matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-07-29 22:01:14 +03:00
Code Activity

Move clients to the database

Browse Source
This commit is contained in:
Quentin Gliech
2022-03-08 17:33:25 +01:00
parent 19a81afe51
commit 62f633a716
33 changed files with 1926 additions and 867 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/storage/src/lib.rs
View File

@ -41,7 +41,7 @@ impl StorageBackend for PostgresqlBackend {
type AuthenticationData = i64;
type AuthorizationGrantData = i64;
type BrowserSessionData = i64;
type ClientData = ();
type ClientData = i64;
type RefreshTokenData = i64;
type SessionData = i64;
type UserData = i64;

17
crates/storage/src/oauth2/access_token.rs
View File

@ -14,12 +14,11 @@
use anyhow::Context;
use chrono::{DateTime, Duration, Utc};
use mas_data_model::{
AccessToken, Authentication, BrowserSession, Client, Session, User, UserEmail,
};
use sqlx::PgExecutor;
use mas_data_model::{AccessToken, Authentication, BrowserSession, Session, User, UserEmail};
use sqlx::{PgConnection, PgExecutor};
use thiserror::Error;
use super::client::{lookup_client_by_client_id, ClientFetchError};
use crate::{DatabaseInconsistencyError, IdAndCreationTime, PostgresqlBackend};
pub async fn add_access_token(
@ -83,6 +82,7 @@ pub struct OAuth2AccessTokenLookup {
#[error("failed to lookup access token")]
pub enum AccessTokenLookupError {
Database(#[from] sqlx::Error),
ClientFetch(#[from] ClientFetchError),
Inconsistency(#[from] DatabaseInconsistencyError),
}
@ -95,7 +95,7 @@ impl AccessTokenLookupError {
#[allow(clippy::too_many_lines)]
pub async fn lookup_active_access_token(
executor: impl PgExecutor<'_>,
conn: &mut PgConnection,
token: &str,
) -> Result<(AccessToken<PostgresqlBackend>, Session<PostgresqlBackend>), AccessTokenLookupError> {
let res = sqlx::query_as!(
@ -142,7 +142,7 @@ pub async fn lookup_active_access_token(
"#,
token,
)
.fetch_one(executor)
.fetch_one(&mut *conn)
.await?;
let access_token = AccessToken {
@ -153,10 +153,7 @@ pub async fn lookup_active_access_token(
expires_after: Duration::seconds(res.access_token_expires_after.into()),
};
let client = Client {
data: (),
client_id: res.client_id,
};
let client = lookup_client_by_client_id(&mut *conn, &res.client_id).await?;
let primary_email = match (
res.user_email_id,

41
crates/storage/src/oauth2/authorization_grant.rs
View File

@ -24,15 +24,16 @@ use mas_data_model::{
};
use mas_iana::oauth::PkceCodeChallengeMethod;
use oauth2_types::{requests::ResponseMode, scope::Scope};
use sqlx::PgExecutor;
use sqlx::{PgConnection, PgExecutor};
use url::Url;
use super::client::lookup_client_by_client_id;
use crate::{DatabaseInconsistencyError, IdAndCreationTime, PostgresqlBackend};
#[allow(clippy::too_many_arguments)]
pub async fn new_authorization_grant(
executor: impl PgExecutor<'_>,
client_id: String,
client: Client<PostgresqlBackend>,
redirect_uri: Url,
scope: Scope,
code: Option<AuthorizationCode>,
@ -65,7 +66,7 @@ pub async fn new_authorization_grant(
($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14)
RETURNING id, created_at
"#,
&client_id,
&client.client_id,
redirect_uri.to_string(),
scope.to_string(),
state,
@ -85,11 +86,6 @@ pub async fn new_authorization_grant(
.await
.context("could not insert oauth2 authorization grant")?;
let client = Client {
data: (),
client_id,
};
Ok(AuthorizationGrant {
data: res.id,
stage: AuthorizationGrantStage::Pending,
@ -141,20 +137,21 @@ struct GrantLookup {
user_email_confirmed_at: Option<DateTime<Utc>>,
}
impl TryInto<AuthorizationGrant<PostgresqlBackend>> for GrantLookup {
type Error = DatabaseInconsistencyError;
impl GrantLookup {
#[allow(clippy::too_many_lines)]
fn try_into(self) -> Result<AuthorizationGrant<PostgresqlBackend>, Self::Error> {
async fn into_authorization_grant(
self,
executor: impl PgExecutor<'_>,
) -> Result<AuthorizationGrant<PostgresqlBackend>, DatabaseInconsistencyError> {
let scope: Scope = self
.grant_scope
.parse()
.map_err(|_e| DatabaseInconsistencyError)?;
let client = Client {
data: (),
client_id: self.client_id,
};
// TODO: don't unwrap
let client = lookup_client_by_client_id(executor, &self.client_id)
.await
.unwrap();
let last_authentication = match (
self.user_session_last_authentication_id,
@ -323,7 +320,7 @@ impl TryInto<AuthorizationGrant<PostgresqlBackend>> for GrantLookup {
}
pub async fn get_grant_by_id(
executor: impl PgExecutor<'_>,
conn: &mut PgConnection,
id: i64,
) -> anyhow::Result<AuthorizationGrant<PostgresqlBackend>> {
// TODO: handle "not found" cases
@ -381,17 +378,17 @@ pub async fn get_grant_by_id(
"#,
id,
)
.fetch_one(executor)
.fetch_one(&mut *conn)
.await
.context("failed to get grant by id")?;
let grant = res.try_into()?;
let grant = res.into_authorization_grant(&mut *conn).await?;
Ok(grant)
}
pub async fn lookup_grant_by_code(
executor: impl PgExecutor<'_>,
conn: &mut PgConnection,
code: &str,
) -> anyhow::Result<AuthorizationGrant<PostgresqlBackend>> {
// TODO: handle "not found" cases
@ -449,11 +446,11 @@ pub async fn lookup_grant_by_code(
"#,
code,
)
.fetch_one(executor)
.fetch_one(&mut *conn)
.await
.context("failed to lookup grant by code")?;
let grant = res.try_into()?;
let grant = res.into_authorization_grant(&mut *conn).await?;
Ok(grant)
}

