Moved auth code to gateway

main
Jef Roosens 2021-11-09 10:42:16 +01:00
parent 4c67a43553
commit 26e2f5f3b1
Signed by: Jef Roosens
GPG Key ID: 955C0660072F691F
12 changed files with 2473 additions and 2 deletions

1
.gitignore vendored 100644
View File

@ -0,0 +1 @@
/target

1917
Cargo.lock generated 100644

File diff suppressed because it is too large Load Diff

42
Cargo.toml 100644
View File

@ -0,0 +1,42 @@
[package]
name = "rb-gw"
version = "0.1.0"
edition = "2018"
[lib]
name = "rb_gw"
path = "src/lib.rs"
[[bin]]
name = "rb-gw"
path = "src/main.rs"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
# Backend web framework
rocket = { version = "0.5.0-rc.1", features = [ "json", "uuid" ] }
# Used to provide Rocket routes with database connections
rocket_sync_db_pools = { version = "0.1.0-rc.1", default_features = false, features = [ "diesel_postgres_pool" ] }
# Used to (de)serialize JSON
serde = { version = "1.0.127", features = [ "derive" ] }
# ORM
diesel = { version = "1.4.7", features = ["postgres", "uuidv07", "chrono"] }
diesel_migrations = "1.4.0"
# To properly compile libpq statically
openssl = "0.10.36"
# For password hashing & verification
rust-argon2 = "0.8.3"
rand = "0.8.4"
uuid = { version = "0.8.2", features = ["serde"] }
# Authentification
jwt = "0.14.0"
hmac = "*"
sha2 = "*"
# Timestamps for JWT tokens
chrono = { version = "*", features = [ "serde" ] }
# Encoding of refresh tokens
base64 = "0.13.0"
# Reading in configuration files
figment = { version = "*", features = [ "yaml" ] }
mimalloc = { version = "0.1.26", default_features = false }

View File

@ -1,3 +1,10 @@
# rb-auth
# rb-gw
Authentification service for the Rusty Bever blogging software.
The gateway service serves several functions:
* Make the microservice architecture appear as a single API
* Route requests to their respective microservice
* Authenticate requests
This service is the only one that the end user will use & is also the only one
that allows connections from non-microservice sources.

58
admin.rs 100644
View File

@ -0,0 +1,58 @@
use diesel::PgConnection;
use rocket::serde::json::Json;
use uuid::Uuid;
use crate::{
auth::pass::hash_password,
db,
errors::{RbError, RbResult},
guards::Admin,
RbDbConn,
};
// #[get("/users")]
// pub async fn get_users(_admin: Admin, conn: RbDbConn) -> RbResult<Json<Vec<db::User>>>
// {
// Ok(Json(conn.run(|c| db::users::all(c)).await?))
// }
#[post("/users", data = "<user>")]
pub async fn create_user(_admin: Admin, conn: RbDbConn, user: Json<db::NewUser>) -> RbResult<()>
{
Ok(conn
.run(move |c| db::users::create(c, &user.into_inner()))
.await?)
}
#[get("/users/<user_id_str>")]
pub async fn get_user_info(
_admin: Admin,
conn: RbDbConn,
user_id_str: &str,
) -> RbResult<Json<db::User>>
{
let user_id = Uuid::parse_str(user_id_str).map_err(|_| RbError::UMUnknownUser)?;
match conn.run(move |c| db::users::find(c, user_id)).await {
Some(user) => Ok(Json(user)),
None => Err(RbError::UMUnknownUser),
}
}
pub fn create_admin_user(conn: &PgConnection, username: &str, password: &str) -> RbResult<bool>
{
let pass_hashed = hash_password(password)?;
let new_user = db::NewUser {
username: username.to_string(),
password: pass_hashed,
admin: true,
};
if db::users::find_by_username(conn, username).is_ok() {
db::users::create(conn, &new_user);
}
// db::users::create_or_update(conn, &new_user)
// .map_err(|_| RbError::Custom("Couldn't create admin."))?;
Ok(true)
}

