2024-04-03 02:43:57 +08:00
|
|
|
package auth
|
2024-02-05 00:32:57 +08:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2024-05-07 13:38:31 +08:00
|
|
|
"crypto/subtle"
|
2024-05-23 14:24:10 +08:00
|
|
|
"database/sql"
|
2024-02-05 00:32:57 +08:00
|
|
|
"encoding/base64"
|
2024-05-23 14:24:10 +08:00
|
|
|
"errors"
|
2024-02-05 00:32:57 +08:00
|
|
|
"fmt"
|
2024-05-23 14:24:10 +08:00
|
|
|
"log"
|
2024-02-05 00:32:57 +08:00
|
|
|
"net/http"
|
2024-05-23 14:24:10 +08:00
|
|
|
"net/url"
|
|
|
|
|
"strings"
|
2024-04-28 01:31:23 +08:00
|
|
|
"sync"
|
2024-05-23 14:24:10 +08:00
|
|
|
"time"
|
2024-02-05 00:32:57 +08:00
|
|
|
|
|
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
2024-05-23 14:24:10 +08:00
|
|
|
"github.com/knadh/listmonk/models"
|
2024-02-05 00:32:57 +08:00
|
|
|
"github.com/labstack/echo/v4"
|
|
|
|
|
"github.com/labstack/echo/v4/middleware"
|
2024-05-23 14:24:10 +08:00
|
|
|
"github.com/vividvilla/simplesessions/stores/postgres"
|
|
|
|
|
"github.com/vividvilla/simplesessions/v2"
|
2024-02-05 00:32:57 +08:00
|
|
|
"golang.org/x/oauth2"
|
|
|
|
|
)
|
|
|
|
|
|
2024-04-03 02:43:57 +08:00
|
|
|
// UserKey is the key on which the User profile is set on echo handlers.
|
|
|
|
|
const UserKey = "auth_user"
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
const (
|
|
|
|
|
sessTypeNative = "native"
|
|
|
|
|
sessTypeOIDC = "oidc"
|
|
|
|
|
)
|
2024-04-03 02:43:57 +08:00
|
|
|
|
|
|
|
|
type OIDCConfig struct {
|
|
|
|
|
Enabled bool `json:"enabled"`
|
|
|
|
|
ProviderURL string `json:"provider_url"`
|
|
|
|
|
RedirectURL string `json:"redirect_url"`
|
|
|
|
|
ClientID string `json:"client_id"`
|
|
|
|
|
ClientSecret string `json:"client_secret"`
|
2024-02-05 00:32:57 +08:00
|
|
|
|
|
|
|
|
// Skipper defines a function to skip middleware.
|
|
|
|
|
Skipper middleware.Skipper
|
|
|
|
|
}
|
|
|
|
|
|
2024-04-03 02:43:57 +08:00
|
|
|
type BasicAuthConfig struct {
|
|
|
|
|
Enabled bool `json:"enabled"`
|
|
|
|
|
Username string `json:"username"`
|
|
|
|
|
Password string `json:"password"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type Config struct {
|
|
|
|
|
OIDC OIDCConfig
|
|
|
|
|
BasicAuth BasicAuthConfig
|
2024-05-23 14:24:10 +08:00
|
|
|
LoginURL string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Callbacks takes two callback functions required by simplesessions.
|
|
|
|
|
type Callbacks struct {
|
|
|
|
|
SetCookie func(cookie *http.Cookie, w interface{}) error
|
|
|
|
|
GetCookie func(name string, r interface{}) (*http.Cookie, error)
|
|
|
|
|
GetUser func(id int) (models.User, error)
|
2024-04-03 02:43:57 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type Auth struct {
|
2024-05-23 14:24:10 +08:00
|
|
|
tokens map[string]models.User
|
2024-05-07 13:38:31 +08:00
|
|
|
sync.RWMutex
|
2024-04-28 01:31:23 +08:00
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
cfg Config
|
|
|
|
|
oauthCfg oauth2.Config
|
|
|
|
|
verifier *oidc.IDTokenVerifier
|
|
|
|
|
skipper middleware.Skipper
|
|
|
|
|
sess *simplesessions.Manager
|
|
|
|
|
sessStore *postgres.Store
|
|
|
|
|
cb *Callbacks
|
|
|
|
|
log *log.Logger
|
2024-04-02 17:00:12 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
func New(cfg Config, db *sql.DB, cb *Callbacks, lo *log.Logger) (*Auth, error) {
|
|
|
|
|
a := &Auth{
|
|
|
|
|
cfg: cfg,
|
|
|
|
|
cb: cb,
|
|
|
|
|
log: lo,
|
2024-02-05 00:32:57 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// Initialize OIDC.
