technofab/jwt-authorizer
1
0
Fork 0
mirror of https://github.com/TECHNOFAB11/jwt-authorizer.git synced 2025-12-11 23:50:07 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #35 from cduvray/refactor

Browse source 
refactor: renaming, reorganising
This commit is contained in:
cduvray 2023-09-18 08:28:56 +02:00 committed by GitHub
commit f452f15b0b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 233 additions and 226 deletions
Download patch file Download diff file Expand all files Collapse all files

28
jwt-authorizer/src/authorizer.rs
View file

@ -9,7 +9,7 @@ use serde::de::DeserializeOwned;
use crate::{
error::{AuthError, InitError},
jwks::{key_store_manager::KeyStoreManager, KeyData, KeySource},
layer::{self, AsyncAuthorizationLayer, JwtSource},
layer::{self, AuthorizationLayer, JwtSource},
oidc, Refresh, RegisteredClaims,
};
@ -237,15 +237,15 @@ pub trait IntoLayer<C>
where
C: Clone + DeserializeOwned + Send,
{
fn into_layer(self) -> AsyncAuthorizationLayer<C>;
fn into_layer(self) -> AuthorizationLayer<C>;
}
impl<C> IntoLayer<C> for Vec<Authorizer<C>>
where
C: Clone + DeserializeOwned + Send,
{
fn into_layer(self) -> AsyncAuthorizationLayer<C> {
AsyncAuthorizationLayer::new(self.into_iter().map(Arc::new).collect())
fn into_layer(self) -> AuthorizationLayer<C> {
AuthorizationLayer::new(self.into_iter().map(Arc::new).collect())
}
}
@ -253,8 +253,8 @@ impl<C> IntoLayer<C> for Vec<Arc<Authorizer<C>>>
where
C: Clone + DeserializeOwned + Send,
{
fn into_layer(self) -> AsyncAuthorizationLayer<C> {
AsyncAuthorizationLayer::new(self.into_iter().collect())
fn into_layer(self) -> AuthorizationLayer<C> {
AuthorizationLayer::new(self.into_iter().collect())
}
}
@ -262,8 +262,8 @@ impl<C, const N: usize> IntoLayer<C> for [Authorizer<C>; N]
where
C: Clone + DeserializeOwned + Send,
{
fn into_layer(self) -> AsyncAuthorizationLayer<C> {
AsyncAuthorizationLayer::new(self.into_iter().map(Arc::new).collect())
fn into_layer(self) -> AuthorizationLayer<C> {
AuthorizationLayer::new(self.into_iter().map(Arc::new).collect())
}
}
@ -271,8 +271,8 @@ impl<C, const N: usize> IntoLayer<C> for [Arc<Authorizer<C>>; N]
where
C: Clone + DeserializeOwned + Send,
{
fn into_layer(self) -> AsyncAuthorizationLayer<C> {
AsyncAuthorizationLayer::new(self.into_iter().collect())
fn into_layer(self) -> AuthorizationLayer<C> {
AuthorizationLayer::new(self.into_iter().collect())
}
}
@ -280,8 +280,8 @@ impl<C> IntoLayer<C> for Authorizer<C>
where
C: Clone + DeserializeOwned + Send,
{
fn into_layer(self) -> AsyncAuthorizationLayer<C> {
AsyncAuthorizationLayer::new(vec![Arc::new(self)])
fn into_layer(self) -> AuthorizationLayer<C> {
AuthorizationLayer::new(vec![Arc::new(self)])
}
}
@ -289,8 +289,8 @@ impl<C> IntoLayer<C> for Arc<Authorizer<C>>
where
C: Clone + DeserializeOwned + Send,
{
fn into_layer(self) -> AsyncAuthorizationLayer<C> {
AsyncAuthorizationLayer::new(vec![self])
fn into_layer(self) -> AuthorizationLayer<C> {
AuthorizationLayer::new(vec![self])
}
}

