use crate::dbs::Session;
use crate::err::Error;
use crate::iam::access::{authenticate_generic, authenticate_record};
#[cfg(feature = "jwks")]
use crate::iam::jwks;
use crate::iam::{issue::expiration, token::Claims, Actor, Auth, Level, Role};
use crate::kvs::{Datastore, LockType::*, TransactionType::*};
use crate::sql::access_type::{AccessType, Jwt, JwtAccessVerify};
use crate::sql::{statements::DefineUserStatement, Algorithm, Value};
use crate::syn;
use argon2::{Argon2, PasswordHash, PasswordVerifier};
use chrono::Utc;
use jsonwebtoken::{decode, DecodingKey, Validation};
use std::str::{self, FromStr};
use std::sync::Arc;
use std::sync::LazyLock;
fn config(alg: Algorithm, key: &[u8]) -> Result<(DecodingKey, Validation), Error> {
let (dec, mut val) = match alg {
Algorithm::Hs256 => {
(DecodingKey::from_secret(key), Validation::new(jsonwebtoken::Algorithm::HS256))
}
Algorithm::Hs384 => {
(DecodingKey::from_secret(key), Validation::new(jsonwebtoken::Algorithm::HS384))
}
Algorithm::Hs512 => {
(DecodingKey::from_secret(key), Validation::new(jsonwebtoken::Algorithm::HS512))
}
Algorithm::EdDSA => {
(DecodingKey::from_ed_pem(key)?, Validation::new(jsonwebtoken::Algorithm::EdDSA))
}
Algorithm::Es256 => {
(DecodingKey::from_ec_pem(key)?, Validation::new(jsonwebtoken::Algorithm::ES256))
}
Algorithm::Es384 => {
(DecodingKey::from_ec_pem(key)?, Validation::new(jsonwebtoken::Algorithm::ES384))
}
Algorithm::Es512 => {
(DecodingKey::from_ec_pem(key)?, Validation::new(jsonwebtoken::Algorithm::ES384))
}
Algorithm::Ps256 => {
(DecodingKey::from_rsa_pem(key)?, Validation::new(jsonwebtoken::Algorithm::PS256))
}
Algorithm::Ps384 => {
(DecodingKey::from_rsa_pem(key)?, Validation::new(jsonwebtoken::Algorithm::PS384))
}
Algorithm::Ps512 => {
(DecodingKey::from_rsa_pem(key)?, Validation::new(jsonwebtoken::Algorithm::PS512))
}
Algorithm::Rs256 => {
(DecodingKey::from_rsa_pem(key)?, Validation::new(jsonwebtoken::Algorithm::RS256))
}
Algorithm::Rs384 => {
(DecodingKey::from_rsa_pem(key)?, Validation::new(jsonwebtoken::Algorithm::RS384))
}
Algorithm::Rs512 => {
(DecodingKey::from_rsa_pem(key)?, Validation::new(jsonwebtoken::Algorithm::RS512))
}
};
val.validate_aud = false;
Ok((dec, val))
}
static KEY: LazyLock<DecodingKey> = LazyLock::new(|| DecodingKey::from_secret(&[]));
static DUD: LazyLock<Validation> = LazyLock::new(|| {
let mut validation = Validation::new(jsonwebtoken::Algorithm::HS256);
validation.insecure_disable_signature_validation();
validation.validate_nbf = false;
validation.validate_exp = false;
validation.validate_aud = false;
validation
});
pub async fn basic(
kvs: &Datastore,
session: &mut Session,
user: &str,
pass: &str,
ns: Option<&str>,
db: Option<&str>,
) -> Result<(), Error> {
trace!("Attempting basic authentication");
match (ns, db) {
(Some(ns), Some(db)) => match verify_db_creds(kvs, ns, db, user, pass).await {
Ok(u) => {
debug!("Authenticated as database user '{}'", user);
session.exp = expiration(u.duration.session)?;
session.au =
Arc::new((&u, Level::Database(ns.to_owned(), db.to_owned())).try_into()?);
Ok(())
}
Err(err) => Err(err),
},
(Some(ns), None) => match verify_ns_creds(kvs, ns, user, pass).await {
Ok(u) => {
debug!("Authenticated as namespace user '{}'", user);
session.exp = expiration(u.duration.session)?;
session.au = Arc::new((&u, Level::Namespace(ns.to_owned())).try_into()?);
Ok(())
}
Err(err) => Err(err),
},
(None, None) => match verify_root_creds(kvs, user, pass).await {
Ok(u) => {
debug!("Authenticated as root user '{}'", user);
session.exp = expiration(u.duration.session)?;
session.au = Arc::new((&u, Level::Root).try_into()?);
Ok(())
}
Err(err) => Err(err),
},
(None, Some(db)) => {
debug!(
"Attempted basic authentication in database '{db}' without specifying a namespace"
);
Err(Error::InvalidAuth)
}
}
}
pub async fn token(kvs: &Datastore, session: &mut Session, token: &str) -> Result<(), Error> {
trace!("Attempting token authentication");
let token_data = decode::<Claims>(token, &KEY, &DUD)?;
let value = (&token_data.claims).into();
if let Some(nbf) = token_data.claims.nbf {
if nbf > Utc::now().timestamp() {
debug!("Token verification failed due to the 'nbf' claim containing a future time");
return Err(Error::InvalidAuth);
}
}
if let Some(exp) = token_data.claims.exp {
if exp < Utc::now().timestamp() {
debug!("Token verification failed due to the 'exp' claim containing a past time");
return Err(Error::ExpiredToken);
}
}
match &token_data.claims {
Claims {
ns: Some(ns),
db: Some(db),
ac: Some(ac),
id: Some(id),
..
} => {
trace!("Authenticating with record access method `{}`", ac);
let tx = kvs.transaction(Read, Optimistic).await?;
let mut rid = syn::thing(id)?;
let de = tx.get_db_access(ns, db, ac).await?;
tx.cancel().await?;
let cf = match &de.kind {
AccessType::Record(at) => match &at.jwt.verify {
JwtAccessVerify::Key(key) => config(key.alg, key.key.as_bytes()),
#[cfg(feature = "jwks")]
JwtAccessVerify::Jwks(jwks) => {
if let Some(kid) = token_data.header.kid {
jwks::config(kvs, &kid, &jwks.url, token_data.header.alg).await
} else {
Err(Error::MissingTokenHeader("kid".to_string()))
}
}
#[cfg(not(feature = "jwks"))]
_ => return Err(Error::AccessMethodMismatch),
}?,
_ => return Err(Error::AccessMethodMismatch),
};
verify_token(token, &cf.0, &cf.1)?;
if let Some(au) = &de.authenticate {
let mut sess = Session::editor().with_ns(ns).with_db(db);
sess.rd = Some(rid.clone().into());
sess.tk = Some((&token_data.claims).into());
sess.ip.clone_from(&session.ip);
sess.or.clone_from(&session.or);
rid = authenticate_record(kvs, &sess, au).await?;
}
debug!("Authenticated with record access method `{}`", ac);
session.tk = Some(value);
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.ac = Some(ac.to_owned());
session.rd = Some(Value::from(rid.to_owned()));
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(
rid.to_string(),
Default::default(),
Level::Record(ns.to_string(), db.to_string(), rid.to_string()),
)));
Ok(())
}
Claims {
ns: Some(ns),
db: Some(db),
ac: Some(ac),
..
