diff options
| author |  Tobi Smethurst <31960611+tsmethurst@users.noreply.github.com> | 2021-07-23 10:36:28 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2021-07-23 10:36:28 +0200 |
| commit | 05e9af089c3041fa162e4dca3b1c5906496e8e90 (patch) | |
| tree | 6972d56a2ab5b5216ba7ec7c951605a775ac1c18 /internal | |
| parent | lil webfingy fix (#106) (diff) | |
| download | gotosocial-05e9af089c3041fa162e4dca3b1c5906496e8e90.tar.xz | |
Oidc (#109)
* add oidc config
* inching forward with oidc idp
* lil webfingy fix
* bit more progress
* further oidc
* oidc now working
* document dex config
* replace broken images
* add additional credits
* tiny doc update
* update
* add oidc config
* inching forward with oidc idp
* bit more progress
* further oidc
* oidc now working
* document dex config
* replace broken images
* add additional credits
* tiny doc update
* update
* document
* docs + comments
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/api/client/auth/auth.go | 24 | ||||
| -rw-r--r-- | internal/api/client/auth/authorize.go | 45 | ||||
| -rw-r--r-- | internal/api/client/auth/callback.go | 219 | ||||
| -rw-r--r-- | internal/api/client/auth/signin.go | 22 | ||||
| -rw-r--r-- | internal/api/client/auth/util.go | 17 | ||||
| -rw-r--r-- | internal/cliactions/admin/account/account.go | 2 | ||||
| -rw-r--r-- | internal/cliactions/server/server.go | 8 | ||||
| -rw-r--r-- | internal/cliactions/testrig/testrig.go | 8 | ||||
| -rw-r--r-- | internal/config/config.go | 65 | ||||
| -rw-r--r-- | internal/config/default.go | 36 | ||||
| -rw-r--r-- | internal/config/oidc.go | 30 | ||||
| -rw-r--r-- | internal/db/db.go | 4 | ||||
| -rw-r--r-- | internal/db/pg/pg.go | 74 | ||||
| -rw-r--r-- | internal/oidc/claims.go | 27 | ||||
| -rw-r--r-- | internal/oidc/handlecallback.go | 65 | ||||
| -rw-r--r-- | internal/oidc/idp.go | 121 | ||||
| -rw-r--r-- | internal/processing/account/create.go | 2 | ||||
| -rw-r--r-- | internal/router/session.go | 21 |
18 files changed, 715 insertions, 75 deletions
diff --git a/internal/api/client/auth/auth.go b/internal/api/client/auth/auth.go index 7cddc3e74..bcc338ce0 100644 --- a/internal/api/client/auth/auth.go +++ b/internal/api/client/auth/auth.go @@ -26,6 +26,7 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/oauth" + "github.com/superseriousbusiness/gotosocial/internal/oidc" "github.com/superseriousbusiness/gotosocial/internal/router" ) @@ -36,40 +37,37 @@ const ( OauthTokenPath = "/oauth/token" // OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user) OauthAuthorizePath = "/oauth/authorize" + // CallbackPath is the API path for receiving callback tokens from external OIDC providers + CallbackPath = oidc.CallbackPath + + callbackStateParam = "state" + callbackCodeParam = "code" sessionUserID = "userid" sessionClientID = "client_id" sessionRedirectURI = "redirect_uri" sessionForceLogin = "force_login" sessionResponseType = "response_type" - sessionCode = "code" sessionScope = "scope" + sessionState = "state" ) -var sessionKeys []string = []string{ - sessionUserID, - sessionClientID, - sessionRedirectURI, - sessionForceLogin, - sessionResponseType, - sessionCode, - sessionScope, -} - // Module implements the ClientAPIModule interface for type Module struct { config *config.Config db db.DB server oauth.Server + idp oidc.IDP log *logrus.Logger } // New returns a new auth module -func New(config *config.Config, db db.DB, server oauth.Server, log *logrus.Logger) api.ClientModule { +func New(config *config.Config, db db.DB, server oauth.Server, idp oidc.IDP, log *logrus.Logger) api.ClientModule { return &Module{ config: config, db: db, server: server, + idp: idp, log: log, } } @@ -84,6 +82,8 @@ func (m *Module) Route(s router.Router) error { s.AttachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler) s.AttachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler) + s.AttachHandler(http.MethodGet, CallbackPath, m.CallbackGETHandler) + s.AttachMiddleware(m.OauthTokenMiddleware) return nil } diff --git a/internal/api/client/auth/authorize.go b/internal/api/client/auth/authorize.go index fb16b00fc..a10408723 100644 --- a/internal/api/client/auth/authorize.go +++ b/internal/api/client/auth/authorize.go @@ -23,9 +23,11 @@ import ( "fmt" "net/http" "net/url" + "strings" "github.com/gin-contrib/sessions" "github.com/gin-gonic/gin" + "github.com/google/uuid" "github.com/superseriousbusiness/gotosocial/internal/api/model" "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" @@ -46,16 +48,19 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) { form := &model.OAuthAuthorize{} if err := c.Bind(form); err != nil { l.Debugf("invalid auth form: %s", err) + m.clearSession(s) + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } - l.Tracef("parsed auth form: %+v", form) + l.Debugf("parsed auth form: %+v", form) if err := extractAuthForm(s, form); err != nil { l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err)) + m.clearSession(s) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } - c.Redirect(http.StatusFound, AuthSignInPath) + c.Redirect(http.StatusSeeOther, AuthSignInPath) return } @@ -69,6 +74,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) { ClientID: clientID, } if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil { + m.clearSession(s) c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)}) return } @@ -78,6 +84,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) { ID: userID, } if err := m.db.GetByID(user.ID, user); err != nil { + m.clearSession(s) c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) return } @@ -87,6 +94,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) { } if err := m.db.GetByID(acct.ID, acct); err != nil { + m.clearSession(s) c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) return } @@ -94,11 +102,13 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) { // Finally we should also get the redirect and scope of this particular request, as stored in the session. redirect, ok := s.Get(sessionRedirectURI).(string) if !ok || redirect == "" { + m.clearSession(s) c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"}) return } scope, ok := s.Get(sessionScope).(string) if !ok || scope == "" { + m.clearSession(s) c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"}) return } @@ -128,48 +138,42 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) { // recreate it on the request so that it can be used further by the oauth2 library. // So first fetch all the values from the session. + errs := []string{} + forceLogin, ok := s.Get(sessionForceLogin).(string) if !ok { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"}) - return + forceLogin = "false" } responseType, ok := s.Get(sessionResponseType).(string) if !ok || responseType == "" { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"}) - return + errs = append(errs, "session missing response_type") } clientID, ok := s.Get(sessionClientID).(string) if !ok || clientID == "" { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"}) - return + errs = append(errs, "session missing client_id") } redirectURI, ok := s.Get(sessionRedirectURI).(string) if !ok || redirectURI == "" { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"}) - return + errs = append(errs, "session missing redirect_uri") } scope, ok := s.Get(sessionScope).(string) if !ok { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"}) - return + errs = append(errs, "session missing scope") } userID, ok := s.Get(sessionUserID).(string) if !ok { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"}) - return + errs = append(errs, "session missing userid") } - // we're done with the session so we can clear it now - for _, key := range sessionKeys { - s.Delete(key) - } - if err := s.Save(); err != nil { - c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + m.clearSession(s) + + if len(errs) != 0 { + c.JSON(http.StatusBadRequest, gin.H{"error": strings.Join(errs, ": ")}) return } @@ -209,5 +213,6 @@ func extractAuthForm(s sessions.Session, form *model.OAuthAuthorize) error { s.Set(sessionClientID, form.ClientID) s.Set(sessionRedirectURI, form.RedirectURI) s.Set(sessionScope, form.Scope) + s.Set(sessionState, uuid.NewString()) return s.Save() } diff --git a/internal/api/client/auth/callback.go b/internal/api/client/auth/callback.go new file mode 100644 index 000000000..8bf2a50b5 --- /dev/null +++ b/internal/api/client/auth/callback.go @@ -0,0 +1,219 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package auth + +import ( + "errors" + "fmt" + "net" + "net/http" + "strconv" + "strings" + + "github.com/gin-contrib/sessions" + "github.com/gin-gonic/gin" + "github.com/google/uuid" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" + "github.com/superseriousbusiness/gotosocial/internal/oidc" + "github.com/superseriousbusiness/gotosocial/internal/util" +) + +// CallbackGETHandler parses a token from an external auth provider. +func (m *Module) CallbackGETHandler(c *gin.Context) { + s := sessions.Default(c) + + // first make sure the state set in the cookie is the same as the state returned from the external provider + state := c.Query(callbackStateParam) + if state == "" { + m.clearSession(s) + c.JSON(http.StatusForbidden, gin.H{"error": "state query not found on callback"}) + return + } + + savedStateI := s.Get(sessionState) + savedState, ok := savedStateI.(string) + if !ok { + m.clearSession(s) + c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"}) + return + } + + if state != savedState { + m.clearSession(s) + c.JSON(http.StatusForbidden, gin.H{"error": "state mismatch"}) + return + } + + code := c.Query(callbackCodeParam) + + claims, err := m.idp.HandleCallback(c.Request.Context(), code) + if err != nil { + m.clearSession(s) + c.JSON(http.StatusForbidden, gin.H{"error": err.Error()}) + return + } + + // We can use the client_id on the session to retrieve info about the app associated with the client_id + clientID, ok := s.Get(sessionClientID).