Define admin users and extend AuthCheck to handle them

This adds a concept of admin users, who are defined by their GitHub IDs,
and allows them to be defined through an environment variable, falling
back to a static list of the current `crates.io` team.

`AuthCheck` now has a builder method to require that the current cookie
or token belong to an admin user.

In the future, this will be extended to use Rust's team API for the
fallback.

Author: LawnGnome

.env.sample

@@ -72,3 +72,7 @@ export GH_CLIENT_SECRET=
 # Credentials for connecting to the Sentry error reporting service.
 # export SENTRY_DSN_API=
 export SENTRY_ENV_API=local
+
+# IDs of GitHub users that are admins on this instance, separated by commas.
+# Whitespace will be ignored.
+export GH_ADMIN_USER_IDS=

Cargo.lock

@@ -60,6 +60,7 @@ indicatif = "=0.17.3"
 ipnetwork = "=0.20.0"
 tikv-jemallocator = { version = "=0.5.0", features = ['unprefixed_malloc_on_supported_platforms', 'profiling'] }
 lettre = { version = "=0.10.4", default-features = false, features = ["file-transport", "smtp-transport", "native-tls", "hostname", "builder"] }
+lazy_static = "=1.4.0"
 minijinja = "=0.32.1"
 moka = { version = "=0.11.0", features = ["future"]  }
 oauth2 = { version = "=4.3.0", default-features = false, features = ["reqwest"] }

Cargo.toml

@@ -16,6 +16,7 @@ pub struct AuthCheck {
     allow_token: bool,
     endpoint_scope: Option<EndpointScope>,
     crate_name: Option<String>,
+    require_admin: bool,
 }
 
 impl AuthCheck {
@@ -27,6 +28,7 @@ impl AuthCheck {
             allow_token: true,
             endpoint_scope: None,
             crate_name: None,
+            require_admin: false,
         }
     }
 
@@ -36,6 +38,7 @@ impl AuthCheck {
             allow_token: false,
             endpoint_scope: None,
             crate_name: None,
+            require_admin: false,
         }
     }
 
@@ -44,6 +47,7 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: Some(endpoint_scope),
             crate_name: self.crate_name.clone(),
+            require_admin: self.require_admin,
         }
     }
 
@@ -52,6 +56,16 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: self.endpoint_scope,
             crate_name: Some(crate_name.to_string()),
+            require_admin: self.require_admin,
+        }
+    }
+
+    pub fn require_admin(&self) -> Self {
+        Self {
+            allow_token: self.allow_token,
+            endpoint_scope: self.endpoint_scope,
+            crate_name: self.crate_name.clone(),
+            require_admin: true,
         }
     }
 
@@ -61,8 +75,10 @@ impl AuthCheck {
         request: &T,
         conn: &mut PgConnection,
     ) -> AppResult<Authentication> {
-        let auth = authenticate(request, conn)?;
+        self.check_authentication(authenticate(request, conn)?)
+    }
 
+    fn check_authentication(&self, auth: Authentication) -> AppResult<Authentication> {
         if let Some(token) = auth.api_token() {
             if !self.allow_token {
                 let error_message =
@@ -81,6 +97,11 @@ impl AuthCheck {
             }
         }
 
+        if self.require_admin && auth.user().admin().is_err() {
+            let error_message = "User is unauthorized";
+            return Err(internal(error_message).chain(forbidden()));
+        }
+
         Ok(auth)
     }
 
@@ -247,6 +268,13 @@ fn ensure_not_locked(user: &User) -> AppResult<()> {
 
 #[cfg(test)]
 mod tests {
+    use chrono::NaiveDate;
+
+    use crate::{
+        models::user::tests::MockUserGenerator,
+        util::token::{SecureToken, SecureTokenKind},
+    };
+
     use super::*;
 
