github
/
portainer
mirror of https://github.com/portainer/portainer
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(oauth): merge pr from https://github.com/portainer/portainer/pull/2515

pull/2749/head
Chaim Lev Ari 2018-12-30 18:02:22 +02:00
parent 463b379876
commit 241a701eca
19 changed files with 501 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
api/cmd/portainer/main.go
View File

@ -20,6 +20,7 @@ import (
"github.com/portainer/portainer/jwt"
"github.com/portainer/portainer/ldap"
"github.com/portainer/portainer/libcompose"
"github.com/portainer/portainer/oauth"
"log"
)
@ -100,6 +101,10 @@ func initLDAPService() portainer.LDAPService {
return &ldap.Service{}
}
func initOAuthService() portainer.OAuthService {
return &oauth.Service{}
}
func initGitService() portainer.GitService {
return &git.Service{}
}
@ -260,6 +265,7 @@ func initSettings(settingsService portainer.SettingsService, flags *portainer.CL
portainer.LDAPGroupSearchSettings{},
},
},
OAuthSettings: portainer.OAuthSettings{},
AllowBindMountsForRegularUsers: true,
AllowPrivilegedModeForRegularUsers: true,
EnableHostManagementFeatures: false,
@ -520,6 +526,8 @@ func main() {
ldapService := initLDAPService()
oauthService := initOAuthService()
gitService := initGitService()
cryptoService := initCryptoService()
@ -665,6 +673,7 @@ func main() {
JWTService: jwtService,
FileService: fileService,
LDAPService: ldapService,
OAuthService: oauthService,
GitService: gitService,
SignatureService: digitalSignatureService,
JobScheduler: jobScheduler,

63
api/http/handler/auth/authenticate.go
View File

@ -17,6 +17,10 @@ type authenticatePayload struct {
Password string
}
type oauthPayload struct {
Code string
}
type authenticateResponse struct {
JWT string `json:"jwt"`
}
@ -31,6 +35,13 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
return nil
}
func (payload *oauthPayload) Validate(r *http.Request) error {
if govalidator.IsNull(payload.Code) {
return portainer.Error("Invalid OAuth authorization code")
}
return nil
}
func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
if handler.authDisabled {
return &httperror.HandlerError{http.StatusServiceUnavailable, "Cannot authenticate user. Portainer was started with the --no-auth flag", ErrAuthDisabled}
@ -82,6 +93,58 @@ func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.
return handler.writeToken(w, user)
}
func (handler *Handler) authenticateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
var payload oauthPayload
err := request.DecodeAndValidateJSONPayload(r, &payload)
if err != nil {
return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
}
settings, err := handler.SettingsService.Settings()
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
}
if settings.AuthenticationMethod != 3 {
return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not being used", err}
}
token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
if err != nil {
return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
}
username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
if err != nil {
return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
}
u, err := handler.UserService.UserByUsername(username)
if err != nil && err != portainer.ErrObjectNotFound {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
}
if u == nil && !settings.OAuthSettings.OAuthAutoCreateUsers {
return &httperror.HandlerError{http.StatusForbidden, "Unregistered account", portainer.ErrUnauthorized}
}
if u == nil {
user := &portainer.User{
Username: username,
Role: portainer.StandardUserRole,
}
err = handler.UserService.CreateUser(user)
if err != nil {
return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
}
return handler.writeToken(w, user)
}
return handler.writeToken(w, u)
}
func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
err := handler.CryptoService.CompareHashAndData(user.Password, password)
if err != nil {

3
api/http/handler/auth/handler.go
View File

@ -25,6 +25,7 @@ type Handler struct {
CryptoService portainer.CryptoService
JWTService portainer.JWTService
LDAPService portainer.LDAPService
OAuthService portainer.OAuthService
SettingsService portainer.SettingsService
TeamService portainer.TeamService
TeamMembershipService portainer.TeamMembershipService
@ -38,6 +39,8 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
}
h.Handle("/auth",
rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticate)))).Methods(http.MethodPost)
h.Handle("/oauth",
rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.authenticateOAuth)))).Methods(http.MethodPost)
return h
}

