Compare commits

..

4 commits

Author SHA1 Message Date
aecf9509f5 Implement padlock proxy 2024-02-20 21:57:03 +00:00
fe7cea89c5 Add url, reqwest dependencies 2024-02-20 21:50:49 +00:00
d1f8e461b1 db: rename methods to clarify token kind 2024-02-20 21:00:08 +00:00
a50660ddc3 Sort dependencies properly 2024-02-20 19:59:26 +00:00
9 changed files with 548 additions and 51 deletions

305
Cargo.lock generated
View file

@ -178,10 +178,10 @@ dependencies = [
"axum-core", "axum-core",
"bytes", "bytes",
"futures-util", "futures-util",
"http", "http 1.0.0",
"http-body", "http-body 1.0.0",
"http-body-util", "http-body-util",
"hyper", "hyper 1.1.0",
"hyper-util", "hyper-util",
"itoa", "itoa",
"matchit", "matchit",
@ -211,8 +211,8 @@ dependencies = [
"async-trait", "async-trait",
"bytes", "bytes",
"futures-util", "futures-util",
"http", "http 1.0.0",
"http-body", "http-body 1.0.0",
"http-body-util", "http-body-util",
"mime", "mime",
"pin-project-lite", "pin-project-lite",
@ -529,6 +529,15 @@ dependencies = [
"serde", "serde",
] ]
[[package]]
name = "encoding_rs"
version = "0.8.33"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7268b386296a025e474d5140678f75d6de9493ae55a5d709eeb9dd08149945e1"
dependencies = [
"cfg-if",
]
[[package]] [[package]]
name = "equivalent" name = "equivalent"
version = "1.0.1" version = "1.0.1"
@ -586,6 +595,7 @@ dependencies = [
"ldap3", "ldap3",
"md-5", "md-5",
"rand", "rand",
"reqwest",
"rustls", "rustls",
"rustls-webpki", "rustls-webpki",
"sct", "sct",
@ -600,6 +610,7 @@ dependencies = [
"tracing", "tracing",
"tracing-error", "tracing-error",
"tracing-subscriber", "tracing-subscriber",
"url",
] ]
[[package]] [[package]]
@ -631,6 +642,21 @@ version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
[[package]]
name = "foreign-types"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
dependencies = [
"foreign-types-shared",
]
[[package]]
name = "foreign-types-shared"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
[[package]] [[package]]
name = "form_urlencoded" name = "form_urlencoded"
version = "1.2.1" version = "1.2.1"
@ -767,6 +793,25 @@ version = "0.28.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253" checksum = "4271d37baee1b8c7e4b708028c57d816cf9d2434acb33a549475f78c181f6253"
[[package]]
name = "h2"
version = "0.3.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bb2c4422095b67ee78da96fbb51a4cc413b3b25883c7717ff7ca1ab31022c9c9"
dependencies = [
"bytes",
"fnv",
"futures-core",
"futures-sink",
"futures-util",
"http 0.2.11",
"indexmap",
"slab",
"tokio",
"tokio-util",
"tracing",
]
[[package]] [[package]]
name = "h2" name = "h2"
version = "0.4.2" version = "0.4.2"
@ -778,7 +823,7 @@ dependencies = [
"futures-core", "futures-core",
"futures-sink", "futures-sink",
"futures-util", "futures-util",
"http", "http 1.0.0",
"indexmap", "indexmap",
"slab", "slab",
"tokio", "tokio",
@ -856,6 +901,17 @@ dependencies = [
"windows-sys 0.52.0", "windows-sys 0.52.0",
] ]
[[package]]
name = "http"
version = "0.2.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8947b1a6fad4393052c7ba1f4cd97bed3e953a95c79c92ad9b051a04611d9fbb"
dependencies = [
"bytes",
"fnv",
"itoa",
]
[[package]] [[package]]
name = "http" name = "http"
version = "1.0.0" version = "1.0.0"
@ -867,6 +923,17 @@ dependencies = [
"itoa", "itoa",
] ]
[[package]]
name = "http-body"
version = "0.4.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2"
dependencies = [
"bytes",
"http 0.2.11",
"pin-project-lite",
]
[[package]] [[package]]
name = "http-body" name = "http-body"
