feat(security): add support for operator users and operator ephemeral…

… service accounts
secutils-dev · May 12, 2024 · 88e4cfc · 88e4cfc
1 parent 6e6ca22
commit 88e4cfc
Show file tree

Hide file tree

Showing 13 changed files with 143 additions and 33 deletions.
diff --git a/dev/docker/kratos.local.toml b/dev/docker/kratos.local.toml
@@ -36,14 +36,14 @@ verification = { enabled = true }
 [selfservice.flows.registration.after.password]
 hooks = [
     # `body is base64 version of "function(ctx) { id: ctx.identity.id, email: ctx.identity.traits.email }", see https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks
-    { hook = "web_hook", config = { method = "POST", url = "http://host.docker.internal:7070/api/users/signup", response.ignore = true, body = "base64://ZnVuY3Rpb24oY3R4KSB7IGlkZW50aXR5OiBjdHguaWRlbnRpdHkgfQ==" } },
+    { hook = "web_hook", config = { method = "POST", url = "http://host.docker.internal:7070/api/users/signup", response.ignore = true, body = "base64://ZnVuY3Rpb24oY3R4KSB7IGlkZW50aXR5OiBjdHguaWRlbnRpdHkgfQ==", auth = { type = "api_key", config.name = "Authorization", config.value = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjIwMzEwNDc4MzksInN1YiI6IkBrcmF0b3MubG9jYWwifQ._tU8TYz7RJfS4yhSrSZ8b7jICm4fhvxKDcVYqA5iP80", config.in = "header" } } },
     { hook = "session" }
 ]
 
 [selfservice.flows.registration.after.webauthn]
 hooks = [
     # `body is base64 version of "function(ctx) { id: ctx.identity.id, email: ctx.identity.traits.email }", see https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks
-    { hook = "web_hook", config = { method = "POST", url = "http://host.docker.internal:7070/api/users/signup", response.ignore = true, body = "base64://ZnVuY3Rpb24oY3R4KSB7IGlkZW50aXR5OiBjdHguaWRlbnRpdHkgfQ==" } },
+    { hook = "web_hook", config = { method = "POST", url = "http://host.docker.internal:7070/api/users/signup", response.ignore = true, body = "base64://ZnVuY3Rpb24oY3R4KSB7IGlkZW50aXR5OiBjdHguaWRlbnRpdHkgfQ==", auth = { type = "api_key", config.name = "Authorization", config.value = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjIwMzEwNDc4MzksInN1YiI6IkBrcmF0b3MubG9jYWwifQ._tU8TYz7RJfS4yhSrSZ8b7jICm4fhvxKDcVYqA5iP80", config.in = "header" } } },
     { hook = "session" }
 ]
 
@@ -53,4 +53,4 @@ cipher = ["32-LONG-SECRET-NOT-SECURE-AT-ALL"]
 
