headscale/oidc.go

395 lines
9.8 KiB
Go
Raw Normal View History

2021-09-26 04:53:05 -04:00
package headscale
import (
2021-12-22 21:43:53 -05:00
"bytes"
"context"
2021-09-26 04:53:05 -04:00
"crypto/rand"
"encoding/hex"
"errors"
2021-09-26 04:53:05 -04:00
"fmt"
2021-12-22 21:43:53 -05:00
"html/template"
2021-10-18 15:27:52 -04:00
"net/http"
"regexp"
"strings"
"time"
"github.com/coreos/go-oidc/v3/oidc"
2021-09-26 04:53:05 -04:00
"github.com/gin-gonic/gin"
"github.com/patrickmn/go-cache"
"github.com/rs/zerolog/log"
"golang.org/x/oauth2"
"gorm.io/gorm"
"tailscale.com/types/key"
2021-09-26 04:53:05 -04:00
)
const (
oidcStateCacheExpiration = time.Minute * 5
oidcStateCacheCleanupInterval = time.Minute * 10
randomByteSize = 16
)
type IDTokenClaims struct {
2021-09-26 04:53:05 -04:00
Name string `json:"name,omitempty"`
Groups []string `json:"groups,omitempty"`
Email string `json:"email"`
Username string `json:"preferred_username,omitempty"`
}
2021-10-08 05:43:52 -04:00
func (h *Headscale) initOIDC() error {
2021-09-26 04:53:05 -04:00
var err error
// grab oidc config if it hasn't been already
2021-10-08 05:43:52 -04:00
if h.oauth2Config == nil {
2021-10-18 15:27:52 -04:00
h.oidcProvider, err = oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)
2021-09-26 04:53:05 -04:00
if err != nil {
log.Error().
Err(err).
Caller().
Msgf("Could not retrieve OIDC Config: %s", err.Error())
2021-11-14 10:46:09 -05:00
2021-10-08 05:43:52 -04:00
return err
2021-09-26 04:53:05 -04:00
}
2021-10-08 05:43:52 -04:00
h.oauth2Config = &oauth2.Config{
2021-10-18 15:27:52 -04:00
ClientID: h.cfg.OIDC.ClientID,
ClientSecret: h.cfg.OIDC.ClientSecret,
2021-10-08 05:43:52 -04:00
Endpoint: h.oidcProvider.Endpoint(),
2021-11-13 03:36:45 -05:00
RedirectURL: fmt.Sprintf(
"%s/oidc/callback",
strings.TrimSuffix(h.cfg.ServerURL, "/"),
),
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
}
2021-10-08 05:43:52 -04:00
}
// init the state cache if it hasn't been already
if h.oidcStateCache == nil {
h.oidcStateCache = cache.New(
oidcStateCacheExpiration,
oidcStateCacheCleanupInterval,
)
2021-10-08 05:43:52 -04:00
}
2021-10-08 05:43:52 -04:00
return nil
}
// RegisterOIDC redirects to the OIDC provider for authentication
// Puts machine key in cache so the callback can retrieve it using the oidc state param
2021-11-13 03:39:04 -05:00
// Listens in /oidc/register/:mKey.
func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
machineKeyStr := ctx.Param("mkey")
if machineKeyStr == "" {
ctx.String(http.StatusBadRequest, "Wrong params")
2021-11-14 10:46:09 -05:00
2021-10-08 05:43:52 -04:00
return
2021-09-26 04:53:05 -04:00
}
log.Trace().
Caller().
Str("machine_key", machineKeyStr).
Msg("Received oidc register call")
randomBlob := make([]byte, randomByteSize)
2021-11-15 11:15:50 -05:00
if _, err := rand.Read(randomBlob); err != nil {
log.Error().
Caller().
Msg("could not read 16 bytes from rand")
ctx.String(http.StatusInternalServerError, "could not read 16 bytes from rand")
2021-11-14 10:46:09 -05:00
return
}
2021-11-15 11:15:50 -05:00
stateStr := hex.EncodeToString(randomBlob)[:32]
2021-09-26 04:53:05 -04:00
// place the machine key into the state cache, so it can be retrieved later
h.oidcStateCache.Set(stateStr, machineKeyStr, oidcStateCacheExpiration)
2021-09-26 04:53:05 -04:00
authURL := h.oauth2Config.AuthCodeURL(stateStr)
log.Debug().Msgf("Redirecting to %s for authentication", authURL)
2021-09-26 04:53:05 -04:00
ctx.Redirect(http.StatusFound, authURL)
2021-09-26 04:53:05 -04:00
}
2021-12-22 21:43:53 -05:00
type oidcCallbackTemplateConfig struct {
User string
Verb string
}
var oidcCallbackTemplate = template.Must(
template.New("oidccallback").Parse(`<html>
<body>
<h1>headscale</h1>
<p>
{{.Verb}} as {{.User}}, you can now close this window.
