Formatting and minor fixes

This commit is contained in:
Jan Eitzinger 2023-08-18 08:49:25 +02:00
parent 29552fadc3
commit d51be5c308
5 changed files with 74 additions and 50 deletions


@ -102,7 +102,7 @@ func Init(configs map[string]interface{}) (*Authentication, error) {
} }
auth.JwtAuth = &JWTAuthenticator{} auth.JwtAuth = &JWTAuthenticator{}
if err := auth.JwtAuth.Init(configs["jwt"]); err != nil { if err := auth.JwtAuth.Init(); err != nil {
log.Error("Error while initializing authentication -> jwtAuth init failed") log.Error("Error while initializing authentication -> jwtAuth init failed")
return nil, err return nil, err
} }
@ -115,20 +115,26 @@ func Init(configs map[string]interface{}) (*Authentication, error) {
auth.LdapAuth = ldapAuth auth.LdapAuth = ldapAuth
auth.authenticators = append(auth.authenticators, auth.LdapAuth) auth.authenticators = append(auth.authenticators, auth.LdapAuth)
} }
} else {
log.Info("Missing LDAP configuration: No LDAP support!")
} }
jwtSessionAuth := &JWTSessionAuthenticator{} if config, ok := configs["jwt"]; ok {
if err := jwtSessionAuth.Init(configs["jwt"]); err != nil { jwtSessionAuth := &JWTSessionAuthenticator{}
log.Warn("Error while initializing authentication -> jwtSessionAuth init failed") if err := jwtSessionAuth.Init(config); err != nil {
} else { log.Warn("Error while initializing authentication -> jwtSessionAuth init failed")
auth.authenticators = append(auth.authenticators, jwtSessionAuth) } else {
} auth.authenticators = append(auth.authenticators, jwtSessionAuth)
}
jwtCookieSessionAuth := &JWTCookieSessionAuthenticator{} jwtCookieSessionAuth := &JWTCookieSessionAuthenticator{}
if err := jwtCookieSessionAuth.Init(configs["jwt"]); err != nil { if err := jwtCookieSessionAuth.Init(configs["jwt"]); err != nil {
log.Warn("Error while initializing authentication -> jwtCookieSessionAuth init failed") log.Warn("Error while initializing authentication -> jwtCookieSessionAuth init failed")
} else {
auth.authenticators = append(auth.authenticators, jwtCookieSessionAuth)
}
} else { } else {
auth.authenticators = append(auth.authenticators, jwtCookieSessionAuth) log.Info("Missing JWT configuration: No JWT token login support!")
} }
auth.LocalAuth = &LocalAuthenticator{} auth.LocalAuth = &LocalAuthenticator{}
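Review bot: The new `if config, ok := configs["jwt"]; ok` guard only tests that the key exists, not that the value is a usable `*schema.JWTAuthConfig`; both session authenticators' `Init` take `interface{}`, and judging by the assertion this commit removes from `JWTAuthenticator.Init` (`ja.config = conf.(*schema.JWTAuthConfig)`) they presumably assert the concrete type, so a `null` or wrongly typed `jwt` entry would panic at startup instead of taking the logged "No JWT token login support" path. Tightening the guard to `if config, ok := configs["jwt"].(*schema.JWTAuthConfig); ok && config != nil {` keeps the intent and removes the panic. For consistency with the line above it, `jwtCookieSessionAuth.Init(configs["jwt"])` should also take the already-extracted `config`. `Init` continues outside the hunk, so I cannot see whether a later check covers this.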


@ -22,12 +22,9 @@ import (
type JWTAuthenticator struct { type JWTAuthenticator struct {
publicKey ed25519.PublicKey publicKey ed25519.PublicKey
privateKey ed25519.PrivateKey privateKey ed25519.PrivateKey
config *schema.JWTAuthConfig
} }
func (ja *JWTAuthenticator) Init(conf interface{}) error { func (ja *JWTAuthenticator) Init() error {
ja.config = conf.(*schema.JWTAuthConfig)
pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY") pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")
if pubKey == "" || privKey == "" { if pubKey == "" || privKey == "" {
log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)") log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
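Review bot: The changed `Init()` has no doc comment, and its contract is now easy to misread: it ignores configuration entirely, reads only `JWT_PUBLIC_KEY` and `JWT_PRIVATE_KEY`, and on missing keys it logs a warning and, as far as the hunk shows, continues with nil `publicKey`/`privateKey` while the caller in `auth.go` treats a nil error as a successfully initialised authenticator. Suggest `// Init loads the ed25519 key pair from the JWT_PUBLIC_KEY and JWT_PRIVATE_KEY environment variables. Missing keys are logged but not returned as an error; the authenticator is then registered but cannot verify or issue tokens.` If the function returns an error further down instead, adjust the wording accordingly — `Init` continues past the end of the hunk.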


@ -8,6 +8,7 @@ import (
"crypto/ed25519" "crypto/ed25519"
"encoding/base64" "encoding/base64"
"errors" "errors"
"fmt"
"net/http" "net/http"
"os" "os"
@ -82,6 +83,7 @@ func (ja *JWTCookieSessionAuthenticator) Init(conf interface{}) error {
return errors.New("config for JWTs not configured (cross login via JWT cookie will fail)") return errors.New("config for JWTs not configured (cross login via JWT cookie will fail)")
} }
log.Info("JWT Cookie Session authenticator successfully registered")
return nil return nil
} }
@ -137,7 +139,7 @@ func (ja *JWTCookieSessionAuthenticator) Login(
return ja.publicKey, nil return ja.publicKey, nil
}) })
if err != nil { if err != nil {
log.Warn("error while parsing token") log.Warn("JWT cookie session: error while parsing token")
return nil, err return nil, err
} }
@ -151,8 +153,16 @@ func (ja *JWTCookieSessionAuthenticator) Login(
sub, _ := claims["sub"].(string) sub, _ := claims["sub"].(string)
var name string var name string
if val, ok := claims["name"]; ok { if wrap, ok := claims["name"].(map[string]interface{}); ok {
name, _ = val.(string) if vals, ok := wrap["values"].([]interface{}); ok {
if len(vals) != 0 {
name = fmt.Sprintf("%v", vals[0])
for i := 1; i < len(vals); i++ {
name += fmt.Sprintf(" %v", vals[i])
}
}
}
} }
var roles []string var roles []string
@ -188,10 +198,12 @@ func (ja *JWTCookieSessionAuthenticator) Login(
http.SetCookie(rw, deletedCookie) http.SetCookie(rw, deletedCookie)
if user == nil { if user == nil {
projects := make([]string, 0)
user = &schema.User{ user = &schema.User{
Username: sub, Username: sub,
Name: name, Name: name,
Roles: roles, Roles: roles,
Projects: projects,
AuthType: schema.AuthSession, AuthType: schema.AuthSession,
AuthSource: schema.AuthViaToken, AuthSource: schema.AuthViaToken,
} }
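Review bot: The rewritten `name` handling only accepts the Grails wrapper shape (`claims["name"].(map[string]interface{})` with a `values` array) and drops the previous plain-string branch, so a token carrying the usual string `name` claim now logs in with an empty `Name`; keep the fallback with `} else if s, ok := claims["name"].(string); ok { name = s }`. Separately, the `user == nil` branch still creates a session user with `Roles: roles` taken from the token, while the sibling `JWTSessionAuthenticator` in this same commit gains a `ValidateUser` mode that refuses unknown users and sources roles from the database; unless that check lives in the part of `Login` outside the hunk, the cookie path remains a way to obtain any role the token issuer asserts, and it deserves either the same `ValidateUser` gate or a comment stating that the cookie issuer is fully trusted. `Login` starts and ends outside this hunk.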


@ -6,6 +6,7 @@ package auth
import ( import (
"encoding/base64" "encoding/base64"
"errors"
"fmt" "fmt"
"net/http" "net/http"
"os" "os"
@ -37,6 +38,7 @@ func (ja *JWTSessionAuthenticator) Init(conf interface{}) error {
ja.loginTokenKey = bytes ja.loginTokenKey = bytes
} }
log.Info("JWT Session authenticator successfully registered")
return nil return nil
} }
@ -46,7 +48,8 @@ func (ja *JWTSessionAuthenticator) CanLogin(
rw http.ResponseWriter, rw http.ResponseWriter,
r *http.Request) (*schema.User, bool) { r *http.Request) (*schema.User, bool) {
return user, r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != "" return user, r.Header.Get("Authorization") != "" ||
r.URL.Query().Get("login-token") != ""
} }
func (ja *JWTSessionAuthenticator) Login( func (ja *JWTSessionAuthenticator) Login(
@ -79,29 +82,38 @@ func (ja *JWTSessionAuthenticator) Login(
sub, _ := claims["sub"].(string) sub, _ := claims["sub"].(string)
var name string var name string
// Java/Grails Issued Token
if wrap, ok := claims["name"].(map[string]interface{}); ok { if wrap, ok := claims["name"].(map[string]interface{}); ok {
if vals, ok := wrap["values"].([]interface{}); ok { if vals, ok := wrap["values"].([]interface{}); ok {
name = fmt.Sprintf("%v %v", vals[0], vals[1]) if len(vals) != 0 {
} name = fmt.Sprintf("%v", vals[0])
} else if val, ok := claims["name"]; ok {
name, _ = val.(string)
}
var roles []string for i := 1; i < len(vals); i++ {
// Java/Grails Issued Token name += fmt.Sprintf(" %v", vals[i])
if rawroles, ok := claims["roles"].([]interface{}); ok {
for _, rr := range rawroles {
if r, ok := rr.(string); ok {
if schema.IsValidRole(r) {
roles = append(roles, r)
} }
} }
} }
} else if rawroles, ok := claims["roles"]; ok { }
for _, r := range rawroles.([]string) {
if schema.IsValidRole(r) { var roles []string
roles = append(roles, r)
if ja.config.ValidateUser {
// Deny any logins for unknown usernames
if user == nil {
log.Warn("Could not find user from JWT in internal database.")
return nil, errors.New("unknown user")
}
// Take user roles from database instead of trusting the JWT
roles = user.Roles
} else {
// Extract roles from JWT (if present)
if rawroles, ok := claims["roles"].([]interface{}); ok {
for _, rr := range rawroles {
if r, ok := rr.(string); ok {
if schema.IsValidRole(r) {
roles = append(roles, r)
}
}
} }
} }
} }
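Review bot: When `ja.config.ValidateUser` is false, the roles granted to the session come entirely from the token's `roles` claim, so any holder of a token signed with the configured key can assert any role that `schema.IsValidRole` accepts, including administrative ones; that is pre-existing behaviour, but the new branch makes it explicit and should say so, e.g. replace `// Extract roles from JWT (if present)` with `// Extract roles from JWT (if present). The token issuer is fully trusted here: any valid role it asserts is granted, regardless of the database.` In that same branch a `user` that does exist in the database has its stored roles ignored in favour of the token's — confirm that is intended, since what happens to `roles` afterwards is outside the hunk. The Grails `name` unpacking above is now duplicated verbatim in `jwt_cookie_session.go`; a small shared helper would keep the two from drifting, and as written both have lost the plain-string `name` fallback the old code had (`} else if val, ok := claims["name"]; ok { name, _ = val.(string) }`). `Login` starts before the hunk.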


@ -57,7 +57,7 @@ func (la *LdapAuthenticator) Init(conf interface{}) error {
} }
}() }()
} else { } else {
return fmt.Errorf("missing LDAP configuration") log.Info("Missing LDAP configuration key sync_interval")
} }
return nil return nil
@ -69,10 +69,12 @@ func (la *LdapAuthenticator) CanLogin(
rw http.ResponseWriter, rw http.ResponseWriter,
r *http.Request) (*schema.User, bool) { r *http.Request) (*schema.User, bool) {
if user != nil && user.AuthSource == schema.AuthViaLDAP { if user != nil {
return user, true if user.AuthSource == schema.AuthViaLDAP {
return user, true
}
} else { } else {
if la.config != nil && la.config.SyncUserOnLogin { if la.config.SyncUserOnLogin {
l, err := la.getLdapConnection(true) l, err := la.getLdapConnection(true)
if err != nil { if err != nil {
log.Error("LDAP connection error") log.Error("LDAP connection error")
@ -89,12 +91,12 @@ func (la *LdapAuthenticator) CanLogin(
sr, err := l.Search(searchRequest) sr, err := l.Search(searchRequest)
if err != nil { if err != nil {
log.Warn(err) log.Warn(err)
return user, false return nil, false
} }
if len(sr.Entries) != 1 { if len(sr.Entries) != 1 {
log.Warn("User does not exist or too many entries returned") log.Warn("LDAP: User does not exist or too many entries returned")
return user, false return nil, false
} }
entry := sr.Entries[0] entry := sr.Entries[0]
@ -117,12 +119,6 @@ func (la *LdapAuthenticator) CanLogin(
return nil, false return nil, false
} }
// if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
// username, 1, name, "[\""+schema.GetRoleString(schema.RoleUser)+"\"]"); err != nil {
// log.Errorf("User '%s' new in LDAP: Insert into DB failed", username)
// return false
// }
return user, true return user, true
} }
} }
@ -144,7 +140,8 @@ func (la *LdapAuthenticator) Login(
userDn := strings.Replace(la.config.UserBind, "{username}", user.Username, -1) userDn := strings.Replace(la.config.UserBind, "{username}", user.Username, -1)
if err := l.Bind(userDn, r.FormValue("password")); err != nil { if err := l.Bind(userDn, r.FormValue("password")); err != nil {
log.Errorf("AUTH/LOCAL > Authentication for user %s failed: %v", user.Username, err) log.Errorf("AUTH/LOCAL > Authentication for user %s failed: %v",
user.Username, err)
return nil, fmt.Errorf("AUTH/LDAP > Authentication failed") return nil, fmt.Errorf("AUTH/LDAP > Authentication failed")
} }