fix: check github username in middleware and pass it to signer object afterwards

AlexMCon · AlexMCon · commit a2060a8a7f45 · 2024-03-06T15:10:46.000+02:00
diff --git a/fplus-http-server/src/main.rs b/fplus-http-server/src/main.rs
@@ -1,7 +1,7 @@
 use env_logger;
 use log::info;
 mod middleware;
-use middleware::gh_auth;
+use middleware::verifier_auth::VerifierAuth;
 pub(crate) mod router;
 use std::env;
 
@@ -12,8 +12,6 @@ use actix_web::{
     middleware::Logger,
 };
 
-use gh_auth::GHAuth;
-
 #[tokio::main]
 async fn main() -> std::io::Result<()> {
     dotenv::dotenv().ok();
@@ -36,7 +34,7 @@ async fn main() -> std::io::Result<()> {
             .service(router::application::create)
             .service(
                 web::scope("/api")
-                    .wrap(GHAuth) // Apply GitHubAuth to all routes under "/api"
+                    .wrap(VerifierAuth) // Apply GitHubAuth to all routes under "/api"
                     .service(router::application::trigger)
                     .service(router::application::propose)
                     .service(router::application::approve)
diff --git a/fplus-http-server/src/middleware/gh_auth.rs b/fplus-http-server/src/middleware/gh_auth.rs
diff --git a/fplus-http-server/src/middleware/mod.rs b/fplus-http-server/src/middleware/mod.rs
@@ -1 +1 @@
-pub mod gh_auth;
+pub mod verifier_auth;
diff --git a/fplus-http-server/src/middleware/verifier_auth.rs b/fplus-http-server/src/middleware/verifier_auth.rs
@@ -0,0 +1,140 @@
+use actix_web::{
+    dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
+    Error, web,
+  };
+  use futures_util::future::{LocalBoxFuture, ready, Ready};
+  use reqwest::Client;
+  use serde::Deserialize;
+  
+  // Import any other modules that you reference in this file
+  use fplus_database::database::allocators::get_allocator;
+  #[derive(Deserialize, Debug)]
+  struct RepoQuery {
+    owner: String,
+    repo: String,
+    github_username: String
+  }
+  
+  pub struct VerifierAuth;
+  
+  impl<S, B> Transform<S, ServiceRequest> for VerifierAuth
+  where
+      S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
+      S::Future: 'static,
+      B: 'static,
+  {
+      type Response = ServiceResponse<B>;
+      type Error = Error;
+      type InitError = ();
+      type Transform = VerifierAuthMiddleware<S>;
+      type Future = Ready<Result<Self::Transform, Self::InitError>>;
+  
+      fn new_transform(&self, service: S) -> Self::Future {
+          ready(Ok(VerifierAuthMiddleware { service }))
+      }
+  }
+  
+  pub struct VerifierAuthMiddleware<S> {
+      service: S,
+  }
+  
+  impl<S, B> Service<ServiceRequest> for VerifierAuthMiddleware<S>
+  where
+      S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
+      S::Future: 'static,
+      B: 'static,
+  {
+      type Response = ServiceResponse<B>;
+      type Error = Error;
+      type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
+  
+      forward_ready!(service);
+  
+      fn call(&self, req: ServiceRequest) -> Self::Future {
+          let query_string = req.query_string();
+          let query: Result<web::Query<RepoQuery>, _> = web::Query::from_query(query_string);
+          let RepoQuery { owner, repo, github_username } = match query {
+              Ok(q) => q.into_inner(),
+              Err(_) => {
+                  return Box::pin(async {
+                      return Err(actix_web::error::ErrorBadRequest("Wrong query string format"));
+                  });
+              }
+          };
+  
+          let auth_header_value = req.headers().get("Authorization")
+              .and_then(|hv| hv.to_str().ok())
+              .filter(|hv| hv.starts_with("Bearer "))
+              .map(|hv| hv["Bearer ".len()..].to_string());
+          let fut = self.service.call(req);
+  
+          Box::pin(async move {
+              let mut user_handle = String::new();
+  
+              if let Some(token) = auth_header_value {
+                  // Make the asynchronous HTTP request here
+                  let client = Client::new();
+                  let user_info_result = client.get("https://api.github.com/user")
+                      .header("Authorization", format!("Bearer {}", token))
+                      .header("User-Agent", "Actix-web")
+                      .send()
+                      .await;
+      
+                  match user_info_result {
+                      Ok(response) => {
+                          //Raise an actix test error
+                          if response.status().is_success() {
+                              let user_info = response
+                                  .json::<serde_json::Value>()
+                                  .await
+                                  .expect("Failed to parse JSON");
+  
+                              if let Some(login) = user_info.get("login").and_then(|v| v.as_str()) {
+                                  user_handle = login.to_string();
+                              } else {
+                                  println!("GitHub handle information not found.");
+                                  return Err(actix_web::error::ErrorInternalServerError("GitHub handle information not found."))
+                              }
+                          } else {
+                              println!("Failed to get GitHub user info");
+                              return Err(actix_web::error::ErrorUnauthorized("Failed to get GitHub user info."))
+                          }
+                      },
+                      Err(e) => {
+                          println!("Request error: {:?}", e);
+                          return Err(actix_web::error::ErrorBadRequest(e))
+                      }
+                  }
+              }
+  
+              if github_username != user_handle {
+                  return Err(actix_web::error::ErrorBadRequest("Sent GitHub handle different than auth token owner."))
+              }
+  
+              match get_allocator(&owner, &repo).await {
+                  Ok(allocator) => {
+                      if let Some(allocator) = &allocator {
+                          if let Some(verifiers) = &allocator.verifiers_gh_handles {
+                              let verifier_handles: Vec<String> = verifiers.split(',')
+                                  .map(|s| s.trim().to_lowercase())
+                                  .collect();
+                              if verifier_handles.contains(&user_handle.to_lowercase()) {
+                                  println!("{} is a verifier.", user_handle);
+                              } else {
+                                  println!("The user is not a verifier.");
+                                  return Err(actix_web::error::ErrorUnauthorized("The user is not a verifier."))
+                              }
+                          }
+                      }
+                  },
+                  Err(e) => {
+                      println!("Failed to get allocator: {:?}", e);
+                  }
+              }
+      
+              let res = fut.await?;
+              return Ok(res)
+          })
+      }
+  }
+  
diff --git a/fplus-http-server/src/router/application.rs b/fplus-http-server/src/router/application.rs
@@ -1,7 +1,6 @@
 use actix_web::{get, post, web, HttpResponse, Responder};
 use fplus_lib::core::{
-    CompleteGovernanceReviewInfo, CompleteNewApplicationProposalInfo, CreateApplicationInfo,
-    LDNApplication, RefillInfo, DcReachedInfo, ValidationPullRequestData, GithubQueryParams, ApplicationQueryParams
+    application::file::VerifierInput, ApplicationQueryParams, CompleteGovernanceReviewInfo, CompleteNewApplicationProposalInfo, CreateApplicationInfo, DcReachedInfo, GithubQueryParams, LDNApplication, RefillInfo, ValidationPullRequestData, VerifierActionsQueryParams
 };
 
