From 6ec284ba70e736bc24523b279303cee46b06071a Mon Sep 17 00:00:00 2001 From: Yves Fischer Date: Thu, 15 Dec 2016 20:50:23 +0100 Subject: Replace switch -u with header X-Allowed-Jid --- rust/src/handler.rs | 156 ++++++++++++++++++++++++++++++++++------------------ 1 file changed, 103 insertions(+), 53 deletions(-) (limited to 'rust/src/handler.rs') diff --git a/rust/src/handler.rs b/rust/src/handler.rs index 5fb7a03..f3e3f54 100644 --- a/rust/src/handler.rs +++ b/rust/src/handler.rs @@ -1,110 +1,142 @@ use std::cell::Cell; -use std::collections::{HashMap, HashSet}; +use std::collections::{HashMap}; use std::io; use std::marker::Sync; use std::ops::Add; use std::str::from_utf8; +use std::str::FromStr; use std::sync::{Arc, RwLock}; use std::thread; -use std::time::Duration; +use std::time::Duration as StdDuration; use sendxmpp; -use time; +use time::{get_time, Duration as TimeDuration}; use token; +use message::format_message; -use tiny_http::{Request, Response, StatusCode, Header}; +use ascii::AsciiString; +use tiny_http::{Request, Response, StatusCode, Header, HeaderField}; use rustc_serialize::base64::FromBase64; +pub struct HeaderInfos { + auth_username: String, + auth_password: String, + auth_method: String, + allowed_jids: Vec +} + pub struct AuthHandler { bot_jid: String, bot_password: String, - usernames: HashSet, valid_tokens_cache: Arc>>, tg: token::TokenGenerator, - last_interactive_request: Cell + last_interactive_request: Cell, + nosend: bool } type EmptyResponse = Response; +// HTTP Statuscodes defined as macro. This way they can be used like literals. +macro_rules! HTTP_HEADER_AUTHORIZATION { () => (r"Authorization") } +macro_rules! HTTP_HEADER_X_ALLOWED_JID { () => (r"X-Allowed-Jid") } +macro_rules! HTTP_HEADER_WWW_AUTHENTICATE { () => (r"WWW-Authenticate") } + +// Finds a header in a `tiny_http::Header` structure. macro_rules! get_header { ($headers:expr, $name:expr) => ($headers.iter() .filter(|h| h.field.equiv($name)) - .next().ok_or(stringify!(Header not found: $name))); + .next().ok_or(concat!("No Header found named: '", $name, "'"))); } - impl AuthHandler { - pub fn make(bot_jid: String, bot_password: String, - usernames: HashSet, validity: time::Duration, secret: Vec) -> AuthHandler { + pub fn make(bot_jid: String, bot_password: String, validity: TimeDuration, + secret: Vec, nosend: bool) -> AuthHandler { return AuthHandler { bot_jid: bot_jid, bot_password: bot_password, - usernames: usernames, valid_tokens_cache: Arc::new(RwLock::new(HashMap::new())), tg: token::TokenGenerator::new(validity.num_seconds(), secret), last_interactive_request: Cell::new(0), + nosend: nosend } } fn send_message(&self, user_jid: &str) { - let (valid_until, token) = self.tg.generate_token(user_jid, time::get_time().sec); - let message = format!("Token: {} for username: {} valid until {}", - token, user_jid, valid_until); - if sendxmpp::send_message(self.bot_jid.as_str(), self.bot_password.as_str(), - message.as_str(), user_jid).is_err() { - println!("Failed to send message"); + let (valid_from, valid_until, token) = self.tg.generate_token(user_jid, get_time().sec); + let message = format_message(token, valid_from, valid_until); + if self.nosend { + error!("Would send to {} message: {}", user_jid, message); + } else { + if sendxmpp::send_message(self.bot_jid.as_str(), self.bot_password.as_str(), + message.as_str(), user_jid).is_err() { + error!("Failed to send message"); + } } } // Result<(method, username, password), error-message> #[inline(always)] - fn _get_username_password<'a>(request: &'a Request) -> Result<(String, String, String), &'static str> { - let headers = request.headers(); - let auth_header: &Header = { try!(get_header!(headers, "Authorization")) }; + fn _get_username_password<'a>(headers: &'a [Header]) -> Result { + let auth_header = try!