Fix rust server auth (#18692)

* Added authentication via Bearer-token api_key and basic for server and client

* Improved errorhandling

* Added check on oAuth audience to example

* Updates of the petstore files for Rust-server

* Moved module import to prevent issue in callbacks

* updated samples

* Fix for unused-qualifications issue

* updated sampmles

Author: cvkem

modules/openapi-generator/src/main/java/org/openapitools/codegen/languages/RustServerCodegen.java

@@ -230,11 +230,15 @@ public RustServerCodegen() {
         supportingFiles.add(new SupportingFile("context.mustache", "src", "context.rs"));
         supportingFiles.add(new SupportingFile("models.mustache", "src", "models.rs"));
         supportingFiles.add(new SupportingFile("header.mustache", "src", "header.rs"));
+        supportingFiles.add(new SupportingFile("auth.mustache", "src", "auth.rs"));
         supportingFiles.add(new SupportingFile("server-mod.mustache", "src/server", "mod.rs"));
+        supportingFiles.add(new SupportingFile("server-server_auth.mustache", "src/server", "server_auth.rs"));
         supportingFiles.add(new SupportingFile("client-mod.mustache", "src/client", "mod.rs"));
         supportingFiles.add(new SupportingFile("example-server-main.mustache", "examples/server", "main.rs"));
         supportingFiles.add(new SupportingFile("example-server-server.mustache", "examples/server", "server.rs"));
+        supportingFiles.add(new SupportingFile("example-server-auth.mustache", "examples/server", "server_auth.rs"));
         supportingFiles.add(new SupportingFile("example-client-main.mustache", "examples/client", "main.rs"));
+        supportingFiles.add(new SupportingFile("example-client-auth.mustache", "examples/client", "client_auth.rs"));
         supportingFiles.add(new SupportingFile("example-ca.pem", "examples", "ca.pem"));
         supportingFiles.add(new SupportingFile("example-server-chain.pem", "examples", "server-chain.pem"));
         supportingFiles.add(new SupportingFile("example-server-key.pem", "examples", "server-key.pem"));

modules/openapi-generator/src/main/resources/rust-server/Cargo.mustache

@@ -17,7 +17,7 @@ license = "{{.}}"
 # Override this license by providing a License Object in the OpenAPI.
 license = "Unlicense"
 {{/licenseInfo}}
-edition = "2021"
+edition = "2018"
 {{#publishRustRegistry}}
 publish = ["{{.}}"]
 {{/publishRustRegistry}}
@@ -133,6 +133,9 @@ frunk_core = { version = "0.3.0", optional = true }
 frunk-enum-derive = { version = "0.2.0", optional = true }
 frunk-enum-core = { version = "0.2.0", optional = true }
 
+# Bearer authentication
+jsonwebtoken = { version = "9.3.0", optional = false }
+
 [dev-dependencies]
 clap = "2.25"
 env_logger = "0.7"

modules/openapi-generator/src/main/resources/rust-server/auth.mustache

@@ -0,0 +1,62 @@
+use std::collections::BTreeSet;
+use crate::server::Authorization;
+use serde::{Deserialize, Serialize};
+use swagger::{ApiError, auth::{Basic, Bearer}};
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Claims {
+    pub sub: String,
+    pub iss: String,
+    pub aud: String,
+    pub company: String,
+    pub exp: u64,
+    pub scopes: String,
+}
+
+
+pub trait AuthenticationApi {
+
+    /// Method should be implemented (see example-code) to map Bearer-token to an Authorization
+    fn bearer_authorization(&self, token: &Bearer) -> Result<Authorization, ApiError>;
+
+    /// Method should be implemented (see example-code) to map ApiKey to an Authorization
+    fn apikey_authorization(&self, token: &str) -> Result<Authorization, ApiError>;
+
+    /// Method should be implemented (see example-code) to map Basic (Username:password) to an Authorization
+    fn basic_authorization(&self, basic: &Basic) -> Result<Authorization, ApiError>;
+} 
+
+// Implement it for AllowAllAuthenticator (dummy is needed, but should not used as we have Bearer authorization)
+use swagger::auth::{AllowAllAuthenticator, RcBound, Scopes};
+
+fn dummy_authorization() -> Authorization {
+    // Is called when MakeAllowAllAuthenticator is added to the stack. This is not needed as we have Bearer-authorization in the example-code.
+    // However, if you want to use it anyway this can not be unimplemented, so dummy implementation added.
+    // unimplemented!()
+    Authorization{
+        subject: "Dummmy".to_owned(),
+        scopes: Scopes::Some(BTreeSet::new()), // create an empty scope, as this should not be used
+        issuer: None
+    }
+}
+
+impl<T, RC> AuthenticationApi for AllowAllAuthenticator<T, RC>
+where
+    RC: RcBound,
+    RC::Result: Send + 'static {
+
+    /// Get method to map Bearer-token to an Authorization
+    fn bearer_authorization(&self, _token: &Bearer) -> Result<Authorization, ApiError> {
+        Ok(dummy_authorization())
+    }
+
+    /// Get method to map api-key to an Authorization
+    fn apikey_authorization(&self, _apikey: &str) -> Result<Authorization, ApiError> {
+        Ok(dummy_authorization())
+    }
+
+    /// Get method to map basic token to an Authorization
+    fn basic_authorization(&self, _basic: &Basic) -> Result<Authorization, ApiError> {
+        Ok(dummy_authorization())
+    }
+}

