move oauth into separate crate

This commit is contained in:
Manuel Gugger 2022-04-24 14:35:43 +02:00
parent 8c106eb9f2
commit b844315bf9
5 changed files with 118 additions and 62 deletions

View File

@ -25,4 +25,5 @@ serde_derive = "1.0.136"
quote = "1.0"
sea-orm = { version = "0.6.0", features = [ "sqlx-sqlite", "runtime-actix-native-tls", "macros" ], default-features = false }
actix_admin = { path = "actix_admin" }
actix_admin = { path = "actix_admin" }
azure_auth = { path = "azure_auth" }

21
azure_auth/Cargo.toml Normal file
View File

@ -0,0 +1,21 @@
[package]
name = "azure_auth"
version = "0.1.0"
edition = "2021"
[dependencies]
actix-web = "4.0.1"
actix-rt = "2.7.0"
actix-session = "0.5.0"
oauth2 = "4.1"
base64 = "0.13.0"
async-trait = "0.1.53"
rand = "0.8.5"
url = "2.2.2"
http = "0.2.6"
dotenv = "0.15"
futures = "0.3.21"
serde = "1.0.136"
serde_json = "1.0.79"
serde_derive = "1.0.136"

View File

@ -1,7 +1,11 @@
#[macro_use]
extern crate serde_derive;
use actix_session::{Session};
use actix_web::http::header;
use actix_web::{web, HttpResponse};
use http::{HeaderMap, Method};
use oauth2::basic::BasicClient;
use oauth2::reqwest::async_http_client;
use oauth2::{
AccessToken, AuthorizationCode, CsrfToken, //PkceCodeChallenge,
@ -9,13 +13,76 @@ use oauth2::{
};
use std::str;
use url::Url;
use oauth2::{
AuthUrl, ClientId, ClientSecret, TokenUrl,
};
pub async fn login(data: web::Data<super::AppState>) -> HttpResponse {
#[allow(non_snake_case)]
#[derive(Serialize, Deserialize, Debug)]
pub struct UserInfo {
mail: String,
userPrincipalName: String,
displayName: String,
givenName: String,
surname: String,
id: String,
}
// AppDataTrait
pub trait AppDataTrait {
fn get_oauth(&self) -> &BasicClient;
}
#[derive(Clone, Debug)]
pub struct AzureAuth {
auth_url: AuthUrl,
token_url: TokenUrl,
client_id: ClientId,
client_secret: ClientSecret
}
impl AzureAuth {
pub fn new(oauth2_server: &String, client_id: &String, client_secret: &String) -> Self {
let azure_auth = AzureAuth {
auth_url: AuthUrl::new(format!("https://{}/oauth2/v2.0/authorize", oauth2_server)).expect("Invalid authorization endpoint URL"),
token_url: TokenUrl::new(format!("https://{}/oauth2/v2.0/token", oauth2_server)).expect("Invalid token endpoint URL"),
client_id: ClientId::new(client_id.clone()),
client_secret: ClientSecret::new(client_secret.clone())
};
azure_auth
}
pub fn get_api_base_url() -> &'static str {
"https://graph.microsoft.com/v1.0"
}
pub fn get_oauth_client(self) -> BasicClient {
BasicClient::new(
self.client_id,
Some(self.client_secret),
self.auth_url,
Some(self.token_url),
)
}
pub fn create_scope<T: AppDataTrait + 'static>(self, _app_state: &T) -> actix_web::Scope {
let scope = web::scope("/auth")
.route("/login", web::get().to(login::<T>))
.route("/logout", web::get().to(logout))
.route("/auth", web::get().to(auth::<T>))
;
scope
}
}
pub async fn login<T: AppDataTrait>(data: web::Data<T>) -> HttpResponse {
// Create a PKCE code verifier and SHA-256 encode it as a code challenge.
// let (_pkce_code_challenge, _pkce_code_verifier) = PkceCodeChallenge::new_random_sha256();
// Generate the authorization URL to which we'll redirect the user.
let (auth_url, _csrf_token) = &data
.oauth
.get_oauth()
.authorize_url(CsrfToken::new_random)
// Set the desired scopes.
.add_scope(Scope::new("openid".to_string()))
@ -35,17 +102,6 @@ pub async fn logout(session: Session) -> HttpResponse {
.finish()
}
#[allow(non_snake_case)]
#[derive(Serialize, Deserialize, Debug)]
pub struct UserInfo {
mail: String,
userPrincipalName: String,
displayName: String,
givenName: String,
surname: String,
id: String,
}
async fn read_user(api_base_url: &str, access_token: &AccessToken) -> UserInfo {
let url = Url::parse(format!("{}/me", api_base_url).as_str()).unwrap();
@ -79,24 +135,25 @@ pub struct AuthRequest {
state: String,
}
pub async fn auth(
pub async fn auth<T: AppDataTrait>(
session: Session,
data: web::Data<super::AppState>,
data: web::Data<T>,
params: web::Query<AuthRequest>,
) -> HttpResponse {
let code = AuthorizationCode::new(params.code.clone());
let _state = CsrfToken::new(params.state.clone());
let api_base_url = AzureAuth::get_api_base_url();
// Exchange the code with a token.
let token = &data
.oauth
.get_oauth()
.exchange_code(code)
//.set_pkce_verifier()
.request_async(async_http_client)
.await
.expect("exchange_code failed");
let user_info = read_user(&data.api_base_url, token.access_token()).await;
let user_info = read_user(api_base_url, token.access_token()).await;
session.insert("user_info", &user_info).unwrap();

