mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-24 12:46:38 +00:00
9bf448be7a
* Add support for very basic RBAC * Add some small tests for allowedGroup and adminGroup * Switch to table-driven tests
407 lines
14 KiB
Go
407 lines
14 KiB
Go
// GoToSocial
|
|
// Copyright (C) GoToSocial Authors admin@gotosocial.org
|
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package auth
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"slices"
|
|
"strings"
|
|
|
|
"github.com/gin-contrib/sessions"
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/google/uuid"
|
|
apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util"
|
|
"github.com/superseriousbusiness/gotosocial/internal/config"
|
|
"github.com/superseriousbusiness/gotosocial/internal/db"
|
|
"github.com/superseriousbusiness/gotosocial/internal/gtserror"
|
|
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
|
|
"github.com/superseriousbusiness/gotosocial/internal/oauth"
|
|
"github.com/superseriousbusiness/gotosocial/internal/oidc"
|
|
"github.com/superseriousbusiness/gotosocial/internal/validate"
|
|
)
|
|
|
|
// extraInfo wraps a form-submitted username and transmitted name
|
|
type extraInfo struct {
|
|
Username string `form:"username"`
|
|
Name string `form:"name"` // note that this is only used for re-rendering the page in case of an error
|
|
}
|
|
|
|
// CallbackGETHandler parses a token from an external auth provider.
|
|
func (m *Module) CallbackGETHandler(c *gin.Context) {
|
|
if !config.GetOIDCEnabled() {
|
|
err := errors.New("oidc is not enabled for this server")
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorNotFound(err, err.Error()), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
s := sessions.Default(c)
|
|
|
|
// check the query vs session state parameter to mitigate csrf
|
|
// https://auth0.com/docs/secure/attack-protection/state-parameters
|
|
|
|
returnedInternalState := c.Query(callbackStateParam)
|
|
if returnedInternalState == "" {
|
|
m.clearSession(s)
|
|
err := fmt.Errorf("%s parameter not found on callback query", callbackStateParam)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
savedInternalStateI := s.Get(sessionInternalState)
|
|
savedInternalState, ok := savedInternalStateI.(string)
|
|
if !ok {
|
|
m.clearSession(s)
|
|
err := fmt.Errorf("key %s was not found in session", sessionInternalState)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
if returnedInternalState != savedInternalState {
|
|
m.clearSession(s)
|
|
err := errors.New("mismatch between callback state and saved state")
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
// retrieve stored claims using code
|
|
code := c.Query(callbackCodeParam)
|
|
if code == "" {
|
|
m.clearSession(s)
|
|
err := fmt.Errorf("%s parameter not found on callback query", callbackCodeParam)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
claims, errWithCode := m.idp.HandleCallback(c.Request.Context(), code)
|
|
if errWithCode != nil {
|
|
m.clearSession(s)
|
|
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
// We can use the client_id on the session to retrieve
|
|
// info about the app associated with the client_id
|
|
clientID, ok := s.Get(sessionClientID).(string)
|
|
if !ok || clientID == "" {
|
|
m.clearSession(s)
|
|
err := fmt.Errorf("key %s was not found in session", sessionClientID)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
app, err := m.db.GetApplicationByClientID(c.Request.Context(), clientID)
|
|
if err != nil {
|
|
m.clearSession(s)
|
|
safe := fmt.Sprintf("application for %s %s could not be retrieved", sessionClientID, clientID)
|
|
var errWithCode gtserror.WithCode
|
|
if err == db.ErrNoEntries {
|
|
errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
|
|
} else {
|
|
errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
|
|
}
|
|
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
user, errWithCode := m.fetchUserForClaims(c.Request.Context(), claims, net.IP(c.ClientIP()), app.ID)
|
|
if errWithCode != nil {
|
|
m.clearSession(s)
|
|
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
if user == nil {
|
|
// no user exists yet - let's ask them for their preferred username
|
|
instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context())