(string) + if !ok || clientID == "" { + m.clearSession(s) + c.JSON(http.StatusInternalServerError, gin.H{"error": "no client_id found in session during callback"}) + return + } + app := >smodel.Application{ + ClientID: clientID, + } + if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil { + m.clearSession(s) + c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)}) + return + } + + user, err := m.parseUserFromClaims(claims, net.IP(c.ClientIP()), app.ID) + if err != nil { + m.clearSession(s) + c.JSON(http.StatusForbidden, gin.H{"error": err.Error()}) + return + } + + s.Set(sessionUserID, user.ID) + if err := s.Save(); err != nil { + m.clearSession(s) + c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + return + } + + c.Redirect(http.StatusFound, OauthAuthorizePath) +} + +func (m *Module) parseUserFromClaims(claims *oidc.Claims, ip net.IP, appID string) (*gtsmodel.User, error) { + if claims.Email == "" { + return nil, errors.New("no email returned in claims") + } + + // see if we already have a user for this email address + user := >smodel.User{} + err := m.db.GetWhere([]db.Where{{Key: "email", Value: claims.Email}}, user) + if err == nil { + // we do! so we can just return it + return user, nil + } + + if _, ok := err.(db.ErrNoEntries); !ok { + // we have an actual error in the database + return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err) + } + + // maybe we have an unconfirmed user + err = m.db.GetWhere([]db.Where{{Key: "unconfirmed_email", Value: claims.Email}}, user) + if err == nil { + // user is unconfirmed so return an error + return nil, fmt.Errorf("user with email address %s is unconfirmed", claims.Email) + } + + if _, ok := err.(db.ErrNoEntries); !ok { + // we have an actual error in the database + return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err) + } + + // we don't have a confirmed or unconfirmed user with the claimed email address + // however, because we trust the OIDC provider, we should now create a user + account with the provided claims + + // check if the email address is available for use; if it's not there's nothing we can so + if err := m.db.IsEmailAvailable(claims.Email); err != nil { + return nil, fmt.Errorf("email %s not available: %s", claims.Email, err) + } + + // now we need a username + var username string + + // make sure claims.Name is defined since we'll be using that for the username + if claims.Name == "" { + return nil, errors.New("no name returned in claims") + } + + // check if we can just use claims.Name as-is + err = util.ValidateUsername(claims.Name) + if err == nil { + // the name we have on the claims is already a valid username + username = claims.Name + } else { + // not a valid username so we have to fiddle with it to try to make it valid + // first trim leading and trailing whitespace + trimmed := strings.TrimSpace(claims.Name) + // underscore any spaces in the middle of the name + underscored := strings.ReplaceAll(trimmed, " ", "_") + // lowercase the whole thing + lower := strings.ToLower(underscored) + // see if this is valid.... + if err := util.ValidateUsername(lower); err == nil { + // we managed to get a valid username + username = lower + } else { + return nil, fmt.Errorf("couldn't parse a valid username from claims.Name value of %s", claims.Name) + } + } + + var iString string + var found bool + // if the username isn't available we need to iterate on it until we find one that is + // we should try to do this in a predictable way so we just keep iterating i by one and trying + // the username with that number on the end + // + // note that for the first iteration, iString is still "" when the check is made, so our first choice + // is still the raw username with no integer stuck on the end + for i := 1; !found; i = i + 1 { + if err := m.db.IsUsernameAvailable(username + iString); err != nil { + if strings.Contains(err.Error(), "db error") { + // if there's an actual db error we should return + return nil, fmt.Errorf("error checking username availability: %s", err) + } + } else { + // no error so we've found a username that works + found = true + username = username + iString + continue + } + iString = strconv.Itoa(i) + } + + // check if the user is in any recognised admin groups + var admin bool + for _, g := range claims.Groups { + if strings.EqualFold(g, "admin") || strings.EqualFold(g, "admins") { + admin = true + } + } + + // we still need to set *a* password even if it's not a password the user will end up using, so set something random + // in this case, we'll just set two uuids on top of each other, which should be long + random enough to baffle any attempts to crack. + // + // if the user ever