|
|
|
|
|
if cfg.OIDC.Enabled {
|
|
|
|
|
provider, err := oidc.NewProvider(context.Background(), cfg.OIDC.ProviderURL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
a.verifier = provider.Verifier(&oidc.Config{
|
|
|
|
|
ClientID: cfg.OIDC.ClientID,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
a.oauthCfg = oauth2.Config{
|
|
|
|
|
ClientID: cfg.OIDC.ClientID,
|
|
|
|
|
ClientSecret: cfg.OIDC.ClientSecret,
|
|
|
|
|
Endpoint: provider.Endpoint(),
|
|
|
|
|
RedirectURL: cfg.OIDC.RedirectURL,
|
|
|
|
|
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
a.skipper = cfg.OIDC.Skipper
|
2024-02-05 00:32:57 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// Initialize session manager.
|
|
|
|
|
a.sess = simplesessions.New(simplesessions.Options{
|
|
|
|
|
IsHTTPOnlyCookie: true,
|
|
|
|
|
CookieLifetime: time.Hour * 24 * 7,
|
|
|
|
|
})
|
|
|
|
|
st, err := postgres.New(postgres.Opt{}, db)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2024-04-02 17:00:12 +08:00
|
|
|
}
|
2024-05-23 14:24:10 +08:00
|
|
|
a.sessStore = st
|
|
|
|
|
a.sess.UseStore(st)
|
|
|
|
|
a.sess.RegisterGetCookie(cb.GetCookie)
|
|
|
|
|
a.sess.RegisterSetCookie(cb.SetCookie)
|
|
|
|
|
|
|
|
|
|
// Prune dead sessions from the DB periodically.
|
|
|
|
|
go func() {
|
|
|
|
|
if err := st.Prune(); err != nil {
|
|
|
|
|
lo.Printf("error pruning login sessions: %v", err)
|
|
|
|
|
}
|
|
|
|
|
time.Sleep(time.Hour * 12)
|
|
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
return a, nil
|
2024-04-02 17:00:12 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-07 13:38:31 +08:00
|
|
|
// SetTokens caches tokens for authenticating API client calls.
|
2024-05-23 14:24:10 +08:00
|
|
|
func (o *Auth) SetTokens(tokens map[string]models.User) {
|
2024-05-07 13:38:31 +08:00
|
|
|
o.Lock()
|
|
|
|
|
defer o.Unlock()
|
2024-04-28 01:31:23 +08:00
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
o.tokens = make(map[string]models.User, len(tokens))
|
|
|
|
|
for userID, u := range tokens {
|
|
|
|
|
o.tokens[userID] = u
|
2024-04-28 01:31:23 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// GetToken validates an API user+token.
|
|
|
|
|
func (o *Auth) GetToken(user string, token string) (models.User, bool) {
|
2024-05-07 13:38:31 +08:00
|
|
|
o.RLock()
|
|
|
|
|
t, ok := o.tokens[user]
|
|
|
|
|
o.RUnlock()
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
if !ok || subtle.ConstantTimeCompare([]byte(t.Password.String), []byte(token)) != 1 {
|
|
|
|
|
return models.User{}, false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return t, true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// GetOIDCAuthURL returns the OIDC provider's auth URL to redirect to.
|
|
|
|
|
func (o *Auth) GetOIDCAuthURL(state, nonce string) string {
|
|
|
|
|
return o.oauthCfg.AuthCodeURL(state, oidc.Nonce(nonce))
|
2024-04-28 01:31:23 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// ExchangeOIDCToken takes an OIDC authorization code (recieved via redirect from the OIDC provider),
|
|
|
|
|
// validates it, and returns an OIDC token for subsequent auth.
