Introduce a user_store instead of accessing config.users directly - marks the end of wiring the SQL users

Author: dzervas

src/app_build.rs

@@ -50,6 +50,9 @@ pub async fn axum_build(
 	let external_url = config_ref.external_url.clone();
 	let key = oidc::init(&db).await;
 	let webauthn = webauthn::init(&title, &external_url).unwrap();
+	let user_store = config_ref
+		.get_user_store()
+		.expect("Could not construct a valid user store");
 	drop(config_ref);
 
 	let state = AppState {
@@ -58,6 +61,7 @@ pub async fn axum_build(
 		link_senders,
 		key,
 		webauthn,
+		user_store,
 	};
 
 	// TODO: Static files

src/config.rs

@@ -21,6 +21,8 @@ use crate::CONFIG;
 use crate::database::{ConfigKVRow, Database};
 use crate::service::Services;
 use crate::user::User;
+use crate::user_store::{SQLUserStore, StaticUserStore, UserStoreKind};
+// use crate::user_store::{SQLUserStore, StaticUserStore, UserStoreKind};
 
 /// The actual, deserialized config data
 ///
@@ -79,10 +81,12 @@ pub struct Config {
 	pub webauthn_enable: bool,
 
 	// pub force_https_redirects: bool,
-	pub users: Vec<User>,
+	// Private to avoid reading from the field instead of the user store
+	users: Vec<User>,
 	/// Path to a file containing the user definitions
 	pub users_file: Option<String>,
-	pub users_sql_query: Option<String>,
+	pub users_sql_query_all: Option<String>,
+	pub users_sql_query_email: Option<String>,
 	pub users_sql_url: Option<String>,
 	pub services: Services,
 }
@@ -136,7 +140,8 @@ impl Default for Config {
 
 			users: vec![],
 			users_file: None,
-			users_sql_query: None,
+			users_sql_query_all: None,
+			users_sql_query_email: None,
 			users_sql_url: None,
 
 			services: Services(vec![]),
@@ -247,6 +252,43 @@ impl Config {
 			.collect::<String>()
 			.replace("\n", ""))
 	}
+
+	pub fn get_user_store(&self) -> anyhow::Result<UserStoreKind> {
+		if self.users.len() > 0 {
+			return Ok(UserStoreKind::Static(StaticUserStore::new(
+				self.users.clone(),
+			)));
+		}
+
+		if self.users_file.is_some() {
+			// TODO: While this is correct since during reload we shove the users to the store, it's not right
+			return Ok(UserStoreKind::Static(StaticUserStore::new(
+				self.users.clone(),
+			)));
+		}
+
+		if let Some(url) = self.users_sql_url.clone() {
+			let Some(query_all) = self.users_sql_query_all.clone() else {
+				return Err(anyhow::anyhow!(
+					"users_sql_query_all is required when users_sql_url is set"
+				));
+			};
+			let Some(query_email) = self.users_sql_query_email.clone() else {
+				return Err(anyhow::anyhow!(
+					"users_sql_query_email is required when users_sql_url is set"
+				));
+			};
+
+			return Ok(UserStoreKind::SQL(SQLUserStore::new(
+				&url,
+				query_all,
+				query_email,
+			)?));
+		}
+
+		error!("No users configured, using an empty user store");
+		Ok(UserStoreKind::Static(StaticUserStore::new(vec![])))
+	}
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize)]

src/handle_login_post.rs

@@ -18,7 +18,8 @@ use crate::error::AppError;
 use crate::pages::{LoginActionPage, Page};
 use crate::secret::LoginLinkSecret;
 use crate::secret::login_link::LoginLinkRedirect;
-use crate::user::User;
+
+use crate::user_store::UserStore as _;
 
 /// Used to get the login form data for from the login page
 #[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
@@ -29,14 +30,14 @@ pub struct LoginInfo {
 #[axum::debug_handler]
 pub async fn handle_login_post(
 	config: LiveConfig,
-	State(state): State<AppState>,
+	State(mut state): State<AppState>,
 	Query(login_redirect): Query<LoginLinkRedirect>,
 	Form(form): Form<LoginInfo>,
 ) -> Result<Response, AppError> {
 	let login_action_page = LoginActionPage.render().await;
 
