.ok_or_else(|| ErrorUnauthorized("Client not found"))?; .ok_or_else(|| ErrorUnauthorized("Client not found"))?;
// Retrieving token requires the client to have a defined secret if !client.secret.eq(&client_secret) {
if client.secret != client_secret {
return Ok(error_response( return Ok(error_response(
&query, &query,
"invalid_request", "invalid_request",
@@ -526,15 +446,14 @@ pub async fn token(
issued_at: time(), issued_at: time(),
auth_time: session.auth_time, auth_time: session.auth_time,
nonce: session.nonce, nonce: session.nonce,
email: user.email.to_string(), email: user.email,
additional_claims: client.claims_id_token(&user),
}; };
OpenIDTokenResponse { TokenResponse {
access_token: session.access_token.expect("Missing access token!"), access_token: session.access_token.expect("Missing access token!"),
token_type: "Bearer".to_string(), token_type: "Bearer",
refresh_token: Some(session.refresh_token), refresh_token: session.refresh_token,
expires_in: Some(session.access_token_expire_at - time()), expires_in: session.access_token_expire_at - time(),
id_token: Some(jwt_signer.sign_token(id_token.to_jwt_claims())?), id_token: Some(jwt_signer.sign_token(id_token.to_jwt_claims())?),
} }
} }
@@ -580,11 +499,11 @@ pub async fn token(
.await .await
.unwrap(); .unwrap();
OpenIDTokenResponse { TokenResponse {
access_token: session.access_token.expect("Missing access token!"), access_token: session.access_token.expect("Missing access token!"),
token_type: "Bearer".to_string(), token_type: "Bearer",
refresh_token: Some(session.refresh_token), refresh_token: session.refresh_token,
expires_in: Some(session.access_token_expire_at - time()), expires_in: session.access_token_expire_at - time(),
id_token: None, id_token: None,
} }
} }
@@ -599,9 +518,8 @@ pub async fn token(
}; };
Ok(HttpResponse::Ok() Ok(HttpResponse::Ok()
.insert_header(("Cache-Control", "no-store")) .append_header(("Cache-Control", "no-store"))
.insert_header(("Pragma", "no-cache")) .append_header(("Pragam", "no-cache"))
.insert_header(("access-control-allow-origin", "*"))
.json(token_response)) .json(token_response))
} }
@@ -636,7 +554,6 @@ pub async fn user_info_post(
query: web::Query<UserInfoQuery>, query: web::Query<UserInfoQuery>,
sessions: web::Data<Addr<OpenIDSessionsActor>>, sessions: web::Data<Addr<OpenIDSessionsActor>>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
clients: web::Data<Arc<ClientManager>>,
) -> impl Responder { ) -> impl Responder {
user_info( user_info(
req, req,
@@ -645,7 +562,6 @@ pub async fn user_info_post(
.or(query.0.access_token), .or(query.0.access_token),
sessions, sessions,
users, users,
clients,
) )
.await .await
} }
@@ -655,18 +571,8 @@ pub async fn user_info_get(
query: web::Query<UserInfoQuery>, query: web::Query<UserInfoQuery>,
sessions: web::Data<Addr<OpenIDSessionsActor>>, sessions: web::Data<Addr<OpenIDSessionsActor>>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
clients: web::Data<Arc<ClientManager>>,
) -> impl Responder { ) -> impl Responder {
user_info(req, query.0.access_token, sessions, users, clients).await user_info(req, query.0.access_token, sessions, users).await
}
#[derive(serde::Serialize)]
pub struct UserInfoWithCustomClaims {
#[serde(flatten)]
info: OpenIDUserInfo,
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(flatten)]
additional_claims: Option<AdditionalClaims>,
} }
/// Authenticate request using RFC6750 <https://datatracker.ietf.org/doc/html/rfc6750>/// /// Authenticate request using RFC6750 <https://datatracker.ietf.org/doc/html/rfc6750>///
@@ -675,7 +581,6 @@ async fn user_info(
token: Option<String>, token: Option<String>,
sessions: web::Data<Addr<OpenIDSessionsActor>>, sessions: web::Data<Addr<OpenIDSessionsActor>>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
clients: web::Data<Arc<ClientManager>>,
) -> impl Responder { ) -> impl Responder {
let token = match token { let token = match token {
Some(t) => t, Some(t) => t,
@@ -719,10 +624,6 @@ async fn user_info(
return user_info_error("invalid_request", "Access token has expired!"); return user_info_error("invalid_request", "Access token has expired!");
} }
let client = clients
.find_by_id(&session.client)
.expect("Could not extract client information!");
let user: Option<User> = users let user: Option<User> = users
.send(users_actor::GetUserRequest(session.user)) .send(users_actor::GetUserRequest(session.user))
.await .await
@@ -735,16 +636,13 @@ async fn user_info(
Some(u) => u, Some(u) => u,
}; };
HttpResponse::Ok().json(UserInfoWithCustomClaims { HttpResponse::Ok().json(OpenIDUserInfo {
info: OpenIDUserInfo { name: user.full_name(),
name: Some(user.full_name()), sub: user.uid.0,
sub: user.uid.0.to_string(), given_name: user.first_name,
given_name: Some(user.first_name.to_string()), family_name: user.last_name,
family_name: Some(user.last_name.to_string()), preferred_username: user.username,
preferred_username: Some(user.username.to_string()), email: user.email,
email: Some(user.email.to_string()), email_verified: true,
email_verified: Some(true),
},
additional_claims: client.claims_user_info(&user),
}) })
} }

382
src/controllers/providers_controller.rs
View File

@@ -1,382 +0,0 @@
use std::sync::Arc;
use crate::actors::bruteforce_actor::BruteForceActor;
use crate::actors::providers_states_actor::{ProviderLoginState, ProvidersStatesActor};
use crate::actors::users_actor::{LoginResult, UsersActor};
use crate::actors::{bruteforce_actor, providers_states_actor, users_actor};
use crate::constants::MAX_FAILED_LOGIN_ATTEMPTS;
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
use crate::controllers::login_controller::BaseLoginPage;
use crate::data::action_logger::{Action, ActionLogger};
use crate::data::login_redirect::LoginRedirect;
use crate::data::provider::{ProviderID, ProvidersManager};
use crate::data::provider_configuration::ProviderConfigurationHelper;
use crate::data::session_identity::{SessionIdentity, SessionStatus};
use actix::Addr;
use actix_identity::Identity;
use actix_remote_ip::RemoteIP;
use actix_web::{HttpRequest, HttpResponse, Responder, web};
use askama::Template;
#[derive(askama::Template)]
#[template(path = "login/prov_login_error.html")]
struct ProviderLoginError<'a> {
p: BaseLoginPage,
message: &'a str,
}
impl<'a> ProviderLoginError<'a> {
pub fn get(message: &'a str, redirect_uri: &'a LoginRedirect) -> HttpResponse {
let body = Self {
p: BaseLoginPage {
page_title: "Upstream login",
redirect_uri: redirect_uri.clone(),
..Default::default()
},
message,
}
.render()
.unwrap();
HttpResponse::Unauthorized()
.content_type("text/html")
.body(body)
}
}
#[derive(serde::Deserialize)]
pub struct StartLoginQuery {
#[serde(default)]
redirect: LoginRedirect,
id: ProviderID,
}
/// Start user authentication using a provider
pub async fn start_login(
remote_ip: RemoteIP,
providers: web::Data<Arc<ProvidersManager>>,
states: web::Data<Addr<ProvidersStatesActor>>,
query: web::Query<StartLoginQuery>,
logger: ActionLogger,
id: Option<Identity>,
) -> impl Responder {
// Check if user is already authenticated
if SessionIdentity(id.as_ref()).is_authenticated() {
return redirect_user(query.redirect.get());
}
// Get provider information
let provider = match providers.find_by_id(&query.id) {
None => {
return HttpResponse::NotFound()
.body(build_fatal_error_page("Login provider not found!"));
}
Some(p) => p,
};
// Generate & save state
let state = ProviderLoginState::new(&provider.id, query.redirect.clone());
states
.send(providers_states_actor::RecordState {
ip: remote_ip.0,
state: state.clone(),
})
.await
.unwrap();
logger.log(Action::StartLoginAttemptWithOpenIDProvider {
provider_id: &provider.id,
state: &state.state_id,
});
// Get provider configuration
let config = match ProviderConfigurationHelper::get_configuration(&provider).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load provider configuration! {e}");
return HttpResponse::InternalServerError().body(build_fatal_error_page(
"Failed to load provider configuration!",
));
}
};
log::debug!("Provider configuration: {config:?}");
let url = config.auth_url(&provider, &state);
log::debug!("Redirect user on {url} for authentication",);
// Redirect user
redirect_user(&url)
}
#[derive(serde::Deserialize)]
pub struct FinishLoginSuccess {
code: String,
state: String,
}
#[derive(serde::Deserialize)]
pub struct FinishLoginError {
error: String,
error_description: Option<String>,
}
#[derive(serde::Deserialize)]
pub struct FinishLoginQuery {
#[serde(flatten)]
success: Option<FinishLoginSuccess>,
#[serde(flatten)]
error: Option<FinishLoginError>,
}
/// Finish user authentication using a provider
#[allow(clippy::too_many_arguments)]
pub async fn finish_login(
remote_ip: RemoteIP,
providers: web::Data<Arc<ProvidersManager>>,
users: web::Data<Addr<UsersActor>>,
states: web::Data<Addr<ProvidersStatesActor>>,
bruteforce: web::Data<Addr<BruteForceActor>>,
query: web::Query<FinishLoginQuery>,
logger: ActionLogger,
id: Option<Identity>,
http_req: HttpRequest,
) -> impl Responder {
// Check if user is already authenticated
if SessionIdentity(id.as_ref()).is_authenticated() {
return redirect_user("/");
}
let query = match query.0.success {
Some(q) => q,
None => {
let error_message = query
.0
.error
.map(|e| e.error_description.unwrap_or(e.error))
.unwrap_or("Authentication failed (unspecified error)!".to_string());
logger.log(Action::ProviderError {
message: error_message.as_str(),
});
return ProviderLoginError::get(&error_message, &LoginRedirect::default());
}
};
// Get & consume state
let state = states
.send(providers_states_actor::ConsumeState {
ip: remote_ip.0,
state_id: query.state.clone(),
})
.await
.unwrap();
let state = match state {
Some(s) => s,
None => {
logger.log(Action::ProviderCBInvalidState {
state: query.state.as_str(),
});
log::warn!("User returned invalid state!");
return ProviderLoginError::get("Invalid state!", &LoginRedirect::default());
}
};
// We perform rate limiting before attempting to use authorization code
let failed_attempts = bruteforce
.send(bruteforce_actor::CountFailedAttempt {
ip: remote_ip.into(),
})
.await
.unwrap();
if failed_attempts > MAX_FAILED_LOGIN_ATTEMPTS {
logger.log(Action::ProviderRateLimited);
return HttpResponse::TooManyRequests().body(build_fatal_error_page(
"Too many failed login attempts, please try again later!",
));
}
// Retrieve provider information & configuration
let provider = providers
.find_by_id(&state.provider_id)
.expect("Unable to retrieve provider information!");
let provider_config = match ProviderConfigurationHelper::get_configuration(&provider).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load provider configuration! {e}");
return HttpResponse::InternalServerError().body(build_fatal_error_page(
"Failed to load provider configuration!",
));
}
};
// Get access token & user information
let token = provider_config.get_token(&provider, &query.code).await;
let token = match token {
Ok(t) => t,
Err(e) => {
log::error!("Failed to retrieve login token! {e:?}");
bruteforce
.send(bruteforce_actor::RecordFailedAttempt {
ip: remote_ip.into(),
})
.await
.unwrap();
logger.log(Action::ProviderFailedGetToken {
state: &state,
code: query.code.as_str(),
});
return ProviderLoginError::get(
"Failed to retrieve login token from identity provider!",
&state.redirect,
);
}
};
// Use access token to get user information
let user_info = match provider_config.get_userinfo(&token).await {
Ok(info) => info,
Err(e) => {
log::error!("Failed to retrieve user information! {e:?}");
logger.log(Action::ProviderFailedGetUserInfo {
provider: &provider,
});
return ProviderLoginError::get(
"Failed to retrieve user information from identity provider!",
&state.redirect,
);
}
};
// Check if user email is validated
if user_info.email_verified == Some(false) {
logger.log(Action::ProviderEmailNotValidated {
provider: &provider,
});
return ProviderLoginError::get(
&format!(
"{} indicated that your email address has not been validated!",
provider.name
),
&state.redirect,
);
}
// Check if email was provided by the userinfo endpoint
let email = match &user_info.email {
Some(e) => e,
None => {
logger.log(Action::ProviderMissingEmailInResponse {
provider: &provider,
});
return ProviderLoginError::get(
&format!(
"{} did not provide your email address in its reply, so we could not identify you!",
provider.name
),
&state.redirect,
);
}
};
// Get user from local database
let result: LoginResult = users
.send(users_actor::ProviderLoginRequest {
email: email.clone(),
user_info: user_info.clone(),
provider: provider.clone(),
})
.await
.unwrap();
let user = match result {
LoginResult::Success(u) => u,
LoginResult::AccountAutoCreated(u) => {
logger.log(Action::ProviderAccountAutoCreated {
provider: &provider,
user: u.loggable(),
});
u
}
LoginResult::AccountNotFound => {
logger.log(Action::ProviderAccountNotFound {
provider: &provider,
email: email.as_str(),
});
return ProviderLoginError::get(
&format!("The email address {email} was not found in the database!"),
&state.redirect,
);
}
LoginResult::AccountDisabled => {
logger.log(Action::ProviderAccountDisabled {
provider: &provider,
email: email.as_str(),
});
return ProviderLoginError::get(
&format!("The account associated with the email address {email} is disabled!"),
&state.redirect,
);
}
LoginResult::AuthFromProviderForbidden => {
logger.log(Action::ProviderAccountNotAllowedToLoginWithProvider {
provider: &provider,
email: email.as_str(),
});
return ProviderLoginError::get(
&format!(
"The account associated with the email address {email} is not allowed to sign in using this provider!"
),
&state.redirect,
);
}
c => {
log::error!(
"Login from provider {} failed with error {:?}",
provider.id.0,
c
);
logger.log(Action::ProviderLoginFailed {
provider: &provider,
email: email.as_str(),
});
return ProviderLoginError::get("Failed to complete login!", &state.redirect);
}
};
logger.log(Action::ProviderLoginSuccessful {
provider: &provider,
user: user.loggable(),
});
let status = if user.has_two_factor() && !user.can_bypass_two_factors_for_ip(remote_ip.0) {
logger.log(Action::UserNeed2FAOnLogin {
user: user.loggable(),
});
SessionStatus::Need2FA
} else {
logger.log(Action::UserSuccessfullyAuthenticated {
user: user.loggable(),
});
SessionStatus::SignedIn
};
SessionIdentity(id.as_ref()).set_user(&http_req, &user, status);
redirect_user(&format!("/login?redirect={}", state.redirect.get_encoded()))
}

