headscale/hscontrol/oidc.go

666 lines
18 KiB
Go
Raw Normal View History

package hscontrol
2021-09-26 04:53:05 -04:00
import (
2021-12-22 21:43:53 -05:00
"bytes"
"context"
2021-09-26 04:53:05 -04:00
"crypto/rand"
_ "embed"
2021-09-26 04:53:05 -04:00
"encoding/hex"
"errors"
2021-09-26 04:53:05 -04:00
"fmt"
2021-12-22 21:43:53 -05:00
"html/template"
2021-10-18 15:27:52 -04:00
"net/http"
"slices"
2021-10-18 15:27:52 -04:00
"strings"
"time"
2021-10-18 15:27:52 -04:00
"github.com/coreos/go-oidc/v3/oidc"
2022-06-20 06:31:19 -04:00
"github.com/gorilla/mux"
"github.com/juanfont/headscale/hscontrol/db"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/juanfont/headscale/hscontrol/util"
2021-09-26 04:53:05 -04:00
"github.com/rs/zerolog/log"
"golang.org/x/oauth2"
"gorm.io/gorm"
"tailscale.com/types/key"
2021-09-26 04:53:05 -04:00
)
const (
randomByteSize = 16
)
2022-08-07 07:57:07 -04:00
var (
errEmptyOIDCCallbackParams = errors.New("empty OIDC callback params")
errNoOIDCIDToken = errors.New("could not extract ID Token for OIDC callback")
errOIDCAllowedDomains = errors.New(
"authenticated principal does not match any allowed domain",
)
errOIDCAllowedGroups = errors.New("authenticated principal is not in any allowed group")
errOIDCAllowedUsers = errors.New(
"authenticated principal does not match any allowed user",
)
2023-09-24 07:42:05 -04:00
errOIDCInvalidNodeState = errors.New(
"requested node state key expired before authorisation completed",
)
errOIDCNodeKeyMissing = errors.New("could not get node key from cache")
)
type IDTokenClaims struct {
2021-09-26 04:53:05 -04:00
Name string `json:"name,omitempty"`
Groups []string `json:"groups,omitempty"`
Email string `json:"email"`
Username string `json:"preferred_username,omitempty"`
}
2021-10-08 05:43:52 -04:00
func (h *Headscale) initOIDC() error {
2021-09-26 04:53:05 -04:00
var err error
// grab oidc config if it hasn't been already
2021-10-08 05:43:52 -04:00
if h.oauth2Config == nil {
2021-10-18 15:27:52 -04:00
h.oidcProvider, err = oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)
2021-09-26 04:53:05 -04:00
if err != nil {
2024-04-12 09:57:43 -04:00
return fmt.Errorf("creating OIDC provider from issuer config: %w", err)
2021-09-26 04:53:05 -04:00
}
2021-10-08 05:43:52 -04:00
h.oauth2Config = &oauth2.Config{
2021-10-18 15:27:52 -04:00
ClientID: h.cfg.OIDC.ClientID,
ClientSecret: h.cfg.OIDC.ClientSecret,
2021-10-08 05:43:52 -04:00
Endpoint: h.oidcProvider.Endpoint(),
2021-11-13 03:36:45 -05:00
RedirectURL: fmt.Sprintf(
"%s/oidc/callback",
strings.TrimSuffix(h.cfg.ServerURL, "/"),
),
Scopes: h.cfg.OIDC.Scope,
}
2021-10-08 05:43:52 -04:00
}
return nil
}
func (h *Headscale) determineTokenExpiration(idTokenExpiration time.Time) time.Time {
if h.cfg.OIDC.UseExpiryFromToken {
return idTokenExpiration
}
return time.Now().Add(h.cfg.OIDC.Expiry)
}
2021-10-08 05:43:52 -04:00
// RegisterOIDC redirects to the OIDC provider for authentication
2022-08-11 06:15:16 -04:00
// Puts NodeKey in cache so the callback can retrieve it using the oidc state param
// Listens in /oidc/register/:mKey.
2022-06-20 06:31:19 -04:00
func (h *Headscale) RegisterOIDC(
2022-06-26 05:55:37 -04:00
writer http.ResponseWriter,
req *http.Request,
2022-06-20 06:31:19 -04:00
) {
2022-06-26 05:55:37 -04:00
vars := mux.Vars(req)
machineKeyStr, ok := vars["mkey"]
2021-09-26 04:53:05 -04:00
log.Debug().
