Add support for openid for authentication

The implementation is being dogfed with gitlab as the OpenID issuer.

In order to work, the issuer needs to:
- be discoverable (with `GET /.well-known/openid-configuration`)
- have a `userinfo_endpoint` in the openid configuration

Authentication is done through white-listing. If there are no whitelist
fields, then anyone can create an account, therefore can publish and own
crates in the registry.

When ktra is built with openid, all the user management endpoints are
disabled to avoid tampering through unauthenticated `POST` calls.

Also, there is no point storing a password, but as the password
interface is strongly coupled with the DbManager trait, for the time
being a dummy password is inserted for users. This is deemed not
dangerous as no authenticated routes is compiled when the "openid"
feature is present

A `user_by_login` function has been added to the DbManager trait because
the login is now dynamically computed from the OpenId issuer.

A `token_by_login` function has been added to the DbManager trait
to allow users to only query their existing token through openid instead
of always revoking the old ones.

An extra endpoint is added `GET /replace_token` to forcefully rotate the
token and invalidate the previous one

Author: gagbo

.github/workflows/push.yml

@@ -60,4 +60,34 @@ jobs:
         context: .
         file: ./docker/ktra.Dockerfile
         tags: ghcr.io/${{ github.repository_owner }}/ktra:${{ env.TAG }}
-        push: true
+        push: true
+
+    - name: "`db-redis + openid` build and push"
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        file: ./docker/ktra_openid.Dockerfile
+        tags: ghcr.io/${{ github.repository_owner }}/ktra:db-redis-openid-${{ env.TAG }}
+        no-cache: true
+        build-args: |
+          DB=db-redis
+        push: true
+
+    - name: "`db-mongo + openid` build and push"
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        file: ./docker/ktra_openid.Dockerfile
+        tags: ghcr.io/${{ github.repository_owner }}/ktra:db-mongo-openid-${{ env.TAG }}
+        no-cache: true
+        build-args: |
+          DB=db-mongo
+        push: true
+
+    - name: "`db-sled + openid` build and push"
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        file: ./docker/ktra_openid.Dockerfile
+        tags: ghcr.io/${{ github.repository_owner }}/ktra:openid-${{ env.TAG }}
+        push: true

.github/workflows/tests.yml

@@ -35,6 +35,33 @@ jobs:
           command: check
           args: --no-default-features --features=secure-auth,${{ matrix.db_feature }},crates-io-mirroring
 
+  check_openid:
+    name: Check ${{ matrix.db_feature }} with OpenId (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+        rust: [stable]
+        db_feature: [db-sled, db-redis, db-mongo]
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v2
+
+      - name: Install toolchain
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: ${{ matrix.rust }}
+          override: true
+
+      - name: Run cargo check
+        uses: actions-rs/cargo@v1
+        with:
+          command: check
+          args: --no-default-features --features=secure-auth,${{ matrix.db_feature }},crates-io-mirroring,openid
+
+
   test:
     name: Test ${{ matrix.db_feature }} (${{ matrix.os }})
     runs-on: ${{ matrix.os }}

Cargo.toml

@@ -17,6 +17,7 @@ default = ["secure-auth", "db-sled", "crates-io-mirroring"]
 secure-auth = ["rand", "rust-argon2"]
 crates-io-mirroring = ["reqwest", "tokio-util"]
 mirroring-dummy = []
+openid = ["openidconnect", "reqwest"]
 db-sled = ["sled"]
 db-redis = ["redis"]
 db-mongo = ["mongodb", "bson"]
@@ -41,7 +42,7 @@ toml = "0.5"
 clap = "2.33"
 async-trait = "0.1"
 
-reqwest = { version = "0.11", features = ["gzip", "brotli"], optional = true }
+reqwest = { version = "0.11", features = ["gzip", "brotli", "json"], optional = true }
 tokio-util = { version = "0.6", features = ["io"], optional = true }
 
 rand = { version = "0.8", optional = true }
@@ -52,3 +53,4 @@ redis = { version = "0.19", features = ["tokio-comp"], optional = true }
 mongodb = { version = "1.1", optional = true }
 bson = { version = "1.1", features = ["u2i"], optional = true }
 
