Page MenuHomePhabricator
Differential D12435

[identity] last tonic status message conversions
ClosedPublic
Actions

Authored by varun on Jun 13 2024, 1:35 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Apr 23, 4:20 PM
Unknown Object (File)
Mon, Apr 14, 2:33 PM
Unknown Object (File)
Sun, Apr 13, 5:41 AM
Unknown Object (File)
Sun, Apr 13, 3:31 AM
Unknown Object (File)
Sat, Apr 12, 4:06 PM
Unknown Object (File)
Sun, Apr 6, 9:07 AM
Unknown Object (File)
Feb 28 2025, 2:26 PM
Unknown Object (File)
Feb 28 2025, 2:25 PM
View All 59 Files
Subscribers
ashoat
tomek

Details

Reviewers
bartek
Commits
rCOMMa3512b23fe43: [identity] last tonic status message conversions
Summary

Depends on D12434

there are a lot of tonic status messages that need to be converted to snake_case and dedup'd.

i've arbitrarily broken this work up into chunks to make it easier to review

this is the last diff to resolve https://linear.app/comm/issue/ENG-6477/convert-identity-service-errors-to-snake-case-and-dedup-them

Test Plan

git grep for the old status messages, change client error handling where needed

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Revision Contents
Changeset List

PathSize
native/
account/
2 lines
profile/
2 lines
services/
identity/
src/
5 lines
8 lines
grpc_services/
8 lines
21 lines
2 lines
2 lines
shared/
comm-opaque2/
src/
10 lines
10 lines
grpc_clients/
src/
identity/
7 lines
7 lines
web/
account/
2 lines