2
api/http/handler/handler.go
View File

@ -60,6 +60,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
switch {
case strings.HasPrefix(r.URL.Path, "/api/auth"):
http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
case strings.HasPrefix(r.URL.Path, "/api/oauth"):
http.StripPrefix("/api", h.AuthHandler).ServeHTTP(w, r)
case strings.HasPrefix(r.URL.Path, "/api/dockerhub"):
http.StripPrefix("/api", h.DockerHubHandler).ServeHTTP(w, r)
case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):

2
api/http/handler/settings/handler.go
View File

@ -11,6 +11,7 @@ import (
func hideFields(settings *portainer.Settings) {
settings.LDAPSettings.Password = ""
settings.OAuthSettings.ClientSecret = ""
}
// Handler is the HTTP handler used to handle settings operations.
@ -18,6 +19,7 @@ type Handler struct {
*mux.Router
SettingsService portainer.SettingsService
LDAPService portainer.LDAPService
OAuthService portainer.OAuthService
FileService portainer.FileService
JobScheduler portainer.JobScheduler
ScheduleService portainer.ScheduleService

8
api/http/handler/settings/settings_public.go
View File

@ -15,6 +15,10 @@ type publicSettingsResponse struct {
AllowPrivilegedModeForRegularUsers bool `json:"AllowPrivilegedModeForRegularUsers"`
EnableHostManagementFeatures bool `json:"EnableHostManagementFeatures"`
ExternalTemplates bool `json:"ExternalTemplates"`
AuthorizationURI string `json:"AuthorizationURI"`
ClientID string `json:"ClientID"`
RedirectURI string `json:"RedirectURI"`
Scopes string `json:"Scopes"`
}
// GET request on /api/settings/public
@ -31,6 +35,10 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
EnableHostManagementFeatures: settings.EnableHostManagementFeatures,
ExternalTemplates: false,
AuthorizationURI: settings.OAuthSettings.AuthorizationURI,
ClientID: settings.OAuthSettings.ClientID,
RedirectURI: settings.OAuthSettings.RedirectURI,
Scopes: settings.OAuthSettings.Scopes,
}
if settings.TemplatesURL != "" {

7
api/http/handler/settings/settings_update.go
View File

@ -16,6 +16,7 @@ type settingsUpdatePayload struct {
BlackListedLabels []portainer.Pair
AuthenticationMethod *int
LDAPSettings *portainer.LDAPSettings
OAuthSettings *portainer.OAuthSettings
AllowBindMountsForRegularUsers *bool
AllowPrivilegedModeForRegularUsers *bool
EnableHostManagementFeatures *bool
@ -24,7 +25,7 @@ type settingsUpdatePayload struct {
}
func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
if *payload.AuthenticationMethod != 1 && *payload.AuthenticationMethod != 2 {
if *payload.AuthenticationMethod != 1 && *payload.AuthenticationMethod != 2 && *payload.AuthenticationMethod != 3 {
return portainer.Error("Invalid authentication method value. Value must be one of: 1 (internal) or 2 (LDAP/AD)")
}
if payload.LogoURL != nil && *payload.LogoURL != "" && !govalidator.IsURL(*payload.LogoURL) {
@ -69,6 +70,10 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
settings.LDAPSettings = *payload.LDAPSettings
}
if payload.OAuthSettings != nil {
settings.OAuthSettings = *payload.OAuthSettings
}
if payload.AllowBindMountsForRegularUsers != nil {
settings.AllowBindMountsForRegularUsers = *payload.AllowBindMountsForRegularUsers
}