version = "1.0.0" version = "1.0.0"
@ -874,7 +941,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1cac85db508abc24a2e48553ba12a996e87244a0395ce011e62b37158745d643" checksum = "1cac85db508abc24a2e48553ba12a996e87244a0395ce011e62b37158745d643"
dependencies = [ dependencies = [
"bytes", "bytes",
"http", "http 1.0.0",
] ]
[[package]] [[package]]
@ -885,8 +952,8 @@ checksum = "41cb79eb393015dadd30fc252023adb0b2400a0caee0fa2a077e6e21a551e840"
dependencies = [ dependencies = [
"bytes", "bytes",
"futures-util", "futures-util",
"http", "http 1.0.0",
"http-body", "http-body 1.0.0",
"pin-project-lite", "pin-project-lite",
] ]
@ -902,6 +969,30 @@ version = "1.0.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
[[package]]
name = "hyper"
version = "0.14.28"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bf96e135eb83a2a8ddf766e426a841d8ddd7449d5f00d34ea02b41d2f19eef80"
dependencies = [
"bytes",
"futures-channel",
"futures-core",
"futures-util",
"h2 0.3.24",
"http 0.2.11",
"http-body 0.4.6",
"httparse",
"httpdate",
"itoa",
"pin-project-lite",
"socket2",
"tokio",
"tower-service",
"tracing",
"want",
]
[[package]] [[package]]
name = "hyper" name = "hyper"
version = "1.1.0" version = "1.1.0"
@ -911,9 +1002,9 @@ dependencies = [
"bytes", "bytes",
"futures-channel", "futures-channel",
"futures-util", "futures-util",
"h2", "h2 0.4.2",
"http", "http 1.0.0",
"http-body", "http-body 1.0.0",
"httparse", "httparse",
"httpdate", "httpdate",
"itoa", "itoa",
@ -921,6 +1012,19 @@ dependencies = [
"tokio", "tokio",
] ]
[[package]]
name = "hyper-tls"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905"
dependencies = [
"bytes",
"hyper 0.14.28",
"native-tls",
"tokio",
"tokio-native-tls",
]
[[package]] [[package]]
name = "hyper-util" name = "hyper-util"
version = "0.1.3" version = "0.1.3"
@ -929,9 +1033,9 @@ checksum = "ca38ef113da30126bbff9cd1705f9273e15d45498615d138b0c20279ac7a76aa"
dependencies = [ dependencies = [
"bytes", "bytes",
"futures-util", "futures-util",
"http", "http 1.0.0",
"http-body", "http-body 1.0.0",
"hyper", "hyper 1.1.0",
"pin-project-lite", "pin-project-lite",
"socket2", "socket2",
"tokio", "tokio",
@ -963,6 +1067,12 @@ dependencies = [
"hashbrown", "hashbrown",
] ]
[[package]]
name = "ipnet"
version = "2.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3"
[[package]] [[package]]
name = "itertools" name = "itertools"
version = "0.12.1" version = "0.12.1"
@ -1141,6 +1251,24 @@ dependencies = [
"windows-sys 0.48.0", "windows-sys 0.48.0",
] ]
[[package]]
name = "native-tls"
version = "0.2.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e"
dependencies = [
"lazy_static",
"libc",
"log",
"openssl",
"openssl-probe",
"openssl-sys",
"schannel",
"security-framework",
"security-framework-sys",
"tempfile",
]
[[package]] [[package]]
name = "nix" name = "nix"
version = "0.27.1" version = "0.27.1"
@ -1270,12 +1398,50 @@ version = "1.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
[[package]]
name = "openssl"
version = "0.10.64"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f"
dependencies = [
"bitflags 2.4.2",
"cfg-if",
"foreign-types",
"libc",
"once_cell",
"openssl-macros",
"openssl-sys",
]
[[package]]
name = "openssl-macros"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.48",
]
[[package]] [[package]]
name = "openssl-probe" name = "openssl-probe"
version = "0.1.5" version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
[[package]]
name = "openssl-sys"
version = "0.9.100"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ae94056a791d0e1217d18b6cbdccb02c61e3054fc69893607f4067e3bb0b1fd1"
