2022-02-14 17:22:30 +01:00
|
|
|
package login
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
2022-05-02 17:26:54 +02:00
|
|
|
"strings"
|
2022-08-16 07:04:36 +02:00
|
|
|
"time"
|
2022-02-14 17:22:30 +01:00
|
|
|
|
|
|
|
|
"github.com/gorilla/csrf"
|
|
|
|
|
"github.com/gorilla/mux"
|
|
|
|
|
"github.com/rakyll/statik/fs"
|
|
|
|
|
|
2023-09-29 10:21:32 +02:00
|
|
|
"github.com/zitadel/zitadel/feature"
|
2022-04-27 01:01:45 +02:00
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
|
http_utils "github.com/zitadel/zitadel/internal/api/http"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/api/http/middleware"
|
|
|
|
|
_ "github.com/zitadel/zitadel/internal/api/ui/login/statik"
|
|
|
|
|
auth_repository "github.com/zitadel/zitadel/internal/auth/repository"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/form"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/static"
|
2022-02-14 17:22:30 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type Login struct {
|
2022-04-25 10:01:17 +02:00
|
|
|
endpoint string
|
|
|
|
|
router http.Handler
|
|
|
|
|
renderer *Renderer
|
|
|
|
|
parser *form.Parser
|
|
|
|
|
command *command.Commands
|
|
|
|
|
query *query.Queries
|
|
|
|
|
staticStorage static.Storage
|
2022-02-14 17:22:30 +01:00
|
|
|
authRepo auth_repository.Repository
|
2022-04-25 11:16:36 +02:00
|
|
|
externalSecure bool
|
2022-03-14 07:55:09 +01:00
|
|
|
consolePath string
|
2022-04-25 10:01:17 +02:00
|
|
|
oidcAuthCallbackURL func(context.Context, string) string
|
2022-09-12 17:18:08 +01:00
|
|
|
samlAuthCallbackURL func(context.Context, string) string
|
2022-03-14 07:55:09 +01:00
|
|
|
idpConfigAlg crypto.EncryptionAlgorithm
|
|
|
|
|
userCodeAlg crypto.EncryptionAlgorithm
|
2023-09-29 10:21:32 +02:00
|
|
|
featureCheck feature.Checker
|
2022-02-14 17:22:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type Config struct {
|
|
|
|
|
LanguageCookieName string
|
2022-03-14 07:55:09 +01:00
|
|
|
CSRFCookieName string
|
2022-02-14 17:22:30 +01:00
|
|
|
Cache middleware.CacheConfig
|
2022-08-16 07:04:36 +02:00
|
|
|
AssetCache middleware.CacheConfig
|
2023-08-24 11:41:52 +02:00
|
|
|
|
|
|
|
|
// LoginV2
|
|
|
|
|
DefaultOTPEmailURLV2 string
|
2022-02-14 17:22:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
login = "LOGIN"
|
|
|
|
|
HandlerPrefix = "/ui/login"
|
|
|
|
|
DefaultLoggedOutPath = HandlerPrefix + EndpointLogoutDone
|
|
|
|
|
)
|
|
|
|
|
|
2022-03-14 07:55:09 +01:00
|
|
|
func CreateLogin(config Config,
|
|
|
|
|
command *command.Commands,
|
|
|
|
|
query *query.Queries,
|
|
|
|
|
authRepo *eventsourcing.EsRepository,
|
|
|
|
|
staticStorage static.Storage,
|
2022-04-25 11:16:36 +02:00
|
|
|
consolePath string,
|
2022-04-25 10:01:17 +02:00
|
|
|
oidcAuthCallbackURL func(context.Context, string) string,
|
2022-09-12 17:18:08 +01:00
|
|
|
samlAuthCallbackURL func(context.Context, string) string,
|
2022-03-14 07:55:09 +01:00
|
|
|
externalSecure bool,
|
2022-03-29 11:53:19 +02:00
|
|
|
userAgentCookie,
|
2022-04-25 10:01:17 +02:00
|
|
|
issuerInterceptor,
|
2022-09-12 17:18:08 +01:00
|
|
|
