commit 8d4321ea1ae5ba1ef06828ed162f09a1e2525725 Author: Ultradesu Date: Tue May 5 13:10:16 2026 +0100 Init diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..75301bb --- /dev/null +++ b/.dockerignore @@ -0,0 +1,4 @@ +target/ +.git/ +AUTH_PROXY_SPEC.md +routes.yaml diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml new file mode 100644 index 0000000..f38c35f --- /dev/null +++ b/.github/workflows/build-and-publish.yml @@ -0,0 +1,58 @@ +name: Build and Publish + +on: + push: + branches: + - master + - main + tags: + - 'v*.*.*' + +env: + IMAGE_NAME: ultradesu/rsauth2-proxy + +jobs: + build_docker: + name: Build and Publish Docker Image + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Extract metadata + id: meta + run: | + VERSION=$(grep '^version' Cargo.toml | head -1 | cut -d'"' -f2) + echo "cargo_version=${VERSION}" >> $GITHUB_OUTPUT + + if [[ "${{ github.ref }}" == refs/tags/* ]]; then + TAG_NAME=${GITHUB_REF#refs/tags/} + echo "docker_tags=${IMAGE_NAME}:${TAG_NAME},${IMAGE_NAME}:${VERSION},${IMAGE_NAME}:latest" >> $GITHUB_OUTPUT + elif [[ "${{ github.ref }}" == refs/heads/* ]]; then + BRANCH=${GITHUB_REF#refs/heads/} + echo "docker_tags=${IMAGE_NAME}:${BRANCH},${IMAGE_NAME}:${VERSION},${IMAGE_NAME}:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + else + echo "docker_tags=${IMAGE_NAME}:$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + fi + + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.docker_tags }} + cache-from: type=registry,ref=${{ IMAGE_NAME }}:buildcache + cache-to: type=registry,ref=${{ IMAGE_NAME }}:buildcache,mode=max diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d9d5b66 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +/target/ +routes.yaml +AUTH_PROXY_SPEC.md diff --git a/Cargo.lock b/Cargo.lock new file mode 100644 index 0000000..6bccf50 --- /dev/null +++ b/Cargo.lock @@ -0,0 +1,2390 @@ +# This file is automatically @generated by Cargo. +# It is not intended for manual editing. +version = 4 + +[[package]] +name = "aead" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d122413f284cf2d62fb1b7db97e02edb8cda96d769b16e443a4f6195e35662b0" +dependencies = [ + "crypto-common", + "generic-array", +] + +[[package]] +name = "aes" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b169f7a6d4742236a0a00c541b845991d0ac43e546831af1249753ab4c3aa3a0" +dependencies = [ + "cfg-if", + "cipher", + "cpufeatures", +] + +[[package]] +name = "aes-gcm" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "831010a0f742e1209b3bcea8fab6a8e149051ba6099432c8cb2cc117dec3ead1" +dependencies = [ + "aead", + "aes", + "cipher", + "ctr", + "ghash", + "subtle", +] + +[[package]] +name = "ahash" +version = "0.8.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75" +dependencies = [ + "cfg-if", + "once_cell", + "version_check", + "zerocopy", +] + +[[package]] +name = "aho-corasick" +version = "1.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ddd31a130427c27518df266943a5308ed92d4b226cc639f5a8f1002816174301" +dependencies = [ + "memchr", +] + +[[package]] +name = "anyhow" +version = "1.0.102" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" + +[[package]] +name = "async-trait" +version = "0.1.89" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "atomic-waker" +version = "1.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" + +[[package]] +name = "autocfg" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8" + +[[package]] +name = "axum" +version = "0.7.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "edca88bc138befd0323b20752846e6587272d3b03b0343c8ea28a6f819e6e71f" +dependencies = [ + "async-trait", + "axum-core", + "bytes", + "futures-util", + "http", + "http-body", + "http-body-util", + "hyper", + "hyper-util", + "itoa", + "matchit", + "memchr", + "mime", + "percent-encoding", + "pin-project-lite", + "rustversion", + "serde", + "serde_json", + "serde_path_to_error", + "serde_urlencoded", + "sync_wrapper", + "tokio", + "tower", + "tower-layer", + "tower-service", + "tracing", +] + +[[package]] +name = "axum-core" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09f2bd6146b97ae3359fa0cc6d6b376d9539582c7b4220f041a33ec24c226199" +dependencies = [ + "async-trait", + "bytes", + "futures-util", + "http", + "http-body", + "http-body-util", + "mime", + "pin-project-lite", + "rustversion", + "sync_wrapper", + "tower-layer", + "tower-service", + "tracing", +] + +[[package]] +name = "base64" +version = "0.22.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" + +[[package]] +name = "base64ct" +version = "1.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" + +[[package]] +name = "bitflags" +version = "2.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3" + +[[package]] +name = "block-buffer" +version = "0.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71" +dependencies = [ + "generic-array", +] + +[[package]] +name = "bumpalo" +version = "3.20.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb" + +[[package]] +name = "bytes" +version = "1.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33" + +[[package]] +name = "cc" +version = "1.2.61" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d" +dependencies = [ + "find-msvc-tools", + "shlex", +] + +[[package]] +name = "cfg-if" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801" + +[[package]] +name = "cfg_aliases" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" + +[[package]] +name = "cipher" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "773f3b9af64447d2ce9850330c473515014aa235e6a783b02db81ff39e4a3dad" +dependencies = [ + "crypto-common", + "inout", +] + +[[package]] +name = "const-oid" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" + +[[package]] +name = "cpufeatures" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280" +dependencies = [ + "libc", +] + +[[package]] +name = "crossbeam-epoch" +version = "0.9.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5b82ac4a3c2ca9c3460964f020e1402edd5753411d7737aa39c3714ad1b5420e" +dependencies = [ + "crossbeam-utils", +] + +[[package]] +name = "crossbeam-utils" +version = "0.8.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" + +[[package]] +name = "crypto-common" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a" +dependencies = [ + "generic-array", + "rand_core 0.6.4", + "typenum", +] + +[[package]] +name = "ctr" +version = "0.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0369ee1ad671834580515889b80f2ea915f23b8be8d0daa4bbaf2ac5c7590835" +dependencies = [ + "cipher", +] + +[[package]] +name = "der" +version = "0.7.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb" +dependencies = [ + "const-oid", + "pem-rfc7468", + "zeroize", +] + +[[package]] +name = "deranged" +version = "0.5.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c" +dependencies = [ + "powerfmt", +] + +[[package]] +name = "digest" +version = "0.10.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292" +dependencies = [ + "block-buffer", + "const-oid", + "crypto-common", +] + +[[package]] +name = "displaydoc" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "equivalent" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" + +[[package]] +name = "errno" +version = "0.3.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" +dependencies = [ + "libc", + "windows-sys 0.61.2", +] + +[[package]] +name = "fastrand" +version = "2.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6" + +[[package]] +name = "find-msvc-tools" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" + +[[package]] +name = "form_urlencoded" +version = "1.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb4cb245038516f5f85277875cdaa4f7d2c9a0fa0468de06ed190163b1581fcf" +dependencies = [ + "percent-encoding", +] + +[[package]] +name = "futures-channel" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" +dependencies = [ + "futures-core", +] + +[[package]] +name = "futures-core" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7e3450815272ef58cec6d564423f6e755e25379b217b0bc688e295ba24df6b1d" + +[[package]] +name = "futures-task" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393" + +[[package]] +name = "futures-util" +version = "0.3.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "389ca41296e6190b48053de0321d02a77f32f8a5d2461dd38762c0593805c6d6" +dependencies = [ + "futures-core", + "futures-task", + "pin-project-lite", + "slab", +] + +[[package]] +name = "generic-array" +version = "0.14.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a" +dependencies = [ + "typenum", + "version_check", +] + +[[package]] +name = "getrandom" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0" +dependencies = [ + "cfg-if", + "js-sys", + "libc", + "wasi", + "wasm-bindgen", +] + +[[package]] +name = "getrandom" +version = "0.3.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd" +dependencies = [ + "cfg-if", + "js-sys", + "libc", + "r-efi", + "wasip2", + "wasm-bindgen", +] + +[[package]] +name = "ghash" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0d8a4362ccb29cb0b265253fb0a2728f592895ee6854fd9bc13f2ffda266ff1" +dependencies = [ + "opaque-debug", + "polyval", +] + +[[package]] +name = "hashbrown" +version = "0.14.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" +dependencies = [ + "ahash", +] + +[[package]] +name = "hashbrown" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4f467dd6dccf739c208452f8014c75c18bb8301b050ad1cfb27153803edb0f51" + +[[package]] +name = "hermit-abi" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fc0fef456e4baa96da950455cd02c081ca953b141298e41db3fc7e36b1da849c" + +[[package]] +name = "http" +version = "1.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a" +dependencies = [ + "bytes", + "itoa", +] + +[[package]] +name = "http-body" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184" +dependencies = [ + "bytes", + "http", +] + +[[package]] +name = "http-body-util" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b021d93e26becf5dc7e1b75b1bed1fd93124b374ceb73f43d4d4eafec896a64a" +dependencies = [ + "bytes", + "futures-core", + "http", + "http-body", + "pin-project-lite", +] + +[[package]] +name = "httparse" +version = "1.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87" + +[[package]] +name = "httpdate" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" + +[[package]] +name = "hyper" +version = "1.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6299f016b246a94207e63da54dbe807655bf9e00044f73ded42c3ac5305fbcca" +dependencies = [ + "atomic-waker", + "bytes", + "futures-channel", + "futures-core", + "http", + "http-body", + "httparse", + "httpdate", + "itoa", + "pin-project-lite", + "smallvec", + "tokio", + "want", +] + +[[package]] +name = "hyper-rustls" +version = "0.27.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "33ca68d021ef39cf6463ab54c1d0f5daf03377b70561305bb89a8f83aab66e0f" +dependencies = [ + "http", + "hyper", + "hyper-util", + "rustls", + "tokio", + "tokio-rustls", + "tower-service", + "webpki-roots", +] + +[[package]] +name = "hyper-util" +version = "0.1.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "96547c2556ec9d12fb1578c4eaf448b04993e7fb79cbaad930a656880a6bdfa0" +dependencies = [ + "base64", + "bytes", + "futures-channel", + "futures-util", + "http", + "http-body", + "hyper", + "ipnet", + "libc", + "percent-encoding", + "pin-project-lite", + "socket2", + "tokio", + "tower-service", + "tracing", +] + +[[package]] +name = "icu_collections" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2984d1cd16c883d7935b9e07e44071dca8d917fd52ecc02c04d5fa0b5a3f191c" +dependencies = [ + "displaydoc", + "potential_utf", + "utf8_iter", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locale_core" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92219b62b3e2b4d88ac5119f8904c10f8f61bf7e95b640d25ba3075e6cac2c29" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_normalizer" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c56e5ee99d6e3d33bd91c5d85458b6005a22140021cc324cea84dd0e72cff3b4" +dependencies = [ + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da3be0ae77ea334f4da67c12f149704f19f81d1adf7c51cf482943e84a2bad38" + +[[package]] +name = "icu_properties" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bee3b67d0ea5c2cca5003417989af8996f8604e34fb9ddf96208a033901e70de" +dependencies = [ + "icu_collections", + "icu_locale_core", + "icu_properties_data", + "icu_provider", + "zerotrie", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e2bbb201e0c04f7b4b3e14382af113e17ba4f63e2c9d2ee626b720cbce54a14" + +[[package]] +name = "icu_provider" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "139c4cf31c8b5f33d7e199446eff9c1e02decfc2f0eec2c8d71f65befa45b421" +dependencies = [ + "displaydoc", + "icu_locale_core", + "writeable", + "yoke", + "zerofrom", + "zerotrie", + "zerovec", +] + +[[package]] +name = "idna" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3b0875f23caa03898994f6ddc501886a45c7d3d62d04d2d90788d47be1b1e4de" +dependencies = [ + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb68373c0d6620ef8105e855e7745e18b0d00d3bdb07fb532e434244cdb9a714" +dependencies = [ + "icu_normalizer", + "icu_properties", +] + +[[package]] +name = "indexmap" +version = "2.14.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9" +dependencies = [ + "equivalent", + "hashbrown 0.17.0", +] + +[[package]] +name = "inout" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01" +dependencies = [ + "generic-array", +] + +[[package]] +name = "ipnet" +version = "2.12.