dependencies = [
"cc",
"libc",
"pkg-config",
"vcpkg",
]
[[package]] [[package]]
name = "overload" name = "overload"
version = "0.1.1" version = "0.1.1"
@ -1504,6 +1670,46 @@ version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f" checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f"
[[package]]
name = "reqwest"
version = "0.11.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c6920094eb85afde5e4a138be3f2de8bbdf28000f0029e72c45025a56b042251"
dependencies = [
"base64",
"bytes",
"encoding_rs",
"futures-core",
"futures-util",
"h2 0.3.24",
"http 0.2.11",
"http-body 0.4.6",
"hyper 0.14.28",
"hyper-tls",
"ipnet",
"js-sys",
"log",
"mime",
"native-tls",
"once_cell",
"percent-encoding",
"pin-project-lite",
"rustls-pemfile",
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper",
"system-configuration",
"tokio",
"tokio-native-tls",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
"winreg",
]
[[package]] [[package]]
name = "ring" name = "ring"
version = "0.16.20" version = "0.16.20"
@ -2111,6 +2317,27 @@ dependencies = [
"unicode-xid", "unicode-xid",
] ]
[[package]]
name = "system-configuration"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba3a3adc5c275d719af8cb4272ea1c4a6d668a777f37e115f6d11ddbc1c8e0e7"
dependencies = [
"bitflags 1.3.2",
"core-foundation",
"system-configuration-sys",
]
[[package]]
name = "system-configuration-sys"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a75fb188eb626b924683e3b95e3a48e63551fcfb51949de2f06a9d91dbee93c9"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]] [[package]]
name = "tempfile" name = "tempfile"
version = "3.10.0" version = "3.10.0"
@ -2227,6 +2454,16 @@ dependencies = [
"syn 2.0.48", "syn 2.0.48",
] ]
[[package]]
name = "tokio-native-tls"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2"
dependencies = [
"native-tls",
"tokio",
]
[[package]] [[package]]
name = "tokio-rustls" name = "tokio-rustls"
version = "0.24.1" version = "0.24.1"
@ -2396,6 +2633,12 @@ dependencies = [
"tracing-log", "tracing-log",
] ]
[[package]]
name = "try-lock"
version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
[[package]] [[package]]
name = "typenum" name = "typenum"
version = "1.17.0" version = "1.17.0"
@ -2456,6 +2699,7 @@ dependencies = [
"form_urlencoded", "form_urlencoded",
"idna", "idna",
"percent-encoding", "percent-encoding",
"serde",
] ]
[[package]] [[package]]
@ -2488,6 +2732,15 @@ version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
[[package]]
name = "want"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e"
dependencies = [
"try-lock",
]
[[package]] [[package]]
name = "wasi" name = "wasi"
version = "0.11.0+wasi-snapshot-preview1" version = "0.11.0+wasi-snapshot-preview1"
@ -2519,6 +2772,18 @@ dependencies = [
"wasm-bindgen-shared", "wasm-bindgen-shared",
] ]
[[package]]
name = "wasm-bindgen-futures"
version = "0.4.41"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "877b9c3f61ceea0e56331985743b13f3d25c406a7098d45180fb5f09bc19ed97"
dependencies = [
"cfg-if",
"js-sys",
"wasm-bindgen",
"web-sys",
]
[[package]] [[package]]
name = "wasm-bindgen-macro" name = "wasm-bindgen-macro"
version = "0.2.91" version = "0.2.91"
@ -2733,6 +2998,16 @@ dependencies = [
"memchr", "memchr",
] ]
[[package]]
name = "winreg"
version = "0.50.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
dependencies = [
"cfg-if",
"windows-sys 0.48.0",
]
[[package]] [[package]]
name = "x509-parser" name = "x509-parser"
version = "0.15.1" version = "0.15.1"

