Merge pull request #80 from sebadob/audit-part-1

audit part 1
sebadob · Oct 16, 2023 · 758dda6 · 758dda6
2 parents da18033 + 04fb3f4
commit 758dda6
Show file tree

Hide file tree

Showing 17 changed files with 292 additions and 14 deletions.
diff --git a/.cargo/config.toml b/.cargo/config.toml
@@ -0,0 +1,2 @@
+[build]
+rustflags = ["--cfg=uuid_unstable"]
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -2,6 +2,7 @@
 resolver = "2"
 members = [
     "rauthy-common",
+    "rauthy-events",
     "rauthy-handlers",
     "rauthy-main",
     "rauthy-models",

diff --git a/dev_notes.md b/dev_notes.md
@@ -17,9 +17,10 @@ start with simple polling every few seconds first because of the HA_MODE problem
 - implement an SSE endpoint for listening to events in real time
     - for SI deployments with SQLite, this is a no-brainer -> just copy each event to the corresponding tx 
     - for HA deployments:
-        - research sqlx + postgres + CDC to avoid additional deployment needs
-        - if postgres + cdc does not work out nicely with sqlx, think about using a NATS deployment for this task
+        - research sqlx + postgres + CDC to avoid additional deployment needs (or maybe just listen / notify? KISS?)
+        - if postgres does not work out nicely, think about using a NATS deployment for this task
 - switch the UI component to the SSE stream
+- add some way of configuring an email (or webhook, slack, ... ?) which gets messages depending on configured event level
 
 ### other features (some may come with v0.18 depending on amount of work)
 

diff --git a/rauthy-common/src/lib.rs b/rauthy-common/src/lib.rs
@@ -1,4 +1,4 @@
-// Rauthy - OpenID Connect and Single Sign-On IdP
+// Rauthy - OpenID Connect and Single Sign-On Identity & Access Management
 // Copyright (C) 2023 Sebastian Dobe <sebastiandobe@mailbox.org>
 //
 // This program is free software: you can redistribute it and/or modify

