pierre
/
oidc-test-client
1
0
Fork 0
Code Issues Pull Requests 2 Packages Projects Releases Wiki Activity

Use light-openid to reduce code base size (#4)
continuous-integration/drone/push Build is passing Details 

Refactor code to publicly share "redundant" code

Reviewed-on: #4
This commit is contained in:
Pierre Hubert 2023-04-29 08:03:11 +00:00
parent 89c62c0f2f
commit 07fc94f930
10 changed files with 43 additions and 304 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
Cargo.lock generated
View File

@ -1041,6 +1041,23 @@ version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "348108ab3fba42ec82ff6e9564fc4ca0247bdccdc68dd8af9764bbc79c3c8ffb"
[[package]]
name = "light-openid"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "608aa1b7148a6eeab631c6267deca33407ff851ab50eea115e52c13a9bb184ee"
dependencies = [
"aes-gcm",
"base64",
"bincode",
"log",
"rand",
"reqwest",
"serde",
"serde_json",
"urlencoding",
]
[[package]]
name = "linux-raw-sys"
version = "0.3.4"
@ -1185,20 +1202,16 @@ name = "oidc-test-client"
version = "0.1.0"
dependencies = [
"actix-web",
"aes-gcm",
"askama",
"base64",
"bincode",
"clap",
"env_logger",
"futures-util",
"lazy_static",
"light-openid",
"log",
"rand",
"reqwest",
"serde",
"serde_json",
"urlencoding",
]
[[package]]
@ -1413,9 +1426,9 @@ checksum = "a5996294f19bd3aae0453a862ad728f60e6600695733dd5df01da90c54363a3c"
[[package]]
name = "reqwest"
version = "0.11.16"
version = "0.11.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "27b71749df584b7f4cac2c426c127a7c785a5106cc98f7a8feb044115f0fa254"
checksum = "13293b639a097af28fc8a90f22add145a9c954e49d77da06263d58cf44d5fb91"
dependencies = [
"base64",
"bytes",

8
Cargo.toml
View File

@ -6,6 +6,7 @@ edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
light-openid = { version = "1.0.1", features=["crypto-wrapper"] }
log = "0.4.17"
env_logger = "0.10.0"
clap = { version = "4.2.4", features = ["derive", "env"] }
@ -15,9 +16,4 @@ askama = "0.12.0"
serde = { version = "1.0.160", features = ["derive"] }
serde_json = "1.0.96"
reqwest = { version = "0.11.16", features = ["json"] }
urlencoding = "2.1.2"
futures-util = "0.3.28"
aes-gcm = "0.10.1"
base64 = "0.21.0"
rand = "0.8.5"
bincode = {version="2.0.0-rc.3",features=["serde"]}
futures-util = "0.3.28"

4
assets/cover.css
View File

@ -34,6 +34,10 @@ main {
* Header
*/
.title {
color: white;
}
.nav-masthead .nav-link {
color: rgba(255, 255, 255, .5);
border-bottom: .25rem solid transparent;

97
src/crypto_wrapper.rs
View File

@ -1,97 +0,0 @@
use std::io::ErrorKind;
use crate::Res;
use aes_gcm::aead::{Aead, OsRng};
use aes_gcm::{Aes256Gcm, Key, KeyInit, Nonce};
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _;
use bincode::{Decode, Encode};
use rand::Rng;
const NONCE_LEN: usize = 12;
pub struct CryptoWrapper {
key: Key<Aes256Gcm>,
}
impl CryptoWrapper {
/// Generate a new memory wrapper
pub fn new_random() -> Self {
Self {
key: Aes256Gcm::generate_key(&mut OsRng),
}
}
/// Encrypt some data
pub fn encrypt<T: Encode + Decode>(&self, data: &T) -> Res<String> {
let aes_key = Aes256Gcm::new(&self.key);
let nonce_bytes = rand::thread_rng().gen::<[u8; NONCE_LEN]>();
let serialized_data = bincode::encode_to_vec(data, bincode::config::standard())?;
let mut enc = aes_key
.encrypt(Nonce::from_slice(&nonce_bytes), serialized_data.as_slice())
.unwrap();
enc.extend_from_slice(&nonce_bytes);
Ok(BASE64_STANDARD.encode(enc))
}
/// Decrypt some data previously encrypted using the [`CryptoWrapper::encrypt`] method
pub fn decrypt<T: Decode>(&self, input: &str) -> Res<T> {
let bytes = BASE64_STANDARD.decode(input)?;
if bytes.len() < NONCE_LEN {
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Input string is smaller than nonce!",
)));
}
let (enc, nonce) = bytes.split_at(bytes.len() - NONCE_LEN);
assert_eq!(nonce.len(), NONCE_LEN);
let aes_key = Aes256Gcm::new(&self.key);
let dec = match aes_key.decrypt(Nonce::from_slice(nonce), enc) {
Ok(d) => d,
Err(e) => {
log::error!("Failed to decrypt wrapped data! {:#?}", e);
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Failed to decrypt wrapped data!",
)));
}
};
Ok(bincode::decode_from_slice(&dec, bincode::config::standard())?.0)
}
}
#[cfg(test)]
mod test {
use crate::crypto_wrapper::CryptoWrapper;
use bincode::{Decode, Encode};
#[derive(Encode, Decode, Eq, PartialEq, Debug)]
struct Message(String);
#[test]
fn encrypt_and_decrypt() {
let wrapper = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper.encrypt(&msg).unwrap();
let dec: Message = wrapper.decrypt(&enc).unwrap();
assert_eq!(dec, msg)
}
#[test]
fn encrypt_and_decrypt_invalid() {
let wrapper_1 = CryptoWrapper::new_random();
let wrapper_2 = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper_1.encrypt(&msg).unwrap();
wrapper_2.decrypt::<Message>(&enc).unwrap_err();
}
}