Caller().
Str("machine_key", machineKeyStr).
Bool("ok", ok).
Msg("Received oidc register call")
// We need to make sure we dont open for XSS style injections, if the parameter that
// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
// the template and log an error.
var machineKey key.MachinePublic
err := machineKey.UnmarshalText(
[]byte(machineKeyStr),
)
if err != nil {
log.Warn().
Err(err).
Msg("Failed to parse incoming nodekey in OIDC registration")
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
_, err := writer.Write([]byte("Wrong params"))
if err != nil {
util.LogErr(err, "Failed to write response")
}
return
}
randomBlob := make([]byte, randomByteSize)
2021-11-15 11:15:50 -05:00
if _, err := rand.Read(randomBlob); err != nil {
util.LogErr(err, "could not read 16 bytes from rand")
2022-06-26 05:55:37 -04:00
http.Error(writer, "Internal server error", http.StatusInternalServerError)
2021-11-14 10:46:09 -05:00
return
}
2021-11-15 11:15:50 -05:00
stateStr := hex.EncodeToString(randomBlob)[:32]
2021-09-26 04:53:05 -04:00
// place the node key into the state cache, so it can be retrieved later
h.registrationCache.Set(
stateStr,
machineKey,
registerCacheExpiration,
)
2021-09-26 04:53:05 -04:00
// Add any extra parameter provided in the configuration to the Authorize Endpoint request
extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
for k, v := range h.cfg.OIDC.ExtraParams {
extras = append(extras, oauth2.SetAuthURLParam(k, v))
}
authURL := h.oauth2Config.AuthCodeURL(stateStr, extras...)
log.Debug().Msgf("Redirecting to %s for authentication", authURL)
2021-09-26 04:53:05 -04:00
2022-06-26 05:55:37 -04:00
http.Redirect(writer, req, authURL, http.StatusFound)
2021-09-26 04:53:05 -04:00
}
2021-12-22 21:43:53 -05:00
type oidcCallbackTemplateConfig struct {
User string
Verb string
}
//go:embed assets/oidc_callback_template.html
var oidcCallbackTemplateContent string
2021-12-22 21:43:53 -05:00
var oidcCallbackTemplate = template.Must(
template.New("oidccallback").Parse(oidcCallbackTemplateContent),
2021-12-22 21:43:53 -05:00
)
2021-09-26 04:53:05 -04:00
// OIDCCallback handles the callback from the OIDC endpoint
2023-09-24 07:42:05 -04:00
// Retrieves the nkey from the state cache and adds the node to the users email user
// TODO: A confirmation page for new nodes should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into node HostInfo
2021-11-13 03:39:04 -05:00
// Listens in /oidc/callback.
2022-06-17 11:42:17 -04:00
func (h *Headscale) OIDCCallback(
2022-06-26 06:01:04 -04:00
writer http.ResponseWriter,
req *http.Request,
2022-06-17 11:42:17 -04:00
) {
2022-08-07 07:57:07 -04:00
code, state, err := validateOIDCCallbackParams(writer, req)
if err != nil {
2022-07-11 17:25:13 -04:00
return
}
2022-09-04 09:02:18 -04:00
rawIDToken, err := h.getIDTokenForOIDCCallback(req.Context(), writer, code, state)
2022-08-07 07:57:07 -04:00
if err != nil {
2022-07-11 17:25:13 -04:00
return
}
2022-09-04 09:02:18 -04:00
idToken, err := h.verifyIDTokenForOIDCCallback(req.Context(), writer, rawIDToken)
2022-08-07 07:57:07 -04:00
if err != nil {
2022-07-11 17:25:13 -04:00
return
}
idTokenExpiry := h.determineTokenExpiration(idToken.Expiry)
2022-07-11 17:25:13 -04:00
// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
// if err != nil {
// c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo"))
// return
// }
2022-08-07 07:57:07 -04:00
claims, err := extractIDTokenClaims(writer, idToken)
if err != nil {
2022-07-11 17:25:13 -04:00
return
}
2022-08-07 07:57:07 -04:00
if err := validateOIDCAllowedDomains(writer, h.cfg.OIDC.AllowedDomains, claims); err != nil {
2022-07-11 17:25:13 -04:00
return
}
if err := validateOIDCAllowedGroups(writer, h.cfg.OIDC.AllowedGroups, claims); err != nil {
return
}
2022-08-07 07:57:07 -04:00
if err := validateOIDCAllowedUsers(writer, h.cfg.OIDC.AllowedUsers, claims); err != nil {
2022-07-11 17:25:13 -04:00
return
}
machineKey, nodeExists, err := h.validateNodeForOIDCCallback(
writer,
state,
claims,
idTokenExpiry,
)
2023-09-24 07:42:05 -04:00
if err != nil || nodeExists {
2022-07-11 17:25:13 -04:00
return
}
userName, err := getUserName(writer, claims, h.cfg.OIDC.StripEmaildomain)
2022-08-07 07:57:07 -04:00
if err != nil {
2022-07-11 17:25:13 -04:00
return
}
2023-09-24 07:42:05 -04:00
// register the node if it's new
log.Debug().Msg("Registering new node after successful callback")
2022-07-11 17:25:13 -04:00
user, err := h.findOrCreateNewUserForOIDCCallback(writer, userName)
2022-08-07 07:57:07 -04:00
if err != nil {
2022-07-11 17:25:13 -04:00
return
}
if err := h.registerNodeForOIDCCallback(writer, user, machineKey, idTokenExpiry); err != nil {
2022-07-11 17:25:13 -04:00
return
}
2022-08-07 07:57:07 -04:00
content, err := renderOIDCCallbackTemplate(writer, claims)
if err != nil {
2022-07-11 17:25:13 -04:00
return
}
writer.Header().Set("Content-Type", "text/html; charset=utf-8")
writer.WriteHeader(http.StatusOK)
if _, err := writer.Write(content.Bytes()); err != nil {
util.LogErr(err, "Failed to write response")
2022-07-11 17:25:13 -04:00
}
}
func validateOIDCCallbackParams(
writer http.ResponseWriter,
req *http.Request,
2022-08-07 07:57:07 -04:00
) (string, string, error) {
2022-06-26 06:01:04 -04:00
code := req.URL.Query().Get("code")
state := req.URL.Query().Get("state")
2021-09-26 04:53:05 -04:00
if code == "" || state == "" {
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 06:21:35 -04:00
_, err := writer.Write([]byte("Wrong params"))
if err != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2021-11-14 10:46:09 -05:00
2022-08-07 07:57:07 -04:00
return "", "", errEmptyOIDCCallbackParams
2021-09-26 04:53:05 -04:00
}
2022-08-07 07:57:07 -04:00
return code, state, nil
2022-07-11 17:25:13 -04:00
}
func (h *Headscale) getIDTokenForOIDCCallback(
2022-09-04 09:02:18 -04:00
ctx context.Context,
2022-07-11 17:25:13 -04:00
writer http.ResponseWriter,
code, state string,
2022-08-07 07:57:07 -04:00
) (string, error) {
2022-09-04 09:02:18 -04:00
oauth2Token, err := h.oauth2Config.Exchange(ctx, code)
2021-09-26 04:53:05 -04:00
if err != nil {
util.LogErr(err, "Could not exchange code for token")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-08-07 07:57:07 -04:00
_, werr := writer.Write([]byte("Could not exchange code for token"))
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2021-11-14 10:46:09 -05:00
2022-08-07 07:57:07 -04:00
return "", err
2021-09-26 04:53:05 -04:00
}
log.Trace().
Caller().
Str("code", code).
Str("state", state).