} => {
trace!("Authenticating to database `{}` with access method `{}`", db, ac);
let tx = kvs.transaction(Read, Optimistic).await?;
let de = tx.get_db_access(ns, db, ac).await?;
tx.cancel().await?;
match &de.kind {
AccessType::Jwt(_) | AccessType::Bearer(_) => {
let cf = match &de.kind.jwt().verify {
JwtAccessVerify::Key(key) => config(key.alg, key.key.as_bytes()),
#[cfg(feature = "jwks")]
JwtAccessVerify::Jwks(jwks) => {
if let Some(kid) = token_data.header.kid {
jwks::config(kvs, &kid, &jwks.url, token_data.header.alg).await
} else {
Err(Error::MissingTokenHeader("kid".to_string()))
}
}
#[cfg(not(feature = "jwks"))]
_ => return Err(Error::AccessMethodMismatch),
}?;
verify_token(token, &cf.0, &cf.1)?;
if let Some(au) = &de.authenticate {
let mut sess = Session::editor().with_ns(ns).with_db(db);
sess.tk = Some((&token_data.claims).into());
sess.ip.clone_from(&session.ip);
sess.or.clone_from(&session.or);
authenticate_generic(kvs, &sess, au).await?;
}
let roles = match &token_data.claims.roles {
None => vec![Role::Viewer],
Some(roles) => roles
.iter()
.map(|r| -> Result<Role, Error> {
Role::from_str(r.as_str()).map_err(Error::IamError)
})
.collect::<Result<Vec<_>, _>>()?,
};
debug!("Authenticated to database `{}` with access method `{}`", db, ac);
session.tk = Some(value);
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.ac = Some(ac.to_owned());
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(
de.name.to_string(),
roles,
Level::Database(ns.to_string(), db.to_string()),
)));
}
AccessType::Record(at) => match &de.authenticate {
Some(au) => {
trace!("Access method `{}` is record access with AUTHENTICATE clause", ac);
let cf = match &at.jwt.verify {
JwtAccessVerify::Key(key) => config(key.alg, key.key.as_bytes()),
#[cfg(feature = "jwks")]
JwtAccessVerify::Jwks(jwks) => {
if let Some(kid) = token_data.header.kid {
jwks::config(kvs, &kid, &jwks.url, token_data.header.alg).await
} else {
Err(Error::MissingTokenHeader("kid".to_string()))
}
}
#[cfg(not(feature = "jwks"))]
_ => return Err(Error::AccessMethodMismatch),
}?;
verify_token(token, &cf.0, &cf.1)?;
let mut sess = Session::editor().with_ns(ns).with_db(db);
sess.tk = Some((&token_data.claims).into());
sess.ip.clone_from(&session.ip);
sess.or.clone_from(&session.or);
let rid = authenticate_record(kvs, &sess, au).await?;
debug!("Authenticated with record access method `{}`", ac);
session.tk = Some(value);
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.ac = Some(ac.to_owned());
session.rd = Some(Value::from(rid.to_owned()));
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(
rid.to_string(),
Default::default(),
Level::Record(ns.to_string(), db.to_string(), rid.to_string()),
)));
}
_ => return Err(Error::AccessMethodMismatch),
},
};
Ok(())
}
Claims {
ns: Some(ns),
db: Some(db),
id: Some(id),
..
} => {
trace!("Authenticating to database `{}` with user `{}`", db, id);
let tx = kvs.transaction(Read, Optimistic).await?;
let de = tx.get_db_user(ns, db, id).await.map_err(|e| {
debug!("Error while authenticating to database `{db}`: {e}");
Error::InvalidAuth
})?;
tx.cancel().await?;
let cf = config(Algorithm::Hs512, de.code.as_bytes())?;
verify_token(token, &cf.0, &cf.1)?;
debug!("Authenticated to database `{}` with user `{}` using token", db, id);
session.tk = Some(value);
session.ns = Some(ns.to_owned());
session.db = Some(db.to_owned());
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(
id.to_string(),
de.roles.iter().map(Role::try_from).collect::<Result<_, _>>()?,
Level::Database(ns.to_string(), db.to_string()),
)));
Ok(())
}
Claims {
ns: Some(ns),
ac: Some(ac),
..
} => {
trace!("Authenticating to namespace `{}` with access method `{}`", ns, ac);
let tx = kvs.transaction(Read, Optimistic).await?;
let de = tx.get_ns_access(ns, ac).await?;
tx.cancel().await?;
let cf = match &de.kind {
AccessType::Jwt(_) | AccessType::Bearer(_) => match &de.kind.jwt().verify {
JwtAccessVerify::Key(key) => config(key.alg, key.key.as_bytes()),
#[cfg(feature = "jwks")]
JwtAccessVerify::Jwks(jwks) => {
if let Some(kid) = token_data.header.kid {
jwks::config(kvs, &kid, &jwks.url, token_data.header.alg).await
} else {
Err(Error::MissingTokenHeader("kid".to_string()))
}
}
#[cfg(not(feature = "jwks"))]
_ => return Err(Error::AccessMethodMismatch),
},
_ => return Err(Error::AccessMethodMismatch),
}?;
verify_token(token, &cf.0, &cf.1)?;
if let Some(au) = &de.authenticate {
let mut sess = Session::editor().with_ns(ns);
sess.tk = Some((&token_data.claims).into());
sess.ip.clone_from(&session.ip);
sess.or.clone_from(&session.or);
authenticate_generic(kvs, &sess, au).await?;
}
let roles = match &token_data.claims.roles {
None => vec![Role::Viewer],
Some(roles) => roles
.iter()
.map(|r| -> Result<Role, Error> {
Role::from_str(r.as_str()).map_err(Error::IamError)
})
.collect::<Result<Vec<_>, _>>()?,
};
debug!("Authenticated to namespace `{}` with access method `{}`", ns, ac);
session.tk = Some(value);
session.ns = Some(ns.to_owned());
session.ac = Some(ac.to_owned());
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(
de.name.to_string(),
roles,
Level::Namespace(ns.to_string()),
)));
Ok(())
}
Claims {
ns: Some(ns),
id: Some(id),
..
