Compare commits

..

10 commits

106 changed files with 1723 additions and 652 deletions

7
.dockerignore Normal file
View file

@ -0,0 +1,7 @@
target
.env
tmp
Dockerfile
.dockerignore
justfile
config.toml

541
Cargo.lock generated

File diff suppressed because it is too large Load diff

View file

@ -1,31 +1,36 @@
cargo-features = ["codegen-backend"]
# cargo-features = ["codegen-backend"]
[profile.dev]
codegen-backend = "cranelift"
# [profile.dev]
# codegen-backend = "cranelift"
# # END OF
[package]
name = "minauthator"
description = "Identity provider and OAuth2 server for an small-scale organization."
version = "0.1.0"
edition = "2021"
[workspace]
resolver = "2"
members = [
"lib/kernel",
"lib/utils",
"lib/http_server",
"lib/admin_cli"
]
[dependencies]
[workspace.dependencies]
# commons utils
anyhow = "1.0"
thiserror = "2"
fully_pub = "0.1"
argon2 = "0.5"
strum = "0.26.3"
strum_macros = "0.26"
uuid = { version = "1.8", features = ["serde", "v4"] }
dotenvy = "0.15.7"
base64 = "0.22.1"
rand = "0.8.5"
rand_core = { version = "0.6.4", features = ["std"] }
url = "2.5.3"
argh = "0.1" # for CLI
sha2 = "0.10"
hex-literal = "0.4"
# CLI
argh = "0.1"
# Async
tokio = { version = "1.40.0", features = ["rt-multi-thread"] }
tokio = { version = "1.40.0", features = ["rt-multi-thread", "macros"] }
# Logging
log = "0.4"
@ -34,7 +39,6 @@ env_logger = "0.11"
# Serialization
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
serde_urlencoded = "0.7.1"
toml = "0.8"
chrono = { version = "0.4", features = ["serde"] }
@ -43,21 +47,6 @@ chrono = { version = "0.4", features = ["serde"] }
sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "chrono", "uuid"] }
redis = { version = "0.27.3", default-features = false, features = ["acl"] }
# Web
axum = { version = "0.7.7", features = ["json", "multipart"] }
axum-extra = { version = "0.9.4", features = ["cookie"] }
axum-template = { version = "2.4.0", features = ["minijinja"] }
axum_typed_multipart = "0.13.1"
minijinja = { version = "2.1", features = ["builtins"] }
# to make work the static assets server
tower-http = { version = "0.6.1", features = ["fs"] }
# Auth utils
totp-rs = "5.6"
minijinja-embed = "2.3.1"
axum-macros = "0.4.2"
jsonwebtoken = "9.3.0"
time = "0.3.36"
[build-dependencies]
minijinja-embed = "2.3.1"

37
Dockerfile Normal file
View file

@ -0,0 +1,37 @@
FROM rust:1.83-alpine3.20 AS builder
WORKDIR /usr/src/minauthator
COPY . .
RUN apk add musl-dev
RUN cargo install --bin minauthator-admin --locked --path lib/admin_cli
RUN cargo install --bin minauthator-server --locked --path lib/http_server
FROM alpine:3.20 AS base
RUN apk add sqlite
COPY --from=builder /usr/local/cargo/bin/minauthator-server /usr/local/bin/minauthator-server
COPY --from=builder /usr/local/cargo/bin/minauthator-admin /usr/local/bin/minauthator-admin
RUN mkdir -p \
/usr/local/src/minauthator/migrations \
/usr/local/lib/minauthator/assets \
/var/lib/minauthator \
/etc/minauthator
COPY --from=builder /usr/src/minauthator/migrations/all.sql /usr/local/src/minauthator/migrations
COPY --from=builder /usr/src/minauthator/init_db.sh /usr/local/bin/minauthator_init_db.sh
COPY --from=builder /usr/src/minauthator/assets /usr/local/lib/minauthator/assets
RUN addgroup -g 1000 app && \
adduser -S -u 1000 -G app -s /bin/sh app && \
chown -R app:app /var/lib/minauthator && \
chmod -R u=rwx,g=rwx,o= /var/lib/minauthator
USER app:app
ENV RUST_LOG=info
ENV RUST_BACKTRACE=1
ENV APP_JWT_SECRET="DummyAppSecret20241029"
CMD ["minauthator-server", "--listen-host", "0.0.0.0", "--listen-port", "8080"]

View file

@ -1,24 +1,45 @@
# Minauthator
Minauthator is an identity provider supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
Minauthator is an identity provider server supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software.
This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software (FOSS).
This project also aims to provide features while being frugal and minimalist.
**Project status: *early development, work-in-progress***
## Features
- Login
- Register
- OpenID Connect & OAuth 2.0
- Activation token
- Profile details
- Static apps
- User roles
- MFA/TOTP
- Email notifications
- Login page customization
- App carousel (App presentation to users)
- [x] Login
- [x] Register
- [x] OpenID Connect & OAuth 2.0
- [x] Activation token
- [x] Profile details
- [x] Static apps
- [x] Admin CLI to manage user.
- [x] User invitation with human token
- [ ] User roles
- [ ] User groups
- [ ] MFA/TOTP
- [ ] Email notifications
- [ ] Login page customization
- [x] App listing (App presentation to users)
- [x] Implicit OAuth 2.0 flow
- [ ] Email verification
- [ ] GPG keys verification and signing
- [ ] Docker deployment
- [ ] Full user panel & user privacy control
## Architecture
- Sqlite DB
- Kernel
- Http server
- Public API
- User API
- Third-party OAuth2 app/client API
- Web GUI (no Javascript)
- Admin CLI
## Deps
@ -28,4 +49,4 @@ This project aims to allow an organization to setup [single sign-on (SSO)](https
- [Authentik](https://goauthentik.io/)
- [Keycloak](https://www.keycloak.org/)
- [Kanidm](https://kanidm.com/)

56
TODO.md
View file

@ -1,5 +1,23 @@
# TODO
- [ ] i18n strings in the http website.
- [ ] Instance customization support
- [ ] Public endpoint to get user avatar by id
- [ ] Rework avatar upload to limit size and process the image?
- Authorize form
- [ ] Show details about permissions
- [ ] Show app logo
- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
- [ ] feat(perms): add groups and roles
- [ ] UserWebGUI: add TOTP
- [ ] send emails to users
- [x] Login form
- [x] Register form
- [x] Redirect to login form if unauthenticated
@ -13,20 +31,12 @@
- [x] Support OpenID to use with demo client [oauth2c](https://github.com/cloudentity/oauth2c)
- .well-known/openid-configuration
- [x] architecture refactor
- [x] AdminCLI: init
- [x] AdminCLI: list users
- [x] AdminCLI: create and invite user
- [ ] i18n strings in the http website.
- [ ] App config
- Add app logo (URI?)
- [ ] Public endpoint to get user avatar by id
- [ ] Rework avatar upload to limit size and process the image?
- [ ] Authorize form
- Show details about permissions
- Show app logo
- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
- [x] UserWebGUI: Invitation
- [x] UserWebGUI: Redirect to login when JWT expire
- [x] UserWebGUI: Show user authorizations.
@ -37,20 +47,6 @@
- [x] UserWebGUI: activate account with token
- [x] feat: add groups and roles models
- [ ] UserWebGUI: add TOTP
- [ ] send emails to users
- Architecture: do we have an admin API?
- [ ] AdminCLI: init
- [ ] AdminWebGUI: List users
- [ ] AdminWebGUI: Assign groups to users
- [ ] AdminWebGUI: Create invitation
# Minimal flow
- [ ] Invite user from command line bash script that will edit sqlite
- [ ] Activation UI
- [ ] Send email
- [X] basic docker setup
- [ ] make `docker stop` working (handle SIGTERM/SIGINT)
- [ ] implement docker secrets. https://docs.docker.com/engine/swarm/secrets/

3
admin.sh Executable file
View file

@ -0,0 +1,3 @@
#!/usr/bin/sh
cargo run -q --bin minauthator-admin -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets $@

View file

@ -48,28 +48,9 @@ slug = "basic"
name = "Basic"
description = "Basic user"
default = true
permissions = []
[[roles]]
slug = "admin"
name = "Administrator"
description = "Full power on organization instance"
permissions = [
"InviteUser", # creation of user
"ListUsers",
"EnableUser",
"DisableUser",
"AssignUserGroups"
]
# [[groups]]
# slug = "ca_member"
# name = "G1"
# description = "Lorem ipsum"
# roles = []
# [[groups]]
# slug = "bureau"
# name = "G2"
# description = "Lorem ipseum"
# roles = ["admin"]

