initial commit

Dockerfile-quick

@@ -0,0 +1,14 @@
+#first stage - builder
+FROM alpine:3.15.2
+ARG version 
+WORKDIR /app
+COPY ./netmaker /root/netmaker
+ENV GO111MODULE=auto
+
+# add a c lib
+RUN apk add gcompat iptables wireguard-tools
+# set the working directory
+WORKDIR /root/
+RUN mkdir -p /etc/netclient/config
+EXPOSE 8081
+ENTRYPOINT ["./netmaker"]

auth/auth.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/logic"
+	"github.com/gravitl/netmaker/logic/pro/netcache"
 	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
 	"golang.org/x/crypto/bcrypt"
@@ -27,8 +28,19 @@ const (
 	oidc_provider_name     = "oidc"
 	verify_user            = "verifyuser"
 	auth_key               = "netmaker_auth"
+	user_signin_length     = 16
+	node_signin_length     = 64
 )
 
+// OAuthUser - generic OAuth strategy user
+type OAuthUser struct {
+	Name              string `json:"name" bson:"name"`
+	Email             string `json:"email" bson:"email"`
+	Login             string `json:"login" bson:"login"`
+	UserPrincipalName string `json:"userPrincipalName" bson:"userPrincipalName"`
+	AccessToken       string `json:"accesstoken" bson:"accesstoken"`
+}
+
 var auth_provider *oauth2.Config
 
 func getCurrentAuthFunctions() map[string]interface{} {
@@ -94,7 +106,14 @@ func HandleAuthCallback(w http.ResponseWriter, r *http.Request) {
 	if functions == nil {
 		return
 	}
-	functions[handle_callback].(func(http.ResponseWriter, *http.Request))(w, r)
+	state, _ := getStateAndCode(r)
+	_, err := netcache.Get(state) // if in netcache proceeed with node registration login
+	if err == nil || len(state) == node_signin_length || (err != nil && strings.Contains(err.Error(), "expired")) {
+		logger.Log(0, "proceeding with node SSO callback")
+		HandleNodeSSOCallback(w, r)
+	} else { // handle normal login
+		functions[handle_callback].(func(http.ResponseWriter, *http.Request))(w, r)
+	}
 }
 
 // swagger:route GET /api/oauth/login nodes HandleAuthLogin
@@ -197,3 +216,35 @@ func fetchPassValue(newValue string) (string, error) {
 	}
 	return string(b64CurrentValue), nil
 }
+
+func getStateAndCode(r *http.Request) (string, string) {
+	var state, code string
+	if r.FormValue("state") != "" && r.FormValue("code") != "" {
+		state = r.FormValue("state")
+		code = r.FormValue("code")
+	} else if r.URL.Query().Get("state") != "" && r.URL.Query().Get("code") != "" {
+		state = r.URL.Query().Get("state")
+		code = r.URL.Query().Get("code")
+	}
+
+	return state, code
+}
+
+func (user *OAuthUser) getUserName() string {
+	var userName string
+	if user.Email != "" {
+		userName = user.Email
+	} else if user.Login != "" {
+		userName = user.Login
+	} else if user.UserPrincipalName != "" {
+		userName = user.UserPrincipalName
+	} else if user.Name != "" {
+		userName = user.Name
+	}
+	return userName
+}
+
+func isStateCached(state string) bool {
+	_, err := netcache.Get(state)
+	return err == nil || strings.Contains(err.Error(), "expired")
+}

auth/azure-ad.go

@@ -23,11 +23,6 @@ var azure_ad_functions = map[string]interface{}{
 	verify_user:     verifyAzureUser,
 }
 
-type azureOauthUser struct {
-	UserPrincipalName string `json:"userPrincipalName" bson:"userPrincipalName"`
-	AccessToken       string `json:"accesstoken" bson:"accesstoken"`
-}
-
 // == handle azure ad authentication here ==
 
 func initAzureAD(redirectURL string, clientID string, clientSecret string) {
@@ -41,7 +36,7 @@ func initAzureAD(redirectURL string, clientID string, clientSecret string) {
 }
 
 func handleAzureLogin(w http.ResponseWriter, r *http.Request) {
-	var oauth_state_string = logic.RandomString(16)
+	var oauth_state_string = logic.RandomString(user_signin_length)
 	if auth_provider == nil && servercfg.GetFrontendURL() != "" {
 		http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?oauth=callback-error", http.StatusTemporaryRedirect)
 		return
@@ -61,7 +56,8 @@ func handleAzureLogin(w http.ResponseWriter, r *http.Request) {
 
 func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
 
-	var content, err = getAzureUserInfo(r.FormValue("state"), r.FormValue("code"))
+	var rState, rCode = getStateAndCode(r)
+	var content, err = getAzureUserInfo(rState, rCode)
 	if err != nil {
 		logger.Log(1, "error when getting user info from azure:", err.Error())
 		http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?oauth=callback-error", http.StatusTemporaryRedirect)
@@ -93,9 +89,9 @@ func handleAzureCallback(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?login="+jwt+"&user="+content.UserPrincipalName, http.StatusPermanentRedirect)
 }
 
-func getAzureUserInfo(state string, code string) (*azureOauthUser, error) {
+func getAzureUserInfo(state string, code string) (*OAuthUser, error) {
 	oauth_state_string, isValid := logic.IsStateValid(state)
-	if !isValid || state != oauth_state_string {
+	if (!isValid || state != oauth_state_string) && !isStateCached(state) {
 		return nil, fmt.Errorf("invalid oauth state")
 	}
 	var token, err = auth_provider.Exchange(context.Background(), code)
@@ -121,7 +117,7 @@ func getAzureUserInfo(state string, code string) (*azureOauthUser, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed reading response body: %s", err.Error())
 	}
-	var userInfo = &azureOauthUser{}
+	var userInfo = &OAuthUser{}
 	if err = json.Unmarshal(contents, userInfo); err != nil {
 		return nil, fmt.Errorf("failed parsing email from response data: %s", err.Error())
 	}

auth/github.go

@@ -23,11 +23,6 @@ var github_functions = map[string]interface{}{
 	verify_user:     verifyGithubUser,
 }
 