190
jwt-authorizer/src/builder.rs Normal file
View file

@ -0,0 +1,190 @@
use std::sync::Arc;
use serde::de::DeserializeOwned;
use crate::{
authorizer::{FnClaimsChecker, KeySourceType},
error::InitError,
layer::{AuthorizationLayer, JwtSource},
Authorizer, Refresh, RefreshStrategy, RegisteredClaims, Validation,
};
/// Authorizer Layer builder
///
/// - initialisation of the Authorizer from jwks, rsa, ed, ec or secret
/// - can define a checker (jwt claims check)
pub struct JwtAuthorizer<C = RegisteredClaims>
where
C: Clone + DeserializeOwned,
{
key_source_type: KeySourceType,
refresh: Option<Refresh>,
claims_checker: Option<FnClaimsChecker<C>>,
validation: Option<Validation>,
jwt_source: JwtSource,
}
/// authorization layer builder
impl<C> JwtAuthorizer<C>
where
C: Clone + DeserializeOwned + Send + Sync,
{
/// Builds Authorizer Layer from a OpenId Connect discover metadata
pub fn from_oidc(issuer: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::Discovery(issuer.to_string()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a JWKS endpoint
pub fn from_jwks_url(url: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::Jwks(url.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a RSA PEM file
pub fn from_rsa_pem(path: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::RSA(path.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from an RSA PEM raw text
pub fn from_rsa_pem_text(text: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::RSAString(text.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM file
pub fn from_ec_pem(path: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::EC(path.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM raw text
pub fn from_ec_pem_text(text: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::ECString(text.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM file
pub fn from_ed_pem(path: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::ED(path.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM raw text
pub fn from_ed_pem_text(text: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::EDString(text.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a secret phrase
pub fn from_secret(secret: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::Secret(secret.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Refreshes configuration for jwk store
pub fn refresh(mut self, refresh: Refresh) -> JwtAuthorizer<C> {
if self.refresh.is_some() {
tracing::warn!("More than one refresh configuration found!");
}
self.refresh = Some(refresh);
self
}
/// no refresh, jwks will be loaded juste once
pub fn no_refresh(mut self) -> JwtAuthorizer<C> {
if self.refresh.is_some() {
tracing::warn!("More than one refresh configuration found!");
}
self.refresh = Some(Refresh {
strategy: RefreshStrategy::NoRefresh,
..Default::default()
});
self
}
/// configures token content check (custom function), if false a 403 will be sent.
/// (AuthError::InvalidClaims())
pub fn check(mut self, checker_fn: fn(&C) -> bool) -> JwtAuthorizer<C> {
self.claims_checker = Some(FnClaimsChecker { checker_fn });
self
}
pub fn validation(mut self, validation: Validation) -> JwtAuthorizer<C> {
self.validation = Some(validation);
self
}
/// configures the source of the bearer token
///
/// (default: AuthorizationHeader)
pub fn jwt_source(mut self, src: JwtSource) -> JwtAuthorizer<C> {
self.jwt_source = src;
self
}
/// Build axum layer
#[deprecated(since = "0.10.0", note = "please use `IntoLayer::into_layer()` instead")]
pub async fn layer(self) -> Result<AuthorizationLayer<C>, InitError> {
let val = self.validation.unwrap_or_default();
let auth = Arc::new(
Authorizer::build(self.key_source_type, self.claims_checker, self.refresh, val, self.jwt_source).await?,
);
Ok(AuthorizationLayer::new(vec![auth]))
}
pub async fn build(self) -> Result<Authorizer<C>, InitError> {
let val = self.validation.unwrap_or_default();
Authorizer::build(self.key_source_type, self.claims_checker, self.refresh, val, self.jwt_source).await
}
}

