Rewrite some server functionality to use microrm 0.4.0.

src/cli.rs

@@ -2,7 +2,7 @@ use crate::{
     schema::{self, UIDCDatabase},
     config,
     UIDCError,
-    key::{self, KeyType}, user_management, client_management, scope_management, group_management, token_management,
+    key::{self, KeyType}, user_management, client_management, scope_management, group_management, token_management, server,
 };
 use clap::{Parser, Subcommand};
 use microrm::prelude::*;
@@ -36,10 +36,8 @@ enum Command {
     Key(KeyArgs),
     /// scope management
     Scope(ScopeArgs),
-    /*
     /// run the actual OIDC server
     Server(ServerArgs),
-    */
     /// manual token generation and inspection
     Token(TokenArgs),
     /// role management
@@ -78,11 +76,10 @@ impl RootArgs {
             Command::Client(v) => v.run(ra).await,
             Command::Scope(v) => v.run(ra).await,
             Command::Group(v) => v.run(ra).await,
-            /*Command::Server(v) => v.run(ra).await,*/
+            Command::Server(v) => v.run(ra).await,
             Command::Token(v) => v.run(ra).await,
             Command::Role(v) => v.run(ra).await,
             Command::User(v) => v.run(ra).await,
-            _ => todo!(),
         }
     }
 
@@ -370,7 +367,6 @@ impl ScopeArgs {
     }
 }
 
-/*
 #[derive(Debug, Parser)]
 struct ServerArgs {
     #[clap(short, long)]
@@ -379,11 +375,10 @@ struct ServerArgs {
 
 impl ServerArgs {
     async fn run(&self, args: RunArgs) -> Result<(), UIDCError> {
-        let config = config::Config::build_from(&args.db.query_interface(), None);
+        let config = config::Config::build_from(&args.db, None);
         server::run_server(args.db, config, self.port.unwrap_or(2114)).await
     }
 }
-*/
 
 #[derive(Debug, Subcommand)]
 enum TokenCommand {

src/config.rs

@@ -21,7 +21,7 @@ impl Config {
         let mut config_map = std::collections::HashMap::<String, String>::new();
         // load config keys from database
         let db_pcs = db.persistent_config.get().expect("could't get config keys from database");
-        config_map.extend(db_pcs.into_iter().map(|pc: microrm::schema::IDWrap<schema::PersistentConfig>| {
+        config_map.extend(db_pcs.into_iter().map(|pc: microrm::schema::Stored<schema::PersistentConfig>| {
             let pc = pc.wrapped();
             (pc.key, pc.value)
         }));

src/main.rs

@@ -10,7 +10,7 @@ mod key;
 mod role_management;
 mod schema;
 mod scope_management;
-// mod server;
+mod server;
 mod token;
 mod token_management;
 mod user;
@@ -22,6 +22,7 @@ fn main() {
     stderrlog::new()
         .module(module_path!())
         .module("tide")
+        .module("microrm")
         .show_module_names(true)
         .timestamp(stderrlog::Timestamp::Millisecond)
         .verbosity(10)

src/schema.rs

@@ -9,7 +9,7 @@ use crate::key::KeyType;
 // ----------------------------------------------------------------------
 
 /// Simple key-value store for persistent configuration
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct PersistentConfig {
     #[unique]
     pub key: String,
@@ -20,13 +20,15 @@ pub struct PersistentConfig {
 // Session types
 // ----------------------------------------------------------------------
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct Session {
-    auth: AssocMap<SessionAuth>,
-    // expiry: std::time::SystemTime
+    #[unique]
+    pub session_id: String,
+    pub auth: AssocMap<SessionAuth>,
+    pub expiry: time::OffsetDateTime,
 }
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct SessionAuth {
     pub realm: RealmID,
 
@@ -36,7 +38,7 @@ pub struct SessionAuth {
     pub pending_challenges: Serialized<Vec<AuthChallengeType>>,
 }
 
