Skip to content

Commit 95f718e

Browse files
remove unwraps, fix put role issue, rever oidc changes
1 parent 68e3fab commit 95f718e

4 files changed

Lines changed: 25 additions & 51 deletions

File tree

src/handlers/http/cluster/mod.rs

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -537,7 +537,7 @@ pub async fn sync_users_with_roles_with_ingestors(
537537
let userid = userid.to_owned();
538538
let headers = req.headers().clone();
539539
let op = operation.to_string();
540-
let caller_userid = get_user_from_request(req).unwrap();
540+
let caller_userid = get_user_from_request(req)?;
541541
for_each_live_node(tenant_id, move |ingestor| {
542542
let url = format!(
543543
"{}{}/user/{}/role/sync/{}",
@@ -588,7 +588,7 @@ pub async fn sync_user_deletion_with_ingestors(
588588
tenant_id: &Option<String>,
589589
) -> Result<(), RBACError> {
590590
let userid = userid.to_owned();
591-
let caller_userid = get_user_from_request(req).unwrap();
591+
let caller_userid = get_user_from_request(req)?;
592592
let headers = req.headers().clone();
593593
for_each_live_node(tenant_id, move |ingestor| {
594594
let url = format!(
@@ -697,7 +697,7 @@ pub async fn sync_password_reset_with_ingestors(
697697
) -> Result<(), RBACError> {
698698
let userid = username.to_owned();
699699
let tenant_id = get_tenant_id_from_request(&req);
700-
let caller_userid = get_user_from_request(&req).unwrap();
700+
let caller_userid = get_user_from_request(&req)?;
701701
let headers = req.headers().clone();
702702
for_each_live_node(&tenant_id, move |ingestor| {
703703
let url = format!(
@@ -745,7 +745,8 @@ pub async fn sync_role_update(
745745
tenant_id: &Option<String>,
746746
) -> Result<(), RoleError> {
747747
let tenant = tenant_id.to_owned();
748-
let userid = get_user_from_request(req).unwrap();
748+
let userid =
749+
get_user_from_request(req).map_err(|e| RoleError::Anyhow(anyhow::anyhow!("{e}")))?;
749750
let headers = req.headers().clone();
750751
for_each_live_node(tenant_id, move |node| {
751752
let url = format!(
@@ -794,7 +795,8 @@ pub async fn sync_role_delete(
794795
name: String,
795796
tenant_id: &Option<String>,
796797
) -> Result<(), RoleError> {
797-
let userid = get_user_from_request(req).unwrap();
798+
let userid =
799+
get_user_from_request(req).map_err(|e| RoleError::Anyhow(anyhow::anyhow!("{e}")))?;
798800
let headers = req.headers().clone();
799801
for_each_live_node(tenant_id, move |node| {
800802
let url = format!(

src/handlers/http/modal/ingest/ingestor_role.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ pub async fn put(
4444
let name = name.into_inner();
4545
let req_tenant_id = get_tenant_id_from_request(&req);
4646
let req_tenant = req_tenant_id.as_deref().unwrap_or(DEFAULT_TENANT);
47-
if req_tenant.ne(DEFAULT_TENANT) && (req_tenant_id.eq(&sync_req.tenant_id)) {
47+
if req_tenant.ne(DEFAULT_TENANT) && (req_tenant_id.ne(&sync_req.tenant_id)) {
4848
return Err(RoleError::Anyhow(anyhow::Error::msg(
4949
"non super-admin user trying to create role for another tenant",
5050
)));

src/handlers/http/modal/query/querier_role.rs

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -104,7 +104,9 @@ pub async fn put(
104104
mut_sessions().remove_user(&userid, tenant);
105105
}
106106

107-
sync_role_update(&req, name.clone(), role, &tenant_id).await?;
107+
if let Err(e) = sync_role_update(&req, name.clone(), role, &tenant_id).await {
108+
tracing::error!("Failed to sync role update to cluster nodes: {e}");
109+
}
108110

109111
Ok(HttpResponse::Ok().finish())
110112
}
@@ -171,7 +173,9 @@ pub async fn delete(
171173
mut_sessions().remove_user(&userid, tenant);
172174
}
173175

174-
sync_role_delete(&req, name.clone(), &tenant_id).await?;
176+
if let Err(e) = sync_role_delete(&req, name.clone(), &tenant_id).await {
177+
tracing::error!("Failed to sync role deletion to cluster nodes: {e}");
178+
}
175179

176180
Ok(HttpResponse::Ok().finish())
177181
}

src/handlers/http/oidc.rs

Lines changed: 11 additions & 43 deletions
Original file line numberDiff line numberDiff line change
@@ -17,8 +17,6 @@
1717
*/
1818

1919
use std::collections::HashSet;
20-
use std::sync::LazyLock;
21-
use std::time::Instant;
2220