3
api/http/server.go
View File

@ -55,6 +55,7 @@ type Server struct {
GitService portainer.GitService
JWTService portainer.JWTService
LDAPService portainer.LDAPService
OAuthService portainer.OAuthService
ExtensionService portainer.ExtensionService
RegistryService portainer.RegistryService
ResourceControlService portainer.ResourceControlService
@ -104,6 +105,7 @@ func (server *Server) Start() error {
authHandler.CryptoService = server.CryptoService
authHandler.JWTService = server.JWTService
authHandler.LDAPService = server.LDAPService
authHandler.OAuthService = server.OAuthService
authHandler.SettingsService = server.SettingsService
authHandler.TeamService = server.TeamService
authHandler.TeamMembershipService = server.TeamMembershipService
@ -155,6 +157,7 @@ func (server *Server) Start() error {
var settingsHandler = settings.NewHandler(requestBouncer)
settingsHandler.SettingsService = server.SettingsService
settingsHandler.LDAPService = server.LDAPService
settingsHandler.OAuthService = server.OAuthService
settingsHandler.FileService = server.FileService
settingsHandler.JobScheduler = server.JobScheduler
settingsHandler.ScheduleService = server.ScheduleService

168
api/oauth/oauth.go Normal file
View File

@ -0,0 +1,168 @@
package oauth
import (
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"log"
"mime"
"net/http"
"net/url"
"strings"
"github.com/portainer/portainer"
"golang.org/x/oauth2"
)
const (
// ErrInvalidCode defines an error raised when the user authorization code is invalid
ErrInvalidCode = portainer.Error("Authorization code is invalid")
)
// Service represents a service used to authenticate users against an authorization server
type Service struct{}
// GetAccessToken takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint
func (*Service) GetAccessToken(code string, settings *portainer.OAuthSettings) (string, error) {
v := url.Values{}
v.Set("client_id", settings.ClientID)
v.Set("client_secret", settings.ClientSecret)
v.Set("redirect_uri", settings.RedirectURI)
v.Set("code", code)
v.Set("grant_type", "authorization_code")
req, err := http.NewRequest("POST", settings.AccessTokenURI, strings.NewReader(v.Encode()))
if err != nil {
return "", err
}
client := &http.Client{}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
r, err := client.Do(req)
if err != nil {
return "", err
}
body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))
if err != nil {
return "", fmt.Errorf("oauth2: cannot fetch token: %v", err)
}
if r.StatusCode != http.StatusOK {
log.Printf("[Error] - request returned with bad status code %v, body is %v", r.StatusCode, string(body))
type ErrorMessage struct {
Message string
Type string
Code int
}
type ErrorResponse struct {
Error ErrorMessage
}
var response ErrorResponse
if err = json.Unmarshal(body, &response); err != nil {
// report also error
log.Printf("[Error] - Failed parsing error body: %v", err)
return "", errors.New("oauth2: cannot fetch token")
}
return "", errors.New(response.Error.Message)
}
content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))
if content == "application/x-www-form-urlencoded" || content == "text/plain" {
values, err := url.ParseQuery(string(body))
if err != nil {
return "", err
}
token := values.Get("access_token")
log.Printf("[DEBUG] - returned body %v", values)
if token == "" {
log.Printf("[DEBUG] - access token returned empty - %v", values)
return "", errors.New("oauth2: cannot fetch token")
}
return token, nil
}
type tokenJSON struct {
AccessToken string `json:"access_token"`
}
var tj tokenJSON
if err = json.Unmarshal(body, &tj); err != nil {
return "", err
}
token := tj.AccessToken
if token == "" {
log.Printf("[DEBUG] - access token returned empty - %v with status code", string(body), r.StatusCode)
return "", errors.New("oauth2: cannot fetch token")
}
return token, nil
}
// GetUsername takes a token and retrieves the portainer OAuthSettings user identifier from resource server.
func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (string, error) {
req, err := http.NewRequest("GET", settings.ResourceURI, nil)
if err != nil {
return "", err
}
client := &http.Client{}
req.Header.Set("Authorization", "Bearer "+token)
resp, err := client.Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return "", err
}
if resp.StatusCode != http.StatusOK {
return "", &oauth2.RetrieveError{
Response: resp,
Body: body,
}
}
content, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Type"))
if content == "application/x-www-form-urlencoded" || content == "text/plain" {
values, err := url.ParseQuery(string(body))
if err != nil {
return "", err
}
username := values.Get(settings.UserIdentifier)
return username, nil
}
var datamap map[string]interface{}
if err = json.Unmarshal(body, &datamap); err != nil {
return "", err
}
username, ok := datamap[settings.UserIdentifier].(string)
if ok && username != "" {
return username, nil
}
if !ok {
username, ok := datamap[settings.UserIdentifier].(float64)
if ok {
return fmt.Sprint(int(username)), nil
}
}
return "", &oauth2.RetrieveError{
Response: resp,
Body: body,
}
}

