X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1dee1aad0573bf3a54d536c8dd3693a352cf0cbe..3ec51dcf456b2afe02857089895a261653abddd4:/lib/controller/localdb/login.go

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 8b83c38571..4bf515fc3f 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -5,195 +5,185 @@
 package localdb
 
 import (
-	"bytes"
 	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/base64"
+	"database/sql"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"net/http"
 	"net/url"
 	"strings"
-	"sync"
-	"text/template"
-	"time"
 
-	"git.curoverse.com/arvados.git/lib/controller/rpc"
-	"git.curoverse.com/arvados.git/sdk/go/arvados"
-	"git.curoverse.com/arvados.git/sdk/go/auth"
-	"github.com/coreos/go-oidc"
-	"golang.org/x/oauth2"
+	"git.arvados.org/arvados.git/lib/controller/rpc"
+	"git.arvados.org/arvados.git/lib/ctrlctx"
+	"git.arvados.org/arvados.git/sdk/go/arvados"
+	"git.arvados.org/arvados.git/sdk/go/auth"
+	"git.arvados.org/arvados.git/sdk/go/httpserver"
 )
 
-type googleLoginController struct {
-	issuer   string // override OIDC issuer URL (normally https://accounts.google.com) for testing
-	provider *oidc.Provider
-	mu       sync.Mutex
+type loginController interface {
+	Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error)
+	Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error)
+	UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error)
 }
 
