feat: support qualified client id from wire clients with : as delimiter

beltram · beltram · commit aa1a6c76b177 · 2023-03-10T16:34:52.000+01:00
diff --git a/acme/src/identifier.rs b/acme/src/identifier.rs
@@ -10,7 +10,7 @@ pub enum AcmeIdentifier {
 
 impl AcmeIdentifier {
     pub fn try_new(display_name: String, domain: String, client_id: ClientId, handle: String) -> RustyAcmeResult<Self> {
-        let client_id = client_id.to_subject();
+        let client_id = client_id.to_uri();
         let identifier = WireIdentifier {
             display_name,
             domain,
diff --git a/acme/src/order.rs b/acme/src/order.rs
@@ -1,15 +1,16 @@
-use crate::prelude::*;
 use rusty_jwt_tools::prelude::*;
 
+use crate::prelude::*;
+
 // Order creation
 impl RustyAcme {
     /// create a new order
     /// see [RFC 8555 Section 7.4](https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4).
     #[allow(clippy::too_many_arguments)]
     pub fn new_order_request(
-        display_name: String,
+        display_name: &str,
         client_id: ClientId,
-        handle: String,
+        handle: &str,
         expiry: core::time::Duration,
         directory: &AcmeDirectory,
         account: &AcmeAccount,
@@ -21,7 +22,12 @@ impl RustyAcme {
         let acct_url = account.acct_url()?;
 
         let domain = client_id.domain.clone();
-        let identifiers = vec![AcmeIdentifier::try_new(display_name, domain, client_id, handle)?];
+        let identifiers = vec![AcmeIdentifier::try_new(
+            display_name.to_string(),
+            domain,
+            client_id,
+            handle.to_string(),
+        )?];
         let not_before = time::OffsetDateTime::now_utc();
         let not_after = not_before + expiry;
         let payload = AcmeOrderRequest {
@@ -231,10 +237,11 @@ pub enum AcmeOrderStatus {
 
 #[cfg(test)]
 mod tests {
-    use super::*;
     use serde_json::json;
     use wasm_bindgen_test::*;
 
+    use super::*;
+
     wasm_bindgen_test_configure!(run_in_browser);
 
     mod json {
diff --git a/cli/src/access_generate.rs b/cli/src/access_generate.rs
@@ -57,7 +57,7 @@ impl AccessGenerate {
             extra_claims: None,
         };
         let nonce: BackendNonce = self.nonce.into();
-        let client_id: ClientId = self.client_id.as_str().try_into().expect("Invalid 'client_id'");
+        let client_id = ClientId::try_from_uri(&self.client_id).expect("Invalid 'client_id'");
         let expiry = core::time::Duration::from_secs(self.expiry);
 
         let client_dpop_token =
diff --git a/cli/src/access_verify.rs b/cli/src/access_verify.rs
@@ -46,7 +46,7 @@ impl AccessVerify {
             .trim()
             .to_string();
 
-        let client_id: ClientId = self.client_id.as_str().try_into().expect("Invalid 'client_id'");
+        let client_id = ClientId::try_from_uri(&self.client_id).expect("Invalid 'client_id'");
         let challenge: AcmeNonce = self.challenge.into();
         let (_, backend_pk) = parse_public_key_pem(read_file(Some(&self.key)).unwrap());
 
diff --git a/e2e-identity/README.md b/e2e-identity/README.md
diff --git a/e2e-identity/src/lib.rs b/e2e-identity/src/lib.rs
@@ -115,16 +115,16 @@ impl RustyE2eIdentity {
     #[allow(clippy::too_many_arguments)]
     pub fn acme_new_order_request(
         &self,
-        display_name: String,
-        client_id: String,
-        handle: String,
+        display_name: &str,
+        client_id: &str,
+        handle: &str,
         expiry: core::time::Duration,
         directory: &AcmeDirectory,
         account: &E2eiAcmeAccount,
         previous_nonce: String,
     ) -> E2eIdentityResult<Json> {
         let account = serde_json::from_value(account.clone().into())?;
-        let client_id = ClientId::try_from_qualified(client_id.as_str())?;
+        let client_id = ClientId::try_from_qualified(client_id)?;
         let order_req = RustyAcme::new_order_request(
             display_name,
             client_id,
diff --git a/e2e-identity/tests/api.rs b/e2e-identity/tests/api.rs
@@ -20,7 +20,7 @@ fn e2e_api() {
         let user_id = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(user_id.to_string());
         let client_id = random::<u64>();
         let domain = "example.org";
-        let qualified_client_id = format!("{user_id}/{client_id:x}@{domain}");
+        let qualified_client_id = format!("{user_id}:{client_id:x}@{domain}");
 
