1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
use crate::error::{AuthErrorOr, Error};

use serde::{Deserialize, Serialize};
use time::OffsetDateTime;

/// Represents a token returned by oauth2 servers. All tokens are Bearer tokens. Other types of
/// tokens are not supported.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Deserialize, Serialize)]
pub struct AccessToken {
    access_token: Option<String>,
    expires_at: Option<OffsetDateTime>,
}

impl AccessToken {
    /// A string representation of the access token.
    pub fn token(&self) -> Option<&str> {
        self.access_token.as_deref()
    }

    /// The time at which the tokens will expire, if any.
    pub fn expiration_time(&self) -> Option<OffsetDateTime> {
        self.expires_at
    }

    /// Determine if the access token is expired.
    ///
    /// This will report that the token is expired 1 minute prior to the expiration time to ensure
    /// that when the token is actually sent to the server it's still valid.
    pub fn is_expired(&self) -> bool {
        // Consider the token expired if it's within 1 minute of it's expiration time.
        self.expires_at
            .map(|expiration_time| {
                expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc()
            })
            .unwrap_or(false)
    }
}

impl From<TokenInfo> for AccessToken {
    fn from(
        TokenInfo {
            access_token,
            expires_at,
            ..
        }: TokenInfo,
    ) -> Self {
        AccessToken {
            access_token,
            expires_at,
        }
    }
}

/// Represents a token as returned by OAuth2 servers.
///
/// It is produced by all authentication flows.
/// It authenticates certain operations, and must be refreshed once it reached it's expiry date.
#[derive(Clone, PartialEq, Debug, Deserialize, Serialize)]
pub struct TokenInfo {
    /// used when authorizing calls to oauth2 enabled services.
    pub access_token: Option<String>,
    /// used to refresh an expired access_token.
    pub refresh_token: Option<String>,
    /// The time when the token expires.
    pub expires_at: Option<OffsetDateTime>,
    /// Optionally included by the OAuth2 server and may contain information to verify the identity
    /// used to obtain the access token.
    /// Specifically Google API:s include this if the additional scopes "email" and/or "profile"
    /// are used. In that case the content is an JWT token.
    pub id_token: Option<String>,
}

impl TokenInfo {
    pub(crate) fn from_json(json_data: &[u8]) -> Result<TokenInfo, Error> {
        #[derive(Deserialize)]
        struct RawToken {
            access_token: Option<String>,
            refresh_token: Option<String>,
            token_type: Option<String>,
            expires_in: Option<i64>,
            id_token: Option<String>,
        }

        // Serialize first to a `serde_json::Value` then to `AuthErrorOr<RawToken>` to work around this bug in
        // serde_json: https://github.com/serde-rs/json/issues/559
        let raw_token = serde_json::from_slice::<serde_json::Value>(json_data)?;
        let RawToken {
            access_token,
            refresh_token,
            token_type,
            expires_in,
            id_token,
        } = <AuthErrorOr<RawToken>>::deserialize(raw_token)?.into_result()?;

        match token_type {
            Some(token_ty) if !token_ty.eq_ignore_ascii_case("bearer") => {
                use std::io;
                return Err(io::Error::new(
                    io::ErrorKind::InvalidData,
                    format!(
                        r#"unknown token type returned; expected "bearer" found {}"#,
                        token_ty
                    ),
                )
                .into());
            }
            _ => (),
        }

        let expires_at = match expires_in {
            Some(seconds_from_now) => {
                Some(OffsetDateTime::now_utc() + time::Duration::seconds(seconds_from_now))
            }
            None if id_token.is_some() && access_token.is_none() => {
                // If the response contains only an ID token, an expiration date may not be
                // returned. According to the docs, the tokens are always valid for 1 hour.
                //
                // https://cloud.google.com/iam/docs/create-short-lived-credentials-direct#sa-credentials-oidc
                Some(OffsetDateTime::now_utc() + time::Duration::HOUR)
            }
            None => None,
        };