Diff 41312

View Options

native/account/log-in-panel.react.js

use actix_web::FromRequest; use actix_web::FromRequest;
use chrono::Utc; use chrono::Utc;
use comm_services_lib::{ use comm_services_lib::{
auth::UserIdentity, auth::{AuthService, AuthorizationCredential},
blob::client::{BlobServiceClient, BlobServiceError}, blob::client::{BlobServiceClient, BlobServiceError},
crypto::aes256, crypto::aes256,
database, database,
}; };
use derive_more::{Display, Error, From}; use derive_more::{Display, Error, From};
use std::{ use std::{
collections::HashMap, collections::HashMap,
future::{ready, Ready}, future::{ready, Future},
pin::Pin,
sync::Arc, sync::Arc,
}; };
use tracing::{error, trace}; use tracing::{error, trace, warn};
use crate::{ use crate::{
config::CONFIG, config::CONFIG,
database::{ database::{
client::{DatabaseClient, ReportsPage}, client::{DatabaseClient, ReportsPage},
item::{ReportContent, ReportItem}, item::{ReportContent, ReportItem},
}, },
email::{config::EmailConfig, ReportEmail}, email::{config::EmailConfig, ReportEmail},
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines ) -> Self {
Self { Self {
db, db,
blob_client, blob_client,
requesting_user_id: None, requesting_user_id: None,
email_config: email_config.map(Arc::new), email_config: email_config.map(Arc::new),
} }
} }
pub fn authenticated(&self, user: UserIdentity) -> Self { /// Clones the service with a new auth identity. When the credential is
let user_id = user.user_id.to_string(); /// a service-to-service, the `user_id` is None.
pub fn with_authentication(&self, token: AuthorizationCredential) -> Self {
let requesting_user_id = match &token {
AuthorizationCredential::ServicesToken(_) => None,
AuthorizationCredential::UserToken(user) => {
Some(user.user_id.to_string())
}
};
Self { Self {
db: self.db.clone(), db: self.db.clone(),
email_config: self.email_config.clone(), email_config: self.email_config.clone(),
blob_client: self.blob_client.with_user_identity(user), blob_client: self.blob_client.with_authentication(token),
requesting_user_id: Some(user_id), requesting_user_id,
} }
} }
pub async fn save_reports( pub async fn save_reports(
&self, &self,
inputs: Vec<ReportInput>, inputs: Vec<ReportInput>,
) -> ServiceResult<Vec<ReportID>> { ) -> ServiceResult<Vec<ReportID>> {
let mut reports = Vec::with_capacity(inputs.len()); let mut reports = Vec::with_capacity(inputs.len());
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesimpl ReportsService {
) -> ServiceResult<ReportsPage> { ) -> ServiceResult<ReportsPage> {
let page = self.db.scan_reports(cursor, page_size).await?; let page = self.db.scan_reports(cursor, page_size).await?;
Ok(page) Ok(page)
} }
} }
impl FromRequest for ReportsService { impl FromRequest for ReportsService {
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Ready<Result<Self, actix_web::Error>>; type Future = Pin<Box<dyn Future<Output = Result<Self, actix_web::Error>>>>;
#[inline] #[inline]
fn from_request( fn from_request(
req: &actix_web::HttpRequest, req: &actix_web::HttpRequest,
_payload: &mut actix_web::dev::Payload, _payload: &mut actix_web::dev::Payload,
) -> Self::Future { ) -> Self::Future {
use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
use actix_web::HttpMessage; use actix_web::HttpMessage;
let Some(service) = req.app_data::<ReportsService>() else { let base_service =
req.app_data::<ReportsService>().cloned().ok_or_else(|| {
tracing::error!( tracing::error!(
"FATAL! Failed to extract ReportsService from actix app_data. \ "FATAL! Failed to extract ReportsService from actix app_data. \
Check HTTP server configuration" Check HTTP server configuration"
); );
return ready(Err(actix_web::error::ErrorInternalServerError("Internal server error"))); ErrorInternalServerError("Internal server error")
}; });
let auth_service = let auth_service =
if let Some(user_identity) = req.extensions().get::<UserIdentity>() { req.app_data::<AuthService>().cloned().ok_or_else(|| {
tracing::trace!("Found user identity. Creating authenticated service"); tracing::error!(
service.authenticated(user_identity.clone()) "FATAL! Failed to extract AuthService from actix app_data. \
} else { Check HTTP server configuration"
tracing::trace!(
"No user identity found. Leaving unauthenticated service"
); );
service.clone() ErrorInternalServerError("Internal server error")
}; });
let request_auth_value =
req.extensions().get::<AuthorizationCredential>().cloned();
ready(Ok(auth_service)) Box::pin(async move {
let auth_service = auth_service?;
let base_service = base_service?;
// This is Some for endpoints hidden behind auth validation middleware
let auth_token = match request_auth_value {
Some(token @ AuthorizationCredential::UserToken(_)) => token,
Some(_) => {
// Reports service shouldn't be called by other services
warn!("Reports service requires user authorization");
return Err(ErrorForbidden("Forbidden"));
}
None => {
// Unauthenticated requests get a service-to-service token
let services_token =
auth_service.get_services_token().await.map_err(|err| {
error!("Failed to get services token: {err}");
ErrorInternalServerError("Internal server error")
})?;
AuthorizationCredential::ServicesToken(services_token)
}
};
let service = base_service.with_authentication(auth_token);
Ok(service)
})
michalUnsubmitted
Not Done
Inline Actions

Do you think it would make sense to move this into authorization middleware? So you can specify something like

.wrap(get_comm_authentication_middleware(AllowedAuth::user()))
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::services().user()))

I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

michal: Do you think it would make sense to move this into authorization middleware? So you can specify…
bartekAuthorUnsubmitted
Done
Inline Actions

I played with various solutions a bit (spent a little too long on this).
Your suggestion makes sense in case of API, and looks like it is doable.

However, regarding having protected and unprotected endpoints:

right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

This is expected, we don't authenticate endpoints yet because we don't have client token.
However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed.

so in the future, when we have client token, doing the following will work:

let auth_middleware = get_comm_authentication_middleware();

// this will require client token and fail if not provided
  web::scope("/authenticated")
    .wrap(auth_middleware)
    .service(...)

// this will accept both authenticated and anonymous requests.
// for the latter, service-to-service token will be obtained
  web::scope("/anonymous")
    // .wrap(auth_middleware) // no wrap
    .service(...)