 #[post("/application")]
@@ -27,20 +26,11 @@ pub async fn single(query: web::Query<ApplicationQueryParams>) -> impl Responder
     };
 }
 
-#[post("/testz")]
-pub async fn testz(
-    query: web::Query<ApplicationQueryParams>
-) -> impl Responder {
-    println!("testzzzz {:?} {:?}", query.owner, query.repo);
-    return HttpResponse::Ok()
-}
-
 #[post("/application/trigger")]
 pub async fn trigger(
     query: web::Query<ApplicationQueryParams>,
     info: web::Json<CompleteGovernanceReviewInfo>,
 ) -> impl Responder {
-
     let CompleteGovernanceReviewInfo { actor} = info.into_inner();
     let ldn_application = match LDNApplication::load(query.id.clone(), query.owner.clone(), query.repo.clone()).await {
         Ok(app) => app,
@@ -50,7 +40,7 @@ pub async fn trigger(
     };
     dbg!(&ldn_application);
     match ldn_application
-        .complete_governance_review(actor, query.id.clone(), query.repo.clone())
+        .complete_governance_review(actor, query.owner.clone(), query.repo.clone())
         .await
     {
         Ok(app) => HttpResponse::Ok().body(serde_json::to_string_pretty(&app).unwrap()),
@@ -64,7 +54,7 @@ pub async fn trigger(
 #[post("/application/propose")]
 pub async fn propose(
     info: web::Json<CompleteNewApplicationProposalInfo>,
-    query: web::Query<ApplicationQueryParams>,
+    query: web::Query<VerifierActionsQueryParams>,
 ) -> impl Responder {
     let CompleteNewApplicationProposalInfo {
         signer,
@@ -76,8 +66,14 @@ pub async fn propose(
             return HttpResponse::BadRequest().body(e.to_string());
         }
     };
+    let updated_signer = VerifierInput {
+        github_username: query.github_username.clone(), // Use the provided `github_username` parameter
+        signing_address: signer.signing_address,
+        created_at: signer.created_at,
+        message_cid: signer.message_cid,
+    };
     match ldn_application
-        .complete_new_application_proposal(signer, request_id, query.owner.clone(), query.repo.clone())
+        .complete_new_application_proposal(updated_signer, request_id, query.owner.clone(), query.repo.clone())
         .await
     {
         Ok(app) => HttpResponse::Ok().body(serde_json::to_string_pretty(&app).unwrap()),
@@ -89,7 +85,7 @@ pub async fn propose(
 
 #[post("/application/approve")]
 pub async fn approve(
-    query: web::Query<ApplicationQueryParams>,
+    query: web::Query<VerifierActionsQueryParams>,
     info: web::Json<CompleteNewApplicationProposalInfo>,
 ) -> impl Responder {
     let CompleteNewApplicationProposalInfo {
@@ -102,8 +98,14 @@ pub async fn approve(
             return HttpResponse::BadRequest().body(e.to_string());
         }
     };
+    let updated_signer = VerifierInput {
+        github_username: query.github_username.clone(), // Use the provided `github_username` parameter
+        signing_address: signer.signing_address,
+        created_at: signer.created_at,
+        message_cid: signer.message_cid,
+    };
     match ldn_application
-        .complete_new_application_approval(signer, request_id, query.owner.clone(), query.repo.clone())
+        .complete_new_application_approval(updated_signer, request_id, query.owner.clone(), query.repo.clone())
         .await
     {
         Ok(app) => HttpResponse::Ok().body(serde_json::to_string_pretty(&app).unwrap()),
diff --git a/fplus-lib/src/core/mod.rs b/fplus-lib/src/core/mod.rs

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-pub mod gh_auth;`
	`1`	`+pub mod verifier_auth;`