wants to log in using gts password rather than oidc flow, they'll have to request a password reset, which is fine + password := uuid.NewString() + uuid.NewString() + + // create the user! this will also create an account and store it in the database so we don't need to do that here + user, err = m.db.NewSignup(username, "", m.config.AccountsConfig.RequireApproval, claims.Email, password, ip, "", appID, claims.EmailVerified, admin) + if err != nil { + return nil, fmt.Errorf("error creating user: %s", err) + } + + return user, nil + +} diff --git a/internal/api/client/auth/signin.go b/internal/api/client/auth/signin.go index 7974a8cfa..543505cbd 100644 --- a/internal/api/client/auth/signin.go +++ b/internal/api/client/auth/signin.go @@ -39,7 +39,24 @@ type login struct { // The idea is to present a sign in page to the user, where they can enter their username and password. // The form will then POST to the sign in page, which will be handled by SignInPOSTHandler func (m *Module) SignInGETHandler(c *gin.Context) { - m.log.WithField("func", "SignInGETHandler").Trace("serving sign in html") + l := m.log.WithField("func", "SignInGETHandler") + l.Trace("entering sign in handler") + if m.idp != nil { + s := sessions.Default(c) + + stateI := s.Get(sessionState) + state, ok := stateI.(string) + if !ok { + m.clearSession(s) + c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"}) + return + } + + redirect := m.idp.AuthCodeURL(state) + l.Debugf("redirecting to external idp at %s", redirect) + c.Redirect(http.StatusSeeOther, redirect) + return + } c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{}) } @@ -52,6 +69,7 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) { form := &login{} if err := c.ShouldBind(form); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + m.clearSession(s) return } l.Tracef("parsed form: %+v", form) @@ -59,12 +77,14 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) { userid, err := m.ValidatePassword(form.Email, form.Password) if err != nil { c.String(http.StatusForbidden, err.Error()) + m.clearSession(s) return } s.Set(sessionUserID, userid) if err := s.Save(); err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + m.clearSession(s) return } diff --git a/internal/api/client/auth/util.go b/internal/api/client/auth/util.go new file mode 100644 index 000000000..48fe4748a --- /dev/null +++ b/internal/api/client/auth/util.go @@ -0,0 +1,17 @@ +package auth + +import ( + "github.com/gin-contrib/sessions" +) + +func (m *Module) clearSession(s sessions.Session) { + s.Clear() + + // newOptions := router.SessionOptions(m.config) + // newOptions.MaxAge = -1 // instruct browser to delete cookie immediately + // s.Options(newOptions) + + if err := s.Save(); err != nil { + panic(err) + } +} diff --git a/internal/cliactions/admin/account/account.go b/internal/cliactions/admin/account/account.go index 3bb1afada..123913327 100644 --- a/internal/cliactions/admin/account/account.go +++ b/internal/cliactions/admin/account/account.go @@ -64,7 +64,7 @@ var Create cliactions.GTSAction = func(ctx context.Context, c *config.Config, lo return err } - _, err = dbConn.NewSignup(username, "", false, email, password, nil, "", "") + _, err = dbConn.NewSignup(username, "", false, email, password, nil, "", "", false, false) if err != nil { return err } diff --git a/internal/cliactions/server/server.go b/internal/cliactions/server/server.go index 316be614e..3c4f97dea 100644 --- a/internal/cliactions/server/server.go +++ b/internal/cliactions/server/server.go @@ -42,6 +42,7 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/media" "github.com/superseriousbusiness/gotosocial/internal/oauth" + "github.com/superseriousbusiness/gotosocial/internal/oidc" "github.com/superseriousbusiness/gotosocial/internal/processing" "github.com/superseriousbusiness/gotosocial/internal/router" timelineprocessing "github.com/superseriousbusiness/gotosocial/internal/timeline" @@ -121,8 +122,13 @@ var Start cliactions.GTSAction = func(ctx context.Context, c *config.Config, log return fmt.Errorf("error starting processor: %s", err) } + idp, err := oidc.NewIDP(c, log) + if err != nil { + return fmt.Errorf("error creating oidc idp: %s", err) + } + // build client api modules - authModule := auth.New(c, dbService, oauthServer, log) + authModule := auth.New(c, dbService, oauthServer, idp, log) accountModule := account.New(c, processor, log) instanceModule := instance.New(c, processor, log) appsModule := app.New(c, processor, log) diff --git a/internal/cliactions/testrig/testrig.go b/internal/cliactions/testrig/testrig.go index c669dd851..e2b97fe61 100644 --- a/internal/cliactions/testrig/testrig.go +++ b/internal/cliactions/testrig/testrig.go @@ -37,6 +37,7 