</p>
</body>
</html>`),
)
2022-01-16 08:16:59 -05:00
// TODO: Why is the entire machine registration logic duplicated here?
2021-09-26 04:53:05 -04:00
// OIDCCallback handles the callback from the OIDC endpoint
// Retrieves the mkey from the state cache and adds the machine to the users email namespace
// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into machine HostInfo
2021-11-13 03:39:04 -05:00
// Listens in /oidc/callback.
func (h *Headscale) OIDCCallback(ctx *gin.Context) {
code := ctx.Query("code")
state := ctx.Query("state")
2021-09-26 04:53:05 -04:00
if code == "" || state == "" {
ctx.String(http.StatusBadRequest, "Wrong params")
2021-11-14 10:46:09 -05:00
2021-09-26 04:53:05 -04:00
return
}
2021-10-08 05:43:52 -04:00
oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)
2021-09-26 04:53:05 -04:00
if err != nil {
ctx.String(http.StatusBadRequest, "Could not exchange code for token")
2021-11-14 10:46:09 -05:00
2021-09-26 04:53:05 -04:00
return
}
log.Trace().
Caller().
Str("code", code).
Str("state", state).
Msg("Got oidc callback")
2021-10-10 05:22:42 -04:00
rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
if !rawIDTokenOK {
ctx.String(http.StatusBadRequest, "Could not extract ID Token")
2021-11-14 10:46:09 -05:00
return
}
2021-10-18 15:27:52 -04:00
verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
2021-09-26 04:53:05 -04:00
idToken, err := verifier.Verify(context.Background(), rawIDToken)
2021-09-26 04:53:05 -04:00
if err != nil {
log.Error().
Err(err).
Caller().
Msg("failed to verify id token")
ctx.String(http.StatusBadRequest, "Failed to verify id token")
2021-11-14 10:46:09 -05:00
return
}
2021-10-10 05:22:42 -04:00
// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
2021-11-14 12:44:37 -05:00
// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
// if err != nil {
2021-11-21 16:54:19 -05:00
// c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo"))
2021-11-14 12:44:37 -05:00
// return
// }
// Extract custom claims
var claims IDTokenClaims
if err = idToken.Claims(&claims); err != nil {
log.Error().
Err(err).
Caller().
Msg("Failed to decode id token claims")
ctx.String(
2021-11-13 03:36:45 -05:00
http.StatusBadRequest,
2021-11-22 12:22:47 -05:00
"Failed to decode id token claims",
2021-11-13 03:36:45 -05:00
)
2021-11-14 10:46:09 -05:00
2021-09-26 04:53:05 -04:00
return
}
2021-10-18 15:27:52 -04:00
// retrieve machinekey from state cache
machineKeyIf, machineKeyFound := h.oidcStateCache.Get(state)
2021-09-26 04:53:05 -04:00
if !machineKeyFound {
2021-11-13 03:36:45 -05:00
log.Error().
Msg("requested machine state key expired before authorisation completed")
ctx.String(http.StatusBadRequest, "state has expired")
2021-11-14 10:46:09 -05:00
2021-09-26 04:53:05 -04:00
return
}
machineKeyStr, machineKeyOK := machineKeyIf.(string)
var machineKey key.MachinePublic
err = machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
if err != nil {
log.Error().
Msg("could not parse machine public key")
ctx.String(http.StatusBadRequest, "could not parse public key")
return
}
2021-09-26 04:53:05 -04:00
if !machineKeyOK {
2021-10-10 05:22:42 -04:00
log.Error().Msg("could not get machine key from cache")
ctx.String(
http.StatusInternalServerError,
"could not get machine key from cache",
)
2021-11-14 10:46:09 -05:00
2021-09-26 04:53:05 -04:00
return
}
// TODO(kradalby): Currently, if it fails to find a requested expiry, non will be set
requestedTime := time.Time{}
if requestedTimeIf, found := h.requestedExpiryCache.Get(machineKey.String()); found {
if reqTime, ok := requestedTimeIf.(time.Time); ok {
requestedTime = reqTime
}
}
2021-09-26 04:53:05 -04:00
// retrieve machine information
machine, err := h.GetMachineByMachineKey(machineKey)
2021-10-10 05:22:42 -04:00
if err != nil {
2021-09-26 04:53:05 -04:00
log.Error().Msg("machine key not found in database")
ctx.String(
2021-11-13 03:36:45 -05:00
http.StatusInternalServerError,
"could not get machine info from database",
)
2021-11-14 10:46:09 -05:00
2021-09-26 04:53:05 -04:00
return
}
if machine.isRegistered() {
log.Trace().