View file

@ -14,6 +14,7 @@ categories = ["authentication", "games"]
opt-level = 3 opt-level = 3
[dependencies] [dependencies]
async-trait = "0.1.77"
axum = "0.7.4" axum = "0.7.4"
base64 = "0.21.7" base64 = "0.21.7"
clap = { version = "4.5.0", features = ["derive"] } clap = { version = "4.5.0", features = ["derive"] }
@ -23,6 +24,7 @@ hmac = "0.12.1"
ldap3 = { version = "0.11.3", default-features = false, features = ["tls-rustls"] } ldap3 = { version = "0.11.3", default-features = false, features = ["tls-rustls"] }
md-5 = "0.10.6" md-5 = "0.10.6"
rand = "0.8.5" rand = "0.8.5"
reqwest = { version = "0.11.24", features = ["json"] }
secrecy = { version = "0.8.0", features = ["serde"] } secrecy = { version = "0.8.0", features = ["serde"] }
serde = { version = "1.0.196", features = ["derive"] } serde = { version = "1.0.196", features = ["derive"] }
sha2 = "0.10.8" sha2 = "0.10.8"
@ -34,9 +36,11 @@ toml = "0.8.10"
tracing = "0.1.40" tracing = "0.1.40"
tracing-error = "0.2.0" tracing-error = "0.2.0"
tracing-subscriber = { version = "0.3.18", features = ["env-filter"] } tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
url = { version = "2.5.0", features = ["serde"] }
# latest versions with ring 0.16 # latest versions with ring 0.16
rustls = "=0.21.7" rustls = "=0.21.7"
rustls-webpki = "=0.101.6" rustls-webpki = "=0.101.6"
sct = "=0.7.0" sct = "=0.7.0"
async-trait = "0.1.77" # end of overrides

View file

@ -25,12 +25,12 @@ these custom users are properly authenticated.
- [user token generation](https://wiki.factorio.com/Web_authentication_API) and storage (`POST - [user token generation](https://wiki.factorio.com/Web_authentication_API) and storage (`POST
/api-login`) /api-login`)
- LDAP authentication backend - LDAP authentication backend
- server padlock proxying (to allow e.g. factorio.com users to join servers using a custom auth
server)
### Planned ### Planned
- more authentication backends: user file, PAM(?) - more authentication backends: user file, PAM(?)
- server padlock proxying (to allow e.g. factorio.com users to join servers using a custom auth
server)
### Unplanned ### Unplanned
@ -42,9 +42,20 @@ these custom users are properly authenticated.
### Configuring factoriauth ### Configuring factoriauth
Copy `config.toml.example` to `config.toml` and adjust as necessary. `padlock-secret` needs to be a Copy `config.toml.example` to `config.toml` and adjust as necessary.
hex-encoded binary string of at least 32 bytes - either generate your own, or attempt to start
factoriauth once and copy the freshly generated secret from the error message. #### Padlock source
There are two possible sources for server padlock: either generated standalone by factoriauth for
completely self-contained setups, or through a padlock proxy.
For the standalone deployment, `padlock.secret` needs to be a hex-encoded binary string of at least
32 bytes - either generate your own, or attempt to start factoriauth once and copy the freshly
generated secret from the error message.
To use the padlock proxy, `padlock.proxy` needs to be set to the base URL of another factorio auth
server, e.g. `https://auth.factorio.com`. Server padlocks will be obtained from this auth server,
allowing users from both factoriauth and the upstream auth server to join the game server.
#### LDAP authentication backend notes #### LDAP authentication backend notes

