Skip to content

nexus crate shattering: extract nexus-authn #1457

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

nexus crate shattering: extract nexus-authn #1457

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ee42417
nexus crate shattering: extract nexus-authn
jgallagher Jul 18, 2022
e309665
Move nested crates from nexus/src/ to nexus/
jgallagher Jul 19, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 29 additions & 2 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 6 additions & 4 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,9 @@ members = [
"internal-dns",
"internal-dns-client",
"nexus",
"nexus/src/authz/authz-macros",
"nexus/src/db/db-macros",
"nexus/authn",
"nexus/authz-macros",
"nexus/db-macros",
"nexus/test-utils",
"nexus/test-utils-macros",
"nexus-client",
Expand Down Expand Up @@ -43,8 +44,9 @@ default-members = [
"internal-dns",
"internal-dns-client",
"nexus",
"nexus/src/authz/authz-macros",
"nexus/src/db/db-macros",
"nexus/authn",
"nexus/authz-macros",
"nexus/db-macros",
"package",
"rpaths",
"sled-agent",
Expand Down
10 changes: 5 additions & 5 deletions nexus/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,21 +11,17 @@ path = "../rpaths"
anyhow = "1.0"
async-bb8-diesel = { git = "https://github.com/oxidecomputer/async-bb8-diesel", rev = "ab1f49e0b3f95557aa96bf593282199fafeef4bd" }
async-trait = "0.1.56"
authz-macros = { path = "src/authz/authz-macros" }
base64 = "0.13.0"
bb8 = "0.8.0"
clap = { version = "3.2", features = ["derive"] }
cookie = "0.16"
crucible-agent-client = { git = "https://github.com/oxidecomputer/crucible", rev = "2add0de8489f1d4de901bfe98fc28b0a6efcc3ea" }
diesel = { version = "2.0.0-rc.0", features = ["postgres", "r2d2", "chrono", "serde_json", "network-address", "uuid"] }
diesel-dtrace = { git = "https://github.com/oxidecomputer/diesel-dtrace" }
fatfs = "0.3.5"
futures = "0.3.21"
headers = "0.3.7"
hex = "0.4.3"
http = "0.2.7"
hyper = "0.14"
db-macros = { path = "src/db/db-macros" }
internal-dns-client = { path = "../internal-dns-client" }
ipnetwork = "0.18"
lazy_static = "1.4.0"
Expand All @@ -48,7 +44,6 @@ rand = "0.8.5"
ref-cast = "1.0"
reqwest = { version = "0.11.8", features = [ "json" ] }
ring = "0.16"
samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" }
serde_json = "1.0"
serde_urlencoded = "0.7.1"
serde_with = "2.0.0"
Expand All @@ -60,6 +55,10 @@ toml = "0.5.9"
tough = { version = "0.12", features = [ "http" ] }
usdt = "0.3.1"

authz-macros = { path = "authz-macros" }
db-macros = { path = "db-macros" }
nexus-authn = { path = "authn" }

[dependencies.api_identity]
path = "../api_identity"

Expand Down Expand Up @@ -119,6 +118,7 @@ features = [ "serde", "v4" ]
[dev-dependencies]
criterion = { version = "0.3", features = [ "async_tokio" ] }
expectorate = "1.0.5"
headers = "0.3.7"
itertools = "0.10.3"
nexus-test-utils-macros = { path = "test-utils-macros" }
nexus-test-utils = { path = "test-utils" }
Expand Down
34 changes: 34 additions & 0 deletions nexus/authn/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
[package]
name = "nexus-authn"
version = "0.1.0"
edition = "2021"
license = "MPL-2.0"