} => {
trace!("Authenticating to namespace `{}` with user `{}`", ns, id);
let tx = kvs.transaction(Read, Optimistic).await?;
let de = tx.get_ns_user(ns, id).await.map_err(|e| {
debug!("Error while authenticating to namespace `{ns}`: {e}");
Error::InvalidAuth
})?;
tx.cancel().await?;
let cf = config(Algorithm::Hs512, de.code.as_bytes())?;
verify_token(token, &cf.0, &cf.1)?;
debug!("Authenticated to namespace `{}` with user `{}` using token", ns, id);
session.tk = Some(value);
session.ns = Some(ns.to_owned());
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(
id.to_string(),
de.roles.iter().map(Role::try_from).collect::<Result<_, _>>()?,
Level::Namespace(ns.to_string()),
)));
Ok(())
}
Claims {
ac: Some(ac),
..
} => {
trace!("Authenticating to root with access method `{}`", ac);
let tx = kvs.transaction(Read, Optimistic).await?;
let de = tx.get_root_access(ac).await?;
tx.cancel().await?;
let cf = match &de.kind {
AccessType::Jwt(_) | AccessType::Bearer(_) => match &de.kind.jwt().verify {
JwtAccessVerify::Key(key) => config(key.alg, key.key.as_bytes()),
#[cfg(feature = "jwks")]
JwtAccessVerify::Jwks(jwks) => {
if let Some(kid) = token_data.header.kid {
jwks::config(kvs, &kid, &jwks.url, token_data.header.alg).await
} else {
Err(Error::MissingTokenHeader("kid".to_string()))
}
}
#[cfg(not(feature = "jwks"))]
_ => return Err(Error::AccessMethodMismatch),
},
_ => return Err(Error::AccessMethodMismatch),
}?;
verify_token(token, &cf.0, &cf.1)?;
if let Some(au) = &de.authenticate {
let mut sess = Session::editor();
sess.tk = Some((&token_data.claims).into());
sess.ip.clone_from(&session.ip);
sess.or.clone_from(&session.or);
authenticate_generic(kvs, &sess, au).await?;
}
let roles = match &token_data.claims.roles {
None => vec![Role::Viewer],
Some(roles) => roles
.iter()
.map(|r| -> Result<Role, Error> {
Role::from_str(r.as_str()).map_err(Error::IamError)
})
.collect::<Result<Vec<_>, _>>()?,
};
debug!("Authenticated to root with access method `{}`", ac);
session.tk = Some(value);
session.ac = Some(ac.to_owned());
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(de.name.to_string(), roles, Level::Root)));
Ok(())
}
Claims {
id: Some(id),
..
} => {
trace!("Authenticating to root level with user `{}`", id);
let tx = kvs.transaction(Read, Optimistic).await?;
let de = tx.get_root_user(id).await.map_err(|e| {
debug!("Error while authenticating to root: {e}");
Error::InvalidAuth
})?;
tx.cancel().await?;
let cf = config(Algorithm::Hs512, de.code.as_bytes())?;
verify_token(token, &cf.0, &cf.1)?;
debug!("Authenticated to root level with user `{}` using token", id);
session.tk = Some(value);
session.exp = expiration(de.duration.session)?;
session.au = Arc::new(Auth::new(Actor::new(
id.to_string(),
de.roles.iter().map(Role::try_from).collect::<Result<_, _>>()?,
Level::Root,
)));
Ok(())
}
_ => Err(Error::InvalidAuth),
}
}
pub async fn verify_root_creds(
ds: &Datastore,
user: &str,
pass: &str,
) -> Result<DefineUserStatement, Error> {
let tx = ds.transaction(Read, Optimistic).await?;
let user = tx.get_root_user(user).await.map_err(|e| {
debug!("Error retrieving user for authentication to root: {e}");
Error::InvalidAuth
})?;
tx.cancel().await?;
verify_pass(pass, user.hash.as_ref())?;
let user = (*user).clone();
Ok(user)
}
pub async fn verify_ns_creds(
ds: &Datastore,
ns: &str,
user: &str,
pass: &str,
) -> Result<DefineUserStatement, Error> {
let tx = ds.transaction(Read, Optimistic).await?;
let user = tx.get_ns_user(ns, user).await.map_err(|e| {
debug!("Error retrieving user for authentication to namespace `{ns}`: {e}");
Error::InvalidAuth
})?;
tx.cancel().await?;
verify_pass(pass, user.hash.as_ref())?;
let user = (*user).clone();
Ok(user)
}
pub async fn verify_db_creds(
ds: &Datastore,
ns: &str,
db: &str,
user: &str,
pass: &str,
) -> Result<DefineUserStatement, Error> {
let tx = ds.transaction(Read, Optimistic).await?;
let user = tx.get_db_user(ns, db, user).await.map_err(|e| {
debug!("Error retrieving user for authentication to database `{ns}/{db}`: {e}");
Error::InvalidAuth
})?;
tx.cancel().await?;
verify_pass(pass, user.hash.as_ref())?;
let user = (*user).clone();
Ok(user)
}
fn verify_pass(pass: &str, hash: &str) -> Result<(), Error> {
let hash = PasswordHash::new(hash).unwrap();
match Argon2::default().verify_password(pass.as_ref(), &hash) {
Ok(_) => Ok(()),
_ => Err(Error::InvalidPass),
}
}
fn verify_token(token: &str, key: &DecodingKey, validation: &Validation) -> Result<(), Error> {
match decode::<Claims>(token, key, validation) {
Ok(_) => Ok(()),
Err(err) => {
match err.kind() {
jsonwebtoken::errors::ErrorKind::ExpiredSignature => Err(Error::ExpiredToken),
_ => {
debug!("Error verifying authentication token: {err}");
Err(Error::InvalidAuth)
}
}
}
}
}
#[cfg(test)]
mod tests {
use super::*;
use crate::iam::token::{Audience, HEADER};
use argon2::password_hash::{PasswordHasher, SaltString};
use chrono::Duration;
use jsonwebtoken::{encode, EncodingKey};
struct TestLevel {
level: &'static str,
ns: Option<&'static str>,
db: Option<&'static str>,
}
const AVAILABLE_ROLES: [Role; 3] = [Role::Viewer, Role::Editor, Role::Owner];
#[tokio::test]
async fn test_basic() {
#[derive(Debug)]
struct TestCase {
title: &'static str,
password: &'static str,
roles: Vec<Role>,
expiration: Option<Duration>,
expect_ok: bool,
}
let test_cases = vec![
TestCase {
title: "without roles or expiration",
password: "pass",
roles: vec![Role::Viewer],
expiration: None,
expect_ok: true,
},
TestCase {
title: "with roles and expiration",
password: "pass",
roles: vec![Role::Editor, Role::Owner],
expiration: Some(Duration::days(1)),
expect_ok: true,
},
TestCase {
title: "with invalid password",
password: "invalid",
roles: vec![],
expiration: None,
expect_ok: false,
},
];
let test_levels = vec![
TestLevel {
level: "ROOT",
ns: None,
db: None,
},
TestLevel {
level: "NS",
ns: Some("test"),