         let display_name = "Smith, Alice M (QA)".to_string();
         let qualified_handle = format!("alice.smith.qa@{domain}");
@@ -73,9 +73,9 @@ fn e2e_api() {
             let expiry = core::time::Duration::from_secs(3600); // 1h
             let _order_request = enrollment
                 .acme_new_order_request(
-                    display_name,
-                    qualified_client_id.clone(),
-                    qualified_handle,
+                    &display_name,
+                    &qualified_client_id,
+                    &qualified_handle,
                     expiry,
                     &directory,
                     &account,
diff --git a/e2e-identity/tests/utils/cfg.rs b/e2e-identity/tests/utils/cfg.rs
@@ -108,7 +108,7 @@ impl<'a> E2eTest<'a> {
                 email: email.to_string(),
                 password: password.to_string(),
                 domain: domain.to_string(),
-                sub: sub.to_subject(),
+                sub: sub.to_uri(),
             },
             dex_cfg: DexCfg {
                 host: dex_host,
diff --git a/e2e-identity/tests/utils/fmk.rs b/e2e-identity/tests/utils/fmk.rs
@@ -136,9 +136,9 @@ impl<'a> E2eTest<'a> {
         self.display_step("create a new order");
         let expiry = core::time::Duration::from_secs(3600); // 1h
         let order_request = RustyAcme::new_order_request(
-            self.display_name.clone(),
+            &self.display_name,
             self.sub.clone(),
-            self.handle.clone(),
+            &self.handle,
             expiry,
             directory,
             account,
@@ -267,7 +267,7 @@ impl<'a> E2eTest<'a> {
         let b64 = |v: &str| base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(v);
 
         // cheat to share test context
-        ctx_store("client-id", self.sub.to_subject());
+        ctx_store("client-id", self.sub.to_uri());
         ctx_store("backend-kp", self.backend_kp.to_string());
         ctx_store("hash-alg", self.hash_alg.to_string());
         ctx_store("wire-server-uri", self.wire_server_uri());
diff --git a/e2e-identity/tests/utils/wire_server/server_api.rs b/e2e-identity/tests/utils/wire_server/server_api.rs
@@ -47,7 +47,7 @@ pub async fn wire_api(req: Request<Body>) -> Result<Response<Body>, hyper::Error
 
 fn generate_access_token(dpop: &str, nonce: BackendNonce) -> serde_json::Value {
     let client_id = ctx_get("client-id").unwrap();
-    let client_id: ClientId = client_id.as_str().try_into().unwrap();
+    let client_id = ClientId::try_from_uri(&client_id).unwrap();
     let backend_kp: Pem = ctx_get("backend-kp").unwrap().into();
     let hash_alg: HashAlgorithm = ctx_get("hash-alg").unwrap().parse().unwrap();
     let htu: Htu = ctx_get("wire-server-uri").unwrap().as_str().try_into().unwrap();
diff --git a/jwt/src/access/generate.rs b/jwt/src/access/generate.rs
@@ -95,7 +95,7 @@ impl RustyJwtTools {
                 challenge: proof_claims.custom.challenge,
                 cnf,
                 proof: proof.to_string(),
-                client_id: client_id.to_subject(),
+                client_id: client_id.to_uri(),
                 api_version: Access::WIRE_SERVER_API_VERSION,
                 scope: Access::DEFAULT_SCOPE.to_string(),
                 extra_claims: proof_claims.custom.extra_claims,
@@ -364,8 +364,8 @@ mod tests {
 
                 let backend_key = JwtKey::from((ciphersuite.key.alg, backend_key));
                 let claims = backend_key.claims::<Access>(&token);
-                assert_eq!(claims.subject, Some(sub.to_subject()));
-                assert_eq!(claims.custom.client_id, sub.to_subject());
+                assert_eq!(claims.subject, Some(sub.to_uri()));
+                assert_eq!(claims.custom.client_id, sub.to_uri());
             }
 
             #[apply(all_ciphersuites)]
diff --git a/jwt/src/access/mod.rs b/jwt/src/access/mod.rs
@@ -65,7 +65,7 @@ impl Access {
         let exp = Duration::from_secs(Self::EXP);
         Claims::with_custom_claims(self, exp)
             .with_jwt_id(new_jti())
-            .with_subject(client_id.to_subject())
+            .with_subject(client_id.to_uri())
             .with_nonce(nonce.to_string())
             .with_issuer(issuer)
             .with_audience(audience)
diff --git a/jwt/src/dpop/generate.rs b/jwt/src/dpop/generate.rs
@@ -463,7 +463,7 @@ pub mod tests {
             .unwrap();
             let claims = key.claims::<Dpop>(&token);
             assert!(claims.subject.is_some());
-            assert_eq!(claims.subject.unwrap(), client_id.to_subject())
+            assert_eq!(claims.subject.unwrap(), client_id.to_uri())
         }
 
         #[apply(all_keys)]
diff --git a/jwt/src/dpop/mod.rs b/jwt/src/dpop/mod.rs
@@ -51,6 +51,6 @@ impl Dpop {
         Claims::with_custom_claims(self, expiry)
             .with_jwt_id(new_jti())
             .with_nonce(nonce.to_string())
-            .with_subject(client_id.to_subject())
+            .with_subject(client_id.to_uri())
     }
 }
diff --git a/jwt/src/jwt/verify.rs b/jwt/src/jwt/verify.rs
@@ -22,7 +22,7 @@ impl From<&Verify<'_>> for VerificationOptions {
         Self {
             accept_future: false,
             required_key_id: None, // we don't verify 'jti', just enforce its presence
-            required_subject: Some(v.client_id.to_subject()),
+            required_subject: Some(v.client_id.to_uri()),
             required_nonce: v.backend_nonce.map(|n| n.to_string()),
             time_tolerance: Some(UnixTimeStamp::from_secs(v.leeway as u64)),
             ..Default::default()
diff --git a/jwt/src/model/client_id.rs b/jwt/src/model/client_id.rs
diff --git a/jwt/src/test_utils/access.rs b/jwt/src/test_utils/access.rs
diff --git a/jwt/src/test_utils/dpop.rs b/jwt/src/test_utils/dpop.rs