22
api/portainer.go
View File

@ -56,6 +56,19 @@ type (
AutoCreateUsers bool `json:"AutoCreateUsers"`
}
// OAuthSettings represents the settings used to authorize with an authorization server
OAuthSettings struct {
ClientID string `json:"ClientID"`
ClientSecret string `json:"ClientSecret,omitempty"`
AccessTokenURI string `json:"AccessTokenURI"`
AuthorizationURI string `json:"AuthorizationURI"`
ResourceURI string `json:"ResourceURI"`
RedirectURI string `json:"RedirectURI"`
UserIdentifier string `json:"UserIdentifier"`
Scopes string `json:"Scopes"`
OAuthAutoCreateUsers bool `json:"OAuthAutoCreateUsers"`
}
// TLSConfiguration represents a TLS configuration
TLSConfiguration struct {
TLS bool `json:"TLS"`
@ -85,6 +98,7 @@ type (
BlackListedLabels []Pair `json:"BlackListedLabels"`
AuthenticationMethod AuthenticationMethod `json:"AuthenticationMethod"`
LDAPSettings LDAPSettings `json:"LDAPSettings"`
OAuthSettings OAuthSettings `json:"OAuthSettings"`
AllowBindMountsForRegularUsers bool `json:"AllowBindMountsForRegularUsers"`
AllowPrivilegedModeForRegularUsers bool `json:"AllowPrivilegedModeForRegularUsers"`
SnapshotInterval string `json:"SnapshotInterval"`
@ -748,6 +762,12 @@ type (
GetUserGroups(username string, settings *LDAPSettings) ([]string, error)
}
// OAuthService represents a service used to authenticate users against an authorization server
OAuthService interface {
GetAccessToken(code string, settings *OAuthSettings) (string, error)
GetUsername(token string, settings *OAuthSettings) (string, error)
}
// SwarmStackManager represents a service to manage Swarm stacks
SwarmStackManager interface {
Login(dockerhub *DockerHub, registries []Registry, endpoint *Endpoint)
@ -833,6 +853,8 @@ const (
AuthenticationInternal
// AuthenticationLDAP represents the LDAP authentication method (authentication against a LDAP server)
AuthenticationLDAP
//AuthenticationOAuth represents the OAuth authentication method (authentication against a authorization server)
AuthenticationOAuth
)
const (

1
app/constants.js
View File

@ -4,6 +4,7 @@ angular.module('portainer')
.constant('API_ENDPOINT_ENDPOINTS', 'api/endpoints')
.constant('API_ENDPOINT_ENDPOINT_GROUPS', 'api/endpoint_groups')
.constant('API_ENDPOINT_MOTD', 'api/motd')
.constant('API_ENDPOINT_OAUTH', 'api/oauth')
.constant('API_ENDPOINT_EXTENSIONS', 'api/extensions')
.constant('API_ENDPOINT_REGISTRIES', 'api/registries')
.constant('API_ENDPOINT_RESOURCE_CONTROLS', 'api/resource_controls')

3
app/portainer/components/datatables/users-datatable/usersDatatable.html
View File

@ -65,8 +65,9 @@
</span>
</td>
<td>
<span ng-if="item.Id === 1 || $ctrl.authenticationMethod !== 2">Internal</span>
<span ng-if="item.Id === 1 || $ctrl.authenticationMethod !== 2 && $ctrl.authenticationMethod !== 3">Internal</span>
<span ng-if="item.Id !== 1 && $ctrl.authenticationMethod === 2">LDAP</span>
<span ng-if="item.Id !== 1 && $ctrl.authenticationMethod === 3">OAuth</span>
</td>
</tr>
<tr ng-if="!$ctrl.dataset">

