headscale/oidc.go

517 lines
13 KiB
Go
Raw Normal View History

2021-09-26 16:53:05 +08:00
package headscale
import (
2021-12-22 19:43:53 -07:00
"bytes"
"context"
2021-09-26 16:53:05 +08:00
"crypto/rand"
"encoding/hex"
"errors"
2021-09-26 16:53:05 +08:00
"fmt"
2021-12-22 19:43:53 -07:00
"html/template"
2021-10-18 19:27:52 +00:00
"net/http"
"strings"
"time"
2021-10-18 19:27:52 +00:00
"github.com/coreos/go-oidc/v3/oidc"
2022-06-20 12:31:19 +02:00
"github.com/gorilla/mux"
2021-09-26 16:53:05 +08:00
"github.com/rs/zerolog/log"
"golang.org/x/oauth2"
"tailscale.com/types/key"
2021-09-26 16:53:05 +08:00
)
const (
randomByteSize = 16
)
type IDTokenClaims struct {
2021-09-26 16:53:05 +08:00
Name string `json:"name,omitempty"`
Groups []string `json:"groups,omitempty"`
Email string `json:"email"`
Username string `json:"preferred_username,omitempty"`
}
2021-10-08 17:43:52 +08:00
func (h *Headscale) initOIDC() error {
2021-09-26 16:53:05 +08:00
var err error
// grab oidc config if it hasn't been already
2021-10-08 17:43:52 +08:00
if h.oauth2Config == nil {
2021-10-18 19:27:52 +00:00
h.oidcProvider, err = oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)
2021-09-26 16:53:05 +08:00
if err != nil {
log.Error().
Err(err).
Caller().
Msgf("Could not retrieve OIDC Config: %s", err.Error())
2021-11-14 16:46:09 +01:00
2021-10-08 17:43:52 +08:00
return err
2021-09-26 16:53:05 +08:00
}
2021-10-08 17:43:52 +08:00
h.oauth2Config = &oauth2.Config{
2021-10-18 19:27:52 +00:00
ClientID: h.cfg.OIDC.ClientID,
ClientSecret: h.cfg.OIDC.ClientSecret,
2021-10-08 17:43:52 +08:00
Endpoint: h.oidcProvider.Endpoint(),
2021-11-13 08:36:45 +00:00
RedirectURL: fmt.Sprintf(
"%s/oidc/callback",
strings.TrimSuffix(h.cfg.ServerURL, "/"),
),
Scopes: h.cfg.OIDC.Scope,
}
2021-10-08 17:43:52 +08:00
}
return nil
}
// RegisterOIDC redirects to the OIDC provider for authentication
// Puts machine key in cache so the callback can retrieve it using the oidc state param
2021-11-13 08:39:04 +00:00
// Listens in /oidc/register/:mKey.
2022-06-20 12:31:19 +02:00
func (h *Headscale) RegisterOIDC(
2022-06-26 11:55:37 +02:00
writer http.ResponseWriter,
req *http.Request,
2022-06-20 12:31:19 +02:00
) {
2022-06-26 11:55:37 +02:00
vars := mux.Vars(req)
2022-06-20 12:31:19 +02:00
machineKeyStr, ok := vars["mkey"]
if !ok || machineKeyStr == "" {
log.Error().
Caller().
Msg("Missing machine key in URL")
2022-06-26 11:55:37 +02:00
http.Error(writer, "Missing machine key in URL", http.StatusBadRequest)
2021-11-14 16:46:09 +01:00
2021-10-08 17:43:52 +08:00
return
2021-09-26 16:53:05 +08:00
}
log.Trace().
Caller().
Str("machine_key", machineKeyStr).
Msg("Received oidc register call")
randomBlob := make([]byte, randomByteSize)
2021-11-15 16:15:50 +00:00
if _, err := rand.Read(randomBlob); err != nil {
log.Error().
Caller().
Msg("could not read 16 bytes from rand")
2022-06-26 11:55:37 +02:00
http.Error(writer, "Internal server error", http.StatusInternalServerError)
2021-11-14 16:46:09 +01:00
return
}
2021-11-15 16:15:50 +00:00
stateStr := hex.EncodeToString(randomBlob)[:32]
2021-09-26 16:53:05 +08:00
// place the machine key into the state cache, so it can be retrieved later
h.registrationCache.Set(stateStr, machineKeyStr, registerCacheExpiration)
2021-09-26 16:53:05 +08:00
// Add any extra parameter provided in the configuration to the Authorize Endpoint request
extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
for k, v := range h.cfg.OIDC.ExtraParams {
extras = append(extras, oauth2.SetAuthURLParam(k, v))
}
authURL := h.oauth2Config.AuthCodeURL(stateStr, extras...)
log.Debug().Msgf("Redirecting to %s for authentication", authURL)
2021-09-26 16:53:05 +08:00
2022-06-26 11:55:37 +02:00
http.Redirect(writer, req, authURL, http.StatusFound)
2021-09-26 16:53:05 +08:00
}
2021-12-22 19:43:53 -07:00
type oidcCallbackTemplateConfig struct {
User string
Verb string
}
var oidcCallbackTemplate = template.Must(
template.New("oidccallback").Parse(`<html>
<body>
<h1>headscale</h1>
<p>
{{.Verb}} as {{.User}}, you can now close this window.