[dependencies]
async-trait = "0.1.56"
anyhow = "1.0"
base64 = "0.13.0"
chrono = { version = "0.4", features = ["serde"] }
cookie = "0.16"
headers = "0.3.7"
http = "0.2.7"
hyper = "0.14"
lazy_static = "1.4.0"
newtype_derive = "0.1.6"
# must match samael's crate!
openssl = "0.10"
openssl-sys = "0.9"
openssl-probe = "0.1.2"
samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" }
serde = { version = "1.0", features = ["derive"] }
serde_urlencoded = "0.7.1"
slog = { version = "2.7", features = ["max_level_trace", "release_max_level_debug"] }
thiserror = "1.0"
uuid = { version = "1.1.0", features = ["serde", "v4"] }

dropshot = { git = "https://github.com/oxidecomputer/dropshot", branch = "main", features = ["usdt-probes"] }

omicron-common = { path = "../../common" }

[dev-dependencies]
tokio = { version = "1.20", features = ["full"] }
0 nexus/src/authn/external/cookies.rs → nexus/authn/src/external/cookies.rs
View file
Open in desktop
File renamed without changes.
53 changes: 34 additions & 19 deletions nexus/src/authn/external/mod.rs → nexus/authn/src/external/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,12 @@

//! Authentication for requests to the external HTTP API

use crate::authn;
use crate::Context;
use crate::Error;
use crate::Kind;
use crate::Reason;
use crate::SchemeName;
use async_trait::async_trait;
use authn::Reason;
use uuid::Uuid;

pub mod cookies;
Expand Down Expand Up @@ -38,7 +41,7 @@ where
pub async fn authn_request(
&self,
rqctx: &dropshot::RequestContext<T>,
) -> Result<authn::Context, authn::Error> {
) -> Result<Context, Error> {
let log = &rqctx.log;
let request = &rqctx.request.lock().await;
let ctx = rqctx.context();
Expand All @@ -53,7 +56,7 @@ where
ctx: &T,
log: &slog::Logger,
request: &http::Request<hyper::Body>,
) -> Result<authn::Context, authn::Error> {
) -> Result<Context, Error> {
// For debuggability, keep track of the schemes that we've tried.
let mut schemes_tried = Vec::with_capacity(self.allowed_schemes.len());
for scheme_impl in &self.allowed_schemes {
Expand All @@ -67,19 +70,19 @@ where
// NOT that they simply didn't try), should we try the others
// instead of returning the failure here?
SchemeResult::Failed(reason) => {
return Err(authn::Error { reason, schemes_tried })
return Err(Error { reason, schemes_tried })
}
SchemeResult::Authenticated(details) => {
return Ok(authn::Context {
kind: authn::Kind::Authenticated(details),
return Ok(Context {
kind: Kind::Authenticated(details),
schemes_tried,
})
}
SchemeResult::NotRequested => (),
}
}

Ok(authn::Context { kind: authn::Kind::Unauthenticated, schemes_tried })
Ok(Context { kind: Kind::Unauthenticated, schemes_tried })
}
}

Expand All @@ -90,7 +93,7 @@ where
T: Send + Sync + 'static,
{
/// Returns the (unique) name for this scheme (for observability)
fn name(&self) -> authn::SchemeName;
fn name(&self) -> SchemeName;

/// Locate credentials in the HTTP request and attempt to verify them
async fn authn(
Expand Down Expand Up @@ -119,9 +122,21 @@ pub trait SiloUserSilo {
async fn silo_user_silo(&self, silo_user_id: Uuid) -> Result<Uuid, Reason>;
}

#[async_trait]
impl<T> SiloUserSilo for std::sync::Arc<T>
Copy link
Collaborator

@davepacheco davepacheco Jul 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the basic question, but why is this needed?

If I have x: T where T: SiloUserSilo, I can call x.silo_user_silo(). If I have x: Arc<T>, can't I already call x.silo_user_silo() because of Arc's Deref behavior?

I see there are several others of these (e.g, in session_cookie.rs) and I'm wondering under what conditions you need an impl like this.

where
T: SiloUserSilo + Send + Sync,
{
async fn silo_user_silo(&self, silo_user_id: Uuid) -> Result<Uuid, Reason> {
SiloUserSilo::silo_user_silo(&**self, silo_user_id).await
}
}

#[cfg(test)]
mod test {
use super::*;
use crate::Actor;
use crate::Details;
use anyhow::anyhow;
use std::sync::atomic::AtomicU8;
use std::sync::atomic::Ordering;
Expand All @@ -131,7 +146,7 @@ mod test {
#[derive(Debug)]
struct GruntScheme {
/// unique name for this grunt
name: authn::SchemeName,
name: SchemeName,

/// Specifies what to do with the next authn request that we get
///
Expand All @@ -142,7 +157,7 @@ mod test {
nattempts: Arc<AtomicU8>,

