package headscale
import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"html"
	"net/http"
	"regexp"
	"sort"
	"strings"
	"time"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/gin-gonic/gin"
	"github.com/patrickmn/go-cache"
	"github.com/rs/zerolog/log"
	"golang.org/x/oauth2"
)
// Tunables for the OIDC registration round trip.
const (
	// OIDC_STATE_CACHE_EXPIRATION bounds how long a pending login (state -> machine key)
	// stays redeemable in the state cache.
	OIDC_STATE_CACHE_EXPIRATION = 5 * time.Minute
	// OIDC_STATE_CACHE_CLEANUP_INTERVAL is how often expired entries are purged.
	OIDC_STATE_CACHE_CLEANUP_INTERVAL = 10 * time.Minute
	// RANDOM_BYTE_SIZE is the number of CSPRNG bytes behind each state value
	// (hex-encoded before it is sent to the provider).
	RANDOM_BYTE_SIZE = 16
)
// IDTokenClaims is the subset of OIDC ID token claims this package decodes.
//
// Within this file only Email drives behaviour (it is matched against the
// configured namespace patterns); Username is logged on a failed mapping and
// Name/Groups are decoded but not consumed here. The standard email_verified
// claim is not captured, so nothing here can tell whether the provider has
// actually verified the address.
type IDTokenClaims struct {
	Name     string   `json:"name,omitempty"`
	Groups   []string `json:"groups,omitempty"`
	Email    string   `json:"email"`
	Username string   `json:"preferred_username,omitempty"`
}
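// initOIDC lazily builds the OIDC provider / OAuth2 client configuration and the
// state cache used to correlate a login round trip with a machine key.
//
// It is safe to call more than once: an existing oauth2Config or oidcStateCache
// is kept as-is. Provider discovery is performed against h.cfg.OIDC.Issuer and
// the redirect URL is derived from h.cfg.ServerURL, so both must be set first.
//
// Returns an error if provider discovery fails or if any key of
// h.cfg.OIDC.MatchMap is not a valid regular expression. Validating the
// patterns here makes a bad configuration fail at startup instead of failing
// inside the callback handler on the first login.
func (h *Headscale) initOIDC() error {
	// Fail fast on misconfigured email matchers; they are evaluated per login.
	for pattern := range h.cfg.OIDC.MatchMap {
		if _, err := regexp.Compile(pattern); err != nil {
			return fmt.Errorf("invalid OIDC match_map pattern %q: %w", pattern, err)
		}
	}

	if h.oauth2Config == nil {
		provider, err := oidc.NewProvider(context.Background(), h.cfg.OIDC.Issuer)
		if err != nil {
			log.Error().
				Err(err).
				Str("issuer", h.cfg.OIDC.Issuer).
				Msg("Could not retrieve OIDC Config")

			return fmt.Errorf("retrieving OIDC provider configuration: %w", err)
		}
		h.oidcProvider = provider

		h.oauth2Config = &oauth2.Config{
			ClientID:     h.cfg.OIDC.ClientID,
			ClientSecret: h.cfg.OIDC.ClientSecret,
			Endpoint:     h.oidcProvider.Endpoint(),
			// The provider must have exactly this URL registered for the client.
			RedirectURL: fmt.Sprintf(
				"%s/oidc/callback",
				strings.TrimSuffix(h.cfg.ServerURL, "/"),
			),
			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
		}
	}

	// State cache: state value -> machine key, bounded by the expiration above.
	if h.oidcStateCache == nil {
		h.oidcStateCache = cache.New(
			OIDC_STATE_CACHE_EXPIRATION,
			OIDC_STATE_CACHE_CLEANUP_INTERVAL,
		)
	}

	return nil
}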
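// RegisterOIDC starts the browser-based OIDC login for one machine.
//
// The machine key is taken from the "mkey" route parameter; a fresh random state
// value is minted, the machine key is stored under it in oidcStateCache for
// OIDC_STATE_CACHE_EXPIRATION, and the client is redirected to the provider's
// authorization endpoint carrying that state. OIDCCallback later resolves the
// state back to the machine key.
//
// Responds 400 when the route parameter is missing and 500 when the system
// CSPRNG cannot be read.
//
// NOTE(review): the state is bound only to the machine key, not to the browser
// that started the flow (no cookie is set). Whoever completes the provider
// login for this state ends up owning the machine, which is the phishing
// concern recorded on OIDCCallback; a state cookie checked in the callback
// would tie the two halves of the flow to one browser.
//
// Listens in /oidc/register/:mkey.
func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
	mKeyStr := ctx.Param("mkey")
	if mKeyStr == "" {
		ctx.String(http.StatusBadRequest, "Wrong params")

		return
	}

	// crypto/rand: the state doubles as the CSRF token of the OAuth2 round trip.
	randomBlob := make([]byte, RANDOM_BYTE_SIZE)
	if _, err := rand.Read(randomBlob); err != nil {
		log.Error().
			Err(err).
			Int("bytes", RANDOM_BYTE_SIZE).
			Msg("could not read random bytes for OIDC state")
		ctx.String(http.StatusInternalServerError, "could not generate OIDC state")

		return
	}
	// Hex of the full blob; no fixed-length slice, so changing RANDOM_BYTE_SIZE
	// cannot make this panic.
	stateStr := hex.EncodeToString(randomBlob)

	// Park the machine key so the callback can find it via the state parameter.
	h.oidcStateCache.Set(stateStr, mKeyStr, OIDC_STATE_CACHE_EXPIRATION)

	// The full URL (including the state) is deliberately kept out of the logs.
	authURL := h.oauth2Config.AuthCodeURL(stateStr)
	log.Debug().
		Str("machine_key", mKeyStr).
		Msg("Redirecting to OIDC provider for authentication")

	ctx.Redirect(http.StatusFound, authURL)
}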
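// OIDCCallback handles the redirect back from the OIDC provider.
//
// Flow: validate the code/state query parameters, resolve (and consume) the
// state back to the machine key stored by RegisterOIDC, exchange the code,
// verify the ID token against the configured client ID, decode its claims, map
// the email claim to a namespace via h.cfg.OIDC.MatchMap and, if the machine is
// not yet registered, assign it an IP and the namespace and persist it. The
// machine expiry is then refreshed and a small confirmation page is returned.
//
// Security notes:
//   - The state entry is deleted as soon as it is looked up, so a callback URL
//     cannot be redeemed twice within the cache TTL.
//   - The email claim is HTML-escaped before being echoed into the response;
//     it is provider/user-controlled data.
//   - Neither the access token nor the ID token is written to the logs, and
//     verification failures are reported to the client without the error text.
//   - An ID token without an email claim is rejected rather than matched
//     against the namespace patterns (a permissive pattern would otherwise
//     match the empty string).
//   - NOTE(review): the email_verified claim is not checked; a provider that
//     issues tokens for unverified addresses could map users to the wrong
//     namespace.
//
// TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
// TODO: Add groups information from OIDC tokens into machine HostInfo
// TODO: the userinfo endpoint could supply additional attributes (group membership, etc)
//
// Listens in /oidc/callback.
func (h *Headscale) OIDCCallback(ctx *gin.Context) {
	code := ctx.Query("code")
	state := ctx.Query("state")
	if code == "" || state == "" {
		ctx.String(http.StatusBadRequest, "Wrong params")

		return
	}

	// Resolve the state before talking to the provider: an unknown or expired
	// state is rejected without spending a round trip on the code exchange.
	mKeyStr, ok := h.consumeOIDCState(state)
	if !ok {
		ctx.String(http.StatusBadRequest, "state has expired")

		return
	}

	claims, err := h.claimsFromAuthorizationCode(ctx.Request.Context(), code)
	if err != nil {
		log.Error().
			Err(err).
			Str("machine_key", mKeyStr).
			Msg("OIDC code exchange or ID token verification failed")
		ctx.String(http.StatusBadRequest, "Could not validate OIDC login")

		return
	}

	if claims.Email == "" {
		log.Error().
			Str("username", claims.Username).
			Str("machine_key", mKeyStr).
			Msg("ID token carries no email claim; cannot map to a namespace")
		ctx.String(
			http.StatusBadRequest,
			"email from claim could not be mapped to a namespace",
		)

		return
	}

	// retrieve machine information
	machine, err := h.GetMachineByMachineKey(mKeyStr)
	if err != nil {
		log.Error().Err(err).Msg("machine key not found in database")
		ctx.String(
			http.StatusInternalServerError,
			"could not get machine info from database",
		)

		return
	}

	namespaceName, ok := h.getNamespaceFromEmail(claims.Email)
	if !ok {
		log.Error().
			Str("email", claims.Email).
			Str("username", claims.Username).
			Str("machine", machine.Name).
			Msg("Email could not be mapped to a namespace")
		ctx.String(
			http.StatusBadRequest,
			"email from claim could not be mapped to a namespace",
		)

		return
	}

	// register the machine if it's new
	if !machine.Registered {
		log.Debug().
			Str("machine", machine.Name).
			Str("namespace", namespaceName).
			Msg("Registering new machine after successful callback")

		namespace, err := h.GetNamespace(namespaceName)
		if err != nil {
			// First login for this namespace: create it on the fly.
			namespace, err = h.CreateNamespace(namespaceName)
			if err != nil {
				log.Error().
					Err(err).
					Str("namespace", namespaceName).
					Msg("could not create new namespace")
				ctx.String(
					http.StatusInternalServerError,
					"could not create new namespace",
				)

				return
			}
		}

		ip, err := h.getAvailableIP()
		if err != nil {
			log.Error().Err(err).Msg("could not get an IP from the pool")
			ctx.String(
				http.StatusInternalServerError,
				"could not get an IP from the pool",
			)

			return
		}

		now := time.Now().UTC()
		machine.IPAddress = ip.String()
		machine.NamespaceID = namespace.ID
		machine.Registered = true
		machine.RegisterMethod = "oidc"
		machine.LastSuccessfulUpdate = &now
		// A failed save must not be reported as a successful registration.
		if err := h.db.Save(&machine).Error; err != nil {
			log.Error().
				Err(err).
				Str("machine", machine.Name).
				Msg("could not persist registered machine")
			ctx.String(http.StatusInternalServerError, "could not save machine")

			return
		}
	}

	h.updateMachineExpiry(machine)

	// The email is attacker-influenced (it comes from the provider); escape it.
	ctx.Data(http.StatusOK, "text/html; charset=utf-8", []byte(fmt.Sprintf(`
<html>
<body>
<h1>headscale</h1>
<p>
    Authenticated as %s, you can now close this window.
</p>
</body>
</html>
`, html.EscapeString(claims.Email))))
}

// consumeOIDCState looks up the machine key stored under state by RegisterOIDC
// and removes the entry, making every state value single-use. The boolean is
// false when the state is unknown, has expired, or holds a value of an
// unexpected type; the cause is logged.
func (h *Headscale) consumeOIDCState(state string) (string, bool) {
	mKeyIf, found := h.oidcStateCache.Get(state)
	if !found {
		log.Error().
			Msg("requested machine state key expired before authorisation completed")

		return "", false
	}
	// Delete regardless of the outcome below: a malformed entry is as unusable
	// as a missing one, and a used state must not be redeemable again.
	h.oidcStateCache.Delete(state)

	mKeyStr, isString := mKeyIf.(string)
	if !isString {
		log.Error().Msg("could not get machine key from cache")

		return "", false
	}

	return mKeyStr, true
}

// claimsFromAuthorizationCode exchanges the authorization code for tokens,
// verifies the ID token through the provider's verifier configured with
// h.cfg.OIDC.ClientID as the expected audience, and decodes the claims this
// package cares about.
//
// The returned error wraps the underlying cause for logging; it is not meant to
// be shown to the end user. The access token is deliberately never logged: it
// is a bearer credential.
func (h *Headscale) claimsFromAuthorizationCode(
	ctx context.Context,
	code string,
) (IDTokenClaims, error) {
	var claims IDTokenClaims

	oauth2Token, err := h.oauth2Config.Exchange(ctx, code)
	if err != nil {
		return claims, fmt.Errorf("exchanging authorization code: %w", err)
	}

	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok {
		return claims, errors.New("token response carries no id_token")
	}

	verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
	idToken, err := verifier.Verify(ctx, rawIDToken)
	if err != nil {
		return claims, fmt.Errorf("verifying id token: %w", err)
	}

	if err := idToken.Claims(&claims); err != nil {
		return claims, fmt.Errorf("decoding id token claims: %w", err)
	}

	return claims, nil
}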
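// getNamespaceFromEmail maps a user's email to a namespace by testing it
// against the regular-expression keys of h.cfg.OIDC.MatchMap and returning the
// value of the first key that matches.
//
// Keys are evaluated in sorted order so the result is deterministic when more
// than one pattern matches (Go map iteration order is randomised). Sorted order
// is still not the order of the user's configuration; a slice-based config
// would be needed for that.
//
// Patterns are unanchored: "example.com" also matches
// "user@example.com.attacker.net". Operators should anchor patterns
// (e.g. "^.*@example\.com$") when the match is meant to be exact.
//
// A key that fails to compile is logged and skipped instead of panicking inside
// the HTTP handler; ideally such a configuration is rejected at startup.
//
// Returns ("", false) when no pattern matches.
func (h *Headscale) getNamespaceFromEmail(email string) (string, bool) {
	patterns := make([]string, 0, len(h.cfg.OIDC.MatchMap))
	for pattern := range h.cfg.OIDC.MatchMap {
		patterns = append(patterns, pattern)
	}
	sort.Strings(patterns)

	for _, pattern := range patterns {
		regex, err := regexp.Compile(pattern)
		if err != nil {
			log.Error().
				Err(err).
				Str("pattern", pattern).
				Msg("invalid OIDC match_map pattern; skipping")

			continue
		}
		if regex.MatchString(email) {
			return h.cfg.OIDC.MatchMap[pattern], true
		}
	}

	return "", false
}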