Define admin users and extend AuthCheck to handle them

LawnGnome · LawnGnome · commit f86ffa17fda4 · 2023-07-15T15:17:01.000-07:00
This adds a concept of admin users, who are defined by their GitHub IDs,
and allows them to be defined through an environment variable, falling
back to a static list of the current `crates.io` team.

`AuthCheck` now has a builder method to require that the current cookie
or token belong to an admin user.

In the future, this will be extended to use Rust's team API for the
fallback.
diff --git a/.env.sample b/.env.sample
@@ -86,3 +86,7 @@ export SENTRY_ENV_API=local
 # export TEST_S3_INDEX_REGION=http://127.0.0.1:19000
 # export TEST_AWS_ACCESS_KEY=minio
 # export TEST_AWS_SECRET_KEY=miniominio
+
+# IDs of GitHub users that are admins on this instance, separated by commas.
+# Whitespace will be ignored.
+export GH_ADMIN_USER_IDS=
diff --git a/src/auth.rs b/src/auth.rs
@@ -1,5 +1,8 @@
+use std::collections::HashSet;
+
 use crate::controllers;
 use crate::controllers::util::RequestPartsExt;
+use crate::middleware::app::RequestApp;
 use crate::middleware::log_request::RequestLogExt;
 use crate::middleware::session::RequestSession;
 use crate::models::token::{CrateScope, EndpointScope};
@@ -16,6 +19,7 @@ pub struct AuthCheck {
     allow_token: bool,
     endpoint_scope: Option<EndpointScope>,
     crate_name: Option<String>,
+    require_admin: bool,
 }
 
 impl AuthCheck {
@@ -27,6 +31,7 @@ impl AuthCheck {
             allow_token: true,
             endpoint_scope: None,
             crate_name: None,
+            require_admin: false,
         }
     }
 
@@ -36,6 +41,7 @@ impl AuthCheck {
             allow_token: false,
             endpoint_scope: None,
             crate_name: None,
+            require_admin: false,
         }
     }
 
@@ -44,6 +50,7 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: Some(endpoint_scope),
             crate_name: self.crate_name.clone(),
+            require_admin: self.require_admin,
         }
     }
 
@@ -52,6 +59,16 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: self.endpoint_scope,
             crate_name: Some(crate_name.to_string()),
+            require_admin: self.require_admin,
+        }
+    }
+
+    pub fn require_admin(&self) -> Self {
+        Self {
+            allow_token: self.allow_token,
+            endpoint_scope: self.endpoint_scope,
+            crate_name: self.crate_name.clone(),
+            require_admin: true,
         }
     }
 
@@ -61,8 +78,17 @@ impl AuthCheck {
         request: &T,
         conn: &mut PgConnection,
     ) -> AppResult<Authentication> {
-        let auth = authenticate(request, conn)?;
+        self.check_authentication(
+            authenticate(request, conn)?,
+            &request.app().config.gh_admin_user_ids,
+        )
+    }
 
+    fn check_authentication(
+        &self,
+        auth: Authentication,
+        gh_admin_user_ids: &HashSet<i32>,
+    ) -> AppResult<Authentication> {
         if let Some(token) = auth.api_token() {
             if !self.allow_token {
                 let error_message =
@@ -81,6 +107,11 @@ impl AuthCheck {
             }
         }
 
+        if self.require_admin && !gh_admin_user_ids.contains(&auth.user().gh_id) {
+            let error_message = "User is unauthorized";
+            return Err(internal(error_message).chain(forbidden()));
+        }
+
         Ok(auth)
     }
 
