Merge branch 'main' into aumetra/case-insensitive-usernames

Cargo.toml

@@ -30,6 +30,7 @@ members = [
     "crates/kitsune-language",
     "crates/kitsune-messaging",
     "crates/kitsune-observability",
+    "crates/kitsune-oidc",
     "crates/kitsune-retry-policies",
     "crates/kitsune-search",
     "crates/kitsune-storage",

crates/kitsune-cache/src/redis.rs

@@ -28,7 +28,6 @@ impl<K, V> Redis<K, V>
 where
     K: ?Sized,
 {
-    #[allow(clippy::missing_panics_doc)] // All invariants covered. Won't panic.
     pub fn new<P>(redis_conn: deadpool_redis::Pool, prefix: P, ttl: Duration) -> Self
     where
         P: Into<String>,

crates/kitsune-config/src/lib.rs

@@ -39,7 +39,7 @@ pub struct MCaptchaConfiguration {
 }
 
 #[derive(Clone, Deserialize, Serialize)]
-#[serde(rename_all = "camelCase", tag = "type")]
+#[serde(rename_all = "lowercase", tag = "type")]
 pub enum CaptchaConfiguration {
     HCaptcha(HCaptchaConfiguration),
     MCaptcha(MCaptchaConfiguration),
@@ -93,9 +93,23 @@ pub struct JobQueueConfiguration {
     pub num_workers: NonZeroUsize,
 }
 
+#[derive(Clone, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub struct OidcRedisStoreConfiguration {
+    pub url: SmolStr,
+}
+
+#[derive(Clone, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case", tag = "type")]
+pub enum OidcStoreConfiguration {
+    InMemory,
+    Redis(OidcRedisStoreConfiguration),
+}
+
 #[derive(Clone, Deserialize, Serialize)]
 #[serde(rename_all = "kebab-case")]
 pub struct OidcConfiguration {
+    pub store: OidcStoreConfiguration,
     pub server_url: SmolStr,
     pub client_id: SmolStr,
     pub client_secret: SmolStr,

crates/kitsune-core/Cargo.toml

@@ -17,7 +17,7 @@ autometrics = { version = "0.6.0", default-features = false, features = [
 base64-simd = "0.8.0"
 bytes = "1.5.0"
 const_format = "0.2.32"
-deadpool-redis = { version = "0.13.0", default-features = false }
+deadpool-redis = "0.13.0"
 derive_builder = "0.12.0"
 diesel = "2.1.3"
 diesel-async = { version = "0.4.1", features = ["postgres"] }

crates/kitsune-embed/Cargo.toml

@@ -12,7 +12,7 @@ iso8601-timestamp = "0.2.12"
 kitsune-db = { path = "../kitsune-db" }
 kitsune-http-client = { path = "../kitsune-http-client" }
 once_cell = "1.18.0"
-scraper = { version = "0.18.0", default-features = false }
+scraper = { version = "0.18.1", default-features = false }
 smol_str = "0.2.0"
 thiserror = "1.0.50"
 typed-builder = "0.18.0"

crates/kitsune-oidc/Cargo.toml

@@ -0,0 +1,26 @@
+[package]
+name = "kitsune-oidc"
+edition.workspace = true
+version.workspace = true
+
+[dependencies]
+async-trait = "0.1.74"
+deadpool-redis = "0.13.0"
+enum_dispatch = "0.3.12"
+http = "0.2.9"
+hyper = "0.14.27"
+kitsune-config = { path = "../kitsune-config" }
+kitsune-http-client = { path = "../kitsune-http-client" }
+moka = { version = "0.12.1", features = ["sync"] }
+once_cell = "1.18.0"
+openidconnect = { version = "3.4.0", default-features = false, features = [
+    # Accept these two, per specification invalid, cases to increase compatibility
+    "accept-rfc3339-timestamps",
+    "accept-string-booleans",
+] }
+redis = "0.23.3"
+serde = { version = "1.0.190", features = ["derive"] }
+simd-json = "0.13.4"
+speedy-uuid = { path = "../../lib/speedy-uuid", features = ["serde"] }
+thiserror = "1.0.50"
+url = "2.4.1"

crates/kitsune-oidc/src/error.rs

@@ -0,0 +1,61 @@
+use openidconnect::{
+    core::CoreErrorResponseType, ClaimsVerificationError, DiscoveryError, RequestTokenError,
+    SigningError, StandardErrorResponse,
+};
+use thiserror::Error;
+
+pub type Result<T, E = Error> = std::result::Result<T, E>;
+
+#[derive(Debug, Error)]
+pub enum Error {
+    #[error(transparent)]
+    ClaimsVerification(#[from] ClaimsVerificationError),
+
+    #[error(transparent)]
+    CreateRedisPool(#[from] deadpool_redis::CreatePoolError),
+
+    #[error(transparent)]
+    Discovery(#[from] DiscoveryError<kitsune_http_client::Error>),
+
+    #[error(transparent)]
+    JsonParse(#[from] simd_json::Error),
+
+    #[error("Missing Email address")]
+    MissingEmail,
+
+    #[error("Mismatching hash")]
+    MismatchingHash,
+
+    #[error("Missing ID token")]
+    MissingIdToken,
+
+    #[error("Missing login state")]
+    MissingLoginState,
+
+    #[error("Missing username")]
+    MissingUsername,
+
+    #[error(transparent)]
+    Redis(#[from] redis::RedisError),
+
+    #[error(transparent)]
+    RedisPool(#[from] deadpool_redis::PoolError),
+
+    #[error(transparent)]
+    RequestToken(
+        #[from]
+        RequestTokenError<
+            kitsune_http_client::Error,
+            StandardErrorResponse<CoreErrorResponseType>,
+        >,
+    ),
+
+    #[error(transparent)]
+    Signing(#[from] SigningError),
+
+    #[error("Unknown CSRF token")]
+    UnknownCsrfToken,
+
+    #[error(transparent)]
+    UrlParse(#[from] url::ParseError),
+}

crates/kitsune-oidc/src/http.rs

@@ -0,0 +1,20 @@
+use http::Request;
+use hyper::Body;
+use kitsune_http_client::Client as HttpClient;
+use once_cell::sync::Lazy;
+use openidconnect::{HttpRequest, HttpResponse};
+
+static HTTP_CLIENT: Lazy<HttpClient> = Lazy::new(HttpClient::default);
+
+pub async fn async_client(req: HttpRequest) -> Result<HttpResponse, kitsune_http_client::Error> {
+    let mut request = Request::builder().method(req.method).uri(req.url.as_str());
+    *request.headers_mut().unwrap() = req.headers;
+    let request = request.body(Body::from(req.body)).unwrap();
+    let response = HTTP_CLIENT.execute(request).await?;
+
+    Ok(HttpResponse {
+        status_code: response.status(),
+        headers: response.headers().clone(),
+        body: response.bytes().await?.to_vec(),
+    })
+}