Msg("Got oidc callback")
2021-10-10 05:22:42 -04:00
rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
if !rawIDTokenOK {
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 06:21:35 -04:00
_, err := writer.Write([]byte("Could not extract ID Token"))
if err != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2021-11-14 10:46:09 -05:00
2022-08-07 07:57:07 -04:00
return "", errNoOIDCIDToken
}
2022-08-07 07:57:07 -04:00
return rawIDToken, nil
2022-07-11 17:25:13 -04:00
}
2021-09-26 04:53:05 -04:00
2022-07-11 17:25:13 -04:00
func (h *Headscale) verifyIDTokenForOIDCCallback(
2022-09-04 09:02:18 -04:00
ctx context.Context,
2022-07-11 17:25:13 -04:00
writer http.ResponseWriter,
rawIDToken string,
2022-08-07 07:57:07 -04:00
) (*oidc.IDToken, error) {
2022-07-11 17:25:13 -04:00
verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
2022-09-04 09:02:18 -04:00
idToken, err := verifier.Verify(ctx, rawIDToken)
2021-09-26 04:53:05 -04:00
if err != nil {
util.LogErr(err, "failed to verify id token")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-08-07 07:57:07 -04:00
_, werr := writer.Write([]byte("Failed to verify id token"))
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2021-11-14 10:46:09 -05:00
2022-08-07 07:57:07 -04:00
return nil, err
}
2022-08-07 07:57:07 -04:00
return idToken, nil
2022-07-11 17:25:13 -04:00
}
2022-07-11 17:25:13 -04:00
func extractIDTokenClaims(
writer http.ResponseWriter,
idToken *oidc.IDToken,
2022-08-07 07:57:07 -04:00
) (*IDTokenClaims, error) {
var claims IDTokenClaims
2022-08-17 11:03:10 -04:00
if err := idToken.Claims(&claims); err != nil {
util.LogErr(err, "Failed to decode id token claims")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-08-07 07:57:07 -04:00
_, werr := writer.Write([]byte("Failed to decode id token claims"))
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2021-11-14 10:46:09 -05:00
2022-08-07 07:57:07 -04:00
return nil, err
2021-09-26 04:53:05 -04:00
}
2022-08-07 07:57:07 -04:00
return &claims, nil
2022-07-11 17:25:13 -04:00
}
// validateOIDCAllowedDomains checks that if AllowedDomains is provided,
// that the authenticated principal ends with @<alloweddomain>.
func validateOIDCAllowedDomains(
writer http.ResponseWriter,
allowedDomains []string,
claims *IDTokenClaims,
2022-08-07 07:57:07 -04:00
) error {
2022-07-11 17:25:13 -04:00
if len(allowedDomains) > 0 {
if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
!slices.Contains(allowedDomains, claims.Email[at+1:]) {
log.Trace().Msg("authenticated principal does not match any allowed domain")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 06:21:35 -04:00
_, err := writer.Write([]byte("unauthorized principal (domain mismatch)"))
if err != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2022-08-07 07:57:07 -04:00
return errOIDCAllowedDomains
}
}
2022-08-07 07:57:07 -04:00
return nil
2022-07-11 17:25:13 -04:00
}
// validateOIDCAllowedGroups checks if AllowedGroups is provided,
// and that the user has one group in the list.
// claims.Groups can be populated by adding a client scope named
// 'groups' that contains group membership.
func validateOIDCAllowedGroups(
writer http.ResponseWriter,
allowedGroups []string,
claims *IDTokenClaims,
) error {
if len(allowedGroups) > 0 {
for _, group := range allowedGroups {
if slices.Contains(claims.Groups, group) {
return nil
}
}
log.Trace().Msg("authenticated principal not in any allowed groups")
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
_, err := writer.Write([]byte("unauthorized principal (allowed groups)"))
if err != nil {
util.LogErr(err, "Failed to write response")
}
return errOIDCAllowedGroups
}
return nil
}
2022-07-11 17:25:13 -04:00
// validateOIDCAllowedUsers checks that if AllowedUsers is provided,
// that the authenticated principal is part of that list.
func validateOIDCAllowedUsers(
writer http.ResponseWriter,
allowedUsers []string,
claims *IDTokenClaims,
2022-08-07 07:57:07 -04:00
) error {
2022-07-11 17:25:13 -04:00
if len(allowedUsers) > 0 &&
!slices.Contains(allowedUsers, claims.Email) {
log.Trace().Msg("authenticated principal does not match any allowed user")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 06:21:35 -04:00
_, err := writer.Write([]byte("unauthorized principal (user mismatch)"))
if err != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2022-08-07 07:57:07 -04:00
return errOIDCAllowedUsers
}
2022-08-07 07:57:07 -04:00
return nil
2022-07-11 17:25:13 -04:00
}
2023-09-24 07:42:05 -04:00
// validateNode retrieves node information if it exist
2022-07-11 17:25:13 -04:00
// The error is not important, because if it does not
2023-09-24 07:42:05 -04:00
// exist, then this is a new node and we will move
2022-07-11 17:25:13 -04:00
// on to registration.