        Ok(TokenInfo {
            id_token,
            access_token,
            refresh_token,
            expires_at,
        })
    }

    /// Returns true if we are expired.
    pub fn is_expired(&self) -> bool {
        self.expires_at
            .map(|expiration_time| {
                expiration_time - time::Duration::minutes(1) <= OffsetDateTime::now_utc()
            })
            .unwrap_or(false)
    }
}

/// Represents either 'installed' or 'web' applications in a json secrets file.
/// See `ConsoleApplicationSecret` for more information
#[derive(Deserialize, Serialize, Clone, Default, Debug)]
pub struct ApplicationSecret {
    /// The client ID.
    pub client_id: String,
    /// The client secret.
    pub client_secret: String,
    /// The token server endpoint URI.
    pub token_uri: String,
    /// The authorization server endpoint URI.
    pub auth_uri: String,
    /// The redirect uris.
    pub redirect_uris: Vec<String>,
    /// Name of the google project the credentials are associated with
    pub project_id: Option<String>,
    /// The service account email associated with the client.
    pub client_email: Option<String>,
    /// The URL of the public x509 certificate, used to verify the signature on JWTs, such
    /// as ID tokens, signed by the authentication provider.
    pub auth_provider_x509_cert_url: Option<String>,
    ///  The URL of the public x509 certificate, used to verify JWTs signed by the client.
    pub client_x509_cert_url: Option<String>,
}

/// A type to facilitate reading and writing the json secret file
/// as returned by the [google developer console](https://code.google.com/apis/console)
#[derive(Deserialize, Serialize, Default, Debug)]
pub struct ConsoleApplicationSecret {
    /// web app secret
    pub web: Option<ApplicationSecret>,
    /// installed app secret
    pub installed: Option<ApplicationSecret>,
}

#[cfg(test)]
pub mod tests {
    use super::*;

    pub const SECRET: &str =
        "{\"installed\":{\"auth_uri\":\"https://accounts.google.com/o/oauth2/auth\",\
         \"client_secret\":\"UqkDJd5RFwnHoiG5x5Rub8SI\",\"token_uri\":\"https://accounts.google.\
         com/o/oauth2/token\",\"client_email\":\"\",\"redirect_uris\":[\"urn:ietf:wg:oauth:2.0:\
         oob\",\"oob\"],\"client_x509_cert_url\":\"\",\"client_id\":\
         \"14070749909-vgip2f1okm7bkvajhi9jugan6126io9v.apps.googleusercontent.com\",\
         \"auth_provider_x509_cert_url\":\"https://www.googleapis.com/oauth2/v1/certs\"}}";

    #[test]
    fn console_secret() {
        use serde_json as json;
        match json::from_str::<ConsoleApplicationSecret>(SECRET) {
            Ok(s) => assert!(s.installed.is_some() && s.web.is_none()),
            Err(err) => panic!(
                "Encountered error parsing ConsoleApplicationSecret: {}",
                err
            ),
        }
    }

    #[test]
    fn default_expiry_for_id_token_only() {
        // If only an ID token is present, set a default expiration date
        let json = r#"{"id_token": "id"}"#;

        let token = TokenInfo::from_json(json.as_bytes()).unwrap();
        assert_eq!(token.id_token, Some("id".to_owned()));

        let expiry = token.expires_at.unwrap();
        assert!(expiry <= time::OffsetDateTime::now_utc() + time::Duration::HOUR);
    }

    #[test]
    fn no_default_expiry_for_access_token() {
        // Don't set a default expiration date if an access token is returned
        let json = r#"{"access_token": "access", "id_token": "id"}"#;

        let token = TokenInfo::from_json(json.as_bytes()).unwrap();
        assert_eq!(token.access_token, Some("access".to_owned()));
        assert_eq!(token.id_token, Some("id".to_owned()));
        assert_eq!(token.expires_at, None);
    }
}