chore(auth): with introspection

Signed-off-by: kjuulh <contact@kjuulh.io>

Cargo.toml

@@ -6,6 +6,7 @@ members = [
   "como_infrastructure",
   "como_gql",
   "como_api",
+  "como_auth",
 ]
 resolver = "2"
 
@@ -16,6 +17,7 @@ como_domain = { path = "./como_domain/" }
 como_infrastructure = { path = "./como_infrastructure/" }
 como_gql = { path = "./como_gql/" }
 como_api = { path = "./como_api/" }
+como_auth = { path = "./como_auth/" }
 
 async-trait = "0.1.68"
 async-graphql = { version = "5.0.9", features = ["uuid"] }
@@ -51,3 +53,6 @@ clap = { version = "4.3.0", features = ["derive", "env"] }
 
 argon2 = { version = "0.5.0" }
 rand_core = { version = "0.6.4" }
+
+pretty_assertions = "1.4.0"
+sealed_test = "1.0.0"

como_api/Cargo.toml

@@ -10,7 +10,9 @@ como_gql.workspace = true
 como_core.workspace = true
 como_domain.workspace = true
 como_infrastructure.workspace = true
+como_auth.workspace = true
 
+async-trait.workspace = true
 async-graphql.workspace = true
 async-graphql-axum.workspace = true
 axum.workspace = true

como_api/src/controllers/auth.rs

@@ -49,7 +49,6 @@ pub struct AuthRequest {
 pub async fn login_authorized(
     Query(query): Query<AuthRequest>,
     State(store): State<PostgresSessionStore>,
-    State(oauth_client): State<BasicClient>,
     State(introspection_state): State<IntrospectionState>,
 ) -> impl IntoResponse {
     let token = oauth_client
@@ -111,7 +110,6 @@ pub struct UserFromSession {
 impl<S> FromRequestParts<S> for UserFromSession
 where
     PostgresSessionStore: FromRef<S>,
-    BasicClient: FromRef<S>,
     IntrospectionState: FromRef<S>,
     S: Send + Sync,
 {

como_api/src/router.rs

@@ -12,7 +12,6 @@ use tower_http::{cors::CorsLayer, trace::TraceLayer};
 
 use crate::controllers::auth::AuthController;
 use crate::controllers::graphql::GraphQLController;
-use crate::zitadel::client::oauth_client;
 use crate::zitadel::{IntrospectionState, IntrospectionStateBuilder};
 
 pub struct Api;
@@ -32,9 +31,7 @@ impl Api {
             .build()
             .await?;
 
-        let oauth_client = oauth_client();
         let app_state = AppState {
-            oauth_client,
             store: service_register.session_store.clone(),
             introspection_state: is,
         };
@@ -79,17 +76,10 @@ impl Api {
 
 #[derive(Clone)]
 pub struct AppState {
-    oauth_client: BasicClient,
     introspection_state: IntrospectionState,
     store: PostgresSessionStore,
 }
 
-impl FromRef<AppState> for BasicClient {
-    fn from_ref(state: &AppState) -> Self {
-        state.oauth_client.clone()
-    }
-}
-
 impl FromRef<AppState> for PostgresSessionStore {
     fn from_ref(state: &AppState) -> Self {
         state.store.clone()

como_api/src/zitadel/client.rs

@@ -1,7 +1,54 @@
+use async_trait::async_trait;
 use oauth2::{basic::BasicClient, AuthUrl, ClientId, ClientSecret, RedirectUrl, TokenUrl};
-use std::env;
+use std::{env, ops::Deref, sync::Arc};
 
-pub fn oauth_client() -> BasicClient {
+#[async_trait]
+pub trait OAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()>;
+}
+
+pub struct OAuth(Arc<dyn OAuthClient + Send + Sync + 'static>);
+
+impl OAuth {
+    pub fn new_zitadel() -> Self {
+        Self(Arc::new(ZitadelOAuthClient {
+            client: oauth_client(),
+        }))
+    }
+    pub fn new_noop() -> Self {
+        Self(Arc::new(NoopOAuthClient {}))
+    }
+}
+
+impl Deref for OAuth {
+    type Target = Arc<dyn OAuthClient + Send + Sync + 'static>;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
+}
+
+pub struct NoopOAuthClient;
+
+#[async_trait]
+impl OAuthClient for NoopOAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()> {
+        Ok(())
+    }
+}
+
+pub struct ZitadelOAuthClient {
+    client: BasicClient,
+}
+
+#[async_trait]
+impl OAuthClient for ZitadelOAuthClient {
+    async fn get_token(&self) -> anyhow::Result<()> {
+        Ok(())
+    }
+}
+
+fn oauth_client() -> BasicClient {
     let client_id = env::var("CLIENT_ID").expect("Missing CLIENT_ID!");
     let client_secret = env::var("CLIENT_SECRET").expect("Missing CLIENT_SECRET!");
     let redirect_url = env::var("REDIRECT_URL").expect("missing REDIRECT_URL");