-func (ctrl *googleLoginController) getProvider() (*oidc.Provider, error) {
-	ctrl.mu.Lock()
-	defer ctrl.mu.Unlock()
-	if ctrl.provider == nil {
-		issuer := ctrl.issuer
-		if issuer == "" {
-			issuer = "https://accounts.google.com"
+func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController {
+	wantGoogle := cluster.Login.Google.Enable
+	wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
+	wantSSO := cluster.Login.SSO.Enable
+	wantPAM := cluster.Login.PAM.Enable
+	wantLDAP := cluster.Login.LDAP.Enable
+	wantTest := cluster.Login.Test.Enable
+	wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
+	switch {
+	case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
+		return errorLoginController{
+			error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
 		}
-		provider, err := oidc.NewProvider(context.Background(), issuer)
-		if err != nil {
-			return nil, err
-		}
-		ctrl.provider = provider
-	}
-	return ctrl.provider, nil
-}
-
-func (ctrl *googleLoginController) Login(ctx context.Context, cluster *arvados.Cluster, railsproxy *railsProxy, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
-	provider, err := ctrl.getProvider()
-	if err != nil {
-		return ctrl.loginError(fmt.Errorf("error setting up OpenID Connect provider: %s", err))
-	}
-	redirURL, err := (*url.URL)(&cluster.Services.Controller.ExternalURL).Parse("/login")
-	if err != nil {
-		return ctrl.loginError(fmt.Errorf("error making redirect URL: %s", err))
-	}
-	conf := &oauth2.Config{
-		ClientID:     cluster.Login.GoogleClientID,
-		ClientSecret: cluster.Login.GoogleClientSecret,
-		Endpoint:     provider.Endpoint(),
-		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
-		RedirectURL:  redirURL.String(),
-	}
-	verifier := provider.Verifier(&oidc.Config{
-		ClientID: conf.ClientID,
-	})
-	if opts.State == "" {
-		// Initiate Google sign-in.
-		if opts.ReturnTo == "" {
-			return ctrl.loginError(errors.New("missing return_to parameter"))
-		}
-		me := url.URL(cluster.Services.Controller.ExternalURL)
-		callback, err := me.Parse("/" + arvados.EndpointLogin.Path)
-		if err != nil {
-			return ctrl.loginError(err)
-		}
-		conf.RedirectURL = callback.String()
-		state := ctrl.newOAuth2State([]byte(cluster.SystemRootToken), opts.Remote, opts.ReturnTo)
-		return arvados.LoginResponse{
-			RedirectLocation: conf.AuthCodeURL(state.String(),
-				// prompt=select_account tells Google
-				// to show the "choose which Google
-				// account" page, even if the client
-				// is currently logged in to exactly
-				// one Google account.
-				oauth2.SetAuthURLParam("prompt", "select_account")),
-		}, nil
-	} else {
-		// Callback after Google sign-in.
-		state := ctrl.parseOAuth2State(opts.State)
-		if !state.verify([]byte(cluster.SystemRootToken)) {
-			return ctrl.loginError(errors.New("invalid OAuth2 state"))
+	case wantGoogle:
+		return &oidcLoginController{
+			Cluster:            cluster,
+			Parent:             parent,
+			Issuer:             "https://accounts.google.com",
+			ClientID:           cluster.Login.Google.ClientID,
+			ClientSecret:       cluster.Login.Google.ClientSecret,
+			UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
+			EmailClaim:         "email",
+			EmailVerifiedClaim: "email_verified",
 		}
-		oauth2Token, err := conf.Exchange(ctx, opts.Code)
-		if err != nil {
-			return ctrl.loginError(fmt.Errorf("error in OAuth2 exchange: %s", err))
+	case wantOpenIDConnect:
+		return &oidcLoginController{
+			Cluster:            cluster,
+			Parent:             parent,
+			Issuer:             cluster.Login.OpenIDConnect.Issuer,
+			ClientID:           cluster.Login.OpenIDConnect.ClientID,
+			ClientSecret:       cluster.Login.OpenIDConnect.ClientSecret,
+			EmailClaim:         cluster.Login.OpenIDConnect.EmailClaim,
+			EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim,
+			UsernameClaim:      cluster.Login.OpenIDConnect.UsernameClaim,
 		}
-		rawIDToken, ok := oauth2Token.Extra("id_token").(string)
-		if !ok {
-			return ctrl.loginError(errors.New("error in OAuth2 exchange: no ID token in OAuth2 token"))
+	case wantSSO:
+		return &ssoLoginController{Parent: parent}
+	case wantPAM:
+		return &pamLoginController{Cluster: cluster, Parent: parent}
+	case wantLDAP:
+		return &ldapLoginController{Cluster: cluster, Parent: parent}
+	case wantTest:
+		return &testLoginController{Cluster: cluster, Parent: parent}
+	case wantLoginCluster:
+		return &federatedLoginController{Cluster: cluster}
+	default:
+		return errorLoginController{
+			error: errors.New("BUG: missing case in login controller setup switch"),
 		}
-		idToken, err := verifier.Verify(ctx, rawIDToken)
-		if err != nil {
-			return ctrl.loginError(fmt.Errorf("error verifying ID token: %s", err))
-		}
-		var claims struct {
-			Name     string `json:"name"`
-			Email    string `json:"email"`
-			Verified bool   `json:"email_verified"`
-		}
-		if err := idToken.Claims(&claims); err != nil {
-			return ctrl.loginError(fmt.Errorf("error extracting claims from ID token: %s", err))
-		}
-		if !claims.Verified {
-			return ctrl.loginError(errors.New("cannot authenticate using an unverified email address"))
-		}
-
-		firstname, lastname := strings.TrimSpace(claims.Name), ""
-		if names := strings.Fields(firstname); len(names) > 1 {
-			firstname = strings.Join(names[0:len(names)-1], " ")
-			lastname = names[len(names)-1]
-		}
-
-		ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{cluster.SystemRootToken}})
-		return railsproxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
-			ReturnTo: state.Remote + "," + state.ReturnTo,
-			AuthInfo: map[string]interface{}{
-				"email":      claims.Email,
-				"first_name": firstname,
-				"last_name":  lastname,
-			},
-		})
 	}
 }
 
-func (ctrl *googleLoginController) loginError(sendError error) (resp arvados.LoginResponse, err error) {
-	tmpl, err := template.New("error").Parse(`<h2>Login error:</h2><p>{{.}}</p>`)
-	if err != nil {
-		return
+func countTrue(vals ...bool) int {
+	n := 0
+	for _, val := range vals {
+		if val {
+			n++
+		}
 	}
-	err = tmpl.Execute(&resp.HTML, sendError.Error())
-	return
+	return n
 }
 
-func (ctrl *googleLoginController) newOAuth2State(key []byte, remote, returnTo string) oauth2State {
-	s := oauth2State{
-		Time:     time.Now().Unix(),
-		Remote:   remote,
-		ReturnTo: returnTo,
-	}
-	s.HMAC = s.computeHMAC(key)
-	return s
+// Login and Logout are passed through to the parent's railsProxy;
+// UserAuthenticate is rejected.
+type ssoLoginController struct{ Parent *Conn }
+
+func (ctrl *ssoLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
+	return ctrl.Parent.railsProxy.Login(ctx, opts)
+}
+func (ctrl *ssoLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
+	return ctrl.Parent.railsProxy.Logout(ctx, opts)
+}
+func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+	return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
 }
 
