feat(oauth): dev build supporting Oauth extension

2019-02-18 14:46:34 +13:00 · 2019-02-18 14:46:34 +13:00 · 7643f8d08c
parent 086bad2956
commit 7643f8d08c
13 changed files with 114 additions and 178 deletions
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@ -20,7 +20,6 @@ import (
 	"github.com/portainer/portainer/jwt"
 	"github.com/portainer/portainer/ldap"
 	"github.com/portainer/portainer/libcompose"
 	"github.com/portainer/portainer/oauth"
 	"log"
 )
@ -101,10 +100,6 @@ func initLDAPService() portainer.LDAPService {
 	return &ldap.Service{}
 }
 func initOAuthService() portainer.OAuthService {
 	return &oauth.Service{}
 }
 func initGitService() portainer.GitService {
 	return &git.Service{}
 }
@ -529,8 +524,6 @@ func main() {
 	ldapService := initLDAPService()
 	oauthService := initOAuthService()
 	gitService := initGitService()
 	cryptoService := initCryptoService()
@ -676,7 +669,6 @@ func main() {
 		JWTService:             jwtService,
 		FileService:            fileService,
 		LDAPService:            ldapService,
 		OAuthService:           oauthService,
 		GitService:             gitService,
 		SignatureService:       digitalSignatureService,
 		JobScheduler:           jobScheduler,
--- a/api/exec/extension.go
+++ b/api/exec/extension.go
@ -18,7 +18,8 @@ import (
 var extensionDownloadBaseURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com/extensions/"
 var extensionBinaryMap = map[portainer.ExtensionID]string{
-	portainer.RegistryManagementExtension: "extension-registry-management",
+	portainer.RegistryManagementExtension:  "extension-registry-management",
 	portainer.OAuthAuthenticationExtension: "extension-oauth-authentication",
 }
 // ExtensionManager represents a service used to
--- a/api/http/handler/auth/authenticate_oauth.go
+++ b/api/http/handler/auth/authenticate_oauth.go
@ -1,7 +1,8 @@
 package auth
 import (
-	"log"
+	"encoding/json"
 	"io/ioutil"
 	"net/http"
 	"github.com/asaskevich/govalidator"
@ -21,6 +22,54 @@ func (payload *oauthPayload) Validate(r *http.Request) error {
 	return nil
 }
 func (handler *Handler) authenticateThroughExtension(code, licenseKey string, settings *portainer.OAuthSettings) (string, error) {
 	extensionURL := handler.ProxyManager.GetExtensionURL(portainer.OAuthAuthenticationExtension)
 	encodedConfiguration, err := json.Marshal(settings)
 	if err != nil {
 		return "", nil
 	}
 	req, err := http.NewRequest("GET", extensionURL+"/validate", nil)
 	if err != nil {
 		return "", err
 	}
 	client := &http.Client{}
 	req.Header.Set("X-OAuth-Config", string(encodedConfiguration))
 	req.Header.Set("X-OAuth-Code", code)
 	req.Header.Set("X-PortainerExtension-License", licenseKey)
 	resp, err := client.Do(req)
 	if err != nil {
 		return "", err
 	}
 	defer resp.Body.Close()
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
 	type extensionResponse struct {
 		Username string `json:"Username,omitempty"`
 		Err      string `json:"err,omitempty"`
 		Details  string `json:"details,omitempty"`
 	}
 	var extResp extensionResponse
 	err = json.Unmarshal(body, &extResp)
 	if err != nil {
 		return "", err
 	}
 	if resp.StatusCode != http.StatusOK {
 		return "", portainer.Error(extResp.Err + ":" + extResp.Details)
 	}
 	return extResp.Username, nil
 }
 func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload oauthPayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
@ -37,16 +86,16 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is not enabled", err}
 	}
-	token, err := handler.OAuthService.GetAccessToken(payload.Code, &settings.OAuthSettings)
+	extension, err := handler.ExtensionService.Extension(portainer.OAuthAuthenticationExtension)
-	if err != nil {
