Merge pull request #83 from sebadob/audit-part-4
Audit part 4
Showing
25 changed files
with
789 additions
and
232 deletions.
@@ -0,0 +1,17 @@ | ||
create table api_keys | ||
( | ||
name varchar not null | ||
constraint api_keys_pk | ||
primary key, | ||
secret bytea not null, | ||
created bigint not null, | ||
expires bigint, | ||
enc_key_id varchar not null, | ||
access bytea not null | ||
); | ||
|
||
create index api_keys_enc_key_id_index | ||
on api_keys (enc_key_id); | ||
|
||
create index api_keys_expires_index | ||
on api_keys (expires); |
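Review bot: The migration does not say how `secret` is stored, and the `enc_key_id` column suggests it is encrypted under a rotatable key rather than hashed; if a reversible form of the API key secret is kept, anyone with the database plus the encryption key can recover every live key, whereas a one-way hash (with the key shown to the user once at creation) would still allow verification. That is an inference from the column names only — the entity code that writes `secret` and `access` is not in this hunk, so please confirm there. Independently, the epoch unit of `created`/`expires` (seconds vs. milliseconds) is not visible anywhere in the schema; a header comment such as `-- created/expires: unix timestamps in seconds (UTC); expires NULL = never` would save the next reader a trip into the Rust code.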
@@ -0,0 +1,17 @@ | ||
create table api_keys | ||
( | ||
name varchar not null | ||
constraint api_keys_pk | ||
primary key, | ||
secret blob not null, | ||
created bigint not null, | ||
expires bigint, | ||
enc_key_id varchar not null, | ||
access blob not null | ||
); | ||
|
||
create index api_keys_enc_key_id_index | ||
on api_keys (enc_key_id); | ||
|
||
create index api_keys_expires_index | ||
on api_keys (expires); |
@@ -1,30 +1,112 @@ | ||
use actix_web::{get, web, Responder}; | ||
use actix_web_grants::proc_macro::has_roles; | ||
use crate::real_ip_from_req; | ||
use actix_web::{get, post, web, HttpRequest, HttpResponse, Responder}; | ||
use actix_web_grants::proc_macro::has_any_permission; | ||
use actix_web_lab::sse; | ||
use rauthy_common::constants::SSE_KEEP_ALIVE; | ||
use rauthy_common::error_response::{ErrorResponse, ErrorResponseType}; | ||
use rauthy_models::app_state::AppState; | ||
use rauthy_models::entity::api_keys::{AccessGroup, AccessRights, ApiKey}; | ||
use rauthy_models::entity::principal::Principal; | ||
use rauthy_models::entity::sessions::Session; | ||
use rauthy_models::events::event::Event; | ||
use rauthy_models::events::listener::EventRouterMsg; | ||
use rauthy_models::request::EventsListenParams; | ||
use std::time::Duration; | ||
use validator::Validate; | ||
|
||
/// Listen to the Events SSE stream | ||
#[utoipa::path( | ||
get, | ||
path = "/events", | ||
tag = "events", | ||
params(EventsListenParams), | ||
responses( | ||
(status = 200, description = "Ok"), | ||
(status = 400, description = "BadRequest", body = ErrorResponse), | ||
(status = 401, description = "Unauthorized", body = ErrorResponse), | ||
(status = 403, description = "Forbidden", body = ErrorResponse), | ||
(status = 404, description = "NotFound", body = ErrorResponse), | ||
), | ||
)] | ||
#[get("/events")] | ||
// #[has_roles("rauthy_admin")] // TODO ADD BACK IN AFTER LOCAL TESTING!!! | ||
pub async fn sse_events(data: web::Data<AppState>) -> Result<impl Responder, ErrorResponse> { | ||
let (tx, sse) = sse::channel(5); | ||
#[has_any_permission("session-auth", "api-key")] | ||
pub async fn sse_events( | ||
data: web::Data<AppState>, | ||
api_key: web::ReqData<Option<ApiKey>>, | ||
principal: web::ReqData<Option<Principal>>, | ||
req: HttpRequest, | ||
params: web::Query<EventsListenParams>, | ||
) -> Result<impl Responder, ErrorResponse> { | ||
params.validate()?; | ||
|
||
if let Err(err) = data | ||
.tx_events_router | ||
.send_async(EventRouterMsg::ClientReg { | ||
ip: "".to_string(), | ||
tx, | ||
}) | ||
.await | ||
{ | ||
Err(ErrorResponse::new( | ||
ErrorResponseType::Internal, | ||
format!("Cannot register SSE client: {:?}", err), | ||
)) | ||
if let Some(api_key) = api_key.into_inner() { | ||
api_key.has_access(AccessGroup::Events, AccessRights::Read)?; | ||
} else { | ||
Ok(sse.with_keep_alive(Duration::from_secs(*SSE_KEEP_ALIVE as u64))) | ||
Principal::from_req(principal)?.validate_rauthy_admin()?; | ||
} | ||
|
||
let (tx, sse) = sse::channel(10); | ||
|
||
match real_ip_from_req(&req) { | ||
None => Err(ErrorResponse::new( | ||
ErrorResponseType::NotFound, | ||
"Cannot extract client IP from HttpRequest. This is an internal network error." | ||
.to_string(), | ||
)), | ||
Some(ip) => { | ||
let params = params.into_inner(); | ||
if let Err(err) = data | ||
.tx_events_router | ||
.send_async(EventRouterMsg::ClientReg { | ||
ip, | ||
tx, | ||
latest: params.latest, | ||
}) | ||
.await | ||
{ | ||
Err(ErrorResponse::new( | ||
ErrorResponseType::Internal, | ||
format!("Cannot register SSE client: {:?}", err), | ||
)) | ||
} else { | ||
Ok(sse.with_keep_alive(Duration::from_secs(*SSE_KEEP_ALIVE as u64))) | ||
} | ||
} | ||
} | ||
} | ||
|
||
/// Create a TEST Event | ||
#[utoipa::path( | ||
post, | ||
path = "/events/test", | ||
tag = "events", | ||
responses( | ||
(status = 200, description = "Ok"), | ||
(status = 401, description = "Unauthorized", body = ErrorResponse), | ||
(status = 403, description = "Forbidden", body = ErrorResponse), | ||
), | ||
)] | ||
#[post("/events/test")] | ||
#[has_any_permission("session-auth", "api-key")] | ||
pub async fn post_event_test( | ||
data: web::Data<AppState>, | ||
api_key: web::ReqData<Option<ApiKey>>, | ||
principal: web::ReqData<Option<Principal>>, | ||
req: HttpRequest, | ||
session_req: web::ReqData<Option<Session>>, | ||
) -> Result<HttpResponse, ErrorResponse> { | ||
if let Some(api_key) = api_key.into_inner() { | ||
api_key.has_access(AccessGroup::Events, AccessRights::Create)?; | ||
} else { | ||
if session_req.is_some() { | ||
Session::extract_validate_csrf(session_req, &req)?; | ||
} | ||
Principal::from_req(principal)?.validate_rauthy_admin()?; | ||
} | ||
|
||
Event::test(real_ip_from_req(&req)) | ||
.send(&data.tx_events) | ||
.await?; | ||
|
||
Ok(HttpResponse::Ok().finish()) | ||
} |
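Review bot: In `sse_events` the missing-client-IP branch returns `ErrorResponseType::NotFound` while its own message calls the condition an internal network error; a 404 here misleads both clients and monitoring, so the variant should match the message, e.g. `None => Err(ErrorResponse::new(ErrorResponseType::Internal, "Cannot extract client IP from HttpRequest. This is an internal network error.".to_string())),` (or `BadRequest` if a missing forwarded header from a misconfigured proxy is the expected cause). The `send_async` failure branch also formats the channel error with `{:?}` straight into the client-visible message, which presumably includes the rejected `EventRouterMsg` (client IP, `latest`); logging the detail server-side and returning a fixed `"Cannot register SSE client"` avoids echoing internals to the caller. Whether a direct, non-proxied connection can ever yield `None` depends on `real_ip_from_req`, which is not in this hunk.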