</p>
</body>
</html>`),
)
2021-09-26 16:53:05 +08:00
// OIDCCallback handles the callback from the OIDC endpoint
// Retrieves the mkey from the state cache and adds the machine to the users email namespace
// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into machine HostInfo
2021-11-13 08:39:04 +00:00
// Listens in /oidc/callback.
2022-06-17 17:42:17 +02:00
func (h *Headscale) OIDCCallback(
2022-06-26 12:01:04 +02:00
writer http.ResponseWriter,
req *http.Request,
2022-06-17 17:42:17 +02:00
) {
2022-06-26 12:01:04 +02:00
code := req.URL.Query().Get("code")
state := req.URL.Query().Get("state")
2021-09-26 16:53:05 +08:00
if code == "" || state == "" {
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("Wrong params"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-11-14 16:46:09 +01:00
2021-09-26 16:53:05 +08:00
return
}
2021-10-08 17:43:52 +08:00
oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)
2021-09-26 16:53:05 +08:00
if err != nil {
2022-03-18 09:40:12 +01:00
log.Error().
Err(err).
Caller().
Msg("Could not exchange code for token")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("Could not exchange code for token"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-11-14 16:46:09 +01:00
2021-09-26 16:53:05 +08:00
return
}
log.Trace().
Caller().
Str("code", code).
Str("state", state).
Msg("Got oidc callback")
2021-10-10 17:22:42 +08:00
rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
if !rawIDTokenOK {
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("Could not extract ID Token"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-11-14 16:46:09 +01:00
return
}
2021-10-18 19:27:52 +00:00
verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
2021-09-26 16:53:05 +08:00
idToken, err := verifier.Verify(context.Background(), rawIDToken)
2021-09-26 16:53:05 +08:00
if err != nil {
log.Error().
Err(err).
Caller().
Msg("failed to verify id token")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("Failed to verify id token"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-11-14 16:46:09 +01:00
return
}
2021-10-10 17:22:42 +08:00
// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
2021-11-14 18:44:37 +01:00
// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
// if err != nil {
2021-11-21 21:54:19 +00:00
// c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo"))
2021-11-14 18:44:37 +01:00
// return
// }
// Extract custom claims
var claims IDTokenClaims
if err = idToken.Claims(&claims); err != nil {
log.Error().
Err(err).
Caller().
Msg("Failed to decode id token claims")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("Failed to decode id token claims"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-11-14 16:46:09 +01:00
2021-09-26 16:53:05 +08:00
return
}
// If AllowedDomains is provided, check that the authenticated principal ends with @<alloweddomain>.
if len(h.cfg.OIDC.AllowedDomains) > 0 {
if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
!IsStringInSlice(h.cfg.OIDC.AllowedDomains, claims.Email[at+1:]) {
log.Error().Msg("authenticated principal does not match any allowed domain")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("unauthorized principal (domain mismatch)"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
return
}
}
// If AllowedUsers is provided, check that the authenticated princial is part of that list.
if len(h.cfg.OIDC.AllowedUsers) > 0 &&
!IsStringInSlice(h.cfg.OIDC.AllowedUsers, claims.Email) {
log.Error().Msg("authenticated principal does not match any allowed user")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("unauthorized principal (user mismatch)"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
return
}
2021-10-18 19:27:52 +00:00
// retrieve machinekey from state cache
machineKeyIf, machineKeyFound := h.registrationCache.Get(state)
2021-09-26 16:53:05 +08:00
if !machineKeyFound {
2021-11-13 08:36:45 +00:00
log.Error().
Msg("requested machine state key expired before authorisation completed")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("state has expired"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-11-14 16:46:09 +01:00
2021-09-26 16:53:05 +08:00
return
}
machineKeyFromCache, machineKeyOK := machineKeyIf.(string)
var machineKey key.MachinePublic
err = machineKey.UnmarshalText(
[]byte(MachinePublicKeyEnsurePrefix(machineKeyFromCache)),
)
if err != nil {
log.Error().
