-
Notifications
You must be signed in to change notification settings - Fork 225
/
authenticator.go
413 lines (368 loc) · 11.3 KB
/
authenticator.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
package gcp
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"strings"
"time"
kms "cloud.google.com/go/kms/apiv1"
"github.com/NYTimes/gizmo/auth"
"github.com/go-kit/kit/log"
"github.com/pkg/errors"
"golang.org/x/oauth2"
kmsv1 "google.golang.org/genproto/googleapis/cloud/kms/v1"
)
type (
// Authenticator leans on Google's OAuth user flow to capture a Google Identity JWS
// and use it in a local, short lived HTTP cookie. The `Middleware` function manages
// login redirects, OAuth callbacks, dropping the HTTP cookie and adding the JWS
// claims information to the request context. User information and the JWS token can
// be retrieved from the context via GetInfo function.
// The Authenticator can also be used for checking service-to-service authentication
// via an Authorization header containing a Google Identity JWS, which can be
// generated using this package's IdentityTokenSource.
// The user state in the web login flow is encrypted using Google KMS. Ensure the
// service account being used has permissions to encrypt and decrypt.
Authenticator struct {
cfg AuthenticatorConfig
secureCookie bool
cookieDomain string
callbackPath string
keyName string
keys *kms.KeyManagementClient
verifier *auth.Verifier
}
// AuthenticatorConfig encapsulates the needs of the Authenticator.
AuthenticatorConfig struct {
// CookieName will be used for the local HTTP cookie name.
CookieName string
// KMSKeyName is used by a Google KMS client for encrypting and decrypting state
// tokens within the oauth exchange.
KMSKeyName string
// UnsafeState can be used to skip the encryption of the "state" token
// within the auth flow.
UnsafeState bool
// AuthConfig is used by Authenticator.Middleware and callback to enable the
// Google OAuth flow.
AuthConfig *oauth2.Config
// HeaderExceptions can optionally be included. Any requests that include any of
// the headers included will skip all Authenticator.Middlware checks and no
// claims information will be added to the context.
// This can be useful for unspoofable headers like Google App Engine's
// "X-AppEngine-*" headers for Google Task Queues.
HeaderExceptions []string
// CustomExceptionsFunc allows any custom exceptions based on the request. For
// example, looking for specific URIs. Return true if should be allowed. If
// false is returned, normal cookie-based authentication happens.
CustomExceptionsFunc func(context.Context, *http.Request) bool
// IDConfig will be used to verify the Google Identity JWS when it is inbound
// in the HTTP cookie.
IDConfig IdentityConfig
// IDVerifyFunc allows developers to add their own verification on the user
// claims. For example, one could enable access for anyone with an email domain
// of "@example.com".
IDVerifyFunc func(context.Context, IdentityClaimSet) bool
// Logger will be used to log any errors encountered during the auth flow.
Logger log.Logger
}
)
// NewAuthenticator will instantiate a new Authenticator, which can be used for verifying
// a number of authentication styles within the Google Cloud Platform ecosystem.
func NewAuthenticator(ctx context.Context, cfg AuthenticatorConfig) (Authenticator, error) {
ks, err := NewIdentityPublicKeySource(ctx, cfg.IDConfig)
if err != nil {
return Authenticator{}, errors.Wrap(err, "unable to init key source")
}
u, err := url.Parse(cfg.AuthConfig.RedirectURL)
if err != nil {
return Authenticator{}, errors.Wrap(err, "unable to pasrse redirect URL")
}
var keys *kms.KeyManagementClient
if !cfg.UnsafeState {
keys, err = kms.NewKeyManagementClient(ctx)
if err != nil {
return Authenticator{}, errors.Wrap(err, "unable to init KMS client")
}
}
if cfg.Logger == nil {
cfg.Logger = log.NewNopLogger()
}
return Authenticator{
cfg: cfg,
keys: keys,
cookieDomain: strings.Split(u.Host, ":")[0],
secureCookie: u.Scheme == "https",
callbackPath: u.Path,
verifier: auth.NewVerifier(ks, IdentityClaimsDecoderFunc,
IdentityVerifyFunc(cfg.IDVerifyFunc)),
}, nil
}
// LogOut can be used to clear an existing session. It will add an HTTP cookie with a -1
// "MaxAge" to the response to remove the cookie from the logged in user's browser.
