headscale/oidc.go

package headscale

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"regexp"
	"strings"
	"time"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/gin-gonic/gin"
	"github.com/patrickmn/go-cache"
	"github.com/rs/zerolog/log"
	"golang.org/x/oauth2"
)

type IDTokenClaims struct {
	Name     string   `json:"name,omitempty"`
	Groups   []string `json:"groups,omitempty"`
	Email    string   `json:"email"`
	Username string   `json:"preferred_username,omitempty"`
}

func (h *Headscale) initOIDC() error {
	var err error
	// grab oidc config if it hasn't been already
	if h.oauth2Config == nil {
		h.oidcProvider, err = oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)

		if err != nil {
			log.Error().Msgf("Could not retrieve OIDC Config: %s", err.Error())
			return err
		}

		h.oauth2Config = &oauth2.Config{
			ClientID:     h.cfg.OIDC.ClientID,
			ClientSecret: h.cfg.OIDC.ClientSecret,
			Endpoint:     h.oidcProvider.Endpoint(),
			RedirectURL:  fmt.Sprintf("%s/oidc/callback", strings.TrimSuffix(h.cfg.ServerURL, "/")),
			Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
		}
	}

	// init the state cache if it hasn't been already
	if h.oidcStateCache == nil {
		h.oidcStateCache = cache.New(time.Minute*5, time.Minute*10)
	}

	return nil
}

// RegisterOIDC redirects to the OIDC provider for authentication
// Puts machine key in cache so the callback can retrieve it using the oidc state param
// Listens in /oidc/register/:mKey
func (h *Headscale) RegisterOIDC(c *gin.Context) {
	mKeyStr := c.Param("mkey")
	if mKeyStr == "" {
		c.String(http.StatusBadRequest, "Wrong params")
		return
	}

	b := make([]byte, 16)
	_, err := rand.Read(b)
	if err != nil {
		log.Error().Msg("could not read 16 bytes from rand")
		c.String(http.StatusInternalServerError, "could not read 16 bytes from rand")
		return
	}

	stateStr := hex.EncodeToString(b)[:32]

	// place the machine key into the state cache, so it can be retrieved later
	h.oidcStateCache.Set(stateStr, mKeyStr, time.Minute*5)

	authUrl := h.oauth2Config.AuthCodeURL(stateStr)
	log.Debug().Msgf("Redirecting to %s for authentication", authUrl)

	c.Redirect(http.StatusFound, authUrl)
}

// OIDCCallback handles the callback from the OIDC endpoint
// Retrieves the mkey from the state cache and adds the machine to the users email namespace
// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into machine HostInfo
// Listens in /oidc/callback
func (h *Headscale) OIDCCallback(c *gin.Context) {
	code := c.Query("code")
	state := c.Query("state")

	if code == "" || state == "" {
		c.String(http.StatusBadRequest, "Wrong params")
		return
	}

	oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)
	if err != nil {
		c.String(http.StatusBadRequest, "Could not exchange code for token")
		return
	}

	log.Debug().Msgf("AccessToken: %v", oauth2Token.AccessToken)

	rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
	if !rawIDTokenOK {
		c.String(http.StatusBadRequest, "Could not extract ID Token")
		return
	}

	verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})

	idToken, err := verifier.Verify(context.Background(), rawIDToken)
	if err != nil {
		c.String(http.StatusBadRequest, "Failed to verify id token: %s", err.Error())
		return
	}

	// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
	//userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
	//if err != nil {
	//	c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo: %s", err))
	//	return
	//}

	// Extract custom claims
	var claims IDTokenClaims
	if err = idToken.Claims(&claims); err != nil {
		c.String(http.StatusBadRequest, fmt.Sprintf("Failed to decode id token claims: %s", err))
		return
	}

	// retrieve machinekey from state cache
	mKeyIf, mKeyFound := h.oidcStateCache.Get(state)

	if !mKeyFound {
		log.Error().Msg("requested machine state key expired before authorisation completed")
		c.String(http.StatusBadRequest, "state has expired")
		return
	}
	mKeyStr, mKeyOK := mKeyIf.(string)

	if !mKeyOK {
		log.Error().Msg("could not get machine key from cache")
		c.String(http.StatusInternalServerError, "could not get machine key from cache")
		return
	}