(get_header!(headers, HTTP_HEADER_AUTHORIZATION!())); let authorization: &str = auth_header.value.as_str(); + debug!("{}: {}", HTTP_HEADER_AUTHORIZATION!(), authorization); let mut authorization_split = authorization.split(' '); let method_value = try!(authorization_split.next().ok_or("No method in header value")); - let value = try!(authorization_split.next().ok_or("No username/password value in header value")); - let decoded_value = try!(value.from_base64().or(Err("Fail base64 decode"))); - let utf8_decoded_value = try!(from_utf8(&decoded_value).or(Err("fail to decode utf-8"))); + let encoded_value = try!(authorization_split.next().ok_or("No username/password value in header value")); + let decoded_value = try!(encoded_value.from_base64().or(Err("Failed base64 decode"))); + let utf8_decoded_value = try!(from_utf8(&decoded_value).or(Err("Failed to decode UTF-8"))); let mut username_password_split = utf8_decoded_value.split(':'); let username = try!(username_password_split.next().ok_or("No username in header")); let password = try!(username_password_split.next().ok_or("No password in header")); - Ok((String::from(method_value), String::from(username), String::from(password))) + + let allowed_jids_value: &str = try!(get_header!(headers, HTTP_HEADER_X_ALLOWED_JID!())).value.as_str(); + debug!("{}: {}", HTTP_HEADER_X_ALLOWED_JID!(), allowed_jids_value); + let allowed_jids_list: Vec = allowed_jids_value.split(',').map(String::from).collect(); + Ok(HeaderInfos { + auth_username: String::from(username), + auth_password: String::from(password), + auth_method: String::from(method_value), + allowed_jids: allowed_jids_list, + }) } fn authenticate_response(status_code: u16) -> io::Result { Ok(Response::new( StatusCode(status_code), vec![ - Header::from_bytes(&b"WWW-Authenticate"[..], &b"Basic realm=\"xmppmessage auth\""[..]).unwrap() + Header { + field: HeaderField::from_bytes(HTTP_HEADER_WWW_AUTHENTICATE!()).unwrap(), + value: AsciiString::from_str(r#"Basic realm="xmppmessage auth""#).unwrap() + } ], - io::empty(), - Some(0), - None, + io::empty(), None, None )) } fn _call_internal(&self, request: &Request) -> io::Result { - let current_time = time::now().to_timespec().sec; - return match AuthHandler::_get_username_password(request) { - Ok((_, username, password)) => { - let is_known_user = self.usernames.contains(&username); - if username.len() > 0 && password.len() == 0 { + let current_time = get_time().sec; + return match AuthHandler::_get_username_password(request.headers()) { + Ok(headerinfos) => { + let is_known_user = headerinfos.allowed_jids.contains(&headerinfos.auth_username); + if headerinfos.auth_method != "Basic" { + error!("Invalid authentication method. Responding with 405"); + return AuthHandler::authenticate_response(405) // Method not allowed + } else if headerinfos.auth_username.len() > 0 && headerinfos.auth_password.len() == 0 { // Request new token if current_time - self.last_interactive_request.get() < 2 { // If last error was not longer then 2 second ago then sleep - thread::sleep(Duration::from_secs(5)); + info!("Too many invalid token-requests, sleep 5 seconds"); + thread::sleep(StdDuration::from_secs(5)); return AuthHandler::authenticate_response(429) // Too many requests } else { self.last_interactive_request.set(current_time); if is_known_user { - self.send_message(&username); + self.send_message(&headerinfos.auth_username); } return AuthHandler::authenticate_response(401) //Token sent, retry now } } else { - match self.verify(&username, &password) { + match self.verify(&headerinfos) { Ok(true) => { if is_known_user { return Ok(Response::empty(200)) // Ok @@ -116,34 +148,34 @@ impl AuthHandler { Ok(false) => { if current_time - self.last_interactive_request.get() < 2 { // If last error was not longer then 2 seconds ago then sleep 5 seconds - thread::sleep(Duration::from_secs(5)); + thread::sleep(StdDuration::from_secs(5)); return Ok(Response::empty(429)) // Too Many Requests } else { self.last_interactive_request.set(current_time); // in this case we use the chance to delete outdated cache entries match self.clean_cache() { - Ok(num) => println!