View file

@ -4,27 +4,50 @@ https://datatracker.ietf.org/doc/html/rfc6749
https://stackoverflow.com/questions/79118231/how-to-access-the-axum-request-path-in-a-minijinja-template
# Need for groups and roles
## Oauth2 test
There is two kinds of role
-> authorize
- Role that will be used interllay to the tapp
- Roles that will be used exteranlly on oauth2 clients.
# User flow
- For now we only have roles and not groups
## Invitation flow
## Groups feature
- Create invite
- generate A random
- user.reset_password_token = A
- user.status = "Invited"
- Send email with link to https://instance/reset-password?token=A&reason=invitation
- GET /reset-password?token=A&reason=invitation
- verification of token
- show form
- POST /reset-password
- BODY: with params token
- check token validity
- set new password hash
- if user.status == "invited"
- enable new account (user.status = "active")
- send welcome email
- redirect to login page with a message
- we need to redirect to the login page, so the user remember how to login later, and can
verify the setup of his/her password manager.
Group will be later used to combine multiple roles.
We can instead send link to https://instance/invitation?token=A
# [[groups]]
# slug = "ca_member"
# name = "G1"
# description = "Lorem ipsum"
# roles = []
## Reset password flow
# [[groups]]
# slug = "bureau"
# name = "G2"
# description = "Lorem ipseum"
# roles = ["admin"]
- Reset password request
- generate A random
- user.reset_password_token = A
- Send email with link to https://instance/reset-password?token=A&reason=lost_password
- GET /reset-password?token=A&reason=lost_password
- verification of token
- show form
- POST /reset-password
- BODY: with params token
- check token validity
- set new password hash
- redirect to login page with a message
- we need to redirect to the login page, so the user remember how to login later, and can
verify the setup of his/her password manager.
We can instead send link to https://instance/reset-password?token=A

10
init_db.sh Executable file
View file

@ -0,0 +1,10 @@
#!/bin/sh
DEFAULT_DB_PATH="/var/lib/minauthator/minauthator.db"
DEFAULT_MIGRATION_PATH="/usr/local/src/minauthator/migrations/all.sql"
DB_PATH="${DB_PATH:-$DEFAULT_DB_PATH}"
MIGRATION_PATH="${MIGRATION_PATH:-$DEFAULT_MIGRATION_PATH}"
sqlite3 $DB_PATH < $MIGRATION_PATH

View file

@ -1,20 +1,32 @@
export RUST_BACKTRACE := "1"
export RUST_LOG := "trace"
export CONTEXT_ARGS := "--config config.toml --database tmp/dbs/minauthator.db --static-assets ./assets"
watch-run:
cargo-watch -x 'run -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets'
watch-server:
cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"
run:
cargo run -- --database ./tmp/dbs/minauthator.db --config ./config.toml --static-assets ./assets
server:
cargo run --bin minauthator-server -- $CONTEXT_ARGS
docker-run:
docker run -p 3085:8080 -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator
docker-init-db:
docker run -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator /usr/local/bin/minauthator_init_db.sh
admin:
cargo run --bin minauthator-admin -- $CONTEXT_ARGS
docker-build:
docker build -t minauthator .
docker build -t lefuturiste/minauthator .
docker-init-db:
docker run \
-v ./tmp/docker/config:/etc/minauthator \
-v minauthator-db:/var/lib/minauthator \
lefuturiste/minauthator \
/usr/local/bin/minauthator_init_db.sh
docker-run:
docker run \
-p 127.0.0.1:3085:8080 \
-v ./tmp/docker/config:/etc/minauthator \
-v minauthator-db:/var/lib/minauthator \
lefuturiste/minauthator
init-db:
sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql

18
lib/admin_cli/Cargo.toml Normal file
View file

@ -0,0 +1,18 @@
[package]
name = "admin_cli"
edition = "2021"
[[bin]]
name = "minauthator-admin"
path = "src/main.rs"
[dependencies]
anyhow = { workspace = true }
thiserror = { workspace = true }
fully_pub = { workspace = true }
argh = { workspace = true }
tokio = { workspace = true }
log = { workspace = true }
env_logger = { workspace = true }
kernel = { path = "../kernel" }

View file

@ -0,0 +1 @@
pub mod users;

View file

@ -0,0 +1,115 @@
use anyhow::{Context, Result};
use argh::FromArgs;
use fully_pub::fully_pub;
use kernel::{context::KernelContext, models::user::User, repositories::users::get_users};
use log::info;
#[fully_pub]
#[derive(FromArgs, PartialEq, Debug)]
#[argh(
subcommand, name = "create",
description = "Create user in DB."
)]
struct CreateUserCommand {
/// aka login, username
#[argh(option)]
handle: String,
/// displayed name (eg. first name and last name)
#[argh(option)]
full_name: Option<String>,
/// use to identify and prove user identity
/// formated as specified in RFC 2821, RFC 3696
#[argh(option)]
email: String,
/// if true, create an invitation token
#[argh(switch)]
invite: bool
}
#[fully_pub]
#[derive(FromArgs, PartialEq, Debug)]
#[argh(
subcommand, name = "delete",
description = "Delete user in DB."
)]
struct DeleteUserCommand {
/// delete by user Uuid
#[argh(option)]
id: String
}
#[fully_pub]
#[derive(FromArgs, PartialEq, Debug)]
#[argh(
subcommand, name = "list",
description = "List users in DB."
)]
struct ListUsersCommand {
/// how many users to return
#[argh(option)]
limit: Option<usize>,
}
#[fully_pub]
#[derive(FromArgs, PartialEq, Debug)]
#[argh(subcommand)]
enum UsersSubCommands {
Create(CreateUserCommand),
List(ListUsersCommand),
Delete(DeleteUserCommand),
}
#[fully_pub]
#[derive(FromArgs, PartialEq, Debug)]
#[argh(
subcommand, name = "users",
description = "Manage instance users."
)]
struct UsersCommand {
#[argh(subcommand)]
nested: UsersSubCommands,
}
pub async fn list_users(cmd: ListUsersCommand, ctx: KernelContext) -> Result<()> {
for user in get_users(&ctx.storage).await? {
println!(
"{0: <36} | [{1:<8}] | {2: <15} | {3: <25}",
user.id, user.status, user.handle, user.email.unwrap_or("()".to_string())
);
}
Ok(())
}
pub async fn create_user(cmd: CreateUserCommand, ctx: KernelContext) -> Result<()> {
let mut user = User::new(cmd.handle);
user.email = Some(cmd.email);
user.full_name = cmd.full_name;
if cmd.invite {
user.invite();
println!("Generated invite code: {}", user.reset_password_token.as_ref().unwrap());
}
let _res = kernel::actions::users::create_user(ctx, user).await?;
info!("Created user.");
if cmd.invite {
// TODO: Send invitation email
info!("Not sending invitation email.");
}
Ok(())
}
pub async fn delete_user(cmd: DeleteUserCommand, ctx: KernelContext) -> Result<()> {
todo!()
}
pub async fn handle_command_tree(cmd: UsersCommand, ctx: KernelContext) -> Result<()> {
match cmd.nested {
UsersSubCommands::List(sc) => list_users(sc, ctx).await,
UsersSubCommands::Create(sc) => create_user(sc, ctx).await,
UsersSubCommands::Delete(sc) => delete_user(sc, ctx).await
}
}

49
lib/admin_cli/src/main.rs Normal file
View file

@ -0,0 +1,49 @@
use argh::FromArgs;
use anyhow::{Context, Result};
use commands::users;
use kernel::context::{get_kernel_context, StartKernelConfig};
use log::info;
pub mod commands;
#[derive(FromArgs, PartialEq, Debug)]
#[argh(subcommand)]
enum SubCommands {
Users(users::UsersCommand),
}
#[derive(FromArgs, PartialEq, Debug)]
/// Minauthator admin top level
struct AdminCliTopLevelCommand {
#[argh(subcommand)]
nested: SubCommands,
/// path to YAML config file to use to configure this instance
#[argh(option)]
config: Option<String>,
/// path to the Sqlite3 DB file to use
#[argh(option)]
database: Option<String>,
/// path to the static assets dir
#[argh(option)]
static_assets: Option<String>,
}
/// handle CLI arguments to run admin CLI
#[tokio::main]
pub async fn main() -> Result<()> {
info!("Starting minauth");
let command_input: AdminCliTopLevelCommand = argh::from_env();
let ctx = get_kernel_context(StartKernelConfig {
config_path: command_input.config.clone(),
database_path: command_input.database.clone()
}).await.context("Getting kernel context")?;
match command_input.nested {
SubCommands::Users(sc) => {
users::handle_command_tree(sc, ctx).await
}
}
}

