X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e459f4e2d40762f67ffedafbe988c8da6f4f04d4..65b05a0f63dd137d680af4d98ae8d32dd2603158:/lib/controller/localdb/login.go diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go index e96b940ef7..dc2c7c875c 100644 --- a/lib/controller/localdb/login.go +++ b/lib/controller/localdb/login.go @@ -5,278 +5,141 @@ package localdb import ( - "bytes" "context" - "crypto/hmac" - "crypto/sha256" - "encoding/base64" + "database/sql" + "encoding/json" "errors" "fmt" + "net/http" "net/url" "strings" - "sync" - "text/template" - "time" "git.arvados.org/arvados.git/lib/controller/rpc" "git.arvados.org/arvados.git/sdk/go/arvados" "git.arvados.org/arvados.git/sdk/go/auth" - "git.arvados.org/arvados.git/sdk/go/ctxlog" - "github.com/coreos/go-oidc" - "golang.org/x/oauth2" - "google.golang.org/api/option" - "google.golang.org/api/people/v1" + "git.arvados.org/arvados.git/sdk/go/httpserver" ) -type googleLoginController struct { - issuer string // override OIDC issuer URL (normally https://accounts.google.com) for testing - peopleAPIBasePath string // override Google People API base URL (normally set by google pkg to https://people.googleapis.com/) - provider *oidc.Provider - mu sync.Mutex +type loginController interface { + Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) + Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) + UserAuthenticate(ctx context.Context, options arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) } -func (ctrl *googleLoginController) getProvider() (*oidc.Provider, error) { - ctrl.mu.Lock() - defer ctrl.mu.Unlock() - if ctrl.provider == nil { - issuer := ctrl.issuer - if issuer == "" { - issuer = "https://accounts.google.com" +func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) loginController { + wantGoogle := cluster.Login.Google.Enable + wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable + wantSSO := cluster.Login.SSO.Enable + wantPAM := cluster.Login.PAM.Enable + wantLDAP := cluster.Login.LDAP.Enable + switch { + case wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP: + return &oidcLoginController{ + Cluster: cluster, + RailsProxy: railsProxy, + Issuer: "https://accounts.google.com", + ClientID: cluster.Login.Google.ClientID, + ClientSecret: cluster.Login.Google.ClientSecret, + UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses, + EmailClaim: "email", + EmailVerifiedClaim: "email_verified", + } + case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP: + return &oidcLoginController{ + Cluster: cluster, + RailsProxy: railsProxy, + Issuer: cluster.Login.OpenIDConnect.Issuer, + ClientID: cluster.Login.OpenIDConnect.ClientID, + ClientSecret: cluster.Login.OpenIDConnect.ClientSecret, + EmailClaim: cluster.Login.OpenIDConnect.EmailClaim, + EmailVerifiedClaim: cluster.Login.OpenIDConnect.EmailVerifiedClaim, + UsernameClaim: cluster.Login.OpenIDConnect.UsernameClaim, + } + case !wantGoogle && !wantOpenIDConnect && wantSSO && !wantPAM && !wantLDAP: + return &ssoLoginController{railsProxy} + case !wantGoogle && !wantOpenIDConnect && !wantSSO && wantPAM && !wantLDAP: + return &pamLoginController{Cluster: cluster, RailsProxy: railsProxy} + case !wantGoogle && !wantOpenIDConnect && !wantSSO && !wantPAM && wantLDAP: + return &ldapLoginController{Cluster: cluster, RailsProxy: railsProxy} + default: + return errorLoginController{ + error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, and Login.LDAP must be enabled"), } - provider, err := oidc.NewProvider(context.Background(), issuer) - if err != nil { - return nil, err - } - ctrl.provider = provider } - return ctrl.provider, nil } -func (ctrl *googleLoginController) Logout(ctx context.Context, cluster *arvados.Cluster, railsproxy *railsProxy, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { - return arvados.LogoutResponse{RedirectLocation: opts.ReturnTo}, nil -} +// Login and Logout are passed through to the wrapped railsProxy; +// UserAuthenticate is rejected. +type ssoLoginController struct{ *railsProxy } -func (ctrl *googleLoginController) Login(ctx context.Context, cluster *arvados.Cluster, railsproxy *railsProxy, opts arvados.LoginOptions) (arvados.LoginResponse, error) { - provider, err := ctrl.getProvider() - if err != nil { - return ctrl.loginError(fmt.Errorf("error setting up OpenID Connect provider: %s", err)) - } - redirURL, err := (*url.URL)(&cluster.Services.Controller.ExternalURL).Parse("/login") - if err != nil { - return ctrl.loginError(fmt.Errorf("error making redirect URL: %s", err)) - } - conf := &oauth2.Config{ - ClientID: cluster.Login.GoogleClientID, - ClientSecret: cluster.Login.GoogleClientSecret, - Endpoint: provider.Endpoint(), - Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, - RedirectURL: redirURL.String(), - } - verifier := provider.Verifier(&oidc.Config{ - ClientID: conf.ClientID, - }) - if opts.State == "" { - // Initiate Google sign-in. - if opts.ReturnTo == "" { - return ctrl.loginError(errors.New("missing return_to parameter")) - } - me := url.URL(cluster.Services.Controller.ExternalURL) - callback, err := me.Parse("/" + arvados.EndpointLogin.Path) - if err != nil { - return ctrl.loginError(err) - } - conf.RedirectURL = callback.String() - state := ctrl.newOAuth2State([]byte(cluster.SystemRootToken), opts.Remote, opts.ReturnTo) - return arvados.LoginResponse{ - RedirectLocation: conf.AuthCodeURL(state.String(), - // prompt=select_account tells Google - // to show the "choose which Google - // account" page, even if the client - // is currently logged in to exactly - // one Google account. - oauth2.SetAuthURLParam("prompt", "select_account")), - }, nil - } else { - // Callback after Google sign-in. - state := ctrl.parseOAuth2State(opts.State) - if !state.verify([]byte(cluster.SystemRootToken)) { - return ctrl.loginError(errors.New("invalid OAuth2 state")) - } - oauth2Token, err := conf.Exchange(ctx, opts.Code) - if err != nil { - return ctrl.loginError(fmt.Errorf("error in OAuth2 exchange: %s", err)) - } - rawIDToken, ok := oauth2Token.Extra("id_token").(string) - if !ok { - return ctrl.loginError(errors.New("error in OAuth2 exchange: no ID token in OAuth2 token")) - } - idToken, err := verifier.Verify(ctx, rawIDToken) - if err != nil { - return ctrl.loginError(fmt.Errorf("error verifying ID token: %s", err)) - } - authinfo, err := ctrl.getAuthInfo(ctx, cluster, conf, oauth2Token, idToken) - if err != nil { - return ctrl.loginError(err) - } - ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{cluster.SystemRootToken}}) - return railsproxy.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ - ReturnTo: state.Remote + "," + state.ReturnTo, - AuthInfo: *authinfo, - }) - } +func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { + return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest) } -// Use a person's token to get all of their email addresses, with the -// primary address at index 0. The provided defaultAddr is always -// included in the returned slice, and is used as the primary if the -// Google API does not indicate one. -func (ctrl *googleLoginController) getAuthInfo(ctx context.Context, cluster *arvados.Cluster, conf *oauth2.Config, token *oauth2.Token, idToken *oidc.IDToken) (*rpc.UserSessionAuthInfo, error) { - var ret rpc.UserSessionAuthInfo - defer ctxlog.FromContext(ctx).WithField("ret", &ret).Debug("getAuthInfo returned") +type errorLoginController struct{ error } - var claims struct { - Name string `json:"name"` - Email string `json:"email"` - Verified bool `json:"email_verified"` - } - if err := idToken.Claims(&claims); err != nil { - return nil, fmt.Errorf("error extracting claims from ID token: %s", err) - } else if claims.Verified { - // Fall back to this info if the People API call - // (below) doesn't return a primary && verified email. - if names := strings.Fields(strings.TrimSpace(claims.Name)); len(names) > 1 { - ret.FirstName = strings.Join(names[0:len(names)-1], " ") - ret.LastName = names[len(names)-1] - } else { - ret.FirstName = names[0] - } - ret.Email = claims.Email - } +func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) { + return arvados.LoginResponse{}, ctrl.error +} +func (ctrl errorLoginController) Logout(context.Context, arvados.LogoutOptions) (arvados.LogoutResponse, error) { + return arvados.LogoutResponse{}, ctrl.error +} +func (ctrl errorLoginController) UserAuthenticate(context.Context, arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) { + return arvados.APIClientAuthorization{}, ctrl.error +} - if !cluster.Login.GoogleAlternateEmailAddresses { - if ret.Email == "" { - return nil, fmt.Errorf("cannot log in with unverified email address %q", claims.Email) +func noopLogout(cluster *arvados.Cluster, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) { + target := opts.ReturnTo + if target == "" { + if cluster.Services.Workbench2.ExternalURL.Host != "" { + target = cluster.Services.Workbench2.ExternalURL.String() + } else { + target = cluster.Services.Workbench1.ExternalURL.String() } - return &ret, nil } + return arvados.LogoutResponse{RedirectLocation: target}, nil +} - svc, err := people.NewService(ctx, option.WithTokenSource(conf.TokenSource(ctx, token)), option.WithScopes(people.UserEmailsReadScope)) +func createAPIClientAuthorization(ctx context.Context, conn *rpc.Conn, rootToken string, authinfo rpc.UserSessionAuthInfo) (resp arvados.APIClientAuthorization, err error) { + ctxRoot := auth.NewContext(ctx, &auth.Credentials{Tokens: []string{rootToken}}) + newsession, err := conn.UserSessionCreate(ctxRoot, rpc.UserSessionCreateOptions{ + // Send a fake ReturnTo value instead of the caller's + // opts.ReturnTo. We won't follow the resulting + // redirect target anyway. + ReturnTo: ",https://none.invalid", + AuthInfo: authinfo, + }) if err != nil { - return nil, fmt.Errorf("error setting up People API: %s", err) - } - if p := ctrl.peopleAPIBasePath; p != "" { - // Override normal API endpoint (for testing) - svc.BasePath = p + return } - person, err := people.NewPeopleService(svc).Get("people/me").PersonFields("emailAddresses,names").Do() + target, err := url.Parse(newsession.RedirectLocation) if err != nil { - if strings.Contains(err.Error(), "Error 403") && strings.Contains(err.Error(), "accessNotConfigured") { - // Log the original API error, but display - // only the "fix config" advice to the user. - ctxlog.FromContext(ctx).WithError(err).WithField("email", ret.Email).Error("People API is not enabled") - return nil, errors.New("configuration error: Login.GoogleAlternateEmailAddresses is true, but Google People API is not enabled") - } else { - return nil, fmt.Errorf("error getting profile info from People API: %s", err) - } - } - - // The given/family names returned by the People API and - // flagged as "primary" (if any) take precedence over the - // split-by-whitespace result from above. - for _, name := range person.Names { - if name.Metadata != nil && name.Metadata.Primary { - ret.FirstName = name.GivenName - ret.LastName = name.FamilyName - break - } - } - - altEmails := map[string]bool{} - if ret.Email != "" { - altEmails[ret.Email] = true - } - for _, ea := range person.EmailAddresses { - if ea.Metadata == nil || !ea.Metadata.Verified { - ctxlog.FromContext(ctx).WithField("address", ea.Value).Info("skipping unverified email address") - continue - } - altEmails[ea.Value] = true - if ea.Metadata.Primary || ret.Email == "" { - ret.Email = ea.Value - } + return } - if len(altEmails) == 0 { - return nil, errors.New("cannot log in without a verified email address") + token := target.Query().Get("api_token") + tx, err := currenttx(ctx) + if err != nil { + return } - for ae := range altEmails { - if ae != ret.Email { - ret.AlternateEmails = append(ret.AlternateEmails, ae) - if i := strings.Index(ae, "@"); i > 0 && strings.ToLower(ae[i+1:]) == strings.ToLower(cluster.Users.PreferDomainForUsername) { - ret.Username = strings.SplitN(ae[:i], "+", 2)[0] - } + tokensecret := token + if strings.Contains(token, "/") { + tokenparts := strings.Split(token, "/") + if len(tokenparts) >= 3 { + tokensecret = tokenparts[2] } } - return &ret, nil -} - -func (ctrl *googleLoginController) loginError(sendError error) (resp arvados.LoginResponse, err error) { - tmpl, err := template.New("error").Parse(`

Login error:

{{.}}

`) + var exp sql.NullString + var scopes []byte + err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes) if err != nil { return } - err = tmpl.Execute(&resp.HTML, sendError.Error()) - return -} - -func (ctrl *googleLoginController) newOAuth2State(key []byte, remote, returnTo string) oauth2State { - s := oauth2State{ - Time: time.Now().Unix(), - Remote: remote, - ReturnTo: returnTo, - } - s.HMAC = s.computeHMAC(key) - return s -} - -type oauth2State struct { - HMAC []byte // hash of other fields; see computeHMAC() - Time int64 // creation time (unix timestamp) - Remote string // remote cluster if requesting a salted token, otherwise blank - ReturnTo string // redirect target -} - -func (ctrl *googleLoginController) parseOAuth2State(encoded string) (s oauth2State) { - // Errors are not checked. If decoding/parsing fails, the - // token will be rejected by verify(). - decoded, _ := base64.RawURLEncoding.DecodeString(encoded) - f := strings.Split(string(decoded), "\n") - if len(f) != 4 { - return + resp.ExpiresAt = exp.String + if len(scopes) > 0 { + err = json.Unmarshal(scopes, &resp.Scopes) + if err != nil { + return resp, fmt.Errorf("unmarshal scopes: %s", err) + } } - fmt.Sscanf(f[0], "%x", &s.HMAC) - fmt.Sscanf(f[1], "%x", &s.Time) - fmt.Sscanf(f[2], "%s", &s.Remote) - fmt.Sscanf(f[3], "%s", &s.ReturnTo) return } - -func (s oauth2State) verify(key []byte) bool { - if delta := time.Now().Unix() - s.Time; delta < 0 || delta > 300 { - return false - } - return hmac.Equal(s.computeHMAC(key), s.HMAC) -} - -func (s oauth2State) String() string { - var buf bytes.Buffer - enc := base64.NewEncoder(base64.RawURLEncoding, &buf) - fmt.Fprintf(enc, "%x\n%x\n%s\n%s", s.HMAC, s.Time, s.Remote, s.ReturnTo) - enc.Close() - return buf.String() -} - -func (s oauth2State) computeHMAC(key []byte) []byte { - mac := hmac.New(sha256.New, key) - fmt.Fprintf(mac, "%x %s %s", s.Time, s.Remote, s.ReturnTo) - return mac.Sum(nil) -}