ambee/giterated

1

use anyhow::Error;

2

use giterated_models::{

3

messages::authentication::{AuthenticationTokenResponse, TokenExtensionResponse},

4

model::{

5

authenticated::{UserAuthenticationToken, UserTokenMetadata},

instance::Instance,

user::User,

},

};

use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, TokenData, Validation};

11

use std::{sync::Arc, time::SystemTime};

12

use tokio::{fs::File, io::AsyncReadExt, sync::Mutex};

13

use toml::Table;

14

15

use crate::keys::PublicKeyCache;

16

17

pub struct AuthenticationTokenGranter {

18

pub config: Table,

19

pub instance: Instance,

20

}

21

22

impl AuthenticationTokenGranter {

23

async fn private_key(&self) -> Vec<u8> {

24

let _secret_key = self.config["authentication"]["secret_key"]

25

.as_str()

26

.unwrap();

27

let mut file = File::open(

28

self.config["giterated"]["keys"]["private"]

.as_str()

.unwrap(),

)

.await

.unwrap();

let mut key = vec![];

36

file.read_to_end(&mut key).await.unwrap();

key

}

pub(crate) async fn create_token_for(

42

&mut self,

43

user: &User,

44

generated_for: &Instance,

45

) -> String {

46

let private_key = self.private_key().await;

47

48

let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();

49

50

let claims = UserTokenMetadata {

51

user: user.clone(),

52

generated_for: generated_for.clone(),

53

exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()

54

+ std::time::Duration::from_secs(24 * 60 * 60))

.as_secs(),

};

encode(

&jsonwebtoken::Header::new(Algorithm::RS256),

&claims,

&encoding_key,

)

.unwrap()

}

pub async fn token_request(

67

&mut self,

68

issued_for: impl ToOwned<Owned = Instance>,

69

username: String,

70

_password: String,

71

) -> Result<AuthenticationTokenResponse, Error> {

72

let private_key = {

73

let mut file = File::open(

74

self.config["giterated"]["keys"]["private"]

.as_str()

.unwrap(),

)

.await

.unwrap();

let mut key = vec![];

82

file.read_to_end(&mut key).await.unwrap();

key

};

let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();

88

89

let claims = UserTokenMetadata {

90

user: User {

91

username,

92

instance: self.instance.clone(),

93

},

94

generated_for: issued_for.to_owned(),

95

exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()

96

+ std::time::Duration::from_secs(24 * 60 * 60))

.as_secs(),

};

let token = encode(

&jsonwebtoken::Header::new(Algorithm::RS256),

&claims,

&encoding_key,

)

.unwrap();

Ok(AuthenticationTokenResponse {

108

token: UserAuthenticationToken::from(token),

})

}

pub async fn extension_request(

113

&mut self,

114

issued_for: &Instance,

115

key_cache: &Arc<Mutex<PublicKeyCache>>,

116

token: UserAuthenticationToken,

117

) -> Result<TokenExtensionResponse, Error> {

118

let mut key_cache = key_cache.lock().await;

119

let server_public_key = key_cache.get(issued_for).await?;

120

drop(key_cache);

121

122

let verification_key = DecodingKey::from_rsa_pem(server_public_key.as_bytes()).unwrap();

123

124

let data: TokenData<UserTokenMetadata> = decode(

125

token.as_ref(),

126

&verification_key,

127

&Validation::new(Algorithm::RS256),

)

.unwrap();

if data.claims.generated_for != *issued_for {

panic!()

}

info!("Token Extension Request Token validated");

136

137

let private_key = {

138

let mut file = File::open(

139

self.config["giterated"]["keys"]["private"]

.as_str()

.unwrap(),

)

.await

.unwrap();

let mut key = vec![];

147

file.read_to_end(&mut key).await.unwrap();

key

};

let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap();

153

154

let claims = UserTokenMetadata {

155

// TODO: Probably exploitable

156

user: data.claims.user,

157

generated_for: issued_for.clone(),

158

exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap()

159

+ std::time::Duration::from_secs(24 * 60 * 60))

.as_secs(),

};

let token = encode(

&jsonwebtoken::Header::new(Algorithm::RS256),

&claims,

&encoding_key,

)

.unwrap();

Ok(TokenExtensionResponse {

171

new_token: Some(token),

})

}

}