Add authentication layer

2024-06-29 14:43:56 +02:00
parent 738c53c8b9
commit e1739d9818
26 changed files with 1038 additions and 90 deletions
--- a/central_backend/src/server/servers.rs
+++ b/central_backend/src/server/servers.rs
@ -0,0 +1,134 @@
+use crate::app_config::AppConfig;
+use crate::constants;
+use crate::crypto::pki;
+use crate::energy::energy_actor::EnergyActorAddr;
+use crate::server::auth_middleware::AuthChecker;
+use crate::server::unsecure_server::*;
+use crate::server::web_api::*;
+use actix_cors::Cors;
+use actix_identity::config::LogoutBehaviour;
+use actix_identity::IdentityMiddleware;
+use actix_remote_ip::RemoteIPConfig;
+use actix_session::storage::CookieSessionStore;
+use actix_session::SessionMiddleware;
+use actix_web::cookie::{Key, SameSite};
+use actix_web::middleware::Logger;
+use actix_web::{web, App, HttpServer};
+use openssl::ssl::{SslAcceptor, SslMethod};
+use std::time::Duration;
+
+/// Start unsecure (HTTP) server
+pub async fn unsecure_server() -> anyhow::Result<()> {
+    log::info!(
+        "Unsecure server starting to listen on {} for {}",
+        AppConfig::get().unsecure_listen_address,
+        AppConfig::get().unsecure_origin()
+    );
+    HttpServer::new(|| {
+        App::new()
+            .wrap(Logger::default())
+            .route(
+                "/",
+                web::get().to(unsecure_server_controller::unsecure_home),
+            )
+            .route(
+                "/pki/{file}",
+                web::get().to(unsecure_pki_controller::serve_pki_file),
+            )
+    })
+    .bind(&AppConfig::get().unsecure_listen_address)?
+    .run()
+    .await?;
+
+    Ok(())
+}
+
+/// Start secure (HTTPS) server
+pub async fn secure_server(energy_actor: EnergyActorAddr) -> anyhow::Result<()> {
+    let web_ca = pki::CertData::load_web_ca()?;
+    let server_cert = pki::CertData::load_server()?;
+
+    let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
+    builder.set_private_key(&server_cert.key)?;
+    builder.set_certificate(&server_cert.cert)?;
+    builder.add_extra_chain_cert(web_ca.cert)?;
+
+    log::info!(
+        "Secure server starting to listen on {} for {}",
+        AppConfig::get().listen_address,
+        AppConfig::get().secure_origin()
+    );
+    HttpServer::new(move || {
+        let session_mw = SessionMiddleware::builder(
+            CookieSessionStore::default(),
+            Key::from(AppConfig::get().secret().as_bytes()),
+        )
+        .cookie_name(constants::SESSION_COOKIE_NAME.to_string())
+        .cookie_secure(AppConfig::get().cookie_secure)
+        .cookie_same_site(SameSite::Strict)
+        .cookie_domain(AppConfig::get().cookie_domain())
+        .cookie_http_only(true)
+        .build();
+
+        let identity_middleware = IdentityMiddleware::builder()
+            .logout_behaviour(LogoutBehaviour::PurgeSession)
+            .visit_deadline(Some(Duration::from_secs(
+                constants::MAX_INACTIVITY_DURATION,
+            )))
+            .login_deadline(Some(Duration::from_secs(constants::MAX_SESSION_DURATION)))
+            .build();
+
+        let mut cors = Cors::default()
+            .allowed_origin(&AppConfig::get().secure_origin())
+            .allowed_methods(vec!["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"])
+            .allowed_header("X-Auth-Token")
+            .allow_any_header()
+            .supports_credentials()
+            .max_age(3600);
+
+        if cfg!(debug_assertions) {
+            cors = cors.allow_any_origin();
+        }
+
+        App::new()
+            .app_data(web::Data::new(energy_actor.clone()))
+            .wrap(Logger::default())
+            .wrap(AuthChecker)
+            .wrap(identity_middleware)
+            .wrap(session_mw)
+            .wrap(cors)
+            .app_data(web::Data::new(RemoteIPConfig {
+                proxy: AppConfig::get().proxy_ip.clone(),
+            }))
+            .route("/", web::get().to(server_controller::secure_home))
+            .route(
+                "/web_api/server/config",
+                web::get().to(server_controller::config),
+            )
+            .route(
+                "/web_api/auth/password_auth",
+                web::post().to(auth_controller::password_auth),
+            )
+            .route(
+                "/web_api/auth/info",
+                web::get().to(auth_controller::auth_info),
+            )
+            .route(
+                "/web_api/auth/sign_out",
+                web::get().to(auth_controller::sign_out),
+            )
+            .route(
+                "/web_api/energy/curr_consumption",
+                web::get().to(energy_controller::curr_consumption),
+            )
+            .route(
+                "/web_api/energy/cached_consumption",
+                web::get().to(energy_controller::cached_consumption),
+            )
+    })
+    .bind_openssl(&AppConfig::get().listen_address, builder)?
+    .run()
+    .await?;
+
+    Ok(())
+}