matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-11-20 12:02:22 +03:00
Code Activity

handlers: remove most usage of anyhow

Browse Source
This commit is contained in:
Quentin Gliech
2022-12-08 12:46:56 +01:00
parent a836cc864a
commit 68890b7291
24 changed files with 100 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
crates/handlers/src/compat/login.rs
View File

@@ -129,9 +129,6 @@ pub enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
#[error("unsupported login method")] #[error("unsupported login method")]
Unsupported, Unsupported,
@@ -151,7 +148,7 @@ impl_from_error_for_route!(mas_storage::DatabaseError);
impl IntoResponse for RouteError { impl IntoResponse for RouteError {
fn into_response(self) -> axum::response::Response { fn into_response(self) -> axum::response::Response {
match self { match self {
Self::Internal(_) | Self::Anyhow(_) => MatrixError { Self::Internal(_) => MatrixError {
errcode: "M_UNKNOWN", errcode: "M_UNKNOWN",
error: "Internal server error", error: "Internal server error",
status: StatusCode::INTERNAL_SERVER_ERROR, status: StatusCode::INTERNAL_SERVER_ERROR,
@@ -187,7 +184,7 @@ pub(crate) async fn post(
State(homeserver): State<MatrixHomeserver>, State(homeserver): State<MatrixHomeserver>,
Json(input): Json<RequestBody>, Json(input): Json<RequestBody>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let session = match input.credentials { let session = match input.credentials {
Credentials::Password { Credentials::Password {
@@ -302,7 +299,7 @@ async fn user_password_login(
username: String, username: String,
password: String, password: String,
) -> Result<CompatSession, RouteError> { ) -> Result<CompatSession, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let device = Device::generate(&mut rng); let device = Device::generate(&mut rng);
let session = compat_login(txn, &mut rng, &clock, &username, &password, device) let session = compat_login(txn, &mut rng, &clock, &username, &password, device)

4
crates/handlers/src/compat/login_sso_complete.rs
View File

@@ -56,7 +56,7 @@ pub async fn get(
Path(id): Path<Ulid>, Path(id): Path<Ulid>,
Query(params): Query<Params>, Query(params): Query<Params>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (session_info, cookie_jar) = cookie_jar.session_info(); let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -124,7 +124,7 @@ pub async fn post(
Query(params): Query<Params>, Query(params): Query<Params>,
Form(form): Form<ProtectedForm<()>>, Form(form): Form<ProtectedForm<()>>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let (session_info, cookie_jar) = cookie_jar.session_info(); let (session_info, cookie_jar) = cookie_jar.session_info();

13
crates/handlers/src/compat/login_sso_redirect.rs
View File

@@ -27,6 +27,8 @@ use sqlx::PgPool;
use thiserror::Error; use thiserror::Error;
use url::Url; use url::Url;
use crate::impl_from_error_for_route;
#[derive(Debug, Deserialize)] #[derive(Debug, Deserialize)]
pub struct Params { pub struct Params {
#[serde(rename = "redirectUrl")] #[serde(rename = "redirectUrl")]
@@ -39,9 +41,6 @@ pub enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
#[error("missing redirect_url")] #[error("missing redirect_url")]
MissingRedirectUrl, MissingRedirectUrl,
@@ -49,11 +48,7 @@ pub enum RouteError {
InvalidRedirectUrl, InvalidRedirectUrl,
} }
impl From<sqlx::Error> for RouteError { impl_from_error_for_route!(sqlx::Error);
fn from(e: sqlx::Error) -> Self {
Self::Internal(Box::new(e))
}
}
impl IntoResponse for RouteError { impl IntoResponse for RouteError {
fn into_response(self) -> axum::response::Response { fn into_response(self) -> axum::response::Response {
@@ -67,7 +62,7 @@ pub async fn get(
State(url_builder): State<UrlBuilder>, State(url_builder): State<UrlBuilder>,
Query(params): Query<Params>, Query(params): Query<Params>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
// Check the redirectUrl parameter // Check the redirectUrl parameter
let redirect_url = params.redirect_url.ok_or(RouteError::MissingRedirectUrl)?; let redirect_url = params.redirect_url.ok_or(RouteError::MissingRedirectUrl)?;