View file

@ -1,6 +1,9 @@
padlock-secret = ""
listen = "[::]:80" listen = "[::]:80"
[padlock]
secret = ""
#proxy = "https://some-other-auth-server.example"
[database] [database]
connection-string = "sqlite://sqlite.db" connection-string = "sqlite://sqlite.db"

View file

@ -8,14 +8,16 @@ use rand::{
thread_rng, thread_rng,
}; };
use secrecy::ExposeSecret; use secrecy::ExposeSecret;
use serde::Deserialize;
use sha2::Sha256; use sha2::Sha256;
use thiserror::Error; use thiserror::Error;
use time::{macros::format_description, OffsetDateTime}; use time::{macros::format_description, OffsetDateTime};
use tokio::sync::Mutex; use tokio::sync::Mutex;
use tracing::{event, instrument, Level}; use tracing::{event, instrument, Level};
use url::Url;
use crate::{ use crate::{
config::AuthBackendConfig, config::{AuthBackendConfig, PadlockConfig},
db::{Database, UserTokenEntry}, db::{Database, UserTokenEntry},
secrets::{ secrets::{
PadlockGenerationSecret, Password, ServerHash, ServerPadlock, UserServerKey, UserToken, PadlockGenerationSecret, Password, ServerHash, ServerPadlock, UserServerKey, UserToken,
@ -38,6 +40,8 @@ pub enum AuthenticationError {
Database(#[from] sqlx::Error), Database(#[from] sqlx::Error),
#[error("Authentication backend error")] #[error("Authentication backend error")]
Backend(#[from] ldap3::LdapError), Backend(#[from] ldap3::LdapError),
#[error("Padlock proxy error")]
PadlockProxy(#[from] PadlockProxyError),
#[error("No authentication backends available")] #[error("No authentication backends available")]
NoBackends, NoBackends,
} }
@ -112,17 +116,18 @@ impl UserAuthenticator {
}; };
let mut db = self.db.lock().await; let mut db = self.db.lock().await;
let token = let token = if let Some(UserTokenEntry::Valid(old_token, _, _)) =
if let Some(UserTokenEntry::Valid(old_token, _, _)) = db.get_token(&username).await? { db.get_user_token(&username).await?
old_token {
} else { old_token
let new_token = } else {
UserToken::from(Alphanumeric.sample_string(&mut thread_rng(), Self::TOKEN_LEN)); let new_token =
UserToken::from(Alphanumeric.sample_string(&mut thread_rng(), Self::TOKEN_LEN));
db.save_token(&username, &new_token).await?; db.save_user_token(&username, &new_token).await?;
new_token new_token
}; };
Ok((username, token)) Ok((username, token))
} }
@ -138,9 +143,9 @@ impl UserAuthenticator {
) -> Result<(), AuthenticationError> { ) -> Result<(), AuthenticationError> {
let mut db = self.db.lock().await; let mut db = self.db.lock().await;
if let Some(UserTokenEntry::Valid(user_token, ..)) = &db.get_token(username).await? { if let Some(UserTokenEntry::Valid(user_token, ..)) = &db.get_user_token(username).await? {
if token == user_token { if token == user_token {
db.update_token_last_used(username, token).await?; db.update_user_token_last_used(username, token).await?;
return Ok(()); return Ok(());
} }
} }
@ -150,11 +155,11 @@ impl UserAuthenticator {
} }
#[derive(Debug)] #[derive(Debug)]
pub struct ServerPadlockGenerator { pub struct ServerPadlockSecret {
secret: PadlockGenerationSecret, secret: PadlockGenerationSecret,
} }
impl ServerPadlockGenerator { impl ServerPadlockSecret {
const HASH_LEN: usize = 32; const HASH_LEN: usize = 32;