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" + +[[package]] +name = "iri-string" +version = "0.7.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "25e659a4bb38e810ebc252e53b5814ff908a8c58c2a9ce2fae1bbec24cbf4e20" +dependencies = [ + "memchr", + "serde", +] + +[[package]] +name = "itoa" +version = "1.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8f42a60cbdf9a97f5d2305f08a87dc4e09308d1276d28c869c684d7777685682" + +[[package]] +name = "js-sys" +version = "0.3.97" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a1840c94c045fbcf8ba2812c95db44499f7c64910a912551aaaa541decebcacf" +dependencies = [ + "cfg-if", + "futures-util", + "once_cell", + "wasm-bindgen", +] + +[[package]] +name = "jsonwebtoken" +version = "9.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde" +dependencies = [ + "base64", + "js-sys", + "pem", + "ring", + "serde", + "serde_json", + "simple_asn1", +] + +[[package]] +name = "lazy_static" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" +dependencies = [ + "spin", +] + +[[package]] +name = "libc" +version = "0.2.186" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66" + +[[package]] +name = "libm" +version = "0.2.16" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981" + +[[package]] +name = "linux-raw-sys" +version = "0.12.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53" + +[[package]] +name = "litemap" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92daf443525c4cce67b150400bc2316076100ce0b3686209eb8cf3c31612e6f0" + +[[package]] +name = "lock_api" +version = "0.4.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "224399e74b87b5f3557511d98dff8b14089b3dadafcab6bb93eab67d3aace965" +dependencies = [ + "scopeguard", +] + +[[package]] +name = "log" +version = "0.4.29" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" + +[[package]] +name = "lru-slab" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "112b39cec0b298b6c1999fee3e31427f74f676e4cb9879ed1a121b43661a4154" + +[[package]] +name = "matchers" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d1525a2a28c7f4fa0fc98bb91ae755d1e2d1505079e05539e35bc876b5d65ae9" +dependencies = [ + "regex-automata", +] + +[[package]] +name = "matchit" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94" + +[[package]] +name = "memchr" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79" + +[[package]] +name = "metrics" +version = "0.23.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3045b4193fbdc5b5681f32f11070da9be3609f189a79f3390706d42587f46bb5" +dependencies = [ + "ahash", + "portable-atomic", +] + +[[package]] +name = "metrics-exporter-prometheus" +version = "0.15.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b4f0c8427b39666bf970460908b213ec09b3b350f20c0c2eabcbba51704a08e6" +dependencies = [ + "base64", + "indexmap", + "metrics", + "metrics-util", + "quanta", + "thiserror 1.0.69", +] + +[[package]] +name = "metrics-util" +version = "0.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4259040465c955f9f2f1a4a8a16dc46726169bca0f88e8fb2dbeced487c3e828" +dependencies = [ + "crossbeam-epoch", + "crossbeam-utils", + "hashbrown 0.14.5", + "metrics", + "num_cpus", + "quanta", + "sketches-ddsketch", +] + +[[package]] +name = "mime" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a" + +[[package]] +name = "mio" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1" +dependencies = [ + "libc", + "wasi", + "windows-sys 0.61.2", +] + +[[package]] +name = "nu-ansi-term" +version = "0.50.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" +dependencies = [ + "windows-sys 0.61.2", +] + +[[package]] +name = "num-bigint" +version = "0.4.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9" +dependencies = [ + "num-integer", + "num-traits", +] + +[[package]] +name = "num-bigint-dig" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e661dda6640fad38e827a6d4a310ff4763082116fe217f279885c97f511bb0b7" +dependencies = [ + "lazy_static", + "libm", + "num-integer", + "num-iter", + "num-traits", + "rand 0.8.6", + "smallvec", + "zeroize", +] + +[[package]] +name = "num-conv" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c6673768db2d862beb9b39a78fdcb1a69439615d5794a1be50caa9bc92c81967" + +[[package]] +name = "num-integer" +version = "0.1.46" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7969661fd2958a5cb096e56c8e1ad0444ac2bbcd0061bd28660485a44879858f" +dependencies = [ + "num-traits", +] + +[[package]] +name = "num-iter" +version = "0.1.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1429034a0490724d0075ebb2bc9e875d6503c3cf69e235a8941aa757d83ef5bf" +dependencies = [ + "autocfg", + "num-integer", + "num-traits", +] + +[[package]] +name = "num-traits" +version = "0.2.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" +dependencies = [ + "autocfg", + "libm", +] + +[[package]] +name = "num_cpus" +version = "1.17.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91df4bbde75afed763b708b7eee1e8e7651e02d97f6d5dd763e89367e957b23b" +dependencies = [ + "hermit-abi", + "libc", +] + +[[package]] +name = "once_cell" +version = "1.21.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50" + +[[package]] +name = "opaque-debug" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" + +[[package]] +name = "parking_lot" +version = "0.12.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93857453250e3077bd71ff98b6a65ea6621a19bb0f559a85248955ac12c45a1a" +dependencies = [ + "lock_api", + "parking_lot_core", +] + +[[package]] +name = "parking_lot_core" +version = "0.9.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2621685985a2ebf1c516881c026032ac7deafcda1a2c9b7850dc81e3dfcb64c1" +dependencies = [ + "cfg-if", + "libc", + "redox_syscall", + "smallvec", + "windows-link", +] + +[[package]] +name = "pem" +version = "3.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be" +dependencies = [ + "base64", + "serde_core", +] + +[[package]] +name = "pem-rfc7468" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" +dependencies = [ + "base64ct", +] + +[[package]] +name = "percent-encoding" +version = "2.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" + +[[package]] +name = "pin-project-lite" +version = "0.2.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a89322df9ebe1c1578d689c92318e070967d1042b512afbe49518723f4e6d5cd" + +[[package]] +name = "pkcs1" +version = "0.7.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8ffb9f10fa047879315e6625af03c164b16962a5368d724ed16323b68ace47f" +dependencies = [ + "der", + "pkcs8", + "spki", +] + +[[package]] +name = "pkcs8" +version = "0.10.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7" +dependencies = [ + "der", + "spki", +] + +[[package]] +name = "polyval" +version = "0.6.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9d1fe60d06143b2430aa532c94cfe9e29783047f06c0d7fd359a9a51b729fa25" +dependencies = [ + "cfg-if", + "cpufeatures", + "opaque-debug", + "universal-hash", +] + +[[package]] +name = "portable-atomic" +version = "1.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49" + +[[package]] +name = "potential_utf" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0103b1cef7ec0cf76490e969665504990193874ea05c85ff9bab8b911d0a0564" +dependencies = [ + "zerovec", +] + +[[package]] +name = "powerfmt" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" + +[[package]] +name = "ppv-lite86" +version = "0.2.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85eae3c4ed2f50dcfe72643da4befc30deadb458a9b590d720cde2f2b1e97da9" +dependencies = [ + "zerocopy", +] + +[[package]] +name = "proc-macro2" +version = "1.0.106" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "quanta" +version = "0.12.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3ab5a9d756f0d97bdc89019bd2e4ea098cf9cde50ee7564dde6b81ccc8f06c7" +dependencies = [ + "crossbeam-utils", + "libc", + "once_cell", + "raw-cpuid", + "wasi", + "web-sys", + "winapi", +] + +[[package]] +name = "quinn" +version = "0.11.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b9e20a958963c291dc322d98411f541009df2ced7b5a4f2bd52337638cfccf20" +dependencies = [ + "bytes", + "cfg_aliases", + "pin-project-lite", + "quinn-proto", + "quinn-udp", + "rustc-hash", + "rustls", + "socket2", + "thiserror 2.0.18", + "tokio", + "tracing", + "web-time", +] + +[[package]] +name = "quinn-proto" +version = "0.11.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "434b42fec591c96ef50e21e886936e66d3cc3f737104fdb9b737c40ffb94c098" +dependencies = [ + "bytes", + "getrandom 0.3.4", + "lru-slab", + "rand 0.9.4", + "ring", + "rustc-hash", + "rustls", + "rustls-pki-types", + "slab", + "thiserror 2.0.18", + "tinyvec", + "tracing", + "web-time", +] + +[[package]] +name = "quinn-udp" +version = "0.5.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "addec6a0dcad8a8d96a771f815f0eaf55f9d1805756410b39f5fa81332574cbd" +dependencies = [ + "cfg_aliases", + "libc", + "once_cell", + "socket2", + "tracing", + "windows-sys 0.60.2", +] + +[[package]] +name = "quote" +version = "1.0.45" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924" +dependencies = [ + "proc-macro2", +] + +[[package]] +name = "r-efi" +version = "5.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f" + +[[package]] +name = "rand" +version = "0.8.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5ca0ecfa931c29007047d1bc58e623ab12e5590e8c7cc53200d5202b69266d8a" +dependencies = [ + "libc", + "rand_chacha 0.3.1", + "rand_core 0.6.4", +] + +[[package]] +name = "rand" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea" +dependencies = [ + "rand_chacha 0.9.0", + "rand_core 0.9.5", +] + +[[package]] +name = "rand_chacha" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88" +dependencies = [ + "ppv-lite86", + "rand_core 0.6.4", +] + +[[package]] +name = "rand_chacha" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb" +dependencies = [ + "ppv-lite86", + "rand_core 0.9.5", +] + +[[package]] +name = "rand_core" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c" +dependencies = [ + "getrandom 0.2.17", +] + +[[package]] +name = "rand_core" +version = "0.9.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "76afc826de14238e6e8c374ddcc1fa19e374fd8dd986b0d2af0d02377261d83c" +dependencies = [ + "getrandom 0.3.4", +] + +[[package]] +name = "raw-cpuid" +version = "11.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "498cd0dc59d73224351ee52a95fee0f1a617a2eae0e7d9d720cc622c73a54186" +dependencies = [ + "bitflags", +] + +[[package]] +name = "redox_syscall" +version = "0.5.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ed2bf2547551a7053d6fdfafda3f938979645c44812fbfcda098faae3f1a362d" +dependencies = [ + "bitflags", +] + +[[package]] +name = "regex-automata" +version = "0.4.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f" +dependencies = [ + "aho-corasick", + "memchr", + "regex-syntax", +] + +[[package]] +name = "regex-syntax" +version = "0.8.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a" + +[[package]] +name = "reqwest" +version = "0.12.28" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147" +dependencies = [ + "base64", + "bytes", + "futures-core", + "http", + "http-body", + "http-body-util", + "hyper", + "hyper-rustls", + "hyper-util", + "js-sys", + "log", + "percent-encoding", + "pin-project-lite", + "quinn", + "rustls", + "rustls-pki-types", + "serde", + "serde_json", + "serde_urlencoded", + "sync_wrapper", + "tokio", + "tokio-rustls", + "tower", + "tower-http", + "tower-service", + "url", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", + "webpki-roots", +] + +[[package]] +name = "ring" +version = "0.17.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" +dependencies = [ + "cc", + "cfg-if", + "getrandom 0.2.17", + "libc", + "untrusted", + "windows-sys 0.52.0", +] + +[[package]] +name = "rsa" +version = "0.9.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8573f03f5883dcaebdfcf4725caa1ecb9c15b2ef50c43a07b816e06799bb12d" +dependencies = [ + "const-oid", + "digest", + "num-bigint-dig", + "num-integer", + "num-traits", + "pkcs1", + "pkcs8", + "rand_core 0.6.4", + "signature", + "spki", + "subtle", + "zeroize", +] + +[[package]] +name = "rsauth2-proxy" +version = "0.1.0" +dependencies = [ + "aes-gcm", + "anyhow", + "axum", + "base64", + "jsonwebtoken", + "metrics", + "metrics-exporter-prometheus", + "rand 0.8.6", + "reqwest", + "rsa", + "serde", + "serde_json", + "serde_yaml", + "sha2", + "tempfile", + "tokio", + "tower", + "tracing", + "tracing-subscriber", + "url", +] + +[[package]] +name = "rustc-hash" +version = "2.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe" + +[[package]] +name = "rustix" +version = "1.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190" +dependencies = [ + "bitflags", + "errno", + "libc", + "linux-raw-sys", + "windows-sys 0.61.2", +] + +[[package]] +name = "rustls" +version = "0.23.40" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef86cd5876211988985292b91c96a8f2d298df24e75989a43a3c73f2d4d8168b" +dependencies = [ + "once_cell", + "ring", + "rustls-pki-types", + "rustls-webpki", + "subtle", + "zeroize", +] + +[[package]] +name = "rustls-pki-types" +version = "1.14.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30a7197ae7eb376e574fe940d068c30fe0462554a3ddbe4eca7838e049c937a9" +dependencies = [ + "web-time", + "zeroize", +] + +[[package]] +name = "rustls-webpki" +version = "0.103.