db: None,
},
TestLevel {
level: "DB",
ns: Some("test"),
db: Some("test"),
},
];
for level in &test_levels {
for case in &test_cases {
println!("Test case: {} level {}", level.level, case.title);
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
let roles_clause = if case.roles.is_empty() {
String::new()
} else {
let roles: Vec<&str> = case
.roles
.iter()
.map(|r| match r {
Role::Viewer => "VIEWER",
Role::Editor => "EDITOR",
Role::Owner => "OWNER",
})
.collect();
format!("ROLES {}", roles.join(", "))
};
let duration_clause = if let Some(duration) = case.expiration {
format!("DURATION FOR SESSION {}s", duration.num_seconds())
} else {
String::new()
};
let define_user_query = format!(
"DEFINE USER user ON {} PASSWORD 'pass' {} {}",
level.level, roles_clause, duration_clause,
);
ds.execute(&define_user_query, &sess, None).await.unwrap();
let mut sess = Session {
ns: level.ns.map(String::from),
db: level.db.map(String::from),
..Default::default()
};
let res = basic(&ds, &mut sess, "user", case.password, level.ns, level.db).await;
if case.expect_ok {
assert!(res.is_ok(), "Failed to signin: {:?}", res);
assert_eq!(sess.au.id(), "user");
assert_eq!(sess.au.level().ns(), level.ns);
assert_eq!(sess.au.level().db(), level.db);
match level.level {
"ROOT" => assert!(sess.au.is_root()),
"NS" => assert!(sess.au.is_ns()),
"DB" => assert!(sess.au.is_db()),
_ => panic!("Unsupported level"),
}
for role in AVAILABLE_ROLES {
let has_role = sess.au.has_role(role);
let should_have_role = case.roles.contains(&role);
assert_eq!(has_role, should_have_role, "Role {:?} check failed", role);
}
if let Some(exp_duration) = case.expiration {
let exp = sess.exp.unwrap();
let min_exp =
(Utc::now() + exp_duration - Duration::seconds(10)).timestamp();
let max_exp =
(Utc::now() + exp_duration + Duration::seconds(10)).timestamp();
assert!(
exp > min_exp && exp < max_exp,
"Session expiration is expected to match the defined duration"
);
} else {
assert_eq!(sess.exp, None, "Expiration is expected to be None");
}
} else {
assert!(res.is_err(), "Unexpected successful signin: {:?}", res);
}
}
}
}
#[tokio::test]
async fn test_basic_nonexistent_role() {
use crate::iam::Error as IamError;
use crate::sql::{
statements::{define::DefineStatement, DefineUserStatement},
user::UserDuration,
Base, Statement,
};
let test_levels = vec![
TestLevel {
level: "ROOT",
ns: None,
db: None,
},
TestLevel {
level: "NS",
ns: Some("test"),
db: None,
},
TestLevel {
level: "DB",
ns: Some("test"),
db: Some("test"),
},
];
for level in &test_levels {
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
let base = match level.level {
"ROOT" => Base::Root,
"NS" => Base::Ns,
"DB" => Base::Db,
_ => panic!("Unsupported level"),
};
let user = DefineUserStatement {
base,
name: "user".into(),
hash: "$argon2id$v=19$m=16,t=2,p=1$VUlHTHVOYjc5d0I1dGE3OQ$sVtmRNH+Xtiijk0uXL2+4w"
.to_string(),
code: "dummy".to_string(),
roles: vec!["nonexistent".into()],
duration: UserDuration::default(),
comment: None,
if_not_exists: false,
overwrite: false,
};
ds.process(Statement::Define(DefineStatement::User(user)).into(), &sess, None)
.await
.unwrap();
let mut sess = Session {
ns: level.ns.map(String::from),
db: level.db.map(String::from),
..Default::default()
};
let res = basic(&ds, &mut sess, "user", "pass", level.ns, level.db).await;
match res {
Err(Error::IamError(IamError::InvalidRole(_))) => {} res => {
panic!("Expected an invalid role IAM error, but instead received: {:?}", res)
}
}
}
}
#[tokio::test]
async fn test_token() {
#[derive(Debug)]
struct TestCase {
title: &'static str,
roles: Option<Vec<&'static str>>,
key: &'static str,
expect_roles: Vec<Role>,
expect_error: bool,
}
let test_cases = vec![
TestCase {
title: "with no roles",
roles: None,
key: "secret",
expect_roles: vec![Role::Viewer],
expect_error: false,
},
TestCase {
title: "with roles",
roles: Some(vec!["editor", "owner"]),
key: "secret",
expect_roles: vec![Role::Editor, Role::Owner],
expect_error: false,
},
TestCase {
title: "with nonexistent roles",
roles: Some(vec!["viewer", "nonexistent"]),
key: "secret",
expect_roles: vec![],
expect_error: true,
},
TestCase {
title: "with invalid token signature",
roles: None,
key: "invalid",
expect_roles: vec![],
expect_error: true,
},
];
let test_levels = vec![
TestLevel {
level: "ROOT",
ns: None,
db: None,
},
TestLevel {
level: "NS",
ns: Some("test"),
db: None,
},
TestLevel {
level: "DB",
ns: Some("test"),
db: Some("test"),
},
];
let claims = Claims {
iss: Some("surrealdb-test".to_string()),
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ac: Some("token".to_string()),
..Claims::default()
};
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
for level in &test_levels {
ds.execute(
format!(
r#"
DEFINE ACCESS token ON {} TYPE JWT
ALGORITHM HS512 KEY 'secret' DURATION FOR SESSION 30d
;
"#,
level.level
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
for case in &test_cases {
println!("Test case: {} level {}", level.level, case.title);
let mut claims = claims.clone();
claims.ns = level.ns.map(|s| s.to_string());
claims.db = level.db.map(|s| s.to_string());
claims.roles =
case.roles.clone().map(|roles| roles.into_iter().map(String::from).collect());
let key = EncodingKey::from_secret(case.key.as_ref());
let enc = encode(&HEADER, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
if case.expect_error {
assert!(res.is_err(), "Unexpected success for case: {:?}", case);
} else {
assert!(res.is_ok(), "Failed to sign in with token for case: {:?}", case);
assert_eq!(sess.ns, level.ns.map(|s| s.to_string()));
assert_eq!(sess.db, level.db.map(|s| s.to_string()));
assert_eq!(sess.au.id(), "token");
for role in AVAILABLE_ROLES {
let has_role = sess.au.has_role(role);
let should_have_role = case.expect_roles.contains(&role);
assert_eq!(has_role, should_have_role, "Role {:?} check failed", role);
}
let exp = sess.exp.unwrap();