39
src/controllers/settings_controller.rs
View File

@@ -1,6 +1,5 @@
use actix::Addr; use actix::Addr;
use actix_remote_ip::RemoteIP; use actix_web::{web, HttpResponse, Responder};
use actix_web::{HttpResponse, Responder, web};
use askama::Template; use askama::Template;
use crate::actors::bruteforce_actor::BruteForceActor; use crate::actors::bruteforce_actor::BruteForceActor;
@@ -10,35 +9,35 @@ use crate::constants::{APP_NAME, MAX_FAILED_LOGIN_ATTEMPTS, MIN_PASS_LEN};
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::remote_ip::RemoteIP;
use crate::data::user::User; use crate::data::user::User;
pub(crate) struct BaseSettingsPage<'a> { pub(crate) struct BaseSettingsPage {
pub danger_message: Option<String>, pub danger_message: Option<String>,
pub success_message: Option<String>, pub success_message: Option<String>,
pub page_title: &'static str, pub page_title: &'static str,
pub app_name: &'static str, pub app_name: &'static str,
pub local_login_enabled: bool, pub is_admin: bool,
pub user: &'a User, pub user_name: String,
pub version: &'static str, pub version: &'static str,
pub ip_location_api: Option<&'static str>, pub ip_location_api: Option<&'static str>,
} }
impl<'a> BaseSettingsPage<'a> { impl BaseSettingsPage {
pub fn get( pub fn get(
page_title: &'static str, page_title: &'static str,
user: &'a User, user: &User,
danger_message: Option<String>, danger_message: Option<String>,
success_message: Option<String>, success_message: Option<String>,
) -> BaseSettingsPage<'a> { ) -> BaseSettingsPage {
Self { Self {
danger_message, danger_message,
success_message, success_message,
page_title, page_title,
app_name: APP_NAME, app_name: APP_NAME,
user, is_admin: user.admin,
user_name: user.username.to_string(),
version: env!("CARGO_PKG_VERSION"), version: env!("CARGO_PKG_VERSION"),
local_login_enabled: !AppConfig::get().disable_local_login,
ip_location_api: AppConfig::get().ip_location_service.as_deref(), ip_location_api: AppConfig::get().ip_location_service.as_deref(),
} }
} }
@@ -46,25 +45,25 @@ impl<'a> BaseSettingsPage<'a> {
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/account_details.html")] #[template(path = "settings/account_details.html")]
struct AccountDetailsPage<'a> { struct AccountDetailsPage {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
remote_ip: String, u: User,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/change_password.html")] #[template(path = "settings/change_password.html")]
struct ChangePasswordPage<'a> { struct ChangePasswordPage {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
min_pwd_len: usize, min_pwd_len: usize,
} }
/// Account details page /// Account details page
pub async fn account_settings_details_route(user: CurrentUser, ip: RemoteIP) -> impl Responder { pub async fn account_settings_details_route(user: CurrentUser) -> impl Responder {
let user = user.into(); let user = user.into();
HttpResponse::Ok().body( HttpResponse::Ok().body(
AccountDetailsPage { AccountDetailsPage {
p: BaseSettingsPage::get("Account details", &user, None, None), _p: BaseSettingsPage::get("Account details", &user, None, None),
remote_ip: ip.0.to_string(), u: user,
} }
.render() .render()
.unwrap(), .unwrap(),
@@ -147,7 +146,7 @@ pub async fn change_password_route(
HttpResponse::Ok().body( HttpResponse::Ok().body(
ChangePasswordPage { ChangePasswordPage {
p: BaseSettingsPage::get("Change password", &user, danger, success), _p: BaseSettingsPage::get("Change password", &user, danger, success),
min_pwd_len: MIN_PASS_LEN, min_pwd_len: MIN_PASS_LEN,
} }
.render() .render()

27
src/controllers/two_factor_api.rs
View File

@@ -1,12 +1,12 @@
use actix::Addr; use actix::Addr;
use actix_web::{HttpResponse, Responder, web}; use actix_web::{web, HttpResponse, Responder};
use uuid::Uuid;
use webauthn_rs::prelude::RegisterPublicKeyCredential; use webauthn_rs::prelude::RegisterPublicKeyCredential;
use crate::actors::users_actor; use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor; use crate::actors::users_actor::UsersActor;
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN; use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
use crate::data::action_logger::{Action, ActionLogger}; use crate::data::action_logger::{Action, ActionLogger};
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::totp_key::TotpKey; use crate::data::totp_key::TotpKey;
use crate::data::user::{FactorID, TwoFactor, TwoFactorType}; use crate::data::user::{FactorID, TwoFactor, TwoFactorType};
@@ -29,7 +29,6 @@ pub struct AddTOTPRequest {
} }
pub async fn save_totp_factor( pub async fn save_totp_factor(
_critical: CriticalRoute,
user: CurrentUser, user: CurrentUser,
form: web::Json<AddTOTPRequest>, form: web::Json<AddTOTPRequest>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
@@ -39,10 +38,9 @@ pub async fn save_totp_factor(
if !key.check_code(&form.first_code).unwrap_or(false) { if !key.check_code(&form.first_code).unwrap_or(false) {
return HttpResponse::BadRequest().body(format!( return HttpResponse::BadRequest().body(format!(
"Given code is invalid (expected {}, {} or {})!", "Given code is invalid (expected {} or {})!",
key.previous_code().unwrap_or_default(),
key.current_code().unwrap_or_default(), key.current_code().unwrap_or_default(),
key.following_code().unwrap_or_default(), key.previous_code().unwrap_or_default()
)); ));
} }
@@ -52,13 +50,11 @@ pub async fn save_totp_factor(
} }
let factor = TwoFactor { let factor = TwoFactor {
id: FactorID::random(), id: FactorID(Uuid::new_v4().to_string()),
name: factor_name, name: factor_name,
kind: TwoFactorType::TOTP(key), kind: TwoFactorType::TOTP(key),
}; };
logger.log(Action::AddNewFactor { logger.log(Action::AddNewFactor(&factor));
factor: factor.loggable(),
});
let res = users let res = users
.send(users_actor::Add2FAFactor(user.uid.clone(), factor)) .send(users_actor::Add2FAFactor(user.uid.clone(), factor))
@@ -80,7 +76,6 @@ pub struct AddWebauthnRequest {
} }
pub async fn save_webauthn_factor( pub async fn save_webauthn_factor(
_critical: CriticalRoute,
user: CurrentUser, user: CurrentUser,
form: web::Json<AddWebauthnRequest>, form: web::Json<AddWebauthnRequest>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
@@ -95,19 +90,17 @@ pub async fn save_webauthn_factor(
let key = match manager.finish_registration(&user, &form.0.opaque_state, form.0.credential) { let key = match manager.finish_registration(&user, &form.0.opaque_state, form.0.credential) {
Ok(k) => k, Ok(k) => k,
Err(e) => { Err(e) => {
log::error!("Failed to register security key! {e:?}"); log::error!("Failed to register security key! {:?}", e);
return HttpResponse::InternalServerError().body("Failed to register key!"); return HttpResponse::InternalServerError().body("Failed to register key!");
} }
}; };
let factor = TwoFactor { let factor = TwoFactor {
id: FactorID::random(), id: FactorID(Uuid::new_v4().to_string()),
name: factor_name, name: factor_name,
kind: TwoFactorType::WEBAUTHN(Box::new(key)), kind: TwoFactorType::WEBAUTHN(Box::new(key)),
}; };
logger.log(Action::AddNewFactor { logger.log(Action::AddNewFactor(&factor));
factor: factor.loggable(),
});
let res = users let res = users
.send(users_actor::Add2FAFactor(user.uid.clone(), factor)) .send(users_actor::Add2FAFactor(user.uid.clone(), factor))
@@ -127,7 +120,6 @@ pub struct DeleteFactorRequest {
} }
pub async fn delete_factor( pub async fn delete_factor(
_critical: CriticalRoute,
user: CurrentUser, user: CurrentUser,
form: web::Json<DeleteFactorRequest>, form: web::Json<DeleteFactorRequest>,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
@@ -152,7 +144,6 @@ pub async fn delete_factor(
} }
pub async fn clear_login_history( pub async fn clear_login_history(
_critical: CriticalRoute,
user: CurrentUser, user: CurrentUser,
users: web::Data<Addr<UsersActor>>, users: web::Data<Addr<UsersActor>>,
logger: ActionLogger, logger: ActionLogger,

33
src/controllers/two_factors_controller.rs
View File

@@ -2,32 +2,29 @@ use std::ops::Deref;
use actix_web::{HttpResponse, Responder}; use actix_web::{HttpResponse, Responder};
use askama::Template; use askama::Template;
use base64::Engine as _;
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD; use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _;
use qrcode_generator::QrCodeEcc; use qrcode_generator::QrCodeEcc;
use crate::constants::MAX_SECOND_FACTOR_NAME_LEN; use crate::constants::MAX_SECOND_FACTOR_NAME_LEN;
use crate::controllers::settings_controller::BaseSettingsPage; use crate::controllers::settings_controller::BaseSettingsPage;
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::critical_route::CriticalRoute;
use crate::data::current_user::CurrentUser; use crate::data::current_user::CurrentUser;
use crate::data::totp_key::TotpKey; use crate::data::totp_key::TotpKey;
use crate::data::user::User; use crate::data::user::User;
use crate::data::webauthn_manager::WebAuthManagerReq; use crate::data::webauthn_manager::WebAuthManagerReq;
use crate::utils::time::fmt_time;
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/two_factors_page.html")] #[template(path = "settings/two_factors_page.html")]
struct TwoFactorsPage<'a> { struct TwoFactorsPage<'a> {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
user: &'a User, user: &'a User,
last_2fa_auth: Option<String>,
} }
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/add_2fa_totp_page.html")] #[template(path = "settings/add_2fa_totp_page.html")]
struct AddTotpPage<'a> { struct AddTotpPage {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
qr_code: String, qr_code: String,
account_name: String, account_name: String,
secret_key: String, secret_key: String,
@@ -36,20 +33,19 @@ struct AddTotpPage<'a> {
#[derive(Template)] #[derive(Template)]
#[template(path = "settings/add_webauthn_page.html")] #[template(path = "settings/add_webauthn_page.html")]
struct AddWebauhtnPage<'a> { struct AddWebauhtnPage {
p: BaseSettingsPage<'a>, _p: BaseSettingsPage,
opaque_state: String, opaque_state: String,
challenge_json: String, challenge_json: String,
max_name_len: usize, max_name_len: usize,
} }
/// Manage two factors authentication methods route /// Manage two factors authentication methods route
pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder { pub async fn two_factors_route(user: CurrentUser) -> impl Responder {
HttpResponse::Ok().body( HttpResponse::Ok().body(
TwoFactorsPage { TwoFactorsPage {
p: BaseSettingsPage::get("Two factor auth", &user, None, None), _p: BaseSettingsPage::get("Two factor auth", &user, None, None),
user: user.deref(), user: user.deref(),
last_2fa_auth: user.last_2fa_auth.map(fmt_time),
} }
.render() .render()
.unwrap(), .unwrap(),
@@ -57,7 +53,7 @@ pub async fn two_factors_route(_critical: CriticalRoute, user: CurrentUser) -> i
} }
/// Configure a new TOTP authentication factor /// Configure a new TOTP authentication factor
pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser) -> impl Responder { pub async fn add_totp_factor_route(user: CurrentUser) -> impl Responder {
let key = TotpKey::new_random(); let key = TotpKey::new_random();
let qr_code = qrcode_generator::to_png_to_vec( let qr_code = qrcode_generator::to_png_to_vec(
@@ -68,14 +64,14 @@ pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser)
let qr_code = match qr_code { let qr_code = match qr_code {
Ok(q) => q, Ok(q) => q,
Err(e) => { Err(e) => {
log::error!("Failed to generate QrCode! {e:?}"); log::error!("Failed to generate QrCode! {:?}", e);
return HttpResponse::InternalServerError().body("Failed to generate QrCode!"); return HttpResponse::InternalServerError().body("Failed to generate QrCode!");
} }
}; };
HttpResponse::Ok().body( HttpResponse::Ok().body(
AddTotpPage { AddTotpPage {
p: BaseSettingsPage::get("New authenticator app", &user, None, None), _p: BaseSettingsPage::get("New authenticator app", &user, None, None),
qr_code: BASE64_STANDARD.encode(qr_code), qr_code: BASE64_STANDARD.encode(qr_code),
account_name: key.account_name(&user, AppConfig::get()), account_name: key.account_name(&user, AppConfig::get()),
secret_key: key.get_secret(), secret_key: key.get_secret(),
@@ -88,14 +84,13 @@ pub async fn add_totp_factor_route(_critical: CriticalRoute, user: CurrentUser)
/// Configure a new security key factor /// Configure a new security key factor
pub async fn add_webauthn_factor_route( pub async fn add_webauthn_factor_route(
_critical: CriticalRoute,
user: CurrentUser, user: CurrentUser,
manager: WebAuthManagerReq, manager: WebAuthManagerReq,
) -> impl Responder { ) -> impl Responder {
let registration_request = match manager.start_register(&user) { let registration_request = match manager.start_register(&user) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to request new key! {e:?}"); log::error!("Failed to request new key! {:?}", e);
return HttpResponse::InternalServerError() return HttpResponse::InternalServerError()
.body("Failed to generate request for registration!"); .body("Failed to generate request for registration!");
} }
@@ -104,14 +99,14 @@ pub async fn add_webauthn_factor_route(
let challenge_json = match serde_json::to_string(&registration_request.creation_challenge) { let challenge_json = match serde_json::to_string(&registration_request.creation_challenge) {
Ok(r) => r, Ok(r) => r,
Err(e) => { Err(e) => {
log::error!("Failed to serialize challenge! {e:?}"); log::error!("Failed to serialize challenge! {:?}", e);
return HttpResponse::InternalServerError().body("Failed to serialize challenge!"); return HttpResponse::InternalServerError().body("Failed to serialize challenge!");
} }
}; };
HttpResponse::Ok().body( HttpResponse::Ok().body(
AddWebauhtnPage { AddWebauhtnPage {
p: BaseSettingsPage::get("New security key", &user, None, None), _p: BaseSettingsPage::get("New security key", &user, None, None),
opaque_state: registration_request.opaque_state, opaque_state: registration_request.opaque_state,
challenge_json: urlencoding::encode(&challenge_json).to_string(), challenge_json: urlencoding::encode(&challenge_json).to_string(),