To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

bartek: I played with various solutions a bit (spent a little too long on this). Your suggestion makes…
michalUnsubmitted
Not Done
Inline Actions

Makes sense, I got confused a bit

michal: Makes sense, I got confused a bit
} }
} }
struct ProcessedReport { struct ProcessedReport {
id: ReportID, id: ReportID,
db_item: ReportItem, db_item: ReportItem,
email: ReportEmail, email: ReportEmail,
} }
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines
View Options

native/profile/delete-account.react.js

use actix_web::FromRequest; use actix_web::FromRequest;
use chrono::Utc; use chrono::Utc;
use comm_services_lib::{ use comm_services_lib::{
auth::UserIdentity, auth::{AuthService, AuthorizationCredential},
blob::client::{BlobServiceClient, BlobServiceError}, blob::client::{BlobServiceClient, BlobServiceError},
crypto::aes256, crypto::aes256,
database, database,
}; };
use derive_more::{Display, Error, From}; use derive_more::{Display, Error, From};
use std::{ use std::{
collections::HashMap, collections::HashMap,
future::{ready, Ready}, future::{ready, Future},
pin::Pin,
sync::Arc, sync::Arc,
}; };
use tracing::{error, trace}; use tracing::{error, trace, warn};
use crate::{ use crate::{
config::CONFIG, config::CONFIG,
database::{ database::{
client::{DatabaseClient, ReportsPage}, client::{DatabaseClient, ReportsPage},
item::{ReportContent, ReportItem}, item::{ReportContent, ReportItem},
}, },
email::{config::EmailConfig, ReportEmail}, email::{config::EmailConfig, ReportEmail},
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines ) -> Self {
Self { Self {
db, db,
blob_client, blob_client,
requesting_user_id: None, requesting_user_id: None,
email_config: email_config.map(Arc::new), email_config: email_config.map(Arc::new),
} }
} }
pub fn authenticated(&self, user: UserIdentity) -> Self { /// Clones the service with a new auth identity. When the credential is
let user_id = user.user_id.to_string(); /// a service-to-service, the `user_id` is None.
pub fn with_authentication(&self, token: AuthorizationCredential) -> Self {
let requesting_user_id = match &token {
AuthorizationCredential::ServicesToken(_) => None,
AuthorizationCredential::UserToken(user) => {
Some(user.user_id.to_string())
}
};
Self { Self {
db: self.db.clone(), db: self.db.clone(),
email_config: self.email_config.clone(), email_config: self.email_config.clone(),
blob_client: self.blob_client.with_user_identity(user), blob_client: self.blob_client.with_authentication(token),
requesting_user_id: Some(user_id), requesting_user_id,
} }
} }
pub async fn save_reports( pub async fn save_reports(
&self, &self,
inputs: Vec<ReportInput>, inputs: Vec<ReportInput>,
) -> ServiceResult<Vec<ReportID>> { ) -> ServiceResult<Vec<ReportID>> {
let mut reports = Vec::with_capacity(inputs.len()); let mut reports = Vec::with_capacity(inputs.len());
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesimpl ReportsService {
) -> ServiceResult<ReportsPage> { ) -> ServiceResult<ReportsPage> {
let page = self.db.scan_reports(cursor, page_size).await?; let page = self.db.scan_reports(cursor, page_size).await?;
Ok(page) Ok(page)
} }
} }
impl FromRequest for ReportsService { impl FromRequest for ReportsService {
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Ready<Result<Self, actix_web::Error>>; type Future = Pin<Box<dyn Future<Output = Result<Self, actix_web::Error>>>>;
#[inline] #[inline]
fn from_request( fn from_request(
req: &actix_web::HttpRequest, req: &actix_web::HttpRequest,
_payload: &mut actix_web::dev::Payload, _payload: &mut actix_web::dev::Payload,
) -> Self::Future { ) -> Self::Future {
use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
use actix_web::HttpMessage; use actix_web::HttpMessage;
let Some(service) = req.app_data::<ReportsService>() else { let base_service =
req.app_data::<ReportsService>().cloned().ok_or_else(|| {
tracing::error!( tracing::error!(
"FATAL! Failed to extract ReportsService from actix app_data. \ "FATAL! Failed to extract ReportsService from actix app_data. \
Check HTTP server configuration" Check HTTP server configuration"
); );
return ready(Err(actix_web::error::ErrorInternalServerError("Internal server error"))); ErrorInternalServerError("Internal server error")
}; });
let auth_service = let auth_service =
if let Some(user_identity) = req.extensions().get::<UserIdentity>() { req.app_data::<AuthService>().cloned().ok_or_else(|| {
tracing::trace!("Found user identity. Creating authenticated service"); tracing::error!(
service.authenticated(user_identity.clone()) "FATAL! Failed to extract AuthService from actix app_data. \
} else { Check HTTP server configuration"
tracing::trace!(
"No user identity found. Leaving unauthenticated service"
); );
service.clone() ErrorInternalServerError("Internal server error")
}; });
let request_auth_value =
req.extensions().get::<AuthorizationCredential>().cloned();
ready(Ok(auth_service)) Box::pin(async move {
let auth_service = auth_service?;
let base_service = base_service?;
// This is Some for endpoints hidden behind auth validation middleware
let auth_token = match request_auth_value {
Some(token @ AuthorizationCredential::UserToken(_)) => token,
Some(_) => {
// Reports service shouldn't be called by other services
warn!("Reports service requires user authorization");
return Err(ErrorForbidden("Forbidden"));
}
None => {
// Unauthenticated requests get a service-to-service token
let services_token =
auth_service.get_services_token().await.map_err(|err| {
error!("Failed to get services token: {err}");
ErrorInternalServerError("Internal server error")
})?;
AuthorizationCredential::ServicesToken(services_token)
}
};
let service = base_service.with_authentication(auth_token);
Ok(service)
})
michalUnsubmitted
Not Done
Inline Actions

