2021-09-26 16:53:05 +08:00
package headscale
import (
2021-12-23 10:43:53 +08:00
"bytes"
2021-10-06 17:19:15 +08:00
"context"
2021-09-26 16:53:05 +08:00
"crypto/rand"
"encoding/hex"
2021-11-22 05:51:39 +08:00
"errors"
2021-09-26 16:53:05 +08:00
"fmt"
2021-12-23 10:43:53 +08:00
"html/template"
2021-10-19 03:27:52 +08:00
"net/http"
"regexp"
"strings"
"time"
2021-10-06 17:19:15 +08:00
"github.com/coreos/go-oidc/v3/oidc"
2021-09-26 16:53:05 +08:00
"github.com/gin-gonic/gin"
"github.com/patrickmn/go-cache"
"github.com/rs/zerolog/log"
2021-10-06 17:19:15 +08:00
"golang.org/x/oauth2"
2021-11-22 05:51:39 +08:00
"gorm.io/gorm"
2021-11-27 07:30:42 +08:00
"tailscale.com/types/key"
2021-09-26 16:53:05 +08:00
)
2021-11-15 01:31:51 +08:00
const (
2021-11-16 01:24:24 +08:00
oidcStateCacheExpiration = time . Minute * 5
oidcStateCacheCleanupInterval = time . Minute * 10
randomByteSize = 16
2021-11-15 01:31:51 +08:00
)
2021-10-06 17:19:15 +08:00
type IDTokenClaims struct {
2021-09-26 16:53:05 +08:00
Name string ` json:"name,omitempty" `
Groups [ ] string ` json:"groups,omitempty" `
Email string ` json:"email" `
Username string ` json:"preferred_username,omitempty" `
}
2021-10-08 17:43:52 +08:00
func ( h * Headscale ) initOIDC ( ) error {
2021-09-26 16:53:05 +08:00
var err error
// grab oidc config if it hasn't been already
2021-10-08 17:43:52 +08:00
if h . oauth2Config == nil {
2021-10-19 03:27:52 +08:00
h . oidcProvider , err = oidc . NewProvider ( context . Background ( ) , h . cfg . OIDC . Issuer )
2021-09-26 16:53:05 +08:00
if err != nil {
2021-11-22 05:51:39 +08:00
log . Error ( ) .
Err ( err ) .
Caller ( ) .
Msgf ( "Could not retrieve OIDC Config: %s" , err . Error ( ) )
2021-11-14 23:46:09 +08:00
2021-10-08 17:43:52 +08:00
return err
2021-09-26 16:53:05 +08:00
}
2021-10-06 17:19:15 +08:00
2021-10-08 17:43:52 +08:00
h . oauth2Config = & oauth2 . Config {
2021-10-19 03:27:52 +08:00
ClientID : h . cfg . OIDC . ClientID ,
ClientSecret : h . cfg . OIDC . ClientSecret ,
2021-10-08 17:43:52 +08:00
Endpoint : h . oidcProvider . Endpoint ( ) ,
2021-11-13 16:36:45 +08:00
RedirectURL : fmt . Sprintf (
"%s/oidc/callback" ,
strings . TrimSuffix ( h . cfg . ServerURL , "/" ) ,
) ,
Scopes : [ ] string { oidc . ScopeOpenID , "profile" , "email" } ,
2021-10-06 17:19:15 +08:00
}
2021-10-08 17:43:52 +08:00
}
// init the state cache if it hasn't been already
if h . oidcStateCache == nil {
2021-11-15 01:31:51 +08:00
h . oidcStateCache = cache . New (
2021-11-16 01:24:24 +08:00
oidcStateCacheExpiration ,
oidcStateCacheCleanupInterval ,
2021-11-15 01:31:51 +08:00
)
2021-10-08 17:43:52 +08:00
}
2021-10-06 17:19:15 +08:00
2021-10-08 17:43:52 +08:00
return nil
}
// RegisterOIDC redirects to the OIDC provider for authentication
// Puts machine key in cache so the callback can retrieve it using the oidc state param
2021-11-13 16:39:04 +08:00
// Listens in /oidc/register/:mKey.
