Accept externally generated JWTs provided via cookie

If there is an external service like an AuthAPI that can generate JWTs and hand them over to ClusterCockpit via cookies, CC can be configured to accept them
2025-07-19 03:11:40 +02:00 · 2022-10-19 13:36:13 +02:00
parent 7814a184a1
commit f817ac5240
8 changed files with 283 additions and 7 deletions
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -23,8 +23,9 @@ import (
 type JWTAuthenticator struct {
 	auth *Authentication

-	publicKey  ed25519.PublicKey
-	privateKey ed25519.PrivateKey
+	publicKey           ed25519.PublicKey
+	privateKey          ed25519.PrivateKey
+	publicKeyCrossLogin ed25519.PublicKey // For accepting externally generated JWTs

 	loginTokenKey []byte // HS256 key

@@ -62,6 +63,34 @@ func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
 		ja.loginTokenKey = bytes
 	}

+	// Look for external public keys
+	pubKeyCrossLogin, keyFound := os.LookupEnv("CROSS_LOGIN_JWT_PUBLIC_KEY")
+	if keyFound && pubKeyCrossLogin != "" {
+		bytes, err := base64.StdEncoding.DecodeString(pubKeyCrossLogin)
+		if err != nil {
+			return err
+		}
+		ja.publicKeyCrossLogin = ed25519.PublicKey(bytes)
+
+		// Warn if other necessary settings are not configured
+		if ja.config != nil {
+			if ja.config.CookieName == "" {
+				log.Warn("cookieName for JWTs not configured (cross login via JWT cookie will fail)")
+			}
+			if !ja.config.ForceJWTValidationViaDatabase {
+				log.Warn("forceJWTValidationViaDatabase not set to true: CC will accept users and roles defined in JWTs regardless of its own database!")
+			}
+			if ja.config.TrustedExternalIssuer == "" {
+				log.Warn("trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
+			}
+		} else {
+			log.Warn("cookieName and trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
+		}
+	} else {
+		ja.publicKeyCrossLogin = nil
+		log.Warn("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
+	}
+
 	return nil
 }

@@ -149,38 +178,120 @@ func (ja *JWTAuthenticator) Auth(
 		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
 	}

+	// If no auth header was found, check for a certain cookie containing a JWT
+	cookieName := ""
+	cookieFound := false
+	if ja.config != nil && ja.config.CookieName != "" {
+		cookieName = ja.config.CookieName
+	}
+
+	// Try to read the JWT cookie
+	if rawtoken == "" && cookieName != "" {
+		jwtCookie, err := r.Cookie(cookieName)
+
+		if err == nil && jwtCookie.Value != "" {
+			rawtoken = jwtCookie.Value
+			cookieFound = true
+		}
+	}
+
 	// Because a user can also log in via a token, the
 	// session cookie must be checked here as well:
 	if rawtoken == "" {
 		return ja.auth.AuthViaSession(rw, r)
 	}

+	// Try to parse JWT
 	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
 		if t.Method != jwt.SigningMethodEdDSA {
 			return nil, errors.New("only Ed25519/EdDSA supported")
 		}
+
+		// Is there more than one public key?
+		if ja.publicKeyCrossLogin != nil && ja.config != nil && ja.config.TrustedExternalIssuer != "" {
+			// Determine whether to use the external public key
+			unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
+			if success && unvalidatedIssuer == ja.config.TrustedExternalIssuer {
+				// The (unvalidated) issuer seems to be the expected one,
+				// use public cross login key from config
+				return ja.publicKeyCrossLogin, nil
+			}
+		}
+
+		// No cross login key configured or issuer not expected
+		// Try own key
 		return ja.publicKey, nil
 	})
 	if err != nil {
 		return nil, err
 	}

+	// Check token validity
 	if err := token.Claims.Valid(); err != nil {
 		return nil, err
 	}

+	// Token is valid, extract payload
 	claims := token.Claims.(jwt.MapClaims)
 	sub, _ := claims["sub"].(string)

 	var roles []string
-	if rawroles, ok := claims["roles"].([]interface{}); ok {
-		for _, rr := range rawroles {
-			if r, ok := rr.(string); ok {
-				roles = append(roles, r)
+
+	// Validate user + roles from JWT against database?
+	if ja.config != nil && ja.config.ForceJWTValidationViaDatabase {
+		user, err := ja.auth.GetUser(sub)
+
+		// Deny any logins for unknown usernames
+		if err != nil {
+			log.Warn("Could not find user from JWT in internal database.")
+			return nil, errors.New("unknown user")
+		}
+
+		// Take user roles from database instead of trusting the JWT
+		roles = user.Roles
+	} else {
+		// Extract roles from JWT (if present)
+		if rawroles, ok := claims["roles"].([]interface{}); ok {
+			for _, rr := range rawroles {
+				if r, ok := rr.(string); ok {
+					roles = append(roles, r)
+				}
 			}
 		}
 	}

+	if cookieFound {
+		// Create a session so that we no longer need the JTW Cookie
+		session, err := ja.auth.sessionStore.New(r, "session")
+		if err != nil {
+			log.Errorf("session creation failed: %s", err.Error())
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return nil, err
+		}
+
+		if ja.auth.SessionMaxAge != 0 {
+			session.Options.MaxAge = int(ja.auth.SessionMaxAge.Seconds())
+		}
+		session.Values["username"] = sub
+		session.Values["roles"] = roles
+
+		if err := ja.auth.sessionStore.Save(r, rw, session); err != nil {
+			log.Errorf("session save failed: %s", err.Error())
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return nil, err
+		}
+
+		// (Ask browser to) Delete JWT cookie
+		deletedCookie := &http.Cookie{
+			Name:     cookieName,
+			Value:    "",
+			Path:     "/",
+			MaxAge:   -1,
+			HttpOnly: true,
+		}
+		http.SetCookie(rw, deletedCookie)
+	}
+
 	return &User{
 		Username:   sub,
 		Roles:      roles,