let min_exp =
(Utc::now() + Duration::days(30) - Duration::seconds(10)).timestamp();
let max_exp =
(Utc::now() + Duration::days(30) + Duration::seconds(10)).timestamp();
assert!(
exp > min_exp && exp < max_exp,
"Session expiration is expected to match the defined duration in case: {:?}",
case
);
}
}
}
}
#[tokio::test]
async fn test_token_record() {
#[derive(Debug)]
struct TestCase {
title: &'static str,
ids: Vec<&'static str>,
roles: Option<Vec<&'static str>>,
key: &'static str,
expect_error: bool,
}
let test_cases = vec![
TestCase {
title: "with no roles",
ids: vec!["user:test"],
roles: None,
key: "secret",
expect_error: false,
},
TestCase {
title: "with roles",
ids: vec!["user:test"],
roles: Some(vec!["editor", "owner"]),
key: "secret",
expect_error: false,
},
TestCase {
title: "with invalid token signature",
ids: vec!["user:test"],
roles: None,
key: "invalid",
expect_error: true,
},
TestCase {
title: "with invalid id",
ids: vec!["invalid"],
roles: None,
key: "invalid",
expect_error: true,
},
TestCase {
title: "with generic id",
ids: vec!["user:2k9qnabxuxh8k4d5gfto"],
roles: None,
key: "secret",
expect_error: false,
},
TestCase {
title: "with numeric ids",
ids: vec!["user:1", "user:2", "user:100", "user:10000000"],
roles: None,
key: "secret",
expect_error: false,
},
TestCase {
title: "with alphanumeric ids",
ids: vec!["user:username", "user:username1", "user:username10", "user:username100"],
roles: None,
key: "secret",
expect_error: false,
},
TestCase {
title: "with ids including special characters",
ids: vec![
"user:⟨user.name⟩",
"user:⟨user.name1⟩",
"user:⟨user.name10⟩",
"user:⟨user.name100⟩",
],
roles: None,
key: "secret",
expect_error: false,
},
TestCase {
title: "with UUID ids",
ids: vec!["user:⟨83149446-95f5-4c0d-9f42-136e7b272456⟩"],
roles: None,
key: "secret",
expect_error: false,
},
];
let secret = "secret";
let claims = Claims {
iss: Some("surrealdb-test".to_string()),
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ns: Some("test".to_string()),
db: Some("test".to_string()),
ac: Some("token".to_string()),
..Claims::default()
};
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!(
r#"
DEFINE ACCESS token ON DATABASE TYPE RECORD
WITH JWT ALGORITHM HS512 KEY '{secret}'
DURATION FOR SESSION 30d;
CREATE user:test;
"#
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
for case in &test_cases {
println!("Test case: {}", case.title);
for id in &case.ids {
let mut claims = claims.clone();
claims.id = Some(id.to_string());
claims.roles =
case.roles.clone().map(|roles| roles.into_iter().map(String::from).collect());
let key = EncodingKey::from_secret(case.key.as_ref());
let enc = encode(&HEADER, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
if case.expect_error {
assert!(res.is_err(), "Unexpected success for case: {:?}", case);
} else {
assert!(res.is_ok(), "Failed to sign in with token for case: {:?}", case);
assert_eq!(sess.ns, Some("test".to_string()));
assert_eq!(sess.db, Some("test".to_string()));
assert_eq!(sess.au.id(), *id);
for role in AVAILABLE_ROLES {
assert!(
!sess.au.has_role(role),
"Auth user expected to not have role {:?} in case: {:?}",
role,
case
);
}
let exp = sess.exp.unwrap();
let min_exp =
(Utc::now() + Duration::days(30) - Duration::seconds(10)).timestamp();
let max_exp =
(Utc::now() + Duration::days(30) + Duration::seconds(10)).timestamp();
assert!(
exp > min_exp && exp < max_exp,
"Session expiration is expected to match the defined duration in case: {:?}",
case
);
}
}
}
}
#[tokio::test]
async fn test_token_record_custom_claims() {
use std::collections::HashMap;
let secret = "jwt_secret";
let key = EncodingKey::from_secret(secret.as_ref());
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!(
r#"
DEFINE ACCESS token ON DATABASE TYPE RECORD
WITH JWT ALGORITHM HS512 KEY '{secret}'
DURATION FOR SESSION 30d;
CREATE user:test;
"#
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
let now = Utc::now().timestamp();
let later = (Utc::now() + Duration::hours(1)).timestamp();
{
let claims_json = format!(
r#"
{{
"iss": "surrealdb-test",
"iat": {now},
"nbf": {now},
"exp": {later},
"ns": "test",
"db": "test",
"ac": "token",
"id": "user:test",
"string_claim": "test",
"bool_claim": true,
"int_claim": 123456,
"float_claim": 123.456,
"array_claim": [
"test_1",
"test_2"
],
"object_claim": {{
"test_1": "value_1",
"test_2": {{
"test_2_1": "value_2_1",
"test_2_2": "value_2_2"
}}
}}
}}
"#
);
let claims = serde_json::from_str::<Claims>(&claims_json).unwrap();
let enc = match encode(&HEADER, &claims, &key) {
Ok(enc) => enc,
Err(err) => panic!("Failed to encode token: {:?}", err),
};
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
assert!(res.is_ok(), "Failed to signin with token: {:?}", res);
assert_eq!(sess.ns, Some("test".to_string()));
assert_eq!(sess.db, Some("test".to_string()));
assert_eq!(sess.ac, Some("token".to_string()));
assert_eq!(sess.au.id(), "user:test");
assert!(sess.au.is_record());
assert_eq!(sess.au.level().ns(), Some("test"));
assert_eq!(sess.au.level().db(), Some("test"));
assert!(!sess.au.has_role(Role::Viewer), "Auth user expected to not have Viewer role");
assert!(!sess.au.has_role(Role::Editor), "Auth user expected to not have Editor role");
assert!(!sess.au.has_role(Role::Owner), "Auth user expected to not have Owner role");
let exp = sess.exp.unwrap();
let min_exp = (Utc::now() + Duration::days(30) - Duration::seconds(10)).timestamp();
let max_exp = (Utc::now() + Duration::days(30) + Duration::seconds(10)).timestamp();
assert!(
exp > min_exp && exp < max_exp,
"Session expiration is expected to match the defined duration"
);
let tk = match sess.tk {
Some(Value::Object(tk)) => tk,
_ => panic!("Session token is not an object"),
};
let string_claim = tk.get("string_claim").unwrap();
assert_eq!(*string_claim, Value::Strand("test".into()));
let bool_claim = tk.get("bool_claim").unwrap();
