Merge pull request #234 from sebadob/prepare-v0.20.2-beta2

Prepare v0.20.2 beta2

CHANGELOG.md

@@ -7,8 +7,67 @@
 This update is not backwards-compatible with any previous version. It will modify the database under the hood
 which makes it incompatible with any previous version. If you need to downgrade for whatever reason, you will
 only be able to do this by applying a database backup from an older version.
+Testing has been done and everything was fine in tests. However, if you are using Rauthy in production, I recommend
+taking a database backup, since any version <= v0.19 will not be working with a v0.20+ database.
+
+### IMPORTANT Upgrade Notes 
+
+If you are upgrading from any earlier version, there is a manual action you need to perform, before you can
+start v0.20.0. If this has not been done, it will simply panic early and not start up. Nothing will get damaged.
+
+The internal encryption of certain values has been changed. Rauthy now uses [cryptr](https://github.com/sebadob/cryptr) to handle these things,
+like mentioned below as well.
+
+However, to make working with encryption keys easier and provide higher entropy, the format has changed.
+You need to convert your currently used `ENC_KEYS` to the new format:
+
+
+**1. Install cryptr - https://github.com/sebadob/cryptr**
+
+If you have Rust available on your system, just execute:
+
+  ```
+  cargo install cryptr --features cli --locked
+  ```
+
+  Otherwise, pre-built binaries do exist:
+
+  Linux: https://github.com/sebadob/cryptr/raw/main/out/cryptr_0.2.2
+
+  Windows: https://github.com/sebadob/cryptr/raw/main/out/cryptr_0.2.2.exe
+
+**2. Execute:**
+
+  ```
+  cryptr keys convert legacy-string
+  ```
+
+**3. Paste your current ENC_KEYS into the command line.**
+
+  For instance, if you have
+  ```
+  ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA"
+  ```
+  in your config, paste
+  ```
+  bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA
+  ```
+
+  If you provide your ENC_KEYS via a Kubernetes secret, you need to do a base64 decode first.
+  For instance, if your secret looks something like this
+  ```
+  ENC_KEYS: YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB
+  ```
+  Then decode via shell or any tool your like:
+  ```
+  echo -n YlZDeVRzR2FnZ1Z5NXlxUS9TOW43b0NlbjUzeFNKTHpjc21mZG5CRHZOcnFRNjNyNCBxNnUyNm9uUnZYVkc0NDI3LzNDRUM4UkpXQmNNa3JCTWtSWGd4NjVBbUpzTlRnaFNB | base64 -d
+  ```
+  ... and paste the decoded value into cryptr
+
+**4. cryptr will output the correct format for either usage in config or as kubernetes secret again**
+
+**5. Paste the new format into your Rauthy config / secret and restart.**
 
-TODO: Add guide how to convert ENC_KEYS with cryptr
 
 ### Encrypted SQLite backups to S3 storage
 
@@ -83,9 +142,9 @@ The new scope `address` adds:
 - new admin UI section to fetch and filter archived events.
 [ece73bb](https://github.com/sebadob/rauthy/commit/ece73bb38878d8d189d52855845c63fa729cae2a)
 - backend + frontend dependencies have been updated to the latest versions everywhere
-- The internal encryption handling has been changed to a new project of mine called [cryptr](https://github.com/sebadob/cryptr)
+- The internal encryption handling has been changed to a new project of mine called [cryptr](https://github.com/sebadob/cryptr).  
 This makes the whole value encryption way easier, more stable and future proof, because values have their own
-tiny header data with the minimal amount of information needed. This makes not only encryption key rotations,
+tiny header data with the minimal amount of information needed. It not only simplifies encryption key rotations,
 but also even encryption algorithm encryptions really easy in the future.
 [d6c224e](https://github.com/sebadob/rauthy/commit/d6c224e98198c155d7df83c25edc5c97ab590d2a)
 [c3df3ce](https://github.com/sebadob/rauthy/commit/c3df3cedbdff4a2a9dd592aac65ae21e5cd67385)

Cargo.toml

@@ -11,7 +11,7 @@ members = [
 exclude = ["rauthy-client"]
 
 [workspace.package]
-version = "0.20.0-beta1"
+version = "0.20.0-beta2"
 edition = "2021"
 authors = ["Sebastian Dobe <sebastiandobe@mailbox.org>"]
 license = "Apache-2.0"

frontend/src/components/admin/ContentWrapper.svelte

@@ -3,17 +3,13 @@
 
     export let eventsCollapsed = true;
     export let eventsWide = false;
-
-    const tDur = 100;
 </script>
 
 <div
         class="content"
         class:mr={!eventsCollapsed && !eventsWide}
         class:mrCollapsed={eventsCollapsed && !eventsWide}
         class:mrWide={!eventsCollapsed && eventsWide}
-        in:fade={{delay: tDur * 2, duration: tDur}}
-        out:fade={{duration: tDur}}
 >
     <slot></slot>
 </div>

rauthy-handlers/src/generic.rs

@@ -192,6 +192,16 @@ pub async fn get_admin_docs_html(data: web::Data<AppState>) -> Result<HttpRespon
     Ok(HttpResponse::Ok().insert_header(HEADER_HTML).body(body))
 }
 