-#[derive(Clone, Copy, Debug, PartialEq, PartialOrd, Serialize, Deserialize)]
+#[derive(Clone, Copy, PartialEq, PartialOrd, Serialize, Deserialize, Debug)]
 pub enum AuthChallengeType {
     Username,
     Password,
@@ -45,7 +47,7 @@ pub enum AuthChallengeType {
     WebAuthn,
 }
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct AuthChallenge {
     #[unique]
     pub challenge_type: Serialized<AuthChallengeType>,
@@ -72,7 +74,7 @@ impl Relation for GroupRoleRelation {
     const NAME: &'static str = "GroupRole";
 }
 
-#[derive(Clone, Debug, Default, Entity)]
+#[derive(Clone, Default, Entity)]
 pub struct Realm {
     #[unique]
     pub shortname: String,
@@ -85,7 +87,7 @@ pub struct Realm {
     pub users: AssocMap<User>,
 }
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct Key {
     #[unique]
     pub key_id: String,
@@ -95,7 +97,7 @@ pub struct Key {
     pub expiry: time::OffsetDateTime,
 }
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct User {
     #[unique]
     pub username: String,
@@ -103,7 +105,7 @@ pub struct User {
     pub groups: AssocDomain<UserGroupRelation>,
 }
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct Group {
     #[unique]
     pub shortname: String,
@@ -111,7 +113,7 @@ pub struct Group {
     pub roles: AssocDomain<GroupRoleRelation>,
 }
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct Role {
     #[unique]
     pub shortname: String,
@@ -119,7 +121,7 @@ pub struct Role {
 }
 
 /// OAuth2 client representation
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct Client {
     #[unique]
     pub shortname: String,
@@ -129,13 +131,13 @@ pub struct Client {
     pub scopes: AssocMap<Scope>,
 }
 
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct ClientRedirect {
     pub redirect: String,
 }
 
 /// Requested group of permissions
-#[derive(Debug, Entity)]
+#[derive(Entity)]
 pub struct Scope {
     #[unique]
     pub shortname: String,

src/server.rs

@@ -1,12 +1,12 @@
-use crate::{config, UIDCError};
+use crate::{config, UIDCError, schema};
 
-mod oidc;
+// mod oidc;
 mod session;
-mod um;
+// mod um;
 
 pub struct ServerState {
     config: config::Config,
-    pool: microrm::DBPool<'static>,
+    db: schema::UIDCDatabase,
     templates: handlebars::Handlebars<'static>,
 }
 
@@ -19,15 +19,15 @@ async fn index(req: tide::Request<ServerStateWrapper>) -> tide::Result<tide::Res
     let shelper = session::SessionHelper::new(&req);
 
     let realm = shelper.get_realm()?;
-    let sid = shelper.get_session(&req);
-    let auth = sid.and_then(|sid| shelper.get_auth_for_session(realm, sid));
+    let session = shelper.get_session(&req);
+    let auth = session.as_ref().and_then(|session| shelper.get_auth_for_session(realm.id(), &session));
 
     let response = tide::Response::builder(200)
         .content_type(tide::http::mime::PLAIN)
         .body(format!(
             r#"
             realm: {realm:?}
-            session: {sid:?}
+            session: {session:?}
             auth: {auth:?}
         "#
         ))
@@ -36,17 +36,13 @@ async fn index(req: tide::Request<ServerStateWrapper>) -> tide::Result<tide::Res
 }
 
 pub async fn run_server(
-    db: microrm::DB,
+    db: schema::UIDCDatabase,
     config: config::Config,
     port: u16,
 ) -> Result<(), UIDCError> {
-    let db_box = Box::new(db);
-    let db: &'static mut microrm::DB = Box::leak(db_box);
-    let pool = microrm::DBPool::new(db);
-
     let core_state = Box::leak(Box::new(ServerState {
         config,
-        pool,
+        db,
         templates: handlebars::Handlebars::new(),
     }));
 
