conduit/src/database/uiaa.rs

use std::sync::Arc;

use crate::{client_server::SESSION_ID_LENGTH, utils, Error, Result};
use ruma::{
    api::client::{
        error::ErrorKind,
        r0::uiaa::{
            IncomingAuthData, IncomingPassword, IncomingUserIdentifier::MatrixId, UiaaInfo,
        },
    },
    signatures::CanonicalJsonValue,
    DeviceId, UserId,
};
use tracing::error;

use super::abstraction::Tree;

pub struct Uiaa {
    pub(super) userdevicesessionid_uiaainfo: Arc<dyn Tree>, // User-interactive authentication
    pub(super) userdevicesessionid_uiaarequest: Arc<dyn Tree>, // UiaaRequest = canonical json value
}

impl Uiaa {
    /// Creates a new Uiaa session. Make sure the session token is unique.
    pub fn create(
        &self,
        user_id: &UserId,
        device_id: &DeviceId,
        uiaainfo: &UiaaInfo,
        json_body: &CanonicalJsonValue,
    ) -> Result<()> {
        self.set_uiaa_request(
            user_id,
            device_id,
            uiaainfo.session.as_ref().expect("session should be set"), // TODO: better session error handling (why is it optional in ruma?)
            json_body,
        )?;
        self.update_uiaa_session(
            user_id,
            device_id,
            uiaainfo.session.as_ref().expect("session should be set"),
            Some(uiaainfo),
        )
    }

    pub fn try_auth(
        &self,
        user_id: &UserId,
        device_id: &DeviceId,
        auth: &IncomingAuthData,
        uiaainfo: &UiaaInfo,
        users: &super::users::Users,
        globals: &super::globals::Globals,
    ) -> Result<(bool, UiaaInfo)> {
        let mut uiaainfo = auth
            .session()
            .map(|session| self.get_uiaa_session(&user_id, &device_id, session))
            .unwrap_or_else(|| Ok(uiaainfo.clone()))?;

        if uiaainfo.session.is_none() {
            uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
        }

        match auth {
            // Find out what the user completed
            IncomingAuthData::Password(IncomingPassword {
                identifier,
                password,
                ..
            }) => {
                let username = match identifier {
                    MatrixId(username) => username,
                    _ => {
                        return Err(Error::BadRequest(
                            ErrorKind::Unrecognized,
                            "Identifier type not recognized.",
                        ))
                    }
                };

                let user_id =
                    UserId::parse_with_server_name(username.clone(), globals.server_name())
                        .map_err(|_| {
                            Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid.")
                        })?;

                // Check if password is correct
                if let Some(hash) = users.password_hash(&user_id)? {
                    let hash_matches =
                        argon2::verify_encoded(&hash, password.as_bytes()).unwrap_or(false);

                    if !hash_matches {
                        uiaainfo.auth_error = Some(ruma::api::client::error::ErrorBody {
                            kind: ErrorKind::Forbidden,
                            message: "Invalid username or password.".to_owned(),
                        });
                        return Ok((false, uiaainfo));
                    }
                }

                // Password was correct! Let's add it to `completed`
                uiaainfo.completed.push("m.login.password".to_owned());
            }
            IncomingAuthData::Dummy(_) => {
                uiaainfo.completed.push("m.login.dummy".to_owned());
            }
            k => error!("type not supported: {:?}", k),
        }

        // Check if a flow now succeeds
        let mut completed = false;
        'flows: for flow in &mut uiaainfo.flows {
            for stage in &flow.stages {
                if !uiaainfo.completed.contains(stage) {
                    continue 'flows;
                }
            }
            // We didn't break, so this flow succeeded!
            completed = true;
        }

        if !completed {
            self.update_uiaa_session(
                user_id,
                device_id,
                uiaainfo.session.as_ref().expect("session is always set"),
                Some(&uiaainfo),
            )?;
            return Ok((false, uiaainfo));
        }