View file

@ -0,0 +1,52 @@
[package]
name = "http_server"
edition = "2021"
[dependencies]
kernel = { path = "../kernel" }
utils = { path = "../utils" }
# common
log = { workspace = true }
env_logger = { workspace = true }
strum = { workspace = true }
strum_macros = { workspace = true }
anyhow = { workspace = true }
thiserror = { workspace = true }
fully_pub = { workspace = true }
tokio = { workspace = true }
# Web
axum = { version = "0.7.7", features = ["json", "multipart"] }
axum-extra = { version = "0.9.4", features = ["cookie"] }
axum-template = { version = "2.4.0", features = ["minijinja"] }
axum_typed_multipart = "0.13.1"
minijinja = { version = "2.1", features = ["builtins"] }
# to make work the static assets server
tower-http = { version = "0.6.1", features = ["fs"] }
minijinja-embed = "2.3.1"
axum-macros = "0.4.2"
jsonwebtoken = "9.3.0"
time = "0.3.36"
serde = { workspace = true }
serde_json = { workspace = true }
serde_urlencoded = "0.7.1"
chrono = { workspace = true }
argh = { workspace = true }
sqlx = { workspace = true }
uuid = { workspace = true }
url = { workspace = true }
[build-dependencies]
minijinja-embed = "2.3.1"
[[bin]]
name = "minauthator-server"
path = "src/main.rs"

View file

@ -0,0 +1,14 @@
use axum::{extract::State, response::IntoResponse, Json};
use serde_json::json;
use crate::AppState;
pub async fn get_index(
State(app_state): State<AppState>,
) -> impl IntoResponse {
Json(json!({
"software": "Minauthator",
"name": app_state.config.instance.name,
"base_uri": app_state.config.instance.base_uri
}))
}

View file

@ -1,3 +1,5 @@
pub mod index;
pub mod oauth2;
pub mod read_user;
pub mod openid;
pub mod public_assets;

View file

@ -4,10 +4,9 @@ use fully_pub::fully_pub;
use log::error;
use serde::{Deserialize, Serialize};
use kernel::models::authorization::Authorization;
use crate::{
models::{authorization::Authorization, token_claims::AppUserTokenClaims},
server::AppState,
services::{app_session::AppClientSession, session::create_token}
services::{app_session::AppClientSession, session::create_token}, token_claims::AppUserTokenClaims, AppState
};
const AUTHORIZATION_CODE_TTL_SECONDS: i64 = 120;
@ -43,7 +42,7 @@ pub async fn get_access_token(
)
.bind(&form.code)
.bind(&app_client_session.client_id)
.fetch_one(&app_state.db)
.fetch_one(&app_state.db.0)
.await;
let authorization = match authorizations_res {
Ok(val) => val,

View file

@ -1,9 +1,10 @@
use axum::{extract::State, response::IntoResponse, Json};
use fully_pub::fully_pub;
use kernel::models::authorization::AuthorizationScope;
use serde::Serialize;
use strum::IntoEnumIterator;
use crate::{models::authorization::AuthorizationScope, server::AppState};
use crate::AppState;
#[derive(Serialize)]
#[fully_pub]

View file

@ -0,0 +1,27 @@
use axum::{extract::{Path, State}, http::{header, HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse}};
use kernel::repositories::users::get_user_asset_by_id;
use crate::AppState;
pub async fn get_user_asset(
State(app_state): State<AppState>,
Path(asset_id): Path<String>
) -> impl IntoResponse {
let user_asset = match get_user_asset_by_id(&app_state.db, &asset_id).await {
Err(_) => {
return (
StatusCode::NOT_FOUND,
Html("Could not find user asset")
).into_response();
},
Ok(ua) => ua
};
let mut hm = HeaderMap::new();
hm.insert(
header::CONTENT_TYPE,
HeaderValue::from_str(&user_asset.mime_type).expect("Constructing header value.")
);
(hm, user_asset.content).into_response()
}

View file

@ -2,7 +2,8 @@ use axum::{extract::State, response::IntoResponse, Extension, Json};
use fully_pub::fully_pub;
use serde::Serialize;
use crate::{models::{token_claims::AppUserTokenClaims, user::User}, server::AppState};
use crate::{token_claims::AppUserTokenClaims, AppState};
use kernel::models::user::User;
#[derive(Serialize)]
#[fully_pub]
@ -19,10 +20,10 @@ pub async fn read_user_basic(
State(app_state): State<AppState>,
Extension(token_claims): Extension<AppUserTokenClaims>,
) -> impl IntoResponse {
// 1. This handler require client user authentification (JWT)
// 1. This handler require app user authentification (JWT)
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(&token_claims.user_id)
.fetch_one(&app_state.db)
.fetch_one(&app_state.db.0)
.await
.expect("To get user from claim");
let output = ReadUserBasicExtract {

View file

@ -1,10 +1,10 @@
use axum::{extract::State, response::IntoResponse, Extension};
use minijinja::context;
use kernel::models::{config::AppVisibility, config::Application};
use crate::{
models::{config::AppVisibility, config::Application},
renderer::TemplateRenderer,
server::AppState
AppState
};
pub async fn list_apps(

View file

@ -7,14 +7,15 @@ use serde::{Deserialize, Serialize};
use url::Url;
use uuid::Uuid;
use kernel::{
models::{authorization::Authorization, config::AppAuthorizeFlow}
};
use utils::get_random_alphanumerical;
use crate::{
models::{authorization::Authorization, config::AppAuthorizeFlow, token_claims::UserTokenClaims},
renderer::TemplateRenderer, server::AppState,
services::oauth2::{parse_scope, verify_redirect_uri},
utils::get_random_alphanumerical
renderer::TemplateRenderer, services::oauth2::{parse_scope, verify_redirect_uri}, token_claims::UserTokenClaims, AppState
};
#[derive(Serialize, Deserialize)]
#[derive(Debug, Serialize, Deserialize)]
#[fully_pub]
/// query params described in [RFC6749 section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
struct AuthorizationParams {
@ -105,7 +106,7 @@ pub async fn authorize_form(
.bind(&token_claims.sub)
.bind(&authorization_params.client_id)
.bind(sqlx::types::Json(&scopes))
.fetch_one(&app_state.db)
.fetch_one(&app_state.db.0)
.await;
match authorizations_res {
@ -119,7 +120,7 @@ pub async fn authorize_form(
.bind(existing_authorization.id)
.bind(authorization_code.clone())
.bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
.execute(&app_state.db)
.execute(&app_state.db.0)
.await.unwrap();
// Authorization already given, just redirect to the app
@ -219,7 +220,7 @@ pub async fn perform_authorize(
.bind(authorization.code)
.bind(authorization.last_used_at.map(|x| x.to_rfc3339_opts(SecondsFormat::Millis, true)))
.bind(authorization.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
.execute(&app_state.db)
.execute(&app_state.db.0)
.await;
if let Err(err) = res {
error!("Failed to save authorization in DB. {}", err);

View file

@ -1,15 +1,15 @@
use axum_extra::extract::{cookie::{Cookie, SameSite}, CookieJar};
use chrono::{SecondsFormat, Utc};
use kernel::models::user::{User, UserStatus};
use log::info;
use serde::Deserialize;
use axum::{extract::{Query, State}, http::{HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse, Redirect}, Extension, Form};
use axum::{extract::{Query, State}, http::StatusCode, response::{IntoResponse, Redirect}, Extension, Form};
use fully_pub::fully_pub;
use minijinja::context;
use time::Duration;
use utils::verify_password_hash;
use crate::{
consts::WEB_GUI_JWT_COOKIE_NAME, models::{token_claims::UserTokenClaims, user::{User, UserStatus}}, renderer::TemplateRenderer, server::AppState, services::{password::verify_password_hash, session::create_token}
};
use crate::{renderer::TemplateRenderer, services::session::create_token, token_claims::UserTokenClaims, AppState, WEB_GUI_JWT_COOKIE_NAME};
pub async fn login_form(
Extension(renderer): Extension<TemplateRenderer>
@ -47,7 +47,7 @@ pub async fn perform_login(
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE handle = $1 OR email = $2")
.bind(&login.login)
.bind(&login.login)
.fetch_one(&app_state.db)
.fetch_one(&app_state.db.0)
.await;
let password_hash = match &user_res {
@ -87,7 +87,7 @@ pub async fn perform_login(
let _result = sqlx::query("UPDATE users SET last_login_at = $2 WHERE id = $1")
.bind(user.id.clone())
.bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
.execute(&app_state.db)
.execute(&app_state.db.0)
.await.unwrap();
let jwt_max_age = Duration::days(15);

