pierre/oidc-test-client
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Implement server (#3)
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source 
Use Actix as HTTP service

Reviewed-on: #3
This commit is contained in:
Pierre HUBERT
2023-04-28 07:15:09 +00:00
parent 001f2420e5
commit bf570c477f
16 changed files with 2708 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1776
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

13
Cargo.toml
View File

@@ -8,5 +8,16 @@ edition = "2021"
[dependencies] [dependencies]
log = "0.4.17" log = "0.4.17"
env_logger = "0.10.0" env_logger = "0.10.0"
clap = {version="4.2.4", features=["derive", "env"]} clap = { version = "4.2.4", features = ["derive", "env"] }
lazy_static = "1.4.0" lazy_static = "1.4.0"
actix-web = "4.3.1"
askama = "0.12.0"
serde = { version = "1.0.160", features = ["derive"] }
serde_json = "1.0.96"
reqwest = { version = "0.11.16", features = ["json"] }
urlencoding = "2.1.2"
futures-util = "0.3.28"
aes-gcm = "0.10.1"
base64 = "0.21.0"
rand = "0.8.5"
bincode = {version="2.0.0-rc.3",features=["serde"]}

6
assets/bootstrap.min.css vendored Normal file
View File

File diff suppressed because one or more lines are too long

127
assets/cover.css Normal file
View File

@@ -0,0 +1,127 @@
/*
* Globals
*/
/* Custom default button */
.btn-light,
.btn-light:hover,
.btn-light:focus {
color: #333;
text-shadow: none; /* Prevent inheritance from `body` */
}
/*
* Base structure
*/
body {
text-shadow: 0 .05rem .1rem rgba(0, 0, 0, .5);
box-shadow: inset 0 0 5rem rgba(0, 0, 0, .5);
}
.cover-container {
max-width: 42em;
}
main {
overflow-y: scroll;
}
/*
* Header
*/
.nav-masthead .nav-link {
color: rgba(255, 255, 255, .5);
border-bottom: .25rem solid transparent;
}
.nav-masthead .nav-link:hover,
.nav-masthead .nav-link:focus {
border-bottom-color: rgba(255, 255, 255, .25);
}
.nav-masthead .nav-link + .nav-link {
margin-left: 1rem;
}
.nav-masthead .active {
color: #fff;
border-bottom-color: #fff;
}
.bd-placeholder-img {
font-size: 1.125rem;
text-anchor: middle;
-webkit-user-select: none;
-moz-user-select: none;
user-select: none;
}
@media (min-width: 768px) {
.bd-placeholder-img-lg {
font-size: 3.5rem;
}
}
.b-example-divider {
width: 100%;
height: 3rem;
background-color: rgba(0, 0, 0, .1);
border: solid rgba(0, 0, 0, .15);
border-width: 1px 0;
box-shadow: inset 0 .5em 1.5em rgba(0, 0, 0, .1), inset 0 .125em .5em rgba(0, 0, 0, .15);
}
.b-example-vr {
flex-shrink: 0;
width: 1.5rem;
height: 100vh;
}
.bi {
vertical-align: -.125em;
fill: currentColor;
}
.nav-scroller {
position: relative;
z-index: 2;
height: 2.75rem;
overflow-y: hidden;
}
.nav-scroller .nav {
display: flex;
flex-wrap: nowrap;
padding-bottom: 1rem;
margin-top: -1px;
overflow-x: auto;
text-align: center;
white-space: nowrap;
-webkit-overflow-scrolling: touch;
}
.btn-bd-primary {
--bd-violet-bg: #712cf9;
--bd-violet-rgb: 112.520718, 44.062154, 249.437846;
--bs-btn-font-weight: 600;
--bs-btn-color: var(--bs-white);
--bs-btn-bg: var(--bd-violet-bg);
--bs-btn-border-color: var(--bd-violet-bg);
--bs-btn-hover-color: var(--bs-white);
--bs-btn-hover-bg: #6528e0;
--bs-btn-hover-border-color: #6528e0;
--bs-btn-focus-shadow-rgb: var(--bd-violet-rgb);
--bs-btn-active-color: var(--bs-btn-hover-color);
--bs-btn-active-bg: #5a23c8;
--bs-btn-active-border-color: #5a23c8;
}
.bd-mode-toggle {
z-index: 1500;
}

