Compare commits

..

No commits in common. "master" and "feat_admin_cli_invite_user" have entirely different histories.

23 changed files with 71 additions and 307 deletions

View file

@ -1,7 +0,0 @@
target
.env
tmp
Dockerfile
.dockerignore
justfile
config.toml

8
Cargo.lock generated
View file

@ -879,12 +879,6 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hex-literal"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6fe2267d4ed49bc07b63801559be28c718ea06c4738b7a03c94df7386d2cde46"
[[package]] [[package]]
name = "hkdf" name = "hkdf"
version = "0.12.4" version = "0.12.4"
@ -1262,11 +1256,9 @@ dependencies = [
"dotenvy", "dotenvy",
"env_logger", "env_logger",
"fully_pub", "fully_pub",
"hex-literal",
"log", "log",
"serde", "serde",
"serde_json", "serde_json",
"sha2",
"sqlx", "sqlx",
"strum", "strum",
"strum_macros", "strum_macros",

View file

@ -1,11 +1,9 @@
# cargo-features = ["codegen-backend"] cargo-features = ["codegen-backend"]
# [profile.dev] [profile.dev]
# codegen-backend = "cranelift" codegen-backend = "cranelift"
# # END OF
[workspace] [workspace]
resolver = "2"
members = [ members = [
"lib/kernel", "lib/kernel",
"lib/utils", "lib/utils",
@ -23,14 +21,12 @@ strum_macros = "0.26"
uuid = { version = "1.8", features = ["serde", "v4"] } uuid = { version = "1.8", features = ["serde", "v4"] }
dotenvy = "0.15.7" dotenvy = "0.15.7"
url = "2.5.3" url = "2.5.3"
sha2 = "0.10"
hex-literal = "0.4"
# CLI # CLI
argh = "0.1" argh = "0.1"
# Async # Async
tokio = { version = "1.40.0", features = ["rt-multi-thread", "macros"] } tokio = { version = "1.40.0", features = ["rt-multi-thread"] }
# Logging # Logging
log = "0.4" log = "0.4"

View file

@ -1,37 +0,0 @@
FROM rust:1.83-alpine3.20 AS builder
WORKDIR /usr/src/minauthator
COPY . .
RUN apk add musl-dev
RUN cargo install --bin minauthator-admin --locked --path lib/admin_cli
RUN cargo install --bin minauthator-server --locked --path lib/http_server
FROM alpine:3.20 AS base
RUN apk add sqlite
COPY --from=builder /usr/local/cargo/bin/minauthator-server /usr/local/bin/minauthator-server
COPY --from=builder /usr/local/cargo/bin/minauthator-admin /usr/local/bin/minauthator-admin
RUN mkdir -p \
/usr/local/src/minauthator/migrations \
/usr/local/lib/minauthator/assets \
/var/lib/minauthator \
/etc/minauthator
COPY --from=builder /usr/src/minauthator/migrations/all.sql /usr/local/src/minauthator/migrations
COPY --from=builder /usr/src/minauthator/init_db.sh /usr/local/bin/minauthator_init_db.sh
COPY --from=builder /usr/src/minauthator/assets /usr/local/lib/minauthator/assets
RUN addgroup -g 1000 app && \
adduser -S -u 1000 -G app -s /bin/sh app && \
chown -R app:app /var/lib/minauthator && \
chmod -R u=rwx,g=rwx,o= /var/lib/minauthator
USER app:app
ENV RUST_LOG=info
ENV RUST_BACKTRACE=1
ENV APP_JWT_SECRET="DummyAppSecret20241029"
CMD ["minauthator-server", "--listen-host", "0.0.0.0", "--listen-port", "8080"]

