aerogramme/src/login/static_provider.rs

use std::collections::HashMap;
use std::path::PathBuf;
use std::sync::Arc;
use tokio::signal::unix::{signal, SignalKind};
use tokio::sync::watch;

use anyhow::{anyhow, bail, Result};
use async_trait::async_trait;

use crate::config::*;
use crate::login::*;
use crate::storage;

pub struct ContextualUserEntry {
    pub username: String,
    pub config: UserEntry,
}

#[derive(Default)]
pub struct UserDatabase {
    users: HashMap<String, Arc<ContextualUserEntry>>,
    users_by_email: HashMap<String, Arc<ContextualUserEntry>>,
}

pub struct StaticLoginProvider {
    user_db: watch::Receiver<UserDatabase>,
    in_memory_store: storage::in_memory::MemDb,
    garage_store: storage::garage::GarageRoot,
}

pub async fn update_user_list(config: PathBuf, up: watch::Sender<UserDatabase>) -> Result<()> {
    let mut stream = signal(SignalKind::user_defined1())
        .expect("failed to install SIGUSR1 signal hander for reload");

    loop {
        let ulist: UserList = match read_config(config.clone()) {
            Ok(x) => x,
            Err(e) => {
                tracing::warn!(path=%config.as_path().to_string_lossy(), error=%e, "Unable to load config");
                stream.recv().await;
                continue;
            }
        };

        let users = ulist
            .into_iter()
            .map(|(username, config)| {
                (
                    username.clone(),
                    Arc::new(ContextualUserEntry { username, config }),
                )
            })
            .collect::<HashMap<_, _>>();

        let mut users_by_email = HashMap::new();
        for (_, u) in users.iter() {
            for m in u.config.email_addresses.iter() {
                if users_by_email.contains_key(m) {
                    tracing::warn!("Several users have the same email address: {}", m);
                    stream.recv().await;
                    continue;
                }
                users_by_email.insert(m.clone(), u.clone());
            }
        }

        tracing::info!("{} users loaded", users.len());
        up.send(UserDatabase {
            users,
            users_by_email,
        })
        .context("update user db config")?;
        stream.recv().await;
        tracing::info!("Received SIGUSR1, reloading");
    }
}

impl StaticLoginProvider {
    pub async fn new(config: LoginStaticConfig) -> Result<Self> {
        let (tx, mut rx) = watch::channel(UserDatabase::default());

        tokio::spawn(update_user_list(config.user_list, tx));
        rx.changed().await?;

        Ok(Self {
            user_db: rx,
            in_memory_store: storage::in_memory::MemDb::new(),
            garage_store: storage::garage::GarageRoot::new()?,
        })
    }
}

#[async_trait]
impl LoginProvider for StaticLoginProvider {
    async fn login(&self, username: &str, password: &str) -> Result<Credentials> {
        tracing::debug!(user=%username, "login");
        let user = {
            let user_db = self.user_db.borrow();
            match user_db.users.get(username) {
                None => bail!("User {} does not exist", username),
                Some(u) => u.clone(),
            }
        };

        tracing::debug!(user=%username, "verify password");
        if !verify_password(password, &user.config.password)? {
            bail!("Wrong password");
        }

        tracing::debug!(user=%username, "fetch keys");
        let storage: storage::Builder = match &user.config.storage {
            StaticStorage::InMemory => self.in_memory_store.builder(username).await,
            StaticStorage::Garage(grgconf) => {
                self.garage_store.user(storage::garage::GarageConf {
                    region: grgconf.aws_region.clone(),
                    k2v_endpoint: grgconf.k2v_endpoint.clone(),
                    s3_endpoint: grgconf.s3_endpoint.clone(),
                    aws_access_key_id: grgconf.aws_access_key_id.clone(),
                    aws_secret_access_key: grgconf.aws_secret_access_key.clone(),
                    bucket: grgconf.bucket.clone(),
                })?
            }
        };

        let cr = CryptoRoot(user.config.crypto_root.clone());
        let keys = cr.crypto_keys(password)?;

        tracing::debug!(user=%username, "logged");
        Ok(Credentials { storage, keys })
    }

    async fn public_login(&self, email: &str) -> Result<PublicCredentials> {
        let user = {
            let user_db = self.user_db.borrow();
            match user_db.users_by_email.get(email) {
                None => bail!("Email {} does not exist", email),
                Some(u) => u.clone(),
            }
        };
        tracing::debug!(user=%user.username, "public_login");

        let storage: storage::Builder = match &user.config.storage {
            StaticStorage::InMemory => self.in_memory_store.builder(&user.username).await,
            StaticStorage::Garage(grgconf) => {
                self.garage_store.user(storage::garage::GarageConf {
                    region: grgconf.aws_region.clone(),
                    k2v_endpoint: grgconf.k2v_endpoint.clone(),
                    s3_endpoint: grgconf.s3_endpoint.clone(),
                    aws_access_key_id: grgconf.aws_access_key_id.clone(),
                    aws_secret_access_key: grgconf.aws_secret_access_key.clone(),
                    bucket: grgconf.bucket.clone(),
                })?
            }
        };

        let cr = CryptoRoot(user.config.crypto_root.clone());
        let public_key = cr.public_key()?;