43
crates/handlers/src/compat/logout.rs
View File

@@ -15,19 +15,34 @@
use axum::{extract::State, response::IntoResponse, Json, TypedHeader}; use axum::{extract::State, response::IntoResponse, Json, TypedHeader};
use headers::{authorization::Bearer, Authorization}; use headers::{authorization::Bearer, Authorization};
use hyper::StatusCode; use hyper::StatusCode;
use mas_data_model::{TokenFormatError, TokenType}; use mas_data_model::TokenType;
use mas_storage::{compat::compat_logout, Clock}; use mas_storage::{compat::compat_logout, Clock, LookupError};
use sqlx::PgPool; use sqlx::PgPool;
use thiserror::Error;
use super::MatrixError; use super::MatrixError;
use crate::impl_from_error_for_route;
#[derive(Error, Debug)]
pub enum RouteError { pub enum RouteError {
#[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
#[error("Missing access token")]
MissingAuthorization, MissingAuthorization,
#[error("Invalid token format")]
TokenFormat(#[from] mas_data_model::TokenFormatError),
#[error("Invalid access token")]
InvalidAuthorization, InvalidAuthorization,
#[error("Logout failed")]
LogoutFailed, LogoutFailed,
} }
impl_from_error_for_route!(sqlx::Error);
impl IntoResponse for RouteError { impl IntoResponse for RouteError {
fn into_response(self) -> axum::response::Response { fn into_response(self) -> axum::response::Response {
match self { match self {
@@ -41,7 +56,7 @@ impl IntoResponse for RouteError {
error: "Missing access token", error: "Missing access token",
status: StatusCode::UNAUTHORIZED, status: StatusCode::UNAUTHORIZED,
}, },
Self::InvalidAuthorization | Self::LogoutFailed => MatrixError { Self::InvalidAuthorization | Self::LogoutFailed | Self::TokenFormat(_) => MatrixError {
errcode: "M_UNKNOWN_TOKEN", errcode: "M_UNKNOWN_TOKEN",
error: "Invalid access token", error: "Invalid access token",
status: StatusCode::UNAUTHORIZED, status: StatusCode::UNAUTHORIZED,
@@ -51,18 +66,6 @@ impl IntoResponse for RouteError {
} }
} }
impl From<sqlx::Error> for RouteError {
fn from(e: sqlx::Error) -> Self {
Self::Internal(Box::new(e))
}
}
impl From<TokenFormatError> for RouteError {
fn from(_e: TokenFormatError) -> Self {
Self::InvalidAuthorization
}
}
pub(crate) async fn post( pub(crate) async fn post(
State(pool): State<PgPool>, State(pool): State<PgPool>,
maybe_authorization: Option<TypedHeader<Authorization<Bearer>>>, maybe_authorization: Option<TypedHeader<Authorization<Bearer>>>,
@@ -79,9 +82,13 @@ pub(crate) async fn post(
return Err(RouteError::InvalidAuthorization); return Err(RouteError::InvalidAuthorization);
} }
compat_logout(&mut conn, &clock, token) compat_logout(&mut conn, &clock, token).await.map_err(|e| {
.await if e.not_found() {
.map_err(|_| RouteError::LogoutFailed)?; RouteError::LogoutFailed
} else {
RouteError::Internal(Box::new(e))
}
})?;
Ok(Json(serde_json::json!({}))) Ok(Json(serde_json::json!({})))
} }

7
crates/handlers/src/compat/refresh.rs
View File

@@ -38,9 +38,6 @@ pub enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
#[error("invalid token")] #[error("invalid token")]
InvalidToken, InvalidToken,
} }
@@ -48,7 +45,7 @@ pub enum RouteError {
impl IntoResponse for RouteError { impl IntoResponse for RouteError {
fn into_response(self) -> axum::response::Response { fn into_response(self) -> axum::response::Response {
match self { match self {
Self::Internal(_) | Self::Anyhow(_) => MatrixError { Self::Internal(_) => MatrixError {
errcode: "M_UNKNOWN", errcode: "M_UNKNOWN",
error: "Internal error", error: "Internal error",
status: StatusCode::INTERNAL_SERVER_ERROR, status: StatusCode::INTERNAL_SERVER_ERROR,
@@ -85,7 +82,7 @@ pub(crate) async fn post(
State(pool): State<PgPool>, State(pool): State<PgPool>,
Json(input): Json<RequestBody>, Json(input): Json<RequestBody>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let token_type = TokenType::check(&input.refresh_token)?; let token_type = TokenType::check(&input.refresh_token)?;