        // UIAA was successful! Remove this session and return true
        self.update_uiaa_session(
            user_id,
            device_id,
            uiaainfo.session.as_ref().expect("session is always set"),
            None,
        )?;
        Ok((true, uiaainfo))
    }

    fn set_uiaa_request(
        &self,
        user_id: &UserId,
        device_id: &DeviceId,
        session: &str,
        request: &CanonicalJsonValue,
    ) -> Result<()> {
        let mut userdevicesessionid = user_id.as_bytes().to_vec();
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(device_id.as_bytes());
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(session.as_bytes());

        self.userdevicesessionid_uiaarequest.insert(
            &userdevicesessionid,
            &serde_json::to_vec(request).expect("json value to vec always works"),
        )?;

        Ok(())
    }

    pub fn get_uiaa_request(
        &self,
        user_id: &UserId,
        device_id: &DeviceId,
        session: &str,
    ) -> Result<Option<CanonicalJsonValue>> {
        let mut userdevicesessionid = user_id.as_bytes().to_vec();
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(device_id.as_bytes());
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(session.as_bytes());

        self.userdevicesessionid_uiaarequest
            .get(&userdevicesessionid)?
            .map_or(Ok(None), |bytes| {
                Ok::<_, Error>(Some(
                    serde_json::from_str::<CanonicalJsonValue>(
                        &utils::string_from_bytes(&bytes).map_err(|_| {
                            Error::bad_database("Invalid uiaa request bytes in db.")
                        })?,
                    )
                    .map_err(|_| Error::bad_database("Invalid uiaa request in db."))?,
                ))
            })
    }

    fn update_uiaa_session(
        &self,
        user_id: &UserId,
        device_id: &DeviceId,
        session: &str,
        uiaainfo: Option<&UiaaInfo>,
    ) -> Result<()> {
        let mut userdevicesessionid = user_id.as_bytes().to_vec();
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(device_id.as_bytes());
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(session.as_bytes());

        if let Some(uiaainfo) = uiaainfo {
            self.userdevicesessionid_uiaainfo.insert(
                &userdevicesessionid,
                &serde_json::to_vec(&uiaainfo).expect("UiaaInfo::to_vec always works"),
            )?;
        } else {
            self.userdevicesessionid_uiaainfo
                .remove(&userdevicesessionid)?;
        }

        Ok(())
    }

    fn get_uiaa_session(
        &self,
        user_id: &UserId,
        device_id: &DeviceId,
        session: &str,
    ) -> Result<UiaaInfo> {
        let mut userdevicesessionid = user_id.as_bytes().to_vec();
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(device_id.as_bytes());
        userdevicesessionid.push(0xff);
        userdevicesessionid.extend_from_slice(session.as_bytes());

        let uiaainfo = serde_json::from_slice::<UiaaInfo>(
            &self
                .userdevicesessionid_uiaainfo
                .get(&userdevicesessionid)?
                .ok_or(Error::BadRequest(
                    ErrorKind::Forbidden,
                    "UIAA session does not exist.",
                ))?,
        )
        .map_err(|_| Error::bad_database("UiaaInfo in userdeviceid_uiaainfo is invalid."))?;

        Ok(uiaainfo)
    }
}
feat: swappable database backend 2021-06-08 16:10:00 +00:00			`use std::sync::Arc;`

improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`use crate::{client_server::SESSION_ID_LENGTH, utils, Error, Result};`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`use ruma::{`
			`api::client::{`
			`error::ErrorKind,`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`r0::uiaa::{`
			`IncomingAuthData, IncomingPassword, IncomingUserIdentifier::MatrixId, UiaaInfo,`
			`},`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`},`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`signatures::CanonicalJsonValue,`
Upgrade ruma 2020-07-26 13:41:28 +00:00			`DeviceId, UserId,`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`};`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`use tracing::error;`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
feat: swappable database backend 2021-06-08 16:10:00 +00:00			`use super::abstraction::Tree;`

feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`pub struct Uiaa {`
feat: swappable database backend 2021-06-08 16:10:00 +00:00			`pub(super) userdevicesessionid_uiaainfo: Arc<dyn Tree>, // User-interactive authentication`
			`pub(super) userdevicesessionid_uiaarequest: Arc<dyn Tree>, // UiaaRequest = canonical json value`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`

