Define admin users and extend AuthCheck to handle them

LawnGnome · LawnGnome · commit e44958657d4c · 2023-06-07T15:32:08.000-07:00
This adds a concept of admin users, who are defined by their GitHub IDs,
and allows them to be defined through an environment variable, falling
back to a static list of the current `crates.io` team.

`AuthCheck` now has a builder method to require that the current cookie
or token belong to an admin user.

In the future, this will be extended to use Rust's team API for the
fallback.
diff --git a/.env.sample b/.env.sample
@@ -72,3 +72,7 @@ export GH_CLIENT_SECRET=
 # Credentials for connecting to the Sentry error reporting service.
 # export SENTRY_DSN_API=
 export SENTRY_ENV_API=local
+
+# IDs of GitHub users that are admins on this instance, separated by commas.
+# Whitespace will be ignored.
+export GH_ADMIN_USER_IDS=
diff --git a/src/auth.rs b/src/auth.rs
@@ -1,5 +1,8 @@
+use std::collections::HashSet;
+
 use crate::controllers;
 use crate::controllers::util::RequestPartsExt;
+use crate::middleware::app::RequestApp;
 use crate::middleware::log_request::RequestLogExt;
 use crate::middleware::session::RequestSession;
 use crate::models::token::{CrateScope, EndpointScope};
@@ -16,6 +19,7 @@ pub struct AuthCheck {
     allow_token: bool,
     endpoint_scope: Option<EndpointScope>,
     crate_name: Option<String>,
+    require_admin: bool,
 }
 
 impl AuthCheck {
@@ -27,6 +31,7 @@ impl AuthCheck {
             allow_token: true,
             endpoint_scope: None,
             crate_name: None,
+            require_admin: false,
         }
     }
 
@@ -36,6 +41,7 @@ impl AuthCheck {
             allow_token: false,
             endpoint_scope: None,
             crate_name: None,
+            require_admin: false,
         }
     }
 
@@ -44,6 +50,7 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: Some(endpoint_scope),
             crate_name: self.crate_name.clone(),
+            require_admin: self.require_admin,
         }
     }
 
@@ -52,6 +59,16 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: self.endpoint_scope,
             crate_name: Some(crate_name.to_string()),
+            require_admin: self.require_admin,
+        }
+    }
+
+    pub fn require_admin(&self) -> Self {
+        Self {
+            allow_token: self.allow_token,
+            endpoint_scope: self.endpoint_scope,
+            crate_name: self.crate_name.clone(),
+            require_admin: true,
         }
     }
 
@@ -61,8 +78,17 @@ impl AuthCheck {
         request: &T,
         conn: &mut PgConnection,
     ) -> AppResult<Authentication> {
-        let auth = authenticate(request, conn)?;
+        self.check_authentication(
+            authenticate(request, conn)?,
+            &request.app().config.gh_admin_user_ids,
+        )
+    }
 
+    fn check_authentication(
+        &self,
+        auth: Authentication,
+        gh_admin_user_ids: &HashSet<i32>,
+    ) -> AppResult<Authentication> {
         if let Some(token) = auth.api_token() {
             if !self.allow_token {
                 let error_message =
@@ -81,6 +107,11 @@ impl AuthCheck {
             }
         }
 
+        if self.require_admin && !gh_admin_user_ids.contains(&auth.user().gh_id) {
+            let error_message = "User is unauthorized";
+            return Err(internal(error_message).chain(forbidden()));
+        }
+
         Ok(auth)
     }
 