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "61c429a8649f110dddef65e2a5ad240f747e85f7758a6bccc7e5777bd33f756e" +dependencies = [ + "ring", + "rustls-pki-types", + "untrusted", +] + +[[package]] +name = "rustversion" +version = "1.0.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b39cdef0fa800fc44525c84ccb54a029961a8215f9619753635a9c0d2538d46d" + +[[package]] +name = "ryu" +version = "1.0.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9774ba4a74de5f7b1c1451ed6cd5285a32eddb5cccb8cc655a4e50009e06477f" + +[[package]] +name = "scopeguard" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49" + +[[package]] +name = "serde" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e" +dependencies = [ + "serde_core", + "serde_derive", +] + +[[package]] +name = "serde_core" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.228" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "serde_json" +version = "1.0.149" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "83fc039473c5595ace860d8c4fafa220ff474b3fc6bfdb4293327f1a37e94d86" +dependencies = [ + "itoa", + "memchr", + "serde", + "serde_core", + "zmij", +] + +[[package]] +name = "serde_path_to_error" +version = "0.1.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "10a9ff822e371bb5403e391ecd83e182e0e77ba7f6fe0160b795797109d1b457" +dependencies = [ + "itoa", + "serde", + "serde_core", +] + +[[package]] +name = "serde_urlencoded" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd" +dependencies = [ + "form_urlencoded", + "itoa", + "ryu", + "serde", +] + +[[package]] +name = "serde_yaml" +version = "0.9.34+deprecated" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47" +dependencies = [ + "indexmap", + "itoa", + "ryu", + "serde", + "unsafe-libyaml", +] + +[[package]] +name = "sha2" +version = "0.10.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283" +dependencies = [ + "cfg-if", + "cpufeatures", + "digest", +] + +[[package]] +name = "sharded-slab" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f40ca3c46823713e0d4209592e8d6e826aa57e928f09752619fc696c499637f6" +dependencies = [ + "lazy_static", +] + +[[package]] +name = "shlex" +version = "1.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" + +[[package]] +name = "signal-hook-registry" +version = "1.4.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c4db69cba1110affc0e9f7bcd48bbf87b3f4fc7c61fc9155afd4c469eb3d6c1b" +dependencies = [ + "errno", + "libc", +] + +[[package]] +name = "signature" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de" +dependencies = [ + "digest", + "rand_core 0.6.4", +] + +[[package]] +name = "simple_asn1" +version = "0.6.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d" +dependencies = [ + "num-bigint", + "num-traits", + "thiserror 2.0.18", + "time", +] + +[[package]] +name = "sketches-ddsketch" +version = "0.2.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "85636c14b73d81f541e525f585c0a2109e6744e1565b5c1668e31c70c10ed65c" + +[[package]] +name = "slab" +version = "0.4.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c790de23124f9ab44544d7ac05d60440adc586479ce501c1d6d7da3cd8c9cf5" + +[[package]] +name = "smallvec" +version = "1.15.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03" + +[[package]] +name = "socket2" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e" +dependencies = [ + "libc", + "windows-sys 0.61.2", +] + +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" + +[[package]] +name = "spki" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" +dependencies = [ + "base64ct", + "der", +] + +[[package]] +name = "stable_deref_trait" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" + +[[package]] +name = "subtle" +version = "2.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" + +[[package]] +name = "syn" +version = "2.0.117" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99" +dependencies = [ + "proc-macro2", + "quote", + "unicode-ident", +] + +[[package]] +name = "sync_wrapper" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0bf256ce5efdfa370213c1dabab5935a12e49f2c58d15e9eac2870d3b4f27263" +dependencies = [ + "futures-core", +] + +[[package]] +name = "synstructure" +version = "0.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "728a70f3dbaf5bab7f0c4b1ac8d7ae5ea60a4b5549c8a5914361c99147a709d2" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "tempfile" +version = "3.27.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd" +dependencies = [ + "fastrand", + "getrandom 0.3.4", + "once_cell", + "rustix", + "windows-sys 0.61.2", +] + +[[package]] +name = "thiserror" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52" +dependencies = [ + "thiserror-impl 1.0.69", +] + +[[package]] +name = "thiserror" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4" +dependencies = [ + "thiserror-impl 2.0.18", +] + +[[package]] +name = "thiserror-impl" +version = "1.0.69" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "thiserror-impl" +version = "2.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "thread_local" +version = "1.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f60246a4944f24f6e018aa17cdeffb7818b76356965d03b07d6a9886e8962185" +dependencies = [ + "cfg-if", +] + +[[package]] +name = "time" +version = "0.3.47" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c" +dependencies = [ + "deranged", + "itoa", + "num-conv", + "powerfmt", + "serde_core", + "time-core", + "time-macros", +] + +[[package]] +name = "time-core" +version = "0.1.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca" + +[[package]] +name = "time-macros" +version = "0.2.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215" +dependencies = [ + "num-conv", + "time-core", +] + +[[package]] +name = "tinystr" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8323304221c2a851516f22236c5722a72eaa19749016521d6dff0824447d96d" +dependencies = [ + "displaydoc", + "zerovec", +] + +[[package]] +name = "tinyvec" +version = "1.11.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3e61e67053d25a4e82c844e8424039d9745781b3fc4f32b8d55ed50f5f667ef3" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" + +[[package]] +name = "tokio" +version = "1.52.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "110a78583f19d5cdb2c5ccf321d1290344e71313c6c37d43520d386027d18386" +dependencies = [ + "bytes", + "libc", + "mio", + "parking_lot", + "pin-project-lite", + "signal-hook-registry", + "socket2", + "tokio-macros", + "windows-sys 0.61.2", +] + +[[package]] +name = "tokio-macros" +version = "2.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "385a6cb71ab9ab790c5fe8d67f1645e6c450a7ce006a33de03daa956cf70a496" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "tokio-rustls" +version = "0.26.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61" +dependencies = [ + "rustls", + "tokio", +] + +[[package]] +name = "tower" +version = "0.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ebe5ef63511595f1344e2d5cfa636d973292adc0eec1f0ad45fae9f0851ab1d4" +dependencies = [ + "futures-core", + "futures-util", + "pin-project-lite", + "sync_wrapper", + "tokio", + "tower-layer", + "tower-service", + "tracing", +] + +[[package]] +name = "tower-http" +version = "0.6.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8" +dependencies = [ + "bitflags", + "bytes", + "futures-util", + "http", + "http-body", + "iri-string", + "pin-project-lite", + "tower", + "tower-layer", + "tower-service", +] + +[[package]] +name = "tower-layer" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "121c2a6cda46980bb0fcd1647ffaf6cd3fc79a013de288782836f6df9c48780e" + +[[package]] +name = "tower-service" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3" + +[[package]] +name = "tracing" +version = "0.1.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "63e71662fa4b2a2c3a26f570f037eb95bb1f85397f3cd8076caed2f026a6d100" +dependencies = [ + "log", + "pin-project-lite", + "tracing-attributes", + "tracing-core", +] + +[[package]] +name = "tracing-attributes" +version = "0.1.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7490cfa5ec963746568740651ac6781f701c9c5ea257c58e057f3ba8cf69e8da" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "tracing-core" +version = "0.1.36" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db97caf9d906fbde555dd62fa95ddba9eecfd14cb388e4f491a66d74cd5fb79a" +dependencies = [ + "once_cell", + "valuable", +] + +[[package]] +name = "tracing-log" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3" +dependencies = [ + "log", + "once_cell", + "tracing-core", +] + +[[package]] +name = "tracing-subscriber" +version = "0.3.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cb7f578e5945fb242538965c2d0b04418d38ec25c79d160cd279bf0731c8d319" +dependencies = [ + "matchers", + "nu-ansi-term", + "once_cell", + "regex-automata", + "sharded-slab", + "smallvec", + "thread_local", + "tracing", + "tracing-core", + "tracing-log", +] + +[[package]] +name = "try-lock" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" + +[[package]] +name = "typenum" +version = "1.20.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de" + +[[package]] +name = "unicode-ident" +version = "1.0.24" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" + +[[package]] +name = "universal-hash" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fc1de2c688dc15305988b563c3854064043356019f97a4b46276fe734c4f07ea" +dependencies = [ + "crypto-common", + "subtle", +] + +[[package]] +name = "unsafe-libyaml" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861" + +[[package]] +name = "untrusted" +version = "0.9.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" + +[[package]] +name = "url" +version = "2.5.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff67a8a4397373c3ef660812acab3268222035010ab8680ec4215f38ba3d0eed" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", + "serde", +] + +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + +[[package]] +name = "valuable" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65" + +[[package]] +name = "version_check" +version = "0.9.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" + +[[package]] +name = "want" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e" +dependencies = [ + "try-lock", +] + +[[package]] +name = "wasi" +version = "0.11.1+wasi-snapshot-preview1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" + +[[package]] +name = "wasip2" +version = "1.0.3+wasi-0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6" +dependencies = [ + "wit-bindgen", +] + +[[package]] +name = "wasm-bindgen" +version = "0.2.120" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "df52b6d9b87e0c74c9edfa1eb2d9bf85e5d63515474513aa50fa181b3c4f5db1" +dependencies = [ + "cfg-if", + "once_cell", + "rustversion", + "wasm-bindgen-macro", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-futures" +version = "0.4.70" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "af934872acec734c2d80e6617bbb5ff4f12b052dd8e6332b0817bce889516084" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "wasm-bindgen-macro" +version = "0.2.120" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "78b1041f495fb322e64aca85f5756b2172e35cd459376e67f2a6c9dffcedb103" +dependencies = [ + "quote", + "wasm-bindgen-macro-support", +] + +[[package]] +name = "wasm-bindgen-macro-support" +version = "0.2.120" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9dcd0ff20416988a18ac686d4d4d0f6aae9ebf08a389ff5d29012b05af2a1b41" +dependencies = [ + "bumpalo", + "proc-macro2", + "quote", + "syn", + "wasm-bindgen-shared", +] + +[[package]] +name = "wasm-bindgen-shared" +version = "0.2.120" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49757b3c82ebf16c57d69365a142940b384176c24df52a087fb748e2085359ea" +dependencies = [ + "unicode-ident", +] + +[[package]] +name = "web-sys" +version = "0.3.97" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2eadbac71025cd7b0834f20d1fe8472e8495821b4e9801eb0a60bd1f19827602" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "web-time" +version = "1.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5a6580f308b1fad9207618087a65c04e7a10bc77e02c8e84e9b00dd4b12fa0bb" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + +[[package]] +name = "webpki-roots" +version = "1.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "52f5ee44c96cf55f1b349600768e3ece3a8f26010c05265ab73f945bb1a2eb9d" +dependencies = [ + "rustls-pki-types", +] + +[[package]] +name = "winapi" +version = "0.3.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" +dependencies = [ + "winapi-i686-pc-windows-gnu", + "winapi-x86_64-pc-windows-gnu", +] + +[[package]] +name = "winapi-i686-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" + +[[package]] +name = "winapi-x86_64-pc-windows-gnu" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" + +[[package]] +name = "windows-link" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5" + +[[package]] +name = "windows-sys" +version = "0.52.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" +dependencies = [ + "windows-targets 0.52.6", +] + +[[package]] +name = "windows-sys" +version = "0.60.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb" +dependencies = [ + "windows-targets 0.53.5", +] + +[[package]] +name = "windows-sys" +version = "0.61.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc" +dependencies = [ + "windows-link", +] + +[[package]] +name = "windows-targets" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" +dependencies = [ + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", + "windows_i686_gnullvm 0.52.6", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", +] + +[[package]] +name = "windows-targets" +version = "0.53.