			`impl Uiaa {`
			`/// Creates a new Uiaa session. Make sure the session token is unique.`
Update to latest ruma/master rev 2020-07-25 18:25:24 +00:00			`pub fn create(`
			`&self,`
			`user_id: &UserId,`
			`device_id: &DeviceId,`
			`uiaainfo: &UiaaInfo,`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`json_body: &CanonicalJsonValue,`
Update to latest ruma/master rev 2020-07-25 18:25:24 +00:00			`) -> Result<()> {`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`self.set_uiaa_request(`
			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session should be set"), // TODO: better session error handling (why is it optional in ruma?)`
			`json_body,`
			`)?;`
			`self.update_uiaa_session(`
			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session should be set"),`
			`Some(uiaainfo),`
			`)`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`

			`pub fn try_auth(`
			`&self,`
			`user_id: &UserId,`
Update to latest ruma/master rev 2020-07-25 18:25:24 +00:00			`device_id: &DeviceId,`
Keep track of State at event for state resolution feat: first steps towards joining rooms over federation Add state-res as a dependency of conduit Add reverse_topological_power_sort before append_pdu Implement statehashstatid_pduid tree for keeping track of state Clean up implementation of state_hash as key for tracking state 2020-08-06 12:29:59 +00:00			`auth: &IncomingAuthData,`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`uiaainfo: &UiaaInfo,`
			`users: &super::users::Users,`
			`globals: &super::globals::Globals,`
			`) -> Result<(bool, UiaaInfo)> {`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`let mut uiaainfo = auth`
			`.session()`
			`.map(\|session\| self.get_uiaa_session(&user_id, &device_id, session))`
			`.unwrap_or_else(\|\| Ok(uiaainfo.clone()))?;`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`if uiaainfo.session.is_none() {`
			`uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));`
			`}`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`match auth {`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`// Find out what the user completed`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`IncomingAuthData::Password(IncomingPassword {`
			`identifier,`
			`password,`
			`..`
			`}) => {`
			`let username = match identifier {`
			`MatrixId(username) => username,`
			`_ => {`
refactor: better error handling 2020-06-09 13:13:17 +00:00			`return Err(Error::BadRequest(`
			`ErrorKind::Unrecognized,`
			`"Identifier type not recognized.",`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`))`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`};`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`let user_id =`
			`UserId::parse_with_server_name(username.clone(), globals.server_name())`
refactor: better error handling 2020-06-09 13:13:17 +00:00			`.map_err(\|_\| {`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid.")`
			`})?;`

			`// Check if password is correct`
			`if let Some(hash) = users.password_hash(&user_id)? {`
			`let hash_matches =`
			`argon2::verify_encoded(&hash, password.as_bytes()).unwrap_or(false);`

			`if !hash_matches {`
			`uiaainfo.auth_error = Some(ruma::api::client::error::ErrorBody {`
			`kind: ErrorKind::Forbidden,`
			`message: "Invalid username or password.".to_owned(),`
			`});`
			`return Ok((false, uiaainfo));`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`
			`}`

improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			// Password was correct! Let's add it to `completed`
			`uiaainfo.completed.push("m.login.password".to_owned());`
			`}`
			`IncomingAuthData::Dummy(_) => {`
			`uiaainfo.completed.push("m.login.dummy".to_owned());`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`k => error!("type not supported: {:?}", k),`
			`}`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`// Check if a flow now succeeds`
			`let mut completed = false;`
			`'flows: for flow in &mut uiaainfo.flows {`
			`for stage in &flow.stages {`
			`if !uiaainfo.completed.contains(stage) {`
			`continue 'flows;`
			`}`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`// We didn't break, so this flow succeeded!`
			`completed = true;`
			`}`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`if !completed {`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`self.update_uiaa_session(`
			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session is always set"),`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`Some(&uiaainfo),`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`)?;`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00			`return Ok((false, uiaainfo));`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`
improvement: faster incoming transaction handling 2021-08-19 09:01:18 +00:00
			`// UIAA was successful! Remove this session and return true`
			`self.update_uiaa_session(`
			`user_id,`
			`device_id,`
			`uiaainfo.session.as_ref().expect("session is always set"),`
			`None,`
			`)?;`
			`Ok((true, uiaainfo))`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`

improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`fn set_uiaa_request(`
			`&self,`
			`user_id: &UserId,`
			`device_id: &DeviceId,`
			`session: &str,`
			`request: &CanonicalJsonValue,`
			`) -> Result<()> {`
			`let mut userdevicesessionid = user_id.as_bytes().to_vec();`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(device_id.as_bytes());`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(session.as_bytes());`