View File

@ -1,9 +1,6 @@
// setup
use sea_orm::sea_query::{ColumnDef, TableCreateStatement};
use sea_orm::{error::*, sea_query, ConnectionTrait, DbConn, ExecResult};
use sea_orm::{{ DatabaseConnection, ConnectOptions }};
use sea_orm::{ entity::*, query::*, SelectorTrait, ModelTrait, ColumnTrait, PaginatorTrait, EntityTrait };
use async_trait::async_trait;
pub mod post;
pub use post::Entity as Post;

View File

@ -1,35 +1,30 @@
#[macro_use]
extern crate serde_derive;
use actix_session::{Session, CookieSession};
use actix_web::{web, App, HttpResponse, HttpServer};
use tera::{ Tera, Context};
use oauth2::basic::BasicClient;
use oauth2::{
AuthUrl, ClientId, ClientSecret,
RedirectUrl, TokenUrl,
};
use oauth2::{ RedirectUrl };
use std::time::{Duration};
use std::env;
use sea_orm::{{ DatabaseConnection, ConnectOptions, EntityName }};
use actix_admin::{ActixAdminViewModelTrait, AppDataTrait, ActixAdminViewModel, ActixAdminModel};
use std::collections::HashMap;
use sea_orm::{{ DatabaseConnection, ConnectOptions }};
use actix_admin::{ AppDataTrait as ActixAdminAppDataTrait, ActixAdminViewModel, ActixAdminModel};
use azure_auth::{ AzureAuth, UserInfo, AppDataTrait as AzureAuthAppDataTrait };
mod web_auth;
mod entity;
use entity::{ Post };
#[derive(Debug, Clone)]
pub struct AppState {
pub oauth: BasicClient,
pub api_base_url: String,
pub tmpl: Tera,
pub db: DatabaseConnection,
pub view_model_map: HashMap<&'static str, ActixAdminViewModel>
}
impl AppDataTrait for AppState {
impl ActixAdminAppDataTrait for AppState {
fn get_db(&self) -> &DatabaseConnection {
&self.db
}
@ -39,9 +34,15 @@ impl AppDataTrait for AppState {
}
}
impl AzureAuthAppDataTrait for AppState {
fn get_oauth(&self) -> &BasicClient {
&self.oauth
}
}
async fn index(session: Session, data: web::Data<AppState>) -> HttpResponse {
let login = session.get::<web_auth::UserInfo>("user_info").unwrap();
let web_auth_link = if login.is_some() { "logout" } else { "login" };
let login = session.get::<UserInfo>("user_info").unwrap();
let web_auth_link = if login.is_some() { "/auth/logout" } else { "/auth/login" };
let mut ctx = Context::new();
ctx.insert("web_auth_link", web_auth_link);
@ -52,31 +53,13 @@ async fn index(session: Session, data: web::Data<AppState>) -> HttpResponse {
#[actix_rt::main]
async fn main() {
dotenv::dotenv().ok();
let oauth2_client_id = ClientId::new(
env::var("OAUTH2_CLIENT_ID")
.expect("Missing the OAUTH2_CLIENT_ID environment variable."),
);
let oauth2_client_secret = ClientSecret::new(
env::var("OAUTH2_CLIENT_SECRET")
.expect("Missing the OAUTH2_CLIENT_SECRET environment variable."),
);
let oauth2_server =
env::var("OAUTH2_SERVER").expect("Missing the OAUTH2_SERVER environment variable.");
let auth_url = AuthUrl::new(format!("https://{}/oauth2/v2.0/authorize", oauth2_server))
.expect("Invalid authorization endpoint URL");
let token_url = TokenUrl::new(format!("https://{}/oauth2/v2.0/token", oauth2_server))
.expect("Invalid token endpoint URL");
let api_base_url = "https://graph.microsoft.com/v1.0".to_string();
let oauth2_client_id = env::var("OAUTH2_CLIENT_ID").expect("Missing the OAUTH2_CLIENT_ID environment variable.");
let oauth2_client_secret = env::var("OAUTH2_CLIENT_SECRET").expect("Missing the OAUTH2_CLIENT_SECRET environment variable.");
let oauth2_server = env::var("OAUTH2_SERVER").expect("Missing the OAUTH2_SERVER environment variable.");
let azure_auth = AzureAuth::new(&oauth2_server, &oauth2_client_id, &oauth2_client_secret);
// Set up the config for the OAuth2 process.
let client = BasicClient::new(
oauth2_client_id,
Some(oauth2_client_secret),
auth_url,
Some(token_url),
)
let client = azure_auth.clone().get_oauth_client()
// This example will be running its own server at 127.0.0.1:5000.
.set_redirect_uri(
RedirectUrl::new("http://localhost:5000/auth".to_string())
@ -109,7 +92,6 @@ async fn main() {
let app_state = AppState {
oauth: client,
api_base_url,
tmpl: tera,
db: conn,
view_model_map: actix_admin.get_view_model_map()
@ -119,11 +101,9 @@ async fn main() {
App::new()
.app_data(web::Data::new(app_state.clone()))
.wrap(CookieSession::signed(&[0; 32]).secure(false))
.service(actix_admin.clone().create_scope(&app_state))
.route("/", web::get().to(index))
.route("/login", web::get().to(web_auth::login))
.route("/logout", web::get().to(web_auth::logout))
.route("/auth", web::get().to(web_auth::auth))
.service(actix_admin.clone().create_scope(&app_state))
.service(azure_auth.clone().create_scope(&app_state))
})
.bind("127.0.0.1:5000")
.expect("Can not bind to port 5000")