package headscale
import (
"bytes"
"context"
"crypto/rand"
"encoding/hex"
"errors"
"fmt"
"html/template"
"net/http"
"strings"
"time"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/gin-gonic/gin"
"github.com/rs/zerolog/log"
"golang.org/x/oauth2"
"tailscale.com/types/key"
)
// randomByteSize is the number of bytes of entropy drawn from crypto/rand
// for the OIDC "state" parameter that ties a register call to its callback.
const randomByteSize = 16
// IDTokenClaims is the subset of ID token claims headscale decodes after the
// token has been verified (see OIDCCallback). Only Email is consumed in this
// file; the other fields are decoded but not acted upon here.
type IDTokenClaims struct {
	// Name is the display-name claim; optional.
	Name string `json:"name,omitempty"`
	// Groups is the group-membership claim; optional and not used in this
	// file (see the TODO on OIDCCallback).
	Groups []string `json:"groups,omitempty"`
	// Email is the claim the machine's namespace name is derived from.
	Email string `json:"email"`
	// Username is the preferred_username claim; optional.
	Username string `json:"preferred_username,omitempty"`
}
// initOIDC lazily performs OIDC provider discovery for h.cfg.OIDC.Issuer and
// builds the oauth2 client configuration from it. It is a no-op when
// h.oauth2Config has already been set. The discovery error, if any, is
// returned unchanged.
func (h *Headscale) initOIDC() error {
	// Already initialised; nothing to do.
	if h.oauth2Config != nil {
		return nil
	}

	provider, err := oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)
	h.oidcProvider = provider
	if err != nil {
		log.Error().
			Err(err).
			Caller().
			Msgf("Could not retrieve OIDC Config: %s", err.Error())

		return err
	}

	// A trailing slash on ServerURL would otherwise yield "//oidc/callback".
	redirectURL := fmt.Sprintf(
		"%s/oidc/callback",
		strings.TrimSuffix(h.cfg.ServerURL, "/"),
	)

	h.oauth2Config = &oauth2.Config{
		ClientID:     h.cfg.OIDC.ClientID,
		ClientSecret: h.cfg.OIDC.ClientSecret,
		Endpoint:     provider.Endpoint(),
		RedirectURL:  redirectURL,
		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
	}

	return nil
}
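// RegisterOIDC redirects to the OIDC provider for authentication.
// Puts the node key in the registration cache so the callback can retrieve
// it using the oidc state param.
// Listens in /oidc/register/:nkey (the param name read below is "nkey").
//
// Responses: 400 when the nkey param is missing, 500 when the random state
// cannot be generated, otherwise a 302 to the provider's authorization URL.
func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
	nodeKeyStr := ctx.Param("nkey")
	if nodeKeyStr == "" {
		ctx.String(http.StatusBadRequest, "Wrong params")

		return
	}

	log.Trace().
		Caller().
		Str("node_key", nodeKeyStr).
		Msg("Received oidc register call")

	// The state is the only thing that links the provider's callback back to
	// this node key, so it must be unguessable: crypto/rand, never math/rand.
	randomBlob := make([]byte, randomByteSize)
	if _, err := rand.Read(randomBlob); err != nil {
		log.Error().
			Err(err).
			Caller().
			Msgf("could not read %d bytes from rand", randomByteSize)
		ctx.String(
			http.StatusInternalServerError,
			"could not read %d bytes from rand",
			randomByteSize,
		)

		return
	}

	// hex doubles the length, so randomByteSize bytes give exactly
	// 2*randomByteSize characters. The previous fixed [:32] slice was an
	// identity at 16 bytes but would panic if the constant were ever lowered.
	stateStr := hex.EncodeToString(randomBlob)

	// place the node key into the state cache, so it can be retrieved later
	h.registrationCache.Set(stateStr, nodeKeyStr, registerCacheExpiration)

	authURL := h.oauth2Config.AuthCodeURL(stateStr)
	log.Debug().Msgf("Redirecting to %s for authentication", authURL)

	ctx.Redirect(http.StatusFound, authURL)
}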
// oidcCallbackTemplateConfig carries the values rendered into
// oidcCallbackTemplate by OIDCCallback.
type oidcCallbackTemplateConfig struct {
	// User is displayed on the page (HTML-escaped by html/template);
	// OIDCCallback passes the ID token's email claim.
	User string
	// Verb is "Reauthenticated" for an already-known machine and
	// "Authenticated" for a newly registered one.
	Verb string
}
// oidcCallbackPage is the HTML shown to the user once the OIDC callback has
// completed. Verb and User are supplied via oidcCallbackTemplateConfig.
const oidcCallbackPage = `<html>
<body>
<h1>headscale</h1>
<p>
{{.Verb}} as {{.User}}, you can now close this window.
</p>
</body>
</html>`

// oidcCallbackTemplate is parsed once at package init. It is an html/template,
// so the substituted values are contextually escaped rather than inserted raw.
var oidcCallbackTemplate = template.Must(
	template.New("oidccallback").Parse(oidcCallbackPage),
)
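// OIDCCallback handles the callback from the OIDC endpoint
// Retrieves the nkey from the state cache and adds the machine to the users email namespace
// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into machine HostInfo
// Listens in /oidc/callback.
//
// Flow: validate the code/state query params, exchange the code for tokens,
// verify the ID token, decode its claims, look up the node key that
// RegisterOIDC stored under the state, then either refresh an already
// registered machine or register a new one in the namespace derived from
// the email claim. Every failure path writes exactly one response and
// returns.
func (h *Headscale) OIDCCallback(ctx *gin.Context) {
	code := ctx.Query("code")
	state := ctx.Query("state")

	if code == "" || state == "" {
		ctx.String(http.StatusBadRequest, "Wrong params")

		return
	}

	oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)
	if err != nil {
		log.Error().
			Err(err).
			Caller().
			Msg("Could not exchange code for token")
		ctx.String(http.StatusBadRequest, "Could not exchange code for token")

		return
	}

	// The authorization code is a credential (single-use, but a credential
	// nonetheless) and is deliberately kept out of the log. The state is an
	// opaque random token and is enough to correlate with the register call.
	log.Trace().
		Caller().
		Str("state", state).
		Msg("Got oidc callback")

	rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
	if !rawIDTokenOK {
		ctx.String(http.StatusBadRequest, "Could not extract ID Token")

		return
	}

	// Nothing in the token is trusted until the provider's verifier has
	// accepted it for our ClientID.
	verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
	idToken, err := verifier.Verify(context.Background(), rawIDToken)
	if err != nil {
		log.Error().
			Err(err).
			Caller().
			Msg("failed to verify id token")
		ctx.String(http.StatusBadRequest, "Failed to verify id token")

		return
	}

	// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
	// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
	// if err != nil {
	//	c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo"))
	//	return
	// }

	// Extract custom claims
	var claims IDTokenClaims
	if err = idToken.Claims(&claims); err != nil {
		log.Error().
			Err(err).
			Caller().
			Msg("Failed to decode id token claims")
		ctx.String(
			http.StatusBadRequest,
			"Failed to decode id token claims",
		)

		return
	}

	// retrieve the node key from the state cache
	nodeKeyIf, nodeKeyFound := h.registrationCache.Get(state)
	if !nodeKeyFound {
		log.Error().
			Msg("requested node state key expired before authorisation completed")
		ctx.String(http.StatusBadRequest, "state has expired")

		return
	}

	// NOTE(review): the state entry stays in the cache until it expires, so
	// the same callback URL could be replayed inside that window. Removing
	// the entry here would make the state single-use — confirm the cache
	// type offers a delete before wiring it in.

	// Check the cached value's type before parsing it. Previously the parse
	// ran first, so a non-string entry surfaced as "could not parse public
	// key" and the type check was unreachable.
	nodeKeyFromCache, nodeKeyOK := nodeKeyIf.(string)
	if !nodeKeyOK {
		log.Error().Msg("could not get node key from cache")
		ctx.String(
			http.StatusInternalServerError,
			"could not get machine key from cache",
		)

		return
	}

	var nodeKey key.NodePublic
	err = nodeKey.UnmarshalText(
		[]byte(NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
	)
	if err != nil {
		log.Error().
			Err(err).
			Msg("could not parse node public key")
		ctx.String(http.StatusBadRequest, "could not parse public key")

		return
	}

	// retrieve machine information if it exist
	// The error is not important, because if it does not
	// exist, then this is a new machine and we will move
	// on to registration.
	machine, _ := h.GetMachineByNodeKeys(nodeKey, key.NodePublic{})

	if machine != nil {
		log.Trace().
			Caller().
			Str("machine", machine.Name).
			Msg("machine already registered, reauthenticating")

		// NOTE(review): the OIDC identity (claims.Email) is not compared with
		// the machine's existing namespace on this path; any successful login
		// presenting a matching node key refreshes the machine. Confirm that
		// is intended.
		h.RefreshMachine(machine, time.Time{})

		renderOIDCCallbackPage(ctx, "reauthenticate", "Reauthenticated", claims.Email)

		return
	}

	namespaceName, err := NormalizeToFQDNRules(
		claims.Email,
		h.cfg.OIDC.StripEmaildomain,
	)
	if err != nil {
		log.Error().Err(err).Caller().Msgf("couldn't normalize email")
		ctx.String(
			http.StatusInternalServerError,
			"couldn't normalize email",
		)

		return
	}

	// register the machine if it's new
	log.Debug().Msg("Registering new machine after successful callback")

	namespace, err := h.GetNamespace(namespaceName)
	if errors.Is(err, errNamespaceNotFound) {
		namespace, err = h.CreateNamespace(namespaceName)
		if err != nil {
			log.Error().
				Err(err).
				Caller().
				Msgf("could not create new namespace '%s'", namespaceName)
			ctx.String(
				http.StatusInternalServerError,
				"could not create new namespace",
			)

			return
		}
	} else if err != nil {
		log.Error().
			Caller().
			Err(err).
			Str("namespace", namespaceName).
			Msg("could not find or create namespace")
		ctx.String(
			http.StatusInternalServerError,
			"could not find or create namespace",
		)

		return
	}

	nodeKeyStr := NodePublicKeyStripPrefix(nodeKey)

	_, err = h.RegisterMachineFromAuthCallback(
		nodeKeyStr,
		namespace.Name,
		RegisterMethodOIDC,
	)
	if err != nil {
		log.Error().
			Caller().
			Err(err).
			Msg("could not register machine")
		ctx.String(
			http.StatusInternalServerError,
			"could not register machine",
		)

		return
	}

	renderOIDCCallbackPage(ctx, "authenticate", "Authenticated", claims.Email)
}

// renderOIDCCallbackPage renders oidcCallbackTemplate with the given verb and
// user and writes it as the 200 response. When rendering fails it writes a
// plain 500 instead and returns, so exactly one response is written; the
// previous inline copies fell through and also wrote the 200 after the 500.
// logType is only used to tag the error log ("reauthenticate"/"authenticate").
func renderOIDCCallbackPage(ctx *gin.Context, logType string, verb string, user string) {
	var content bytes.Buffer
	err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
		User: user,
		Verb: verb,
	})
	if err != nil {
		log.Error().
			Str("func", "OIDCCallback").
			Str("type", logType).
			Err(err).
			Msg("Could not render OIDC callback template")
		ctx.Data(
			http.StatusInternalServerError,
			"text/html; charset=utf-8",
			[]byte("Could not render OIDC callback template"),
		)

		return
	}

	ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
}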