diff --git a/rauthy-events/Cargo.toml b/rauthy-events/Cargo.toml
@@ -0,0 +1,23 @@
+[package]
+name = "rauthy-events"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+
+[dependencies]
+chrono = { workspace = true }
+flume = { workspace = true }
+rauthy-common = { path = "../rauthy-common" }
+serde = { workspace = true }
+serde_json = { workspace = true }
+sqlx = { workspace = true }
+tracing = { workspace = true }
+tracing-subscriber = { workspace = true }
+tokio = { workspace = true }
+uuid = { version = "1", features = ["serde", "v7"] }
+validator = { workspace = true }
+
+[dev-dependencies]
+pretty_assertions = "1"
+tokio-test = "*"
diff --git a/rauthy-events/src/event.rs b/rauthy-events/src/event.rs
@@ -0,0 +1,143 @@
+use chrono::{DateTime, Timelike, Utc};
+use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
+use serde::{Deserialize, Serialize};
+use std::fmt::{Display, Formatter};
+use tracing::error;
+use uuid::Uuid;
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub enum EventLevel {
+    Info,
+    Notice,
+    Warning,
+    Critical,
+}
+
+impl Display for EventLevel {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        let s = match self {
+            EventLevel::Info => "INFO    ",
+            EventLevel::Notice => "NOTICE  ",
+            EventLevel::Warning => "WARNING ",
+            EventLevel::Critical => "CRITICAL",
+        };
+        write!(f, "{}", s)
+    }
+}
+
+impl EventLevel {
+    pub fn as_str(&self) -> &str {
+        match self {
+            EventLevel::Info => "INFO",
+            EventLevel::Notice => "NOTICE",
+            EventLevel::Warning => "WARNING",
+            EventLevel::Critical => "CRITICAL",
+        }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub enum EventType {
+    //github.com/ number of invalid logins
+    InvalidLogins(u32),
+    IpBlacklisted,
+    //github.com/ E-Mail of the new admin role member
+    NewRauthyAdmin(String),
+    PossibleBruteForce,
+    PossibleDoS,
+}
+
+impl ToString for EventType {
+    fn to_string(&self) -> String {
+        match self {
+            EventType::InvalidLogins(count) => format!("invalid logins: {}", count),
+            EventType::IpBlacklisted => "IP blacklisted".to_string(),
+            EventType::NewRauthyAdmin(email) => format!("new rauthy_admin member: {}", email),
+            EventType::PossibleBruteForce => "possible brute force".to_string(),
+            EventType::PossibleDoS => "possible DoS".to_string(),
+        }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub struct Event {
+    pub id: Uuid,
+    pub timestamp: DateTime<Utc>,
+    pub level: EventLevel,
+    pub typ: EventType,
+    pub ip: Option<String>,
+}
+
+impl Display for Event {
+    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
+        write!(
+            f,
+            "EVENT {} {}:{}:{} {} {} {}",
+            self.timestamp.date_naive(),
+            self.timestamp.hour(),
+            self.timestamp.minute(),
+            self.timestamp.second(),
+            self.level,
+            self.typ.to_string(),
+            self.ip.as_deref().unwrap_or_default(),
+        )
+    }
+}
+
+impl Event {
+    pub fn new(level: EventLevel, typ: EventType, ip: Option<String>) -> Self {
+        Self {
+            id: Uuid::now_v7(),
+            timestamp: Utc::now(),
+            level,
+            typ,
+            ip,
+        }
+    }
+
+    //github.com/ The EventLevel will change depending on the amount of invalid logins
+    pub fn invalid_login(count: u32, ip: String) -> Self {
+        let level = if count > 6 {
+            EventLevel::Warning
+        } else if count > 3 {
+            EventLevel::Notice
+        } else {
+            EventLevel::Info
+        };
+        Self::new(level, EventType::InvalidLogins(count), Some(ip))
+    }
+
+    pub fn ip_blacklisted(ip: String) -> Self {
+        Self::new(EventLevel::Warning, EventType::IpBlacklisted, Some(ip))
+    }
+
+    pub fn rauthy_admin(email: String) -> Self {
+        Self::new(EventLevel::Notice, EventType::NewRauthyAdmin(email), None)
+    }
+
+    pub fn brute_force(ip: String) -> Self {
+        Self::new(
+            EventLevel::Critical,
+            EventType::PossibleBruteForce,
+            Some(ip),
+        )
+    }
+
+    pub fn dos(ip: String) -> Self {
+        Self::new(EventLevel::Critical, EventType::PossibleDoS, Some(ip))
+    }
+
+    #[inline(always)]
+    pub async fn send(self, tx: &flume::Sender<Self>) -> Result<(), ErrorResponse> {
+        match tx.send_async(self).await {
+            Ok(_) => Ok(()),
+            Err(err) => {
+                error!("Event::send: {:?}", err);
+                Err(ErrorResponse::new(
+                    ErrorResponseType::Internal,
+                    format!("Error sending event internally: {:?}", err),
+                ))
+            }
+        }
+    }
+}
diff --git a/rauthy-events/src/lib.rs b/rauthy-events/src/lib.rs
@@ -0,0 +1,18 @@
+// Rauthy - OpenID Connect and Single Sign-On Identity & Access Management
+// Copyright (C) 2023 Sebastian Dobe <sebastiandobe@mailbox.org>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+pub mod event;
+pub mod listener;
diff --git a/rauthy-events/src/listener.rs b/rauthy-events/src/listener.rs
@@ -0,0 +1,19 @@
+use crate::event::{Event, EventLevel};
+use rauthy_common::error_response::ErrorResponse;
+use tracing::{info, warn};
+
+pub struct EventListener;
+
+impl EventListener {
+    pub async fn listen(rx: flume::Receiver<Event>) -> Result<(), ErrorResponse> {
+        while let Ok(event) = rx.recv_async().await {
+            match event.level {
+                EventLevel::Info | EventLevel::Notice => info!("{}", event),
+                EventLevel::Warning => warn!("{}", event),
+                EventLevel::Critical => warn!("{}", event),
+            }
+        }
+
+        Ok(())
+    }
+}
diff --git a/rauthy-handlers/src/lib.rs b/rauthy-handlers/src/lib.rs
@@ -1,4 +1,4 @@
-// Rauthy - OpenID Connect and Single Sign-On IdP
+// Rauthy - OpenID Connect and Single Sign-On Identity & Access Management
 // Copyright (C) 2023 Sebastian Dobe <sebastiandobe@mailbox.org>
 //
 // This program is free software: you can redistribute it and/or modify

diff --git a/rauthy-main/Cargo.toml b/rauthy-main/Cargo.toml
@@ -23,6 +23,7 @@ flume = { workspace = true }
 num_cpus = { workspace = true }
 prometheus = "0.13.3"
 rauthy-common = { path = "../rauthy-common" }
+rauthy-events = { path = "../rauthy-events" }
 rauthy-handlers = { path = "../rauthy-handlers" }
 rauthy-models = { path = "../rauthy-models" }
 rauthy-service = { path = "../rauthy-service" }

diff --git a/rauthy-main/src/main.rs b/rauthy-main/src/main.rs
@@ -1,4 +1,4 @@
-// Rauthy - OpenID Connect and Single Sign-On IdP
+// Rauthy - OpenID Connect and Single Sign-On Identity & Access Management
 // Copyright (C) 2023 Sebastian Dobe <sebastiandobe@mailbox.org>
 //
 // This program is free software: you can redistribute it and/or modify
@@ -38,6 +38,8 @@ use rauthy_common::constants::{
 };
 use rauthy_common::error_response::ErrorResponse;
 use rauthy_common::password_hasher;
+use rauthy_events::event::Event;
+use rauthy_events::listener::EventListener;
 use rauthy_handlers::middleware::logging::RauthyLoggingMiddleware;
 use rauthy_handlers::middleware::session::RauthySessionMiddleware;
 use rauthy_handlers::openapi::ApiDoc;
@@ -160,11 +162,45 @@ async fn main() -> Result<(), Box<dyn Error>> {
     let (tx_email, rx_email) = mpsc::channel::<EMail>(16);
     tokio::spawn(email::sender(rx_email, test_mode));
 
+    // events listener
+    let (tx_events, rx_events) = flume::unbounded();
+    tokio::spawn(EventListener::listen(rx_events));
+
+    // // TODO REMOVE AFTER TESTING
+    // Event::brute_force("192.15.15.1".to_string())
+    //     .send(&tx_events)
+    //     .await
+    //     .unwrap();
+    // Event::dos("192.15.15.1".to_string())
+    //     .send(&tx_events)
+    //     .await
+    //     .unwrap();
+    // Event::invalid_login(2, "192.15.15.1".to_string())
+    //     .send(&tx_events)
+    //     .await
+    //     .unwrap();
+    // Event::invalid_login(5, "192.15.15.1".to_string())
+    //     .send(&tx_events)
+    //     .await
+    //     .unwrap();
+    // Event::invalid_login(7, "192.15.15.1".to_string())
+    //     .send(&tx_events)
+    //     .await
+    //     .unwrap();
+    // Event::ip_blacklisted("192.15.15.1".to_string())
+    //     .send(&tx_events)
+    //     .await
+    //     .unwrap();
+    // Event::rauthy_admin("sebastiandobe@mailbox.org".to_string())
+    //     .send(&tx_events)
+    //     .await
+    //     .unwrap();
+
     // build the application state
     let caches = Caches {
         ha_cache_config: cache_config.clone(),
     };
-    let app_state = web::Data::new(AppState::new(tx_email, caches).await?);
+    let app_state = web::Data::new(AppState::new(tx_email, tx_events, caches).await?);
 
     // TODO remove with v0.17
     TEMP_migrate_passkeys_uv(&app_state.db)

diff --git a/rauthy-models/Cargo.toml b/rauthy-models/Cargo.toml
@@ -30,6 +30,7 @@ chrono = { workspace = true }
 css-color = { workspace = true }
 derive_more = { workspace = true }
 dotenvy = { workspace = true }
+flume = { workspace = true }
 futures-util = "0.3"
 hex = { version = "0.4", features = ["serde"] }
 jwt-simple = { workspace = true }
@@ -41,6 +42,7 @@ openssl-sys = { workspace = true }
 rand = { workspace = true }
 rand_core = { workspace = true }
 rauthy-common = { path = "../rauthy-common" }
+rauthy-events = { path = "../rauthy-events" }
 redhac = { workspace = true }
 regex = { workspace = true }
 ring = { workspace = true }