 [courier]
 delivery_strategy = "http"
-http = { request_config = { url = "http://host.docker.internal:7070/api/users/email", method = "POST", body = "base64://ZnVuY3Rpb24oY3R4KSB7CiAgcmVjaXBpZW50OiBjdHgucmVjaXBpZW50LAogIHRlbXBsYXRlX3R5cGU6IGN0eC50ZW1wbGF0ZV90eXBlLAogIGlkZW50aXR5OiBjdHgudGVtcGxhdGVfZGF0YS5pZGVudGl0eSwKICByZWNvdmVyeV9jb2RlOiBpZiAidGVtcGxhdGVfZGF0YSIgaW4gY3R4ICYmICJyZWNvdmVyeV9jb2RlIiBpbiBjdHgudGVtcGxhdGVfZGF0YSB0aGVuIGN0eC50ZW1wbGF0ZV9kYXRhLnJlY292ZXJ5X2NvZGUgZWxzZSBudWxsLAogIHJlY292ZXJ5X3VybDogaWYgInRlbXBsYXRlX2RhdGEiIGluIGN0eCAmJiAicmVjb3ZlcnlfdXJsIiBpbiBjdHgudGVtcGxhdGVfZGF0YSB0aGVuIGN0eC50ZW1wbGF0ZV9kYXRhLnJlY292ZXJ5X3VybCBlbHNlIG51bGwsCiAgdmVyaWZpY2F0aW9uX3VybDogaWYgInRlbXBsYXRlX2RhdGEiIGluIGN0eCAmJiAidmVyaWZpY2F0aW9uX3VybCIgaW4gY3R4LnRlbXBsYXRlX2RhdGEgdGhlbiBjdHgudGVtcGxhdGVfZGF0YS52ZXJpZmljYXRpb25fdXJsIGVsc2UgbnVsbCwKICB2ZXJpZmljYXRpb25fY29kZTogaWYgInRlbXBsYXRlX2RhdGEiIGluIGN0eCAmJiAidmVyaWZpY2F0aW9uX2NvZGUiIGluIGN0eC50ZW1wbGF0ZV9kYXRhIHRoZW4gY3R4LnRlbXBsYXRlX2RhdGEudmVyaWZpY2F0aW9uX2NvZGUgZWxzZSBudWxsCn0=", headers = { "Content-Type" = "application/json" } } }
+http = { request_config = { url = "http://host.docker.internal:7070/api/users/email", method = "POST", body = "base64://ZnVuY3Rpb24oY3R4KSB7CiAgcmVjaXBpZW50OiBjdHgucmVjaXBpZW50LAogIHRlbXBsYXRlX3R5cGU6IGN0eC50ZW1wbGF0ZV90eXBlLAogIGlkZW50aXR5OiBjdHgudGVtcGxhdGVfZGF0YS5pZGVudGl0eSwKICByZWNvdmVyeV9jb2RlOiBpZiAidGVtcGxhdGVfZGF0YSIgaW4gY3R4ICYmICJyZWNvdmVyeV9jb2RlIiBpbiBjdHgudGVtcGxhdGVfZGF0YSB0aGVuIGN0eC50ZW1wbGF0ZV9kYXRhLnJlY292ZXJ5X2NvZGUgZWxzZSBudWxsLAogIHJlY292ZXJ5X3VybDogaWYgInRlbXBsYXRlX2RhdGEiIGluIGN0eCAmJiAicmVjb3ZlcnlfdXJsIiBpbiBjdHgudGVtcGxhdGVfZGF0YSB0aGVuIGN0eC50ZW1wbGF0ZV9kYXRhLnJlY292ZXJ5X3VybCBlbHNlIG51bGwsCiAgdmVyaWZpY2F0aW9uX3VybDogaWYgInRlbXBsYXRlX2RhdGEiIGluIGN0eCAmJiAidmVyaWZpY2F0aW9uX3VybCIgaW4gY3R4LnRlbXBsYXRlX2RhdGEgdGhlbiBjdHgudGVtcGxhdGVfZGF0YS52ZXJpZmljYXRpb25fdXJsIGVsc2UgbnVsbCwKICB2ZXJpZmljYXRpb25fY29kZTogaWYgInRlbXBsYXRlX2RhdGEiIGluIGN0eCAmJiAidmVyaWZpY2F0aW9uX2NvZGUiIGluIGN0eC50ZW1wbGF0ZV9kYXRhIHRoZW4gY3R4LnRlbXBsYXRlX2RhdGEudmVyaWZpY2F0aW9uX2NvZGUgZWxzZSBudWxsCn0=", headers = { "Content-Type" = "application/json" }, auth = { type = "api_key", config.name = "Authorization", config.value = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjIwMzEwNDc4MzksInN1YiI6IkBrcmF0b3MubG9jYWwifQ._tU8TYz7RJfS4yhSrSZ8b7jICm4fhvxKDcVYqA5iP80", config.in = "header" } } }
diff --git a/src/config.rs b/src/config.rs
@@ -122,6 +122,7 @@ mod tests {
             security: SecurityConfig {
                 session_cookie_name: "id",
                 jwt_secret: None,
+                operators: None,
                 preconfigured_users: None,
             },
             utils: UtilsConfig {

diff --git a/src/config/raw_config.rs b/src/config/raw_config.rs
@@ -327,6 +327,7 @@ mod tests {
             security: SecurityConfig {
                 session_cookie_name: "id2",
                 jwt_secret: None,
+                operators: None,
                 preconfigured_users: Some(
                     {
                         "[email protected]": PreconfiguredUserConfig {

diff --git a/src/config/security_config.rs b/src/config/security_config.rs
@@ -1,6 +1,6 @@
 use crate::users::SubscriptionTier;
 use serde_derive::{Deserialize, Serialize};
-use std::collections::HashMap;
+use std::collections::{HashMap, HashSet};
 