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/cliactions" "github.com/superseriousbusiness/gotosocial/internal/config" "github.com/superseriousbusiness/gotosocial/internal/gotosocial" + "github.com/superseriousbusiness/gotosocial/internal/oidc" "github.com/superseriousbusiness/gotosocial/internal/web" "github.com/superseriousbusiness/gotosocial/testrig" ) @@ -66,8 +67,13 @@ var Start cliactions.GTSAction = func(ctx context.Context, _ *config.Config, log return fmt.Errorf("error starting processor: %s", err) } + idp, err := oidc.NewIDP(c, log) + if err != nil { + return fmt.Errorf("error creating oidc idp: %s", err) + } + // build client api modules - authModule := auth.New(c, dbService, oauthServer, log) + authModule := auth.New(c, dbService, oauthServer, idp, log) accountModule := account.New(c, processor, log) instanceModule := instance.New(c, processor, log) appsModule := app.New(c, processor, log) diff --git a/internal/config/config.go b/internal/config/config.go index e2bfd0b68..117b8efb5 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -57,6 +57,7 @@ type Config struct { StorageConfig *StorageConfig `yaml:"storage"` StatusesConfig *StatusesConfig `yaml:"statuses"` LetsEncryptConfig *LetsEncryptConfig `yaml:"letsEncrypt"` + OIDCConfig *OIDCConfig `yaml:"oidc"` /* Not parsed from .yaml configuration file. @@ -87,6 +88,7 @@ func Empty() *Config { StorageConfig: &StorageConfig{}, StatusesConfig: &StatusesConfig{}, LetsEncryptConfig: &LetsEncryptConfig{}, + OIDCConfig: &OIDCConfig{}, AccountCLIFlags: make(map[string]string), } } @@ -268,7 +270,34 @@ func (c *Config) ParseCLIFlags(f KeyedFlags, version string) error { c.LetsEncryptConfig.EmailAddress = f.String(fn.LetsEncryptEmailAddress) } - c.SoftwareVersion = GetDefaults().SoftwareVersion + // OIDC flags + if f.IsSet(fn.OIDCEnabled) { + c.OIDCConfig.Enabled = f.Bool(fn.OIDCEnabled) + } + + if c.OIDCConfig.IDPName == "" || f.IsSet(fn.OIDCIdpName) { + c.OIDCConfig.IDPName = f.String(fn.OIDCIdpName) + } + + if f.IsSet(fn.OIDCSkipVerification) { + c.OIDCConfig.SkipVerification = f.Bool(fn.OIDCSkipVerification) + } + + if c.OIDCConfig.Issuer == "" || f.IsSet(fn.OIDCIssuer) { + c.OIDCConfig.Issuer = f.String(fn.OIDCIssuer) + } + + if c.OIDCConfig.ClientID == "" || f.IsSet(fn.OIDCClientID) { + c.OIDCConfig.ClientID = f.String(fn.OIDCClientID) + } + + if c.OIDCConfig.ClientSecret == "" || f.IsSet(fn.OIDCClientSecret) { + c.OIDCConfig.ClientSecret = f.String(fn.OIDCClientSecret) + } + + if len(c.OIDCConfig.Scopes) == 0 || f.IsSet(fn.OIDCScopes) { + c.OIDCConfig.Scopes = f.StringSlice(fn.OIDCScopes) + } // command-specific flags @@ -278,7 +307,6 @@ func (c *Config) ParseCLIFlags(f KeyedFlags, version string) error { c.AccountCLIFlags[PasswordFlag] = f.String(PasswordFlag) c.SoftwareVersion = version - return nil } @@ -287,6 +315,7 @@ func (c *Config) ParseCLIFlags(f KeyedFlags, version string) error { type KeyedFlags interface { Bool(k string) bool String(k string) string + StringSlice(k string) []string Int(k string) int IsSet(k string) bool } @@ -337,6 +366,14 @@ type Flags struct { LetsEncryptEnabled string LetsEncryptCertDir string LetsEncryptEmailAddress string + + OIDCEnabled string + OIDCIdpName string + OIDCSkipVerification string + OIDCIssuer string + OIDCClientID string + OIDCClientSecret string + OIDCScopes string } // Defaults contains all the default values for a gotosocial config @@ -385,6 +422,14 @@ type Defaults struct { LetsEncryptEnabled bool LetsEncryptCertDir string LetsEncryptEmailAddress string + + OIDCEnabled bool + OIDCIdpName string + OIDCSkipVerification bool + OIDCIssuer string + OIDCClientID string + OIDCClientSecret string + OIDCScopes []string } // GetFlagNames returns a struct containing the names of the various flags used for @@ -434,6 +479,14 @@ func GetFlagNames() Flags { LetsEncryptEnabled: "letsencrypt-enabled", LetsEncryptCertDir: "letsencrypt-cert-dir", LetsEncryptEmailAddress: "letsencrypt-email", + + OIDCEnabled: "oidc-enabled", + OIDCIdpName: "oidc-idp-name", + OIDCSkipVerification: "oidc-skip-verification", + OIDCIssuer: "oidc-issuer", + OIDCClientID: "oidc-client-id", + OIDCClientSecret: "oidc-client-secret", + OIDCScopes: "oidc-scopes", } } @@ -484,5 +537,13 @@ func GetEnvNames() Flags { LetsEncryptEnabled: "GTS_LETSENCRYPT_ENABLED", LetsEncryptCertDir: "GTS_LETSENCRYPT_CERT_DIR", LetsEncryptEmailAddress: "GTS_LETSENCRYPT_EMAIL", + + OIDCEnabled: "GTS_OIDC_ENABLED", + OIDCIdpName: "GTS_OIDC_IDP_NAME", + OIDCSkipVerification: "GTS_OIDC_SKIP_VERIFICATION", + OIDCIssuer: "GTS_OIDC_ISSUER", + OIDCClientID: "GTS_OIDC_CLIENT_ID", + OIDCClientSecret: "GTS_OIDC_CLIENT_SECRET", + OIDCScopes: "GTS_OIDC_SCOPES", } } diff --git a/internal/config/default.go b/internal/config/default.go index 099eead1c..61940eff4 100644 --- a/internal/config/default.go +++ b/internal/config/default.go @@ -1,5 +1,7 @@ package config +import "github.com/coreos/go-oidc/v3/oidc" + // TestDefault returns a default config for testing func TestDefault() *Config { defaults := GetTestDefaults() @@ -52,6 +54,15 @@ func TestDefault() *Config { CertDir: defaults.LetsEncryptCertDir, EmailAddress: defaults.LetsEncryptEmailAddress, }, + OIDCConfig: &OIDCConfig{ + Enabled: defaults.OIDCEnabled, + IDPName: defaults.OIDCIdpName, + SkipVerification: defaults.OIDCSkipVerification, + Issuer: defaults.OIDCIssuer, + ClientID: defaults.OIDCClientID, + ClientSecret: defaults.OIDCClientSecret, + Scopes: defaults.OIDCScopes, + }, } } @@ -107,6 +118,15 @@ func Default() *Config { CertDir: defaults.LetsEncryptCertDir, EmailAddress: defaults.LetsEncryptEmailAddress, }, + OIDCConfig: &OIDCConfig{ + Enabled: defaults.OIDCEnabled, + IDPName: defaults.OIDCIdpName, + SkipVerification: defaults.OIDCSkipVerification, + Issuer: defaults.OIDCIssuer, + ClientID: defaults.OIDCClientID, + ClientSecret: defaults.OIDCClientSecret, + Scopes: defaults.OIDCScopes, + }, } } @@ -157,6 +177,14 @@ func GetDefaults() Defaults { LetsEncryptEnabled: true, LetsEncryptCertDir: "/gotosocial/storage/certs", LetsEncryptEmailAddress: "", + + OIDCEnabled: false, + OIDCIdpName: "", + OIDCSkipVerification: false, + OIDCIssuer: "", + OIDCClientID: "", + OIDCClientSecret: "", + OIDCScopes: []string{oidc.ScopeOpenID, "profile", "email", "groups"}, } } @@ -204,5 +232,13 @@ func GetTestDefaults() Defaults { LetsEncryptEnabled: false, LetsEncryptCertDir: "", LetsEncryptEmailAddress: "", + + OIDCEnabled: false, + OIDCIdpName: "", + OIDCSkipVerification: false, + OIDCIssuer: "", + OIDCClientID: "", + OIDCClientSecret: "", + OIDCScopes: []string{oidc.ScopeOpenID, "profile", "email", "groups"}, } } diff --git a/internal/config/oidc.go b/internal/config/oidc.go new file mode 100644 index 000000000..06158bbb7 --- /dev/null +++ b/internal/config/oidc.go @@ -0,0 +1,30 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package config + +// OIDCConfig contains configuration values for openID connect (oauth) authorization by an external service such as Dex. +type OIDCConfig struct { + Enabled bool `yaml:"enabled"` + IDPName string `yaml:"idpName"` + SkipVerification bool `yaml:"skipVerification"` + Issuer string `yaml:"issuer"` + ClientID string `yaml:"clientID"` + ClientSecret string `yaml:"clientSecret"` + Scopes []string `yaml:"scopes"` +} diff --git a/internal/db/db.go b/internal/db/db.go index bbe780e80..c764cc716 100644 --- a/internal/db/db.go +++ b/internal/db/db.go @@ -177,9 +177,9 @@ type DB interface { // C) something went wrong in the db IsEmailAvailable(email string) error - // NewSignup creates a new user in the database with the given parameters, with an *unconfirmed* email address. + // NewSignup creates a new user in the database with the given parameters. // By the time this function is called, it should be assumed that all the parameters have passed validation! - NewSignup(username string, reason string, requireApproval bool, email string, password string, signUpIP net.IP, locale string, appID string) (*gtsmodel.User, error) + NewSignup(username string, reason string, requireApproval bool, email string, password string, signUpIP net.IP, locale string, appID string, emailVerified bool, admin bool) (*gtsmodel.User, error) // SetHeaderOrAvatarForAccountID sets the header or avatar for the given accountID to the given media attachment. SetHeaderOrAvatarForAccountID(mediaAttachment *gtsmodel.MediaAttachment, accountID string) error diff --git a/internal/db/pg/pg.go b/internal/db/pg/pg.go index 31312b61e..d49c50114 100644 --- a/internal/db/pg/pg.go +++ b/internal/db/pg/pg.go @@ -548,38 +548,49 @@ func (ps *postgresService) IsEmailAvailable(email string) error { return nil } -func (ps *postgresService) NewSignup(username string, reason string, requireApproval bool, email string, password string, signUpIP net.IP, locale string, appID string) (*gtsmodel.User, error) { +func (ps *postgresService) NewSignup(username string, reason string, requireApproval bool, email string, password string, signUpIP net.IP, locale string, appID string, emailVerified bool, admin bool) (*gtsmodel.User, error) { key, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { ps.log.Errorf("error creating new rsa key: %s", err) return nil, err } - newAccountURIs := util.GenerateURIsForAccount(username, ps.config.Protocol, ps.config.Host) - newAccountID, err := id.NewRandomULID() + // if something went wrong while creating a user, we might already have an account, so check here first... + a := >smodel.Account{} + err = ps.conn.Model(a).Where("username = ?", username).Where("? IS NULL", pg.Ident("domain")).Select() if err != nil { - return nil, err - } + // there's been an actual error + if err != pg.ErrNoRows { + return nil, fmt.Errorf("db error checking existence of account: %s", err) + } - a := >smodel.Account{ - ID: newAccountID, - Username: username, - DisplayName: username, - Reason: reason, - URL: newAccountURIs.UserURL, - PrivateKey: key, - PublicKey: &key.PublicKey, - PublicKeyURI: newAccountURIs.PublicKeyURI, - ActorType: gtsmodel.ActivityStreamsPerson, - URI: newAccountURIs.UserURI, - InboxURI: newAccountURIs.InboxURI, - OutboxURI: newAccountURIs.OutboxURI, - FollowersURI: newAccountURIs.FollowersURI, - FollowingURI: newAccountURIs.FollowingURI, - FeaturedCollectionURI: newAccountURIs.CollectionURI, - } - if _, err = ps.conn.Model(a).Insert(); err != nil { - return nil, err + // we just don't have an account yet create one + newAccountURIs := util.GenerateURIsForAccount(username, ps.config.Protocol, ps.config.Host) + newAccountID, err := id.NewRandomULID() + if err != nil { + return nil, err + } + + a = >smodel.Account{ + ID: newAccountID, + Username: username, + DisplayName: username, + Reason: reason, + URL: newAccountURIs.UserURL, + PrivateKey: key, + PublicKey: &key.PublicKey, + PublicKeyURI: newAccountURIs.PublicKeyURI, + ActorType: gtsmodel.ActivityStreamsPerson, + URI: newAccountURIs.UserURI, + InboxURI: newAccountURIs.InboxURI, + OutboxURI: newAccountURIs.OutboxURI, + FollowersURI: newAccountURIs.FollowersURI, + FollowingURI: newAccountURIs.FollowingURI, + FeaturedCollectionURI: newAccountURIs.CollectionURI, + } + if _, err = ps.conn.Model(a).Insert(); err != nil { + return nil, err + } } pw, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) @@ -594,14 +605,25 @@ func (ps *postgresService) NewSignup(username string, reason string, requireAppr u := >smodel.User{ ID: newUserID, - AccountID: newAccountID, + AccountID: a.ID, EncryptedPassword: string(pw), - SignUpIP: signUpIP, + SignUpIP: signUpIP.To4(), Locale: locale, UnconfirmedEmail: email, CreatedByApplicationID: appID, Approved: !requireApproval, // if we don't require moderator approval, just pre-approve the user } + + if emailVerified { + u.ConfirmedAt = time.Now() + u.Email = email + } + + if admin { + u.Admin = true + u.Moderator = true + } + if _, err = ps.conn.Model(u).Insert(); err != nil { return nil, err } diff --git a/internal/oidc/claims.go b/internal/oidc/claims.go new file mode 100644 index 000000000..b58c4662b --- /dev/null +++ b/internal/oidc/claims.go @@ -0,0 +1,27 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oidc + +// Claims represents claims as found in an id_token returned from an OIDC flow. +type Claims struct { + Email string `json:"email"` + EmailVerified bool `json:"email_verified"` + Groups []string `json:"groups"` + Name string `json:"name"` +} diff --git a/internal/oidc/handlecallback.go b/internal/oidc/handlecallback.go new file mode 100644 index 000000000..2fbdc9309 --- /dev/null +++ b/internal/oidc/handlecallback.go @@ -0,0 +1,65 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oidc + +import ( + "context" + "errors" + "fmt" +) + +func (i *idp) HandleCallback(ctx context.Context, code string) (*Claims, error) { + l := i.log.WithField("func", "HandleCallback") + if code == "" { + return nil, errors.New("code was empty string") + } + + l.Debug("exchanging code for oauth2token") + oauth2Token, err := i.oauth2Config.Exchange(ctx, code) + if err != nil { + return nil, fmt.Errorf("error exchanging code for oauth2token: %s", err) + } + + l.Debug("extracting id_token") + rawIDToken, ok := oauth2Token.Extra("id_token").(string) + if !ok { + return nil, errors.New("no id_token in oauth2token") + } + l.Debugf("raw id token: %s", rawIDToken) + + // Parse and verify ID Token payload. + l.Debug("verifying id_token") + idTokenVerifier := i.provider.Verifier(i.oidcConf) + idToken, err := idTokenVerifier.Verify(ctx, rawIDToken) + if err != nil { + return nil, fmt.Errorf("could not verify id token: %s", err) + } + + l.Debug("extracting claims from id_token") + claims := &Claims{} + if err := idToken.Claims(claims); err != nil { + return nil, fmt.Errorf("could not parse claims from idToken: %s", err) + } + + return claims, nil +} + +func (i *idp) AuthCodeURL(state string) string { + return i.oauth2Config.AuthCodeURL(state) +} diff --git a/internal/oidc/idp.go b/internal/oidc/idp.go new file mode 100644 index 000000000..8758f6aad --- /dev/null +++ b/internal/oidc/idp.go @@ -0,0 +1,121 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oidc + +import ( + "context" + "fmt" + + "github.com/coreos/go-oidc/v3/oidc" + "github.com/sirupsen/logrus" + "github.com/superseriousbusiness/gotosocial/internal/config" + "golang.org/x/oauth2" +) + +const ( + // CallbackPath is the API path for receiving callback tokens from external OIDC providers + CallbackPath = "/auth/callback" +) + +// IDP contains logic for parsing an OIDC access code into a set of claims by calling an external OIDC provider. +type IDP interface { + // HandleCallback accepts a context (pass the context from the http.Request), and an oauth2 code as returned from a successful + // login through an OIDC provider. It uses the code to request a token from the OIDC provider, which