pub fn new(secret: PadlockGenerationSecret) -> Self { pub fn new(secret: PadlockGenerationSecret) -> Self {
@ -178,6 +183,120 @@ impl ServerPadlockGenerator {
} }
} }
#[derive(Debug, Error)]
pub enum PadlockProxyError {
#[error("upstream responded with error")]
Upstream(#[from] reqwest::Error),
#[error("database error")]
Database(#[from] sqlx::Error),
#[error("invalid upstream URL")]
InvalidUrl(#[from] url::ParseError),
#[error("unknown server_hash")]
UnknownHash(ServerHash),
}
#[derive(Debug)]
pub struct ServerPadlockProxy {
client: reqwest::Client,
upstream: Url,
database: Arc<Mutex<Box<dyn Database + Send>>>,
}
impl ServerPadlockProxy {
pub fn new(
upstream: &Url,
database: Arc<Mutex<Box<dyn Database + Send>>>,
) -> Result<Self, PadlockProxyError> {
let client = reqwest::Client::new();
let upstream = upstream.join("generate-server-padlock-2")?;
Ok(Self {
client,
upstream,
database,
})
}
#[instrument]
pub async fn generate_hash(&self) -> Result<ServerHash, PadlockProxyError> {
#[derive(Deserialize)]
struct ServerPadlockResponse {
server_hash: ServerHash,
server_padlock: ServerPadlock,
}
let response: ServerPadlockResponse = self
.client
.post(self.upstream.clone())
.query(&[("api_version", 6)])
.send()
.await?
.json()
.await?;
self.database
.lock()
.await
.save_server_padlock(&response.server_hash, &response.server_padlock)
.await?;
Ok(response.server_hash)
}
#[instrument]
pub async fn generate_padlock(
&self,
server_hash: &ServerHash,
) -> Result<ServerPadlock, PadlockProxyError> {
let Some(padlock) = self
.database
.lock()
.await
.get_server_padlock(server_hash)
.await?
else {
return Err(PadlockProxyError::UnknownHash(server_hash.clone()));
};
Ok(padlock)
}
}
#[derive(Debug)]
pub enum ServerPadlockGenerator {
Secret(ServerPadlockSecret),
Proxy(ServerPadlockProxy),
}
impl ServerPadlockGenerator {
pub fn new(
config: PadlockConfig,
db: Arc<Mutex<Box<dyn Database + Send>>>,
) -> Result<Self, PadlockProxyError> {
match config {
PadlockConfig::Secret(s) => Ok(Self::Secret(ServerPadlockSecret::new(s))),
PadlockConfig::Proxy(u) => ServerPadlockProxy::new(&u, db).map(Self::Proxy),
}
}
pub async fn generate_hash(&self) -> Result<ServerHash, PadlockProxyError> {
match self {
ServerPadlockGenerator::Secret(_) => Ok(ServerPadlockSecret::generate_hash()),
ServerPadlockGenerator::Proxy(p) => p.generate_hash().await,
}
}
pub async fn generate_padlock(
&self,
server_hash: &ServerHash,
) -> Result<ServerPadlock, PadlockProxyError> {
match self {
ServerPadlockGenerator::Secret(s) => Ok(s.generate_padlock(server_hash)),
ServerPadlockGenerator::Proxy(p) => p.generate_padlock(server_hash).await,
}
}
}
#[derive(Debug)] #[derive(Debug)]
pub struct UserServerKeyGenerator { pub struct UserServerKeyGenerator {
user_authenticator: Arc<UserAuthenticator>, user_authenticator: Arc<UserAuthenticator>,
@ -206,7 +325,7 @@ impl UserServerKeyGenerator {
.verify_user_token(username, token) .verify_user_token(username, token)
.await?; .await?;
let padlock = self.padlock_generator.generate_padlock(server_hash); let padlock = self.padlock_generator.generate_padlock(server_hash).await?;
#[allow(clippy::expect_used)] #[allow(clippy::expect_used)]
let timestamp = OffsetDateTime::now_utc() let timestamp = OffsetDateTime::now_utc()