226
jwt-authorizer/src/layer.rs
View file

@ -11,195 +11,11 @@ use std::task::{Context, Poll};
use tower_layer::Layer;
use tower_service::Service;
use crate::authorizer::{Authorizer, FnClaimsChecker, KeySourceType};
use crate::claims::RegisteredClaims;
use crate::error::InitError;
use crate::jwks::key_store_manager::Refresh;
use crate::validation::Validation;
use crate::{AuthError, RefreshStrategy};
/// Authorizer Layer builder
///
/// - initialisation of the Authorizer from jwks, rsa, ed, ec or secret
/// - can define a checker (jwt claims check)
pub struct JwtAuthorizer<C = RegisteredClaims>
where
C: Clone + DeserializeOwned,
{
key_source_type: KeySourceType,
refresh: Option<Refresh>,
claims_checker: Option<FnClaimsChecker<C>>,
validation: Option<Validation>,
jwt_source: JwtSource,
}
/// authorization layer builder
impl<C> JwtAuthorizer<C>
where
C: Clone + DeserializeOwned + Send + Sync,
{
/// Builds Authorizer Layer from a OpenId Connect discover metadata
pub fn from_oidc(issuer: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::Discovery(issuer.to_string()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a JWKS endpoint
pub fn from_jwks_url(url: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::Jwks(url.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a RSA PEM file
pub fn from_rsa_pem(path: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::RSA(path.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from an RSA PEM raw text
pub fn from_rsa_pem_text(text: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::RSAString(text.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM file
pub fn from_ec_pem(path: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::EC(path.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM raw text
pub fn from_ec_pem_text(text: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::ECString(text.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM file
pub fn from_ed_pem(path: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::ED(path.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a EC PEM raw text
pub fn from_ed_pem_text(text: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::EDString(text.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Builds Authorizer Layer from a secret phrase
pub fn from_secret(secret: &str) -> JwtAuthorizer<C> {
JwtAuthorizer {
key_source_type: KeySourceType::Secret(secret.to_owned()),
refresh: Default::default(),
claims_checker: None,
validation: None,
jwt_source: JwtSource::AuthorizationHeader,
}
}
/// Refreshes configuration for jwk store
pub fn refresh(mut self, refresh: Refresh) -> JwtAuthorizer<C> {
if self.refresh.is_some() {
tracing::warn!("More than one refresh configuration found!");
}
self.refresh = Some(refresh);
self
}
/// no refresh, jwks will be loaded juste once
pub fn no_refresh(mut self) -> JwtAuthorizer<C> {
if self.refresh.is_some() {
tracing::warn!("More than one refresh configuration found!");
}
self.refresh = Some(Refresh {
strategy: RefreshStrategy::NoRefresh,
..Default::default()
});
self
}
/// configures token content check (custom function), if false a 403 will be sent.
/// (AuthError::InvalidClaims())
pub fn check(mut self, checker_fn: fn(&C) -> bool) -> JwtAuthorizer<C> {
self.claims_checker = Some(FnClaimsChecker { checker_fn });
self
}
pub fn validation(mut self, validation: Validation) -> JwtAuthorizer<C> {
self.validation = Some(validation);
self
}
/// configures the source of the bearer token
///
/// (default: AuthorizationHeader)
pub fn jwt_source(mut self, src: JwtSource) -> JwtAuthorizer<C> {
self.jwt_source = src;
self
}
/// Build axum layer
#[deprecated(since = "0.10.0", note = "please use `IntoLayer::into_layer()` instead")]
pub async fn layer(self) -> Result<AsyncAuthorizationLayer<C>, InitError> {
let val = self.validation.unwrap_or_default();
let auth = Arc::new(
Authorizer::build(self.key_source_type, self.claims_checker, self.refresh, val, self.jwt_source).await?,
);
Ok(AsyncAuthorizationLayer::new(vec![auth]))
}
pub async fn build(self) -> Result<Authorizer<C>, InitError> {
let val = self.validation.unwrap_or_default();
Authorizer::build(self.key_source_type, self.claims_checker, self.refresh, val, self.jwt_source).await
