Implement server (#3)
All checks were successful
continuous-integration/drone/push Build is passing

Use Actix as HTTP service

Reviewed-on: #3
This commit is contained in:
Pierre HUBERT 2023-04-28 07:15:09 +00:00
parent 001f2420e5
commit bf570c477f
16 changed files with 2708 additions and 58 deletions

1776
Cargo.lock generated

File diff suppressed because it is too large Load Diff

View File

@ -8,5 +8,16 @@ edition = "2021"
[dependencies]
log = "0.4.17"
env_logger = "0.10.0"
clap = {version="4.2.4", features=["derive", "env"]}
clap = { version = "4.2.4", features = ["derive", "env"] }
lazy_static = "1.4.0"
actix-web = "4.3.1"
askama = "0.12.0"
serde = { version = "1.0.160", features = ["derive"] }
serde_json = "1.0.96"
reqwest = { version = "0.11.16", features = ["json"] }
urlencoding = "2.1.2"
futures-util = "0.3.28"
aes-gcm = "0.10.1"
base64 = "0.21.0"
rand = "0.8.5"
bincode = {version="2.0.0-rc.3",features=["serde"]}

6
assets/bootstrap.min.css vendored Normal file

File diff suppressed because one or more lines are too long

127
assets/cover.css Normal file
View File

@ -0,0 +1,127 @@
/*
* Globals
*/
/* Custom default button */
.btn-light,
.btn-light:hover,
.btn-light:focus {
color: #333;
text-shadow: none; /* Prevent inheritance from `body` */
}
/*
* Base structure
*/
body {
text-shadow: 0 .05rem .1rem rgba(0, 0, 0, .5);
box-shadow: inset 0 0 5rem rgba(0, 0, 0, .5);
}
.cover-container {
max-width: 42em;
}
main {
overflow-y: scroll;
}
/*
* Header
*/
.nav-masthead .nav-link {
color: rgba(255, 255, 255, .5);
border-bottom: .25rem solid transparent;
}
.nav-masthead .nav-link:hover,
.nav-masthead .nav-link:focus {
border-bottom-color: rgba(255, 255, 255, .25);
}
.nav-masthead .nav-link + .nav-link {
margin-left: 1rem;
}
.nav-masthead .active {
color: #fff;
border-bottom-color: #fff;
}
.bd-placeholder-img {
font-size: 1.125rem;
text-anchor: middle;
-webkit-user-select: none;
-moz-user-select: none;
user-select: none;
}
@media (min-width: 768px) {
.bd-placeholder-img-lg {
font-size: 3.5rem;
}
}
.b-example-divider {
width: 100%;
height: 3rem;
background-color: rgba(0, 0, 0, .1);
border: solid rgba(0, 0, 0, .15);
border-width: 1px 0;
box-shadow: inset 0 .5em 1.5em rgba(0, 0, 0, .1), inset 0 .125em .5em rgba(0, 0, 0, .15);
}
.b-example-vr {
flex-shrink: 0;
width: 1.5rem;
height: 100vh;
}
.bi {
vertical-align: -.125em;
fill: currentColor;
}
.nav-scroller {
position: relative;
z-index: 2;
height: 2.75rem;
overflow-y: hidden;
}
.nav-scroller .nav {
display: flex;
flex-wrap: nowrap;
padding-bottom: 1rem;
margin-top: -1px;
overflow-x: auto;
text-align: center;
white-space: nowrap;
-webkit-overflow-scrolling: touch;
}
.btn-bd-primary {
--bd-violet-bg: #712cf9;
--bd-violet-rgb: 112.520718, 44.062154, 249.437846;
--bs-btn-font-weight: 600;
--bs-btn-color: var(--bs-white);
--bs-btn-bg: var(--bd-violet-bg);
--bs-btn-border-color: var(--bd-violet-bg);
--bs-btn-hover-color: var(--bs-white);
--bs-btn-hover-bg: #6528e0;
--bs-btn-hover-border-color: #6528e0;
--bs-btn-focus-shadow-rgb: var(--bd-violet-rgb);
--bs-btn-active-color: var(--bs-btn-hover-color);
--bs-btn-active-bg: #5a23c8;
--bs-btn-active-border-color: #5a23c8;
}
.bd-mode-toggle {
z-index: 1500;
}