        Ok(PublicCredentials {
            storage,
            public_key,
        })
    }
}

pub fn hash_password(password: &str) -> Result<String> {
    use argon2::{
        password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
        Argon2,
    };
    let salt = SaltString::generate(&mut OsRng);
    let argon2 = Argon2::default();
    Ok(argon2
        .hash_password(password.as_bytes(), &salt)
        .map_err(|e| anyhow!("Argon2 error: {}", e))?
        .to_string())
}

pub fn verify_password(password: &str, hash: &str) -> Result<bool> {
    use argon2::{
        password_hash::{PasswordHash, PasswordVerifier},
        Argon2,
    };
    let parsed_hash =
        PasswordHash::new(hash).map_err(|e| anyhow!("Invalid hashed password: {}", e))?;
    Ok(Argon2::default()
        .verify_password(password.as_bytes(), &parsed_hash)
        .is_ok())
}
More construction of things 2022-05-19 10:10:48 +00:00			`use std::collections::HashMap;`
WIP refactor 2023-12-06 19:57:25 +00:00			`use std::path::PathBuf;`
cargo format 2023-12-27 13:58:28 +00:00			`use std::sync::Arc;`
add support for hot reloading 2023-12-14 12:03:04 +00:00			`use tokio::signal::unix::{signal, SignalKind};`
cargo format 2023-12-27 13:58:28 +00:00			`use tokio::sync::watch;`
More construction of things 2022-05-19 10:10:48 +00:00
			`use anyhow::{anyhow, bail, Result};`
			`use async_trait::async_trait;`

			`use crate::config::*;`
			`use crate::login::*;`
integrate storage choice in config 2023-11-17 15:42:25 +00:00			`use crate::storage;`
More construction of things 2022-05-19 10:10:48 +00:00
new new new storage interface 2023-12-16 10:13:32 +00:00			`pub struct ContextualUserEntry {`
			`pub username: String,`
			`pub config: UserEntry,`
			`}`

add support for hot reloading 2023-12-14 12:03:04 +00:00			`#[derive(Default)]`
			`pub struct UserDatabase {`
new new new storage interface 2023-12-16 10:13:32 +00:00			`users: HashMap<String, Arc<ContextualUserEntry>>,`
			`users_by_email: HashMap<String, Arc<ContextualUserEntry>>,`
More construction of things 2022-05-19 10:10:48 +00:00			`}`

