working on auth flow code

avacore1337 · avacore1337 · commit cee7cb8fa373 · 2021-05-31T01:41:40.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -32,6 +32,7 @@ unicode-truncate = "0.2.0"
 dns-lookup = "1.0.6"
 rocket-client-addr = "0.4.6"
 openidconnect = "2.0.1"
+anyhow = "1.0.40"
 
 
 [dependencies.rocket_contrib]
diff --git a/devops/https-nginx.conf b/devops/https-nginx.conf
@@ -16,7 +16,7 @@ http {
     server {
         server_name queue.csc.kth.se;
 
-        location ~ ^/(api/|auth|login) {
+        location ~ ^/(api/|auth|login|oidc_auth) {
             proxy_pass http://localhost:8000;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
diff --git a/src/config.rs b/src/config.rs
@@ -48,8 +48,6 @@ pub fn from_env() -> Config {
         .expect("PORT environment variable should parse to an integer");
 
     let address = env::var("ROCKET_ADDRESS").unwrap_or_else(|_| "127.0.0.1".to_string());
-    // let application_id = env::var("APPLICATION_ID").unwrap_or_else(|_| "unset".to_string());
-    // let client_secret = env::var("CLIENT_SECRET").unwrap_or_else(|_| "unset".to_string());
 
     let mut database_config = HashMap::new();
     let mut databases = HashMap::new();
diff --git a/src/lib.rs b/src/lib.rs
@@ -78,7 +78,11 @@ pub fn rocket() -> rocket::Rocket {
         .mount("/", StaticFiles::from("public/build"))
         .mount(
             "/",
-            routes![routes::users::kth_auth, routes::users::kth_login,],
+            routes![
+                routes::users::kth_auth,
+                routes::users::kth_oidc_auth,
+                routes::users::kth_login,
+            ],
         )
         .mount(
             "/api",
diff --git a/src/routes/user_events.rs b/src/routes/user_events.rs
@@ -1,5 +1,5 @@
 use crate::auth::{validate_auth, Auth, AuthLevel};
-use crate::db::{self};
+use crate::db;
 use rocket::request::Form;
 
 use rocket_contrib::json::JsonValue;
diff --git a/src/routes/users.rs b/src/routes/users.rs
@@ -1,15 +1,29 @@
 use crate::auth::Auth;
 use crate::config::AppState;
-use crate::db::{self};
+use crate::db;
 use crate::errors::{Errors, FieldValidator};
 use crate::util::{handle_login, Ticket};
+use anyhow::{anyhow, Result};
+use openidconnect::core::{
+    CoreAuthenticationFlow, CoreClient, CoreProviderMetadata, CoreUserInfoClaims,
+};
+
+use openidconnect::{
+    AccessTokenHash, AuthorizationCode, ClientId, ClientSecret, CsrfToken, IssuerUrl, Nonce,
+    PkceCodeChallenge, RedirectUrl, Scope,
+};
 use rocket::http::{Cookie, Cookies};
 use rocket::request::Form;
 use rocket::response::Redirect;
 use rocket::State;
 use rocket_client_addr::ClientAddr;
 use rocket_contrib::json::{Json, JsonValue};
 use serde::Deserialize;
+use std::env;
+
+use openidconnect::reqwest::http_client;
+
+use openidconnect::{OAuth2TokenResponse, TokenResponse};
 
 #[derive(Deserialize)]
 pub struct LoginUser {
@@ -59,9 +73,39 @@ pub fn post_users_login(
 
 #[get("/login")]
 pub fn kth_login() -> Redirect {
+    if let Ok(oidc) = env::var("USE_OIDC") {
+        println!("use oidc: {}", oidc);
+        match oidc.as_str() {
+            "true" => return use_oidc(),
+            _ => {}
+        }
+    }
     Redirect::to("https://login.kth.se/login?service=https://queue.csc.kth.se/auth")
 }
 