@@ -74,8 +70,8 @@ pub async fn run_server(
         .expect("Can't serve static files");
 
     session::session_v1_server(app.at("/:realm/v1/session/"));
-    oidc::oidc_server(app.at("/:realm/"));
-    um::um_server(app.at("/:realm/um/"));
+    // oidc::oidc_server(app.at("/:realm/"));
+    // um::um_server(app.at("/:realm/um/"));
 
     app.listen(("127.0.0.1", port))
         .await

src/server/session.rs

@@ -1,10 +1,10 @@
-use crate::{schema, user};
-use microrm::prelude::*;
+use crate::{schema, user, UIDCError};
+use microrm::{prelude::*, schema::Stored};
 use serde::Deserialize;
 use tide::http::Cookie;
 
 pub(super) struct SessionHelper<'l> {
-    qi: &'l microrm::QueryInterface<'static>,
+    db: &'l schema::UIDCDatabase,
     tmpl: &'l handlebars::Handlebars<'l>,
     realm_str: &'l str,
 }
@@ -16,54 +16,48 @@ const SESSION_COOKIE_NAME: &'static str = "uidc_session";
 impl<'l> SessionHelper<'l> {
     pub fn new(req: &'l Request) -> Self {
         Self {
-            qi: req.state().core.pool.query_interface(),
+            db: &req.state().core.db,
             tmpl: &req.state().core.templates,
             realm_str: req.param("realm").expect("no realm param?"),
         }
     }
 
-    pub fn get_realm(&self) -> tide::Result<schema::RealmID> {
-        self.qi
-            .get()
-            .by(schema::Realm::Shortname, self.realm_str)
-            .one()
-            .expect("couldn't query db")
-            .map(|r| r.id())
-            .ok_or(tide::Error::from_str(404, "No such realm"))
+    pub fn get_realm(&self) -> tide::Result<Stored<schema::Realm>> {
+        self.db.realms.unique(self.realm_str).get()?.ok_or(tide::Error::from_str(404, "No such realm"))
     }
 
     fn build_session(
         &self,
-    ) -> tide::Result<(schema::SessionID, Option<tide::http::Cookie<'static>>)> {
+    ) -> tide::Result<(schema::Session, Option<tide::http::Cookie<'static>>)> {
         let rng = ring::rand::SystemRandom::new();
         let session_id: [u8; 32] = ring::rand::generate(&rng)
             .map_err(|_| tide::Error::from_str(500, "Failed to generate session ID"))?
             .expose();
         let session_id = base64::encode_config(session_id, base64::URL_SAFE_NO_PAD);
 
-        let maybe_id = self.qi.add(&schema::Session {
-            key: session_id.clone(),
-        });
+        // XXX: replace with in-place insertion once support for that is added to microrm
+        let session = self.db.sessions.insert_and_return(schema::Session {
+            session_id: session_id.clone(),
+            auth: Default::default(),
+            expiry: time::OffsetDateTime::now_utc() + time::Duration::minutes(10)
+        })?;
         let session_cookie = Cookie::build(SESSION_COOKIE_NAME, session_id)
             .path("/")
             .finish();
         Ok((
-            maybe_id.ok().ok_or(tide::Error::from_str(
-                500,
-                "Failed to store session in database",
-            ))?,
+            session.wrapped(),
             Some(session_cookie),
         ))
     }
 
-    pub fn verify_session(&self, req: &Request) -> Option<(schema::RealmID, schema::UserID)> {
+    pub fn verify_session(&self, req: &Request) -> Option<(Stored<schema::Realm>, schema::UserID)> {
         self.get_or_build_session(req)
             .ok()
             .zip(self.get_realm().ok())
             .and_then(|((sid, _cookie), realm)| {
-                self.get_auth_for_session(realm, sid).and_then(|auth| {
-                    if auth.challenges_left.len() == 0 {
-                        Some((realm, auth.user))
+                self.get_auth_for_session(realm.id(), &sid).and_then(|auth| {
+                    if let Some(user) = auth.user {
+                        Some((realm, user))
                     } else {
                         None
                     }
@@ -71,24 +65,19 @@ impl<'l> SessionHelper<'l> {
             })
     }
 
