2021-04-03 13:49:45 +00:00
|
|
|
// SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
|
|
|
|
//
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
package fupoidc
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"crypto/rand"
|
|
|
|
"encoding/hex"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"log"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
|
|
"golang.org/x/oauth2"
|
2024-11-16 15:30:41 +00:00
|
|
|
"git.lukegb.com/lukegb/depot/web/fup/fuphttp"
|
2021-04-03 13:49:45 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
cookieOAuthState = "fup_state"
|
|
|
|
cookieToken = "fup_auth"
|
|
|
|
)
|
|
|
|
|
|
|
|
type Middleware struct {
|
|
|
|
oidc *oidc.Provider
|
|
|
|
|
|
|
|
verifier *oidc.IDTokenVerifier
|
|
|
|
|
|
|
|
clientID string
|
|
|
|
clientSecret string
|
|
|
|
baseURL string
|
|
|
|
}
|
|
|
|
|
|
|
|
type Config struct {
|
|
|
|
ClientID string
|
|
|
|
ClientSecret string
|
|
|
|
ProviderURL string
|
|
|
|
|
|
|
|
BaseURL string
|
|
|
|
}
|
|
|
|
|
|
|
|
func New(ctx context.Context, c Config) (*Middleware, error) {
|
|
|
|
provider, err := oidc.NewProvider(ctx, c.ProviderURL)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("oidc.NewProvider: %w", err)
|
|
|
|
}
|
|
|
|
verifier := provider.Verifier(&oidc.Config{
|
|
|
|
ClientID: c.ClientID,
|
|
|
|
})
|
|
|
|
|
|
|
|
return &Middleware{
|
|
|
|
oidc: provider,
|
|
|
|
verifier: verifier,
|
|
|
|
clientID: c.ClientID,
|
|
|
|
clientSecret: c.ClientSecret,
|
|
|
|
baseURL: c.BaseURL,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (mw *Middleware) oauth2Config() *oauth2.Config {
|
|
|
|
redirectURL := mw.baseURL
|
|
|
|
if strings.HasSuffix(redirectURL, "/") {
|
|
|
|
redirectURL += "loginz"
|
|
|
|
} else {
|
|
|
|
redirectURL += "/loginz"
|
|
|
|
}
|
|
|
|
|
|
|
|
return &oauth2.Config{
|
|
|
|
ClientID: mw.clientID,
|
|
|
|
ClientSecret: mw.clientSecret,
|
|
|
|
RedirectURL: redirectURL,
|
|
|
|
|
|
|
|
Endpoint: mw.oidc.Endpoint(),
|
|
|
|
|
|
|
|
Scopes: []string{oidc.ScopeOpenID},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var errNoCredentials = errors.New("fupoidc: no auth credentials")
|
|
|
|
|
|
|
|
func (mw *Middleware) isAuthenticated(r *http.Request) error {
|
|
|
|
// Check for credentials; either "Authorization: Bearer <token>" or "Cookie: fup_auth="
|
|
|
|
var token string
|
|
|
|
|
|
|
|
if cookie, err := r.Cookie(cookieToken); err == nil {
|
|
|
|
token = cookie.Value
|
|
|
|
}
|
|
|
|
if authHeader := r.Header.Get("Authorization"); authHeader != "" && strings.HasPrefix(authHeader, "Bearer ") {
|
|
|
|
token = strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer "))
|
|
|
|
}
|
|
|
|
|
|
|
|
if token == "" {
|
|
|
|
return errNoCredentials
|
|
|
|
}
|
|
|
|
|
|
|
|
// Validate the credentials.