View file

@ -1,6 +1,7 @@
use std::net::{Ipv6Addr, SocketAddr, SocketAddrV6}; use std::net::{Ipv6Addr, SocketAddr, SocketAddrV6};
use serde::Deserialize; use serde::Deserialize;
use url::Url;
use crate::secrets::PadlockGenerationSecret; use crate::secrets::PadlockGenerationSecret;
@ -11,16 +12,23 @@ fn default_listen_addr() -> SocketAddr {
#[derive(Debug, Clone, Deserialize)] #[derive(Debug, Clone, Deserialize)]
#[serde(rename_all = "kebab-case")] #[serde(rename_all = "kebab-case")]
pub struct Config { pub struct Config {
#[serde(with = "hex::serde")]
pub padlock_secret: PadlockGenerationSecret,
#[serde(default = "default_listen_addr")] #[serde(default = "default_listen_addr")]
pub listen: SocketAddr, pub listen: SocketAddr,
pub padlock: PadlockConfig,
pub database: DatabaseConfig, pub database: DatabaseConfig,
#[serde(default)] #[serde(default)]
pub auth_backends: Vec<AuthBackendConfig>, pub auth_backends: Vec<AuthBackendConfig>,
} }
#[derive(Debug, Clone, Deserialize)]
#[serde(rename_all = "kebab-case")]
#[allow(clippy::module_name_repetitions)]
pub enum PadlockConfig {
Secret(#[serde(with = "hex::serde")] PadlockGenerationSecret),
Proxy(Url),
}
#[derive(Debug, Clone, Deserialize)] #[derive(Debug, Clone, Deserialize)]
#[serde(rename_all = "kebab-case")] #[serde(rename_all = "kebab-case")]
#[allow(clippy::module_name_repetitions)] #[allow(clippy::module_name_repetitions)]

View file

@ -5,7 +5,7 @@ use secrecy::ExposeSecret;
use sqlx::{query, query_as, sqlite::SqliteConnectOptions, Connection, SqliteConnection}; use sqlx::{query, query_as, sqlite::SqliteConnectOptions, Connection, SqliteConnection};
use tracing::instrument; use tracing::instrument;
use crate::secrets::UserToken; use crate::secrets::{ServerHash, ServerPadlock, UserToken};
// TODO: check again if it's possible to pass this as a parameter to query! // TODO: check again if it's possible to pass this as a parameter to query!
// const TABLE_USER_TOKENS: &str = "user_tokens"; // const TABLE_USER_TOKENS: &str = "user_tokens";
@ -25,15 +25,33 @@ pub enum UserTokenEntry {
#[async_trait] #[async_trait]
pub trait Database: Debug { pub trait Database: Debug {
async fn get_token(&mut self, username: &str) -> Result<Option<UserTokenEntry>, sqlx::Error>; async fn get_user_token(
&mut self,
username: &str,
) -> Result<Option<UserTokenEntry>, sqlx::Error>;
async fn save_token(&mut self, username: &str, token: &UserToken) -> Result<(), sqlx::Error>; async fn save_user_token(
async fn update_token_last_used(
&mut self, &mut self,
username: &str, username: &str,
token: &UserToken, token: &UserToken,
) -> Result<(), sqlx::Error>; ) -> Result<(), sqlx::Error>;
async fn update_user_token_last_used(
&mut self,
username: &str,
token: &UserToken,
) -> Result<(), sqlx::Error>;
async fn get_server_padlock(
&mut self,
server_hash: &ServerHash,
) -> Result<Option<ServerPadlock>, sqlx::Error>;
async fn save_server_padlock(
&mut self,
server_hash: &ServerHash,
server_padlock: &ServerPadlock,
) -> Result<(), sqlx::Error>;
} }
#[derive(Debug)] #[derive(Debug)]
@ -70,6 +88,15 @@ impl SqliteDatabase {
.execute(&mut self.conn) .execute(&mut self.conn)
.await?; .await?;
query!(
"CREATE TABLE IF NOT EXISTS server_padlocks (
hash TEXT NOT NULL UNIQUE,
padlock TEXT NOT NULL
) STRICT"
)
.execute(&mut self.conn)
.await?;
Ok(()) Ok(())
} }
} }
@ -77,7 +104,10 @@ impl SqliteDatabase {
#[async_trait] #[async_trait]
impl Database for SqliteDatabase { impl Database for SqliteDatabase {
#[instrument] #[instrument]
async fn get_token(&mut self, username: &str) -> Result<Option<UserTokenEntry>, sqlx::Error> { async fn get_user_token(
&mut self,
username: &str,
) -> Result<Option<UserTokenEntry>, sqlx::Error> {
struct TokenRow { struct TokenRow {
token: String, token: String,
valid: bool, valid: bool,
@ -110,7 +140,11 @@ impl Database for SqliteDatabase {
} }
#[instrument] #[instrument]
async fn save_token(&mut self, username: &str, token: &UserToken) -> Result<(), sqlx::Error> { async fn save_user_token(
&mut self,
username: &str,
token: &UserToken,
) -> Result<(), sqlx::Error> {
let token_inner = token.0.expose_secret(); let token_inner = token.0.expose_secret();
query!( query!(
"INSERT INTO user_tokens "INSERT INTO user_tokens
@ -128,7 +162,7 @@ impl Database for SqliteDatabase {
} }
#[instrument] #[instrument]
async fn update_token_last_used( async fn update_user_token_last_used(
&mut self, &mut self,
username: &str, username: &str,
token: &UserToken, token: &UserToken,
@ -146,4 +180,41 @@ impl Database for SqliteDatabase {
Ok(()) Ok(())
} }
#[instrument]
async fn get_server_padlock(
&mut self,
server_hash: &ServerHash,
) -> Result<Option<ServerPadlock>, sqlx::Error> {
let server_hash = &server_hash.0;
let padlock = query!(
"SELECT padlock FROM server_padlocks WHERE hash = $1",
server_hash
)
.fetch_optional(&mut self.conn)
.await?;
Ok(padlock.map(|d| ServerPadlock::from(d.padlock)))
}
#[instrument]
async fn save_server_padlock(
&mut self,
server_hash: &ServerHash,
server_padlock: &ServerPadlock,
) -> Result<(), sqlx::Error> {
let server_hash = &server_hash.0;
let server_padlock = server_padlock.0.expose_secret();
query!(
"INSERT INTO server_padlocks (hash, padlock) VALUES ($1, $2)",
server_hash,
server_padlock
)
.execute(&mut self.conn)
.await?;
Ok(())
}
} }