View file

@ -1,45 +1,24 @@
# Minauthator # Minauthator
Minauthator is an identity provider server supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect). Minauthator is an identity provider supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software (FOSS). This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software.
This project also aims to provide features while being frugal and minimalist.
**Project status: *early development, work-in-progress*** **Project status: *early development, work-in-progress***
## Features ## Features
- [x] Login - Login
- [x] Register - Register
- [x] OpenID Connect & OAuth 2.0 - OpenID Connect & OAuth 2.0
- [x] Activation token - Activation token
- [x] Profile details - Profile details
- [x] Static apps - Static apps
- [x] Admin CLI to manage user. - User roles
- [x] User invitation with human token - MFA/TOTP
- [ ] User roles - Email notifications
- [ ] User groups - Login page customization
- [ ] MFA/TOTP - App carousel (App presentation to users)
- [ ] Email notifications
- [ ] Login page customization
- [x] App listing (App presentation to users)
- [x] Implicit OAuth 2.0 flow
- [ ] Email verification
- [ ] GPG keys verification and signing
- [ ] Docker deployment
- [ ] Full user panel & user privacy control
## Architecture
- Sqlite DB
- Kernel
- Http server
- Public API
- User API
- Third-party OAuth2 app/client API
- Web GUI (no Javascript)
- Admin CLI
## Deps ## Deps
@ -49,4 +28,4 @@ This project also aims to provide features while being frugal and minimalist.
- [Authentik](https://goauthentik.io/) - [Authentik](https://goauthentik.io/)
- [Keycloak](https://www.keycloak.org/) - [Keycloak](https://www.keycloak.org/)
- [Kanidm](https://kanidm.com/)

50
TODO.md
View file

@ -1,23 +1,5 @@
# TODO # TODO
- [ ] i18n strings in the http website.
- [ ] Instance customization support
- [ ] Public endpoint to get user avatar by id
- [ ] Rework avatar upload to limit size and process the image?
- Authorize form
- [ ] Show details about permissions
- [ ] Show app logo
- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
- [ ] feat(perms): add groups and roles
- [ ] UserWebGUI: add TOTP
- [ ] send emails to users
- [x] Login form - [x] Login form
- [x] Register form - [x] Register form
- [x] Redirect to login form if unauthenticated - [x] Redirect to login form if unauthenticated
@ -31,12 +13,20 @@
- [x] Support OpenID to use with demo client [oauth2c](https://github.com/cloudentity/oauth2c) - [x] Support OpenID to use with demo client [oauth2c](https://github.com/cloudentity/oauth2c)
- .well-known/openid-configuration - .well-known/openid-configuration
- [x] architecture refactor
- [x] AdminCLI: init
- [x] AdminCLI: list users
- [x] AdminCLI: create and invite user
- [x] UserWebGUI: Invitation - [ ] i18n strings in the http website.
- [ ] App config
- Add app logo (URI?)
- [ ] Public endpoint to get user avatar by id
- [ ] Rework avatar upload to limit size and process the image?
- [ ] Authorize form
- Show details about permissions
- Show app logo
- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
- [x] UserWebGUI: Redirect to login when JWT expire - [x] UserWebGUI: Redirect to login when JWT expire
- [x] UserWebGUI: Show user authorizations. - [x] UserWebGUI: Show user authorizations.
@ -47,6 +37,14 @@
- [x] UserWebGUI: activate account with token - [x] UserWebGUI: activate account with token
- [X] basic docker setup - [ ] feat(perms): add groups and roles
- [ ] make `docker stop` working (handle SIGTERM/SIGINT)
- [ ] implement docker secrets. https://docs.docker.com/engine/swarm/secrets/ - [ ] UserWebGUI: add TOTP
- [ ] send emails to users
- Architecture: do we have an admin API?
- [ ] AdminCLI: init
- [ ] AdminWebGUI: List users
- [ ] AdminWebGUI: Assign groups to users
- [ ] AdminWebGUI: Create invitation

View file

@ -1,10 +0,0 @@
#!/bin/sh
DEFAULT_DB_PATH="/var/lib/minauthator/minauthator.db"
DEFAULT_MIGRATION_PATH="/usr/local/src/minauthator/migrations/all.sql"
DB_PATH="${DB_PATH:-$DEFAULT_DB_PATH}"
MIGRATION_PATH="${MIGRATION_PATH:-$DEFAULT_MIGRATION_PATH}"
sqlite3 $DB_PATH < $MIGRATION_PATH

