-
Notifications
You must be signed in to change notification settings - Fork 534
/
auth.go
336 lines (307 loc) · 9.72 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
package auth
import (
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"net/http"
"strings"
"time"
"golang.org/x/crypto/bcrypt"
"golang.org/x/exp/slog"
"golang.org/x/oauth2"
"github.com/gorilla/websocket"
"github.com/gravitl/netmaker/logger"
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/logic/pro/netcache"
"github.com/gravitl/netmaker/models"
"github.com/gravitl/netmaker/servercfg"
)
// == consts ==
const (
init_provider = "initprovider"
get_user_info = "getuserinfo"
handle_callback = "handlecallback"
handle_login = "handlelogin"
google_provider_name = "google"
azure_ad_provider_name = "azure-ad"
github_provider_name = "github"
oidc_provider_name = "oidc"
verify_user = "verifyuser"
auth_key = "netmaker_auth"
user_signin_length = 16
node_signin_length = 64
headless_signin_length = 32
)
// OAuthUser - generic OAuth strategy user
type OAuthUser struct {
Name string `json:"name" bson:"name"`
Email string `json:"email" bson:"email"`
Login string `json:"login" bson:"login"`
UserPrincipalName string `json:"userPrincipalName" bson:"userPrincipalName"`
AccessToken string `json:"accesstoken" bson:"accesstoken"`
}
var (
auth_provider *oauth2.Config
upgrader = websocket.Upgrader{}
)
func getCurrentAuthFunctions() map[string]interface{} {
var authInfo = servercfg.GetAuthProviderInfo()
var authProvider = authInfo[0]
switch authProvider {
case google_provider_name:
return google_functions
case azure_ad_provider_name:
return azure_ad_functions
case github_provider_name:
return github_functions
case oidc_provider_name:
return oidc_functions
default:
return nil
}
}
// InitializeAuthProvider - initializes the auth provider if any is present
func InitializeAuthProvider() string {
var functions = getCurrentAuthFunctions()
if functions == nil {
return ""
}
var _, err = fetchPassValue(logic.RandomString(64))
if err != nil {
logger.Log(0, err.Error())
return ""
}
var authInfo = servercfg.GetAuthProviderInfo()
var serverConn = servercfg.GetAPIHost()
if strings.Contains(serverConn, "localhost") || strings.Contains(serverConn, "127.0.0.1") {
serverConn = "http://" + serverConn
logger.Log(1, "localhost OAuth detected, proceeding with insecure http redirect: (", serverConn, ")")
} else {
serverConn = "https://" + serverConn
logger.Log(1, "external OAuth detected, proceeding with https redirect: ("+serverConn+")")
}
if authInfo[0] == "oidc" {
functions[init_provider].(func(string, string, string, string))(serverConn+"/api/oauth/callback", authInfo[1], authInfo[2], authInfo[3])
return authInfo[0]
}
functions[init_provider].(func(string, string, string))(serverConn+"/api/oauth/callback", authInfo[1], authInfo[2])
return authInfo[0]
}
// HandleAuthCallback - handles oauth callback
// Note: not included in API reference as part of the OAuth process itself.
func HandleAuthCallback(w http.ResponseWriter, r *http.Request) {
if auth_provider == nil {
handleOauthNotConfigured(w)
return
}
var functions = getCurrentAuthFunctions()
if functions == nil {
return
}
state, _ := getStateAndCode(r)
_, err := netcache.Get(state) // if in netcache proceeed with node registration login
if err == nil || errors.Is(err, netcache.ErrExpired) {
switch len(state) {
case node_signin_length:
logger.Log(1, "proceeding with host SSO callback")
HandleHostSSOCallback(w, r)
case headless_signin_length:
logger.Log(1, "proceeding with headless SSO callback")
HandleHeadlessSSOCallback(w, r)
default:
logger.Log(1, "invalid state length: ", fmt.Sprintf("%d", len(state)))
}
} else { // handle normal login
functions[handle_callback].(func(http.ResponseWriter, *http.Request))(w, r)
}
}
// swagger:route GET /api/oauth/login nodes HandleAuthLogin
//
// Handles OAuth login.
