mirror of
https://github.com/ClusterCockpit/cc-backend
synced 2024-12-26 05:19:05 +01:00
commit
19f2e16bae
2
Makefile
2
Makefile
@ -28,7 +28,7 @@ SVELTE_SRC = $(wildcard $(FRONTEND)/src/*.svelte) \
|
|||||||
$(wildcard $(FRONTEND)/src/plots/*.svelte) \
|
$(wildcard $(FRONTEND)/src/plots/*.svelte) \
|
||||||
$(wildcard $(FRONTEND)/src/joblist/*.svelte)
|
$(wildcard $(FRONTEND)/src/joblist/*.svelte)
|
||||||
|
|
||||||
.PHONY: clean test tags frontend $(TARGET)
|
.PHONY: clean distclean test tags frontend $(TARGET)
|
||||||
|
|
||||||
.NOTPARALLEL:
|
.NOTPARALLEL:
|
||||||
|
|
||||||
|
156
docs/dev-authentication.md
Normal file
156
docs/dev-authentication.md
Normal file
@ -0,0 +1,156 @@
|
|||||||
|
# Overview
|
||||||
|
|
||||||
|
The implementation of authentication is not easy to understand by just looking
|
||||||
|
at the code. The authentication is implemented in `internal/auth/`. In `auth.go`
|
||||||
|
an interface is defined that any authentication provider must fulfill. It also
|
||||||
|
acts as a dispatcher to delegate the calls to the available authentication
|
||||||
|
providers.
|
||||||
|
|
||||||
|
The most important routine are:
|
||||||
|
* `CanLogin()` Check if the authentication method is supported for login attempt
|
||||||
|
* `Login()` Handle POST request to login user and start a new session
|
||||||
|
* `Auth()` Authenticate user and put User Object in context of the request
|
||||||
|
|
||||||
|
The http router calls auth in the following cases:
|
||||||
|
* `r.Handle("/login", authentication.Login( ... )).Methods(http.MethodPost)`:
|
||||||
|
The POST request on the `/login` route will call the Login callback.
|
||||||
|
* Any route in the secured subrouter will always call Auth(), on success it will
|
||||||
|
call the next handler in the chain, on failure it will render the login
|
||||||
|
template.
|
||||||
|
```
|
||||||
|
secured.Use(func(next http.Handler) http.Handler {
|
||||||
|
return authentication.Auth(
|
||||||
|
// On success;
|
||||||
|
next,
|
||||||
|
|
||||||
|
// On failure:
|
||||||
|
func(rw http.ResponseWriter, r *http.Request, err error) {
|
||||||
|
// Render login form
|
||||||
|
})
|
||||||
|
})
|
||||||
|
```
|
||||||
|
|
||||||
|
For non API routes a JWT token can be used to initiate an authenticated user
|
||||||
|
session. This can either happen by calling the login route with a token
|
||||||
|
provided in a header or query URL or via the `Auth()` method on first access
|
||||||
|
to a secured URL via a special cookie containing the JWT token.
|
||||||
|
For API routes the access is authenticated on every request using the JWT token
|
||||||
|
and no session is initiated.
|
||||||
|
|
||||||
|
# Login
|
||||||
|
|
||||||
|
The Login function (located in `auth.go`):
|
||||||
|
* Extracts the user name and gets the user from the user database table. In case the
|
||||||
|
user is not found the user object is set to nil.
|
||||||
|
* Iterates over all authenticators and:
|
||||||
|
- Calls the `CanLogin` function which checks if the authentication method is
|
||||||
|
supported for this user and the user object is valid.
|
||||||
|
- Calls the `Login` function to authenticate the user. On success a valid user
|
||||||
|
object is returned.
|
||||||
|
- Creates a new session object, stores the user attributes in the session and
|
||||||
|
saves the session.
|
||||||
|
- Starts the `onSuccess` http handler
|
||||||
|
|
||||||
|
## Local authenticator
|
||||||
|
|
||||||
|
This authenticator is applied if
|
||||||
|
```
|
||||||
|
return user != nil && user.AuthSource == AuthViaLocalPassword
|
||||||
|
```
|
||||||
|
|
||||||
|
Compares the password provided by the login form to the password hash stored in
|
||||||
|
the user database table:
|
||||||
|
```
|
||||||
|
if e := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(r.FormValue("password"))); e != nil {
|
||||||
|
log.Errorf("AUTH/LOCAL > Authentication for user %s failed!", user.Username)
|
||||||
|
return nil, fmt.Errorf("AUTH/LOCAL > Authentication failed")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## LDAP authenticator
|
||||||
|
|
||||||
|
This authenticator is applied if
|
||||||
|
```
|
||||||
|
return user != nil && user.AuthSource == AuthViaLDAP
|
||||||
|
```
|
||||||
|
|
||||||
|
Gets the LDAP connection and tries a bind with the provided credentials:
|
||||||
|
```
|
||||||
|
if err := l.Bind(userDn, r.FormValue("password")); err != nil {
|
||||||
|
log.Errorf("AUTH/LOCAL > Authentication for user %s failed: %v", user.Username, err)
|
||||||
|
return nil, fmt.Errorf("AUTH/LDAP > Authentication failed")
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## JWT authenticator
|
||||||
|
|
||||||
|
Login via JWT token will create a session without password.
