mirror of
https://github.com/gravitl/netmaker.git
synced 2024-11-11 01:54:34 +08:00
192 lines
5.4 KiB
Go
192 lines
5.4 KiB
Go
package auth
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/gravitl/netmaker/logger"
|
|
"github.com/gravitl/netmaker/logic"
|
|
"github.com/gravitl/netmaker/models"
|
|
"github.com/gravitl/netmaker/servercfg"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
// == consts ==
|
|
const (
|
|
init_provider = "initprovider"
|
|
get_user_info = "getuserinfo"
|
|
handle_callback = "handlecallback"
|
|
handle_login = "handlelogin"
|
|
google_provider_name = "google"
|
|
azure_ad_provider_name = "azure-ad"
|
|
github_provider_name = "github"
|
|
oidc_provider_name = "oidc"
|
|
verify_user = "verifyuser"
|
|
auth_key = "netmaker_auth"
|
|
)
|
|
|
|
// var oauth_state_string = "netmaker-oauth-state" // should be set randomly each provider login
|
|
var auth_provider *oauth2.Config
|
|
|
|
func getCurrentAuthFunctions() map[string]interface{} {
|
|
var authInfo = servercfg.GetAuthProviderInfo()
|
|
var authProvider = authInfo[0]
|
|
switch authProvider {
|
|
case google_provider_name:
|
|
return google_functions
|
|
case azure_ad_provider_name:
|
|
return azure_ad_functions
|
|
case github_provider_name:
|
|
return github_functions
|
|
case oidc_provider_name:
|
|
return oidc_functions
|
|
default:
|
|
return nil
|
|
}
|
|
}
|
|
|
|
// InitializeAuthProvider - initializes the auth provider if any is present
|
|
func InitializeAuthProvider() string {
|
|
var functions = getCurrentAuthFunctions()
|
|
if functions == nil {
|
|
return ""
|
|
}
|
|
var _, err = fetchPassValue(logic.RandomString(64))
|
|
if err != nil {
|
|
logger.Log(0, err.Error())
|
|
return ""
|
|
}
|
|
var currentFrontendURL = servercfg.GetFrontendURL()
|
|
if currentFrontendURL == "" {
|
|
return ""
|
|
}
|
|
var authInfo = servercfg.GetAuthProviderInfo()
|
|
var serverConn = servercfg.GetAPIHost()
|
|
if strings.Contains(serverConn, "localhost") || strings.Contains(serverConn, "127.0.0.1") {
|
|
serverConn = "http://" + serverConn
|
|
logger.Log(1, "localhost OAuth detected, proceeding with insecure http redirect: (", serverConn, ")")
|
|
} else {
|
|
serverConn = "https://" + serverConn
|
|
logger.Log(1, "external OAuth detected, proceeding with https redirect: ("+serverConn+")")
|
|
}
|
|
|
|
if authInfo[0] == "oidc" {
|
|
functions[init_provider].(func(string, string, string, string))(serverConn+"/api/oauth/callback", authInfo[1], authInfo[2], authInfo[3])
|
|
return authInfo[0]
|
|
}
|
|
|
|
functions[init_provider].(func(string, string, string))(serverConn+"/api/oauth/callback", authInfo[1], authInfo[2])
|
|
return authInfo[0]
|
|
}
|
|
|
|
// HandleAuthCallback - handles oauth callback
|
|
func HandleAuthCallback(w http.ResponseWriter, r *http.Request) {
|
|
if auth_provider == nil {
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
fmt.Fprintln(w, oauthNotConfigured)
|
|
return
|
|
}
|
|
var functions = getCurrentAuthFunctions()
|
|
if functions == nil {
|
|
return
|
|
}
|
|
functions[handle_callback].(func(http.ResponseWriter, *http.Request))(w, r)
|
|
}
|
|
|
|
// HandleAuthLogin - handles oauth login
|
|
func HandleAuthLogin(w http.ResponseWriter, r *http.Request) {
|
|
if auth_provider == nil {
|
|
var referer = r.Header.Get("referer")
|
|
if referer != "" {
|
|
http.Redirect(w, r, referer+"login?oauth=callback-error", http.StatusTemporaryRedirect)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
fmt.Fprintln(w, oauthNotConfigured)
|
|
return
|
|
}
|
|
var functions = getCurrentAuthFunctions()
|
|
if functions == nil {
|
|
return
|
|
}
|
|
functions[handle_login].(func(http.ResponseWriter, *http.Request))(w, r)
|
|
}
|
|
|
|
// IsOauthUser - returns
|
|
func IsOauthUser(user *models.User) error {
|
|
var currentValue, err = fetchPassValue("")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
var bCryptErr = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(currentValue))
|
|
return bCryptErr
|
|
}
|
|
|
|
// == private methods ==
|
|
|
|
func addUser(email string) error {
|
|
var hasAdmin, err = logic.HasAdmin()
|
|
if err != nil {
|
|
logger.Log(1, "error checking for existence of admin user during OAuth login for", email, "; user not added")
|
|
return err
|
|
} // generate random password to adapt to current model
|
|
var newPass, fetchErr = fetchPassValue("")
|
|
if fetchErr != nil {
|
|
return fetchErr
|
|
}
|
|
var newUser = models.User{
|
|
UserName: email,
|
|
Password: newPass,
|
|
}
|
|
if !hasAdmin { // must be first attempt, create an admin
|
|
if newUser, err = logic.CreateAdmin(newUser); err != nil {
|
|
logger.Log(1, "error creating admin from user,", email, "; user not added")
|
|
} else {
|
|
logger.Log(1, "admin created from user,", email, "; was first user added")
|
|
}
|
|
} else { // otherwise add to db as admin..?
|
|
// TODO: add ability to add users with preemptive permissions
|
|
newUser.IsAdmin = false
|
|
if newUser, err = logic.CreateUser(newUser); err != nil {
|
|
logger.Log(1, "error creating user,", email, "; user not added")
|
|
} else {
|
|
logger.Log(0, "user created from ", email)
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func fetchPassValue(newValue string) (string, error) {
|
|
|
|
type valueHolder struct {
|
|
Value string `json:"value" bson:"value"`
|
|
}
|
|
var b64NewValue = base64.StdEncoding.EncodeToString([]byte(newValue))
|
|
var newValueHolder = &valueHolder{
|
|
Value: b64NewValue,
|
|
}
|
|
var data, marshalErr = json.Marshal(newValueHolder)
|
|
if marshalErr != nil {
|
|
return "", marshalErr
|
|
}
|
|
|
|
var currentValue, err = logic.FetchAuthSecret(auth_key, string(data))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
var unmarshErr = json.Unmarshal([]byte(currentValue), newValueHolder)
|
|
if unmarshErr != nil {
|
|
return "", unmarshErr
|
|
}
|
|
|
|
var b64CurrentValue, b64Err = base64.StdEncoding.DecodeString(newValueHolder.Value)
|
|
if b64Err != nil {
|
|
logger.Log(0, "could not decode pass")
|
|
return "", nil
|
|
}
|
|
return string(b64CurrentValue), nil
|
|
}
|