58
src/app_config.rs Normal file
View File

@@ -0,0 +1,58 @@
use clap::Parser;
const REDIRECT_URI: &str = "/redirect";
/// Basic OpenID test client
#[derive(Parser, Debug)]
pub struct AppConfig {
/// Listen URL
#[arg(short, long, env, default_value = "0.0.0.0:7510")]
pub listen_addr: String,
/// Public URL, the URL where this service is accessible, without the trailing slash
#[arg(short, long, env, default_value = "http://localhost:7510")]
pub public_url: String,
/// URL where the OpenID configuration can be found
#[arg(short, long, env)]
pub configuration_url: String,
/// OpenID client ID
#[arg(long, env)]
pub client_id: String,
/// OpenID client secret
#[arg(long, env)]
pub client_secret: String,
/// Proxy IP, might end with a "*"
#[clap(long, env)]
pub proxy_ip: Option<String>,
}
impl AppConfig {
pub fn get() -> &'static Self {
&CONF
}
pub fn redirect_url(&self) -> String {
format!("{}{}", self.public_url, REDIRECT_URI)
}
}
lazy_static::lazy_static! {
static ref CONF: AppConfig = {
AppConfig::parse()
};
}
#[cfg(test)]
mod test {
use crate::app_config::AppConfig;
#[test]
fn verify_cli() {
use clap::CommandFactory;
AppConfig::command().debug_assert();
}
}

97
src/crypto_wrapper.rs Normal file
View File

@@ -0,0 +1,97 @@
use std::io::ErrorKind;
use crate::Res;
use aes_gcm::aead::{Aead, OsRng};
use aes_gcm::{Aes256Gcm, Key, KeyInit, Nonce};
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _;
use bincode::{Decode, Encode};
use rand::Rng;
const NONCE_LEN: usize = 12;
pub struct CryptoWrapper {
key: Key<Aes256Gcm>,
}
impl CryptoWrapper {
/// Generate a new memory wrapper
pub fn new_random() -> Self {
Self {
key: Aes256Gcm::generate_key(&mut OsRng),
}
}
/// Encrypt some data
pub fn encrypt<T: Encode + Decode>(&self, data: &T) -> Res<String> {
let aes_key = Aes256Gcm::new(&self.key);
let nonce_bytes = rand::thread_rng().gen::<[u8; NONCE_LEN]>();
let serialized_data = bincode::encode_to_vec(data, bincode::config::standard())?;
let mut enc = aes_key
.encrypt(Nonce::from_slice(&nonce_bytes), serialized_data.as_slice())
.unwrap();
enc.extend_from_slice(&nonce_bytes);
Ok(BASE64_STANDARD.encode(enc))
}
/// Decrypt some data previously encrypted using the [`CryptoWrapper::encrypt`] method
pub fn decrypt<T: Decode>(&self, input: &str) -> Res<T> {
let bytes = BASE64_STANDARD.decode(input)?;
if bytes.len() < NONCE_LEN {
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Input string is smaller than nonce!",
)));
}
let (enc, nonce) = bytes.split_at(bytes.len() - NONCE_LEN);
assert_eq!(nonce.len(), NONCE_LEN);
let aes_key = Aes256Gcm::new(&self.key);
let dec = match aes_key.decrypt(Nonce::from_slice(nonce), enc) {
Ok(d) => d,
Err(e) => {
log::error!("Failed to decrypt wrapped data! {:#?}", e);
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Failed to decrypt wrapped data!",
)));
}
};
Ok(bincode::decode_from_slice(&dec, bincode::config::standard())?.0)
}
}
#[cfg(test)]
mod test {
use crate::crypto_wrapper::CryptoWrapper;
use bincode::{Decode, Encode};
#[derive(Encode, Decode, Eq, PartialEq, Debug)]
struct Message(String);
#[test]
fn encrypt_and_decrypt() {
let wrapper = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper.encrypt(&msg).unwrap();
let dec: Message = wrapper.decrypt(&enc).unwrap();
assert_eq!(dec, msg)
}
#[test]
fn encrypt_and_decrypt_invalid() {
let wrapper_1 = CryptoWrapper::new_random();
let wrapper_2 = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper_1.encrypt(&msg).unwrap();
wrapper_2.decrypt::<Message>(&enc).unwrap_err();
}
}