8
crates/handlers/src/lib.rs
View File

@@ -26,7 +26,6 @@
use std::{convert::Infallible, sync::Arc, time::Duration}; use std::{convert::Infallible, sync::Arc, time::Duration};
use anyhow::Context;
use axum::{ use axum::{
body::{Bytes, HttpBody}, body::{Bytes, HttpBody},
extract::FromRef, extract::FromRef,
@@ -402,13 +401,14 @@ async fn test_state(pool: PgPool) -> Result<AppState, anyhow::Error> {
} }
// XXX: that should be moved somewhere else // XXX: that should be moved somewhere else
fn rng_and_clock() -> Result<(mas_storage::Clock, rand_chacha::ChaChaRng), anyhow::Error> { fn clock_and_rng() -> (mas_storage::Clock, rand_chacha::ChaChaRng) {
let clock = mas_storage::Clock::default(); let clock = mas_storage::Clock::default();
// This rng is used to source the local rng // This rng is used to source the local rng
#[allow(clippy::disallowed_methods)] #[allow(clippy::disallowed_methods)]
let rng = rand::thread_rng(); let rng = rand::thread_rng();
let rng = rand_chacha::ChaChaRng::from_rng(rng).context("Failed to seed RNG")?; let rng = rand_chacha::ChaChaRng::from_rng(rng).expect("Failed to seed RNG");
Ok((clock, rng))
(clock, rng)
} }

3
crates/handlers/src/oauth2/authorization/complete.rs
View File

@@ -44,6 +44,7 @@ pub enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
// TODO: remove this one: needed because mas_policy returns errors from anyhow
#[error(transparent)] #[error(transparent)]
Anyhow(#[from] anyhow::Error), Anyhow(#[from] anyhow::Error),
@@ -160,7 +161,7 @@ pub(crate) async fn complete(
policy_factory: &PolicyFactory, policy_factory: &PolicyFactory,
mut txn: Transaction<'_, Postgres>, mut txn: Transaction<'_, Postgres>,
) -> Result<AuthorizationResponse<Option<AccessTokenResponse>>, GrantCompletionError> { ) -> Result<AuthorizationResponse<Option<AccessTokenResponse>>, GrantCompletionError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
// Verify that the grant is in a pending stage // Verify that the grant is in a pending stage
if !grant.stage.is_pending() { if !grant.stage.is_pending() {

3
crates/handlers/src/oauth2/authorization/mod.rs
View File

@@ -52,6 +52,7 @@ pub enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
// TODO: remove this one
#[error(transparent)] #[error(transparent)]
Anyhow(#[from] anyhow::Error), Anyhow(#[from] anyhow::Error),
@@ -135,7 +136,7 @@ pub(crate) async fn get(
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
Form(params): Form<Params>, Form(params): Form<Params>,
) -> Result<Response, RouteError> { ) -> Result<Response, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
// First, figure out what client it is // First, figure out what client it is

5
crates/handlers/src/oauth2/consent.rs
View File

@@ -44,6 +44,7 @@ pub enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync>), Internal(Box<dyn std::error::Error + Send + Sync>),
// TODO: remove this one, needed because of mas_policy
#[error(transparent)] #[error(transparent)]
Anyhow(#[from] anyhow::Error), Anyhow(#[from] anyhow::Error),
@@ -77,7 +78,7 @@ pub(crate) async fn get(
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
Path(grant_id): Path<Ulid>, Path(grant_id): Path<Ulid>,
) -> Result<Response, RouteError> { ) -> Result<Response, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (session_info, cookie_jar) = cookie_jar.session_info(); let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -130,7 +131,7 @@ pub(crate) async fn post(
Path(grant_id): Path<Ulid>, Path(grant_id): Path<Ulid>,
Form(form): Form<ProtectedForm<()>>, Form(form): Form<ProtectedForm<()>>,
) -> Result<Response, RouteError> { ) -> Result<Response, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
cookie_jar.verify_form(clock.now(), form)?; cookie_jar.verify_form(clock.now(), form)?;