View file

@ -1,7 +1,7 @@
use axum::response::{IntoResponse, Redirect};
use axum_extra::extract::CookieJar;
use crate::consts::WEB_GUI_JWT_COOKIE_NAME;
use crate::WEB_GUI_JWT_COOKIE_NAME;
pub async fn perform_logout(
cookies: CookieJar

View file

@ -1,14 +1,16 @@
use anyhow::Context;
use axum::{body::Bytes, extract::State, response::IntoResponse, Extension};
use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart};
use fully_pub::fully_pub;
use log::error;
use log::{error, info};
use minijinja::context;
use crate::{
models::{token_claims::UserTokenClaims, user::User},
token_claims::UserTokenClaims,
renderer::TemplateRenderer,
server::AppState
AppState
};
use kernel::{models::{user::User, user_asset::UserAsset}, repositories::users::create_user_asset};
pub async fn me_page(
State(app_state): State<AppState>,
@ -17,7 +19,7 @@ pub async fn me_page(
) -> impl IntoResponse {
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(&token_claims.sub)
.fetch_one(&app_state.db)
.fetch_one(&app_state.db.0)
.await
.expect("To get user from claim");
@ -38,7 +40,7 @@ pub async fn me_update_details_form(
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(&token_claims.sub)
.fetch_one(&app_state.db)
.fetch_one(&app_state.db.0)
.await
.expect("To get user from claim");
@ -60,7 +62,7 @@ struct UserDetailsUpdateForm {
website: String,
#[form_data(limit = "5MiB")]
picture: FieldData<Bytes>
avatar: FieldData<Bytes>
}
@ -72,19 +74,43 @@ pub async fn me_perform_update_details(
) -> impl IntoResponse {
let template_path = "pages/me/details-form";
let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5, picture = $6 WHERE id = $1")
let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(&token_claims.sub)
.fetch_one(&app_state.db.0)
.await
.expect("To get user from claim");
let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5 WHERE id = $1")
.bind(&token_claims.sub)
.bind(details_update.handle)
.bind(details_update.email)
.bind(details_update.full_name)
.bind(details_update.website)
.bind(details_update.picture.contents.to_vec())
.execute(&app_state.db)
.execute(&app_state.db.0)
.await;
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
if !details_update.avatar.contents.is_empty() {
let user_asset = UserAsset::new(
&user,
details_update.avatar.contents.to_vec(),
details_update.avatar.metadata.content_type.expect("Expected mimetype on avatar content"),
details_update.avatar.metadata.name
);
let _update_res = sqlx::query("UPDATE users SET avatar_asset_id = $2 WHERE id = $1")
.bind(&token_claims.sub)
.fetch_one(&app_state.db)
.bind(user_asset.id.clone())
.execute(&app_state.db.0)
.await;
// TODO: handle possible error
let _ = create_user_asset(&app_state.db, user_asset)
.await
.context("Creating user avatar asset.");
info!("Uploaded new avatar as user asset");
}
let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(&token_claims.sub)
.fetch_one(&app_state.db.0)
.await
.expect("To get user from claim");
@ -94,7 +120,7 @@ pub async fn me_perform_update_details(
template_path,
context!(
success => true,
user => user_res
user => user
)
)
},
@ -104,7 +130,7 @@ pub async fn me_perform_update_details(
template_path,
context!(
error => Some("Cannot update user details.".to_string()),
user => user_res
user => user
)
)
}

View file

@ -6,3 +6,4 @@ pub mod me;
pub mod logout;
pub mod user_panel;
pub mod apps;
pub mod reset_password;

View file

@ -7,7 +7,10 @@ use fully_pub::fully_pub;
use sqlx::types::Json;
use uuid::Uuid;
use crate::{models::user::{User, UserStatus}, renderer::TemplateRenderer, server::AppState, services::password::get_password_hash};
use crate::{renderer::TemplateRenderer, AppState};
use kernel::models::user::{User, UserStatus};
use utils::get_password_hash;
pub async fn register_form(
State(app_state): State<AppState>
@ -43,12 +46,12 @@ pub async fn perform_register(
email: Some(register.email),
handle: register.handle,
full_name: None,
picture: None,
avatar_asset_id: None,
password_hash,
status: UserStatus::Active,
roles: Json(Vec::new()),
activation_token: None,
roles: Json(Vec::new()), // take the default role in the config
reset_password_token: None,
created_at: Utc::now(),
website: None,
last_login_at: None
@ -66,7 +69,7 @@ pub async fn perform_register(
.bind(user.roles)
.bind(user.password_hash)
.bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
.execute(&app_state.db)
.execute(&app_state.db.0)
.await;
match res {
Err(err) => {

View file

@ -0,0 +1,139 @@
use axum::{extract::{MatchedPath, Query, State}, http::StatusCode, response::{Html, IntoResponse, Redirect}, Extension, Form};
use log::{error, info};
use serde::{Deserialize, Serialize};
use minijinja::context;
use fully_pub::fully_pub;
use crate::{renderer::TemplateRenderer, AppState};
use kernel::models::user::{User, UserStatus};
use utils::get_password_hash;
#[derive(Debug, Deserialize, Serialize)]
#[fully_pub]
enum ResetPasswordReason {
LostPassword,
Invitation
}
#[derive(Debug, Deserialize, Serialize)]
#[fully_pub]
struct ResetPasswordQueryParams {
token: String
}
pub async fn reset_password_form(
State(app_state): State<AppState>,
path: MatchedPath,
Extension(renderer): Extension<TemplateRenderer>,
Query(query_params): Query<ResetPasswordQueryParams>
) -> impl IntoResponse {
let reason: ResetPasswordReason = match path.as_str() {
"/invitation" => ResetPasswordReason::Invitation,
"/reset-password" => ResetPasswordReason::LostPassword,
_ => unreachable!()
};
// 1. Verify token
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
.bind(&query_params.token)
.fetch_one(&app_state.db.0)
.await;
let _user = match user_res {
Ok(u) => u,
Err(sqlx::Error::RowNotFound) => {
return (
StatusCode::BAD_REQUEST,
Html("Invalid reset password token.")
).into_response();
},
Err(err) => {
error!("Failed to retreive user from reset password token. {}", err);
return (
StatusCode::INTERNAL_SERVER_ERROR,
Html("Internal server error: Failed to retreive user.")
).into_response();
}
};
renderer.render(
"pages/reset_password",
context!(
reason => reason,
token => query_params.token,
)
).into_response()
}
#[derive(Debug, Deserialize)]
#[fully_pub]
struct ResetPasswordForm {
token: String,
password: String,
password_confirmation: String
}
pub async fn perform_reset_password(
State(app_state): State<AppState>,
Form(reset_form): Form<ResetPasswordForm>
) -> impl IntoResponse {
// 1. Verify token
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
.bind(&reset_form.token)
.fetch_one(&app_state.db.0)
.await;
let user = match user_res {
Ok(u) => u,
Err(sqlx::Error::RowNotFound) => {
return (
StatusCode::BAD_REQUEST,
Html("Invalid reset password token.")
).into_response();
},
Err(err) => {
error!("Failed to retreive user from reset password token. {}", err);
return (
StatusCode::INTERNAL_SERVER_ERROR,
Html("Internal server error: Failed to retreive user.")
).into_response();
}
};
if reset_form.password != reset_form.password_confirmation {
return (
StatusCode::BAD_REQUEST,
Html("Form data error: The two passwords are differents.")
).into_response();
}
let password_hash = Some(
get_password_hash(reset_form.password)
.expect("To process password").1
);
if user.status == UserStatus::Invited {
info!("The password of an Invited user was set: activation of user account");
// TODO: send welcome email
}
let res = sqlx::query("UPDATE users
SET password_hash = $2, status = $3, reset_password_token = NULL
WHERE id = $1
")
.bind(user.id)
.bind(password_hash)
.bind(UserStatus::Active)
.execute(&app_state.db.0)
.await;
match res {
Err(err) => {
error!("Cannot update user: {}", err);
return (
StatusCode::INTERNAL_SERVER_ERROR,
Html("Internal server error: Failed to update user.")
).into_response();
},
Ok(_v) => {
info!("Changed user's password successfuly.");
}
};
// TODO: add either "Successfully changed password" or "Account enabled successfully" message
Redirect::to("/login").into_response()
}

