diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-09-23 15:33:30 +0200 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-09-23 15:33:30 +0200 |
| commit | 3832bf5daed8b4a3fc87153590131730daa4e88c (patch) | |
| tree | 49b30717e86de623d00cec243ef84138e339716c | |
| parent | 83549be4db488711263808a54afd2652d6d99ca9 (diff) | |
| download | nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar.gz nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar.bz2 nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar.xz nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.zip | |
...
| -rw-r--r-- | overlays/spm/frontend/src/app/spm/spm.component.ts | 4 | ||||
| -rw-r--r-- | overlays/spm/lib/Spm/Api.hs | 31 | ||||
| -rw-r--r-- | overlays/spm/package.yaml | 3 | ||||
| -rw-r--r-- | overlays/spm/server/Crypto/JOSE/Error/Instances.hs | 11 | ||||
| -rw-r--r-- | overlays/spm/server/Spm/Server.hs | 24 | ||||
| -rw-r--r-- | overlays/spm/spm.nix | 4 |
6 files changed, 60 insertions, 17 deletions
diff --git a/overlays/spm/frontend/src/app/spm/spm.component.ts b/overlays/spm/frontend/src/app/spm/spm.component.ts index f6892d7c..361a1ce4 100644 --- a/overlays/spm/frontend/src/app/spm/spm.component.ts +++ b/overlays/spm/frontend/src/app/spm/spm.component.ts | |||
| @@ -36,7 +36,7 @@ export interface ClaimedSpmMail { | |||
| 36 | } | 36 | } |
| 37 | 37 | ||
| 38 | export interface SpmJwtUnregisteredPayload { | 38 | export interface SpmJwtUnregisteredPayload { |
| 39 | local: string; | 39 | 'li.yggdrasil.local': string; |
| 40 | } | 40 | } |
| 41 | 41 | ||
| 42 | type SpmJwtPayload = JwtPayload & SpmJwtUnregisteredPayload; | 42 | type SpmJwtPayload = JwtPayload & SpmJwtUnregisteredPayload; |
| @@ -136,7 +136,7 @@ export class SpmComponent implements OnInit, OnDestroy { | |||
| 136 | const curr: Map<string, SpmMail> = this.spmMails$.getValue(); | 136 | const curr: Map<string, SpmMail> = this.spmMails$.getValue(); |
| 137 | curr.set(k, { | 137 | curr.set(k, { |
| 138 | state: 'loaded', | 138 | state: 'loaded', |
| 139 | local: payload.local, | 139 | local: payload['li.yggdrasil.local'], |
| 140 | domain: payload.aud, | 140 | domain: payload.aud, |
| 141 | jwt: encoded, | 141 | jwt: encoded, |
| 142 | expiration: payload.exp ? new Date(1000 * payload.exp) : undefined, | 142 | expiration: payload.exp ? new Date(1000 * payload.exp) : undefined, |
diff --git a/overlays/spm/lib/Spm/Api.hs b/overlays/spm/lib/Spm/Api.hs index 04dff2c9..8285cc55 100644 --- a/overlays/spm/lib/Spm/Api.hs +++ b/overlays/spm/lib/Spm/Api.hs | |||
| @@ -5,6 +5,7 @@ module Spm.Api | |||
| 5 | , SpmMailbox, SpmDomain | 5 | , SpmMailbox, SpmDomain |
| 6 | , SpmLocal(..), SpmExtension(..) | 6 | , SpmLocal(..), SpmExtension(..) |
| 7 | , SpmMapping(..), SpmMappingState(..), SpmMappingListingItem(..), SpmMappingListing(..) | 7 | , SpmMapping(..), SpmMappingState(..), SpmMappingListingItem(..), SpmMappingListing(..) |