2021-11-15 03:32:03 +08:00
func ( h * Headscale ) RegisterOIDC ( ctx * gin . Context ) {
2021-11-22 05:51:39 +08:00
machineKeyStr := ctx . Param ( "mkey" )
if machineKeyStr == "" {
2021-11-15 03:32:03 +08:00
ctx . String ( http . StatusBadRequest , "Wrong params" )
2021-11-14 23:46:09 +08:00
2021-10-08 17:43:52 +08:00
return
2021-09-26 16:53:05 +08:00
}
2021-11-23 03:32:11 +08:00
log . Trace ( ) .
Caller ( ) .
Str ( "machine_key" , machineKeyStr ) .
Msg ( "Received oidc register call" )
2021-11-16 01:24:24 +08:00
randomBlob := make ( [ ] byte , randomByteSize )
2021-11-16 00:15:50 +08:00
if _ , err := rand . Read ( randomBlob ) ; err != nil {
2021-11-22 05:51:39 +08:00
log . Error ( ) .
Caller ( ) .
Msg ( "could not read 16 bytes from rand" )
2021-11-15 03:32:03 +08:00
ctx . String ( http . StatusInternalServerError , "could not read 16 bytes from rand" )
2021-11-14 23:46:09 +08:00
2021-09-26 21:12:36 +08:00
return
}
2021-11-16 00:15:50 +08:00
stateStr := hex . EncodeToString ( randomBlob ) [ : 32 ]
2021-09-26 16:53:05 +08:00
// place the machine key into the state cache, so it can be retrieved later
2021-11-22 05:51:39 +08:00
h . oidcStateCache . Set ( stateStr , machineKeyStr , oidcStateCacheExpiration )
2021-09-26 16:53:05 +08:00
2021-11-16 01:24:24 +08:00
authURL := h . oauth2Config . AuthCodeURL ( stateStr )
log . Debug ( ) . Msgf ( "Redirecting to %s for authentication" , authURL )
2021-09-26 16:53:05 +08:00
2021-11-16 01:24:24 +08:00
ctx . Redirect ( http . StatusFound , authURL )
2021-09-26 16:53:05 +08:00
}
2021-12-23 10:43:53 +08:00
type oidcCallbackTemplateConfig struct {
User string
Verb string
}
var oidcCallbackTemplate = template . Must (
template . New ( "oidccallback" ) . Parse ( ` < html >
< body >
< h1 > headscale < / h1 >
< p >
{ { . Verb } } as { { . User } } , you can now close this window .
< / p >
< / body >
< / html > ` ) ,
)
2022-01-16 21:16:59 +08:00
// TODO: Why is the entire machine registration logic duplicated here?
2021-09-26 16:53:05 +08:00
// OIDCCallback handles the callback from the OIDC endpoint
2021-10-06 17:19:15 +08:00
// Retrieves the mkey from the state cache and adds the machine to the users email namespace
// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into machine HostInfo
2021-11-13 16:39:04 +08:00
// Listens in /oidc/callback.
2021-11-15 03:32:03 +08:00
func ( h * Headscale ) OIDCCallback ( ctx * gin . Context ) {
code := ctx . Query ( "code" )
state := ctx . Query ( "state" )
2021-09-26 16:53:05 +08:00
if code == "" || state == "" {
2021-11-15 03:32:03 +08:00
ctx . String ( http . StatusBadRequest , "Wrong params" )
2021-11-14 23:46:09 +08:00
2021-09-26 16:53:05 +08:00
return
}
2021-10-08 17:43:52 +08:00
oauth2Token , err := h . oauth2Config . Exchange ( context . Background ( ) , code )
2021-09-26 16:53:05 +08:00
if err != nil {
2021-11-15 03:32:03 +08:00
ctx . String ( http . StatusBadRequest , "Could not exchange code for token" )
2021-11-14 23:46:09 +08:00
2021-09-26 16:53:05 +08:00
return
}
2021-11-23 03:32:11 +08:00
log . Trace ( ) .