+openidconnect = { version = "2.1.1", optional = true }

docker/ktra.Dockerfile

@@ -38,4 +38,4 @@ VOLUME /crates
 VOLUME /crates_io_crates
 EXPOSE 8000
 ENTRYPOINT [ "./ktra" ]
-CMD []
+CMD []

docker/ktra_openid.Dockerfile

@@ -0,0 +1,41 @@
+FROM rust:1.59-slim-bullseye as builder
+
+ARG DB="db-sled"
+ARG MIRRORING="crates-io-mirroring"
+
+RUN apt-get update &&\
+    apt-get upgrade -y &&\
+    apt-get install -y openssl pkg-config libssl-dev
+
+RUN useradd -m rust
+RUN mkdir /build && chown rust:rust /build
+USER rust
+
+COPY --chown=rust:rust ./src /build/src
+COPY --chown=rust:rust ./Cargo.toml /build/
+WORKDIR /build
+
+RUN cargo build --release --no-default-features --features=secure-auth,openid,${DB},${MIRRORING}
+
+FROM debian:bullseye-slim
+
+LABEL org.opencontainers.image.source https://github.com/moriturus/ktra
+LABEL org.opencontainers.image.documentation https://book.ktra.dev
+LABEL org.opencontainers.image.licenses "(Apache-2.0 OR MIT)"
+
+RUN apt-get update &&\
+    apt-get upgrade -y &&\
+    apt-get install -y libssl1.1 ca-certificates &&\
+    apt-get autoremove -y &&\
+    apt-get clean -y
+
+COPY LICENSE-APACHE ./
+COPY LICENSE-MIT ./
+
+COPY --from=builder /build/target/release/ktra ./
+
+VOLUME /crates
+VOLUME /crates_io_crates
+EXPOSE 8000
+ENTRYPOINT [ "./ktra" ]
+CMD []

src/config.rs

@@ -158,6 +158,18 @@ impl ServerConfig {
     }
 }
 
+#[derive(Debug, Clone, Deserialize, Default)]
+pub struct OpenIdConfig {
+    pub(crate) issuer_url: String,
+    pub(crate) redirect_url: String,
+    pub(crate) client_id: String,
+    pub(crate) client_secret: String,
+    #[serde(default)]
+    pub(crate) additional_scopes: Vec<String>,
+    pub(crate) gitlab_authorized_groups: Option<Vec<String>>,
+    pub(crate) gitlab_authorized_users: Option<Vec<String>>,
+}
+
 #[derive(Debug, Clone, Deserialize)]
 pub struct Config {
     #[serde(default)]
@@ -168,6 +180,8 @@ pub struct Config {
     pub index_config: IndexConfig,
     #[serde(default)]
     pub server_config: ServerConfig,
+    #[serde(default)]
+    pub openid_config: OpenIdConfig,
 }
 
 impl Default for Config {
@@ -177,6 +191,7 @@ impl Default for Config {
             db_config: Default::default(),
             index_config: Config::index_config_default(),
             server_config: Default::default(),
+            openid_config: Default::default(),
         }
     }
 }

src/db_manager/mongo_db_manager.rs

@@ -27,6 +27,7 @@ const ENTRIES_KEY: &str = "__ENTRIES__";
 const USERS_KEY: &str = "__USERS__";
 const PASSWORDS_KEY: &str = "__PASSWORDS__";
 const TOKENS_KEY: &str = "__TOKENS__";
+const OAUTH_NONCES_KEY: &str = "__OAUTH_NONCES__";
 
 #[derive(Clone, SerializeTrait, DeserializeTrait)]
 struct TokenMap {
@@ -228,6 +229,44 @@ impl DbManager for MongoDbManager {
             .ok_or_else(|| Error::InvalidToken(token.to_owned()))
     }
 