58
src/app_config.rs Normal file
View File

@ -0,0 +1,58 @@
use clap::Parser;
const REDIRECT_URI: &str = "/redirect";
/// Basic OpenID test client
#[derive(Parser, Debug)]
pub struct AppConfig {
/// Listen URL
#[arg(short, long, env, default_value = "0.0.0.0:7510")]
pub listen_addr: String,
/// Public URL, the URL where this service is accessible, without the trailing slash
#[arg(short, long, env, default_value = "http://localhost:7510")]
pub public_url: String,
/// URL where the OpenID configuration can be found
#[arg(short, long, env)]
pub configuration_url: String,
/// OpenID client ID
#[arg(long, env)]
pub client_id: String,
/// OpenID client secret
#[arg(long, env)]
pub client_secret: String,
/// Proxy IP, might end with a "*"
#[clap(long, env)]
pub proxy_ip: Option<String>,
}
impl AppConfig {
pub fn get() -> &'static Self {
&CONF
}
pub fn redirect_url(&self) -> String {
format!("{}{}", self.public_url, REDIRECT_URI)
}
}
lazy_static::lazy_static! {
static ref CONF: AppConfig = {
AppConfig::parse()
};
}
#[cfg(test)]
mod test {
use crate::app_config::AppConfig;
#[test]
fn verify_cli() {
use clap::CommandFactory;
AppConfig::command().debug_assert();
}
}

97
src/crypto_wrapper.rs Normal file
View File

@ -0,0 +1,97 @@
use std::io::ErrorKind;
use crate::Res;
use aes_gcm::aead::{Aead, OsRng};
use aes_gcm::{Aes256Gcm, Key, KeyInit, Nonce};
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine as _;
use bincode::{Decode, Encode};
use rand::Rng;
const NONCE_LEN: usize = 12;
pub struct CryptoWrapper {
key: Key<Aes256Gcm>,
}
impl CryptoWrapper {
/// Generate a new memory wrapper
pub fn new_random() -> Self {
Self {
key: Aes256Gcm::generate_key(&mut OsRng),
}
}
/// Encrypt some data
pub fn encrypt<T: Encode + Decode>(&self, data: &T) -> Res<String> {
let aes_key = Aes256Gcm::new(&self.key);
let nonce_bytes = rand::thread_rng().gen::<[u8; NONCE_LEN]>();
let serialized_data = bincode::encode_to_vec(data, bincode::config::standard())?;
let mut enc = aes_key
.encrypt(Nonce::from_slice(&nonce_bytes), serialized_data.as_slice())
.unwrap();
enc.extend_from_slice(&nonce_bytes);
Ok(BASE64_STANDARD.encode(enc))
}
/// Decrypt some data previously encrypted using the [`CryptoWrapper::encrypt`] method
pub fn decrypt<T: Decode>(&self, input: &str) -> Res<T> {
let bytes = BASE64_STANDARD.decode(input)?;
if bytes.len() < NONCE_LEN {
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Input string is smaller than nonce!",
)));
}
let (enc, nonce) = bytes.split_at(bytes.len() - NONCE_LEN);
assert_eq!(nonce.len(), NONCE_LEN);
let aes_key = Aes256Gcm::new(&self.key);
let dec = match aes_key.decrypt(Nonce::from_slice(nonce), enc) {
Ok(d) => d,
Err(e) => {
log::error!("Failed to decrypt wrapped data! {:#?}", e);
return Err(Box::new(std::io::Error::new(
ErrorKind::Other,
"Failed to decrypt wrapped data!",
)));
}
};
Ok(bincode::decode_from_slice(&dec, bincode::config::standard())?.0)
}
}
#[cfg(test)]
mod test {
use crate::crypto_wrapper::CryptoWrapper;
use bincode::{Decode, Encode};
#[derive(Encode, Decode, Eq, PartialEq, Debug)]
struct Message(String);
#[test]
fn encrypt_and_decrypt() {
let wrapper = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper.encrypt(&msg).unwrap();
let dec: Message = wrapper.decrypt(&enc).unwrap();
assert_eq!(dec, msg)
}
#[test]
fn encrypt_and_decrypt_invalid() {
let wrapper_1 = CryptoWrapper::new_random();
let wrapper_2 = CryptoWrapper::new_random();
let msg = Message("Pierre was here".to_string());
let enc = wrapper_1.encrypt(&msg).unwrap();
wrapper_2.decrypt::<Message>(&enc).unwrap_err();
}
}