Caller ( ) .
Str ( "code" , code ) .
Str ( "state" , state ) .
Msg ( "Got oidc callback" )
2021-10-10 17:22:42 +08:00
2021-10-06 17:19:15 +08:00
rawIDToken , rawIDTokenOK := oauth2Token . Extra ( "id_token" ) . ( string )
if ! rawIDTokenOK {
2021-11-15 03:32:03 +08:00
ctx . String ( http . StatusBadRequest , "Could not extract ID Token" )
2021-11-14 23:46:09 +08:00
2021-10-06 17:19:15 +08:00
return
}
2021-10-19 03:27:52 +08:00
verifier := h . oidcProvider . Verifier ( & oidc . Config { ClientID : h . cfg . OIDC . ClientID } )
2021-09-26 16:53:05 +08:00
2021-10-06 17:19:15 +08:00
idToken , err := verifier . Verify ( context . Background ( ) , rawIDToken )
2021-09-26 16:53:05 +08:00
if err != nil {
2021-11-22 05:51:39 +08:00
log . Error ( ) .
Err ( err ) .
Caller ( ) .
Msg ( "failed to verify id token" )
ctx . String ( http . StatusBadRequest , "Failed to verify id token" )
2021-11-14 23:46:09 +08:00
2021-10-06 17:19:15 +08:00
return
}
2021-10-10 17:22:42 +08:00
// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
2021-11-15 01:44:37 +08:00
// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
// if err != nil {
2021-11-22 05:54:19 +08:00
// c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo"))
2021-11-15 01:44:37 +08:00
// return
// }
2021-10-06 17:19:15 +08:00
// Extract custom claims
var claims IDTokenClaims
if err = idToken . Claims ( & claims ) ; err != nil {
2021-11-22 05:51:39 +08:00
log . Error ( ) .
Err ( err ) .
Caller ( ) .
Msg ( "Failed to decode id token claims" )
2021-11-15 03:32:03 +08:00
ctx . String (
2021-11-13 16:36:45 +08:00
http . StatusBadRequest ,
2021-11-23 01:22:47 +08:00
"Failed to decode id token claims" ,
2021-11-13 16:36:45 +08:00
)
2021-11-14 23:46:09 +08:00
2021-09-26 16:53:05 +08:00
return
}
2021-10-19 03:27:52 +08:00
// retrieve machinekey from state cache
2021-11-22 05:51:39 +08:00
machineKeyIf , machineKeyFound := h . oidcStateCache . Get ( state )
2021-09-26 16:53:05 +08:00
2021-11-22 05:51:39 +08:00
if ! machineKeyFound {
2021-11-13 16:36:45 +08:00
log . Error ( ) .
Msg ( "requested machine state key expired before authorisation completed" )
2021-11-15 03:32:03 +08:00
ctx . String ( http . StatusBadRequest , "state has expired" )
2021-11-14 23:46:09 +08:00
2021-09-26 16:53:05 +08:00
return
}
2021-11-27 07:30:42 +08:00
machineKeyStr , machineKeyOK := machineKeyIf . ( string )
2021-11-27 07:50:42 +08:00
var machineKey key . MachinePublic
2021-11-28 04:25:12 +08:00
err = machineKey . UnmarshalText ( [ ] byte ( MachinePublicKeyEnsurePrefix ( machineKeyStr ) ) )
2021-11-27 07:30:42 +08:00
if err != nil {
log . Error ( ) .