@@ -343,4 +374,43 @@ mod tests {
         assert!(!auth_check.crate_scope_matches(Some(&vec![cs("anyhow")])));
         assert!(!auth_check.crate_scope_matches(Some(&vec![cs("actix-*")])));
     }
+
+    #[test]
+    fn require_admin() {
+        let auth_check = AuthCheck::default().require_admin();
+        let gh_admin_user_ids = [42, 43].into_iter().collect();
+
+        assert_ok!(auth_check.check_authentication(mock_cookie(42), &gh_admin_user_ids));
+        assert_err!(auth_check.check_authentication(mock_cookie(44), &gh_admin_user_ids));
+        assert_ok!(auth_check.check_authentication(mock_token(43), &gh_admin_user_ids));
+        assert_err!(auth_check.check_authentication(mock_token(45), &gh_admin_user_ids));
+    }
+
+    fn mock_user(gh_id: i32) -> User {
+        User {
+            id: 3,
+            gh_access_token: "arbitrary".into(),
+            gh_login: "literally_anything".into(),
+            name: None,
+            gh_avatar: None,
+            gh_id,
+            account_lock_reason: None,
+            account_lock_until: None,
+        }
+    }
+
+    fn mock_cookie(gh_id: i32) -> Authentication {
+        Authentication::Cookie(CookieAuthentication {
+            user: mock_user(gh_id),
+        })
+    }
+
+    fn mock_token(gh_id: i32) -> Authentication {
+        Authentication::Token(TokenAuthentication {
+            token: crate::models::token::tests::build_mock()
+                .user_id(gh_id)
+                .token(),
+            user: mock_user(gh_id),
+        })
+    }
 }
diff --git a/src/config.rs b/src/config.rs
@@ -13,12 +13,17 @@ pub use self::base::Base;
 pub use self::database_pools::{DatabasePools, DbPoolConfig};
 pub use crate::config::balance_capacity::BalanceCapacityConfig;
 use http::HeaderValue;
-use std::collections::HashSet;
-use std::time::Duration;
+use std::{collections::HashSet, num::ParseIntError, str::FromStr, time::Duration};
 
 const DEFAULT_VERSION_ID_CACHE_SIZE: u64 = 10_000;
 const DEFAULT_VERSION_ID_CACHE_TTL: u64 = 5 * 60; // 5 minutes
 
+// The defaults correspond to the current crates.io team, which as at the time of writing, is the
+// GitHub user names carols10cents, jtgeibel, Turbo87, JohnTitor, LawnGnome, and mdtro.
+//
+// FIXME: this needs to be removed once we can detect the admins from the Rust teams API.
+const DEFAULT_GH_ADMIN_USER_IDS: [i32; 6] = [193874, 22186, 141300, 25030997, 229984, 20070360];
+
 pub struct Server {
     pub base: Base,
     pub db: DatabasePools,
@@ -47,6 +52,7 @@ pub struct Server {
     pub version_id_cache_ttl: Duration,
     pub cdn_user_agent: String,
     pub balance_capacity: BalanceCapacityConfig,
+    pub gh_admin_user_ids: HashSet<i32>,
 }
 
 impl Default for Server {
@@ -82,6 +88,9 @@ impl Default for Server {
     ///   endpoint even with a healthy database pool.
     /// - `BLOCKED_ROUTES`: A comma separated list of HTTP route patterns that are manually blocked
     ///   by an operator (e.g. `/crates/:crate_id/:version/download`).
+    /// - `GH_ADMIN_USER_IDS`: A comma separated list of GitHub user IDs that will be considered
+    ///   admins. If not set, a default list comprised of the crates.io team as of May 2023 will be
+    ///   used.
     ///
     /// # Panics
     ///
@@ -151,6 +160,9 @@ impl Default for Server {
             cdn_user_agent: dotenvy::var("WEB_CDN_USER_AGENT")
                 .unwrap_or_else(|_| "Amazon CloudFront".into()),
             balance_capacity: BalanceCapacityConfig::from_environment(),
+            gh_admin_user_ids: env_optional("GH_ADMIN_USER_IDS")
+                .map(parse_gh_admin_user_ids)
+                .unwrap_or(DEFAULT_GH_ADMIN_USER_IDS.into_iter().collect()),
         }
     }
 }
@@ -289,3 +301,29 @@ fn parse_ipv6_based_cidr_blocks() {
             .unwrap()
     );
 }
+
+fn parse_gh_admin_user_ids(users: String) -> HashSet<i32> {
+    users
+        .split(|c: char| !(c.is_ascii_digit()))
+        .filter(|uid| !uid.is_empty())
+        .map(i32::from_str)
+        .collect::<Result<HashSet<i32>, ParseIntError>>()
+        .expect("invalid GH_ADMIN_USER_IDS")
+}
+
+#[test]
+fn test_parse_authorized_admin_users() {
+    fn assert_authorized(input: &str, expected: &[i32]) {
+        assert_eq!(
+            parse_gh_admin_user_ids(input.into()),
+            expected.iter().copied().collect()
+        );
+    }
+
+    assert_authorized("", &[]);
+    assert_authorized("12345", &[12345]);
+    assert_authorized("12345, 6789", &[12345, 6789]);
+    assert_authorized("   12345  6789 ", &[12345, 6789]);
+    assert_authorized("12345;6789", &[12345, 6789]);
+    assert_authorized("12345;6789;12345", &[12345, 6789]);
+}
diff --git a/src/models/token.rs b/src/models/token.rs
@@ -102,31 +102,28 @@ impl std::fmt::Debug for CreatedApiToken {
 }
 