	// retrieve machine information
	m, err := h.GetMachineByMachineKey(mKeyStr)
	if err != nil {
		log.Error().Msg("machine key not found in database")
		c.String(http.StatusInternalServerError, "could not get machine info from database")
		return
	}

	now := time.Now().UTC()

	if nsName, ok := h.getNamespaceFromEmail(claims.Email); ok {
		// register the machine if it's new
		if !m.Registered {

			log.Debug().Msg("Registering new machine after successful callback")

			ns, err := h.GetNamespace(nsName)
			if err != nil {
				ns, err = h.CreateNamespace(nsName)

				if err != nil {
					log.Error().Msgf("could not create new namespace '%s'", claims.Email)
					c.String(http.StatusInternalServerError, "could not create new namespace")
					return
				}
			}

			ip, err := h.getAvailableIP()
			if err != nil {
				c.String(http.StatusInternalServerError, "could not get an IP from the pool")
				return
			}

			m.IPAddress = ip.String()
			m.NamespaceID = ns.ID
			m.Registered = true
			m.RegisterMethod = "oidc"
			m.LastSuccessfulUpdate = &now
			h.db.Save(&m)
		}

		h.updateMachineExpiry(m)

		c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(fmt.Sprintf(`
<html>
<body>
<h1>headscale</h1>
<p>
    Authenticated as %s, you can now close this window.
</p>
</body>
</html>

`, claims.Email)))

	}

	log.Error().
		Str("email", claims.Email).
		Str("username", claims.Username).
		Str("machine", m.Name).
		Msg("Email could not be mapped to a namespace")
	c.String(http.StatusBadRequest, "email from claim could not be mapped to a namespace")
}

// getNamespaceFromEmail passes the users email through a list of "matchers"
// and iterates through them until it matches and returns a namespace.
// If no match is found, an empty string will be returned.
// TODO(kradalby): golang Maps key order is not stable, so this list is _not_ deterministic. Find a way to make the list of keys stable, preferably in the order presented in a users configuration.
func (h *Headscale) getNamespaceFromEmail(email string) (string, bool) {
	for match, namespace := range h.cfg.OIDC.MatchMap {
		regex := regexp.MustCompile(match)
		if regex.MatchString(email) {
			return namespace, true
		}
	}

	return "", false
}
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`package headscale`

			`import (`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`"context"`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`"crypto/rand"`
			`"encoding/hex"`
			`"fmt"`
Implement namespace matching 2021-10-18 19:27:52 +00:00			`"net/http"`
			`"regexp"`
			`"strings"`
			`"time"`

use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`"github.com/coreos/go-oidc/v3/oidc"`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`"github.com/gin-gonic/gin"`
			`"github.com/patrickmn/go-cache"`
			`"github.com/rs/zerolog/log"`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`"golang.org/x/oauth2"`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`)`

use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`type IDTokenClaims struct {`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			Name string `json:"name,omitempty"`
			Groups []string `json:"groups,omitempty"`
			Email string `json:"email"`
			Username string `json:"preferred_username,omitempty"`
			`}`

updates from code review 2021-10-08 17:43:52 +08:00			`func (h *Headscale) initOIDC() error {`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`var err error`
			`// grab oidc config if it hasn't been already`
updates from code review 2021-10-08 17:43:52 +08:00			`if h.oauth2Config == nil {`
Implement namespace matching 2021-10-18 19:27:52 +00:00			`h.oidcProvider, err = oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
			`if err != nil {`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`log.Error().Msgf("Could not retrieve OIDC Config: %s", err.Error())`
updates from code review 2021-10-08 17:43:52 +08:00			`return err`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`}`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00
updates from code review 2021-10-08 17:43:52 +08:00			`h.oauth2Config = &oauth2.Config{`
Implement namespace matching 2021-10-18 19:27:52 +00:00			`ClientID: h.cfg.OIDC.ClientID,`
			`ClientSecret: h.cfg.OIDC.ClientSecret,`
updates from code review 2021-10-08 17:43:52 +08:00			`Endpoint: h.oidcProvider.Endpoint(),`
Handle trailing slash on uris Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no> 2021-10-08 15:26:31 +08:00			`RedirectURL: fmt.Sprintf("%s/oidc/callback", strings.TrimSuffix(h.cfg.ServerURL, "/")),`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`Scopes: []string{oidc.ScopeOpenID, "profile", "email"},`
			`}`
updates from code review 2021-10-08 17:43:52 +08:00			`}`

