1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
18 "git.arvados.org/arvados.git/lib/controller/rpc"
19 "git.arvados.org/arvados.git/lib/ctrlctx"
20 "git.arvados.org/arvados.git/sdk/go/arvados"
21 "git.arvados.org/arvados.git/sdk/go/auth"
22 "git.arvados.org/arvados.git/sdk/go/httpserver"
25 type loginController interface {
26 Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
27 Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
28 UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
31 func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController {
32 wantGoogle := cluster.Login.Google.Enable
33 wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
34 wantPAM := cluster.Login.PAM.Enable
35 wantLDAP := cluster.Login.LDAP.Enable
36 wantTest := cluster.Login.Test.Enable
37 wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
39 case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster):
40 return errorLoginController{
41 error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
44 return &oidcLoginController{
47 Issuer: "https://accounts.google.com",
48 ClientID: cluster.Login.Google.ClientID,
49 ClientSecret: cluster.Login.Google.ClientSecret,
50 AuthParams: cluster.Login.Google.AuthenticationRequestParameters,
51 UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
53 EmailVerifiedClaim: "email_verified",
55 case wantOpenIDConnect:
56 return &oidcLoginController{
59 Issuer: cluster.Login.OpenIDConnect.Issuer,
60 ClientID: cluster.Login.OpenIDConnect.ClientID,
61 ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
62 AuthParams: cluster.Login.OpenIDConnect.AuthenticationRequestParameters,
63 EmailClaim: cluster.Login.OpenIDConnect.EmailClaim,
64 EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim,
65 UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim,
66 AcceptAccessToken: cluster.Login.OpenIDConnect.AcceptAccessToken,
67 AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope,
70 return &pamLoginController{Cluster: cluster, Parent: parent}
72 return &ldapLoginController{Cluster: cluster, Parent: parent}
74 return &testLoginController{Cluster: cluster, Parent: parent}
75 case wantLoginCluster:
76 return &federatedLoginController{Cluster: cluster}
78 return errorLoginController{
79 error: errors.New("BUG: missing case in login controller setup switch"),
84 func countTrue(vals ...bool) int {
86 for _, val := range vals {
94 type errorLoginController struct{ error }
96 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
97 return arvados.LoginResponse{}, ctrl.error
99 func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
100 return arvados.LogoutResponse{}, ctrl.error
102 func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
103 return arvados.APIClientAuthorization{}, ctrl.error
106 type federatedLoginController struct {
107 Cluster *arvados.Cluster
110 func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
111 return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest)
113 func (ctrl federatedLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
114 return logout(ctx, ctrl.Cluster, opts)
116 func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
117 return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
120 func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) {
122 return arvados.APIClientAuthorization{}, errors.New("configuration error: empty SystemRootToken")
124 ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
125 newsession, err := conn.railsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
126 // Send a fake ReturnTo value instead of the caller's
127 // opts.ReturnTo. We won't follow the resulting
128 // redirect target anyway.
129 ReturnTo: ",https://controller.api.client.invalid",
135 target, err := url.Parse(newsession.RedirectLocation)
139 token := target.Query().Get("api_token")
140 tx, err := ctrlctx.CurrentTx(ctx)
145 if strings.Contains(token, "/") {
146 tokenparts := strings.Split(token, "/")
147 if len(tokenparts) >= 3 {
148 tokensecret = tokenparts[2]
153 err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
157 resp.ExpiresAt = exp.Time
159 err = json.Unmarshal(scopes, &resp.Scopes)
161 return resp, fmt.Errorf("unmarshal scopes: %s", err)
167 var errUserinfoInRedirectTarget = errors.New("redirect target rejected because it contains userinfo")
169 func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error {
170 u, err := url.Parse(returnTo)
174 u, err = u.Parse("/")
179 return errUserinfoInRedirectTarget
182 for trusted := range cluster.Login.TrustedClients {
183 trustedOrigin := origin(url.URL(trusted))
184 if trustedOrigin == target {
187 // If TrustedClients has https://*.bar.example, we
188 // trust https://foo.bar.example. Note origin() has
189 // already stripped the incoming Path, so we won't
190 // accidentally trust
191 // https://attacker.example/pwn.bar.example here. See
193 if strings.HasPrefix(trustedOrigin, u.Scheme+"://*.") && strings.HasSuffix(target, trustedOrigin[len(u.Scheme)+4:]) {
197 if target == origin(url.URL(cluster.Services.Workbench1.ExternalURL)) ||
198 target == origin(url.URL(cluster.Services.Workbench2.ExternalURL)) {
201 if cluster.Login.TrustPrivateNetworks {
202 if u.Hostname() == "localhost" {
205 if ip := net.ParseIP(u.Hostname()); len(ip) > 0 {
206 for _, n := range privateNetworks {
213 return fmt.Errorf("requesting site is not listed in TrustedClients config")
216 // origin returns the canonical origin of a URL, e.g.,
217 // origin("https://example:443/foo") returns "https://example/"
218 func origin(u url.URL) string {
224 if origin.Port() == "80" && origin.Scheme == "http" {
225 origin.Host = origin.Hostname()
226 } else if origin.Port() == "443" && origin.Scheme == "https" {
227 origin.Host = origin.Hostname()
229 return origin.String()
projects / arvados.git / blob