			`self.userdevicesessionid_uiaarequest.insert(`
			`&userdevicesessionid,`
feat: swappable database backend 2021-06-08 16:10:00 +00:00			`&serde_json::to_vec(request).expect("json value to vec always works"),`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`)?;`

			`Ok(())`
			`}`

			`pub fn get_uiaa_request(`
			`&self,`
			`user_id: &UserId,`
			`device_id: &DeviceId,`
			`session: &str,`
			`) -> Result<Option<CanonicalJsonValue>> {`
			`let mut userdevicesessionid = user_id.as_bytes().to_vec();`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(device_id.as_bytes());`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(session.as_bytes());`

			`self.userdevicesessionid_uiaarequest`
			`.get(&userdevicesessionid)?`
			`.map_or(Ok(None), \|bytes\| {`
			`Ok::<_, Error>(Some(`
			`serde_json::from_str::<CanonicalJsonValue>(`
			`&utils::string_from_bytes(&bytes).map_err(\|_\| {`
			`Error::bad_database("Invalid uiaa request bytes in db.")`
			`})?,`
			`)`
			`.map_err(\|_\| Error::bad_database("Invalid uiaa request in db."))?,`
			`))`
			`})`
			`}`

feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`fn update_uiaa_session(`
			`&self,`
			`user_id: &UserId,`
Update to latest ruma/master rev 2020-07-25 18:25:24 +00:00			`device_id: &DeviceId,`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`session: &str,`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`uiaainfo: Option<&UiaaInfo>,`
			`) -> Result<()> {`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`let mut userdevicesessionid = user_id.as_bytes().to_vec();`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(device_id.as_bytes());`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(session.as_bytes());`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
			`if let Some(uiaainfo) = uiaainfo {`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`self.userdevicesessionid_uiaainfo.insert(`
			`&userdevicesessionid,`
feat: swappable database backend 2021-06-08 16:10:00 +00:00			`&serde_json::to_vec(&uiaainfo).expect("UiaaInfo::to_vec always works"),`
refactor: better error handling 2020-06-09 13:13:17 +00:00			`)?;`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`} else {`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`self.userdevicesessionid_uiaainfo`
			`.remove(&userdevicesessionid)?;`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`}`

			`Ok(())`
			`}`

			`fn get_uiaa_session(`
			`&self,`
			`user_id: &UserId,`
Update to latest ruma/master rev 2020-07-25 18:25:24 +00:00			`device_id: &DeviceId,`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00			`session: &str,`
			`) -> Result<UiaaInfo> {`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`let mut userdevicesessionid = user_id.as_bytes().to_vec();`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(device_id.as_bytes());`
			`userdevicesessionid.push(0xff);`
			`userdevicesessionid.extend_from_slice(session.as_bytes());`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
			`let uiaainfo = serde_json::from_slice::<UiaaInfo>(`
			`&self`
improvement: uiaa works like in synapse 2021-05-04 17:03:18 +00:00			`.userdevicesessionid_uiaainfo`
			`.get(&userdevicesessionid)?`
refactor: better error handling 2020-06-09 13:13:17 +00:00			`.ok_or(Error::BadRequest(`
			`ErrorKind::Forbidden,`
			`"UIAA session does not exist.",`
			`))?,`
			`)`
improvement: log bad database errors automatically 2020-06-11 08:03:08 +00:00			`.map_err(\|_\| Error::bad_database("UiaaInfo in userdeviceid_uiaainfo is invalid."))?;`
feat: user interactive authentication 2020-06-06 16:44:50 +00:00
			`Ok(uiaainfo)`
			`}`
			`}`