View file

@ -4,7 +4,8 @@ use log::error;
use minijinja::context;
use serde::Deserialize;
use crate::{models::{authorization::Authorization, token_claims::UserTokenClaims}, renderer::TemplateRenderer, server::AppState};
use kernel::models::authorization::Authorization;
use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
pub async fn get_authorizations(
State(app_state): State<AppState>,
@ -13,7 +14,7 @@ pub async fn get_authorizations(
) -> impl IntoResponse {
let user_authorizations = sqlx::query_as::<_, Authorization>("SELECT * FROM authorizations WHERE user_id = $1")
.bind(&token_claims.sub)
.fetch_all(&app_state.db)
.fetch_all(&app_state.db.0)
.await
.expect("To get user authorization with user_id from claim");
renderer.render(
@ -37,7 +38,7 @@ pub async fn revoke_authorization(
) -> impl IntoResponse {
let delete_res = sqlx::query("DELETE FROM authorizations WHERE id = $1")
.bind(&form.authorization_id)
.execute(&app_state.db)
.execute(&app_state.db.0)
.await;
match delete_res {
Ok(_) => {},

View file

@ -1,24 +1,22 @@
use base64::{prelude::BASE64_STANDARD, Engine};
pub mod controllers;
pub mod router;
pub mod services;
pub mod middlewares;
pub mod renderer;
pub mod token_claims;
use fully_pub::fully_pub;
use anyhow::{Result, Context};
use kernel::{context::{AppSecrets, KernelContext}, models::config::Config, repositories::storage::Storage};
use log::info;
use minijinja::{context, Environment};
use sqlx::{Pool, Sqlite};
use crate::{models::config::{AppSecrets, Config}, router::build_router};
use minijinja::Environment;
fn build_templating_env(config: &Config) -> Environment<'static> {
let mut env = Environment::new();
use crate::{
router::build_router,
renderer::build_templating_env
};
minijinja_embed::load_templates!(&mut env);
env.add_global("gl", context! {
instance => config.instance
});
env.add_function("encode_b64str", |bin_val: Vec<u8>| {
BASE64_STANDARD.encode(bin_val)
});
env
}
pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";
#[derive(Debug)]
#[fully_pub]
@ -34,22 +32,20 @@ pub struct ServerConfig {
pub struct AppState {
secrets: AppSecrets,
config: Config,
db: Pool<Sqlite>,
db: Storage,
templating_env: Environment<'static>
}
pub async fn start_http_server(
server_config: ServerConfig,
config: Config,
secrets: AppSecrets,
db_pool: Pool<Sqlite>
ctx: KernelContext
) -> Result<()> {
// build state
let state = AppState {
templating_env: build_templating_env(&config),
config,
secrets,
db: db_pool
templating_env: build_templating_env(&ctx.config),
config: ctx.config,
secrets: ctx.secrets,
db: ctx.storage
};
// build routes

View file

@ -1,9 +1,9 @@
use argh::FromArgs;
use anyhow::{Context, Result};
use http_server::{start_http_server, ServerConfig};
use kernel::{consts::DEFAULT_ASSETS_PATH, context::{get_kernel_context, StartKernelConfig}};
use log::info;
use crate::{get_app_context, server::{start_http_server, ServerConfig}, DEFAULT_ASSETS_PATH};
#[derive(Debug, FromArgs)]
/// Minauthator daemon
struct ServerCliFlags {
@ -27,22 +27,21 @@ struct ServerCliFlags {
listen_port: u32
}
/// handle CLI arguments to start process daemon
pub async fn start_server_cli() -> Result<()> {
/// handle CLI arguments to start HTTP server daemon
#[tokio::main]
pub async fn main() -> Result<()> {
info!("Starting minauth");
let flags: ServerCliFlags = argh::from_env();
let (config, secrets, db_pool) = get_app_context(crate::StartAppConfig {
let kernel_context = get_kernel_context(StartKernelConfig {
config_path: flags.config,
database_path: flags.database
}).await.context("Getting app context")?;
}).await.context("Getting kernel context")?;
start_http_server(
ServerConfig {
assets_path: flags.static_assets.unwrap_or(DEFAULT_ASSETS_PATH.to_string()),
listen_host: flags.listen_host,
listen_port: flags.listen_port
},
config,
secrets,
db_pool
kernel_context
).await
}

View file

@ -5,9 +5,12 @@ use axum::{
response::{Html, IntoResponse, Response},
Extension
};
use utils::parse_basic_auth;
use crate::{
models::token_claims::AppUserTokenClaims, server::AppState, services::{app_session::AppClientSession, session::verify_token}, utils::parse_basic_auth
services::{app_session::AppClientSession, session::verify_token},
token_claims::AppUserTokenClaims,
AppState
};

View file

@ -1,6 +1,5 @@
use axum::{extract::{Request, State}, http::StatusCode, middleware::Next, response::Response, Extension};
use crate::{models::token_claims::UserTokenClaims, renderer::TemplateRenderer, server::AppState};
use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
pub async fn renderer_middleware(
State(app_state): State<AppState>,

View file

@ -7,7 +7,9 @@ use axum::{
use axum_extra::extract::CookieJar;
use crate::{
consts::WEB_GUI_JWT_COOKIE_NAME, models::token_claims::UserTokenClaims, server::AppState, services::session::verify_token
services::session::verify_token,
token_claims::UserTokenClaims,
AppState, WEB_GUI_JWT_COOKIE_NAME
};

View file

@ -1,9 +1,11 @@
use axum::{http::StatusCode, response::{Html, IntoResponse}};
use fully_pub::fully_pub;
use kernel::models::config::Config;
use log::error;
use minijinja::{context, Environment, Value};
use utils::encode_base64_picture;
use crate::models::token_claims::UserTokenClaims;
use crate::token_claims::UserTokenClaims;
#[derive(Debug, Clone)]
@ -43,3 +45,14 @@ impl TemplateRenderer {
}
}
pub fn build_templating_env(config: &Config) -> Environment<'static> {
let mut env = Environment::new();
minijinja_embed::load_templates!(&mut env);
env.add_global("gl", context! {
instance => config.instance
});
env.add_function("inline_picture", encode_base64_picture);
env
}

View file

@ -9,7 +9,7 @@ use crate::{
app_auth,
renderer::renderer_middleware
},
server::{AppState, ServerConfig}
AppState, ServerConfig
};
pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router<AppState> {
@ -19,6 +19,9 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
.route("/register", post(ui::register::perform_register))
.route("/login", get(ui::login::login_form))
.route("/login", post(ui::login::perform_login))
.route("/invitation", get(ui::reset_password::reset_password_form))
.route("/reset-password", get(ui::reset_password::reset_password_form))
.route("/reset-password", post(ui::reset_password::perform_reset_password))
.layer(middleware::from_fn_with_state(app_state.clone(), renderer_middleware))
.layer(middleware::from_fn_with_state(app_state.clone(), user_auth::auth_middleware));
@ -43,7 +46,9 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
let api_user_routes = Router::new()
.route("/api/user", get(api::read_user::read_user_basic))
.layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware));
.layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware))
.route("/api", get(api::index::get_index))
.route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));
let well_known_routes = Router::new()
.route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));

View file

@ -1,4 +1,3 @@
pub mod password;
pub mod session;
pub mod oauth2;
pub mod app_session;

View file

@ -1,7 +1,7 @@
use std::str::FromStr;
use anyhow::{Result, Context};
use crate::models::{authorization::AuthorizationScope, config::Application};
use kernel::models::{authorization::AuthorizationScope, config::Application};
pub fn verify_redirect_uri(app: &Application, input_redirect_uri: &str) -> bool {
app.allowed_redirect_uris

View file

@ -1,8 +1,7 @@
use anyhow::Result;
use serde::{de::DeserializeOwned, Serialize};
use jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};
use crate::models::config::AppSecrets;
use kernel::context::AppSecrets;
pub fn create_token<T: Serialize>(secrets: &AppSecrets, claims: T) -> String {

View file

@ -0,0 +1,11 @@
{% extends "layouts/base.html" %}
{% block body %}
<h1>Internal server error</h1>
{% if error %}
<div class="alert alert-danger">
We are sorry. We've rencountered an unrecoverable error.
</div>
{% endif %}
{% endblock %}