|
||||||
|
For login the `X-Auth-Token` header is not supported.
|
||||||
|
This authenticator is applied if either user is not nil and auth source is
|
||||||
|
`AuthViaToken` or the Authorization header is present or the URL query key
|
||||||
|
login-token is present:
|
||||||
|
```
|
||||||
|
return (user != nil && user.AuthSource == AuthViaToken) ||
|
||||||
|
r.Header.Get("Authorization") != "" ||
|
||||||
|
r.URL.Query().Get("login-token") != ""
|
||||||
|
```
|
||||||
|
|
||||||
|
The Login function:
|
||||||
|
* Parses the token
|
||||||
|
* Check if the signing method is EdDSA or HS256 or HS512
|
||||||
|
* Check if claims are valid and extracts the claims
|
||||||
|
* The following claims have to be present:
|
||||||
|
- `sub`: The subject, in this case this is the username
|
||||||
|
- `exp`: Expiration in Unix epoch time
|
||||||
|
- `roles`: String array with roles of user
|
||||||
|
* In case user is not yet set, which is usually the case:
|
||||||
|
- Try to fetch user from database
|
||||||
|
- In case user is not yet present add user to user database table with `AuthViaToken` AuthSource.
|
||||||
|
* Return valid user object
|
||||||
|
|
||||||
|
# Auth
|
||||||
|
|
||||||
|
The Auth function (located in `auth.go`):
|
||||||
|
* Returns a new http handler function that is defined right away
|
||||||
|
* This handler iterates over all authenticators
|
||||||
|
* Calls `Auth()` on every authenticator
|
||||||
|
* If err is not nil and the user object is valid it puts the user object in the
|
||||||
|
request context and starts the onSuccess http handler
|
||||||
|
* Otherwise it calls the onFailure handler
|
||||||
|
|
||||||
|
## Local
|
||||||
|
|
||||||
|
Calls the `AuthViaSession()` function in `auth.go`. This will extract username,
|
||||||
|
projects and roles from the session and initialize a user object with those
|
||||||
|
values.
|
||||||
|
|
||||||
|
## LDAP
|
||||||
|
|
||||||
|
Calls the `AuthViaSession()` function in `auth.go`. This will extract username,
|
||||||
|
projects and roles from the session and initialize a user object with those
|
||||||
|
values.
|
||||||
|
|
||||||
|
# JWT
|
||||||
|
|
||||||
|
Check for JWT token:
|
||||||
|
* Is token passed in the `X-Auth-Token` or `Authorization` header
|
||||||
|
* If no token is found in a header it tries to read the token from a configured
|
||||||
|
cookie.
|
||||||
|
|
||||||
|
Finally it calls AuthViaSession in `auth.go` if a valid session exists. This is
|
||||||
|
true if a JWT token was previously used to initiate a session. In this case the
|
||||||
|
user object initialized with the session is returned right away.
|
||||||
|
|
||||||
|
In case a token was found extract and parse the token:
|
||||||
|
* Check if signing method is Ed25519/EdDSA
|
||||||
|
* In case publicKeyCrossLogin is configured:
|
||||||
|
- Check if `iss` issuer claim matched trusted issuer from configuration
|
||||||
|
- Return public cross login key
|
||||||
|
- Otherwise return standard public key
|
||||||
|
* Check if claims are valid
|
||||||
|
* Depending on the option `ForceJWTValidationViaDatabase ` the roles are
|
||||||
|
extracted from JWT token or taken from user object fetched from database
|
||||||
|
* In case the token was extracted from cookie create a new session and ask the
|
||||||
|
browser to delete the JWT cookie
|
||||||
|
* Return valid user object
|
||||||
|
|
@ -75,10 +75,7 @@ func getRoleEnum(roleStr string) Role {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func isValidRole(role string) bool {
|
func isValidRole(role string) bool {
|
||||||
if getRoleEnum(role) == RoleError {
|
return getRoleEnum(role) != RoleError
|
||||||
return false
|
|
||||||
}
|
|
||||||
return true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (u *User) HasValidRole(role string) (hasRole bool, isValid bool) {
|
func (u *User) HasValidRole(role string) (hasRole bool, isValid bool) {
|
||||||
@ -175,7 +172,7 @@ func GetValidRolesMap(user *User) (map[string]Role, error) {
|
|||||||
}
|
}
|
||||||
return named, nil
|
return named, nil
|
||||||
}
|
}
|
||||||
return named, fmt.Errorf("Only known users are allowed to fetch a list of roles")
|
return named, fmt.Errorf("only known users are allowed to fetch a list of roles")
|
||||||
}
|
}
|
||||||
|
|
||||||
// Find highest role
|
// Find highest role
|
||||||
@ -300,6 +297,7 @@ func (auth *Authentication) AuthViaSession(
|
|||||||
return nil, nil
|
return nil, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO Check if keys are present in session?
