Incorporate new GADT-based auth into Delayed

This commit is contained in:
aaron levin 2015-12-24 17:20:29 +01:00
parent c169d0bd59
commit 4d23cada4c
2 changed files with 107 additions and 58 deletions

View file

@ -1,9 +1,11 @@
{-# LANGUAGE CPP #-} {-# LANGUAGE CPP #-}
{-# LANGUAGE DataKinds #-} {-# LANGUAGE DataKinds #-}
{-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE FlexibleInstances #-}
{-# LANGUAGE ScopedTypeVariables #-} {-# LANGUAGE FunctionalDependencies #-}
{-# LANGUAGE TypeFamilies #-} {-# LANGUAGE MultiParamTypeClasses #-}
{-# LANGUAGE FlexibleInstances #-} {-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE ScopedTypeVariables #-}
{-# LANGUAGE TypeFamilies #-}
module Servant.Server.Internal.Authentication module Servant.Server.Internal.Authentication
( AuthData (..) ( AuthData (..)
@ -11,6 +13,7 @@ module Servant.Server.Internal.Authentication
, basicAuthLax , basicAuthLax
, basicAuthStrict , basicAuthStrict
, jwtAuthStrict , jwtAuthStrict
, SimpleAuthProtected
) where ) where
import Control.Monad (guard) import Control.Monad (guard)
@ -40,19 +43,20 @@ import qualified Web.JWT as JWT (decode)
-- | Class to represent the ability to extract authentication-related -- | Class to represent the ability to extract authentication-related
-- data from a 'Request' object. -- data from a 'Request' object.
class AuthData a where class AuthData a e | a -> e where
authData :: Request -> Maybe a authData :: Request -> Either e a
authProtect :: OnMissing IO ServantErr (missingPolicy :: AuthPolicy) -- | combinator to create authentication protected servers.
-> OnUnauthenticated IO ServantErr (unauthPolicy :: AuthPolicy) errorIndex authData authProtect :: OnMissing IO ServantErr missingPolicy missingError
-> (authData -> IO (Either errorIndex usr)) -> OnUnauthenticated IO ServantErr unauthPolicy unauthError authData
-> (authData -> IO (Either unauthError usr))
-> subserver -> subserver
-> AuthProtected IO ServantErr missingPolicy unauthPolicy errorIndex authData usr subserver -> AuthProtected IO ServantErr missingPolicy missingError unauthPolicy unauthError authData usr subserver
authProtect = AuthProtected authProtect = AuthProtected
-- | 'BasicAuth' instance for authData -- | 'BasicAuth' instance for authData
instance AuthData (BasicAuth realm) where instance AuthData (BasicAuth realm) () where
authData request = do authData request = maybe (Left ()) Right $ do
authBs <- lookup "Authorization" (requestHeaders request) authBs <- lookup "Authorization" (requestHeaders request)
let (x,y) = B.break isSpace authBs let (x,y) = B.break isSpace authBs
guard (B.map toLower x == "basic") guard (B.map toLower x == "basic")
@ -72,8 +76,8 @@ basicAuthFailure p = let realmBytes = (fromString . symbolVal) p
-- | OnMisisng handler for Basic Authentication -- | OnMisisng handler for Basic Authentication
basicMissingHandler :: forall realm. KnownSymbol realm basicMissingHandler :: forall realm. KnownSymbol realm
=> Proxy realm => Proxy realm
-> OnMissing IO ServantErr 'Strict -> OnMissing IO ServantErr 'Strict ()
basicMissingHandler p = StrictMissing (return $ basicAuthFailure p) basicMissingHandler p = StrictMissing (const $ return (basicAuthFailure p))
-- | OnUnauthenticated handler for Basic Authentication -- | OnUnauthenticated handler for Basic Authentication
basicUnauthenticatedHandler :: forall realm. KnownSymbol realm basicUnauthenticatedHandler :: forall realm. KnownSymbol realm
@ -85,7 +89,7 @@ basicUnauthenticatedHandler p = StrictUnauthenticated (const . const (return $ b
basicAuthStrict :: forall realm usr subserver. KnownSymbol realm basicAuthStrict :: forall realm usr subserver. KnownSymbol realm
=> (BasicAuth realm -> IO (Maybe usr)) => (BasicAuth realm -> IO (Maybe usr))
-> subserver -> subserver
-> AuthProtected IO ServantErr 'Strict 'Strict () (BasicAuth realm) usr subserver -> AuthProtected IO ServantErr 'Strict () 'Strict () (BasicAuth realm) usr subserver
basicAuthStrict check sub = basicAuthStrict check sub =
