Add infrastructure for HMAC signatures and verification.

src/client_management.rs

@@ -8,12 +8,15 @@ pub fn create(
 ) -> Result<(), UIDCError> {
     let rng = ring::rand::SystemRandom::new();
     let client_secret: [u8; 32] = ring::rand::generate(&rng).unwrap().expose();
+    let refresh_token_secret: [u8; 32] = ring::rand::generate(&rng).unwrap().expose();
 
     realm.clients.insert(schema::Client {
         realm: realm.id(),
         shortname: name.into(),
         secret: base64::encode(&client_secret),
-        key_type: key_type.into(),
+        access_key_type: key_type.into(),
+        refresh_key_type: key_type.into(),
+        refresh_token_secret: refresh_token_secret.into(),
         redirects: Default::default(),
         scopes: Default::default(),
     })?;

src/jwt.rs

@@ -1,15 +1,15 @@
-use crate::key::ParsedKey;
+use crate::key::{HMacType, ParsedKey};
 
 fn jwt_algorithm(pk: &ParsedKey) -> &'static str {
     match pk {
-        ParsedKey::Ed25519 {
-            key_id: _,
-            keypair: _,
-        } => "EdDSA",
-        ParsedKey::RSA {
-            key_id: _,
-            keypair: _,
-        } => "RS256",
+        ParsedKey::HMAC { hmty, .. } => {
+            match hmty {
+                HMacType::Sha256 => "HS256",
+                HMacType::Sha512 => "HS512",
+            }
+        },
+        ParsedKey::Ed25519 { ..  } => "EdDSA",
+        ParsedKey::RSA { ..  } => "RS256",
     }
 }
 

src/key.rs

@@ -1,8 +1,12 @@
 use std::{cell::RefCell, sync::Arc};
 
 use crate::{schema, UIDCError};
+use hmac::{Hmac, Mac};
 use microrm::prelude::*;
-use ring::signature::{Ed25519KeyPair, KeyPair};
+use ring::{
+    rand::SecureRandom,
+    signature::{Ed25519KeyPair, KeyPair},
+};
 use sha2::Digest;
 
 use itertools::Itertools;
@@ -12,9 +16,26 @@ pub enum KeyError {
     Plain(&'static str),
 }
 
+#[non_exhaustive]
+#[derive(Clone, Copy, Debug, PartialEq, serde::Serialize, serde::Deserialize)]
+pub enum HMacType {
+    Sha256,
+    Sha512,
+}
+
+impl HMacType {
+    pub fn digest_width(&self) -> usize {
+        match self {
+            Self::Sha256 => 32,
+            Self::Sha512 => 64,
+        }
+    }
+}
+
 #[non_exhaustive]
 #[derive(Clone, Copy, Debug, PartialEq, serde::Serialize, serde::Deserialize)]
 pub enum KeyType {
+    HMac(HMacType),
     RSA2048,
     RSA4096,
     Ed25519,
@@ -27,6 +48,8 @@ impl std::fmt::Display for KeyType {
 }
 
 pub const KEY_TYPE_NAMES: &'static [(&'static str, KeyType)] = &[
+    ("hmac_sha256", KeyType::HMac(HMacType::Sha256)),
+    ("hmac_sha512", KeyType::HMac(HMacType::Sha512)),
     ("rsa2048", KeyType::RSA2048),
     ("rsa4096", KeyType::RSA4096),
     ("ed25519", KeyType::Ed25519),
@@ -48,6 +71,11 @@ impl std::str::FromStr for KeyType {
 }
 
 pub enum ParsedKey {
+    HMAC {
+        key_id: String,
+        keydata: Vec<u8>,
+        hmty: HMacType,
+    },
     Ed25519 {
         key_id: String,
         keypair: ring::signature::Ed25519KeyPair,
@@ -61,15 +89,30 @@ pub enum ParsedKey {
 impl ParsedKey {
     pub fn key_id(&self) -> &str {
         match self {
-            Self::Ed25519 { key_id, keypair } => key_id.as_str(),
-            Self::RSA { key_id, keypair } => key_id.as_str(),
+            Self::HMAC { key_id, .. } => key_id.as_str(),
+            Self::Ed25519 { key_id, .. } => key_id.as_str(),
+            Self::RSA { key_id, .. } => key_id.as_str(),
         }
     }
 