2023-09-24 07:42:05 -04:00
func (h *Headscale) validateNodeForOIDCCallback(
2022-07-11 17:25:13 -04:00
writer http.ResponseWriter,
state string,
claims *IDTokenClaims,
expiry time.Time,
) (*key.MachinePublic, bool, error) {
2023-09-24 07:42:05 -04:00
// retrieve nodekey from state cache
machineKeyIf, machineKeyFound := h.registrationCache.Get(state)
if !machineKeyFound {
log.Trace().
2023-09-24 07:42:05 -04:00
Msg("requested node state key expired before authorisation completed")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 06:21:35 -04:00
_, err := writer.Write([]byte("state has expired"))
if err != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2021-11-14 10:46:09 -05:00
2022-11-14 09:10:26 -05:00
return nil, false, errOIDCNodeKeyMissing
2021-09-26 04:53:05 -04:00
}
var machineKey key.MachinePublic
machineKey, machineKeyOK := machineKeyIf.(key.MachinePublic)
if !machineKeyOK {
log.Trace().
Interface("got", machineKeyIf).
Msg("requested node state key is not a nodekey")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
_, err := writer.Write([]byte("state is invalid"))
if err != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2023-09-24 07:42:05 -04:00
return nil, false, errOIDCInvalidNodeState
}
2021-09-26 04:53:05 -04:00
2023-09-24 07:42:05 -04:00
// retrieve node information if it exist
2022-03-02 02:29:40 -05:00
// The error is not important, because if it does not
2023-09-24 07:42:05 -04:00
// exist, then this is a new node and we will move
2022-03-02 02:29:40 -05:00
// on to registration.
node, _ := h.db.GetNodeByMachineKey(machineKey)
2021-09-26 04:53:05 -04:00
2023-09-24 07:42:05 -04:00
if node != nil {
log.Trace().
Caller().
2023-09-24 07:42:05 -04:00
Str("node", node.Hostname).
Msg("node already registered, reauthenticating")
err := h.db.NodeSetExpiry(node.ID, expiry)
2022-06-26 06:30:52 -04:00
if err != nil {
2023-09-24 07:42:05 -04:00
util.LogErr(err, "Failed to refresh node")
2022-08-04 04:47:00 -04:00
http.Error(
writer,
2023-09-24 07:42:05 -04:00
"Failed to refresh node",
2022-08-04 04:47:00 -04:00
http.StatusInternalServerError,
)
2022-06-26 06:30:52 -04:00
2022-08-07 07:57:07 -04:00
return nil, true, err
2022-06-26 06:30:52 -04:00
}
log.Debug().
2023-09-24 07:42:05 -04:00
Str("node", node.Hostname).
Str("expiresAt", fmt.Sprintf("%v", expiry)).
2023-09-24 07:42:05 -04:00
Msg("successfully refreshed node")
2021-12-22 21:43:53 -05:00
var content bytes.Buffer
if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
User: claims.Email,
Verb: "Reauthenticated",
}); err != nil {
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-08-07 07:57:07 -04:00
_, werr := writer.Write([]byte("Could not render OIDC callback template"))
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2022-06-17 11:42:17 -04:00
2024-04-12 09:57:43 -04:00
return nil, true, fmt.Errorf("rendering OIDC callback template: %w", err)
2021-12-22 21:43:53 -05:00
}
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/html; charset=utf-8")
writer.WriteHeader(http.StatusOK)
2022-06-26 06:30:52 -04:00
_, err = writer.Write(content.Bytes())
2022-06-26 06:21:35 -04:00
if err != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
ctx := types.NotifyCtx(context.Background(), "oidc-expiry-self", node.Hostname)
h.nodeNotifier.NotifyByNodeID(
ctx,
types.StateUpdate{
Type: types.StateSelfUpdate,
ChangeNodes: []types.NodeID{node.ID},
},
node.ID,
)
ctx = types.NotifyCtx(context.Background(), "oidc-expiry-peers", node.Hostname)
h.nodeNotifier.NotifyWithIgnore(ctx, types.StateUpdateExpire(node.ID, expiry), node.ID)
2022-08-07 07:57:07 -04:00
return nil, true, nil
}
return &machineKey, false, nil
