Move secrets and oauth2 clients config

2025-11-21 23:00:50 +03:00 · 2022-02-01 09:34:18 +01:00
parent c0e5b66ea4
commit 7e24cd0948
30 changed files with 462 additions and 454 deletions
--- a/crates/handlers/src/oauth2/authorization.rs
+++ b/crates/handlers/src/oauth2/authorization.rs
@@ -20,7 +20,7 @@ use hyper::{
    http::uri::{Parts, PathAndQuery, Uri},
    StatusCode,
 };
-use mas_config::{CookiesConfig, OAuth2ClientConfig, OAuth2Config};
+use mas_config::{ClientsConfig, Encrypter};
 use mas_data_model::{
    Authentication, AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, BrowserSession,
    Pkce, StorageBackend, TokenType,
@@ -215,33 +215,34 @@ fn resolve_response_mode(
 pub fn filter(
    pool: &PgPool,
    templates: &Templates,
-    oauth2_config: &OAuth2Config,
-    cookies_config: &CookiesConfig,
+    encrypter: &Encrypter,
+    clients_config: &ClientsConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
-    let clients = oauth2_config.clients.clone();
+    let clients_config = clients_config.clone();
+    let clients_config_2 = clients_config.clone();
+
    let authorize = warp::path!("oauth2" / "authorize")
        .and(warp::get())
-        .map(move || clients.clone())
+        .map(move || clients_config.clone())
        .and(warp::query())
-        .and(optional_session(pool, cookies_config))
+        .and(optional_session(pool, encrypter))
        .and(transaction(pool))
        .and_then(get);

    let step = warp::path!("oauth2" / "authorize" / "step")
        .and(warp::get())
        .and(warp::query())
-        .and(session(pool, cookies_config))
+        .and(session(pool, encrypter))
        .and(transaction(pool))
        .and_then(step);

-    let clients = oauth2_config.clients.clone();
    authorize
        .or(step)
        .unify()
        .recover(recover)
        .unify()
        .and(warp::query())
-        .and(warp::any().map(move || clients.clone()))
+        .and(warp::any().map(move || clients_config_2.clone()))
        .and(with_templates(templates))
        .and_then(actually_reply)
        .boxed()
@@ -258,7 +259,7 @@ async fn recover(rejection: Rejection) -> Result<ReplyOrBackToClient, Rejection>
 async fn actually_reply(
    rep: ReplyOrBackToClient,
    q: PartialParams,
-    clients: Vec<OAuth2ClientConfig>,
+    clients: ClientsConfig,
    templates: Templates,
 ) -> Result<Box<dyn Reply>, Rejection> {
    let (redirect_uri, response_mode, state, params) = match rep {
@@ -278,11 +279,8 @@ async fn actually_reply(
            } = q;

            // First, disover the client
-            let client = client_id.and_then(|client_id| {
-                clients
-                    .into_iter()
-                    .find(|client| client.client_id == client_id)
-            });
+            let client = client_id
+                .and_then(|client_id| clients.iter().find(|client| client.client_id == client_id));

            let client = match client {
                Some(client) => client,
@@ -314,7 +312,7 @@ async fn actually_reply(
 }

 async fn get(
-    clients: Vec<OAuth2ClientConfig>,
+    clients: ClientsConfig,
    params: Params,
    maybe_session: Option<BrowserSession<PostgresqlBackend>>,
    mut txn: Transaction<'_, Postgres>,
@@ -337,7 +335,7 @@ async fn get(

    // First, find out what client it is
    let client = clients
-        .into_iter()
+        .iter()
        .find(|client| client.client_id == params.auth.client_id)
        .ok_or_else(|| anyhow::anyhow!("could not find client"))
        .wrap_error()?;
--- a/crates/handlers/src/oauth2/introspection.rs
+++ b/crates/handlers/src/oauth2/introspection.rs
@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-use mas_config::{HttpConfig, OAuth2ClientConfig, OAuth2Config};
+use mas_config::{ClientConfig, ClientsConfig, HttpConfig};
 use mas_data_model::TokenType;
 use mas_iana::oauth::{OAuthClientAuthenticationMethod, OAuthTokenTypeHint};
 use mas_storage::oauth2::{
@@ -29,7 +29,7 @@ use warp::{filters::BoxedFilter, Filter, Rejection, Reply};

 pub fn filter(
    pool: &PgPool,
-    oauth2_config: &OAuth2Config,
+    clients_config: &ClientsConfig,
    http_config: &HttpConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
    let audience = UrlBuilder::from(http_config)
@@ -40,7 +40,7 @@ pub fn filter(
        .and(
            warp::post()
                .and(connection(pool))
-                .and(client_authentication(oauth2_config, audience))
+                .and(client_authentication(clients_config, audience))
                .and_then(introspect)
                .recover(recover)
                .unify(),
@@ -66,7 +66,7 @@ const INACTIVE: IntrospectionResponse = IntrospectionResponse {
 async fn introspect(
    mut conn: PoolConnection<Postgres>,
    auth: OAuthClientAuthenticationMethod,
-    client: OAuth2ClientConfig,
+    client: ClientConfig,
    params: IntrospectionRequest,
 ) -> Result<Box<dyn Reply>, Rejection> {
    // Token introspection is only allowed by confidential clients
--- a/crates/handlers/src/oauth2/mod.rs
+++ b/crates/handlers/src/oauth2/mod.rs
@@ -15,7 +15,7 @@
 use std::sync::Arc;