let mHandler = basicMissingHandler (Proxy :: Proxy realm) let mHandler = basicMissingHandler (Proxy :: Proxy realm)
unauthHandler = basicUnauthenticatedHandler (Proxy :: Proxy realm) unauthHandler = basicUnauthenticatedHandler (Proxy :: Proxy realm)
@ -96,14 +100,14 @@ basicAuthStrict check sub =
basicAuthLax :: KnownSymbol realm basicAuthLax :: KnownSymbol realm
=> (BasicAuth realm -> IO (Maybe usr)) => (BasicAuth realm -> IO (Maybe usr))
-> subserver -> subserver
-> AuthProtected IO ServantErr 'Lax 'Lax () (BasicAuth realm) usr subserver -> AuthProtected IO ServantErr 'Lax () 'Lax () (BasicAuth realm) usr subserver
basicAuthLax check sub = basicAuthLax check sub =
let check' = \a -> maybe (Left ()) Right <$> check a let check' = \a -> maybe (Left ()) Right <$> check a
in AuthProtected LaxMissing LaxUnauthenticated check' sub in AuthProtected LaxMissing LaxUnauthenticated check' sub
-- | Authentication data we extract from requests for JWT-based authentication. -- | Authentication data we extract from requests for JWT-based authentication.
instance AuthData JWTAuth where instance AuthData JWTAuth () where
authData req = do authData req = maybe (Left ()) Right $ do
hdr <- lookup "Authorization" . requestHeaders $ req hdr <- lookup "Authorization" . requestHeaders $ req
["Bearer", token] <- return . splitOn " " . decodeUtf8 $ hdr ["Bearer", token] <- return . splitOn " " . decodeUtf8 $ hdr
_ <- JWT.decode token -- try decode it. otherwise it's not a proper token _ <- JWT.decode token -- try decode it. otherwise it's not a proper token
@ -116,9 +120,13 @@ jwtWithError e = err401 { errHeaders = [("WWW-Authenticate", "Bearer error=\""<>
-- | OnMissing handler for Strict, JWT-based authentication -- | OnMissing handler for Strict, JWT-based authentication
jwtAuthStrict :: Secret jwtAuthStrict :: Secret
-> subserver -> subserver
-> AuthProtected IO ServantErr 'Strict 'Strict () JWTAuth (JWT VerifiedJWT) subserver -> AuthProtected IO ServantErr 'Strict () 'Strict () JWTAuth (JWT VerifiedJWT) subserver
jwtAuthStrict secret sub = jwtAuthStrict secret sub =
let missingHandler = StrictMissing (return $ jwtWithError "invalid_request") let missingHandler = StrictMissing (const $ return (jwtWithError "invalid_request"))
unauthHandler = StrictUnauthenticated (const . const (return $ jwtWithError "invalid_token")) unauthHandler = StrictUnauthenticated (const . const (return $ jwtWithError "invalid_token"))
check = return . maybe (Left ()) Right . decodeAndVerifySignature secret . unJWTAuth check = return . maybe (Left ()) Right . decodeAndVerifySignature secret . unJWTAuth
in AuthProtected missingHandler unauthHandler check sub in AuthProtected missingHandler unauthHandler check sub
-- | A type alias to make simple authentication endpoints
type SimpleAuthProtected mPolicy uPolicy authData usr subserver =
AuthProtected IO ServantErr mPolicy () uPolicy () authData usr subserver

View file

@ -2,10 +2,11 @@
{-# LANGUAGE DataKinds #-} {-# LANGUAGE DataKinds #-}
{-# LANGUAGE DeriveFunctor #-} {-# LANGUAGE DeriveFunctor #-}
{-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE TypeOperators #-}
{-# LANGUAGE GADTs #-} {-# LANGUAGE GADTs #-}
{-# LANGUAGE KindSignatures #-} {-# LANGUAGE KindSignatures #-}
{-# LANGUAGE StandaloneDeriving #-} {-# LANGUAGE StandaloneDeriving #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE TypeOperators #-}
module Servant.Server.Internal.RoutingApplication where module Servant.Server.Internal.RoutingApplication where
#if !MIN_VERSION_base(4,8,0) #if !MIN_VERSION_base(4,8,0)
@ -20,8 +21,8 @@ import Network.Wai (Application, Request,
Response, ResponseReceived, Response, ResponseReceived,
requestBody, requestBody,
strictRequestBody) strictRequestBody)
import Servant.API.Authentication (AuthPolicy(Strict,Lax)) import Servant.API.Authentication (AuthProtected (..), AuthPolicy(Strict,Lax),
import Servant.Server.Internal.Authentication OnMissing (..), OnUnauthenticated (..), SAuthPolicy (..))