}
}
use crate::authorizer::Authorizer;
use crate::AuthError;
/// Trait for authorizing requests.
pub trait AsyncAuthorizer<B> {
pub trait Authorize<B> {
type RequestBody;
type Future: Future<Output = Result<Request<Self::RequestBody>, AuthError>>;
@ -209,7 +25,7 @@ pub trait AsyncAuthorizer<B> {
fn authorize(&self, request: Request<B>) -> Self::Future;
}
impl<B, S, C> AsyncAuthorizer<B> for AsyncAuthorizationService<S, C>
impl<B, S, C> Authorize<B> for AuthorizationService<S, C>
where
B: Send + Sync + 'static,
C: Clone + DeserializeOwned + Send + Sync + 'static,
@ -256,34 +72,34 @@ where
// -------------- Layer -----------------
#[derive(Clone)]
pub struct AsyncAuthorizationLayer<C>
pub struct AuthorizationLayer<C>
where
C: Clone + DeserializeOwned + Send,
{
auths: Vec<Arc<Authorizer<C>>>,
}
impl<C> AsyncAuthorizationLayer<C>
impl<C> AuthorizationLayer<C>
where
C: Clone + DeserializeOwned + Send,
{
pub fn new(auths: Vec<Arc<Authorizer<C>>>) -> AsyncAuthorizationLayer<C> {
pub fn new(auths: Vec<Arc<Authorizer<C>>>) -> AuthorizationLayer<C> {
Self { auths }
}
}
impl<S, C> Layer<S> for AsyncAuthorizationLayer<C>
impl<S, C> Layer<S> for AuthorizationLayer<C>
where
C: Clone + DeserializeOwned + Send + Sync,
{
type Service = AsyncAuthorizationService<S, C>;
type Service = AuthorizationService<S, C>;
fn layer(&self, inner: S) -> Self::Service {
AsyncAuthorizationService::new(inner, self.auths.clone())
AuthorizationService::new(inner, self.auths.clone())
}
}
// ---------- AsyncAuthorizationService --------
// ---------- AuthorizationService --------
/// Source of the bearer token
#[derive(Clone)]
@ -301,7 +117,7 @@ pub enum JwtSource {
}
#[derive(Clone)]
pub struct AsyncAuthorizationService<S, C>
pub struct AuthorizationService<S, C>
where
C: Clone + DeserializeOwned + Send + Sync,
{
@ -309,7 +125,7 @@ where
pub auths: Vec<Arc<Authorizer<C>>>,
}
impl<S, C> AsyncAuthorizationService<S, C>
impl<S, C> AuthorizationService<S, C>
where
C: Clone + DeserializeOwned + Send + Sync,
{
@ -328,19 +144,19 @@ where
}
}
impl<S, C> AsyncAuthorizationService<S, C>
impl<S, C> AuthorizationService<S, C>
where
C: Clone + DeserializeOwned + Send + Sync,
{
/// Authorize requests using a custom scheme.
///
/// The `Authorization` header is required to have the value provided.
pub fn new(inner: S, auths: Vec<Arc<Authorizer<C>>>) -> AsyncAuthorizationService<S, C> {
pub fn new(inner: S, auths: Vec<Arc<Authorizer<C>>>) -> AuthorizationService<S, C> {
Self { inner, auths }
}
}
impl<ReqBody, S, C> Service<Request<ReqBody>> for AsyncAuthorizationService<S, C>
impl<ReqBody, S, C> Service<Request<ReqBody>> for AuthorizationService<S, C>
where
ReqBody: Send + Sync + 'static,
S: Service<Request<ReqBody>> + Clone,
@ -370,7 +186,7 @@ where
}
#[pin_project]
/// Response future for [`AsyncAuthorizationService`].
/// Response future for [`AuthorizationService`].
pub struct ResponseFuture<S, ReqBody, C>
where
S: Service<Request<ReqBody>>,
@ -378,7 +194,7 @@ where
C: Clone + DeserializeOwned + Send + Sync + 'static,
{
#[pin]
state: State<<AsyncAuthorizationService<S, C> as AsyncAuthorizer<ReqBody>>::Future, S::Future>,
state: State<<AuthorizationService<S, C> as Authorize<ReqBody>>::Future, S::Future>,
service: S,
}
@ -433,7 +249,7 @@ where
mod tests {
use crate::{authorizer::Authorizer, IntoLayer, JwtAuthorizer, RegisteredClaims};
use super::AsyncAuthorizationLayer;
use super::AuthorizationLayer;
#[tokio::test]
async fn auth_into_layer() {
@ -447,7 +263,7 @@ mod tests {
let auth1 = JwtAuthorizer::from_secret("aaa").build().await.unwrap();
let auth2 = JwtAuthorizer::from_secret("bbb").build().await.unwrap();
let layer: AsyncAuthorizationLayer<RegisteredClaims> = [auth1, auth2].into_layer();
let layer: AuthorizationLayer<RegisteredClaims> = [auth1, auth2].into_layer();
assert_eq!(2, layer.auths.len());
}
@ -456,7 +272,7 @@ mod tests {
let auth1 = JwtAuthorizer::from_secret("aaa").build().await.unwrap();
let auth2 = JwtAuthorizer::from_secret("bbb").build().await.unwrap();
let layer: AsyncAuthorizationLayer<RegisteredClaims> = vec![auth1, auth2].into_layer();
let layer: AuthorizationLayer<RegisteredClaims> = vec![auth1, auth2].into_layer();
assert_eq!(2, layer.auths.len());
}