View file

@ -55,10 +55,9 @@
/>
</div>
<div class="mb-3">
<label for="picture">Profile picture</label>
<!-- for now, no JPEG -->
<label for="avatar">Profile picture</label>
<input
id="picture" name="picture"
id="avatar" name="avatar"
type="file"
accept="image/gif, image/png, image/jpeg"
class="form-control"

View file

@ -5,9 +5,12 @@
<a href="/me/details-form">Update details.</a>
<a href="/me/authorizations">Manage authorizations.</a>
<p>
{% if user.picture %}
<img src="data:image/*;base64,{{ encode_b64str(user.picture) }}" style="width: 150px; height: 150px; object-fit: contain">
{% if user.avatar_asset_id %}
<div class="my-3">
<img
src="http://localhost:8085/api/user-assets/{{ user.avatar_asset_id }}"
style="width: 150px; height: 150px; object-fit: contain">
</div>
{% endif %}
<ul>
<li>

View file

@ -0,0 +1,54 @@
{% extends "layouts/base.html" %}
{% block body %}
{% if reason == "Invitation" %}
<h1>Invitation</h1>
{% endif %}
{% if reason == "LostPassword" %}
<h1>Reset your password</h1>
{% endif %}
<!-- Reset password form -->
{% if error %}
<div class="alert alert-danger">
Error: {{ error }}
</div>
{% endif %}
{% if info %}
<div class="alert alert-info">
Info: {{ info }}
</div>
{% endif %}
{% if reason == "Invitation" %}
<p>
Pour activer votre compte, veuillez définir votre mot de passe.
</p>
{% endif %}
{% if reason == "LostPassword" %}
<p>
Votre mot de passe est perdu, veuillez définir un nouveau mot de passe.
</p>
{% endif %}
<form id="reset-password-form" method="post" action="/reset-password">
<div class="mb-3">
<label for="password" class="form-label">New password</label>
<input
id="password" name="password" type="password"
required
class="form-control"
/>
</div>
<div class="mb-3">
<label for="password" class="form-label">New password confirmation</label>
<input
id="password_confirmation" name="password_confirmation" type="password"
required
class="form-control"
/>
</div>
<input
id="token" name="token" type="hidden"
value="{{ token }}"
/>
<button type="submit" class="btn btn-primary">Change password</button>
</form>
{% endblock %}

View file

@ -1,10 +1,9 @@
use fully_pub::fully_pub;
use jsonwebtoken::get_current_timestamp;
use kernel::models::authorization::AuthorizationScope;
use serde::{Deserialize, Serialize};
use time::Duration;
use super::authorization::AuthorizationScope;
#[derive(Debug, Serialize, Deserialize, Clone)]
#[fully_pub]
struct UserTokenClaims {

25
lib/kernel/Cargo.toml Normal file
View file

@ -0,0 +1,25 @@
[package]
name = "kernel"
edition = "2021"
[dependencies]
utils = { path = "../utils" }
anyhow = { workspace = true }
thiserror = { workspace = true }
log = { workspace = true }
env_logger = { workspace = true }
fully_pub = { workspace = true }
strum = { workspace = true }
strum_macros = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
chrono = { workspace = true }
toml = { workspace = true }
sqlx = { workspace = true }
dotenvy = { workspace = true }
sha2 = { workspace = true }
hex-literal = { workspace = true }
uuid = { workspace = true }
url = { workspace = true }

View file

@ -0,0 +1 @@
pub mod users;

View file

@ -0,0 +1,44 @@
use crate::{context::KernelContext, models::user::User};
use anyhow::{Context, Result};
use chrono::SecondsFormat;
use thiserror::Error;
#[derive(Error, Debug)]
pub enum CreateUserErr {
#[error("Handle or email for user is already used.")]
HandleOrEmailNotUnique,
#[error("Database error.")]
DatabaseErr(String)
}
pub async fn create_user(ctx: KernelContext, user: User) -> Result<(), CreateUserErr> {
let res = sqlx::query("
INSERT INTO users
(id, handle, email, status, roles, password_hash, reset_password_token, created_at)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
")
.bind(user.id)
.bind(user.handle)
.bind(user.email)
.bind(user.status.to_string())
.bind(user.roles)
.bind(user.password_hash)
.bind(user.reset_password_token)
.bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
.execute(&ctx.storage.0)
.await;
match res {
Err(err) => {
let db_err = &err.as_database_error().unwrap();
if db_err.code().unwrap() == "2067" {
Err(CreateUserErr::HandleOrEmailNotUnique)
} else {
dbg!(&err);
Err(CreateUserErr::DatabaseErr(db_err.to_string()))
}
}
Ok(_) => Ok(())
}
}

4
lib/kernel/src/consts.rs Normal file
View file

@ -0,0 +1,4 @@
pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.toml";

64
lib/kernel/src/context.rs Normal file
View file

@ -0,0 +1,64 @@
use std::{env, fs};
use anyhow::{Result, Context, anyhow};
use fully_pub::fully_pub;
use log::info;
use sqlx::{Pool, Sqlite};
use crate::{
consts::{DEFAULT_CONFIG_PATH, DEFAULT_DB_PATH}, database::prepare_database, models::config::Config, repositories::storage::Storage
};
/// get server config
fn get_config(path: String) -> Result<Config> {
let inp_def_yaml = fs::read_to_string(path)
.expect("Should have been able to read the the config file");
toml::from_str(&inp_def_yaml)
.map_err(|e| anyhow!("Failed to parse config, {:?}", e))
}
#[fully_pub]
struct StartKernelConfig {
config_path: Option<String>,
database_path: Option<String>,
}
#[derive(Debug, Clone)]
#[fully_pub]
struct AppSecrets {
jwt_secret: String
}
#[derive(Debug, Clone)]
#[fully_pub]
struct KernelContext {
config: Config,
secrets: AppSecrets,
storage: Storage
}
pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<KernelContext> {
env_logger::init();
let _ = dotenvy::dotenv();
let database_path = &start_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
info!("Using database file at {}", database_path);
let storage = prepare_database(database_path).await.context("Could not prepare db.")?;
let config_path = start_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
info!("Using config file at {}", &config_path);
let config: Config = get_config(config_path)
.expect("Cannot get config.");
let _ = dotenvy::dotenv();
let secrets = AppSecrets {
jwt_secret: env::var("APP_JWT_SECRET")
.context("Expected APP_JWT_SECRET environment variable to exists.")?
};
Ok(KernelContext {
config,
secrets,
storage
})
}

View file

@ -1,8 +1,10 @@
use anyhow::{Context, Result};
use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, Pool, Sqlite, ConnectOptions};
use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, ConnectOptions};
use std::str::FromStr;
pub async fn prepare_database(sqlite_db_path: &str) -> Result<Pool<Sqlite>> {
use crate::repositories::storage::Storage;
pub async fn prepare_database(sqlite_db_path: &str) -> Result<Storage> {
let conn_str = format!("sqlite:{}", sqlite_db_path);
let pool = SqlitePoolOptions::new()
@ -14,6 +16,6 @@ pub async fn prepare_database(sqlite_db_path: &str) -> Result<Pool<Sqlite>> {
.await
.context("could not connect to database_url")?;
Ok(pool)
Ok(Storage(pool))
}

7
lib/kernel/src/lib.rs Normal file
View file

@ -0,0 +1,7 @@
pub mod models;
pub mod database;
pub mod consts;
pub mod context;
pub mod actions;
pub mod repositories;

View file

@ -1,5 +1,3 @@
use std::collections::HashSet;
use fully_pub::fully_pub;
use serde::{Deserialize, Serialize};
@ -50,20 +48,6 @@ struct Application {
login_uri: String
}
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Hash, Eq)]
#[fully_pub]
enum Permission {
ListUsers,
DisableUser,
EnableUser,
VerifyEmail,
InviteUser,
DeleteUser,
ResetUserPassword,
AssignUserGroups
}
#[derive(Debug, Clone, Serialize, Deserialize)]
#[fully_pub]
struct Role {
@ -71,8 +55,7 @@ struct Role {
name: String,
description: Option<String>,
#[serde(default = "_default_true")]
default: bool,
permissions: HashSet<Permission>
default: bool
}
// todo: Role hierarchy https://en.wikipedia.org/wiki/Role_hierarchy
@ -86,7 +69,6 @@ struct Config {
roles: Vec<Role>
}
#[derive(Debug, Clone)]
#[fully_pub]
struct AppSecrets {

View file

@ -1,4 +1,4 @@
pub mod config;
pub mod user;
pub mod user_asset;
pub mod authorization;
pub mod token_claims;