361
src/data/action_logger.rs
View File

@@ -4,247 +4,74 @@ use std::pin::Pin;
use actix::Addr; use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_remote_ip::RemoteIP;
use actix_web::dev::Payload; use actix_web::dev::Payload;
use actix_web::{Error, FromRequest, HttpRequest, web}; use actix_web::{web, Error, FromRequest, HttpRequest};
use crate::actors::providers_states_actor::ProviderLoginState;
use crate::actors::users_actor; use crate::actors::users_actor;
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor}; use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersActor};
use crate::data::app_config::{ActionLoggerFormat, AppConfig}; use crate::data::client::Client;
use crate::data::client::ClientID; use crate::data::remote_ip::RemoteIP;
use crate::data::provider::{Provider, ProviderID};
use crate::data::session_identity::SessionIdentity; use crate::data::session_identity::SessionIdentity;
use crate::data::user::{FactorID, GrantedClients, TwoFactor, TwoFactorType, User, UserID}; use crate::data::user::{FactorID, GrantedClients, TwoFactor, User, UserID};
use crate::utils::time::time;
#[derive(serde::Serialize)]
pub struct LoggableUser {
pub uid: UserID,
pub username: String,
pub email: String,
pub admin: bool,
}
impl LoggableUser {
pub fn quick_identity(&self) -> String {
format!(
"{} {} {} ({:?})",
match self.admin {
true => "admin",
false => "user",
},
self.username,
self.email,
self.uid
)
}
}
impl User {
pub fn loggable(&self) -> LoggableUser {
LoggableUser {
uid: self.uid.clone(),
username: self.username.clone(),
email: self.email.clone(),
admin: self.admin,
}
}
}
#[derive(Debug, serde::Serialize)]
pub enum LoggableFactorType {
TOTP,
WEBAUTHN,
}
#[derive(serde::Serialize)]
pub struct LoggableFactor {
pub id: FactorID,
pub name: String,
pub kind: LoggableFactorType,
}
impl LoggableFactor {
pub fn quick_description(&self) -> String {
format!(
"#{} of type {:?} and name '{}'",
self.id.0, self.kind, self.name
)
}
}
impl TwoFactor {
pub fn loggable(&self) -> LoggableFactor {
LoggableFactor {
id: self.id.clone(),
name: self.name.to_string(),
kind: match self.kind {
TwoFactorType::TOTP(_) => LoggableFactorType::TOTP,
TwoFactorType::WEBAUTHN(_) => LoggableFactorType::WEBAUTHN,
},
}
}
}
#[derive(serde::Serialize)]
#[serde(tag = "type")]
pub enum Action<'a> { pub enum Action<'a> {
AdminCreateUser { AdminCreateUser(&'a User),
user: LoggableUser, AdminUpdateUser(&'a User),
}, AdminDeleteUser(&'a User),
AdminUpdateUser { AdminResetUserPassword(&'a User),
user: LoggableUser, AdminRemoveUserFactor(&'a User, &'a TwoFactor),
}, AdminSetAuthorizedAuthenticationSources(&'a User, &'a AuthorizedAuthenticationSources),
AdminDeleteUser { AdminSetNewGrantedClientsList(&'a User, &'a GrantedClients),
user: LoggableUser, AdminClear2FAHistory(&'a User),
}, LoginWebauthnAttempt { success: bool, user_id: UserID },
AdminResetUserPassword { Signout,
user: LoggableUser, UserNeed2FAOnLogin(&'a User),
}, UserSuccessfullyAuthenticated(&'a User),
AdminRemoveUserFactor { UserNeedNewPasswordOnLogin(&'a User),
user: LoggableUser, TryLoginWithDisabledAccount(&'a str),
factor: LoggableFactor, TryLocalLoginFromUnauthorizedAccount(&'a str),
}, FailedLoginWithBadCredentials(&'a str),
AdminSetAuthorizedAuthenticationSources { UserChangedPasswordOnLogin(&'a UserID),
user: LoggableUser, OTPLoginAttempt { user: &'a User, success: bool },
sources: &'a AuthorizedAuthenticationSources, NewOpenIDSession { client: &'a Client },
},
AdminSetNewGrantedClientsList {
user: LoggableUser,
clients: &'a GrantedClients,
},
AdminClear2FAHistory {
user: LoggableUser,
},
LoginWebauthnAttempt {
success: bool,
user_id: UserID,
},
StartLoginAttemptWithOpenIDProvider {
provider_id: &'a ProviderID,
state: &'a str,
},
ProviderError {
message: &'a str,
},
ProviderCBInvalidState {
state: &'a str,
},
ProviderRateLimited,
ProviderFailedGetToken {
state: &'a ProviderLoginState,
code: &'a str,
},
ProviderFailedGetUserInfo {
provider: &'a Provider,
},
ProviderEmailNotValidated {
provider: &'a Provider,
},
ProviderMissingEmailInResponse {
provider: &'a Provider,
},
ProviderAccountNotFound {
provider: &'a Provider,
email: &'a str,
},
ProviderAccountAutoCreated {
provider: &'a Provider,
user: LoggableUser,
},
ProviderAccountDisabled {
provider: &'a Provider,
email: &'a str,
},
ProviderAccountNotAllowedToLoginWithProvider {
provider: &'a Provider,
email: &'a str,
},
ProviderLoginFailed {
provider: &'a Provider,
email: &'a str,
},
ProviderLoginSuccessful {
provider: &'a Provider,
user: LoggableUser,
},
SignOut,
UserNeed2FAOnLogin {
user: LoggableUser,
},
UserSuccessfullyAuthenticated {
user: LoggableUser,
},
UserNeedNewPasswordOnLogin {
user: LoggableUser,
},
TryLoginWithDisabledAccount {
login: &'a str,
},
TryLocalLoginFromUnauthorizedAccount {
login: &'a str,
},
FailedLoginWithBadCredentials {
login: &'a str,
},
UserChangedPasswordOnLogin {
user_id: &'a UserID,
},
OTPLoginAttempt {
user: LoggableUser,
success: bool,
},
NewOpenIDSession {
client: &'a ClientID,
},
NewOpenIDSuccessfulImplicitAuth {
client: &'a ClientID,
},
ChangedHisPassword, ChangedHisPassword,
ClearedHisLoginHistory, ClearedHisLoginHistory,
AddNewFactor { AddNewFactor(&'a TwoFactor),
factor: LoggableFactor, Removed2FAFactor { factor_id: &'a FactorID },
},
Removed2FAFactor {
factor_id: &'a FactorID,
},
} }
impl Action<'_> { impl<'a> Action<'a> {
pub fn as_string(&self) -> String { pub fn as_string(&self) -> String {
match self { match self {
Action::AdminDeleteUser { user } => { Action::AdminDeleteUser(user) => {
format!("deleted account of {}", user.quick_identity()) format!("deleted account of {}", user.quick_identity())
} }
Action::AdminCreateUser { user } => { Action::AdminCreateUser(user) => {
format!("created account of {}", user.quick_identity()) format!("created account of {}", user.quick_identity())
} }
Action::AdminUpdateUser { user } => { Action::AdminUpdateUser(user) => {
format!("updated account of {}", user.quick_identity()) format!("updated account of {}", user.quick_identity())
} }
Action::AdminResetUserPassword { user } => { Action::AdminResetUserPassword(user) => {
format!( format!(
"set a temporary password for the account of {}", "set a temporary password for the account of {}",
user.quick_identity() user.quick_identity()
) )
} }
Action::AdminRemoveUserFactor { user, factor } => format!( Action::AdminRemoveUserFactor(user, factor) => format!(
"removed 2 factor ({}) of user ({})", "removed 2 factor ({}) of user ({})",
factor.quick_description(), factor.quick_description(),
user.quick_identity() user.quick_identity()
), ),
Action::AdminClear2FAHistory { user } => { Action::AdminClear2FAHistory(user) => {
format!("cleared 2FA history of {}", user.quick_identity()) format!("cleared 2FA history of {}", user.quick_identity())
} }
Action::AdminSetAuthorizedAuthenticationSources { user, sources } => format!( Action::AdminSetAuthorizedAuthenticationSources(user, sources) => format!(
"update authorized authentication sources ({:?}) for user ({})", "update authorized authentication sources ({:?}) for user ({})",
sources, sources,
user.quick_identity() user.quick_identity()
), ),
Action::AdminSetNewGrantedClientsList { user, clients } => format!( Action::AdminSetNewGrantedClientsList(user, clients) => format!(
"set new granted clients list ({:?}) for user ({})", "set new granted clients list ({:?}) for user ({})",
clients, clients,
user.quick_identity() user.quick_identity()
@@ -253,87 +80,30 @@ impl Action<'_> {
true => format!("successfully performed webauthn attempt for user {user_id:?}"), true => format!("successfully performed webauthn attempt for user {user_id:?}"),
false => format!("performed FAILED webauthn attempt for user {user_id:?}"), false => format!("performed FAILED webauthn attempt for user {user_id:?}"),
}, },
Action::StartLoginAttemptWithOpenIDProvider { provider_id, state } => format!( Action::Signout => "signed out".to_string(),
"started new authentication attempt through an OpenID provider (prov={} / state={state})", Action::UserNeed2FAOnLogin(user) => {
provider_id.0
),
Action::ProviderError { message } => {
format!("failed provider authentication with message '{message}'")
}
Action::ProviderCBInvalidState { state } => {
format!("provided invalid callback state after provider authentication: '{state}'")
}
Action::ProviderRateLimited => {
"could not complete OpenID login because it has reached failed attempts rate limit!"
.to_string()
}
Action::ProviderFailedGetToken { state, code } => format!(
"could not complete login from provider because the id_token could not be retrieved! (state={state:?} code = {code})"
),
Action::ProviderFailedGetUserInfo { provider } => format!(
"could not get user information from userinfo endpoint of provider {}!",
provider.id.0
),
Action::ProviderEmailNotValidated { provider } => format!(
"could not login using provider {} because its email was marked as not validated!",
provider.id.0
),
Action::ProviderMissingEmailInResponse { provider } => format!(
"could not login using provider {} because the email was not provided by userinfo endpoint!",
provider.id.0
),
Action::ProviderAccountNotFound { provider, email } => format!(
"could not login using provider {} because the email {email} could not be associated to any account!",
&provider.id.0
),
Action::ProviderAccountAutoCreated { provider, user } => format!(
"triggered automatic account creation for {} from provider {} because it was not found in local accounts list!",
user.quick_identity(),
&provider.id.0
),
Action::ProviderAccountDisabled { provider, email } => format!(
"could not login using provider {} because the account associated to the email {email} is disabled!",
&provider.id.0
),
Action::ProviderAccountNotAllowedToLoginWithProvider { provider, email } => format!(
"could not login using provider {} because the account associated to the email {email} is not allowed to authenticate using this provider!",
&provider.id.0
),
Action::ProviderLoginFailed { provider, email } => format!(
"could not login using provider {} with the email {email} for an unknown reason!",
&provider.id.0
),
Action::ProviderLoginSuccessful { provider, user } => format!(
"successfully authenticated using provider {} as {}",
provider.id.0,
user.quick_identity()
),
Action::SignOut => "signed out".to_string(),
Action::UserNeed2FAOnLogin { user } => {
format!( format!(
"successfully authenticated as user {:?} but need to do 2FA authentication", "successfully authenticated as user {:?} but need to do 2FA authentication",
user.quick_identity() user.quick_identity()
) )
} }
Action::UserSuccessfullyAuthenticated { user } => { Action::UserSuccessfullyAuthenticated(user) => {
format!("successfully authenticated as {}", user.quick_identity()) format!("successfully authenticated as {}", user.quick_identity())
} }
Action::UserNeedNewPasswordOnLogin { user } => format!( Action::UserNeedNewPasswordOnLogin(user) => format!(
"successfully authenticated as {}, but need to set a new password", "successfully authenticated as {}, but need to set a new password",
user.quick_identity() user.quick_identity()
), ),
Action::TryLoginWithDisabledAccount { login } => { Action::TryLoginWithDisabledAccount(login) => {
format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT") format!("successfully authenticated as {login}, but this is a DISABLED ACCOUNT")
} }
Action::TryLocalLoginFromUnauthorizedAccount { login } => { Action::TryLocalLoginFromUnauthorizedAccount(login) => {
format!( format!("successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!")
"successfully locally authenticated as {login}, but this is a FORBIDDEN for this account!"
)
} }
Action::FailedLoginWithBadCredentials { login } => { Action::FailedLoginWithBadCredentials(login) => {
format!("attempted to authenticate as {login} but with a WRONG PASSWORD") format!("attempted to authenticate as {login} but with a WRONG PASSWORD")
} }
Action::UserChangedPasswordOnLogin { user_id } => { Action::UserChangedPasswordOnLogin(user_id) => {
format!("set a new password at login as user {user_id:?}") format!("set a new password at login as user {user_id:?}")
} }
Action::OTPLoginAttempt { user, success } => match success { Action::OTPLoginAttempt { user, success } => match success {
@@ -347,15 +117,11 @@ impl Action<'_> {
), ),
}, },
Action::NewOpenIDSession { client } => { Action::NewOpenIDSession { client } => {
format!("opened a new OpenID session with {:?}", client) format!("opened a new OpenID session with {:?}", client.id)
} }
Action::NewOpenIDSuccessfulImplicitAuth { client } => format!(
"finished an implicit flow connection for client {:?}",
client
),
Action::ChangedHisPassword => "changed his password".to_string(), Action::ChangedHisPassword => "changed his password".to_string(),
Action::ClearedHisLoginHistory => "cleared his login history".to_string(), Action::ClearedHisLoginHistory => "cleared his login history".to_string(),
Action::AddNewFactor { factor } => format!( Action::AddNewFactor(factor) => format!(
"added a new factor to his account : {}", "added a new factor to his account : {}",
factor.quick_description(), factor.quick_description(),
), ),
@@ -364,15 +130,6 @@ impl Action<'_> {
} }
} }
#[derive(serde::Serialize)]
struct JsonActionData<'a> {
time: u64,
ip: IpAddr,
user: Option<LoggableUser>,
#[serde(flatten)]
action: Action<'a>,
}
pub struct ActionLogger { pub struct ActionLogger {
ip: IpAddr, ip: IpAddr,
user: Option<User>, user: Option<User>,
@@ -380,27 +137,15 @@ pub struct ActionLogger {
impl ActionLogger { impl ActionLogger {
pub fn log(&self, action: Action) { pub fn log(&self, action: Action) {
match AppConfig::get().action_logger_format { log::info!(
ActionLoggerFormat::Text => log::info!( "{} from {} has {}",
"{} from {} has {}", match &self.user {
match &self.user { None => "Anonymous user".to_string(),
None => "Anonymous user".to_string(), Some(u) => u.quick_identity(),
Some(u) => u.loggable().quick_identity(),
},
self.ip,
action.as_string()
),
ActionLoggerFormat::Json => match serde_json::to_string(&JsonActionData {
time: time(),
ip: self.ip,
user: self.user.as_ref().map(User::loggable),
action,
}) {
Ok(j) => println!("{j}"),
Err(e) => log::error!("Failed to serialize event to JSON! {e}"),
}, },
ActionLoggerFormat::None => {} self.ip.to_string(),
} action.as_string()
)
} }
} }

58
src/data/app_config.rs
View File

@@ -2,18 +2,7 @@ use std::path::{Path, PathBuf};
use clap::Parser; use clap::Parser;
use crate::constants::{ use crate::constants::{APP_NAME, CLIENTS_LIST_FILE, PROVIDERS_LIST_FILE, USERS_LIST_FILE};
APP_NAME, CLIENTS_LIST_FILE, OIDC_PROVIDER_CB_URI, PROVIDERS_LIST_FILE, USERS_LIST_FILE,
};
/// Action logger format
#[derive(Copy, Clone, Eq, PartialEq, Debug, clap::ValueEnum, Default)]
pub enum ActionLoggerFormat {
#[default]
Text,
Json,
None,
}
/// Basic OIDC provider /// Basic OIDC provider
#[derive(Parser, Debug, Clone)] #[derive(Parser, Debug, Clone)]
@@ -27,14 +16,6 @@ pub struct AppConfig {
#[clap(short, long, env)] #[clap(short, long, env)]
pub storage_path: String, pub storage_path: String,
/// Overwrite clients list file path, if the file is not to be found in storage path
#[clap(long, env)]
pub clients_list_file_path: Option<String>,
/// Overwrite providers list file path, if the file is not to be found in storage path
#[clap(long, env)]
pub providers_list_file_path: Option<String>,
/// App token token /// App token token
#[clap(short, long, env, default_value = "")] #[clap(short, long, env, default_value = "")]
pub token_key: String, pub token_key: String,
@@ -49,24 +30,11 @@ pub struct AppConfig {
/// IP location service API /// IP location service API
/// ///
/// Operating instance of IP location service : https://gitlab.com/pierre42100/iplocationserver /// Up instance of IP location service : https://gitlab.com/pierre42100/iplocationserver
/// ///
/// Example: "https://api.geoip.rs" /// Example: "https://api.geoip.rs"
#[arg(long, short, env)] #[arg(long, short, env)]
pub ip_location_service: Option<String>, pub ip_location_service: Option<String>,
/// Action logger output format
#[arg(long, env, default_value_t, value_enum)]
pub action_logger_format: ActionLoggerFormat,
/// Login background image
#[arg(long, env, default_value = "/assets/img/forest.jpg")]
pub login_background_image: String,
/// Disable local login. If this option is set without any upstream providers set, it will be impossible
/// to authenticate
#[arg(long, env)]
pub disable_local_login: bool,
} }
lazy_static::lazy_static! { lazy_static::lazy_static! {
@@ -101,17 +69,11 @@ impl AppConfig {
} }
pub fn clients_file(&self) -> PathBuf { pub fn clients_file(&self) -> PathBuf {
match &self.clients_list_file_path { self.storage_path().join(CLIENTS_LIST_FILE)
None => self.storage_path().join(CLIENTS_LIST_FILE),
Some(p) => Path::new(p).to_path_buf(),
}
} }
pub fn providers_file(&self) -> PathBuf { pub fn providers_file(&self) -> PathBuf {
match &self.providers_list_file_path { self.storage_path().join(PROVIDERS_LIST_FILE)
None => self.storage_path().join(PROVIDERS_LIST_FILE),
Some(p) => Path::new(p).to_path_buf(),
}
} }
pub fn full_url(&self, uri: &str) -> String { pub fn full_url(&self, uri: &str) -> String {
@@ -122,21 +84,9 @@ impl AppConfig {
} }
} }
/// Get the URL where a upstream OpenID provider should redirect
/// the user after an authentication
pub fn oidc_provider_redirect_url(&self) -> String {
AppConfig::get().full_url(OIDC_PROVIDER_CB_URI)
}
pub fn domain_name(&self) -> &str { pub fn domain_name(&self) -> &str {
self.website_origin.split('/').nth(2).unwrap_or(APP_NAME) self.website_origin.split('/').nth(2).unwrap_or(APP_NAME)
} }
/// Get the domain without the port
pub fn domain_name_without_port(&self) -> &str {
let domain = self.domain_name();
domain.split_once(':').map(|i| i.0).unwrap_or(domain)
}
} }
#[cfg(test)] #[cfg(test)]