Caller().
Str("machine", machine.Name).
Msg("machine already registered, reauthenticating")
h.RefreshMachine(machine, requestedTime)
2021-12-22 21:43:53 -05:00
var content bytes.Buffer
if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
User: claims.Email,
Verb: "Reauthenticated",
}); err != nil {
log.Error().
Str("func", "OIDCCallback").
Str("type", "reauthenticate").
Err(err).
Msg("Could not render OIDC callback template")
ctx.Data(
http.StatusInternalServerError,
"text/html; charset=utf-8",
[]byte("Could not render OIDC callback template"),
)
}
2021-12-22 21:43:53 -05:00
ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
return
}
2021-10-10 05:22:42 -04:00
now := time.Now().UTC()
if namespaceName, ok := h.getNamespaceFromEmail(claims.Email); ok {
2021-10-18 15:27:52 -04:00
// register the machine if it's new
if !machine.Registered {
2021-10-18 15:27:52 -04:00
log.Debug().Msg("Registering new machine after successful callback")
2021-10-08 05:43:52 -04:00
namespace, err := h.GetNamespace(namespaceName)
if errors.Is(err, gorm.ErrRecordNotFound) {
namespace, err = h.CreateNamespace(namespaceName)
2021-10-18 15:27:52 -04:00
if err != nil {
2021-11-13 03:36:45 -05:00
log.Error().
Err(err).
Caller().
Msgf("could not create new namespace '%s'", namespaceName)
ctx.String(
2021-11-13 03:36:45 -05:00
http.StatusInternalServerError,
"could not create new namespace",
)
2021-11-14 10:46:09 -05:00
2021-10-18 15:27:52 -04:00
return
}
} else if err != nil {
log.Error().
Caller().
Err(err).
Str("namespace", namespaceName).
Msg("could not find or create namespace")
ctx.String(
http.StatusInternalServerError,
"could not find or create namespace",
)
return
2021-10-18 15:27:52 -04:00
}
h.ipAllocationMutex.Lock()
2022-01-16 08:16:59 -05:00
ips, err := h.getAvailableIPs()
if err != nil {
log.Error().
Caller().
Err(err).
Msg("could not get an IP from the pool")
ctx.String(
2021-11-13 03:36:45 -05:00
http.StatusInternalServerError,
"could not get an IP from the pool",
)
2021-11-14 10:46:09 -05:00
return
}
2021-09-26 04:53:05 -04:00
2022-01-16 08:16:59 -05:00
machine.IPAddresses = ips
machine.NamespaceID = namespace.ID
machine.Registered = true
2021-11-18 12:51:54 -05:00
machine.RegisterMethod = RegisterMethodOIDC
machine.LastSuccessfulUpdate = &now
machine.Expiry = &requestedTime
h.db.Save(&machine)
h.ipAllocationMutex.Unlock()
2021-09-26 04:53:05 -04:00
}
2021-12-22 21:43:53 -05:00
var content bytes.Buffer
if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
User: claims.Email,
Verb: "Authenticated",
}); err != nil {
log.Error().
Str("func", "OIDCCallback").
Str("type", "authenticate").
Err(err).
Msg("Could not render OIDC callback template")
ctx.Data(
http.StatusInternalServerError,
"text/html; charset=utf-8",
[]byte("Could not render OIDC callback template"),
)
}
ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
2021-11-22 12:22:47 -05:00
return
2021-10-18 15:27:52 -04:00
}
log.Error().
Caller().
2021-10-18 15:27:52 -04:00
Str("email", claims.Email).
Str("username", claims.Username).
Str("machine", machine.Name).
2021-10-18 15:27:52 -04:00
Msg("Email could not be mapped to a namespace")
ctx.String(
2021-11-13 03:36:45 -05:00
http.StatusBadRequest,
"email from claim could not be mapped to a namespace",
)
2021-10-18 15:27:52 -04:00
}
2021-10-19 13:25:59 -04:00
// getNamespaceFromEmail passes the users email through a list of "matchers"
// and iterates through them until it matches and returns a namespace.
// If no match is found, an empty string will be returned.
// TODO(kradalby): golang Maps key order is not stable, so this list is _not_ deterministic. Find a way to make the list of keys stable, preferably in the order presented in a users configuration.
2021-10-18 15:27:52 -04:00
func (h *Headscale) getNamespaceFromEmail(email string) (string, bool) {
for match, namespace := range h.cfg.OIDC.MatchMap {
regex := regexp.MustCompile(match)
if regex.MatchString(email) {
return namespace, true
}
}
return "", false
2021-09-26 04:53:05 -04:00
}