10
src/lib.rs Normal file
View File

@@ -0,0 +1,10 @@
use std::error::Error;
pub type Res<A = ()> = Result<A, Box<dyn Error>>;
pub mod app_config;
pub mod crypto_wrapper;
pub mod openid_primitives;
pub mod remote_ip;
pub mod state_manager;
pub mod time_utils;

206
src/main.rs
View File

@@ -1,50 +1,178 @@
use clap::Parser; use actix_web::middleware::Logger;
use actix_web::{get, web, App, HttpResponse, HttpServer};
use askama::Template;
/// Basic OpenID test client use oidc_test_client::app_config::AppConfig;
#[derive(Parser, Debug)] use oidc_test_client::openid_primitives::OpenIDConfig;
struct AppConfig { use oidc_test_client::remote_ip::RemoteIP;
/// Listen URL use oidc_test_client::state_manager::StateManager;
#[arg(short, long, env, default_value = "0.0.0.0:7510")]
listen_addr: String,
/// Public URL, the URL where this service is accessible, without the trailing slash #[get("/assets/bootstrap.min.css")]
#[arg(short, long, env, default_value = "http://localhost:7510")] async fn bootstrap() -> HttpResponse {
public_url: String, HttpResponse::Ok()
.content_type("text/css")
/// URL where the OpenID configuration can be found .body(include_str!("../assets/bootstrap.min.css"))
#[arg(short, long, env)]
configuration_url: String,
/// OpenID client ID
#[arg(long, env)]
client_id: String,
/// OpenID client secret
#[arg(long, env)]
client_secret: String,
} }
lazy_static::lazy_static! { #[get("/assets/cover.css")]
static ref CONF: AppConfig = { async fn cover() -> HttpResponse {
AppConfig::parse() HttpResponse::Ok()
}; .content_type("text/css")
.body(include_str!("../assets/cover.css"))
} }
fn main() { #[derive(Template)]
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info")); #[template(path = "home.html")]
struct HomeTemplate {
log::info!("Will listen on {}", CONF.listen_addr); redirect_url: String,
println!("Hello, world!");
} }
#[cfg(test)] #[derive(Template)]
mod test { #[template(path = "result.html")]
use crate::AppConfig; struct ResultTemplate {
token: String,
user_info: String,
}
#[test] #[derive(Template)]
fn verify_cli() { #[template(path = "error.html")]
use clap::CommandFactory; struct ErrorTemplate<'a> {
AppConfig::command().debug_assert(); message: &'a str,
}
impl<'a> ErrorTemplate<'a> {
pub fn build(message: &'a str) -> HttpResponse {
HttpResponse::Unauthorized()
.content_type("text/html")
.body(Self { message }.render().unwrap())
} }
} }
#[get("/")]
async fn home() -> HttpResponse {
HttpResponse::Ok().content_type("text/html").body(
HomeTemplate {
redirect_url: AppConfig::get().redirect_url(),
}
.render()
.unwrap(),
)
}
#[get("/start")]
async fn start(remote_ip: RemoteIP) -> HttpResponse {
let config = match OpenIDConfig::load_from(&AppConfig::get().configuration_url).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load OpenID configuration! {e}");
return ErrorTemplate::build("Failed to load OpenID configuration!");
}
};
let state = match StateManager::gen_state(&remote_ip) {
Ok(s) => s,
Err(e) => {
log::error!("Failed to generate state! {:?}", e);
return ErrorTemplate::build("Failed to generate state!");
}
};
let authorization_url = config.authorization_url(
&AppConfig::get().client_id,
&state,
&AppConfig::get().redirect_url(),
);
HttpResponse::Found()
.append_header(("Location", authorization_url))
.finish()
}
#[derive(serde::Deserialize)]
struct RedirectQuery {
state: String,
code: String,
}
#[get("/redirect")]
async fn redirect(remote_ip: RemoteIP, query: web::Query<RedirectQuery>) -> HttpResponse {
// First, validate state
if let Err(e) = StateManager::validate_state(&remote_ip, &query.state) {
log::error!("Failed to validate state {}: {:?}", query.state, e);
return ErrorTemplate::build("State could not be validated!");
}
// Then, load OpenID configuration
let config = match OpenIDConfig::load_from(&AppConfig::get().configuration_url).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load OpenID configuration! {e}");
return ErrorTemplate::build("Failed to load OpenID configuration!");
}
};
// Query token endpoint
let (token, token_str) = match config
.request_token(
&AppConfig::get().client_id,
&AppConfig::get().client_secret,
&query.code,
&AppConfig::get().redirect_url(),
)
.await
{
Ok(t) => t,
Err(e) => {
log::error!("Failed to retrieve token! {}", e);
return ErrorTemplate::build("Failed to retrieve access token!");
}
};
// Query userinfo endpoint
let (_user_info, user_info_str) = match config.request_user_info(&token).await {
Ok(t) => t,
Err(e) => {
log::error!("Failed to retrieve user info! {}", e);
return ErrorTemplate::build("Failed to retrieve user info!");
}
};
HttpResponse::Ok().content_type("text/html").body(
ResultTemplate {
token: serde_json::to_string_pretty(
&serde_json::from_str::<serde_json::Value>(&token_str).unwrap(),
)
.unwrap(),
user_info: serde_json::to_string_pretty(
&serde_json::from_str::<serde_json::Value>(&user_info_str).unwrap(),
)
.unwrap(),
}
.render()
.unwrap(),
)
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
log::info!("Init state manager");
StateManager::init();
log::info!("Will listen on {}", AppConfig::get().listen_addr);
HttpServer::new(|| {
App::new()
.wrap(Logger::default())
.service(bootstrap)
.service(cover)
.service(home)
.service(start)
.service(redirect)
})
.bind(&AppConfig::get().listen_addr)
.expect("Failed to bind server!")
.run()
.await
}