     fn cs(scope: &str) -> CrateScope {
@@ -343,4 +371,31 @@ mod tests {
         assert!(!auth_check.crate_scope_matches(Some(&vec![cs("anyhow")])));
         assert!(!auth_check.crate_scope_matches(Some(&vec![cs("actix-*")])));
     }
+
+    #[test]
+    fn require_admin() {
+        let auth_check = AuthCheck::default().require_admin();
+
+        let mut gen = MockUserGenerator::default();
+        let admin = gen.admin();
+        let non_admin = gen.regular();
+
+        assert_ok!(auth_check.check_authentication(mock_cookie(admin.clone())));
+        assert_err!(auth_check.check_authentication(mock_cookie(non_admin.clone())));
+        assert_ok!(auth_check.check_authentication(mock_token(admin)));
+        assert_err!(auth_check.check_authentication(mock_token(non_admin)));
+    }
+
+    fn mock_cookie(user: User) -> Authentication {
+        Authentication::Cookie(CookieAuthentication { user })
+    }
+
+    fn mock_token(user: User) -> Authentication {
+        Authentication::Token(TokenAuthentication {
+            token: crate::models::token::tests::build_mock()
+                .user_id(user.id)
+                .token(),
+            user,
+        })
+    }
 }

src/auth.rs

@@ -1 +1,2 @@
+pub mod admin;
 pub mod with_count;

src/models/helpers.rs

@@ -0,0 +1,91 @@
+use std::{collections::HashSet, num::ParseIntError, str::FromStr};
+
+use lazy_static::lazy_static;
+
+use crate::util::errors::{forbidden, AppResult};
+
+lazy_static! {
+    static ref AUTHORIZED_ADMIN_USER_IDS: HashSet<i32> =
+        parse_authorized_admin_users(dotenv::var("GH_ADMIN_USER_IDS"));
+}
+
+// The defaults correspond to the current crates.io team.
+//
+// FIXME: this needs to be removed once we can detect the admins from the Rust teams API.
+const DEFAULT_ADMIN_USER_IDS: [i32; 5] = [193874, 22186, 141300, 229984, 20070360];
+
+fn parse_authorized_admin_users(maybe_users: dotenv::Result<String>) -> HashSet<i32> {
+    match maybe_users {
+        Ok(users) => users
+            .split(|c: char| !(c.is_ascii_digit()))
+            .filter(|uid| !uid.is_empty())
+            .map(i32::from_str)
+            .collect::<Result<HashSet<i32>, ParseIntError>>()
+            .expect("parsing admin users from $GH_ADMIN_USER_IDS"),
+        Err(_err) => DEFAULT_ADMIN_USER_IDS.into_iter().collect(),
+    }
+}
+
+/// Return `Ok(())` if the given GitHub user ID matches a known admin (set
+/// either via the `$GH_ADMIN_USER_IDS` environment variable, or the builtin
+/// fallback list if that variable is unset), or a forbidden error otherwise.
+pub fn is_authorized_admin(github_uid: i32) -> AppResult<()> {
+    // This hack is here to allow tests to have a consistent set of admin users
+    // (in this case, just the contents of the `DEFAULT_ADMIN_USER_IDS` constant
+    // above).
+
+    #[cfg(not(test))]
+    fn check_user_id(uid: i32) -> bool {
+        AUTHORIZED_ADMIN_USER_IDS.contains(&uid)
+    }
+
+    #[cfg(test)]
+    fn check_user_id(uid: i32) -> bool {
+        DEFAULT_ADMIN_USER_IDS.contains(&uid)
+    }
+
+    if check_user_id(github_uid) {
+        Ok(())
+    } else {
+        Err(forbidden())
+    }
+}
+
+#[cfg(test)]
+pub(crate) fn authorized_user_ids() -> &'static HashSet<i32> {
+    &AUTHORIZED_ADMIN_USER_IDS
+}
+
+#[cfg(test)]
+mod tests {
+    use std::io::{self, ErrorKind};
+
+    use super::{is_authorized_admin, parse_authorized_admin_users, DEFAULT_ADMIN_USER_IDS};
+
+    #[test]
+    fn test_is_authorized_admin() {
+        assert_ok!(is_authorized_admin(193874));
+        assert_err!(is_authorized_admin(0));
+        assert_err!(is_authorized_admin(141301));
+    }
+
+    #[test]
+    fn test_parse_authorized_admin_users() {
+        fn assert_authorized(input: dotenv::Result<&str>, expected: &[i32]) {
+            assert_eq!(
+                parse_authorized_admin_users(input.map(String::from)),
+                expected.iter().copied().collect()
+            );
+        }
+
+        assert_authorized(Ok(""), &[]);
+        assert_authorized(Ok("12345"), &[12345]);
+        assert_authorized(Ok("12345, 6789"), &[12345, 6789]);
+        assert_authorized(Ok("   12345  6789 "), &[12345, 6789]);
+        assert_authorized(Ok("12345;6789"), &[12345, 6789]);
+        assert_authorized(Ok("12345;6789;12345"), &[12345, 6789]);
+
+        let not_found_error = dotenv::Error::Io(io::Error::new(ErrorKind::NotFound, "not found"));
+        assert_authorized(Err(not_found_error), DEFAULT_ADMIN_USER_IDS.as_slice());
+    }
+}