oidcInstanceHandler,
|
2023-02-27 22:36:43 +01:00
|
|
|
samlInstanceHandler,
|
|
|
|
|
assetCache,
|
2023-02-15 02:52:11 +01:00
|
|
|
accessHandler mux.MiddlewareFunc,
|
2022-03-14 07:55:09 +01:00
|
|
|
userCodeAlg crypto.EncryptionAlgorithm,
|
|
|
|
|
idpConfigAlg crypto.EncryptionAlgorithm,
|
|
|
|
|
csrfCookieKey []byte,
|
2023-09-29 10:21:32 +02:00
|
|
|
featureCheck feature.Checker,
|
2022-03-14 07:55:09 +01:00
|
|
|
) (*Login, error) {
|
2022-02-14 17:22:30 +01:00
|
|
|
login := &Login{
|
|
|
|
|
oidcAuthCallbackURL: oidcAuthCallbackURL,
|
2022-09-12 17:18:08 +01:00
|
|
|
samlAuthCallbackURL: samlAuthCallbackURL,
|
2022-04-25 11:16:36 +02:00
|
|
|
externalSecure: externalSecure,
|
2022-03-14 07:55:09 +01:00
|
|
|
consolePath: consolePath,
|
2022-02-14 17:22:30 +01:00
|
|
|
command: command,
|
|
|
|
|
query: query,
|
|
|
|
|
staticStorage: staticStorage,
|
|
|
|
|
authRepo: authRepo,
|
2022-03-14 07:55:09 +01:00
|
|
|
idpConfigAlg: idpConfigAlg,
|
|
|
|
|
userCodeAlg: userCodeAlg,
|
2023-09-29 10:21:32 +02:00
|
|
|
featureCheck: featureCheck,
|
2022-02-14 17:22:30 +01:00
|
|
|
}
|
|
|
|
|
statikFS, err := fs.NewWithNamespace("login")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("unable to create filesystem: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-16 07:04:36 +02:00
|
|
|
csrfInterceptor := createCSRFInterceptor(config.CSRFCookieName, csrfCookieKey, externalSecure, login.csrfErrorHandler())
|
|
|
|
|
cacheInterceptor := createCacheInterceptor(config.Cache.MaxAge, config.Cache.SharedMaxAge, assetCache)
|
2022-02-14 17:22:30 +01:00
|
|
|
security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
|
2022-04-25 10:01:17 +02:00
|
|
|
|
2023-02-15 02:52:11 +01:00
|
|
|
login.router = CreateRouter(login, statikFS, middleware.TelemetryHandler(IgnoreInstanceEndpoints...), oidcInstanceHandler, samlInstanceHandler, csrfInterceptor, cacheInterceptor, security, userAgentCookie, issuerInterceptor, accessHandler)
|
2022-04-25 11:16:36 +02:00
|
|
|
login.renderer = CreateRenderer(HandlerPrefix, statikFS, staticStorage, config.LanguageCookieName)
|
2022-02-14 17:22:30 +01:00
|
|
|
login.parser = form.NewParser()
|
|
|
|
|
return login, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func csp() *middleware.CSP {
|
|
|
|
|
csp := middleware.DefaultSCP
|
|
|
|
|
csp.ObjectSrc = middleware.CSPSourceOptsSelf()
|
|
|
|
|
csp.StyleSrc = csp.StyleSrc.AddNonce()
|
|
|
|
|
csp.ScriptSrc = csp.ScriptSrc.AddNonce()
|
|
|
|
|
return &csp
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-16 07:04:36 +02:00
|
|
|
func createCSRFInterceptor(cookieName string, csrfCookieKey []byte, externalSecure bool, errorHandler http.Handler) func(http.Handler) http.Handler {
|
2022-02-14 17:22:30 +01:00
|
|
|
path := "/"
|
2022-05-02 17:26:54 +02:00
|
|
|
return func(handler http.Handler) http.Handler {
|
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if strings.HasPrefix(r.URL.Path, EndpointResources) {
|
|
|
|
|
handler.ServeHTTP(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
2023-08-31 08:39:16 +02:00
|
|
|
// ignore form post callback
|
|
|
|
