Authenticate client.

Author: metalwhale

chloria-backend/Cargo.lock

@@ -5,12 +5,16 @@ edition = "2021"
 
 [dependencies]
 anyhow = "1.0.96"
+argon2 = { version = "0.5.3", features = ["std"] }
+async-trait = "0.1.86"
 axum = "0.8.1"
 axum-extra = { version = "0.10.0", features = ["typed-header"] }
-diesel = { version = "2.2.7", features = ["postgres"] }
+diesel = { version = "2.2.7", features = ["postgres", "r2d2"] }
 jsonwebtoken = "9.3.1"
+mockall = "0.13.1"
 serde = "1.0.218"
 serde_json = "1.0.140"
 serde_with = "3.12.0"
+strum = { version = "0.27.1", features = ["derive"] }
 tokio = { version = "1.43.0", features = ["rt-multi-thread"] }
 tower = "0.5.2"

chloria-backend/chloria-api/Cargo.toml

@@ -0,0 +1,27 @@
+## Manual guide
+### Add a static client credential
+Generate a hashed secret using Argon2:
+```bash
+apt update -y
+apt install -y argon2
+echo -n "${SECRET}" | argon2 ${SALT} -id
+```
+> Type:	    Argon2id\
+> ...\
+> Hash:	    ...\
+> Encoded:  ${HASHED_SECRET}\
+> ...
+- `${SECRET}`: Your private secret
+- `${SALT}`: A random salt value
+- `${HASHED_SECRET}`: Has the format `$argon2id...`
+
+Insert a new credential into the database:
+```sql
+INSERT INTO clients(authentication_method, authentication_registry) VALUES ('static', '${AUTHENTICATION_REGISTRY}');
+
+-- Suppose the id of the new client is `1` but it can be any value
+INSERT INTO client_credentials(id, api_key, api_secret) VALUES (1, '${API_KEY}', '${HASHED_SECRET}');
+```
+- `${AUTHENTICATION_REGISTRY}`: A unique value to distinguish it from other static clients (e.g., `power-user`, `first-subscriber`,...)
+- `${API_KEY}`: Randomly generated and unique
+- `${HASHED_SECRET}`: The hashed secret generated in the previous step

chloria-backend/chloria-api/README.md

@@ -0,0 +1,103 @@
+use std::sync::Arc;
+
+use anyhow::Result;
+use async_trait::async_trait;
+use strum::Display;
+
+use super::{
+    super::{
+        ports::{hashing_algorithm::HashingAlgorithm, repository::Repository},
+        workshop::Workshop,
+    },
+    Case,
+};
+
+pub(crate) struct AuthenticateCaseInput {
+    pub(crate) api_key: String,
+    pub(crate) api_secret: String,
+}
+
+#[derive(Display)]
+pub(crate) enum AuthenticateCaseOutput {
+    NotFound,
+    IncorrectSecret,
+    Success,
+}
+
+struct AuthenticateCase {
+    repository: Arc<dyn Repository>,
+    hashing_algorithm: Box<dyn HashingAlgorithm>,
+    input: AuthenticateCaseInput,
+}
+
+impl Workshop {
+    pub(crate) async fn execute_authenticate_case(
+        &self,
+        input: AuthenticateCaseInput,
+    ) -> Result<AuthenticateCaseOutput> {
+        let case = AuthenticateCase {
+            repository: Arc::clone(&self.repository),
+            hashing_algorithm: self.hashing_algorithm.clone(),
+            input,
+        };
+        self.run_case(case).await
+    }
+}
+
+#[async_trait]
+impl Case for AuthenticateCase {
+    type Output = AuthenticateCaseOutput;
+
+    async fn execute(self) -> Result<Self::Output> {
+        let Some(api_secret_value) = self.repository.select_client_api_secret(&self.input.api_key).await? else {
+            return Ok(AuthenticateCaseOutput::NotFound);
+        };
+        if !self
+            .hashing_algorithm
+            .verify(&self.input.api_secret, &api_secret_value)?
+        {
+            return Ok(AuthenticateCaseOutput::IncorrectSecret);
+        }
+        Ok(AuthenticateCaseOutput::Success)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use std::sync::Arc;
+
+    use anyhow::Result;
+
+    use super::{
+        super::{
+            super::ports::{hashing_algorithm::MockHashingAlgorithm, repository::MockRepository},
+            Case,
+        },
+        AuthenticateCase, AuthenticateCaseInput, AuthenticateCaseOutput,
+    };
+
+    #[tokio::test]
+    async fn confirm_successful_authentication() -> Result<()> {
+        let mut mock_repository = MockRepository::new();
+        mock_repository
+            .expect_select_client_api_secret()
+            .times(1)
+            .returning(|_| Ok(Some("".to_string())));
+        let mut mock_hashing_algorithm = MockHashingAlgorithm::new();
+        mock_hashing_algorithm
+            .expect_verify()
+            .times(1)
+            .returning(|_, _| Ok(true));
+        let case = AuthenticateCase {
+            repository: Arc::new(mock_repository),
+            hashing_algorithm: Box::new(mock_hashing_algorithm),
+            input: AuthenticateCaseInput {
+                api_key: "".to_string(),
+                api_secret: "".to_string(),
+            },
+        };
+        let output = case.execute().await?;
+        assert!(matches!(output, AuthenticateCaseOutput::Success));
+        Ok(())
+    }
+}