@@ -347,4 +378,43 @@ mod tests {
         assert!(!auth_check.crate_scope_matches(Some(&vec![cs("anyhow")])));
         assert!(!auth_check.crate_scope_matches(Some(&vec![cs("actix-*")])));
     }
+
+    #[test]
+    fn require_admin() {
+        let auth_check = AuthCheck::default().require_admin();
+        let gh_admin_user_ids = [42, 43].into_iter().collect();
+
+        assert_ok!(auth_check.check_authentication(mock_cookie(42), &gh_admin_user_ids));
+        assert_err!(auth_check.check_authentication(mock_cookie(44), &gh_admin_user_ids));
+        assert_ok!(auth_check.check_authentication(mock_token(43), &gh_admin_user_ids));
+        assert_err!(auth_check.check_authentication(mock_token(45), &gh_admin_user_ids));
+    }
+
+    fn mock_user(gh_id: i32) -> User {
+        User {
+            id: 3,
+            gh_access_token: "arbitrary".into(),
+            gh_login: "literally_anything".into(),
+            name: None,
+            gh_avatar: None,
+            gh_id,
+            account_lock_reason: None,
+            account_lock_until: None,
+        }
+    }
+
+    fn mock_cookie(gh_id: i32) -> Authentication {
+        Authentication::Cookie(CookieAuthentication {
+            user: mock_user(gh_id),
+        })
+    }
+
+    fn mock_token(gh_id: i32) -> Authentication {
+        Authentication::Token(TokenAuthentication {
+            token: crate::models::token::tests::build_mock()
+                .user_id(gh_id)
+                .token(),
+            user: mock_user(gh_id),
+        })
+    }
 }
diff --git a/src/config/server.rs b/src/config/server.rs
@@ -12,11 +12,19 @@ use crate::storage::StorageConfig;
 use http::HeaderValue;
 use std::collections::HashSet;
 use std::net::IpAddr;
+use std::num::ParseIntError;
+use std::str::FromStr;
 use std::time::Duration;
 
 const DEFAULT_VERSION_ID_CACHE_SIZE: u64 = 10_000;
 const DEFAULT_VERSION_ID_CACHE_TTL: u64 = 5 * 60; // 5 minutes
 
+// The defaults correspond to the current crates.io team, which as at the time of writing, is the
+// GitHub user names carols10cents, jtgeibel, Turbo87, JohnTitor, LawnGnome, and mdtro.
+//
+// FIXME: this needs to be removed once we can detect the admins from the Rust teams API.
+const DEFAULT_GH_ADMIN_USER_IDS: [i32; 6] = [193874, 22186, 141300, 25030997, 229984, 20070360];
+
 pub struct Server {
     pub base: Base,
     pub ip: IpAddr,
@@ -50,6 +58,7 @@ pub struct Server {
     pub version_id_cache_ttl: Duration,
     pub cdn_user_agent: String,
     pub balance_capacity: BalanceCapacityConfig,
+    pub gh_admin_user_ids: HashSet<i32>,
 
     /// Should the server serve the frontend assets in the `dist` directory?
     pub serve_dist: bool,
@@ -94,6 +103,9 @@ impl Default for Server {
     ///   endpoint even with a healthy database pool.
     /// - `BLOCKED_ROUTES`: A comma separated list of HTTP route patterns that are manually blocked
     ///   by an operator (e.g. `/crates/:crate_id/:version/download`).
+    /// - `GH_ADMIN_USER_IDS`: A comma separated list of GitHub user IDs that will be considered
+    ///   admins. If not set, a default list comprised of the crates.io team as of May 2023 will be
+    ///   used.
     ///
     /// # Panics
     ///
@@ -185,6 +197,10 @@ impl Default for Server {
             cdn_user_agent: dotenvy::var("WEB_CDN_USER_AGENT")
                 .unwrap_or_else(|_| "Amazon CloudFront".into()),
             balance_capacity: BalanceCapacityConfig::from_environment(),
+            gh_admin_user_ids: env_optional("GH_ADMIN_USER_IDS")
+                .map(parse_gh_admin_user_ids)
+                .unwrap_or_else(|| Ok(DEFAULT_GH_ADMIN_USER_IDS.into_iter().collect()))
+                .expect("invalid GH_ADMIN_USER_IDS"),
             serve_dist: true,
             serve_html: true,
             use_fastboot: dotenvy::var("USE_FASTBOOT").ok(),
@@ -326,3 +342,28 @@ fn parse_ipv6_based_cidr_blocks() {
             .unwrap()
     );
 }
+
+fn parse_gh_admin_user_ids(users: String) -> Result<HashSet<i32>, ParseIntError> {
+    users
+        .split(|c: char| !(c.is_ascii_digit()))
+        .filter(|uid| !uid.is_empty())
+        .map(i32::from_str)
+        .collect()
+}
+
+#[test]
+fn test_gh_admin_user_ids() {
+    fn assert_authorized(input: &str, expected: &[i32]) {
+        assert_eq!(
+            parse_gh_admin_user_ids(input.into()).unwrap(),
+            expected.iter().copied().collect()
+        );
+    }
+
+    assert_authorized("", &[]);
+    assert_authorized("12345", &[12345]);
+    assert_authorized("12345, 6789", &[12345, 6789]);
+    assert_authorized("   12345  6789 ", &[12345, 6789]);
+    assert_authorized("12345;6789", &[12345, 6789]);
+    assert_authorized("12345;6789;12345", &[12345, 6789]);
+}
diff --git a/src/models/token.rs b/src/models/token.rs
@@ -98,28 +98,28 @@ pub struct CreatedApiToken {
 }
 