380
crates/storage/src/oauth2/client.rs Normal file
View File

@ -0,0 +1,380 @@
// Copyright 2022 The Matrix.org Foundation C.I.C.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
use std::string::ToString;
use mas_data_model::{Client, JwksOrJwksUri};
use mas_iana::oauth::{OAuthAuthorizationEndpointResponseType, OAuthClientAuthenticationMethod};
use mas_jose::JsonWebKeySet;
use oauth2_types::requests::GrantType;
use sqlx::{PgConnection, PgExecutor};
use thiserror::Error;
use url::Url;
use warp::reject::Reject;
use crate::PostgresqlBackend;
#[derive(Debug)]
pub struct OAuth2ClientLookup {
id: i64,
client_id: String,
encrypted_client_secret: Option<String>,
redirect_uris: Vec<String>,
response_types: Vec<String>,
grant_type_authorization_code: bool,
grant_type_refresh_token: bool,
contacts: Vec<String>,
client_name: Option<String>,
logo_uri: Option<String>,
client_uri: Option<String>,
policy_uri: Option<String>,
tos_uri: Option<String>,
jwks_uri: Option<String>,
jwks: Option<serde_json::Value>,
id_token_signed_response_alg: Option<String>,
token_endpoint_auth_method: Option<String>,
token_endpoint_auth_signing_alg: Option<String>,
initiate_login_uri: Option<String>,
}
#[derive(Debug, Error)]
pub enum ClientFetchError {
#[error("malformed jwks column")]
MalformedJwks(#[source] serde_json::Error),
#[error("entry has both a jwks and a jwks_uri")]
BothJwksAndJwksUri,
#[error("could not parse URL in field {field:?}")]
ParseUrl {
field: &'static str,
source: url::ParseError,
},
#[error("could not parse field {field:?}")]
ParseField {
field: &'static str,
source: mas_iana::ParseError,
},
#[error(transparent)]
Database(#[from] sqlx::Error),
}
impl ClientFetchError {
#[must_use]
pub fn not_found(&self) -> bool {
matches!(self, Self::Database(sqlx::Error::RowNotFound))
}
}
impl Reject for ClientFetchError {}
impl TryInto<Client<PostgresqlBackend>> for OAuth2ClientLookup {
type Error = ClientFetchError;
#[allow(clippy::too_many_lines)] // TODO: refactor some of the field parsing
fn try_into(self) -> Result<Client<PostgresqlBackend>, Self::Error> {
let redirect_uris: Result<Vec<Url>, _> =
self.redirect_uris.iter().map(|s| s.parse()).collect();
let redirect_uris = redirect_uris.map_err(|source| ClientFetchError::ParseUrl {
field: "redirect_uris",
source,
})?;
let response_types: Result<Vec<OAuthAuthorizationEndpointResponseType>, _> =
self.response_types.iter().map(|s| s.parse()).collect();
let response_types = response_types.map_err(|source| ClientFetchError::ParseField {
field: "response_types",
source,
})?;
let mut grant_types = Vec::new();
if self.grant_type_authorization_code {
grant_types.push(GrantType::AuthorizationCode);
}
if self.grant_type_refresh_token {
grant_types.push(GrantType::RefreshToken);
}
let logo_uri = self
.logo_uri
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseUrl {
field: "logo_uri",
source,
})?;
let client_uri = self
.client_uri
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseUrl {
field: "client_uri",
source,
})?;
let policy_uri = self
.policy_uri
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseUrl {
field: "policy_uri",
source,
})?;
let tos_uri = self
.tos_uri
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseUrl {
field: "tos_uri",
source,
})?;
let id_token_signed_response_alg = self
.id_token_signed_response_alg
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseField {
field: "id_token_signed_response_alg",
source,
})?;
let token_endpoint_auth_method = self
.token_endpoint_auth_method
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseField {
field: "token_endpoint_auth_method",
source,
})?;
let token_endpoint_auth_signing_alg = self
.token_endpoint_auth_signing_alg
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseField {
field: "token_endpoint_auth_signing_alg",
source,
})?;
let initiate_login_uri = self
.initiate_login_uri
.map(|s| s.parse())
.transpose()
.map_err(|source| ClientFetchError::ParseUrl {
field: "initiate_login_uri",
source,
})?;
let jwks = match (self.jwks, self.jwks_uri) {
(None, None) => None,
(Some(jwks), None) => {
let jwks = serde_json::from_value(jwks).map_err(ClientFetchError::MalformedJwks)?;