|
|
|
|
|
func (o *Auth) ExchangeOIDCToken(code, nonce string) (string, models.User, error) {
|
|
|
|
|
var user models.User
|
|
|
|
|
|
|
|
|
|
tk, err := o.oauthCfg.Exchange(context.TODO(), code)
|
2024-02-05 00:32:57 +08:00
|
|
|
if err != nil {
|
2024-05-23 14:24:10 +08:00
|
|
|
return "", user, echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("error exchanging token: %v", err))
|
2024-04-02 17:00:12 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rawIDTk, ok := tk.Extra("id_token").(string)
|
|
|
|
|
if !ok {
|
2024-05-23 14:24:10 +08:00
|
|
|
return "", user, echo.NewHTTPError(http.StatusUnauthorized, "`id_token` missing.")
|
2024-04-02 17:00:12 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
idTk, err := o.verifier.Verify(context.TODO(), rawIDTk)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", user, echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("error verifying ID token: %v", err))
|
|
|
|
|
}
|
2024-02-05 00:32:57 +08:00
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
if idTk.Nonce != nonce {
|
|
|
|
|
return "", user, echo.NewHTTPError(http.StatusUnauthorized, "nonce did not match")
|
|
|
|
|
}
|
2024-02-05 00:32:57 +08:00
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
if err := idTk.Claims(&user); err != nil {
|
|
|
|
|
return "", user, errors.New("error getting user from OIDC")
|
|
|
|
|
}
|
2024-04-02 17:00:12 +08:00
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
return rawIDTk, user, nil
|
2024-04-02 17:00:12 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// Middleware is the HTTP middleware used for wrapping HTTP handlers registered on the echo router.
|
|
|
|
|
// It authorizes token (BasicAuth/token) based and cookie based sessions.
|
2024-04-03 02:43:57 +08:00
|
|
|
func (o *Auth) Middleware(next echo.HandlerFunc) echo.HandlerFunc {
|
2024-04-02 17:00:12 +08:00
|
|
|
return func(c echo.Context) error {
|
2024-05-23 14:24:10 +08:00
|
|
|
// It's an `Authorization` header request.
|
|
|
|
|
hdr := c.Response().Header().Get("Authorization")
|
|
|
|
|
if len(hdr) > 0 {
|
|
|
|
|
key, token, err := parseAuthHeader(hdr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return echo.NewHTTPError(http.StatusForbidden, err.Error())
|
|
|
|
|
}
|
2024-04-02 17:00:12 +08:00
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// Validate the token.
|
|
|
|
|
user, ok := o.GetToken(key, token)
|
|
|
|
|
if !ok {
|
|
|
|
|
return echo.NewHTTPError(http.StatusForbidden, "invalid token:secret")
|
2024-04-02 17:20:45 +08:00
|
|
|
}
|
2024-05-23 14:24:10 +08:00
|
|
|
|
|
|
|
|
// Set the user details on the handler context.
|
|
|
|
|
c.Set(UserKey, user)
|
|
|
|
|
return next(c)
|
2024-04-02 17:00:12 +08:00
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// It's a cookie based session.
|
|
|
|
|
user, err := o.validateSession(c)
|
2024-04-02 17:00:12 +08:00
|
|
|
if err != nil {
|
2024-05-23 14:24:10 +08:00
|
|
|
u, _ := url.Parse(o.cfg.LoginURL)
|
|
|
|
|
q := url.Values{}
|
|
|
|
|
q.Set("next", c.Request().RequestURI)
|
|
|
|
|
u.RawQuery = q.Encode()
|
|
|
|
|
|
|
|
|
|
return c.Redirect(http.StatusTemporaryRedirect, u.String())
|
2024-02-05 00:32:57 +08:00
|
|
|
}
|
2024-05-23 14:24:10 +08:00
|
|
|
|
|
|
|
|
// Set the user details on the handler context.
|
|
|
|
|
c.Set(UserKey, user)
|
|
|
|
|
return next(c)
|
2024-02-05 00:32:57 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2024-05-23 14:24:10 +08:00
|
|
|
// SetSession creates and sets a session (post successful login/auth).