func (c Authenticator) LogOut(w http.ResponseWriter) {
http.SetCookie(w, &http.Cookie{
Name: c.cfg.CookieName,
Domain: c.cookieDomain,
Secure: c.secureCookie,
Value: "",
Path: "/",
MaxAge: -1,
Expires: time.Unix(0, 0),
})
}
func forbidden(w http.ResponseWriter) {
// stop here here to prevent redirect chaos.
code := http.StatusForbidden
http.Error(w, http.StatusText(code), code)
}
// Middleware will handle login redirects, OAuth callbacks, header exceptions, custom
// exceptions, verifying inbound Google ID or IAM JWS' within HTTP cookies or
// Authorization headers and, if the user passes all checks, it will add the user claims
// to the inbound request context.
func (c Authenticator) Middleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == c.callbackPath {
c.callbackHandler(w, r)
return
}
// if one of the 'exception' headers exists, let the request pass through
// this is nice for unspoofable headers like 'X-Appengine-*'.
for _, hdr := range c.cfg.HeaderExceptions {
if r.Header.Get(hdr) != "" {
h.ServeHTTP(w, r)
return
}
}
// if a custom exception func has been configured, passing its inspection
// will bypass Identity auth.
if c.cfg.CustomExceptionsFunc != nil {
if c.cfg.CustomExceptionsFunc(r.Context(), r) {
h.ServeHTTP(w, r)
return
}
}
// ***all other endpoints must have a cookie or a header***
////////////
// check for an ID Authorization header
// this is for service-to-service auth/authz
////////////
token, err := auth.GetAuthorizationToken(r)
if err != nil {
c.cfg.Logger.Log("message", "unable to get header, falling back to cookie",
"error", err)
}
////////////
// check for an ID HTTP Cookie
// this is for web-based auth from a user + browser
////////////
if token == "" {
ck, err := r.Cookie(c.cfg.CookieName)
if err != nil {
c.cfg.Logger.Log("message", "unable to get cookie, redirecting",
"error", err)
} else {
token = ck.Value
}
}
if token == "" {
c.redirect(w, r)
return
}
verified, err := c.verifier.Verify(r.Context(), token)
if err != nil {
c.cfg.Logger.Log("message", "id verify cookie failure, redirecting",
"error", err)
c.redirect(w, r)
return
}
// token existed but was invalid, forbid these requests
if !verified {
forbidden(w)
return
}
claims, err := decodeClaims(token)
if err != nil {
c.redirect(w, r)
return
}
// add the user claims to the context and call the handlers below
r = r.WithContext(context.WithValue(r.Context(), claimsKey, claims))
h.ServeHTTP(w, r)
})
}
func (c Authenticator) callbackHandler(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
q := r.URL.Query()
// verify state
uri, ok := c.verifyState(ctx, q.Get("state"))
if !ok {
forbidden(w)
return
}
code := q.Get("code")
if strings.TrimSpace(code) == "" {
forbidden(w)
return
}
token, err := c.cfg.AuthConfig.Exchange(ctx, code)
if err != nil {
c.cfg.Logger.Log("error", err, "message", "unable to exchange code")
forbidden(w)
return
}
idI := token.Extra("id_token")
if idI == nil {
forbidden(w)
return
}
id, ok := idI.(string)
if !ok {
c.cfg.Logger.Log("message", "id_token was not a string",
"error", "unexpectected type: "+fmt.Sprintf("%T", idI))
forbidden(w)
return
}
// they have authenticated, see if we can authorize them
// via the given verifyFunc
verified, err := c.verifier.Verify(r.Context(), id)
if err != nil || !verified {
forbidden(w)
return
}
// grab claims so we can use the expiration on our cookie