91
src/data/client.rs
View File

@@ -1,14 +1,9 @@
use crate::data::entity_manager::EntityManager; use crate::data::entity_manager::EntityManager;
use crate::data::user::User;
use crate::utils::string_utils::apply_env_vars; use crate::utils::string_utils::apply_env_vars;
use serde_json::Value;
use std::collections::HashMap;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
pub struct ClientID(pub String); pub struct ClientID(pub String);
pub type AdditionalClaims = HashMap<String, Value>;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
pub struct Client { pub struct Client {
/// The ID of the client /// The ID of the client
@@ -21,8 +16,7 @@ pub struct Client {
pub description: String, pub description: String,
/// The secret used by the client to retrieve authenticated users information /// The secret used by the client to retrieve authenticated users information
/// This value is absent if implicit authentication flow is used pub secret: String,
pub secret: Option<String>,
/// The URI where the users should be redirected once authenticated /// The URI where the users should be redirected once authenticated
pub redirect_uri: String, pub redirect_uri: String,
@@ -34,16 +28,6 @@ pub struct Client {
/// Specify whether a client is granted to all users /// Specify whether a client is granted to all users
#[serde(default = "bool::default")] #[serde(default = "bool::default")]
pub granted_to_all_users: bool, pub granted_to_all_users: bool,
/// Specify whether recent Second Factor Authentication is required to access this client
#[serde(default = "bool::default")]
pub enforce_2fa_auth: bool,
/// Additional claims to return with the id token
claims_id_token: Option<AdditionalClaims>,
/// Additional claims to return through the user info endpoint
claims_user_info: Option<AdditionalClaims>,
} }
impl PartialEq for Client { impl PartialEq for Client {
@@ -54,78 +38,9 @@ impl PartialEq for Client {
impl Eq for Client {} impl Eq for Client {}
impl Client {
/// Check if the client has a secret defined
pub fn has_secret(&self) -> bool {
self.secret.is_some()
}
/// Process a single claim value
fn process_claim_string(&self, user: &User, str: &str) -> String {
str.replace("{username}", &user.username)
.replace("{mail}", &user.email)
.replace("{first_name}", &user.first_name)
.replace("{last_name}", &user.last_name)
.replace("{uid}", &user.uid.0)
}
/// Recurse claims processing
fn recurse_claims_processing(&self, user: &User, value: &Value) -> Value {
match value {
Value::String(s) => Value::String(self.process_claim_string(user, s)),
Value::Array(arr) => Value::Array(
arr.iter()
.map(|v| self.recurse_claims_processing(user, v))
.collect(),
),
Value::Object(obj) => obj
.iter()
.map(|(k, v)| {
(
self.process_claim_string(user, k),
self.recurse_claims_processing(user, v),
)
})
.collect(),
v => v.clone(),
}
}
/// Process additional claims, processing placeholders
fn process_additional_claims(
&self,
user: &User,
claims: &Option<AdditionalClaims>,
) -> Option<AdditionalClaims> {
let claims = claims.as_ref()?;
let res = claims
.iter()
.map(|(k, v)| {
(
self.process_claim_string(user, k),
self.recurse_claims_processing(user, v),
)
})
.collect();
Some(res)
}
/// Get additional claims for id_token for a successful authentication
pub fn claims_id_token(&self, user: &User) -> Option<AdditionalClaims> {
self.process_additional_claims(user, &self.claims_id_token)
}
/// Get additional claims for user info for a successful authentication
pub fn claims_user_info(&self, user: &User) -> Option<AdditionalClaims> {
self.process_additional_claims(user, &self.claims_user_info)
}
}
pub type ClientManager = EntityManager<Client>; pub type ClientManager = EntityManager<Client>;
impl ClientManager { impl EntityManager<Client> {
pub fn find_by_id(&self, u: &ClientID) -> Option<Client> { pub fn find_by_id(&self, u: &ClientID) -> Option<Client> {
for entry in self.iter() { for entry in self.iter() {
if entry.id.eq(u) { if entry.id.eq(u) {
@@ -147,7 +62,7 @@ impl ClientManager {
c.id = ClientID(apply_env_vars(&c.id.0)); c.id = ClientID(apply_env_vars(&c.id.0));
c.name = apply_env_vars(&c.name); c.name = apply_env_vars(&c.name);
c.description = apply_env_vars(&c.description); c.description = apply_env_vars(&c.description);
c.secret = c.secret.as_deref().map(apply_env_vars); c.secret = apply_env_vars(&c.secret);
c.redirect_uri = apply_env_vars(&c.redirect_uri); c.redirect_uri = apply_env_vars(&c.redirect_uri);
} }
} }

19
src/data/code_challenge.rs
View File

@@ -1,5 +1,5 @@
use base64::Engine as _;
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD; use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use base64::Engine as _;
use crate::utils::crypt_utils::sha256; use crate::utils::crypt_utils::sha256;
@@ -22,7 +22,7 @@ impl CodeChallenge {
encoded.eq(&self.code_challenge) encoded.eq(&self.code_challenge)
} }
s => { s => {
log::error!("Unknown code challenge method: {s}"); log::error!("Unknown code challenge method: {}", s);
false false
} }
} }
@@ -40,8 +40,8 @@ mod test {
code_challenge: "text1".to_string(), code_challenge: "text1".to_string(),
}; };
assert!(chal.verify_code("text1")); assert_eq!(true, chal.verify_code("text1"));
assert!(!chal.verify_code("text2")); assert_eq!(false, chal.verify_code("text2"));
} }
#[test] #[test]
@@ -51,8 +51,8 @@ mod test {
code_challenge: "uSOvC48D8TMh6RgW-36XppMlMgys-6KAE_wEIev9W2g".to_string(), code_challenge: "uSOvC48D8TMh6RgW-36XppMlMgys-6KAE_wEIev9W2g".to_string(),
}; };
assert!(chal.verify_code("HIwht3lCHfnsruA+7Sq8NP2mPj5cBZe0Ewf23eK9UQhK4TdCIt3SK7Fr/giCdnfjxYQILOPG2D562emggAa2lA==")); assert_eq!(true, chal.verify_code("HIwht3lCHfnsruA+7Sq8NP2mPj5cBZe0Ewf23eK9UQhK4TdCIt3SK7Fr/giCdnfjxYQILOPG2D562emggAa2lA=="));
assert!(!chal.verify_code("text1")); assert_eq!(false, chal.verify_code("text1"));
} }
#[test] #[test]
@@ -62,7 +62,10 @@ mod test {
code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".to_string(), code_challenge: "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM".to_string(),
}; };
assert!(chal.verify_code("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")); assert_eq!(
assert!(!chal.verify_code("text1")); true,
chal.verify_code("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
);
assert_eq!(false, chal.verify_code("text1"));
} }
} }

32
src/data/critical_route.rs
View File

@@ -1,32 +0,0 @@
use crate::data::current_user::CurrentUser;
use crate::data::from_request_redirect::FromRequestRedirect;
use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
use actix_web::dev::Payload;
use actix_web::{FromRequest, HttpRequest};
use std::future::Future;
use std::pin::Pin;
pub struct CriticalRoute;
impl FromRequest for CriticalRoute {
type Error = FromRequestRedirect;
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
let req = req.clone();
Box::pin(async move {
let current_user = CurrentUser::from_request(&req, &mut Payload::None)
.await
.expect("Failed to extract user identity!");
if current_user.should_request_2fa_for_critical_functions() {
let uri = get_2fa_url(&LoginRedirect::from_req(&req), true);
return Err(FromRequestRedirect::new(uri));
}
Ok(Self)
})
}
}

98
src/data/crypto_wrapper.rs Normal file
View File

@@ -0,0 +1,98 @@
use std::io::ErrorKind;
use aes_gcm::aead::{Aead, OsRng};
use aes_gcm::{Aes256Gcm, Key, KeyInit, Nonce};
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _;
use rand::Rng;
use serde::de::DeserializeOwned;
use serde::Serialize;
use crate::utils::err::Res;
const NONCE_LEN: usize = 12;
pub struct CryptoWrapper {
key: Key<Aes256Gcm>,
}
impl CryptoWrapper {
/// Generate a new memory wrapper
pub fn new_random() -> Self {
Self {
key: Aes256Gcm::generate_key(&mut OsRng),
}
}
/// Encrypt some data
pub fn encrypt<T: Serialize + DeserializeOwned>(&self, data: &T) -> Res<String> {
let aes_key = Aes256Gcm::new(&self.key);
let nonce_bytes = rand::thread_rng().gen::<[u8; NONCE_LEN]>();
let serialized_data = bincode::serialize(data)?;
let mut enc = aes_key
.encrypt(Nonce::from_slice(&nonce_bytes), serialized_data.as_slice())
.unwrap();
enc.extend_from_slice(&nonce_bytes);
Ok(BASE64_STANDARD.encode(enc))
}
/// Decrypt some data previously encrypted using the [`CryptoWrapper::encrypt`] method
pub fn decrypt<T: DeserializeOwned>(&self, input: &str) -> Res<T> {
let bytes = BASE64_STANDARD.decode(input)?;
if bytes.len() < NONCE_LEN {
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Input string is smaller than nonce!",
)));
}
let (enc, nonce) = bytes.split_at(bytes.len() - NONCE_LEN);
assert_eq!(nonce.len(), NONCE_LEN);
let aes_key = Aes256Gcm::new(&self.key);
let dec = match aes_key.decrypt(Nonce::from_slice(nonce), enc) {
Ok(d) => d,
Err(e) => {
log::error!("Failed to decrypt wrapped data! {:#?}", e);
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Failed to decrypt wrapped data!",
)));
}
};
Ok(bincode::deserialize(&dec)?)
}
}
#[cfg(test)]
mod test {
use crate::data::crypto_wrapper::CryptoWrapper;
#[derive(serde::Serialize, serde::Deserialize, Eq, PartialEq, Debug)]
struct Message(String);
#[test]
fn encrypt_and_decrypt() {
let wrapper = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper.encrypt(&msg).unwrap();
let dec: Message = wrapper.decrypt(&enc).unwrap();
assert_eq!(dec, msg)
}
#[test]
fn encrypt_and_decrypt_invalid() {
let wrapper_1 = CryptoWrapper::new_random();
let wrapper_2 = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper_1.encrypt(&msg).unwrap();
wrapper_2.decrypt::<Message>(&enc).unwrap_err();
}
}

35
src/data/current_user.rs
View File

@@ -6,34 +6,18 @@ use actix::Addr;
use actix_identity::Identity; use actix_identity::Identity;
use actix_web::dev::Payload; use actix_web::dev::Payload;
use actix_web::error::ErrorInternalServerError; use actix_web::error::ErrorInternalServerError;
use actix_web::{Error, FromRequest, HttpRequest, web}; use actix_web::{web, Error, FromRequest, HttpRequest};
use crate::actors::users_actor; use crate::actors::users_actor;
use crate::actors::users_actor::UsersActor; use crate::actors::users_actor::UsersActor;
use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
use crate::data::session_identity::SessionIdentity; use crate::data::session_identity::SessionIdentity;
use crate::data::user::User; use crate::data::user::User;
use crate::utils::time::time;
pub struct CurrentUser { pub struct CurrentUser(User);
user: User,
pub auth_time: u64,
pub last_2fa_auth: Option<u64>,
}
impl CurrentUser {
pub fn should_request_2fa_for_critical_functions(&self) -> bool {
self.user.has_two_factor()
&& self
.last_2fa_auth
.map(|t| t + SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS < time())
.unwrap_or(true)
}
}
impl From<CurrentUser> for User { impl From<CurrentUser> for User {
fn from(user: CurrentUser) -> Self { fn from(user: CurrentUser) -> Self {
user.user user.0
} }
} }
@@ -41,7 +25,7 @@ impl Deref for CurrentUser {
type Target = User; type Target = User;
fn deref(&self) -> &Self::Target { fn deref(&self) -> &Self::Target {
&self.user &self.0
} }
} }
@@ -56,10 +40,7 @@ impl FromRequest for CurrentUser {
let identity: Identity = Identity::from_request(req, payload) let identity: Identity = Identity::from_request(req, payload)
.into_inner() .into_inner()
.expect("Failed to get identity!"); .expect("Failed to get identity!");
let id = SessionIdentity(Some(&identity)); let user_id = SessionIdentity(Some(&identity)).user_id();
let user_id = id.user_id();
let last_2fa_auth = id.last_2fa_auth();
let auth_time = id.auth_time();
Box::pin(async move { Box::pin(async move {
let user = match user_actor let user = match user_actor
@@ -76,11 +57,7 @@ impl FromRequest for CurrentUser {
} }
}; };
Ok(CurrentUser { Ok(CurrentUser(user))
user,
auth_time,
last_2fa_auth,
})
}) })
} }
} }

5
src/data/entity_manager.rs
View File

@@ -20,10 +20,7 @@ where
/// Open entity /// Open entity
pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> { pub fn open_or_create<A: AsRef<Path>>(path: A) -> Res<Self> {
if !path.as_ref().is_file() { if !path.as_ref().is_file() {
log::warn!( log::warn!("Entities at {:?} does not point to a file, creating a new empty entity container...", path.as_ref());
"Entities at {:?} does not point to a file, creating a new empty entity container...",
path.as_ref()
);
return Ok(Self { return Ok(Self {
file_path: path.as_ref().to_path_buf(), file_path: path.as_ref().to_path_buf(),
list: vec![], list: vec![],

45
src/data/force_2fa_auth.rs
View File

@@ -1,45 +0,0 @@
use crate::data::current_user::CurrentUser;
use crate::data::session_identity::SessionIdentity;
use actix_identity::Identity;
use actix_web::dev::Payload;
use actix_web::{Error, FromRequest, HttpRequest, web};
use std::future::Future;
use std::pin::Pin;
#[derive(serde::Deserialize)]
pub struct Force2FAAuthQuery {
#[serde(default)]
force_2fa: bool,
}
pub struct Force2FAAuth {
pub force: bool,
}
impl FromRequest for Force2FAAuth {
type Error = Error;
type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
let req = req.clone();
Box::pin(async move {
// It is impossible to force authentication for an unauthenticated user
let identity = Identity::from_request(&req, &mut Payload::None)
.into_inner()
.ok();
if !SessionIdentity(identity.as_ref()).is_authenticated() {
return Ok(Self { force: false });
}
let query = web::Query::<Force2FAAuthQuery>::from_request(&req, &mut Payload::None)
.into_inner()?;
let user = CurrentUser::from_request(&req, &mut Payload::None).await?;
Ok(Self {
force: query.force_2fa && user.has_two_factor(),
})
})
}
}

32
src/data/from_request_redirect.rs
View File

@@ -1,32 +0,0 @@
use actix_web::body::BoxBody;
use actix_web::http::StatusCode;
use actix_web::{HttpResponse, ResponseError};
use std::fmt::{Debug, Display, Formatter};
#[derive(Debug)]
pub struct FromRequestRedirect {
url: String,
}
impl FromRequestRedirect {
pub fn new(url: String) -> Self {
Self { url }
}
}
impl Display for FromRequestRedirect {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
write!(f, "Redirect to {}", self.url)
}
}
impl ResponseError for FromRequestRedirect {
fn status_code(&self) -> StatusCode {
StatusCode::FOUND
}
fn error_response(&self) -> HttpResponse<BoxBody> {
HttpResponse::Found()
.insert_header(("Location", self.url.as_str()))
.body("Redirecting...")
}
}

11
src/data/id_token.rs
View File

@@ -1,8 +1,7 @@
use crate::data::client::AdditionalClaims;
use jwt_simple::claims::Audiences; use jwt_simple::claims::Audiences;
use jwt_simple::prelude::{Duration, JWTClaims}; use jwt_simple::prelude::{Duration, JWTClaims};
#[derive(serde::Serialize, Debug)] #[derive(serde::Serialize)]
pub struct IdToken { pub struct IdToken {
/// REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. /// REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
#[serde(rename = "iss")] #[serde(rename = "iss")]
@@ -25,19 +24,12 @@ pub struct IdToken {
#[serde(skip_serializing_if = "Option::is_none")] #[serde(skip_serializing_if = "Option::is_none")]
pub nonce: Option<String>, pub nonce: Option<String>,
pub email: String, pub email: String,
/// Additional claims
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(flatten)]
pub additional_claims: Option<AdditionalClaims>,
} }
#[derive(serde::Serialize, serde::Deserialize)] #[derive(serde::Serialize, serde::Deserialize)]
pub struct CustomIdTokenClaims { pub struct CustomIdTokenClaims {
auth_time: u64, auth_time: u64,
email: String, email: String,
#[serde(skip_serializing_if = "Option::is_none")]
#[serde(flatten)]
additional_claims: Option<AdditionalClaims>,
} }
impl IdToken { impl IdToken {
@@ -54,7 +46,6 @@ impl IdToken {
custom: CustomIdTokenClaims { custom: CustomIdTokenClaims {
auth_time: self.auth_time, auth_time: self.auth_time,
email: self.email, email: self.email,
additional_claims: self.additional_claims,
}, },
} }
} }