|
|
|
|
|
func (o *Auth) SetSession(u models.User, oidcToken string, c echo.Context) error {
|
|
|
|
|
sess, err := o.sess.Acquire(c, c, nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return echo.NewHTTPError(http.StatusInternalServerError, "error creating session")
|
2024-02-05 00:32:57 +08:00
|
|
|
}
|
2024-05-23 14:24:10 +08:00
|
|
|
|
|
|
|
|
// sess, err := simplesessions.NewSession(o.sess, c, c)
|
|
|
|
|
// if err != nil {
|
|
|
|
|
// o.log.Printf("error creating login session: %v", err)
|
|
|
|
|
// return echo.NewHTTPError(http.StatusInternalServerError, "error creating session")
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
if err := sess.SetMulti(map[string]interface{}{"user_id": u.ID, "oidc_token": oidcToken}); err != nil {
|
|
|
|
|
o.log.Printf("error setting login session: %v", err)
|
|
|
|
|
return echo.NewHTTPError(http.StatusInternalServerError, "error creating session")
|
|
|
|
|
}
|
|
|
|
|
if err := sess.Commit(); err != nil {
|
|
|
|
|
o.log.Printf("error committing login session: %v", err)
|
|
|
|
|
return echo.NewHTTPError(http.StatusInternalServerError, "error creating session")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (o *Auth) validateSession(c echo.Context) (models.User, error) {
|
|
|
|
|
// Cookie session.
|
|
|
|
|
sess, err := o.sess.Acquire(c, c, nil)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return models.User{}, echo.NewHTTPError(http.StatusForbidden, err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get the session variables.
|
|
|
|
|
vars, err := sess.GetMulti("user_id", "oidc_token")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return models.User{}, echo.NewHTTPError(http.StatusInternalServerError, err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Validate the user ID in the session.
|
|
|
|
|
userID, err := o.sessStore.Int(vars["user_id"], nil)
|
|
|
|
|
if err != nil || userID < 1 {
|
|
|
|
|
o.log.Printf("error fetching session user ID: %v", err)
|
|
|
|
|
return models.User{}, echo.NewHTTPError(http.StatusInternalServerError, err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If it's an OIDC session, validate the claim.
|
|
|
|
|
if vars["oidc_token"] != "" {
|
|
|
|
|
if !o.cfg.OIDC.Enabled {
|
|
|
|
|
return models.User{}, echo.NewHTTPError(http.StatusForbidden, "OIDC aut his not enabled.")
|
|
|
|
|
}
|
|
|
|
|
if _, err := o.verifyOIDC(vars["oidc_token"].(string), c); err != nil {
|
|
|
|
|
return models.User{}, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Fetch user details from the database.
|
|
|
|
|
user, err := o.cb.GetUser(userID)
|
|
|
|
|
return user, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (o *Auth) verifyOIDC(token string, c echo.Context) (models.User, error) {
|
|
|
|
|
idTk, err := o.verifier.Verify(c.Request().Context(), token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return models.User{}, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var user models.User
|
|
|
|
|
if err := idTk.Claims(&user); err != nil {
|
|
|
|
|
return user, echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("error verifying OIDC claim: %v", user))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if user.ID < 1 {
|
|
|
|
|
return user, echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("invalid user ID in OIDC: %v", user))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return user, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// parseAuthHeader parses the Authorization header and returns the api_key and access_token.
|
|
|
|
|
func parseAuthHeader(h string) (string, string, error) {
|
|
|
|
|
const authBasic = "Basic"
|
|
|
|
|
const authToken = "token"
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
pair []string
|
|
|
|
|
delim = ":"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
if strings.HasPrefix(h, authToken) {
|
|
|
|
|
// token api_key:access_token.
|
|
|
|
|
pair = strings.SplitN(strings.Trim(h[len(authToken):], " "), delim, 2)
|
|
|
|
|
} else if strings.HasPrefix(h, authBasic) {
|
|
|
|
|
// HTTP BasicAuth. This is supported for backwards compatibility.
|
|
|
|
|
payload, err := base64.StdEncoding.DecodeString(string(strings.Trim(h[len(authBasic):], " ")))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", "", echo.NewHTTPError(http.StatusBadRequest, "invalid Base64 value in Basic Authorization header")
|
|
|
|
|
}
|
|
|
|
|
pair = strings.SplitN(string(payload), delim, 2)
|
|
|
|
|
} else {
|
|
|
|
|
return "", "", echo.NewHTTPError(http.StatusBadRequest, "unknown Authorization scheme")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(pair) < 2 {
|
|
|
|
|
return "", "", echo.NewHTTPError(http.StatusBadRequest, "api_key:token missing")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(pair[0]) == 0 || len(pair[1]) == 0 {
|
|
|
|
|
return "", "", echo.NewHTTPError(http.StatusBadRequest, "empty `api_key` or `token`")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return pair[0], pair[1], nil
|
2024-02-05 00:32:57 +08:00
|
|
|
}
|
