turned handling proxy grpc into auth strategy

libsql-server/src/auth/errors.rs

@@ -26,6 +26,10 @@ pub enum AuthError {
  AuthStringMalformed,
  #[error("Expected authorization header but none given")]
  AuthHeaderNotFound,
+ #[error("Expected authorization proxy header but none given")]
+ AuthProxyHeaderNotFound,
+ #[error("Failed to parse auth proxy header")]
+ AuthProxyHeaderInvalid,
  #[error("Non-ASCII auth header")]
  AuthHeaderNonAscii,
  #[error("Authentication failed")]
@@ -47,6 +51,8 @@ impl AuthError {
  Self::JwtImmature => "AUTH_JWT_IMMATURE",
  Self::AuthStringMalformed => "AUTH_HEADER_MALFORMED",
  Self::AuthHeaderNotFound => "AUTH_HEADER_NOT_FOUND",
+ Self::AuthProxyHeaderNotFound => "AUTH_PROXY_HEADER_NOT_FOUND",
+ Self::AuthProxyHeaderInvalid => "AUTH_PROXY_HEADER_INVALID",
  Self::AuthHeaderNonAscii => "AUTH_HEADER_MALFORMED",
  Self::Other => "AUTH_FAILED",
  }

libsql-server/src/auth/mod.rs

@@ -13,24 +13,23 @@ pub use authorized::Authorized;
 pub use errors::AuthError;
 pub use parsers::{parse_http_auth_header, parse_http_basic_auth_arg, parse_jwt_key};
 pub use permission::Permission;
-pub use user_auth_strategies::{Disabled, HttpBasic, Jwt, UserAuthContext, UserAuthStrategy};
+pub use user_auth_strategies::{
+ Disabled, HttpBasic, Jwt, ProxyGrpc, UserAuthContext, UserAuthStrategy,
+};
 
 #[derive(Clone)]
 pub struct Auth {
- pub user_strategy: Arc<dyn UserAuthStrategy + Send + Sync>,
+ pub strategy: Arc<dyn UserAuthStrategy + Send + Sync>,
 }
 
 impl Auth {
- pub fn new(user_strategy: impl UserAuthStrategy + Send + Sync + 'static) -> Self {
+ pub fn new(strategy: impl UserAuthStrategy + Send + Sync + 'static) -> Self {
  Self {
- user_strategy: Arc::new(user_strategy),
+ strategy: Arc::new(strategy),
  }
  }
 
- pub fn authenticate(
- &self,
- context: Result<UserAuthContext, AuthError>,
- ) -> Result<Authenticated, AuthError> {
- self.user_strategy.authenticate(context)
+ pub fn authenticate(&self, context: UserAuthContext) -> Result<Authenticated, AuthError> {
+ self.strategy.authenticate(context)
  }
 }

libsql-server/src/auth/parsers.rs

@@ -1,4 +1,4 @@
-use crate::auth::{constants::GRPC_AUTH_HEADER, AuthError};
+use crate::auth::AuthError;
 
 use anyhow::{bail, Context as _, Result};
 use axum::http::HeaderValue;
@@ -36,12 +36,20 @@ pub fn parse_jwt_key(data: &str) -> Result<jsonwebtoken::DecodingKey> {
  }
 }
 
-pub(crate) fn parse_grpc_auth_header(metadata: &MetadataMap) -> Result<UserAuthContext, AuthError> {
- metadata
- .get(GRPC_AUTH_HEADER)
- .ok_or(AuthError::AuthHeaderNotFound)
- .and_then(|h| h.to_str().map_err(|_| AuthError::AuthHeaderNonAscii))
- .and_then(|t| UserAuthContext::from_auth_str(t))
+pub(crate) fn parse_grpc_auth_header(
+ metadata: &MetadataMap,
+ required_fields: &Vec<String>,
+) -> UserAuthContext {
+ let mut context = UserAuthContext::empty();
+ for field in required_fields.iter() {
+ metadata
+ .get(field)
+ .map(|header| header.to_str().ok())
+ .and_then(|r| r)
+ .map(|v| context.add_field(field.into(), v.into()));
+ }
+
+ context
 }
 