 /// Describes the preconfigured user configuration.
 #[derive(Deserialize, Serialize, Debug, Clone, PartialEq)]
@@ -19,6 +19,8 @@ pub struct SecurityConfig {
     /// Secret key used to sign JWT tokens used for HTTP authentication. If not provided, HTTP
     /// authentication will be disabled.
     pub jwt_secret: Option<String>,
+    /// List of user or service account identifiers that should be treated as operators, if specified.
+    pub operators: Option<HashSet<String>>,
     /// List of the preconfigured users, if specified.
     pub preconfigured_users: Option<HashMap<String, PreconfiguredUserConfig>>,
 }
@@ -29,6 +31,7 @@ impl Default for SecurityConfig {
             session_cookie_name: "id".to_string(),
             jwt_secret: None,
             preconfigured_users: None,
+            operators: None,
         }
     }
 }
@@ -46,7 +49,9 @@ mod tests {
         assert_toml_snapshot!(SecurityConfig::default(), @"session_cookie_name = 'id'");
 
         let config = SecurityConfig {
+            session_cookie_name: "id".to_string(),
             jwt_secret: Some("3024bf8975b03b84e405f36a7bacd1c1".to_string()),
+            operators: Some(["[email protected]".to_string()].into_iter().collect()),
             preconfigured_users: Some(
                 [(
                     "[email protected]".to_string(),
@@ -58,12 +63,12 @@ mod tests {
                 .into_iter()
                 .collect(),
             ),
-            ..Default::default()
         };
 
         assert_toml_snapshot!(config, @r###"
         session_cookie_name = 'id'
         jwt_secret = '3024bf8975b03b84e405f36a7bacd1c1'
+        operators = ['[email protected]']
         [preconfigured_users."[email protected]"]
         handle = 'test-handle'
         tier = 'basic'
@@ -85,13 +90,15 @@ mod tests {
                 session_cookie_name: "id".to_string(),
                 jwt_secret: None,
                 preconfigured_users: None,
+                operators: None,
             }
         );
 
         let config: SecurityConfig = toml::from_str(
             r#"
         session_cookie_name = 'id'
         jwt_secret = '3024bf8975b03b84e405f36a7bacd1c1'
+        operators = ['[email protected]']
 
         [preconfigured_users."[email protected]"]
         handle = 'test-handle'
@@ -115,6 +122,7 @@ mod tests {
                     .into_iter()
                     .collect(),
                 ),
+                operators: Some(["[email protected]".to_string()].into_iter().collect()),
                 ..Default::default()
             }
         );

diff --git a/src/security.rs b/src/security.rs
@@ -2,5 +2,6 @@ mod api_ext;
 mod credentials;
 mod jwt;
 pub mod kratos;
+mod operator;
 
-pub use self::credentials::Credentials;
+pub use self::{credentials::Credentials, operator::Operator};
diff --git a/src/security/api_ext.rs b/src/security/api_ext.rs
@@ -6,6 +6,7 @@ use crate::{
         credentials::Credentials,
         jwt::Claims,
         kratos::{Identity, Session},
+        Operator,
     },
     users::{User, UserId, UserSignupError, UserSubscription},
 };
@@ -90,6 +91,30 @@ where
         }))
     }
 
+    /// Checks if the user or service account with specified credentials is an operator.
+    pub async fn get_operator(&self, credentials: Credentials) -> anyhow::Result<Option<Operator>> {
+        let operator_id = match &credentials {
+            // If the user is authenticated with a session cookie, user's email is used as an
+            // operator identifier.
+            Credentials::SessionCookie(_) => {
+                self.get_identity(&credentials)
+                    .await?
+                    .ok_or_else(|| anyhow!("Session cookie is invalid"))?
+                    .traits
+                    .email
+            }
+            // For JWT, we treat `sub` claim as an operator identifier.
+            Credentials::Jwt(token) => self.get_jwt_claims(token).await?.sub,
+        };
+
+        let operators = self.api.config.security.operators.as_ref();
+        if operators.map_or(false, |operators| operators.contains(&operator_id)) {
+            Ok(Some(Operator::new(operator_id)))
+        } else {
+            Ok(None)
+        }
+    }
+
     /// Tries to retrieve user identity from Kratos using specified credentials.
     async fn get_identity(&self, credentials: &Credentials) -> anyhow::Result<Option<Identity>> {
         let client = reqwest::Client::new();
@@ -107,22 +132,13 @@ where
                     format!("{}={}", cookie.name(), cookie.value()).as_bytes(),
                 ),
             Credentials::Jwt(token) => {
-                let Some(jwt_secret) = self.api.config.security.jwt_secret.as_ref() else {
-                    return Err(anyhow!("JWT secret is not configured."));
-                };
-
-                let token = decode::<Claims>(
-                    token.as_ref(),
-                    &DecodingKey::from_secret(jwt_secret.as_bytes()),
-                    &Validation::default(),
-                )?;
-
+                let claims = self.get_jwt_claims(token).await?;
                 client.request(
                     reqwest::Method::GET,
                     format!(
                         "{}admin/identities?credentials_identifier={}",
                         self.api.config.components.kratos_admin_url.as_str(),
-                        urlencoding::encode(&token.claims.sub)
+                        urlencoding::encode(&claims.sub)
                     ),
                 )
             }
@@ -175,6 +191,19 @@ where
         })
     }
 
