remove oidc migration (#2411)
* remove oidc migration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby
GitHub
parent
3bf7d5a9c9
commit
b92bd3d27e
7 changed files with 12 additions and 231 deletions
|
|
@ -442,32 +442,6 @@ func (a *AuthProviderOIDC) createOrUpdateUserFromClaim(
|
|||
return nil, fmt.Errorf("creating or updating user: %w", err)
|
||||
}
|
||||
|
||||
// This check is for legacy, if the user cannot be found by the OIDC identifier
|
||||
// look it up by username. This should only be needed once.
|
||||
// This branch will persist for a number of versions after the OIDC migration and
|
||||
// then be removed following a deprecation.
|
||||
// TODO(kradalby): Remove when strip_email_domain and migration is removed
|
||||
// after #2170 is cleaned up.
|
||||
if a.cfg.MapLegacyUsers && user == nil {
|
||||
log.Trace().Str("username", claims.Username).Str("sub", claims.Sub).Msg("user not found by OIDC identifier, looking up by username")
|
||||
if oldUsername, err := getUserName(claims, a.cfg.StripEmaildomain); err == nil {
|
||||
log.Trace().Str("old_username", oldUsername).Str("sub", claims.Sub).Msg("found username")
|
||||
user, err = a.db.GetUserByName(oldUsername)
|
||||
if err != nil && !errors.Is(err, db.ErrUserNotFound) {
|
||||
return nil, fmt.Errorf("getting user: %w", err)
|
||||
}
|
||||
|
||||
// If the user exists, but it already has a provider identifier (OIDC sub), create a new user.
|
||||
// This is to prevent users that have already been migrated to the new OIDC format
|
||||
// to be updated with the new OIDC identifier inexplicitly which might be the cause of an
|
||||
// account takeover.
|
||||
if user != nil && user.ProviderIdentifier.Valid {
|
||||
log.Info().Str("username", claims.Username).Str("sub", claims.Sub).Msg("user found by username, but has provider identifier, creating new user.")
|
||||
user = &types.User{}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// if the user is still not found, create a new empty user.
|
||||
if user == nil {
|
||||
user = &types.User{}
|
||||
|
|
@ -548,27 +522,6 @@ func renderOIDCCallbackTemplate(
|
|||
return &content, nil
|
||||
}
|
||||
|
||||
// TODO(kradalby): Reintroduce when strip_email_domain is removed
|
||||
// after #2170 is cleaned up
|
||||
// DEPRECATED: DO NOT USE.
|
||||
func getUserName(
|
||||
claims *types.OIDCClaims,
|
||||
stripEmaildomain bool,
|
||||
) (string, error) {
|
||||
if !claims.EmailVerified {
|
||||
return "", fmt.Errorf("email not verified")
|
||||
}
|
||||
userName, err := util.NormalizeToFQDNRules(
|
||||
claims.Email,
|
||||
stripEmaildomain,
|
||||
)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return userName, nil
|
||||
}
|
||||
|
||||
func setCSRFCookie(w http.ResponseWriter, r *http.Request, name string) (string, error) {
|
||||
val, err := util.GenerateRandomStringURLSafe(64)
|
||||
if err != nil {
|
||||
|
|
|
|||
|
|
@ -13,7 +13,6 @@ import (
|
|||
"github.com/juanfont/headscale/hscontrol/types"
|
||||
"github.com/juanfont/headscale/hscontrol/util"
|
||||
"github.com/rs/zerolog/log"
|
||||
"github.com/spf13/viper"
|
||||
"github.com/stretchr/testify/require"
|
||||
"go4.org/netipx"
|
||||
"gopkg.in/check.v1"
|
||||
|
|
@ -681,8 +680,6 @@ func Test_expandGroup(t *testing.T) {
|
|||
}
|
||||
for _, test := range tests {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
viper.Set("oidc.strip_email_domain", test.args.stripEmail)
|
||||
|
||||
got, err := test.field.pol.expandUsersFromGroup(
|
||||
test.args.group,
|
||||
)
|
||||
|
|
|
|||
|
|
@ -180,10 +180,8 @@ type OIDCConfig struct {
|
|||
AllowedDomains []string
|
||||
AllowedUsers []string
|
||||
AllowedGroups []string
|
||||
StripEmaildomain bool
|
||||
Expiry time.Duration
|
||||
UseExpiryFromToken bool
|
||||
MapLegacyUsers bool
|
||||