Some(JwksOrJwksUri::Jwks(jwks))
}
(None, Some(jwks_uri)) => {
let jwks_uri = jwks_uri
.parse()
.map_err(|source| ClientFetchError::ParseUrl {
field: "jwks_uri",
source,
})?;
Some(JwksOrJwksUri::JwksUri(jwks_uri))
}
_ => return Err(ClientFetchError::BothJwksAndJwksUri),
};
Ok(Client {
data: self.id,
client_id: self.client_id,
encrypted_client_secret: self.encrypted_client_secret,
redirect_uris,
response_types,
grant_types,
contacts: self.contacts,
client_name: self.client_name,
logo_uri,
client_uri,
policy_uri,
tos_uri,
jwks,
id_token_signed_response_alg,
token_endpoint_auth_method,
token_endpoint_auth_signing_alg,
initiate_login_uri,
})
}
}
pub async fn lookup_client(
executor: impl PgExecutor<'_>,
id: i64,
) -> Result<Client<PostgresqlBackend>, ClientFetchError> {
let res = sqlx::query_as!(
OAuth2ClientLookup,
r#"
SELECT
c.id,
c.client_id,
c.encrypted_client_secret,
ARRAY(SELECT redirect_uri FROM oauth2_client_redirect_uris r WHERE r.oauth2_client_id = c.id) AS "redirect_uris!",
c.response_types,
c.grant_type_authorization_code,
c.grant_type_refresh_token,
c.contacts,
c.client_name,
c.logo_uri,
c.client_uri,
c.policy_uri,
c.tos_uri,
c.jwks_uri,
c.jwks,
c.id_token_signed_response_alg,
c.token_endpoint_auth_method,
c.token_endpoint_auth_signing_alg,
c.initiate_login_uri
FROM oauth2_clients c
WHERE c.id = $1
"#,
id,
)
.fetch_one(executor)
.await?;
let client = res.try_into()?;
Ok(client)
}
pub async fn lookup_client_by_client_id(
executor: impl PgExecutor<'_>,
client_id: &str,
) -> Result<Client<PostgresqlBackend>, ClientFetchError> {
let res = sqlx::query_as!(
OAuth2ClientLookup,
r#"
SELECT
c.id,
c.client_id,
c.encrypted_client_secret,
ARRAY(SELECT redirect_uri FROM oauth2_client_redirect_uris r WHERE r.oauth2_client_id = c.id) AS "redirect_uris!",
c.response_types,
c.grant_type_authorization_code,
c.grant_type_refresh_token,
c.contacts,
c.client_name,
c.logo_uri,
c.client_uri,
c.policy_uri,
c.tos_uri,
c.jwks_uri,
c.jwks,
c.id_token_signed_response_alg,
c.token_endpoint_auth_method,
c.token_endpoint_auth_signing_alg,
c.initiate_login_uri
FROM oauth2_clients c
WHERE c.client_id = $1
"#,
client_id,
)
.fetch_one(executor)
.await?;
let client = res.try_into()?;
Ok(client)
}
pub async fn insert_client_from_config(
conn: &mut PgConnection,
client_id: &str,
client_auth_method: OAuthClientAuthenticationMethod,
encrypted_client_secret: Option<&str>,
jwks: Option<&JsonWebKeySet>,
jwks_uri: Option<&Url>,
redirect_uris: &[Url],
) -> anyhow::Result<()> {
let response_types = vec![
OAuthAuthorizationEndpointResponseType::Code.to_string(),
OAuthAuthorizationEndpointResponseType::CodeIdToken.to_string(),
OAuthAuthorizationEndpointResponseType::CodeIdTokenToken.to_string(),
OAuthAuthorizationEndpointResponseType::CodeToken.to_string(),
OAuthAuthorizationEndpointResponseType::IdToken.to_string(),
OAuthAuthorizationEndpointResponseType::IdTokenToken.to_string(),
OAuthAuthorizationEndpointResponseType::None.to_string(),
OAuthAuthorizationEndpointResponseType::Token.to_string(),
];
let jwks = jwks.map(serde_json::to_value).transpose()?;
let jwks_uri = jwks_uri.map(Url::as_str);
let client_auth_method = client_auth_method.to_string();
let id = sqlx::query_scalar!(
r#"
INSERT INTO oauth2_clients
(client_id,
encrypted_client_secret,
response_types,
grant_type_authorization_code,
grant_type_refresh_token,
token_endpoint_auth_method,
jwks,
jwks_uri,
contacts)
VALUES
($1, $2, $3, $4, $5, $6, $7, $8, '{}')
RETURNING id
"#,
client_id,
encrypted_client_secret,
&response_types,
true,
true,
client_auth_method,
jwks,
jwks_uri,
)
.fetch_one(&mut *conn)
.await?;
let redirect_uris: Vec<String> = redirect_uris.iter().map(ToString::to_string).collect();
sqlx::query!(
r#"
INSERT INTO oauth2_client_redirect_uris (oauth2_client_id, redirect_uri)
SELECT $1, uri FROM UNNEST($2::text[]) uri
"#,
id,
&redirect_uris,
)
.execute(&mut *conn)
.await?;
Ok(())
}
pub async fn truncate_clients(executor: impl PgExecutor<'_>) -> anyhow::Result<()> {
sqlx::query!("TRUNCATE oauth2_client_redirect_uris, oauth2_clients")
.execute(executor)
.await?;
Ok(())
}