+    /// Tries to parse JWT and extract claims.
+    async fn get_jwt_claims(&self, token: &str) -> anyhow::Result<Claims> {
+        let Some(jwt_secret) = self.api.config.security.jwt_secret.as_ref() else {
+            return Err(anyhow!("JWT secret is not configured."));
+        };
+        Ok(decode::<Claims>(
+            token,
+            &DecodingKey::from_secret(jwt_secret.as_bytes()),
+            &Validation::default(),
+        )?
+        .claims)
+    }
+
     /// Updates user's subscription.
     pub async fn update_subscription(
         &self,

diff --git a/src/security/operator.rs b/src/security/operator.rs
@@ -0,0 +1,14 @@
+/// Struct to represent an operator account.
+#[derive(Debug, Clone, PartialEq, Eq, Hash)]
+pub struct Operator(String);
+impl Operator {
+    /// Creates a new operator account with the provided ID.
+    pub fn new(id: impl Into<String>) -> Self {
+        Self(id.into())
+    }
+
+    /// Returns the ID of the operator account.
+    pub fn id(&self) -> &str {
+        &self.0
+    }
+}
diff --git a/src/server/extractors.rs b/src/server/extractors.rs
@@ -1,2 +1,4 @@
+mod credentials;
+mod operator;
 mod user;
 mod user_share;
diff --git a/src/server/extractors/credentials.rs b/src/server/extractors/credentials.rs
@@ -0,0 +1,24 @@
+use crate::{security::Credentials, server::app_state::AppState};
+use actix_web::{dev::Payload, error::ErrorUnauthorized, web, Error, FromRequest, HttpRequest};
+use actix_web_httpauth::extractors::bearer::BearerAuth;
+use anyhow::anyhow;
+use std::{future::Future, pin::Pin};
+
+impl FromRequest for Credentials {
+    type Error = Error;
+    type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
+
+    fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
+        let req = req.clone();
+        Box::pin(async move {
+            let state = web::Data::<AppState>::extract(&req).await?;
+            Ok(match Option::<BearerAuth>::extract(&req).await? {
+                Some(bearer_auth) => Credentials::Jwt(bearer_auth.token().to_string()),
+                None => Credentials::SessionCookie(
+                    req.cookie(&state.config.security.session_cookie_name)
+                        .ok_or_else(|| ErrorUnauthorized(anyhow!("Unauthorized")))?,
+                ),
+            })
+        })
+    }
+}
diff --git a/src/server/extractors/operator.rs b/src/server/extractors/operator.rs
@@ -0,0 +1,32 @@
+use crate::{
+    security::{Credentials, Operator},
+    server::app_state::AppState,
+};
+use actix_web::{
+    dev::Payload,
+    error::{ErrorInternalServerError, ErrorUnauthorized},
+    web, Error, FromRequest, HttpRequest,
+};
+use anyhow::anyhow;
+use std::{future::Future, pin::Pin};
+
+impl FromRequest for Operator {
+    type Error = Error;
+    type Future = Pin<Box<dyn Future<Output = Result<Self, Self::Error>>>>;
+
+    fn from_request(req: &HttpRequest, _: &mut Payload) -> Self::Future {
+        let req = req.clone();
+        Box::pin(async move {
+            let state = web::Data::<AppState>::extract(&req).await?;
+            let credentials = Credentials::extract(&req).await?;
+            match state.api.security().get_operator(credentials).await {
+                Ok(Some(user)) => Ok(user),
+                Ok(None) => Err(ErrorUnauthorized(anyhow!("Unauthorized"))),
+                Err(err) => {
+                    log::error!("Failed to extract operator information due to: {err:?}");
+                    Err(ErrorInternalServerError(anyhow!("Internal server error")))
+                }
+            }
+        })
+    }
+}
diff --git a/src/server/extractors/user.rs b/src/server/extractors/user.rs
@@ -4,7 +4,6 @@ use actix_web::{
     error::{ErrorInternalServerError, ErrorUnauthorized},
     web, Error, FromRequest, HttpRequest,
 };
-use actix_web_httpauth::extractors::bearer::BearerAuth;
 use anyhow::anyhow;
 use std::{future::Future, pin::Pin};
 