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4945f9f551b88e0d65f3db0bc25c33b8acea4d9e41163edf90dcd0b19f9069f3" +dependencies = [ + "windows-link", + "windows_aarch64_gnullvm 0.53.1", + "windows_aarch64_msvc 0.53.1", + "windows_i686_gnu 0.53.1", + "windows_i686_gnullvm 0.53.1", + "windows_i686_msvc 0.53.1", + "windows_x86_64_gnu 0.53.1", + "windows_x86_64_gnullvm 0.53.1", + "windows_x86_64_msvc 0.53.1", +] + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" + +[[package]] +name = "windows_aarch64_gnullvm" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a9d8416fa8b42f5c947f8482c43e7d89e73a173cead56d044f6a56104a6d1b53" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" + +[[package]] +name = "windows_aarch64_msvc" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b9d782e804c2f632e395708e99a94275910eb9100b2114651e04744e9b125006" + +[[package]] +name = "windows_i686_gnu" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" + +[[package]] +name = "windows_i686_gnu" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "960e6da069d81e09becb0ca57a65220ddff016ff2d6af6a223cf372a506593a3" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fa7359d10048f68ab8b09fa71c3daccfb0e9b559aed648a8f95469c27057180c" + +[[package]] +name = "windows_i686_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" + +[[package]] +name = "windows_i686_msvc" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e7ac75179f18232fe9c285163565a57ef8d3c89254a30685b57d83a38d326c2" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" + +[[package]] +name = "windows_x86_64_gnu" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9c3842cdd74a865a8066ab39c8a7a473c0778a3f29370b5fd6b4b9aa7df4a499" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" + +[[package]] +name = "windows_x86_64_gnullvm" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ffa179e2d07eee8ad8f57493436566c7cc30ac536a3379fdf008f47f6bb7ae1" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" + +[[package]] +name = "windows_x86_64_msvc" +version = "0.53.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6bbff5f0aada427a1e5a6da5f1f98158182f26556f345ac9e04d36d0ebed650" + +[[package]] +name = "wit-bindgen" +version = "0.57.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ebf944e87a7c253233ad6766e082e3cd714b5d03812acc24c318f549614536e" + +[[package]] +name = "writeable" +version = "0.6.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ffae5123b2d3fc086436f8834ae3ab053a283cfac8fe0a0b8eaae044768a4c4" + +[[package]] +name = "yoke" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "abe8c5fda708d9ca3df187cae8bfb9ceda00dd96231bed36e445a1a48e66f9ca" +dependencies = [ + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de844c262c8848816172cef550288e7dc6c7b7814b4ee56b3e1553f275f1858e" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + +[[package]] +name = "zerocopy" +version = "0.8.48" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9" +dependencies = [ + "zerocopy-derive", +] + +[[package]] +name = "zerocopy-derive" +version = "0.8.48" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "zerofrom" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "69faa1f2a1ea75661980b013019ed6687ed0e83d069bc1114e2cc74c6c04c4df" +dependencies = [ + "zerofrom-derive", +] + +[[package]] +name = "zerofrom-derive" +version = "0.1.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "11532158c46691caf0f2593ea8358fed6bbf68a0315e80aae9bd41fbade684a1" +dependencies = [ + "proc-macro2", + "quote", + "syn", + "synstructure", +] + +[[package]] +name = "zeroize" +version = "1.8.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0" + +[[package]] +name = "zerotrie" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0f9152d31db0792fa83f70fb2f83148effb5c1f5b8c7686c3459e361d9bc20bf" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", +] + +[[package]] +name = "zerovec" +version = "0.11.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "90f911cbc359ab6af17377d242225f4d75119aec87ea711a880987b18cd7b239" +dependencies = [ + "yoke", + "zerofrom", + "zerovec-derive", +] + +[[package]] +name = "zerovec-derive" +version = "0.11.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "625dc425cab0dca6dc3c3319506e6593dcb08a9f387ea3b284dbd52a92c40555" +dependencies = [ + "proc-macro2", + "quote", + "syn", +] + +[[package]] +name = "zmij" +version = "1.0.21" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b8848ee67ecc8aedbaf3e4122217aff892639231befc6a1b58d29fff4c2cabaa" diff --git a/Cargo.toml b/Cargo.toml new file mode 100644 index 0000000..5104eeb --- /dev/null +++ b/Cargo.toml @@ -0,0 +1,34 @@ +[package] +name = "rsauth2-proxy" +version = "0.1.0" +edition = "2021" + +[dependencies] +axum = "0.7" +tokio = { version = "1", features = ["full"] } +serde = { version = "1", features = ["derive"] } +serde_json = "1" +serde_yaml = "0.9" +reqwest = { version = "0.12", default-features = false, features = ["rustls-tls-webpki-roots", "json"] } +jsonwebtoken = "9" +aes-gcm = "0.10" +base64 = "0.22" +rand = "0.8" +sha2 = "0.10" +tracing = "0.1" +tracing-subscriber = { version = "0.3", features = ["env-filter"] } +anyhow = "1" +url = "2" +metrics = "0.23" +metrics-exporter-prometheus = { version = "0.15", default-features = false } + +[dev-dependencies] +rsa = "0.9" +tower = { version = "0.5", features = ["util"] } +tempfile = "3" + +[profile.release] +opt-level = "z" +lto = true +codegen-units = 1 +strip = true diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..d655b72 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,16 @@ +FROM rust:1-slim AS builder + +WORKDIR /app + +# Cache dependencies +COPY Cargo.toml Cargo.lock ./ +RUN mkdir src && echo "fn main() {}" > src/main.rs && \ + cargo build --release && \ + rm -rf src + +COPY src ./src +RUN touch src/main.rs && cargo build --release + +FROM gcr.io/distroless/cc-debian12 +COPY --from=builder /app/target/release/rsauth2-proxy /rsauth2-proxy +ENTRYPOINT ["/rsauth2-proxy"] diff --git a/README.md b/README.md new file mode 100644 index 0000000..b3190d5 --- /dev/null +++ b/README.md @@ -0,0 +1,224 @@ +# rsauth2-proxy + +Auth proxy for [Traefik ForwardAuth](https://doc.traefik.io/traefik/middlewares/http/forwardauth/) with Keycloak OIDC. Single instance protects all services in a cluster. Replaces oauth2-proxy. + +## How it works + +``` +Browser → Traefik → ForwardAuth (/auth) → rsauth2-proxy + ├── no session → 302 to Keycloak login + ├── valid session → 200 + user headers + └── expired session → token refresh → 302 back +``` + +Traefik calls `/auth` for every request to a protected service. The proxy checks the encrypted session cookie, verifies group membership against the route config, and returns 200 (allow), 403 (deny), or 302 (login required). + +Sessions are stored entirely in an AES-256-GCM encrypted cookie. No server-side state. Any number of replicas work without coordination. + +## Configuration + +All configuration is via environment variables. + +| Variable | Required | Default | Description | +|---|---|---|---| +| `AUTH_PROXY_OIDC_ISSUER` | yes | | OIDC issuer URL | +| `AUTH_PROXY_CLIENT_ID` | yes | | Keycloak client ID | +| `AUTH_PROXY_CLIENT_SECRET` | yes | | Keycloak client secret | +| `AUTH_PROXY_COOKIE_SECRET` | yes | | AES-256 key, 32 bytes, base64-encoded | +| `AUTH_PROXY_COOKIE_DOMAIN` | yes | | Cookie domain (e.g. `.example.com`) | +| `AUTH_PROXY_CALLBACK_URL` | yes | | Full callback URL (e.g. `https://auth.example.com/callback`) | +| `AUTH_PROXY_LISTEN` | no | `0.0.0.0:8080` | Listen address | +| `AUTH_PROXY_ROUTES_FILE` | no | `/config/routes.yaml` | Path to routes config | +| `AUTH_PROXY_LOG_LEVEL` | no | `info` | Log level (`debug`, `info`, `warn`, `error`) | + +Generate a cookie secret: + +```sh +openssl rand -base64 32 +``` + +## Routes file + +Defines which hosts are protected and which groups have access. + +```yaml +routes: + grafana.example.com: + allowed_groups: ["admins", "developers"] + + wiki.example.com: + allowed_groups: [] + # Empty list = any authenticated user + + secret.example.com: + allowed_groups: ["admins"] +``` + +Rules: +- Host in routes, `allowed_groups` empty — any authenticated user is allowed +- Host in routes, `allowed_groups` set — user must be in at least one listed group +- Host not in routes — denied (403) + +The file is polled every 5 seconds and reloaded on change. This works reliably with Kubernetes ConfigMap volume mounts. + +## Endpoints + +| Path | Purpose | +|---|---| +| `GET /auth` | ForwardAuth endpoint (called by Traefik) | +| `GET /callback` | OIDC callback (receives authorization code from Keycloak) | +| `GET /refresh` | Token refresh (transparent redirect when session expires) | +| `GET /sign_out` | Logout (clears cookie, redirects to Keycloak end_session) | +| `GET /health` | Health check (returns 200) | + +## Keycloak setup + +The proxy reads user groups from the `groups` claim in the ID token. Keycloak does not include this by default. Add a group membership mapper to the client: + +```hcl +resource "keycloak_openid_group_membership_protocol_mapper" "groups" { + realm_id = keycloak_realm.main.id + client_id = keycloak_openid_client.auth_proxy.id + name = "groups" + claim_name = "groups" + full_path = false +} +``` + +Or manually: Client Scopes → your client → Mappers → Add mapper → "Group Membership", claim name `groups`, full path off. + +## Kubernetes deployment + +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: auth-proxy + namespace: auth-proxy +spec: + replicas: 2 + selector: + matchLabels: + app: auth-proxy + template: + metadata: + labels: + app: auth-proxy + spec: + containers: + - name: auth-proxy + image: ghcr.io/your-org/rsauth2-proxy:latest + ports: + - containerPort: 8080 + envFrom: + - secretRef: + name: auth-proxy-creds + volumeMounts: + - name: routes + mountPath: /config + readOnly: true + livenessProbe: + httpGet: + path: /health + port: 8080 + readinessProbe: + httpGet: + path: /health + port: 8080 + volumes: + - name: routes + configMap: + name: auth-proxy-routes +--- +apiVersion: v1 +kind: Service +metadata: + name: auth-proxy + namespace: auth-proxy +spec: + selector: + app: auth-proxy + ports: + - port: 80 + targetPort: 8080 +``` + +### Traefik ForwardAuth middleware + +Create in each namespace that has protected services: + +```yaml +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: auth-proxy +spec: + forwardAuth: + address: http://auth-proxy.auth-proxy.svc:80/auth + trustForwardHeader: true + authResponseHeaders: + - X-Auth-Request-User + - X-Auth-Request-Email + - X-Auth-Request-Groups +``` + +### Ingress for auth-proxy itself + +The `/callback`, `/refresh`, and `/sign_out` endpoints must be reachable by browsers: + +```yaml +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: auth-proxy + namespace: auth-proxy +spec: + entryPoints: + - websecure + routes: + - match: Host(`auth.example.com`) && (Path(`/callback`) || Path(`/refresh`) || Path(`/sign_out`)) + kind: Rule + services: + - name: auth-proxy + port: 80 + tls: + secretName: auth-proxy-tls +``` + +## Building + +```sh +cargo build --release +``` + +### Docker + +```sh +docker build -t rsauth2-proxy . +``` + +Produces a static musl binary in a `FROM scratch` image (~10MB). + +## Security properties + +- **Encrypted cookies** — AES-256-GCM, not just signed. Cookie contents cannot be read or tampered with without the key. +- **PKCE (S256)** — protects the authorization code exchange against interception. +- **Stateless PKCE** — the PKCE verifier is encrypted inside the `state` parameter. No server-side storage needed. +- **No open redirect** — the redirect URL after login is encrypted in `state`, not taken from user input. +- **Deny by default** — any host not listed in routes gets 403. +- **JWT validation** — ID tokens are verified against Keycloak's JWKS (keys refreshed hourly). +- **Cookie flags** — `HttpOnly`, `Secure`, `SameSite=Lax`. + +## Response headers + +On successful authentication, the following headers are set on the request forwarded to the upstream service: + +| Header | Value | +|---|---| +| `X-Auth-Request-User` | `preferred_username` from the ID token | +| `X-Auth-Request-Email` | `email` from the ID token | +| `X-Auth-Request-Groups` | Comma-separated list of groups | + +## License + +MIT diff --git a/src/config.rs b/src/config.rs new file mode 100644 index 0000000..500c8b4 --- /dev/null +++ b/src/config.rs @@ -0,0 +1,52 @@ +use anyhow::{Context, Result}; +use base64::{engine::general_purpose::STANDARD, Engine}; + +#[derive(Clone)] +pub struct Config { + pub listen: String, + pub oidc_issuer: String, + pub client_id: String, + pub client_secret: String, + pub cookie_secret: [u8; 32], + pub cookie_domain: String, + pub routes_file: String, + pub callback_url: String, + pub log_level: String, +} + +impl Config { + pub fn from_env() -> Result { + let cookie_secret_b64 = + std::env::var("AUTH_PROXY_COOKIE_SECRET").context("AUTH_PROXY_COOKIE_SECRET required")?; + let decoded = STANDARD + .decode(&cookie_secret_b64) + .context("invalid base64 in AUTH_PROXY_COOKIE_SECRET")?; + let cookie_secret: [u8; 32] = decoded + .try_into() + .map_err(|v: Vec| anyhow::anyhow!