View file

@ -0,0 +1,61 @@
use fully_pub::fully_pub;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use sqlx::types::Json;
use utils::get_random_human_token;
use uuid::Uuid;
#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
#[derive(strum_macros::Display)]
#[fully_pub]
enum UserStatus {
Disabled,
Invited,
Active
}
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
#[fully_pub]
struct User {
/// uuid
id: String,
handle: String,
full_name: Option<String>,
email: Option<String>,
website: Option<String>,
avatar_asset_id: Option<String>,
password_hash: Option<String>, // argon2 password hash
status: UserStatus,
roles: Json<Vec<String>>,
reset_password_token: Option<String>,
last_login_at: Option<DateTime<Utc>>,
created_at: DateTime<Utc>
}
impl User {
pub fn new(
handle: String
) -> User {
User {
id: Uuid::new_v4().to_string(),
handle,
full_name: None,
email: None,
website: None,
avatar_asset_id: None,
password_hash: None,
status: UserStatus::Disabled,
roles: Json(Vec::new()),
reset_password_token: None,
last_login_at: None,
created_at: Utc::now()
}
}
pub fn invite(self: &mut Self) {
self.reset_password_token = Some(get_random_human_token());
self.status = UserStatus::Invited;
}
}

View file

@ -0,0 +1,41 @@
use fully_pub::fully_pub;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use uuid::Uuid;
use sha2::{Sha256, Digest};
use super::user::User;
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
#[fully_pub]
struct UserAsset {
/// uuid
id: String,
user_id: String,
mime_type: String,
fingerprint: String,
name: Option<String>,
content: Vec<u8>,
created_at: DateTime<Utc>
}
impl UserAsset {
pub fn new(
user: &User,
content: Vec<u8>,
mime_type: String,
name: Option<String>
) -> UserAsset {
let digest = Sha256::digest(&content);
UserAsset {
id: Uuid::new_v4().to_string(),
user_id: user.id.clone(),
fingerprint: format!("{:x}", digest),
mime_type,
content,
name,
created_at: Utc::now()
}
}
}

View file

@ -0,0 +1,2 @@
pub mod storage;
pub mod users;

View file

@ -0,0 +1,7 @@
use fully_pub::fully_pub;
use sqlx::{Pool, Sqlite};
/// storage interface
#[fully_pub]
#[derive(Clone, Debug)]
struct Storage(Pool<Sqlite>);

View file

@ -0,0 +1,48 @@
// user repositories
use crate::models::{user::User, user_asset::UserAsset};
use super::storage::Storage;
use anyhow::{Result, Context};
pub async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(user_id)
.fetch_one(&storage.0)
.await
.context("To get user by id.")
}
pub async fn get_users(storage: &Storage) -> Result<Vec<User>> {
sqlx::query_as::<_, User>("SELECT * FROM users")
.fetch_all(&storage.0)
.await
.context("To get users.")
}
pub async fn create_user_asset(storage: &Storage, asset: UserAsset) -> Result<()> {
sqlx::query("INSERT INTO user_assets
(id, user_id, mime_type, fingerprint, content, created_at)
VALUES ($1, $2, $3, $4, $5, $6)
")
.bind(&asset.id)
.bind(&asset.user_id)
.bind(&asset.mime_type)
.bind(&asset.fingerprint)
.bind(&asset.content)
.bind(&asset.created_at)
.execute(&storage.0)
.await
.context("While inserting user asset.")?;
// .bind(details_update.avatar.contents.to_vec())
Ok(())
}
pub async fn get_user_asset_by_id(storage: &Storage, id: &str) -> Result<UserAsset> {
sqlx::query_as("SELECT * FROM user_assets WHERE id = $1")
.bind(id)
.fetch_one(&storage.0)
.await
.context("To get user asset by id.")
}

10
lib/utils/Cargo.toml Normal file
View file

@ -0,0 +1,10 @@
[package]
name = "utils"
edition = "2021"
[dependencies]
anyhow = { workspace = true }
argon2 = "0.5"
base64 = "0.22"
rand = "0.8.5"
rand_core = { version = "0.6.4", features = ["std"] }

View file

@ -43,6 +43,18 @@ pub fn get_random_alphanumerical(length: usize) -> String {
.collect()
}
/// Generate easy to type token
pub fn get_random_human_token() -> String {
return format!(
"{}-{}-{}-{}-{}",
get_random_alphanumerical(4),
get_random_alphanumerical(4),
get_random_alphanumerical(4),
get_random_alphanumerical(4),
get_random_alphanumerical(4)
).to_uppercase();
}
pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
let header_val_components: Vec<&str> = header_value.split(" ").collect();
let encoded_header_value: &str = header_val_components
@ -61,3 +73,7 @@ pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
))
}
pub fn encode_base64_picture(picture_bytes: Vec<u8>) -> String {
let encoded = BASE64_STANDARD.encode(picture_bytes);
return format!("data:image/*;base64,{}", encoded);
}

View file

@ -5,16 +5,27 @@ CREATE TABLE users (
full_name TEXT,
email TEXT UNIQUE,
website TEXT,
picture BLOB,
roles TEXT NOT NULL, -- json array of user roles
avatar_asset_id TEXT,
status TEXT CHECK(status IN ('Active','Disabled')) NOT NULL DEFAULT 'Disabled',
status TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
password_hash TEXT,
activation_token TEXT,
reset_password_token TEXT,
last_login_at DATETIME,
created_at DATETIME NOT NULL
);
DROP TABLE IF EXISTS user_assets;
CREATE TABLE user_assets (
id TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
mime_type TEXT NOT NULL,
fingerprint TEXT NOT NULL,
name TEXT, -- file name
content BLOB NOT NULL,
created_at DATETIME NOT NULL
);
DROP TABLE IF EXISTS authorizations;
CREATE TABLE authorizations (
id TEXT PRIMARY KEY,

View file

@ -1 +0,0 @@
pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";

View file

@ -1,62 +0,0 @@
pub mod models;
pub mod controllers;
pub mod router;
pub mod server;
pub mod database;
pub mod cli;
pub mod utils;
pub mod services;
pub mod middlewares;
pub mod renderer;
pub mod consts;
use std::{env, fs};
use anyhow::{Result, Context, anyhow};
use database::prepare_database;
use log::info;
use sqlx::{Pool, Sqlite};
use models::config::{AppSecrets, Config};
pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.yaml";
fn get_config(path: String) -> Result<Config> {
let inp_def_yaml = fs::read_to_string(path)
.expect("Should have been able to read the the config file");
toml::from_str(&inp_def_yaml)
.map_err(|e| anyhow!("Failed to parse config, {:?}", e))
}
struct StartAppConfig {
config_path: Option<String>,
database_path: Option<String>,
}
#[tokio::main]
async fn main() -> Result<()> {
cli::start_server_cli().await
}
async fn get_app_context(start_app_config: StartAppConfig) -> Result<(Config, AppSecrets, Pool<Sqlite>)> {
env_logger::init();
let _ = dotenvy::dotenv();
let database_path = &start_app_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
info!("Using database file at {}", database_path);
let pool = prepare_database(database_path).await.context("Could not prepare db.")?;
let config_path = start_app_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
info!("Using config file at {}", &config_path);
let config: Config = get_config(config_path)
.expect("Cannot get config.");
dotenvy::dotenv().context("loading .env")?;
let secrets = AppSecrets {
jwt_secret: env::var("APP_JWT_SECRET").context("Expecting APP_JWT_SECRET env var.")?
};
Ok((config, secrets, pool))
}

View file

@ -1,31 +0,0 @@
use fully_pub::fully_pub;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use sqlx::types::Json;
#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
#[derive(strum_macros::Display)]
#[fully_pub]
enum UserStatus {
Active,
Disabled
}
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
#[fully_pub]
struct User {
/// uuid
id: String,
handle: String,
full_name: Option<String>,
email: Option<String>,
website: Option<String>,
picture: Option<Vec<u8>>, // embeded blob to store profile pic
password_hash: Option<String>, // argon2 password hash
status: UserStatus,
roles: Json<Vec<String>>,
activation_token: Option<String>,
last_login_at: Option<DateTime<Utc>>,
created_at: DateTime<Utc>
}

