feat(auth): rust client support for bearer auth

Author: matt-codecov

Cargo.lock

@@ -36,6 +36,7 @@ futures-util = "0.3.31"
 http = "1.3.1"
 humantime = "2.2.0"
 humantime-serde = "1.1.1"
+jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
 merni = "0.1.3"
 mimalloc = { version = "0.1.48", features = ["v3", "override"] }
 rand = "0.9.1"

Cargo.toml

@@ -15,6 +15,7 @@ async-compression = { version = "0.4.27", features = ["tokio", "zstd"] }
 bytes = { workspace = true }
 futures-util = { workspace = true }
 infer = { version = "0.19.0", default-features = false }
+jsonwebtoken = { workspace = true }
 objectstore-types = { workspace = true }
 reqwest = { workspace = true, features = ["json", "stream"] }
 sentry-core = { version = ">=0.41", features = ["client"] }

clients/rust/Cargo.toml

@@ -0,0 +1,84 @@
+use std::collections::{BTreeMap, HashSet};
+
+use jsonwebtoken::{Algorithm, EncodingKey, Header, encode, get_current_timestamp};
+use objectstore_types::Permission;
+use serde::{Deserialize, Serialize};
+
+use crate::ScopeInner;
+
+const DEFAULT_EXPIRY_SECONDS: u64 = 60;
+const DEFAULT_PERMISSIONS: [Permission; 3] = [
+    Permission::ObjectRead,
+    Permission::ObjectWrite,
+    Permission::ObjectDelete,
+];
+
+struct SecretKey {
+    kid: String,
+    secret_key: String,
+}
+
+struct TokenGenerator {
+    kid: String,
+    encoding_key: EncodingKey,
+    expiry_seconds: u64,
+    permissions: HashSet<Permission>,
+}
+
+#[derive(Serialize, Deserialize)]
+struct JwtRes {
+    #[serde(rename = "os:usecase")]
+    usecase: String,
+
+    #[serde(flatten)]
+    scopes: BTreeMap<String, String>,
+}
+
+#[derive(Serialize, Deserialize)]
+struct JwtClaims {
+    exp: u64,
+    permissions: HashSet<Permission>,
+    res: JwtRes,
+}
+
+impl TokenGenerator {
+    pub fn new(secret_key: SecretKey) -> crate::Result<TokenGenerator> {
+        let encoding_key = EncodingKey::from_ed_pem(secret_key.secret_key.as_bytes())?;
+        Ok(TokenGenerator {
+            kid: secret_key.kid,
+            encoding_key,
+            expiry_seconds: DEFAULT_EXPIRY_SECONDS,
+            permissions: HashSet::from(DEFAULT_PERMISSIONS),
+        })
+    }
+
+    pub fn expiry_seconds(mut self, expiry_seconds: u64) -> Self {
+        self.expiry_seconds = expiry_seconds;
+        self
+    }
+
+    pub fn permissions(mut self, permissions: &[Permission]) -> Self {
+        self.permissions = HashSet::from_iter(permissions.iter().cloned());
+        self
+    }
+
+    pub fn sign_for_scope(&self, scope: &ScopeInner) -> crate::Result<String> {
+        let claims = JwtClaims {
+            exp: get_current_timestamp() + self.expiry_seconds,
+            permissions: self.permissions.clone(),
+            res: JwtRes {
+                usecase: scope.usecase().name().into(),
+                scopes: scope
+                    .scopes()
+                    .iter()
+                    .map(|scope| (scope.name().to_string(), scope.value().to_string()))
+                    .collect(),
+            },
+        };
+
+        let mut header = Header::new(Algorithm::EdDSA);
+        header.kid = Some(self.kid.clone());
+
+        Ok(encode(&header, &claims, &self.encoding_key)?)
+    }
+}

clients/rust/src/auth.rs

@@ -7,7 +7,7 @@ use futures_util::stream::BoxStream;
 use objectstore_types::ExpirationPolicy;
 use url::Url;
 
-pub use objectstore_types::{Compression, scope as scope_types};
+pub use objectstore_types::{scope as scope_types, Compression};
 
 const USER_AGENT: &str = concat!("objectstore-client/", env!("CARGO_PKG_VERSION"));
 
@@ -227,6 +227,11 @@ impl ScopeInner {
         &self.usecase
     }
 
+    #[inline]
+    pub(crate) fn scopes(&self) -> &scope_types::Scopes {
+        &self.scopes
+    }
+
     fn as_path_segment(&self) -> String {
         if self.scopes.is_empty() {
             return "_".to_string();

clients/rust/src/client.rs

@@ -16,6 +16,9 @@ pub enum Error {
     /// Error when scope validation fails.
     #[error(transparent)]
     InvalidScope(#[from] objectstore_types::scope::InvalidScopeError),
+    /// Error when creating auth tokens, such as invalid keys.
+    #[error(transparent)]
+    TokenError(#[from] jsonwebtoken::errors::Error),
     /// Error when URL manipulation fails.
     #[error("{message}")]
     InvalidUrl {

clients/rust/src/error.rs

@@ -2,6 +2,7 @@
 #![warn(missing_docs)]
 #![warn(missing_debug_implementations)]
 
+mod auth;
 mod client;
 mod delete;
 mod error;
@@ -11,6 +12,7 @@ pub mod utils;
 
 pub use objectstore_types::{Compression, ExpirationPolicy};
 
+pub use auth::*;
 pub use client::*;
 pub use delete::*;
 pub use error::*;

clients/rust/src/lib.rs

@@ -21,7 +21,7 @@ figment = { version = "0.10.19", features = ["env", "test", "yaml"] }
 futures-util = { workspace = true }
 humantime = { workspace = true }
 humantime-serde = { workspace = true }
-jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
+jsonwebtoken = { workspace = true }
 merni = { workspace = true }
 mimalloc = { workspace = true }
 num_cpus = "1.17.0"