("cookie secret must be 32 bytes, got {}", v.len()))?; + + Ok(Self { + listen: std::env::var("AUTH_PROXY_LISTEN").unwrap_or_else(|_| "0.0.0.0:8080".into()), + oidc_issuer: std::env::var("AUTH_PROXY_OIDC_ISSUER") + .context("AUTH_PROXY_OIDC_ISSUER required")?, + client_id: std::env::var("AUTH_PROXY_CLIENT_ID") + .context("AUTH_PROXY_CLIENT_ID required")?, + client_secret: std::env::var("AUTH_PROXY_CLIENT_SECRET") + .context("AUTH_PROXY_CLIENT_SECRET required")?, + cookie_secret, + cookie_domain: std::env::var("AUTH_PROXY_COOKIE_DOMAIN") + .context("AUTH_PROXY_COOKIE_DOMAIN required")?, + routes_file: std::env::var("AUTH_PROXY_ROUTES_FILE") + .unwrap_or_else(|_| "/config/routes.yaml".into()), + callback_url: std::env::var("AUTH_PROXY_CALLBACK_URL") + .context("AUTH_PROXY_CALLBACK_URL required")?, + log_level: std::env::var("AUTH_PROXY_LOG_LEVEL").unwrap_or_else(|_| "info".into()), + }) + } + + pub fn base_url(&self) -> &str { + self.callback_url + .strip_suffix("/callback") + .unwrap_or(&self.callback_url) + } +} diff --git a/src/crypto.rs b/src/crypto.rs new file mode 100644 index 0000000..7574e68 --- /dev/null +++ b/src/crypto.rs @@ -0,0 +1,107 @@ +use aes_gcm::aead::{Aead, KeyInit}; +use aes_gcm::{Aes256Gcm, Nonce}; +use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; +use rand::RngCore; + +#[derive(Clone)] +pub struct CookieCrypto { + cipher: Aes256Gcm, +} + +impl CookieCrypto { + pub fn new(key_bytes: &[u8; 32]) -> Self { + Self { + cipher: Aes256Gcm::new_from_slice(key_bytes).expect("valid 32-byte key"), + } + } + + pub fn encrypt(&self, plaintext: &[u8]) -> anyhow::Result { + let mut nonce_bytes = [0u8; 12]; + rand::thread_rng().fill_bytes(&mut nonce_bytes); + let nonce = Nonce::from_slice(&nonce_bytes); + + let ciphertext = self + .cipher + .encrypt(nonce, plaintext) + .map_err(|e| anyhow::anyhow!("encryption failed: {}", e))?; + + let mut result = Vec::with_capacity(12 + ciphertext.len()); + result.extend_from_slice(&nonce_bytes); + result.extend_from_slice(&ciphertext); + + Ok(URL_SAFE_NO_PAD.encode(&result)) + } + + pub fn decrypt(&self, encoded: &str) -> anyhow::Result> { + let data = URL_SAFE_NO_PAD.decode(encoded)?; + if data.len() < 13 { + anyhow::bail!("ciphertext too short"); + } + let (nonce_bytes, ciphertext) = data.split_at(12); + let nonce = Nonce::from_slice(nonce_bytes); + + self.cipher + .decrypt(nonce, ciphertext) + .map_err(|e| anyhow::anyhow!("decryption failed: {}", e)) + } +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn encrypt_decrypt_roundtrip() { + let crypto = CookieCrypto::new(&[0x42; 32]); + let plaintext = b"hello world"; + let encrypted = crypto.encrypt(plaintext).unwrap(); + let decrypted = crypto.decrypt(&encrypted).unwrap(); + assert_eq!(decrypted, plaintext); + } + + #[test] + fn encrypt_produces_different_ciphertext_each_time() { + let crypto = CookieCrypto::new(&[0x42; 32]); + let a = crypto.encrypt(b"same").unwrap(); + let b = crypto.encrypt(b"same").unwrap(); + assert_ne!(a, b); // different nonces + } + + #[test] + fn wrong_key_fails() { + let crypto1 = CookieCrypto::new(&[0x42; 32]); + let crypto2 = CookieCrypto::new(&[0x43; 32]); + let encrypted = crypto1.encrypt(b"hello").unwrap(); + assert!(crypto2.decrypt(&encrypted).is_err()); + } + + #[test] + fn tampered_ciphertext_fails() { + let crypto = CookieCrypto::new(&[0x42; 32]); + let encrypted = crypto.encrypt(b"hello").unwrap(); + let mut data = URL_SAFE_NO_PAD.decode(&encrypted).unwrap(); + *data.last_mut().unwrap() ^= 0xFF; + let tampered = URL_SAFE_NO_PAD.encode(&data); + assert!(crypto.decrypt(&tampered).is_err()); + } + + #[test] + fn empty_plaintext_roundtrip() { + let crypto = CookieCrypto::new(&[0x42; 32]); + let encrypted = crypto.encrypt(b"").unwrap(); + let decrypted = crypto.decrypt(&encrypted).unwrap(); + assert!(decrypted.is_empty()); + } + + #[test] + fn short_ciphertext_rejected() { + let crypto = CookieCrypto::new(&[0x42; 32]); + assert!(crypto.decrypt("dG9vc2hvcnQ").is_err()); // "tooshort" base64 + } + + #[test] + fn invalid_base64_rejected() { + let crypto = CookieCrypto::new(&[0x42; 32]); + assert!(crypto.decrypt("not valid base64!!!").is_err()); + } +} diff --git a/src/handlers.rs b/src/handlers.rs new file mode 100644 index 0000000..c273a43 --- /dev/null +++ b/src/handlers.rs @@ -0,0 +1,1160 @@ +use crate::crypto::CookieCrypto; +use crate::oidc::OidcClient; +use crate::routes::SharedRoutes; +use crate::session::{now_timestamp, Session}; +use axum::extract::{Query, State}; +use axum::http::{header, HeaderMap, StatusCode}; +use axum::response::{IntoResponse, Response}; +use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine}; +use rand::RngCore; +use serde::{Deserialize, Serialize}; +use sha2::{Digest, Sha256}; +use std::sync::Arc; + +pub struct AppState { + pub config: crate::config::Config, + pub oidc: OidcClient, + pub routes: SharedRoutes, + pub crypto: CookieCrypto, + pub metrics_handle: metrics_exporter_prometheus::PrometheusHandle, +} + +#[derive(Serialize, Deserialize)] +struct AuthStatePayload { + original_url: String, + pkce_verifier: String, + nonce: String, +} + +#[derive(Serialize, Deserialize)] +struct RefreshStatePayload { + original_url: String, +} + +const COOKIE_NAME: &str = "_auth_proxy_session"; +const MAX_SESSION_DURATION: i64 = 86400; // 24h + +// --- / --- + +pub async fn root() -> Response { + ( + StatusCode::OK, + [(header::CONTENT_TYPE, "text/plain; charset=utf-8")], + concat!( + "rsauth2-proxy is running.\n", + "\n", + "This is a Traefik ForwardAuth backend. It has no UI.\n", + "Users interact with it transparently through protected applications.\n", + "\n", + "Endpoints:\n", + " GET /auth ForwardAuth (called by Traefik)\n", + " GET /callback OIDC callback\n", + " GET /refresh Token refresh\n", + " GET /sign_out Logout\n", + " GET /health Health check\n", + ), + ) + .into_response() +} + +// --- /health --- + +pub async fn health() -> StatusCode { + StatusCode::OK +} + +// --- /metrics --- + +pub async fn metrics_handler(State(state): State>) -> Response { + let body = state.metrics_handle.render(); + ( + StatusCode::OK, + [(header::CONTENT_TYPE, "text/plain; version=0.0.4; charset=utf-8")], + body, + ) + .into_response() +} + +// --- /auth --- + +pub async fn auth(State(state): State>, headers: HeaderMap) -> Response { + let start = std::time::Instant::now(); + let resp = auth_inner(&state, &headers).await; + let status = resp.status().as_u16().to_string(); + metrics::counter!("auth_requests_total", "status" => status).increment(1); + metrics::histogram!("auth_request_duration_seconds").record(start.elapsed().as_secs_f64()); + resp +} + +async fn auth_inner(state: &AppState, headers: &HeaderMap) -> Response { + let host = get_header(headers, "x-forwarded-host"); + let uri = get_header(headers, "x-forwarded-uri"); + let proto = get_header(headers, "x-forwarded-proto"); + + let host = match host { + Some(h) => h, + None => { + tracing::warn!("missing X-Forwarded-Host header"); + return (StatusCode::BAD_REQUEST, "missing X-Forwarded-Host").into_response(); + } + }; + + let proto = proto.unwrap_or("https"); + let uri = uri.unwrap_or("/"); + let original_url = format!("{}://{}{}", proto, host, uri); + + let session = extract_session_from_headers(headers, &state.crypto); + + match session { + Some(session) if !session.is_access_expired() => { + authorize_request(state, &session, host).await + } + Some(session) if session.refresh_token.is_some() => { + redirect_to_refresh(state, &original_url) + } + _ => redirect_to_login(state, &original_url), + } +} + +// --- /callback --- + +#[derive(Deserialize)] +pub struct CallbackParams { + pub code: String, + pub state: String, +} + +pub async fn callback( + State(state): State>, + Query(params): Query, +) -> Response { + let auth_state = match decrypt_state::(&state.crypto, ¶ms.state) { + Ok(s) => s, + Err(e) => { + tracing::warn!(error = %e, "invalid callback state"); + metrics::counter!("callback_requests_total", "result" => "error").increment(1); + return (StatusCode::BAD_REQUEST, "invalid state").into_response(); + } + }; + + let token_response = match state + .oidc + .exchange_code(¶ms.code, &auth_state.pkce_verifier) + .await + { + Ok(t) => t, + Err(e) => { + tracing::error!(error = %e, "token exchange failed"); + metrics::counter!("callback_requests_total", "result" => "error").increment(1); + return (StatusCode::BAD_GATEWAY, "token exchange failed").into_response(); + } + }; + + let id_token_str = match &token_response.id_token { + Some(t) => t, + None => { + tracing::error!("no id_token in token response"); + metrics::counter!("callback_requests_total", "result" => "error").increment(1); + return (StatusCode::BAD_GATEWAY, "missing id_token").into_response(); + } + }; + + let claims = match state + .oidc + .validate_id_token(id_token_str, Some(&auth_state.nonce)) + .await + { + Ok(c) => c, + Err(e) => { + tracing::error!(error = %e, "id_token validation failed"); + metrics::counter!("callback_requests_total", "result" => "error").increment(1); + return (StatusCode::BAD_GATEWAY, "invalid id_token").into_response(); + } + }; + + let now = now_timestamp(); + let exp = claims.exp.min(now + MAX_SESSION_DURATION); + + let session = Session { + sub: claims.sub, + username: claims.preferred_username.unwrap_or_default(), + email: claims.email.unwrap_or_default(), + groups: claims.groups.unwrap_or_default(), + exp, + iat: now, + refresh_token: token_response.refresh_token, + }; + + let cookie_value = match session.encrypt(&state.crypto) { + Ok(v) => v, + Err(e) => { + tracing::error!(error = %e, "failed to encrypt session"); + metrics::counter!("callback_requests_total", "result" => "error").increment(1); + return StatusCode::INTERNAL_SERVER_ERROR.into_response(); + } + }; + + let cookie_header = format_set_cookie(&state.config.cookie_domain, &cookie_value, exp - now); + + metrics::counter!("callback_requests_total", "result" => "success").increment(1); + + ( + StatusCode::FOUND, + [ + (header::SET_COOKIE, cookie_header), + (header::LOCATION, auth_state.original_url), + ], + ) + .into_response() +} + +// --- /refresh --- + +#[derive(Deserialize)] +pub struct RefreshParams { + pub state: String, +} + +pub async fn refresh( + State(state): State>, + headers: HeaderMap, + Query(params): Query, +) -> Response { + let refresh_state = match decrypt_state::(&state.crypto, ¶ms.state) { + Ok(s) => s, + Err(e) => { + tracing::warn!(error = %e, "invalid refresh state"); + return (StatusCode::BAD_REQUEST, "invalid state").into_response(); + } + }; + + let old_session = match extract_session_from_headers(&headers, &state.crypto) { + Some(s) => s, + None => { + metrics::counter!("refresh_requests_total", "result" => "login").increment(1); + return redirect_to_login(&state, &refresh_state.original_url); + } + }; + + let refresh_tok = match &old_session.refresh_token { + Some(t) => t.clone(), + None => { + metrics::counter!("refresh_requests_total", "result" => "login").increment(1); + return redirect_to_login(&state, &refresh_state.original_url); + } + }; + + let token_response = match state.oidc.refresh_token(&refresh_tok).await { + Ok(t) => t, + Err(e) => { + tracing::info!(error = %e, "refresh token failed, redirecting to login"); + metrics::counter!("refresh_requests_total", "result" => "login").increment(1); + return redirect_to_login(&state, &refresh_state.original_url); + } + }; + + // Validate new ID token (no nonce check on refresh) + let id_token_str = match &token_response.id_token { + Some(t) => t, + None => { + tracing::error!("no id_token in refresh response"); + metrics::counter!("refresh_requests_total", "result" => "login").increment(1); + return redirect_to_login(&state, &refresh_state.original_url); + } + }; + + let claims = match state.oidc.validate_id_token(id_token_str, None).await { + Ok(c) => c, + Err(e) => { + tracing::error!(error = %e, "refreshed id_token validation failed"); + metrics::counter!("refresh_requests_total", "result" => "login").increment(1); + return redirect_to_login(&state, &refresh_state.original_url); + } + }; + + let now = now_timestamp(); + let exp = claims.exp.min(now + MAX_SESSION_DURATION); + + let new_session = Session { + sub: claims.sub, + username: claims.preferred_username.unwrap_or_default(), + email: claims.email.unwrap_or_default(), + groups: claims.groups.unwrap_or_default(), + exp, + iat: now, + refresh_token: token_response.refresh_token.or(Some(refresh_tok)), + }; + + let cookie_value = match new_session.encrypt(&state.crypto) { + Ok(v) => v, + Err(e) => { + tracing::error!(error = %e, "failed to encrypt session"); + return StatusCode::INTERNAL_SERVER_ERROR.into_response(); + } + }; + + let cookie_header = format_set_cookie(&state.config.cookie_domain, &cookie_value, exp - now); + + metrics::counter!("refresh_requests_total", "result" => "success").increment(1); + + ( + StatusCode::FOUND, + [ + (header::SET_COOKIE, cookie_header), + (header::LOCATION, refresh_state.original_url), + ], + ) + .into_response() +} + +// --- /sign_out --- + +pub async fn sign_out(State(state): State>) -> Response { + let expired_cookie = format!