initial work on OIDC (SSO) integration

2021-09-26 16:53:05 +08:00 · 2021-09-26 16:53:05 +08:00 · e7a2501fe8
commit e7a2501fe8
parent 83815f567d
6 changed files with 347 additions and 4 deletions
--- a/oidc.go
+++ b/oidc.go
@ -0,0 +1,310 @@
+package headscale
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/gin-gonic/gin"
+	"github.com/patrickmn/go-cache"
+	"github.com/rs/zerolog/log"
+	"github.com/s12v/go-jwks"
+	"gopkg.in/square/go-jose.v2/jwt"
+	"gorm.io/gorm"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+type OpenIDConfiguration struct {
+	Issuer                string `json:"issuer"`
+	AuthorizationEndpoint string `json:"authorization_endpoint"`
+	TokenEndpoint         string `json:"token_endpoint"`
+	JWKSURI               string `json:"jwks_uri"`
+}
+
+type OpenIDTokens struct {
+	AccessToken      string `json:"access_token"`
+	ExpiresIn        int    `json:"expires_in"`
+	IdToken          string `json:"id_token"`
+	NotBeforePolicy  int    `json:"not-before-policy,omitempty"`
+	RefreshExpiresIn int    `json:"refresh_expires_in"`
+	RefreshToken     string `json:"refresh_token"`
+	Scope            string `json:"scope"`
+	SessionState     string `json:"session_state,omitempty"`
+	TokenType        string `json:"token_type,omitempty"`
+}
+
+type AccessToken struct {
+	jwt.Claims
+	Name     string   `json:"name,omitempty"`
+	Groups   []string `json:"groups,omitempty"`
+	Email    string   `json:"email"`
+	Username string   `json:"preferred_username,omitempty"`
+}
+
+var oidcConfig *OpenIDConfiguration
+var stateCache *cache.Cache
+var jwksSource *jwks.WebSource
+var jwksClient jwks.JWKSClient
+
+func verifyToken(token string) (*AccessToken, error) {
+
+	if jwksClient == nil {
+		jwksSource = jwks.NewWebSource(oidcConfig.JWKSURI)
+		jwksClient = jwks.NewDefaultClient(
+			jwksSource,
+			time.Hour,    // Refresh keys every 1 hour
+			12*time.Hour, // Expire keys after 12 hours
+		)
+	}
+
+	//decode jwt
+	tok, err := jwt.ParseSigned(token)
+	if err != nil {
+		return nil, err
+	}
+
+	if tok.Headers[0].KeyID != "" {
+		log.Debug().Msgf("Checking KID %s\n", tok.Headers[0].KeyID)
+
+		jwk, err := jwksClient.GetSignatureKey(tok.Headers[0].KeyID)
+		if err != nil {
+			return nil, err
+		}
+
+		claims := AccessToken{}
+
+		err = tok.Claims(jwk.Certificates[0].PublicKey, &claims)
+		if err != nil {
+			return nil, err
+		} else {
+
+			err = claims.Validate(jwt.Expected{
+				Time: time.Now(),
+			})
+			if err != nil {
+				return nil, err
+			}
+
+			return &claims, nil
+		}
+
+	} else {
+		return nil, err
+	}
+}
+
+func getOIDCConfig(oidcConfigURL string) (*OpenIDConfiguration, error) {
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", oidcConfigURL, nil)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		return nil, err
+	}
+
+	log.Debug().Msgf("Requesting OIDC Config from %s", oidcConfigURL)
+
+	oidcConfigResp, err := client.Do(req)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		return nil, err
+	}
+	defer oidcConfigResp.Body.Close()
+
+	var oidcConfig OpenIDConfiguration
+
+	err = json.NewDecoder(oidcConfigResp.Body).Decode(&oidcConfig)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		return nil, err
+	}
+	return &oidcConfig, nil
+}
+
+func (h *Headscale) exchangeCodeForTokens(code string, redirectURI string) (*OpenIDTokens, error) {
+	var err error
+
+	if oidcConfig == nil {
+		oidcConfig, err = getOIDCConfig(fmt.Sprintf("%s.well-known/openid-configuration", h.cfg.OIDCEndpoint))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	params := url.Values{}
+	params.Add("grant_type", "authorization_code")
+	params.Add("code", code)
+	params.Add("client_id", h.cfg.OIDCClientID)
+	params.Add("client_secret", h.cfg.OIDCClientSecret)
+	params.Add("redirect_uri", redirectURI)
+
+	client := &http.Client{}
+	req, err := http.NewRequest("POST", oidcConfig.TokenEndpoint, strings.NewReader(params.Encode()))
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		return nil, err
+	}
+
+	tokenResp, err := client.Do(req)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		return nil, err