 use hyper::Method;
-use mas_config::{CookiesConfig, HttpConfig, OAuth2Config};
+use mas_config::{ClientsConfig, Encrypter, HttpConfig};
 use mas_jose::StaticKeystore;
 use mas_templates::Templates;
 use mas_warp_utils::filters::cors::cors;
@@ -40,16 +40,16 @@ pub fn filter(
    pool: &PgPool,
    templates: &Templates,
    key_store: &Arc<StaticKeystore>,
-    oauth2_config: &OAuth2Config,
+    encrypter: &Encrypter,
+    clients_config: &ClientsConfig,
    http_config: &HttpConfig,
-    cookies_config: &CookiesConfig,
 ) -> BoxedFilter<(impl Reply,)> {
    let discovery = discovery(key_store.as_ref(), http_config);
    let keys = keys(key_store);
-    let authorization = authorization(pool, templates, oauth2_config, cookies_config);
-    let userinfo = userinfo(pool, oauth2_config);
-    let introspection = introspection(pool, oauth2_config, http_config);
-    let token = token(pool, key_store, oauth2_config, http_config);
+    let authorization = authorization(pool, templates, encrypter, clients_config);
+    let userinfo = userinfo(pool);
+    let introspection = introspection(pool, clients_config, http_config);
+    let token = token(pool, key_store, clients_config, http_config);

    let filter = discovery
        .or(keys)
--- a/crates/handlers/src/oauth2/token.rs
+++ b/crates/handlers/src/oauth2/token.rs
@@ -19,7 +19,7 @@ use chrono::{DateTime, Duration, Utc};
 use data_encoding::BASE64URL_NOPAD;
 use headers::{CacheControl, Pragma};
 use hyper::StatusCode;
-use mas_config::{HttpConfig, OAuth2ClientConfig, OAuth2Config};
+use mas_config::{ClientConfig, ClientsConfig, HttpConfig};
 use mas_data_model::{AuthorizationGrantStage, TokenType};
 use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod};
 use mas_jose::{
@@ -98,7 +98,7 @@ where
 pub fn filter(
    pool: &PgPool,
    key_store: &Arc<StaticKeystore>,
-    oauth2_config: &OAuth2Config,
+    clients_config: &ClientsConfig,
    http_config: &HttpConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
    let key_store = key_store.clone();
@@ -110,7 +110,7 @@ pub fn filter(
    warp::path!("oauth2" / "token")
        .and(
            warp::post()
-                .and(client_authentication(oauth2_config, audience))
+                .and(client_authentication(clients_config, audience))
                .and(warp::any().map(move || key_store.clone()))
                .and(warp::any().map(move || issuer.clone()))
                .and(connection(pool))
@@ -131,7 +131,7 @@ async fn recover(rejection: Rejection) -> Result<Box<dyn Reply>, Rejection> {

 async fn token(
    _auth: OAuthClientAuthenticationMethod,
-    client: OAuth2ClientConfig,
+    client: ClientConfig,
    req: AccessTokenRequest,
    key_store: Arc<StaticKeystore>,
    issuer: Url,
@@ -171,7 +171,7 @@ fn hash<H: Digest>(mut hasher: H, token: &str) -> anyhow::Result<String> {
 #[allow(clippy::too_many_lines)]
 async fn authorization_code_grant(
    grant: &AuthorizationCodeGrant,
-    client: &OAuth2ClientConfig,
+    client: &ClientConfig,
    key_store: &StaticKeystore,
    issuer: Url,
    conn: &mut PoolConnection<Postgres>,
@@ -328,7 +328,7 @@ async fn authorization_code_grant(

 async fn refresh_token_grant(
    grant: &RefreshTokenGrant,
-    client: &OAuth2ClientConfig,
+    client: &ClientConfig,
    conn: &mut PoolConnection<Postgres>,
 ) -> Result<AccessTokenResponse, Rejection> {
    let mut txn = conn.begin().await.wrap_error()?;
--- a/crates/handlers/src/oauth2/userinfo.rs
+++ b/crates/handlers/src/oauth2/userinfo.rs
@@ -12,7 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-use mas_config::OAuth2Config;
 use mas_data_model::{AccessToken, Session};
 use mas_storage::PostgresqlBackend;
 use mas_warp_utils::filters::authenticate::{authentication, recover_unauthorized};
@@ -26,7 +25,7 @@ struct UserInfo {
    username: String,
 }

-pub(super) fn filter(pool: &PgPool, _config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {
+pub(super) fn filter(pool: &PgPool) -> BoxedFilter<(Box<dyn Reply>,)> {
    warp::path!("oauth2" / "userinfo")
        .and(
            warp::get()