( + "{}=; Domain={}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0", + COOKIE_NAME, state.config.cookie_domain + ); + + let redirect_target = state + .oidc + .end_session_url() + .unwrap_or(state.config.base_url()); + + ( + StatusCode::FOUND, + [ + (header::SET_COOKIE, expired_cookie), + (header::LOCATION, redirect_target.to_string()), + ], + ) + .into_response() +} + +// --- helpers --- + +fn get_header<'a>(headers: &'a HeaderMap, name: &str) -> Option<&'a str> { + headers.get(name).and_then(|v| v.to_str().ok()) +} + +fn extract_session_from_headers(headers: &HeaderMap, crypto: &CookieCrypto) -> Option { + let cookie_header = headers.get(header::COOKIE)?.to_str().ok()?; + let value = cookie_header + .split(';') + .map(|s| s.trim()) + .find(|s| s.starts_with(COOKIE_NAME))? + .strip_prefix(COOKIE_NAME)? + .strip_prefix('=')?; + Session::decrypt(crypto, value).ok() +} + +async fn authorize_request(state: &AppState, session: &Session, host: &str) -> Response { + let routes = state.routes.read().await; + + let route = match routes.get(host) { + Some(r) => r, + None => { + tracing::debug!(host, "host not found in routes, denying"); + return StatusCode::FORBIDDEN.into_response(); + } + }; + + if !route.allowed_groups.is_empty() { + let has_access = session + .groups + .iter() + .any(|g| route.allowed_groups.contains(g)); + if !has_access { + tracing::debug!( + host, + user = session.username, + "user not in allowed groups" + ); + return StatusCode::FORBIDDEN.into_response(); + } + } + + let groups_csv = session.groups.join(","); + + ( + StatusCode::OK, + [ + ("X-Auth-Request-User", session.username.as_str()), + ("X-Auth-Request-Email", session.email.as_str()), + ("X-Auth-Request-Groups", groups_csv.as_str()), + ], + ) + .into_response() +} + +fn redirect_to_login(state: &AppState, original_url: &str) -> Response { + let (pkce_verifier, pkce_challenge) = generate_pkce(); + + let nonce = generate_random_string(); + + let auth_state = AuthStatePayload { + original_url: original_url.to_string(), + pkce_verifier, + nonce: nonce.clone(), + }; + + let encrypted_state = match encrypt_state(&state.crypto, &auth_state) { + Ok(s) => s, + Err(e) => { + tracing::error!(error = %e, "failed to encrypt auth state"); + return StatusCode::INTERNAL_SERVER_ERROR.into_response(); + } + }; + + let auth_url = state.oidc.auth_url(&encrypted_state, &pkce_challenge, &nonce); + + (StatusCode::FOUND, [(header::LOCATION, auth_url)]).into_response() +} + +fn redirect_to_refresh(state: &AppState, original_url: &str) -> Response { + let payload = RefreshStatePayload { + original_url: original_url.to_string(), + }; + + let encrypted = match encrypt_state(&state.crypto, &payload) { + Ok(s) => s, + Err(e) => { + tracing::error!(error = %e, "failed to encrypt refresh state"); + return StatusCode::INTERNAL_SERVER_ERROR.into_response(); + } + }; + + let mut url = url::Url::parse(&format!("{}/refresh", state.config.base_url())) + .expect("valid base_url"); + url.query_pairs_mut().append_pair("state", &encrypted); + + (StatusCode::FOUND, [(header::LOCATION, url.to_string())]).into_response() +} + +fn generate_pkce() -> (String, String) { + let mut verifier_bytes = [0u8; 32]; + rand::thread_rng().fill_bytes(&mut verifier_bytes); + let verifier = URL_SAFE_NO_PAD.encode(verifier_bytes); + + let challenge = URL_SAFE_NO_PAD.encode(Sha256::digest(verifier.as_bytes())); + + (verifier, challenge) +} + +fn generate_random_string() -> String { + let mut bytes = [0u8; 16]; + rand::thread_rng().fill_bytes(&mut bytes); + URL_SAFE_NO_PAD.encode(bytes) +} + +fn encrypt_state(crypto: &CookieCrypto, payload: &T) -> anyhow::Result { + let json = serde_json::to_vec(payload)?; + crypto.encrypt(&json) +} + +fn decrypt_state Deserialize<'de>>( + crypto: &CookieCrypto, + encoded: &str, +) -> anyhow::Result { + let plaintext = crypto.decrypt(encoded)?; + Ok(serde_json::from_slice(&plaintext)?) +} + +fn format_set_cookie(domain: &str, value: &str, max_age_secs: i64) -> String { + format!( + "{}={}; Domain={}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={}", + COOKIE_NAME, value, domain, max_age_secs + ) +} + +#[cfg(test)] +mod tests { + use super::*; + use axum::body::Body; + use axum::http::Request; + use axum::routing::{get, post}; + use axum::Router; + use crate::config::Config; + use crate::crypto::CookieCrypto; + use crate::oidc::OidcClient; + use crate::routes::RouteConfig; + use crate::session::{now_timestamp, Session}; + use std::collections::HashMap; + use tokio::sync::RwLock; + use tower::ServiceExt; + + const TEST_KEY: [u8; 32] = [0x42; 32]; + const MOCK_NONCE: &str = "test-nonce-123"; + + // --- RSA key generation for mock JWT signing --- + + struct TestKeys { + encoding_key: jsonwebtoken::EncodingKey, + n: String, + e: String, + kid: String, + } + + fn generate_test_keys() -> TestKeys { + use rsa::pkcs8::EncodePrivateKey; + use rsa::traits::PublicKeyParts; + use rsa::RsaPrivateKey; + + let mut rng = rand::thread_rng(); + let private_key = RsaPrivateKey::new(&mut rng, 2048).unwrap(); + let public_key = rsa::RsaPublicKey::from(&private_key); + + let n = URL_SAFE_NO_PAD.encode(public_key.n().to_bytes_be()); + let e = URL_SAFE_NO_PAD.encode(public_key.e().to_bytes_be()); + + let pem = private_key + .to_pkcs8_pem(rsa::pkcs8::LineEnding::LF) + .unwrap(); + let encoding_key = + jsonwebtoken::EncodingKey::from_rsa_pem(pem.as_bytes()).unwrap(); + + TestKeys { + encoding_key, + n, + e, + kid: "test-key-1".into(), + } + } + + // --- Mock Keycloak server --- + + #[derive(Clone)] + struct MockKeycloakState { + encoding_key: jsonwebtoken::EncodingKey, + jwks_n: String, + jwks_e: String, + kid: String, + issuer: String, + } + + async fn mock_discovery( + State(st): State>, + ) -> axum::Json { + axum::Json(serde_json::json!({ + "issuer": st.issuer, + "authorization_endpoint": format!("{}/authorize", st.issuer), + "token_endpoint": format!("{}/token", st.issuer), + "jwks_uri": format!("{}/jwks", st.issuer), + "end_session_endpoint": format!("{}/end-session", st.issuer), + })) + } + + async fn mock_jwks( + State(st): State>, + ) -> axum::Json { + axum::Json(serde_json::json!({ + "keys": [{ + "kid": st.kid, + "kty": "RSA", + "alg": "RS256", + "n": st.jwks_n, + "e": st.jwks_e, + }] + })) + } + + async fn mock_token( + State(st): State>, + ) -> axum::Json { + let now = now_timestamp(); + let claims = serde_json::json!({ + "iss": st.issuer, + "sub": "test-user-id", + "aud": "test-client", + "exp": now + 3600, + "iat": now, + "preferred_username": "testuser", + "email": "test@example.com", + "groups": ["admins", "developers"], + "nonce": MOCK_NONCE, + }); + + let header = jsonwebtoken::Header { + alg: jsonwebtoken::Algorithm::RS256, + kid: Some(st.kid.clone()), + ..Default::default() + }; + let id_token = + jsonwebtoken::encode(&header, &claims, &st.encoding_key).unwrap(); + + axum::Json(serde_json::json!({ + "id_token": id_token, + "access_token": "mock-access-token", + "refresh_token": "mock-new-refresh-token", + "token_type": "Bearer", + "expires_in": 3600, + "refresh_expires_in": 86400, + })) + } + + async fn start_mock_keycloak(keys: &TestKeys) -> String { + let listener = tokio::net::TcpListener::bind("127.0.0.1:0") + .await + .unwrap(); + let issuer = format!("http://{}", listener.local_addr().unwrap()); + + let mock_state = Arc::new(MockKeycloakState { + encoding_key: keys.encoding_key.clone(), + jwks_n: keys.n.clone(), + jwks_e: keys.e.clone(), + kid: keys.kid.clone(), + issuer: issuer.clone(), + }); + + let mock_app = Router::new() + .route("/.well-known/openid-configuration", get(mock_discovery)) + .route("/jwks", get(mock_jwks)) + .route("/token", post(mock_token)) + .with_state(mock_state); + + tokio::spawn(async move { + axum::serve(listener, mock_app).await.unwrap(); + }); + + issuer + } + + // --- Test environment --- + + async fn setup() -> (Router, Arc) { + let keys = generate_test_keys(); + let issuer = start_mock_keycloak(&keys).await; + + let config = Config { + listen: "127.0.0.1:0".into(), + oidc_issuer: issuer.clone(), + client_id: "test-client".into(), + client_secret: "test-secret".into(), + cookie_secret: TEST_KEY, + cookie_domain: ".example.com".into(), + routes_file: "/dev/null".into(), + callback_url: "http://auth.example.com/callback".into(), + log_level: "debug".into(), + }; + + let oidc = OidcClient::discover( + &config.oidc_issuer, + config.client_id.clone(), + config.client_secret.clone(), + config.callback_url.clone(), + ) + .await + .unwrap(); + + let mut routes = HashMap::new(); + routes.insert( + "grafana.example.com".into(), + RouteConfig { + allowed_groups: vec!["admins".into(), "developers".into()], + }, + ); + routes.insert( + "wiki.example.com".into(), + RouteConfig { + allowed_groups: vec![], + }, + ); + + let metrics_handle = metrics_exporter_prometheus::PrometheusBuilder::new() + .install_recorder() + .unwrap_or_else(|_| { + // Recorder already installed by another test — get a dummy handle + metrics_exporter_prometheus::PrometheusBuilder::new() + .build_recorder() + .handle() + }); + + let state = Arc::new(AppState { + config, + oidc, + routes: Arc::new(RwLock::new(routes)), + crypto: CookieCrypto::new(&TEST_KEY), + metrics_handle, + }); + + let app = Router::new() + .route("/auth", get(auth)) + .route("/callback", get(callback)) + .route("/refresh", get(refresh)) + .route("/sign_out", get(sign_out)) + .route("/health", get(health)) + .route("/metrics", get(metrics_handler)) + .with_state(state.clone()); + + (app, state) + } + + fn make_cookie(crypto: &CookieCrypto, session: &Session) -> String { + let encrypted = session.encrypt(crypto).unwrap(); + format!("{}={}", COOKIE_NAME, encrypted) + } + + fn active_session() -> Session { + Session { + sub: "test-user-id".into(), + username: "testuser".into(), + email: "test@example.com".into(), + groups: vec!["admins".into(), "developers".into()], + exp: now_timestamp() + 3600, + iat: now_timestamp(), + refresh_token: Some("mock-refresh-token".into()), + } + } + + // --- Unit tests --- + + #[test] + fn pkce_challenge_matches_verifier() { + let (verifier, challenge) = generate_pkce(); + let expected = URL_SAFE_NO_PAD.encode(Sha256::digest(verifier.as_bytes())); + assert_eq!(challenge, expected); + assert_eq!(verifier.len(), 43); // 32 bytes → 43 base64url chars + } + + #[test] + fn state_encrypt_decrypt_roundtrip() { + let crypto = CookieCrypto::new(&TEST_KEY); + let original = AuthStatePayload { + original_url: "https://example.com/path?q=1".into(), + pkce_verifier: "verifier123".into(), + nonce: "nonce456".into(), + }; + let encrypted = encrypt_state(&crypto, &original).unwrap(); + let restored: AuthStatePayload = decrypt_state(&crypto, &encrypted).unwrap(); + assert_eq!(restored.original_url, original.original_url); + assert_eq!(restored.pkce_verifier, original.pkce_verifier); + assert_eq!(restored.nonce, original.nonce); + } + + #[test] + fn cookie_parsing() { + let crypto = CookieCrypto::new(&TEST_KEY); + let session = active_session(); + let cookie_val = make_cookie(&crypto, &session); + + let mut headers = HeaderMap::new(); + headers.insert( + header::COOKIE, + format!("other=abc; {}", cookie_val).parse().unwrap(), + ); + + let restored = extract_session_from_headers(&headers, &crypto).unwrap(); + assert_eq!(restored.sub, "test-user-id"); + assert_eq!(restored.username, "testuser"); + } + + #[test] + fn cookie_parsing_missing_cookie() { + let crypto = CookieCrypto::new(&TEST_KEY); + let headers = HeaderMap::new(); + assert!(extract_session_from_headers(&headers, &crypto).is_none()); + } + + #[test] + fn cookie_parsing_wrong_key() { + let crypto1 = CookieCrypto::new(&[0x42; 32]); + let crypto2 = CookieCrypto::new(&[0x99; 32]); + let cookie_val = make_cookie(&crypto1, &active_session()); + + let mut headers = HeaderMap::new(); + headers.insert(header::COOKIE, cookie_val.parse().unwrap()); + + assert!(extract_session_from_headers(&headers, &crypto2).is_none()); + } + + // --- Integration tests --- + + #[tokio::test] + async fn health_returns_200() { + let (app, _) = setup().await; + let resp = app + .oneshot(Request::builder().uri("/health").body(Body::empty()).unwrap()) + .await + .unwrap(); + assert_eq!(resp.status(), StatusCode::OK); + } + + #[tokio::test] + async fn auth_no_session_redirects_to_keycloak() { + let (app, _) = setup().await; + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .header("x-forwarded-host", "grafana.example.com") + .header("x-forwarded-uri", "/d/dashboard") + .header("x-forwarded-proto", "https") + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FOUND); + let location = resp.headers().get("location").unwrap().to_str().unwrap(); + assert!(location.contains("/authorize"), "should redirect to OIDC authorize"); + assert!(location.contains("client_id=test-client")); + assert!(location.contains("code_challenge=")); + assert!(location.contains("code_challenge_method=S256")); + assert!(location.contains("nonce=")); + assert!(location.contains("state=")); + } + + #[tokio::test] + async fn auth_valid_session_returns_200_with_headers() { + let (app, state) = setup().await; + let cookie = make_cookie(&state.crypto, &active_session()); + + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .header("x-forwarded-host", "grafana.example.com") + .header("x-forwarded-uri", "/") + .header("cookie", &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::OK); + assert_eq!( + resp.headers().get("x-auth-request-user").unwrap(), + "testuser" + ); + assert_eq!( + resp.headers().get("x-auth-request-email").unwrap(), + "test@example.com" + ); + let groups = resp + .headers() + .get("x-auth-request-groups") + .unwrap() + .to_str() + .unwrap(); + assert!(groups.contains("admins")); + assert!