View file

@ -1,35 +0,0 @@
use anyhow::{anyhow, Result};
use argon2::{
password_hash::{
rand_core::OsRng,
PasswordHash, PasswordHasher, PasswordVerifier, SaltString
},
Argon2
};
pub fn get_password_hash(password: String) -> Result<(String, String)> {
let salt = SaltString::generate(&mut OsRng);
// Argon2 with default params (Argon2id v19)
let argon2 = Argon2::default();
// Hash password to PHC string ($argon2id$v=19$...)
match argon2.hash_password(password.as_bytes(), &salt) {
Ok(val) => Ok((salt.to_string(), val.to_string())),
Err(_) => Err(anyhow!("Failed to process password."))
}
}
pub fn verify_password_hash(password_hash: String, password: String) -> Result<()> {
let parsed_hash = match PasswordHash::new(&password_hash) {
Ok(val) => val,
Err(_) => {
return Err(anyhow!("Failed to parse password hash"));
}
};
match Argon2::default().verify_password(password.as_bytes(), &parsed_hash) {
Ok(()) => Ok(()),
Err(_) => Err(anyhow!("Failed to verify password."))
}
}

View file

@ -0,0 +1,39 @@
#!/usr/bin/sh
set -eou pipefail
scenario_name="$1"
project_root="$(dirname $(cargo locate-project | jq -r .root))"
scenario_dir="$project_root/tests/hurl_integration/$1"
scenario_tmp_dir_path="$project_root/tmp/tests/$scenario_name"
database_path="$project_root/tmp/tests/$scenario_name/minauthator.db"
echo "Starting scenario $scenario_name."
mkdir -p $scenario_tmp_dir_path
if [ -f $database_path ]; then
rm $database_path
fi
sqlite3 $database_path < $project_root/migrations/all.sql
export DB_PATH=$database_path
if [ -f $scenario_dir/init_db.sh ]; then
$scenario_dir/init_db.sh
fi
pkill -f $project_root/target/debug/minauthator-server &
sleep 0.1
$project_root/target/debug/minauthator-server \
--config "$scenario_dir/config.toml" \
--database $database_path \
--listen-host "127.0.0.1" \
--listen-port "8086" \
--static-assets "$project_root/assets" &
server_pid=$!
sleep 0.2
hurl \
--variable base_url="http://localhost:8086" \
--test --error-format long \
$scenario_dir/main.hurl
kill $server_pid
echo "End of scenario."

View file

@ -0,0 +1,56 @@
[instance]
base_uri = "http://localhost:8086"
name = "Example org"
logo_uri = "https://example.org/logo.png"
[[applications]]
slug = "demo_app"
name = "Demo app"
description = "A super application where you can do everything you want."
client_id = "00000001-0000-0000-0000-000000000001"
client_secret = "dummy_client_secret"
login_uri = "https://localhost:9876"
allowed_redirect_uris = [
"http://localhost:9090/callback",
"http://localhost:9876/callback"
]
visibility = "Internal"
authorize_flow = "Implicit"
[[applications]]
slug = "wiki"
name = "Wiki app"
description = "The knowledge base of the exemple org."
client_id = "f9de1885-448d-44bb-8c48-7e985486a8c6"
client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
login_uri = "https://wiki.example.org/login"
allowed_redirect_uris = [
"https://wiki.example.org/oauth2/callback"
]
visibility = "Public"
authorize_flow = "Implicit"
[[applications]]
slug = "private_app"
name = "Demo app"
description = "Private app you should never discover"
client_id = "c8a08783-2342-4ce3-a3cb-9dc89b6bdf"
client_secret = "this_is_the_secret"
login_uri = "https://private-app.org"
allowed_redirect_uris = [
"http://localhost:9091/authorize",
]
visibility = "Private"
authorize_flow = "Implicit"
[[roles]]
slug = "basic"
name = "Basic"
description = "Basic user"
default = true
[[roles]]
slug = "admin"
name = "Administrator"
description = "Full power on organization instance"

View file

@ -0,0 +1,11 @@
#!/usr/bin/bash
password_hash="$(echo -n "root" | argon2 salt_06cGGWYDJCZ -e)"
echo $password_hash
SQL=$(cat <<EOF
INSERT INTO users
(id, handle, email, roles, status, password_hash, created_at)
VALUES
('$(uuid)', 'root', 'root@example.org', '[]', 'Active', '$password_hash', '2024-11-30T00:00:00Z');
EOF)
echo $SQL | sqlite3 $DB_PATH

Binary file not shown.

After

Width:  |  Height:  |  Size: 30 KiB

View file

@ -0,0 +1,88 @@
GET {{ base_url }}/api
HTTP 200
[Asserts]
jsonpath "$.software" == "Minauthator"
POST {{ base_url }}/login
[FormParams]
login: root
password: root
HTTP 303
[Captures]
user_jwt: cookie "minauthator_jwt"
[Asserts]
cookie "minauthator_jwt" exists
cookie "minauthator_jwt[Value]" contains "eyJ0"
cookie "minauthator_jwt[SameSite]" == "Lax"
GET {{ base_url }}/me
HTTP 200
Content-Type: text/html; charset=utf-8
[Asserts]
xpath "string(///h1)" == "Welcome root!"
POST {{ base_url }}/me/details-form
[MultipartFormData]
handle: root
email: root@johndoe.net
full_name: John Doe
website: https://johndoe.net
picture: file,john_doe_profile_pic.jpg; image/jpeg
HTTP 200
GET {{ base_url }}/me/authorizations
HTTP 200
[Asserts]
xpath "string(///h1)" == "Your authorizations"
xpath "string(///i)" == "You didn't authorized or accessed any applications for now."
# OAuth2 implicit flow (pre-granted app)
GET {{ base_url }}/authorize
[QueryStringParams]
client_id: 00000001-0000-0000-0000-000000000001
response_type: code
redirect_uri: http://localhost:9090/callback
state: Afk4kf6pbZkms78jM
scope: user_read_basic
HTTP 302
[Asserts]
header "Location" contains "http://localhost:9090/callback?code="
[Captures]
authorization_code: header "Location" regex "\\?code=(.*)&"
# OAuth2 get access token
POST {{ base_url }}/api/token
[BasicAuth]
00000001-0000-0000-0000-000000000001: dummy_client_secret
[FormParams]
code: {{ authorization_code }}
scope: user_read_basic
redirect_uri: http://localhost:9090/callback
grant_type: authorization_code
HTTP 200
Content-Type: application/json
[Asserts]
jsonpath "$.access_token" exists
jsonpath "$.access_token" matches "eyJ[[:alpha:]0-9].[[:alpha:]0-9].[[:alpha:]0-9]"
[Captures]
access_token: jsonpath "$.access_token"
# Get basic user info
GET {{ base_url }}/api/user
Authorization: JWT {{ access_token }}
HTTP 200
Content-Type: application/json
[Asserts]
jsonpath "$.handle" == "root"
jsonpath "$.email" == "root@johndoe.net"
GET {{ base_url }}/me/authorizations
HTTP 200
[Asserts]
xpath "string(///h1)" == "Your authorizations"
xpath "string(///main/ul/li)" contains "UserReadBasic"
GET {{ base_url }}/logout
HTTP 303
[Asserts]
cookie "minauthator_jwt" == ""

View file

@ -0,0 +1,9 @@
applications = []
roles = []
[instance]
base_uri = "http://localhost:8086"
name = "Example org"
logo_uri = "https://example.org/logo.png"

View file

@ -0,0 +1,9 @@
#!/usr/bin/bash
SQL=$(cat <<EOF
INSERT INTO users
(id, handle, email, roles, status, reset_password_token, created_at)
VALUES
('$(uuid)', 'invited_user', 'invited-user@example.org', '[]', 'Invited', 'Z433-Y001-V987-P500', '2024-11-30T00:00:00Z');
EOF)
echo $SQL | sqlite3 $DB_PATH

View file

@ -0,0 +1,28 @@
GET {{ base_url }}/api
HTTP 200
[Asserts]
jsonpath "$.software" == "Minauthator"
GET {{ base_url }}/invitation
[QueryStringParams]
token: Z433-Y001-V987-P500
HTTP 200
[Asserts]
xpath "string(///h1)" contains "Invitation"
POST {{ base_url }}/reset-password
[FormParams]
token: Z433-Y001-V987-P500
password: newpassword10!
password_confirmation: newpassword10!
HTTP 303
[Asserts]
header "Location" == "/login"
POST {{ base_url }}/login
[FormParams]
login: invited_user
password: newpassword10!
HTTP 303
[Asserts]
cookie "minauthator_jwt" exists

8
tests/manual/all.sh Executable file
View file

@ -0,0 +1,8 @@
#!/usr/bin/sh
set -xeuo pipefail
./login.sh
./authorize.sh
./access_token_request.sh
./get_user_info.sh

Some files were not shown because too many files have changed in this diff Show more