11
crates/handlers/src/oauth2/registration.rs
View File

@@ -32,11 +32,14 @@ use thiserror::Error;
use tracing::info; use tracing::info;
use ulid::Ulid; use ulid::Ulid;
use crate::impl_from_error_for_route;
#[derive(Debug, Error)] #[derive(Debug, Error)]
pub(crate) enum RouteError { pub(crate) enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync>), Internal(Box<dyn std::error::Error + Send + Sync>),
// TODO: remove this, needed because of mas_policy
#[error(transparent)] #[error(transparent)]
Anyhow(#[from] anyhow::Error), Anyhow(#[from] anyhow::Error),
@@ -50,11 +53,7 @@ pub(crate) enum RouteError {
PolicyDenied(Vec<Violation>), PolicyDenied(Vec<Violation>),
} }
impl From<sqlx::Error> for RouteError { impl_from_error_for_route!(sqlx::Error);
fn from(e: sqlx::Error) -> Self {
Self::Internal(Box::new(e))
}
}
impl From<ClientMetadataVerificationError> for RouteError { impl From<ClientMetadataVerificationError> for RouteError {
fn from(e: ClientMetadataVerificationError) -> Self { fn from(e: ClientMetadataVerificationError) -> Self {
@@ -113,7 +112,7 @@ pub(crate) async fn post(
State(encrypter): State<Encrypter>, State(encrypter): State<Encrypter>,
Json(body): Json<ClientMetadata>, Json(body): Json<ClientMetadata>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
info!(?body, "Client registration"); info!(?body, "Client registration");
// Validate the body // Validate the body