 #[cfg(test)]
-mod tests {
+pub mod tests {
     use super::*;
     use chrono::NaiveDate;
 
     #[test]
     fn api_token_serializes_to_rfc3339() {
-        let tok = ApiToken {
-            id: 12345,
-            user_id: 23456,
-            revoked: false,
-            name: "".to_string(),
-            created_at: NaiveDate::from_ymd_opt(2017, 1, 6)
-                .unwrap()
-                .and_hms_opt(14, 23, 11)
+        let tok = build_mock()
+            .created_at(
+                NaiveDate::from_ymd_opt(2017, 1, 6)
+                    .unwrap()
+                    .and_hms_opt(14, 23, 11)
+                    .unwrap(),
+            )
+            .last_used_at(
+                Some(
+                    NaiveDate::from_ymd_opt(2017, 1, 6)
+                        .unwrap()
+                        .and_hms_opt(14, 23, 12),
+                )
                 .unwrap(),
-            last_used_at: NaiveDate::from_ymd_opt(2017, 1, 6)
-                .unwrap()
-                .and_hms_opt(14, 23, 12),
-            crate_scopes: None,
-            endpoint_scopes: None,
-            expired_at: None,
-        };
+            )
+            .token();
         let json = serde_json::to_string(&tok).unwrap();
         assert_some!(json
             .as_str()
@@ -128,4 +128,66 @@ mod tests {
             .as_str()
             .find(r#""last_used_at":"2017-01-06T14:23:12+00:00""#));
     }
+
+    pub struct MockBuilder(ApiToken);
+
+    impl MockBuilder {
+        pub fn token(self) -> ApiToken {
+            self.0
+        }
+
+        pub fn id(mut self, id: i32) -> Self {
+            self.0.id = id;
+            self
+        }
+
+        pub fn user_id(mut self, user_id: i32) -> Self {
+            self.0.user_id = user_id;
+            self
+        }
+
+        pub fn name(mut self, name: String) -> Self {
+            self.0.name = name;
+            self
+        }
+
+        pub fn created_at(mut self, created_at: NaiveDateTime) -> Self {
+            self.0.created_at = created_at;
+            self
+        }
+
+        pub fn last_used_at(mut self, last_used_at: Option<NaiveDateTime>) -> Self {
+            self.0.last_used_at = last_used_at;
+            self
+        }
+
+        pub fn revoked(mut self, revoked: bool) -> Self {
+            self.0.revoked = revoked;
+            self
+        }
+
+        pub fn crate_scopes(mut self, crate_scopes: Option<Vec<CrateScope>>) -> Self {
+            self.0.crate_scopes = crate_scopes;
+            self
+        }
+
+        pub fn endpoint_scopes(mut self, endpoint_scopes: Option<Vec<EndpointScope>>) -> Self {
+            self.0.endpoint_scopes = endpoint_scopes;
+            self
+        }
+    }
+
+    pub fn build_mock() -> MockBuilder {
+        MockBuilder(ApiToken {
+            id: 12345,
+            user_id: 23456,
+            revoked: false,
+            name: "".to_string(),
+            created_at: NaiveDateTime::default(),
+            last_used_at: None,
+            crate_scopes: None,
+            endpoint_scopes: None,
+            expired_at: None,
+        })
+    }
 }
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs
@@ -439,6 +439,7 @@ fn simple_config() -> config::Server {
         version_id_cache_ttl: Duration::from_secs(5 * 60),
         cdn_user_agent: "Amazon CloudFront".to_string(),
         balance_capacity,
+        gh_admin_user_ids: HashSet::new(),
 
         // The frontend code is not needed for the backend tests.
         serve_dist: false,
