1mod apidocs;
2pub(crate) mod cache_buster;
3pub(crate) mod errors;
4mod extractors;
5mod generic;
6mod javascript;
7mod manifest;
8pub(crate) mod middleware;
9mod oauth2;
10pub(crate) mod trace;
11mod v1;
12mod v1_domain;
13mod v1_oauth2;
14mod v1_scim;
15mod views;
16
17use self::extractors::ClientConnInfo;
18use self::javascript::*;
19use crate::actors::{QueryServerReadV1, QueryServerWriteV1};
20use crate::config::{AddressSet, Configuration, ServerRole};
21use crate::CoreAction;
22use axum::{
23 body::Body,
24 extract::connect_info::IntoMakeServiceWithConnectInfo,
25 http::{HeaderMap, HeaderValue, Request},
26 middleware::{from_fn, from_fn_with_state},
27 response::Redirect,
28 routing::*,
29 Router,
30};
31use axum_extra::extract::cookie::CookieJar;
32use cidr::IpCidr;
33use compact_jwt::{error::JwtError, JwsCompact, JwsHs256Signer, JwsVerifier};
34use futures::pin_mut;
35use haproxy_protocol::{ProxyHdrV2, RemoteAddress};
36use hyper::body::Incoming;
37use hyper_util::rt::{TokioExecutor, TokioIo};
38use kanidm_lib_crypto::x509_cert::{der::Decode, x509_public_key_s256, Certificate};
39use kanidm_proto::{constants::KSESSIONID, internal::COOKIE_AUTH_SESSION_ID};
40use kanidmd_lib::{idm::ClientCertInfo, status::StatusActor};
41use serde::de::DeserializeOwned;
42use sketching::*;
43use std::fmt::Write;
44use std::io::ErrorKind;
45use std::path::PathBuf;
46use std::sync::Arc;
47use std::{
48 net::{IpAddr, SocketAddr},
49 str::FromStr,
50};
51use tokio::{
52 io::{AsyncRead, AsyncWrite},
53 net::{TcpListener, TcpStream},
54 sync::broadcast,
55 sync::mpsc,
56 task,
57};
58use tokio_rustls::TlsAcceptor;
59use tower::Service;
60use tower_http::{services::ServeDir, trace::TraceLayer};
61use url::Url;
62use uuid::Uuid;
63
64#[derive(Clone)]
65pub struct ServerState {
66 pub(crate) status_ref: &'static StatusActor,
67 pub(crate) qe_w_ref: &'static QueryServerWriteV1,
68 pub(crate) qe_r_ref: &'static QueryServerReadV1,
69 pub(crate) jws_signer: JwsHs256Signer,
71 pub(crate) trust_x_forward_for_ips: Option<Arc<AddressSet>>,
72 pub(crate) csp_header: HeaderValue,
73 pub(crate) origin: Url,
74 pub(crate) domain: String,
75 pub(crate) secure_cookies: bool,
77}
78
79impl ServerState {
80 fn deserialise_from_str<T: DeserializeOwned>(&self, input: &str) -> Option<T> {
84 match JwsCompact::from_str(input) {
85 Ok(val) => match self.jws_signer.verify(&val) {
86 Ok(val) => val.from_json::<T>().ok(),
87 Err(err) => {
88 error!(?err, "Failed to deserialise JWT from request");
89 if matches!(err, JwtError::InvalidSignature) {
90 warn!("Invalid Signature errors can occur if your instance restarted recently, if a load balancer is not configured for sticky sessions, or a session was tampered with.");
100 }
101 None
102 }
103 },
104 Err(_) => None,
105 }
106 }
107
108 #[instrument(level = "trace", skip_all)]
109 fn get_current_auth_session_id(&self, headers: &HeaderMap, jar: &CookieJar) -> Option<Uuid> {
110 headers
112 .get(KSESSIONID)
113 .and_then(|hv| {
114 trace!("trying header");
115 hv.to_str().ok()
117 })
118 .or_else(|| {
119 trace!("trying cookie");
120 jar.get(COOKIE_AUTH_SESSION_ID).map(|c| c.value())
121 })
122 .and_then(|s| {
123 trace!(id_jws = %s);
124 self.deserialise_from_str::<Uuid>(s)
125 })
126 }
127}
128
129pub(crate) fn get_js_files(role: ServerRole) -> Result<Vec<JavaScriptFile>, ()> {
130 let mut all_pages: Vec<JavaScriptFile> = Vec::new();
131
132 if !matches!(role, ServerRole::WriteReplicaNoUI) {
133 let pkg_path = env!("KANIDM_SERVER_UI_PKG_PATH").to_owned();
135
136 let filelist = [
137 "external/bootstrap.bundle.min.js",
138 "external/htmx.min.1.9.12.js",
139 "external/confetti.js",
140 "external/base64.js",
141 "modules/cred_update.mjs",
142 "pkhtml.js",
143 "style.js",
144 ];
145
146 for filepath in filelist {
147 match generate_integrity_hash(format!("{pkg_path}/{filepath}",)) {
148 Ok(hash) => {
149 debug!("Integrity hash for {}: {}", filepath, hash);