+	}
+	defer tokenResp.Body.Close()
+
+	if tokenResp.StatusCode != 200 {
+		b, _ := io.ReadAll(tokenResp.Body)
+		log.Error().Msgf("%s", b)
+	}
+
+	var tokens OpenIDTokens
+
+	err = json.NewDecoder(tokenResp.Body).Decode(&tokens)
+	if err != nil {
+		log.Error().Msgf("%v", err)
+		return nil, err
+	}
+
+	log.Info().Msg("Successfully exchanged code for tokens")
+
+	return &tokens, nil
+}
+
+// RegisterOIDC redirects to the OIDC provider for authentication
+// Puts machine key in cache so the callback can retrieve it using the oidc state param
+// Listens in /oidc/register/:mKey
+func (h *Headscale) RegisterOIDC(c *gin.Context) {
+	mKeyStr := c.Param("mKey")
+	if mKeyStr == "" {
+		c.String(http.StatusBadRequest, "Wrong params")
+		return
+	}
+
+	var err error
+
+	// grab oidc config if it hasn't been already
+	if oidcConfig == nil {
+		oidcConfig, err = getOIDCConfig(fmt.Sprintf("%s.well-known/openid-configuration", h.cfg.OIDCEndpoint))
+
+		if err != nil {
+			c.String(http.StatusInternalServerError, "Could not retrieve OIDC Config")
+			return
+		}
+	}
+
+	b := make([]byte, 16)
+	_, err = rand.Read(b)
+	stateStr := hex.EncodeToString(b)[:32]
+
+	// init the state cache if it hasn't been already
+	if stateCache == nil {
+		stateCache = cache.New(time.Minute*5, time.Minute*10)
+	}
+
+	// place the machine key into the state cache, so it can be retrieved later
+	stateCache.Set(stateStr, mKeyStr, time.Minute*5)
+
+	params := url.Values{}
+	params.Add("response_type", "code")
+	params.Add("client_id", h.cfg.OIDCClientID)
+	params.Add("redirect_uri", fmt.Sprintf("%s/oidc/callback", h.cfg.ServerURL))
+	params.Add("scope", "openid")
+	params.Add("state", stateStr)
+
+	authUrl := fmt.Sprintf("%s?%s", oidcConfig.AuthorizationEndpoint, params.Encode())
+	log.Debug().Msg(authUrl)
+
+	c.Redirect(http.StatusFound, authUrl)
+}
+
+// OIDCCallback handles the callback from the OIDC endpoint
+// Retrieves the mkey from the state cache, if the machine is not registered, presents a confirmation
+// Listens in /oidc/callback
+func (h *Headscale) OIDCCallback(c *gin.Context) {
+
+	code := c.Query("code")
+	state := c.Query("state")
+
+	if code == "" || state == "" {
+		c.String(http.StatusBadRequest, "Wrong params")
+		return
+	}
+
+	redirectURI := fmt.Sprintf("%s/oidc/callback", h.cfg.ServerURL)
+
+	tokens, err := h.exchangeCodeForTokens(code, redirectURI)
+
+	if err != nil {
+		c.String(http.StatusBadRequest, "Could not exchange code for token")
+		return
+	}
+
+	//verify tokens
+	claims, err := verifyToken(tokens.AccessToken)
+
+	if err != nil {
+		c.String(http.StatusBadRequest, "invalid tokens")
+		return
+	}
+
+	//retrieve machinekey from state cache
+	mKeyIf, mKeyFound := stateCache.Get(state)
+
+	if !mKeyFound {
+		c.String(http.StatusBadRequest, "state has expired")
+		return
+	}
+	mKeyStr, mKeyOK := mKeyIf.(string)
+
+	if !mKeyOK {
+		c.String(http.StatusInternalServerError, "could not get machine key from cache")
+		return
+	}
+
+	// retrieve machine information
+	var m Machine
+	if result := h.db.Preload("Namespace").First(&m, "machine_key = ?", mKeyStr); errors.Is(result.Error, gorm.ErrRecordNotFound) {
+		log.Error().Msg("machine key not found in database")
+		c.String(http.StatusInternalServerError, "could not get machine info from database")
+		return
+	}
+
+	//look for a namespace of the users email for now
+	if !m.Registered {
+
+		ns, err := h.GetNamespace(claims.Email)
+		if err != nil {
+			ns, err = h.CreateNamespace(claims.Email)
+		}
+
+		ip, err := h.getAvailableIP()
+		if err != nil {
+			c.String(http.StatusInternalServerError, "could not get an IP from the pool")
+			return
+		}
+
+		m.IPAddress = ip.String()
+		m.NamespaceID = ns.ID
+		m.Registered = true
+		m.RegisterMethod = "oidc"
+		h.db.Save(&m)
+	}
+
+	c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(fmt.Sprintf(`
+<html>
+<body>
+<h1>headscale</h1>
+<p>
+    Authenticated, you can now close this window.
+</p>
+</body>
+</html>
+
+`)))
+}