+	if err == portainer.ErrObjectNotFound {
-		log.Printf("[DEBUG] - Failed retrieving access token: %v", err)
+		return &httperror.HandlerError{http.StatusNotFound, "Oauth authentication extension is not enabled", err}
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid access token", portainer.ErrUnauthorized}
+	} else if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a extension with the specified identifier inside the database", err}
 	}
-	username, err := handler.OAuthService.GetUsername(token, &settings.OAuthSettings)
+	username, err := handler.authenticateThroughExtension(payload.Code, extension.License.LicenseKey, &settings.OAuthSettings)
 	if err != nil {
-		log.Printf("[DEBUG] - Failed acquiring username: %v", err)
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to authenticate through OAuth", portainer.ErrUnauthorized}
 		return &httperror.HandlerError{http.StatusForbidden, "Unable to acquire username", portainer.ErrUnauthorized}
 	}
 	user, err := handler.UserService.UserByUsername(username)
@ -85,18 +134,3 @@ func (handler *Handler) validateOAuth(w http.ResponseWriter, r *http.Request) *h
 	return handler.writeToken(w, user)
 }
 func (handler *Handler) loginOAuth(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	settings, err := handler.SettingsService.Settings()
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}
 	if settings.AuthenticationMethod != 3 {
 		return &httperror.HandlerError{http.StatusForbidden, "OAuth authentication is disabled", err}
 	}
 	url := handler.OAuthService.BuildLoginURL(&settings.OAuthSettings)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 	return nil
 }
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@ -6,6 +6,7 @@ import (
 	"github.com/gorilla/mux"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/portainer"
 	"github.com/portainer/portainer/http/proxy"
 	"github.com/portainer/portainer/http/security"
 )
@ -25,10 +26,11 @@ type Handler struct {
 	CryptoService         portainer.CryptoService
 	JWTService            portainer.JWTService
 	LDAPService           portainer.LDAPService
 	OAuthService          portainer.OAuthService
 	SettingsService       portainer.SettingsService
 	TeamService           portainer.TeamService
 	TeamMembershipService portainer.TeamMembershipService
 	ExtensionService      portainer.ExtensionService
 	ProxyManager          *proxy.Manager
 }
 // NewHandler creates a handler to manage authentication operations.
@ -38,8 +40,6 @@ func NewHandler(bouncer *security.RequestBouncer, rateLimiter *security.RateLimi
 		authDisabled: authDisabled,
 	}
 	h.Handle("/auth/oauth/login",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.loginOAuth)))).Methods(http.MethodGet)
 	h.Handle("/auth/oauth/validate",
 		rateLimiter.LimitAccess(bouncer.PublicAccess(httperror.LoggerHandler(h.validateOAuth)))).Methods(http.MethodPost)
 	h.Handle("/auth",
--- a/api/http/handler/settings/handler.go
+++ b/api/http/handler/settings/handler.go
@ -19,7 +19,6 @@ type Handler struct {
 	*mux.Router
 	SettingsService portainer.SettingsService
 	LDAPService     portainer.LDAPService
 	OAuthService    portainer.OAuthService
 	FileService     portainer.FileService
 	JobScheduler    portainer.JobScheduler
 	ScheduleService portainer.ScheduleService
--- a/api/http/handler/settings/settings_public.go
+++ b/api/http/handler/settings/settings_public.go
@ -33,6 +33,7 @@ func (handler *Handler) settingsPublic(w http.ResponseWriter, r *http.Request) *
 		AllowPrivilegedModeForRegularUsers: settings.AllowPrivilegedModeForRegularUsers,
 		EnableHostManagementFeatures:       settings.EnableHostManagementFeatures,
 		ExternalTemplates:                  false,
 		// TODO: check if state=portainer useful or not