add support for hot reloading 2023-12-14 12:03:04 +00:00			`pub struct StaticLoginProvider {`
			`user_db: watch::Receiver<UserDatabase>,`
move storage logic into the storage module 2023-12-21 14:36:05 +00:00			`in_memory_store: storage::in_memory::MemDb,`
Replace with a single AWS HTTP client 2024-02-23 16:01:51 +00:00			`garage_store: storage::garage::GarageRoot,`
add support for hot reloading 2023-12-14 12:03:04 +00:00			`}`
WIP refactor 2023-12-06 19:57:25 +00:00
add support for hot reloading 2023-12-14 12:03:04 +00:00			`pub async fn update_user_list(config: PathBuf, up: watch::Sender<UserDatabase>) -> Result<()> {`
cargo format 2023-12-27 13:58:28 +00:00			`let mut stream = signal(SignalKind::user_defined1())`
			`.expect("failed to install SIGUSR1 signal hander for reload");`
WIP refactor 2023-12-06 19:57:25 +00:00
add support for hot reloading 2023-12-14 12:03:04 +00:00			`loop {`
			`let ulist: UserList = match read_config(config.clone()) {`
			`Ok(x) => x,`
			`Err(e) => {`
			`tracing::warn!(path=%config.as_path().to_string_lossy(), error=%e, "Unable to load config");`
avoid infinite loop 2023-12-21 08:32:48 +00:00			`stream.recv().await;`
add support for hot reloading 2023-12-14 12:03:04 +00:00			`continue;`
			`}`
			`};`
WIP refactor 2023-12-06 19:57:25 +00:00
add support for hot reloading 2023-12-14 12:03:04 +00:00			`let users = ulist`
Implement public_login 2022-05-31 13:30:32 +00:00			`.into_iter()`
cargo format 2023-12-27 13:58:28 +00:00			`.map(\|(username, config)\| {`
			`(`
			`username.clone(),`
			`Arc::new(ContextualUserEntry { username, config }),`
			`)`
			`})`
Implement public_login 2022-05-31 13:30:32 +00:00			`.collect::<HashMap<_, _>>();`
rework static login provider 2023-12-08 17:13:00 +00:00
add support for hot reloading 2023-12-14 12:03:04 +00:00			`let mut users_by_email = HashMap::new();`
			`for (_, u) in users.iter() {`
new new new storage interface 2023-12-16 10:13:32 +00:00			`for m in u.config.email_addresses.iter() {`
add support for hot reloading 2023-12-14 12:03:04 +00:00			`if users_by_email.contains_key(m) {`
			`tracing::warn!("Several users have the same email address: {}", m);`
avoid infinite loop 2023-12-21 08:32:48 +00:00			`stream.recv().await;`
cargo format 2023-12-27 13:58:28 +00:00			`continue;`
Implement public_login 2022-05-31 13:30:32 +00:00			`}`
add support for hot reloading 2023-12-14 12:03:04 +00:00			`users_by_email.insert(m.clone(), u.clone());`
Implement public_login 2022-05-31 13:30:32 +00:00			`}`
			`}`
add support for hot reloading 2023-12-14 12:03:04 +00:00
			`tracing::info!("{} users loaded", users.len());`
cargo format 2023-12-27 13:58:28 +00:00			`up.send(UserDatabase {`
			`users,`
			`users_by_email,`
			`})`
			`.context("update user db config")?;`
add support for hot reloading 2023-12-14 12:03:04 +00:00			`stream.recv().await;`
			`tracing::info!("Received SIGUSR1, reloading");`
			`}`
			`}`

			`impl StaticLoginProvider {`
			`pub async fn new(config: LoginStaticConfig) -> Result<Self> {`
			`let (tx, mut rx) = watch::channel(UserDatabase::default());`

			`tokio::spawn(update_user_list(config.user_list, tx));`
			`rx.changed().await?;`

cargo format 2023-12-27 13:58:28 +00:00			`Ok(Self {`
			`user_db: rx,`
			`in_memory_store: storage::in_memory::MemDb::new(),`
Also share HTTPClient for K2V 2024-02-23 16:31:29 +00:00			`garage_store: storage::garage::GarageRoot::new()?,`
cargo format 2023-12-27 13:58:28 +00:00			`})`
More construction of things 2022-05-19 10:10:48 +00:00			`}`
			`}`

			`#[async_trait]`
			`impl LoginProvider for StaticLoginProvider {`
			`async fn login(&self, username: &str, password: &str) -> Result<Credentials> {`
WIP login 2022-06-03 12:00:19 +00:00			`tracing::debug!(user=%username, "login");`
working in memory storage 2023-12-20 12:55:23 +00:00			`let user = {`
			`let user_db = self.user_db.borrow();`
			`match user_db.users.get(username) {`
			`None => bail!("User {} does not exist", username),`
			`Some(u) => u.clone(),`
			`}`
Implement public_login 2022-05-31 13:30:32 +00:00			`};`
Some refactoring 2022-05-19 12:33:49 +00:00
Add LMTP support 2022-06-15 16:40:39 +00:00			`tracing::debug!(user=%username, "verify password");`
new new new storage interface 2023-12-16 10:13:32 +00:00			`if !verify_password(password, &user.config.password)? {`
Implement public_login 2022-05-31 13:30:32 +00:00			`bail!("Wrong password");`
			`}`
Add LMTP support 2022-06-15 16:40:39 +00:00
			`tracing::debug!(user=%username, "fetch keys");`
Storage trait new implementation 2023-12-18 16:09:44 +00:00			`let storage: storage::Builder = match &user.config.storage {`
move storage logic into the storage module 2023-12-21 14:36:05 +00:00			`StaticStorage::InMemory => self.in_memory_store.builder(username).await,`
cargo format 2023-12-27 13:58:28 +00:00			`StaticStorage::Garage(grgconf) => {`
Replace with a single AWS HTTP client 2024-02-23 16:01:51 +00:00			`self.garage_store.user(storage::garage::GarageConf {`
cargo format 2023-12-27 13:58:28 +00:00			`region: grgconf.aws_region.clone(),`
			`k2v_endpoint: grgconf.k2v_endpoint.clone(),`
			`s3_endpoint: grgconf.s3_endpoint.clone(),`
			`aws_access_key_id: grgconf.aws_access_key_id.clone(),`
			`aws_secret_access_key: grgconf.aws_secret_access_key.clone(),`
			`bucket: grgconf.bucket.clone(),`
			`})?`
			`}`
WIP provider config 2023-11-17 17:46:22 +00:00			`};`

