char/matrix-rust-sdk
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

client: Add login_with_sso

Browse source
This commit is contained in:
Kévin Commaille 2021-03-23 15:30:40 +01:00
parent 6f59e895b6
commit 8679e81555
3 changed files with 273 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
matrix_sdk/Cargo.toml
View file

@ -25,8 +25,9 @@ markdown = ["matrix-sdk-base/markdown"]
native-tls = ["reqwest/native-tls"]
rustls-tls = ["reqwest/rustls-tls"]
socks = ["reqwest/socks"]
sso_login = ["warp", "rand", "tokio-stream"]
docs = ["encryption", "sled_cryptostore", "sled_state_store"]
docs = ["encryption", "sled_cryptostore", "sled_state_store", "sso_login"]
[dependencies]
dashmap = { version = "4.0.2", optional = true }
@ -38,6 +39,7 @@ tracing = "0.1.22"
url = "2.2.0"
zeroize = "1.2.0"
mime = "0.3.16"
rand = { version = "0.8.2", optional = true }
matrix-sdk-common = { version = "0.2.0", path = "../matrix_sdk_common" }
@ -50,6 +52,16 @@ default_features = false
version = "0.11.0"
default_features = false
[dependencies.tokio-stream]
version = "0.1.4"
features = ["net"]
optional = true
[dependencies.warp]
version = "0.3.0"
default-features = false
optional = true
[target.'cfg(not(target_arch = "wasm32"))'.dependencies.backoff]
version = "0.3.0"
features = ["tokio"]