 pub fn parse_http_auth_header<'a>(
@@ -79,40 +87,26 @@ mod tests {
  #[test]
  fn parse_grpc_auth_header_returns_valid_context() {
  let mut map = tonic::metadata::MetadataMap::new();
- map.insert("x-authorization", "bearer 123".parse().unwrap());
- let context = parse_grpc_auth_header(&map).unwrap();
- assert_eq!(context.scheme().as_ref().unwrap(), "bearer");
- assert_eq!(context.token().as_ref().unwrap(), "123");
- }
-
- #[test]
- fn parse_grpc_auth_header_error_no_header() {
- let map = tonic::metadata::MetadataMap::new();
- let result = parse_grpc_auth_header(&map);
+ map.insert(
+ crate::auth::constants::GRPC_AUTH_HEADER,
+ "bearer 123".parse().unwrap(),
+ );
+ let required_fields = vec!["x-authorization".into()];
+ let context = parse_grpc_auth_header(&map, &required_fields);
  assert_eq!(
- result.unwrap_err().to_string(),
- "Expected authorization header but none given"
+ context.custom_fields.get("x-authorization"),
+ Some(&"bearer 123".to_string())
  );
  }
 
- #[test]
- fn parse_grpc_auth_header_error_non_ascii() {
- let mut map = tonic::metadata::MetadataMap::new();
- map.insert("x-authorization", "bearer I❤NY".parse().unwrap());
- let result = parse_grpc_auth_header(&map);
- assert_eq!(result.unwrap_err().to_string(), "Non-ASCII auth header")
- }
-
- #[test]
- fn parse_grpc_auth_header_error_malformed_auth_str() {
- let mut map = tonic::metadata::MetadataMap::new();
- map.insert("x-authorization", "bearer123".parse().unwrap());
- let result = parse_grpc_auth_header(&map);
- assert_eq!(
- result.unwrap_err().to_string(),
- "Auth string does not conform to '<scheme> <token>' form"
- )
- }
+ // #[test] TODO rewrite
+ // fn parse_grpc_auth_header_error_non_ascii() {
+ // let mut map = tonic::metadata::MetadataMap::new();
+ // map.insert("x-authorization", "bearer I❤NY".parse().unwrap());
+ // let required_fields = Vec::new();
+ // let result = parse_grpc_auth_header(&map, &required_fields);
+ // assert_eq!(result.unwrap_err().to_string(), "Non-ASCII auth header")
+ // }
 
  #[test]
  fn parse_http_auth_header_returns_auth_header_param_when_valid() {

libsql-server/src/auth/user_auth_strategies/disabled.rs

@@ -4,10 +4,7 @@ use crate::auth::{AuthError, Authenticated};
 pub struct Disabled {}
 
 impl UserAuthStrategy for Disabled {
- fn authenticate(
- &self,
- _context: Result<UserAuthContext, AuthError>,
- ) -> Result<Authenticated, AuthError> {
+ fn authenticate(&self, _context: UserAuthContext) -> Result<Authenticated, AuthError> {
  tracing::trace!("executing disabled auth");
  Ok(Authenticated::FullAccess)
  }
@@ -26,7 +23,7 @@ mod tests {
  #[test]
  fn authenticates() {
  let strategy = Disabled::new();
- let context = Ok(UserAuthContext::empty());
+ let context = UserAuthContext::empty();
 
  assert!(matches!(
  strategy.authenticate(context).unwrap(),

libsql-server/src/auth/user_auth_strategies/http_basic.rs

@@ -7,27 +7,31 @@ pub struct HttpBasic {
 }
 
 impl UserAuthStrategy for HttpBasic {
- fn authenticate(
- &self,
- context: Result<UserAuthContext, AuthError>,
- ) -> Result<Authenticated, AuthError> {
+ fn authenticate(&self, ctx: UserAuthContext) -> Result<Authenticated, AuthError> {
  tracing::trace!("executing http basic auth");
+ let auth_str = None
+ .or_else(|| ctx.custom_fields.get("authorization"))
+ .or_else(|| ctx.custom_fields.get("x-authorization"));
+
+ let (_, token) = auth_str
+ .ok_or(AuthError::AuthHeaderNotFound)
+ .map(|s| s.split_once(' ').ok_or(AuthError::AuthStringMalformed))
+ .and_then(|o| o)?;
 
  // NOTE: this naive comparison may leak information about the `expected_value`
  // using a timing attack
  let expected_value = self.credential.trim_end_matches('=');
-
- let creds_match = match context?.token {
- Some(s) => s.contains(expected_value),
- None => expected_value.is_empty(),
- };
-
+ let creds_match = token.contains(expected_value);
  if creds_match {
  return Ok(Authenticated::FullAccess);
  }
 