3
jwt-authorizer/src/lib.rs
View file

@ -6,12 +6,13 @@ use serde::de::DeserializeOwned;
pub use self::error::AuthError;
pub use authorizer::{Authorizer, IntoLayer};
pub use builder::JwtAuthorizer;
pub use claims::{NumericDate, OneOrArray, RegisteredClaims};
pub use jwks::key_store_manager::{Refresh, RefreshStrategy};
pub use layer::JwtAuthorizer;
pub use validation::Validation;
pub mod authorizer;
pub mod builder;
pub mod claims;
pub mod error;
pub mod jwks;

6
jwt-authorizer/tests/tests.rs
View file

@ -14,7 +14,7 @@ mod tests {
use http::{header, HeaderValue};
use jwt_authorizer::{
authorizer::Authorizer,
layer::{AsyncAuthorizationLayer, JwtSource},
layer::{AuthorizationLayer, JwtSource},
validation::Validation,
IntoLayer, JwtAuthorizer, JwtClaims,
};
@ -28,7 +28,7 @@ mod tests {
sub: String,
}
async fn app(layer: AsyncAuthorizationLayer<User>) -> Router {
async fn app(layer: AuthorizationLayer<User>) -> Router {
Router::new().route("/public", get(|| async { "hello" })).route(
"/protected",
get(|JwtClaims(user): JwtClaims<User>| async move { format!("hello: {}", user.sub) }).layer(
@ -48,7 +48,7 @@ mod tests {
}
async fn proteced_request_with_header_and_layer(
layer: AsyncAuthorizationLayer<User>,
layer: AuthorizationLayer<User>,
header_name: &str,
header_value: &str,
) -> Response {

6
jwt-authorizer/tests/tonic.rs
View file

@ -3,7 +3,7 @@ use std::{sync::Once, task::Poll};
use axum::body::HttpBody;
use futures_core::future::BoxFuture;
use http::header::AUTHORIZATION;
use jwt_authorizer::{layer::AsyncAuthorizationService, IntoLayer, JwtAuthorizer};
use jwt_authorizer::{layer::AuthorizationService, IntoLayer, JwtAuthorizer};
use serde::{Deserialize, Serialize};
use tonic::{server::UnaryService, transport::NamedService, IntoRequest, Status};
use tower::{buffer::Buffer, Service};
@ -82,7 +82,7 @@ impl NamedService for GreeterServer {
async fn app(
jwt_auth: JwtAuthorizer<User>,
expected_sub: String,
) -> AsyncAuthorizationService<Buffer<tonic::transport::server::Routes, http::Request<tonic::transport::Body>>, User> {
) -> AuthorizationService<Buffer<tonic::transport::server::Routes, http::Request<tonic::transport::Body>>, User> {
let layer = jwt_auth.build().await.unwrap().into_layer();
tonic::transport::Server::builder()
.layer(layer)
@ -144,7 +144,7 @@ where
}
async fn make_protected_request<S: Clone>(
app: AsyncAuthorizationService<S, User>,
app: AuthorizationService<S, User>,
bearer: Option<&str>,
message: &str,
) -> Result<tonic::Response<HelloMessage>, Status>