@@ -16,15 +15,7 @@ impl FromRequest for User {
         let req = req.clone();
         Box::pin(async move {
             let state = web::Data::<AppState>::extract(&req).await?;
-
-            let credentials = match Option::<BearerAuth>::extract(&req).await? {
-                Some(bearer_auth) => Credentials::Jwt(bearer_auth.token().to_string()),
-                None => Credentials::SessionCookie(
-                    req.cookie(&state.config.security.session_cookie_name)
-                        .ok_or_else(|| ErrorUnauthorized(anyhow!("Unauthorized")))?,
-                ),
-            };
-
+            let credentials = Credentials::extract(&req).await?;
             match state.api.security().authenticate(credentials).await {
                 Ok(Some(user)) => Ok(user),
                 Ok(None) => Err(ErrorUnauthorized(anyhow!("Unauthorized"))),

diff --git a/src/server/handlers/security_users_email.rs b/src/server/handlers/security_users_email.rs
@@ -9,7 +9,10 @@ use std::{collections::HashMap, str::FromStr};
 
 use crate::{
     logging::UserLogContext,
-    security::kratos::{EmailTemplateType, Identity},
+    security::{
+        kratos::{EmailTemplateType, Identity},
+        Operator,
+    },
 };
 use time::OffsetDateTime;
 use url::Url;
@@ -27,6 +30,7 @@ pub struct EmailParams {
 
 pub async fn security_users_email(
     state: web::Data<AppState>,
+    operator: Operator,
     body_params: web::Json<EmailParams>,
 ) -> Result<HttpResponse, SecutilsError> {
     let kratos_email = body_params.into_inner();
@@ -38,6 +42,7 @@ pub async fn security_users_email(
     let (destination, content) = match parse_email_params(&kratos_email) {
         Ok(content) => {
             log::info!(
+                operator:serde = operator.id(),
                 user:serde = identity_context;
                 "Received Kratos {} email request for {}.",
                 kratos_email.template_type,
@@ -50,6 +55,7 @@ pub async fn security_users_email(
         }
         Err(err) => {
             log::error!(
+                operator:serde = operator.id(),
                 user:serde = identity_context;
                 "Received unsupported ({}) Kratos email request for {}: {err:?}.",
                 kratos_email.template_type,
@@ -78,7 +84,7 @@ pub async fn security_users_email(
         .schedule_notification(destination, content, OffsetDateTime::now_utc())
         .await
     {
-        log::error!("Failed to schedule Kratos email notification: {err:?}");
+        log::error!(operator:serde = operator.id(); "Failed to schedule Kratos email notification: {err:?}");
     }
 
     Ok(HttpResponse::NoContent().finish())

diff --git a/src/server/handlers/security_users_signup.rs b/src/server/handlers/security_users_signup.rs
@@ -1,5 +1,5 @@
 use crate::{
-    security::kratos::Identity,
+    security::{kratos::Identity, Operator},
     server::{app_state::AppState, http_errors::generic_internal_server_error},
     users::{SubscriptionTier, User, UserId, UserSignupError, UserSubscription},
 };
@@ -16,6 +16,7 @@ pub struct SignupParams {
 /// Signups user with the provided identity.
 pub async fn security_users_signup(
     state: web::Data<AppState>,
+    operator: Operator,
     body_params: web::Json<SignupParams>,
 ) -> impl Responder {
     let body_params = body_params.into_inner();
@@ -42,7 +43,7 @@ pub async fn security_users_signup(
             match security_api.generate_user_handle().await {
                 Ok(handle) => handle,
                 Err(err) => {
-                    log::error!("Failed to generate user handle: {err:?}");
+                    log::error!(operator:serde = operator.id(); "Failed to generate user handle: {err:?}");
                     return generic_internal_server_error();
                 }
             },
@@ -68,11 +69,11 @@ pub async fn security_users_signup(
 
     match security_api.signup(&user).await {
         Ok(_) => {
-            log::info!(user:serde = user.log_context(); "Successfully signed up a new user.");
+            log::info!(operator:serde = operator.id(), user:serde = user.log_context(); "Successfully signed up a new user.");
             HttpResponse::Ok().finish()
         }
         Err(err) => {
-            log::error!(user:serde = user.log_context(); "Failed to signup a user: {err:?}");
+            log::error!(operator:serde = operator.id(), user:serde = user.log_context(); "Failed to signup a user: {err:?}");
             return match err.downcast_ref::<UserSignupError>() {
                 Some(err) => match err {
                     UserSignupError::EmailAlreadyRegistered => HttpResponse::BadRequest().json(