assert_eq!(*bool_claim, Value::Bool(true));
let int_claim = tk.get("int_claim").unwrap();
assert_eq!(*int_claim, Value::Number(123456.into()));
let float_claim = tk.get("float_claim").unwrap();
assert_eq!(*float_claim, Value::Number(123.456.into()));
let array_claim = tk.get("array_claim").unwrap();
assert_eq!(*array_claim, Value::Array(vec!["test_1", "test_2"].into()));
let object_claim = tk.get("object_claim").unwrap();
let mut test_object: HashMap<String, Value> = HashMap::new();
test_object.insert("test_1".to_string(), Value::Strand("value_1".into()));
let mut test_object_child = HashMap::new();
test_object_child.insert("test_2_1".to_string(), Value::Strand("value_2_1".into()));
test_object_child.insert("test_2_2".to_string(), Value::Strand("value_2_2".into()));
test_object.insert("test_2".to_string(), Value::Object(test_object_child.into()));
assert_eq!(*object_claim, Value::Object(test_object.into()));
}
}
#[cfg(feature = "jwks")]
#[tokio::test]
async fn test_token_record_jwks() {
use crate::dbs::capabilities::{Capabilities, NetTarget, Targets};
use base64::{engine::general_purpose::STANDARD_NO_PAD, Engine};
use jsonwebtoken::jwk::{Jwk, JwkSet};
use rand::{distributions::Alphanumeric, Rng};
use wiremock::matchers::{method, path};
use wiremock::{Mock, MockServer, ResponseTemplate};
fn random_path() -> String {
let rng = rand::thread_rng();
rng.sample_iter(&Alphanumeric).take(8).map(char::from).collect()
}
let kid = "test_kid";
let secret = "jwt_secret";
let jwks = JwkSet {
keys: vec![Jwk {
common: jsonwebtoken::jwk::CommonParameters {
public_key_use: None,
key_operations: None,
key_algorithm: Some(jsonwebtoken::jwk::KeyAlgorithm::HS512),
key_id: Some(kid.to_string()),
x509_url: None,
x509_chain: None,
x509_sha1_fingerprint: None,
x509_sha256_fingerprint: None,
},
algorithm: jsonwebtoken::jwk::AlgorithmParameters::OctetKey(
jsonwebtoken::jwk::OctetKeyParameters {
key_type: jsonwebtoken::jwk::OctetKeyType::Octet,
value: STANDARD_NO_PAD.encode(secret),
},
),
}],
};
let jwks_path = format!("{}/jwks.json", random_path());
let mock_server = MockServer::start().await;
let response = ResponseTemplate::new(200).set_body_json(jwks);
Mock::given(method("GET"))
.and(path(&jwks_path))
.respond_with(response)
.expect(1)
.mount(&mock_server)
.await;
let server_url = mock_server.uri();
let ds = Datastore::new("memory").await.unwrap().with_capabilities(
Capabilities::default().with_network_targets(Targets::<NetTarget>::Some(
[NetTarget::from_str("127.0.0.1").unwrap()].into(),
)),
);
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!(
r#"
DEFINE ACCESS token ON DATABASE TYPE RECORD
WITH JWT URL '{server_url}/{jwks_path}';
CREATE user:test;
"#
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
let header_with_kid = jsonwebtoken::Header {
kid: Some(kid.to_string()),
alg: jsonwebtoken::Algorithm::HS512,
..jsonwebtoken::Header::default()
};
let key = EncodingKey::from_secret(secret.as_ref());
let claims = Claims {
iss: Some("surrealdb-test".to_string()),
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
aud: Some(Audience::Single("surrealdb-test".to_string())),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ns: Some("test".to_string()),
db: Some("test".to_string()),
ac: Some("token".to_string()),
id: Some("user:test".to_string()),
..Claims::default()
};
{
let mut claims = claims.clone();
claims.roles = None;
let enc = encode(&header_with_kid, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
assert!(res.is_ok(), "Failed to signin with token: {:?}", res);
assert_eq!(sess.ns, Some("test".to_string()));
assert_eq!(sess.db, Some("test".to_string()));
assert_eq!(sess.ac, Some("token".to_string()));
assert_eq!(sess.au.id(), "user:test");
assert!(sess.au.is_record());
assert_eq!(sess.au.level().ns(), Some("test"));
assert_eq!(sess.au.level().db(), Some("test"));
assert!(!sess.au.has_role(Role::Viewer), "Auth user expected to not have Viewer role");
assert!(!sess.au.has_role(Role::Editor), "Auth user expected to not have Editor role");
assert!(!sess.au.has_role(Role::Owner), "Auth user expected to not have Owner role");
assert_eq!(sess.exp, None, "Default session expiration is expected to be None");
}
{
let claims = claims.clone();
let key = EncodingKey::from_secret("invalid".as_ref());
let enc = encode(&header_with_kid, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
assert!(res.is_err(), "Unexpected success signing in with token: {:?}", res);
}
}
#[test]
fn test_verify_pass() {
let salt = SaltString::generate(&mut rand::thread_rng());
let hash = Argon2::default().hash_password("test".as_bytes(), &salt).unwrap().to_string();
verify_pass("test", &hash).unwrap();
assert!(verify_pass("nonmatching", &hash).is_err());
}
#[tokio::test]
async fn test_verify_creds_invalid() {
let ds = Datastore::new("memory").await.unwrap();
let ns = "N".to_string();
let db = "D".to_string();
{
assert!(verify_root_creds(&ds, "test", "test").await.is_err());
}
{
assert!(verify_ns_creds(&ds, &ns, "test", "test").await.is_err());
}
{
assert!(verify_db_creds(&ds, &ns, &db, "test", "test").await.is_err());
}
}
#[tokio::test]
async fn test_verify_creds_valid() {
let ds = Datastore::new("memory").await.unwrap();
let ns = "N".to_string();
let db = "D".to_string();
{
let sess = Session::owner();
let sql = "DEFINE USER root ON ROOT PASSWORD 'root'";
ds.execute(sql, &sess, None).await.unwrap();
let sql = "USE NS N; DEFINE USER ns ON NS PASSWORD 'ns'";
ds.execute(sql, &sess, None).await.unwrap();
let sql = "USE NS N DB D; DEFINE USER db ON DB PASSWORD 'db'";
ds.execute(sql, &sess, None).await.unwrap();
}
{
let res = verify_root_creds(&ds, "root", "root").await;
res.unwrap();
}
{
let res = verify_ns_creds(&ds, &ns, "ns", "ns").await;
res.unwrap();
}
{
let res = verify_db_creds(&ds, &ns, &db, "db", "db").await;
res.unwrap();
}
}
#[tokio::test]
async fn test_expired_token() {
