netmaker/auth/auth.go

185 lines
5.2 KiB
Go
Raw Normal View History

2021-10-21 02:17:31 +08:00
package auth
import (
2021-10-22 21:47:29 +08:00
"encoding/base64"
2021-10-22 03:28:58 +08:00
"encoding/json"
"fmt"
2021-10-21 02:17:31 +08:00
"net/http"
2021-10-28 22:54:16 +08:00
"strings"
2021-10-21 02:17:31 +08:00
2021-12-07 04:31:08 +08:00
"github.com/gravitl/netmaker/logger"
2021-10-22 08:32:23 +08:00
"github.com/gravitl/netmaker/logic"
"github.com/gravitl/netmaker/models"
2021-10-21 02:17:31 +08:00
"github.com/gravitl/netmaker/servercfg"
2021-10-23 01:12:03 +08:00
"golang.org/x/crypto/bcrypt"
2021-10-21 02:17:31 +08:00
"golang.org/x/oauth2"
)
// == consts ==
const (
init_provider = "initprovider"
get_user_info = "getuserinfo"
handle_callback = "handlecallback"
handle_login = "handlelogin"
google_provider_name = "google"
azure_ad_provider_name = "azure-ad"
github_provider_name = "github"
2021-10-22 03:28:58 +08:00
verify_user = "verifyuser"
2021-10-22 08:32:23 +08:00
auth_key = "netmaker_auth"
2021-10-21 02:17:31 +08:00
)
2021-10-22 03:28:58 +08:00
var oauth_state_string = "netmaker-oauth-state" // should be set randomly each provider login
2021-10-21 02:17:31 +08:00
var auth_provider *oauth2.Config
func getCurrentAuthFunctions() map[string]interface{} {
var authInfo = servercfg.GetAuthProviderInfo()
var authProvider = authInfo[0]
switch authProvider {
case google_provider_name:
return google_functions
case azure_ad_provider_name:
2021-10-23 03:07:45 +08:00
return azure_ad_functions
2021-10-21 02:17:31 +08:00
case github_provider_name:
2021-10-23 01:12:03 +08:00
return github_functions
2021-10-21 02:17:31 +08:00
default:
return nil
}
}
// InitializeAuthProvider - initializes the auth provider if any is present
2021-10-22 03:28:58 +08:00
func InitializeAuthProvider() string {
2021-10-21 02:17:31 +08:00
var functions = getCurrentAuthFunctions()
if functions == nil {
2021-10-22 03:28:58 +08:00
return ""
2021-10-21 02:17:31 +08:00
}
2021-10-22 08:32:23 +08:00
var _, err = fetchPassValue(logic.RandomString(64))
if err != nil {
2021-12-07 04:31:08 +08:00
logger.Log(0, err.Error())
2021-10-22 08:32:23 +08:00
return ""
}
2021-10-22 21:47:29 +08:00
var currentFrontendURL = servercfg.GetFrontendURL()
if currentFrontendURL == "" {
return ""
}
2021-10-21 02:17:31 +08:00
var authInfo = servercfg.GetAuthProviderInfo()
var serverConn = servercfg.GetAPIHost()
2021-10-28 22:54:16 +08:00
if strings.Contains(serverConn, "localhost") || strings.Contains(serverConn, "127.0.0.1") {
serverConn = "http://" + serverConn
2021-12-07 04:31:08 +08:00
logger.Log(1, "localhost OAuth detected, proceeding with insecure http redirect: (", serverConn, ")")
2021-10-28 22:54:16 +08:00
} else {
serverConn = "https://" + serverConn
2021-12-07 04:31:08 +08:00
logger.Log(1, "external OAuth detected, proceeding with https redirect: ("+serverConn+")")
2021-10-28 22:54:16 +08:00
}
functions[init_provider].(func(string, string, string))(serverConn+"/api/oauth/callback", authInfo[1], authInfo[2])
2021-10-22 03:28:58 +08:00
return authInfo[0]
2021-10-21 02:17:31 +08:00
}
// HandleAuthCallback - handles oauth callback
func HandleAuthCallback(w http.ResponseWriter, r *http.Request) {
if auth_provider == nil {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
fmt.Fprintln(w, oauthNotConfigured)
return
}
2021-10-21 02:17:31 +08:00
var functions = getCurrentAuthFunctions()
if functions == nil {
return
}