17
app/portainer/models/settings.js
View File

@ -3,6 +3,11 @@ function SettingsViewModel(data) {
this.BlackListedLabels = data.BlackListedLabels;
this.AuthenticationMethod = data.AuthenticationMethod;
this.LDAPSettings = data.LDAPSettings;
this.OAuthSettings = data.OAuthSettings;
this.ClientID = data.ClientID;
this.RedirectURI = data.RedirectURI;
this.Scopes = data.Scopes;
this.AuthorizationURI = data.AuthorizationURI;
this.AllowBindMountsForRegularUsers = data.AllowBindMountsForRegularUsers;
this.AllowPrivilegedModeForRegularUsers = data.AllowPrivilegedModeForRegularUsers;
this.SnapshotInterval = data.SnapshotInterval;
@ -31,3 +36,15 @@ function LDAPGroupSearchSettings(GroupBaseDN, GroupAttribute, GroupFilter) {
this.GroupAttribute = GroupAttribute;
this.GroupFilter = GroupFilter;
}
function OAuthSettingsViewModel(data) {
this.ClientID = data.ClientID;
this.ClientSecret = data.ClientSecret;
this.AccessTokenURI = data.AccessTokenURI;
this.AuthorizationURI = data.AuthorizationURI;
this.ResourceURI = data.ResourceURI;
this.RedirectURI = data.RedirectURI;
this.UserIdentifier = data.UserIdentifier;
this.Scopes = data.Scopes;
this.OAuthAutoCreateUsers = data.OAuthAutoCreateUsers;
}

9
app/portainer/rest/oauth.js Normal file
View File

@ -0,0 +1,9 @@
angular.module('portainer.app')
.factory('OAuth', ['$resource', 'API_ENDPOINT_OAUTH', function OAuthFactory($resource, API_ENDPOINT_OAUTH) {
'use strict';
return $resource(API_ENDPOINT_OAUTH, {}, {
login: {
method: 'POST', ignoreLoadingBar: true
}
});
}]);

21
app/portainer/services/authentication.js
View File

@ -1,11 +1,12 @@
angular.module('portainer.app')
.factory('Authentication', ['$q', 'Auth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', function AuthenticationFactory($q, Auth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
.factory('Authentication', ['$q', 'Auth', 'OAuth', 'jwtHelper', 'LocalStorage', 'StateManager', 'EndpointProvider', function AuthenticationFactory($q, Auth, OAuth, jwtHelper, LocalStorage, StateManager, EndpointProvider) {
'use strict';
var service = {};
var user = {};
service.init = init;
service.oAuthLogin = oAuthLogin;
service.login = login;
service.logout = logout;
service.isAuthenticated = isAuthenticated;
@ -22,6 +23,24 @@ angular.module('portainer.app')
}
}
function oAuthLogin(code) {
var deferred = $q.defer();
OAuth.login({code: code}).$promise
.then(function success(data) {
LocalStorage.storeJWT(data.jwt);
var tokenPayload = jwtHelper.decodeToken(data.jwt);
user.username = tokenPayload.username;
user.ID = tokenPayload.id;
user.role = tokenPayload.role;
deferred.resolve();
})
.catch(function error() {
deferred.reject();
});
return deferred.promise;
}
function login(username, password) {
var deferred = $q.defer();

4
app/portainer/views/auth/auth.html
View File

@ -28,13 +28,15 @@
<!-- login button -->
<div class="form-group">
<div class="col-sm-12">
<a ng-href="{{ AuthorizationURI }}?response_type=code&client_id={{ ClientID }}&redirect_uri={{ RedirectURI }}&scope={{ Scopes }}&state=portainer"><div class="btn btn-primary btn-sm pull-right" ng-if="AuthenticationMethod === 3" style="margin-left:2px"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> OAuth Login</div></a>
<button type="submit" class="btn btn-primary btn-sm pull-right" ng-click="authenticateUser()"><i class="fa fa-sign-in-alt" aria-hidden="true"></i> Login</button>
<span class="pull-left" style="margin: 5px;" ng-if="state.AuthenticationError">
<span class="pull-left" style="margin: 5px;" ng-if="state.AuthenticationError">
<i class="fa fa-exclamation-triangle red-icon" aria-hidden="true" style="margin-right: 2px;"></i>
<span class="small text-danger">{{ state.AuthenticationError }}</span>
</span>
</div>
</div>
<!-- !login button -->
</form>
<!-- !login form -->