27
crates/handlers/src/oauth2/token.rs
View File

@@ -14,7 +14,6 @@
use std::collections::HashMap; use std::collections::HashMap;
use anyhow::Context;
use axum::{extract::State, response::IntoResponse, Json}; use axum::{extract::State, response::IntoResponse, Json};
use chrono::{DateTime, Duration, Utc}; use chrono::{DateTime, Duration, Utc};
use headers::{CacheControl, HeaderMap, HeaderMapExt, Pragma}; use headers::{CacheControl, HeaderMap, HeaderMapExt, Pragma};
@@ -32,14 +31,11 @@ use mas_jose::{
}; };
use mas_keystore::{Encrypter, Keystore}; use mas_keystore::{Encrypter, Keystore};
use mas_router::UrlBuilder; use mas_router::UrlBuilder;
use mas_storage::{ use mas_storage::oauth2::{
oauth2::{
access_token::{add_access_token, revoke_access_token}, access_token::{add_access_token, revoke_access_token},
authorization_grant::{exchange_grant, lookup_grant_by_code}, authorization_grant::{exchange_grant, lookup_grant_by_code},
end_oauth_session, end_oauth_session,
refresh_token::{add_refresh_token, consume_refresh_token, lookup_active_refresh_token}, refresh_token::{add_refresh_token, consume_refresh_token, lookup_active_refresh_token},
},
DatabaseInconsistencyError,
}; };
use oauth2_types::{ use oauth2_types::{
errors::{ClientError, ClientErrorCode}, errors::{ClientError, ClientErrorCode},
@@ -80,9 +76,6 @@ pub(crate) enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
#[error("bad request")] #[error("bad request")]
BadRequest, BadRequest,
@@ -106,12 +99,15 @@ pub(crate) enum RouteError {
#[error("unauthorized client")] #[error("unauthorized client")]
UnauthorizedClient, UnauthorizedClient,
#[error("no suitable key found for signing")]
InvalidSigningKey,
} }
impl IntoResponse for RouteError { impl IntoResponse for RouteError {
fn into_response(self) -> axum::response::Response { fn into_response(self) -> axum::response::Response {
match self { match self {
Self::Internal(_) | Self::Anyhow(_) => ( Self::Internal(_) | Self::InvalidSigningKey => (
StatusCode::INTERNAL_SERVER_ERROR, StatusCode::INTERNAL_SERVER_ERROR,
Json(ClientError::from(ClientErrorCode::ServerError)), Json(ClientError::from(ClientErrorCode::ServerError)),
), ),
@@ -206,7 +202,7 @@ async fn authorization_code_grant(
url_builder: &UrlBuilder, url_builder: &UrlBuilder,
mut txn: Transaction<'_, Postgres>, mut txn: Transaction<'_, Postgres>,
) -> Result<AccessTokenResponse, RouteError> { ) -> Result<AccessTokenResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
// TODO: there is a bunch of unnecessary cloning here // TODO: there is a bunch of unnecessary cloning here
// TODO: handle "not found" cases // TODO: handle "not found" cases
@@ -255,10 +251,7 @@ async fn authorization_code_grant(
}; };
// This should never happen, since we looked up in the database using the code // This should never happen, since we looked up in the database using the code
let code = authz_grant let code = authz_grant.code.as_ref().ok_or(RouteError::InvalidGrant)?;
.code
.as_ref()
.ok_or_else(|| anyhow::anyhow!(DatabaseInconsistencyError))?;
if client.client_id != session.client.client_id { if client.client_id != session.client.client_id {
return Err(RouteError::UnauthorizedClient); return Err(RouteError::UnauthorizedClient);
@@ -322,14 +315,14 @@ async fn authorization_code_grant(
.unwrap_or(JsonWebSignatureAlg::Rs256); .unwrap_or(JsonWebSignatureAlg::Rs256);
let key = key_store let key = key_store
.signing_key_for_algorithm(&alg) .signing_key_for_algorithm(&alg)
.context("no suitable key found")?; .ok_or(RouteError::InvalidSigningKey)?;
claims::AT_HASH.insert(&mut claims, hash_token(&alg, &access_token_str)?)?; claims::AT_HASH.insert(&mut claims, hash_token(&alg, &access_token_str)?)?;
claims::C_HASH.insert(&mut claims, hash_token(&alg, &grant.code)?)?; claims::C_HASH.insert(&mut claims, hash_token(&alg, &grant.code)?)?;
let signer = key.params().signing_key_for_alg(&alg)?; let signer = key.params().signing_key_for_alg(&alg)?;
let header = JsonWebSignatureHeader::new(alg) let header = JsonWebSignatureHeader::new(alg)
.with_kid(key.kid().context("key has no `kid` for some reason")?); .with_kid(key.kid().ok_or(RouteError::InvalidSigningKey)?);
let id_token = Jwt::sign_with_rng(&mut rng, header, claims, &signer)?; let id_token = Jwt::sign_with_rng(&mut rng, header, claims, &signer)?;
Some(id_token.as_str().to_owned()) Some(id_token.as_str().to_owned())
@@ -358,7 +351,7 @@ async fn refresh_token_grant(
client: &Client, client: &Client,
mut txn: Transaction<'_, Postgres>, mut txn: Transaction<'_, Postgres>,
) -> Result<AccessTokenResponse, RouteError> { ) -> Result<AccessTokenResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let (refresh_token, session) = lookup_active_refresh_token(&mut txn, &grant.refresh_token) let (refresh_token, session) = lookup_active_refresh_token(&mut txn, &grant.refresh_token)
.await? .await?