chloria-backend/chloria-api/src/execution/cases/authenticate.rs

@@ -0,0 +1,11 @@
+pub(crate) mod authenticate;
+
+use anyhow::Result;
+use async_trait::async_trait;
+
+#[async_trait]
+pub(super) trait Case: Send + Sync + 'static {
+    type Output: Send;
+
+    async fn execute(self) -> Result<Self::Output>;
+}

chloria-backend/chloria-api/src/execution/cases/mod.rs

@@ -0,0 +1,3 @@
+pub(crate) mod cases;
+pub(crate) mod ports;
+pub(crate) mod workshop;

chloria-backend/chloria-api/src/execution/mod.rs

@@ -0,0 +1,46 @@
+use anyhow::Result;
+use mockall::mock;
+
+use private::{HashingAlgorithmBoxClone, Internal};
+
+pub(crate) trait HashingAlgorithm: HashingAlgorithmBoxClone + Send + Sync + 'static {
+    fn verify(&self, secret: &str, hashed_secret: &str) -> Result<bool>;
+}
+
+mod private {
+    use super::HashingAlgorithm;
+
+    pub(crate) struct Internal;
+
+    pub(crate) trait HashingAlgorithmBoxClone {
+        // Sealed with an unused internal argument to prevent this method from being called directly outside
+        fn box_clone(&self, _internal: Internal) -> Box<dyn HashingAlgorithm>;
+    }
+
+    impl<A> HashingAlgorithmBoxClone for A
+    where
+        A: HashingAlgorithm + Clone,
+    {
+        fn box_clone(&self, _internal: Internal) -> Box<dyn HashingAlgorithm> {
+            Box::new(self.clone())
+        }
+    }
+}
+
+impl Clone for Box<dyn HashingAlgorithm> {
+    fn clone(&self) -> Self {
+        self.box_clone(Internal)
+    }
+}
+
+mock! {
+    pub(in super::super) HashingAlgorithm {}
+
+    impl HashingAlgorithm for HashingAlgorithm {
+        fn verify(&self, secret: &str, hashed_secret: &str) -> Result<bool>;
+    }
+
+    impl HashingAlgorithmBoxClone for HashingAlgorithm {
+        fn box_clone(&self, _internal: Internal) -> Box<dyn HashingAlgorithm>;
+    }
+}

chloria-backend/chloria-api/src/execution/ports/hashing_algorithm.rs

@@ -0,0 +1,2 @@
+pub(crate) mod hashing_algorithm;
+pub(crate) mod repository;

chloria-backend/chloria-api/src/execution/ports/mod.rs

@@ -0,0 +1,9 @@
+use anyhow::Result;
+use async_trait::async_trait;
+use mockall::automock;
+
+#[automock]
+#[async_trait]
+pub(crate) trait Repository: Send + Sync {
+    async fn select_client_api_secret(&self, api_key_input: &str) -> Result<Option<String>>;
+}

chloria-backend/chloria-api/src/execution/ports/repository.rs

@@ -0,0 +1,46 @@
+use std::sync::Arc;
+
+use anyhow::Result;
+use tokio::sync::Semaphore;
+
+use super::{
+    cases::Case,
+    ports::{hashing_algorithm::HashingAlgorithm, repository::Repository},
+};
+
+pub(crate) struct Config {
+    pub(crate) case_permits_num: usize,
+}
+
+#[derive(Clone)]
+pub(crate) struct Workshop {
+    pub(super) repository: Arc<dyn Repository>,
+    // NOTE: We could use `Arc`, but the hashing algorithm doesn't need to be shared across threads since it should have no state.
+    // We use `Box` for simple cloning and to avoid overhead.
+    pub(super) hashing_algorithm: Box<dyn HashingAlgorithm>,
+    semaphore: Arc<Semaphore>,
+}
+
+impl Workshop {
+    pub(crate) fn new(
+        repository: Arc<dyn Repository>,
+        hashing_algorithm: Box<dyn HashingAlgorithm>,
+        config: Config,
+    ) -> Self {
+        let semaphore = Arc::new(Semaphore::new(config.case_permits_num));
+        Self {
+            repository,
+            hashing_algorithm,
+            semaphore,
+        }
+    }
+
+    pub(super) async fn run_case<C: Case>(&self, case: C) -> Result<C::Output> {
+        let semaphore = Arc::clone(&self.semaphore);
+        tokio::task::spawn(async move {
+            let _permit = semaphore.acquire().await?;
+            case.execute().await
+        })
+        .await?
+    }
+}