Merge pull request #495 from sebadob/split-auth-service

split oidc flows business logic
sebadob · Jun 24, 2024 · 152dd52 · 152dd52
2 parents 843b793 + 7990d1a
commit 152dd52
Show file tree

Hide file tree

Showing 20 changed files with 1,509 additions and 1,414 deletions.
diff --git a/src/api/src/clients.rs b/src/api/src/clients.rs
@@ -16,8 +16,8 @@ use rauthy_models::entity::clients::Client;
 use rauthy_models::entity::clients_dyn::ClientDyn;
 use rauthy_models::entity::colors::ColorEntity;
 use rauthy_models::entity::logos::{Logo, LogoType};
-use rauthy_service::auth::get_bearer_token_from_header;
 use rauthy_service::client;
+use rauthy_service::oidc::helpers;
 use tracing::debug;
 
 /// Returns all existing OIDC clients with all their information, except for the client secrets.
@@ -169,7 +169,7 @@ pub async fn post_clients_dyn(
     }
 
     if let Some(token) = &*DYN_CLIENT_REG_TOKEN {
-        let bearer = get_bearer_token_from_header(req.headers())?;
+        let bearer = helpers::get_bearer_token_from_header(req.headers())?;
         if token != &bearer {
             return Ok(HttpResponse::Unauthorized()
                 .insert_header((
@@ -216,7 +216,7 @@ pub async fn get_clients_dyn(
         return Ok(HttpResponse::NotFound().finish());
     }
 
-    let bearer = get_bearer_token_from_header(req.headers())?;
+    let bearer = helpers::get_bearer_token_from_header(req.headers())?;
     let id = id.into_inner();
     let client_dyn = ClientDyn::find(&data, id.clone()).await?;
     client_dyn.validate_token(&bearer)?;
@@ -250,7 +250,7 @@ pub async fn put_clients_dyn(
         return Ok(HttpResponse::NotFound().finish());
     }
 
-    let bearer = get_bearer_token_from_header(req.headers())?;
+    let bearer = helpers::get_bearer_token_from_header(req.headers())?;
     let id = id.into_inner();
     let client_dyn = ClientDyn::find(&data, id.clone()).await?;
     client_dyn.validate_token(&bearer)?;

diff --git a/src/api/src/oidc.rs b/src/api/src/oidc.rs
@@ -42,7 +42,8 @@ use rauthy_models::templates::{
     AuthorizeHtml, CallbackHtml, Error1Html, ErrorHtml, FrontendAction,
 };
 use rauthy_models::JwtCommonClaims;
-use rauthy_service::{auth, login_delay};
+use rauthy_service::oidc::{authorize, logout, token_info, userinfo, validation};
+use rauthy_service::{login_delay, oidc};
 use spow::pow::Pow;
 use std::borrow::Cow;
 use std::ops::Add;
@@ -75,7 +76,7 @@ pub async fn get_authorize(
         .unwrap_or_default();
     let lang = Language::try_from(&req).unwrap_or_default();
 
-    let (client, origin_header) = match auth::validate_auth_req_param(
+    let (client, origin_header) = match validation::validate_auth_req_param(
         &data,
         &req,
         &req_data.client_id,
@@ -260,7 +261,7 @@ pub async fn post_authorize(
     let mut add_login_delay = true;
     let mut user_needs_mfa = false;
 
-    let res = match auth::authorize(
+    let res = match authorize::post_authorize(
         &data,
         &req,
         payload.into_inner(),
@@ -331,7 +332,7 @@ pub async fn post_authorize_refresh(
 ) -> Result<HttpResponse, ErrorResponse> {
     let session = principal.validate_session_auth()?;
 
-    let (client, header_origin) = auth::validate_auth_req_param(
+    let (client, header_origin) = validation::validate_auth_req_param(
         &data,
         &req,
         &req_data.client_id,
@@ -341,9 +342,14 @@ pub async fn post_authorize_refresh(
     )
     .await?;
 
-    let auth_step =
-        auth::authorize_refresh(&data, session, client, header_origin, req_data.into_inner())
-            .await?;
+    let auth_step = authorize::post_authorize_refresh(
+        &data,
+        session,
+        client,
+        header_origin,
+        req_data.into_inner(),
+    )
+    .await?;
     map_auth_step(auth_step, &req).await
 }
 
@@ -615,7 +621,7 @@ pub async fn get_logout(
     };
 
     let lang = Language::try_from(&req).unwrap_or_default();
-    let body = match auth::logout(req_data.into_inner(), session, &data, &lang).await {
+    let body = match logout::get_logout_html(req_data.into_inner(), session, &data, &lang).await {
         Ok(t) => t,
         Err(_) => {
             return HttpResponse::build(StatusCode::from_u16(302).unwrap())
@@ -885,13 +891,13 @@ pub async fn post_token(
         // the `urn:ietf:params:oauth:grant-type:device_code` needs
         // a fully customized handling here with customized error response
         // to meet the oauth rfc
-        return Ok(auth::grant_type_device_code(&data, ip, payload.into_inner()).await);
+        return Ok(oidc::grant_type_device_code(&data, ip, payload.into_inner()).await);
     }
 
     let start = SystemTime::now().duration_since(UNIX_EPOCH).unwrap();
     let has_password_been_hashed = payload.grant_type == "password";
 
