Enable avatar resolution (#45)

Also updates a variety of dependencies
2022-12-19 18:51:46 +00:00 · 2022-12-19 18:51:46 +00:00 · d59c4db602
commit d59c4db602
parent 782143415c
5 changed files with 1135 additions and 819 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -14,24 +14,24 @@ crate-type = ["cdylib", "rlib"]
 anyhow = "1.0.53"
 headers = "0.3.6"
 hex = "0.4.3"
-iri-string = { version = "0.4", features = ["serde-std"] }
+iri-string = { version = "0.6", features = ["serde"] }
 # openidconnect = "2.1.2"
-openidconnect = { git = "https://github.com/sbihel/openidconnect-rs", branch = "main", default-features = false, features = ["reqwest", "rustls-tls", "rustcrypto"] }
+openidconnect = { git = "https://github.com/sbihel/openidconnect-rs", branch = "replace-ring", default-features = false, features = ["reqwest", "rustls-tls"] }
 rand = "0.8.4"
-rsa = { version = "0.5.0", features = ["alloc"] }
+rsa = { version = "0.7.0" }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0.78"
-siwe = "0.2.0"
+siwe = "0.5.0"
 thiserror = "1.0.30"
 tracing = "0.1.30"
 url = { version = "2.2", features = ["serde"] }
 urlencoding = "2.1.0"
-sha2 = "0.9.0"
+sha2 = "0.10.0"
 cookie = "0.16.0"
 bincode = "1.3.3"
 async-trait = "0.1.52"
-ethers-core = "0.6.3"
-ethers-providers = "0.6.2"
+ethers-core = "1.0.2"
+ethers-providers = "1.0.2"
 lazy_static = "1.4"

 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
@ -56,12 +56,18 @@ matchit = "0.4.2"
 serde_urlencoded = "0.7.0"
 uuid = { version = "0.8", features = ["serde", "v4", "wasm-bindgen"] }
 wee_alloc = { version = "0.4" }
-worker = "0.0.9"
+worker = "0.0.12"
+time = { version = "0.3.17", features = ["wasm-bindgen"] }

 [profile.release]
 opt-level = "z"
 lto = true

+[dev-dependencies]
+env_logger = "0.10.0"
+test-log = "0.2.11"
+tokio = { version = "1.14.0", features = ["macros", "rt"] }
+
 # [target.'cfg(target_arch = "wasm32")'.profile.release]
 # opt-level = "z"

--- a/src/axum_lib.rs
+++ b/src/axum_lib.rs
@ -7,7 +7,7 @@ use axum::{
    },
    response::{self, IntoResponse, Redirect},
    routing::{delete, get, get_service, post},
-    AddExtensionLayer, Json, Router,
+    Json, Router,
 };
 use bb8_redis::{bb8, RedisConnectionManager};
 use figment::{
@ -25,7 +25,7 @@ use openidconnect::core::{
 };
 use rand::rngs::OsRng;
 use rsa::{
-    pkcs1::{FromRsaPrivateKey, ToRsaPrivateKey},
+    pkcs1::{DecodeRsaPrivateKey, EncodeRsaPrivateKey, LineEnding},
    RsaPrivateKey,
 };
 use std::net::SocketAddr;
@ -130,8 +130,9 @@ async fn sign_in(
    Query(params): Query<oidc::SignInParams>,
    TypedHeader(cookies): TypedHeader<headers::Cookie>,
    Extension(redis_client): Extension<RedisClient>,
+    Extension(config): Extension<config::Config>,
 ) -> Result<Redirect, CustomError> {
-    let url = oidc::sign_in(params, cookies, &redis_client).await?;
+    let url = oidc::sign_in(&config.base_url, params, cookies, &redis_client).await?;
    Ok(Redirect::to(
        url.as_str()
            .parse()
@ -273,7 +274,7 @@ pub async fn main() {
            .unwrap();

        info!("Generated key.");
-        info!("{:?}", private.to_pkcs1_pem().unwrap());
+        info!("{:?}", private.to_pkcs1_pem(LineEnding::LF).unwrap());
        private
    };

