diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2023-09-23 15:33:30 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2023-09-23 15:33:30 +0200 |
commit | 3832bf5daed8b4a3fc87153590131730daa4e88c (patch) | |
tree | 49b30717e86de623d00cec243ef84138e339716c /overlays/spm/server | |
parent | 83549be4db488711263808a54afd2652d6d99ca9 (diff) | |
download | nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar.gz nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar.bz2 nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.tar.xz nixos-3832bf5daed8b4a3fc87153590131730daa4e88c.zip |
...
Diffstat (limited to 'overlays/spm/server')
-rw-r--r-- | overlays/spm/server/Crypto/JOSE/Error/Instances.hs | 11 | ||||
-rw-r--r-- | overlays/spm/server/Spm/Server.hs | 24 |
2 files changed, 24 insertions, 11 deletions
diff --git a/overlays/spm/server/Crypto/JOSE/Error/Instances.hs b/overlays/spm/server/Crypto/JOSE/Error/Instances.hs new file mode 100644 index 00000000..9f3eea51 --- /dev/null +++ b/overlays/spm/server/Crypto/JOSE/Error/Instances.hs | |||
@@ -0,0 +1,11 @@ | |||
1 | {-# OPTIONS_GHC -Wno-orphans #-} | ||
2 | |||
3 | module Crypto.JOSE.Error.Instances () where | ||
4 | |||
5 | import Data.Monoid (Monoid) | ||
6 | import Control.Monad (Monad) | ||
7 | import Control.Applicative (Alternative) | ||
8 | |||
9 | import Crypto.JOSE.Error | ||
10 | |||
11 | deriving newtype instance (Monad m, Monoid e) => Alternative (JOSE e m) | ||
diff --git a/overlays/spm/server/Spm/Server.hs b/overlays/spm/server/Spm/Server.hs index df12e3d8..8e7f8786 100644 --- a/overlays/spm/server/Spm/Server.hs +++ b/overlays/spm/server/Spm/Server.hs | |||
@@ -44,7 +44,7 @@ import Database.Persist | |||
44 | import Database.Persist.Postgresql | 44 | import Database.Persist.Postgresql |
45 | import UnliftIO.Pool | 45 | import UnliftIO.Pool |
46 | 46 | ||
47 | import Control.Monad.Trans.Reader (ReaderT, runReaderT) | 47 | import Control.Monad.Trans.Reader (ReaderT, runReaderT, mapReaderT) |
48 | 48 | ||
49 | import Control.Monad.Logger | 49 | import Control.Monad.Logger |
50 | 50 | ||
@@ -58,12 +58,12 @@ import qualified Data.UUID as UUID | |||
58 | import qualified Data.UUID.V4 as UUID | 58 | import qualified Data.UUID.V4 as UUID |
59 | 59 | ||
60 | import qualified Data.Aeson as JSON | 60 | import qualified Data.Aeson as JSON |
61 | import Data.Aeson.Lens (_JSON) | ||
62 | 61 | ||
63 | import System.FilePath ((</>), isRelative) | 62 | import System.FilePath ((</>), isRelative) |
64 | 63 | ||
65 | import Crypto.JOSE.JWK hiding (Context) | 64 | import Crypto.JOSE.JWK hiding (Context) |
66 | import Crypto.JOSE.JWK.Instances () | 65 | import Crypto.JOSE.JWK.Instances () |
66 | import Crypto.JOSE.Error.Instances () | ||
67 | 67 | ||
68 | import Crypto.Random.Instances () | 68 | import Crypto.Random.Instances () |
69 | import qualified Crypto.Random as Crypto | 69 | import qualified Crypto.Random as Crypto |
@@ -197,10 +197,13 @@ mkSpmApp = do | |||
197 | spmSql :: ReaderT SqlBackend Handler' a -> Handler' a | 197 | spmSql :: ReaderT SqlBackend Handler' a -> Handler' a |
198 | spmSql act = do | 198 | spmSql act = do |
199 | sqlPool <- view sctxSqlPool | 199 | sqlPool <- view sctxSqlPool |
200 | withResource sqlPool $ runReaderT act | 200 | mapReaderT (mapLoggingT $ either throwError pure <=< liftIO) . withResource sqlPool $ mapReaderT (mapLoggingT runHandler) . runReaderT act |
201 | 201 | ||
202 | spmJWT :: forall error a. Show error => ServerError -> ExceptT error IO a -> Handler' a | 202 | spmJWT :: forall error a. Show error => ServerError -> JOSE error IO a -> Handler' a |