10
src/lib.rs Normal file
View File

@ -0,0 +1,10 @@
use std::error::Error;
pub type Res<A = ()> = Result<A, Box<dyn Error>>;
pub mod app_config;
pub mod crypto_wrapper;
pub mod openid_primitives;
pub mod remote_ip;
pub mod state_manager;
pub mod time_utils;

View File

@ -1,50 +1,178 @@
use clap::Parser;
use actix_web::middleware::Logger;
use actix_web::{get, web, App, HttpResponse, HttpServer};
use askama::Template;
/// Basic OpenID test client
#[derive(Parser, Debug)]
struct AppConfig {
/// Listen URL
#[arg(short, long, env, default_value = "0.0.0.0:7510")]
listen_addr: String,
use oidc_test_client::app_config::AppConfig;
use oidc_test_client::openid_primitives::OpenIDConfig;
use oidc_test_client::remote_ip::RemoteIP;
use oidc_test_client::state_manager::StateManager;
/// Public URL, the URL where this service is accessible, without the trailing slash
#[arg(short, long, env, default_value = "http://localhost:7510")]
public_url: String,
/// URL where the OpenID configuration can be found
#[arg(short, long, env)]
configuration_url: String,
/// OpenID client ID
#[arg(long, env)]
client_id: String,
/// OpenID client secret
#[arg(long, env)]
client_secret: String,
#[get("/assets/bootstrap.min.css")]
async fn bootstrap() -> HttpResponse {
HttpResponse::Ok()
.content_type("text/css")
.body(include_str!("../assets/bootstrap.min.css"))
}
lazy_static::lazy_static! {
static ref CONF: AppConfig = {
AppConfig::parse()
};
#[get("/assets/cover.css")]
async fn cover() -> HttpResponse {
HttpResponse::Ok()
.content_type("text/css")
.body(include_str!("../assets/cover.css"))
}
fn main() {
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
log::info!("Will listen on {}", CONF.listen_addr);
println!("Hello, world!");
#[derive(Template)]
#[template(path = "home.html")]
struct HomeTemplate {
redirect_url: String,
}
#[cfg(test)]
mod test {
use crate::AppConfig;
#[derive(Template)]
#[template(path = "result.html")]
struct ResultTemplate {
token: String,
user_info: String,
}
#[test]
fn verify_cli() {
use clap::CommandFactory;
AppConfig::command().debug_assert();
#[derive(Template)]
#[template(path = "error.html")]
struct ErrorTemplate<'a> {
message: &'a str,
}
impl<'a> ErrorTemplate<'a> {
pub fn build(message: &'a str) -> HttpResponse {
HttpResponse::Unauthorized()
.content_type("text/html")
.body(Self { message }.render().unwrap())
}
}
#[get("/")]
async fn home() -> HttpResponse {
HttpResponse::Ok().content_type("text/html").body(
HomeTemplate {
redirect_url: AppConfig::get().redirect_url(),
}
.render()
.unwrap(),
)
}
#[get("/start")]
async fn start(remote_ip: RemoteIP) -> HttpResponse {
let config = match OpenIDConfig::load_from(&AppConfig::get().configuration_url).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load OpenID configuration! {e}");
return ErrorTemplate::build("Failed to load OpenID configuration!");
}
};
let state = match StateManager::gen_state(&remote_ip) {
Ok(s) => s,
Err(e) => {
log::error!("Failed to generate state! {:?}", e);
return ErrorTemplate::build("Failed to generate state!");
}
};
let authorization_url = config.authorization_url(
&AppConfig::get().client_id,
&state,
&AppConfig::get().redirect_url(),
);
HttpResponse::Found()
.append_header(("Location", authorization_url))
.finish()
}
#[derive(serde::Deserialize)]
struct RedirectQuery {
state: String,
code: String,
}
#[get("/redirect")]
async fn redirect(remote_ip: RemoteIP, query: web::Query<RedirectQuery>) -> HttpResponse {
// First, validate state
if let Err(e) = StateManager::validate_state(&remote_ip, &query.state) {
log::error!("Failed to validate state {}: {:?}", query.state, e);
return ErrorTemplate::build("State could not be validated!");
}
// Then, load OpenID configuration
let config = match OpenIDConfig::load_from(&AppConfig::get().configuration_url).await {
Ok(c) => c,
Err(e) => {
log::error!("Failed to load OpenID configuration! {e}");
return ErrorTemplate::build("Failed to load OpenID configuration!");
}
};
// Query token endpoint
let (token, token_str) = match config
.request_token(
&AppConfig::get().client_id,
&AppConfig::get().client_secret,
&query.code,
&AppConfig::get().redirect_url(),
)
.await
{
Ok(t) => t,
Err(e) => {
log::error!("Failed to retrieve token! {}", e);
return ErrorTemplate::build("Failed to retrieve access token!");
}
};
// Query userinfo endpoint
let (_user_info, user_info_str) = match config.request_user_info(&token).await {
Ok(t) => t,
Err(e) => {
log::error!("Failed to retrieve user info! {}", e);
return ErrorTemplate::build("Failed to retrieve user info!");
}
};
HttpResponse::Ok().content_type("text/html").body(
ResultTemplate {
token: serde_json::to_string_pretty(
&serde_json::from_str::<serde_json::Value>(&token_str).unwrap(),
)
.unwrap(),
user_info: serde_json::to_string_pretty(
&serde_json::from_str::<serde_json::Value>(&user_info_str).unwrap(),
)
.unwrap(),
}
.render()
.unwrap(),
)
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
log::info!("Init state manager");
StateManager::init();
log::info!("Will listen on {}", AppConfig::get().listen_addr);
HttpServer::new(|| {
App::new()
.wrap(Logger::default())
.service(bootstrap)
.service(cover)
.service(home)
.service(start)
.service(redirect)
})
.bind(&AppConfig::get().listen_addr)
.expect("Failed to bind server!")
.run()
.await
}

97
src/openid_primitives.rs Normal file
View File

@ -0,0 +1,97 @@
use base64::engine::general_purpose::STANDARD as BASE64_STANDARD;
use base64::Engine;
use std::collections::HashMap;
use crate::Res;
#[derive(Debug, Clone, serde::Deserialize)]
pub struct OpenIDConfig {
pub authorization_endpoint: String,
pub token_endpoint: String,
pub userinfo_endpoint: String,
}
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct TokenResponse {
pub access_token: String,
pub token_type: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub refresh_token: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub expires_in: Option<u64>,
#[serde(skip_serializing_if = "Option::is_none")]
pub id_token: Option<String>,
}
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct UserInfo {
pub sub: String,
#[serde(skip_serializing_if = "Option::is_none")]
pub name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub given_name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub family_name: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub preferred_username: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub email: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub email_verified: Option<bool>,
}
impl OpenIDConfig {
/// Load OpenID configuration from a given URL
pub async fn load_from(url: &str) -> Res<Self> {
Ok(reqwest::get(url).await?.json().await?)
}
/// Get the authorization URL where a user should be redirect
pub fn authorization_url(&self, client_id: &str, state: &str, redirect_uri: &str) -> String {
let client_id = urlencoding::encode(client_id);
let state = urlencoding::encode(state);
let redirect_uri = urlencoding::encode(redirect_uri);
format!("{}?response_type=code&scope=openid%20profile%20email&client_id={client_id}&state={state}&redirect_uri={redirect_uri}", self.authorization_endpoint)
}
/// Query the token endpoint
pub async fn request_token(
&self,
client_id: &str,
client_secret: &str,
code: &str,
redirect_uri: &str,
) -> Res<(TokenResponse, String)> {
let authorization = BASE64_STANDARD.encode(format!("{}:{}", client_id, client_secret));
let mut params = HashMap::new();
params.insert("grant_type", "authorization_code");
params.insert("code", code);
params.insert("redirect_uri", redirect_uri);
let response = reqwest::Client::new()
.post(&self.token_endpoint)
.header("Authorization", format!("Basic {authorization}"))
.form(&params)
.send()
.await?
.text()
.await?;
Ok((serde_json::from_str(&response)?, response))
}
/// Query the UserInfo endpoint
pub async fn request_user_info(&self, token: &TokenResponse) -> Res<(UserInfo, String)> {
let response = reqwest::Client::new()
.get(&self.userinfo_endpoint)
.header("Authorization", format!("Bearer {}", token.access_token))
.send()
.await?
.text()
.await?;
Ok((serde_json::from_str(&response)?, response))
}
}