import Servant.Server.Internal.ServantErr import Servant.Server.Internal.ServantErr
type RoutingApplication = type RoutingApplication =
@ -179,43 +180,83 @@ addMethodCheck :: Delayed a
addMethodCheck (Delayed captures method auth body server) new = addMethodCheck (Delayed captures method auth body server) new =
Delayed captures (combineRouteResults const method new) auth body server Delayed captures (combineRouteResults const method new) auth body server
-- | Add a method to perform authorization in strict mode. -- | helper type family to capture server handled values for various policies
addAuthStrictCheck :: Delayed (AuthProtected auth usr (usr -> a) 'Strict) type family AuthDelayedReturn (mP :: AuthPolicy) mE (uP :: AuthPolicy) uE usr :: * where
-> IO (RouteResult (Maybe auth)) AuthDelayedReturn 'Strict mE 'Strict uE usr = usr
-> Delayed a AuthDelayedReturn 'Strict mE 'Lax uE usr = Either uE usr
addAuthStrictCheck delayed@(Delayed captures method _ body _) new = AuthDelayedReturn 'Lax mE 'Strict uE usr = Either mE usr
let newAuth = runDelayed delayed `bindRouteResults` \authProtectionStrict -> new `bindRouteResults` \mAuthData -> case mAuthData of AuthDelayedReturn 'Lax mE 'Lax uE usr = Either (Either mE uE) usr
Nothing -> do -- | Internal method to generate auth checkers for various policies. Scary type signature
-- we're in strict mode: don't let the request go -- but it does help with understanding the logic of how each policy works. See
-- call the provided "on missing auth" handler -- examples below.
resp <- onMissingAuthData (authHandlers authProtectionStrict) genAuthCheck :: (OnMissing IO ServantErr mPolicy mError -> (AuthDelayedReturn mPolicy mError uPolicy uError usr -> a) -> mError -> IO (RouteResult a))
return $ FailFatal resp -> (OnUnauthenticated IO ServantErr uPolicy uError auth -> (AuthDelayedReturn mPolicy mError uPolicy uError usr -> a) -> uError -> auth -> IO (RouteResult a))
-> (usr -> (AuthDelayedReturn mPolicy mError uPolicy uError usr))
-- successfully pulled auth data out of the request -> Delayed (AuthProtected IO ServantErr mPolicy mError uPolicy uError auth usr (AuthDelayedReturn mPolicy mError uPolicy uError usr -> a))
Just aData -> do -> IO (RouteResult (Either mError auth))
mUsr <- (checkAuthStrict authProtectionStrict) aData -> Delayed a
case mUsr of genAuthCheck missingHandler unauthHandler returnHandler d@(Delayed captures method _ body _) new =
-- this user is not authenticated let newAuth =
Nothing -> do runDelayed d `bindRouteResults` \ authProtection ->
resp <- onUnauthenticated (authHandlers authProtectionStrict) aData new `bindRouteResults` \ eAuthData ->
return $ FailFatal resp case eAuthData of
-- we failed to extract authentication data from the request
-- this user is authenticated Left mError -> missingHandler (onMissing authProtection) (subserver authProtection) mError
Just usr -> -- auth data was succesfully extracted from the request
(return . Route . subServerStrict authProtectionStrict) usr Right aData -> do
eUsr <- checkAuth authProtection aData
case eUsr of
-- we failed to authenticate the user