(groups.contains("developers")); + } + + #[tokio::test] + async fn auth_any_authenticated_user_for_empty_groups() { + let (app, state) = setup().await; + let mut session = active_session(); + session.groups = vec!["random-group".into()]; + let cookie = make_cookie(&state.crypto, &session); + + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .header("x-forwarded-host", "wiki.example.com") + .header("x-forwarded-uri", "/") + .header("cookie", &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::OK); + } + + #[tokio::test] + async fn auth_host_not_in_routes_returns_403() { + let (app, state) = setup().await; + let cookie = make_cookie(&state.crypto, &active_session()); + + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .header("x-forwarded-host", "unknown.example.com") + .header("x-forwarded-uri", "/") + .header("cookie", &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FORBIDDEN); + } + + #[tokio::test] + async fn auth_wrong_group_returns_403() { + let (app, state) = setup().await; + let mut session = active_session(); + session.groups = vec!["viewers".into()]; + let cookie = make_cookie(&state.crypto, &session); + + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .header("x-forwarded-host", "grafana.example.com") + .header("x-forwarded-uri", "/") + .header("cookie", &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FORBIDDEN); + } + + #[tokio::test] + async fn auth_expired_with_refresh_redirects_to_refresh_endpoint() { + let (app, state) = setup().await; + let mut session = active_session(); + session.exp = now_timestamp() - 10; + let cookie = make_cookie(&state.crypto, &session); + + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .header("x-forwarded-host", "grafana.example.com") + .header("x-forwarded-uri", "/dashboard") + .header("x-forwarded-proto", "https") + .header("cookie", &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FOUND); + let location = resp.headers().get("location").unwrap().to_str().unwrap(); + assert!( + location.contains("/refresh"), + "should redirect to /refresh, got: {}", + location + ); + } + + #[tokio::test] + async fn auth_expired_without_refresh_redirects_to_keycloak() { + let (app, state) = setup().await; + let mut session = active_session(); + session.exp = now_timestamp() - 10; + session.refresh_token = None; + let cookie = make_cookie(&state.crypto, &session); + + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .header("x-forwarded-host", "grafana.example.com") + .header("x-forwarded-uri", "/") + .header("x-forwarded-proto", "https") + .header("cookie", &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FOUND); + let location = resp.headers().get("location").unwrap().to_str().unwrap(); + assert!( + location.contains("/authorize"), + "should redirect to Keycloak, got: {}", + location + ); + } + + #[tokio::test] + async fn auth_missing_forwarded_host_returns_400() { + let (app, _) = setup().await; + let resp = app + .oneshot( + Request::builder() + .uri("/auth") + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + assert_eq!(resp.status(), StatusCode::BAD_REQUEST); + } + + #[tokio::test] + async fn callback_exchanges_code_and_sets_cookie() { + let (app, state) = setup().await; + + let auth_state = AuthStatePayload { + original_url: "https://grafana.example.com/dashboard".into(), + pkce_verifier: "test-verifier-01234567890123456789012".into(), + nonce: MOCK_NONCE.into(), + }; + let encrypted_state = encrypt_state(&state.crypto, &auth_state).unwrap(); + + let resp = app + .oneshot( + Request::builder() + .uri(&format!( + "/callback?code=mock-auth-code&state={}", + encrypted_state + )) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FOUND); + assert_eq!( + resp.headers().get("location").unwrap(), + "https://grafana.example.com/dashboard" + ); + + let set_cookie = resp + .headers() + .get("set-cookie") + .unwrap() + .to_str() + .unwrap(); + assert!(set_cookie.starts_with("_auth_proxy_session=")); + assert!(set_cookie.contains("HttpOnly")); + assert!(set_cookie.contains("Secure")); + assert!(set_cookie.contains("SameSite=Lax")); + assert!(set_cookie.contains("Domain=.example.com")); + + // Verify the cookie contains a valid session + let cookie_value = set_cookie + .split(';') + .next() + .unwrap() + .strip_prefix("_auth_proxy_session=") + .unwrap(); + let session = Session::decrypt(&state.crypto, cookie_value).unwrap(); + assert_eq!(session.sub, "test-user-id"); + assert_eq!(session.username, "testuser"); + assert_eq!(session.email, "test@example.com"); + assert_eq!(session.groups, vec!["admins", "developers"]); + assert!(session.refresh_token.is_some()); + } + + #[tokio::test] + async fn callback_invalid_state_returns_400() { + let (app, _) = setup().await; + let resp = app + .oneshot( + Request::builder() + .uri("/callback?code=abc&state=garbage-data") + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + assert_eq!(resp.status(), StatusCode::BAD_REQUEST); + } + + #[tokio::test] + async fn refresh_updates_session_and_redirects() { + let (app, state) = setup().await; + + let mut session = active_session(); + session.exp = now_timestamp() - 10; + let cookie = make_cookie(&state.crypto, &session); + + let refresh_state = RefreshStatePayload { + original_url: "https://grafana.example.com/dashboard".into(), + }; + let encrypted_state = encrypt_state(&state.crypto, &refresh_state).unwrap(); + + let resp = app + .oneshot( + Request::builder() + .uri(&format!("/refresh?state={}", encrypted_state)) + .header("cookie", &cookie) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FOUND); + assert_eq!( + resp.headers().get("location").unwrap(), + "https://grafana.example.com/dashboard" + ); + + // New cookie should be set + let set_cookie = resp + .headers() + .get("set-cookie") + .unwrap() + .to_str() + .unwrap(); + let cookie_value = set_cookie + .split(';') + .next() + .unwrap() + .strip_prefix("_auth_proxy_session=") + .unwrap(); + let new_session = Session::decrypt(&state.crypto, cookie_value).unwrap(); + assert!(!new_session.is_access_expired()); + assert!(new_session.refresh_token.is_some()); + } + + #[tokio::test] + async fn refresh_without_cookie_redirects_to_login() { + let (app, state) = setup().await; + + let refresh_state = RefreshStatePayload { + original_url: "https://grafana.example.com/".into(), + }; + let encrypted_state = encrypt_state(&state.crypto, &refresh_state).unwrap(); + + let resp = app + .oneshot( + Request::builder() + .uri(&format!("/refresh?state={}", encrypted_state)) + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FOUND); + let location = resp.headers().get("location").unwrap().to_str().unwrap(); + assert!(location.contains("/authorize")); + } + + #[tokio::test] + async fn sign_out_clears_cookie_and_redirects() { + let (app, _) = setup().await; + let resp = app + .oneshot( + Request::builder() + .uri("/sign_out") + .body(Body::empty()) + .unwrap(), + ) + .await + .unwrap(); + + assert_eq!(resp.status(), StatusCode::FOUND); + + let set_cookie = resp + .headers() + .get("set-cookie") + .unwrap() + .to_str() + .unwrap(); + assert!(set_cookie.contains("Max-Age=0"), "cookie should be expired"); + + let location = resp.headers().get("location").unwrap().to_str().unwrap(); + assert!( + location.contains("/end-session"), + "should redirect to OIDC end_session" + ); + } +} diff --git a/src/main.rs b/src/main.rs new file mode 100644 index 0000000..08d3207 --- /dev/null +++ b/src/main.rs @@ -0,0 +1,200 @@ +mod config; +mod crypto; +mod handlers; +mod oidc; +mod routes; +mod session; + +use crate::config::Config; +use crate::crypto::CookieCrypto; +use crate::handlers::AppState; +use axum::routing::get; +use axum::Router; +use std::sync::Arc; +use tokio::sync::RwLock; + +const HELP: &str = "\ +rsauth2-proxy — Auth proxy for Traefik ForwardAuth with Keycloak OIDC + +USAGE: + rsauth2-proxy Start the proxy (configured via environment variables) + rsauth2-proxy --help Show this help + rsauth2-proxy --version Show version + +ENVIRONMENT VARIABLES: + AUTH_PROXY_OIDC_ISSUER (required) OIDC issuer URL + Example: https://auth.example.com/realms/main + AUTH_PROXY_CLIENT_ID (required) Keycloak client ID + AUTH_PROXY_CLIENT_SECRET (required) Keycloak client secret + AUTH_PROXY_COOKIE_SECRET (required) AES-256 encryption key, 32 bytes, base64-encoded + Generate with: openssl rand -base64 32 + AUTH_PROXY_COOKIE_DOMAIN (required) Cookie domain, must cover all protected hosts + Example: .example.com + AUTH_PROXY_CALLBACK_URL (required) Full public URL for the OIDC callback endpoint + Example: https://auth-proxy.example.com/callback + AUTH_PROXY_LISTEN (optional) Listen address [default: 0.0.0.0:8080] + AUTH_PROXY_ROUTES_FILE (optional) Path to routes config [default: /config/routes.yaml] + AUTH_PROXY_LOG_LEVEL (optional) Log level: debug, info, warn, error [default: info] + +ENDPOINTS: + GET /auth ForwardAuth endpoint (called by Traefik for every request) + GET /callback OIDC callback (receives authorization code from Keycloak) + GET /refresh Token refresh (transparent redirect when access token expires) + GET /sign_out Logout (clears cookie, redirects to Keycloak end_session) + GET /health Health check (returns 200 OK) + GET /metrics Prometheus metrics (text exposition format) + +ROUTES FILE (routes.yaml): + routes: + grafana.example.com: + allowed_groups: [\"admins\", \"developers\"] # user must be in at least one group + wiki.example.com: + allowed_groups: [] # any authenticated user + # Hosts not listed are denied (403) + + The file is polled every 5 seconds and reloaded on change. + Works with Kubernetes ConfigMap volume mounts (symlink-based updates). + +RESPONSE HEADERS (forwarded to upstream on 200): + X-Auth-Request-User preferred_username from the ID token + X-Auth-Request-Email email from the ID token + X-Auth-Request-Groups comma-separated list of groups + +KEYCLOAK SETUP: + Groups must be included in the ID token via a \"Group Membership\" protocol mapper + with claim name \"groups\" and full path disabled. + +TRAEFIK MIDDLEWARE: + apiVersion: traefik.io/v1alpha1 + kind: Middleware + metadata: + name: auth-proxy + spec: + forwardAuth: + address: http://auth-proxy.auth-proxy.svc:80/auth + trustForwardHeader: true + authResponseHeaders: + - X-Auth-Request-User + - X-Auth-Request-Email + - X-Auth-Request-Groups + +SECURITY: + - Sessions encrypted with AES-256-GCM (not just signed) + - PKCE S256 on all authorization flows + - JWT validated against Keycloak JWKS (keys refreshed hourly) + - No open redirects (redirect URL encrypted in state parameter) + - Deny by default (unlisted hosts get 403) + - Fully stateless (all state in encrypted cookies), supports multiple replicas + - Graceful shutdown on SIGTERM/SIGINT + +SOURCE: https://github.com/ab/rsauth2-proxy"; + +const VERSION: &str = env!("CARGO_PKG_VERSION"); + +#[tokio::main] +async fn main() -> anyhow::Result<()> { + let args: Vec = std::env::args().collect(); + if args.iter().any(|a| a == "--help" || a == "-h") { + println!("{}", HELP); + return Ok(()); + } + if args.iter().any(|a| a == "--version" || a == "-V") { + println!("rsauth2-proxy {}", VERSION); + return Ok(()); + } + + let config = Config::from_env()?; + + tracing_subscriber::fmt() + .with_env_filter( + tracing_subscriber::EnvFilter::try_new(&config.log_level) + .unwrap_or_else(|_| tracing_subscriber::EnvFilter::new("info")), + ) + .init(); + + let metrics_handle = metrics_exporter_prometheus::PrometheusBuilder::new() + .install_recorder() + .expect("failed to install prometheus recorder"); + + metrics::describe_counter!("auth_requests_total", "Total auth check requests"); + metrics::describe_histogram!( + "auth_request_duration_seconds", + "Auth check request duration in seconds" + ); + metrics::describe_counter!("callback_requests_total", "Total OIDC callback requests"); + metrics::describe_counter!("refresh_requests_total", "Total token refresh requests"); + metrics::describe_gauge!("routes_loaded_total", "Number of loaded routes"); + + tracing::info!(listen = %config.listen, "starting rsauth2-proxy"); + + let oidc = oidc::OidcClient::discover( + &config.oidc_issuer, + config.client_id.clone(), + config.client_secret.clone(), + config.callback_url.clone(), + ) + .await?; + + let initial_routes = routes::load_routes(&config.routes_file)?; + let shared_routes: routes::SharedRoutes = Arc::new(RwLock::new(initial_routes)); + + let crypto = CookieCrypto::new(&config.cookie_secret); + + let state = Arc::new(AppState { + config: config.clone(), + oidc, + routes: shared_routes.clone(), + crypto, + metrics_handle, + }); + + // Background: watch routes file for changes + let routes_path = config.routes_file.clone(); + let routes_ref = shared_routes.clone(); + tokio::spawn(async move { + routes::watch_routes(routes_path, routes_ref).await; + }); + + // Background: periodically refresh JWKS keys + let oidc_state = state.clone(); + tokio::spawn(async move { + let mut interval = tokio::time::interval(std::time::Duration::from_secs(3600)); + loop { + interval.tick().await; + if let Err(e) = oidc_state.oidc.refresh_jwks().await { + tracing::warn!(error = %e, "failed to refresh JWKS"); + } + } + }); + + let app = Router::new() + .route("/", get(handlers::root)) + .route("/auth", get(handlers::auth)) + .route("/callback", get(handlers::callback)) + .route("/refresh", get(handlers::refresh)) + .route("/sign_out", get(handlers::sign_out)) + .route("/health", get(handlers::health)) + .route("/metrics", get(handlers::metrics_handler)) + .with_state(state); + + let listener = tokio::net::TcpListener::bind(&config.listen).await?; + tracing::info!