4
src/lib.rs
View File

@ -3,8 +3,4 @@ use std::error::Error;
pub type Res<A = ()> = Result<A, Box<dyn Error>>;
pub mod app_config;
pub mod crypto_wrapper;
pub mod openid_primitives;
pub mod remote_ip;
pub mod state_manager;
pub mod time_utils;

27
src/main.rs
View File

@ -1,11 +1,11 @@
use actix_web::middleware::Logger;
use actix_web::{get, web, App, HttpResponse, HttpServer};
use askama::Template;
use light_openid::basic_state_manager::BasicStateManager;
use light_openid::primitives::OpenIDConfig;
use oidc_test_client::app_config::AppConfig;
use oidc_test_client::openid_primitives::OpenIDConfig;
use oidc_test_client::remote_ip::RemoteIP;
use oidc_test_client::state_manager::StateManager;
#[get("/assets/bootstrap.min.css")]
async fn bootstrap() -> HttpResponse {
@ -60,8 +60,8 @@ async fn home() -> HttpResponse {
}
#[get("/start")]
async fn start(remote_ip: RemoteIP) -> HttpResponse {
let config = match OpenIDConfig::load_from(&AppConfig::get().configuration_url).await {
async fn start(remote_ip: RemoteIP, state_manager: web::Data<BasicStateManager>) -> HttpResponse {
let config = match OpenIDConfig::load_from_url(&AppConfig::get().configuration_url).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load OpenID configuration! {e}");
@ -69,7 +69,7 @@ async fn start(remote_ip: RemoteIP) -> HttpResponse {
}
};
let state = match StateManager::gen_state(&remote_ip) {
let state = match state_manager.gen_state(remote_ip.0) {
Ok(s) => s,
Err(e) => {
log::error!("Failed to generate state! {:?}", e);
@ -77,7 +77,7 @@ async fn start(remote_ip: RemoteIP) -> HttpResponse {
}
};
let authorization_url = config.authorization_url(
let authorization_url = config.gen_authorization_url(
&AppConfig::get().client_id,
&state,
&AppConfig::get().redirect_url(),
@ -95,15 +95,19 @@ struct RedirectQuery {
}
#[get("/redirect")]
async fn redirect(remote_ip: RemoteIP, query: web::Query<RedirectQuery>) -> HttpResponse {
async fn redirect(
remote_ip: RemoteIP,
query: web::Query<RedirectQuery>,
state_manager: web::Data<BasicStateManager>,
) -> HttpResponse {
// First, validate state
if let Err(e) = StateManager::validate_state(&remote_ip, &query.state) {
if let Err(e) = state_manager.validate_state(remote_ip.0, &query.state) {
log::error!("Failed to validate state {}: {:?}", query.state, e);
return ErrorTemplate::build("State could not be validated!");
}
// Then, load OpenID configuration
let config = match OpenIDConfig::load_from(&AppConfig::get().configuration_url).await {
let config = match OpenIDConfig::load_from_url(&AppConfig::get().configuration_url).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load OpenID configuration! {e}");
@ -158,13 +162,14 @@ async fn main() -> std::io::Result<()> {
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
log::info!("Init state manager");
StateManager::init();
let state_manager = web::Data::new(BasicStateManager::new());
log::info!("Will listen on {}", AppConfig::get().listen_addr);
HttpServer::new(|| {
HttpServer::new(move || {
App::new()
.wrap(Logger::default())
.app_data(state_manager.clone())
.service(bootstrap)
.service(cover)
.service(home)