should contain an id_token + // with a set of claims. + // + // Note that this function *does not* verify state. That should be handled by the caller *before* this function is called. + HandleCallback(ctx context.Context, code string) (*Claims, error) + // AuthCodeURL returns the proper redirect URL for this IDP, for redirecting requesters to the correct OIDC endpoint. + AuthCodeURL(state string) string +} + +type idp struct { + oauth2Config oauth2.Config + provider *oidc.Provider + oidcConf *oidc.Config + log *logrus.Logger +} + +// NewIDP returns a new IDP configured with the given config and logger. +// If the passed config contains a nil value for the OIDCConfig, or OIDCConfig.Enabled +// is set to false, then nil, nil will be returned. If OIDCConfig.Enabled is true, +// then the other OIDC config fields must also be set. +func NewIDP(config *config.Config, log *logrus.Logger) (IDP, error) { + + // oidc isn't enabled so we don't need to do anything + if config.OIDCConfig == nil || !config.OIDCConfig.Enabled { + return nil, nil + } + + // validate config fields + if config.OIDCConfig.IDPName == "" { + return nil, fmt.Errorf("not set: IDPName") + } + if config.OIDCConfig.Issuer == "" { + return nil, fmt.Errorf("not set: Issuer") + } + if config.OIDCConfig.ClientID == "" { + return nil, fmt.Errorf("not set: ClientID") + } + if config.OIDCConfig.ClientSecret == "" { + return nil, fmt.Errorf("not set: ClientSecret") + } + if len(config.OIDCConfig.Scopes) == 0 { + return nil, fmt.Errorf("not set: Scopes") + } + + provider, err := oidc.NewProvider(context.Background(), config.OIDCConfig.Issuer) + if err != nil { + return nil, err + } + + oauth2Config := oauth2.Config{ + // client_id and client_secret of the client. + ClientID: config.OIDCConfig.ClientID, + ClientSecret: config.OIDCConfig.ClientSecret, + + // The redirectURL. + RedirectURL: fmt.Sprintf("%s://%s%s", config.Protocol, config.Host, CallbackPath), + + // Discovery returns the OAuth2 endpoints. + Endpoint: provider.Endpoint(), + + // "openid" is a required scope for OpenID Connect flows. + // + // Other scopes, such as "groups" can be requested. + Scopes: config.OIDCConfig.Scopes, + } + + // create a config for verifier creation + oidcConf := &oidc.Config{ + ClientID: config.OIDCConfig.ClientID, + } + if config.OIDCConfig.SkipVerification { + oidcConf.SkipClientIDCheck = true + oidcConf.SkipExpiryCheck = true + oidcConf.SkipIssuerCheck = true + } + + return &idp{ + oauth2Config: oauth2Config, + oidcConf: oidcConf, + provider: provider, + log: log, + }, nil +} diff --git a/internal/processing/account/create.go b/internal/processing/account/create.go index 8b29f147f..58ac0e43c 100644 --- a/internal/processing/account/create.go +++ b/internal/processing/account/create.go @@ -45,7 +45,7 @@ func (p *processor) Create(applicationToken oauth2.TokenInfo, application *gtsmo } l.Trace("creating new username and account") - user, err := p.db.NewSignup(form.Username, util.RemoveHTML(reason), p.config.AccountsConfig.RequireApproval, form.Email, form.Password, form.IP, form.Locale, application.ID) + user, err := p.db.NewSignup(form.Username, util.RemoveHTML(reason), p.config.AccountsConfig.RequireApproval, form.Email, form.Password, form.IP, form.Locale, application.ID, false, false) if err != nil { return nil, fmt.Errorf("error creating new signup in the database: %s", err) } diff --git a/internal/router/session.go b/internal/router/session.go index 2d00f7677..2b9be2f56 100644 --- a/internal/router/session.go +++ b/internal/router/session.go @@ -33,6 +33,18 @@ import ( "github.com/superseriousbusiness/gotosocial/internal/id" ) +// SessionOptions returns the standard set of options to use for each session. +func SessionOptions(cfg *config.Config) sessions.Options { + return sessions.Options{ + Path: "/", + Domain: cfg.Host, + MaxAge: 120, // 2 minutes + Secure: true, // only use cookie over https + HttpOnly: true, // exclude javascript from inspecting cookie + SameSite: http.SameSiteDefaultMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 + } +} + func useSession(cfg *config.Config, dbService db.DB, engine *gin.Engine) error { // check if we have a saved router session already routerSessions := []*gtsmodel.RouterSession{} @@ -64,14 +76,7 @@ func useSession(cfg *config.Config, dbService db.DB, engine *gin.Engine) error { } store := memstore.NewStore(rs.Auth, rs.Crypt) - store.Options(sessions.Options{ - Path: "/", - Domain: cfg.Host, - MaxAge: 120, // 2 minutes - Secure: true, // only use cookie over https - HttpOnly: true, // exclude javascript from inspecting cookie - SameSite: http.SameSiteStrictMode, // https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00#section-4.1.1 - }) + store.Options(SessionOptions(cfg)) sessionName := fmt.Sprintf("gotosocial-%s", cfg.Host) engine.Use(sessions.Sessions(sessionName, store)) return nil |