new new new storage interface 2023-12-16 10:13:32 +00:00			`let cr = CryptoRoot(user.config.crypto_root.clone());`
it compiles again! 2023-12-13 15:09:01 +00:00			`let keys = cr.crypto_keys(password)?;`
Implement public_login 2022-05-31 13:30:32 +00:00
Add LMTP support 2022-06-15 16:40:39 +00:00			`tracing::debug!(user=%username, "logged");`
Implement public_login 2022-05-31 13:30:32 +00:00			`Ok(Credentials { storage, keys })`
			`}`

			`async fn public_login(&self, email: &str) -> Result<PublicCredentials> {`
working in memory storage 2023-12-20 12:55:23 +00:00			`let user = {`
			`let user_db = self.user_db.borrow();`
			`match user_db.users_by_email.get(email) {`
			`None => bail!("Email {} does not exist", email),`
			`Some(u) => u.clone(),`
			`}`
Implement public_login 2022-05-31 13:30:32 +00:00			`};`
working in memory storage 2023-12-20 12:55:23 +00:00			`tracing::debug!(user=%user.username, "public_login");`
Implement public_login 2022-05-31 13:30:32 +00:00
Storage trait new implementation 2023-12-18 16:09:44 +00:00			`let storage: storage::Builder = match &user.config.storage {`
move storage logic into the storage module 2023-12-21 14:36:05 +00:00			`StaticStorage::InMemory => self.in_memory_store.builder(&user.username).await,`
cargo format 2023-12-27 13:58:28 +00:00			`StaticStorage::Garage(grgconf) => {`
Replace with a single AWS HTTP client 2024-02-23 16:01:51 +00:00			`self.garage_store.user(storage::garage::GarageConf {`
cargo format 2023-12-27 13:58:28 +00:00			`region: grgconf.aws_region.clone(),`
			`k2v_endpoint: grgconf.k2v_endpoint.clone(),`
			`s3_endpoint: grgconf.s3_endpoint.clone(),`
			`aws_access_key_id: grgconf.aws_access_key_id.clone(),`
			`aws_secret_access_key: grgconf.aws_secret_access_key.clone(),`
			`bucket: grgconf.bucket.clone(),`
			`})?`
			`}`
Implement public_login 2022-05-31 13:30:32 +00:00			`};`

new new new storage interface 2023-12-16 10:13:32 +00:00			`let cr = CryptoRoot(user.config.crypto_root.clone());`
it compiles again! 2023-12-13 15:09:01 +00:00			`let public_key = cr.public_key()?;`
Implement public_login 2022-05-31 13:30:32 +00:00
			`Ok(PublicCredentials {`
			`storage,`
			`public_key,`
			`})`
More construction of things 2022-05-19 10:10:48 +00:00			`}`
			`}`
CLI skeleton 2022-05-19 13:14:36 +00:00
implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`pub fn hash_password(password: &str) -> Result<String> {`
			`use argon2::{`
			`password_hash::{rand_core::OsRng, PasswordHasher, SaltString},`
			`Argon2,`
			`};`
			`let salt = SaltString::generate(&mut OsRng);`
			`let argon2 = Argon2::default();`
			`Ok(argon2`
			`.hash_password(password.as_bytes(), &salt)`
			`.map_err(\|e\| anyhow!("Argon2 error: {}", e))?`
			`.to_string())`
CLI skeleton 2022-05-19 13:14:36 +00:00			`}`

implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`pub fn verify_password(password: &str, hash: &str) -> Result<bool> {`
			`use argon2::{`
Implement some crypto 2022-05-20 10:49:53 +00:00			`password_hash::{PasswordHash, PasswordVerifier},`
implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`Argon2,`
			`};`
			`let parsed_hash =`
clippy lint fix 2023-05-15 16:23:23 +00:00			`PasswordHash::new(hash).map_err(\|e\| anyhow!("Invalid hashed password: {}", e))?;`
implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`Ok(Argon2::default()`
			`.verify_password(password.as_bytes(), &parsed_hash)`
			`.is_ok())`
CLI skeleton 2022-05-19 13:14:36 +00:00			`}`