package hscontrol
import (
|
2021-12-22 19:43:53 -07:00
|
|
|
"bytes"
|
2021-10-06 03:19:15 -06:00
|
|
|
"context"
|
2021-09-26 02:53:05 -06:00
|
|
|
"crypto/rand"
|
2023-06-05 14:21:31 -06:00
|
|
|
_ "embed"
|
2021-09-26 02:53:05 -06:00
|
|
|
"encoding/hex"
|
2023-11-08 04:32:47 -07:00
|
|
|
"encoding/json"
|
2021-11-21 14:51:39 -07:00
|
|
|
"errors"
|
2021-09-26 02:53:05 -06:00
|
|
|
"fmt"
|
2021-12-22 19:43:53 -07:00
|
|
|
"html/template"
|
2021-10-18 13:27:52 -06:00
|
|
|
"net/http"
|
|
|
|
"strings"
|
2022-03-18 02:32:07 -06:00
|
|
|
"time"
|
2021-10-18 13:27:52 -06:00
|
|
|
|
2021-10-06 03:19:15 -06:00
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
2022-06-20 04:31:19 -06:00
|
|
|
"github.com/gorilla/mux"
|
2023-05-21 10:37:59 -06:00
|
|
|
"github.com/juanfont/headscale/hscontrol/db"
|
|
|
|
"github.com/juanfont/headscale/hscontrol/types"
|
2023-05-11 01:09:18 -06:00
|
|
|
"github.com/juanfont/headscale/hscontrol/util"
|
2021-09-26 02:53:05 -06:00
|
|
|
"github.com/rs/zerolog/log"
|
2021-10-06 03:19:15 -06:00
|
|
|
"golang.org/x/oauth2"
|
2021-11-26 16:30:42 -07:00
|
|
|
"tailscale.com/types/key"
|
2021-09-26 02:53:05 -06:00
|
|
|
)
const (
	// randomByteSize is the number of bytes drawn from crypto/rand for the
	// OIDC `state` parameter in RegisterOIDC. The state is the only value
	// binding the provider's callback to the node key that started the
	// login, so it must stay unguessable. Hex-encoded it is 2*randomByteSize
	// characters long.
	randomByteSize = 16
)
var (
	// errEmptyOIDCCallbackParams: the provider redirected back without a
	// `code` or `state` query parameter (see validateOIDCCallbackParams).
	errEmptyOIDCCallbackParams = errors.New("empty OIDC callback params")
	// errNoOIDCIDToken: the token endpoint response carried no `id_token`
	// extra field (see getIDTokenForOIDCCallback).
	errNoOIDCIDToken = errors.New("could not extract ID Token for OIDC callback")
	// errOIDCAllowedDomains / errOIDCAllowedGroups / errOIDCAllowedUsers are
	// authorisation (not authentication) failures: the ID token verified
	// fine, but the principal was rejected by the corresponding allow-list
	// in cfg.OIDC.
	errOIDCAllowedDomains = errors.New(
		"authenticated principal does not match any allowed domain",
	)
	errOIDCAllowedGroups = errors.New("authenticated principal is not in any allowed group")
	errOIDCAllowedUsers = errors.New(
		"authenticated principal does not match any allowed user",
	)
	// errOIDCInvalidNodeState is returned by validateNodeForOIDCCallback when
	// the value cached under `state` is not a string. NOTE: its message talks
	// about expiry, but the expired / never-issued state case actually
	// returns errOIDCNodeKeyMissing below; only the log line distinguishes them.
	errOIDCInvalidNodeState = errors.New(
		"requested node state key expired before authorisation completed",
	)
	// errOIDCNodeKeyMissing: no registrationCache entry exists for `state`
	// (it expired after registerCacheExpiration, or was never issued by us).
	errOIDCNodeKeyMissing = errors.New("could not get node key from cache")
	// errOIDCEmailClaimMissing / errOIDCUsernameClaimMissing: the ID token
	// lacks the claim named by cfg.OIDC.EmailClaim / cfg.OIDC.UsernameClaim;
	// both are required by extractIDTokenClaims.
	errOIDCEmailClaimMissing    = errors.New("email claim missing from ID Token")
	errOIDCUsernameClaimMissing = errors.New("username claim missing from ID Token")
)
// IDTokenClaims is the subset of ID-token claims headscale acts on. It is
// populated by extractIDTokenClaims from the claim *names* configured in
// cfg.OIDC (EmailClaim, UsernameClaim, GroupsClaim), so the field names here
// do not imply fixed claim names in the token.
type IDTokenClaims struct {
	// in some cases the groups might be a single value and not a list
	Groups stringOrArray
	// Email feeds the allowed-domains and allowed-users checks and, unless
	// cfg.OIDC.UseUsernameClaim is set, the headscale user name. It is used
	// as presented by the provider; no email_verified claim is consulted.
	Email string
	// Username feeds the headscale user name when cfg.OIDC.UseUsernameClaim
	// is set (see getUserName).
	Username string
}
// stringOrArray decodes a JSON claim that providers emit either as a bare
// string or as an array of strings (typically `groups`), always yielding a
// slice so callers need only one code path.
type stringOrArray []string

// UnmarshalJSON accepts `["a","b"]` and `"a"` (which becomes ["a"]).
// JSON `null` decodes as an empty (nil) slice without error. Anything else —
// a number, an object, an array containing non-strings — is rejected with the
// error produced by the string decode attempt.
func (s *stringOrArray) UnmarshalJSON(b []byte) error {
	// Preferred shape first: a list of strings.
	var list []string
	if json.Unmarshal(b, &list) == nil {
		*s = list

		return nil
	}

	// Fallback: a single string, wrapped into a one-element slice.
	var single string
	err := json.Unmarshal(b, &single)
	if err == nil {
		*s = stringOrArray{single}
	}

	return err
}
// rawClaims holds an ID token's claims undecoded, so that claims whose names
// are only known from configuration (cfg.OIDC.*Claim) can be decoded one at a
// time into the Go type each caller expects.
type rawClaims map[string]json.RawMessage

// unmarshalClaim decodes the claim called name into v. An absent claim is an
// error ("claim not present"); a present claim whose JSON does not fit v
// returns the encoding/json error unchanged.
func (c rawClaims) unmarshalClaim(name string, v interface{}) error {
	payload, present := c[name]
	if !present {
		return fmt.Errorf("claim not present")
	}

	return json.Unmarshal(payload, v)
}

// hasClaim reports whether the token carried a claim called name. A claim
// present with a JSON null value still counts as present.
func (c rawClaims) hasClaim(name string) bool {
	_, present := c[name]

	return present
}
// initOIDC lazily discovers the OIDC provider named by cfg.OIDC.Issuer and
// builds the oauth2 client configuration used by RegisterOIDC and
// OIDCCallback. It is a no-op once h.oauth2Config has been populated.
//
// The redirect URL is cfg.ServerURL (trailing slash stripped) + "/oidc/callback";
// the same value has to be registered with the provider, which will only
// deliver authorization codes to a pre-registered redirect URI.
//
// Security: the endpoints returned by discovery are trusted as-is, so the
// issuer URL must come from trusted configuration. Discovery runs with
// context.Background(), i.e. without a deadline of its own.
//
// Returns the discovery error, if any; h.oidcProvider is assigned whatever
// oidc.NewProvider returned in either case.
func (h *Headscale) initOIDC() error {
	if h.oauth2Config != nil {
		// already initialised
		return nil
	}

	var err error
	h.oidcProvider, err = oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)
	if err != nil {
		log.Error().
			Err(err).
			Caller().
			Msgf("Could not retrieve OIDC Config: %s", err.Error())

		return err
	}

	callbackURL := strings.TrimSuffix(h.cfg.ServerURL, "/") + "/oidc/callback"

	h.oauth2Config = &oauth2.Config{
		ClientID:     h.cfg.OIDC.ClientID,
		ClientSecret: h.cfg.OIDC.ClientSecret,
		Endpoint:     h.oidcProvider.Endpoint(),
		RedirectURL:  callbackURL,
		Scopes:       h.cfg.OIDC.Scope,
	}

	return nil
}
// determineTokenExpiration picks the expiry that will be stored on the node
// after an OIDC login.
//
// With cfg.OIDC.UseExpiryFromToken the node lives exactly as long as the
// provider's ID token (idTokenExpiration). Otherwise the node lifetime is
// decoupled from the provider entirely: now + cfg.OIDC.Expiry, regardless
// of how long the ID token is valid.
func (h *Headscale) determineTokenExpiration(idTokenExpiration time.Time) time.Time {
	switch {
	case h.cfg.OIDC.UseExpiryFromToken:
		return idTokenExpiration
	default:
		return time.Now().Add(h.cfg.OIDC.Expiry)
	}
}
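// RegisterOIDC starts the OIDC login for a node and redirects the browser to
// the provider's authorization endpoint.
//
// Listens on /oidc/register/:nkey. The node key from the path is validated
// twice (regex, then key.NodePublic parsing) — an unparsable key must never
// reach a template or a log as if it were trusted data. A fresh random
// `state` is then generated and the node key stored in h.registrationCache
// under it, so that OIDCCallback can recover which node the login was for.
// Any cfg.OIDC.ExtraParams are appended to the authorization request.
//
// Security notes:
//   - The node key is caller-supplied and unauthenticated: anyone can start a
//     registration for any key. Only the random state ties the provider's
//     callback back to this request, and whoever completes the login at the
//     provider ends up owning the node (see the phishing TODO on OIDCCallback).
//   - state is randomByteSize bytes from crypto/rand, hex encoded, and the
//     cache entry lives for registerCacheExpiration.
//
// Responses: 401 for a key that fails the regex, 400 for a key that fails to
// parse, 500 if the random source fails, otherwise 302 to the provider.
//
// Fixed here: the state string was previously sliced to [:32], which is a
// no-op for 16 bytes but would panic (or silently shorten the state) if
// randomByteSize ever changed; the full encoding is used now.
func (h *Headscale) RegisterOIDC(
	writer http.ResponseWriter,
	req *http.Request,
) {
	vars := mux.Vars(req)
	nodeKeyStr, ok := vars["nkey"]

	log.Debug().
		Caller().
		Str("node_key", nodeKeyStr).
		Bool("ok", ok).
		Msg("Received oidc register call")

	if !util.NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")

		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusUnauthorized)
		if _, err := writer.Write([]byte("Unauthorized")); err != nil {
			util.LogErr(err, "Failed to write response")
		}

		return
	}

	// We need to make sure we dont open for XSS style injections, if the parameter that
	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
	// the template and log an error.
	var nodeKey key.NodePublic
	err := nodeKey.UnmarshalText(
		[]byte(util.NodePublicKeyEnsurePrefix(nodeKeyStr)),
	)

	if !ok || nodeKeyStr == "" || err != nil {
		log.Warn().
			Err(err).
			Msg("Failed to parse incoming nodekey in OIDC registration")

		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusBadRequest)
		if _, werr := writer.Write([]byte("Wrong params")); werr != nil {
			util.LogErr(werr, "Failed to write response")
		}

		return
	}

	// The state must be unguessable: it is the only thing binding the
	// provider's callback to this node key.
	randomBlob := make([]byte, randomByteSize)
	if _, err := rand.Read(randomBlob); err != nil {
		util.LogErr(err, fmt.Sprintf("could not read %d bytes from rand", randomByteSize))

		http.Error(writer, "Internal server error", http.StatusInternalServerError)

		return
	}

	stateStr := hex.EncodeToString(randomBlob)

	// place the node key into the state cache, so it can be retrieved later
	h.registrationCache.Set(
		stateStr,
		util.NodePublicKeyStripPrefix(nodeKey),
		registerCacheExpiration,
	)

	// Add any extra parameter provided in the configuration to the Authorize Endpoint request
	extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))

	for k, v := range h.cfg.OIDC.ExtraParams {
		extras = append(extras, oauth2.SetAuthURLParam(k, v))
	}

	authURL := h.oauth2Config.AuthCodeURL(stateStr, extras...)
	// The URL carries the freshly issued state; it is debug-level only.
	log.Debug().Msgf("Redirecting to %s for authentication", authURL)

	http.Redirect(writer, req, authURL, http.StatusFound)
}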
// oidcCallbackTemplateConfig is the data handed to oidcCallbackTemplate.
type oidcCallbackTemplateConfig struct {
	// User is the normalised headscale user name derived from the ID token
	// (see getUserName). It is rendered through html/template and therefore
	// contextually escaped.
	User string
	// Verb describes what just happened to the node, e.g. "Reauthenticated"
	// for a node that already existed.
	Verb string
}
//go:embed assets/oidc_callback_template.html
var oidcCallbackTemplateContent string

// oidcCallbackTemplate is the success page shown in the browser after an
// OIDC login. It is an html/template, so values interpolated into it (the
// provider-derived user name in particular) are contextually escaped; that
// escaping is what makes rendering untrusted names safe. template.Must
// panics at package init if the embedded asset fails to parse.
var oidcCallbackTemplate = template.Must(
	template.New("oidccallback").Parse(oidcCallbackTemplateContent),
)
// OIDCCallback handles the redirect back from the OIDC provider.
//
// Listens on /oidc/callback. The flow is: validate the `code`/`state` query
// params, exchange the code for tokens, verify the ID token, pick out the
// configured claims, apply the allowed-domains / allowed-groups /
// allowed-users policy (in that order), then look up the node key that
// RegisterOIDC stored under `state`. An already registered node is
// re-authenticated (expiry refreshed) inside validateNodeForOIDCCallback,
// which also writes the response; a new node is attached to the user named
// by the claims (created on first sight) and registered.
//
// Every helper writes its own HTTP error response before returning a non-nil
// error, so this function only has to stop when one fails.
//
// TODO: A confirmation page for new nodes should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into node HostInfo
// TODO: the provider's userinfo endpoint could be queried for additional
// attributes (group membership etc.) once needed.
func (h *Headscale) OIDCCallback(
	writer http.ResponseWriter,
	req *http.Request,
) {
	ctx := req.Context()

	code, state, err := validateOIDCCallbackParams(writer, req)
	if err != nil {
		return
	}

	rawIDToken, err := h.getIDTokenForOIDCCallback(ctx, writer, code, state)
	if err != nil {
		return
	}

	idToken, err := h.verifyIDTokenForOIDCCallback(ctx, writer, rawIDToken)
	if err != nil {
		return
	}
	idTokenExpiry := h.determineTokenExpiration(idToken.Expiry)

	claims, err := extractIDTokenClaims(writer, h.cfg.OIDC, idToken)
	if err != nil {
		return
	}

	// Authorisation policy: domain, then group, then user. Each check writes
	// its own error response, so the first failure ends the request.
	policyChecks := []func() error{
		func() error { return validateOIDCAllowedDomains(writer, h.cfg.OIDC.AllowedDomains, claims) },
		func() error { return validateOIDCAllowedGroups(writer, h.cfg.OIDC.AllowedGroups, claims) },
		func() error { return validateOIDCAllowedUsers(writer, h.cfg.OIDC.AllowedUsers, claims) },
	}
	for _, check := range policyChecks {
		if err := check(); err != nil {
			return
		}
	}

	nodeKey, nodeExists, err := h.validateNodeForOIDCCallback(
		writer,
		state,
		claims,
		idTokenExpiry,
	)
	if err != nil || nodeExists {
		// On error the response is already written; for an existing node the
		// re-authentication path has already rendered the success page.
		return
	}

	userName, err := getUserName(
		writer,
		claims,
		h.cfg.OIDC.UseUsernameClaim,
		h.cfg.OIDC.StripEmaildomain,
	)
	if err != nil {
		return
	}

	// register the node if it's new
	log.Debug().Msg("Registering new node after successful callback")

	user, err := h.findOrCreateNewUserForOIDCCallback(writer, userName)
	if err != nil {
		return
	}

	if err := h.registerNodeForOIDCCallback(writer, user, nodeKey, idTokenExpiry); err != nil {
		return
	}

	content, err := renderOIDCCallbackTemplate(writer, userName)
	if err != nil {
		return
	}

	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
	writer.WriteHeader(http.StatusOK)
	if _, err := writer.Write(content.Bytes()); err != nil {
		util.LogErr(err, "Failed to write response")
	}
}
// validateOIDCCallbackParams reads the `code` and `state` query parameters
// of the provider's redirect. Both must be non-empty.
//
// Only these two parameters are inspected: a provider that redirects back
// with `error`/`error_description` instead of a code is reported to the
// client as "Wrong params" (400) and errEmptyOIDCCallbackParams is returned.
// The values are returned unvalidated otherwise — `state` is only checked
// against the registration cache later, in validateNodeForOIDCCallback.
func validateOIDCCallbackParams(
	writer http.ResponseWriter,
	req *http.Request,
) (string, string, error) {
	query := req.URL.Query()
	code, state := query.Get("code"), query.Get("state")

	if code != "" && state != "" {
		return code, state, nil
	}

	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusBadRequest)
	if _, err := writer.Write([]byte("Wrong params")); err != nil {
		util.LogErr(err, "Failed to write response")
	}

	return "", "", errEmptyOIDCCallbackParams
}
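// getIDTokenForOIDCCallback redeems the authorization code at the provider's
// token endpoint and returns the raw (still unverified) id_token string.
//
// A failed exchange or a token response without an `id_token` extra yields a
// 400 to the client; the underlying error is logged, not echoed. The raw
// token returned here must go through verifyIDTokenForOIDCCallback before
// any claim in it is trusted.
//
// Note: after a successful exchange the code and state are written to the
// trace log. By then the code has been redeemed (providers are expected to
// treat it as single-use), but trace logging should stay off in production.
//
// Fixed here: on a failed response write the write error itself is logged
// rather than the unrelated exchange error.
func (h *Headscale) getIDTokenForOIDCCallback(
	ctx context.Context,
	writer http.ResponseWriter,
	code, state string,
) (string, error) {
	oauth2Token, err := h.oauth2Config.Exchange(ctx, code)
	if err != nil {
		util.LogErr(err, "Could not exchange code for token")
		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusBadRequest)
		if _, werr := writer.Write([]byte("Could not exchange code for token")); werr != nil {
			util.LogErr(werr, "Failed to write response")
		}

		return "", err
	}

	log.Trace().
		Caller().
		Str("code", code).
		Str("state", state).
		Msg("Got oidc callback")

	rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
	if !rawIDTokenOK {
		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusBadRequest)
		if _, werr := writer.Write([]byte("Could not extract ID Token")); werr != nil {
			util.LogErr(werr, "Failed to write response")
		}

		return "", errNoOIDCIDToken
	}

	return rawIDToken, nil
}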
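// verifyIDTokenForOIDCCallback verifies rawIDToken against the discovered
// provider and returns the parsed token.
//
// Verification is delegated to go-oidc's Verifier configured with our
// ClientID, so the token's audience has to be this client; the library is
// relied upon for the signature, issuer and expiry checks. No nonce is sent
// in RegisterOIDC's authorization request, so none is checked here.
//
// On failure a 400 is written and the verification error returned; the error
// detail is logged but never sent to the client.
//
// Fixed here: on a failed response write the write error itself is logged
// rather than the (already logged) verification error.
func (h *Headscale) verifyIDTokenForOIDCCallback(
	ctx context.Context,
	writer http.ResponseWriter,
	rawIDToken string,
) (*oidc.IDToken, error) {
	verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
	idToken, err := verifier.Verify(ctx, rawIDToken)
	if err != nil {
		util.LogErr(err, "failed to verify id token")
		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusBadRequest)
		if _, werr := writer.Write([]byte("Failed to verify id token")); werr != nil {
			util.LogErr(werr, "Failed to write response")
		}

		return nil, err
	}

	return idToken, nil
}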
// extractIDTokenClaims pulls the configured claims out of a verified ID token.
//
// The claim names come from cfg (EmailClaim, UsernameClaim, GroupsClaim).
// Email and username are required: a missing one yields
// errOIDCEmailClaimMissing / errOIDCUsernameClaimMissing, and a present one
// that does not decode as a string yields the decode error. Groups is
// optional and accepts either a string or an array of strings (see
// stringOrArray). In every failure case handleClaimError has already written
// a 400 before the error is returned.
//
// The values are taken as the provider presents them; in particular no
// email_verified claim is consulted here.
func extractIDTokenClaims(
	writer http.ResponseWriter,
	cfg types.OIDCConfig,
	idToken *oidc.IDToken,
) (*IDTokenClaims, error) {
	var undecoded rawClaims
	if err := idToken.Claims(&undecoded); err != nil {
		handleClaimError(writer, err)

		return nil, err
	}

	// decode reads the claim called name into dst. When missing is non-nil
	// the claim is required and its absence is reported as that error; when
	// missing is nil an absent claim is simply skipped. On any non-nil result
	// the HTTP error response has already been written.
	decode := func(name string, dst interface{}, missing error) error {
		if !undecoded.hasClaim(name) {
			if missing == nil {
				return nil
			}
			handleClaimError(writer, missing)

			return missing
		}

		if err := undecoded.unmarshalClaim(name, dst); err != nil {
			handleClaimError(writer, err)

			return err
		}

		return nil
	}

	var claims IDTokenClaims
	if err := decode(cfg.EmailClaim, &claims.Email, errOIDCEmailClaimMissing); err != nil {
		return nil, err
	}
	if err := decode(cfg.UsernameClaim, &claims.Username, errOIDCUsernameClaimMissing); err != nil {
		return nil, err
	}
	if err := decode(cfg.GroupsClaim, &claims.Groups, nil); err != nil {
		return nil, err
	}

	return &claims, nil
}
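// handleClaimError reports a claim extraction failure: the detailed error is
// logged server-side and the client receives a fixed 400 message, so nothing
// about the token's content leaks back to the browser.
//
// Fixed here: a failure to write the response logs the write error itself
// instead of repeating the claim error.
func handleClaimError(writer http.ResponseWriter, err error) {
	util.LogErr(err, "Failed to decode id token rawClaims")

	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusBadRequest)
	if _, werr := writer.Write([]byte("Failed to decode id token rawClaims")); werr != nil {
		util.LogErr(werr, "Failed to write response")
	}
}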
// validateOIDCAllowedDomains enforces cfg.OIDC.AllowedDomains: when the list
// is non-empty, the part of claims.Email after its last '@' must be one of
// the listed domains. An empty list disables the check.
//
// The domain is taken from the email claim exactly as the provider sent it;
// whether the comparison is case-sensitive is decided by
// util.IsStringInSlice. An email without '@' never matches. On rejection a
// 400 "unauthorized principal (domain mismatch)" is written and
// errOIDCAllowedDomains returned.
func validateOIDCAllowedDomains(
	writer http.ResponseWriter,
	allowedDomains []string,
	claims *IDTokenClaims,
) error {
	if len(allowedDomains) == 0 {
		return nil
	}

	at := strings.LastIndex(claims.Email, "@")
	if at >= 0 && util.IsStringInSlice(allowedDomains, claims.Email[at+1:]) {
		return nil
	}

	log.Trace().Msg("authenticated principal does not match any allowed domain")

	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusBadRequest)
	if _, err := writer.Write([]byte("unauthorized principal (domain mismatch)")); err != nil {
		util.LogErr(err, "Failed to write response")
	}

	return errOIDCAllowedDomains
}
// validateOIDCAllowedGroups enforces cfg.OIDC.AllowedGroups: when the list
// is non-empty, at least one of its entries must appear in claims.Groups.
// An empty list disables the check.
//
// claims.Groups is whatever the provider put in the claim named by
// cfg.OIDC.GroupsClaim (typically exposed via a 'groups' scope); a token
// without that claim has no groups and is rejected whenever the list is
// non-empty. On rejection a 400 "unauthorized principal (allowed groups)"
// is written and errOIDCAllowedGroups returned.
func validateOIDCAllowedGroups(
	writer http.ResponseWriter,
	allowedGroups []string,
	claims *IDTokenClaims,
) error {
	if len(allowedGroups) == 0 {
		return nil
	}

	for _, wanted := range allowedGroups {
		if util.IsStringInSlice(claims.Groups, wanted) {
			return nil
		}
	}

	log.Trace().Msg("authenticated principal not in any allowed groups")
	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusBadRequest)
	if _, err := writer.Write([]byte("unauthorized principal (allowed groups)")); err != nil {
		util.LogErr(err, "Failed to write response")
	}

	return errOIDCAllowedGroups
}
// validateOIDCAllowedUsers enforces cfg.OIDC.AllowedUsers: when the list is
// non-empty, claims.Email must be one of its entries. An empty list disables
// the check.
//
// Note that the comparison is always against the email claim, even when
// cfg.OIDC.UseUsernameClaim makes the username claim the basis of the
// headscale user name — AllowedUsers therefore has to list emails. Case
// handling is whatever util.IsStringInSlice does. On rejection a 400
// "unauthorized principal (user mismatch)" is written and
// errOIDCAllowedUsers returned.
func validateOIDCAllowedUsers(
	writer http.ResponseWriter,
	allowedUsers []string,
	claims *IDTokenClaims,
) error {
	unrestricted := len(allowedUsers) == 0
	if unrestricted || util.IsStringInSlice(allowedUsers, claims.Email) {
		return nil
	}

	log.Trace().Msg("authenticated principal does not match any allowed user")
	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusBadRequest)
	if _, err := writer.Write([]byte("unauthorized principal (user mismatch)")); err != nil {
		util.LogErr(err, "Failed to write response")
	}

	return errOIDCAllowedUsers
}
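// validateNodeForOIDCCallback resolves the node key that RegisterOIDC cached
// under state and decides whether this callback re-authenticates an existing
// node or registers a new one.
//
// Return values:
//   - (key, false, nil): the node is not registered yet; the caller goes on
//     to find/create the user and register the node.
//   - (nil, true, nil):  the node already existed; its expiry has been set to
//     expiry and the "Reauthenticated" page has been written.
//   - (nil, true, err):  the existing-node path failed; a response is written.
//   - (nil, false, err): state is unknown, not a string, or holds an
//     unparsable key; a 400 has been written.
//
// In every error case the HTTP response has already been written here.
//
// NOTE(review): the existing-node branch does not compare the authenticated
// principal (claims) with the node's current owner before extending its
// expiry, and node public keys are visible to peers on the tailnet. Confirm
// whether that ownership check happens elsewhere (e.g. in the DB layer)
// before relying on this path. The cache entry for state is also not removed
// after use and stays valid until registerCacheExpiration.
//
// Fixed here: the user name is resolved before the expiry is refreshed and a
// failure is now fatal — getUserName has already written a 500 at that point,
// so continuing used to produce a second, superfluous 200 write on the same
// response while leaving the expiry extended. Write failures now log the
// write error rather than an unrelated earlier error, and the key-parse log
// line carries the parse error.
func (h *Headscale) validateNodeForOIDCCallback(
	writer http.ResponseWriter,
	state string,
	claims *IDTokenClaims,
	expiry time.Time,
) (*key.NodePublic, bool, error) {
	// retrieve nodekey from state cache
	nodeKeyIf, nodeKeyFound := h.registrationCache.Get(state)
	if !nodeKeyFound {
		log.Trace().
			Msg("requested node state key expired before authorisation completed")
		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusBadRequest)
		if _, err := writer.Write([]byte("state has expired")); err != nil {
			util.LogErr(err, "Failed to write response")
		}

		return nil, false, errOIDCNodeKeyMissing
	}

	nodeKeyFromCache, nodeKeyOK := nodeKeyIf.(string)
	if !nodeKeyOK {
		log.Trace().
			Msg("requested node state key is not a string")
		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusBadRequest)
		if _, err := writer.Write([]byte("state is invalid")); err != nil {
			util.LogErr(err, "Failed to write response")
		}

		return nil, false, errOIDCInvalidNodeState
	}

	var nodeKey key.NodePublic
	err := nodeKey.UnmarshalText(
		[]byte(util.NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
	)
	if err != nil {
		log.Error().
			Err(err).
			Str("nodeKey", nodeKeyFromCache).
			Msg("could not parse node public key")
		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusBadRequest)
		if _, werr := writer.Write([]byte("could not parse node public key")); werr != nil {
			util.LogErr(werr, "Failed to write response")
		}

		return nil, false, err
	}

	// retrieve node information if it exist
	// The error is not important, because if it does not
	// exist, then this is a new node and we will move
	// on to registration.
	node, _ := h.db.GetNodeByNodeKey(nodeKey)
	if node == nil {
		return &nodeKey, false, nil
	}

	log.Trace().
		Caller().
		Str("node", node.Hostname).
		Msg("node already registered, reauthenticating")

	// Resolve the principal's name before touching the node. getUserName
	// writes its own 500 on failure, so nothing else may be written afterwards
	// and the node must not be refreshed on behalf of an unusable identity.
	userName, err := getUserName(
		writer,
		claims,
		h.cfg.OIDC.UseUsernameClaim,
		h.cfg.OIDC.StripEmaildomain,
	)
	if err != nil {
		return nil, true, err
	}

	if err := h.db.NodeSetExpiry(node, expiry); err != nil {
		util.LogErr(err, "Failed to refresh node")
		http.Error(
			writer,
			"Failed to refresh node",
			http.StatusInternalServerError,
		)

		return nil, true, err
	}
	log.Debug().
		Str("node", node.Hostname).
		Str("expiresAt", fmt.Sprintf("%v", expiry)).
		Msg("successfully refreshed node")

	// html/template escapes userName, which is the only untrusted value here.
	var content bytes.Buffer
	if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
		User: userName,
		Verb: "Reauthenticated",
	}); err != nil {
		log.Error().
			Str("func", "OIDCCallback").
			Str("type", "reauthenticate").
			Err(err).
			Msg("Could not render OIDC callback template")

		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusInternalServerError)
		if _, werr := writer.Write([]byte("Could not render OIDC callback template")); werr != nil {
			util.LogErr(werr, "Failed to write response")
		}

		return nil, true, err
	}

	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
	writer.WriteHeader(http.StatusOK)
	if _, err := writer.Write(content.Bytes()); err != nil {
		util.LogErr(err, "Failed to write response")
	}

	return nil, true, nil
}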
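// getUserName derives the headscale user name from the ID token claims: the
// username claim when useUsernameClaim is set, otherwise the email claim,
// normalised by util.NormalizeToFQDNRules (which drops the email domain when
// stripEmaildomain is set).
//
// On a normalisation failure a 500 with a fixed, claim-agnostic message is
// written — the raw claim value is never echoed to the client, only logged
// with the error — and the error is returned. The message names
// "preferred_username" for the username case although the actual claim name
// is whatever cfg.OIDC.UsernameClaim says; that name is not available here.
//
// Fixed here: the message is passed to Msg rather than Msgf (it is not a
// format string; vet's printf check flags a non-constant format), and a
// failed response write logs the write error rather than the
// normalisation error.
func getUserName(
	writer http.ResponseWriter,
	claims *IDTokenClaims,
	useUsernameClaim bool,
	stripEmaildomain bool,
) (string, error) {
	claim := claims.Email
	if useUsernameClaim {
		claim = claims.Username
	}

	userName, err := util.NormalizeToFQDNRules(
		claim,
		stripEmaildomain,
	)
	if err == nil {
		return userName, nil
	}

	friendlyErrMsg := "couldn't normalize username (email OIDC claim)"
	if useUsernameClaim {
		friendlyErrMsg = "couldn't normalize username (preferred_username OIDC claim)"
	}
	log.Error().Err(err).Caller().Msg(friendlyErrMsg)

	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusInternalServerError)
	if _, werr := writer.Write([]byte(friendlyErrMsg)); werr != nil {
		util.LogErr(werr, "Failed to write response")
	}

	return "", err
}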
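// findOrCreateNewUserForOIDCCallback looks up the user named userName and
// creates it when it does not exist yet.
//
// A lookup error other than db.ErrUserNotFound, and any error on creation,
// is logged, answered with a plain-text 500 on writer, and returned. On
// success nothing is written to writer and the user is returned.
func (h *Headscale) findOrCreateNewUserForOIDCCallback(
	writer http.ResponseWriter,
	userName string,
) (*types.User, error) {
	// writeFailure answers the callback with a generic plain-text 500.
	// The body never carries the underlying error; that stays in the log.
	writeFailure := func(msg string) {
		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
		writer.WriteHeader(http.StatusInternalServerError)
		if _, werr := writer.Write([]byte(msg)); werr != nil {
			// Log the write error itself, not the database error.
			util.LogErr(werr, "Failed to write response")
		}
	}

	user, err := h.db.GetUser(userName)
	switch {
	case errors.Is(err, db.ErrUserNotFound):
		// First login for this principal: create the user on demand.
		// NOTE(review): lookup and create are not one atomic step, so two
		// concurrent callbacks for the same new name both reach CreateUser
		// — confirm the database layer rejects the duplicate.
		user, err = h.db.CreateUser(userName)
		if err != nil {
			log.Error().
				Err(err).
				Caller().
				Msgf("could not create new user '%s'", userName)
			writeFailure("could not create user")

			return nil, err
		}
	case err != nil:
		log.Error().
			Caller().
			Err(err).
			Str("user", userName).
			Msg("could not find or create user")
		writeFailure("could not find or create user")

		return nil, err
	}

	return user, nil
}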
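// registerNodeForOIDCCallback completes the registration of the node
// identified by nodeKey under user, with the OIDC registration method and
// the given key expiry.
//
// The pending registration is resolved through h.registrationCache, keyed
// by nodeKey.String(). On failure the error is logged, a plain-text 500 is
// written to writer and the error is returned; on success nothing is
// written to writer.
func (h *Headscale) registerNodeForOIDCCallback(
	writer http.ResponseWriter,
	user *types.User,
	nodeKey *key.NodePublic,
	expiry time.Time,
) error {
	_, err := h.db.RegisterNodeFromAuthCallback(
		// TODO(kradalby): find a better way to use the cache across modules
		h.registrationCache,
		nodeKey.String(),
		user.Name,
		&expiry,
		util.RegisterMethodOIDC,
	)
	if err == nil {
		return nil
	}

	util.LogErr(err, "could not register node")

	// Generic body only; the registration error stays in the server log.
	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusInternalServerError)
	if _, werr := writer.Write([]byte("could not register node")); werr != nil {
		// Log the write error itself, not the registration error.
		util.LogErr(werr, "Failed to write response")
	}

	return err
}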
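// renderOIDCCallbackTemplate renders the page shown to the browser after a
// successful OIDC login, for the given user name.
//
// The rendered page is returned in a buffer for the caller to send. If the
// template fails to execute the error is logged, a plain-text 500 is
// written to writer and the error is returned.
//
// NOTE(review): this error path writes a response, and the caller earlier
// in this file appears to write its own 500 when this function fails —
// confirm and keep only one of the two; net/http ignores the second
// WriteHeader (logging a "superfluous" warning) and the two bodies are
// concatenated.
func renderOIDCCallbackTemplate(
	writer http.ResponseWriter,
	user string,
) (*bytes.Buffer, error) {
	// user is rendered by the template, which is presumed to be an
	// html/template.Template (the file imports html/template) and so to
	// escape it for the HTML context — TODO confirm oidcCallbackTemplate's type.
	data := oidcCallbackTemplateConfig{
		User: user,
		Verb: "Authenticated",
	}

	var content bytes.Buffer
	err := oidcCallbackTemplate.Execute(&content, data)
	if err == nil {
		return &content, nil
	}

	log.Error().
		Str("func", "OIDCCallback").
		Str("type", "authenticate").
		Err(err).
		Msg("Could not render OIDC callback template")

	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
	writer.WriteHeader(http.StatusInternalServerError)
	if _, werr := writer.Write([]byte("Could not render OIDC callback template")); werr != nil {
		// Log the write error itself, not the template error.
		util.LogErr(werr, "Failed to write response")
	}

	return nil, err
}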