 	// Return 200 to avoid leaking valid emails
-	let Some(user) = User::from_email(&config, &form.email) else {
+	let Some(user) = state.user_store.from_email(&form.email).await else {
 		return Ok(login_action_page.into_response());
 	};
 

src/lib.rs

@@ -58,6 +58,7 @@ use tracing_subscriber::util::SubscriberInitExt;
 use tracing_subscriber::{EnvFilter, fmt};
 
 use crate::error::AppError;
+use crate::user_store::UserStoreKind;
 use crate::{config::Config, user::User};
 
 pub mod app_build;
@@ -142,6 +143,7 @@ pub struct InFlightConfig(Arc<Config>);
 pub struct AppState {
 	pub db: crate::Database,
 	config: Arc<ArcSwap<Config>>,
+	pub user_store: UserStoreKind,
 	pub link_senders: Vec<Arc<dyn LinkSender>>,
 
 	pub key: jsonwebtoken::EncodingKey,

src/tests/config.rs

@@ -9,10 +9,8 @@ fn get_saml_key_strips_pem_headers() {
 	let path = std::env::temp_dir().join(format!("testkey-{}.pem", Uuid::new_v4()));
 	std::fs::write(&path, pem).expect("write pem");
 
-	let config = Config {
-		saml_key_pem_path: path.to_string_lossy().into_owned(),
-		..Default::default()
-	};
+	let mut config = Config::default();
+	config.saml_key_pem_path = path.to_string_lossy().into_owned();
 
 	let key = config.get_saml_key().expect("read key");
 	assert_eq!(key, "ABCDEF");

src/tests/render_pages.rs

@@ -11,53 +11,13 @@ use crate::config::Config;
 use crate::error::AppError;
 use crate::pages::*;
 
-/// Mock configuration for testing
-fn create_mock_config() -> Config {
-	Config {
-		database_url: "sqlite::memory:".to_string(),
-		listen_host: "127.0.0.1".to_string(),
-		listen_port: 8080,
-		path_prefix: "/demo".to_string(),
-		external_url: "http://localhost:8080".to_string(),
-		link_duration: chrono::Duration::try_hours(12).unwrap(),
-		session_duration: chrono::Duration::try_days(30).unwrap(),
-		secrets_cleanup_interval: chrono::Duration::try_hours(24).unwrap(),
-		title: "MagicEntry Demo".to_string(),
-		static_path: "static".to_string(),
-		auth_url_enable: true,
-		auth_url_user_header: "X-Remote-User".to_string(),
-		auth_url_email_header: "X-Remote-Email".to_string(),
-		auth_url_name_header: "X-Remote-Name".to_string(),
-		auth_url_realms_header: "X-Remote-Realms".to_string(),
-		oidc_code_duration: chrono::Duration::try_minutes(1).unwrap(),
-		saml_cert_pem_path: "saml_cert.pem".to_string(),
-		saml_key_pem_path: "saml_key.pem".to_string(),
-		smtp_enable: false,
-		smtp_url: "smtp://localhost:25".to_string(),
-		smtp_from: "{title} <magicentry@example.com>".to_string(),
-		smtp_subject: "{title} Login".to_string(),
-		smtp_body: "Click the link to login: {magic_link}".to_string(),
-		request_enable: false,
-		request_url: "https://www.cinotify.cc/api/notify".to_string(),
-		request_method: "POST".to_string(),
-		request_data: Some("to={email}&subject={title} Login&body=Click the link to login: <a href=\"{magic_link}\">Login</a>&type=text/html".to_string()),
-		request_content_type: "application/x-www-form-urlencoded".to_string(),
-		webauthn_enable: true,
-		users_file: None,
-		users_sql_query: None,
-		users_sql_url: None,
-		users: vec![],
-		services: crate::service::Services(vec![]),
-	}
-}
-
 /// Helper function to render pages with mock config
 fn render_with_mock_config<P: Page>(page: &P, filename: &str) -> Result<(), AppError> {
 	// For this example, we'll simulate the global CONFIG with a local Arc<RwLock>
 	// In a real application, the global CONFIG would be properly initialized
 
 	// Create a mock config and use it directly with render_partial
-	let mock_config = create_mock_config();
+	let mock_config = Config::default();
 
 	// Manually implement the render logic using the mock config
 	let content = page.render_partial();

src/user.rs

@@ -1,8 +1,6 @@
 use serde::{Deserialize, Serialize};
 use uuid::Uuid;
 