97
src/openid_primitives.rs Normal file
View File

@@ -0,0 +1,97 @@
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine;
use std::collections::HashMap;
use crate::Res;
#[derive(Debug, Clone, serde::Deserialize)]
pub struct OpenIDConfig {
pub authorization_endpoint: String,
pub token_endpoint: String,
pub userinfo_endpoint: String,
}
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct TokenResponse {
pub access_token: String,
pub token_type: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub refresh_token: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub expires_in: Option<u64>,
#[serde(skip_serializing_if = "Option::is_none")]
pub id_token: Option<String>,
}
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct UserInfo {
pub sub: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub given_name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub family_name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub preferred_username: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub email: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub email_verified: Option<bool>,
}
impl OpenIDConfig {
/// Load OpenID configuration from a given URL
pub async fn load_from(url: &str) -> Res<Self> {
Ok(reqwest::get(url).await?.json().await?)
}
/// Get the authorization URL where a user should be redirect
pub fn authorization_url(&self, client_id: &str, state: &str, redirect_uri: &str) -> String {
let client_id = urlencoding::encode(client_id);
let state = urlencoding::encode(state);
let redirect_uri = urlencoding::encode(redirect_uri);
format!("{}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={redirect_uri}", self.authorization_endpoint)
}
/// Query the token endpoint
pub async fn request_token(
&self,
client_id: &str,
client_secret: &str,
code: &str,
redirect_uri: &str,
) -> Res<(TokenResponse, String)> {
let authorization = BASE64_STANDARD.encode(format!("{}:{}", client_id, client_secret));
let mut params = HashMap::new();
params.insert("grant_type", "authorization_code");
params.insert("code", code);
params.insert("redirect_uri", redirect_uri);
let response = reqwest::Client::new()
.post(&self.token_endpoint)
.header("Authorization", format!("Basic {authorization}"))
.form(&params)
.send()
.await?
.text()
.await?;
Ok((serde_json::from_str(&response)?, response))
}
/// Query the UserInfo endpoint
pub async fn request_user_info(&self, token: &TokenResponse) -> Res<(UserInfo, String)> {
let response = reqwest::Client::new()
.get(&self.userinfo_endpoint)
.header("Authorization", format!("Bearer {}", token.access_token))
.send()
.await?
.text()
.await?;
Ok((serde_json::from_str(&response)?, response))
}
}

