diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 6874060453..8ae32950b7 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -258,7 +258,6 @@ async fn main() -> Result<(), anyhow::Error> {
 pool.clone(),
 grpc_cert,
 grpc_key,
- failed_logins.clone(),
 ) => error!("gRPC server returned early: {res:?}"),
 res = run_web_server(
 worker_state,
diff --git a/crates/defguard_core/src/grpc/auth.rs b/crates/defguard_core/src/grpc/auth.rs
deleted file mode 100644
index 72acbf722a..0000000000
--- a/crates/defguard_core/src/grpc/auth.rs
+++ /dev/null
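Review bot: `failed_logins` is still constructed in `main` although the removed line was its gRPC consumer; with `run_grpc_server` no longer taking it, confirm the web login path remains a consumer (the `run_web_server` argument list continues past the hunk) so the failed-login throttling is not dropped together with the gRPC `authenticate` endpoint. If that remaining call site also passes `failed_logins.clone()`, the clone can now become a move. `main` starts and ends outside the hunk.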
@@ -1,92 +0,0 @@
-use std::sync::{Arc, Mutex};
-
-use defguard_common::{
- auth::claims::{Claims, ClaimsError, ClaimsType},
- db::models::{Settings, User},
-};
-use defguard_proto::auth::{AuthenticateRequest, AuthenticateResponse, auth_service_server};
-use sqlx::PgPool;
-use tonic::{Request, Response, Status};
-
-use crate::auth::failed_login::{FailedLoginMap, check_failed_logins, log_failed_login_attempt};
-
-pub(super) struct AuthServer {
- pool: PgPool,
- failed_logins: Arc>,
-}
-
-impl AuthServer {
- #[must_use]
- pub fn new(pool: PgPool, failed_logins: Arc>) -> Self {
- Self {
- pool,
- failed_logins,
- }
- }
-
- /// Creates JWT token for specified user
- fn create_jwt(uid: &str) -> Result {
- let settings = Settings::get_current_settings();
- let timeout = settings.authentication_timeout();
- Claims::new(
- ClaimsType::Auth,
- uid.into(),
- String::new(),
- timeout.as_secs(),
- )
- .to_jwt()
- }
-
- fn create_auth_token(uid: &str) -> Result {
- Self::create_jwt(uid).map_err(|err| match err {
- ClaimsError::Settings(err) => {
- error!(
- "Failed to create gRPC auth token for user {uid}: JWT signing is misconfigured: {err}"
- );
- Status::failed_precondition("JWT signing is not configured")
- }
- ClaimsError::Jwt(err) => {
- error!("Failed to create gRPC auth token for user {uid}: {err}");
- Status::internal("failed to create JWT token")
- }
- ClaimsError::UnexpectedClaimsType { expected, actual } => {
- error!(
- "Failed to create gRPC auth token for user {uid}: unexpected claims type mismatch while minting token (expected {expected:?}, got {actual:?})"
- );
- Status::internal("failed to create JWT token")
- }
- })
- }
-}
-
-#[tonic::async_trait]
-impl auth_service_server::AuthService for AuthServer {
- /// Authentication gRPC service. Verifies provided username and password
- /// against LDAP and returns JWT token if correct.
- async fn authenticate(
- &self,
- request: Request,
- ) -> Result, Status> {
- let request = request.into_inner();
- debug!("Authenticating user {}", request.username);
- // check if user can proceed with login
- check_failed_logins(&self.failed_logins, &request.username)
- .map_err(|_| Status::resource_exhausted("too many login requests"))?;
-
- if let Ok(Some(user)) = User::find_by_username(&self.pool, &request.username).await {
- if user.verify_password(&request.password).is_ok() {
- let token = Self::create_auth_token(&request.username)?;
- info!("Authentication successful for user {}", request.username);
- Ok(Response::new(AuthenticateResponse { token }))
- } else {
- warn!("Invalid login credentials for user {}", request.username);
- log_failed_login_attempt(&self.failed_logins, &request.username);
- Err(Status::unauthenticated("invalid credentials"))
- }
- } else {
- warn!("User {} not found", request.username);
- log_failed_login_attempt(&self.failed_logins, &request.username);
- Err(Status::unauthenticated("invalid credentials"))
- }
- }
-}
diff --git a/crates/defguard_core/src/grpc/mod.rs b/crates/defguard_core/src/grpc/mod.rs
index dea48b23b0..eb68fcb26a 100644
--- a/crates/defguard_core/src/grpc/mod.rs
+++ b/crates/defguard_core/src/grpc/mod.rs
@@ -24,7 +24,6 @@ use sqlx::PgPool;
 use tokio::sync::{broadcast::Sender, mpsc::UnboundedSender};
 use crate::{
- auth::failed_login::FailedLoginMap,
 db::AppEvent,
 enterprise::{
 db::models::{
@@ -33,10 +32,9 @@ use crate::{
 },
 is_business_license_active, is_enterprise_license_active,
 },
- grpc::{auth::AuthServer, interceptor::JwtInterceptor, worker::WorkerServer},
+ grpc::{interceptor::JwtInterceptor, worker::WorkerServer},
 };
-mod auth;
 pub mod client_version;
 pub mod interceptor;
 pub mod proxy;
@@ -52,8 +50,8 @@ pub mod proto {
 }
 use defguard_proto::{
- auth::auth_service_server::AuthServiceServer, enterprise::firewall::FirewallConfig,
- gateway::Peer, worker::worker_service_server::WorkerServiceServer,
+ enterprise::firewall::FirewallConfig, gateway::Peer,
+ worker::worker_service_server::WorkerServiceServer,
 };
 use tonic::transport::{Identity, Server, ServerTlsConfig, server::Router};
@@ -71,7 +69,6 @@ pub async fn run_grpc_server(
 pool: PgPool,
 grpc_cert: Option,
 grpc_key: Option,
- failed_logins: Arc>,
 ) -> Result<(), anyhow::Error> {
 // Build gRPC services
 let server = if let (Some(cert), Some(key)) = (grpc_cert, grpc_key) {
@@ -81,7 +78,7 @@ pub async fn run_grpc_server(
 Server::builder()
 };
- let router = build_grpc_service_router(server, pool, worker_state, failed_logins).await?;
+ let router = build_grpc_service_router(server, pool, worker_state).await?;
 // Run gRPC server
 let addr = SocketAddr::new(
@@ -100,11 +97,7 @@ pub async fn build_grpc_service_router(
 server: Server,
 pool: PgPool,
 worker_state: Arc>,
- failed_logins: Arc>,
- // incompatible_components: Arc>,
 ) -> Result {
- let auth_service = AuthServiceServer::new(AuthServer::new(pool.clone(), failed_logins));
-
 let worker_service = WorkerServiceServer::with_interceptor(
 WorkerServer::new(pool.clone(), worker_state),
 JwtInterceptor::new(ClaimsType::YubiBridge),
@@ -112,7 +105,7 @@ pub async fn build_grpc_service_router(
 let (health_reporter, health_service) = tonic_health::server::health_reporter();
 health_reporter
- .set_serving::>()
+ .set_serving::>()
 .await;
 health_reporter
 .set_serving::>()
@@ -122,8 +115,7 @@ pub async fn build_grpc_service_router(
 .http2_keepalive_interval(Some(TEN_SECS))
 .tcp_keepalive(Some(TEN_SECS))
 .add_service(health_service)
- .add_service(auth_service);
- let router = router.add_service(worker_service);
+ .add_service(worker_service);
 Ok(router)
 }
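Review bot: `WorkerServer::new(pool.clone(), worker_state)` in `build_grpc_service_router` still clones the pool although the removed `AuthServer::new(pool.clone(), failed_logins)` line was the other user; if no line between this hunk and the `@@ -112` hunk reads `pool` again, this is the last use and can become a move, `WorkerServer::new(pool, worker_state),`, which clippy's `redundant_clone` would otherwise flag. The `pub async fn` signature change also drops a parameter from a public function, so any caller outside this tree breaks at compile time, which is the safer failure mode. `build_grpc_service_router` continues past the hunk.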
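Review bot: The type argument of the replaced `.set_serving::<…>()` call in the `@@ -112` hunk is not recoverable in this rendering, so check that it names a service that is actually registered on the router in the `@@ -122` hunk, which now adds only `health_service` and `worker_service`; a health reporter that marks an unregistered service as SERVING misleads readiness probes. If it names the same service as the `set_serving` call on the following context line, one of the two calls is redundant and can be dropped. `build_grpc_service_router` starts outside the hunk.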
diff --git a/crates/defguard_core/tests/integration/grpc/common/mod.rs b/crates/defguard_core/tests/integration/grpc/common/mod.rs
index c6d19a25a7..527f7dc3b7 100644
--- a/crates/defguard_core/tests/integration/grpc/common/mod.rs
+++ b/crates/defguard_core/tests/integration/grpc/common/mod.rs
@@ -11,7 +11,6 @@ use defguard_common::{
 },
 };
 use defguard_core::{
- auth::failed_login::FailedLoginMap,
 db::AppEvent,
 grpc::{AUTHORIZATION_HEADER, WorkerState, build_grpc_service_router},
 };
@@ -118,15 +117,10 @@ pub(crate) async fn make_grpc_test_server(pool: &PgPool) -> TestGrpcServer {
 let (app_event_tx, app_event_rx) = unbounded_channel::();
 let worker_state = Arc::new(Mutex::new(WorkerState::new(app_event_tx)));
- let failed_logins = Arc::new(Mutex::new(FailedLoginMap::new()));
- let grpc_router = build_grpc_service_router(
- Server::builder(),
- pool.clone(),
- worker_state.clone(),
- failed_logins,
- )
- .await
- .expect("failed to build gRPC router");
+ let grpc_router =
+ build_grpc_service_router(Server::builder(), pool.clone(), worker_state.clone())
+ .await
+ .expect("failed to build gRPC router");
 TestGrpcServer::new(
 server_stream,
diff --git a/crates/defguard_proto/build.rs b/crates/defguard_proto/build.rs
index d8584959a6..367ccb94c7 100644
--- a/crates/defguard_proto/build.rs
+++ b/crates/defguard_proto/build.rs
@@ -4,8 +4,6 @@ fn main() -> Result<(), Box> {
 .skip_debug([
 "ActivateUserRequest",
 "AuthInfoResponse",
- "AuthenticateRequest",
- "AuthenticateResponse",
 "ClientMfaFinishResponse",
 "CodeMfaSetupStartResponse",
 "CodeMfaSetupFinishResponse",
@@ -19,7 +17,6 @@ fn main() -> Result<(), Box> {
 .protoc_arg("--experimental_allow_proto3_optional")
 .compile_protos(
 &[
- "../../proto/core/auth.proto",
 "../../proto/core/proxy.proto",
 "../../proto/worker/worker.proto",
 "../../proto/wireguard/gateway.proto",
diff --git a/crates/defguard_proto/src/lib.rs b/crates/defguard_proto/src/lib.rs
index 7b4d24624d..aa70796b42 100644
--- a/crates/defguard_proto/src/lib.rs
+++ b/crates/defguard_proto/src/lib.rs
@@ -6,9 +6,6 @@ pub mod proxy {
 pub mod gateway {
 tonic::include_proto!("gateway");
 }
-pub mod auth {
- tonic::include_proto!("auth");
-}
 pub mod worker {
 tonic::include_proto!("worker");
 }
diff --git a/proto b/proto
index 30c9e8e5c1..28d962c674 160000
--- a/proto
+++ b/proto
@@ -1 +1 @@
-Subproject commit 30c9e8e5c1d6c05c5aa8132fe48952eaca17f5b9
+Subproject commit 28d962c6746e7b2bad365f8c9cc41fd23cf1b322