     pub fn generate_signature(&self, data: &[u8]) -> Result<Vec<u8>, UIDCError> {
         match self {
-            Self::Ed25519 { key_id, keypair } => Ok(keypair.sign(data).as_ref().into()),
-            Self::RSA { key_id, keypair } => {
+            Self::HMAC { keydata, hmty, .. } => match hmty {
+                HMacType::Sha256 => Ok(Hmac::<sha2::Sha256>::new_from_slice(keydata.as_slice())
+                    .unwrap()
+                    .chain_update(data)
+                    .finalize()
+                    .into_bytes()
+                    .to_vec()),
+                HMacType::Sha512 => Ok(Hmac::<sha2::Sha512>::new_from_slice(keydata.as_slice())
+                    .unwrap()
+                    .chain_update(data)
+                    .finalize()
+                    .into_bytes()
+                    .to_vec()),
+            },
+            Self::Ed25519 { keypair, .. } => Ok(keypair.sign(data).as_ref().into()),
+            Self::RSA { keypair, .. } => {
                 let rng = ring::rand::SystemRandom::new();
                 let mut signature = vec![];
                 signature.resize(keypair.public_modulus_len(), 0);
@@ -89,6 +132,11 @@ impl ParsedKey {
     pub fn verify_signature(&self, data: &[u8], signature: &[u8]) -> Result<bool, UIDCError> {
         use ring::signature::VerificationAlgorithm;
         match self {
+            Self::HMAC { .. } => Ok(ring::constant_time::verify_slices_are_equal(
+                self.generate_signature(data)?.as_slice(),
+                signature,
+            )
+            .is_ok()),
             Self::Ed25519 { keypair, .. } => Ok(ring::signature::ED25519
                 .verify(
                     keypair.public_key().as_ref().into(),
@@ -108,6 +156,11 @@ impl ParsedKey {
 
     pub fn parse_from(key: &schema::Key) -> Result<Self, UIDCError> {
         match key.key_type.as_ref() {
+            KeyType::HMac(hmty) => Ok(ParsedKey::HMAC {
+                key_id: key.key_id.clone(),
+                keydata: key.secret_data.clone(),
+                hmty: *hmty,
+            }),
             KeyType::RSA2048 | KeyType::RSA4096 => Ok(ParsedKey::RSA {
                 key_id: key.key_id.clone(),
                 keypair: ring::signature::RsaKeyPair::from_pkcs8(&key.secret_data)
@@ -234,6 +287,22 @@ fn generate_rsa(realm: &schema::Realm, kty: KeyType, bits: usize) -> Result<Pars
 pub fn generate_in(realm: &schema::Realm, kty: KeyType) -> Result<ParsedKey, UIDCError> {
     let mut rng = ring::rand::SystemRandom::new();
     match kty {
+        KeyType::HMac(hmty) => {
+            let rng = ring::rand::SystemRandom::new();
+            let mut key_id = [0u8; 16];
+            rng.fill(&mut key_id)
+                .map_err(|_| UIDCError::Abort("couldn't generate random values"));
+
+            let mut keydata = vec![];
+            keydata.resize(hmty.digest_width(), 0u8);
+            rng.fill(keydata.as_mut_slice())
+                .map_err(|_| UIDCError::Abort("couldn't generate random values"));
+            Ok(ParsedKey::HMAC {
+                key_id: base64::encode(key_id),
+                keydata,
+                hmty,
+            })
+        }
         KeyType::RSA2048 => generate_rsa(realm, KeyType::RSA2048, 2048),
         KeyType::RSA4096 => generate_rsa(realm, KeyType::RSA4096, 4096),
         KeyType::Ed25519 => {

src/schema.rs

@@ -138,15 +138,22 @@ pub struct Client {
     pub realm: RealmID,
     #[key]
     pub shortname: String,
+
     pub secret: String,
-    pub key_type: microrm::Serialized<KeyType>,
+
+    #[elide]
+    pub refresh_token_secret: Vec<u8>,
+
+    pub access_key_type: microrm::Serialized<KeyType>,
+    pub refresh_key_type: microrm::Serialized<KeyType>,
+
     pub redirects: microrm::RelationMap<ClientRedirect>,
     pub scopes: microrm::RelationMap<Scope>,
 }
 
 #[derive(Entity)]
 pub struct ClientRedirect {
-    pub redirect: String,
+    pub redirect_pattern: String,
 }
 
 #[derive(Entity)]

src/server/oidc.rs

@@ -128,7 +128,7 @@ fn do_token_authorize<'l, 's>(
     realm: &schema::Realm,
     client: &schema::Client,
     user: &schema::User,
-    scopes: impl Iterator<Item = &'l str>,
+    scopes: impl Iterator<Item = &'l str> + Clone,
     state: Option<&'s str>,
 ) -> Result<tide::Response, OIDCError<'s>> {
     let token = token::generate_access_token(config, &realm, client, user, scopes.into_iter());
@@ -374,19 +374,27 @@ async fn jwks(request: Request) -> tide::Result<tide::Response> {
             .get()?
             .into_iter()
             .map(|key| match key::ParsedKey::parse_from(&key)? {
-                key::ParsedKey::Ed25519 { key_id: _, keypair } => Ok(serde_json::json!({
+                key::ParsedKey::HMAC { key_id, hmty, .. } => Ok(serde_json::json!({
+                    "kid": key_id,
+                    "alg": match hmty {
+                        key::HMacType::Sha256 => "HS256",
+                        key::HMacType::Sha512 => "HS512",
+                    },
+                    "hmac": true,
+                })),
+                key::ParsedKey::Ed25519 { key_id, keypair } => Ok(serde_json::json!({
                     "crv": "Ed25519",
-                    "kid": key.key_id,
+                    "kid": key_id,
                     "kty": "OKP",
                     "use": "sig",
 