src/models/helpers/admin.rs

@@ -102,31 +102,28 @@ impl std::fmt::Debug for CreatedApiToken {
 }
 
 #[cfg(test)]
-mod tests {
+pub mod tests {
     use super::*;
     use chrono::NaiveDate;
 
     #[test]
     fn api_token_serializes_to_rfc3339() {
-        let tok = ApiToken {
-            id: 12345,
-            user_id: 23456,
-            token: SecureToken::generate(SecureTokenKind::Api).into_inner(),
-            revoked: false,
-            name: "".to_string(),
-            created_at: NaiveDate::from_ymd_opt(2017, 1, 6)
-                .unwrap()
-                .and_hms_opt(14, 23, 11)
-                .unwrap(),
-            last_used_at: Some(
+        let tok = build_mock()
+            .created_at(
                 NaiveDate::from_ymd_opt(2017, 1, 6)
                     .unwrap()
-                    .and_hms_opt(14, 23, 12),
+                    .and_hms_opt(14, 23, 11)
+                    .unwrap(),
             )
-            .unwrap(),
-            crate_scopes: None,
-            endpoint_scopes: None,
-        };
+            .last_used_at(
+                Some(
+                    NaiveDate::from_ymd_opt(2017, 1, 6)
+                        .unwrap()
+                        .and_hms_opt(14, 23, 12),
+                )
+                .unwrap(),
+            )
+            .token();
         let json = serde_json::to_string(&tok).unwrap();
         assert_some!(json
             .as_str()
@@ -135,4 +132,66 @@ mod tests {
             .as_str()
             .find(r#""last_used_at":"2017-01-06T14:23:12+00:00""#));
     }
+
+    pub struct MockBuilder(ApiToken);
+
+    impl MockBuilder {
+        pub fn token(self) -> ApiToken {
+            self.0
+        }
+
+        pub fn id(mut self, id: i32) -> Self {
+            self.0.id = id;
+            self
+        }
+
+        pub fn user_id(mut self, user_id: i32) -> Self {
+            self.0.user_id = user_id;
+            self
+        }
+
+        pub fn name(mut self, name: String) -> Self {
+            self.0.name = name;
+            self
+        }
+
+        pub fn created_at(mut self, created_at: NaiveDateTime) -> Self {
+            self.0.created_at = created_at;
+            self
+        }
+
+        pub fn last_used_at(mut self, last_used_at: Option<NaiveDateTime>) -> Self {
+            self.0.last_used_at = last_used_at;
+            self
+        }
+
+        pub fn revoked(mut self, revoked: bool) -> Self {
+            self.0.revoked = revoked;
+            self
+        }
+
+        pub fn crate_scopes(mut self, crate_scopes: Option<Vec<CrateScope>>) -> Self {
+            self.0.crate_scopes = crate_scopes;
+            self
+        }
+
+        pub fn endpoint_scopes(mut self, endpoint_scopes: Option<Vec<EndpointScope>>) -> Self {
+            self.0.endpoint_scopes = endpoint_scopes;
+            self
+        }
+    }
+
+    pub fn build_mock() -> MockBuilder {
+        MockBuilder(ApiToken {
+            id: 12345,
+            user_id: 23456,
+            token: SecureToken::generate(SecureTokenKind::Api).into_inner(),
+            revoked: false,
+            name: "".to_string(),
+            created_at: NaiveDateTime::default(),
+            last_used_at: None,
+            crate_scopes: None,
+            endpoint_scopes: None,
+        })
+    }
 }