View file

@ -129,8 +129,8 @@ async fn main() -> Result<()> {
); );
} }
let user_authenticator = Arc::new(UserAuthenticator::new(database, auth_backends)); let user_authenticator = Arc::new(UserAuthenticator::new(Arc::clone(&database), auth_backends));
let padlock_generator = Arc::new(ServerPadlockGenerator::new(config.padlock_secret)); let padlock_generator = Arc::new(ServerPadlockGenerator::new(config.padlock, database)?);
let user_server_key_generator = Arc::new(UserServerKeyGenerator::new( let user_server_key_generator = Arc::new(UserServerKeyGenerator::new(
Arc::clone(&user_authenticator), Arc::clone(&user_authenticator),
Arc::clone(&padlock_generator), Arc::clone(&padlock_generator),

View file

@ -180,8 +180,14 @@ async fn generate_server_padlock_2(
) -> ApiResult<Json<ServerPadlockResponse>> { ) -> ApiResult<Json<ServerPadlockResponse>> {
event!(Level::INFO, "Creating server padlock"); event!(Level::INFO, "Creating server padlock");
let server_hash = ServerPadlockGenerator::generate_hash(); let server_hash = server_padlock_generator
let server_padlock = server_padlock_generator.generate_padlock(&server_hash); .generate_hash()
.await
.map_err(AuthenticationError::from)?;
let server_padlock = server_padlock_generator
.generate_padlock(&server_hash)
.await
.map_err(AuthenticationError::from)?;
Ok(Json(ServerPadlockResponse { Ok(Json(ServerPadlockResponse {
server_hash, server_hash,