Msg ( "could not parse machine public key" )
ctx . String ( http . StatusBadRequest , "could not parse public key" )
return
}
2021-09-26 16:53:05 +08:00
2021-11-22 05:51:39 +08:00
if ! machineKeyOK {
2021-10-10 17:22:42 +08:00
log . Error ( ) . Msg ( "could not get machine key from cache" )
2021-11-15 03:32:03 +08:00
ctx . String (
http . StatusInternalServerError ,
"could not get machine key from cache" ,
)
2021-11-14 23:46:09 +08:00
2021-09-26 16:53:05 +08:00
return
}
2021-11-23 03:32:52 +08:00
// TODO(kradalby): Currently, if it fails to find a requested expiry, non will be set
requestedTime := time . Time { }
2021-11-27 07:30:42 +08:00
if requestedTimeIf , found := h . requestedExpiryCache . Get ( machineKey . String ( ) ) ; found {
2021-11-23 03:32:52 +08:00
if reqTime , ok := requestedTimeIf . ( time . Time ) ; ok {
requestedTime = reqTime
}
}
2021-09-26 16:53:05 +08:00
// retrieve machine information
2021-11-22 05:51:39 +08:00
machine , err := h . GetMachineByMachineKey ( machineKey )
2021-10-10 17:22:42 +08:00
if err != nil {
2021-09-26 16:53:05 +08:00
log . Error ( ) . Msg ( "machine key not found in database" )
2021-11-15 03:32:03 +08:00
ctx . String (
2021-11-13 16:36:45 +08:00
http . StatusInternalServerError ,
"could not get machine info from database" ,
)
2021-11-14 23:46:09 +08:00
2021-09-26 16:53:05 +08:00
return
}
2021-11-23 03:32:11 +08:00
if machine . isRegistered ( ) {
log . Trace ( ) .
Caller ( ) .
Str ( "machine" , machine . Name ) .
Msg ( "machine already registered, reauthenticating" )
h . RefreshMachine ( machine , requestedTime )
2021-12-23 10:43:53 +08:00
var content bytes . Buffer
if err := oidcCallbackTemplate . Execute ( & content , oidcCallbackTemplateConfig {
User : claims . Email ,
Verb : "Reauthenticated" ,
} ) ; err != nil {
log . Error ( ) .
Str ( "func" , "OIDCCallback" ) .
Str ( "type" , "reauthenticate" ) .
Err ( err ) .
Msg ( "Could not render OIDC callback template" )
ctx . Data (
http . StatusInternalServerError ,
"text/html; charset=utf-8" ,
[ ] byte ( "Could not render OIDC callback template" ) ,
)
}
2021-11-23 03:32:11 +08:00
2021-12-23 10:43:53 +08:00
ctx . Data ( http . StatusOK , "text/html; charset=utf-8" , content . Bytes ( ) )
2021-11-23 03:32:11 +08:00
return
}
2021-10-10 17:22:42 +08:00
now := time . Now ( ) . UTC ( )
2021-11-15 03:32:03 +08:00
if namespaceName , ok := h . getNamespaceFromEmail ( claims . Email ) ; ok {
2021-10-19 03:27:52 +08:00
// register the machine if it's new
2021-11-15 03:32:03 +08:00
if ! machine . Registered {
2021-10-19 03:27:52 +08:00
log . Debug ( ) . Msg ( "Registering new machine after successful callback" )
2021-10-08 17:43:52 +08:00
2021-11-15 03:32:03 +08:00
namespace , err := h . GetNamespace ( namespaceName )
2021-11-22 05:51:39 +08:00
if errors . Is ( err , gorm . ErrRecordNotFound ) {
2021-11-15 03:32:03 +08:00
namespace , err = h . CreateNamespace ( namespaceName )
2021-10-19 03:27:52 +08:00
if err != nil {
2021-11-13 16:36:45 +08:00
log . Error ( ) .
2021-11-22 05:51:39 +08:00
Err ( err ) .
Caller ( ) .
Msgf ( "could not create new namespace '%s'" , namespaceName )
2021-11-15 03:32:03 +08:00
ctx . String (
2021-11-13 16:36:45 +08:00
http . StatusInternalServerError ,
"could not create new namespace" ,
)
2021-11-14 23:46:09 +08:00
2021-10-19 03:27:52 +08:00
return
}
2021-11-22 05:51:39 +08:00
} else if err != nil {
log . Error ( ) .