Msg("could not parse machine public key")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusBadRequest)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("could not parse public key"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
return
}
2021-09-26 16:53:05 +08:00
if !machineKeyOK {
2021-10-10 17:22:42 +08:00
log.Error().Msg("could not get machine key from cache")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("could not get machine key from cache"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-11-14 16:46:09 +01:00
2021-09-26 16:53:05 +08:00
return
}
2022-02-28 23:00:41 +00:00
// retrieve machine information if it exist
2022-03-02 07:29:40 +00:00
// The error is not important, because if it does not
// exist, then this is a new machine and we will move
// on to registration.
2022-03-01 18:51:56 +00:00
machine, _ := h.GetMachineByMachineKey(machineKey)
2021-09-26 16:53:05 +08:00
if machine != nil {
log.Trace().
Caller().
2022-04-24 20:55:54 +01:00
Str("machine", machine.Hostname).
Msg("machine already registered, reauthenticating")
2022-06-26 12:30:52 +02:00
err := h.RefreshMachine(machine, time.Time{})
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to refresh machine")
http.Error(writer, "Failed to refresh machine", http.StatusInternalServerError)
return
}
2021-12-22 19:43:53 -07:00
var content bytes.Buffer
if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
User: claims.Email,
Verb: "Reauthenticated",
}); err != nil {
log.Error().
Str("func", "OIDCCallback").
Str("type", "reauthenticate").
Err(err).
Msg("Could not render OIDC callback template")
2022-06-17 17:42:17 +02:00
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("Could not render OIDC callback template"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2022-06-17 17:42:17 +02:00
return
2021-12-22 19:43:53 -07:00
}
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/html; charset=utf-8")
writer.WriteHeader(http.StatusOK)
2022-06-26 12:30:52 +02:00
_, err = writer.Write(content.Bytes())
2022-06-26 12:21:35 +02:00
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
return
}
namespaceName, err := NormalizeToFQDNRules(
2022-02-23 14:22:21 +01:00
claims.Email,
h.cfg.OIDC.StripEmaildomain,
)
2022-02-22 12:46:45 +01:00
if err != nil {
log.Error().Err(err).Caller().Msgf("couldn't normalize email")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("couldn't normalize email"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2022-02-22 21:05:39 +01:00
2022-02-22 12:46:45 +01:00
return
}
2022-02-22 12:46:45 +01:00
// register the machine if it's new
log.Debug().Msg("Registering new machine after successful callback")
2021-09-26 16:53:05 +08:00
namespace, err := h.GetNamespace(namespaceName)
if errors.Is(err, errNamespaceNotFound) {
namespace, err = h.CreateNamespace(namespaceName)
2021-09-26 16:53:05 +08:00
2022-02-22 12:46:45 +01:00
if err != nil {
2021-12-22 19:43:53 -07:00
log.Error().
Err(err).
Caller().
Msgf("could not create new namespace '%s'", namespaceName)
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("could not create namespace"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-12-22 19:43:53 -07:00
2022-02-22 12:46:45 +01:00
return
}
} else if err != nil {
log.Error().
Caller().
Err(err).
Str("namespace", namespaceName).
Msg("could not find or create namespace")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("could not find or create namespace"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
return
}
machineKeyStr := MachinePublicKeyStripPrefix(machineKey)
_, err = h.RegisterMachineFromAuthCallback(
machineKeyStr,
namespace.Name,
RegisterMethodOIDC,
)
if err != nil {
log.Error().
Caller().
Err(err).
Msg("could not register machine")
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("could not register machine"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
return
2021-10-18 19:27:52 +00:00
}
2022-02-22 12:46:45 +01:00
var content bytes.Buffer
if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
User: claims.Email,
Verb: "Authenticated",
}); err != nil {
log.Error().
Str("func", "OIDCCallback").
Str("type", "authenticate").
Err(err).
Msg("Could not render OIDC callback template")
2022-06-17 17:42:17 +02:00
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
writer.WriteHeader(http.StatusInternalServerError)
2022-06-26 12:21:35 +02:00
_, err := writer.Write([]byte("Could not render OIDC callback template"))
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2022-06-17 17:42:17 +02:00
return
2021-10-18 19:27:52 +00:00
}
2022-06-26 12:01:04 +02:00
writer.Header().Set("Content-Type", "text/html; charset=utf-8")
writer.WriteHeader(http.StatusOK)
2022-06-26 12:21:35 +02:00
_, err = writer.Write(content.Bytes())
if err != nil {
log.Error().
Caller().
Err(err).
Msg("Failed to write response")
}
2021-09-26 16:53:05 +08:00
}