|
||||||
username, _ := session.Values["username"].(string)
|
username, _ := session.Values["username"].(string)
|
||||||
projects, _ := session.Values["projects"].([]string)
|
projects, _ := session.Values["projects"].([]string)
|
||||||
roles, _ := session.Values["roles"].([]string)
|
roles, _ := session.Values["roles"].([]string)
|
||||||
@ -320,11 +318,9 @@ func (auth *Authentication) Login(
|
|||||||
err := errors.New("no authenticator applied")
|
err := errors.New("no authenticator applied")
|
||||||
username := r.FormValue("username")
|
username := r.FormValue("username")
|
||||||
user := (*User)(nil)
|
user := (*User)(nil)
|
||||||
|
|
||||||
if username != "" {
|
if username != "" {
|
||||||
if user, _ = auth.GetUser(username); err != nil {
|
user, _ = auth.GetUser(username)
|
||||||
// log.Warnf("login of unkown user %v", username)
|
|
||||||
_ = err
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, authenticator := range auth.authenticators {
|
for _, authenticator := range auth.authenticators {
|
||||||
|
@ -92,7 +92,7 @@ func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
|
|||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
ja.publicKeyCrossLogin = nil
|
ja.publicKeyCrossLogin = nil
|
||||||
log.Warn("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
|
log.Debug("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
@ -103,7 +103,9 @@ func (ja *JWTAuthenticator) CanLogin(
|
|||||||
rw http.ResponseWriter,
|
rw http.ResponseWriter,
|
||||||
r *http.Request) bool {
|
r *http.Request) bool {
|
||||||
|
|
||||||
return (user != nil && user.AuthSource == AuthViaToken) || r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
|
return (user != nil && user.AuthSource == AuthViaToken) ||
|
||||||
|
r.Header.Get("Authorization") != "" ||
|
||||||
|
r.URL.Query().Get("login-token") != ""
|
||||||
}
|
}
|
||||||
|
|
||||||
func (ja *JWTAuthenticator) Login(
|
func (ja *JWTAuthenticator) Login(
|
||||||
@ -111,13 +113,9 @@ func (ja *JWTAuthenticator) Login(
|
|||||||
rw http.ResponseWriter,
|
rw http.ResponseWriter,
|
||||||
r *http.Request) (*User, error) {
|
r *http.Request) (*User, error) {
|
||||||
|
|
||||||
rawtoken := r.Header.Get("X-Auth-Token")
|
rawtoken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
|
||||||
if rawtoken == "" {
|
if rawtoken == "" {
|
||||||
rawtoken = r.Header.Get("Authorization")
|
rawtoken = r.URL.Query().Get("login-token")
|
||||||
rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
|
|
||||||
if rawtoken == "" {
|
|
||||||
rawtoken = r.URL.Query().Get("login-token")
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
|
token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
|
||||||
@ -134,7 +132,7 @@ func (ja *JWTAuthenticator) Login(
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := token.Claims.Valid(); err != nil {
|
if err = token.Claims.Valid(); err != nil {
|
||||||
log.Warn("jwt token claims are not valid")
|
log.Warn("jwt token claims are not valid")
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
@ -220,7 +218,10 @@ func (ja *JWTAuthenticator) Auth(
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Is there more than one public key?
|
// Is there more than one public key?
|
||||||
if ja.publicKeyCrossLogin != nil && ja.config != nil && ja.config.TrustedExternalIssuer != "" {
|
if ja.publicKeyCrossLogin != nil &&
|
||||||
|
ja.config != nil &&
|
||||||
|
ja.config.TrustedExternalIssuer != "" {
|
||||||
|
|
||||||
// Determine whether to use the external public key
|
// Determine whether to use the external public key
|
||||||
unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
|
unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
|
||||||
if success && unvalidatedIssuer == ja.config.TrustedExternalIssuer {
|
if success && unvalidatedIssuer == ja.config.TrustedExternalIssuer {
|
||||||
|
Loading…
Reference in New Issue
Block a user