("Removed {} cache entries", num), - Err(e) => println!("{}", e), + Ok(num) => debug!("Removed {} cache entries", num), + Err(e) => error!("{}", e), }; return AuthHandler::authenticate_response(401) // Authentication failed, username or password wrong } }, Err(msg) => { - println!("verify failed: {}", msg); + error!("verify failed: {}", msg); return Err(io::Error::new(io::ErrorKind::Other, "Server Error")) // Server Error } } } }, Err(e) => { - info!("{}. Request Authentication", e); + info!("Error: {}. Responding with 401", e); return AuthHandler::authenticate_response(401) // No Authorization header }, }; } fn clean_cache(&self) -> Result { - let now = time::get_time().sec; + let now = get_time().sec; let guard = self.valid_tokens_cache.clone(); let mut cache = try!(guard.write().or(Err("Failed to get write lock on cache"))); let outdated_keys = cache.iter().filter(|&(_, &v)| v < now).map(|(k, _)| k.clone()) @@ -152,11 +184,11 @@ impl AuthHandler { Ok(num) } - fn verify(&self, username: &str, password: &str) -> Result { - let pw_token = token::normalize_token(password); + fn verify(&self, headerinfos: &HeaderInfos) -> Result { + let pw_token = token::normalize_token(&headerinfos.auth_password); let guard = self.valid_tokens_cache.clone(); - let key = String::from(username).add(":").add(pw_token.as_str()); - let current_time = time::now().to_timespec().sec; + let key = headerinfos.auth_username.clone().add(":").add(pw_token.as_str()); + let current_time = get_time().sec; // try cache: let result1 = { @@ -174,24 +206,24 @@ impl AuthHandler { match result1 { Ok(true) => Ok(true), _ => { - let t1 = time::get_time().sec - self.tg.valid_duration_secs; - let (valid_until1, token1) = self.tg.generate_token_norm(username, t1); + let t1 = get_time().sec - self.tg.valid_duration_secs; + let (valid_from1, valid_until1, token1) = self.tg.generate_token_norm(&headerinfos.auth_username, t1); if pw_token == token1 { let mut cache = try!(guard.write().or(Err("Failed to get write lock on cache"))); - println!("Cache for {} until {}", username, valid_until1); + debug!("Cache for {} from {} until {}", headerinfos.auth_username, valid_from1, valid_until1); cache.insert(key, valid_until1); return Ok(true) } else { - let t2 = time::get_time().sec; - let (valid_until2, token2) = self.tg.generate_token_norm(username, t2); + let t2 = get_time().sec; + let (valid_from2, valid_until2, token2) = self.tg.generate_token_norm(&headerinfos.auth_username, t2); if pw_token == token2 { let mut cache = try!(guard.write().or(Err("Failed to get write lock on cache"))); - println!("Cache for {} until {}", username, valid_until2); + debug!("Cache for {} from {} until {}", headerinfos.auth_username, valid_from2, valid_until2); cache.insert(key, valid_until2); return Ok(true) } } - println!("Invalid token for {}", username); + warn!("Invalid token for {}", headerinfos.auth_username); Ok(false) } } @@ -207,4 +239,22 @@ impl AuthHandler { } unsafe impl Sync for AuthHandler { +} + +#[cfg(test)] +mod tests { + use super::*; + use time::{Duration as TimeDuration}; + + #[test] + fn test_handler_creation() { + let handler = AuthHandler::make("jid".to_string(), "pw".to_string(), + TimeDuration::hours(123), + vec!(1,2,3), + true); + assert_eq!(handler.bot_jid, "jid"); + assert_eq!(handler.bot_password, "pw"); + assert_eq!(handler.tg.valid_duration_secs, 60*60*123); + assert_eq!(handler.nosend, true); + } } \ No newline at end of file -- cgit v1.2.1