use anyhow::Error; use giterated_models::authenticated::{UserAuthenticationToken, UserTokenMetadata}; use giterated_models::instance::Instance; use giterated_models::user::User; use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, TokenData, Validation}; use std::collections::HashMap; use std::{sync::Arc, time::SystemTime}; use tokio::{fs::File, io::AsyncReadExt, sync::Mutex}; use toml::Table; pub struct AuthenticationTokenGranter { pub config: Table, pub instance: Instance, } impl AuthenticationTokenGranter { async fn private_key(&self) -> Vec { let mut file = File::open( self.config["giterated"]["keys"]["private"] .as_str() .unwrap(), ) .await .unwrap(); let mut key = vec![]; file.read_to_end(&mut key).await.unwrap(); key } pub(crate) async fn create_token_for( &mut self, user: &User, generated_for: &Instance, ) -> String { let private_key = self.private_key().await; let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap(); let claims = UserTokenMetadata { user: user.clone(), generated_for: generated_for.clone(), exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap() + std::time::Duration::from_secs(24 * 60 * 60)) .as_secs(), }; encode( &jsonwebtoken::Header::new(Algorithm::RS256), &claims, &encoding_key, ) .unwrap() } pub async fn token_request( &mut self, issued_for: impl ToOwned, username: String, _password: String, ) -> Result { let private_key = { let mut file = File::open( self.config["giterated"]["keys"]["private"] .as_str() .unwrap(), ) .await .unwrap(); let mut key = vec![]; file.read_to_end(&mut key).await.unwrap(); key }; let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap(); let claims = UserTokenMetadata { user: User { username, instance: self.instance.clone(), }, generated_for: issued_for.to_owned(), exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap() + std::time::Duration::from_secs(24 * 60 * 60)) .as_secs(), }; let token = encode( &jsonwebtoken::Header::new(Algorithm::RS256), &claims, &encoding_key, ) .unwrap(); Ok(UserAuthenticationToken::from(token)) } pub async fn extension_request( &mut self, issued_for: &Instance, key_cache: &Arc>, token: UserAuthenticationToken, ) -> Result, Error> { let mut key_cache = key_cache.lock().await; let server_public_key = key_cache.get(issued_for).await?; drop(key_cache); let verification_key = DecodingKey::from_rsa_pem(server_public_key.as_bytes()).unwrap(); let data: TokenData = decode( token.as_ref(), &verification_key, &Validation::new(Algorithm::RS256), ) .unwrap(); if data.claims.generated_for != *issued_for { panic!() } let private_key = { let mut file = File::open( self.config["giterated"]["keys"]["private"] .as_str() .unwrap(), ) .await .unwrap(); let mut key = vec![]; file.read_to_end(&mut key).await.unwrap(); key }; let encoding_key = EncodingKey::from_rsa_pem(&private_key).unwrap(); let claims = UserTokenMetadata { // TODO: Probably exploitable user: data.claims.user, generated_for: issued_for.clone(), exp: (SystemTime::UNIX_EPOCH.elapsed().unwrap() + std::time::Duration::from_secs(24 * 60 * 60)) .as_secs(), }; let token = encode( &jsonwebtoken::Header::new(Algorithm::RS256), &claims, &encoding_key, ) .unwrap(); Ok(Some(UserAuthenticationToken::from(token))) } } #[derive(Default)] pub struct PublicKeyCache { pub keys: HashMap, } impl PublicKeyCache { pub async fn get(&mut self, instance: &Instance) -> Result { if let Some(key) = self.keys.get(instance) { Ok(key.clone()) } else { let key = reqwest::get(format!("https://{}/.giterated/pubkey.pem", instance)) .await? .text() .await?; self.keys.insert(instance.clone(), key); Ok(self.keys.get(instance).unwrap().clone()) } } }