11
src/data/jwt_signer.rs
View File

@@ -1,20 +1,18 @@
use jwt_simple::algorithms::RSAKeyPairLike; use jwt_simple::algorithms::RSAKeyPairLike;
use jwt_simple::claims::JWTClaims; use jwt_simple::claims::JWTClaims;
use jwt_simple::prelude::RS256KeyPair; use jwt_simple::prelude::RS256KeyPair;
use serde::Serialize;
use serde::de::DeserializeOwned; use serde::de::DeserializeOwned;
use serde::Serialize;
use base64::Engine as _;
use base64::engine::general_purpose::URL_SAFE as BASE64_URL_URL_SAFE; use base64::engine::general_purpose::URL_SAFE as BASE64_URL_URL_SAFE;
use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD; use base64::engine::general_purpose::URL_SAFE_NO_PAD as BASE64_URL_SAFE_NO_PAD;
use base64::Engine as _;
use crate::utils::err::Res; use crate::utils::err::Res;
use crate::utils::string_utils::rand_str; use crate::utils::string_utils::rand_str;
const JWK_USE_SIGN: &str = "sig";
/// Json Web Key <https://datatracker.ietf.org/doc/html/rfc7517> /// Json Web Key <https://datatracker.ietf.org/doc/html/rfc7517>
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)] #[derive(serde::Serialize, serde::Deserialize)]
pub struct JsonWebKey { pub struct JsonWebKey {
#[serde(rename = "alg")] #[serde(rename = "alg")]
algorithm: String, algorithm: String,
@@ -26,8 +24,6 @@ pub struct JsonWebKey {
modulus: String, modulus: String,
#[serde(rename = "e")] #[serde(rename = "e")]
public_exponent: String, public_exponent: String,
#[serde(rename = "use", skip_serializing_if = "Option::is_none")]
usage: Option<String>,
} }
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
@@ -48,7 +44,6 @@ impl JWTSigner {
key_id: self.0.key_id().as_ref().unwrap().to_string(), key_id: self.0.key_id().as_ref().unwrap().to_string(),
public_exponent: BASE64_URL_URL_SAFE.encode(components.e), public_exponent: BASE64_URL_URL_SAFE.encode(components.e),
modulus: BASE64_URL_SAFE_NO_PAD.encode(components.n), modulus: BASE64_URL_SAFE_NO_PAD.encode(components.n),
usage: Some(JWK_USE_SIGN.to_string()),
} }
} }

14
src/data/login_redirect.rs
View File

@@ -1,13 +1,7 @@
use actix_web::HttpRequest;
#[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)] #[derive(serde::Serialize, serde::Deserialize, Debug, Eq, PartialEq, Clone)]
pub struct LoginRedirect(String); pub struct LoginRedirect(String);
impl LoginRedirect { impl LoginRedirect {
pub fn from_req(req: &HttpRequest) -> Self {
Self(req.uri().to_string())
}
pub fn get(&self) -> &str { pub fn get(&self) -> &str {
match self.0.starts_with('/') && !self.0.starts_with("//") { match self.0.starts_with('/') && !self.0.starts_with("//") {
true => self.0.as_str(), true => self.0.as_str(),
@@ -25,11 +19,3 @@ impl Default for LoginRedirect {
Self("/".to_string()) Self("/".to_string())
} }
} }
/// Get the URL for 2FA authentication
pub fn get_2fa_url(redir: &LoginRedirect, force_2fa: bool) -> String {
format!(
"/2fa_auth?redirect={}&force_2fa={force_2fa}",
redir.get_encoded()
)
}

8
src/data/mod.rs
View File

@@ -3,16 +3,16 @@ pub mod action_logger;
pub mod app_config; pub mod app_config;
pub mod client; pub mod client;
pub mod code_challenge; pub mod code_challenge;
pub mod critical_route; pub mod crypto_wrapper;
pub mod current_user; pub mod current_user;
pub mod entity_manager; pub mod entity_manager;
pub mod force_2fa_auth;
pub mod from_request_redirect;
pub mod id_token; pub mod id_token;
pub mod jwt_signer; pub mod jwt_signer;
pub mod login_redirect; pub mod login_redirect;
pub mod open_id_user_info;
pub mod openid_config;
pub mod provider; pub mod provider;
pub mod provider_configuration; pub mod remote_ip;
pub mod session_identity; pub mod session_identity;
pub mod totp_key; pub mod totp_key;
pub mod user; pub mod user;

24
src/data/open_id_user_info.rs Normal file
View File

@@ -0,0 +1,24 @@
/// Refer to <https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims> for more information
#[derive(Debug, serde::Serialize)]
pub struct OpenIDUserInfo {
/// Subject - Identifier for the End-User at the Issuer
pub sub: String,
/// End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
pub name: String,
/// Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
pub given_name: String,
/// Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
pub family_name: String,
/// Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in
pub preferred_username: String,
/// End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 RFC5322 addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.
pub email: String,
/// True if the End-User's e-mail address has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
pub email_verified: bool,
}

37
src/data/openid_config.rs Normal file
View File

@@ -0,0 +1,37 @@
#[derive(Debug, Clone, serde::Serialize)]
pub struct OpenIDConfig {
/// URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer
pub issuer: String,
/// REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint `OpenID.Core`
pub authorization_endpoint: String,
/// URL of the OP's OAuth 2.0 Token Endpoint `OpenID.Core`. This is REQUIRED unless only the Implicit Flow is used.
pub token_endpoint: String,
/// RECOMMENDED. URL of the OP's UserInfo Endpoint `[`OpenID.Core`]`. This URL MUST use the https scheme and MAY contain port, path, and query parameter components
pub userinfo_endpoint: String,
/// REQUIRED. URL of the OP's JSON Web Key Set `[`JWK`]` document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
pub jwks_uri: String,
/// RECOMMENDED. JSON array containing a list of the OAuth 2.0 `[`RFC6749`]` scope values that this server supports. The server MUST support the openid scope value. Servers MAY choose not to advertise some supported scope values even when this parameter is used, although those defined in `[`OpenID.Core`]` SHOULD be listed, if supported.
pub scopes_supported: Vec<&'static str>,
/// REQUIRED. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. Dynamic OpenID Providers MUST support the code, id_token, and the token id_token Response Type values.
pub response_types_supported: Vec<&'static str>,
/// REQUIRED. JSON array containing a list of the Subject Identifier types that this OP supports. Valid types include pairwise and public.
pub subject_types_supported: Vec<&'static str>,
/// REQUIRED. JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT `[`JWT`. The algorithm RS256 MUST be included. The value none MAY be supported, but MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint (such as when using the Authorization Code Flow).
pub id_token_signing_alg_values_supported: Vec<&'static str>,
/// OPTIONAL. JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt
pub token_endpoint_auth_methods_supported: Vec<&'static str>,
/// RECOMMENDED. JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list.
pub claims_supported: Vec<&'static str>,
pub code_challenge_methods_supported: Vec<&'static str>,
}

20
src/data/provider.rs
View File

@@ -1,5 +1,4 @@
use crate::data::entity_manager::EntityManager; use crate::data::entity_manager::EntityManager;
use crate::data::login_redirect::LoginRedirect;
use crate::utils::string_utils::apply_env_vars; use crate::utils::string_utils::apply_env_vars;
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
@@ -26,18 +25,9 @@ pub struct Provider {
/// ///
/// (.well-known/openid-configuration endpoint) /// (.well-known/openid-configuration endpoint)
pub configuration_url: String, pub configuration_url: String,
/// Set to true if accounts on BasicOIDC should be automatically created from this provider
#[serde(default)]
pub allow_auto_account_creation: bool,
} }
impl Provider { impl Provider {
/// Get URL-encoded provider id
pub fn id_encoded(&self) -> String {
urlencoding::encode(&self.id.0).to_string()
}
/// Get the URL where the logo can be located /// Get the URL where the logo can be located
pub fn logo_url(&self) -> &str { pub fn logo_url(&self) -> &str {
match self.logo.as_str() { match self.logo.as_str() {
@@ -46,19 +36,9 @@ impl Provider {
"github" => "/assets/img/brands/github.svg", "github" => "/assets/img/brands/github.svg",
"microsoft" => "/assets/img/brands/microsoft.svg", "microsoft" => "/assets/img/brands/microsoft.svg",
"google" => "/assets/img/brands/google.svg", "google" => "/assets/img/brands/google.svg",
"openid" => "/assets/img/brands/openid.svg",
s => s, s => s,
} }
} }
/// Get the URL to use to login with the provider
pub fn login_url(&self, redirect_url: &LoginRedirect) -> String {
format!(
"/login_with_prov?id={}&redirect={}",
self.id_encoded(),
redirect_url.get_encoded()
)
}
} }
impl PartialEq for Provider { impl PartialEq for Provider {

93
src/data/provider_configuration.rs
View File

@@ -1,93 +0,0 @@
use std::cell::RefCell;
use std::collections::HashMap;
use light_openid::primitives::{OpenIDConfig, OpenIDTokenResponse, OpenIDUserInfo};
use crate::actors::providers_states_actor::ProviderLoginState;
use crate::constants::OIDC_PROVIDERS_LIFETIME;
use crate::data::app_config::AppConfig;
use crate::data::provider::Provider;
use crate::utils::err::Res;
use crate::utils::time::time;
/// Provider configuration
#[derive(Debug, Clone)]
pub struct ProviderConfiguration {
pub discovery: OpenIDConfig,
pub expire: u64,
}
impl ProviderConfiguration {
/// Get the URL where a user should be redirected to authenticate
pub fn auth_url(&self, provider: &Provider, state: &ProviderLoginState) -> String {
let authorization_url = &self.discovery.authorization_endpoint;
let client_id = urlencoding::encode(&provider.client_id).to_string();
let state = urlencoding::encode(&state.state_id).to_string();
let callback_url = AppConfig::get().oidc_provider_redirect_url();
format!(
"{authorization_url}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={callback_url}"
)
}
/// Retrieve the authorization token after a successful authentication, using an authorization code
pub async fn get_token(
&self,
provider: &Provider,
authorization_code: &str,
) -> Res<OpenIDTokenResponse> {
let (token, _) = self
.discovery
.request_token(
&provider.client_id,
&provider.client_secret,
authorization_code,
&AppConfig::get().oidc_provider_redirect_url(),
)
.await?;
Ok(token)
}
/// Retrieve information about the user, using a given [OpenIDTokenResponse]
pub async fn get_userinfo(&self, token: &OpenIDTokenResponse) -> Res<OpenIDUserInfo> {
Ok(self.discovery.request_user_info(token).await?.0)
}
}
thread_local! {
static THREAD_CACHE: RefCell<HashMap<String, ProviderConfiguration>> = RefCell::new(Default::default());
}
pub struct ProviderConfigurationHelper {}
impl ProviderConfigurationHelper {
/// Get or refresh the configuration for a provider
pub async fn get_configuration(provider: &Provider) -> Res<ProviderConfiguration> {
let config = THREAD_CACHE.with(|i| i.borrow().get(&provider.configuration_url).cloned());
// Refresh config cache if needed
if config.is_none() || config.as_ref().unwrap().expire < time() {
let conf = Self::fetch_configuration(provider).await?;
THREAD_CACHE.with(|i| {
i.borrow_mut()
.insert(provider.configuration_url.clone(), conf.clone())
});
return Ok(conf);
}
// We can return immediately previously extracted value
Ok(config.unwrap())
}
/// Get fresh configuration from provider
async fn fetch_configuration(provider: &Provider) -> Res<ProviderConfiguration> {
Ok(ProviderConfiguration {
discovery: OpenIDConfig::load_from_url(&provider.configuration_url).await?,
expire: time() + OIDC_PROVIDERS_LIFETIME,
})
}
}

30
src/data/remote_ip.rs Normal file
View File

@@ -0,0 +1,30 @@
use std::net::IpAddr;
use actix_web::dev::Payload;
use actix_web::{Error, FromRequest, HttpRequest};
use futures_util::future::{ready, Ready};
use crate::data::app_config::AppConfig;
use crate::utils::network_utils::get_remote_ip;
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct RemoteIP(pub IpAddr);
impl From<RemoteIP> for IpAddr {
fn from(i: RemoteIP) -> Self {
i.0
}
}
impl FromRequest for RemoteIP {
type Error = Error;
type Future = Ready<Result<Self, Error>>;
#[inline]
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
ready(Ok(RemoteIP(get_remote_ip(
req,
AppConfig::get().proxy_ip.as_deref(),
))))
}
}

27
src/data/session_identity.rs
View File

@@ -5,27 +5,31 @@ use serde::{Deserialize, Serialize};
use crate::data::user::{User, UserID}; use crate::data::user::{User, UserID};
use crate::utils::time::time; use crate::utils::time::time;
#[derive(Debug, Serialize, Deserialize, Eq, PartialEq, Default)] #[derive(Debug, Serialize, Deserialize, Eq, PartialEq)]
pub enum SessionStatus { pub enum SessionStatus {
#[default]
Invalid, Invalid,
SignedIn, SignedIn,
NeedNewPassword, NeedNewPassword,
Need2FA, Need2FA,
} }
impl Default for SessionStatus {
fn default() -> Self {
Self::Invalid
}
}
#[derive(Debug, Serialize, Deserialize, Default)] #[derive(Debug, Serialize, Deserialize, Default)]
pub struct SessionIdentityData { pub struct SessionIdentityData {
pub id: Option<UserID>, pub id: Option<UserID>,
pub is_admin: bool, pub is_admin: bool,
pub auth_time: u64, pub auth_time: u64,
pub last_2fa_auth: Option<u64>,
pub status: SessionStatus, pub status: SessionStatus,
} }
pub struct SessionIdentity<'a>(pub Option<&'a Identity>); pub struct SessionIdentity<'a>(pub Option<&'a Identity>);
impl SessionIdentity<'_> { impl<'a> SessionIdentity<'a> {
fn get_session_data(&self) -> Option<SessionIdentityData> { fn get_session_data(&self) -> Option<SessionIdentityData> {
if let Some(id) = self.0 { if let Some(id) = self.0 {
Self::deserialize_session_data(id.id().ok()) Self::deserialize_session_data(id.id().ok())
@@ -41,7 +45,7 @@ impl SessionIdentity<'_> {
.map(|f| match f { .map(|f| match f {
Ok(d) => Some(d), Ok(d) => Some(d),
Err(e) => { Err(e) => {
log::warn!("Failed to deserialize session data! {e:?}"); log::warn!("Failed to deserialize session data! {:?}", e);
None None
} }
}) })
@@ -60,7 +64,7 @@ impl SessionIdentity<'_> {
log::debug!("Will set user session data."); log::debug!("Will set user session data.");
if let Err(e) = Identity::login(&req.extensions(), s) { if let Err(e) = Identity::login(&req.extensions(), s) {
log::error!("Failed to set session data! {e}"); log::error!("Failed to set session data! {}", e);
} }
log::debug!("Did set user session data."); log::debug!("Did set user session data.");
} }
@@ -71,7 +75,6 @@ impl SessionIdentity<'_> {
&SessionIdentityData { &SessionIdentityData {
id: Some(user.uid.clone()), id: Some(user.uid.clone()),
is_admin: user.admin, is_admin: user.admin,
last_2fa_auth: None,
auth_time: time(), auth_time: time(),
status, status,
}, },
@@ -84,12 +87,6 @@ impl SessionIdentity<'_> {
self.set_session_data(req, &sess); self.set_session_data(req, &sess);
} }
pub fn record_2fa_auth(&self, req: &HttpRequest) {
let mut sess = self.get_session_data().unwrap_or_default();
sess.last_2fa_auth = Some(time());
self.set_session_data(req, &sess);
}
pub fn is_authenticated(&self) -> bool { pub fn is_authenticated(&self) -> bool {
self.get_session_data() self.get_session_data()
.map(|s| s.status == SessionStatus::SignedIn) .map(|s| s.status == SessionStatus::SignedIn)
@@ -122,8 +119,4 @@ impl SessionIdentity<'_> {
pub fn auth_time(&self) -> u64 { pub fn auth_time(&self) -> u64 {
self.get_session_data().unwrap_or_default().auth_time self.get_session_data().unwrap_or_default().auth_time
} }
pub fn last_2fa_auth(&self) -> Option<u64> {
self.get_session_data().unwrap_or_default().last_2fa_auth
}
} }