42
crates/handlers/src/oauth2/userinfo.rs
View File

@@ -12,7 +12,6 @@
// See the License for the specific language governing permissions and // See the License for the specific language governing permissions and
// limitations under the License. // limitations under the License.
use anyhow::Context;
use axum::{ use axum::{
extract::State, extract::State,
response::{IntoResponse, Response}, response::{IntoResponse, Response},
@@ -35,6 +34,8 @@ use serde_with::skip_serializing_none;
use sqlx::PgPool; use sqlx::PgPool;
use thiserror::Error; use thiserror::Error;
use crate::impl_from_error_for_route;
#[skip_serializing_none] #[skip_serializing_none]
#[derive(Serialize)] #[derive(Serialize)]
struct UserInfo { struct UserInfo {
@@ -57,48 +58,35 @@ pub enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>), Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
#[error("failed to authenticate")] #[error("failed to authenticate")]
AuthorizationVerificationError(#[from] AuthorizationVerificationError), AuthorizationVerificationError(#[from] AuthorizationVerificationError),
#[error("no suitable key found for signing")]
InvalidSigningKey,
} }
impl_from_error_for_route!(sqlx::Error);
impl_from_error_for_route!(mas_keystore::WrongAlgorithmError);
impl_from_error_for_route!(mas_jose::jwt::JwtSignatureError);
impl IntoResponse for RouteError { impl IntoResponse for RouteError {
fn into_response(self) -> axum::response::Response { fn into_response(self) -> axum::response::Response {
match self { match self {
Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(), Self::Internal(_) | Self::InvalidSigningKey => {
Self::Anyhow(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(), (StatusCode::INTERNAL_SERVER_ERROR, self.to_string()).into_response()
}
Self::AuthorizationVerificationError(_e) => StatusCode::UNAUTHORIZED.into_response(), Self::AuthorizationVerificationError(_e) => StatusCode::UNAUTHORIZED.into_response(),
} }
} }
} }
impl From<sqlx::Error> for RouteError {
fn from(e: sqlx::Error) -> Self {
Self::Internal(Box::new(e))
}
}
impl From<mas_keystore::WrongAlgorithmError> for RouteError {
fn from(e: mas_keystore::WrongAlgorithmError) -> Self {
Self::Internal(Box::new(e))
}
}
impl From<mas_jose::jwt::JwtSignatureError> for RouteError {
fn from(e: mas_jose::jwt::JwtSignatureError) -> Self {
Self::Internal(Box::new(e))
}
}
pub async fn get( pub async fn get(
State(url_builder): State<UrlBuilder>, State(url_builder): State<UrlBuilder>,
State(pool): State<PgPool>, State(pool): State<PgPool>,
State(key_store): State<Keystore>, State(key_store): State<Keystore>,
user_authorization: UserAuthorization, user_authorization: UserAuthorization,
) -> Result<Response, RouteError> { ) -> Result<Response, RouteError> {
let (_clock, mut rng) = crate::rng_and_clock()?; let (_clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let session = user_authorization.protected(&mut conn).await?; let session = user_authorization.protected(&mut conn).await?;
@@ -121,11 +109,11 @@ pub async fn get(
if let Some(alg) = session.client.userinfo_signed_response_alg { if let Some(alg) = session.client.userinfo_signed_response_alg {
let key = key_store let key = key_store
.signing_key_for_algorithm(&alg) .signing_key_for_algorithm(&alg)
.context("no suitable key found")?; .ok_or(RouteError::InvalidSigningKey)?;
let signer = key.params().signing_key_for_alg(&alg)?; let signer = key.params().signing_key_for_alg(&alg)?;
let header = JsonWebSignatureHeader::new(alg) let header = JsonWebSignatureHeader::new(alg)
.with_kid(key.kid().context("key has no `kid` for some reason")?); .with_kid(key.kid().ok_or(RouteError::InvalidSigningKey)?);
let user_info = SignedUserInfo { let user_info = SignedUserInfo {
iss: url_builder.oidc_issuer().to_string(), iss: url_builder.oidc_issuer().to_string(),

8
crates/handlers/src/upstream_oauth2/authorize.rs
View File

@@ -37,9 +37,6 @@ pub(crate) enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error>), Internal(Box<dyn std::error::Error>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
} }
impl_from_error_for_route!(sqlx::Error); impl_from_error_for_route!(sqlx::Error);
@@ -53,9 +50,6 @@ impl IntoResponse for RouteError {
match self { match self {
Self::ProviderNotFound => (StatusCode::NOT_FOUND, "Provider not found").into_response(), Self::ProviderNotFound => (StatusCode::NOT_FOUND, "Provider not found").into_response(),
Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(), Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(),
Self::Anyhow(e) => {
(StatusCode::INTERNAL_SERVER_ERROR, format!("{e:?}")).into_response()
}
} }
} }
} }
@@ -68,7 +62,7 @@ pub(crate) async fn get(
Path(provider_id): Path<Ulid>, Path(provider_id): Path<Ulid>,
Query(query): Query<OptionalPostAuthAction>, Query(query): Query<OptionalPostAuthAction>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;