-    pub fn get_session(&self, req: &Request) -> Option<schema::SessionID> {
+    pub fn get_session(&self, req: &Request) -> Option<schema::Session> {
         req.cookie(SESSION_COOKIE_NAME)
             .and_then(|sid| {
-                self.qi
-                    .get()
-                    .by(schema::Session::Key, sid.value())
-                    .one()
-                    .expect("couldn't query db")
+                self.db.sessions.unique(sid.value()).get().ok().flatten().map(|v| v.wrapped())
             })
-            .and_then(|session| Some(session.id()))
     }
 
     pub fn get_or_build_session(
         &self,
         req: &Request,
-    ) -> tide::Result<(schema::SessionID, Option<tide::http::Cookie<'static>>)> {
+    ) -> tide::Result<(schema::Session, Option<tide::http::Cookie<'static>>)> {
         match self.get_session(&req) {
-            Some(sid) => Ok((sid, None)),
+            Some(s) => Ok((s, None)),
             None => self.build_session(),
         }
     }
@@ -96,25 +85,14 @@ impl<'l> SessionHelper<'l> {
     pub fn get_auth_for_session(
         &self,
         realm: schema::RealmID,
-        session: schema::SessionID,
-    ) -> Option<microrm::WithID<schema::SessionAuthentication>> {
-        use schema::SessionAuthentication as SAC;
-        self.qi
-            .get()
-            .by(SAC::Realm, &realm)
-            .by(SAC::Session, &session)
-            .one()
-            .expect("couldn't query db")
+        session: &schema::Session,
+    ) -> Option<Stored<schema::SessionAuth>> {
+        session.auth.with(schema::SessionAuth::Realm, realm).first().get().ok()?
     }
 
-    pub fn destroy_auth(&self, realm: schema::RealmID, session: schema::SessionID) {
-        use schema::SessionAuthentication as SAC;
-        self.qi
-            .delete()
-            .by(SAC::Realm, &realm)
-            .by(SAC::Session, &session)
-            .exec()
-            .expect("couldn't query db")
+    pub fn destroy_auth(&self, realm: schema::RealmID, session: &schema::Session) -> Result<(), UIDCError> {
+        session.auth.with(schema::SessionAuth::Realm, realm).first().delete()?;
+        Ok(())
     }
 }
 
@@ -123,12 +101,12 @@ impl<'l> SessionHelper<'l> {
         &self,
         mut response: tide::Response,
         redirect: String,
-        auth: Option<schema::SessionAuthentication>,
+        auth: Option<schema::SessionAuth>,
         error_msg: Option<String>,
     ) -> tide::Response {
         let to_present: Option<schema::AuthChallengeType> = match auth {
             None => Some(schema::AuthChallengeType::Username),
-            Some(auth) => auth.challenges_left.first().copied(),
+            Some(auth) => auth.pending_challenges.as_ref().first().copied(),
         };
 
         if to_present.is_none() {
@@ -203,10 +181,10 @@ async fn v1_login(req: Request) -> tide::Result<tide::Response> {
     let shelper = SessionHelper::new(&req);
 
     let realm = shelper.get_realm()?;
-    let (session_id, cookie) = shelper.get_or_build_session(&req)?;
+    let (session, cookie) = shelper.get_or_build_session(&req)?;
     cookie.map(|c| response.insert_cookie(c));
 
-    let auth = shelper.get_auth_for_session(realm, session_id);
+    let auth = shelper.get_auth_for_session(realm.id(), &session);
 
     #[derive(serde::Deserialize)]
     struct LoginQuery {
@@ -218,8 +196,8 @@ async fn v1_login(req: Request) -> tide::Result<tide::Response> {
     Ok(shelper.render_login_from_auth(
         response,
         query.redirect.unwrap_or_else(|| "../..".to_string()),
-        auth.map(|a| a.wrapped()),
-        None,
+        auth.map(Stored::wrapped),
+        None
     ))
 }
 
