turned handling proxy grpc into auth strategy

libsql-server/src/auth/errors.rs

@@ -26,6 +26,10 @@ pub enum AuthError {
     AuthStringMalformed,
     #[error("Expected authorization header but none given")]
     AuthHeaderNotFound,
+    #[error("Expected authorization proxy header but none given")]
+    AuthProxyHeaderNotFound,
+    #[error("Failed to parse auth proxy header")]
+    AuthProxyHeaderInvalid,
     #[error("Non-ASCII auth header")]
     AuthHeaderNonAscii,
     #[error("Authentication failed")]
@@ -47,6 +51,8 @@ impl AuthError {
             Self::JwtImmature => "AUTH_JWT_IMMATURE",
             Self::AuthStringMalformed => "AUTH_HEADER_MALFORMED",
             Self::AuthHeaderNotFound => "AUTH_HEADER_NOT_FOUND",
+            Self::AuthProxyHeaderNotFound => "AUTH_PROXY_HEADER_NOT_FOUND",
+            Self::AuthProxyHeaderInvalid => "AUTH_PROXY_HEADER_INVALID",
             Self::AuthHeaderNonAscii => "AUTH_HEADER_MALFORMED",
             Self::Other => "AUTH_FAILED",
         }

libsql-server/src/auth/mod.rs

@@ -13,24 +13,23 @@ pub use authorized::Authorized;
 pub use errors::AuthError;
 pub use parsers::{parse_http_auth_header, parse_http_basic_auth_arg, parse_jwt_key};
 pub use permission::Permission;
-pub use user_auth_strategies::{Disabled, HttpBasic, Jwt, UserAuthContext, UserAuthStrategy};
+pub use user_auth_strategies::{
+    Disabled, HttpBasic, Jwt, ProxyGrpc, UserAuthContext, UserAuthStrategy,
+};
 
 #[derive(Clone)]
 pub struct Auth {
-    pub user_strategy: Arc<dyn UserAuthStrategy + Send + Sync>,
+    pub strategy: Arc<dyn UserAuthStrategy + Send + Sync>,
 }
 
 impl Auth {
-    pub fn new(user_strategy: impl UserAuthStrategy + Send + Sync + 'static) -> Self {
+    pub fn new(strategy: impl UserAuthStrategy + Send + Sync + 'static) -> Self {
         Self {
-            user_strategy: Arc::new(user_strategy),
+            strategy: Arc::new(strategy),
         }
     }
 
-    pub fn authenticate(
-        &self,
-        context: Result<UserAuthContext, AuthError>,
-    ) -> Result<Authenticated, AuthError> {
-        self.user_strategy.authenticate(context)
+    pub fn authenticate(&self, context: UserAuthContext) -> Result<Authenticated, AuthError> {
+        self.strategy.authenticate(context)
     }
 }

libsql-server/src/auth/parsers.rs

@@ -1,4 +1,4 @@
-use crate::auth::{constants::GRPC_AUTH_HEADER, AuthError};
+use crate::auth::AuthError;
 
 use anyhow::{bail, Context as _, Result};
 use axum::http::HeaderValue;
@@ -36,12 +36,20 @@ pub fn parse_jwt_key(data: &str) -> Result<jsonwebtoken::DecodingKey> {
     }
 }
 
-pub(crate) fn parse_grpc_auth_header(metadata: &MetadataMap) -> Result<UserAuthContext, AuthError> {
-    metadata
-        .get(GRPC_AUTH_HEADER)
-        .ok_or(AuthError::AuthHeaderNotFound)
-        .and_then(|h| h.to_str().map_err(|_| AuthError::AuthHeaderNonAscii))
-        .and_then(|t| UserAuthContext::from_auth_str(t))
+pub(crate) fn parse_grpc_auth_header(
+    metadata: &MetadataMap,
+    required_fields: &Vec<String>,
+) -> UserAuthContext {
+    let mut context = UserAuthContext::empty();
+    for field in required_fields.iter() {
+        metadata
+            .get(field)
+            .map(|header| header.to_str().ok())
+            .and_then(|r| r)
+            .map(|v| context.add_field(field.into(), v.into()));
+    }
+
+    context
 }
 