let secret = "jwt_secret";
let key = EncodingKey::from_secret(secret.as_ref());
let claims = Claims {
iss: Some("surrealdb-test".to_string()),
iat: Some((Utc::now() - Duration::hours(2)).timestamp()),
nbf: Some((Utc::now() - Duration::hours(2)).timestamp()),
exp: Some((Utc::now() - Duration::hours(1)).timestamp()),
ac: Some("token".to_string()),
ns: Some("test".to_string()),
db: Some("test".to_string()),
..Claims::default()
};
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!("DEFINE ACCESS token ON DATABASE TYPE JWT ALGORITHM HS512 KEY '{secret}' DURATION FOR SESSION 30d, FOR TOKEN 30d")
.as_str(),
&sess,
None,
)
.await
.unwrap();
let mut claims = claims.clone();
claims.roles = None;
let enc = encode(&HEADER, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
match res {
Err(Error::ExpiredToken) => {} Err(err) => panic!("Unexpected error signing in with expired token: {:?}", err),
res => panic!("Unexpected success signing in with expired token: {:?}", res),
}
}
#[tokio::test]
async fn test_token_authenticate_clause() {
#[derive(Debug)]
struct TestCase {
title: &'static str,
iss_claim: Option<&'static str>,
aud_claim: Option<Audience>,
error_statement: &'static str,
expected_error: Option<Error>,
}
let test_cases = vec![
TestCase {
title: "with correct 'iss' and 'aud' claims",
iss_claim: Some("surrealdb-test"),
aud_claim: Some(Audience::Single("surrealdb-test".to_string())),
error_statement: "THROW",
expected_error: None,
},
TestCase {
title: "with correct 'iss' and 'aud' claims, multiple audiences",
iss_claim: Some("surrealdb-test"),
aud_claim: Some(Audience::Multiple(vec![
"invalid".to_string(),
"surrealdb-test".to_string(),
])),
error_statement: "THROW",
expected_error: None,
},
TestCase {
title: "with correct 'iss' claim but invalid 'aud' claim",
iss_claim: Some("surrealdb-test"),
aud_claim: Some(Audience::Single("invalid".to_string())),
error_statement: "THROW",
expected_error: Some(Error::Thrown("Invalid token audience string".to_string())),
},
TestCase {
title: "with correct 'iss' claim but invalid 'aud' claim, multiple audiences",
iss_claim: Some("surrealdb-test"),
aud_claim: Some(Audience::Multiple(vec![
"invalid".to_string(),
"surrealdb-test-different".to_string(),
])),
error_statement: "THROW",
expected_error: Some(Error::Thrown("Invalid token audience array".to_string())),
},
TestCase {
title: "with correct 'iss' claim but invalid 'aud' claim, generic error",
iss_claim: Some("surrealdb-test"),
aud_claim: Some(Audience::Single("invalid".to_string())),
error_statement: "RETURN",
expected_error: Some(Error::InvalidAuth),
},
];
let test_levels = vec![
TestLevel {
level: "ROOT",
ns: None,
db: None,
},
TestLevel {
level: "NS",
ns: Some("test"),
db: None,
},
TestLevel {
level: "DB",
ns: Some("test"),
db: Some("test"),
},
];
let secret = "secret";
let key = EncodingKey::from_secret(secret.as_ref());
let claims = Claims {
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ac: Some("user".to_string()),
..Claims::default()
};
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
for level in &test_levels {
for case in &test_cases {
println!("Test case: {} level {}", level.level, case.title);
ds.execute(
format!(
r#"
REMOVE ACCESS IF EXISTS user ON {0};
DEFINE ACCESS user ON {0} TYPE JWT
ALGORITHM HS512 KEY '{1}'
AUTHENTICATE {{
IF $token.iss != "surrealdb-test" {{ {2} "Invalid token issuer" }};
IF type::is::array($token.aud) {{
IF "surrealdb-test" NOT IN $token.aud {{ {2} "Invalid token audience array" }}
}} ELSE {{
IF $token.aud IS NOT "surrealdb-test" {{ {2} "Invalid token audience string" }}
}};
}}
DURATION FOR SESSION 2h
;
"#,
level.level, secret, case.error_statement,
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
let mut claims = claims.clone();
claims.ns = level.ns.map(|s| s.to_string());
claims.db = level.db.map(|s| s.to_string());
claims.iss = case.iss_claim.map(|s| s.to_string());
claims.aud = case.aud_claim.clone();
let enc = encode(&HEADER, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
if let Some(expected_err) = &case.expected_error {
assert!(res.is_err(), "Unexpected success for case: {:?}", case);
let err = res.unwrap_err();
match (expected_err, &err) {
(Error::InvalidAuth, Error::InvalidAuth) => {}
(Error::Thrown(expected_msg), Error::Thrown(msg))
if expected_msg == msg => {}
_ => panic!("Unexpected error for case: {:?}, got: {:?}", case, err),
}
} else {
assert!(res.is_ok(), "Failed to sign in with token for case: {:?}", case);
assert_eq!(sess.ns, level.ns.map(|s| s.to_string()));
assert_eq!(sess.db, level.db.map(|s| s.to_string()));
assert_eq!(sess.ac, Some("user".to_string()));
assert_eq!(sess.au.id(), "user");
assert_eq!(sess.au.level().ns(), level.ns);
assert_eq!(sess.au.level().db(), level.db);
match level.level {
"ROOT" => assert!(sess.au.is_root()),
"NS" => assert!(sess.au.is_ns()),
"DB" => assert!(sess.au.is_db()),
_ => panic!("Unsupported level"),
}
assert!(
sess.au.has_role(Role::Viewer),
"Auth user expected to have Viewer role"
);
assert!(
!sess.au.has_role(Role::Editor),
"Auth user expected to not have Editor role"
);
assert!(
!sess.au.has_role(Role::Owner),
"Auth user expected to not have Owner role"
);
let exp = sess.exp.unwrap();
let min_exp =
(Utc::now() + Duration::hours(2) - Duration::seconds(10)).timestamp();
let max_exp =
(Utc::now() + Duration::hours(2) + Duration::seconds(10)).timestamp();
assert!(
exp > min_exp && exp < max_exp,
"Session expiration is expected to match the defined duration in case: {:?}",
case
);
}
}
}
}
#[tokio::test]
async fn test_token_record_and_authenticate_clause() {
{
let secret = "jwt_secret";
let key = EncodingKey::from_secret(secret.as_ref());
let claims = Claims {
iss: Some("surrealdb-test".to_string()),
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ns: Some("test".to_string()),
db: Some("test".to_string()),
ac: Some("user".to_string()),
