Battermann/update rusty jwt tools to deploy 044 (#3348)

Author: battermann

changelog.d/5-internal/pr-3348

@@ -0,0 +1 @@
+Updated rusty-jwt-tools and error mapping

libs/jwt-tools/src/Data/Jwt/Tools.hs

@@ -277,6 +277,50 @@ data DPoPTokenGenerationError
     MissingExpError
   | -- | (exp) claim in DPoP token is larger than supplied [max_expiration]
     ExpMismatchError
-  | -- | (exp) claim in DPoP token is sooner than now (with [max_skew_secs] leeway)
-    ExpError
+  | -- (exp) claim in DPoP token is sooner than now (with [max_skew_secs] leeway)
+    Expired
+  | -- userId supplied across the FFI is invalid
+    InvalidUserId
+  | -- Client DPoP token "nbf" claim is in the future
+    NotYetValid
+  | -- Bubbling up errors
+    JwtSimpleError
+  | -- Bubbling up errors
+    RandError
+  | -- Bubbling up errors
+    Sec1Error
+  | -- Bubbling up errors
+    UrlParseError
+  | -- Bubbling up errors
+    UuidError
+  | -- Bubbling up errors
+    Utf8Error
+  | -- Bubbling up errors
+    Base64DecodeError
+  | -- Bubbling up errors
+    JsonError
+  | -- Bubbling up errors
+    InvalidJsonPath
+  | -- Bubbling up errors
+    JsonPathError
+  | -- Bubbling up errors
+    InvalidJwkThumbprint
+  | -- Bubbling up errors
+    MissingDpopHeader
+  | -- Bubbling up errors
+    MissingIssuer
+  | -- Bubbling up errors
+    DpopChallengeMismatch
+  | -- Bubbling up errors
+    DpopHtuMismatch
+  | -- Bubbling up errors
+    DpopHtmMismatch
+  | -- Bubbling up errors
+    InvalidBackendKeys
+  | -- Bubbling up errors
+    InvalidClientId
+  | -- Bubbling up errors
+    UnsupportedApiVersion
+  | -- Bubbling up errors
+    UnsupportedScope
   deriving (Eq, Show, Generic, Bounded, Enum)

libs/jwt-tools/test/Spec.hs

@@ -68,8 +68,8 @@ main = hspec $ do
       toResult (Just 16) (Just token) `shouldBe` Left MissingExpError
       toResult (Just 17) Nothing `shouldBe` Left ExpMismatchError
       toResult (Just 17) (Just token) `shouldBe` Left ExpMismatchError
-      toResult (Just 18) Nothing `shouldBe` Left ExpError
-      toResult (Just 18) (Just token) `shouldBe` Left ExpError
+      toResult (Just 18) Nothing `shouldBe` Left Expired
+      toResult (Just 18) (Just token) `shouldBe` Left Expired
       toResult Nothing Nothing `shouldBe` Left UnknownError
   where
     token = ""

nix/pkgs/rusty_jwt_tools_ffi/default.nix

@@ -11,8 +11,8 @@ let
   src = fetchFromGitHub {
     owner = "wireapp";
     repo = "rusty-jwt-tools";
-    rev = "v${version}";
-    sha256 = "sha256-awfpyMmDGWLViKI8Pr/BjbfnmFKo4JAcUB0+o6/prOA=";
+    rev = "fc4569c5b84d00a5cc8fc77b450714a5261cd3d9";
+    sha256 = "sha256-cZffVKfH0FzA4Eo7YVxivT3JWTwz9uu1HWhPVlvbYqM=";
   };
   cargoLockFile = builtins.toFile "cargo.lock" (builtins.readFile "${src}/ffi/Cargo.lock");
 
@@ -26,9 +26,7 @@ rustPlatform.buildRustPackage {
     outputHashes = {
       # if any of these need updating, replace / create new key with
       # lib.fakeSha256, rebuild, and replace with actual hash.
-      "biscuit-0.6.0-beta1" = "sha256-j8Pxi2nHgsKz6umroYjwR8sr1xLQAaWdnej5U9+L5ko=";
-      "jwt-simple-0.11.3" = "sha256-kVBTXYtBW9SE6F6nmH71iVc0KKxvpX/axCvMAP1cZvY=";
-      "ring-0.17.0-not-released-yet" = "sha256-9M4lR68r8phscSFw9Xh+CVHnOkilDI0brAdU0tW3xaA=";
+      "jwt-simple-0.11.4" = "sha256-zLKEvL6M7WD7F7HIABqq4b2rmlCS88QXDsj4JhAPe7o=";
     };
   };
 

services/brig/src/Brig/API/Error.hs

@@ -192,7 +192,29 @@ certEnrollmentError (RustError MissingIatError) = StdError $ Wai.mkError status4
 certEnrollmentError (RustError IatError) = StdError $ Wai.mkError status400 "client-token-bad-iat" "(iat) claim in DPoP token is not earlier of now (with max_skew_secs leeway)"
 certEnrollmentError (RustError MissingExpError) = StdError $ Wai.mkError status400 "client-token-exp-missing" "(exp) claim is absent in DPoP token"
 certEnrollmentError (RustError ExpMismatchError) = StdError $ Wai.mkError status400 "client-token-exp-too-large" "(exp) claim in DPoP token is larger than supplied [max_expiration]"
-certEnrollmentError (RustError ExpError) = StdError $ Wai.mkError status400 "client-token-exp-too-small" "(exp) claim in DPoP token is sooner than now (with [max_skew_secs] leeway)"
+certEnrollmentError (RustError Expired) = StdError $ Wai.mkError status400 "client-token-exp-too-small" "(exp) claim in DPoP token is sooner than now (with [max_skew_secs] leeway)"
+certEnrollmentError (RustError InvalidUserId) = StdError $ Wai.mkError status400 "invalid-user-id" "userId supplied across the FFI is invalid"
+certEnrollmentError (RustError NotYetValid) = StdError $ Wai.mkError status400 "not-yet-valid" "Client DPoP token 'nbf' claim is in the future"
+certEnrollmentError (RustError JwtSimpleError) = StdError $ Wai.mkError status400 "jwt-simple-error" "Bubbling up errors"
+certEnrollmentError (RustError RandError) = StdError $ Wai.mkError status400 "rand-error" "Bubbling up errors"
+certEnrollmentError (RustError Sec1Error) = StdError $ Wai.mkError status400 "sec1-error" "Bubbling up errors"
+certEnrollmentError (RustError UrlParseError) = StdError $ Wai.mkError status400 "url-parse-error" "Bubbling up errors"
+certEnrollmentError (RustError UuidError) = StdError $ Wai.mkError status400 "uuid-error" "Bubbling up errors"
+certEnrollmentError (RustError Utf8Error) = StdError $ Wai.mkError status400 "utf8-error" "Bubbling up errors"
+certEnrollmentError (RustError Base64DecodeError) = StdError $ Wai.mkError status400 "base64-decode-error" "Bubbling up errors"
+certEnrollmentError (RustError JsonError) = StdError $ Wai.mkError status400 "json-error" "Bubbling up errors"
+certEnrollmentError (RustError InvalidJsonPath) = StdError $ Wai.mkError status400 "invalid-json-path" "Bubbling up errors"
+certEnrollmentError (RustError JsonPathError) = StdError $ Wai.mkError status400 "json-path-error" "Bubbling up errors"
+certEnrollmentError (RustError InvalidJwkThumbprint) = StdError $ Wai.mkError status400 "invalid-jwk-thumbprint" "Bubbling up errors"
+certEnrollmentError (RustError MissingDpopHeader) = StdError $ Wai.mkError status400 "missing-dpop-header" "Bubbling up errors"
+certEnrollmentError (RustError MissingIssuer) = StdError $ Wai.mkError status400 "missing-issuer" "Bubbling up errors"
+certEnrollmentError (RustError DpopChallengeMismatch) = StdError $ Wai.mkError status400 "dpop-challenge-mismatch" "Bubbling up errors"
+certEnrollmentError (RustError DpopHtuMismatch) = StdError $ Wai.mkError status400 "dpop-htu-mismatch" "Bubbling up errors"
+certEnrollmentError (RustError DpopHtmMismatch) = StdError $ Wai.mkError status400 "dpop-htm-mismatch" "Bubbling up errors"
+certEnrollmentError (RustError InvalidBackendKeys) = StdError $ Wai.mkError status400 "invalid-backend-keys" "Bubbling up errors"
+certEnrollmentError (RustError InvalidClientId) = StdError $ Wai.mkError status400 "invalid-client-id" "Bubbling up errors"
+certEnrollmentError (RustError UnsupportedApiVersion) = StdError $ Wai.mkError status400 "unsupported-api-version" "Bubbling up errors"
+certEnrollmentError (RustError UnsupportedScope) = StdError $ Wai.mkError status400 "unsupported-scope" "Bubbling up errors"
 certEnrollmentError NonceNotFound = StdError $ Wai.mkError status400 "client-token-bad-nonce" "The client sent an unacceptable anti-replay nonce"
 certEnrollmentError MisconfiguredRequestUrl = StdError $ Wai.mkError status500 "misconfigured-request-url" "The request url cannot be derived from optSettings.setFederationDomain in brig.yaml"
 certEnrollmentError KeyBundleError = StdError $ Wai.mkError status404 "no-server-key-bundle" "The key bundle required for the certificate enrollment process could not be found"