5
diesel.toml 100644
View File

@ -0,0 +1,5 @@
# For documentation on how to configure this file,
# see diesel.rs/guides/configuring-diesel-cli
[print_schema]
file = "src/schema.rs"

69
rustfmt.toml 100644
View File

@ -0,0 +1,69 @@
binop_separator = "Front"
blank_lines_lower_bound = 0
blank_lines_upper_bound = 1
# Trying something new
brace_style = "AlwaysNextLine"
color = "Auto"
combine_control_expr = false
comment_width = 80
condense_wildcard_suffixes = false
control_brace_style = "AlwaysSameLine"
disable_all_formatting = false
edition = "2018"
emit_mode = "Files"
empty_item_single_line = true
enum_discrim_align_threshold = 0
error_on_line_overflow = false
error_on_unformatted = false
fn_args_layout = "Tall"
fn_single_line = false
force_explicit_abi = true
force_multiline_blocks = false
format_code_in_doc_comments = false
format_macro_bodies = true
format_macro_matchers = false
format_strings = false
group_imports = "StdExternalCrate"
hard_tabs = false
hide_parse_errors = false
ignore = []
imports_granularity = "Crate"
imports_indent = "Block"
imports_layout = "Mixed"
indent_style = "Block"
inline_attribute_width = 0
license_template_path = ""
make_backup = false
match_arm_blocks = true
match_arm_leading_pipes = "Never"
match_block_trailing_comma = true
max_width = 100
merge_derives = true
newline_style = "Auto"
normalize_comments = false
normalize_doc_attributes = false
overflow_delimited_expr = false
remove_nested_parens = true
reorder_impl_items = false
reorder_imports = true
reorder_modules = true
report_fixme = "Always"
report_todo = "Always"
required_version = "1.4.37"
skip_children = false
space_after_colon = true
space_before_colon = false
spaces_around_ranges = false
struct_field_align_threshold = 0
struct_lit_single_line = true
tab_spaces = 4
trailing_comma = "Vertical"
trailing_semicolon = true
type_punctuation_density = "Wide"
unstable_features = false
use_field_init_shorthand = false
use_small_heuristics = "Default"
use_try_shorthand = false
version = "One"
where_single_line = false
wrap_comments = false

118
src/auth/jwt.rs 100644
View File

@ -0,0 +1,118 @@
use chrono::Utc;
use diesel::PgConnection;
use hmac::{Hmac, NewMac};
use jwt::SignWithKey;
use rand::{thread_rng, Rng};
use serde::{Deserialize, Serialize};
use sha2::Sha256;
use crate::{
db,
errors::{RbError, RbResult},
RbJwtConf,
};
#[derive(Serialize)]
#[serde(rename_all = "camelCase")]
pub struct JWTResponse
{
token: String,
refresh_token: String,
}
#[derive(Serialize, Deserialize)]
pub struct Claims
{
pub id: uuid::Uuid,
pub username: String,
pub admin: bool,
pub exp: i64,
}
pub fn generate_jwt_token(
conn: &PgConnection,
jwt: &RbJwtConf,
user: &db::User,
) -> RbResult<JWTResponse>
{
let key: Hmac<Sha256> = Hmac::new_from_slice(jwt.key.as_bytes())
.map_err(|_| RbError::Custom("Couldn't create Hmac key."))?;
let current_time = Utc::now();
// Create the claims
let claims = Claims {
id: user.id,
username: user.username.clone(),
admin: user.admin,
exp: current_time.timestamp() + jwt.refresh_token_expire,
};
// Sign the claims into a new token
let token = claims
.sign_with_key(&key)
.map_err(|_| RbError::Custom("Couldn't sign JWT."))?;
// Generate a random refresh token
let mut refresh_token = vec![0u8; jwt.refresh_token_size];
thread_rng().fill(&mut refresh_token[..]);
let refresh_expire =
(current_time + chrono::Duration::seconds(jwt.refresh_token_expire)).naive_utc();
// Store refresh token in database
db::tokens::create(
conn,
&db::NewRefreshToken {
token: refresh_token.to_vec(),
user_id: user.id,
expires_at: refresh_expire,
},
)?;
Ok(JWTResponse {
token,
refresh_token: base64::encode(refresh_token),
})
}
pub fn refresh_token(
conn: &PgConnection,
jwt: &RbJwtConf,
refresh_token: &str,
) -> RbResult<JWTResponse>
{
let token_bytes =
base64::decode(refresh_token).map_err(|_| RbError::AuthInvalidRefreshToken)?;
// First, we request the token from the database to see if it's really a valid token
let (token_entry, user) =
db::tokens::find_with_user(conn, &token_bytes).ok_or(RbError::AuthInvalidRefreshToken)?;
// If we see that the token has already been used before, we block the user.
if token_entry.last_used_at.is_some() {
// If we fail to block the user, the end user must know
if let Err(err) = db::users::block(conn, token_entry.user_id) {
return Err(err);
}
return Err(RbError::AuthDuplicateRefreshToken);
}
// Then we check if the user is blocked
if user.blocked {
return Err(RbError::AuthBlockedUser);
}
// Now we check if the token has already expired
let cur_time = Utc::now().naive_utc();
if token_entry.expires_at < cur_time {
return Err(RbError::AuthTokenExpired);
}
// We update the last_used_at value for the refresh token
db::tokens::update_last_used_at(conn, &token_entry.token, cur_time)?;
generate_jwt_token(conn, jwt, &user)
}