@@ -239,14 +217,14 @@ async fn v1_login_post(mut req: Request) -> tide::Result<tide::Response> {
     let shelper = SessionHelper::new(&req);
 
     let realm = shelper.get_realm()?;
-    let (session_id, cookie) = shelper.get_or_build_session(&req)?;
+    let (session, cookie) = shelper.get_or_build_session(&req)?;
     cookie.map(|c| response.insert_cookie(c));
 
-    let mut auth = shelper.get_auth_for_session(realm, session_id);
+    let mut auth = shelper.get_auth_for_session(realm.id(), &session);
 
     // check if a login reset was requested; if so, we start again from the top
     if body.reset.is_some() {
-        shelper.destroy_auth(realm, session_id);
+        shelper.destroy_auth(realm.id(), &session)?;
         return Ok(tide::Redirect::new("login").into());
     }
 
@@ -264,7 +242,7 @@ async fn v1_login_post(mut req: Request) -> tide::Result<tide::Response> {
     // check that the response matches what we're expecting next
     let to_be_presented: Option<schema::AuthChallengeType> = match &auth {
         None => Some(schema::AuthChallengeType::Username),
-        Some(auth) => auth.challenges_left.first().copied(),
+        Some(auth) => auth.pending_challenges.as_ref().first().copied(),
     };
 
     if to_be_presented != Some(challenge) {
@@ -272,65 +250,60 @@ async fn v1_login_post(mut req: Request) -> tide::Result<tide::Response> {
     }
 
     match challenge {
+        // handle the username challenge specially because this sets up the pending challenges.
         ChallengeType::Username => {
-            let qi = req.state().core.pool.query_interface();
-            shelper.destroy_auth(realm, session_id);
-
-            let user = qi
-                .get()
-                .by(schema::User::Realm, &realm)
-                .by(schema::User::Username, &body.challenge)
-                .one()
-                .expect("couldn't query db");
+            shelper.destroy_auth(realm.id(), &session)?;
+
+            let user = realm.users.unique(&body.challenge).get()?;
             if user.is_none() {
                 error = Some(format!("No such user {}", body.challenge));
             } else {
                 let user = user.unwrap();
 
-                let enabled = qi.get().by(schema::AuthChallenge::User, &user.id()).all()?;
-                let has_totp = enabled
-                    .iter()
-                    .filter(|ac| ac.challenge_type == schema::AuthChallengeType::TOTP)
-                    .count()
-                    > 0;
+                let has_totp = user.auth.with(schema::AuthChallenge::ChallengeType, microrm::schema::Serialized::from(schema::AuthChallengeType::TOTP)).count()? > 0;
 
                 // TODO: support more flows than just username,password[,totp]
-                let sa = schema::SessionAuthentication {
-                    session: session_id,
-                    realm: realm,
-                    user: user.id(),
-                    challenges_left: if has_totp {
-                        vec![
-                            schema::AuthChallengeType::Password,
-                            schema::AuthChallengeType::TOTP,
-                        ]
-                    } else {
-                        vec![schema::AuthChallengeType::Password]
-                    },
-                };
-                let id = qi.add(&sa).unwrap();
-                auth = Some(microrm::WithID::new(sa, id));
+                auth = Some(session.auth.insert_and_return(
+                    schema::SessionAuth {
+                        realm: realm.id(),
+                        user: None,
+                        pending_user: Some(user.id()),
+                        pending_challenges: if has_totp {
+                            vec![
+                                schema::AuthChallengeType::Password,
+                                schema::AuthChallengeType::TOTP,
+                            ]
+                        } else {
+                            vec![schema::AuthChallengeType::Password]
+                        }.into(),
+                    }
+                )?);
+                // auth = Some(session.auth.with(id, id).first().get()?.expect("can't re-get just-added entity"));
             }
         }
         ct => {
-            if let Some(auth) = &mut auth {
-                let qi = req.state().core.pool.query_interface();
+            if let Some(auth) = auth.as_mut() {
+                // let qi = req.state().core.pool.query_interface();
 