modules/openapi-generator/src/main/resources/rust-server/context.mustache

@@ -8,7 +8,8 @@ use std::marker::PhantomData;
 use std::task::{Poll, Context};
 use swagger::auth::{AuthData, Authorization, Bearer, Scopes};
 use swagger::{EmptyContext, Has, Pop, Push, XSpanIdString};
-use crate::Api;
+use crate::{Api, AuthenticationApi};
+use log::error;
 
 pub struct MakeAddContext<T, A> {
     inner: T,
@@ -89,7 +90,7 @@ impl<T, A, B, C, D, ReqBody> Service<Request<ReqBody>> for AddContext<T, A, B, C
         B: Push<Option<AuthData>, Result=C>,
         C: Push<Option<Authorization>, Result=D>,
         D: Send + 'static,
-        T: Service<(Request<ReqBody>, D)>
+        T: Service<(Request<ReqBody>, D)> + AuthenticationApi
 {
     type Error = T::Error;
     type Future = T::Future;
@@ -111,9 +112,17 @@ impl<T, A, B, C, D, ReqBody> Service<Request<ReqBody>> for AddContext<T, A, B, C
             use swagger::auth::Basic;
             use std::ops::Deref;
             if let Some(basic) = swagger::auth::from_headers::<Basic>(headers) {
+                let authorization = self.inner.basic_authorization(&basic);
                 let auth_data = AuthData::Basic(basic);
+
                 let context = context.push(Some(auth_data));
-                let context = context.push(None::<Authorization>);
+                let context = match authorization {
+                    Ok(auth) => context.push(Some(auth)),
+                    Err(err) => {
+                        error!("Error during Authorization: {err:?}");
+                        context.push(None::<Authorization>)
+                    }
+                };
 
                 return self.inner.call((request, context))
             }
@@ -124,9 +133,17 @@ impl<T, A, B, C, D, ReqBody> Service<Request<ReqBody>> for AddContext<T, A, B, C
             use swagger::auth::Bearer;
             use std::ops::Deref;
             if let Some(bearer) = swagger::auth::from_headers::<Bearer>(headers) {
+                let authorization = self.inner.bearer_authorization(&bearer);
                 let auth_data = AuthData::Bearer(bearer);
+
                 let context = context.push(Some(auth_data));
-                let context = context.push(None::<Authorization>);
+                let context = match authorization {
+                    Ok(auth) => context.push(Some(auth)),
+                    Err(err) => {
+                        error!("Error during Authorization: {err:?}");
+                        context.push(None::<Authorization>)
+                    }
+                };
 
                 return self.inner.call((request, context))
             }
@@ -138,9 +155,17 @@ impl<T, A, B, C, D, ReqBody> Service<Request<ReqBody>> for AddContext<T, A, B, C
             use swagger::auth::Bearer;
             use std::ops::Deref;
             if let Some(bearer) = swagger::auth::from_headers::<Bearer>(headers) {
+                let authorization = self.inner.bearer_authorization(&bearer);
                 let auth_data = AuthData::Bearer(bearer);
+
                 let context = context.push(Some(auth_data));
-                let context = context.push(None::<Authorization>);
+                let context = match authorization {
+                    Ok(auth) => context.push(Some(auth)),
+                    Err(err) => {
+                        error!("Error during Authorization: {err:?}");
+                        context.push(None::<Authorization>)
+                    }
+                };
 
                 return self.inner.call((request, context))
             }
@@ -152,9 +177,17 @@ impl<T, A, B, C, D, ReqBody> Service<Request<ReqBody>> for AddContext<T, A, B, C
             use swagger::auth::api_key_from_header;
 
             if let Some(header) = api_key_from_header(headers, "{{{keyParamName}}}") {
+                let authorization = self.inner.apikey_authorization(&header);
                 let auth_data = AuthData::ApiKey(header);
+
                 let context = context.push(Some(auth_data));
-                let context = context.push(None::<Authorization>);
+                let context = match authorization {
+                    Ok(auth) => context.push(Some(auth)),
+                    Err(err) => {
+                        error!("Error during Authorization: {err:?}");
+                        context.push(None::<Authorization>)
+                    }
+                };
 
                 return self.inner.call((request, context))
             }
@@ -167,9 +200,17 @@ impl<T, A, B, C, D, ReqBody> Service<Request<ReqBody>> for AddContext<T, A, B, C
                 .map(|e| e.1.clone().into_owned())
                 .next();
             if let Some(key) = key {
+                let authorization = self.inner.apikey_authorization(&key);
                 let auth_data = AuthData::ApiKey(key);
+
                 let context = context.push(Some(auth_data));
-                let context = context.push(None::<Authorization>);
+                let context = match authorization {
+                    Ok(auth) => context.push(Some(auth)),
+                    Err(err) => {
+                        error!("Error during Authorization: {err:?}");
+                        context.push(None::<Authorization>)
+                    }
+                };
 
                 return self.inner.call((request, context))
             }

modules/openapi-generator/src/main/resources/rust-server/example-client-auth.mustache