 		OAuthLoginURI: fmt.Sprintf("%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=portainer",
 			settings.OAuthSettings.AuthorizationURI,
 			settings.OAuthSettings.ClientID,
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@ -12,7 +12,8 @@ import (
 // TODO: contain code related to legacy extension management
 var extensionPorts = map[portainer.ExtensionID]string{
-	portainer.RegistryManagementExtension: "7001",
+	portainer.RegistryManagementExtension:  "7001",
 	portainer.OAuthAuthenticationExtension: "7002",
 }
 type (
@ -103,6 +104,10 @@ func (manager *Manager) CreateExtensionProxy(extensionID portainer.ExtensionID)
 	return proxy, nil
 }
 func (manager *Manager) GetExtensionURL(extensionID portainer.ExtensionID) string {
 	return "http://localhost:" + extensionPorts[extensionID]
 }
 // DeleteExtensionProxy deletes the extension proxy associated to an extension identifier
 func (manager *Manager) DeleteExtensionProxy(extensionID portainer.ExtensionID) {
 	manager.extensionProxies.Remove(strconv.Itoa(int(extensionID)))
--- a/api/http/server.go
+++ b/api/http/server.go
@ -55,7 +55,6 @@ type Server struct {
 	GitService             portainer.GitService
 	JWTService             portainer.JWTService
 	LDAPService            portainer.LDAPService
 	OAuthService           portainer.OAuthService
 	ExtensionService       portainer.ExtensionService
 	RegistryService        portainer.RegistryService
 	ResourceControlService portainer.ResourceControlService
@ -105,10 +104,11 @@ func (server *Server) Start() error {
 	authHandler.CryptoService = server.CryptoService
 	authHandler.JWTService = server.JWTService
 	authHandler.LDAPService = server.LDAPService
 	authHandler.OAuthService = server.OAuthService
 	authHandler.SettingsService = server.SettingsService
 	authHandler.TeamService = server.TeamService
 	authHandler.TeamMembershipService = server.TeamMembershipService
 	authHandler.ExtensionService = server.ExtensionService
 	authHandler.ProxyManager = proxyManager
 	var dockerHubHandler = dockerhub.NewHandler(requestBouncer)
 	dockerHubHandler.DockerHubService = server.DockerHubService
@ -157,7 +157,6 @@ func (server *Server) Start() error {
 	var settingsHandler = settings.NewHandler(requestBouncer)
 	settingsHandler.SettingsService = server.SettingsService
 	settingsHandler.LDAPService = server.LDAPService
 	settingsHandler.OAuthService = server.OAuthService
 	settingsHandler.FileService = server.FileService
 	settingsHandler.JobScheduler = server.JobScheduler
 	settingsHandler.ScheduleService = server.ScheduleService
--- a/api/oauth/oauth.go
+++ b/api/oauth/oauth.go
@ -1,123 +0,0 @@
 package oauth
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"mime"
 	"net/http"
 	"net/url"
 	"github.com/portainer/portainer"
 	"golang.org/x/oauth2"
 )
 const (
 	// ErrInvalidCode defines an error raised when the user authorization code is invalid
 	ErrInvalidCode = portainer.Error("Invalid OAuth authorization code")
 )
 // Service represents a service used to authenticate users against an authorization server
 type Service struct{}
 // GetAccessToken takes an access code and exchanges it for an access token from portainer OAuthSettings token endpoint
 func (*Service) GetAccessToken(code string, settings *portainer.OAuthSettings) (string, error) {
 	unescapedCode, err := url.QueryUnescape(code)
 	if err != nil {
 		return "", err
 	}
 	config := buildConfig(settings)
 	token, err := config.Exchange(context.Background(), unescapedCode)
 	if err != nil {
 		return "", err
 	}
 	return token.AccessToken, nil
 }
 // GetUsername takes a token and retrieves the portainer OAuthSettings user identifier from resource server.