| 8 | , SpmJWTClaims(..), _spmjwtLocal, _SpmJWTLocal | ||
| 8 | , _SpmMappingText, _SpmMappingStateReject | 9 | , _SpmMappingText, _SpmMappingStateReject |
| 9 | , spmMappingAncestors | 10 | , spmMappingAncestors |
| 10 | , SpmApi, spmApi | 11 | , SpmApi, spmApi |
| @@ -24,18 +25,21 @@ import Type.Reflection (Typeable) | |||
| 24 | 25 | ||
| 25 | import Control.Lens | 26 | import Control.Lens |
| 26 | 27 | ||
| 28 | import Control.Monad (guard) | ||
| 29 | |||
| 27 | import Data.CaseInsensitive (CI) | 30 | import Data.CaseInsensitive (CI) |
| 28 | import qualified Data.CaseInsensitive as CI | 31 | import qualified Data.CaseInsensitive as CI |
| 29 | import Data.CaseInsensitive.Instances () | 32 | import Data.CaseInsensitive.Instances () |
| 30 | 33 | ||
| 31 | import Crypto.JOSE.JWK (JWKSet) | 34 | import Crypto.JOSE.JWK (JWKSet) |
| 32 | import Crypto.JWT (SignedJWT) | 35 | import Crypto.JWT (SignedJWT, ClaimsSet, HasClaimsSet(..), emptyClaimsSet) |
| 33 | import Crypto.JWT.Instances () | 36 | import Crypto.JWT.Instances () |
| 34 | 37 | ||
| 35 | import Data.UUID (UUID) | 38 | import Data.UUID (UUID) |
| 36 | import Data.UUID.Instances () | 39 | import Data.UUID.Instances () |
| 37 | 40 | ||
| 38 | import qualified Data.Aeson as JSON | 41 | import qualified Data.Aeson as JSON |
| 42 | import qualified Data.Aeson.Lens as JSON | ||
| 39 | import Data.Aeson.TH (deriveJSON) | 43 | import Data.Aeson.TH (deriveJSON) |
| 40 | import Data.Aeson.Casing | 44 | import Data.Aeson.Casing |
| 41 | 45 | ||
| @@ -163,6 +167,31 @@ deriveJSON (aesonPrefix trainCase) ''SpmMappingListingItem | |||
| 163 | instance ToJSON SpmMappingListing where | 167 | instance ToJSON SpmMappingListing where |
| 164 | toJSON SpmMappingListing{..} = JSON.object [ "mappings" JSON..= unSpmMappingListing ] | 168 | toJSON SpmMappingListing{..} = JSON.object [ "mappings" JSON..= unSpmMappingListing ] |
| 165 | 169 | ||
| 170 | data SpmJWTClaims = SpmJWTClaims | ||
| 171 | { spmjwtStdClaims :: ClaimsSet | ||
| 172 | , spmjwtLocal :: SpmLocal | ||
| 173 | } deriving stock (Eq, Show, Generic, Typeable) | ||
| 174 | |||
| 175 | makeLensesFor [("spmjwtStdClaims", "_stdClaims"), ("spmjwtLocal", "_spmjwtLocal")] ''SpmJWTClaims | ||
| 176 | |||
| 177 | instance HasClaimsSet SpmJWTClaims where | ||
| 178 | claimsSet = _stdClaims | ||
| 179 | |||
| 180 | _SpmJWTLocal :: (Wrapped l, Unwrapped l ~ Unwrapped SpmLocal) => Prism' SpmJWTClaims l | ||
| 181 | _SpmJWTLocal = prism' toClaims fromClaims | ||
| 182 | where toClaims (view $ _Wrapped' . _Unwrapped' -> spmjwtLocal) = SpmJWTClaims{..} | ||
| 183 | where spmjwtStdClaims = emptyClaimsSet | ||
| 184 | fromClaims SpmJWTClaims{..} = view (_Wrapped' . _Unwrapped') spmjwtLocal <$ guard (spmjwtStdClaims == emptyClaimsSet) | ||
| 185 | |||
| 186 | instance JSON.ToJSON SpmJWTClaims where | ||
| 187 | toJSON SpmJWTClaims{..} = JSON.toJSON spmjwtStdClaims | ||
| 188 | & JSON._Object . at "li.yggdrasil.local" .~ Just (JSON.toJSON spmjwtLocal) | ||