|
// it will redirect to the "normal" callback, where the cookie is set again
|
|
|
|
|
if r.URL.Path == EndpointExternalLoginCallbackFormPost && r.Method == http.MethodPost {
|
|
|
|
|
handler.ServeHTTP(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-05-02 17:26:54 +02:00
|
|
|
csrf.Protect(csrfCookieKey,
|
|
|
|
|
csrf.Secure(externalSecure),
|
|
|
|
|
csrf.CookieName(http_utils.SetCookiePrefix(cookieName, "", path, externalSecure)),
|
|
|
|
|
csrf.Path(path),
|
|
|
|
|
csrf.ErrorHandler(errorHandler),
|
|
|
|
|
)(handler).ServeHTTP(w, r)
|
|
|
|
|
})
|
2022-08-16 07:04:36 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createCacheInterceptor(maxAge, sharedMaxAge time.Duration, assetCache mux.MiddlewareFunc) func(http.Handler) http.Handler {
|
|
|
|
|
return func(handler http.Handler) http.Handler {
|
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if strings.HasPrefix(r.URL.Path, EndpointDynamicResources) {
|
|
|
|
|
assetCache.Middleware(handler).ServeHTTP(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if strings.HasPrefix(r.URL.Path, EndpointResources) {
|
|
|
|
|
middleware.AssetsCacheInterceptor(maxAge, sharedMaxAge).Handler(handler).ServeHTTP(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
middleware.NoCacheInterceptor().Handler(handler).ServeHTTP(w, r)
|
|
|
|
|
})
|
|
|
|
|
}
|
2022-02-14 17:22:30 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Login) Handler() http.Handler {
|
|
|
|
|
return l.router
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Login) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgName string) ([]string, error) {
|
2022-04-25 11:16:36 +02:00
|
|
|
loginName, err := query.NewUserPreferredLoginNameSearchQuery("@"+domain.NewIAMDomainName(orgName, authz.GetInstance(ctx).RequestedDomain()), query.TextEndsWithIgnoreCase)
|
2022-02-14 17:22:30 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-11-30 17:01:17 +01:00
|
|
|
users, err := l.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}}, false)
|
2022-02-14 17:22:30 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
userIDs := make([]string, len(users.Users))
|
|
|
|
|
for i, user := range users.Users {
|
|
|
|
|
userIDs[i] = user.ID
|
|
|
|
|
}
|
|
|
|
|
return userIDs, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func setContext(ctx context.Context, resourceOwner string) context.Context {
|
|
|
|
|
data := authz.CtxData{
|
|
|
|
|
UserID: login,
|
|
|
|
|
OrgID: resourceOwner,
|
|
|
|
|
}
|
|
|
|
|
return authz.SetCtxData(ctx, data)
|
|
|
|
|
}
|
2022-04-25 11:16:36 +02:00
|
|
|
|
2023-08-15 14:47:05 +02:00
|
|
|
func setUserContext(ctx context.Context, userID, resourceOwner string) context.Context {
|
|
|
|
|
data := authz.CtxData{
|
|
|
|
|
UserID: userID,
|
|
|
|
|
OrgID: resourceOwner,
|
|
|
|
|
}
|
|
|
|
|
return authz.SetCtxData(ctx, data)
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-25 11:16:36 +02:00
|
|
|
func (l *Login) baseURL(ctx context.Context) string {
|
|
|
|
|
return http_utils.BuildOrigin(authz.GetInstance(ctx).RequestedHost(), l.externalSecure) + HandlerPrefix
|
|
|
|
|
}
|
