cc-backend/internal/auth/oidc.go

// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
// All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package auth

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"io"
	"net/http"
	"os"
	"time"

	"github.com/ClusterCockpit/cc-backend/internal/config"
	"github.com/ClusterCockpit/cc-backend/internal/repository"
	"github.com/ClusterCockpit/cc-backend/pkg/log"
	"github.com/ClusterCockpit/cc-backend/pkg/schema"
	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/gorilla/mux"
	"golang.org/x/oauth2"
)

type OIDC struct {
	client         *oauth2.Config
	provider       *oidc.Provider
	authentication *Authentication
	clientID       string
}

func randString(nByte int) (string, error) {
	b := make([]byte, nByte)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func setCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {
	c := &http.Cookie{
		Name:     name,
		Value:    value,
		MaxAge:   int(time.Hour.Seconds()),
		Secure:   r.TLS != nil,
		HttpOnly: true,
	}
	http.SetCookie(w, c)
}

func NewOIDC(a *Authentication) *OIDC {
	provider, err := oidc.NewProvider(context.Background(), config.Keys.OpenIDConfig.Provider)
	if err != nil {
		log.Fatal(err)
	}
	clientID := os.Getenv("OID_CLIENT_ID")
	if clientID == "" {
		log.Warn("environment variable 'OID_CLIENT_ID' not set (Open ID connect auth will not work)")
	}
	clientSecret := os.Getenv("OID_CLIENT_SECRET")
	if clientSecret == "" {
		log.Warn("environment variable 'OID_CLIENT_SECRET' not set (Open ID connect auth will not work)")
	}

	client := &oauth2.Config{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		Endpoint:     provider.Endpoint(),
		RedirectURL:  "oidc-callback",
		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
	}

	oa := &OIDC{provider: provider, client: client, clientID: clientID, authentication: a}

	return oa
}

func (oa *OIDC) RegisterEndpoints(r *mux.Router) {
	r.HandleFunc("/oidc-login", oa.OAuth2Login)
	r.HandleFunc("/oidc-callback", oa.OAuth2Callback)
}

func (oa *OIDC) OAuth2Callback(rw http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("state")
	if err != nil {
		http.Error(rw, "state cookie not found", http.StatusBadRequest)
		return
	}
	state := c.Value

	c, err = r.Cookie("verifier")
	if err != nil {
		http.Error(rw, "verifier cookie not found", http.StatusBadRequest)
		return
	}
	codeVerifier := c.Value

	_ = r.ParseForm()
	if r.Form.Get("state") != state {
		http.Error(rw, "State invalid", http.StatusBadRequest)
		return
	}
	code := r.Form.Get("code")
	if code == "" {
		http.Error(rw, "Code not found", http.StatusBadRequest)
		return
	}
	token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(codeVerifier))
	if err != nil {
		http.Error(rw, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)
		return
	}

	userInfo, err := oa.provider.UserInfo(context.Background(), oauth2.StaticTokenSource(token))
	if err != nil {
		http.Error(rw, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)
		return
	}

	// // Extract the ID Token from OAuth2 token.
	// rawIDToken, ok := token.Extra("id_token").(string)
	// if !ok {
	// 	http.Error(rw, "Cannot access idToken", http.StatusInternalServerError)
	// }
	//
	// verifier := oa.provider.Verifier(&oidc.Config{ClientID: oa.clientID})
	// // Parse and verify ID Token payload.
	// idToken, err := verifier.Verify(context.Background(), rawIDToken)
	// if err != nil {
	// 	http.Error(rw, "Failed to extract idToken: "+err.Error(), http.StatusInternalServerError)
	// }

	projects := make([]string, 0)

	// Extract custom claims
	var claims struct {
		Username string `json:"preferred_username"`
		Name     string `json:"name"`
		Profile  struct {
			Client struct {
				Roles []string `json:"roles"`
			} `json:"clustercockpit"`
		} `json:"resource_access"`
	}
	if err := userInfo.Claims(&claims); err != nil {
		http.Error(rw, "Failed to extract Claims: "+err.Error(), http.StatusInternalServerError)
	}

	var roles []string
	for _, r := range claims.Profile.Client.Roles {
		switch r {
		case "user":
			roles = append(roles, schema.GetRoleString(schema.RoleUser))
		case "admin":
			roles = append(roles, schema.GetRoleString(schema.RoleAdmin))
		}
	}

	if len(roles) == 0 {
		roles = append(roles, schema.GetRoleString(schema.RoleUser))
	}