31
src/data/totp_key.rs
View File

@@ -1,3 +1,5 @@
use std::io::ErrorKind;
use base32::Alphabet; use base32::Alphabet;
use rand::Rng; use rand::Rng;
use totp_rfc6238::{HashAlgorithm, TotpGenerator}; use totp_rfc6238::{HashAlgorithm, TotpGenerator};
@@ -7,7 +9,7 @@ use crate::data::user::User;
use crate::utils::err::Res; use crate::utils::err::Res;
use crate::utils::time::time; use crate::utils::time::time;
const BASE32_ALPHABET: Alphabet = Alphabet::Rfc4648 { padding: true }; const BASE32_ALPHABET: Alphabet = Alphabet::RFC4648 { padding: true };
const NUM_DIGITS: usize = 6; const NUM_DIGITS: usize = 6;
const PERIOD: u64 = 30; const PERIOD: u64 = 30;
@@ -19,7 +21,7 @@ pub struct TotpKey {
impl TotpKey { impl TotpKey {
/// Generate a new TOTP key /// Generate a new TOTP key
pub fn new_random() -> Self { pub fn new_random() -> Self {
let random_bytes = rand::rng().random::<[u8; 20]>(); let random_bytes = rand::thread_rng().gen::<[u8; 10]>();
Self { Self {
encoded: base32::encode(BASE32_ALPHABET, &random_bytes), encoded: base32::encode(BASE32_ALPHABET, &random_bytes),
} }
@@ -38,10 +40,10 @@ impl TotpKey {
pub fn url_for_user(&self, u: &User, conf: &AppConfig) -> String { pub fn url_for_user(&self, u: &User, conf: &AppConfig) -> String {
format!( format!(
"otpauth://totp/{}:{}?secret={}&issuer={}&algorithm=SHA1&digits={}&period={}", "otpauth://totp/{}:{}?secret={}&issuer={}&algorithm=SHA1&digits={}&period={}",
urlencoding::encode(conf.domain_name_without_port()), urlencoding::encode(conf.domain_name()),
urlencoding::encode(&u.username), urlencoding::encode(&u.username),
self.encoded, self.encoded,
urlencoding::encode(conf.domain_name_without_port()), urlencoding::encode(conf.domain_name()),
NUM_DIGITS, NUM_DIGITS,
PERIOD, PERIOD,
) )
@@ -51,7 +53,7 @@ impl TotpKey {
pub fn account_name(&self, u: &User, conf: &AppConfig) -> String { pub fn account_name(&self, u: &User, conf: &AppConfig) -> String {
format!( format!(
"{}:{}", "{}:{}",
urlencoding::encode(conf.domain_name_without_port()), urlencoding::encode(conf.domain_name()),
urlencoding::encode(&u.username) urlencoding::encode(&u.username)
) )
} }
@@ -71,14 +73,9 @@ impl TotpKey {
self.get_code_at(|| time() - PERIOD) self.get_code_at(|| time() - PERIOD)
} }
/// Get following code
pub fn following_code(&self) -> Res<String> {
self.get_code_at(|| time() + PERIOD)
}
/// Get the code at a specific time /// Get the code at a specific time
fn get_code_at<F: Fn() -> u64>(&self, get_time: F) -> Res<String> { fn get_code_at<F: Fn() -> u64>(&self, get_time: F) -> Res<String> {
let generator = TotpGenerator::new() let gen = TotpGenerator::new()
.set_digit(NUM_DIGITS) .set_digit(NUM_DIGITS)
.unwrap() .unwrap()
.set_step(PERIOD) .set_step(PERIOD)
@@ -88,21 +85,20 @@ impl TotpKey {
let key = match base32::decode(BASE32_ALPHABET, &self.encoded) { let key = match base32::decode(BASE32_ALPHABET, &self.encoded) {
None => { None => {
return Err(Box::new(std::io::Error::other( return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Failed to decode base32 secret!", "Failed to decode base32 secret!",
))); )));
} }
Some(k) => k, Some(k) => k,
}; };
Ok(generator.get_code_with(&key, get_time)) Ok(gen.get_code_with(&key, get_time))
} }
/// Check a code's validity /// Check a code's validity
pub fn check_code(&self, code: &str) -> Res<bool> { pub fn check_code(&self, code: &str) -> Res<bool> {
Ok(self.previous_code()?.eq(code) Ok(self.current_code()?.eq(code) || self.previous_code()?.eq(code))
|| self.current_code()?.eq(code)
|| self.following_code()?.eq(code))
} }
} }
@@ -115,10 +111,7 @@ mod test {
let key = TotpKey::new_random(); let key = TotpKey::new_random();
let code = key.current_code().unwrap(); let code = key.current_code().unwrap();
let old_code = key.previous_code().unwrap(); let old_code = key.previous_code().unwrap();
let following_code = key.following_code().unwrap();
assert_ne!(code, old_code); assert_ne!(code, old_code);
assert_ne!(code, following_code);
assert_ne!(old_code, following_code);
} }
#[test] #[test]

53
src/data/user.rs
View File

@@ -1,4 +1,3 @@
use bincode::{Decode, Encode};
use std::collections::HashMap; use std::collections::HashMap;
use std::net::IpAddr; use std::net::IpAddr;
@@ -11,15 +10,9 @@ use crate::data::totp_key::TotpKey;
use crate::data::webauthn_manager::WebauthnPubKey; use crate::data::webauthn_manager::WebauthnPubKey;
use crate::utils::time::{fmt_time, time}; use crate::utils::time::{fmt_time, time};
#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize, Encode, Decode)] #[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
pub struct UserID(pub String); pub struct UserID(pub String);
impl UserID {
pub fn random() -> Self {
Self(uuid::Uuid::new_v4().to_string())
}
}
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
pub struct GeneralSettings { pub struct GeneralSettings {
pub uid: UserID, pub uid: UserID,
@@ -32,7 +25,7 @@ pub struct GeneralSettings {
pub is_admin: bool, pub is_admin: bool,
} }
#[derive(Eq, PartialEq, Clone, Debug, serde::Serialize)] #[derive(Eq, PartialEq, Clone, Debug)]
pub enum GrantedClients { pub enum GrantedClients {
AllClients, AllClients,
SomeClients(Vec<ClientID>), SomeClients(Vec<ClientID>),
@@ -52,12 +45,6 @@ impl GrantedClients {
#[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)] #[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
pub struct FactorID(pub String); pub struct FactorID(pub String);
impl FactorID {
pub fn random() -> Self {
Self(uuid::Uuid::new_v4().to_string())
}
}
#[derive(Clone, Debug, serde::Serialize, serde::Deserialize)] #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
pub enum TwoFactorType { pub enum TwoFactorType {
TOTP(TotpKey), TOTP(TotpKey),
@@ -72,6 +59,15 @@ pub struct TwoFactor {
} }
impl TwoFactor { impl TwoFactor {
pub fn quick_description(&self) -> String {
format!(
"#{} of type {} and name '{}'",
self.id.0,
self.type_str(),
self.name
)
}
pub fn type_str(&self) -> &'static str { pub fn type_str(&self) -> &'static str {
match self.kind { match self.kind {
TwoFactorType::TOTP(_) => "Authenticator app", TwoFactorType::TOTP(_) => "Authenticator app",
@@ -93,17 +89,11 @@ impl TwoFactor {
} }
} }
pub fn login_url(&self, redirect_uri: &LoginRedirect, force_2fa: bool) -> String { pub fn login_url(&self, redirect_uri: &LoginRedirect) -> String {
match self.kind { match self.kind {
TwoFactorType::TOTP(_) => format!( TwoFactorType::TOTP(_) => format!("/2fa_otp?redirect={}", redirect_uri.get_encoded()),
"/2fa_otp?redirect={}&force_2fa={force_2fa}",
redirect_uri.get_encoded()
),
TwoFactorType::WEBAUTHN(_) => { TwoFactorType::WEBAUTHN(_) => {
format!( format!("/2fa_webauthn?redirect={}", redirect_uri.get_encoded())
"/2fa_webauthn?redirect={}&force_2fa={force_2fa}",
redirect_uri.get_encoded()
)
} }
} }
} }
@@ -173,6 +163,19 @@ impl User {
format!("{} {}", self.first_name, self.last_name) format!("{} {}", self.first_name, self.last_name)
} }
pub fn quick_identity(&self) -> String {
format!(
"{} {} {} ({:?})",
match self.admin {
true => "admin",
false => "user",
},
self.username,
self.email,
self.uid
)
}
/// Get the list of sources from which a user can authenticate from /// Get the list of sources from which a user can authenticate from
pub fn authorized_authentication_sources(&self) -> AuthorizedAuthenticationSources { pub fn authorized_authentication_sources(&self) -> AuthorizedAuthenticationSources {
AuthorizedAuthenticationSources { AuthorizedAuthenticationSources {
@@ -307,7 +310,7 @@ impl Eq for User {}
impl Default for User { impl Default for User {
fn default() -> Self { fn default() -> Self {
Self { Self {
uid: UserID::random(), uid: UserID("".to_string()),
first_name: "".to_string(), first_name: "".to_string(),
last_name: "".to_string(), last_name: "".to_string(),
username: "".to_string(), username: "".to_string(),

26
src/data/users_file_entity.rs
View File

@@ -3,7 +3,7 @@ use std::net::IpAddr;
use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBackend}; use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBackend};
use crate::data::entity_manager::EntityManager; use crate::data::entity_manager::EntityManager;
use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID}; use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
use crate::utils::err::{Res, new_error}; use crate::utils::err::{new_error, Res};
use crate::utils::time::time; use crate::utils::time::time;
impl EntityManager<User> { impl EntityManager<User> {
@@ -18,7 +18,7 @@ impl EntityManager<User> {
}; };
if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) { if let Err(e) = self.replace_entries(|u| u.uid.eq(id), &update(user)) {
log::error!("Failed to update user information! {e:?}"); log::error!("Failed to update user information! {:?}", e);
return Err(e); return Err(e);
} }
@@ -31,10 +31,13 @@ fn hash_password<P: AsRef<[u8]>>(pwd: P) -> Res<String> {
} }
fn verify_password<P: AsRef<[u8]>>(pwd: P, hash: &str) -> bool { fn verify_password<P: AsRef<[u8]>>(pwd: P, hash: &str) -> bool {
bcrypt::verify(pwd, hash).unwrap_or_else(|e| { match bcrypt::verify(pwd, hash) {
log::warn!("Failed to verify password! {e:?}"); Ok(r) => r,
false Err(e) => {
}) log::warn!("Failed to verify password! {:?}", e);
false
}
}
} }
impl UsersSyncBackend for EntityManager<User> { impl UsersSyncBackend for EntityManager<User> {
@@ -47,15 +50,6 @@ impl UsersSyncBackend for EntityManager<User> {
Ok(None) Ok(None)
} }
fn find_by_email(&self, u: &str) -> Res<Option<User>> {
for entry in self.iter() {
if entry.email.eq(u) {
return Ok(Some(entry.clone()));
}
}
Ok(None)
}
fn find_by_user_id(&self, id: &UserID) -> Res<Option<User>> { fn find_by_user_id(&self, id: &UserID) -> Res<Option<User>> {
for entry in self.iter() { for entry in self.iter() {
if entry.uid.eq(id) { if entry.uid.eq(id) {
@@ -71,7 +65,7 @@ impl UsersSyncBackend for EntityManager<User> {
fn create_user_account(&mut self, settings: GeneralSettings) -> Res<UserID> { fn create_user_account(&mut self, settings: GeneralSettings) -> Res<UserID> {
let mut user = User { let mut user = User {
uid: UserID::random(), uid: UserID(uuid::Uuid::new_v4().to_string()),
..Default::default() ..Default::default()
}; };
user.update_general_settings(settings); user.update_general_settings(settings);

28
src/data/webauthn_manager.rs
View File

@@ -1,8 +1,7 @@
use std::io::ErrorKind;
use std::sync::Arc; use std::sync::Arc;
use actix_web::web; use actix_web::web;
use bincode::{Decode, Encode};
use light_openid::crypto_wrapper::CryptoWrapper;
use uuid::Uuid; use uuid::Uuid;
use webauthn_rs::prelude::{ use webauthn_rs::prelude::{
CreationChallengeResponse, Passkey, PublicKeyCredential, RegisterPublicKeyCredential, CreationChallengeResponse, Passkey, PublicKeyCredential, RegisterPublicKeyCredential,
@@ -14,6 +13,7 @@ use crate::constants::{
APP_NAME, WEBAUTHN_LOGIN_CHALLENGE_EXPIRE, WEBAUTHN_REGISTER_CHALLENGE_EXPIRE, APP_NAME, WEBAUTHN_LOGIN_CHALLENGE_EXPIRE, WEBAUTHN_REGISTER_CHALLENGE_EXPIRE,
}; };
use crate::data::app_config::AppConfig; use crate::data::app_config::AppConfig;
use crate::data::crypto_wrapper::CryptoWrapper;
use crate::data::user::{User, UserID}; use crate::data::user::{User, UserID};
use crate::utils::err::Res; use crate::utils::err::Res;
use crate::utils::time::time; use crate::utils::time::time;
@@ -28,7 +28,7 @@ pub struct RegisterKeyRequest {
pub creation_challenge: CreationChallengeResponse, pub creation_challenge: CreationChallengeResponse,
} }
#[derive(Debug, serde::Serialize, serde::Deserialize, Encode, Decode)] #[derive(Debug, serde::Serialize, serde::Deserialize)]
struct RegisterKeyOpaqueData { struct RegisterKeyOpaqueData {
registration_state: String, registration_state: String,
user_id: UserID, user_id: UserID,
@@ -40,7 +40,7 @@ pub struct AuthRequest {
pub login_challenge: RequestChallengeResponse, pub login_challenge: RequestChallengeResponse,
} }
#[derive(Debug, Encode, Decode)] #[derive(Debug, serde::Serialize, serde::Deserialize)]
struct AuthStateOpaqueData { struct AuthStateOpaqueData {
authentication_state: String, authentication_state: String,
user_id: UserID, user_id: UserID,
@@ -108,11 +108,17 @@ impl WebAuthManager {
) -> Res<WebauthnPubKey> { ) -> Res<WebauthnPubKey> {
let state: RegisterKeyOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?; let state: RegisterKeyOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
if state.user_id != user.uid { if state.user_id != user.uid {
return Err(Box::new(std::io::Error::other("Invalid user for pubkey!"))); return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Invalid user for pubkey!",
)));
} }
if state.expire < time() { if state.expire < time() {
return Err(Box::new(std::io::Error::other("Challenge has expired!"))); return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Challenge has expired!",
)));
} }
let res = self.core.finish_passkey_registration( let res = self.core.finish_passkey_registration(
@@ -150,11 +156,17 @@ impl WebAuthManager {
) -> Res { ) -> Res {
let state: AuthStateOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?; let state: AuthStateOpaqueData = self.crypto_wrapper.decrypt(opaque_state)?;
if &state.user_id != user_id { if &state.user_id != user_id {
return Err(Box::new(std::io::Error::other("Invalid user for pubkey!"))); return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Invalid user for pubkey!",
)));
} }
if state.expire < time() { if state.expire < time() {
return Err(Box::new(std::io::Error::other("Challenge has expired!"))); return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Challenge has expired!",
)));
} }
self.core.finish_passkey_authentication( self.core.finish_passkey_authentication(