| 189 | |||
| 190 | instance JSON.FromJSON SpmJWTClaims where | ||
| 191 | parseJSON = JSON.withObject "SpmJWTClaims" $ \o -> SpmJWTClaims | ||
| 192 | <$> JSON.parseJSON (JSON._Object # o) | ||
| 193 | <*> o JSON..: "li.yggdrasil.local" | ||
| 194 | |||
| 166 | 195 | ||
| 167 | type SpmApi = "whoami" :> Get '[PlainText, JSON] SpmMailbox | 196 | type SpmApi = "whoami" :> Get '[PlainText, JSON] SpmMailbox |
| 168 | :<|> "domain" :> Get '[PlainText, JSON] SpmDomain | 197 | :<|> "domain" :> Get '[PlainText, JSON] SpmDomain |
diff --git a/overlays/spm/package.yaml b/overlays/spm/package.yaml index e188dc77..6d4abe1c 100644 --- a/overlays/spm/package.yaml +++ b/overlays/spm/package.yaml | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | name: spm | 1 | name: spm |
| 2 | version: 0.1.0 | 2 | version: 0.1.1 |
| 3 | 3 | ||
| 4 | default-extensions: | 4 | default-extensions: |
| 5 | - NoImplicitPrelude | 5 | - NoImplicitPrelude |
| @@ -36,6 +36,7 @@ library: | |||
| 36 | - lens | 36 | - lens |
| 37 | - case-insensitive | 37 | - case-insensitive |
| 38 | - aeson | 38 | - aeson |
| 39 | - lens-aeson | ||
| 39 | - jose | 40 | - jose |
| 40 | - uuid | 41 | - uuid |
| 41 | - containers | 42 | - containers |
diff --git a/overlays/spm/server/Crypto/JOSE/Error/Instances.hs b/overlays/spm/server/Crypto/JOSE/Error/Instances.hs new file mode 100644 index 00000000..9f3eea51 --- /dev/null +++ b/overlays/spm/server/Crypto/JOSE/Error/Instances.hs | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | {-# OPTIONS_GHC -Wno-orphans #-} | ||
| 2 | |||
| 3 | module Crypto.JOSE.Error.Instances () where | ||
| 4 | |||
| 5 | import Data.Monoid (Monoid) | ||
| 6 | import Control.Monad (Monad) | ||
| 7 | import Control.Applicative (Alternative) | ||
| 8 | |||
| 9 | import Crypto.JOSE.Error | ||
| 10 | |||
| 11 | deriving newtype instance (Monad m, Monoid e) => Alternative (JOSE e m) | ||
diff --git a/overlays/spm/server/Spm/Server.hs b/overlays/spm/server/Spm/Server.hs index df12e3d8..8e7f8786 100644 --- a/overlays/spm/server/Spm/Server.hs +++ b/overlays/spm/server/Spm/Server.hs | |||
| @@ -44,7 +44,7 @@ import Database.Persist | |||
| 44 | import Database.Persist.Postgresql | 44 | import Database.Persist.Postgresql |
| 45 | import UnliftIO.Pool | 45 | import UnliftIO.Pool |
| 46 | 46 | ||
| 47 | import Control.Monad.Trans.Reader (ReaderT, runReaderT) | 47 | import Control.Monad.Trans.Reader (ReaderT, runReaderT, mapReaderT) |
| 48 | 48 | ||
| 49 | import Control.Monad.Logger | 49 | import Control.Monad.Logger |
| 50 | 50 | ||
| @@ -58,12 +58,12 @@ import qualified Data.UUID as UUID | |||
| 58 | import qualified Data.UUID.V4 as UUID | 58 | import qualified Data.UUID.V4 as UUID |
| 59 | 59 | ||
| 60 | import qualified Data.Aeson as JSON | 60 | import qualified Data.Aeson as JSON |
| 61 | import Data.Aeson.Lens (_JSON) | ||
| 62 | 61 | ||