	user := &schema.User{
		Username:   claims.Username,
		Name:       claims.Name,
		Roles:      roles,
		Projects:   projects,
		AuthSource: schema.AuthViaOIDC,
	}

	if config.Keys.OpenIDConfig.SyncUserOnLogin {
		persistUser(user)
	}

	oa.authentication.SaveSession(rw, r, user)
	log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)
	ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
	http.RedirectHandler("/", http.StatusTemporaryRedirect).ServeHTTP(rw, r.WithContext(ctx))
}

func (oa *OIDC) OAuth2Login(rw http.ResponseWriter, r *http.Request) {
	state, err := randString(16)
	if err != nil {
		http.Error(rw, "Internal error", http.StatusInternalServerError)
		return
	}
	setCallbackCookie(rw, r, "state", state)

	// use PKCE to protect against CSRF attacks
	codeVerifier := oauth2.GenerateVerifier()
	setCallbackCookie(rw, r, "verifier", codeVerifier)

	// Redirect user to consent page to ask for permission
	url := oa.client.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(codeVerifier))
	http.Redirect(rw, r, url, http.StatusFound)
}
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.`
			`// All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`
			`package auth`

			`import (`
			`"context"`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`"crypto/rand"`
			`"encoding/base64"`
			`"io"`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`"net/http"`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`"os"`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`"time"`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`"github.com/ClusterCockpit/cc-backend/internal/config"`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`"github.com/ClusterCockpit/cc-backend/internal/repository"`
			`"github.com/ClusterCockpit/cc-backend/pkg/log"`
			`"github.com/ClusterCockpit/cc-backend/pkg/schema"`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`"github.com/coreos/go-oidc/v3/oidc"`
			`"github.com/gorilla/mux"`
			`"golang.org/x/oauth2"`
			`)`

			`type OIDC struct {`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`client *oauth2.Config`
			`provider *oidc.Provider`
			`authentication *Authentication`
			`clientID string`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`}`

Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`func randString(nByte int) (string, error) {`
			`b := make([]byte, nByte)`
			`if _, err := io.ReadFull(rand.Reader, b); err != nil {`
			`return "", err`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`}`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`return base64.RawURLEncoding.EncodeToString(b), nil`
			`}`

			`func setCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {`
			`c := &http.Cookie{`
			`Name: name,`
			`Value: value,`
			`MaxAge: int(time.Hour.Seconds()),`
			`Secure: r.TLS != nil,`
			`HttpOnly: true,`
			`}`
			`http.SetCookie(w, c)`
			`}`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`func NewOIDC(a Authentication) OIDC {`
Add central function to persist users on Login 2024-03-28 14:22:23 +01:00			`provider, err := oidc.NewProvider(context.Background(), config.Keys.OpenIDConfig.Provider)`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`if err != nil {`
			`log.Fatal(err)`
			`}`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`clientID := os.Getenv("OID_CLIENT_ID")`
			`if clientID == "" {`
			`log.Warn("environment variable 'OID_CLIENT_ID' not set (Open ID connect auth will not work)")`
			`}`
			`clientSecret := os.Getenv("OID_CLIENT_SECRET")`
			`if clientSecret == "" {`
			`log.Warn("environment variable 'OID_CLIENT_SECRET' not set (Open ID connect auth will not work)")`
			`}`
Fix conditional rendering of OIDC button in login 2024-03-28 13:18:25 +01:00
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`client := &oauth2.Config{`
			`ClientID: clientID,`
			`ClientSecret: clientSecret,`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`Endpoint: provider.Endpoint(),`
Fix conditional rendering of OIDC button in login 2024-03-28 13:18:25 +01:00			`RedirectURL: "oidc-callback",`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`Scopes: []string{oidc.ScopeOpenID, "profile", "email"},`
			`}`

Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`oa := &OIDC{provider: provider, client: client, clientID: clientID, authentication: a}`

			`return oa`
			`}`

			`func (oa OIDC) RegisterEndpoints(r mux.Router) {`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`r.HandleFunc("/oidc-login", oa.OAuth2Login)`
			`r.HandleFunc("/oidc-callback", oa.OAuth2Callback)`
			`}`