68
src/auth/mod.rs 100644
View File

@ -0,0 +1,68 @@
use rocket::{serde::json::Json, State};
use serde::Deserialize;
use self::{
jwt::{generate_jwt_token, JWTResponse},
pass::verify_user,
};
use crate::{errors::RbResult, guards::User, RbConfig, RbDbConn};
pub mod jwt;
pub mod pass;
#[derive(Deserialize)]
pub struct Credentials
{
username: String,
password: String,
}
#[post("/login")]
pub async fn already_logged_in(_user: User) -> String
{
String::from("You're already logged in!")
}
#[post("/login", data = "<credentials>", rank = 2)]
pub async fn login(
conn: RbDbConn,
conf: &State<RbConfig>,
credentials: Json<Credentials>,
) -> RbResult<Json<JWTResponse>>
{
let credentials = credentials.into_inner();
let jwt = conf.jwt.clone();
// Get the user, if credentials are valid
let user = conn
.run(move |c| verify_user(c, &credentials.username, &credentials.password))
.await?;
Ok(Json(
conn.run(move |c| generate_jwt_token(c, &jwt, &user))
.await?,
))
}
#[derive(Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct RefreshTokenRequest
{
pub refresh_token: String,
}
#[post("/refresh", data = "<refresh_token_request>")]
pub async fn refresh_token(
conn: RbDbConn,
conf: &State<RbConfig>,
refresh_token_request: Json<RefreshTokenRequest>,
) -> RbResult<Json<JWTResponse>>
{
let refresh_token = refresh_token_request.into_inner().refresh_token;
let jwt = conf.jwt.clone();
Ok(Json(
conn.run(move |c| crate::auth::jwt::refresh_token(c, &jwt, &refresh_token))
.await?,
))
}

36
src/auth/pass.rs 100644
View File

@ -0,0 +1,36 @@
use argon2::verify_encoded;
use diesel::PgConnection;
use rand::{thread_rng, Rng};
use crate::{
db,
errors::{RbError, RbResult},
};
pub fn verify_user(conn: &PgConnection, username: &str, password: &str) -> RbResult<db::User>
{
// TODO handle non-"NotFound" Diesel errors accordingely
let user = db::users::find_by_username(conn, username).map_err(|_| RbError::AuthUnknownUser)?;
// Check if a user is blocked
if user.blocked {
return Err(RbError::AuthBlockedUser);
}
match verify_encoded(user.password.as_str(), password.as_bytes()) {
Ok(true) => Ok(user),
_ => Err(RbError::AuthInvalidPassword),
}
}
pub fn hash_password(password: &str) -> RbResult<String>
{
// Generate a random salt
let mut salt = [0u8; 64];
thread_rng().fill(&mut salt[..]);
// Encode the actual password
let config = argon2::Config::default();
argon2::hash_encoded(password.as_bytes(), &salt, &config)
.map_err(|_| RbError::Custom("Couldn't hash password."))
}