(addr = %config.listen, "listening"); + + axum::serve(listener, app) + .with_graceful_shutdown(shutdown_signal()) + .await?; + + tracing::info!("shutdown complete"); + Ok(()) +} + +async fn shutdown_signal() { + let ctrl_c = tokio::signal::ctrl_c(); + let mut sigterm = + tokio::signal::unix::signal(tokio::signal::unix::SignalKind::terminate()).unwrap(); + tokio::select! { + _ = ctrl_c => {}, + _ = sigterm.recv() => {}, + } + tracing::info!("shutdown signal received"); +} diff --git a/src/oidc.rs b/src/oidc.rs new file mode 100644 index 0000000..857f8a5 --- /dev/null +++ b/src/oidc.rs @@ -0,0 +1,223 @@ +use anyhow::{Context, Result}; +use jsonwebtoken::{decode, decode_header, DecodingKey, TokenData, Validation}; +use reqwest::Client; +use serde::Deserialize; +use std::sync::Arc; +use tokio::sync::RwLock; + +#[derive(Deserialize)] +pub struct OidcDiscovery { + pub issuer: String, + pub authorization_endpoint: String, + pub token_endpoint: String, + pub jwks_uri: String, + pub end_session_endpoint: Option, +} + +#[derive(Deserialize, Clone)] +#[allow(dead_code)] +pub struct JwkKey { + pub kid: Option, + pub kty: String, + pub n: Option, + pub e: Option, +} + +#[derive(Deserialize)] +struct JwksResponse { + keys: Vec, +} + +#[derive(Deserialize)] +#[allow(dead_code)] +pub struct TokenResponse { + pub id_token: Option, + pub refresh_token: Option, + pub expires_in: Option, + pub refresh_expires_in: Option, +} + +#[derive(Debug, Deserialize)] +#[allow(dead_code)] +pub struct IdTokenClaims { + pub sub: String, + pub preferred_username: Option, + pub email: Option, + pub groups: Option>, + pub exp: i64, + pub iat: i64, + pub nonce: Option, +} + +pub struct OidcClient { + http: Client, + pub discovery: OidcDiscovery, + jwks: Arc>>, + client_id: String, + client_secret: String, + redirect_uri: String, +} + +impl OidcClient { + pub async fn discover( + issuer: &str, + client_id: String, + client_secret: String, + redirect_uri: String, + ) -> Result { + let http = Client::new(); + let discovery_url = format!( + "{}/.well-known/openid-configuration", + issuer.trim_end_matches('/') + ); + let discovery: OidcDiscovery = http + .get(&discovery_url) + .send() + .await? + .error_for_status() + .context("OIDC discovery request failed")? + .json() + .await + .context("failed to parse OIDC discovery")?; + + let jwks: JwksResponse = http + .get(&discovery.jwks_uri) + .send() + .await? + .error_for_status() + .context("JWKS request failed")? + .json() + .await + .context("failed to parse JWKS")?; + + tracing::info!( + keys = jwks.keys.len(), + "OIDC discovery complete" + ); + + Ok(Self { + http, + discovery, + jwks: Arc::new(RwLock::new(jwks.keys)), + client_id, + client_secret, + redirect_uri, + }) + } + + pub fn auth_url(&self, state: &str, pkce_challenge: &str, nonce: &str) -> String { + let mut url = url::Url::parse(&self.discovery.authorization_endpoint) + .expect("valid authorization_endpoint URL"); + url.query_pairs_mut() + .append_pair("client_id", &self.client_id) + .append_pair("redirect_uri", &self.redirect_uri) + .append_pair("response_type", "code") + .append_pair("scope", "openid profile email") + .append_pair("state", state) + .append_pair("nonce", nonce) + .append_pair("code_challenge", pkce_challenge) + .append_pair("code_challenge_method", "S256"); + url.to_string() + } + + pub async fn exchange_code(&self, code: &str, pkce_verifier: &str) -> Result { + let resp = self + .http + .post(&self.discovery.token_endpoint) + .form(&[ + ("grant_type", "authorization_code"), + ("code", code), + ("redirect_uri", self.redirect_uri.as_str()), + ("client_id", self.client_id.as_str()), + ("client_secret", self.client_secret.as_str()), + ("code_verifier", pkce_verifier), + ]) + .send() + .await?; + + if !resp.status().is_success() { + let status = resp.status(); + let body = resp.text().await.unwrap_or_default(); + anyhow::bail!("token exchange failed ({}): {}", status, body); + } + + Ok(resp.json().await?) + } + + pub async fn refresh_token(&self, refresh_token: &str) -> Result { + let resp = self + .http + .post(&self.discovery.token_endpoint) + .form(&[ + ("grant_type", "refresh_token"), + ("refresh_token", refresh_token), + ("client_id", self.client_id.as_str()), + ("client_secret", self.client_secret.as_str()), + ]) + .send() + .await?; + + if !resp.status().is_success() { + let status = resp.status(); + let body = resp.text().await.unwrap_or_default(); + anyhow::bail!("token refresh failed ({}): {}", status, body); + } + + Ok(resp.json().await?) + } + + pub async fn validate_id_token( + &self, + token: &str, + expected_nonce: Option<&str>, + ) -> Result { + let header = decode_header(token)?; + let kid = header.kid.as_deref(); + + let jwks = self.jwks.read().await; + let key = if let Some(kid) = kid { + jwks.iter().find(|k| k.kid.as_deref() == Some(kid)) + } else { + jwks.first() + } + .context("no matching JWK found")?; + + let decoding_key = DecodingKey::from_rsa_components( + key.n.as_deref().context("missing 'n' in JWK")?, + key.e.as_deref().context("missing 'e' in JWK")?, + )?; + + let mut validation = Validation::new(header.alg); + validation.set_issuer(&[&self.discovery.issuer]); + validation.set_audience(&[&self.client_id]); + + let token_data: TokenData = decode(token, &decoding_key, &validation)?; + + if let Some(expected) = expected_nonce { + if token_data.claims.nonce.as_deref() != Some(expected) { + anyhow::bail!("nonce mismatch"); + } + } + + Ok(token_data.claims) + } + + pub async fn refresh_jwks(&self) -> Result<()> { + let jwks: JwksResponse = self + .http + .get(&self.discovery.jwks_uri) + .send() + .await? + .error_for_status()? + .json() + .await?; + let count = jwks.keys.len(); + *self.jwks.write().await = jwks.keys; + tracing::debug!(keys = count, "JWKS refreshed"); + Ok(()) + } + + pub fn end_session_url(&self) -> Option<&str> { + self.discovery.end_session_endpoint.as_deref() + } +} diff --git a/src/routes.rs b/src/routes.rs new file mode 100644 index 0000000..6e4c00f --- /dev/null +++ b/src/routes.rs @@ -0,0 +1,157 @@ +use anyhow::Result; +use serde::Deserialize; +use std::collections::HashMap; +use std::sync::Arc; +use tokio::sync::RwLock; + +#[derive(Debug, Deserialize, Clone)] +pub struct RouteConfig { + pub allowed_groups: Vec, +} + +#[derive(Debug, Deserialize)] +pub struct RoutesFile { + pub routes: HashMap, +} + +pub type SharedRoutes = Arc>>; + +pub fn load_routes(path: &str) -> Result> { + let content = std::fs::read_to_string(path)?; + let routes_file: RoutesFile = serde_yaml::from_str(&content)?; + let count = routes_file.routes.len(); + tracing::info!(count, "routes loaded"); + metrics::gauge!("routes_loaded_total").set(count as f64); + Ok(routes_file.routes) +} + +pub async fn watch_routes(path: String, routes: SharedRoutes) { + let mut last_content = std::fs::read_to_string(&path).unwrap_or_default(); + let mut interval = tokio::time::interval(std::time::Duration::from_secs(5)); + + loop { + interval.tick().await; + + // Read through the symlink — k8s ConfigMap updates swap the symlink target, + // so reading the original path always gives current content. + match std::fs::read_to_string(&path) { + Ok(content) if content != last_content => match serde_yaml::from_str::(&content) { + Ok(routes_file) => { + let count = routes_file.routes.len(); + *routes.write().await = routes_file.routes; + last_content = content; + metrics::gauge!("routes_loaded_total").set(count as f64); + tracing::info!(count, "routes reloaded"); + } + Err(e) => { + tracing::error!(error = %e, "failed to parse routes file"); + } + }, + Ok(_) => {} + Err(e) => { + tracing::warn!(error = %e, "failed to read routes file"); + } + } + } +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn parse_routes_yaml() { + let yaml = r#" +routes: + grafana.example.com: + allowed_groups: ["admins", "developers"] + wiki.example.com: + allowed_groups: [] +"#; + let rf: RoutesFile = serde_yaml::from_str(yaml).unwrap(); + assert_eq!(rf.routes.len(), 2); + assert_eq!( + rf.routes["grafana.example.com"].allowed_groups, + vec!["admins", "developers"] + ); + assert!(rf.routes["wiki.example.com"].allowed_groups.is_empty()); + } + + #[test] + fn load_routes_from_file() { + let dir = tempfile::tempdir().unwrap(); + let path = dir.path().join("routes.yaml"); + std::fs::write( + &path, + "routes:\n app.example.com:\n allowed_groups: [\"users\"]\n", + ) + .unwrap(); + let routes = load_routes(path.to_str().unwrap()).unwrap(); + assert_eq!(routes.len(), 1); + assert_eq!(routes["app.example.com"].allowed_groups, vec!["users"]); + } + + #[test] + fn empty_routes_file() { + let dir = tempfile::tempdir().unwrap(); + let path = dir.path().join("routes.yaml"); + std::fs::write(&path, "routes: {}\n").unwrap(); + let routes = load_routes(path.to_str().unwrap()).unwrap(); + assert!(routes.is_empty()); + } + + #[test] + fn invalid_yaml_returns_error() { + let dir = tempfile::tempdir().unwrap(); + let path = dir.path().join("routes.yaml"); + std::fs::write(&path, "not: valid: yaml: [[[").unwrap(); + assert!(load_routes(path.to_str().unwrap()).is_err()); + } + + #[test] + fn missing_file_returns_error() { + assert!(load_routes("/nonexistent/routes.yaml").is_err()); + } + + #[tokio::test] + async fn watch_routes_detects_change() { + let dir = tempfile::tempdir().unwrap(); + let path = dir.path().join("routes.yaml"); + std::fs::write( + &path, + "routes:\n a.example.com:\n allowed_groups: []\n", + ) + .unwrap(); + + let initial = load_routes(path.to_str().unwrap()).unwrap(); + let shared: SharedRoutes = Arc::new(RwLock::new(initial)); + assert_eq!(shared.read().await.len(), 1); + + let watch_path = path.to_str().unwrap().to_string(); + let watch_routes = shared.clone(); + let handle = tokio::spawn(async move { + super::watch_routes(watch_path, watch_routes).await; + }); + + // Let the watcher initialize and read the original content + tokio::time::sleep(std::time::Duration::from_millis(200)).await; + + // Update the file + std::fs::write( + &path, + "routes:\n a.example.com:\n allowed_groups: []\n b.example.com:\n allowed_groups: [\"admins\"]\n", + ) + .unwrap(); + + // Poll interval is 5s; wait up to 12s for the change to be detected + for _ in 0..12 { + tokio::time::sleep(std::time::Duration::from_secs(1)).await; + if shared.read().await.len() == 2 { + break; + } + } + assert_eq!(shared.read().await.len(), 2); + + handle.abort(); + } +} diff --git a/src/session.rs b/src/session.rs new file mode 100644 index 0000000..c8df9f7 --- /dev/null +++ b/src/session.rs @@ -0,0 +1,100 @@ +use crate::crypto::CookieCrypto; +use serde::{Deserialize, Serialize}; + +#[derive(Debug, Serialize, Deserialize)] +pub struct Session { + pub sub: String, + pub username: String, + pub email: String, + pub groups: Vec, + pub exp: i64, + pub iat: i64, + pub refresh_token: Option, +} + +impl Session { + pub fn is_access_expired(&self) -> bool { + now_timestamp() >= self.exp + } + + pub fn encrypt(&self, crypto: &CookieCrypto) -> anyhow::Result { + let json = serde_json::to_vec(self)?; + crypto.encrypt(&json) + } + + pub fn decrypt(crypto: &CookieCrypto, encoded: &str) -> anyhow::Result { + let plaintext = crypto.decrypt(encoded)?; + Ok(serde_json::from_slice(&plaintext)?) + } +} + +pub fn now_timestamp() -> i64 { + std::time::SystemTime::now() + .duration_since(std::time::UNIX_EPOCH) + .unwrap() + .as_secs() as i64 +} + +#[cfg(test)] +mod tests { + use super::*; + use crate::crypto::CookieCrypto; + + fn make_session(exp_offset: i64) -> Session { + Session { + sub: "user-123".into(), + username: "john".into(), + email: "john@example.com".into(), + groups: vec!["admins".into(), "devs".into()], + exp: now_timestamp() + exp_offset, + iat: now_timestamp(), + refresh_token: Some("refresh-tok-xyz".into()), + } + } + + #[test] + fn encrypt_decrypt_preserves_all_fields() { + let crypto = CookieCrypto::new(&[0x42; 32]); + let session = make_session(3600); + let encrypted = session.encrypt(&crypto).unwrap(); + let restored = Session::decrypt(&crypto, &encrypted).unwrap(); + + assert_eq!(restored.sub, "user-123"); + assert_eq!(restored.username, "john"); + assert_eq!(restored.email, "john@example.com"); + assert_eq!(restored.groups, vec!["admins", "devs"]); + assert_eq!(restored.exp, session.exp); + assert_eq!(restored.iat, session.iat); + assert_eq!(restored.refresh_token.as_deref(), Some("refresh-tok-xyz")); + } + + #[test] + fn session_without_refresh_token() { + let crypto = CookieCrypto::new(&[0x42; 32]); + let mut session = make_session(3600); + session.refresh_token = None; + let encrypted = session.encrypt(&crypto).unwrap(); + let restored = Session::decrypt(&crypto, &encrypted).unwrap(); + assert!(restored.refresh_token.is_none()); + } + + #[test] + fn active_session_not_expired() { + let session = make_session(3600); // +1h + assert!(!session.is_access_expired()); + } + + #[test] + fn past_session_is_expired() { + let session = make_session(-1); // 1 second ago + assert!(session.is_access_expired()); + } + + #[test] + fn wrong_key_cannot_decrypt() { + let crypto1 = CookieCrypto::new(&[0x42; 32]); + let crypto2 = CookieCrypto::new(&[0x99; 32]); + let encrypted = make_session(3600).encrypt(&crypto1).unwrap(); + assert!(Session::decrypt(&crypto2, &encrypted).is_err()); + } +}