203 | spmJWT errTemplate = either (\err -> throwError errTemplate{ errBody = LBS.fromStrict . Text.encodeUtf8 . Text.pack $ show err }) return <=< liftIO . runExceptT | 203 | spmJWT errTemplate = either (\err -> throwError errTemplate{ errBody = LBS.fromStrict . Text.encodeUtf8 . Text.pack $ show err }) return <=< liftIO . runJOSE |
204 | |||
205 | withJOSE :: forall m e e' a. Functor m => (e -> e') -> JOSE e m a -> JOSE e' m a | ||
206 | withJOSE f = JOSE . withExceptT f . unwrapJOSE | ||
204 | 207 | ||
205 | generateLocal :: MonadIO m => SpmStyle -> m MailLocal | 208 | generateLocal :: MonadIO m => SpmStyle -> m MailLocal |
206 | generateLocal SpmWords = fmap (review _Wrapped . CI.mk) . liftIO $ do | 209 | generateLocal SpmWords = fmap (review _Wrapped . CI.mk) . liftIO $ do |
@@ -254,24 +257,23 @@ spmServer dom mbox = whoami | |||
254 | instanceId' <- view sctxInstanceId | 257 | instanceId' <- view sctxInstanceId |
255 | jwks <- view $ sctxJwkSet . _Wrapped | 258 | jwks <- view $ sctxJwkSet . _Wrapped |
256 | tokenId <- liftIO UUID.nextRandom | 259 | tokenId <- liftIO UUID.nextRandom |
257 | let claimsSet = emptyClaimsSet | 260 | let jwtClaims = (_SpmJWTLocal # local) |
258 | & claimIss ?~ (JWT.string # UUID.toText instanceId') | 261 | & claimIss ?~ (JWT.string # UUID.toText instanceId') |
259 | & claimAud ?~ Audience (pure $ dom ^. _Wrapped . to CI.original . re JWT.string) | 262 | & claimAud ?~ Audience (pure $ dom ^. _Wrapped . to CI.original . re JWT.string) |
260 | & claimNbf ?~ NumericDate t | 263 | & claimNbf ?~ NumericDate t |
261 | & claimIat ?~ NumericDate t | 264 | & claimIat ?~ NumericDate t |
262 | & claimExp ?~ NumericDate (600 `addUTCTime` t) | 265 | & claimExp ?~ NumericDate (600 `addUTCTime` t) |
263 | & claimJti ?~ UUID.toText tokenId | 266 | & claimJti ?~ UUID.toText tokenId |
264 | & unregisteredClaims . at "local" ?~ view (_Wrapped . re _JSON) local | ||
265 | spmJWT @JWT.Error err500 $ do | 267 | spmJWT @JWT.Error err500 $ do |
266 | (jwsAlg, selectedJwk) <- withExceptT (fromMaybe JWT.NoUsableKeys . getFirst) . asum $ map (\jwk' -> (, jwk') <$> withExceptT (First . Just) (bestJWSAlg jwk')) jwks | 268 | (jwsAlg, selectedJwk) <- withJOSE (fromMaybe JWT.NoUsableKeys . getFirst) . asum $ map (\jwk' -> (, jwk') <$> withJOSE (First . Just) (bestJWSAlg jwk')) jwks |
267 | signClaims selectedJwk (newJWSHeader ((), jwsAlg)) claimsSet | 269 | signJWT selectedJwk (newJWSHeader ((), jwsAlg)) jwtClaims |
268 | 270 | ||
269 | claim jwt = do | 271 | claim jwt = do |
270 | jwks <- view sctxJwkSet | 272 | jwks <- view sctxJwkSet |
271 | let validationSettings' = defaultJWTValidationSettings ((== Just dom) . fmap (review _Wrapped . CI.mk) . preview JWT.string) | 273 | let validationSettings' = defaultJWTValidationSettings ((== Just dom) . fmap (review _Wrapped . CI.mk) . preview JWT.string) |
272 | & jwtValidationSettingsAllowedSkew .~ 5 | 274 | & jwtValidationSettingsAllowedSkew .~ 5 |
273 | claims <- spmJWT @JWT.JWTError err403 $ verifyClaims validationSettings' jwks jwt | 275 | jwtClaims <- spmJWT @JWT.JWTError err403 $ verifyJWT validationSettings' jwks jwt |
274 | mailboxMappingLocal <- maybe (throwError err400{ errBody = "Claim ‘local’ missing" }) (return . Just) $ claims ^? unregisteredClaims . ix "local" . _JSON . to CI.mk . re _Wrapped | 276 | let mailboxMappingLocal = Just $ jwtClaims ^. _spmjwtLocal . _Wrapped . _Unwrapped |
275 | 277 | ||
276 | spmSql $ do | 278 | spmSql $ do |
277 | Entity mailboxMappingMailbox _ <- maybe (throwError err404) return <=< getBy $ UniqueMailbox mbox | 279 | Entity mailboxMappingMailbox _ <- maybe (throwError err404) return <=< getBy $ UniqueMailbox mbox |