cat_gateway/service/common/auth/rbac/

scheme.rs

//! Catalyst RBAC Security Scheme
use std::{env, error::Error, time::Duration};

use poem::{IntoResponse, Request, error::ResponseError, http::StatusCode};
use poem_openapi::{SecurityScheme, auth::Bearer};
use tracing::{debug, error};

use super::token::CatalystRBACTokenV1;
use crate::{
    db::index::session::CassandraSessionError,
    service::common::{
        auth::{api_key::check_api_key, rbac::token::VerificationError},
        responses::{ErrorResponses, WithErrorResponses},
        types::headers::retry_after::{RetryAfterHeader, RetryAfterOption},
    },
};

/// The header name that holds the authorization RBAC token
pub(crate) const AUTHORIZATION_HEADER: &str = "Authorization";

/// Catalyst RBAC Access Token
#[derive(SecurityScheme)]
#[oai(
    ty = "bearer",
    key_name = "Authorization", // MUST match the `AUTHORIZATION_HEADER` constant.
    bearer_format = "catalyst-rbac-token",
    checker = "checker_api_catalyst_auth"
)]
#[allow(clippy::module_name_repetitions)]
pub(crate) struct CatalystRBACSecurityScheme(CatalystRBACTokenV1);

impl From<CatalystRBACSecurityScheme> for CatalystRBACTokenV1 {
    fn from(value: CatalystRBACSecurityScheme) -> Self {
        value.0
    }
}

/// Error with the service while processing a Catalyst RBAC Token
///
/// Can be related to database session failure.
#[derive(Debug, thiserror::Error)]
#[error("Service unavailable while processing a Catalyst RBAC Token")]
pub struct ServiceUnavailableError(pub anyhow::Error);

impl ResponseError for ServiceUnavailableError {
    fn status(&self) -> StatusCode {
        StatusCode::SERVICE_UNAVAILABLE
    }

    /// Convert this error to a HTTP response.
    fn as_response(&self) -> poem::Response
    where Self: Error + Send + Sync + 'static {
        WithErrorResponses::<()>::service_unavailable(
            &self.0,
            RetryAfterOption::Some(RetryAfterHeader::default()),
        )
        .into_response()
    }
}

/// Authentication token error.
#[derive(Debug, thiserror::Error)]
enum AuthTokenError {
    /// Registration chain cannot be built.
    #[error("Unable to build registration chain, err: {0}")]
    BuildRegChain(String),
    /// RBAC token cannot be parsed.
    #[error("Fail to parse RBAC token string, err: {0}")]
    ParseRbacToken(String),
    /// Registration chain cannot be found.
    #[error("Registration not found for the auth token.")]
    RegistrationNotFound,
    /// Latest signing key cannot be found.
    #[error("Unable to get the latest signing key.")]
    LatestSigningKey,
}

impl ResponseError for AuthTokenError {
    fn status(&self) -> StatusCode {
        StatusCode::UNAUTHORIZED
    }

    /// Convert this error to a HTTP response.
    fn as_response(&self) -> poem::Response
    where Self: Error + Send + Sync + 'static {
        ErrorResponses::unauthorized(self.to_string()).into_response()
    }
}

/// Token does not have required access rights
///
/// Not enough access rights, so its a 403 response.
#[derive(Debug, thiserror::Error)]
#[error("Insufficient Permission for Catalyst RBAC Token: {0:?}")]
enum AuthTokenAccessViolation {
    /// Not a Admin RBAC token
    #[error("Not a valid Admin RBAC token")]
    NotAdmin,
    /// Invalid RBAC token signature
    #[error("Invalid RBAC Token signature.")]
    InvalidSignature,
    /// RBAC token expired
    #[error("Expired RBAC token.")]
    Expired,
}

impl ResponseError for AuthTokenAccessViolation {
    fn status(&self) -> StatusCode {
        StatusCode::FORBIDDEN
    }

    /// Convert this error to a HTTP response.
    fn as_response(&self) -> poem::Response
    where Self: Error + Send + Sync + 'static {
        // TODO: Actually check permissions needed for an endpoint.
        ErrorResponses::forbidden(self.to_string()).into_response()
    }
}

/// Time in the past the Token can be valid for.
const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60); // 1 hour.

/// Time in the future the Token can be valid for.
const MAX_TOKEN_SKEW: Duration = Duration::from_secs(5 * 60); // 5 minutes

/// When added to an endpoint, this hook is called per request to verify the bearer token
/// is valid. The performed validation is described [here].
///
/// [here]: https://github.com/input-output-hk/catalyst-voices/blob/main/docs/src/catalyst-standards/permissionless-auth/auth-header.md#backend-processing-of-the-token
async fn checker_api_catalyst_auth(
    req: &Request,
    bearer: Bearer,
) -> poem::Result<CatalystRBACTokenV1> {
    /// Temporary: Conditional RBAC for testing
    const RBAC_OFF: &str = "RBAC_OFF";

    // Deserialize the token: this performs the 1-5 steps of the validation.
    let mut token = CatalystRBACTokenV1::parse(&bearer.token).map_err(|e| {
        debug!("Corrupt auth token: {e:?}");
        AuthTokenError::ParseRbacToken(e.to_string())
    })?;

    // If env var explicitly set by SRE, switch off full verification
    if env::var(RBAC_OFF).is_ok() {
        return Ok(token);
    }

    // Step 6, 8, 9: get the registration chain (or check is it a valid admin token), verify
    // the signature against the Role 0 pk.
    match token.verify().await {
        Ok(()) => {},
        Err(e) if e.is::<CassandraSessionError>() => return Err(ServiceUnavailableError(e).into()),
        Err(e) => {
            error!(cat_id = %token.catalyst_id(), err = ?e, "RBAC token fails validation");
            match e.downcast::<VerificationError>() {
                Ok(VerificationError::LatestSigningKey) => {
                    return Err(AuthTokenError::LatestSigningKey.into());
                },
                Ok(VerificationError::RegistrationNotFound) => {
                    return Err(AuthTokenError::RegistrationNotFound.into());
                },
                Ok(VerificationError::NotAdmin) => {
                    return Err(AuthTokenAccessViolation::NotAdmin.into());
                },
                Ok(VerificationError::InvalidSignature) => {
                    return Err(AuthTokenAccessViolation::InvalidSignature.into());
                },
                Err(e) => {
                    return Err(AuthTokenError::BuildRegChain(e.to_string()).into());
                },
            }
        },
    }

    // Step 7: Verify that the nonce is in the acceptable range.
    // If `InternalApiKeyAuthorization` auth is provided, skip validation.
    if check_api_key(req.headers()).is_err() && !token.is_young(MAX_TOKEN_AGE, MAX_TOKEN_SKEW) {
        // Token is too old or too far in the future.
        debug!("Auth token expired: {token}");
        Err(AuthTokenAccessViolation::Expired)?;
    }

    // Step 10 is optional and isn't currently implemented.
    //   - Get the latest unstable signing certificate registered for Role 0.
    //   - Verify the signature against the Role 0 Public Key and Algorithm identified by the
    //     certificate. If this fails, return 403.

    // Step 11: Token is valid
    Ok(token)
}