como_auth/src/introspection.rs

@@ -0,0 +1,120 @@
+use anyhow::Context;
+use axum::extract::FromRef;
+use openidconnect::IntrospectionUrl;
+use zitadel::{
+    axum::introspection::IntrospectionStateBuilderError,
+    credentials::Application,
+    oidc::{discovery::discover, introspection::AuthorityAuthentication},
+};
+
+#[derive(Clone, Debug)]
+pub struct IntrospectionState {
+    pub(crate) config: IntrospectionConfig,
+}
+
+#[derive(clap::Args, Clone, Debug, PartialEq, Eq)]
+pub struct IntrospectionConfigClap {
+    #[arg(
+        env = "ZITADEL_AUTHORITY",
+        long = "zitadel-authority",
+        group = "introspection"
+    )]
+    pub authority: String,
+
+    #[arg(
+        env = "ZITADEL_CLIENT_ID",
+        long = "zitadel-client-id",
+        group = "introspection"
+    )]
+    pub client_id: String,
+    #[arg(
+        env = "ZITADEL_CLIENT_SECRET",
+        long = "zitadel-client-secret",
+        group = "introspection"
+    )]
+    pub client_secret: String,
+}
+
+impl IntrospectionConfigClap {
+    async fn try_into(self) -> anyhow::Result<IntrospectionState> {
+        IntrospectionStateBuilder::new(&self.authority)
+            .with_basic_auth(&self.client_id, &self.client_secret)
+            .build()
+            .await
+            .context("failed to generate an introspection builder")
+    }
+}
+
+/// Configuration that must be inject into the axum application state. Used by the
+/// [IntrospectionStateBuilder](super::IntrospectionStateBuilder). This struct is also used to create the [IntrospectionState](IntrospectionState)
+#[derive(Debug, Clone)]
+pub struct IntrospectionConfig {
+    pub authority: String,
+    pub authentication: AuthorityAuthentication,
+    pub introspection_uri: IntrospectionUrl,
+}
+
+impl FromRef<IntrospectionState> for IntrospectionConfig {
+    fn from_ref(input: &IntrospectionState) -> Self {
+        input.config.clone()
+    }
+}
+
+pub struct IntrospectionStateBuilder {
+    authority: String,
+    authentication: Option<AuthorityAuthentication>,
+}
+
+/// Builder for [IntrospectionConfig]
+impl IntrospectionStateBuilder {
+    pub fn new(authority: &str) -> Self {
+        Self {
+            authority: authority.to_string(),
+            authentication: None,
+        }
+    }
+
+    pub fn with_basic_auth(
+        &mut self,
+        client_id: &str,
+        client_secret: &str,
+    ) -> &mut IntrospectionStateBuilder {
+        self.authentication = Some(AuthorityAuthentication::Basic {
+            client_id: client_id.to_string(),
+            client_secret: client_secret.to_string(),
+        });
+
+        self
+    }
+
+    pub fn with_jwt_profile(&mut self, application: Application) -> &mut IntrospectionStateBuilder {
+        self.authentication = Some(AuthorityAuthentication::JWTProfile { application });
+
+        self
+    }
+
+    pub async fn build(&mut self) -> Result<IntrospectionState, IntrospectionStateBuilderError> {
+        let authentication = self
+            .authentication
+            .clone()
+            .ok_or(IntrospectionStateBuilderError::NoAuthSchema)?;
+
+        let metadata = discover(&self.authority)
+            .await
+            .map_err(|source| IntrospectionStateBuilderError::Discovery { source })?;
+
+        let introspection_uri = metadata
+            .additional_metadata()
+            .introspection_endpoint
+            .clone()
+            .ok_or(IntrospectionStateBuilderError::NoIntrospectionUrl)?;
+
+        Ok(IntrospectionState {
+            config: IntrospectionConfig {
+                authority: self.authority.clone(),
+                introspection_uri: introspection_uri,
+                authentication: authentication,
+            },
+        })
+    }
+}

como_auth/src/lib.rs

@@ -1 +1,2 @@
+mod introspection;
 mod oauth;

como_auth/src/oauth.rs

@@ -14,7 +14,7 @@ pub struct OAuthClientClap {
 
 #[derive(Clone, clap::Args, Debug, PartialEq, Eq)]
 pub struct NoopConfig {
-    #[arg(env = "OAUTH_NOOP", long = "oauth-noop", group = "auth", global = true)]
+    #[arg(env = "OAUTH_NOOP", long = "oauth-noop", group = "auth")]
     pub oauth_noop: Option<bool>,
 }