150 let js = JavaScriptFile { hash };
151 all_pages.push(js)
152 }
153 Err(err) => {
154 admin_error!(
155 ?err,
156 "Failed to generate integrity hash for {} - cancelling startup!",
157 filepath
158 );
159 return Err(());
160 }
161 }
162 }
163 }
164 Ok(all_pages)
165}
166
167pub async fn create_https_server(
168 config: Configuration,
169 jws_signer: JwsHs256Signer,
170 status_ref: &'static StatusActor,
171 qe_w_ref: &'static QueryServerWriteV1,
172 qe_r_ref: &'static QueryServerReadV1,
173 server_message_tx: broadcast::Sender<CoreAction>,
174 maybe_tls_acceptor: Option<TlsAcceptor>,
175 tls_acceptor_reload_rx: mpsc::Receiver<TlsAcceptor>,
176) -> Result<task::JoinHandle<()>, ()> {
177 let rx = server_message_tx.subscribe();
178
179 let all_js_files = get_js_files(config.role)?;
180 let js_directives = all_js_files
186 .into_iter()
187 .map(|f| f.hash)
188 .collect::<Vec<String>>();
189
190 let js_checksums: String = js_directives
191 .iter()
192 .fold(String::new(), |mut output, value| {
193 let _ = write!(output, " 'sha384-{value}'");
194 output
195 });
196
197 let csp_header = format!(
198 concat!(
199 "default-src 'self'; ",
200 "base-uri 'self' https:; ",
201 "form-action 'self' https:;",
202 "frame-ancestors 'none'; ",
203 "img-src 'self' data:; ",
204 "worker-src 'none'; ",
205 "script-src 'self' 'unsafe-eval'{};",
206 ),
207 js_checksums
208 );
209
210 let csp_header = HeaderValue::from_str(&csp_header).map_err(|err| {
211 error!(?err, "Unable to generate content security policy");
212 })?;
213
214 let trust_x_forward_for_ips = config
215 .http_client_address_info
216 .trusted_x_forward_for()
217 .map(Arc::new);
218
219 let trusted_proxy_v2_ips = config
220 .http_client_address_info
221 .trusted_proxy_v2()
222 .map(Arc::new);
223
224 let state = ServerState {
225 status_ref,
226 qe_w_ref,
227 qe_r_ref,
228 jws_signer,
229 trust_x_forward_for_ips,
230 csp_header,
231 origin: config.origin,
232 domain: config.domain.clone(),
233 secure_cookies: config.integration_test_config.is_none(),
234 };
235
236 let static_routes = match config.role {
237 ServerRole::WriteReplica | ServerRole::ReadOnlyReplica => {
238 Router::new()
239 .route("/ui/images/oauth2/:rs_name", get(oauth2::oauth2_image_get))
240 .route("/ui/images/domain", get(v1_domain::image_get))
241 .route("/manifest.webmanifest", get(manifest::manifest)) .layer(middleware::compression::new())
245 .layer(from_fn(middleware::caching::cache_me_short))
246 .route("/", get(|| async { Redirect::to("/ui") }))
247 .nest("/ui", views::view_router())
248 }
250 ServerRole::WriteReplicaNoUI => Router::new(),
251 };
252 let app = Router::new()
253 .merge(oauth2::route_setup(state.clone()))
254 .merge(v1_scim::route_setup())
255 .merge(v1::route_setup(state.clone()))
256 .route("/robots.txt", get(generic::robots_txt))
257 .route(
258 views::constants::Urls::WellKnownChangePassword.as_ref(),
259 get(generic::redirect_to_update_credentials),
260 );
261
262 let app = match config.role {
263 ServerRole::WriteReplicaNoUI => app,
264 ServerRole::WriteReplica | ServerRole::ReadOnlyReplica => {
265 let pkg_path = PathBuf::from(env!("KANIDM_SERVER_UI_PKG_PATH"));
266 if !pkg_path.exists() {
267 eprintln!(
268 "Couldn't find htmx UI package path: ({}), quitting.",
269 env!("KANIDM_SERVER_UI_PKG_PATH")
270 );
271 std::process::exit(1);
272 }
273 let pkg_router = Router::new()
274 .nest_service("/pkg", ServeDir::new(pkg_path))
275 .layer(from_fn(middleware::caching::cache_me_short));
277
278 app.merge(pkg_router)
279 }
280 };
281
282 let trace_layer = TraceLayer::new_for_http()
284 .make_span_with(trace::DefaultMakeSpanKanidmd::new())
285 .on_response(trace::DefaultOnResponseKanidmd::new());
287
288 let app = app
289 .merge(static_routes)
290 .layer(from_fn_with_state(
291 state.clone(),
292 middleware::security_headers::security_headers_layer,
293 ))
294 .layer(from_fn(middleware::version_middleware))
295 .layer(from_fn(