functions[handle_callback].(func(http.ResponseWriter, *http.Request))(w, r)
}
// HandleAuthLogin - handles oauth login
func HandleAuthLogin(w http.ResponseWriter, r *http.Request) {
if auth_provider == nil {
var referer = r.Header.Get("referer")
if referer != "" {
2021-11-03 01:25:15 +08:00
http.Redirect(w, r, referer+"login?oauth=callback-error", http.StatusTemporaryRedirect)
return
}
w.Header().Set("Content-Type", "text/html; charset=utf-8")
fmt.Fprintln(w, oauthNotConfigured)
return
}
2021-10-21 02:17:31 +08:00
var functions = getCurrentAuthFunctions()
if functions == nil {
return
}
functions[handle_login].(func(http.ResponseWriter, *http.Request))(w, r)
}
2021-10-22 03:28:58 +08:00
2021-10-23 01:12:03 +08:00
// IsOauthUser - returns
func IsOauthUser(user *models.User) error {
var currentValue, err = fetchPassValue("")
if err != nil {
return err
}
var bCryptErr = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(currentValue))
return bCryptErr
}
2021-10-22 08:32:23 +08:00
// == private methods ==
func addUser(email string) error {
var hasAdmin, err = logic.HasAdmin()
if err != nil {
2021-12-07 04:31:08 +08:00
logger.Log(1, "error checking for existence of admin user during OAuth login for", email, "; user not added")
2021-10-22 08:32:23 +08:00
return err
} // generate random password to adapt to current model
var newPass, fetchErr = fetchPassValue("")
if fetchErr != nil {
return fetchErr
2021-10-22 03:28:58 +08:00
}
2021-10-22 08:32:23 +08:00
var newUser = models.User{
UserName: email,
Password: newPass,
}
if !hasAdmin { // must be first attempt, create an admin
if newUser, err = logic.CreateAdmin(newUser); err != nil {
2021-12-07 04:31:08 +08:00
logger.Log(1, "error creating admin from user,", email, "; user not added")
2021-10-22 08:32:23 +08:00
} else {
2021-12-07 04:31:08 +08:00
logger.Log(1, "admin created from user,", email, "; was first user added")
2021-10-22 08:32:23 +08:00
}
} else { // otherwise add to db as admin..?
// TODO: add ability to add users with preemptive permissions
2021-10-23 01:12:03 +08:00
newUser.IsAdmin = false
2021-10-22 08:32:23 +08:00
if newUser, err = logic.CreateUser(newUser); err != nil {
2021-12-07 04:31:08 +08:00
logger.Log(1, "error creating user,", email, "; user not added")
2021-10-22 08:32:23 +08:00
} else {
2021-12-07 04:31:08 +08:00
logger.Log(0, "user created from ", email)
2021-10-22 08:32:23 +08:00
}
}
return nil
}
func fetchPassValue(newValue string) (string, error) {
type valueHolder struct {
Value string `json:"value" bson:"value"`
}
2021-10-22 21:47:29 +08:00
var b64NewValue = base64.StdEncoding.EncodeToString([]byte(newValue))
2021-10-22 08:32:23 +08:00
var newValueHolder = &valueHolder{
2021-10-22 21:47:29 +08:00
Value: b64NewValue,
2021-10-22 08:32:23 +08:00
}
var data, marshalErr = json.Marshal(newValueHolder)
if marshalErr != nil {
return "", marshalErr
}
var currentValue, err = logic.FetchAuthSecret(auth_key, string(data))
if err != nil {
return "", err
}
var unmarshErr = json.Unmarshal([]byte(currentValue), newValueHolder)
if unmarshErr != nil {
return "", unmarshErr
2021-10-22 03:28:58 +08:00
}
2021-10-22 21:47:29 +08:00
var b64CurrentValue, b64Err = base64.StdEncoding.DecodeString(newValueHolder.Value)
if b64Err != nil {
2021-12-07 04:31:08 +08:00
logger.Log(0, "could not decode pass")
2021-10-22 21:47:29 +08:00
return "", nil
}
return string(b64CurrentValue), nil
2021-10-22 03:28:58 +08:00
}