package oauth
import (
	"context"
	"encoding/json"
	"io"
	"mime"
	"net/http"
	"net/url"
	"strings"
	"time"

	portainer "github.com/portainer/portainer/api"

	"github.com/golang-jwt/jwt/v4"
	"github.com/pkg/errors"
	"github.com/rs/zerolog/log"
	"golang.org/x/oauth2"
)
// Service authenticates users against an external OAuth authorization server
// using the settings carried in a portainer.OAuthSettings. It holds no state
// of its own; everything it needs arrives per call through Authenticate.
type Service struct{}
// NewService creates a new, stateless OAuth authentication service.
func NewService() *Service {
	return new(Service)
}
// Authenticate exchanges the authorization code received from the OAuth
// provider for a token (against the token endpoint named in configuration),
// fetches the user's document from the resource server, folds in the claims
// of the id_token when one was issued, and resolves the username from the
// merged data using the configured user identifier.
//
// Only the username is returned; the token itself is not retained.
//
// Security notes:
//   - The id_token claims are taken without signature verification (see
//     getIdToken). They are trusted because they arrive directly from the
//     token endpoint during the code exchange, never from the user agent.
//   - Fields from the resource server take precedence over id_token claims
//     of the same name, since the resource document is merged on top.
//   - A missing or unparseable id_token is not fatal: it is logged at debug
//     level and the resource document alone is used.
func (*Service) Authenticate(code string, configuration *portainer.OAuthSettings) (string, error) {
	tok, err := getOAuthToken(code, configuration)
	if err != nil {
		log.Debug().Err(err).Msg("failed retrieving oauth token")

		return "", err
	}

	// Best effort: providers that issue no id_token leave this empty.
	idClaims, err := getIdToken(tok)
	if err != nil {
		log.Debug().Err(err).Msg("failed parsing id_token")
	}

	profile, err := getResource(tok.AccessToken, configuration)
	if err != nil {
		log.Debug().Err(err).Msg("failed retrieving resource")

		return "", err
	}

	// Resource-server fields win over id_token claims of the same name.
	merged := mergeSecondIntoFirst(idClaims, profile)

	user, err := getUsername(merged, configuration)
	if err != nil {
		log.Debug().Err(err).Msg("failed retrieving username")

		return "", err
	}

	return user, nil
}
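// mergeSecondIntoFirst copies every entry of overlap into base, overwriting
// entries with the same key, and returns base. base is modified in place;
// a nil base is replaced by a fresh map so the call never panics on write.
func mergeSecondIntoFirst(base map[string]interface{}, overlap map[string]interface{}) map[string]interface{} {
	if base == nil {
		base = make(map[string]interface{}, len(overlap))
	}

	for k, v := range overlap {
		base[k] = v
	}

	return base
}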
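// getOAuthToken exchanges an authorization code for a token at the configured
// AccessTokenURI, using the client ID/secret and redirect URI from
// configuration (see buildConfig).
//
// The exchange runs under a deadline so that a slow or unreachable token
// endpoint cannot hold the login request open indefinitely; without it the
// call inherits http.DefaultClient, which has no timeout.
//
// The code is percent-decoded before use. NOTE(review): the HTTP layer that
// extracted the code from the callback has normally decoded it already, so
// this second pass only matters for codes still carrying %XX escapes — confirm
// against the caller before removing it.
func getOAuthToken(code string, configuration *portainer.OAuthSettings) (*oauth2.Token, error) {
	// Upper bound on the round trip to the token endpoint.
	const exchangeTimeout = 30 * time.Second

	unescapedCode, err := url.QueryUnescape(code)
	if err != nil {
		return nil, err
	}

	ctx, cancel := context.WithTimeout(context.Background(), exchangeTimeout)
	defer cancel()

	token, err := buildConfig(configuration).Exchange(ctx, unescapedCode)
	if err != nil {
		return nil, err
	}

	return token, nil
}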
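// getIdToken returns the claims of the id_token carried in the token response
// as a map, or an empty map when the provider issued none.
//
// Providers such as Azure expose group membership only in the id_token and
// not on the user resource endpoint, which is why the claims are surfaced
// here and later merged with the resource document.
//
// Security: the JWT is parsed with ParseUnverified — the signature is NOT
// checked and the standard claims (exp, aud, ...) are NOT validated. This is
// acceptable only because the token comes straight from the token endpoint
// during the code exchange (see getOAuthToken) and never from the user agent;
// the trust rests on the transport to the configured AccessTokenURI being
// TLS. These claims must never be accepted from any other source.
func getIdToken(token *oauth2.Token) (map[string]interface{}, error) {
	tokenData := make(map[string]interface{})

	raw := token.Extra("id_token")
	if raw == nil {
		// No id_token in the response: nothing to contribute.
		return tokenData, nil
	}

	// Extra returns the raw decoded JSON value; guard the type instead of
	// asserting it, since a non-string value would otherwise panic here.
	idToken, ok := raw.(string)
	if !ok {
		return tokenData, errors.New("id_token is not a string")
	}

	// Claims validation is skipped on purpose: only the payload is wanted.
	jwtParser := jwt.Parser{
		SkipClaimsValidation: true,
	}

	parsed, _, err := jwtParser.ParseUnverified(idToken, jwt.MapClaims{})
	if err != nil {
		return tokenData, errors.Wrap(err, "failed to parse id_token")
	}

	if claims, ok := parsed.Claims.(jwt.MapClaims); ok {
		for k, v := range claims {
			tokenData[k] = v
		}
	}

	return tokenData, nil
}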
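// getResource fetches the user resource document from the configured
// ResourceURI, presenting the access token as a bearer token, and returns it
// as a flat map.
//
// The response is decoded according to its Content-Type:
//   - application/x-www-form-urlencoded and text/plain are parsed as a query
//     string, keeping the first value of each key;
//   - anything else is parsed as a JSON object.
//
// A non-200 status is reported as an *oauth2.RetrieveError carrying the
// response and body so callers can inspect what the provider said.
//
// The resource server is an admin-configured remote party: the call is
// bounded by a timeout and the body is capped, so a slow or misbehaving
// server can neither hang the login request nor make it buffer unbounded data.
func getResource(token string, configuration *portainer.OAuthSettings) (map[string]interface{}, error) {
	const (
		// Upper bound on the whole request, including reading the body.
		requestTimeout = 30 * time.Second
		// A user document is a few kilobytes; anything beyond this is either
		// a misconfiguration or hostile and is rejected.
		maxBodyBytes = 1 << 20
	)

	req, err := http.NewRequest(http.MethodGet, configuration.ResourceURI, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)

	client := &http.Client{Timeout: requestTimeout}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()

	// Read one byte past the cap so an oversized body can be told apart from
	// one that is exactly at the limit.
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBodyBytes+1))
	if err != nil {
		return nil, err
	}
	if len(body) > maxBodyBytes {
		return nil, errors.New("resource response body exceeds the size limit")
	}

	if resp.StatusCode != http.StatusOK {
		return nil, &oauth2.RetrieveError{
			Response: resp,
			Body:     body,
		}
	}

	content, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if err != nil {
		return nil, err
	}

	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
		values, err := url.ParseQuery(string(body))
		if err != nil {
			return nil, err
		}

		datamap := make(map[string]interface{}, len(values))
		for k, v := range values {
			// Only the first value of a repeated key is kept.
			if len(v) == 0 {
				datamap[k] = ""
			} else {
				datamap[k] = v[0]
			}
		}

		return datamap, nil
	}

	var datamap map[string]interface{}
	if err = json.Unmarshal(body, &datamap); err != nil {
		return nil, err
	}
	if datamap == nil {
		// A JSON "null" body decodes to a nil map; report it instead of
		// handing a (nil, nil) pair back to the caller.
		return nil, errors.New("resource response contains no data")
	}

	return datamap, nil
}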
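// buildConfig assembles the oauth2 client configuration from the stored
// settings: authorization and token endpoints, client credentials, redirect
// URI and scopes.
//
// Scopes are stored as a single comma-separated string. Each entry is trimmed
// and empty entries are dropped, so "openid, profile" yields two clean scopes
// and a blank setting yields none — rather than a scope with a leading space
// or a single empty scope, as a plain split would produce.
func buildConfig(configuration *portainer.OAuthSettings) *oauth2.Config {
	return &oauth2.Config{
		ClientID:     configuration.ClientID,
		ClientSecret: configuration.ClientSecret,
		Endpoint: oauth2.Endpoint{
			AuthURL:  configuration.AuthorizationURI,
			TokenURL: configuration.AccessTokenURI,
		},
		RedirectURL: configuration.RedirectURI,
		Scopes:      splitScopes(configuration.Scopes),
	}
}

// splitScopes turns the comma-separated scope setting into a clean slice:
// whitespace around each entry is trimmed and empty entries are dropped.
// A blank setting yields nil, which the oauth2 package treats as "no scopes".
func splitScopes(raw string) []string {
	var scopes []string
	for _, s := range strings.Split(raw, ",") {
		if s = strings.TrimSpace(s); s != "" {
			scopes = append(scopes, s)
		}
	}

	return scopes
}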