-type oauth2State struct {
-	HMAC     []byte // hash of other fields; see computeHMAC()
-	Time     int64  // creation time (unix timestamp)
-	Remote   string // remote cluster if requesting a salted token, otherwise blank
-	ReturnTo string // redirect target
+type errorLoginController struct{ error }
+
+func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
+	return arvados.LoginResponse{}, ctrl.error
+}
+func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) {
+	return arvados.LogoutResponse{}, ctrl.error
+}
+func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+	return arvados.APIClientAuthorization{}, ctrl.error
 }
 
-func (ctrl *googleLoginController) parseOAuth2State(encoded string) (s oauth2State) {
-	// Errors are not checked. If decoding/parsing fails, the
-	// token will be rejected by verify().
-	decoded, _ := base64.RawURLEncoding.DecodeString(encoded)
-	f := strings.Split(string(decoded), "\n")
-	if len(f) != 4 {
-		return
-	}
-	fmt.Sscanf(f[0], "%x", &s.HMAC)
-	fmt.Sscanf(f[1], "%x", &s.Time)
-	fmt.Sscanf(f[2], "%s", &s.Remote)
-	fmt.Sscanf(f[3], "%s", &s.ReturnTo)
-	return
+type federatedLoginController struct {
+	Cluster *arvados.Cluster
 }
 
-func (s oauth2State) verify(key []byte) bool {
-	if delta := time.Now().Unix() - s.Time; delta < 0 || delta > 300 {
-		return false
-	}
-	return hmac.Equal(s.computeHMAC(key), s.HMAC)
+func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
+	return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest)
+}
+func (ctrl federatedLoginController) Logout(_ context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
+	return noopLogout(ctrl.Cluster, opts)
+}
+func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
+	return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
 }
 
-func (s oauth2State) String() string {
-	var buf bytes.Buffer
-	enc := base64.NewEncoder(base64.RawURLEncoding, &buf)
-	fmt.Fprintf(enc, "%x\n%x\n%s\n%s", s.HMAC, s.Time, s.Remote, s.ReturnTo)
-	enc.Close()
-	return buf.String()
+func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
+	target := opts.ReturnTo
+	if target == "" {
+		if cluster.Services.Workbench2.ExternalURL.Host != "" {
+			target = cluster.Services.Workbench2.ExternalURL.String()
+		} else {
+			target = cluster.Services.Workbench1.ExternalURL.String()
+		}
+	}
+	return arvados.LogoutResponse{RedirectLocation: target}, nil
 }
 
-func (s oauth2State) computeHMAC(key []byte) []byte {
-	mac := hmac.New(sha256.New, key)
-	fmt.Fprintf(mac, "%x %s %s", s.Time, s.Remote, s.ReturnTo)
-	return mac.Sum(nil)
+func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) {
+	if rootToken == "" {
+		return arvados.APIClientAuthorization{}, errors.New("configuration error: empty SystemRootToken")
+	}
+	ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}})
+	newsession, err := conn.railsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{
+		// Send a fake ReturnTo value instead of the caller's
+		// opts.ReturnTo. We won't follow the resulting
+		// redirect target anyway.
+		ReturnTo: ",https://controller.api.client.invalid",
+		AuthInfo: authinfo,
+	})
+	if err != nil {
+		return
+	}
+	target, err := url.Parse(newsession.RedirectLocation)
+	if err != nil {
+		return
+	}
+	token := target.Query().Get("api_token")
+	tx, err := ctrlctx.CurrentTx(ctx)
+	if err != nil {
+		return
+	}
+	tokensecret := token
+	if strings.Contains(token, "/") {
+		tokenparts := strings.Split(token, "/")
+		if len(tokenparts) >= 3 {
+			tokensecret = tokenparts[2]
+		}
+	}
+	var exp sql.NullString
+	var scopes []byte
+	err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
+	if err != nil {
+		return
+	}
+	resp.ExpiresAt = exp.String
+	if len(scopes) > 0 {
+		err = json.Unmarshal(scopes, &resp.Scopes)
+		if err != nil {
+			return resp, fmt.Errorf("unmarshal scopes: %s", err)
+		}
+	}
+	return
 }