-type githubOauthUser struct {
-	Login       string `json:"login" bson:"login"`
-	AccessToken string `json:"accesstoken" bson:"accesstoken"`
-}
-
 // == handle github authentication here ==
 
 func initGithub(redirectURL string, clientID string, clientSecret string) {
@@ -41,7 +36,7 @@ func initGithub(redirectURL string, clientID string, clientSecret string) {
 }
 
 func handleGithubLogin(w http.ResponseWriter, r *http.Request) {
-	var oauth_state_string = logic.RandomString(16)
+	var oauth_state_string = logic.RandomString(user_signin_length)
 	if auth_provider == nil && servercfg.GetFrontendURL() != "" {
 		http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?oauth=callback-error", http.StatusTemporaryRedirect)
 		return
@@ -61,7 +56,8 @@ func handleGithubLogin(w http.ResponseWriter, r *http.Request) {
 
 func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
 
-	var content, err = getGithubUserInfo(r.URL.Query().Get("state"), r.URL.Query().Get("code"))
+	var rState, rCode = getStateAndCode(r)
+	var content, err = getGithubUserInfo(rState, rCode)
 	if err != nil {
 		logger.Log(1, "error when getting user info from github:", err.Error())
 		http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?oauth=callback-error", http.StatusTemporaryRedirect)
@@ -93,10 +89,10 @@ func handleGithubCallback(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?login="+jwt+"&user="+content.Login, http.StatusPermanentRedirect)
 }
 
-func getGithubUserInfo(state string, code string) (*githubOauthUser, error) {
+func getGithubUserInfo(state string, code string) (*OAuthUser, error) {
 	oauth_state_string, isValid := logic.IsStateValid(state)
-	if !isValid || state != oauth_state_string {
-		return nil, fmt.Errorf("invalid OAuth state")
+	if (!isValid || state != oauth_state_string) && !isStateCached(state) {
+		return nil, fmt.Errorf("invalid oauth state")
 	}
 	var token, err = auth_provider.Exchange(context.Background(), code)
 	if err != nil {
@@ -125,7 +121,7 @@ func getGithubUserInfo(state string, code string) (*githubOauthUser, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed reading response body: %s", err.Error())
 	}
-	var userInfo = &githubOauthUser{}
+	var userInfo = &OAuthUser{}
 	if err = json.Unmarshal(contents, userInfo); err != nil {
 		return nil, fmt.Errorf("failed parsing email from response data: %s", err.Error())
 	}

auth/google.go

@@ -24,11 +24,6 @@ var google_functions = map[string]interface{}{
 	verify_user:     verifyGoogleUser,
 }
 
-type googleOauthUser struct {
-	Email       string `json:"email" bson:"email"`
-	AccessToken string `json:"accesstoken" bson:"accesstoken"`
-}
-
 // == handle google authentication here ==
 
 func initGoogle(redirectURL string, clientID string, clientSecret string) {
@@ -42,7 +37,7 @@ func initGoogle(redirectURL string, clientID string, clientSecret string) {
 }
 
 func handleGoogleLogin(w http.ResponseWriter, r *http.Request) {
-	var oauth_state_string = logic.RandomString(16)
+	var oauth_state_string = logic.RandomString(user_signin_length)
 	if auth_provider == nil && servercfg.GetFrontendURL() != "" {
 		http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?oauth=callback-error", http.StatusTemporaryRedirect)
 		return
@@ -62,7 +57,9 @@ func handleGoogleLogin(w http.ResponseWriter, r *http.Request) {
 
 func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
 
-	var content, err = getGoogleUserInfo(r.FormValue("state"), r.FormValue("code"))
+	var rState, rCode = getStateAndCode(r)
+
+	var content, err = getGoogleUserInfo(rState, rCode)
 	if err != nil {
 		logger.Log(1, "error when getting user info from google:", err.Error())
 		http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?oauth=callback-error", http.StatusTemporaryRedirect)
@@ -94,10 +91,10 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, servercfg.GetFrontendURL()+"/login?login="+jwt+"&user="+content.Email, http.StatusPermanentRedirect)
 }
 
-func getGoogleUserInfo(state string, code string) (*googleOauthUser, error) {
+func getGoogleUserInfo(state string, code string) (*OAuthUser, error) {
 	oauth_state_string, isValid := logic.IsStateValid(state)
-	if !isValid || state != oauth_state_string {
-		return nil, fmt.Errorf("invalid OAuth state")
+	if (!isValid || state != oauth_state_string) && !isStateCached(state) {
+		return nil, fmt.Errorf("invalid oauth state")
 	}
 	var token, err = auth_provider.Exchange(context.Background(), code)
 	if err != nil {
@@ -120,7 +117,7 @@ func getGoogleUserInfo(state string, code string) (*googleOauthUser, error) {
 	if err != nil {
 		return nil, fmt.Errorf("failed reading response body: %s", err.Error())
 	}
-	var userInfo = &googleOauthUser{}
+	var userInfo = &OAuthUser{}
 	if err = json.Unmarshal(contents, userInfo); err != nil {
 		return nil, fmt.Errorf("failed parsing email from response data: %s", err.Error())
 	}