Caller ( ) .
Err ( err ) .
Str ( "namespace" , namespaceName ) .
Msg ( "could not find or create namespace" )
ctx . String (
http . StatusInternalServerError ,
"could not find or create namespace" ,
)
return
2021-10-19 03:27:52 +08:00
}
2021-09-26 21:12:36 +08:00
2022-01-16 21:16:59 +08:00
ips , err := h . getAvailableIPs ( )
2021-09-26 21:12:36 +08:00
if err != nil {
2021-11-22 05:51:39 +08:00
log . Error ( ) .
Caller ( ) .
Err ( err ) .
Msg ( "could not get an IP from the pool" )
2021-11-15 03:32:03 +08:00
ctx . String (
2021-11-13 16:36:45 +08:00
http . StatusInternalServerError ,
"could not get an IP from the pool" ,
)
2021-11-14 23:46:09 +08:00
2021-09-26 21:12:36 +08:00
return
}
2021-09-26 16:53:05 +08:00
2022-01-16 21:16:59 +08:00
machine . IPAddresses = ips
2021-11-15 03:32:03 +08:00
machine . NamespaceID = namespace . ID
machine . Registered = true
2021-11-19 01:51:54 +08:00
machine . RegisterMethod = RegisterMethodOIDC
2021-11-15 03:32:03 +08:00
machine . LastSuccessfulUpdate = & now
2021-11-23 03:32:11 +08:00
machine . Expiry = & requestedTime
2021-11-15 03:32:03 +08:00
h . db . Save ( & machine )
2021-09-26 16:53:05 +08:00
}
2021-12-23 10:43:53 +08:00
var content bytes . Buffer
if err := oidcCallbackTemplate . Execute ( & content , oidcCallbackTemplateConfig {
User : claims . Email ,
Verb : "Authenticated" ,
} ) ; err != nil {
log . Error ( ) .
Str ( "func" , "OIDCCallback" ) .
Str ( "type" , "authenticate" ) .
Err ( err ) .
Msg ( "Could not render OIDC callback template" )
ctx . Data (
http . StatusInternalServerError ,
"text/html; charset=utf-8" ,
[ ] byte ( "Could not render OIDC callback template" ) ,
)
}
ctx . Data ( http . StatusOK , "text/html; charset=utf-8" , content . Bytes ( ) )
2021-11-23 01:22:47 +08:00
return
2021-10-19 03:27:52 +08:00
}
log . Error ( ) .
2021-11-22 05:51:39 +08:00
Caller ( ) .
2021-10-19 03:27:52 +08:00
Str ( "email" , claims . Email ) .
Str ( "username" , claims . Username ) .
2021-11-15 03:32:03 +08:00
Str ( "machine" , machine . Name ) .
2021-10-19 03:27:52 +08:00
Msg ( "Email could not be mapped to a namespace" )
2021-11-15 03:32:03 +08:00
ctx . String (
2021-11-13 16:36:45 +08:00
http . StatusBadRequest ,
"email from claim could not be mapped to a namespace" ,
)
2021-10-19 03:27:52 +08:00
}
2021-10-20 01:25:59 +08:00
// getNamespaceFromEmail passes the users email through a list of "matchers"
// and iterates through them until it matches and returns a namespace.
// If no match is found, an empty string will be returned.
// TODO(kradalby): golang Maps key order is not stable, so this list is _not_ deterministic. Find a way to make the list of keys stable, preferably in the order presented in a users configuration.
2021-10-19 03:27:52 +08:00
func ( h * Headscale ) getNamespaceFromEmail ( email string ) ( string , bool ) {
for match , namespace := range h . cfg . OIDC . MatchMap {
regex := regexp . MustCompile ( match )
if regex . MatchString ( email ) {
return namespace , true
}
}
return "" , false
2021-09-26 16:53:05 +08:00
}