2022-07-11 17:25:13 -04:00
}
func getUserName(
2022-07-11 17:25:13 -04:00
writer http.ResponseWriter,
claims *IDTokenClaims,
stripEmaildomain bool,
2022-08-07 07:57:07 -04:00
) (string, error) {
userName, err := util.NormalizeToFQDNRules(
2022-02-23 08:22:21 -05:00
claims.Email,
2022-07-11 17:25:13 -04:00
stripEmaildomain,
2022-02-23 08:22:21 -05:00
)
2022-02-22 06:46:45 -05:00
if err != nil {
util.LogErr(err, "couldn't normalize email")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-08-07 07:57:07 -04:00
_, werr := writer.Write([]byte("couldn't normalize email"))
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2022-02-22 15:05:39 -05:00
2022-08-07 07:57:07 -04:00
return "", err
2022-02-22 06:46:45 -05:00
}
return userName, nil
2022-07-11 17:25:13 -04:00
}
2021-09-26 04:53:05 -04:00
func (h *Headscale) findOrCreateNewUserForOIDCCallback(
2022-07-11 17:25:13 -04:00
writer http.ResponseWriter,
userName string,
) (*types.User, error) {
user, err := h.db.GetUser(userName)
if errors.Is(err, db.ErrUserNotFound) {
user, err = h.db.CreateUser(userName)
2022-02-22 06:46:45 -05:00
if err != nil {
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
_, werr := writer.Write([]byte("could not create user"))
2022-08-07 07:57:07 -04:00
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2021-12-22 21:43:53 -05:00
2024-04-12 09:57:43 -04:00
return nil, fmt.Errorf("creating new user: %w", err)
2022-02-22 06:46:45 -05:00
}
} else if err != nil {
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
_, werr := writer.Write([]byte("could not find or create user"))
2022-08-07 07:57:07 -04:00
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2024-04-12 09:57:43 -04:00
return nil, fmt.Errorf("find or create user: %w", err)
}
return user, nil
2022-07-11 17:25:13 -04:00
}
2023-09-24 07:42:05 -04:00
func (h *Headscale) registerNodeForOIDCCallback(
2022-07-11 17:25:13 -04:00
writer http.ResponseWriter,
user *types.User,
machineKey *key.MachinePublic,
expiry time.Time,
2022-08-07 07:57:07 -04:00
) error {
ipv4, ipv6, err := h.ipAlloc.Next()
if err != nil {
return err
}
if err := h.db.Write(func(tx *gorm.DB) error {
if _, err := db.RegisterNodeFromAuthCallback(
// TODO(kradalby): find a better way to use the cache across modules
tx,
h.registrationCache,
*machineKey,
user.Name,
&expiry,
util.RegisterMethodOIDC,
ipv4, ipv6,
); err != nil {
return err
}
return nil
}); err != nil {
2023-09-24 07:42:05 -04:00
util.LogErr(err, "could not register node")
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2023-09-24 07:42:05 -04:00
_, werr := writer.Write([]byte("could not register node"))
2022-08-07 07:57:07 -04:00
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2022-08-07 07:57:07 -04:00
return err
2021-10-18 15:27:52 -04:00
}
2022-08-07 07:57:07 -04:00
return nil
2022-07-11 17:25:13 -04:00
}
func renderOIDCCallbackTemplate(
writer http.ResponseWriter,
claims *IDTokenClaims,
2022-08-07 07:57:07 -04:00
) (*bytes.Buffer, error) {
2022-02-22 06:46:45 -05:00
var content bytes.Buffer
if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
User: claims.Email,
Verb: "Authenticated",
}); err != nil {
2022-06-26 06:01:04 -04:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-08-07 07:57:07 -04:00
_, werr := writer.Write([]byte("Could not render OIDC callback template"))
if werr != nil {
util.LogErr(err, "Failed to write response")
2022-06-26 06:21:35 -04:00
}
2022-06-17 11:42:17 -04:00
2024-04-12 09:57:43 -04:00
return nil, fmt.Errorf("rendering OIDC callback template: %w", err)
2021-10-18 15:27:52 -04:00
}
2022-08-07 07:57:07 -04:00
return &content, nil
2021-09-26 04:53:05 -04:00
}