                     "x": base64::encode(keypair.public_key().as_ref()),
                 })),
-                key::ParsedKey::RSA { key_id: _, keypair } => {
+                key::ParsedKey::RSA { key_id, keypair } => {
                     let pubkey = keypair.public_key();
                     Ok(serde_json::json!({
                         "alg": "RS256",
-                        "kid": key.key_id,
+                        "kid": key_id,
                         "kty": "RSA",
                         "use": "sig",
 

src/token.rs

@@ -20,18 +20,11 @@ impl From<ring::error::KeyRejected> for TokenError {
     }
 }
 
-pub fn generate_access_token<'a>(
-    config: &config::Config,
+fn determine_roles<'a>(
     realm: &schema::Realm,
-    client: &schema::Client,
     user: &schema::User,
     scopes: impl Iterator<Item = &'a str>,
-) -> Result<String, UIDCError> {
-    let issuer = format!("{}/{}", config.base_url, realm.shortname,);
-
-    let iat = std::time::SystemTime::now();
-    let exp = iat + std::time::Duration::from_secs(config.auth_token_expiry);
-
+) -> Result<Vec<String>, UIDCError> {
     // find all roles the user can possibly have access to
     let mut user_roles = user.groups.join(schema::Group::Roles).get()?;
 
@@ -54,11 +47,26 @@ pub fn generate_access_token<'a>(
     requested_roles.dedup();
 
     // find the intersection between requested roles and the ones the user actually has
-
-    let resulting_roles = requested_roles
+    Ok(requested_roles
         .into_iter()
         .filter(|req| user_roles.contains(req))
-        .map(|role| Ok(serde_json::Value::String(role.wrapped().shortname)));
+        .map(|role| role.wrapped().shortname)
+        .collect())
+}
+
+pub fn generate_access_token<'a>(
+    config: &config::Config,
+    realm: &schema::Realm,
+    client: &schema::Client,
+    user: &schema::User,
+    scopes: impl Iterator<Item = &'a str> + Clone,
+) -> Result<String, UIDCError> {
+    let issuer = format!("{}/{}", config.base_url, realm.shortname,);
+
+    let iat = std::time::SystemTime::now();
+    let exp = iat + std::time::Duration::from_secs(config.auth_token_expiry);
+
+    let resulting_roles = determine_roles(realm, user, scopes.clone())?;
 
     let token = jwt::JWTData {
         sub: user.username.as_str(),
@@ -66,17 +74,32 @@ pub fn generate_access_token<'a>(
         aud: client.shortname.as_str(),
         iat: iat.duration_since(std::time::UNIX_EPOCH).unwrap().as_secs(),
         exp: exp.duration_since(std::time::UNIX_EPOCH).unwrap().as_secs(),
-        extras: [(
-            "roles",
-            serde_json::Value::Array(resulting_roles.collect::<Result<Vec<_>, UIDCError>>()?),
-        )]
+        extras: [
+            (
+                "scopes",
+                serde_json::Value::Array(
+                    scopes
+                        .map(|v| serde_json::Value::String(v.into()))
+                        .collect::<Vec<_>>(),
+                ),
+            ),
+            (
+                "roles",
+                serde_json::Value::Array(
+                    resulting_roles
+                        .into_iter()
+                        .map(serde_json::Value::String)
+                        .collect::<Vec<_>>(),
+                ),
+            ),
+        ]
         .into(),
     };
 
     let mut realmkeys = key::RealmKeys::new(realm.clone());
 
     let key = realmkeys
-        .by_type(*client.key_type.as_ref())?
+        .by_type(*client.access_key_type.as_ref())?
         .ok_or(UIDCError::Abort("no matching signing key for realm"))?;
 
     Ok(jwt::JWT::sign(&key, token).into_string())
@@ -91,3 +114,10 @@ pub fn generate_refresh_token<'a>(
 ) -> Result<String, UIDCError> {
     todo!()
 }
+
+pub fn trade_refresh_token<'a>(
+    config: &config::Config,
+    token: &'a str,
+) -> Result<(String, String), UIDCError> {
+    todo!()
+}