+    #[tracing::instrument(skip(self, login))]
+    async fn token_by_login(&self, login: &str) -> Result<Option<String>, Error> {
+        match self.user_by_login(login).await {
+            Ok(user) => {
+                let collection = self
+                    .client
+                    .database(&self.database_name)
+                    .collection(TOKENS_KEY);
+                Ok(collection
+                    .find_one(doc! { "id": user.id }, None)
+                    .map_err(Error::Db)
+                    .await?
+                    .and_then(|d| d.get("token").cloned())
+                    .and_then(|b| b.as_str().map(ToString::to_string)))
+            }
+            Err(_) => Ok(None),
+        }
+    }
+
+    #[tracing::instrument(skip(self, name))]
+    async fn token_by_username(&self, name: &str) -> Result<Option<String>, Error> {
+        match self.user_by_username(name).await {
+            Ok(user) => {
+                let collection = self
+                    .client
+                    .database(&self.database_name)
+                    .collection(TOKENS_KEY);
+                Ok(collection
+                    .find_one(doc! { "id": user.id }, None)
+                    .map_err(Error::Db)
+                    .await?
+                    .and_then(|d| d.get("token").cloned())
+                    .and_then(|b| b.as_str().map(ToString::to_string)))
+            }
+            Err(_) => Ok(None),
+        }
+    }
+
     #[tracing::instrument(skip(self, user_id, token))]
     async fn set_token(&self, user_id: u32, token: &str) -> Result<(), Error> {
         let token = token.to_owned();
@@ -240,19 +279,27 @@ impl DbManager for MongoDbManager {
     async fn user_by_username(&self, name: &str) -> Result<User, Error> {
         let name = name.to_owned();
         let login = format!("{}{}", self.login_prefix, name);
+        self.user_by_login(&login)
+            .await
+            .map_err(|_| Error::InvalidUsername(name.to_string()))
+    }
+
+    #[tracing::instrument(skip(self, login))]
+    async fn user_by_login(&self, login: &str) -> Result<User, Error> {
+        let login = login.to_owned();
         let collection = self
             .client
             .database(&self.database_name)
             .collection(USERS_KEY);
 
         collection
-            .find_one(doc! { "login": login }, None)
+            .find_one(doc! { "login": login.clone() }, None)
             .map_err(Error::Db)
             .await?
             .map(from_document::<User>)
             .transpose()
             .map_err(Error::BsonDeserialization)?
-            .ok_or_else(|| Error::InvalidUsername(name))
+            .ok_or_else(|| Error::InvalidLogin(login))
     }
 
     #[tracing::instrument(skip(self, user, password))]
@@ -492,6 +539,42 @@ impl DbManager for MongoDbManager {
             Err(Error::multiple(errors))
         }
     }
+
+    #[cfg(feature = "openid")]
+    async fn store_nonce_by_csrf(
+        &self,
+        state: openidconnect::CsrfToken,
+        nonce: openidconnect::Nonce,
+    ) -> Result<(), Error> {
+        let collection = self
+            .client
+            .database(&self.database_name)
+            .collection(OAUTH_NONCES_KEY);
+        let nonces_query_document = doc! {"state": state.secret().to_string() };
+
+        self.update_or_insert_one(OAUTH_NONCES_KEY, nonces_query_document, nonce)
+            .await
+    }
+
+    #[cfg(feature = "openid")]
+    async fn get_nonce_by_csrf(
+        &self,
+        state: openidconnect::CsrfToken,
+    ) -> Result<openidconnect::Nonce, Error> {
+        let collection = self
+            .client
+            .database(&self.database_name)
+            .collection(OAUTH_NONCES_KEY);
+
+        collection
+            .find_one(doc! { "state": state.secret().to_string() }, None)
+            .map_err(Error::Db)
+            .await?
+            .map(from_document::<openidconnect::Nonce>)
+            .transpose()
+            .map_err(Error::BsonDeserialization)?
+            .ok_or_else(|| Error::InvalidCsrfToken(state.secret().to_string()))
+    }
 }
 
 impl MongoDbManager {