-    let res = match auth::get_token_set(payload.into_inner(), &data, req).await {
+    let res = match oidc::get_token_set(payload.into_inner(), &data, req).await {
         Ok((token_set, headers)) => {
             let mut builder = HttpResponseBuilder::new(StatusCode::OK);
             for h in headers {
@@ -904,6 +910,7 @@ pub async fn post_token(
             if !has_password_been_hashed {
                 return Err(err);
             }
+            // TODO return always the same error here as well, just like during authorize?
             Err(err)
         }
     };
@@ -936,7 +943,7 @@ pub async fn post_token_info(
     data: web::Data<AppState>,
     req_data: actix_web_validator::Json<TokenValidationRequest>,
 ) -> Result<HttpResponse, ErrorResponse> {
-    auth::get_token_info(&data, &req_data.token)
+    token_info::get_token_info(&data, &req_data.token)
         .await
         .map(|i| HttpResponse::Ok().json(i))
 }
@@ -962,7 +969,7 @@ pub async fn post_token_info(
 //     req_data: actix_web_validator::Json<RefreshTokenRequest>,
 //     data: web::Data<AppState>,
 // ) -> Result<HttpResponse, ErrorResponse> {
-//     auth::validate_refresh_token(None, &req_data.refresh_token, &data)
+//     oidc::validate_refresh_token(None, &req_data.refresh_token, &data)
 //         .await
 //         .map(|token_set| HttpResponse::Ok().json(token_set))
 // }
@@ -987,7 +994,7 @@ pub async fn post_validate_token(
     data: web::Data<AppState>,
     req_data: actix_web_validator::Json<TokenValidationRequest>,
 ) -> Result<HttpResponse, ErrorResponse> {
-    auth::validate_token::<JwtCommonClaims>(&data, &req_data.token)
+    validation::validate_token::<JwtCommonClaims>(&data, &req_data.token)
         .await
         .map(|_| HttpResponse::Accepted().finish())
 }
@@ -1012,7 +1019,7 @@ pub async fn get_userinfo(
     data: web::Data<AppState>,
     req: HttpRequest,
 ) -> Result<HttpResponse, ErrorResponse> {
-    auth::get_userinfo(&data, req)
+    userinfo::get_userinfo(&data, req)
         .await
         .map(|u| HttpResponse::Ok().json(u))
 }
@@ -1037,7 +1044,7 @@ pub async fn post_userinfo(
     data: web::Data<AppState>,
     req: HttpRequest,
 ) -> Result<HttpResponse, ErrorResponse> {
-    auth::get_userinfo(&data, req)
+    userinfo::get_userinfo(&data, req)
         .await
         .map(|u| HttpResponse::Ok().json(u))
 }
@@ -1070,7 +1077,7 @@ pub async fn get_forward_auth(
     data: web::Data<AppState>,
     req: HttpRequest,
 ) -> Result<HttpResponse, ErrorResponse> {
-    let info = auth::get_userinfo(&data, req).await?;
+    let info = userinfo::get_userinfo(&data, req).await?;
 
     if *AUTH_HEADERS_ENABLE {
         Ok(HttpResponse::Ok()

diff --git a/src/common/src/utils.rs b/src/common/src/utils.rs
@@ -34,13 +34,6 @@ pub fn json_arr_to_vec(arr: &str) -> Vec<String> {
         .collect()
 }
 
-pub fn get_client_ip(req: &HttpRequest) -> String {
-    req.connection_info()
-        .peer_addr()
-        .unwrap_or("unknown")
-        .to_string()
-}
-
 pub fn get_local_hostname() -> String {
     let hostname_os = gethostname();
     hostname_os

diff --git a/src/models/src/entity/clients.rs b/src/models/src/entity/clients.rs
@@ -18,7 +18,7 @@ use rauthy_common::constants::{
     EPHEMERAL_CLIENTS_ALLOWED_FLOWS, EPHEMERAL_CLIENTS_ALLOWED_SCOPES, EPHEMERAL_CLIENTS_FORCE_MFA,
     IDX_CLIENTS, PROXY_MODE, RAUTHY_VERSION,
 };
-use rauthy_common::utils::{cache_entry_client, get_client_ip, get_rand};
+use rauthy_common::utils::{cache_entry_client, get_rand, real_ip_from_req};
 use rauthy_error::{ErrorResponse, ErrorResponseType};
 use redhac::{
     cache_get, cache_get_from, cache_get_value, cache_insert, cache_put, cache_remove, AckLevel,
@@ -849,7 +849,7 @@ impl Client {
             warn!(
                 "Invalid login for client '{}' from '{}'",
                 self.id,
-                get_client_ip(req)
+                real_ip_from_req(req)?
             );
 
             return Err(ErrorResponse::new(

diff --git a/src/models/src/entity/users.rs b/src/models/src/entity/users.rs
@@ -27,7 +27,7 @@ use rauthy_common::constants::{
     WEBAUTHN_NO_PASSWORD_EXPIRY,
 };
 use rauthy_common::password_hasher::{ComparePasswords, HashPassword};
-use rauthy_common::utils::{get_client_ip, new_store_id, real_ip_from_req};
+use rauthy_common::utils::{new_store_id, real_ip_from_req};
 use rauthy_error::{ErrorResponse, ErrorResponseType};
 use redhac::{
     cache_del, cache_get, cache_get_from, cache_get_value, cache_insert, cache_remove, AckLevel,
@@ -1390,7 +1390,7 @@ impl User {
             if ml.exp > OffsetDateTime::now_utc().unix_timestamp() {
                 warn!(
                     "Password reset request with already existing valid magic link from: {}",
-                    get_client_ip(&req)
+                    real_ip_from_req(&req)?
                 );
                 ml.invalidate(data).await?;
             }