296 middleware::hsts_header::strict_transport_security_layer,
297 ));
298
299 #[cfg(any(test, debug_assertions))]
301 let app = app.layer(from_fn(middleware::are_we_json_yet));
302
303 let app = app
304 .route("/status", get(generic::status))
305 .layer(from_fn_with_state(
310 state.clone(),
311 middleware::ip_address_middleware,
312 ))
313 .layer(from_fn(middleware::kopid_middleware))
314 .merge(apidocs::router())
315 .layer(trace_layer)
317 .with_state(state)
318 .into_make_service_with_connect_info::<ClientConnInfo>();
320
321 let addr = SocketAddr::from_str(&config.address).map_err(|err| {
322 error!(
323 "Failed to parse address ({:?}) from config: {:?}",
324 config.address, err
325 );
326 })?;
327
328 info!("Starting the web server...");
329
330 let listener = match TcpListener::bind(addr).await {
331 Ok(l) => l,
332 Err(err) => {
333 error!(?err, "Failed to bind tcp listener");
334 return Err(());
335 }
336 };
337
338 match maybe_tls_acceptor {
339 Some(tls_acceptor) => Ok(task::spawn(server_tls_loop(
340 tls_acceptor,
341 listener,
342 app,
343 rx,
344 server_message_tx,
345 tls_acceptor_reload_rx,
346 trusted_proxy_v2_ips,
347 ))),
348 None => Ok(task::spawn(server_plaintext_loop(
349 listener,
350 app,
351 rx,
352 trusted_proxy_v2_ips,
353 ))),
354 }
355}
356
357async fn server_tls_loop(
358 mut tls_acceptor: TlsAcceptor,
359 listener: TcpListener,
360 app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
361 mut rx: broadcast::Receiver<CoreAction>,
362 server_message_tx: broadcast::Sender<CoreAction>,
363 mut tls_acceptor_reload_rx: mpsc::Receiver<TlsAcceptor>,
364 trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
365) {
366 pin_mut!(listener);
367
368 loop {
369 tokio::select! {
370 Ok(action) = rx.recv() => {
371 match action {
372 CoreAction::Shutdown => break,
373 }
374 }
375 accept = listener.accept() => {
376 match accept {
377 Ok((stream, addr)) => {
378 let tls_acceptor = tls_acceptor.clone();
379 let app = app.clone();
380 task::spawn(handle_tls_conn(tls_acceptor, stream, app, addr, trusted_proxy_v2_ips.clone()));
381 }
382 Err(err) => {
383 error!("Web server exited with {:?}", err);
384 if let Err(err) = server_message_tx.send(CoreAction::Shutdown) {
385 error!("Web server failed to send shutdown message! {:?}", err)
386 };
387 break;
388 }
389 }
390 }
391 Some(mut new_tls_acceptor) = tls_acceptor_reload_rx.recv() => {
392 std::mem::swap(&mut tls_acceptor, &mut new_tls_acceptor);
393 info!("Reloaded http tls acceptor");
394 }
395 }
396 }
397
398 info!("Stopped {}", super::TaskName::HttpsServer);
399}
400
401async fn server_plaintext_loop(
402 listener: TcpListener,
403 app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
404 mut rx: broadcast::Receiver<CoreAction>,
405 trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
406) {
407 pin_mut!(listener);
408
409 loop {
410 tokio::select! {
411 Ok(action) = rx.recv() => {
412 match action {
413 CoreAction::Shutdown => break,
414 }
415 }
416 accept = listener.accept() => {
417 match accept {
418 Ok((stream, addr)) => {
419 let app = app.clone();
420 task::spawn(handle_conn(stream, app, addr, trusted_proxy_v2_ips.clone()));
421 }
422 Err(err) => {
423 error!("Web server exited with {:?}", err);
424 break;
425 }
426 }
427 }
428 }
429 }
430
431 info!("Stopped {}", super::TaskName::HttpsServer);
432}
433
434pub(crate) async fn handle_conn(
436 stream: TcpStream,
437 app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
438 connection_addr: SocketAddr,
439 trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
440) -> Result<(), std::io::Error> {
441 let (stream, client_ip_addr) =
442 process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
443
444 let client_conn_info = ClientConnInfo {
445 connection_addr,
446 client_ip_addr,
447 client_cert: None,
448 };
449
450 let stream = TokioIo::new(stream);
453
454 process_client_hyper(stream, app, client_conn_info).await
455}
456