Do you think it would make sense to move this into authorization middleware? So you can specify something like

.wrap(get_comm_authentication_middleware(AllowedAuth::user()))
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::services().user()))

I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

michal: Do you think it would make sense to move this into authorization middleware? So you can specify…
bartekAuthorUnsubmitted
Done
Inline Actions

I played with various solutions a bit (spent a little too long on this).
Your suggestion makes sense in case of API, and looks like it is doable.

However, regarding having protected and unprotected endpoints:

right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

This is expected, we don't authenticate endpoints yet because we don't have client token.
However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed.

so in the future, when we have client token, doing the following will work:

let auth_middleware = get_comm_authentication_middleware();

// this will require client token and fail if not provided
  web::scope("/authenticated")
    .wrap(auth_middleware)
    .service(...)

// this will accept both authenticated and anonymous requests.
// for the latter, service-to-service token will be obtained
  web::scope("/anonymous")
    // .wrap(auth_middleware) // no wrap
    .service(...)

To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

bartek: I played with various solutions a bit (spent a little too long on this). Your suggestion makes…
michalUnsubmitted
Not Done
Inline Actions

Makes sense, I got confused a bit

michal: Makes sense, I got confused a bit
} }
} }
struct ProcessedReport { struct ProcessedReport {
id: ReportID, id: ReportID,
db_item: ReportItem, db_item: ReportItem,
email: ReportEmail, email: ReportEmail,
} }
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines
View Options