@@ -0,0 +1,17 @@
+use {{{externCrateName}}}::Claims;
+use jsonwebtoken::{encode, errors::Error as JwtError, Algorithm, EncodingKey, Header};
+use log::debug;
+
+/// build an encrypted token with the provided claims.
+pub fn build_token(my_claims: Claims, key: &[u8]) -> Result<String, JwtError> {
+
+    // Ensure that you set the correct algorithm and correct key.
+    // See https://github.com/Keats/jsonwebtoken for more information.
+    let header =
+        Header { kid: Some("signing_key".to_owned()), alg: Algorithm::HS512, ..Default::default() };
+
+    let token = encode(&header, &my_claims, &EncodingKey::from_secret(key))?;
+    debug!("Derived token: {:?}", token);
+
+    Ok(token)
+}

modules/openapi-generator/src/main/resources/rust-server/example-client-main.mustache

@@ -7,7 +7,7 @@ mod server;
 #[allow(unused_imports)]
 use futures::{future, Stream, stream};
 #[allow(unused_imports)]
-use {{{externCrateName}}}::{Api, ApiNoContext, Client, ContextWrapperExt, models,
+use {{{externCrateName}}}::{Api, ApiNoContext, Claims, Client, ContextWrapperExt, models,
 {{#apiInfo}}
   {{#apis}}
     {{#operations}}
@@ -20,6 +20,9 @@ use {{{externCrateName}}}::{Api, ApiNoContext, Client, ContextWrapperExt, models
                      };
 use clap::{App, Arg};
 
+// NOTE: Set environment variable RUST_LOG to the name of the executable (or "cargo run") to activate console logging for all loglevels.
+//     See https://docs.rs/env_logger/latest/env_logger/  for more details
+
 #[allow(unused_imports)]
 use log::info;
 
@@ -29,6 +32,10 @@ use swagger::{AuthData, ContextBuilder, EmptyContext, Has, Push, XSpanIdString};
 
 type ClientContext = swagger::make_context_ty!(ContextBuilder, EmptyContext, Option<AuthData>, XSpanIdString);
 
+mod client_auth;
+use client_auth::build_token;
+
+
 // rt may be unused if there are no examples
 #[allow(unused_mut)]
 fn main() {
@@ -44,7 +51,7 @@ fn main() {
       {{#operation}}
         {{#vendorExtensions}}
           {{^x-no-client-example}}
-                "{{{operationId}}}",
+                "{{{operationId}}}", 
           {{/x-no-client-example}}
         {{/vendorExtensions}}
       {{/operation}}
@@ -69,14 +76,45 @@ fn main() {
             .help("Port to contact"))
         .get_matches();
 
+    // Create Bearer-token with a fixed key (secret) for test purposes.
+    // In a real (production) system this Bearer token should be obtained via an external Identity/Authentication-server
+    // Ensure that you set the correct algorithm and encodingkey that matches what is used on the server side.
+    // See https://github.com/Keats/jsonwebtoken for more information
+
+    let auth_token = build_token(
+            Claims {
+                sub: "tester@acme.com".to_owned(), 
+                company: "ACME".to_owned(),
+                iss: "my_identity_provider".to_owned(),
+                // added a very long expiry time
+                aud: "org.acme.Resource_Server".to_string(),
+                exp: 10000000000,
+                // In this example code all available Scopes are added, so the current Bearer Token gets fully authorization.
+                scopes: [
+                  {{#authMethods}}
+                   {{#scopes}}
+                            "{{{scope}}}",
+                   {{/scopes}}
+                  {{/authMethods}}
+                ].join(", ")
+            }, 
+            b"secret").unwrap();
+
+    let auth_data = if !auth_token.is_empty() {
+        Some(AuthData::Bearer(swagger::auth::Bearer { token: auth_token}))
+    } else {
+        // No Bearer-token available, so return None
+        None
+    };
+
     let is_https = matches.is_present("https");
     let base_url = format!("{}://{}:{}",
-                           if is_https { "https" } else { "http" },
-                           matches.value_of("host").unwrap(),
-                           matches.value_of("port").unwrap());
+        if is_https { "https" } else { "http" },
+        matches.value_of("host").unwrap(),
+        matches.value_of("port").unwrap());
 
     let context: ClientContext =
-        swagger::make_context!(ContextBuilder, EmptyContext, None as Option<AuthData>, XSpanIdString::default());
+        swagger::make_context!(ContextBuilder, EmptyContext, auth_data, XSpanIdString::default());
 
     let mut client : Box<dyn ApiNoContext<ClientContext>> = if matches.is_present("https") {
         // Using Simple HTTPS