 pub fn parse_http_auth_header<'a>(
@@ -79,40 +87,26 @@ mod tests {
     #[test]
     fn parse_grpc_auth_header_returns_valid_context() {
         let mut map = tonic::metadata::MetadataMap::new();
-        map.insert("x-authorization", "bearer 123".parse().unwrap());
-        let context = parse_grpc_auth_header(&map).unwrap();
-        assert_eq!(context.scheme().as_ref().unwrap(), "bearer");
-        assert_eq!(context.token().as_ref().unwrap(), "123");
-    }
-
-    #[test]
-    fn parse_grpc_auth_header_error_no_header() {
-        let map = tonic::metadata::MetadataMap::new();
-        let result = parse_grpc_auth_header(&map);
+        map.insert(
+            crate::auth::constants::GRPC_AUTH_HEADER,
+            "bearer 123".parse().unwrap(),
+        );
+        let required_fields = vec!["x-authorization".into()];
+        let context = parse_grpc_auth_header(&map, &required_fields);
         assert_eq!(
-            result.unwrap_err().to_string(),
-            "Expected authorization header but none given"
+            context.custom_fields.get("x-authorization"),
+            Some(&"bearer 123".to_string())
         );
     }
 
-    #[test]
-    fn parse_grpc_auth_header_error_non_ascii() {
-        let mut map = tonic::metadata::MetadataMap::new();
-        map.insert("x-authorization", "bearer I❤NY".parse().unwrap());
-        let result = parse_grpc_auth_header(&map);
-        assert_eq!(result.unwrap_err().to_string(), "Non-ASCII auth header")
-    }
-
-    #[test]
-    fn parse_grpc_auth_header_error_malformed_auth_str() {
-        let mut map = tonic::metadata::MetadataMap::new();
-        map.insert("x-authorization", "bearer123".parse().unwrap());
-        let result = parse_grpc_auth_header(&map);
-        assert_eq!(
-            result.unwrap_err().to_string(),
-            "Auth string does not conform to '<scheme> <token>' form"
-        )
-    }
+    // #[test] TODO rewrite
+    // fn parse_grpc_auth_header_error_non_ascii() {
+    //     let mut map = tonic::metadata::MetadataMap::new();
+    //     map.insert("x-authorization", "bearer I❤NY".parse().unwrap());
+    //     let required_fields = Vec::new();
+    //     let result = parse_grpc_auth_header(&map, &required_fields);
+    //     assert_eq!(result.unwrap_err().to_string(), "Non-ASCII auth header")
+    // }
 
     #[test]
     fn parse_http_auth_header_returns_auth_header_param_when_valid() {

libsql-server/src/auth/user_auth_strategies/disabled.rs

@@ -4,10 +4,7 @@ use crate::auth::{AuthError, Authenticated};
 pub struct Disabled {}
 
 impl UserAuthStrategy for Disabled {
-    fn authenticate(
-        &self,
-        _context: Result<UserAuthContext, AuthError>,
-    ) -> Result<Authenticated, AuthError> {
+    fn authenticate(&self, _context: UserAuthContext) -> Result<Authenticated, AuthError> {
         tracing::trace!("executing disabled auth");
         Ok(Authenticated::FullAccess)
     }
@@ -26,7 +23,7 @@ mod tests {
     #[test]
     fn authenticates() {
         let strategy = Disabled::new();
-        let context = Ok(UserAuthContext::empty());
+        let context = UserAuthContext::empty();
 
         assert!(matches!(
             strategy.authenticate(context).unwrap(),

libsql-server/src/auth/user_auth_strategies/http_basic.rs

@@ -7,27 +7,31 @@ pub struct HttpBasic {
 }
 
 impl UserAuthStrategy for HttpBasic {
-    fn authenticate(
-        &self,
-        context: Result<UserAuthContext, AuthError>,
-    ) -> Result<Authenticated, AuthError> {
+    fn authenticate(&self, ctx: UserAuthContext) -> Result<Authenticated, AuthError> {
         tracing::trace!("executing http basic auth");
+        let auth_str = None
+            .or_else(|| ctx.custom_fields.get("authorization"))
+            .or_else(|| ctx.custom_fields.get("x-authorization"));
+
+        let (_, token) = auth_str
+            .ok_or(AuthError::AuthHeaderNotFound)
+            .map(|s| s.split_once(' ').ok_or(AuthError::AuthStringMalformed))
+            .and_then(|o| o)?;
 
         // NOTE: this naive comparison may leak information about the `expected_value`
         // using a timing attack
         let expected_value = self.credential.trim_end_matches('=');
-
-        let creds_match = match context?.token {
-            Some(s) => s.contains(expected_value),
-            None => expected_value.is_empty(),
-        };
-
+        let creds_match = token.contains(expected_value);
         if creds_match {
             return Ok(Authenticated::FullAccess);
         }
 
