Update openidconnect dependency.

Fixes #423.
This commit is contained in:
Orne Brocaar 2024-07-11 09:47:51 +01:00
parent 2737284d2d
commit 920f485734
3 changed files with 74 additions and 192 deletions

174
Cargo.lock generated

@ -579,7 +579,7 @@ dependencies = [
"hex",
"httpmock",
"rand",
"reqwest 0.12.3",
"reqwest",
"serde",
"serde_json",
"thiserror",
@ -608,12 +608,6 @@ version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
[[package]]
name = "base64"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
[[package]]
name = "base64"
version = "0.21.7"
@ -838,7 +832,7 @@ dependencies = [
"lazy_static",
"lrwn",
"mime_guess",
"oauth2 5.0.0-alpha.4",
"oauth2",
"openidconnect",
"p256",
"pbjson-types",
@ -855,7 +849,7 @@ dependencies = [
"rdkafka",
"redis",
"regex",
"reqwest 0.12.3",
"reqwest",
"rquickjs",
"rsa",
"rumqttc",
@ -1517,15 +1511,6 @@ dependencies = [
"log",
]
[[package]]
name = "encoding_rs"
version = "0.8.34"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b45de904aa0b010bce2ab45264d0631681847fa7b6f2eaa7dab7619943bc4f59"
dependencies = [
"cfg-if",
]
[[package]]
name = "equivalent"
version = "1.0.1"
@ -2200,20 +2185,6 @@ dependencies = [
"want",
]
[[package]]
name = "hyper-rustls"
version = "0.24.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590"
dependencies = [
"futures-util",
"http 0.2.12",
"hyper 0.14.28",
"rustls 0.21.10",
"tokio",
"tokio-rustls 0.24.1",
]
[[package]]
name = "hyper-rustls"
version = "0.25.0"
@ -2227,7 +2198,7 @@ dependencies = [
"rustls-native-certs 0.7.0",
"rustls-pki-types",
"tokio",
"tokio-rustls 0.25.0",
"tokio-rustls",
]
[[package]]
@ -2243,7 +2214,7 @@ dependencies = [
"rustls 0.22.3",
"rustls-pki-types",
"tokio",
"tokio-rustls 0.25.0",
"tokio-rustls",
"tower-service",
]
@ -2815,26 +2786,6 @@ dependencies = [
"syn 1.0.109",
]
[[package]]
name = "oauth2"
version = "4.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c38841cdd844847e3e7c8d29cef9dcfed8877f8f56f9071f77843ecf3baf937f"
dependencies = [
"base64 0.13.1",
"chrono",
"getrandom",
"http 0.2.12",
"rand",
"reqwest 0.11.27",
"serde",
"serde_json",
"serde_path_to_error",
"sha2",
"thiserror",
"url",
]
[[package]]
name = "oauth2"
version = "5.0.0-alpha.4"
@ -2846,7 +2797,7 @@ dependencies = [
"getrandom",
"http 1.1.0",
"rand",
"reqwest 0.12.3",
"reqwest",
"serde",
"serde_json",
"serde_path_to_error",
@ -2881,26 +2832,25 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
[[package]]
name = "openidconnect"
version = "3.5.0"
version = "4.0.0-alpha.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f47e80a9cfae4462dd29c41e987edd228971d6565553fbc14b8a11e666d91590"
checksum = "dd4c74c00c2727896cebfcd04018dea51902881e711c69f76a446314ab5596e2"
dependencies = [
"base64 0.13.1",
"base64 0.21.7",
"chrono",
"dyn-clone",
"ed25519-dalek",
"hmac",
"http 0.2.12",
"http 1.1.0",
"itertools 0.10.5",
"log",
"oauth2 4.4.2",
"oauth2",
"p256",
"p384",
"rand",
"rsa",
"serde",
"serde-value",
"serde_derive",
"serde_json",
"serde_path_to_error",
"serde_plain",
@ -3601,7 +3551,7 @@ dependencies = [
"sha1_smol",
"socket2 0.5.6",
"tokio",
"tokio-rustls 0.25.0",
"tokio-rustls",
"tokio-util",
"url",
]
@ -3661,47 +3611,6 @@ version = "1.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e898588f33fdd5b9420719948f9f2a32c922a246964576f71ba7f24f80610fbc"
[[package]]
name = "reqwest"
version = "0.11.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dd67538700a17451e7cba03ac727fb961abb7607553461627b97de0b89cf4a62"
dependencies = [
"base64 0.21.7",
"bytes",
"encoding_rs",
"futures-core",
"futures-util",
"h2",
"http 0.2.12",
"http-body 0.4.6",
"hyper 0.14.28",
"hyper-rustls 0.24.2",
"ipnet",
"js-sys",
"log",
"mime",
"once_cell",
"percent-encoding",
"pin-project-lite",
"rustls 0.21.10",
"rustls-pemfile 1.0.4",
"serde",
"serde_json",
"serde_urlencoded",
"sync_wrapper",
"system-configuration",
"tokio",
"tokio-rustls 0.24.1",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
"webpki-roots 0.25.4",
"winreg 0.50.0",
]
[[package]]
name = "reqwest"
version = "0.12.3"
@ -3734,14 +3643,14 @@ dependencies = [
"serde_urlencoded",
"sync_wrapper",
"tokio",
"tokio-rustls 0.25.0",
"tokio-rustls",
"tower-service",
"url",
"wasm-bindgen",
"wasm-bindgen-futures",
"web-sys",
"webpki-roots 0.26.1",
"winreg 0.52.0",
"webpki-roots",
"winreg",
]
[[package]]
@ -3853,7 +3762,7 @@ dependencies = [
"rustls-webpki 0.102.2",
"thiserror",
"tokio",
"tokio-rustls 0.25.0",
"tokio-rustls",
"url",
]
@ -4536,27 +4445,6 @@ dependencies = [
"syn 2.0.58",
]
[[package]]
name = "system-configuration"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ba3a3adc5c275d719af8cb4272ea1c4a6d668a777f37e115f6d11ddbc1c8e0e7"
dependencies = [
"bitflags 1.3.2",
"core-foundation",
"system-configuration-sys",
]
[[package]]
name = "system-configuration-sys"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a75fb188eb626b924683e3b95e3a48e63551fcfb51949de2f06a9d91dbee93c9"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]]
name = "tcp-stream"
version = "0.26.1"
@ -4764,7 +4652,7 @@ dependencies = [
"rustls 0.22.3",
"tokio",
"tokio-postgres",
"tokio-rustls 0.25.0",
"tokio-rustls",
"x509-certificate",
]
@ -4782,16 +4670,6 @@ dependencies = [
"tokio-stream",
]
[[package]]
name = "tokio-rustls"
version = "0.24.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
dependencies = [
"rustls 0.21.10",
"tokio",
]
[[package]]
name = "tokio-rustls"
version = "0.25.0"
@ -5266,7 +5144,7 @@ dependencies = [
"serde_json",
"serde_urlencoded",
"tokio",
"tokio-rustls 0.25.0",
"tokio-rustls",
"tokio-util",
"tower-service",
"tracing",
@ -5360,12 +5238,6 @@ dependencies = [
"wasm-bindgen",
]
[[package]]
name = "webpki-roots"
version = "0.25.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"
[[package]]
name = "webpki-roots"
version = "0.26.1"
@ -5600,16 +5472,6 @@ dependencies = [
"memchr",
]
[[package]]
name = "winreg"
version = "0.50.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "524e57b2c537c0f9b1e69f1965311ec12182b4122e45035b1508cd24d2adadb1"
dependencies = [
"cfg-if",
"windows-sys 0.48.0",
]
[[package]]
name = "winreg"
version = "0.52.0"


@ -126,8 +126,10 @@
elliptic-curve = { version = "0.13", features = ["pem"] }
p256 = "0.13"
rcgen = { version = "0.13.1", features = ["x509-parser"] }
openidconnect = { version = "3.5", features = ["accept-rfc3339-timestamps"] }
oauth2 = "5.0.0-alpha.4"
openidconnect = { version = "4.0.0-alpha.2", features = [
"accept-rfc3339-timestamps",
] }
# MQTT
rumqttc = { version = "0.24", features = ["url"] }


@ -7,11 +7,10 @@ use openidconnect::core::{
CoreClient, CoreGenderClaim, CoreIdTokenClaims, CoreIdTokenVerifier, CoreProviderMetadata,
CoreResponseType,
};
use openidconnect::reqwest::async_http_client;
use openidconnect::{AdditionalClaims, UserInfoClaims};
use openidconnect::{reqwest, AdditionalClaims, UserInfoClaims};
use openidconnect::{
AuthenticationFlow, AuthorizationCode, ClientId, ClientSecret, CsrfToken, IssuerUrl, Nonce,
OAuth2TokenResponse, RedirectUrl, Scope,
AuthenticationFlow, AuthorizationCode, ClientId, ClientSecret, CsrfToken, EndpointMaybeSet,
EndpointNotSet, EndpointSet, IssuerUrl, Nonce, OAuth2TokenResponse, RedirectUrl, Scope,
};
use serde::{Deserialize, Serialize};
use serde_json::Value;
@ -24,6 +23,15 @@ use crate::storage::{get_async_redis_conn, redis_key};
pub type User = UserInfoClaims<CustomClaims, CoreGenderClaim>;
type Client = CoreClient<
EndpointSet,
EndpointNotSet,
EndpointNotSet,
EndpointNotSet,
EndpointMaybeSet,
EndpointMaybeSet,
>;
#[derive(Debug, Serialize, Deserialize)]
pub struct CustomClaims {
#[serde(flatten)]
@ -90,9 +98,13 @@ pub async fn get_user(code: &str, state: &str) -> Result<User> {
let nonce = get_nonce(&state).await?;
let client = get_client().await?;
let http_client = reqwest::ClientBuilder::new()
.redirect(reqwest::redirect::Policy::none())
.build()?;
let token_response = client
.exchange_code(AuthorizationCode::new(code.to_string()))
.request_async(async_http_client)
.exchange_code(AuthorizationCode::new(code.to_string()))?
.request_async(&http_client)
.await?;
let id_token_verifier: CoreIdTokenVerifier = client.id_token_verifier();
@ -106,41 +118,13 @@ pub async fn get_user(code: &str, state: &str) -> Result<User> {
let userinfo_claims: User = client
.user_info(token_response.access_token().to_owned(), None)
.context("No user info endpoint")?
.request_async(async_http_client)
.request_async(&http_client)
.await
.context("Failed requesting user info")?;
Ok(userinfo_claims)
}
async fn get_client() -> Result<CoreClient> {
let conf = config::get();
if conf.user_authentication.enabled != "openid_connect" {
return Err(anyhow!("OIDC is not enabled"));
}
let client_id = ClientId::new(conf.user_authentication.openid_connect.client_id.clone());
let client_secret = ClientSecret::new(
conf.user_authentication
.openid_connect
.client_secret
.clone(),
);
let provider_url =
IssuerUrl::new(conf.user_authentication.openid_connect.provider_url.clone())?;
let redirect_url =
RedirectUrl::new(conf.user_authentication.openid_connect.redirect_url.clone())?;
let provider_metadata =
CoreProviderMetadata::discover_async(provider_url, async_http_client).await?;
let client =
CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret))
.set_redirect_uri(redirect_url);
Ok(client)
}
async fn store_nonce(state: &CsrfToken, nonce: &Nonce) -> Result<()> {
trace!("Storing nonce");
let key = redis_key(format!("auth:oidc:{}", state.secret()));
@ -167,3 +151,37 @@ async fn get_nonce(state: &CsrfToken) -> Result<Nonce> {
Ok(Nonce::new(v))
}
async fn get_client() -> Result<Client> {
let conf = config::get();
if conf.user_authentication.enabled != "openid_connect" {
return Err(anyhow!("OIDC is not enabled"));
}
let http_client = reqwest::ClientBuilder::new()
.redirect(reqwest::redirect::Policy::none())
.build()?;
let provider_metadata = CoreProviderMetadata::discover_async(
IssuerUrl::new(conf.user_authentication.openid_connect.provider_url.clone())?,
&http_client,
)
.await?;
let client = CoreClient::from_provider_metadata(
provider_metadata,
ClientId::new(conf.user_authentication.openid_connect.client_id.clone()),
Some(ClientSecret::new(
conf.user_authentication
.openid_connect
.client_secret
.clone(),
)),
)
.set_redirect_uri(RedirectUrl::new(
conf.user_authentication.openid_connect.redirect_url.clone(),
)?);
Ok(client)
}
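Review bot: The `reqwest::ClientBuilder::new().redirect(Policy::none()).build()?` construction now appears twice in this file, in get_user (hunk `@ -90,9 +98,13`) and again in get_client, and neither site says why redirects are disabled, so the next person touching one copy can easily relax it without noticing the other. The openidconnect/oauth2 docs recommend a non-redirecting client for the discovery, token and userinfo requests because a redirecting endpoint can relay the authorization code or bearer token to another host; that rationale belongs in a comment on a single helper both functions call, for example `/// Non-redirecting client for OIDC requests; a redirect could leak the code or token to another host.` A side effect of the duplication is that every get_user call builds two reqwest clients (its own plus the one inside get_client), which the helper does not fix by itself but makes easier to consolidate later. get_user starts and ends outside its hunks, so only the changed lines are shown below.

```rust
/// Non-redirecting HTTP client used for discovery, token exchange and userinfo.
/// Redirects are disabled so a misbehaving or compromised endpoint cannot relay
/// the authorization code or access token to another host.
fn oidc_http_client() -> Result<reqwest::Client> {
    Ok(reqwest::ClientBuilder::new()
        .redirect(reqwest::redirect::Policy::none())
        .build()?)
}

// … unchanged: get_user body up to the client lookup …
    let http_client = oidc_http_client()?;
// … unchanged: exchange_code / user_info calls …

// … unchanged: get_client enabled check …
    let http_client = oidc_http_client()?;
// … unchanged: discover_async / from_provider_metadata …
```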