202
src/remote_ip.rs Normal file
View File

@ -0,0 +1,202 @@
use std::net::{IpAddr, Ipv6Addr};
use crate::app_config::AppConfig;
use actix_web::dev::Payload;
use actix_web::{Error, FromRequest, HttpRequest};
use futures_util::future::{ready, Ready};
use std::str::FromStr;
/// Parse an IP address
pub fn parse_ip(ip: &str) -> Option<IpAddr> {
let mut ip = match IpAddr::from_str(ip) {
Ok(ip) => ip,
Err(e) => {
log::warn!("Failed to parse an IP address: {}", e);
return None;
}
};
if let IpAddr::V6(ipv6) = &mut ip {
let mut octets = ipv6.octets();
for o in octets.iter_mut().skip(8) {
*o = 0;
}
ip = IpAddr::V6(Ipv6Addr::from(octets));
}
Some(ip)
}
/// Check if two ips matches
pub fn match_ip(pattern: &str, ip: &str) -> bool {
if pattern.eq(ip) {
return true;
}
if pattern.ends_with('*') && ip.starts_with(&pattern.replace('*', "")) {
return true;
}
false
}
/// Get the remote IP address
pub fn get_remote_ip(req: &HttpRequest, proxy_ip: Option<&str>) -> IpAddr {
let mut ip = req.peer_addr().unwrap().ip();
// We check if the request comes from a trusted reverse proxy
if let Some(proxy) = proxy_ip.as_ref() {
if match_ip(proxy, &ip.to_string()) {
if let Some(header) = req.headers().get("X-Forwarded-For") {
let header = header.to_str().unwrap();
let remote_ip = if let Some((upstream_ip, _)) = header.split_once(',') {
upstream_ip
} else {
header
};
if let Some(upstream_ip) = parse_ip(remote_ip) {
ip = upstream_ip;
}
}
}
}
ip
}
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
pub struct RemoteIP(pub IpAddr);
impl From<RemoteIP> for IpAddr {
fn from(i: RemoteIP) -> Self {
i.0
}
}
impl FromRequest for RemoteIP {
type Error = Error;
type Future = Ready<Result<Self, Error>>;
#[inline]
fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
ready(Ok(RemoteIP(get_remote_ip(
req,
AppConfig::get().proxy_ip.as_deref(),
))))
}
}
#[cfg(test)]
mod test {
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
use std::str::FromStr;
use crate::remote_ip::{get_remote_ip, parse_ip};
use actix_web::test::TestRequest;
#[test]
fn test_get_remote_ip() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.to_http_request();
assert_eq!(
get_remote_ip(&req, None),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"1.1.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy_2() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"1.1.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_proxy_ipv6() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "10::1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.1")),
"10::".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_no_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, None),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn test_get_remote_ip_from_other_proxy() {
let req = TestRequest::default()
.peer_addr(SocketAddr::from_str("192.168.1.1:1000").unwrap())
.insert_header(("X-Forwarded-For", "1.1.1.1, 1.2.2.2"))
.to_http_request();
assert_eq!(
get_remote_ip(&req, Some("192.168.1.2")),
"192.168.1.1".parse::<IpAddr>().unwrap()
);
}
#[test]
fn parse_bad_ip() {
let ip = parse_ip("badbad");
assert_eq!(None, ip);
}
#[test]
fn parse_ip_v4_address() {
let ip = parse_ip("192.168.1.1").unwrap();
assert_eq!(ip, IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1)));
}
#[test]
fn parse_ip_v6_address() {
let ip = parse_ip("2a00:1450:4007:813::200e").unwrap();
assert_eq!(
ip,
IpAddr::V6(Ipv6Addr::new(0x2a00, 0x1450, 0x4007, 0x813, 0, 0, 0, 0))
);
}
#[test]
fn parse_ip_v6_address_2() {
let ip = parse_ip("::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 0)));
}
#[test]
fn parse_ip_v6_address_3() {
let ip = parse_ip("a::1").unwrap();
assert_eq!(ip, IpAddr::V6(Ipv6Addr::new(0xa, 0, 0, 0, 0, 0, 0, 0)));
}
}