8
crates/handlers/src/upstream_oauth2/callback.rs
View File

@@ -90,9 +90,6 @@ pub(crate) enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error>), Internal(Box<dyn std::error::Error>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
} }
impl_from_error_for_route!(mas_storage::DatabaseError); impl_from_error_for_route!(mas_storage::DatabaseError);
@@ -109,9 +106,6 @@ impl IntoResponse for RouteError {
match self { match self {
Self::SessionNotFound => (StatusCode::NOT_FOUND, "Session not found").into_response(), Self::SessionNotFound => (StatusCode::NOT_FOUND, "Session not found").into_response(),
Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(), Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(),
Self::Anyhow(e) => {
(StatusCode::INTERNAL_SERVER_ERROR, format!("{e:?}")).into_response()
}
e => (StatusCode::BAD_REQUEST, e.to_string()).into_response(), e => (StatusCode::BAD_REQUEST, e.to_string()).into_response(),
} }
} }
@@ -128,7 +122,7 @@ pub(crate) async fn get(
Path(provider_id): Path<Ulid>, Path(provider_id): Path<Ulid>,
Query(params): Query<QueryParams>, Query(params): Query<QueryParams>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;

10
crates/handlers/src/upstream_oauth2/link.rs
View File

@@ -67,9 +67,6 @@ pub(crate) enum RouteError {
#[error(transparent)] #[error(transparent)]
Internal(Box<dyn std::error::Error>), Internal(Box<dyn std::error::Error>),
#[error(transparent)]
Anyhow(#[from] anyhow::Error),
} }
impl_from_error_for_route!(sqlx::Error); impl_from_error_for_route!(sqlx::Error);
@@ -84,9 +81,6 @@ impl IntoResponse for RouteError {
match self { match self {
Self::LinkNotFound => (StatusCode::NOT_FOUND, "Link not found").into_response(), Self::LinkNotFound => (StatusCode::NOT_FOUND, "Link not found").into_response(),
Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(), Self::Internal(e) => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(),
Self::Anyhow(e) => {
(StatusCode::INTERNAL_SERVER_ERROR, format!("{e:?}")).into_response()
}
e => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(), e => (StatusCode::INTERNAL_SERVER_ERROR, e.to_string()).into_response(),
} }
} }
@@ -107,7 +101,7 @@ pub(crate) async fn get(
Path(link_id): Path<Ulid>, Path(link_id): Path<Ulid>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar); let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar);
let (session_id, _post_auth_action) = sessions_cookie let (session_id, _post_auth_action) = sessions_cookie
@@ -204,7 +198,7 @@ pub(crate) async fn post(
Form(form): Form<ProtectedForm<FormData>>, Form(form): Form<ProtectedForm<FormData>>,
) -> Result<impl IntoResponse, RouteError> { ) -> Result<impl IntoResponse, RouteError> {
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let form = cookie_jar.verify_form(clock.now(), form)?; let form = cookie_jar.verify_form(clock.now(), form)?;
let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar); let sessions_cookie = UpstreamSessionsCookie::load(&cookie_jar);

4
crates/handlers/src/views/account/emails/add.rs
View File

@@ -42,7 +42,7 @@ pub(crate) async fn get(
State(pool): State<PgPool>, State(pool): State<PgPool>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.begin().await?; let mut conn = pool.begin().await?;
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng); let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng);
@@ -73,7 +73,7 @@ pub(crate) async fn post(
Query(query): Query<OptionalPostAuthAction>, Query(query): Query<OptionalPostAuthAction>,
Form(form): Form<ProtectedForm<EmailForm>>, Form(form): Form<ProtectedForm<EmailForm>>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let form = cookie_jar.verify_form(clock.now(), form)?; let form = cookie_jar.verify_form(clock.now(), form)?;