id: Some("user:1".to_string()),
..Claims::default()
};
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!(
r#"
DEFINE ACCESS user ON DATABASE TYPE RECORD
WITH JWT ALGORITHM HS512 KEY '{secret}'
AUTHENTICATE (
-- Simple example increasing the record identifier by one
SELECT * FROM type::thing('user', record::id($auth) + 1)
)
DURATION FOR SESSION 2h
;
CREATE user:1, user:2;
"#
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
let mut claims = claims.clone();
claims.roles = None;
let enc = encode(&HEADER, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
assert!(res.is_ok(), "Failed to signin with token: {:?}", res);
assert_eq!(sess.ns, Some("test".to_string()));
assert_eq!(sess.db, Some("test".to_string()));
assert_eq!(sess.ac, Some("user".to_string()));
assert_eq!(sess.au.id(), "user:2");
assert!(sess.au.is_record());
assert_eq!(sess.au.level().ns(), Some("test"));
assert_eq!(sess.au.level().db(), Some("test"));
assert_eq!(sess.au.level().id(), Some("user:2"));
assert!(!sess.au.has_role(Role::Viewer), "Auth user expected to not have Viewer role");
assert!(!sess.au.has_role(Role::Editor), "Auth user expected to not have Editor role");
assert!(!sess.au.has_role(Role::Owner), "Auth user expected to not have Owner role");
let exp = sess.exp.unwrap();
let min_exp = (Utc::now() + Duration::hours(2) - Duration::seconds(10)).timestamp();
let max_exp = (Utc::now() + Duration::hours(2) + Duration::seconds(10)).timestamp();
assert!(
exp > min_exp && exp < max_exp,
"Session expiration is expected to follow the defined duration"
);
}
{
let secret = "jwt_secret";
let key = EncodingKey::from_secret(secret.as_ref());
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!(
r#"
DEFINE ACCESS user ON DATABASE TYPE RECORD
SIGNIN (
SELECT * FROM type::thing('user', $id)
)
WITH JWT ALGORITHM HS512 KEY '{secret}'
AUTHENTICATE (
SELECT id FROM user WHERE email = $token.email
)
DURATION FOR SESSION 2h
;
CREATE user:1 SET email = "info@surrealdb.com";
"#
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
let now = Utc::now().timestamp();
let later = (Utc::now() + Duration::hours(1)).timestamp();
let claims_json = format!(
r#"
{{
"iss": "surrealdb-test",
"iat": {now},
"nbf": {now},
"exp": {later},
"ns": "test",
"db": "test",
"ac": "user",
"email": "info@surrealdb.com"
}}
"#
);
let claims = serde_json::from_str::<Claims>(&claims_json).unwrap();
let enc = match encode(&HEADER, &claims, &key) {
Ok(enc) => enc,
Err(err) => panic!("Failed to encode token: {:?}", err),
};
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
assert!(res.is_ok(), "Failed to signin with token: {:?}", res);
assert_eq!(sess.ns, Some("test".to_string()));
assert_eq!(sess.db, Some("test".to_string()));
assert_eq!(sess.ac, Some("user".to_string()));
assert_eq!(sess.au.id(), "user:1");
assert!(sess.au.is_record());
assert_eq!(sess.au.level().ns(), Some("test"));
assert_eq!(sess.au.level().db(), Some("test"));
assert_eq!(sess.au.level().id(), Some("user:1"));
assert!(!sess.au.has_role(Role::Viewer), "Auth user expected to not have Viewer role");
assert!(!sess.au.has_role(Role::Editor), "Auth user expected to not have Editor role");
assert!(!sess.au.has_role(Role::Owner), "Auth user expected to not have Owner role");
let exp = sess.exp.unwrap();
let min_exp = (Utc::now() + Duration::hours(2) - Duration::seconds(10)).timestamp();
let max_exp = (Utc::now() + Duration::hours(2) + Duration::seconds(10)).timestamp();
assert!(
exp > min_exp && exp < max_exp,
"Session expiration is expected to follow the defined duration"
);
}
{
let secret = "jwt_secret";
let key = EncodingKey::from_secret(secret.as_ref());
let claims = Claims {
iss: Some("surrealdb-test".to_string()),
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ns: Some("test".to_string()),
db: Some("test".to_string()),
ac: Some("user".to_string()),
id: Some("user:1".to_string()),
..Claims::default()
};
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!(r#"
DEFINE ACCESS user ON DATABASE TYPE RECORD
WITH JWT ALGORITHM HS512 KEY '{secret}'
AUTHENTICATE {{
-- Not just signin, this clause runs across signin, signup and authenticate, which makes it a nice place to centralize logic
IF !$auth.enabled {{
THROW "This user is not enabled";
}};
-- Always need to return the user id back, otherwise auth generically fails
RETURN $auth;
}}
DURATION FOR SESSION 2h
;
CREATE user:1 SET enabled = false;
"#).as_str(),
&sess,
None,
)
.await
.unwrap();
let mut claims = claims.clone();
claims.roles = None;
let enc = encode(&HEADER, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
match res {
Err(Error::Thrown(e)) if e == "This user is not enabled" => {} res => panic!(
"Expected authentication to failed due to user not being enabled, but instead received: {:?}",
res
),
}
}
{
let secret = "jwt_secret";
let key = EncodingKey::from_secret(secret.as_ref());
let claims = Claims {
iss: Some("surrealdb-test".to_string()),
iat: Some(Utc::now().timestamp()),
nbf: Some(Utc::now().timestamp()),
exp: Some((Utc::now() + Duration::hours(1)).timestamp()),
ns: Some("test".to_string()),
db: Some("test".to_string()),
ac: Some("user".to_string()),
id: Some("user:test".to_string()),
..Claims::default()
};
let ds = Datastore::new("memory").await.unwrap();
let sess = Session::owner().with_ns("test").with_db("test");
ds.execute(
format!(
r#"
DEFINE ACCESS user ON DATABASE TYPE RECORD
WITH JWT ALGORITHM HS512 KEY '{secret}'
AUTHENTICATE {{}}
DURATION FOR SESSION 2h
;
CREATE user:1;
"#
)
.as_str(),
&sess,
None,
)
.await
.unwrap();
let mut claims = claims.clone();
claims.roles = None;
let enc = encode(&HEADER, &claims, &key).unwrap();
let mut sess = Session::default();
let res = token(&ds, &mut sess, &enc).await;
match res {
Err(Error::InvalidAuth) => {} res => panic!(
"Expected authentication to generally fail, but instead received: {:?}",
res
),
}
}
}
}