97
src/openid_primitives.rs
View File

@ -1,97 +0,0 @@
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine;
use std::collections::HashMap;
use crate::Res;
#[derive(Debug, Clone, serde::Deserialize)]
pub struct OpenIDConfig {
pub authorization_endpoint: String,
pub token_endpoint: String,
pub userinfo_endpoint: String,
}
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct TokenResponse {
pub access_token: String,
pub token_type: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub refresh_token: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub expires_in: Option<u64>,
#[serde(skip_serializing_if = "Option::is_none")]
pub id_token: Option<String>,
}
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct UserInfo {
pub sub: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub given_name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub family_name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub preferred_username: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub email: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub email_verified: Option<bool>,
}
impl OpenIDConfig {
/// Load OpenID configuration from a given URL
pub async fn load_from(url: &str) -> Res<Self> {
Ok(reqwest::get(url).await?.json().await?)
}
/// Get the authorization URL where a user should be redirect
pub fn authorization_url(&self, client_id: &str, state: &str, redirect_uri: &str) -> String {
let client_id = urlencoding::encode(client_id);
let state = urlencoding::encode(state);
let redirect_uri = urlencoding::encode(redirect_uri);
format!("{}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={redirect_uri}", self.authorization_endpoint)
}
/// Query the token endpoint
pub async fn request_token(
&self,
client_id: &str,
client_secret: &str,
code: &str,
redirect_uri: &str,
) -> Res<(TokenResponse, String)> {
let authorization = BASE64_STANDARD.encode(format!("{}:{}", client_id, client_secret));
let mut params = HashMap::new();
params.insert("grant_type", "authorization_code");
params.insert("code", code);
params.insert("redirect_uri", redirect_uri);
let response = reqwest::Client::new()
.post(&self.token_endpoint)
.header("Authorization", format!("Basic {authorization}"))
.form(&params)
.send()
.await?
.text()
.await?;
Ok((serde_json::from_str(&response)?, response))
}
/// Query the UserInfo endpoint
pub async fn request_user_info(&self, token: &TokenResponse) -> Res<(UserInfo, String)> {
let response = reqwest::Client::new()
.get(&self.userinfo_endpoint)
.header("Authorization", format!("Bearer {}", token.access_token))
.send()
.await?
.text()
.await?;
Ok((serde_json::from_str(&response)?, response))
}
}

72
src/state_manager.rs
View File

@ -1,72 +0,0 @@
use std::error::Error;
use std::fmt;
use crate::crypto_wrapper::CryptoWrapper;
use crate::remote_ip::RemoteIP;
use crate::time_utils::time;
use crate::Res;
use bincode::{Decode, Encode};
use std::net::IpAddr;
pub struct StateManager;
static mut WRAPPER: Option<CryptoWrapper> = None;
#[derive(Encode, Decode, Debug)]
struct State {
ip: IpAddr,
expire: u64,
}
impl State {
pub fn new(ip: IpAddr) -> Self {
Self {
ip,
expire: time() + 15 * 60,
}
}
}
#[derive(Debug, Copy, Clone)]
enum StateError {
InvalidIp,
Expired,
}
impl Error for StateError {}
impl fmt::Display for StateError {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "StateManager error {:?}", self)
}
}
impl StateManager {
pub fn init() {
unsafe {
WRAPPER = Some(CryptoWrapper::new_random());
}
}
/// Generate a new state
pub fn gen_state(ip: &RemoteIP) -> Res<String> {
let state = State::new(ip.0);
unsafe { WRAPPER.as_ref().unwrap() }.encrypt(&state)
}
/// Validate generated state
pub fn validate_state(ip: &RemoteIP, state: &str) -> Res {
let state: State = unsafe { WRAPPER.as_ref().unwrap() }.decrypt(state)?;
if state.ip != ip.0 {
return Err(Box::new(StateError::InvalidIp));
}
if state.expire < time() {
return Err(Box::new(StateError::Expired));
}
Ok(())
}
}

9
src/time_utils.rs
View File

@ -1,9 +0,0 @@
use std::time::{SystemTime, UNIX_EPOCH};
/// Get current time since epoch
pub fn time() -> u64 {
SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_secs()
}

2
templates/base_page.html
View File

@ -20,7 +20,7 @@
<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="mb-auto">
<div>
<h3 class="float-md-start mb-0">OIDC test client</h3>
<a href="/"><h3 class="float-md-start mb-0 title">OIDC test client</h3></a>
</div>
</header>