claims, err := decodeClaims(id)
if err != nil {
c.cfg.Logger.Log("error", err, "message", "unable to decode token")
forbidden(w)
return
}
http.SetCookie(w, &http.Cookie{
Name: c.cfg.CookieName,
Secure: c.secureCookie,
Value: id,
Domain: c.cookieDomain,
Expires: time.Unix(claims.Exp, 0),
})
http.Redirect(w, r, uri, http.StatusTemporaryRedirect)
}
func (c Authenticator) verifyState(ctx context.Context, state string) (string, bool) {
if state == "" {
return "", false
}
rawState, err := base64.StdEncoding.DecodeString(state)
if err != nil {
return "", false
}
var data stateData
if c.keys == nil {
err = json.Unmarshal(rawState, &data)
if err != nil {
return "", false
}
return data.verifiedURI()
}
decRes, err := c.keys.Decrypt(ctx, &kmsv1.DecryptRequest{
Name: c.cfg.KMSKeyName,
Ciphertext: rawState,
})
if err != nil {
c.cfg.Logger.Log("error", err, "message", "unable to decrypt state",
"state", state)
return "", false
}
err = json.Unmarshal(decRes.Plaintext, &data)
if err != nil {
return "", false
}
return data.verifiedURI()
}
func (s stateData) verifiedURI() (string, bool) {
return s.URI, timeNow().Before(s.Expiry)
}
type stateData struct {
Expiry time.Time
URI string
Nonce *[24]byte
}
func newNonce() (*[24]byte, error) {
nonce := &[24]byte{}
_, err := io.ReadFull(rand.Reader, nonce[:])
if err != nil {
return nonce, errors.Wrap(err, "unable to generate nonce from rand.Reader")
}
return nonce, nil
}
func (c Authenticator) redirect(w http.ResponseWriter, r *http.Request) {
uri := r.URL.EscapedPath()
if r.URL.RawQuery != "" {
uri += "?" + r.URL.RawQuery
}
// avoid redirect loops
if strings.HasPrefix(uri, c.cfg.AuthConfig.RedirectURL) {
uri = "/"
}
nonce, err := newNonce()
if err != nil {
c.cfg.Logger.Log("error", err, "message", "unable to generate nonce")
http.Error(w, "oauth error", http.StatusInternalServerError)
return
}
const stateExpiryMins = 10
stateData, err := json.Marshal(stateData{
Expiry: timeNow().Add(stateExpiryMins * time.Minute),
URI: uri,
Nonce: nonce,
})
if err != nil {
c.cfg.Logger.Log("error", err, "message", "unable to encode state")
http.Error(w, "oauth error", http.StatusInternalServerError)
return
}
if c.keys != nil {
encRes, err := c.keys.Encrypt(r.Context(), &kmsv1.EncryptRequest{
Name: c.cfg.KMSKeyName,
Plaintext: stateData,
})
if err != nil {
c.cfg.Logger.Log("error", err, "message", "unable to encrypt state")
} else {
stateData = encRes.Ciphertext
}
}
state := base64.StdEncoding.EncodeToString(stateData)
http.Redirect(w, r, c.cfg.AuthConfig.AuthCodeURL(state),
http.StatusTemporaryRedirect)
}
type key int
const claimsKey key = 1
// GetUserClaims will return the Google identity claim set if it exists in the
// context. This can be used in coordination with the Authenticator.Middleware.
func GetUserClaims(ctx context.Context) (IdentityClaimSet, error) {
var claims IdentityClaimSet
clms := ctx.Value(claimsKey)
if clms == nil {
return claims, errors.New("claims not found")
}
return clms.(IdentityClaimSet), nil
}
func decodeClaims(token string) (IdentityClaimSet, error) {
var claims IdentityClaimSet
s := strings.Split(token, ".")
if len(s) < 2 {
return claims, errors.New("jws: invalid token received")
}
decoded, err := base64.RawURLEncoding.DecodeString(s[1])
if err != nil {
return claims, err
}
err = json.Unmarshal(decoded, &claims)
if err != nil {
return claims, err
}
return claims, nil
}