services/identity/src/constants.rs

use actix_web::FromRequest; use actix_web::FromRequest;
use chrono::Utc; use chrono::Utc;
use comm_services_lib::{ use comm_services_lib::{
auth::UserIdentity, auth::{AuthService, AuthorizationCredential},
blob::client::{BlobServiceClient, BlobServiceError}, blob::client::{BlobServiceClient, BlobServiceError},
crypto::aes256, crypto::aes256,
database, database,
}; };
use derive_more::{Display, Error, From}; use derive_more::{Display, Error, From};
use std::{ use std::{
collections::HashMap, collections::HashMap,
future::{ready, Ready}, future::{ready, Future},
pin::Pin,
sync::Arc, sync::Arc,
}; };
use tracing::{error, trace}; use tracing::{error, trace, warn};
use crate::{ use crate::{
config::CONFIG, config::CONFIG,
database::{ database::{
client::{DatabaseClient, ReportsPage}, client::{DatabaseClient, ReportsPage},
item::{ReportContent, ReportItem}, item::{ReportContent, ReportItem},
}, },
email::{config::EmailConfig, ReportEmail}, email::{config::EmailConfig, ReportEmail},
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines ) -> Self {
Self { Self {
db, db,
blob_client, blob_client,
requesting_user_id: None, requesting_user_id: None,
email_config: email_config.map(Arc::new), email_config: email_config.map(Arc::new),
} }
} }
pub fn authenticated(&self, user: UserIdentity) -> Self { /// Clones the service with a new auth identity. When the credential is
let user_id = user.user_id.to_string(); /// a service-to-service, the `user_id` is None.
pub fn with_authentication(&self, token: AuthorizationCredential) -> Self {
let requesting_user_id = match &token {
AuthorizationCredential::ServicesToken(_) => None,
AuthorizationCredential::UserToken(user) => {
Some(user.user_id.to_string())
}
};
Self { Self {
db: self.db.clone(), db: self.db.clone(),
email_config: self.email_config.clone(), email_config: self.email_config.clone(),
blob_client: self.blob_client.with_user_identity(user), blob_client: self.blob_client.with_authentication(token),
requesting_user_id: Some(user_id), requesting_user_id,
} }
} }
pub async fn save_reports( pub async fn save_reports(
&self, &self,
inputs: Vec<ReportInput>, inputs: Vec<ReportInput>,
) -> ServiceResult<Vec<ReportID>> { ) -> ServiceResult<Vec<ReportID>> {
let mut reports = Vec::with_capacity(inputs.len()); let mut reports = Vec::with_capacity(inputs.len());
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesimpl ReportsService {
) -> ServiceResult<ReportsPage> { ) -> ServiceResult<ReportsPage> {
let page = self.db.scan_reports(cursor, page_size).await?; let page = self.db.scan_reports(cursor, page_size).await?;
Ok(page) Ok(page)
} }
} }
impl FromRequest for ReportsService { impl FromRequest for ReportsService {
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Ready<Result<Self, actix_web::Error>>; type Future = Pin<Box<dyn Future<Output = Result<Self, actix_web::Error>>>>;
#[inline] #[inline]
fn from_request( fn from_request(
req: &actix_web::HttpRequest, req: &actix_web::HttpRequest,
_payload: &mut actix_web::dev::Payload, _payload: &mut actix_web::dev::Payload,
) -> Self::Future { ) -> Self::Future {
use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
use actix_web::HttpMessage; use actix_web::HttpMessage;
let Some(service) = req.app_data::<ReportsService>() else { let base_service =
req.app_data::<ReportsService>().cloned().ok_or_else(|| {
tracing::error!( tracing::error!(
"FATAL! Failed to extract ReportsService from actix app_data. \ "FATAL! Failed to extract ReportsService from actix app_data. \
Check HTTP server configuration" Check HTTP server configuration"
); );
return ready(Err(actix_web::error::ErrorInternalServerError("Internal server error"))); ErrorInternalServerError("Internal server error")
}; });
let auth_service = let auth_service =
if let Some(user_identity) = req.extensions().get::<UserIdentity>() { req.app_data::<AuthService>().cloned().ok_or_else(|| {
tracing::trace!("Found user identity. Creating authenticated service"); tracing::error!(
service.authenticated(user_identity.clone()) "FATAL! Failed to extract AuthService from actix app_data. \
} else { Check HTTP server configuration"
tracing::trace!(
"No user identity found. Leaving unauthenticated service"
); );
service.clone() ErrorInternalServerError("Internal server error")
}; });
let request_auth_value =
req.extensions().get::<AuthorizationCredential>().cloned();
ready(Ok(auth_service)) Box::pin(async move {
let auth_service = auth_service?;
let base_service = base_service?;
// This is Some for endpoints hidden behind auth validation middleware
let auth_token = match request_auth_value {
Some(token @ AuthorizationCredential::UserToken(_)) => token,
Some(_) => {
// Reports service shouldn't be called by other services
warn!("Reports service requires user authorization");
return Err(ErrorForbidden("Forbidden"));
}
None => {
// Unauthenticated requests get a service-to-service token
let services_token =
auth_service.get_services_token().await.map_err(|err| {
error!("Failed to get services token: {err}");
ErrorInternalServerError("Internal server error")
})?;
AuthorizationCredential::ServicesToken(services_token)
}
};
let service = base_service.with_authentication(auth_token);
Ok(service)
})
michalUnsubmitted
Not Done
Inline Actions

Do you think it would make sense to move this into authorization middleware? So you can specify something like

.wrap(get_comm_authentication_middleware(AllowedAuth::user()))
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::services().user()))

I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

michal: Do you think it would make sense to move this into authorization middleware? So you can specify…
bartekAuthorUnsubmitted
Done
Inline Actions

I played with various solutions a bit (spent a little too long on this).
Your suggestion makes sense in case of API, and looks like it is doable.