@ -355,9 +356,9 @@ pub async fn main() {
        .route(&format!("{}/:id", oidc::CLIENT_PATH), post(client_update))
        .route(oidc::SIGNIN_PATH, get(sign_in))
        .route("/health", get(healthcheck))
-        .layer(AddExtensionLayer::new(private_key))
-        .layer(AddExtensionLayer::new(config.clone()))
-        .layer(AddExtensionLayer::new(redis_client))
+        .layer(Extension(private_key))
+        .layer(Extension(config.clone()))
+        .layer(Extension(redis_client))
        .layer(TraceLayer::new_for_http());

    let addr = SocketAddr::from((config.address, config.port));
--- a/src/oidc.rs
+++ b/src/oidc.rs
@ -2,6 +2,7 @@ use anyhow::{anyhow, Result};
 use chrono::{Duration, Utc};
 use cookie::{Cookie, SameSite};
 use ethers_core::{types::H160, utils::to_checksum};
+use ethers_providers::{Http, Middleware, Provider};
 use headers::{self, authorization::Bearer};
 use hex::FromHex;
 use iri_string::types::UriString;
@ -23,9 +24,12 @@ use openidconnect::{
    ResponseTypes, Scope, StandardClaims, SubjectIdentifier, TokenUrl, UserInfoUrl,
 };
 use rand::{distributions::Alphanumeric, thread_rng, Rng};
-use rsa::{pkcs1::ToRsaPrivateKey, RsaPrivateKey};
+use rsa::{
+    pkcs1::{EncodeRsaPrivateKey, LineEnding},
+    RsaPrivateKey,
+};
 use serde::{Deserialize, Serialize};
-use siwe::{Message, TimeStamp, Version};
+use siwe::{Message, TimeStamp, VerificationOpts, Version};
 use std::{str::FromStr, time};
 use thiserror::Error;
 use tracing::{error, info};
@ -88,7 +92,7 @@ pub enum CustomError {

 fn jwk(private_key: RsaPrivateKey) -> Result<CoreRsaPrivateSigningKey> {
    let pem = private_key
-        .to_pkcs1_pem()
+        .to_pkcs1_pem(LineEnding::LF)
        .map_err(|e| anyhow!("Failed to serialise key as PEM: {}", e))?;
    CoreRsaPrivateSigningKey::from_pem(&pem, Some(JsonWebKeyId::new(KID.to_string())))
        .map_err(|e| anyhow!("Invalid RSA private key: {}", e))
@ -167,31 +171,53 @@ pub fn metadata(base_url: Url) -> Result<CoreProviderMetadata, CustomError> {
    Ok(pm)
 }

-async fn resolve_name(eth_provider: Option<Url>, address: H160) -> String {
-    let address_string = to_checksum(&address, None);
-    if eth_provider.is_none() {
-        return address_string;
-    }
-
-    use ethers_providers::{Http, Middleware, Provider};
-    let provider = match Provider::<Http>::try_from(eth_provider.unwrap().to_string()) {
-        Ok(p) => p,
+fn build_provider(eth_provider: Url) -> Result<Provider<Http>> {
+    match Provider::<Http>::try_from(eth_provider.to_string()) {
+        Ok(p) => Ok(p),
        Err(e) => {
            error!("Failed to initialise Eth provider: {}", e);
-            return address_string;
-        }
-    };
-    match provider.lookup_address(address).await {
-        Ok(n) => n,
-        Err(e) => {
-            error!("Failed to resolve Eth domain: {}", e);
-            address_string
+            Err(e)?
        }
    }
 }

-async fn resolve_avatar(_eth_provider: Option<Url>, _address: H160) -> Option<Url> {
-    None
+async fn resolve_name(eth_provider: Option<Url>, address: H160) -> Result<String, String> {
+    let address_string = to_checksum(&address, None);
+    let eth_provider = if let Some(p) = eth_provider {
+        p
+    } else {
+        return Err(address_string);
+    };
+    let provider = if let Ok(p) = build_provider(eth_provider) {
+        p
+    } else {
+        return Err(address_string);
+    };
+    match provider.lookup_address(address).await {
+        Ok(n) => Ok(n),
+        Err(e) => {
+            error!("Failed to resolve Eth domain: {}", e);
+            Err(address_string)
+        }
+    }
+}
+
+async fn resolve_avatar(eth_provider: Option<Url>, ens_name: &str) -> Option<Url> {
+    if let Some(provider) = eth_provider {
+        if let Ok(p) = build_provider(provider) {
+            match p.resolve_avatar(ens_name).await {
+                Ok(a) => Some(a),
+                Err(e) => {
+                    error!("Could not resolve avatar: {}", e);
+                    None
+                }
+            }
+        } else {
+            None
+        }
+    } else {
+        None
+    }
 }