45
app/portainer/views/auth/authController.js
View File

@ -1,6 +1,6 @@
angular.module('portainer.app')
.controller('AuthenticationController', ['$q', '$scope', '$state', '$transition$', '$sanitize', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
.controller('AuthenticationController', ['$q', '$scope', '$state', '$transition$', '$sanitize', '$location', '$window', 'Authentication', 'UserService', 'EndpointService', 'StateManager', 'Notifications', 'SettingsService',
function ($q, $scope, $state, $transition$, $sanitize, $location, $window, Authentication, UserService, EndpointService, StateManager, Notifications, SettingsService) {
$scope.logo = StateManager.getState().application.logo;
@ -12,6 +12,16 @@ function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserServi
$scope.state = {
AuthenticationError: ''
};
SettingsService.publicSettings()
.then(function success(settings) {
$scope.AuthenticationMethod = settings.AuthenticationMethod;
$scope.ClientID = settings.ClientID;
$scope.RedirectURI = settings.RedirectURI;
$scope.Scopes = settings.Scopes;
$scope.AuthorizationURI = settings.AuthorizationURI;
});
$scope.authenticateUser = function() {
var username = $scope.formValues.Username;
@ -74,6 +84,7 @@ function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserServi
$state.go('portainer.init.endpoint');
} else {
$state.go('portainer.home');
$window.location.search = '';
}
})
.catch(function error(err) {
@ -100,5 +111,35 @@ function ($q, $scope, $state, $transition$, $sanitize, Authentication, UserServi
}
}
function oAuthLogin(code) {
Authentication.oAuthLogin(code)
.then(function success() {
$state.go('portainer.home');
$window.location.search = '';
})
.catch(function error() {
$scope.state.AuthenticationError = 'Failed to authenticate with OAuth2 Provider';
});
}
function getParameter(param) {
var URL = $location.absUrl();
var params = URL.split('?')[1];
if (params === undefined) {
return null;
}
params = params.split('&');
for (var i = 0; i < params.length; i++) {
var parameter = params[i].split('=');
if (parameter[0] === param) {
return parameter[1].split('#')[0];
}
}
return null;
}
initView();
if (getParameter('code') !== null) {
oAuthLogin(getParameter('code'));
}
}]);

120
app/portainer/views/settings/authentication/settingsAuthentication.html
View File

