reivilibre/idcoop
1
0
Fork 0
Code Issues 23 Pull Requests Packages Projects Releases Wiki Activity

Apply clippy fixes

Browse Source 
Signed-off-by: Olivier 'reivilibre <olivier@librepush.net>
This commit is contained in:
Olivier 'reivilibre' 2024-06-25 22:09:10 +01:00
parent 073fa99bdc
commit 9bbae5411b
7 changed files with 22 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/config.rs
View File

@ -109,7 +109,7 @@ impl SecretConfig {
.await .await
.context("failed to load RSA private key")?; .context("failed to load RSA private key")?;
let rsa_key_pair = let rsa_key_pair =
RsaKeyPair::from_pem(&rsa_keypair_bytes).context("Failed to decode RSA key pair")?; RsaKeyPair::from_pem(rsa_keypair_bytes).context("Failed to decode RSA key pair")?;
Ok(Self { rsa_key_pair }) Ok(Self { rsa_key_pair })
} }

2
src/web.rs
View File

@ -114,7 +114,7 @@ pub async fn serve(
.layer(Extension(Arc::new(PasswordHashInflightLimiter::new(1)))) .layer(Extension(Arc::new(PasswordHashInflightLimiter::new(1))))
.layer(client_ip_source.into_extension()) .layer(client_ip_source.into_extension())
.layer(Extension(Arc::new(ratelimiters))) .layer(Extension(Arc::new(ratelimiters)))
.layer(Extension(VolatileCodeStore::new())); .layer(Extension(VolatileCodeStore::default()));
info!("Listening on {bind:?}"); info!("Listening on {bind:?}");
axum::Server::try_bind(&bind) axum::Server::try_bind(&bind)

9
src/web/login.rs
View File

@ -133,10 +133,10 @@ impl LoginSession {
// TODO this is only using the key, not the salt and persona // TODO this is only using the key, not the salt and persona
let mac_tag_bytes = Blake2sMac256::new_with_salt_and_personal(&self.xsrf_secret, &[], &[])? let mac_tag_bytes = Blake2sMac256::new_with_salt_and_personal(&self.xsrf_secret, &[], &[])?
.chain_update(&now_8bytes) .chain_update(now_8bytes)
.finalize() .finalize()
.into_bytes(); .into_bytes();
let mac_b64 = BASE64_URL_SAFE_NO_PAD.encode(&mac_tag_bytes); let mac_b64 = BASE64_URL_SAFE_NO_PAD.encode(mac_tag_bytes);
Ok(format!("{now_timestamp}.{mac_b64}")) Ok(format!("{now_timestamp}.{mac_b64}"))
} }
@ -158,7 +158,7 @@ impl LoginSession {
// TODO this is only using the key, not the salt and persona // TODO this is only using the key, not the salt and persona
// TODO perhaps the persona should be the user UUID hashed? // TODO perhaps the persona should be the user UUID hashed?
Blake2sMac256::new_with_salt_and_personal(&self.xsrf_secret, &[], &[])? Blake2sMac256::new_with_salt_and_personal(&self.xsrf_secret, &[], &[])?
.chain_update(&timestamp_8bytes) .chain_update(timestamp_8bytes)
.verify_slice(&mac_tag_bytes) .verify_slice(&mac_tag_bytes)
.context("bad MAC in XSRF token")?; .context("bad MAC in XSRF token")?;
@ -270,6 +270,7 @@ fn render_login_retry_form() -> Response {
(StatusCode::UNAUTHORIZED, "Wrong username or password!").into_response() // TODO(ui): this should re-render the login form for another go (StatusCode::UNAUTHORIZED, "Wrong username or password!").into_response() // TODO(ui): this should re-render the login form for another go
} }
#[allow(clippy::too_many_arguments)]
pub async fn post_login( pub async fn post_login(
Query(query): Query<LoginQuery>, Query(query): Query<LoginQuery>,
cookies: Cookies, cookies: Cookies,
@ -346,7 +347,7 @@ pub async fn post_login(
let login_session_token = thread_rng().gen::<[u8; LOGIN_SESSION_TOKEN_BYTES]>(); let login_session_token = thread_rng().gen::<[u8; LOGIN_SESSION_TOKEN_BYTES]>();
let login_session_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(login_session_token); let login_session_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(login_session_token);
let login_session_token_hash: [u8; LOGIN_SESSION_TOKEN_HASH_BYTES] = let login_session_token_hash: [u8; LOGIN_SESSION_TOKEN_HASH_BYTES] =
Blake2s256::digest(&login_session_token).into(); Blake2s256::digest(login_session_token).into();
let xsrf_secret = thread_rng().gen::<[u8; LOGIN_SESSION_XSRF_SECRET_BYTES]>(); let xsrf_secret = thread_rng().gen::<[u8; LOGIN_SESSION_XSRF_SECRET_BYTES]>();
// store session in the database // store session in the database

2
src/web/oauth_openid/application_session_access_token.rs
View File

@ -31,7 +31,7 @@ where
let Ok(TypedHeader(Authorization(bearer))) = TypedHeader::<Authorization<Bearer>>::from_request_parts(parts, state).await else { let Ok(TypedHeader(Authorization(bearer))) = TypedHeader::<Authorization<Bearer>>::from_request_parts(parts, state).await else {
return Err((StatusCode::UNAUTHORIZED, "No access token.")); return Err((StatusCode::UNAUTHORIZED, "No access token."));
}; };
let Ok(access_token) = BASE64_URL_SAFE_NO_PAD.decode(&bearer.token()) else { let Ok(access_token) = BASE64_URL_SAFE_NO_PAD.decode(bearer.token()) else {
return Err(( return Err((
StatusCode::UNAUTHORIZED, StatusCode::UNAUTHORIZED,
"Invalid access token." "Invalid access token."