 #[cfg(test)]
-mod tests {
+pub mod tests {
     use super::*;
     use chrono::NaiveDate;
 
     #[test]
     fn api_token_serializes_to_rfc3339() {
-        let tok = ApiToken {
-            id: 12345,
-            user_id: 23456,
-            token: SecureToken::generate(SecureTokenKind::Api).into_inner(),
-            revoked: false,
-            name: "".to_string(),
-            created_at: NaiveDate::from_ymd_opt(2017, 1, 6)
-                .unwrap()
-                .and_hms_opt(14, 23, 11)
-                .unwrap(),
-            last_used_at: Some(
+        let tok = build_mock()
+            .created_at(
                 NaiveDate::from_ymd_opt(2017, 1, 6)
                     .unwrap()
-                    .and_hms_opt(14, 23, 12),
+                    .and_hms_opt(14, 23, 11)
+                    .unwrap(),
             )
-            .unwrap(),
-            crate_scopes: None,
-            endpoint_scopes: None,
-        };
+            .last_used_at(
+                Some(
+                    NaiveDate::from_ymd_opt(2017, 1, 6)
+                        .unwrap()
+                        .and_hms_opt(14, 23, 12),
+                )
+                .unwrap(),
+            )
+            .token();
         let json = serde_json::to_string(&tok).unwrap();
         assert_some!(json
             .as_str()
@@ -135,4 +132,66 @@ mod tests {
             .as_str()
             .find(r#""last_used_at":"2017-01-06T14:23:12+00:00""#));
     }
+
+    pub struct MockBuilder(ApiToken);
+
+    impl MockBuilder {
+        pub fn token(self) -> ApiToken {
+            self.0
+        }
+
+        pub fn id(mut self, id: i32) -> Self {
+            self.0.id = id;
+            self
+        }
+
+        pub fn user_id(mut self, user_id: i32) -> Self {
+            self.0.user_id = user_id;
+            self
+        }
+
+        pub fn name(mut self, name: String) -> Self {
+            self.0.name = name;
+            self
+        }
+
+        pub fn created_at(mut self, created_at: NaiveDateTime) -> Self {
+            self.0.created_at = created_at;
+            self
+        }
+
+        pub fn last_used_at(mut self, last_used_at: Option<NaiveDateTime>) -> Self {
+            self.0.last_used_at = last_used_at;
+            self
+        }
+
+        pub fn revoked(mut self, revoked: bool) -> Self {
+            self.0.revoked = revoked;
+            self
+        }
+
+        pub fn crate_scopes(mut self, crate_scopes: Option<Vec<CrateScope>>) -> Self {
+            self.0.crate_scopes = crate_scopes;
+            self
+        }
+
+        pub fn endpoint_scopes(mut self, endpoint_scopes: Option<Vec<EndpointScope>>) -> Self {
+            self.0.endpoint_scopes = endpoint_scopes;
+            self
+        }
+    }
+
+    pub fn build_mock() -> MockBuilder {
+        MockBuilder(ApiToken {
+            id: 12345,
+            user_id: 23456,
+            token: SecureToken::generate(SecureTokenKind::Api).into_inner(),
+            revoked: false,
+            name: "".to_string(),
+            created_at: NaiveDateTime::default(),
+            last_used_at: None,
+            crate_scopes: None,
+            endpoint_scopes: None,
+        })
+    }
 }
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs
@@ -360,6 +360,7 @@ fn simple_config() -> config::Server {
         version_id_cache_ttl: Duration::from_secs(5 * 60),
         cdn_user_agent: "Amazon CloudFront".to_string(),
         balance_capacity: BalanceCapacityConfig::for_testing(),
+        gh_admin_user_ids: HashSet::new(),
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -360,6 +360,7 @@ fn simple_config() -> config::Server {`
`360`	`360`	`version_id_cache_ttl: Duration::from_secs(5 * 60),`
`361`	`361`	`cdn_user_agent: "Amazon CloudFront".to_string(),`
`362`	`362`	`balance_capacity: BalanceCapacityConfig::for_testing(),`
	`363`	`+ gh_admin_user_ids: HashSet::new(),`
`363`	`364`	`}`
`364`	`365`	`}`
`365`	`366`