202
src/remote_ip.rs Normal file
View File

@@ -0,0 +1,202 @@
use std::net::{IpAddr, Ipv6Addr};
use crate::app_config::AppConfig;
use actix_web::dev::Payload;
use actix_web::{Error, FromRequest, HttpRequest};
use futures_util::future::{ready, Ready};
use std::str::FromStr;
/// Parse an IP address
pub fn parse_ip(ip: &str) -> Option<IpAddr> {
let mut ip = match IpAddr::from_str(ip) {
Ok(ip) => ip,
Err(e) => {
log::warn!("Failed to parse an IP address: {}", e);
return None;
}
};
if let IpAddr::V6(ipv6) = &mut ip {
let mut octets = ipv6.octets();
for o in octets.iter_mut().skip(8) {
*o = 0;
}
ip = IpAddr::V6(Ipv6Addr::from(octets));
}
Some(ip)
}
/// Check if two ips matches
pub fn match_ip(pattern: &str, ip: &str) -> bool {
if pattern.eq(ip) {
return true;
}
if pattern.ends_with('*') && ip.starts_with(&pattern.replace('*', "")) {
return true;
}
false
}
/// Get the remote IP address
pub fn get_remote_ip(req: &HttpRequest, proxy_ip: Option<&str>) -> IpAddr {
let mut ip = req.peer_addr().unwrap().ip();
// We check if the request comes from a trusted reverse proxy
if let Some(proxy) = proxy_ip.as_ref() {
if match_ip(proxy, &ip.to_string()) {
if let Some(header) = req.headers().get("X-Forwarded-For") {
let header = header.to_str().unwrap();
let remote_ip = if let Some((upstream_ip, _)) = header.split_once(',') {
upstream_ip
} else {
header
};
if let Some(upstream_ip) = parse_ip(remote_ip) {
ip = upstream_ip;
}
}
}
}
ip
}
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct RemoteIP(pub IpAddr);
impl From<RemoteIP> for IpAddr {
fn from(i: RemoteIP) -> Self {
i.0
}
}
impl FromRequest for RemoteIP {
type Error = Error;
type Future = Ready<Result<Self, Error>>;
#[inline]
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
ready(Ok(RemoteIP(get_remote_ip(
req,
AppConfig::get().proxy_ip.as_deref(),
))))
}
}
#[cfg(test)]
mod test {
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
use std::str::FromStr;
use crate::remote_ip::{get_remote_ip, parse_ip};
use actix_web::test::TestRequest;
#[test]
fn test_get_remote_ip() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.to_http_request();
assert_eq!(
get_remote_ip(&req, None),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"1.1.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy_2() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"1.1.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy_ipv6() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "10::1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"10::".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_no_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, None),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_other_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.2")),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn parse_bad_ip() {
let ip = parse_ip("badbad");
assert_eq!(None, ip);
}
#[test]
fn parse_ip_v4_address() {
let ip = parse_ip("192.168.1.1").unwrap();
assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)));
}
#[test]
fn parse_ip_v6_address() {
let ip = parse_ip("2a00:1450:4007:813::200e").unwrap();
assert_eq!(
ip,
IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4007, 0x813, 0, 0, 0, 0))
);
}
#[test]
fn parse_ip_v6_address_2() {
let ip = parse_ip("::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0)));
}
#[test]
fn parse_ip_v6_address_3() {
let ip = parse_ip("a::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0xa, 0, 0, 0, 0, 0, 0, 0)));
}
}