72
src/state_manager.rs Normal file
View File

@ -0,0 +1,72 @@
use std::error::Error;
use std::fmt;
use crate::crypto_wrapper::CryptoWrapper;
use crate::remote_ip::RemoteIP;
use crate::time_utils::time;
use crate::Res;
use bincode::{Decode, Encode};
use std::net::IpAddr;
pub struct StateManager;
static mut WRAPPER: Option<CryptoWrapper> = None;
#[derive(Encode, Decode, Debug)]
struct State {
ip: IpAddr,
expire: u64,
}
impl State {
pub fn new(ip: IpAddr) -> Self {
Self {
ip,
expire: time() + 15 * 60,
}
}
}
#[derive(Debug, Copy, Clone)]
enum StateError {
InvalidIp,
Expired,
}
impl Error for StateError {}
impl fmt::Display for StateError {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "StateManager error {:?}", self)
}
}
impl StateManager {
pub fn init() {
unsafe {
WRAPPER = Some(CryptoWrapper::new_random());
}
}
/// Generate a new state
pub fn gen_state(ip: &RemoteIP) -> Res<String> {
let state = State::new(ip.0);
unsafe { WRAPPER.as_ref().unwrap() }.encrypt(&state)
}
/// Validate generated state
pub fn validate_state(ip: &RemoteIP, state: &str) -> Res {
let state: State = unsafe { WRAPPER.as_ref().unwrap() }.decrypt(state)?;
if state.ip != ip.0 {
return Err(Box::new(StateError::InvalidIp));
}
if state.expire < time() {
return Err(Box::new(StateError::Expired));
}
Ok(())
}
}

9
src/time_utils.rs Normal file
View File

@ -0,0 +1,9 @@
use std::time::{SystemTime, UNIX_EPOCH};
/// Get current time since epoch
pub fn time() -> u64 {
SystemTime::now()
.duration_since(UNIX_EPOCH)
.unwrap()
.as_secs()
}

41
templates/base_page.html Normal file
View File

@ -0,0 +1,41 @@
<!doctype html>
<html lang="en" class="h-100" data-bs-theme="auto">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="OIDC basic test client">
<meta name="author" content="Pierre HUBERT">
<title>OIDC Test client</title>
<link href="/assets/bootstrap.min.css" rel="stylesheet" integrity="sha384-KK94CHFLLe+nY2dmCWGMq91rCGa5gtU4mk92HdvYe+M/SXH301p5ILy+dN9+nJOZ" crossorigin="anonymous">
<link href="/assets/cover.css" rel="stylesheet" />
<meta name="theme-color" content="#712cf9">
</head>
<body class="d-flex h-100 text-center text-bg-dark">
<div class="cover-container d-flex w-100 h-100 p-3 mx-auto flex-column">
<header class="mb-auto">
<div>
<h3 class="float-md-start mb-0">OIDC test client</h3>
</div>
</header>
<main class="px-3">
{% block content %}
TO_REPLACE
{% endblock content %}
</main>
<footer class="mt-auto text-white-50">
<p>&copy; Pierre HUBERT</p>
</footer>
</div>
</body>
</html>

9
templates/error.html Normal file
View File

@ -0,0 +1,9 @@
{% extends "base_page.html" %}
{% block content %}
<div class="alert alert-danger" role="alert">
{{ message }}
</div>
<a class="btn btn-primary" href="/start" role="button">Start again</a>
{% endblock content %}

11
templates/home.html Normal file
View File

@ -0,0 +1,11 @@
{% extends "base_page.html" %}
{% block content %}
<h1>Test OIDC Authentication flow.</h1>
<p class="lead">Get started testing OIDC authentication flow</p>
<p>Redirect URI: {{ redirect_url }}</p>
<p class="lead">
<a href="/start" class="btn btn-lg btn-light fw-bold border-white bg-white">Start</a>
</p>
{% endblock content %}

30
templates/result.html Normal file
View File

@ -0,0 +1,30 @@
{% extends "base_page.html" %}
{% block content %}
<style>
.card {
text-align: left;
margin-bottom: 20px;
}
</style>
<div class="alert alert-success" role="alert">
Login successful
</div>
<div class="card">
<div class="card-body">
<h5 class="card-title">Token response</h5>
<pre class="card-text">{{ token }}</pre>
</div>
</div>
<div class="card">
<div class="card-body">
<h5 class="card-title">User info</h5>
<pre class="card-text">{{ user_info }}</pre>
</div>
</div>
<a class="btn btn-primary" href="/start" role="button">Start again</a>
{% endblock content %}