			`// init the state cache if it hasn't been already`
			`if h.oidcStateCache == nil {`
			`h.oidcStateCache = cache.New(time.Minute5, time.Minute10)`
			`}`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00
updates from code review 2021-10-08 17:43:52 +08:00			`return nil`
			`}`

			`// RegisterOIDC redirects to the OIDC provider for authentication`
			`// Puts machine key in cache so the callback can retrieve it using the oidc state param`
			`// Listens in /oidc/register/:mKey`
			`func (h Headscale) RegisterOIDC(c gin.Context) {`
			`mKeyStr := c.Param("mkey")`
			`if mKeyStr == "" {`
			`c.String(http.StatusBadRequest, "Wrong params")`
			`return`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`}`

			`b := make([]byte, 16)`
updates from code review 2021-10-08 17:43:52 +08:00			`_, err := rand.Read(b)`
fix linter errors, error out if jwt does not contain a key id 2021-09-26 21:12:36 +08:00			`if err != nil {`
			`log.Error().Msg("could not read 16 bytes from rand")`
			`c.String(http.StatusInternalServerError, "could not read 16 bytes from rand")`
			`return`
			`}`

initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`stateStr := hex.EncodeToString(b)[:32]`

			`// place the machine key into the state cache, so it can be retrieved later`
updates from code review 2021-10-08 17:43:52 +08:00			`h.oidcStateCache.Set(stateStr, mKeyStr, time.Minute*5)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
updates from code review 2021-10-08 17:43:52 +08:00			`authUrl := h.oauth2Config.AuthCodeURL(stateStr)`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`log.Debug().Msgf("Redirecting to %s for authentication", authUrl)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
			`c.Redirect(http.StatusFound, authUrl)`
			`}`

			`// OIDCCallback handles the callback from the OIDC endpoint`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`// Retrieves the mkey from the state cache and adds the machine to the users email namespace`
			`// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities`
			`// TODO: Add groups information from OIDC tokens into machine HostInfo`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`// Listens in /oidc/callback`
			`func (h Headscale) OIDCCallback(c gin.Context) {`
			`code := c.Query("code")`
			`state := c.Query("state")`

			`if code == "" \|\| state == "" {`
			`c.String(http.StatusBadRequest, "Wrong params")`
			`return`
			`}`

updates from code review 2021-10-08 17:43:52 +08:00			`oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`if err != nil {`
			`c.String(http.StatusBadRequest, "Could not exchange code for token")`
			`return`
			`}`

updates from code review 2021-10-10 17:22:42 +08:00			`log.Debug().Msgf("AccessToken: %v", oauth2Token.AccessToken)`

use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)`
			`if !rawIDTokenOK {`
			`c.String(http.StatusBadRequest, "Could not extract ID Token")`
			`return`
			`}`

Implement namespace matching 2021-10-18 19:27:52 +00:00			`verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`idToken, err := verifier.Verify(context.Background(), rawIDToken)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`if err != nil {`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`c.String(http.StatusBadRequest, "Failed to verify id token: %s", err.Error())`
			`return`
			`}`

updates from code review 2021-10-10 17:22:42 +08:00			`// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`//userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))`
			`//if err != nil {`
updates from code review 2021-10-10 17:22:42 +08:00			`// c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo: %s", err))`
use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00			`// return`
			`//}`

			`// Extract custom claims`
			`var claims IDTokenClaims`
			`if err = idToken.Claims(&claims); err != nil {`
updates from code review 2021-10-10 17:22:42 +08:00			`c.String(http.StatusBadRequest, fmt.Sprintf("Failed to decode id token claims: %s", err))`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`return`
			`}`

Implement namespace matching 2021-10-18 19:27:52 +00:00			`// retrieve machinekey from state cache`
updates from code review 2021-10-08 17:43:52 +08:00			`mKeyIf, mKeyFound := h.oidcStateCache.Get(state)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
			`if !mKeyFound {`
updates from code review 2021-10-10 17:22:42 +08:00			`log.Error().Msg("requested machine state key expired before authorisation completed")`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`c.String(http.StatusBadRequest, "state has expired")`
			`return`
			`}`
			`mKeyStr, mKeyOK := mKeyIf.(string)`

