diff --git a/server/core/src/https/errors.rs b/server/core/src/https/errors.rs
index d6c08b253..10ce8f228 100644
--- a/server/core/src/https/errors.rs
+++ b/server/core/src/https/errors.rs
@@ -1,9 +1,9 @@
 //! Where we hide the error handling widgets
 //!
+use axum::http::header::ACCESS_CONTROL_ALLOW_ORIGIN;
+use axum::http::{HeaderValue, StatusCode};
 use axum::response::{IntoResponse, Response};
-use http::header::ACCESS_CONTROL_ALLOW_ORIGIN;
-use http::{HeaderValue, StatusCode};
 use kanidm_proto::v1::OperationError;
 use utoipa::ToSchema;
diff --git a/server/core/src/https/generic.rs b/server/core/src/https/generic.rs
index e9fcbd2e7..e8e5f95c9 100644
--- a/server/core/src/https/generic.rs
+++ b/server/core/src/https/generic.rs
@@ -1,8 +1,8 @@
 use axum::extract::State;
+use axum::http::header::CONTENT_TYPE;
 use axum::response::IntoResponse;
 use axum::routing::get;
 use axum::{Extension, Router};
-use http::header::CONTENT_TYPE;
 use kanidmd_lib::status::StatusRequestEvent;
 use super::middleware::KOpId;
diff --git a/server/core/src/https/manifest.rs b/server/core/src/https/manifest.rs
index f5110b7d5..b4b2c2c57 100644
--- a/server/core/src/https/manifest.rs
+++ b/server/core/src/https/manifest.rs
@@ -1,10 +1,10 @@
 //! Builds a Progressive Web App Manifest page.
 use axum::extract::State;
+use axum::http::header::CONTENT_TYPE;
+use axum::http::HeaderValue;
 use axum::response::{IntoResponse, Response};
 use axum::Extension;
-use http::header::CONTENT_TYPE;
-use http::HeaderValue;
 use serde::{Deserialize, Serialize};
 use serde_with::skip_serializing_none;
diff --git a/server/core/src/https/middleware/caching.rs b/server/core/src/https/middleware/caching.rs
index 45b60e7e9..7276bc3fb 100644
--- a/server/core/src/https/middleware/caching.rs
+++ b/server/core/src/https/middleware/caching.rs
@@ -1,6 +1,6 @@
 use axum::{
 headers::{CacheControl, HeaderMapExt},
- http::{self, Request},
+ http::{header, HeaderValue, Request},
 middleware::Next,
 response::Response,
 };
@@ -9,13 +9,12 @@ use axum::{
 pub async fn dont_cache_me(request: Request, next: Next) -> Response {
 let mut response = next.run(request).await;
 response.headers_mut().insert(
- http::header::CACHE_CONTROL,
- http::HeaderValue::from_static("no-store no-cache max-age=0"),
- );
- response.headers_mut().insert(
- http::header::PRAGMA,
- http::HeaderValue::from_static("no-cache"),
+ header::CACHE_CONTROL,
+ HeaderValue::from_static("no-store no-cache max-age=0"),
 );
+ response
+ .headers_mut()
+ .insert(header::PRAGMA, HeaderValue::from_static("no-cache"));
 response
 }
@@ -28,10 +27,9 @@ pub async fn cache_me(request: Request, next: Next) -> Response {
 .with_private();
 response.headers_mut().typed_insert(cache_header);
- response.headers_mut().insert(
- http::header::PRAGMA,
- http::HeaderValue::from_static("no-cache"),
- );
+ response
+ .headers_mut()
+ .insert(header::PRAGMA, HeaderValue::from_static("no-cache"));
 response
 }
diff --git a/server/core/src/https/middleware/hsts_header.rs b/server/core/src/https/middleware/hsts_header.rs
index 0ac101591..0981ee867 100644
--- a/server/core/src/https/middleware/hsts_header.rs
+++ b/server/core/src/https/middleware/hsts_header.rs
@@ -1,7 +1,6 @@
-use axum::http::Request;
+use axum::http::{header, HeaderValue, Request};
 use axum::middleware::Next;
 use axum::response::Response;
-use http::HeaderValue;
 const HSTS_HEADER: &str = "max-age=86400";
@@ -11,7 +10,7 @@ pub async fn strict_transport_security_layer(request: Request, next: Next<
 // add the header
 response.headers_mut().insert(
- http::header::STRICT_TRANSPORT_SECURITY,
+ header::STRICT_TRANSPORT_SECURITY,
 HeaderValue::from_static(HSTS_HEADER),
 );
diff --git a/server/core/src/https/middleware/mod.rs b/server/core/src/https/middleware/mod.rs
index 37b589e04..296581508 100644
--- a/server/core/src/https/middleware/mod.rs
+++ b/server/core/src/https/middleware/mod.rs
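Review bot: The Cache-Control value set in `dont_cache_me`, `"no-store no-cache max-age=0"`, separates its directives with spaces, but the header is defined as a comma-separated list, so a cache may not recognise the value as written and the no-store intent for these responses is not reliably conveyed. This commit only shortens the import paths and carries the string over unchanged; the added line should read `HeaderValue::from_static("no-store, no-cache, max-age=0"),`. The `cache_me` hunk below it also sets `Pragma: no-cache` next to a typed cache header that, judging by the visible `.with_private()`, appears to allow private caching; the builder itself is outside the hunk, so a one-line comment stating whether that combination is intended would help the next reader.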
@@ -1,11 +1,10 @@
 use axum::{
 headers::{authorization::Bearer, Authorization},
- http::{self, Request},
+ http::{HeaderValue, Request},
 middleware::Next,
 response::Response,
 TypedHeader,
 };
-use http::HeaderValue;
 use kanidm_proto::constants::{KOPID, KVERSION};
 use uuid::Uuid;
 pub(crate) mod caching;
@@ -44,9 +43,9 @@ pub async fn are_we_json_yet(request: Request, next: Next) -> Response
 if uri.starts_with("/v1") && response.status().is_success() {
 let headers = response.headers();
- assert!(headers.contains_key(http::header::CONTENT_TYPE));
+ assert!(headers.contains_key(axum::http::header::CONTENT_TYPE));
 assert!(
- headers.get(http::header::CONTENT_TYPE)
+ headers.get(axum::http::header::CONTENT_TYPE)
 == Some(&HeaderValue::from_static(
 kanidm_proto::constants::APPLICATION_JSON
 ))
diff --git a/server/core/src/https/middleware/security_headers.rs b/server/core/src/https/middleware/security_headers.rs
index 88d244d1a..6e58911c3 100644
--- a/server/core/src/https/middleware/security_headers.rs
+++ b/server/core/src/https/middleware/security_headers.rs
@@ -1,9 +1,9 @@
 use axum::extract::State;
+use axum::http::header;
+use axum::http::HeaderValue;
 use axum::http::Request;
 use axum::middleware::Next;
 use axum::response::Response;
-use http::header::X_CONTENT_TYPE_OPTIONS;
-use http::HeaderValue;
 use crate::https::ServerState;
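Review bot: The two `assert!` calls in `are_we_json_yet` panic inside the response path whenever a successful `/v1` response does not carry a `Content-Type` of `APPLICATION_JSON`, so a single handler returning another type aborts the request after the work has already been done. The function's opening lines and any `cfg` attribute on it are outside this hunk; if the layer is not restricted to debug builds, switch to `debug_assert!` or log the mismatch together with the URI instead of panicking. The first assertion is also redundant, because `headers.get(..) == Some(..)` is already false when the key is absent. Importing `header` as the sibling middleware files now do would let both lines read `header::CONTENT_TYPE`.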
@@ -20,14 +20,14 @@ pub async fn security_headers_layer(
 // add the Content-Security-Policy header, which defines how contact will be accessed/run based on the source URL
 let headers = response.headers_mut();
- headers.insert(http::header::CONTENT_SECURITY_POLICY, state.csp_header);
+ headers.insert(header::CONTENT_SECURITY_POLICY, state.csp_header);
 // X-Content-Type-Options tells the browser if it's OK to "sniff" or guess the content type of a response
 //
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 // https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
 headers.insert(
- X_CONTENT_TYPE_OPTIONS,
+ header::X_CONTENT_TYPE_OPTIONS,
 HeaderValue::from_static(X_CONTENT_TYPE_OPTIONS_VALUE),
 );
@@ -44,7 +44,7 @@ pub async fn security_headers_layer(
 // https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 headers.insert(
- http::header::REFERRER_POLICY,
+ header::REFERRER_POLICY,
 HeaderValue::from_static("no-referrer-when-downgrade"),
 );
diff --git a/server/core/src/https/mod.rs b/server/core/src/https/mod.rs
index 584c24a88..d18ce8acd 100644
--- a/server/core/src/https/mod.rs
+++ b/server/core/src/https/mod.rs
@@ -19,6 +19,7 @@ use crate::actors::v1_read::QueryServerReadV1;
 use crate::actors::v1_write::QueryServerWriteV1;
 use crate::config::{Configuration, ServerRole, TlsConfiguration};
 use axum::extract::connect_info::{IntoMakeServiceWithConnectInfo, ResponseFuture};
+use axum::http::{HeaderMap, HeaderValue};
 use axum::middleware::{from_fn, from_fn_with_state};
 use axum::response::Redirect;
 use axum::routing::*;
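Review bot: The Referrer-Policy kept in the last `security_headers_layer` hunk, `"no-referrer-when-downgrade"`, sends the full URL, query string included, to every HTTPS destination, cross-origin ones as well. This server also hosts OAuth2 authorisation endpoints, whose request URLs can carry values that should not reach third parties through the `Referer` header; whether any such page links to or loads content from another origin is not visible in this diff. Consider `HeaderValue::from_static("strict-origin-when-cross-origin"),` or `"no-referrer"` on that line. In the first hunk, the comment above the CSP insert reads "how contact will be accessed", which presumably should say "content".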
@@ -27,7 +28,6 @@ use axum_csp::{CspDirectiveType, CspValue};
 use axum_macros::FromRef;
 use compact_jwt::{JwsCompact, JwsHs256Signer, JwsVerifier};
 use hashbrown::HashMap;
-use http::{HeaderMap, HeaderValue};
 use hyper::server::accept::Accept;
 use hyper::server::conn::{AddrStream, Http};
 use kanidm_proto::constants::KSESSIONID;
diff --git a/server/core/src/https/oauth2.rs b/server/core/src/https/oauth2.rs
index 76785f871..2be4a4987 100644
--- a/server/core/src/https/oauth2.rs
+++ b/server/core/src/https/oauth2.rs
@@ -2,17 +2,17 @@ use super::errors::WebError;
 use super::middleware::KOpId;
 use super::ServerState;
 use axum::extract::{Path, Query, State};
+use axum::http::header::{
+ ACCESS_CONTROL_ALLOW_HEADERS, ACCESS_CONTROL_ALLOW_ORIGIN, AUTHORIZATION, CONTENT_TYPE,
+ LOCATION, WWW_AUTHENTICATE,
+};
+use axum::http::{HeaderMap, HeaderValue, StatusCode};
 use axum::middleware::from_fn;
 use axum::response::{IntoResponse, Response};
 use axum::routing::{get, post};
 use axum::{Extension, Form, Json, Router};
 use axum_macros::debug_handler;
 use compact_jwt::{JwkKeySet, OidcToken};
-use http::header::{
- ACCESS_CONTROL_ALLOW_HEADERS, ACCESS_CONTROL_ALLOW_ORIGIN, AUTHORIZATION, CONTENT_TYPE,
- LOCATION, WWW_AUTHENTICATE,
-};
-use http::{HeaderMap, HeaderValue, StatusCode};
 use hyper::Body;
 use kanidm_proto::constants::uri::{
 OAUTH2_AUTHORISE, OAUTH2_AUTHORISE_PERMIT, OAUTH2_AUTHORISE_REJECT,
diff --git a/server/core/src/https/trace.rs b/server/core/src/https/trace.rs
index b0a6ed82f..bd10b7f12 100644
--- a/server/core/src/https/trace.rs
+++ b/server/core/src/https/trace.rs
@@ -1,6 +1,6 @@
 //! Reimplementation of tower-http's DefaultMakeSpan that only runs at "INFO" level for our own needs.
-use http::Request;
+use axum::http::Request;
 use kanidm_proto::constants::KOPID;
 use sketching::event_dynamic_lvl;
 use tower_http::LatencyUnit;
diff --git a/server/core/src/https/ui.rs b/server/core/src/https/ui.rs
index 2befbd7b6..0ff4b28b8 100644
--- a/server/core/src/https/ui.rs
+++ b/server/core/src/https/ui.rs
@@ -1,9 +1,9 @@
 use axum::extract::State;
+use axum::http::header::CONTENT_TYPE;
 use axum::http::HeaderValue;
 use axum::response::Response;
 use axum::routing::get;
 use axum::{Extension, Router};
-use http::header::CONTENT_TYPE;
 use super::middleware::KOpId;
 use super::ServerState;
diff --git a/server/core/src/https/v1.rs b/server/core/src/https/v1.rs
index b5e390710..1b56f4e6d 100644
--- a/server/core/src/https/v1.rs
+++ b/server/core/src/https/v1.rs
@@ -1,12 +1,12 @@
 //! The V1 API things!
 use axum::extract::{Path, Query, State};
+use axum::http::{HeaderMap, HeaderValue};
 use axum::middleware::from_fn;
 use axum::response::{IntoResponse, Response};
 use axum::routing::{delete, get, post, put};
 use axum::{Extension, Json, Router};
 use compact_jwt::{Jws, JwsSigner};
-use http::{HeaderMap, HeaderValue};
 use kanidm_proto::constants::uri::V1_AUTH_VALID;
 use serde::{Deserialize, Serialize};
 use std::net::IpAddr;
diff --git a/server/lib/src/idm/oauth2.rs b/server/lib/src/idm/oauth2.rs
index 760a410ec..f9d0e07bf 100644
--- a/server/lib/src/idm/oauth2.rs
+++ b/server/lib/src/idm/oauth2.rs
@@ -1361,8 +1361,8 @@ impl<'a> IdmServerProxyReadTransaction<'a> {
 let failed_scopes = req_scopes
 .iter()
+ .filter(|&s| !OAUTHSCOPE_RE.is_match(s))
 .cloned()
- .filter(|s| !OAUTHSCOPE_RE.is_match(s))
 .collect::>();
 if !failed_scopes.is_empty() {
 let requested_scopes_string = req_scopes