//
// Schemes: https
//
// Security:
// oauth
// Responses:
// 200: okResponse
func HandleAuthLogin(w http.ResponseWriter, r *http.Request) {
if auth_provider == nil {
handleOauthNotConfigured(w)
return
}
var functions = getCurrentAuthFunctions()
if functions == nil {
return
}
if servercfg.GetFrontendURL() == "" {
handleOauthNotConfigured(w)
return
}
functions[handle_login].(func(http.ResponseWriter, *http.Request))(w, r)
}
// IsOauthUser - returns
func IsOauthUser(user *models.User) error {
var currentValue, err = fetchPassValue("")
if err != nil {
return err
}
var bCryptErr = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(currentValue))
return bCryptErr
}
// HandleHeadlessSSO - handles the OAuth login flow for headless interfaces such as Netmaker CLI via websocket
func HandleHeadlessSSO(w http.ResponseWriter, r *http.Request) {
conn, err := upgrader.Upgrade(w, r, nil)
if err != nil {
logger.Log(0, "error during connection upgrade for headless sign-in:", err.Error())
return
}
if conn == nil {
logger.Log(0, "failed to establish web-socket connection during headless sign-in")
return
}
defer conn.Close()
req := &netcache.CValue{User: "", Pass: ""}
stateStr := logic.RandomString(headless_signin_length)
if err = netcache.Set(stateStr, req); err != nil {
logger.Log(0, "Failed to process sso request -", err.Error())
return
}
timeout := make(chan bool, 1)
answer := make(chan string, 1)
defer close(answer)
defer close(timeout)
if auth_provider == nil {
if err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, "")); err != nil {
logger.Log(0, "error during message writing:", err.Error())
}
return
}
redirectUrl = fmt.Sprintf("https://%s/api/oauth/register/%s", servercfg.GetAPIConnString(), stateStr)
if err = conn.WriteMessage(websocket.TextMessage, []byte(redirectUrl)); err != nil {
logger.Log(0, "error during message writing:", err.Error())
}
go func() {
for {
cachedReq, err := netcache.Get(stateStr)
if err != nil {
if strings.Contains(err.Error(), "expired") {
logger.Log(0, "timeout occurred while waiting for SSO")
timeout <- true
break
}
continue
} else if cachedReq.Pass != "" {
logger.Log(0, "SSO process completed for user ", cachedReq.User)
answer <- cachedReq.Pass
break
}
time.Sleep(500) // try it 2 times per second to see if auth is completed
}
}()
select {
case result := <-answer:
if err = conn.WriteMessage(websocket.TextMessage, []byte(result)); err != nil {
logger.Log(0, "Error during message writing:", err.Error())
}
case <-timeout:
logger.Log(0, "Authentication server time out for headless SSO login")
if err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, "")); err != nil {
logger.Log(0, "Error during message writing:", err.Error())
}
}
if err = netcache.Del(stateStr); err != nil {
logger.Log(0, "failed to remove SSO cache entry", err.Error())
}
if err = conn.WriteMessage(websocket.CloseMessage, websocket.FormatCloseMessage(websocket.CloseNormalClosure, "")); err != nil {
logger.Log(0, "write close:", err.Error())
}
}
// == private methods ==
func addUser(email string) error {
var hasSuperAdmin, err = logic.HasSuperAdmin()
if err != nil {
slog.Error("error checking for existence of admin user during OAuth login for", "email", email, "error", err)
return err
} // generate random password to adapt to current model
var newPass, fetchErr = fetchPassValue("")
if fetchErr != nil {
return fetchErr
}
var newUser = models.User{
UserName: email,
Password: newPass,
}
if !hasSuperAdmin { // must be first attempt, create a superadmin
if err = logic.CreateSuperAdmin(&newUser); err != nil {
slog.Error("error creating super admin from user", "email", email, "error", err)
} else {
slog.Info("superadmin created from user", "email", email)
}
} else { // otherwise add to db as admin..?
// TODO: add ability to add users with preemptive permissions
newUser.IsAdmin = false
if err = logic.CreateUser(&newUser); err != nil {
logger.Log(1, "error creating user,", email, "; user not added")
} else {
logger.Log(0, "user created from ", email)
}
}
return nil
}
func fetchPassValue(newValue string) (string, error) {
type valueHolder struct {
Value string `json:"value" bson:"value"`
}
var b64NewValue = base64.StdEncoding.EncodeToString([]byte(newValue))
var newValueHolder = &valueHolder{
Value: b64NewValue,
}
var data, marshalErr = json.Marshal(newValueHolder)
if marshalErr != nil {
return "", marshalErr
}
var currentValue, err = logic.FetchAuthSecret(auth_key, string(data))
if err != nil {
return "", err
}
var unmarshErr = json.Unmarshal([]byte(currentValue), newValueHolder)
if unmarshErr != nil {
return "", unmarshErr
}
var b64CurrentValue, b64Err = base64.StdEncoding.DecodeString(newValueHolder.Value)
if b64Err != nil {
logger.Log(0, "could not decode pass")
return "", nil
}
return string(b64CurrentValue), nil
}
func getStateAndCode(r *http.Request) (string, string) {
var state, code string
if r.FormValue("state") != "" && r.FormValue("code") != "" {
state = r.FormValue("state")
code = r.FormValue("code")
} else if r.URL.Query().Get("state") != "" && r.URL.Query().Get("code") != "" {
state = r.URL.Query().Get("state")
code = r.URL.Query().Get("code")
}
return state, code
}
func (user *OAuthUser) getUserName() string {
var userName string
if user.Email != "" {
userName = user.Email
} else if user.Login != "" {
userName = user.Login
} else if user.UserPrincipalName != "" {
userName = user.UserPrincipalName
} else if user.Name != "" {
userName = user.Name
}
return userName
}
func isStateCached(state string) bool {
_, err := netcache.Get(state)
return err == nil || strings.Contains(err.Error(), "expired")
}