 async fn resolve_claims(
@ -204,11 +230,17 @@ async fn resolve_claims(
        chain_id,
        to_checksum(&address, None)
    ));
+    let ens_name = resolve_name(eth_provider.clone(), address).await;
+    let username = match ens_name.clone() {
+        Ok(n) | Err(n) => n,
+    };
+    let avatar = match ens_name {
+        Ok(n) => resolve_avatar(eth_provider.clone(), &n).await,
+        Err(_) => None,
+    };
    StandardClaims::new(subject_id)
-        .set_preferred_username(Some(EndUserUsername::new(
-            resolve_name(eth_provider.clone(), address).await,
-        )))
-        .set_picture(resolve_avatar(eth_provider, address).await.map(|a| {
+        .set_preferred_username(Some(EndUserUsername::new(username)))
+        .set_picture(avatar.map(|a| {
            let mut avatar_localized = LocalizedClaim::new();
            avatar_localized.insert(None, EndUserPictureUrl::new(a.to_string()));
            avatar_localized
@ -296,7 +328,7 @@ pub async fn token(
    .set_auth_time(Some(code_entry.auth_time));

    let pem = private_key
-        .to_pkcs1_pem()
+        .to_pkcs1_pem(LineEnding::LF)
        .map_err(|e| anyhow!("Failed to serialise key as PEM: {}", e))?;

    let id_token = CoreIdToken::new(
@ -519,6 +551,7 @@ pub struct SignInParams {
 }

 pub async fn sign_in(
+    base_url: &Url,
    params: SignInParams,
    // cookies_header: String,
    cookies: headers::Cookie,
@ -572,17 +605,34 @@ pub async fn sign_in(
        .to_eip4361_message()
        .map_err(|e| anyhow!("Failed to serialise message: {}", e))?;
    info!("{}", message);
+
+    let domain = if let Some(d) = base_url.domain() {
+        match d.try_into() {
+            Ok(dd) => Some(dd),
+            Err(e) => {
+                error!("Failed to translate domain into authority: {}", e);
+                None
+            }
+        }
+    } else {
+        None
+    };
    message
-        .verify(signature)
-        .map_err(|e| anyhow!("Failed signature validation: {}", e))?;
+        .verify(
+            &signature,
+            &VerificationOpts {
+                domain,
+                nonce: Some(session_entry.siwe_nonce.clone()),
+                timestamp: None,
+            },
+        )
+        .await
+        .map_err(|e| anyhow!("Failed message verification: {}", e))?;

    let domain = params.redirect_uri.url();
    if *domain != Url::from_str(siwe_cookie.message.resources.get(0).unwrap().as_ref()).unwrap() {
        return Err(anyhow!("Conflicting domains in message and redirect").into());
    }
-    if session_entry.siwe_nonce != siwe_cookie.message.nonce {
-        return Err(anyhow!("Conflicting nonces in message and session").into());
-    }

    let code_entry = CodeEntry {
        address: siwe_cookie.message.address,
@ -775,3 +825,29 @@ pub async fn userinfo(
        }
    }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use test_log::test;
+
+    #[test(tokio::test)]
+    async fn test_claims() {
+        let res = resolve_claims(
+            Some("https://cloudflare-eth.com".try_into().unwrap()),
+            <[u8; 20]>::from_hex("d8da6bf26964af9d7eed9e03e53415d37aa96045")
+                .unwrap()
+                .into(),
+            1,
+        )
+        .await;
+        assert_eq!(
+            res.preferred_username().map(|u| u.to_string()),
+            Some("vitalik.eth".to_string())
+        );
+        assert_eq!(
+            res.picture().map(|u| u.get(None).unwrap().as_str()),
+            Some("https://ipfs.io/ipfs/QmSP4nq9fnN9dAiCj42ug9Wa79rqmQerZXZch82VqpiH7U/image.gif")
+        );
+    }
+}
--- a/src/worker_lib.rs
+++ b/src/worker_lib.rs
@ -4,7 +4,7 @@ use headers::{
    authorization::{Basic, Bearer, Credentials},
    Authorization, ContentType, Header, HeaderValue,
 };
-use rsa::{pkcs1::FromRsaPrivateKey, RsaPrivateKey};
+use rsa::{pkcs1::DecodeRsaPrivateKey, RsaPrivateKey};
 use worker::*;

 use super::db::CFClient;
@ -324,8 +324,9 @@ pub async fn main(req: Request, env: Env) -> Result<Response> {
                return Response::error("Missing cookies", 400);
            }
            let url = req.url()?;
+            let base_url = ctx.var(BASE_URL_KEY)?.to_string().parse().unwrap();
            let db_client = CFClient { ctx, url };
-            match oidc::sign_in(params, cookies.unwrap(), &db_client).await {
+            match oidc::sign_in(&base_url, params, cookies.unwrap(), &db_client).await {
                Ok(url) => Response::redirect(url),
                Err(e) => e.into(),
            }