headscale/oidc.go

213 lines
5.8 KiB
Go
Raw Normal View History

2021-09-26 02:53:05 -06:00
package headscale
import (
"context"
2021-09-26 02:53:05 -06:00
"crypto/rand"
"encoding/hex"
"errors"
"fmt"
"github.com/coreos/go-oidc/v3/oidc"
2021-09-26 02:53:05 -06:00
"github.com/gin-gonic/gin"
"github.com/patrickmn/go-cache"
"github.com/rs/zerolog/log"
"golang.org/x/oauth2"
2021-09-26 02:53:05 -06:00
"gorm.io/gorm"
"net/http"
2021-10-08 03:43:52 -06:00
"strings"
2021-09-26 02:53:05 -06:00
"time"
)
type IDTokenClaims struct {
2021-09-26 02:53:05 -06:00
Name string `json:"name,omitempty"`
Groups []string `json:"groups,omitempty"`
Email string `json:"email"`
Username string `json:"preferred_username,omitempty"`
}
2021-10-08 03:43:52 -06:00
func (h *Headscale) initOIDC() error {
2021-09-26 02:53:05 -06:00
var err error
// grab oidc config if it hasn't been already
2021-10-08 03:43:52 -06:00
if h.oauth2Config == nil {
h.oidcProvider, err = oidc.NewProvider(context.Background(), h.cfg.OIDCIssuer)
2021-09-26 02:53:05 -06:00
if err != nil {
log.Error().Msgf("Could not retrieve OIDC Config: %s", err.Error())
2021-10-08 03:43:52 -06:00
return err
2021-09-26 02:53:05 -06:00
}
2021-10-08 03:43:52 -06:00
h.oauth2Config = &oauth2.Config{
ClientID: h.cfg.OIDCClientID,
ClientSecret: h.cfg.OIDCClientSecret,
2021-10-08 03:43:52 -06:00
Endpoint: h.oidcProvider.Endpoint(),
RedirectURL: fmt.Sprintf("%s/oidc/callback", strings.TrimSuffix(h.cfg.ServerURL, "/")),
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
}
2021-10-08 03:43:52 -06:00
}
// init the state cache if it hasn't been already
if h.oidcStateCache == nil {
h.oidcStateCache = cache.New(time.Minute*5, time.Minute*10)
}
2021-10-08 03:43:52 -06:00
return nil
}
// RegisterOIDC redirects to the OIDC provider for authentication
// Puts machine key in cache so the callback can retrieve it using the oidc state param
// Listens in /oidc/register/:mKey
func (h *Headscale) RegisterOIDC(c *gin.Context) {
mKeyStr := c.Param("mkey")
if mKeyStr == "" {
c.String(http.StatusBadRequest, "Wrong params")
return
2021-09-26 02:53:05 -06:00
}
b := make([]byte, 16)
2021-10-08 03:43:52 -06:00
_, err := rand.Read(b)
if err != nil {
log.Error().Msg("could not read 16 bytes from rand")
c.String(http.StatusInternalServerError, "could not read 16 bytes from rand")
return
}
2021-09-26 02:53:05 -06:00
stateStr := hex.EncodeToString(b)[:32]
// place the machine key into the state cache, so it can be retrieved later
2021-10-08 03:43:52 -06:00
h.oidcStateCache.Set(stateStr, mKeyStr, time.Minute*5)
2021-09-26 02:53:05 -06:00
2021-10-08 03:43:52 -06:00
authUrl := h.oauth2Config.AuthCodeURL(stateStr)
log.Debug().Msgf("Redirecting to %s for authentication", authUrl)
2021-09-26 02:53:05 -06:00
c.Redirect(http.StatusFound, authUrl)
}
// OIDCCallback handles the callback from the OIDC endpoint
// Retrieves the mkey from the state cache and adds the machine to the users email namespace
// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into machine HostInfo
2021-09-26 02:53:05 -06:00
// Listens in /oidc/callback
func (h *Headscale) OIDCCallback(c *gin.Context) {
code := c.Query("code")
state := c.Query("state")
if code == "" || state == "" {
c.String(http.StatusBadRequest, "Wrong params")
return
}
2021-10-08 03:43:52 -06:00
oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)
2021-09-26 02:53:05 -06:00
if err != nil {
c.String(http.StatusBadRequest, "Could not exchange code for token")
return
}
rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
if !rawIDTokenOK {
c.String(http.StatusBadRequest, "Could not extract ID Token")
return
}
2021-10-08 03:43:52 -06:00
verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDCClientID})
2021-09-26 02:53:05 -06:00
idToken, err := verifier.Verify(context.Background(), rawIDToken)
2021-09-26 02:53:05 -06:00
if err != nil {
c.String(http.StatusBadRequest, "Failed to verify id token: %s", err.Error())
return
}
//userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
//if err != nil {
// c.String(http.StatusBadRequest, "Failed to retrieve userinfo: "+err.Error())
// return
//}
// Extract custom claims
var claims IDTokenClaims
if err = idToken.Claims(&claims); err != nil {
c.String(http.StatusBadRequest, "Failed to decode id token claims: "+err.Error())
2021-09-26 02:53:05 -06:00
return
}
//retrieve machinekey from state cache
2021-10-08 03:43:52 -06:00
mKeyIf, mKeyFound := h.oidcStateCache.Get(state)
2021-09-26 02:53:05 -06:00
if !mKeyFound {
c.String(http.StatusBadRequest, "state has expired")
return
}
mKeyStr, mKeyOK := mKeyIf.(string)
if !mKeyOK {
c.String(http.StatusInternalServerError, "could not get machine key from cache")
return
}
// retrieve machine information
var m Machine
if result := h.db.Preload("Namespace").First(&m, "machine_key = ?", mKeyStr); errors.Is(result.Error, gorm.ErrRecordNotFound) {
log.Error().Msg("machine key not found in database")
c.String(http.StatusInternalServerError, "could not get machine info from database")
return
}
//look for a namespace of the users email for now
if !m.Registered {
2021-10-08 03:43:52 -06:00
log.Debug().Msg("Registering new machine after successful callback")
2021-09-26 02:53:05 -06:00
ns, err := h.GetNamespace(claims.Email)
if err != nil {
ns, err = h.CreateNamespace(claims.Email)
if err != nil {
log.Error().Msgf("could not create new namespace '%s'", claims.Email)
c.String(http.StatusInternalServerError, "could not create new namespace")
return
}
2021-09-26 02:53:05 -06:00
}
ip, err := h.getAvailableIP()
if err != nil {
c.String(http.StatusInternalServerError, "could not get an IP from the pool")
return
}
m.IPAddress = ip.String()
m.NamespaceID = ns.ID
m.Registered = true
m.RegisterMethod = "oidc"
h.db.Save(&m)
}
2021-10-08 03:43:52 -06:00
if m.isExpired() {
maxExpiry := time.Now().UTC().Add(h.cfg.MaxMachineExpiry)
// use the maximum expiry if it's sooner than the requested expiry
if maxExpiry.Before(*m.Expiry) {
log.Debug().Msgf("Clamping expiry time to maximum: %v (%v)", maxExpiry, h.cfg.MaxMachineExpiry)
m.Expiry = &maxExpiry
h.db.Save(&m)
} else if m.Expiry.IsZero() {
log.Debug().Msgf("Using default machine expiry time: %v (%v)", maxExpiry, h.cfg.MaxMachineExpiry)
defaultExpiry := time.Now().UTC().Add(h.cfg.DefaultMachineExpiry)
m.Expiry = &defaultExpiry
h.db.Save(&m)
}
}
2021-09-26 02:53:05 -06:00
c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(fmt.Sprintf(`
<html>
<body>
<h1>headscale</h1>
<p>
Authenticated as %s, you can now close this window.
2021-09-26 02:53:05 -06:00
</p>
</body>
</html>
`, claims.Email)))
2021-09-26 02:53:05 -06:00
}