However, regarding having protected and unprotected endpoints:

right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

This is expected, we don't authenticate endpoints yet because we don't have client token.
However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed.

so in the future, when we have client token, doing the following will work:

let auth_middleware = get_comm_authentication_middleware();

// this will require client token and fail if not provided
  web::scope("/authenticated")
    .wrap(auth_middleware)
    .service(...)

// this will accept both authenticated and anonymous requests.
// for the latter, service-to-service token will be obtained
  web::scope("/anonymous")
    // .wrap(auth_middleware) // no wrap
    .service(...)

To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

bartek: I played with various solutions a bit (spent a little too long on this). Your suggestion makes…
michalUnsubmitted
Not Done
Inline Actions

Makes sense, I got confused a bit

michal: Makes sense, I got confused a bit
} }
} }
struct ProcessedReport { struct ProcessedReport {
id: ReportID, id: ReportID,
db_item: ReportItem, db_item: ReportItem,
email: ReportEmail, email: ReportEmail,
} }
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines
View Options

services/identity/src/device_list.rs

use actix_web::FromRequest; use actix_web::FromRequest;
use chrono::Utc; use chrono::Utc;
use comm_services_lib::{ use comm_services_lib::{
auth::UserIdentity, auth::{AuthService, AuthorizationCredential},
blob::client::{BlobServiceClient, BlobServiceError}, blob::client::{BlobServiceClient, BlobServiceError},
crypto::aes256, crypto::aes256,
database, database,
}; };
use derive_more::{Display, Error, From}; use derive_more::{Display, Error, From};
use std::{ use std::{
collections::HashMap, collections::HashMap,
future::{ready, Ready}, future::{ready, Future},
pin::Pin,
sync::Arc, sync::Arc,
}; };
use tracing::{error, trace}; use tracing::{error, trace, warn};
use crate::{ use crate::{
config::CONFIG, config::CONFIG,
database::{ database::{
client::{DatabaseClient, ReportsPage}, client::{DatabaseClient, ReportsPage},
item::{ReportContent, ReportItem}, item::{ReportContent, ReportItem},
}, },
email::{config::EmailConfig, ReportEmail}, email::{config::EmailConfig, ReportEmail},
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines ) -> Self {
Self { Self {
db, db,
blob_client, blob_client,
requesting_user_id: None, requesting_user_id: None,
email_config: email_config.map(Arc::new), email_config: email_config.map(Arc::new),
} }
} }
pub fn authenticated(&self, user: UserIdentity) -> Self { /// Clones the service with a new auth identity. When the credential is
let user_id = user.user_id.to_string(); /// a service-to-service, the `user_id` is None.
pub fn with_authentication(&self, token: AuthorizationCredential) -> Self {
let requesting_user_id = match &token {
AuthorizationCredential::ServicesToken(_) => None,
AuthorizationCredential::UserToken(user) => {
Some(user.user_id.to_string())
}
};
Self { Self {
db: self.db.clone(), db: self.db.clone(),
email_config: self.email_config.clone(), email_config: self.email_config.clone(),
blob_client: self.blob_client.with_user_identity(user), blob_client: self.blob_client.with_authentication(token),
requesting_user_id: Some(user_id), requesting_user_id,
} }
} }
pub async fn save_reports( pub async fn save_reports(
&self, &self,
inputs: Vec<ReportInput>, inputs: Vec<ReportInput>,
) -> ServiceResult<Vec<ReportID>> { ) -> ServiceResult<Vec<ReportID>> {
let mut reports = Vec::with_capacity(inputs.len()); let mut reports = Vec::with_capacity(inputs.len());
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesimpl ReportsService {
) -> ServiceResult<ReportsPage> { ) -> ServiceResult<ReportsPage> {
let page = self.db.scan_reports(cursor, page_size).await?; let page = self.db.scan_reports(cursor, page_size).await?;
Ok(page) Ok(page)
} }
} }
impl FromRequest for ReportsService { impl FromRequest for ReportsService {
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Ready<Result<Self, actix_web::Error>>; type Future = Pin<Box<dyn Future<Output = Result<Self, actix_web::Error>>>>;
#[inline] #[inline]
fn from_request( fn from_request(
req: &actix_web::HttpRequest, req: &actix_web::HttpRequest,
_payload: &mut actix_web::dev::Payload, _payload: &mut actix_web::dev::Payload,
) -> Self::Future { ) -> Self::Future {
use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
use actix_web::HttpMessage; use actix_web::HttpMessage;
let Some(service) = req.app_data::<ReportsService>() else { let base_service =
req.app_data::<ReportsService>().cloned().ok_or_else(|| {
tracing::error!( tracing::error!(
"FATAL! Failed to extract ReportsService from actix app_data. \ "FATAL! Failed to extract ReportsService from actix app_data. \
Check HTTP server configuration" Check HTTP server configuration"
); );
return ready(Err(actix_web::error::ErrorInternalServerError("Internal server error"))); ErrorInternalServerError("Internal server error")
}; });
let auth_service = let auth_service =
if let Some(user_identity) = req.extensions().get::<UserIdentity>() { req.app_data::<AuthService>().cloned().ok_or_else(|| {
tracing::trace!("Found user identity. Creating authenticated service"); tracing::error!(
service.authenticated(user_identity.clone()) "FATAL! Failed to extract AuthService from actix app_data. \
} else { Check HTTP server configuration"
tracing::trace!(
"No user identity found. Leaving unauthenticated service"
); );
service.clone() ErrorInternalServerError("Internal server error")
}; });
let request_auth_value =
req.extensions().get::<AuthorizationCredential>().cloned();
ready(Ok(auth_service)) Box::pin(async move {
let auth_service = auth_service?;
let base_service = base_service?;
// This is Some for endpoints hidden behind auth validation middleware
let auth_token = match request_auth_value {
Some(token @ AuthorizationCredential::UserToken(_)) => token,
Some(_) => {
// Reports service shouldn't be called by other services
warn!("Reports service requires user authorization");
return Err(ErrorForbidden("Forbidden"));
}
None => {
// Unauthenticated requests get a service-to-service token
let services_token =
auth_service.get_services_token().await.map_err(|err| {
error!("Failed to get services token: {err}");
ErrorInternalServerError("Internal server error")
})?;
AuthorizationCredential::ServicesToken(services_token)
}
};
let service = base_service.with_authentication(auth_token);
Ok(service)
})
michalUnsubmitted
Not Done
Inline Actions