-                let user = qi.get().by_id(&auth.user).one().expect("couldn't query db");
+                // let user = qi.get().by_id(&auth.user).one().expect("couldn't query db");
 
-                if let Some(user) = user {
-                    let user = user::User::from_model(user);
+                if let Some(user_id) = auth.pending_user {
+                    let user = realm.users.with(user_id, user_id).first().get()?.ok_or(UIDCError::Abort("session auth refers to nonexistent user"))?;
 
-                    let verification = user.verify_challenge(&qi, ct, body.challenge.as_bytes());
+                    let user = user::User::from_schema(&realm, user);
+
+                    let verification = user.verify_challenge_by_type(ct, body.challenge.as_bytes());
 
                     match verification {
                         Ok(true) => {
-                            auth.challenges_left.remove(0);
-                            qi.update()
-                                .to(auth.as_ref())
-                                .by_id(&auth.id())
-                                .exec()
-                                .expect("couldn't update auth status?");
+                            auth.pending_challenges.as_mut().remove(0);
+
+                            // if we're done with the last challenge, mark us as logged in
+                            if auth.pending_challenges.as_ref().is_empty() {
+                                auth.user = auth.pending_user.take();
+                            }
+
+                            auth.sync()?;
                         }
                         Ok(false) => {
                             error = Some("Incorrect response. Please try again".into());
@@ -348,7 +321,7 @@ async fn v1_login_post(mut req: Request) -> tide::Result<tide::Response> {
         }
     };
 
-    Ok(shelper.render_login_from_auth(response, body.redirect, auth.map(|a| a.wrapped()), error))
+    Ok(shelper.render_login_from_auth(response, body.redirect, auth.map(Stored::wrapped), error))
 }
 
 async fn v1_logout(req: Request) -> tide::Result<tide::Response> {
@@ -364,7 +337,7 @@ async fn v1_logout(req: Request) -> tide::Result<tide::Response> {
     let realm = shelper.get_realm()?;
     shelper
         .get_session(&req)
-        .map(|sid| shelper.destroy_auth(realm, sid));
+        .map(|sid| shelper.destroy_auth(realm.id(), &sid));
     Ok(tide::Redirect::new(query.redirect.unwrap_or_else(|| "../..".into())).into())
 }
 

src/user.rs

@@ -1,5 +1,5 @@
 use crate::{schema, UIDCError};
-use microrm::schema::IDWrap;
+use microrm::schema::Stored;
 use microrm::prelude::*;
 
 #[derive(Debug)]
@@ -12,7 +12,7 @@ pub enum UserError {
 
 pub struct User<'a> {
     realm: &'a schema::Realm,
-    user: IDWrap<schema::User>,
+    user: Stored<schema::User>,
 }
 
 static PBKDF2_ROUNDS: std::num::NonZeroU32 = unsafe { std::num::NonZeroU32::new_unchecked(20000) };
@@ -40,7 +40,7 @@ fn generate_totp_digits(secret: &[u8], time_offset: isize) -> Result<u32, UIDCEr
 }
 
 impl<'a> User<'a> {
-    pub fn from_schema(realm: &'a schema::Realm, user: IDWrap<schema::User>) -> Self {
+    pub fn from_schema(realm: &'a schema::Realm, user: Stored<schema::User>) -> Self {
         Self { realm, user }
     }
 
@@ -53,7 +53,7 @@ impl<'a> User<'a> {
             Err(UIDCError::Abort("username already in use"))
         } else {
             self.user.username = new_name.clone();
-            // self.realm.users.update(&self.user);
+            self.user.sync()?;
             Ok(())
         }
     }

src/user_management.rs

@@ -19,10 +19,10 @@ pub fn list(realm: &schema::Realm) -> Result<(), UIDCError> {
 
 pub fn create(
     realm: &schema::Realm,
-    username: &String,
+    username: &str,
 ) -> Result<(), UIDCError> {
     // check that the user doesn't exist already
-    let existing_user = realm.users.unique(&username).get()?;
+    let existing_user = realm.users.unique(username).get()?;
 
     if existing_user.is_some() {
         log::error!(