| 63 | import System.FilePath ((</>), isRelative) | 62 | import System.FilePath ((</>), isRelative) |
| 64 | 63 | ||
| 65 | import Crypto.JOSE.JWK hiding (Context) | 64 | import Crypto.JOSE.JWK hiding (Context) |
| 66 | import Crypto.JOSE.JWK.Instances () | 65 | import Crypto.JOSE.JWK.Instances () |
| 66 | import Crypto.JOSE.Error.Instances () | ||
| 67 | 67 | ||
| 68 | import Crypto.Random.Instances () | 68 | import Crypto.Random.Instances () |
| 69 | import qualified Crypto.Random as Crypto | 69 | import qualified Crypto.Random as Crypto |
| @@ -197,10 +197,13 @@ mkSpmApp = do | |||
| 197 | spmSql :: ReaderT SqlBackend Handler' a -> Handler' a | 197 | spmSql :: ReaderT SqlBackend Handler' a -> Handler' a |
| 198 | spmSql act = do | 198 | spmSql act = do |
| 199 | sqlPool <- view sctxSqlPool | 199 | sqlPool <- view sctxSqlPool |
| 200 | withResource sqlPool $ runReaderT act | 200 | mapReaderT (mapLoggingT $ either throwError pure <=< liftIO) . withResource sqlPool $ mapReaderT (mapLoggingT runHandler) . runReaderT act |
| 201 | 201 | ||
| 202 | spmJWT :: forall error a. Show error => ServerError -> ExceptT error IO a -> Handler' a | 202 | spmJWT :: forall error a. Show error => ServerError -> JOSE error IO a -> Handler' a |
| 203 | spmJWT errTemplate = either (\err -> throwError errTemplate{ errBody = LBS.fromStrict . Text.encodeUtf8 . Text.pack $ show err }) return <=< liftIO . runExceptT | 203 | spmJWT errTemplate = either (\err -> throwError errTemplate{ errBody = LBS.fromStrict . Text.encodeUtf8 . Text.pack $ show err }) return <=< liftIO . runJOSE |
| 204 | |||
| 205 | withJOSE :: forall m e e' a. Functor m => (e -> e') -> JOSE e m a -> JOSE e' m a | ||
| 206 | withJOSE f = JOSE . withExceptT f . unwrapJOSE | ||
| 204 | 207 | ||
| 205 | generateLocal :: MonadIO m => SpmStyle -> m MailLocal | 208 | generateLocal :: MonadIO m => SpmStyle -> m MailLocal |
| 206 | generateLocal SpmWords = fmap (review _Wrapped . CI.mk) . liftIO $ do | 209 | generateLocal SpmWords = fmap (review _Wrapped . CI.mk) . liftIO $ do |
| @@ -254,24 +257,23 @@ spmServer dom mbox = whoami | |||
| 254 | instanceId' <- view sctxInstanceId | 257 | instanceId' <- view sctxInstanceId |
| 255 | jwks <- view $ sctxJwkSet . _Wrapped | 258 | jwks <- view $ sctxJwkSet . _Wrapped |
| 256 | tokenId <- liftIO UUID.nextRandom | 259 | tokenId <- liftIO UUID.nextRandom |
| 257 | let claimsSet = emptyClaimsSet | 260 | let jwtClaims = (_SpmJWTLocal # local) |
| 258 | & claimIss ?~ (JWT.string # UUID.toText instanceId') | 261 | & claimIss ?~ (JWT.string # UUID.toText instanceId') |
| 259 | & claimAud ?~ Audience (pure $ dom ^. _Wrapped . to CI.original . re JWT.string) | 262 | & claimAud ?~ Audience (pure $ dom ^. _Wrapped . to CI.original . re JWT.string) |
| 260 | & claimNbf ?~ NumericDate t | 263 | & claimNbf ?~ NumericDate t |
| 261 | & claimIat ?~ NumericDate t | 264 | & claimIat ?~ NumericDate t |
| 262 | & claimExp ?~ NumericDate (600 `addUTCTime` t) | 265 | & claimExp ?~ NumericDate (600 `addUTCTime` t) |