@ -37,6 +37,16 @@
<p>LDAP authentication</p>
</label>
</div>
<div>
<input type="radio" id="registry_auth" ng-model="settings.AuthenticationMethod" ng-value="3">
<label for="registry_auth">
<div class="boxselector_header">
<i class="fa fa-users" aria-hidden="true" style="margin-right: 2px;"></i>
OAuth
</div>
<p>OAuth authentication</p>
</label>
</div>
</div>
</div>
<div class="col-sm-12 form-section-title">
@ -52,6 +62,11 @@
When using LDAP authentication, Portainer will delegate user authentication to a LDAP server and fallback to internal authentication if LDAP authentication fails.
</span>
</div>
<div class="form-group" ng-if="settings.AuthenticationMethod === 3">
<span class="col-sm-12 text-muted small">
When using OAuth authentication, Portainer will allow users to optionally authenticate with an OAuth authorization server.
</span>
</div>
<div ng-if="settings.AuthenticationMethod === 2">
<div class="col-sm-12 form-section-title">
@ -306,7 +321,110 @@
<!-- !group-search-settings -->
</div>
<!-- actions -->
<div ng-if="settings.AuthenticationMethod === 3">
<div class="col-sm-12 form-section-title">
OAuth Configuration
</div>
<div class="form-group">
<label for="oauth_client_id" class="col-sm-3 col-lg-2 control-label text-left">
Client ID
<portainer-tooltip position="bottom" message="Client ID that authorization server supports"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="text" class="form-control" id="oauth_client_id" ng-model="OAuthSettings.ClientID" placeholder="xxxxxxxxxxxxxxxxxxxx">
</div>
</div>
<div class="form-group">
<label for="oauth_client_secret" class="col-sm-3 col-lg-2 control-label text-left">
Client Secret
<portainer-tooltip position="bottom" message="Client secret that authorization server supports"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="password" class="form-control" id="oauth_client_secret" ng-model="OAuthSettings.ClientSecret" placeholder="xxxxxxxxxxxxxxxxxxxx">
</div>
</div>
<div class="form-group">
<label for="oauth_authorization_uri" class="col-sm-3 col-lg-2 control-label text-left">
Authorization URI
<portainer-tooltip position="bottom" message="URI where the user is redirected in order to login with OAuth provider"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="text" class="form-control" id="oauth_authorization_uri" ng-model="OAuthSettings.AuthorizationURI" placeholder="https://example.com/oauth/authorize">
</div>
</div>
<div class="form-group">
<label for="oauth_access_token_uri" class="col-sm-3 col-lg-2 control-label text-left">
Access Token URI
<portainer-tooltip position="bottom" message="URI where portainer will attempt to obtain an access token"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="text" class="form-control" id="oauth_access_token_uri" ng-model="OAuthSettings.AccessTokenURI" placeholder="https://example.com/oauth/token">
</div>
</div>
<div class="form-group">
<label for="oauth_resource_uri" class="col-sm-3 col-lg-2 control-label text-left">
Resource URI
<portainer-tooltip position="bottom" message="URI where portainer will attempt to retrieve the user identifier value"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="text" class="form-control" id="oauth_resource_uri" ng-model="OAuthSettings.ResourceURI" placeholder="https://example.com/user">
</div>
</div>
<div class="form-group">
<label for="oauth_redirect_uri" class="col-sm-3 col-lg-2 control-label text-left">
Redirect URI
<portainer-tooltip position="bottom" message="Set this as your portainer index"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="text" class="form-control" id="oauth_redirect_uri" ng-model="OAuthSettings.RedirectURI" placeholder="http://yourportainer.com/">
</div>
</div>
<div class="form-group">
<label for="oauth_user_identifier" class="col-sm-3 col-lg-2 control-label text-left">
User Identifier
<portainer-tooltip position="bottom" message="Key that identifies the user in the resource server request"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="text" class="form-control" id="oauth_user_identifier" ng-model="OAuthSettings.UserIdentifier" placeholder="id">
</div>
</div>
<div class="form-group">
<label for="oauth_scopes" class="col-sm-3 col-lg-2 control-label text-left">
Scopes
<portainer-tooltip position="bottom" message="Scopes that are required to obtain the user identifier separated by delimiter if server expects it"></portainer-tooltip>
</label>
<div class="col-sm-9 col-lg-10">
<input type="text" class="form-control" id="oauth_scopes" ng-model="OAuthSettings.Scopes" placeholder="id,email,name">
</div>
</div>
<div class="form-group">
<span class="col-sm-12 text-muted small">
With automatic user provisioning enabled, Portainer will create user(s) automatically with standard user role. If disabled, users must be created in Portainer in order to login.
</span>
</div>
<div class="form-group">
<div class="col-sm-12">
<label for="oauth_provisioning">
Automatic user provisioning
</label>
<label class="switch" style="margin-left: 20px">
<input type="checkbox" ng-model="OAuthSettings.OAuthAutoCreateUsers"><i></i>
</label>
</div>
</div>
</div>
<!-- actions -->
<div class="form-group">
<div class="col-sm-12">
<button type="button" class="btn btn-primary btn-sm" ng-click="saveSettings()" ng-disabled="state.actionInProgress" button-spinner="state.actionInProgress">

1
app/portainer/views/settings/authentication/settingsAuthenticationController.js
View File

@ -97,6 +97,7 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService) {
var settings = data;
$scope.settings = settings;
$scope.LDAPSettings = settings.LDAPSettings;
$scope.OAuthSettings = settings.OAuthSettings;
$scope.formValues.TLSCACert = settings.LDAPSettings.TLSConfig.TLSCACert;
})
.catch(function error(err) {