* add oidc config

* inching forward with oidc idp

* lil webfingy fix

* bit more progress

* further oidc

* oidc now working

* document dex config

* replace broken images

* add additional credits

* tiny doc update

* update

* add oidc config

* inching forward with oidc idp

* bit more progress

* further oidc

* oidc now working

* document dex config

* replace broken images

* add additional credits

* tiny doc update

* update

* document

* docs + comments
This commit is contained in:
Tobi Smethurst
2021-07-23 10:36:28 +02:00
committed by GitHub
parent 113186ce4e
commit 05e9af089c
61 changed files with 2597 additions and 757 deletions

View File

@@ -26,6 +26,7 @@ import (
"github.com/superseriousbusiness/gotosocial/internal/config"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/oauth"
"github.com/superseriousbusiness/gotosocial/internal/oidc"
"github.com/superseriousbusiness/gotosocial/internal/router"
)
@@ -36,40 +37,37 @@ const (
OauthTokenPath = "/oauth/token"
// OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user)
OauthAuthorizePath = "/oauth/authorize"
// CallbackPath is the API path for receiving callback tokens from external OIDC providers
CallbackPath = oidc.CallbackPath
callbackStateParam = "state"
callbackCodeParam = "code"
sessionUserID = "userid"
sessionClientID = "client_id"
sessionRedirectURI = "redirect_uri"
sessionForceLogin = "force_login"
sessionResponseType = "response_type"
sessionCode = "code"
sessionScope = "scope"
sessionState = "state"
)
var sessionKeys []string = []string{
sessionUserID,
sessionClientID,
sessionRedirectURI,
sessionForceLogin,
sessionResponseType,
sessionCode,
sessionScope,
}
// Module implements the ClientAPIModule interface for
type Module struct {
config *config.Config
db db.DB
server oauth.Server
idp oidc.IDP
log *logrus.Logger
}
// New returns a new auth module
func New(config *config.Config, db db.DB, server oauth.Server, log *logrus.Logger) api.ClientModule {
func New(config *config.Config, db db.DB, server oauth.Server, idp oidc.IDP, log *logrus.Logger) api.ClientModule {
return &Module{
config: config,
db: db,
server: server,
idp: idp,
log: log,
}
}
@@ -84,6 +82,8 @@ func (m *Module) Route(s router.Router) error {
s.AttachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)
s.AttachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)
s.AttachHandler(http.MethodGet, CallbackPath, m.CallbackGETHandler)
s.AttachMiddleware(m.OauthTokenMiddleware)
return nil
}

View File

@@ -23,9 +23,11 @@ import (
"fmt"
"net/http"
"net/url"
"strings"
"github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/superseriousbusiness/gotosocial/internal/api/model"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@@ -46,16 +48,19 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
form := &model.OAuthAuthorize{}
if err := c.Bind(form); err != nil {
l.Debugf("invalid auth form: %s", err)
return
}
l.Tracef("parsed auth form: %+v", form)
if err := extractAuthForm(s, form); err != nil {
l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
m.clearSession(s)
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
c.Redirect(http.StatusFound, AuthSignInPath)
l.Debugf("parsed auth form: %+v", form)
if err := extractAuthForm(s, form); err != nil {
l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
m.clearSession(s)
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
c.Redirect(http.StatusSeeOther, AuthSignInPath)
return
}
@@ -69,6 +74,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
ClientID: clientID,
}
if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
return
}
@@ -78,6 +84,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
ID: userID,
}
if err := m.db.GetByID(user.ID, user); err != nil {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
@@ -87,6 +94,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
}
if err := m.db.GetByID(acct.ID, acct); err != nil {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
@@ -94,11 +102,13 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
// Finally we should also get the redirect and scope of this particular request, as stored in the session.
redirect, ok := s.Get(sessionRedirectURI).(string)
if !ok || redirect == "" {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"})
return
}
scope, ok := s.Get(sessionScope).(string)
if !ok || scope == "" {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"})
return
}
@@ -128,48 +138,42 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
// recreate it on the request so that it can be used further by the oauth2 library.
// So first fetch all the values from the session.
errs := []string{}
forceLogin, ok := s.Get(sessionForceLogin).(string)
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"})
return
forceLogin = "false"
}
responseType, ok := s.Get(sessionResponseType).(string)
if !ok || responseType == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"})
return
errs = append(errs, "session missing response_type")
}
clientID, ok := s.Get(sessionClientID).(string)
if !ok || clientID == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"})
return
errs = append(errs, "session missing client_id")
}
redirectURI, ok := s.Get(sessionRedirectURI).(string)
if !ok || redirectURI == "" {
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"})
return
errs = append(errs, "session missing redirect_uri")
}
scope, ok := s.Get(sessionScope).(string)
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"})
return
errs = append(errs, "session missing scope")
}
userID, ok := s.Get(sessionUserID).(string)
if !ok {
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"})
return
errs = append(errs, "session missing userid")
}
// we're done with the session so we can clear it now
for _, key := range sessionKeys {
s.Delete(key)
}
if err := s.Save(); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
m.clearSession(s)
if len(errs) != 0 {
c.JSON(http.StatusBadRequest, gin.H{"error": strings.Join(errs, ": ")})
return
}
@@ -209,5 +213,6 @@ func extractAuthForm(s sessions.Session, form *model.OAuthAuthorize) error {
s.Set(sessionClientID, form.ClientID)
s.Set(sessionRedirectURI, form.RedirectURI)
s.Set(sessionScope, form.Scope)
s.Set(sessionState, uuid.NewString())
return s.Save()
}