1
crates/storage/src/oauth2/mod.rs
View File

@ -19,6 +19,7 @@ use crate::PostgresqlBackend;
pub mod access_token;
pub mod authorization_grant;
pub mod client;
pub mod refresh_token;
pub async fn end_oauth_session(

15
crates/storage/src/oauth2/refresh_token.rs
View File

@ -15,12 +15,13 @@
use anyhow::Context;
use chrono::{DateTime, Duration, Utc};
use mas_data_model::{
AccessToken, Authentication, BrowserSession, Client, RefreshToken, Session, User, UserEmail,
AccessToken, Authentication, BrowserSession, RefreshToken, Session, User, UserEmail,
};
use sqlx::PgExecutor;
use sqlx::{PgConnection, PgExecutor};
use thiserror::Error;
use warp::reject::Reject;
use super::client::{lookup_client_by_client_id, ClientFetchError};
use crate::{DatabaseInconsistencyError, IdAndCreationTime, PostgresqlBackend};
pub async fn add_refresh_token(
@ -82,6 +83,7 @@ struct OAuth2RefreshTokenLookup {
#[error("could not lookup refresh token")]
pub enum RefreshTokenLookupError {
Fetch(#[from] sqlx::Error),
ClientFetch(#[from] ClientFetchError),
Conversion(#[from] DatabaseInconsistencyError),
}
@ -96,7 +98,7 @@ impl RefreshTokenLookupError {
#[allow(clippy::too_many_lines)]
pub async fn lookup_active_refresh_token(
executor: impl PgExecutor<'_>,
conn: &mut PgConnection,
token: &str,
) -> Result<(RefreshToken<PostgresqlBackend>, Session<PostgresqlBackend>), RefreshTokenLookupError>
{
@ -148,7 +150,7 @@ pub async fn lookup_active_refresh_token(
"#,
token,
)
.fetch_one(executor)
.fetch_one(&mut *conn)
.await?;
let access_token = match (
@ -175,10 +177,7 @@ pub async fn lookup_active_refresh_token(
access_token,
};
let client = Client {
data: (),
client_id: res.client_id,
};
let client = lookup_client_by_client_id(&mut *conn, &res.client_id).await?;
let primary_email = match (
res.user_email_id,