256
matrix_sdk/src/client.rs
View file

@ -15,6 +15,12 @@
#[cfg(feature = "encryption")]
use std::{collections::BTreeMap, io::Write, path::PathBuf};
#[cfg(feature = "sso_login")]
use std::{
collections::HashMap,
io::{Error as IoError, ErrorKind as IoErrorKind},
ops::Range,
};
use std::{
convert::TryInto,
fmt::{self, Debug},
@ -29,9 +35,19 @@ use std::{
use dashmap::DashMap;
use futures_timer::Delay as sleep;
use http::HeaderValue;
#[cfg(feature = "sso_login")]
use http::Response;
use mime::{self, Mime};
#[cfg(feature = "sso_login")]
use rand::{thread_rng, Rng};
use reqwest::header::InvalidHeaderValue;
#[cfg(feature = "sso_login")]
use tokio::{net::TcpListener, sync::oneshot};
#[cfg(feature = "sso_login")]
use tokio_stream::wrappers::TcpListenerStream;
use url::Url;
#[cfg(feature = "sso_login")]
use warp::Filter;
#[cfg(feature = "encryption")]
use zeroize::Zeroizing;
@ -120,6 +136,12 @@ const SYNC_REQUEST_TIMEOUT: Duration = Duration::from_secs(15);
const DEFAULT_UPLOAD_SPEED: u64 = 125_000;
/// 5 min minimal upload request timeout, used to clamp the request timeout.
const MIN_UPLOAD_REQUEST_TIMEOUT: Duration = Duration::from_secs(60 * 5);
/// The range of ports the SSO server will try to bind to randomly
#[cfg(feature = "sso_login")]
const SSO_SERVER_BIND_RANGE: Range<u16> = 20000..30000;
/// The number of timesthe SSO server will try to bind to a random port
#[cfg(feature = "sso_login")]
const SSO_SERVER_BIND_TRIES: u8 = 10;
/// An async/await enabled Matrix client.
///
@ -738,6 +760,200 @@ impl Client {
Ok(response)
}
/// Login to the server via Single Sign-On.
///
/// This takes care of the whole SSO flow:
/// * Spawn a local http server
/// * Provide a callback to open the SSO login URL in a web browser
/// * Wait for the local http server to get the loginToken
/// * Call [`login_with_token`]
///
/// If cancellation is needed the method should be wrapped in a cancellable
/// task. **Note** that users with root access to the system have the ability
/// to snoop in on the data/token that is passed to the local HTTP server
/// that will be spawned.
///
/// If you need more control over the SSO login process, you should use
/// [`get_sso_login_url`] and [`login_with_token`] directly.
///
/// This should only be used for the first login.
///
/// The [`restore_login`] method should be used to restore a
/// logged in client after the first login.
///
/// A device id should be provided to restore the correct stores, if the
/// device id isn't provided a new device will be created.
///
/// # Arguments
///
/// * `use_sso_login_url` - A callback that will receive the SSO Login URL. It
/// should usually be used to open the SSO URL in a browser and must return
/// `Ok(())` if the URL was successfully opened. If it returns `Err`, the
/// error will be forwarded.
///
/// * `server_url` - The local URL the server is going to try to bind to, e.g.
/// `http://localhost:3030`. If `None`, the server will try to open a random
/// port on localhost.
///
/// * `server_response` - The text that will be shown on the webpage at the end
/// of the login process. This can be an HTML page. If `None`, a default
/// text will be displayed.
///
/// * `device_id` - A unique id that will be associated with this session. If
/// not given the homeserver will create one. Can be an existing device_id
/// from a previous login call. Note that this should be provided only
/// if the client also holds the encryption keys for this device.
///
/// * `initial_device_display_name` - A public display name that will be
/// associated with the device_id. Only necessary the first time you
/// login with this device_id. It can be changed later.
///
/// # Example
/// ```no_run
/// # use matrix_sdk::Client;
/// # use futures::executor::block_on;
/// # use url::Url;
/// # let homeserver = Url::parse("https://example.com").unwrap();
/// # block_on(async {
/// let client = Client::new(homeserver).unwrap();
///
/// let response = client
/// .login_with_sso(
/// |sso_url| async move {
/// // Open sso_url
/// Ok(())
/// },
/// None,
/// None,
/// None,
/// Some("My app")
/// )
/// .await
/// .unwrap();
///
/// println!("Logged in as {}, got device_id {} and access_token {}",
/// response.user_id, response.device_id, response.access_token);
/// # })
/// ```
///
/// [`get_sso_login_url`]: #method.get_sso_login_url
/// [`login_with_token`]: #method.login_with_token
/// [`restore_login`]: #method.restore_login
#[cfg(all(feature = "sso_login", not(target_arch = "wasm32")))]
#[cfg_attr(
feature = "docs",
doc(cfg(all(sso_login, not(target_arch = "wasm32"))))
)]
pub async fn login_with_sso<C>(