+#[derive(FromForm, Default)]
+pub struct Code {
+    code: Option<String>,
+    state: Option<String>,
+}
+
+#[get("/oidc-auth?<params..>")]
+pub fn kth_oidc_auth(
+    mut cookies: Cookies,
+    conn: db::DbConn,
+    state: State<AppState>,
+    params: Form<Code>,
+    client_addr: &ClientAddr,
+) -> Redirect {
+    match get_oidc_user(params) {
+        Ok(_) => println!("good login!"),
+        Err(err) => {
+            println!("oidc error: {:?}", err);
+        }
+    }
+    Redirect::to("/")
+}
+
 #[get("/auth?<params..>")]
 pub fn kth_auth(
     mut cookies: Cookies,
@@ -82,3 +126,129 @@ pub fn kth_auth(
     }
     Redirect::to("/")
 }
+
+pub fn get_client() -> Result<CoreClient> {
+    // "https://login.ug.kth.se/adfs/.well-known/openid-configuration".to_string(),
+    // println!(
+    //     "metadata: {:?}",
+    //     &IssuerUrl::new(
+    //         "https://login.ug.kth.se/adfs/.well-known/openid-configuration".to_string(),
+    //     )?
+    // );
+    let provider_metadata = CoreProviderMetadata::discover(
+        &IssuerUrl::new("https://login.ug.kth.se/adfs".to_string())?,
+        http_client,
+    )?;
+
+    // Create an OpenID Connect client by specifying the client ID, client secret, authorization URL
+    // and token URL.
+    let application_id = env::var("APPLICATION_ID").expect("OIDC need an application ID");
+    let client_secret = env::var("CLIENT_SECRET").expect("OIDC need a client secret");
+    let client = CoreClient::from_provider_metadata(
+        provider_metadata,
+        ClientId::new(application_id),
+        Some(ClientSecret::new(client_secret)),
+    )
+    // Set the URL the user will be redirected to after the authorization process.
+    .set_redirect_uri(RedirectUrl::new(
+        "https://queue.csc.kth.se/oidc-auth".to_string(),
+    )?);
+    Ok(client)
+}
+
+pub fn use_oidc() -> Redirect {
+    match generate_redirect() {
+        Ok(redirect) => redirect,
+        Err(err) => {
+            println!("oidc error: {:?}", err);
+
+            Redirect::to("https://queue.csc.kth.se/failed_login")
+        }
+    }
+}
+
+pub fn generate_redirect() -> Result<Redirect> {
+    println!("generating redirect");
+    let client = get_client()?;
+
+    // Generate the full authorization URL.
+    let (auth_url, _csrf_token, _nonce) = client
+        .authorize_url(
+            CoreAuthenticationFlow::AuthorizationCode,
+            CsrfToken::new_random,
+            Nonce::new_random,
+        )
+        // Set the desired scopes.
+        // .add_scope(Scope::new("openid".to_string()))
+        .url();
+
+    // This is the URL you should redirect the user to, in order to trigger the authorization
+    // process.
+    println!("Browse to: {}", auth_url);
+
+    Ok(Redirect::to(auth_url.to_string()))
+}
+
+pub fn get_oidc_user(params: Form<Code>) -> Result<()> {
+    let client = get_client()?;
+    println!("getting oidc_user");
+    let code = params
+        .code
+        .as_ref()
+        .ok_or_else(|| anyhow!("got no code in request"))?;
+    println!("code: {}", code);
+    let nonce = Nonce::new("fake_nonce".to_string());
+    // Once the user has been redirected to the redirect URL, you'll have access to the
+    // authorization code. For security reasons, your code should verify that the `state`
+    // parameter returned by the server matches `csrf_state`.
+
+    // Now you can exchange it for an access token and ID token.
+    let token_response = client
+        .exchange_code(AuthorizationCode::new(code.to_string()))
+        .request(http_client)?;
+
+    println!("Got token response");
+    // Extract the ID token claims after verifying its authenticity and nonce.
+    let id_token = token_response
+        .id_token()
+        .ok_or_else(|| anyhow!("Server did not return an ID token"))?;
+    let claims = id_token.claims(&client.id_token_verifier(), &nonce)?;
+
+    println!("Got the claims: {:?}", claims);
+    // Verify the access token hash to ensure that the access token hasn't been substituted for
+    // another user's.
+    if let Some(expected_access_token_hash) = claims.access_token_hash() {
+        let actual_access_token_hash =
+            AccessTokenHash::from_token(token_response.access_token(), &id_token.signing_alg()?)?;
+        if actual_access_token_hash != *expected_access_token_hash {
+            return Err(anyhow!("Invalid access token"));
+        }
+    }
+    println!("almost done now!");
+
+    // The authenticated user's identity is now available. See the IdTokenClaims struct for a
+    // complete listing of the available claims.
+    println!(
+        "User {} with e-mail address {} has authenticated successfully",
+        claims.subject().as_str(),
+        claims
+            .email()
+            .map(|email| email.as_str())
+            .unwrap_or("<not provided>"),
+    );
+
+    // If available, we can use the UserInfo endpoint to request additional information.
+
+    // The user_info request uses the AccessToken returned in the token response. To parse custom
+    // claims, use UserInfoClaims directly (with the desired type parameters) rather than using the
+    // CoreUserInfoClaims type alias.
+    let _userinfo: CoreUserInfoClaims = client
+        .user_info(token_response.access_token().to_owned(), None)
+        .map_err(|err| anyhow!("No user info endpoint: {:?}", err))?
+        .request(http_client)
+        .map_err(|err| anyhow!("Failed requesting user info: {:?}", err))?;
+
+    // See the OAuth2TokenResponse trait for a listing of other available fields such as
+    // access_token() and refresh_token().
+    Ok(())
+}