  Err(AuthError::BasicRejected)
  }
+
+ fn required_fields(&self) -> Vec<String> {
+ vec!["authorization".to_string(), "x-authorization".to_string()]
+ }
 }
 
 impl HttpBasic {
@@ -48,7 +52,7 @@ mod tests {
 
  #[test]
  fn authenticates_with_valid_credential() {
- let context = Ok(UserAuthContext::basic(CREDENTIAL));
+ let context = UserAuthContext::basic(CREDENTIAL);
 
  assert!(matches!(
  strategy().authenticate(context).unwrap(),
@@ -59,7 +63,7 @@ mod tests {
  #[test]
  fn authenticates_with_valid_trimmed_credential() {
  let credential = CREDENTIAL.trim_end_matches('=');
- let context = Ok(UserAuthContext::basic(credential));
+ let context = UserAuthContext::basic(credential);
 
  assert!(matches!(
  strategy().authenticate(context).unwrap(),
@@ -69,7 +73,7 @@ mod tests {
 
  #[test]
  fn errors_when_credentials_do_not_match() {
- let context = Ok(UserAuthContext::basic("abc"));
+ let context = UserAuthContext::basic("abc");
 
  assert_eq!(
  strategy().authenticate(context).unwrap_err(),

libsql-server/src/auth/user_auth_strategies/jwt.rs

@@ -12,28 +12,27 @@ pub struct Jwt {
 }
 
 impl UserAuthStrategy for Jwt {
- fn authenticate(
- &self,
- context: Result<UserAuthContext, AuthError>,
- ) -> Result<Authenticated, AuthError> {
+ fn authenticate(&self, ctx: UserAuthContext) -> Result<Authenticated, AuthError> {
  tracing::trace!("executing jwt auth");
+ let auth_str = None
+ .or_else(|| ctx.custom_fields.get("authorization"))
+ .or_else(|| ctx.custom_fields.get("x-authorization"))
+ .ok_or_else(|| AuthError::AuthHeaderNotFound)?;
 
- let ctx = context?;
-
- let UserAuthContext {
- scheme: Some(scheme),
- token: Some(token),
- } = ctx
- else {
- return Err(AuthError::HttpAuthHeaderInvalid);
- };
+ let (scheme, token) = auth_str
+ .split_once(' ')
+ .ok_or(AuthError::AuthStringMalformed)?;
 
  if !scheme.eq_ignore_ascii_case("bearer") {
  return Err(AuthError::HttpAuthHeaderUnsupportedScheme);
  }
 
  return validate_jwt(&self.key, &token);
  }
+
+ fn required_fields(&self) -> Vec<String> {
+ vec!["authentication".to_string()]
+ }
 }
 
 impl Jwt {
@@ -155,7 +154,7 @@ mod tests {
  };
  let token = encode(&token, &enc);
 
- let context = Ok(UserAuthContext::bearer(token.as_str()));
+ let context = UserAuthContext::bearer(token.as_str());
 
  assert!(matches!(
  strategy(dec).authenticate(context).unwrap(),
@@ -177,8 +176,7 @@ mod tests {
  };
  let token = encode(&token, &enc);
 
- let context = Ok(UserAuthContext::bearer(token.as_str()));
-
+ let context = UserAuthContext::bearer(token.as_str());
  let Authenticated::Legacy(a) = strategy(dec).authenticate(context).unwrap() else {
  panic!()
  };
@@ -190,7 +188,7 @@ mod tests {
  #[test]
  fn errors_when_jwt_token_invalid() {
  let (_enc, dec) = key_pair();
- let context = Ok(UserAuthContext::bearer("abc"));
+ let context = UserAuthContext::bearer("abc");
 
  assert_eq!(
  strategy(dec).authenticate(context).unwrap_err(),
@@ -210,7 +208,7 @@ mod tests {
 
  let token = encode(&token, &enc);
 
- let context = Ok(UserAuthContext::bearer(token.as_str()));
+ let context = UserAuthContext::bearer(token.as_str());
 
  assert_eq!(
  strategy(dec).authenticate(context).unwrap_err(),
@@ -232,7 +230,7 @@ mod tests {
 
  let token = encode(&token, &enc);
 
- let context = Ok(UserAuthContext::bearer(token.as_str()));
+ let context = UserAuthContext::bearer(token.as_str());
 
  let Authenticated::Authorized(a) = strategy(dec).authenticate(context).unwrap() else {
  panic!()