ambee/giterated

1

use anyhow::Error;

2

use giterated_models::model::{

3

authenticated::{UserAuthenticationToken, UserTokenMetadata},

instance::Instance,

user::User,

};

use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, TokenData, Validation};

8

use std::{sync::Arc, time::SystemTime};

9

use tokio::{fs::File, io::AsyncReadExt, sync::Mutex};

10

use toml::Table;

11

12

use crate::keys::PublicKeyCache;

13

14

pub struct AuthenticationTokenGranter {

15

pub config: Table,

16

pub instance: Instance,

17

}

18

19

impl AuthenticationTokenGranter {

20

async fn private_key(&self) -> Vec<u8> {

21

let mut file = File::open(

22

self.config["giterated"]["keys"]["private"]

.as_str()

.unwrap(),

)

.await

.unwrap();

let mut key = vec![];

30

file.read_to_end(&mut key).await.unwrap();

key

}

pub(crate) async fn create_token_for(

36

&mut self,

37

user: &User,

38

generated_for: &Instance,

39

) -> String {

40

let private_key = self.private_key().await;

41

42

let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();

43

44

let claims = UserTokenMetadata {

45

user: user.clone(),

46

generated_for: generated_for.clone(),

47

exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()

48

+ std::time::Duration::from_secs(24 * 60 * 60))

.as_secs(),

};

encode(

&jsonwebtoken::Header::new(Algorithm::RS256),

&claims,

&encoding_key,

)

.unwrap()

}

pub async fn token_request(

61

&mut self,

62

issued_for: impl ToOwned<Owned = Instance>,

63

username: String,

64

_password: String,

65

) -> Result<UserAuthenticationToken, Error> {

66

let private_key = {

67

let mut file = File::open(

68

self.config["giterated"]["keys"]["private"]

.as_str()

.unwrap(),

)

.await

.unwrap();

let mut key = vec![];

76

file.read_to_end(&mut key).await.unwrap();

key

};

let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();

82

83

let claims = UserTokenMetadata {

84

user: User {

85

username,

86

instance: self.instance.clone(),

87

},

88

generated_for: issued_for.to_owned(),

89

exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()

90

+ std::time::Duration::from_secs(24 * 60 * 60))

.as_secs(),

};

let token = encode(

&jsonwebtoken::Header::new(Algorithm::RS256),

&claims,

&encoding_key,

)

.unwrap();

Ok(UserAuthenticationToken::from(token))

102

}

103

104

pub async fn extension_request(

105

&mut self,

106

issued_for: &Instance,

107

key_cache: &Arc<Mutex<PublicKeyCache>>,

108

token: UserAuthenticationToken,

109

) -> Result<Option<UserAuthenticationToken>, Error> {

110

let mut key_cache = key_cache.lock().await;

111

let server_public_key = key_cache.get(issued_for).await?;

112

drop(key_cache);

113

114

let verification_key = DecodingKey::from_rsa_pem(server_public_key.as_bytes()).unwrap();

115

116

let data: TokenData<UserTokenMetadata> = decode(

117

token.as_ref(),

118

&verification_key,

119

&Validation::new(Algorithm::RS256),

)

.unwrap();

if data.claims.generated_for != *issued_for {

panic!()

}

info!("Token Extension Request Token validated");

128

129

let private_key = {

130

let mut file = File::open(

131

self.config["giterated"]["keys"]["private"]

.as_str()

.unwrap(),

)

.await

.unwrap();

let mut key = vec![];

139

file.read_to_end(&mut key).await.unwrap();

key

};

let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();

145

146

let claims = UserTokenMetadata {

147

// TODO: Probably exploitable

148

user: data.claims.user,

149

generated_for: issued_for.clone(),

150

exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()

151

+ std::time::Duration::from_secs(24 * 60 * 60))

.as_secs(),

};

let token = encode(

&jsonwebtoken::Header::new(Algorithm::RS256),

&claims,

&encoding_key,

)

.unwrap();

Ok(Some(UserAuthenticationToken::from(token)))

163

}

164

}

165