Left uError -> unauthHandler (onUnauthenticated authProtection) (subserver authProtection) uError aData
-- user was authenticated
Right usr ->
(return . Route . subserver authProtection) (returnHandler usr)
in Delayed captures method newAuth body (\_ y _ -> Route y) in Delayed captures method newAuth body (\_ y _ -> Route y)
-- | Add a method to perform authorization in strict mode. -- | Delayed auth checker for Strict Missing and Strict Unauthentication
addAuthLaxCheck :: Delayed (AuthProtected auth usr (Maybe usr -> a) 'Lax) addAuthCheckSS :: Delayed (AuthProtected IO ServantErr 'Strict mError 'Strict uError auth usr (usr -> a))
-> IO (RouteResult (Maybe auth)) -> IO (RouteResult (Either mError auth))
-> Delayed a -> Delayed a
addAuthLaxCheck delayed@(Delayed captures method _ body _) new = addAuthCheckSS = genAuthCheck (\(StrictMissing handler) _ e -> FailFatal <$> handler e)
let newAuth = runDelayed delayed `bindRouteResults` \authProtectionLax -> new `bindRouteResults` \mAuthData -> (\(StrictUnauthenticated handler) _ e a -> FailFatal <$> handler e a)
fmap (Route . subServerLax authProtectionLax) id
(maybe (pure Nothing) (checkAuthLax authProtectionLax) mAuthData)
in Delayed captures method newAuth body (\_ y _ -> Route y) -- | Delayed auth checker for Strict Missing and Lax Unauthentication
addAuthCheckSL :: Delayed (AuthProtected IO ServantErr 'Strict mError 'Lax uError auth usr (Either uError usr -> a))
-> IO (RouteResult (Either mError auth))
-> Delayed a
addAuthCheckSL = genAuthCheck (\(StrictMissing handler) _ e -> FailFatal <$> handler e)
(\(LaxUnauthenticated) cont e _ -> (return . Route . cont) (Left e))
Right
-- | Delayed auth checker for Lax Missing and Strict Unauthentication
addAuthCheckLS :: Delayed (AuthProtected IO ServantErr 'Lax mError 'Strict uError auth usr (Either mError usr -> a))
-> IO (RouteResult (Either mError auth))
-> Delayed a
addAuthCheckLS = genAuthCheck (\(LaxMissing) cont e -> (return . Route . cont) (Left e))
(\(StrictUnauthenticated handler) _ e a -> FailFatal <$> handler e a)
Right
-- | Delayed auth checker for Lax Missing and Lax Unauthentication
addAuthCheckLL :: Delayed (AuthProtected IO ServantErr 'Lax mError 'Lax uError auth usr (Either (Either mError uError) usr -> a))
-> IO (RouteResult (Either mError auth))
-> Delayed a
addAuthCheckLL = genAuthCheck (\(LaxMissing) cont e -> (return . Route . cont) (Left (Left e)))
(\(LaxUnauthenticated) cont e _ -> (return . Route . cont) (Left (Right e)))
Right
-- | Add an auth check by supplying OnMissing policies and OnUnauthenticated policies.
addAuthCheck :: SAuthPolicy mPolicy
-> SAuthPolicy uPolicy
-> Delayed (AuthProtected IO ServantErr mPolicy mError uPolicy uError auth usr (AuthDelayedReturn mPolicy mError uPolicy uError usr -> a))
-> IO (RouteResult (Either mError auth))
-> Delayed a
addAuthCheck SStrict SStrict = addAuthCheckSS
addAuthCheck SStrict SLax = addAuthCheckSL
addAuthCheck SLax SStrict = addAuthCheckLS
addAuthCheck SLax SLax = addAuthCheckLL
-- | Add a body check to the end of the body block. -- | Add a body check to the end of the body block.
addBodyCheck :: Delayed (a -> b) addBodyCheck :: Delayed (a -> b)