View File

@@ -0,0 +1,219 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package auth
import (
"errors"
"fmt"
"net"
"net/http"
"strconv"
"strings"
"github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
"github.com/superseriousbusiness/gotosocial/internal/oidc"
"github.com/superseriousbusiness/gotosocial/internal/util"
)
// CallbackGETHandler parses a token from an external auth provider.
func (m *Module) CallbackGETHandler(c *gin.Context) {
s := sessions.Default(c)
// first make sure the state set in the cookie is the same as the state returned from the external provider
state := c.Query(callbackStateParam)
if state == "" {
m.clearSession(s)
c.JSON(http.StatusForbidden, gin.H{"error": "state query not found on callback"})
return
}
savedStateI := s.Get(sessionState)
savedState, ok := savedStateI.(string)
if !ok {
m.clearSession(s)
c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
return
}
if state != savedState {
m.clearSession(s)
c.JSON(http.StatusForbidden, gin.H{"error": "state mismatch"})
return
}
code := c.Query(callbackCodeParam)
claims, err := m.idp.HandleCallback(c.Request.Context(), code)
if err != nil {
m.clearSession(s)
c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
return
}
// We can use the client_id on the session to retrieve info about the app associated with the client_id
clientID, ok := s.Get(sessionClientID).(string)
if !ok || clientID == "" {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": "no client_id found in session during callback"})
return
}
app := &gtsmodel.Application{
ClientID: clientID,
}
if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
return
}
user, err := m.parseUserFromClaims(claims, net.IP(c.ClientIP()), app.ID)
if err != nil {
m.clearSession(s)
c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
return
}
s.Set(sessionUserID, user.ID)
if err := s.Save(); err != nil {
m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
c.Redirect(http.StatusFound, OauthAuthorizePath)
}
func (m *Module) parseUserFromClaims(claims *oidc.Claims, ip net.IP, appID string) (*gtsmodel.User, error) {
if claims.Email == "" {
return nil, errors.New("no email returned in claims")
}
// see if we already have a user for this email address
user := &gtsmodel.User{}
err := m.db.GetWhere([]db.Where{{Key: "email", Value: claims.Email}}, user)
if err == nil {
// we do! so we can just return it
return user, nil
}
if _, ok := err.(db.ErrNoEntries); !ok {
// we have an actual error in the database
return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err)
}
// maybe we have an unconfirmed user
err = m.db.GetWhere([]db.Where{{Key: "unconfirmed_email", Value: claims.Email}}, user)
if err == nil {
// user is unconfirmed so return an error
return nil, fmt.Errorf("user with email address %s is unconfirmed", claims.Email)
}
if _, ok := err.(db.ErrNoEntries); !ok {
// we have an actual error in the database
return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err)
}
// we don't have a confirmed or unconfirmed user with the claimed email address
// however, because we trust the OIDC provider, we should now create a user + account with the provided claims
// check if the email address is available for use; if it's not there's nothing we can so
if err := m.db.IsEmailAvailable(claims.Email); err != nil {
return nil, fmt.Errorf("email %s not available: %s", claims.Email, err)
}
// now we need a username
var username string
// make sure claims.Name is defined since we'll be using that for the username
if claims.Name == "" {
return nil, errors.New("no name returned in claims")
}
// check if we can just use claims.Name as-is
err = util.ValidateUsername(claims.Name)
if err == nil {
// the name we have on the claims is already a valid username
username = claims.Name
} else {
// not a valid username so we have to fiddle with it to try to make it valid
// first trim leading and trailing whitespace
trimmed := strings.TrimSpace(claims.Name)
// underscore any spaces in the middle of the name
underscored := strings.ReplaceAll(trimmed, " ", "_")
// lowercase the whole thing
lower := strings.ToLower(underscored)
// see if this is valid....
if err := util.ValidateUsername(lower); err == nil {
// we managed to get a valid username
username = lower
} else {
return nil, fmt.Errorf("couldn't parse a valid username from claims.Name value of %s", claims.Name)
}
}
var iString string
var found bool
// if the username isn't available we need to iterate on it until we find one that is
// we should try to do this in a predictable way so we just keep iterating i by one and trying
// the username with that number on the end
//
// note that for the first iteration, iString is still "" when the check is made, so our first choice
// is still the raw username with no integer stuck on the end
for i := 1; !found; i = i + 1 {
if err := m.db.IsUsernameAvailable(username + iString); err != nil {
if strings.Contains(err.Error(), "db error") {
// if there's an actual db error we should return
return nil, fmt.Errorf("error checking username availability: %s", err)
}
} else {
// no error so we've found a username that works
found = true
username = username + iString
continue
}
iString = strconv.Itoa(i)
}
// check if the user is in any recognised admin groups
var admin bool
for _, g := range claims.Groups {
if strings.EqualFold(g, "admin") || strings.EqualFold(g, "admins") {
admin = true
}
}
// we still need to set *a* password even if it's not a password the user will end up using, so set something random
// in this case, we'll just set two uuids on top of each other, which should be long + random enough to baffle any attempts to crack.
//
// if the user ever wants to log in using gts password rather than oidc flow, they'll have to request a password reset, which is fine
password := uuid.NewString() + uuid.NewString()
// create the user! this will also create an account and store it in the database so we don't need to do that here
user, err = m.db.NewSignup(username, "", m.config.AccountsConfig.RequireApproval, claims.Email, password, ip, "", appID, claims.EmailVerified, admin)
if err != nil {
return nil, fmt.Errorf("error creating user: %s", err)
}
return user, nil
}