72
src/state_manager.rs Normal file
View File

@@ -0,0 +1,72 @@
use std::error::Error;
use std::fmt;
use crate::crypto_wrapper::CryptoWrapper;
use crate::remote_ip::RemoteIP;
use crate::time_utils::time;
use crate::Res;
use bincode::{Decode, Encode};
use std::net::IpAddr;
pub struct StateManager;
static mut WRAPPER: Option<CryptoWrapper> = None;
#[derive(Encode, Decode, Debug)]
struct State {
ip: IpAddr,
expire: u64,
}
impl State {
pub fn new(ip: IpAddr) -> Self {
Self {
ip,
expire: time() + 15 * 60,
}
}
}
#[derive(Debug, Copy, Clone)]
enum StateError {
InvalidIp,
Expired,
}
impl Error for StateError {}
impl fmt::Display for StateError {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "StateManager error {:?}", self)
}
}
impl StateManager {
pub fn init() {
unsafe {
WRAPPER = Some(CryptoWrapper::new_random());
}
}
/// Generate a new state
pub fn gen_state(ip: &RemoteIP) -> Res<String> {
let state = State::new(ip.0);
unsafe { WRAPPER.as_ref().unwrap() }.encrypt(&state)
}
/// Validate generated state
pub fn validate_state(ip: &RemoteIP, state: &str) -> Res {
let state: State = unsafe { WRAPPER.as_ref().unwrap() }.decrypt(state)?;
if state.ip != ip.0 {
return Err(Box::new(StateError::InvalidIp));
}
if state.expire < time() {
return Err(Box::new(StateError::Expired));
}
Ok(())
}
}

9
src/time_utils.rs Normal file
View File

@@ -0,0 +1,9 @@
use std::time::{SystemTime, UNIX_EPOCH};
/// Get current time since epoch
pub fn time() -> u64 {
SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_secs()
}

41
templates/base_page.html Normal file
View File

@@ -0,0 +1,41 @@
<!doctype html>
<html lang="en" class="h-100" data-bs-theme="auto">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="OIDC basic test client">
<meta name="author" content="Pierre HUBERT">
<title>OIDC Test client</title>
<link href="/assets/bootstrap.min.css" rel="stylesheet" integrity="sha384-KK94CHFLLe+nY2dmCWGMq91rCGa5gtU4mk92HdvYe+M/SXH301p5ILy+dN9+nJOZ" crossorigin="anonymous">
<link href="/assets/cover.css" rel="stylesheet" />
<meta name="theme-color" content="#712cf9">
</head>
<body class="d-flex h-100 text-center text-bg-dark">
<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="mb-auto">
<div>
<h3 class="float-md-start mb-0">OIDC test client</h3>
</div>
</header>
<main class="px-3">
{% block content %}
TO_REPLACE
{% endblock content %}
</main>
<footer class="mt-auto text-white-50">
<p>&copy; Pierre HUBERT</p>
</footer>
</div>
</body>
</html>

9
templates/error.html Normal file
View File

@@ -0,0 +1,9 @@
{% extends "base_page.html" %}
{% block content %}
<div class="alert alert-danger" role="alert">
{{ message }}
</div>
<a class="btn btn-primary" href="/start" role="button">Start again</a>
{% endblock content %}

11
templates/home.html Normal file
View File

@@ -0,0 +1,11 @@
{% extends "base_page.html" %}
{% block content %}
<h1>Test OIDC Authentication flow.</h1>
<p class="lead">Get started testing OIDC authentication flow</p>
<p>Redirect URI: {{ redirect_url }}</p>
<p class="lead">
<a href="/start" class="btn btn-lg btn-light fw-bold border-white bg-white">Start</a>
</p>
{% endblock content %}

30
templates/result.html Normal file
View File

@@ -0,0 +1,30 @@
{% extends "base_page.html" %}
{% block content %}
<style>
.card {
text-align: left;
margin-bottom: 20px;
}
</style>
<div class="alert alert-success" role="alert">
Login successful
</div>
<div class="card">
<div class="card-body">
<h5 class="card-title">Token response</h5>
<pre class="card-text">{{ token }}</pre>
</div>
</div>
<div class="card">
<div class="card-body">
<h5 class="card-title">User info</h5>
<pre class="card-text">{{ user_info }}</pre>
</div>
</div>
<a class="btn btn-primary" href="/start" role="button">Start again</a>
{% endblock content %}