|
|
|
|
ctx := r.Context()
|
|
|
|
_, err := mw.verifier.Verify(ctx, token)
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
func (mw *Middleware) setStateCookie(rw http.ResponseWriter, value string) {
|
|
|
|
cookie := &http.Cookie{
|
|
|
|
Name: cookieOAuthState,
|
|
|
|
Value: value,
|
|
|
|
Secure: true,
|
|
|
|
HttpOnly: true,
|
|
|
|
SameSite: http.SameSiteNoneMode,
|
|
|
|
}
|
|
|
|
if value == "" {
|
|
|
|
cookie.MaxAge = -1
|
|
|
|
}
|
|
|
|
http.SetCookie(rw, cookie)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (mw *Middleware) redirectToProvider(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
randBuf := make([]byte, 16)
|
|
|
|
_, err := rand.Read(randBuf)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(rw, "rand.Read in redirectToProvider", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
state := hex.EncodeToString(randBuf)
|
|
|
|
mw.setStateCookie(rw, state)
|
|
|
|
http.Redirect(rw, r, mw.oauth2Config().AuthCodeURL(state), http.StatusFound)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (mw *Middleware) handleLoginzRequest(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
stateCookie, err := r.Cookie(cookieOAuthState)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(rw, "fup_state cookie missing or invalid", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
stateQuery := r.URL.Query().Get("state")
|
|
|
|
if stateQuery == "" {
|
|
|
|
http.Error(rw, "state query param missing or invalid", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if stateQuery != stateCookie.Value {
|
|
|
|
http.Error(rw, "state mismatch", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
mw.setStateCookie(rw, "") // Clear state cookie.
|
|
|
|
|
|
|
|
// State is valid.
|
|
|
|
ctx := r.Context()
|
|
|
|
oauth2Token, err := mw.oauth2Config().Exchange(ctx, r.URL.Query().Get("code"))
|
|
|
|
if err != nil {
|
|
|
|
http.Error(rw, "code invalid", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
|
|
|
if !ok {
|
|
|
|
http.Error(rw, "missing id_token", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
idToken, err := mw.verifier.Verify(ctx, rawIDToken)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(rw, "id_token invalid", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var claims struct {
|
|
|
|
Username string `json:"preferred_username"`
|
|
|
|
Sub string `json:"sub"`
|
|
|
|
}
|
|
|
|
if err := idToken.Claims(&claims); err != nil {
|
|
|
|
http.Error(rw, "id_token claims invalid", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
log.Printf("%s (%s) logged in with token %s", claims.Username, claims.Sub, rawIDToken)
|
|
|
|
|
|
|
|
// Set the cookie.
|
|
|
|
http.SetCookie(rw, &http.Cookie{
|
|
|
|
Name: cookieToken,
|
|
|
|
Value: rawIDToken,
|
|
|
|
Secure: true,
|
|
|
|
HttpOnly: true,
|
|
|
|
SameSite: http.SameSiteLaxMode,
|
|
|
|
})
|
|
|
|
http.Redirect(rw, r, mw.baseURL, http.StatusFound)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (mw *Middleware) Middleware(handler http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
|
|
|
if strings.HasSuffix(r.URL.Path, "/loginz") {
|
|
|
|
// We're up.
|
|
|
|
mw.handleLoginzRequest(rw, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx := r.Context()
|
|
|
|
authnErr := mw.isAuthenticated(r)
|
|
|
|
switch {
|
|
|
|
case authnErr == nil:
|
|
|
|
// Authn successful.
|
|
|
|
handler.ServeHTTP(rw, r)
|
|
|
|
return
|
|
|
|
case authnErr == errNoCredentials && !fuphttp.IsMutate(ctx):
|
|
|
|
// No credentials provided, but none needed.
|
|
|
|
handler.ServeHTTP(rw, r)
|
|
|
|
return
|
|
|
|
case authnErr == errNoCredentials:
|
|
|
|
// No credentials provided, but required.
|
|
|
|
if fuphttp.IsAPIRequest(ctx) {
|
|
|
|
http.Error(rw, "need OAuth credentials", http.StatusUnauthorized)
|
|
|
|
} else {
|
|
|
|
mw.redirectToProvider(rw, r)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
case authnErr != nil && !fuphttp.IsAPIRequest(ctx):
|
|
|
|
// Credential validation error.
|
|
|
|
log.Printf("invalid OIDC credential: %v", authnErr)
|
|
|
|
if fuphttp.IsAPIRequest(ctx) {
|
|
|
|
http.Error(rw, "oauth credentials invalid", http.StatusUnauthorized)
|
|
|
|
} else {
|
|
|
|
// try redirecting them through the login loop.
|
|
|
|
mw.redirectToProvider(rw, r)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
default:
|
|
|
|
// No credentials
|
|
|
|
http.Error(rw, "request slipped through the auth cracks :(", http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|