-use crate::config::LiveConfig;
-
 #[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
 pub struct User {
 	pub username: String,
@@ -12,11 +10,6 @@ pub struct User {
 }
 
 impl User {
-	pub fn from_email(config: &LiveConfig, email: &str) -> Option<Self> {
-		config.users.iter().find(|u| u.email == email).cloned()
-	}
-
-	#[must_use]
 	pub fn has_any_realm(&self, realms: &[String]) -> bool {
 		self.realms.contains(&"all".to_string()) || self.realms.iter().any(|r| realms.contains(r))
 	}

src/user_store.rs

@@ -5,21 +5,37 @@ use tracing::*;
 use crate::user::User;
 
 #[async_trait::async_trait]
-pub trait UserStore {
+pub trait UserStore: Send + Sync {
 	async fn from_email(&mut self, email: &str) -> Option<User>;
 }
 
+#[derive(Debug, Clone)]
+pub enum UserStoreKind {
+	Static(StaticUserStore),
+	SQL(SQLUserStore),
+}
+
+#[async_trait::async_trait]
+impl UserStore for UserStoreKind {
+	async fn from_email(&mut self, email: &str) -> Option<User> {
+		match self {
+			UserStoreKind::Static(store) => store.from_email(email).await,
+			UserStoreKind::SQL(store) => store.from_email(email).await,
+		}
+	}
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
-pub struct ConfigUserStore(Vec<User>);
+pub struct StaticUserStore(Vec<User>);
 
-impl ConfigUserStore {
+impl StaticUserStore {
 	pub fn new(users: Vec<User>) -> Self {
-		ConfigUserStore(users)
+		StaticUserStore(users)
 	}
 }
 
 #[async_trait::async_trait]
-impl UserStore for ConfigUserStore {
+impl UserStore for StaticUserStore {
 	async fn from_email(&mut self, email: &str) -> Option<User> {
 		self.0.iter().find(|user| user.email == email).cloned()
 	}
@@ -28,6 +44,8 @@ impl UserStore for ConfigUserStore {
 #[derive(Debug, Clone)]
 pub struct SQLUserStore {
 	conn: sqlx::AnyPool,
+	#[allow(dead_code)]
+	// This is not used but there's no way we won't need it at some point, right?
 	query_all: String,
 	query_email: String,
 }

src/utils.rs

@@ -18,6 +18,7 @@ pub mod tests {
 	use crate::config::Config;
 	use crate::database::init_database;
 	use crate::user::User;
+	use crate::user_store::UserStore;
 	use crate::{CONFIG_FILE, Database};
 
 	use super::*;
@@ -35,11 +36,11 @@ pub mod tests {
 
 		let config = Config::reload_from_path(&CONFIG_FILE).await.unwrap();
 		let user = config
-			.users
-			.iter()
-			.find(|u| u.email == user_email)
+			.get_user_store()
 			.unwrap()
-			.clone();
+			.from_email(user_email)
+			.await
+			.unwrap();
 
 		assert_eq!(user.email, user_email);
 		assert_eq!(user.realms, user_realms);

src/webauthn/handle_auth_start.rs

@@ -4,26 +4,30 @@ use axum::extract::State;
 use axum::response::IntoResponse;
 use axum_extra::extract::CookieJar;
 
+use super::store::PasskeyStore;
 use crate::AppState;
 use crate::config::LiveConfig;
 use crate::error::{AppError, WebAuthnError};
 use crate::handle_login_post::LoginInfo;
 use crate::secret::WebAuthnAuthSecret;
-use crate::user::User;
 
-use super::store::PasskeyStore;
+use crate::user_store::UserStore as _;
 
 #[axum::debug_handler]
 pub async fn handle_auth_start(
 	config: LiveConfig,
-	State(state): State<AppState>,
+	State(mut state): State<AppState>,
 	jar: CookieJar,
 	form: Json<LoginInfo>,
 ) -> Result<(CookieJar, impl IntoResponse), AppError> {
 	let webauthn = state.webauthn.clone();
 
 	// TODO: Handle the errors to avoid leaking (in)valid emails
-	let user = User::from_email(&config, &form.email).ok_or(WebAuthnError::SecretNotFound)?;
+	let user = state
+		.user_store
+		.from_email(&form.email)
+		.await
+		.ok_or(WebAuthnError::SecretNotFound)?;
 
 	let passkey_stores = PasskeyStore::get_by_user(&user, &state.db).await?;
 	let passkeys = passkey_stores