Do you think it would make sense to move this into authorization middleware? So you can specify something like

.wrap(get_comm_authentication_middleware(AllowedAuth::user()))
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::services().user()))

I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

michal: Do you think it would make sense to move this into authorization middleware? So you can specify…
bartekAuthorUnsubmitted
Done
Inline Actions

I played with various solutions a bit (spent a little too long on this).
Your suggestion makes sense in case of API, and looks like it is doable.

However, regarding having protected and unprotected endpoints:

right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

This is expected, we don't authenticate endpoints yet because we don't have client token.
However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed.

so in the future, when we have client token, doing the following will work:

let auth_middleware = get_comm_authentication_middleware();

// this will require client token and fail if not provided
  web::scope("/authenticated")
    .wrap(auth_middleware)
    .service(...)

// this will accept both authenticated and anonymous requests.
// for the latter, service-to-service token will be obtained
  web::scope("/anonymous")
    // .wrap(auth_middleware) // no wrap
    .service(...)

To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

bartek: I played with various solutions a bit (spent a little too long on this). Your suggestion makes…
michalUnsubmitted
Not Done
Inline Actions

Makes sense, I got confused a bit

michal: Makes sense, I got confused a bit
} }
} }
struct ProcessedReport { struct ProcessedReport {
id: ReportID, id: ReportID,
db_item: ReportItem, db_item: ReportItem,
email: ReportEmail, email: ReportEmail,
} }
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines
View Options

services/identity/src/grpc_services/shared.rs

Loading...
View Options

services/identity/src/reserved_users.rs

Loading...
View Options

services/identity/src/siwe.rs

Loading...
View Options

services/identity/src/tunnelbroker.rs

Loading...
View Options

shared/comm-opaque2/src/error.rs

Loading...
View Options

shared/comm-opaque2/src/grpc.rs

Loading...
View Options

shared/grpc_clients/src/identity/authenticated.rs

Loading...
View Options

shared/grpc_clients/src/identity/shared.rs

Loading...
View Options

web/account/traditional-login-form.react.js

Loading...