457pub(crate) async fn handle_tls_conn(
459 acceptor: TlsAcceptor,
460 stream: TcpStream,
461 app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
462 connection_addr: SocketAddr,
463 trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
464) -> Result<(), std::io::Error> {
465 let (stream, client_ip_addr) =
466 process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
467
468 let tls_stream = acceptor.accept(stream).await.map_err(|err| {
469 error!(?err, "Failed to create TLS stream");
470 std::io::Error::from(ErrorKind::ConnectionAborted)
471 })?;
472
473 let maybe_peer_cert = tls_stream
474 .get_ref()
475 .1
476 .peer_certificates()
477 .and_then(|peer_certs| peer_certs.first());
479
480 let client_cert = if let Some(peer_cert) = maybe_peer_cert {
482 let certificate = Certificate::from_der(peer_cert).map_err(|ossl_err| {
488 error!(?ossl_err, "unable to process DER certificate to x509");
489 std::io::Error::from(ErrorKind::ConnectionAborted)
490 })?;
491
492 let public_key_s256 = x509_public_key_s256(&certificate).ok_or_else(|| {
493 error!("subject public key bitstring is not octet aligned");
494 std::io::Error::from(ErrorKind::ConnectionAborted)
495 })?;
496
497 Some(ClientCertInfo {
498 public_key_s256,
499 certificate,
500 })
501 } else {
502 None
503 };
504
505 let client_conn_info = ClientConnInfo {
506 connection_addr,
507 client_ip_addr,
508 client_cert,
509 };
510
511 let stream = TokioIo::new(tls_stream);
514
515 process_client_hyper(stream, app, client_conn_info).await
516}
517
518async fn process_client_addr(
519 stream: TcpStream,
520 connection_addr: SocketAddr,
521 trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
522) -> Result<(TcpStream, IpAddr), std::io::Error> {
523 let enable_proxy_v2_hdr = trusted_proxy_v2_ips
524 .map(|trusted| {
525 trusted
526 .iter()
527 .any(|ip_cidr| ip_cidr.contains(&connection_addr.ip()))
528 })
529 .unwrap_or_default();
530
531 let (stream, client_addr) = if enable_proxy_v2_hdr {
532 match ProxyHdrV2::parse_from_read(stream).await {
533 Ok((stream, hdr)) => {
534 let remote_socket_addr = match hdr.to_remote_addr() {
535 RemoteAddress::Local => {
536 debug!("PROXY protocol liveness check - will not contain client data");
537 return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
538 }
539 RemoteAddress::TcpV4 { src, dst: _ } => SocketAddr::from(src),
540 RemoteAddress::TcpV6 { src, dst: _ } => SocketAddr::from(src),
541 remote_addr => {
542 error!(?remote_addr, "remote address in proxy header is invalid");
543 return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
544 }
545 };
546
547 (stream, remote_socket_addr)
548 }
549 Err(err) => {
550 error!(?connection_addr, ?err, "Unable to process proxy v2 header");
551 return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
552 }
553 }
554 } else {
555 (stream, connection_addr)
556 };
557
558 Ok((stream, client_addr.ip()))
559}
560
561async fn process_client_hyper<T>(
562 stream: TokioIo<T>,
563 mut app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
564 client_conn_info: ClientConnInfo,
565) -> Result<(), std::io::Error>
566where
567 T: AsyncRead + AsyncWrite + std::marker::Unpin + std::marker::Send + 'static,
568{
569 debug!(?client_conn_info);
570
571 let svc = tower::MakeService::<ClientConnInfo, hyper::Request<Body>>::make_service(
572 &mut app,
573 client_conn_info,
574 );
575
576 let svc = svc.await.map_err(|e| {
577 error!("Failed to build HTTP response: {:?}", e);
578 std::io::Error::from(ErrorKind::Other)
579 })?;
580
581 let hyper_service = hyper::service::service_fn(move |request: Request<Incoming>| {
585 svc.clone().call(request)
590 });
591
592 hyper_util::server::conn::auto::Builder::new(TokioExecutor::new())
593 .serve_connection_with_upgrades(stream, hyper_service)
594 .await
595 .map_err(|e| {
596 debug!("Failed to complete connection: {:?}", e);
597 std::io::Error::from(ErrorKind::ConnectionAborted)
598 })
599}