			`if !mKeyOK {`
updates from code review 2021-10-10 17:22:42 +08:00			`log.Error().Msg("could not get machine key from cache")`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`c.String(http.StatusInternalServerError, "could not get machine key from cache")`
			`return`
			`}`

			`// retrieve machine information`
updates from code review 2021-10-10 17:22:42 +08:00			`m, err := h.GetMachineByMachineKey(mKeyStr)`
			`if err != nil {`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`log.Error().Msg("machine key not found in database")`
			`c.String(http.StatusInternalServerError, "could not get machine info from database")`
			`return`
			`}`

updates from code review 2021-10-10 17:22:42 +08:00			`now := time.Now().UTC()`

Implement namespace matching 2021-10-18 19:27:52 +00:00			`if nsName, ok := h.getNamespaceFromEmail(claims.Email); ok {`
			`// register the machine if it's new`
			`if !m.Registered {`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
Implement namespace matching 2021-10-18 19:27:52 +00:00			`log.Debug().Msg("Registering new machine after successful callback")`
updates from code review 2021-10-08 17:43:52 +08:00
Implement namespace matching 2021-10-18 19:27:52 +00:00			`ns, err := h.GetNamespace(nsName)`
			`if err != nil {`
			`ns, err = h.CreateNamespace(nsName)`

			`if err != nil {`
			`log.Error().Msgf("could not create new namespace '%s'", claims.Email)`
			`c.String(http.StatusInternalServerError, "could not create new namespace")`
			`return`
			`}`
			`}`
fix linter errors, error out if jwt does not contain a key id 2021-09-26 21:12:36 +08:00
Implement namespace matching 2021-10-18 19:27:52 +00:00			`ip, err := h.getAvailableIP()`
fix linter errors, error out if jwt does not contain a key id 2021-09-26 21:12:36 +08:00			`if err != nil {`
Implement namespace matching 2021-10-18 19:27:52 +00:00			`c.String(http.StatusInternalServerError, "could not get an IP from the pool")`
fix linter errors, error out if jwt does not contain a key id 2021-09-26 21:12:36 +08:00			`return`
			`}`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
Implement namespace matching 2021-10-18 19:27:52 +00:00			`m.IPAddress = ip.String()`
			`m.NamespaceID = ns.ID`
			`m.Registered = true`
			`m.RegisterMethod = "oidc"`
			`m.LastSuccessfulUpdate = &now`
			`h.db.Save(&m)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`}`

Implement namespace matching 2021-10-18 19:27:52 +00:00			`h.updateMachineExpiry(m)`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
Implement namespace matching 2021-10-18 19:27:52 +00:00			c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(fmt.Sprintf(`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`<html>`
			`<body>`
			`<h1>headscale</h1>`
			`<p>`
fix linter errors, error out if jwt does not contain a key id 2021-09-26 21:12:36 +08:00			`Authenticated as %s, you can now close this window.`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`</p>`
			`</body>`
			`</html>`

fix linter errors, error out if jwt does not contain a key id 2021-09-26 21:12:36 +08:00			`, claims.Email)))
Implement namespace matching 2021-10-18 19:27:52 +00:00
			`}`

			`log.Error().`
			`Str("email", claims.Email).`
			`Str("username", claims.Username).`
			`Str("machine", m.Name).`
			`Msg("Email could not be mapped to a namespace")`
			`c.String(http.StatusBadRequest, "email from claim could not be mapped to a namespace")`
			`}`

Fix up leftovers from kradalby PR 2021-10-19 18:25:59 +01:00			`// getNamespaceFromEmail passes the users email through a list of "matchers"`
			`// and iterates through them until it matches and returns a namespace.`
			`// If no match is found, an empty string will be returned.`
			`// TODO(kradalby): golang Maps key order is not stable, so this list is _not_ deterministic. Find a way to make the list of keys stable, preferably in the order presented in a users configuration.`
Implement namespace matching 2021-10-18 19:27:52 +00:00			`func (h *Headscale) getNamespaceFromEmail(email string) (string, bool) {`
			`for match, namespace := range h.cfg.OIDC.MatchMap {`
			`regex := regexp.MustCompile(match)`
			`if regex.MatchString(email) {`
			`return namespace, true`
			`}`
			`}`

			`return "", false`
initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00			`}`