| 263 | & claimJti ?~ UUID.toText tokenId | 266 | & claimJti ?~ UUID.toText tokenId |
| 264 | & unregisteredClaims . at "local" ?~ view (_Wrapped . re _JSON) local | ||
| 265 | spmJWT @JWT.Error err500 $ do | 267 | spmJWT @JWT.Error err500 $ do |
| 266 | (jwsAlg, selectedJwk) <- withExceptT (fromMaybe JWT.NoUsableKeys . getFirst) . asum $ map (\jwk' -> (, jwk') <$> withExceptT (First . Just) (bestJWSAlg jwk')) jwks | 268 | (jwsAlg, selectedJwk) <- withJOSE (fromMaybe JWT.NoUsableKeys . getFirst) . asum $ map (\jwk' -> (, jwk') <$> withJOSE (First . Just) (bestJWSAlg jwk')) jwks |
| 267 | signClaims selectedJwk (newJWSHeader ((), jwsAlg)) claimsSet | 269 | signJWT selectedJwk (newJWSHeader ((), jwsAlg)) jwtClaims |
| 268 | 270 | ||
| 269 | claim jwt = do | 271 | claim jwt = do |
| 270 | jwks <- view sctxJwkSet | 272 | jwks <- view sctxJwkSet |
| 271 | let validationSettings' = defaultJWTValidationSettings ((== Just dom) . fmap (review _Wrapped . CI.mk) . preview JWT.string) | 273 | let validationSettings' = defaultJWTValidationSettings ((== Just dom) . fmap (review _Wrapped . CI.mk) . preview JWT.string) |
| 272 | & jwtValidationSettingsAllowedSkew .~ 5 | 274 | & jwtValidationSettingsAllowedSkew .~ 5 |
| 273 | claims <- spmJWT @JWT.JWTError err403 $ verifyClaims validationSettings' jwks jwt | 275 | jwtClaims <- spmJWT @JWT.JWTError err403 $ verifyJWT validationSettings' jwks jwt |
| 274 | mailboxMappingLocal <- maybe (throwError err400{ errBody = "Claim ‘local’ missing" }) (return . Just) $ claims ^? unregisteredClaims . ix "local" . _JSON . to CI.mk . re _Wrapped | 276 | let mailboxMappingLocal = Just $ jwtClaims ^. _spmjwtLocal . _Wrapped . _Unwrapped |
| 275 | 277 | ||
| 276 | spmSql $ do | 278 | spmSql $ do |
| 277 | Entity mailboxMappingMailbox _ <- maybe (throwError err404) return <=< getBy $ UniqueMailbox mbox | 279 | Entity mailboxMappingMailbox _ <- maybe (throwError err404) return <=< getBy $ UniqueMailbox mbox |
diff --git a/overlays/spm/spm.nix b/overlays/spm/spm.nix index 7c9eb933..2d1f7eed 100644 --- a/overlays/spm/spm.nix +++ b/overlays/spm/spm.nix | |||
| @@ -10,13 +10,13 @@ | |||
| 10 | }: | 10 | }: |
| 11 | mkDerivation { | 11 | mkDerivation { |
| 12 | pname = "spm"; | 12 | pname = "spm"; |
| 13 | version = "0.1.0"; | 13 | version = "0.1.1"; |
| 14 | src = ./.; | 14 | src = ./.; |
| 15 | isLibrary = true; | 15 | isLibrary = true; |
| 16 | isExecutable = true; | 16 | isExecutable = true; |
| 17 | libraryHaskellDepends = [ | 17 | libraryHaskellDepends = [ |
| 18 | aeson aeson-casing base case-insensitive containers jose lens | 18 | aeson aeson-casing base case-insensitive containers jose lens |
| 19 | servant text uuid | 19 | lens-aeson servant text uuid |
| 20 | ]; | 20 | ]; |
| 21 | libraryToolDepends = [ hpack ]; | 21 | libraryToolDepends = [ hpack ]; |
| 22 | executableHaskellDepends = [ | 22 | executableHaskellDepends = [ |