 func (*Service) GetUsername(token string, settings *portainer.OAuthSettings) (string, error) {
 	req, err := http.NewRequest("GET", settings.ResourceURI, nil)
 	if err != nil {
 		return "", err
 	}
 	client := &http.Client{}
 	req.Header.Set("Authorization", "Bearer "+token)
 	resp, err := client.Do(req)
 	if err != nil {
 		return "", err
 	}
 	defer resp.Body.Close()
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return "", err
 	}
 	if resp.StatusCode != http.StatusOK {
 		return "", &oauth2.RetrieveError{
 			Response: resp,
 			Body:     body,
 		}
 	}
 	content, _, err := mime.ParseMediaType(resp.Header.Get("Content-Type"))
 	if err != nil {
 		return "", err
 	}
 	if content == "application/x-www-form-urlencoded" || content == "text/plain" {
 		values, err := url.ParseQuery(string(body))
 		if err != nil {
 			return "", err
 		}
 		username := values.Get(settings.UserIdentifier)
 		return username, nil
 	}
 	var datamap map[string]interface{}
 	if err = json.Unmarshal(body, &datamap); err != nil {
 		return "", err
 	}
 	username, ok := datamap[settings.UserIdentifier].(string)
 	if ok && username != "" {
 		return username, nil
 	}
 	if !ok {
 		username, ok := datamap[settings.UserIdentifier].(float64)
 		if ok && username != 0 {
 			return fmt.Sprint(int(username)), nil
 		}
 	}
 	return "", &oauth2.RetrieveError{
 		Response: resp,
 		Body:     body,
 	}
 }
 // BuildLoginURL creates a login url for the oauth provider
 func (*Service) BuildLoginURL(oauthSettings *portainer.OAuthSettings) string {
 	oauthConfig := buildConfig(oauthSettings)
 	return oauthConfig.AuthCodeURL("portainer")
 }
 func buildConfig(oauthSettings *portainer.OAuthSettings) *oauth2.Config {
 	endpoint := oauth2.Endpoint{
 		AuthURL:  oauthSettings.AuthorizationURI,
 		TokenURL: oauthSettings.AccessTokenURI,
 	}
 	return &oauth2.Config{
 		ClientID:     oauthSettings.ClientID,
 		ClientSecret: oauthSettings.ClientSecret,
 		Endpoint:     endpoint,
 		RedirectURL:  oauthSettings.RedirectURI,
 		Scopes:       []string{oauthSettings.Scopes},
 	}
 }
--- a/api/portainer.go
+++ b/api/portainer.go
@ -67,7 +67,7 @@ type (
 		UserIdentifier       string `json:"UserIdentifier"`
 		Scopes               string `json:"Scopes"`
 		OAuthAutoCreateUsers bool   `json:"OAuthAutoCreateUsers"`
-		DefaultTeamID        TeamID     `json:"DefaultTeamID"`
+		DefaultTeamID        TeamID `json:"DefaultTeamID"`
 	}
 	// TLSConfiguration represents a TLS configuration
@ -764,13 +764,6 @@ type (
 		GetUserGroups(username string, settings *LDAPSettings) ([]string, error)
 	}
 	// OAuthService represents a service used to authenticate users against an authorization server
 	OAuthService interface {
 		GetAccessToken(code string, settings *OAuthSettings) (string, error)
 		GetUsername(token string, settings *OAuthSettings) (string, error)
 		BuildLoginURL(oauthSettings *OAuthSettings) string
 	}
 	// SwarmStackManager represents a service to manage Swarm stacks
 	SwarmStackManager interface {
 		Login(dockerhub *DockerHub, registries []Registry, endpoint *Endpoint)
@ -809,7 +802,8 @@ const (
 	// MessageOfTheDayURL represents the URL where Portainer MOTD message can be retrieved
 	MessageOfTheDayURL = AssetsServerURL + "/motd.html"
 	// ExtensionDefinitionsURL represents the URL where Portainer extension definitions can be retrieved
-	ExtensionDefinitionsURL = AssetsServerURL + "/extensions.json"
+	// TODO: UPDATE URL to production URL
 	ExtensionDefinitionsURL = AssetsServerURL + "/extensions-dev.json"
 	// PortainerAgentHeader represents the name of the header available in any agent response
 	PortainerAgentHeader = "Portainer-Agent"
 	// PortainerAgentTargetHeader represent the name of the header containing the target node name
@ -936,6 +930,8 @@ const (
 	_ ExtensionID = iota
 	// RegistryManagementExtension represents the registry management extension
 	RegistryManagementExtension
 	// OAuthAuthenticationExtension represents the OAuth authentication extension
 	OAuthAuthenticationExtension
 )
 const (
--- a/app/portainer/services/api/extensionService.js
+++ b/app/portainer/services/api/extensionService.js
@ -62,5 +62,20 @@ angular.module('portainer.app')
    return deferred.promise;
  };
