X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ed4d8462e763eb1d8c8f1548912495563cd9288f..cf315eea954e291f56999eb5dcdec559a08e70c0:/lib/controller/localdb/login.go

diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 0d6f2ef027..f9b968a705 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
@@ -30,15 +31,14 @@ type loginController interface {
 func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginController {
 	wantGoogle := cluster.Login.Google.Enable
 	wantOpenIDConnect := cluster.Login.OpenIDConnect.Enable
-	wantSSO := cluster.Login.SSO.Enable
 	wantPAM := cluster.Login.PAM.Enable
 	wantLDAP := cluster.Login.LDAP.Enable
 	wantTest := cluster.Login.Test.Enable
 	wantLoginCluster := cluster.Login.LoginCluster != "" && cluster.Login.LoginCluster != cluster.ClusterID
 	switch {
-	case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantSSO, wantPAM, wantLDAP, wantTest, wantLoginCluster):
+	case 1 != countTrue(wantGoogle, wantOpenIDConnect, wantPAM, wantLDAP, wantTest, wantLoginCluster):
 		return errorLoginController{
-			error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.SSO, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
+			error: errors.New("configuration problem: exactly one of Login.Google, Login.OpenIDConnect, Login.PAM, Login.LDAP, Login.Test, or Login.LoginCluster must be set"),
 		}
 	case wantGoogle:
 		return &oidcLoginController{
@@ -66,8 +66,6 @@ func chooseLoginController(cluster *arvados.Cluster, parent *Conn) loginControll
 			AcceptAccessToken:      cluster.Login.OpenIDConnect.AcceptAccessToken,
 			AcceptAccessTokenScope: cluster.Login.OpenIDConnect.AcceptAccessTokenScope,
 		}
-	case wantSSO:
-		return &ssoLoginController{Parent: parent}
 	case wantPAM:
 		return &pamLoginController{Cluster: cluster, Parent: parent}
 	case wantLDAP:
@@ -93,20 +91,6 @@ func countTrue(vals ...bool) int {
 	return n
 }
 
-// Login and Logout are passed through to the parent's railsProxy;
-// UserAuthenticate is rejected.
-type ssoLoginController struct{ Parent *Conn }
-
-func (ctrl *ssoLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
-	return ctrl.Parent.railsProxy.Login(ctx, opts)
-}
-func (ctrl *ssoLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
-	return ctrl.Parent.railsProxy.Logout(ctx, opts)
-}
-func (ctrl *ssoLoginController) UserAuthenticate(ctx context.Context, opts arvados.UserAuthenticateOptions) (arvados.APIClientAuthorization, error) {
-	return arvados.APIClientAuthorization{}, httpserver.ErrorWithStatus(errors.New("username/password authentication is not available"), http.StatusBadRequest)
-}
-
 type errorLoginController struct{ error }
 
 func (ctrl errorLoginController) Login(context.Context, arvados.LoginOptions) (arvados.LoginResponse, error) {
@@ -164,13 +148,13 @@ func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken st
 			tokensecret = tokenparts[2]
 		}
 	}
-	var exp sql.NullString
+	var exp sql.NullTime
 	var scopes []byte
 	err = tx.QueryRowxContext(ctx, "select uuid, api_token, expires_at, scopes from api_client_authorizations where api_token=$1", tokensecret).Scan(&resp.UUID, &resp.APIToken, &exp, &scopes)
 	if err != nil {
 		return
 	}
-	resp.ExpiresAt = exp.String
+	resp.ExpiresAt = exp.Time
 	if len(scopes) > 0 {
 		err = json.Unmarshal(scopes, &resp.Scopes)
 		if err != nil {
@@ -179,3 +163,68 @@ func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken st
 	}
 	return
 }
+
+var errUserinfoInRedirectTarget = errors.New("redirect target rejected because it contains userinfo")
+
+func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error {
+	u, err := url.Parse(returnTo)
+	if err != nil {
+		return err
+	}
+	u, err = u.Parse("/")
+	if err != nil {
+		return err
+	}
+	if u.User != nil {
+		return errUserinfoInRedirectTarget
+	}
+	target := origin(*u)
+	for trusted := range cluster.Login.TrustedClients {
+		trustedOrigin := origin(url.URL(trusted))
+		if trustedOrigin == target {
+			return nil
+		}
+		// If TrustedClients has https://*.bar.example, we
+		// trust https://foo.bar.example. Note origin() has
+		// already stripped the incoming Path, so we won't
+		// accidentally trust
+		// https://attacker.example/pwn.bar.example here. See
+		// tests.
+		if strings.HasPrefix(trustedOrigin, u.Scheme+"://*.") && strings.HasSuffix(target, trustedOrigin[len(u.Scheme)+4:]) {
+			return nil
+		}
+	}
+	if target == origin(url.URL(cluster.Services.Workbench1.ExternalURL)) ||
+		target == origin(url.URL(cluster.Services.Workbench2.ExternalURL)) {
+		return nil
+	}
+	if cluster.Login.TrustPrivateNetworks {
+		if u.Hostname() == "localhost" {
+			return nil
+		}
+		if ip := net.ParseIP(u.Hostname()); len(ip) > 0 {
+			for _, n := range privateNetworks {
+				if n.Contains(ip) {
+					return nil
+				}
+			}
+		}
+	}
+	return fmt.Errorf("requesting site is not listed in TrustedClients config")
+}
+
+// origin returns the canonical origin of a URL, e.g.,
+// origin("https://example:443/foo") returns "https://example/"
+func origin(u url.URL) string {
+	origin := url.URL{
+		Scheme: u.Scheme,
+		Host:   u.Host,
+		Path:   "/",
+	}
+	if origin.Port() == "80" && origin.Scheme == "http" {
+		origin.Host = origin.Hostname()
+	} else if origin.Port() == "443" && origin.Scheme == "https" {
+		origin.Host = origin.Hostname()
+	}
+	return origin.String()
+}