30
src/main.rs
View File

@@ -2,18 +2,16 @@ use core::time::Duration;
use std::sync::Arc; use std::sync::Arc;
use actix::Actor; use actix::Actor;
use actix_identity::config::LogoutBehaviour;
use actix_identity::IdentityMiddleware; use actix_identity::IdentityMiddleware;
use actix_identity::config::LogoutBehavior;
use actix_remote_ip::RemoteIPConfig;
use actix_session::SessionMiddleware;
use actix_session::storage::CookieSessionStore; use actix_session::storage::CookieSessionStore;
use actix_session::SessionMiddleware;
use actix_web::cookie::{Key, SameSite}; use actix_web::cookie::{Key, SameSite};
use actix_web::middleware::Logger; use actix_web::middleware::Logger;
use actix_web::{App, HttpResponse, HttpServer, get, middleware, web}; use actix_web::{get, middleware, web, App, HttpResponse, HttpServer};
use basic_oidc::actors::bruteforce_actor::BruteForceActor; use basic_oidc::actors::bruteforce_actor::BruteForceActor;
use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor; use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor;
use basic_oidc::actors::providers_states_actor::ProvidersStatesActor;
use basic_oidc::actors::users_actor::{UsersActor, UsersSyncBackend}; use basic_oidc::actors::users_actor::{UsersActor, UsersSyncBackend};
use basic_oidc::constants::*; use basic_oidc::constants::*;
use basic_oidc::controllers::assets_controller::assets_route; use basic_oidc::controllers::assets_controller::assets_route;
@@ -51,7 +49,7 @@ async fn main() -> std::io::Result<()> {
// Create initial user if required // Create initial user if required
if users.is_empty() { if users.is_empty() {
log::info!("Create default {DEFAULT_ADMIN_USERNAME} user"); log::info!("Create default {} user", DEFAULT_ADMIN_USERNAME);
let default_admin = User { let default_admin = User {
username: DEFAULT_ADMIN_USERNAME.to_string(), username: DEFAULT_ADMIN_USERNAME.to_string(),
authorized_clients: None, authorized_clients: None,
@@ -71,7 +69,6 @@ async fn main() -> std::io::Result<()> {
let users_actor = UsersActor::new(users).start(); let users_actor = UsersActor::new(users).start();
let bruteforce_actor = BruteForceActor::default().start(); let bruteforce_actor = BruteForceActor::default().start();
let providers_states_actor = ProvidersStatesActor::default().start();
let openid_sessions_actor = OpenIDSessionsActor::default().start(); let openid_sessions_actor = OpenIDSessionsActor::default().start();
let jwt_signer = JWTSigner::gen_from_memory().expect("Failed to generate JWKS key"); let jwt_signer = JWTSigner::gen_from_memory().expect("Failed to generate JWKS key");
let webauthn_manager = Arc::new(WebAuthManager::init(config)); let webauthn_manager = Arc::new(WebAuthManager::init(config));
@@ -100,7 +97,7 @@ async fn main() -> std::io::Result<()> {
.build(); .build();
let identity_middleware = IdentityMiddleware::builder() let identity_middleware = IdentityMiddleware::builder()
.logout_behavior(LogoutBehavior::PurgeSession) .logout_behaviour(LogoutBehaviour::PurgeSession)
.visit_deadline(Some(Duration::from_secs(MAX_INACTIVITY_DURATION))) .visit_deadline(Some(Duration::from_secs(MAX_INACTIVITY_DURATION)))
.login_deadline(Some(Duration::from_secs(MAX_SESSION_DURATION))) .login_deadline(Some(Duration::from_secs(MAX_SESSION_DURATION)))
.build(); .build();
@@ -108,15 +105,11 @@ async fn main() -> std::io::Result<()> {
App::new() App::new()
.app_data(web::Data::new(users_actor.clone())) .app_data(web::Data::new(users_actor.clone()))
.app_data(web::Data::new(bruteforce_actor.clone())) .app_data(web::Data::new(bruteforce_actor.clone()))
.app_data(web::Data::new(providers_states_actor.clone()))
.app_data(web::Data::new(openid_sessions_actor.clone())) .app_data(web::Data::new(openid_sessions_actor.clone()))
.app_data(web::Data::new(clients.clone())) .app_data(web::Data::new(clients.clone()))
.app_data(web::Data::new(providers.clone())) .app_data(web::Data::new(providers.clone()))
.app_data(web::Data::new(jwt_signer.clone())) .app_data(web::Data::new(jwt_signer.clone()))
.app_data(web::Data::new(webauthn_manager.clone())) .app_data(web::Data::new(webauthn_manager.clone()))
.app_data(web::Data::new(RemoteIPConfig {
proxy: AppConfig::get().proxy_ip.clone(),
}))
.wrap( .wrap(
middleware::DefaultHeaders::new().add(("Permissions-Policy", "interest-cohort=()")), middleware::DefaultHeaders::new().add(("Permissions-Policy", "interest-cohort=()")),
) )
@@ -124,7 +117,7 @@ async fn main() -> std::io::Result<()> {
.wrap(AuthMiddleware {}) .wrap(AuthMiddleware {})
.wrap(identity_middleware) .wrap(identity_middleware)
.wrap(session_mw) .wrap(session_mw)
// Main route // main route
.route( .route(
"/", "/",
web::get().to(|| async { web::get().to(|| async {
@@ -134,7 +127,7 @@ async fn main() -> std::io::Result<()> {
}), }),
) )
.route("/robots.txt", web::get().to(assets_controller::robots_txt)) .route("/robots.txt", web::get().to(assets_controller::robots_txt))
// Health route // health route
.service(health) .service(health)
// Assets serving // Assets serving
.route("/assets/{path:.*}", web::get().to(assets_route)) .route("/assets/{path:.*}", web::get().to(assets_route))
@@ -165,15 +158,6 @@ async fn main() -> std::io::Result<()> {
"/login/api/auth_webauthn", "/login/api/auth_webauthn",
web::post().to(login_api::auth_webauthn), web::post().to(login_api::auth_webauthn),
) )
// Providers controller
.route(
"/login_with_prov",
web::get().to(providers_controller::start_login),
)
.route(
OIDC_PROVIDER_CB_URI,
web::get().to(providers_controller::finish_login),
)
// Settings routes // Settings routes
.route( .route(
"/settings", "/settings",

42
src/middlewares/auth_middleware.rs
View File

@@ -1,15 +1,15 @@
//! # Authentication middleware //! # Authentication middleware
use std::future::{Future, Ready, ready}; use std::future::{ready, Future, Ready};
use std::pin::Pin; use std::pin::Pin;
use std::rc::Rc; use std::rc::Rc;
use actix_identity::IdentityExt; use actix_identity::IdentityExt;
use actix_web::body::EitherBody; use actix_web::body::EitherBody;
use actix_web::http::{Method, header}; use actix_web::http::{header, Method};
use actix_web::{ use actix_web::{
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
Error, HttpResponse, Error, HttpResponse,
dev::{Service, ServiceRequest, ServiceResponse, Transform, forward_ready},
}; };
use crate::constants::{ use crate::constants::{
@@ -89,21 +89,25 @@ where
Box::pin(async move { Box::pin(async move {
// Check if POST request comes from another website (block invalid origins) // Check if POST request comes from another website (block invalid origins)
let origin = req.headers().get(header::ORIGIN); let origin = req.headers().get(header::ORIGIN);
if req.method() == Method::POST if req.method() == Method::POST && req.path() != TOKEN_URI && req.path() != USERINFO_URI
&& req.path() != TOKEN_URI
&& req.path() != USERINFO_URI
&& let Some(o) = origin
&& !o
.to_str()
.unwrap_or("bad")
.eq(&AppConfig::get().website_origin)
{ {
log::warn!("Blocked POST request from invalid origin! Origin given {o:?}"); if let Some(o) = origin {
return Ok(req.into_response( if !o
HttpResponse::Unauthorized() .to_str()
.body("POST request from invalid origin!") .unwrap_or("bad")
.map_into_right_body(), .eq(&AppConfig::get().website_origin)
)); {
log::warn!(
"Blocked POST request from invalid origin! Origin given {:?}",
o
);
return Ok(req.into_response(
HttpResponse::Unauthorized()
.body("POST request from invalid origin!")
.map_into_right_body(),
));
}
}
} }
if req.path().starts_with("/.git") { if req.path().starts_with("/.git") {
@@ -129,8 +133,8 @@ where
_ => ConnStatus::SignedOut, _ => ConnStatus::SignedOut,
}; };
log::trace!("Connection data: {session_data:#?}"); log::trace!("Connection data: {:#?}", session_data);
log::debug!("Connection status: {session:?}"); log::debug!("Connection status: {:?}", session);
// Redirect user to login page // Redirect user to login page
if !session.is_auth() if !session.is_auth()

1
src/utils/mod.rs
View File

@@ -1,4 +1,5 @@
pub mod crypt_utils; pub mod crypt_utils;
pub mod err; pub mod err;
pub mod network_utils;
pub mod string_utils; pub mod string_utils;
pub mod time; pub mod time;

178
src/utils/network_utils.rs Normal file
View File

@@ -0,0 +1,178 @@
use std::net::{IpAddr, Ipv6Addr};
use std::str::FromStr;
use actix_web::HttpRequest;
/// Check if two ips matches
pub fn match_ip(pattern: &str, ip: &str) -> bool {
if pattern.eq(ip) {
return true;
}
if pattern.ends_with('*') && ip.starts_with(&pattern.replace('*', "")) {
return true;
}
false
}
/// Get the remote IP address
pub fn get_remote_ip(req: &HttpRequest, proxy_ip: Option<&str>) -> IpAddr {
let mut ip = req.peer_addr().unwrap().ip();
// We check if the request comes from a trusted reverse proxy
if let Some(proxy) = proxy_ip.as_ref() {
if match_ip(proxy, &ip.to_string()) {
if let Some(header) = req.headers().get("X-Forwarded-For") {
let header = header.to_str().unwrap();
let remote_ip = if let Some((upstream_ip, _)) = header.split_once(',') {
upstream_ip
} else {
header
};
if let Some(upstream_ip) = parse_ip(remote_ip) {
ip = upstream_ip;
}
}
}
}
ip
}
/// Parse an IP address
pub fn parse_ip(ip: &str) -> Option<IpAddr> {
let mut ip = match IpAddr::from_str(ip) {
Ok(ip) => ip,
Err(e) => {
log::warn!("Failed to parse an IP address: {}", e);
return None;
}
};
if let IpAddr::V6(ipv6) = &mut ip {
let mut octets = ipv6.octets();
for o in octets.iter_mut().skip(8) {
*o = 0;
}
ip = IpAddr::V6(Ipv6Addr::from(octets));
}
Some(ip)
}
#[cfg(test)]
mod test {
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
use std::str::FromStr;
use actix_web::test::TestRequest;
use crate::utils::network_utils::{get_remote_ip, parse_ip};
#[test]
fn test_get_remote_ip() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.to_http_request();
assert_eq!(
get_remote_ip(&req, None),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"1.1.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy_2() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"1.1.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy_ipv6() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "10::1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"10::".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_no_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, None),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_other_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.2")),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn parse_bad_ip() {
let ip = parse_ip("badbad");
assert_eq!(None, ip);
}
#[test]
fn parse_ip_v4_address() {
let ip = parse_ip("192.168.1.1").unwrap();
assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)));
}
#[test]
fn parse_ip_v6_address() {
let ip = parse_ip("2a00:1450:4007:813::200e").unwrap();
assert_eq!(
ip,
IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4007, 0x813, 0, 0, 0, 0))
);
}
#[test]
fn parse_ip_v6_address_2() {
let ip = parse_ip("::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0)));
}
#[test]
fn parse_ip_v6_address_3() {
let ip = parse_ip("a::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0xa, 0, 0, 0, 0, 0, 0, 0)));
}
}

32
src/utils/string_utils.rs
View File

@@ -1,9 +1,14 @@
use lazy_regex::regex_find; use lazy_regex::regex_find;
use rand::distr::{Alphanumeric, SampleString}; use rand::distributions::Alphanumeric;
use rand::Rng;
/// Generate a random string of a given size /// Generate a random string of a given size
pub fn rand_str(len: usize) -> String { pub fn rand_str(len: usize) -> String {
Alphanumeric.sample_string(&mut rand::rng(), len) rand::thread_rng()
.sample_iter(&Alphanumeric)
.map(char::from)
.take(len)
.collect()
} }
/// Parse environment variables /// Parse environment variables
@@ -31,23 +36,16 @@ pub fn apply_env_vars(val: &str) -> String {
val val
} }
/// Check out whether a given login is acceptable or not
pub fn is_acceptable_login(login: &str) -> bool {
mailchecker::is_valid(login) || lazy_regex::regex!("^[a-zA-Z0-9-+]+$").is_match(login)
}
#[cfg(test)] #[cfg(test)]
mod test { mod test {
use crate::utils::string_utils::{apply_env_vars, is_acceptable_login}; use crate::utils::string_utils::apply_env_vars;
use std::env; use std::env;
const VAR_ONE: &str = "VAR_ONE"; const VAR_ONE: &str = "VAR_ONE";
#[test] #[test]
fn test_apply_env_var() { fn test_apply_env_var() {
unsafe { env::set_var(VAR_ONE, "good");
env::set_var(VAR_ONE, "good"); let src = format!("This is ${{{}}}", VAR_ONE);
}
let src = format!("This is ${{{VAR_ONE}}}");
assert_eq!("This is good", apply_env_vars(&src)); assert_eq!("This is good", apply_env_vars(&src));
} }
@@ -55,15 +53,7 @@ mod test {
#[test] #[test]
fn test_invalid_var_syntax() { fn test_invalid_var_syntax() {
let src = format!("This is ${{{VAR_INVALID}}}"); let src = format!("This is ${{{}}}", VAR_INVALID);
assert_eq!(src, apply_env_vars(&src)); assert_eq!(src, apply_env_vars(&src));
} }
#[test]
fn test_is_acceptable_login() {
assert!(is_acceptable_login("admin"));
assert!(is_acceptable_login("someone@somewhere.fr"));
assert!(!is_acceptable_login("someone@somewhere.#fr"));
assert!(!is_acceptable_login("bad bad"));
}
} }

26
src/utils/time.rs
View File

@@ -1,4 +1,4 @@
use chrono::DateTime; use chrono::{DateTime, NaiveDateTime, Utc};
use std::time::{SystemTime, UNIX_EPOCH}; use std::time::{SystemTime, UNIX_EPOCH};
/// Get the current time since epoch /// Get the current time since epoch
@@ -11,25 +11,13 @@ pub fn time() -> u64 {
/// Format unix timestamp to a human-readable string /// Format unix timestamp to a human-readable string
pub fn fmt_time(timestamp: u64) -> String { pub fn fmt_time(timestamp: u64) -> String {
// Create a DateTime from the timestamp // Create a NaiveDateTime from the timestamp
let datetime = let naive =
DateTime::from_timestamp(timestamp as i64, 0).expect("Failed to parse timestamp!"); NaiveDateTime::from_timestamp_opt(timestamp as i64, 0).expect("Failed to parse timestamp!");
// Create a normal DateTime from the NaiveDateTime
let datetime: DateTime<Utc> = DateTime::from_utc(naive, Utc);
// Format the datetime how you want // Format the datetime how you want
datetime.format("%Y-%m-%d %H:%M:%S").to_string() datetime.format("%Y-%m-%d %H:%M:%S").to_string()
} }
#[cfg(test)]
mod test {
use crate::utils::time::{fmt_time, time};
#[test]
fn test_time() {
assert!(time() > 10);
}
#[test]
fn test_fmt_time() {
assert_eq!(fmt_time(1693475465), "2023-08-31 09:51:05");
}
}

14
templates/login/base_login_page.html
View File

@@ -8,7 +8,7 @@
<!-- No indexing --> <!-- No indexing -->
<meta name="robots" content="noindex, nofollow"> <meta name="robots" content="noindex, nofollow">
<title>{{ p.app_name }} - {{ p.page_title }}</title> <title>{{ _p.app_name }} - {{ _p.page_title }}</title>
<!-- Bootstrap core CSS --> <!-- Bootstrap core CSS -->
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/> <link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
@@ -31,11 +31,7 @@
} }
} }
@media screen and (min-width: 767px) {
.bg-login {
background-image: url({{ p.background_image }});
}
}
</style> </style>
@@ -49,15 +45,15 @@
<main class="form-signin"> <main class="form-signin">
<h1 class="h3 mb-3 fw-normal" style="margin-bottom: 2rem !important;">{{ p.page_title }}</h1> <h1 class="h3 mb-3 fw-normal">{{ _p.page_title }}</h1>
{% if let Some(danger) = p.danger %} {% if let Some(danger) = _p.danger %}
<div class="alert alert-danger" role="alert"> <div class="alert alert-danger" role="alert">
{{ danger }} {{ danger }}
</div> </div>
{% endif %} {% endif %}
{% if let Some(success) = p.success %} {% if let Some(success) = _p.success %}
<div class="alert alert-success" role="alert"> <div class="alert alert-success" role="alert">
{{ success }} {{ success }}
</div> </div>