2321
use actix_web::http::StatusCode;
2422
use actix_web::{
@@ -28,9 +26,7 @@ use actix_web::{
2826
web,
2927
};
3028
use chrono::{Duration, TimeDelta};
31-
use dashmap::DashMap;
3229
use openid::Bearer;
33-
use rand::distributions::{Alphanumeric, DistString};
3430
use regex::Regex;
3531
use serde::Deserialize;
3632
use ulid::Ulid;
@@ -54,31 +50,6 @@ use crate::{
5450
},
5551
};
5652

57-
/// In-memory store mapping OAuth state nonces to redirect URLs.
58-
/// Entries expire after 10 minutes to prevent stale nonces.
59-
const OAUTH_NONCE_TTL: std::time::Duration = std::time::Duration::from_secs(600);
60-
static OAUTH_NONCE_STORE: LazyLock<DashMap<String, (String, Instant)>> =
61-
LazyLock::new(DashMap::new);
62-
63-
/// Generate a cryptographic nonce, store it with the redirect URL, and return the nonce.
64-
fn store_oauth_nonce(redirect: &str) -> String {
65-
// Evict expired entries opportunistically
66-
OAUTH_NONCE_STORE.retain(|_, (_, created)| created.elapsed() < OAUTH_NONCE_TTL);
67-
let nonce = Alphanumeric.sample_string(&mut rand::thread_rng(), 32);
68-
OAUTH_NONCE_STORE.insert(nonce.clone(), (redirect.to_string(), Instant::now()));
69-
nonce
70-
}
71-
72-
/// Look up and consume a nonce, returning the associated redirect URL if valid.
73-
fn consume_oauth_nonce(nonce: &str) -> Option<String> {
74-
let (_, (redirect, created)) = OAUTH_NONCE_STORE.remove(nonce)?;
75-
if created.elapsed() < OAUTH_NONCE_TTL {
76-
Some(redirect)
77-
} else {
78-
None
79-
}
80-
}
81-
8253
/// Struct representing query params returned from oidc provider
8354
#[derive(Deserialize, Debug)]
8455
pub struct Login {
@@ -113,10 +84,9 @@ pub async fn login(
11384
(None, None) => return Ok(redirect_no_oauth_setup(query.redirect.clone())),
11485
(None, Some(client)) => {
11586
let redirect = query.into_inner().redirect.to_string();
116-
let nonce = store_oauth_nonce(&redirect);
11787

11888
let scope = PARSEABLE.options.scope.to_string();
119-
let mut auth_url: String = client.read().await.auth_url(&scope, Some(nonce)).into();
89+
let mut auth_url: String = client.read().await.auth_url(&scope, Some(redirect)).into();
12090

12191
auth_url.push_str("&access_type=offline&prompt=consent");
12292
return Ok(HttpResponse::TemporaryRedirect()
@@ -169,12 +139,11 @@ pub async fn login(
169139
Users.remove_session(&key);
170140
if let Some(oidc_client) = oidc_client {
171141
let redirect = query.into_inner().redirect.to_string();
172-
let nonce = store_oauth_nonce(&redirect);
173142
let scope = PARSEABLE.options.scope.to_string();
174143
let mut auth_url: String = oidc_client
175144
.read()
176145
.await
177-
.auth_url(&scope, Some(nonce))
146+
.auth_url(&scope, Some(redirect))
178147
.into();
179148
auth_url.push_str("&access_type=offline&prompt=consent");
180149
HttpResponse::TemporaryRedirect()
@@ -339,13 +308,14 @@ fn resolve_roles(
339308
// Inherit roles from a native user with the same email (e.g. tenant owner via OAuth)
340309
if roles.is_empty()
341310
&& let Some(email) = &user_info.email
342-
&& let Some(native) = metadata.users.iter().find(|u| {
343-
matches!(u.ty, UserType::Native(_))
344-
&& u.userid() == email.as_str()
345-
&& !u.roles.is_empty()
346-
}) {
347-
roles.clone_from(&native.roles);
348-
}
311+
&& let Some(native) = metadata.users.iter().find(|u| {
312+
matches!(u.ty, UserType::Native(_))
313+
&& u.userid() == email.as_str()
314+
&& !u.roles.is_empty()
315+
})
316+
{
317+
roles.clone_from(&native.roles);
318+
}
349319

350320
roles
351321
}
@@ -376,7 +346,6 @@ fn build_login_response(
376346

377347
if is_xhr {
378348
let mut response = HttpResponse::Ok();
379-
response.insert_header((actix_web::http::header::CACHE_CONTROL, "no-store"));
380349
for cookie in cookies {
381350
response.cookie(cookie);
382351
}
@@ -388,8 +357,7 @@ fn build_login_response(
388357
} else {
389358
let redirect_url = login_query
390359
.state
391-
.as_deref()
392-
.and_then(consume_oauth_nonce)
360+
.clone()
393361
.unwrap_or_else(|| PARSEABLE.options.address.to_string());
394362

395363
redirect_to_client(&redirect_url, cookies)

0 commit comments

Comments
 (0)