// Copyright (C) The Arvados Authors. All rights reserved. // // SPDX-License-Identifier: AGPL-3.0 package localdb import ( "context" "database/sql" "encoding/json" "errors" "fmt" "net" "net/http" "net/url" "strings" "git.arvados.org/arvados.git/lib/controller/rpc" "git.arvados.org/arvados.git/lib/ctrlctx" "git.arvados.org/arvados.git/sdk/go/arvados" "git.arvados.org/arvados.git/sdk/go/auth" "git.arvados.org/arvados.git/sdk/go/httpserver" ) type loginController interface { Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) } func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController { wantGoogle := cluster.Login.Google.Enable wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable wantPAM := cluster.Login.PAM.Enable wantLDAP := cluster.Login.LDAP.Enable wantTest := cluster.Login.Test.Enable wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID switch { case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster): return errorLoginController{ error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"), } case wantGoogle: return &oidcLoginController{ Cluster: cluster, Parent: parent, Issuer: "https://accounts.google.com", ClientID: cluster.Login.Google.ClientID, ClientSecret: cluster.Login.Google.ClientSecret, AuthParams: cluster.Login.Google.AuthenticationRequestParameters, UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses, EmailClaim: "email", EmailVerifiedClaim: "email_verified", } case wantOpenIDConnect: return &oidcLoginController{ Cluster: cluster, Parent: parent, Issuer: cluster.Login.OpenIDConnect.Issuer, ClientID: cluster.Login.OpenIDConnect.ClientID, ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, AuthParams: cluster.Login.OpenIDConnect.AuthenticationRequestParameters, EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, AcceptAccessToken: cluster.Login.OpenIDConnect.AcceptAccessToken, AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope, } case wantPAM: return &pamLoginController{Cluster: cluster, Parent: parent} case wantLDAP: return &ldapLoginController{Cluster: cluster, Parent: parent} case wantTest: return &testLoginController{Cluster: cluster, Parent: parent} case wantLoginCluster: return &federatedLoginController{Cluster: cluster} default: return errorLoginController{ error: errors.New("BUG: missing case in login controller setup switch"), } } } func countTrue(vals ...bool) int { n := 0 for _, val := range vals { if val { n++ } } return n } type errorLoginController struct{ error } func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { return arvados.LoginResponse{}, ctrl.error } func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) { return arvados.LogoutResponse{}, ctrl.error } func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { return arvados.APIClientAuthorization{}, ctrl.error } type federatedLoginController struct { Cluster *arvados.Cluster } func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest) } func (ctrl federatedLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { return logout(ctx, ctrl.Cluster, opts) } func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) } func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { if rootToken == "" { return arvados.APIClientAuthorization{}, errors.New("configuration error: empty SystemRootToken") } ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}}) newsession, err := conn.railsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ // Send a fake ReturnTo value instead of the caller's // opts.ReturnTo. We won't follow the resulting // redirect target anyway. ReturnTo: ",https://controller.api.client.invalid", AuthInfo: authinfo, }) if err != nil { return } target, err := url.Parse(newsession.RedirectLocation) if err != nil { return } token := target.Query().Get("api_token") tx, err := ctrlctx.CurrentTx(ctx) if err != nil { return } tokensecret := token if strings.Contains(token, "/") { tokenparts := strings.Split(token, "/") if len(tokenparts) >= 3 { tokensecret = tokenparts[2] } } var exp sql.NullTime var scopes []byte err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes) if err != nil { return } resp.ExpiresAt = exp.Time if len(scopes) > 0 { err = json.Unmarshal(scopes, &resp.Scopes) if err != nil { return resp, fmt.Errorf("unmarshal scopes: %s", err) } } return } var errUserinfoInRedirectTarget = errors.New("redirect target rejected because it contains userinfo") func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error { u, err := url.Parse(returnTo) if err != nil { return err } u, err = u.Parse("/") if err != nil { return err } if u.User != nil { return errUserinfoInRedirectTarget } target := origin(*u) for trusted := range cluster.Login.TrustedClients { trustedOrigin := origin(url.URL(trusted)) if trustedOrigin == target { return nil } // If TrustedClients has https://*.bar.example, we // trust https://foo.bar.example. Note origin() has // already stripped the incoming Path, so we won't // accidentally trust // https://attacker.example/pwn.bar.example here. See // tests. if strings.HasPrefix(trustedOrigin, u.Scheme+"://*.") && strings.HasSuffix(target, trustedOrigin[len(u.Scheme)+4:]) { return nil } } if target == origin(url.URL(cluster.Services.Workbench1.ExternalURL)) || target == origin(url.URL(cluster.Services.Workbench2.ExternalURL)) { return nil } if cluster.Login.TrustPrivateNetworks { if u.Hostname() == "localhost" { return nil } if ip := net.ParseIP(u.Hostname()); len(ip) > 0 { for _, n := range privateNetworks { if n.Contains(ip) { return nil } } } } return fmt.Errorf("requesting site is not listed in TrustedClients config") } // origin returns the canonical origin of a URL, e.g., // origin("https://example:443/foo") returns "https://example/" func origin(u url.URL) string { origin := url.URL{ Scheme: u.Scheme, Host: u.Host, Path: "/", } if origin.Port() == "80" && origin.Scheme == "http" { origin.Host = origin.Hostname() } else if origin.Port() == "443" && origin.Scheme == "https" { origin.Host = origin.Hostname() } return origin.String() }