PKCE PKCEConfig
|
||||
}
|
||||
|
||||
|
|
@ -315,11 +313,9 @@ func LoadConfig(path string, isFile bool) error {
|
|||
viper.SetDefault("database.sqlite.wal_autocheckpoint", 1000) // SQLite default
|
||||
|
||||
viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
|
||||
viper.SetDefault("oidc.strip_email_domain", true)
|
||||
viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
|
||||
viper.SetDefault("oidc.expiry", "180d")
|
||||
viper.SetDefault("oidc.use_expiry_from_token", false)
|
||||
viper.SetDefault("oidc.map_legacy_users", false)
|
||||
viper.SetDefault("oidc.pkce.enabled", false)
|
||||
viper.SetDefault("oidc.pkce.method", "S256")
|
||||
|
||||
|
|
@ -365,9 +361,9 @@ func validateServerConfig() error {
|
|||
depr.fatal("dns.use_username_in_magic_dns")
|
||||
depr.fatal("dns_config.use_username_in_magic_dns")
|
||||
|
||||
// TODO(kradalby): Reintroduce when strip_email_domain is removed
|
||||
// after #2170 is cleaned up
|
||||
// depr.fatal("oidc.strip_email_domain")
|
||||
// Removed since version v0.26.0
|
||||
depr.fatal("oidc.strip_email_domain")
|
||||
depr.fatal("oidc.map_legacy_users")
|
||||
|
||||
if viper.GetBool("oidc.enabled") {
|
||||
if err := validatePKCEMethod(viper.GetString("oidc.pkce.method")); err != nil {
|
||||
|
|
@ -377,19 +373,6 @@ func validateServerConfig() error {
|
|||
|
||||
depr.Log()
|
||||
|
||||
for _, removed := range []string{
|
||||
// TODO(kradalby): Reintroduce when strip_email_domain is removed
|
||||
// after #2170 is cleaned up
|
||||
// "oidc.strip_email_domain",
|
||||
"dns.use_username_in_magic_dns",
|
||||
"dns_config.use_username_in_magic_dns",
|
||||
} {
|
||||
if viper.IsSet(removed) {
|
||||
log.Fatal().
|
||||
Msgf("Fatal config error: %s has been removed. Please remove it from your config file", removed)
|
||||
}
|
||||
}
|
||||
|
||||
if viper.IsSet("dns.extra_records") && viper.IsSet("dns.extra_records_path") {
|
||||
log.Fatal().Msg("Fatal config error: dns.extra_records and dns.extra_records_path are mutually exclusive. Please remove one of them from your config file")
|
||||
}
|
||||
|
|
@ -959,10 +942,6 @@ func LoadServerConfig() (*Config, error) {
|
|||
}
|
||||
}(),
|
||||
UseExpiryFromToken: viper.GetBool("oidc.use_expiry_from_token"),
|
||||
// TODO(kradalby): Remove when strip_email_domain is removed
|
||||
// after #2170 is cleaned up
|
||||
StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
|
||||
MapLegacyUsers: viper.GetBool("oidc.map_legacy_users"),
|
||||
PKCE: PKCEConfig{
|
||||
Enabled: viper.GetBool("oidc.pkce.enabled"),
|
||||
Method: viper.GetString("oidc.pkce.method"),
|
||||
|
|
|
|||
|
|
@ -227,32 +227,3 @@ func GenerateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
|
|||
|
||||
return fqdns
|
||||
}
|
||||
|
||||
// TODO(kradalby): Reintroduce when strip_email_domain is removed
|
||||
// after #2170 is cleaned up
|
||||
// DEPRECATED: DO NOT USE
|
||||
// NormalizeToFQDNRules will replace forbidden chars in user
|
||||
// it can also return an error if the user doesn't respect RFC 952 and 1123.
|
||||
func NormalizeToFQDNRules(name string, stripEmailDomain bool) (string, error) {
|
||||
name = strings.ToLower(name)
|
||||
name = strings.ReplaceAll(name, "'", "")
|
||||
atIdx := strings.Index(name, "@")
|
||||
if stripEmailDomain && atIdx > 0 {
|
||||
name = name[:atIdx]
|
||||
} else {
|
||||
name = strings.ReplaceAll(name, "@", ".")
|
||||
}
|
||||
name = invalidDNSRegex.ReplaceAllString(name, "-")
|
||||
|
||||
for _, elt := range strings.Split(name, ".") {
|
||||
if len(elt) > LabelHostnameLength {
|
||||
return "", fmt.Errorf(
|
||||
"label %v is more than 63 chars: %w",
|
||||
elt,
|
||||
ErrInvalidUserName,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
return name, nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue