1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
use crate::error::TelescopeError;
use actix::{Actor, AsyncContext, Context};
use actix_web::HttpRequest;
use chrono::{DateTime, Duration, Utc};
use dashmap::DashMap;
use oauth2::CsrfToken;
use std::sync::Arc;
use std::time::Duration as StdDuration;
fn extract_ip_addr(req: &HttpRequest) -> Result<String, TelescopeError> {
req.connection_info()
.realip_remote_addr()
.map(str::to_string)
.ok_or(TelescopeError::IpExtractionError)
}
lazy_static! {
static ref GLOBAL_CSRF_MAP: Arc<DashMap<(&'static str, String), (CsrfToken, DateTime<Utc>)>> =
Arc::new(DashMap::new());
}
fn global_csrf_map() -> Arc<DashMap<(&'static str, String), (CsrfToken, DateTime<Utc>)>> {
GLOBAL_CSRF_MAP.clone()
}
fn get(idp_name: &'static str, req: &HttpRequest) -> Result<CsrfToken, TelescopeError> {
let ip_addr: String = extract_ip_addr(req)?;
return global_csrf_map()
.get(&(idp_name, ip_addr))
.filter(|record| record.value().1 > Utc::now())
.map(|record| record.value().0.clone())
.ok_or(TelescopeError::CsrfTokenNotFound);
}
pub fn save(
idp_name: &'static str,
req: &HttpRequest,
token: CsrfToken,
) -> Result<(), TelescopeError> {
let ip_addr: String = extract_ip_addr(req)?;
let expiration_time: DateTime<Utc> = Utc::now() + Duration::minutes(10);
global_csrf_map().insert((idp_name, ip_addr), (token, expiration_time));
return Ok(());
}
pub fn verify(
idp_name: &'static str,
req: &HttpRequest,
token: CsrfToken,
) -> Result<(), TelescopeError> {
let actual_token: CsrfToken = get(idp_name, req)?;
let ip_addr: String = extract_ip_addr(req)?;
global_csrf_map().remove(&(idp_name, ip_addr));
return (actual_token.secret() == token.secret())
.then(|| ())
.ok_or(TelescopeError::CsrfTokenMismatch);
}
pub struct CsrfJanitor;
impl CsrfJanitor {
fn call(&self) -> usize {
let remove_keys: Vec<_> = global_csrf_map()
.iter()
.filter(|record| record.value().1 < Utc::now())
.map(|record| record.key().clone())
.collect();
return remove_keys
.iter()
.map(|key| global_csrf_map().remove(key))
.filter(Option::is_some)
.count();
}
}
impl Actor for CsrfJanitor {
type Context = Context<Self>;
fn started(&mut self, ctx: &mut Self::Context) {
info!("CSRF Janitor Started");
let interval: StdDuration = StdDuration::new(20 * 60, 0);
ctx.run_interval(interval, |actor, _| {
info!("Calling CSRF Janitor.");
let removed: usize = actor.call();
info!("CSRF Janitor removed {} expired CSRF tokens.", removed);
});
}
}