&self,
use_sso_login_url: impl Fn(String) -> C,
server_url: Option<&str>,
server_response: Option<&str>,
device_id: Option<&str>,
initial_device_display_name: Option<&str>,
) -> Result<login::Response>
where
C: Future<Output = Result<()>>,
{
info!("Logging in to {}", self.homeserver);
let (signal_tx, signal_rx) = oneshot::channel();
let (data_tx, data_rx) = oneshot::channel();
let data_tx_mutex = Arc::new(std::sync::Mutex::new(Some(data_tx)));
let mut redirect_url = match server_url {
Some(s) => match Url::parse(s) {
Ok(url) => url,
Err(err) => return Err(IoError::new(IoErrorKind::InvalidData, err).into()),
},
None => Url::parse("http://localhost:0/").unwrap(),
};
let response = match server_response {
Some(s) => s.to_string(),
None => String::from(
"The Single Sign-On login process is complete. You can close this page now.",
),
};
let route = warp::get()
.and(warp::query::<HashMap<String, String>>())
.map(move |p: HashMap<String, String>| {
if let Some(data_tx) = data_tx_mutex.lock().unwrap().take() {
if let Some(token) = p.get("loginToken") {
data_tx.send(Some(token.to_owned())).unwrap();
} else {
data_tx.send(None).unwrap();
}
}
Response::builder().body(response.clone())
});
let listener = {
if redirect_url
.port()
.expect("The redirect URL doesn't include a port")
== 0
{
let host = redirect_url
.host_str()
.expect("The redirect URL doesn't have a host");
let mut n = 0u8;
let mut port = 0u16;
let mut res = Err(IoError::new(IoErrorKind::Other, ""));
let mut rng = thread_rng();
while res.is_err() && n < SSO_SERVER_BIND_TRIES {
port = rng.gen_range(SSO_SERVER_BIND_RANGE);
res = TcpListener::bind((host, port)).await;
n += 1;
}
match res {
Ok(s) => {
redirect_url
.set_port(Some(port))
.expect("Could not set new port on redirect URL");
s
}
Err(err) => return Err(err.into()),
}
} else {
match TcpListener::bind(redirect_url.as_str()).await {
Ok(s) => s,
Err(err) => return Err(err.into()),
}
}
};
let server = warp::serve(route).serve_incoming_with_graceful_shutdown(
TcpListenerStream::new(listener),
async {
signal_rx.await.ok();
},
);
tokio::spawn(server);
let sso_url = self.get_sso_login_url(redirect_url.as_str()).unwrap();
match use_sso_login_url(sso_url).await {
Ok(t) => t,
Err(err) => return Err(err),
};
let token = match data_rx.await {
Ok(Some(t)) => t,
Ok(None) => {
return Err(IoError::new(IoErrorKind::Other, "Could not get the loginToken").into())
}
Err(err) => return Err(IoError::new(IoErrorKind::Other, format!("{}", err)).into()),
};
let _ = signal_tx.send(());
self.login_with_token(token.as_str(), device_id, initial_device_display_name)
.await
}
/// Login to the server with a token.
///
/// This token is usually received in the SSO flow after following the URL
@ -1990,6 +2206,46 @@ mod test {
assert!(logged_in, "Client should be logged in");
}
#[cfg(feature = "sso_login")]
#[tokio::test]
async fn login_with_sso() {
let _m_login = mock("POST", "/_matrix/client/r0/login")
.with_status(200)
.with_body(test_json::LOGIN.to_string())
.create();
let homeserver = Url::from_str(&mockito::server_url()).unwrap();
let client = Client::new(homeserver).unwrap();
client
.login_with_sso(
|sso_url| async move {
let sso_url = Url::parse(sso_url.as_str()).unwrap();
let (_, redirect) = sso_url
.query_pairs()
.find(|(key, _)| key == "redirectUrl")
.unwrap();
let mut redirect_url = Url::parse(redirect.into_owned().as_str()).unwrap();
redirect_url.set_query(Some("loginToken=tinytoken"));
reqwest::get(redirect_url.to_string()).await.unwrap();
Ok(())
},
None,
None,
None,
None,
)
.await
.unwrap();
let logged_in = client.logged_in().await;
assert!(logged_in, "Client should be logged in");
}
#[tokio::test]
async fn login_with_sso_token() {
let homeserver = Url::from_str(&mockito::server_url()).unwrap();

4
matrix_sdk/src/lib.rs
View file

@ -45,6 +45,7 @@
//! of Synapse in compliance with the Matrix API specification.
//! * `markdown`: Support for sending markdown formatted messages.
//! * `socks`: Enables SOCKS support in reqwest, the default HTTP client.
//! * `sso_login`: Enables SSO login with a local http server.
#![deny(
missing_debug_implementations,
@ -64,6 +65,9 @@ compile_error!("one of 'native-tls' or 'rustls-tls' features must be enabled");
#[cfg(all(feature = "native-tls", feature = "rustls-tls",))]
compile_error!("only one of 'native-tls' or 'rustls-tls' features can be enabled");
#[cfg(all(feature = "sso_login", target_arch = "wasm32"))]
compile_error!("'sso_login' cannot be enabled on 'wasm32' arch");
#[cfg(feature = "encryption")]
#[cfg_attr(feature = "docs", doc(cfg(encryption)))]
pub use matrix_sdk_base::crypto::{EncryptionInfo, LocalTrust};