Support auth token based auth

obmarg · Jul 24, 2021 · c83caf0 · c83caf0
1 parent e3f0e49
commit c83caf0
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 25 deletions.
diff --git a/ingle/src/database/auth/mod.rs b/ingle/src/database/auth/mod.rs
@@ -6,14  6,16 @@ pub use token::Token;
 
 #[derive(Clone)]
 pub enum Credentials {
-    Default(Token),
     ServiceAccount(Token),
     AuthToken(String),
     EmulatorOwner,
 }
 
 impl std::fmt::Debug for Credentials {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
-            Credentials::Default(_) => write!(f, "Credentials::Default(_)"),
             Credentials::ServiceAccount(_) => write!(f, "Credentials::ServiceAccount(_)"),
             Credentials::AuthToken(_) => write!(f, "Credentials::AuthToken(_)"),
             Credentials::EmulatorOwner => write!(f, "Credentials::EmulatorOwner"),
         }
     }

diff --git a/ingle/src/database/auth/service.rs b/ingle/src/database/auth/service.rs
@@ -2,7  2,7 @@
 
 use std::sync::Arc;
 use std::task::{Context, Poll};
-use tonic::codegen::http::{HeaderValue, Request};
 use tonic::codegen::http::{header::AUTHORIZATION, HeaderValue, Request};
 use tonic::metadata::MetadataValue;
 use tower_service::Service;
 
@@ -37,15  37,22 @@ where
     #[inline]
     fn call(&mut self, mut request: Request<Body>) -> Self::Future {
         match &self.credentials {
-            Some(Credentials::Default(token)) => {
             Some(Credentials::ServiceAccount(token)) => {
                 let jwt = token.jwt();
                 request.headers_mut().insert(
-                    "authorization",
-                    HeaderValue::from_str(&format!("Bearer {}", token.jwt())).unwrap(),
                     AUTHORIZATION,
                     HeaderValue::from_str(&format!("Bearer {}", jwt)).unwrap(),
                 );
             }
             Some(Credentials::AuthToken(token)) => {
                 request.headers_mut().insert(
                     AUTHORIZATION,
                     HeaderValue::from_str(&format!("Bearer {}", token)).unwrap(),
                 );
             }
             Some(Credentials::EmulatorOwner) => {
                 request.headers_mut().insert(
-                    "authorization",
                     AUTHORIZATION,
                     HeaderValue::from_str("Bearer owner").unwrap(),
                 );
             }

diff --git a/ingle/src/database/auth/token.rs b/ingle/src/database/auth/token.rs
@@ -51,14  51,6 @@ impl Token {
     ) -> Result<Self, frank_jwt::Error> {
         Token::new(audience, credentials_from_file(path)?)
     }
-
-    pub fn from_default_credentials(audience: impl ToString) -> Result<Self, frank_jwt::Error> {
-        Token::from_file(
-            std::env::var("GOOGLE_APPLICATION_CREDENTIALS")
-                .expect("GOOGLE_APPLICATION_CREDENTIALS not defined"),
-            audience,
-        )
-    }
 }
 
 static JWT_VALID_TIME: Duration = Duration::from_secs(10 * 60);
@@ -92,11  84,11 @@ impl TokenInner {
             .as_secs();
 
         let claims = json!({
-            "sub": email.clone(),
-            "iss": email.clone(),
-            "aud": audience.to_owned(),
             "sub": &email,
             "iss": &email,
             "aud": &audience,
             "iat": now_timestamp,
-            "exp": expires_at_timestamp,
             "exp": expires_at_timestamp
         });
 
         let header = json!({});

diff --git a/ingle/src/database/builder.rs b/ingle/src/database/builder.rs
@@ -2,7  2,7 @@ use std::time::Duration;
 
 use tonic::{
     metadata::MetadataValue,
-    transport::{self, Endpoint},
     transport::{self, ClientTlsConfig, Endpoint},
     Request,
 };
 
@@ -28,7  28,9 @@ pub struct DatabaseBuilder {
 impl DatabaseBuilder {
     pub fn new(project_id: impl Into<String>) -> DatabaseBuilder {
         DatabaseBuilder {
-            endpoint: Endpoint::from_static(FIRESTORE_ENDPOINT),
             endpoint: Endpoint::from_static(FIRESTORE_ENDPOINT)
                 .tls_config(ClientTlsConfig::default())
                 .expect("Couldn't configure TLS"),
             credentials: None,
             project_id: project_id.into(),
             database_id: DEFAULT_DATABASE.to_string(),
@@ -38,7  40,9 @@ impl DatabaseBuilder {
     pub fn https_endpoint(self, url: &str) -> Self {
         DatabaseBuilder {
             endpoint: Endpoint::from_shared(format!("https://{}", url))
-                .expect("Invalid firestore URL"),
                 .expect("Invalid firestore URL")
                 .tls_config(ClientTlsConfig::default())
                 .expect("Couldn't initialise TLS"),
             ..self
         }
     }
@@ -85,7  89,7 @@ impl DatabaseBuilder {
         };
 
         Ok(DatabaseBuilder {
-            credentials: Some(Credentials::Default(Token::from_file(
             credentials: Some(Credentials::ServiceAccount(Token::from_file(
                 filename,
                 FIRESTORE_TOKEN_AUDIENCE,
             )?)),
@@ -100,6  104,13 @@ impl DatabaseBuilder {
         }
     }
 
     pub fn auth_token(self, token: impl Into<String>) -> Self {
         DatabaseBuilder {
             credentials: Some(Credentials::AuthToken(token.into())),
             ..self
         }
     }
 
     #[allow(clippy::redundant_closure)]
     pub async fn connect(self) -> Result<Database, ConnectError> {
         // TODO: Probably want retries at some point?

diff --git a/ingle/tests/integration.rs b/ingle/tests/integration.rs
@@ -6,8  6,7 @@ use ingle::{
 #[tokio::test]
 async fn test_adding_document() {
     let database = DatabaseBuilder::new("nandos-api-platform")
-        .default_credentials()
-        .unwrap()
         .auth_token(std::env::var("GOOGLE_TOKEN").unwrap())
         .connect()
         .await
         .unwrap();