4
crates/handlers/src/views/account/emails/mod.rs
View File

@@ -57,7 +57,7 @@ pub(crate) async fn get(
State(pool): State<PgPool>, State(pool): State<PgPool>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
@@ -139,7 +139,7 @@ pub(crate) async fn post(
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
Form(form): Form<ProtectedForm<ManagementForm>>, Form(form): Form<ProtectedForm<ManagementForm>>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let (session_info, cookie_jar) = cookie_jar.session_info(); let (session_info, cookie_jar) = cookie_jar.session_info();

2
crates/handlers/src/views/account/emails/verify.rs
View File

@@ -50,7 +50,7 @@ pub(crate) async fn get(
Path(id): Path<Ulid>, Path(id): Path<Ulid>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng); let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng);

2
crates/handlers/src/views/account/mod.rs
View File

@@ -32,7 +32,7 @@ pub(crate) async fn get(
State(pool): State<PgPool>, State(pool): State<PgPool>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng); let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng);

4
crates/handlers/src/views/account/password.rs
View File

@@ -46,7 +46,7 @@ pub(crate) async fn get(
State(pool): State<PgPool>, State(pool): State<PgPool>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (session_info, cookie_jar) = cookie_jar.session_info(); let (session_info, cookie_jar) = cookie_jar.session_info();
@@ -85,7 +85,7 @@ pub(crate) async fn post(
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
Form(form): Form<ProtectedForm<ChangeForm>>, Form(form): Form<ProtectedForm<ChangeForm>>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let form = cookie_jar.verify_form(clock.now(), form)?; let form = cookie_jar.verify_form(clock.now(), form)?;

2
crates/handlers/src/views/index.rs
View File

@@ -29,7 +29,7 @@ pub async fn get(
State(pool): State<PgPool>, State(pool): State<PgPool>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<impl IntoResponse, FancyError> { ) -> Result<impl IntoResponse, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng); let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng);

4
crates/handlers/src/views/login.rs
View File

@@ -47,7 +47,7 @@ pub(crate) async fn get(
Query(query): Query<OptionalPostAuthAction>, Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng); let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng);
@@ -80,7 +80,7 @@ pub(crate) async fn post(
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
Form(form): Form<ProtectedForm<LoginForm>>, Form(form): Form<ProtectedForm<LoginForm>>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let form = cookie_jar.verify_form(clock.now(), form)?; let form = cookie_jar.verify_form(clock.now(), form)?;

4
crates/handlers/src/views/reauth.rs
View File

@@ -41,7 +41,7 @@ pub(crate) async fn get(
Query(query): Query<OptionalPostAuthAction>, Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng); let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng);
@@ -81,7 +81,7 @@ pub(crate) async fn post(
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
Form(form): Form<ProtectedForm<ReauthForm>>, Form(form): Form<ProtectedForm<ReauthForm>>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let form = cookie_jar.verify_form(clock.now(), form)?; let form = cookie_jar.verify_form(clock.now(), form)?;

4
crates/handlers/src/views/register.rs
View File

@@ -63,7 +63,7 @@ pub(crate) async fn get(
Query(query): Query<OptionalPostAuthAction>, Query(query): Query<OptionalPostAuthAction>,
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut conn = pool.acquire().await?; let mut conn = pool.acquire().await?;
let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng); let (csrf_token, cookie_jar) = cookie_jar.csrf_token(clock.now(), &mut rng);
@@ -98,7 +98,7 @@ pub(crate) async fn post(
cookie_jar: PrivateCookieJar<Encrypter>, cookie_jar: PrivateCookieJar<Encrypter>,
Form(form): Form<ProtectedForm<RegisterForm>>, Form(form): Form<ProtectedForm<RegisterForm>>,
) -> Result<Response, FancyError> { ) -> Result<Response, FancyError> {
let (clock, mut rng) = crate::rng_and_clock()?; let (clock, mut rng) = crate::clock_and_rng();
let mut txn = pool.begin().await?; let mut txn = pool.begin().await?;
let form = cookie_jar.verify_form(clock.now(), form)?; let form = cookie_jar.verify_form(clock.now(), form)?;