View file

@ -1,6 +1,6 @@
export RUST_BACKTRACE := "1" export RUST_BACKTRACE := "1"
export RUST_LOG := "trace" export RUST_LOG := "trace"
export CONTEXT_ARGS := "--config config.toml --database tmp/dbs/minauthator.db --static-assets ./assets" export CONTEXT_ARGS := "--config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets"
watch-server: watch-server:
cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS" cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"
@ -11,22 +11,14 @@ server:
admin: admin:
cargo run --bin minauthator-admin -- $CONTEXT_ARGS cargo run --bin minauthator-admin -- $CONTEXT_ARGS
docker-build: docker-run:
docker build -t lefuturiste/minauthator . docker run -p 3085:8080 -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator
docker-init-db: docker-init-db:
docker run \ docker run -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator /usr/local/bin/minauthator_init_db.sh
-v ./tmp/docker/config:/etc/minauthator \
-v minauthator-db:/var/lib/minauthator \
lefuturiste/minauthator \
/usr/local/bin/minauthator_init_db.sh
docker-run: docker-build:
docker run \ docker build -t minauthator .
-p 127.0.0.1:3085:8080 \
-v ./tmp/docker/config:/etc/minauthator \
-v minauthator-db:/var/lib/minauthator \
lefuturiste/minauthator
init-db: init-db:
sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql

View file

@ -2,4 +2,3 @@ pub mod index;
pub mod oauth2; pub mod oauth2;
pub mod read_user; pub mod read_user;
pub mod openid; pub mod openid;
pub mod public_assets;

View file

@ -1,27 +0,0 @@
use axum::{extract::{Path, State}, http::{header, HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse}};
use kernel::repositories::users::get_user_asset_by_id;
use crate::AppState;
pub async fn get_user_asset(
State(app_state): State<AppState>,
Path(asset_id): Path<String>
) -> impl IntoResponse {
let user_asset = match get_user_asset_by_id(&app_state.db, &asset_id).await {
Err(_) => {
return (
StatusCode::NOT_FOUND,
Html("Could not find user asset")
).into_response();
},
Ok(ua) => ua
};
let mut hm = HeaderMap::new();
hm.insert(
header::CONTENT_TYPE,
HeaderValue::from_str(&user_asset.mime_type).expect("Constructing header value.")
);
(hm, user_asset.content).into_response()
}

View file

@ -1,8 +1,7 @@
use anyhow::Context;
use axum::{body::Bytes, extract::State, response::IntoResponse, Extension}; use axum::{body::Bytes, extract::State, response::IntoResponse, Extension};
use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart}; use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart};
use fully_pub::fully_pub; use fully_pub::fully_pub;
use log::{error, info}; use log::error;
use minijinja::context; use minijinja::context;
use crate::{ use crate::{
@ -10,7 +9,7 @@ use crate::{
renderer::TemplateRenderer, renderer::TemplateRenderer,
AppState AppState
}; };
use kernel::{models::{user::User, user_asset::UserAsset}, repositories::users::create_user_asset}; use kernel::models::user::User;
pub async fn me_page( pub async fn me_page(
State(app_state): State<AppState>, State(app_state): State<AppState>,
@ -62,7 +61,7 @@ struct UserDetailsUpdateForm {
website: String, website: String,
#[form_data(limit = "5MiB")] #[form_data(limit = "5MiB")]
avatar: FieldData<Bytes> picture: FieldData<Bytes>
} }
@ -74,41 +73,17 @@ pub async fn me_perform_update_details(
) -> impl IntoResponse { ) -> impl IntoResponse {
let template_path = "pages/me/details-form"; let template_path = "pages/me/details-form";
let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1") let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5, picture = $6 WHERE id = $1")
.bind(&token_claims.sub)
.fetch_one(&app_state.db.0)
.await
.expect("To get user from claim");
let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5 WHERE id = $1")
.bind(&token_claims.sub) .bind(&token_claims.sub)
.bind(details_update.handle) .bind(details_update.handle)
.bind(details_update.email) .bind(details_update.email)
.bind(details_update.full_name) .bind(details_update.full_name)
.bind(details_update.website) .bind(details_update.website)
.bind(details_update.picture.contents.to_vec())
.execute(&app_state.db.0) .execute(&app_state.db.0)
.await; .await;
if !details_update.avatar.contents.is_empty() { let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
let user_asset = UserAsset::new(
&user,
details_update.avatar.contents.to_vec(),
details_update.avatar.metadata.content_type.expect("Expected mimetype on avatar content"),
details_update.avatar.metadata.name
);
let _update_res = sqlx::query("UPDATE users SET avatar_asset_id = $2 WHERE id = $1")
.bind(&token_claims.sub)
.bind(user_asset.id.clone())
.execute(&app_state.db.0)
.await;
// TODO: handle possible error
let _ = create_user_asset(&app_state.db, user_asset)
.await
.context("Creating user avatar asset.");
info!("Uploaded new avatar as user asset");
}
let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
.bind(&token_claims.sub) .bind(&token_claims.sub)
.fetch_one(&app_state.db.0) .fetch_one(&app_state.db.0)
.await .await
@ -120,7 +95,7 @@ pub async fn me_perform_update_details(
template_path, template_path,
context!( context!(
success => true, success => true,
user => user user => user_res
) )
) )
}, },
@ -130,7 +105,7 @@ pub async fn me_perform_update_details(
template_path, template_path,
context!( context!(
error => Some("Cannot update user details.".to_string()), error => Some("Cannot update user details.".to_string()),
user => user user => user_res
) )
) )
} }