/// actor to use when authenticated
actor: authn::Actor,
actor: Actor,
}

// Values of the "next" bool
Expand All @@ -152,7 +167,7 @@ mod test {

#[async_trait]
impl HttpAuthnScheme<()> for GruntScheme {
fn name(&self) -> authn::SchemeName {
fn name(&self) -> SchemeName {
self.name
}

Expand All @@ -165,9 +180,9 @@ mod test {
self.nattempts.fetch_add(1, Ordering::SeqCst);
match self.next.load(Ordering::SeqCst) {
SKIP => SchemeResult::NotRequested,
OK => SchemeResult::Authenticated(authn::Details {
actor: self.actor,
}),
OK => {
SchemeResult::Authenticated(Details { actor: self.actor })
}
FAIL => SchemeResult::Failed(Reason::BadCredentials {
actor: self.actor,
source: anyhow!("grunt error"),
Expand All @@ -194,8 +209,8 @@ mod test {
let flag1 = Arc::new(AtomicU8::new(SKIP));
let count1 = Arc::new(AtomicU8::new(0));
let mut expected_count1 = 0;
let name1 = authn::SchemeName("grunt1");
let actor1 = authn::Actor::UserBuiltin {
let name1 = SchemeName("grunt1");
let actor1 = Actor::UserBuiltin {
user_builtin_id: "1c91bab2-4841-669f-cc32-de80da5bbf39"
.parse()
.unwrap(),
Expand All @@ -210,8 +225,8 @@ mod test {
let flag2 = Arc::new(AtomicU8::new(SKIP));
let count2 = Arc::new(AtomicU8::new(0));
let mut expected_count2 = 0;
let name2 = authn::SchemeName("grunt2");
let actor2 = authn::Actor::UserBuiltin {
let name2 = SchemeName("grunt2");
let actor2 = Actor::UserBuiltin {
user_builtin_id: "799684af-533a-cb66-b5ac-ab55a791d5ef"
.parse()
.unwrap(),
Expand Down
39 changes: 34 additions & 5 deletions nexus/src/authn/external/session_cookie.rs → nexus/authn/src/external/session_cookie.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,7 @@

use super::cookies::parse_cookies;
use super::{HttpAuthnScheme, Reason, SchemeResult};
use crate::authn;
use crate::authn::{Actor, Details};
use crate::{Actor, Details, SchemeName};
use anyhow::anyhow;
use async_trait::async_trait;
use chrono::{DateTime, Duration, Utc};
Expand Down Expand Up @@ -49,10 +48,40 @@ pub trait SessionStore {
fn session_absolute_timeout(&self) -> Duration;
}

#[async_trait]
impl<T> SessionStore for std::sync::Arc<T>
where
T: SessionStore + Send + Sync,
{
type SessionModel = T::SessionModel;

async fn session_fetch(&self, token: String) -> Option<Self::SessionModel> {
SessionStore::session_fetch(&**self, token).await
}

async fn session_update_last_used(
&self,
token: String,
) -> Option<Self::SessionModel> {
SessionStore::session_update_last_used(&**self, token).await
}

async fn session_expire(&self, token: String) -> Option<()> {
SessionStore::session_expire(&**self, token).await
}

fn session_idle_timeout(&self) -> Duration {
SessionStore::session_idle_timeout(&**self)
}

fn session_absolute_timeout(&self) -> Duration {
SessionStore::session_absolute_timeout(&**self)
}
}

// generic cookie name is recommended by OWASP
pub const SESSION_COOKIE_COOKIE_NAME: &str = "session";
pub const SESSION_COOKIE_SCHEME_NAME: authn::SchemeName =
authn::SchemeName("session_cookie");
pub const SESSION_COOKIE_SCHEME_NAME: SchemeName = SchemeName("session_cookie");

/// Generate session cookie header
pub fn session_cookie_header_value(token: &str, max_age: Duration) -> String {
Expand Down Expand Up @@ -83,7 +112,7 @@ where
T: Send + Sync + 'static + SessionStore,
T::SessionModel: Send + Sync + 'static + Session,
{
fn name(&self) -> authn::SchemeName {
fn name(&self) -> SchemeName {
SESSION_COOKIE_SCHEME_NAME
}

Expand Down
Loading