101
src/main.rs 100644
View File

@ -0,0 +1,101 @@
#[macro_use]
extern crate rocket;
#[macro_use]
extern crate diesel_migrations;
#[macro_use]
extern crate diesel;
use figment::{
providers::{Env, Format, Yaml},
Figment,
};
use rocket::{
fairing::AdHoc,
http::Status,
serde::json::{json, Value},
Build, Orbit, Request, Rocket,
};
use rocket_sync_db_pools::database;
use serde::{Deserialize, Serialize};
pub mod auth;
// pub mod db;
// pub mod errors;
// pub mod guards;
pub(crate) mod schema;
#[database("postgres_rb")]
pub struct RbDbConn(diesel::PgConnection);
#[catch(default)]
fn default_catcher(status: Status, _: &Request) -> Value
{
json!({"status": status.code, "message": ""})
}
embed_migrations!();
async fn run_db_migrations(rocket: Rocket<Build>) -> Result<Rocket<Build>, Rocket<Build>>
{
let conn = RbDbConn::get_one(&rocket)
.await
.expect("database connection");
conn.run(|c| match embedded_migrations::run(c) {
Ok(()) => Ok(rocket),
Err(_) => Err(rocket),
})
.await
}
async fn create_admin_user<'a>(rocket: &'a Rocket<Orbit>)
{
let config = rocket.state::<RbConfig>().expect("RbConfig instance");
let admin_user = config.admin_user.clone();
let admin_pass = config.admin_pass.clone();
let conn = RbDbConn::get_one(&rocket)
.await
.expect("database connection");
conn.run(move |c| {
admin::create_admin_user(c, &admin_user, &admin_pass).expect("failed to create admin user")
})
.await;
}
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct RbJwtConf
{
key: String,
refresh_token_size: usize,
refresh_token_expire: i64,
}
#[derive(Debug, Deserialize, Serialize)]
pub struct RbConfig
{
admin_user: String,
admin_pass: String,
jwt: RbJwtConf,
}
#[launch]
fn rocket() -> _
{
let figment = Figment::from(rocket::config::Config::default())
.merge(Yaml::file("Rb.yaml").nested())
.merge(Env::prefixed("RB_").global());
rocket::custom(figment)
.attach(RbDbConn::fairing())
.attach(AdHoc::try_on_ignite(
"Run database migrations",
run_db_migrations,
))
// .attach(AdHoc::try_on_ignite("Create admin user", create_admin_user))
.attach(AdHoc::config::<RbConfig>())
.register("/", catchers![default_catcher])
.mount(
"/api/auth",
routes![auth::already_logged_in, auth::login, auth::refresh_token,],
)
}

49
src/schema.rs 100644
View File

@ -0,0 +1,49 @@
table! {
posts (id) {
id -> Uuid,
section_id -> Uuid,
title -> Nullable<Varchar>,
publish_date -> Date,
content -> Text,
}
}
table! {
refresh_tokens (token) {
token -> Bytea,
user_id -> Uuid,
expires_at -> Timestamp,
last_used_at -> Nullable<Timestamp>,
}
}
table! {
sections (id) {
id -> Uuid,
title -> Varchar,
shortname -> Varchar,
description -> Nullable<Text>,
is_default -> Bool,
has_titles -> Bool,
}
}
table! {
users (id) {
id -> Uuid,
username -> Varchar,
password -> Text,
blocked -> Bool,
admin -> Bool,
}
}
joinable!(posts -> sections (section_id));
joinable!(refresh_tokens -> users (user_id));
allow_tables_to_appear_in_same_query!(
posts,
refresh_tokens,
sections,
users,
);