View file

@ -46,7 +46,7 @@ pub async fn perform_register(
email: Some(register.email), email: Some(register.email),
handle: register.handle, handle: register.handle,
full_name: None, full_name: None,
avatar_asset_id: None, picture: None,
password_hash, password_hash,
status: UserStatus::Active, status: UserStatus::Active,

View file

@ -47,8 +47,7 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
let api_user_routes = Router::new() let api_user_routes = Router::new()
.route("/api/user", get(api::read_user::read_user_basic)) .route("/api/user", get(api::read_user::read_user_basic))
.layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware)) .layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware))
.route("/api", get(api::index::get_index)) .route("/api", get(api::index::get_index));
.route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));
let well_known_routes = Router::new() let well_known_routes = Router::new()
.route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration)); .route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));

View file

@ -55,9 +55,10 @@
/> />
</div> </div>
<div class="mb-3"> <div class="mb-3">
<label for="avatar">Profile picture</label> <label for="picture">Profile picture</label>
<!-- for now, no JPEG -->
<input <input
id="avatar" name="avatar" id="picture" name="picture"
type="file" type="file"
accept="image/gif, image/png, image/jpeg" accept="image/gif, image/png, image/jpeg"
class="form-control" class="form-control"

View file

@ -5,12 +5,9 @@
<a href="/me/details-form">Update details.</a> <a href="/me/details-form">Update details.</a>
<a href="/me/authorizations">Manage authorizations.</a> <a href="/me/authorizations">Manage authorizations.</a>
{% if user.avatar_asset_id %} <p>
<div class="my-3"> {% if user.picture %}
<img <img src="data:image/*;base64,{{ encode_b64str(user.picture) }}" style="width: 150px; height: 150px; object-fit: contain">
src="http://localhost:8085/api/user-assets/{{ user.avatar_asset_id }}"
style="width: 150px; height: 150px; object-fit: contain">
</div>
{% endif %} {% endif %}
<ul> <ul>
<li> <li>

View file

@ -18,8 +18,6 @@ chrono = { workspace = true }
toml = { workspace = true } toml = { workspace = true }
sqlx = { workspace = true } sqlx = { workspace = true }
dotenvy = { workspace = true } dotenvy = { workspace = true }
sha2 = { workspace = true }
hex-literal = { workspace = true }
uuid = { workspace = true } uuid = { workspace = true }
url = { workspace = true } url = { workspace = true }

View file

@ -1,4 +1,4 @@
pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db"; pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets"; pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.toml"; pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.yaml";

View file

@ -50,10 +50,9 @@ pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<Kerne
let config: Config = get_config(config_path) let config: Config = get_config(config_path)
.expect("Cannot get config."); .expect("Cannot get config.");
let _ = dotenvy::dotenv(); dotenvy::dotenv().context("loading .env")?;
let secrets = AppSecrets { let secrets = AppSecrets {
jwt_secret: env::var("APP_JWT_SECRET") jwt_secret: env::var("APP_JWT_SECRET").context("Expecting APP_JWT_SECRET env var.")?
.context("Expected APP_JWT_SECRET environment variable to exists.")?
}; };
Ok(KernelContext { Ok(KernelContext {