         Err(AuthError::BasicRejected)
     }
+
+    fn required_fields(&self) -> Vec<String> {
+        vec!["authorization".to_string(), "x-authorization".to_string()]
+    }
 }
 
 impl HttpBasic {
@@ -48,7 +52,7 @@ mod tests {
 
     #[test]
     fn authenticates_with_valid_credential() {
-        let context = Ok(UserAuthContext::basic(CREDENTIAL));
+        let context = UserAuthContext::basic(CREDENTIAL);
 
         assert!(matches!(
             strategy().authenticate(context).unwrap(),
@@ -59,7 +63,7 @@ mod tests {
     #[test]
     fn authenticates_with_valid_trimmed_credential() {
         let credential = CREDENTIAL.trim_end_matches('=');
-        let context = Ok(UserAuthContext::basic(credential));
+        let context = UserAuthContext::basic(credential);
 
         assert!(matches!(
             strategy().authenticate(context).unwrap(),
@@ -69,7 +73,7 @@ mod tests {
 
     #[test]
     fn errors_when_credentials_do_not_match() {
-        let context = Ok(UserAuthContext::basic("abc"));
+        let context = UserAuthContext::basic("abc");
 
         assert_eq!(
             strategy().authenticate(context).unwrap_err(),

libsql-server/src/auth/user_auth_strategies/jwt.rs

@@ -12,28 +12,27 @@ pub struct Jwt {
 }
 
 impl UserAuthStrategy for Jwt {
-    fn authenticate(
-        &self,
-        context: Result<UserAuthContext, AuthError>,
-    ) -> Result<Authenticated, AuthError> {
+    fn authenticate(&self, ctx: UserAuthContext) -> Result<Authenticated, AuthError> {
         tracing::trace!("executing jwt auth");
+        let auth_str = None
+            .or_else(|| ctx.custom_fields.get("authorization"))
+            .or_else(|| ctx.custom_fields.get("x-authorization"))
+            .ok_or_else(|| AuthError::AuthHeaderNotFound)?;
 
-        let ctx = context?;
-
-        let UserAuthContext {
-            scheme: Some(scheme),
-            token: Some(token),
-        } = ctx
-        else {
-            return Err(AuthError::HttpAuthHeaderInvalid);
-        };
+        let (scheme, token) = auth_str
+            .split_once(' ')
+            .ok_or(AuthError::AuthStringMalformed)?;
 
         if !scheme.eq_ignore_ascii_case("bearer") {
             return Err(AuthError::HttpAuthHeaderUnsupportedScheme);
         }
 
         return validate_jwt(&self.key, &token);
     }
+
+    fn required_fields(&self) -> Vec<String> {
+        vec!["authentication".to_string()]
+    }
 }
 
 impl Jwt {
@@ -155,7 +154,7 @@ mod tests {
         };
         let token = encode(&token, &enc);
 
-        let context = Ok(UserAuthContext::bearer(token.as_str()));
+        let context = UserAuthContext::bearer(token.as_str());
 
         assert!(matches!(
             strategy(dec).authenticate(context).unwrap(),
@@ -177,8 +176,7 @@ mod tests {
         };
         let token = encode(&token, &enc);
 
-        let context = Ok(UserAuthContext::bearer(token.as_str()));
-
+        let context = UserAuthContext::bearer(token.as_str());
         let Authenticated::Legacy(a) = strategy(dec).authenticate(context).unwrap() else {
             panic!()
         };
@@ -190,7 +188,7 @@ mod tests {
     #[test]
     fn errors_when_jwt_token_invalid() {
         let (_enc, dec) = key_pair();
-        let context = Ok(UserAuthContext::bearer("abc"));
+        let context = UserAuthContext::bearer("abc");
 
         assert_eq!(
             strategy(dec).authenticate(context).unwrap_err(),
@@ -210,7 +208,7 @@ mod tests {
 
         let token = encode(&token, &enc);
 
-        let context = Ok(UserAuthContext::bearer(token.as_str()));
+        let context = UserAuthContext::bearer(token.as_str());
 
         assert_eq!(
             strategy(dec).authenticate(context).unwrap_err(),
@@ -232,7 +230,7 @@ mod tests {
 
         let token = encode(&token, &enc);
 
-        let context = Ok(UserAuthContext::bearer(token.as_str()));
+        let context = UserAuthContext::bearer(token.as_str());
 
         let Authenticated::Authorized(a) = strategy(dec).authenticate(context).unwrap() else {
             panic!()