8
templates/login/choose_second_factor.html
View File

@@ -5,16 +5,14 @@
<p>You need to validate a second factor to complete your login.</p> <p>You need to validate a second factor to complete your login.</p>
{% for factor in user.get_distinct_factors_types() %} {% for factor in user.get_distinct_factors_types() %}
<!-- We can ask to force 2FA, because once we are here, it means 2FA is required anyway... --> <a class="btn btn-primary btn-lg" href="{{ factor.login_url(_p.redirect_uri) }}" style="width: 100%; display: flex;">
<a class="btn btn-primary btn-lg" href="{{ factor.login_url(p.redirect_uri, true) }}" <img src="{{ factor.type_image() }}" alt="Factor icon" style="margin-right: 1em;" />
style="width: 100%; display: flex;">
<img src="{{ factor.type_image() }}" alt="Factor icon" style="margin-right: 1em;"/>
<div style="text-align: left;"> <div style="text-align: left;">
{{ factor.type_str() }} <br/> {{ factor.type_str() }} <br/>
<small style="font-size: 0.7em;">{{ factor.description_str() }}</small> <small style="font-size: 0.7em;">{{ factor.description_str() }}</small>
</div> </div>
</a> </a>
<br/> <br />
{% endfor %} {% endfor %}
</div> </div>

37
templates/login/login.html
View File

@@ -1,26 +1,6 @@
{% extends "base_login_page.html" %} {% extends "base_login_page.html" %}
{% block content %} {% block content %}
<style> <form action="/login?redirect={{ _p.redirect_uri.get_encoded() }}" method="post">
#providers {
margin-top: 40px;
}
.provider-button {
width: 100%;
display: flex;
margin-top: 10px;
}
.provider-button img {
margin-right: 1em;
width: 1em;
}
</style>
<!-- Local login -->
{% if show_local_login %}
<form action="/login?redirect={{ p.redirect_uri.get_encoded() }}" method="post">
<div> <div>
<div class="form-floating"> <div class="form-floating">
<input name="login" type="text" required class="form-control" id="floatingName" placeholder="unsername" <input name="login" type="text" required class="form-control" id="floatingName" placeholder="unsername"
@@ -38,20 +18,5 @@
<button class="w-100 btn btn-lg btn-primary" type="submit">Sign in</button> <button class="w-100 btn btn-lg btn-primary" type="submit">Sign in</button>
</form> </form>
{% endif %}
<!-- Upstream providers -->
{% if !providers.is_empty() %}
<div id="providers">
{% for prov in providers %}
<a class="btn btn-secondary btn-lg provider-button" href="{{ prov.login_url(p.redirect_uri) }}">
<img src="{{ prov.logo_url() }}" alt="Provider icon"/>
<div style="text-align: left;">
Login using {{ prov.name }} <br/>
</div>
</a>
{% endfor %}
</div>
{% endif %}
{% endblock content %} {% endblock content %}

2
templates/login/otp_input.html
View File

@@ -28,7 +28,7 @@
<div style="margin-top: 10px;"> <div style="margin-top: 10px;">
<a href="/2fa_auth?force_display=true&redirect={{ p.redirect_uri.get_encoded() }}&force_2fa=true">Sign in using another factor</a><br/> <a href="/2fa_auth?force_display=true&redirect={{ _p.redirect_uri.get_encoded() }}">Sign in using another factor</a><br/>
<a href="/logout">Sign out</a> <a href="/logout">Sign out</a>
</div> </div>

2
templates/login/password_reset.html
View File

@@ -1,6 +1,6 @@
{% extends "base_login_page.html" %} {% extends "base_login_page.html" %}
{% block content %} {% block content %}
<form action="/reset_password?redirect={{ p.redirect_uri.get_encoded() }}" method="post" id="reset_password_form"> <form action="/reset_password?redirect={{ _p.redirect_uri.get_encoded() }}" method="post" id="reset_password_form">
<div> <div>
<p>You need to configure a new password:</p> <p>You need to configure a new password:</p>

13
templates/login/prov_login_error.html
View File

@@ -1,13 +0,0 @@
{% extends "base_login_page.html" %}
{% block content %}
<div class="alert alert-danger" style="margin-bottom: 10px;">
<strong>Authentication failed!</strong>
<p style="margin-top: 10px; text-align: justify;">{{ message }}</p>
</div>
<a href="/login?redirect={{ p.redirect_uri.get_encoded() }}">Go back to login</a>
{% endblock content %}

4
templates/login/webauthn_input.html
View File

@@ -12,13 +12,13 @@
</div> </div>
<div style="margin-top: 10px;"> <div style="margin-top: 10px;">
<a href="/2fa_auth?force_display=true&redirect={{ p.redirect_uri.get_encoded() }}&force_2fa=true">Sign in using another factor</a><br/> <a href="/2fa_auth?force_display=true&redirect={{ _p.redirect_uri.get_encoded() }}">Sign in using another factor</a><br/>
<a href="/logout">Sign out</a> <a href="/logout">Sign out</a>
</div> </div>
<script src="/assets/js/base64_lib.js"></script> <script src="/assets/js/base64_lib.js"></script>
<script> <script>
const REDIRECT_URI = decodeURIComponent("{{ p.redirect_uri.get_encoded() }}"); const REDIRECT_URI = decodeURIComponent("{{ _p.redirect_uri.get_encoded() }}");
const OPAQUE_STATE = "{{ opaque_state }}"; const OPAQUE_STATE = "{{ opaque_state }}";
const AUTH_CHALLENGE = JSON.parse(decodeURIComponent("{{ challenge_json }}")); const AUTH_CHALLENGE = JSON.parse(decodeURIComponent("{{ challenge_json }}"));
// Decode data // Decode data

14
templates/settings/account_details.html
View File

@@ -5,31 +5,29 @@
<tbody> <tbody>
<tr> <tr>
<th scope="row">User ID</th> <th scope="row">User ID</th>
<td>{{ p.user.uid.0 }}</td> <td>{{ u.uid.0 }}</td>
</tr> </tr>
<tr> <tr>
<th scope="row">First name</th> <th scope="row">First name</th>
<td>{{ p.user.first_name }}</td> <td>{{ u.first_name }}</td>
</tr> </tr>
<tr> <tr>
<th scope="row">Last name</th> <th scope="row">Last name</th>
<td>{{ p.user.last_name }}</td> <td>{{ u.last_name }}</td>
</tr> </tr>
<tr> <tr>
<th scope="row">Username</th> <th scope="row">Username</th>
<td>{{ p.user.username }}</td> <td>{{ u.username }}</td>
</tr> </tr>
<tr> <tr>
<th scope="row">Email</th> <th scope="row">Email</th>
<td>{{ p.user.email }}</td> <td>{{ u.email }}</td>
</tr> </tr>
<tr> <tr>
<th scope="row">Account type</th> <th scope="row">Account type</th>
<td>{% if p.user.admin %}Admin{% else %}Regular user{% endif %}</td> <td>{% if u.admin %}Admin{% else %}Regular user{% endif %}</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>Your IP address: {{ remote_ip }}</p>
{% endblock content %} {% endblock content %}

24
templates/settings/base_settings_page.html
View File

@@ -2,7 +2,7 @@
<html lang="en"> <html lang="en">
<head> <head>
<meta charset="UTF-8"> <meta charset="UTF-8">
<title>{{ p.page_title }} - {{ p.app_name }}</title> <title>{{ _p.page_title }} - {{ _p.app_name }}</title>
<!-- Bootstrap core CSS --> <!-- Bootstrap core CSS -->
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/> <link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
@@ -12,10 +12,10 @@
<body> <body>
<div class="d-flex flex-column flex-shrink-0 p-3 bg-light" style="width: 280px;"> <div class="d-flex flex-column flex-shrink-0 p-3 bg-light" style="width: 280px;">
<a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto link-dark text-decoration-none"> <a href="/" class="d-flex align-items-center mb-3 mb-md-0 me-md-auto link-dark text-decoration-none">
<span class="fs-4">{{ p.app_name }}</span> <span class="fs-4">{{ _p.app_name }}</span>
</a> </a>
{% if p.user.admin %} {% if _p.is_admin %}
<span>Version {{ p.version }}</span> <span>Version {{ _p.version }}</span>
{% endif %} {% endif %}
<hr> <hr>
<ul class="nav nav-pills flex-column mb-auto"> <ul class="nav nav-pills flex-column mb-auto">
@@ -24,20 +24,18 @@
Account details Account details
</a> </a>
</li> </li>
{% if p.user.allow_local_login && p.local_login_enabled %}
<li> <li>
<a href="/settings/change_password" class="nav-link link-dark"> <a href="/settings/change_password" class="nav-link link-dark">
Change password Change password
</a> </a>
</li> </li>
{% endif %}
<li> <li>
<a href="/settings/two_factors" class="nav-link link-dark"> <a href="/settings/two_factors" class="nav-link link-dark">
Two-factor authentication Two-factor authentication
</a> </a>
</li> </li>
{% if p.user.admin %} {% if _p.is_admin %}
<hr/> <hr/>
<li> <li>
<a href="/admin/clients" class="nav-link link-dark"> <a href="/admin/clients" class="nav-link link-dark">
@@ -61,7 +59,7 @@
<a href="#" class="d-flex align-items-center link-dark text-decoration-none dropdown-toggle" id="dropdownUser" <a href="#" class="d-flex align-items-center link-dark text-decoration-none dropdown-toggle" id="dropdownUser"
data-bs-toggle="dropdown" aria-expanded="false"> data-bs-toggle="dropdown" aria-expanded="false">
<img src="/assets/img/account.png" alt="" width="32" height="32" class="rounded-circle me-2"> <img src="/assets/img/account.png" alt="" width="32" height="32" class="rounded-circle me-2">
<strong>{{ p.user.username }}</strong> <strong>{{ _p.user_name }}</strong>
</a> </a>
<ul class="dropdown-menu text-small shadow" aria-labelledby="dropdownUser"> <ul class="dropdown-menu text-small shadow" aria-labelledby="dropdownUser">
<li><a class="dropdown-item" href="/logout">Sign out</a></li> <li><a class="dropdown-item" href="/logout">Sign out</a></li>
@@ -70,14 +68,14 @@
</div> </div>
<div class="page_body" style="flex: 1"> <div class="page_body" style="flex: 1">
{% if let Some(msg) = p.danger_message %} {% if let Some(msg) = _p.danger_message %}
<div class="alert alert-danger">{{ msg }}</div> <div class="alert alert-danger">{{ msg }}</div>
{% endif %} {% endif %}
{% if let Some(msg) = p.success_message %} {% if let Some(msg) = _p.success_message %}
<div class="alert alert-success">{{ msg }}</div> <div class="alert alert-success">{{ msg }}</div>
{% endif %} {% endif %}
<h2 class="bd-title mt-0" style="margin-bottom: 40px;">{{ p.page_title }}</h2> <h2 class="bd-title mt-0" style="margin-bottom: 40px;">{{ _p.page_title }}</h2>
{% block content %} {% block content %}
TO_REPLACE TO_REPLACE
@@ -92,8 +90,8 @@
}) })
</script> </script>
{% if p.ip_location_api.is_some() %} {% if _p.ip_location_api.is_some() %}
<script>const IP_LOCATION_API = "{{ p.ip_location_api.unwrap() }}"</script> <script>const IP_LOCATION_API = "{{ _p.ip_location_api.unwrap() }}"</script>
{% endif %} {% endif %}
<script src="/assets/js/ip_location_service.js"></script> <script src="/assets/js/ip_location_service.js"></script>
</body> </body>

2
templates/settings/clients_list.html
View File

@@ -1,7 +1,7 @@
{% extends "base_settings_page.html" %} {% extends "base_settings_page.html" %}
{% block content %} {% block content %}
<table class="table table-hover table-break-works" style="max-width: 800px;" aria-describedby="Clients list"> <table class="table table-hover" style="max-width: 800px;" aria-describedby="Clients list">
<thead> <thead>
<tr> <tr>
<th scope="col">ID</th> <th scope="col">ID</th>

2
templates/settings/edit_user.html
View File

@@ -195,7 +195,7 @@
</div> </div>
</fieldset> </fieldset>
<input type="submit" class="btn btn-primary mt-4" value="{{ p.page_title }}"> <input type="submit" class="btn btn-primary mt-4" value="{{ _p.page_title }}">
</form> </form>
<script> <script>

2
templates/settings/providers_list.html
View File

@@ -34,6 +34,4 @@
</tbody> </tbody>
</table> </table>
<p>Redirect URL for new clients: {{ redirect_url }}</p>
{% endblock content %} {% endblock content %}

18
templates/settings/two_factors_page.html
View File

@@ -26,9 +26,7 @@
<tbody> <tbody>
{% for f in user.two_factor %} {% for f in user.two_factor %}
<tr id="factor-{{ f.id.0 }}"> <tr id="factor-{{ f.id.0 }}">
<td><img src="{{ f.type_image() }}" alt="Factor icon" style="height: 1.5em; margin-right: 0.5em;"/>{{ <td><img src="{{ f.type_image() }}" alt="Factor icon" style="height: 1.5em; margin-right: 0.5em;" />{{ f.type_str() }}</td>
f.type_str() }}
</td>
<td>{{ f.name }}</td> <td>{{ f.name }}</td>
<td><a href="javascript:delete_factor('{{ f.id.0 }}');">Delete</a></td> <td><a href="javascript:delete_factor('{{ f.id.0 }}');">Delete</a></td>
</tr> </tr>
@@ -55,9 +53,7 @@
{% for e in user.get_formatted_2fa_successful_logins() %} {% for e in user.get_formatted_2fa_successful_logins() %}
<tr> <tr>
<td>{{ e.ip }}</td> <td>{{ e.ip }}</td>
<td> <td><locateip ip="{{ e.ip }}"></locateip></td>
<locateip ip="{{ e.ip }}"></locateip>
</td>
<td>{{ e.fmt_time() }}</td> <td>{{ e.fmt_time() }}</td>
<td>{% if e.can_bypass_2fa %}YES{% else %}NO{% endif %}</td> <td>{% if e.can_bypass_2fa %}YES{% else %}NO{% endif %}</td>
</tr> </tr>
@@ -67,10 +63,6 @@
{% endif %} {% endif %}
</div> </div>
{% if let Some(last_2fa_auth) = last_2fa_auth %}
<p>Last successful 2FA authentication on this browser: {{ last_2fa_auth }}</p>
{% endif %}
<script> <script>
async function delete_factor(id) { async function delete_factor(id) {
if (!confirm("Do you really want to remove this factor?")) if (!confirm("Do you really want to remove this factor?"))
@@ -80,7 +72,7 @@
const res = await fetch("/settings/api/two_factor/delete_factor", { const res = await fetch("/settings/api/two_factor/delete_factor", {
method: "post", method: "post",
headers: { headers: {
'Content-Type': 'application/json', 'Content-Type': 'application/json',
}, },
body: JSON.stringify({ body: JSON.stringify({
id: id, id: id,
@@ -92,7 +84,7 @@
if (res.status == 200) if (res.status == 200)
document.getElementById("factor-" + id).remove(); document.getElementById("factor-" + id).remove();
} catch (e) { } catch(e) {
console.error(e); console.error(e);
alert("Failed to remove factor!"); alert("Failed to remove factor!");
} }
@@ -112,7 +104,7 @@
if (res.status == 200) if (res.status == 200)
document.getElementById("2fa_history_container").remove(); document.getElementById("2fa_history_container").remove();
} catch (e) { } catch(e) {
console.error(e); console.error(e);
alert("Failed to clear 2FA history!"); alert("Failed to clear 2FA history!");
} }