View File

@@ -39,7 +39,24 @@ type login struct {
// The idea is to present a sign in page to the user, where they can enter their username and password.
// The form will then POST to the sign in page, which will be handled by SignInPOSTHandler
func (m *Module) SignInGETHandler(c *gin.Context) {
m.log.WithField("func", "SignInGETHandler").Trace("serving sign in html")
l := m.log.WithField("func", "SignInGETHandler")
l.Trace("entering sign in handler")
if m.idp != nil {
s := sessions.Default(c)
stateI := s.Get(sessionState)
state, ok := stateI.(string)
if !ok {
m.clearSession(s)
c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
return
}
redirect := m.idp.AuthCodeURL(state)
l.Debugf("redirecting to external idp at %s", redirect)
c.Redirect(http.StatusSeeOther, redirect)
return
}
c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{})
}
@@ -52,6 +69,7 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
form := &login{}
if err := c.ShouldBind(form); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
m.clearSession(s)
return
}
l.Tracef("parsed form: %+v", form)
@@ -59,12 +77,14 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
userid, err := m.ValidatePassword(form.Email, form.Password)
if err != nil {
c.String(http.StatusForbidden, err.Error())
m.clearSession(s)
return
}
s.Set(sessionUserID, userid)
if err := s.Save(); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
m.clearSession(s)
return
}

View File

@@ -0,0 +1,17 @@
package auth
import (
"github.com/gin-contrib/sessions"
)
func (m *Module) clearSession(s sessions.Session) {
s.Clear()
// newOptions := router.SessionOptions(m.config)
// newOptions.MaxAge = -1 // instruct browser to delete cookie immediately
// s.Options(newOptions)
if err := s.Save(); err != nil {
panic(err)
}
}