
D12414.diff

diff --git a/services/docker-compose.tests.yml b/services/docker-compose.tests.yml
--- a/services/docker-compose.tests.yml
+++ b/services/docker-compose.tests.yml
@@ -53,6 +53,7 @@
env_file: test-commons.env
environment:
BLOB_SERVICE_URL: 'http://blob-server:50053'
+ COMM_SERVICES_DISABLE_CSAT_VERIFICATION: 'true'
blob-server:
image: blob
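Review bot: The added `COMM_SERVICES_DISABLE_CSAT_VERIFICATION: 'true'` switches off credential verification for every request the service handles, and nothing on the line says it is meant for the test compose only, so anyone copying this `environment` block into another compose file carries the bypass with it. A comment next to the value would make the intent explicit, e.g. `# test-only: skips CSAT verification against identity; never set in non-test compose files`. The same applies to the identical line in the blob-server hunk below.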
@@ -63,6 +64,7 @@
env_file: test-commons.env
environment:
RUST_LOG: blob=trace,comm_lib=debug
+ COMM_SERVICES_DISABLE_CSAT_VERIFICATION: 'true'
identity-server:
image: identity
diff --git a/shared/comm-lib/src/auth/types.rs b/shared/comm-lib/src/auth/types.rs
--- a/shared/comm-lib/src/auth/types.rs
+++ b/shared/comm-lib/src/auth/types.rs
@@ -38,6 +38,19 @@
}
}
+impl std::fmt::Display for AuthorizationCredential {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ match self {
+ AuthorizationCredential::UserToken(UserIdentity { user_id, .. }) => {
+ write!(f, "UserTokenCredential(user_id={})", user_id)
+ }
+ AuthorizationCredential::ServicesToken(_) => {
+ write!(f, "ServicesTokenCredential")
+ }
+ }
+ }
+}
+
#[derive(Debug, Clone, Serialize, Deserialize, derive_more::Constructor)]
pub struct ServicesAuthToken {
#[serde(rename = "servicesToken")]
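Review bot: The new `Display` impl deliberately omits token material for both variants (only `user_id` is printed, and `ServicesToken(_)` discards its payload), but nothing states that contract, while the derived `Debug` on `ServicesAuthToken` directly below it does not redact; a doc comment on the impl would keep the two from being confused: `/// Log-safe rendering: prints the user id or the credential kind, never the token itself.`. As a point of style, the constant-string arm can be `f.write_str("ServicesTokenCredential")` instead of `write!` with no arguments, and the first arm can use the inline form `write!(f, "UserTokenCredential(user_id={user_id})")` that the rest of the change already uses.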
diff --git a/shared/comm-lib/src/http/auth.rs b/shared/comm-lib/src/http/auth.rs
--- a/shared/comm-lib/src/http/auth.rs
+++ b/shared/comm-lib/src/http/auth.rs
@@ -1,6 +1,7 @@
use actix_web::{
body::{EitherBody, MessageBody},
dev::{Service, ServiceRequest, ServiceResponse, Transform},
+ error::{ErrorForbidden, ErrorInternalServerError},
FromRequest, HttpMessage,
};
use actix_web_httpauth::{
@@ -14,7 +15,8 @@
use tracing::debug;
use crate::auth::{
- is_csat_verification_disabled, AuthorizationCredential, UserIdentity,
+ is_csat_verification_disabled, AuthService, AuthorizationCredential,
+ UserIdentity,
};
impl FromRequest for AuthorizationCredential {
@@ -120,9 +122,25 @@
};
};
- // TODO: call identity service, for now just allow every request
- req.extensions_mut().insert(credential);
+ let auth_service = req
+ .app_data::<AuthService>()
+ .expect("FATAL: missing AuthService app data. Check HTTP server config.");
+ match auth_service.verify_auth_credential(&credential).await {
+ Ok(true) => tracing::trace!("Request is authenticated with {credential}"),
+ Ok(false) => {
+ tracing::trace!("Request is not authenticated. Token: {credential:?}");
+ // allow for invalid tokens if verification is disabled
+ if !is_csat_verification_disabled() {
+ return Err((ErrorForbidden("invalid credentials"), req));
+ }
+ }
+ Err(err) => {
+ tracing::error!("Error verifying auth credential: {err}");
+ return Err((ErrorInternalServerError("internal error"), req));
+ }
+ };
+ req.extensions_mut().insert(credential);
Ok(req)
}
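Review bot: The `Ok(false)` arm logs the credential with `{credential:?}`, which goes through the derived `Debug` and, for a `ServicesToken`, would presumably render the token string itself into the trace log, whereas the `Ok(true)` arm one line above uses the new redacting `Display`; the failure path should do the same: `tracing::trace!("Request is not authenticated. Token: {credential}");`. When `is_csat_verification_disabled()` is true, an invalid credential is still inserted into `req.extensions_mut()` and the request proceeds, so that branch deserves a `tracing::warn!` rather than only the trace line, since it is the only record that enforcement was bypassed. The `.expect(...)` on `app_data::<AuthService>()` turns a missing registration into a per-request panic inside the middleware; returning `ErrorInternalServerError` there would fail the request without unwinding the worker, though panicking loudly on a misconfiguration may be the intended choice. The enclosing function starts before this hunk.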