View file

@ -1,4 +1,3 @@
pub mod config; pub mod config;
pub mod user; pub mod user;
pub mod user_asset;
pub mod authorization; pub mod authorization;

View file

@ -23,7 +23,7 @@ struct User {
full_name: Option<String>, full_name: Option<String>,
email: Option<String>, email: Option<String>,
website: Option<String>, website: Option<String>,
avatar_asset_id: Option<String>, picture: Option<Vec<u8>>, // embeded blob to store profile pic
password_hash: Option<String>, // argon2 password hash password_hash: Option<String>, // argon2 password hash
status: UserStatus, status: UserStatus,
roles: Json<Vec<String>>, roles: Json<Vec<String>>,
@ -43,7 +43,7 @@ impl User {
full_name: None, full_name: None,
email: None, email: None,
website: None, website: None,
avatar_asset_id: None, picture: None,
password_hash: None, password_hash: None,
status: UserStatus::Disabled, status: UserStatus::Disabled,
roles: Json(Vec::new()), roles: Json(Vec::new()),

View file

@ -1,41 +0,0 @@
use fully_pub::fully_pub;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use uuid::Uuid;
use sha2::{Sha256, Digest};
use super::user::User;
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
#[fully_pub]
struct UserAsset {
/// uuid
id: String,
user_id: String,
mime_type: String,
fingerprint: String,
name: Option<String>,
content: Vec<u8>,
created_at: DateTime<Utc>
}
impl UserAsset {
pub fn new(
user: &User,
content: Vec<u8>,
mime_type: String,
name: Option<String>
) -> UserAsset {
let digest = Sha256::digest(&content);
UserAsset {
id: Uuid::new_v4().to_string(),
user_id: user.id.clone(),
fingerprint: format!("{:x}", digest),
mime_type,
content,
name,
created_at: Utc::now()
}
}
}

View file

@ -1,6 +1,6 @@
// user repositories // user repositories
use crate::models::{user::User, user_asset::UserAsset}; use crate::models::user::User;
use super::storage::Storage; use super::storage::Storage;
use anyhow::{Result, Context}; use anyhow::{Result, Context};
@ -19,30 +19,3 @@ pub async fn get_users(storage: &Storage) -> Result<Vec<User>> {
.await .await
.context("To get users.") .context("To get users.")
} }
pub async fn create_user_asset(storage: &Storage, asset: UserAsset) -> Result<()> {
sqlx::query("INSERT INTO user_assets
(id, user_id, mime_type, fingerprint, content, created_at)
VALUES ($1, $2, $3, $4, $5, $6)
")
.bind(&asset.id)
.bind(&asset.user_id)
.bind(&asset.mime_type)
.bind(&asset.fingerprint)
.bind(&asset.content)
.bind(&asset.created_at)
.execute(&storage.0)
.await
.context("While inserting user asset.")?;
// .bind(details_update.avatar.contents.to_vec())
Ok(())
}
pub async fn get_user_asset_by_id(storage: &Storage, id: &str) -> Result<UserAsset> {
sqlx::query_as("SELECT * FROM user_assets WHERE id = $1")
.bind(id)
.fetch_one(&storage.0)
.await
.context("To get user asset by id.")
}

View file

@ -5,8 +5,8 @@ CREATE TABLE users (
full_name TEXT, full_name TEXT,
email TEXT UNIQUE, email TEXT UNIQUE,
website TEXT, website TEXT,
picture BLOB,
roles TEXT NOT NULL, -- json array of user roles roles TEXT NOT NULL, -- json array of user roles
avatar_asset_id TEXT,
status TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled', status TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
password_hash TEXT, password_hash TEXT,
@ -15,17 +15,6 @@ CREATE TABLE users (
created_at DATETIME NOT NULL created_at DATETIME NOT NULL
); );
DROP TABLE IF EXISTS user_assets;
CREATE TABLE user_assets (
id TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
mime_type TEXT NOT NULL,
fingerprint TEXT NOT NULL,
name TEXT, -- file name
content BLOB NOT NULL,
created_at DATETIME NOT NULL
);
DROP TABLE IF EXISTS authorizations; DROP TABLE IF EXISTS authorizations;
CREATE TABLE authorizations ( CREATE TABLE authorizations (
id TEXT PRIMARY KEY, id TEXT PRIMARY KEY,