  service.OAuthAuthenticationEnabled = function() {
    var deferred = $q.defer();
    service.extensions(false)
    .then(function onSuccess(extensions) {
      var extensionAvailable = _.find(extensions, { Id: 2, Enabled: true }) ? true : false;
      deferred.resolve(extensionAvailable);
    })
    .catch(function onError(err) {
      deferred.reject(err);
    });
    return deferred.promise;
  };
  return service;
 }]);
--- a/app/portainer/views/settings/authentication/settingsAuthentication.html
+++ b/app/portainer/views/settings/authentication/settingsAuthentication.html
@ -37,7 +37,7 @@
                  <p>LDAP authentication</p>
                </label>
              </div>
-              <div>
+              <div ng-if="oauthAuthenticationAvailable">
                <input type="radio" id="registry_auth" ng-model="settings.AuthenticationMethod" ng-value="3">
                <label for="registry_auth">
                  <div class="boxselector_header">
@ -47,6 +47,16 @@
                  <p>OAuth authentication</p>
                </label>
              </div>
              <div style="color: #767676;" ng-click="goToOAuthExtensionView()" ng-if="!oauthAuthenticationAvailable">
                <input type="radio" id="registry_auth" ng-model="settings.AuthenticationMethod" ng-value="3" disabled>
                <label for="registry_auth" tooltip-append-to-body="true" tooltip-placement="bottom" tooltip-class="portainer-tooltip" uib-tooltip="Feature available via an extension" style="cursor:pointer; border-color: #767676">
                  <div class="boxselector_header">
                    <i class="fa fa-users" aria-hidden="true" style="margin-right: 2px;"></i>
                    OAuth (extension)
                  </div>
                  <p>OAuth authentication</p>
                </label>
              </div>
            </div>
          </div>
--- a/app/portainer/views/settings/authentication/settingsAuthenticationController.js
+++ b/app/portainer/views/settings/authentication/settingsAuthenticationController.js
@ -1,6 +1,6 @@
 angular.module('portainer.app')
-.controller('SettingsAuthenticationController', ['$q', '$scope', 'Notifications', 'SettingsService', 'FileUploadService', 'TeamService',
+.controller('SettingsAuthenticationController', ['$q', '$scope', '$state', 'Notifications', 'SettingsService', 'FileUploadService', 'TeamService', 'ExtensionService',
-function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamService) {
+function($q, $scope, $state, Notifications, SettingsService, FileUploadService, TeamService, ExtensionService) {
  $scope.state = {
    successfulConnectivityCheck: false,
@ -14,6 +14,10 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamSer
    TLSCACert: ''
  };
  $scope.goToOAuthExtensionView = function() {
    $state.go('portainer.extensions.extension', { id: 2 });
  };
  $scope.isOauthEnabled = function isOauthEnabled() {
    return $scope.settings && $scope.settings.AuthenticationMethod === 3;
  };
@ -25,7 +29,7 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamSer
  $scope.removeSearchConfiguration = function(index) {
    $scope.LDAPSettings.SearchSettings.splice(index, 1);
  };
-  
+
  $scope.addGroupSearchConfiguration = function() {
    $scope.LDAPSettings.GroupSearchSettings.push({ GroupBaseDN: '', GroupAttribute: '', GroupFilter: '' });
  };
@ -98,14 +102,17 @@ function ($q, $scope, Notifications, SettingsService, FileUploadService, TeamSer
  function initView() {
    $q.all({
      settings: SettingsService.settings(),
-      teams: TeamService.teams()
+      teams: TeamService.teams(),
-    }).then(function success(data) {
+      oauthAuthentication: ExtensionService.OAuthAuthenticationEnabled()
    })
    .then(function success(data) {
      var settings = data.settings;
      $scope.teams = data.teams;
      $scope.settings = settings;
      $scope.LDAPSettings = settings.LDAPSettings;
      $scope.OAuthSettings = settings.OAuthSettings;
      $scope.formValues.TLSCACert = settings.LDAPSettings.TLSConfig.TLSCACert;
      $scope.oauthAuthenticationAvailable = data.oauthAuthentication;
    })
    .catch(function error(err) {
      Notifications.error('Failure', err, 'Unable to retrieve application settings');