X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/2c5417221843491727e4e5505012fc115e3bc7b0..HEAD:/lib/controller/localdb/login.go diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go index 1cd349a10e..f9b968a705 100644 --- a/lib/controller/localdb/login.go +++ b/lib/controller/localdb/login.go @@ -10,11 +10,13 @@ import ( "encoding/json" "errors" "fmt" + "net" "net/http" "net/url" "strings" "git.arvados.org/arvados.git/lib/controller/rpc" + "git.arvados.org/arvados.git/lib/ctrlctx" "git.arvados.org/arvados.git/sdk/go/arvados" "git.arvados.org/arvados.git/sdk/go/auth" "git.arvados.org/arvados.git/sdk/go/httpserver" @@ -26,54 +28,67 @@ type loginController interface { UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) } -func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController { +func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController { wantGoogle := cluster.Login.Google.Enable wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable - wantSSO := cluster.Login.SSO.Enable wantPAM := cluster.Login.PAM.Enable wantLDAP := cluster.Login.LDAP.Enable + wantTest := cluster.Login.Test.Enable + wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID switch { - case wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP: + case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster): + return errorLoginController{ + error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"), + } + case wantGoogle: return &oidcLoginController{ Cluster: cluster, - RailsProxy: railsProxy, + Parent: parent, Issuer: "https://accounts.google.com", ClientID: cluster.Login.Google.ClientID, ClientSecret: cluster.Login.Google.ClientSecret, + AuthParams: cluster.Login.Google.AuthenticationRequestParameters, UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses, EmailClaim: "email", EmailVerifiedClaim: "email_verified", } - case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP: + case wantOpenIDConnect: return &oidcLoginController{ - Cluster: cluster, - RailsProxy: railsProxy, - Issuer: cluster.Login.OpenIDConnect.Issuer, - ClientID: cluster.Login.OpenIDConnect.ClientID, - ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, - EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, - EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, - UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + Cluster: cluster, + Parent: parent, + Issuer: cluster.Login.OpenIDConnect.Issuer, + ClientID: cluster.Login.OpenIDConnect.ClientID, + ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, + AuthParams: cluster.Login.OpenIDConnect.AuthenticationRequestParameters, + EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, + EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, + UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + AcceptAccessToken: cluster.Login.OpenIDConnect.AcceptAccessToken, + AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope, } - case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP: - return &ssoLoginController{railsProxy} - case !wantGoogle && !wantOpenIDConnect && !wantSSO && wantPAM && !wantLDAP: - return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy} - case !wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && wantLDAP: - return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy} + case wantPAM: + return &pamLoginController{Cluster: cluster, Parent: parent} + case wantLDAP: + return &ldapLoginController{Cluster: cluster, Parent: parent} + case wantTest: + return &testLoginController{Cluster: cluster, Parent: parent} + case wantLoginCluster: + return &federatedLoginController{Cluster: cluster} default: return errorLoginController{ - error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, and Login.LDAP must be enabled"), + error: errors.New("BUG: missing case in login controller setup switch"), } } } -// Login and Logout are passed through to the wrapped railsProxy; -// UserAuthenticate is rejected. -type ssoLoginController struct{ *railsProxy } - -func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { - return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) +func countTrue(vals ...bool) int { + n := 0 + for _, val := range vals { + if val { + n++ + } + } + return n } type errorLoginController struct{ error } @@ -88,25 +103,30 @@ func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserA return arvados.APIClientAuthorization{}, ctrl.error } -func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { - target := opts.ReturnTo - if target == "" { - if cluster.Services.Workbench2.ExternalURL.Host != "" { - target = cluster.Services.Workbench2.ExternalURL.String() - } else { - target = cluster.Services.Workbench1.ExternalURL.String() - } - } - return arvados.LogoutResponse{RedirectLocation: target}, nil +type federatedLoginController struct { + Cluster *arvados.Cluster } -func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { +func (ctrl federatedLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { + return arvados.LoginResponse{}, httpserver.ErrorWithStatus(errors.New("Should have been redirected to login cluster"), http.StatusBadRequest) +} +func (ctrl federatedLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { + return logout(ctx, ctrl.Cluster, opts) +} +func (ctrl federatedLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { + return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) +} + +func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { + if rootToken == "" { + return arvados.APIClientAuthorization{}, errors.New("configuration error: empty SystemRootToken") + } ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}}) - newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ + newsession, err := conn.railsProxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ // Send a fake ReturnTo value instead of the caller's // opts.ReturnTo. We won't follow the resulting // redirect target anyway. - ReturnTo: ",https://none.invalid", + ReturnTo: ",https://controller.api.client.invalid", AuthInfo: authinfo, }) if err != nil { @@ -117,7 +137,7 @@ func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken return } token := target.Query().Get("api_token") - tx, err := currenttx(ctx) + tx, err := ctrlctx.CurrentTx(ctx) if err != nil { return } @@ -128,13 +148,13 @@ func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken tokensecret = tokenparts[2] } } - var exp sql.NullString + var exp sql.NullTime var scopes []byte - err = tx.QueryRowContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes) + err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes) if err != nil { return } - resp.ExpiresAt = exp.String + resp.ExpiresAt = exp.Time if len(scopes) > 0 { err = json.Unmarshal(scopes, &resp.Scopes) if err != nil { @@ -143,3 +163,68 @@ func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken } return } + +var errUserinfoInRedirectTarget = errors.New("redirect target rejected because it contains userinfo") + +func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error { + u, err := url.Parse(returnTo) + if err != nil { + return err + } + u, err = u.Parse("/") + if err != nil { + return err + } + if u.User != nil { + return errUserinfoInRedirectTarget + } + target := origin(*u) + for trusted := range cluster.Login.TrustedClients { + trustedOrigin := origin(url.URL(trusted)) + if trustedOrigin == target { + return nil + } + // If TrustedClients has https://*.bar.example, we + // trust https://foo.bar.example. Note origin() has + // already stripped the incoming Path, so we won't + // accidentally trust + // https://attacker.example/pwn.bar.example here. See + // tests. + if strings.HasPrefix(trustedOrigin, u.Scheme+"://*.") && strings.HasSuffix(target, trustedOrigin[len(u.Scheme)+4:]) { + return nil + } + } + if target == origin(url.URL(cluster.Services.Workbench1.ExternalURL)) || + target == origin(url.URL(cluster.Services.Workbench2.ExternalURL)) { + return nil + } + if cluster.Login.TrustPrivateNetworks { + if u.Hostname() == "localhost" { + return nil + } + if ip := net.ParseIP(u.Hostname()); len(ip) > 0 { + for _, n := range privateNetworks { + if n.Contains(ip) { + return nil + } + } + } + } + return fmt.Errorf("requesting site is not listed in TrustedClients config") +} + +// origin returns the canonical origin of a URL, e.g., +// origin("https://example:443/foo") returns "https://example/" +func origin(u url.URL) string { + origin := url.URL{ + Scheme: u.Scheme, + Host: u.Host, + Path: "/", + } + if origin.Port() == "80" && origin.Scheme == "http" { + origin.Host = origin.Hostname() + } else if origin.Port() == "443" && origin.Scheme == "https" { + origin.Host = origin.Hostname() + } + return origin.String() +}