feat: Improve auth

.github/workflows/linters.yml

@@ -13,16 +13,14 @@ on:
       - 'Cargo.toml'
       - 'Cargo.lock'
       - '.github/workflows/linters.yml'
-      - 'keystone/**'
-      - 'fuzz/**'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
 env:
   CARGO_TERM_COLOR: always
-  rust_min: 1.76.0
+  rust_min: 1.85.0
 
 jobs:
   rustfmt:

Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "openstack_keystone"
 version = "0.1.0"
-edition = "2021"
+edition = "2024"
 license = "Apache-2.0"
 authors = ["Artem Goncharov (gtema)"]
-rust-version = "1.83"  # MSRV
+rust-version = "1.85"  # MSRV
 repository = "https://github.com/gtema/keystone"
 
 [[bin]]
@@ -29,6 +29,7 @@ derive_builder = { version = "^0.20" }
 dyn-clone = { version = "^1.0" }
 eyre = { version = "^0.6" }
 fernet = { version = "^0.2" }
+mockall_double = { version = "^0.3" }
 regex = { version = "^1.11"}
 rmp = { version = "^0.8" }
 sea-orm = { version = "^1.1", features = ["sqlx-mysql", "sqlx-postgres", "runtime-tokio"] }
@@ -44,11 +45,12 @@ tracing-subscriber = { version = "^0.3" }
 utoipa = { version = "^5.3", features = ["axum_extras", "chrono"] }
 utoipa-axum = { version = "^0.2" }
 utoipa-swagger-ui = { version = "^9.0", features = ["axum", "vendored"], default-features = false }
-uuid = { version = "^1.13", features = ["v4"] }
+uuid = { version = "^1.14", features = ["v4"] }
 
 [dev-dependencies]
 criterion = { version = "^0.5", features = ["async_tokio"] }
 http-body-util = "^0.1"
+mockall = { version = "^0.13" }
 sea-orm = { version = "*", features = ["mock"]}
 tempfile = { version = "^3.17" }
 

benches/fernet_token.rs

@@ -1,4 +1,4 @@
-use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion};
+use criterion::{BenchmarkId, Criterion, criterion_group, criterion_main};
 use std::fs::File;
 use std::io::Write;
 use std::path::PathBuf;

loadtest/Cargo.toml

@@ -1,8 +1,9 @@
 [package]
 name = "load_test"
 version = "0.1.0"
+rust-version = "1.85"  # MSRV
 edition = "2024"
 
 [dependencies]
-goose = "0.17.2"
-tokio = "1.43.0"
+goose = { version = "^0.17" }
+tokio = { version = "^1.43" }

src/api/auth.rs

@@ -13,51 +13,45 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use axum::{
-    extract::{Request, State},
-    http::StatusCode,
-    middleware::Next,
-    response::Response,
+    extract::{FromRef, FromRequestParts},
+    http::{StatusCode, request::Parts},
 };
 use std::sync::Arc;
 
 use crate::keystone::ServiceState;
-use crate::provider::Provider;
 use crate::token::{Token, TokenApi};
 
 #[derive(Debug, Clone)]
-pub struct Auth {
-    pub token: Token,
-}
+pub struct Auth(pub Token);
 
-pub async fn auth<P>(
-    State(state): State<Arc<ServiceState<P>>>,
-    mut req: Request,
-    next: Next,
-) -> Result<Response, StatusCode>
+impl<S> FromRequestParts<S> for Auth
 where
-    P: Provider,
+    ServiceState: FromRef<S>,
+    S: Send + Sync,
 {
-    let auth_header = req
-        .headers()
-        .get("X-Auth-Token")
-        .and_then(|header| header.to_str().ok());
-
-    let auth_header = if let Some(auth_header) = auth_header {
-        auth_header
-    } else {
-        return Err(StatusCode::UNAUTHORIZED);
-    };
-
-    // insert the current user into a request extension so the handler can
-    // extract it
-    state
-        .provider
-        .get_token_provider()
-        .validate_token(auth_header.to_string(), None)
-        .await
-        .map(|token| {
-            req.extensions_mut().insert(Auth { token });
-        })
-        .map_err(|_| StatusCode::UNAUTHORIZED)?;
-    Ok(next.run(req).await)
+    type Rejection = (StatusCode, &'static str);
+
+    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        let auth_header = parts
+            .headers
+            .get("X-Auth-Token")
+            .and_then(|header| header.to_str().ok());
+
+        let auth_header = if let Some(auth_header) = auth_header {
+            auth_header
+        } else {
+            return Err((StatusCode::UNAUTHORIZED, "not authorized"));
+        };
+
+        let state = Arc::from_ref(state);
+
+        Ok(Self(
+            state
+                .provider
+                .get_token_provider()
+                .validate_token(auth_header.to_string(), None)
+                .await
+                .map_err(|_| (StatusCode::UNAUTHORIZED, "not authorized"))?,
+        ))
+    }
 }

src/api/error.rs

@@ -13,9 +13,9 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use axum::{
+    Json,
     http::StatusCode,
     response::{IntoResponse, Response},
-    Json,
 };
 use serde_json::json;
 use thiserror::Error;

src/api/mod.rs

@@ -12,12 +12,10 @@
 //
 // SPDX-License-Identifier: Apache-2.0
 
-use std::sync::Arc;
 use utoipa::OpenApi;
 use utoipa_axum::router::OpenApiRouter;
 
 use crate::keystone::ServiceState;
-use crate::provider::Provider;
 
 pub mod auth;
 pub mod error;
@@ -27,9 +25,6 @@ pub mod v3;
 #[openapi(info(version = "3.14.0"))]
 pub struct ApiDoc;
 
-pub fn openapi_router<P>() -> OpenApiRouter<Arc<ServiceState<P>>>
-where
-    P: Provider + 'static,
-{
+pub fn openapi_router() -> OpenApiRouter<ServiceState> {
     OpenApiRouter::new().nest("/v3", v3::openapi_router())
 }