8
src/web/oauth_openid/authorisation.rs
View File

@ -194,26 +194,26 @@ fn validate_authorisation_basics<'a>(
if &query.response_type != "code" { if &query.response_type != "code" {
return Err(fail_authorisation_with_redirect( return Err(fail_authorisation_with_redirect(
query, query,
&client_config, client_config,
AuthorisationRedirectableError::UnsupportedResponseType, AuthorisationRedirectableError::UnsupportedResponseType,
"We only support `code` authorisation responses here.".to_owned(), "We only support `code` authorisation responses here.".to_owned(),
)); ));
} }
if query.code_challenge.is_none() { if query.code_challenge.is_none() {
return Err(fail_authorisation_with_redirect( return Err(fail_authorisation_with_redirect(
&query, query,
client_config, client_config,
AuthorisationRedirectableError::InvalidRequest, AuthorisationRedirectableError::InvalidRequest,
"`code_challenge` not specified.".to_owned(), "`code_challenge` not specified.".to_owned(),
)); ));
} }
match query.code_challenge_method.as_ref().map(String::as_str) { match query.code_challenge_method.as_deref() {
None | Some("S256") | Some("plain") => { None | Some("S256") | Some("plain") => {
// OK: supported (None = 'plain') // OK: supported (None = 'plain')
} }
_other => { _other => {
return Err(fail_authorisation_with_redirect( return Err(fail_authorisation_with_redirect(
&query, query,
client_config, client_config,
AuthorisationRedirectableError::InvalidRequest, AuthorisationRedirectableError::InvalidRequest,
"`code_challenge_method` is not supported.".to_owned(), "`code_challenge_method` is not supported.".to_owned(),

10
src/web/oauth_openid/ext_codes.rs
View File

@ -92,8 +92,8 @@ impl VolatileCodeStoreInner {
) -> CodeRedemption { ) -> CodeRedemption {
if let Some(conflicted) = self.conflictable_codes.get(auth_code) { if let Some(conflicted) = self.conflictable_codes.get(auth_code) {
return CodeRedemption::Conflicted { return CodeRedemption::Conflicted {
access_token_to_invalidate: conflicted.access_token_hash.clone(), access_token_to_invalidate: conflicted.access_token_hash,
refresh_token_to_invalidate: conflicted.refresh_token_hash.clone(), refresh_token_to_invalidate: conflicted.refresh_token_hash,
}; };
} }
@ -146,8 +146,8 @@ pub struct VolatileCodeStore {
inner: Arc<Mutex<VolatileCodeStoreInner>>, inner: Arc<Mutex<VolatileCodeStoreInner>>,
} }
impl VolatileCodeStore { impl Default for VolatileCodeStore {
pub fn new() -> Self { fn default() -> Self {
let poke = Arc::new(Notify::new()); let poke = Arc::new(Notify::new());
let inner: Arc<Mutex<VolatileCodeStoreInner>> = Default::default(); let inner: Arc<Mutex<VolatileCodeStoreInner>> = Default::default();
@ -159,7 +159,9 @@ impl VolatileCodeStore {
VolatileCodeStore { inner, poke } VolatileCodeStore { inner, poke }
} }
}
impl VolatileCodeStore {
async fn expirer(inner: Arc<Mutex<VolatileCodeStoreInner>>, poke: Arc<Notify>) { async fn expirer(inner: Arc<Mutex<VolatileCodeStoreInner>>, poke: Arc<Notify>) {
let mut next_expiry: Option<u64> = None; let mut next_expiry: Option<u64> = None;
loop { loop {

12
src/web/oauth_openid/token.rs
View File

@ -176,17 +176,13 @@ pub async fn oidc_token(
// so double redemptions can invalidate the access token appropriately. // so double redemptions can invalidate the access token appropriately.
let access_token = thread_rng().gen::<AccessToken>(); let access_token = thread_rng().gen::<AccessToken>();
let access_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(access_token); let access_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(access_token);
let access_token_hash: AccessTokenHash = Blake2s256::digest(&access_token).into(); let access_token_hash: AccessTokenHash = Blake2s256::digest(access_token).into();
let refresh_token = thread_rng().gen::<RefreshToken>(); let refresh_token = thread_rng().gen::<RefreshToken>();
let refresh_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(refresh_token); let refresh_token_b64 = BASE64_URL_SAFE_NO_PAD.encode(refresh_token);
let refresh_token_hash: RefreshTokenHash = Blake2s256::digest(&refresh_token).into(); let refresh_token_hash: RefreshTokenHash = Blake2s256::digest(refresh_token).into();
// Redeem the auth code so we can check it and then maybe issue an access token. // Redeem the auth code so we can check it and then maybe issue an access token.
let binding = match code_store.redeem( let binding = match code_store.redeem(&auth_code, access_token_hash, refresh_token_hash) {
&auth_code,
access_token_hash.clone(),
refresh_token_hash.clone(),
) {
CodeRedemption::Invalid => { CodeRedemption::Invalid => {
return ( return (
StatusCode::BAD_REQUEST, StatusCode::BAD_REQUEST,
@ -382,7 +378,7 @@ pub async fn oidc_token(
} }
fn make_id_token(id_token: IdToken, secrets: &SecretConfig) -> eyre::Result<String> { fn make_id_token(id_token: IdToken, secrets: &SecretConfig) -> eyre::Result<String> {
let Ok(serde_json::Value::Object(map)) = serde_json::to_value(&id_token).context("failed to serialise ID Token content") else { let Ok(serde_json::Value::Object(map)) = serde_json::to_value(id_token).context("failed to serialise ID Token content") else {
bail!("ID Token not a map"); bail!("ID Token not a map");
}; };