1 files changed, 51 insertions, 11 deletions

diff --git a/rust/src/lib.rs b/rust/src/lib.rs
index 0bed3471..b3e6c813 100644
--- a/rust/src/lib.rs
+++ b/rust/src/lib.rs
@@ -11,11 +11,10 @@ extern crate futures;
 extern crate uuid;
 #[macro_use]
 extern crate hyper;
-//extern crate swagger;
+extern crate swagger;
 #[macro_use]
 extern crate error_chain;
 extern crate iron;
-#[macro_use]
 extern crate serde_json;
 #[macro_use]
 extern crate log;
@@ -23,12 +22,14 @@ extern crate data_encoding;
 extern crate regex;
 #[macro_use]
 extern crate lazy_static;
+extern crate macaroon;
 extern crate sha1;
 
 pub mod api_entity_crud;
 pub mod api_helpers;
 pub mod api_server;
 pub mod api_wrappers;
+pub mod auth;
 pub mod database_models;
 pub mod database_schema;
 
@@ -41,6 +42,8 @@ pub mod errors {
                         Uuid(::uuid::ParseError);
                         Io(::std::io::Error) #[cfg(unix)];
                         Serde(::serde_json::Error);
+                        Utf8Decode(::std::string::FromUtf8Error);
+                        StringDecode(::data_encoding::DecodeError);
         }
         errors {
             InvalidFatcatId(id: String) {
@@ -71,6 +74,14 @@ pub mod errors {
                 description("Invalid Entity State Transform")
                 display("tried to mutate an entity which was not in an appropriate state: {}", message)
             }
+            InvalidCredentials(message: String) {
+                description("auth token was missing, expired, revoked, or corrupt")
+                display("auth token was missing, expired, revoked, or corrupt: {}", message)
+            }
+            InsufficientPrivileges(message: String) {
+                description("editor account doesn't have authorization")
+                display("editor account doesn't have authorization: {}", message)
+            }
             OtherBadRequest(message: String) {
                 description("catch-all error for bad or unallowed requests")
                 display("broke a constraint or made an otherwise invalid request: {}", message)
@@ -83,8 +94,8 @@ pub mod errors {
 pub use errors::*;
 
 pub use self::errors::*;
+use auth::AuthConfectionary;
 use diesel::pg::PgConnection;
-use diesel::prelude::*;
 use diesel::r2d2::ConnectionManager;
 use dotenv::dotenv;
 use iron::middleware::AfterMiddleware;
@@ -96,14 +107,38 @@ embed_migrations!("../migrations/");
 
 pub type ConnectionPool = diesel::r2d2::Pool<ConnectionManager<diesel::pg::PgConnection>>;
 
-/// Establish a direct database connection. Not currently used, but could be helpful for
-/// single-threaded tests or utilities.
-pub fn establish_connection() -> PgConnection {
+/// Instantiate a new API server with a pooled database connection
+pub fn database_worker_pool() -> Result<ConnectionPool> {
     dotenv().ok();
-
     let database_url = env::var("DATABASE_URL").expect("DATABASE_URL must be set");
-    PgConnection::establish(&database_url)
-        .unwrap_or_else(|_| panic!("Error connecting to {}", database_url))
+    let manager = ConnectionManager::<PgConnection>::new(database_url);
+    let pool = diesel::r2d2::Pool::builder()
+        .build(manager)
+        .expect("Failed to create database pool.");
+    Ok(pool)
+}
+
+pub fn env_confectionary() -> Result<AuthConfectionary> {
+    let auth_location = env::var("AUTH_LOCATION").expect("AUTH_LOCATION must be set");
+    let auth_key = env::var("AUTH_SECRET_KEY").expect("AUTH_SECRET_KEY must be set");
+    let auth_key_ident = env::var("AUTH_KEY_IDENT").expect("AUTH_KEY_IDENT must be set");
+    info!("Loaded primary auth key: {}", auth_key_ident);
+    let mut confectionary = AuthConfectionary::new(auth_location, auth_key_ident, auth_key)?;
+    match env::var("AUTH_ALT_KEYS") {
+        Ok(var) => {
+            for pair in var.split(",") {
+                let pair: Vec<&str> = pair.split(":").collect();
+                if pair.len() != 2 {
+                    println!("{:#?}", pair);
+                    bail!("couldn't parse keypair from AUTH_ALT_KEYS (expected 'ident:key' pairs separated by commas)");
+                }
+                info!("Loading alt auth key: {}", pair[0]);
+                confectionary.add_keypair(pair[0].to_string(), pair[1].to_string())?;
+            }
+        }
+        Err(_) => (),
+    }
+    Ok(confectionary)
 }
 
 /// Instantiate a new API server with a pooled database connection
@@ -114,7 +149,11 @@ pub fn server() -> Result<api_server::Server> {
     let pool = diesel::r2d2::Pool::builder()
         .build(manager)
         .expect("Failed to create database pool.");
-    Ok(api_server::Server { db_pool: pool })
+    let confectionary = env_confectionary()?;
+    Ok(api_server::Server {
+        db_pool: pool,
+        auth_confectionary: confectionary,
+    })
 }
 
 pub fn test_server() -> Result<api_server::Server> {
@@ -122,7 +161,8 @@ pub fn test_server() -> Result<api_server::Server> {
     let database_url = env::var("TEST_DATABASE_URL").expect("TEST_DATABASE_URL must be set");
     env::set_var("DATABASE_URL", database_url);
 
-    let server = server()?;
+    let mut server = server()?;
+    server.auth_confectionary = AuthConfectionary::new_dummy();
     let conn = server.db_pool.get().expect("db_pool error");
 
     // run migrations; revert latest (dummy data); re-run latest