+#[get("/admin/events")]
+pub async fn get_admin_events_html(
+    data: web::Data<AppState>,
+) -> Result<HttpResponse, ErrorResponse> {
+    let colors = ColorEntity::find_rauthy(&data).await?;
+    let body = AdminUsersHtml::build(&colors);
+
+    Ok(HttpResponse::Ok().insert_header(HEADER_HTML).body(body))
+}
+
 #[get("/admin/groups")]
 pub async fn get_admin_groups_html(
     data: web::Data<AppState>,

rauthy-handlers/src/openapi.rs

@@ -182,7 +182,11 @@ use utoipa::{openapi, OpenApi};
             request::WebauthnAuthStartRequest,
             request::WebauthnAuthFinishRequest,
             request::WebIdRequest,
+            request::WhoamiRequestParam,
+            request::WhoamiRequestParams,
 
+            response::ApiKeyResponse,
+            response::ApiKeysResponse,
             response::AppVersionResponse,
             response::BlacklistResponse,
             response::BlacklistedIp,
@@ -213,6 +217,7 @@ use utoipa::{openapi, OpenApi};
 
             rauthy_models::AddressClaim,
             rauthy_models::JktClaim,
+            rauthy_models::JwtTokenType,
             token_set::TokenSet,
         ),
     ),

rauthy-main/src/main.rs

@@ -506,6 +506,7 @@ async fn actix_main(app_state: web::Data<AppState>) -> std::io::Result<()> {
                             .service(generic::get_admin_clients_html)
                             .service(generic::get_admin_config_html)
                             .service(generic::get_admin_docs_html)
+                            .service(generic::get_admin_events_html)
                             .service(generic::get_admin_groups_html)
                             .service(generic::get_admin_roles_html)
                             .service(generic::get_admin_scopes_html)
@@ -685,7 +686,7 @@ async fn v20_migrate_to_cryptr(app_state: &Data<AppState>) -> Result<(), ErrorRe
             continue;
         }
 
-        let kid = client.secret_kid.as_ref().unwrap();
+        let kid = client.secret_kid.as_ref().unwrap_or(&keys.enc_key_active);
         let key = keys.get_key(kid)?;
 
         let dec = decrypt_legacy(client.secret.as_ref().unwrap(), key)?;

rauthy-models/src/entity/clients.rs

@@ -487,8 +487,10 @@ impl Client {
     #[inline]
     pub fn generate_new_secret() -> Result<(String, Vec<u8>), ErrorResponse> {
         let rnd = utils::secure_random_alnum(64);
-        let rnd_enc = EncValue::encrypt(rnd.as_bytes())?.into_bytes().to_vec();
-        Ok((rnd, rnd_enc))
+        let enc_value = EncValue::encrypt(rnd.as_bytes())?;
+        let kid = enc_value.header.enc_key_id.clone();
+        let enc = enc_value.into_bytes().to_vec();
+        Ok((kid, enc))
     }
 
     #[inline]

rauthy-models/src/lib.rs

@@ -208,7 +208,7 @@ pub struct JwtRefreshClaims {
     pub cnf: Option<JktClaim>,
 }
 
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, ToSchema)]
 pub enum JwtTokenType {
     Bearer,
     DPoP,

rauthy-models/src/request.rs

@@ -723,12 +723,12 @@ pub struct WebIdRequest {
     pub expose_email: bool,
 }
 
-#[derive(Debug, Deserialize, Validate, IntoParams)]
+#[derive(Debug, Deserialize, Validate, IntoParams, ToSchema)]
 pub struct WhoamiRequestParams {
     pub typ: Option<WhoamiRequestParam>,
 }
 
-#[derive(Debug, PartialEq, Deserialize)]
+#[derive(Debug, PartialEq, Deserialize, ToSchema)]
 #[serde(rename_all = "lowercase")]
 pub enum WhoamiRequestParam {
     Ip,

rauthy-models/src/templates.rs

@@ -683,6 +683,53 @@ impl AdminDocsHtml<'_> {
     }
 }
 
+#[derive(Default, Template)]
+#[template(path = "html/admin/events.html")]
+pub struct AdminEventsHtml<'a> {
+    pub lang: &'a str,
+    pub csrf_token: &'a str,
+    pub data: &'a str,
+    pub action: &'a str,
+    pub col_act1: &'a str,
+    pub col_act1a: &'a str,
+    pub col_act2: &'a str,
+    pub col_act2a: &'a str,
+    pub col_acnt: &'a str,
+    pub col_acnta: &'a str,
+    pub col_ok: &'a str,
+    pub col_err: &'a str,
+    pub col_glow: &'a str,
+    pub col_gmid: &'a str,
+    pub col_ghigh: &'a str,
+    pub col_text: &'a str,
+    pub col_bg: &'a str,
+    pub i18n: String,
+}
+
+impl AdminEventsHtml<'_> {
+    pub fn build(colors: &Colors) -> String {
+        let res = AdminEventsHtml {
+            lang: "en",
+            col_act1: &colors.act1,
+            col_act1a: &colors.act1a,
+            col_act2: &colors.act2,
+            col_act2a: &colors.act2a,
+            col_acnt: &colors.acnt,
+            col_acnta: &colors.acnta,
+            col_ok: &colors.ok,
+            col_err: &colors.err,
+            col_glow: &colors.glow,
+            col_gmid: &colors.gmid,
+            col_ghigh: &colors.ghigh,
+            col_text: &colors.text,
+            col_bg: &colors.bg,
+            ..Default::default()
+        };
+
+        res.render().unwrap()
+    }
+}
+
 #[derive(Default, Template)]
 #[template(path = "html/admin/groups.html")]
 pub struct AdminGroupsHtml<'a> {