v0.1.5 (#40)

Reviewed-on: wrenn/wrenn#40

envd-rs/src/auth/middleware.rs

@@ -0,0 +1,56 @@
+use std::sync::Arc;
+
+use axum::extract::Request;
+use axum::http::StatusCode;
+use axum::middleware::Next;
+use axum::response::{IntoResponse, Response};
+use serde_json::json;
+
+use crate::auth::token::SecureToken;
+
+const ACCESS_TOKEN_HEADER: &str = "x-access-token";
+
+/// Paths excluded from general token auth.
+/// Format: "METHOD/path"
+const AUTH_EXCLUDED: &[&str] = &[
+    "GET/health",
+    "GET/files",
+    "POST/files",
+    "POST/init",
+    "POST/snapshot/prepare",
+];
+
+/// Axum middleware that checks X-Access-Token header.
+pub async fn auth_layer(
+    request: Request,
+    next: Next,
+    access_token: Arc<SecureToken>,
+) -> Response {
+    if access_token.is_set() {
+        let method = request.method().as_str();
+        let path = request.uri().path();
+        let key = format!("{method}{path}");
+
+        let is_excluded = AUTH_EXCLUDED.iter().any(|p| *p == key);
+
+        let header_val = request
+            .headers()
+            .get(ACCESS_TOKEN_HEADER)
+            .and_then(|v| v.to_str().ok())
+            .unwrap_or("");
+
+        if !access_token.equals(header_val) && !is_excluded {
+            tracing::error!("unauthorized access attempt");
+            return (
+                StatusCode::UNAUTHORIZED,
+                axum::Json(json!({
+                    "code": 401,
+                    "message": "unauthorized access, please provide a valid access token or method signing if supported"
+                })),
+            )
+                .into_response();
+        }
+    }
+
+    next.run(request).await
+}

envd-rs/src/auth/mod.rs

@@ -0,0 +1,3 @@
+pub mod token;
+pub mod signing;
+pub mod middleware;

envd-rs/src/auth/signing.rs

@@ -0,0 +1,85 @@
+use crate::auth::token::SecureToken;
+use crate::crypto;
+use zeroize::Zeroize;
+
+pub const READ_OPERATION: &str = "read";
+pub const WRITE_OPERATION: &str = "write";
+
+/// Generate a v1 signature: `v1_{sha256_base64(path:operation:username:token[:expiration])}`
+pub fn generate_signature(
+    token: &SecureToken,
+    path: &str,
+    username: &str,
+    operation: &str,
+    expiration: Option<i64>,
+) -> Result<String, &'static str> {
+    let mut token_bytes = token.bytes().ok_or("access token is not set")?;
+
+    let payload = match expiration {
+        Some(exp) => format!(
+            "{}:{}:{}:{}:{}",
+            path,
+            operation,
+            username,
+            String::from_utf8_lossy(&token_bytes),
+            exp
+        ),
+        None => format!(
+            "{}:{}:{}:{}",
+            path,
+            operation,
+            username,
+            String::from_utf8_lossy(&token_bytes),
+        ),
+    };
+
+    token_bytes.zeroize();
+
+    let hash = crypto::sha256::hash_without_prefix(payload.as_bytes());
+    Ok(format!("v1_{hash}"))
+}
+
+/// Validate a request's signing. Returns Ok(()) if valid.
+pub fn validate_signing(
+    token: &SecureToken,
+    header_token: Option<&str>,
+    signature: Option<&str>,
+    signature_expiration: Option<i64>,
+    username: &str,
+    path: &str,
+    operation: &str,
+) -> Result<(), String> {
+    if !token.is_set() {
+        return Ok(());
+    }
+
+    if let Some(ht) = header_token {
+        if !ht.is_empty() {
+            if token.equals(ht) {
+                return Ok(());
+            }
+            return Err("access token present in header but does not match".into());
+        }
+    }
+
+    let sig = signature.ok_or("missing signature query parameter")?;
+
+    let expected = generate_signature(token, path, username, operation, signature_expiration)
+        .map_err(|e| format!("error generating signing key: {e}"))?;
+
+    if expected != sig {
+        return Err("invalid signature".into());
+    }
+
+    if let Some(exp) = signature_expiration {
+        let now = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap()
+            .as_secs() as i64;
+        if exp < now {
+            return Err("signature is already expired".into());
+        }
+    }
+
+    Ok(())
+}

envd-rs/src/auth/token.rs

@@ -0,0 +1,127 @@
+use std::sync::RwLock;
+
+use subtle::ConstantTimeEq;
+use zeroize::Zeroize;
+
+/// Secure token storage with constant-time comparison and zeroize-on-drop.
+///
+/// Mirrors Go's SecureToken backed by memguard.LockedBuffer.
+/// In Rust we rely on `zeroize` for Drop-based zeroing.
+pub struct SecureToken {
+    inner: RwLock<Option<Vec<u8>>>,
+}
+
+impl SecureToken {
+    pub fn new() -> Self {
+        Self {
+            inner: RwLock::new(None),
+        }
+    }
+
+    pub fn set(&self, token: &[u8]) -> Result<(), &'static str> {
+        if token.is_empty() {
+            return Err("empty token not allowed");
+        }
+        let mut guard = self.inner.write().unwrap();
+        if let Some(ref mut old) = *guard {
+            old.zeroize();
+        }
+        *guard = Some(token.to_vec());
+        Ok(())
+    }
+
+    pub fn is_set(&self) -> bool {
+        let guard = self.inner.read().unwrap();
+        guard.is_some()
+    }
+
+    /// Constant-time comparison.
+    pub fn equals(&self, other: &str) -> bool {
+        let guard = self.inner.read().unwrap();
+        match guard.as_ref() {
+            Some(buf) => buf.as_slice().ct_eq(other.as_bytes()).into(),
+            None => false,
+        }
+    }
+
+    /// Constant-time comparison with another SecureToken.
+    pub fn equals_secure(&self, other: &SecureToken) -> bool {
+        let other_bytes = match other.bytes() {
+            Some(b) => b,
+            None => return false,
+        };
+        let guard = self.inner.read().unwrap();
+        let result = match guard.as_ref() {
+            Some(buf) => buf.as_slice().ct_eq(&other_bytes).into(),
+            None => false,
+        };
+        // other_bytes dropped here, Vec<u8> doesn't auto-zeroize but
+        // we accept this — same as Go's `defer memguard.WipeBytes(otherBytes)`
+        result
+    }
+
+    /// Returns a copy of the token bytes (for signature generation).
+    pub fn bytes(&self) -> Option<Vec<u8>> {
+        let guard = self.inner.read().unwrap();
+        guard.as_ref().map(|b| b.clone())
+    }
+
+    /// Transfer token from another SecureToken, clearing the source.
+    pub fn take_from(&self, src: &SecureToken) {
+        let taken = {
+            let mut src_guard = src.inner.write().unwrap();
+            src_guard.take()
+        };
+        let mut guard = self.inner.write().unwrap();
+        if let Some(ref mut old) = *guard {
+            old.zeroize();
+        }
+        *guard = taken;
+    }
+
+    pub fn destroy(&self) {
+        let mut guard = self.inner.write().unwrap();
+        if let Some(ref mut buf) = *guard {
+            buf.zeroize();
+        }
+        *guard = None;
+    }
+}
+
+impl Drop for SecureToken {
+    fn drop(&mut self) {
+        if let Ok(mut guard) = self.inner.write() {
+            if let Some(ref mut buf) = *guard {
+                buf.zeroize();
+            }
+        }
+    }
+}
+
+/// Deserialize from JSON string, matching Go's UnmarshalJSON behavior.
+/// Expects a quoted JSON string. Rejects escape sequences.
+impl SecureToken {
+    pub fn from_json_bytes(data: &mut [u8]) -> Result<Self, &'static str> {
+        if data.len() < 2 || data[0] != b'"' || data[data.len() - 1] != b'"' {
+            data.zeroize();
+            return Err("invalid secure token JSON string");
+        }
+
+        let content = &data[1..data.len() - 1];
+        if content.contains(&b'\\') {
+            data.zeroize();
+            return Err("invalid secure token: unexpected escape sequence");
+        }
+
+        if content.is_empty() {
+            data.zeroize();
+            return Err("empty token not allowed");
+        }
+
+        let token = Self::new();
+        token.set(content).map_err(|_| "failed to set token")?;
+
+        data.zeroize();
+        Ok(token)
+    }
+}