			`func (oa OIDC) OAuth2Callback(rw http.ResponseWriter, r http.Request) {`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`c, err := r.Cookie("state")`
			`if err != nil {`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`http.Error(rw, "state cookie not found", http.StatusBadRequest)`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`return`
			`}`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`state := c.Value`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`c, err = r.Cookie("verifier")`
Add central function to persist users on Login 2024-03-28 14:22:23 +01:00			`if err != nil {`
			`http.Error(rw, "verifier cookie not found", http.StatusBadRequest)`
			`return`
			`}`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`codeVerifier := c.Value`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`_ = r.ParseForm()`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`if r.Form.Get("state") != state {`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`http.Error(rw, "State invalid", http.StatusBadRequest)`
			`return`
			`}`
			`code := r.Form.Get("code")`
			`if code == "" {`
			`http.Error(rw, "Code not found", http.StatusBadRequest)`
			`return`
			`}`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`token, err := oa.client.Exchange(context.Background(), code, oauth2.VerifierOption(codeVerifier))`
			`if err != nil {`
			`http.Error(rw, "Failed to exchange token: "+err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

			`userInfo, err := oa.provider.UserInfo(context.Background(), oauth2.StaticTokenSource(token))`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`if err != nil {`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`http.Error(rw, "Failed to get userinfo: "+err.Error(), http.StatusInternalServerError)`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`return`
			`}`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00
			`// // Extract the ID Token from OAuth2 token.`
			`// rawIDToken, ok := token.Extra("id_token").(string)`
			`// if !ok {`
			`// http.Error(rw, "Cannot access idToken", http.StatusInternalServerError)`
			`// }`
			`//`
			`// verifier := oa.provider.Verifier(&oidc.Config{ClientID: oa.clientID})`
			`// // Parse and verify ID Token payload.`
			`// idToken, err := verifier.Verify(context.Background(), rawIDToken)`
			`// if err != nil {`
			`// http.Error(rw, "Failed to extract idToken: "+err.Error(), http.StatusInternalServerError)`
			`// }`

			`projects := make([]string, 0)`

			`// Extract custom claims`
			`var claims struct {`
			Username string `json:"preferred_username"`
			Name string `json:"name"`
			`Profile struct {`
			`Client struct {`
			Roles []string `json:"roles"`
			} `json:"clustercockpit"`
			} `json:"resource_access"`
			`}`
			`if err := userInfo.Claims(&claims); err != nil {`
			`http.Error(rw, "Failed to extract Claims: "+err.Error(), http.StatusInternalServerError)`
			`}`

			`var roles []string`
			`for _, r := range claims.Profile.Client.Roles {`
			`switch r {`
			`case "user":`
			`roles = append(roles, schema.GetRoleString(schema.RoleUser))`
			`case "admin":`
			`roles = append(roles, schema.GetRoleString(schema.RoleAdmin))`
			`}`
			`}`

Add central function to persist users on Login 2024-03-28 14:22:23 +01:00			`if len(roles) == 0 {`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`roles = append(roles, schema.GetRoleString(schema.RoleUser))`
			`}`

			`user := &schema.User{`
			`Username: claims.Username,`
			`Name: claims.Name,`
			`Roles: roles,`
			`Projects: projects,`
			`AuthSource: schema.AuthViaOIDC,`
			`}`
Add central function to persist users on Login 2024-03-28 14:22:23 +01:00
			`if config.Keys.OpenIDConfig.SyncUserOnLogin {`
			`persistUser(user)`
			`}`

Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`oa.authentication.SaveSession(rw, r, user)`
			`log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)`
			`ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)`
			`http.RedirectHandler("/", http.StatusTemporaryRedirect).ServeHTTP(rw, r.WithContext(ctx))`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`}`

			`func (oa OIDC) OAuth2Login(rw http.ResponseWriter, r http.Request) {`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`state, err := randString(16)`
			`if err != nil {`
			`http.Error(rw, "Internal error", http.StatusInternalServerError)`
			`return`
			`}`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`setCallbackCookie(rw, r, "state", state)`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`// use PKCE to protect against CSRF attacks`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`codeVerifier := oauth2.GenerateVerifier()`
Add OpenID Connect authentication Fixes #236 Template conditional not yet working Needs more testing 2024-03-28 12:01:13 +01:00			`setCallbackCookie(rw, r, "verifier", codeVerifier)`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00
			`// Redirect user to consent page to ask for permission`
Extend oidc auth provider 2024-03-13 17:09:36 +01:00			`url := oa.client.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(codeVerifier))`
Add initial code for oidc authentication support 2024-03-13 09:37:12 +01:00			`http.Redirect(rw, r, url, http.StatusFound)`
			`}`