|
|
if errWithCode != nil {
|
|
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
// store the claims in the session - that way we know the user is authenticated when processing the form later
|
|
s.Set(sessionClaims, claims)
|
|
s.Set(sessionAppID, app.ID)
|
|
if err := s.Save(); err != nil {
|
|
m.clearSession(s)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorInternalError(err), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
page := apiutil.WebPage{
|
|
Template: "finalize.tmpl",
|
|
Instance: instance,
|
|
Extra: map[string]any{
|
|
"name": claims.Name,
|
|
"preferredUsername": claims.PreferredUsername,
|
|
},
|
|
}
|
|
|
|
apiutil.TemplateWebPage(c, page)
|
|
return
|
|
}
|
|
|
|
// Check user permissions on login
|
|
if !allowedGroup(claims.Groups) {
|
|
err := fmt.Errorf("User groups %+v do not include an allowed group", claims.Groups)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
s.Set(sessionUserID, user.ID)
|
|
if err := s.Save(); err != nil {
|
|
m.clearSession(s)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorInternalError(err), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
c.Redirect(http.StatusFound, "/oauth"+OauthAuthorizePath)
|
|
}
|
|
|
|
// FinalizePOSTHandler registers the user after additional data has been provided
|
|
func (m *Module) FinalizePOSTHandler(c *gin.Context) {
|
|
s := sessions.Default(c)
|
|
|
|
form := &extraInfo{}
|
|
if err := c.ShouldBind(form); err != nil {
|
|
m.clearSession(s)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
// since we have multiple possible validation error, `validationError` is a shorthand for rendering them
|
|
validationError := func(err error) {
|
|
instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context())
|
|
if errWithCode != nil {
|
|
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
page := apiutil.WebPage{
|
|
Template: "finalize.tmpl",
|
|
Instance: instance,
|
|
Extra: map[string]any{
|
|
"name": form.Name,
|
|
"preferredUsername": form.Username,
|
|
"error": err,
|
|
},
|
|
}
|
|
|
|
apiutil.TemplateWebPage(c, page)
|
|
}
|
|
|
|
// check if the username conforms to the spec
|
|
if err := validate.Username(form.Username); err != nil {
|
|
validationError(err)
|
|
return
|
|
}
|
|
|
|
// see if the username is still available
|
|
usernameAvailable, err := m.db.IsUsernameAvailable(c.Request.Context(), form.Username)
|
|
if err != nil {
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
if !usernameAvailable {
|
|
validationError(fmt.Errorf("Username %s is already taken", form.Username))
|
|
return
|
|
}
|
|
|
|
// retrieve the information previously set by the oidc logic
|
|
appID, ok := s.Get(sessionAppID).(string)
|
|
if !ok {
|
|
err := fmt.Errorf("key %s was not found in session", sessionAppID)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
// retrieve the claims returned by the IDP. Having this present means that we previously already verified these claims
|
|
claims, ok := s.Get(sessionClaims).(*oidc.Claims)
|
|
if !ok {
|
|
err := fmt.Errorf("key %s was not found in session", sessionClaims)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
|
|
// we're now ready to actually create the user
|
|
user, errWithCode := m.createUserFromOIDC(c.Request.Context(), claims, form, net.IP(c.ClientIP()), appID)
|
|
if errWithCode != nil {
|
|
m.clearSession(s)
|
|
apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
s.Delete(sessionClaims)
|
|
s.Delete(sessionAppID)
|
|
s.Set(sessionUserID, user.ID)
|
|
if err := s.Save(); err != nil {
|
|
m.clearSession(s)
|
|
apiutil.ErrorHandler(c, gtserror.NewErrorInternalError(err), m.processor.InstanceGetV1)
|
|
return
|
|
}
|
|
c.Redirect(http.StatusFound, "/oauth"+OauthAuthorizePath)
|
|
}
|
|
|
|
func (m *Module) fetchUserForClaims(ctx context.Context, claims *oidc.Claims, ip net.IP, appID string) (*gtsmodel.User, gtserror.WithCode) {
|
|
if claims.Sub == "" {
|
|
err := errors.New("no sub claim found - is your provider OIDC compliant?")
|
|
return nil, gtserror.NewErrorBadRequest(err, err.Error())
|
|
}
|
|
user, err := m.db.GetUserByExternalID(ctx, claims.Sub)
|
|
if err == nil {
|
|
return user, nil
|
|
}
|
|
if err != db.ErrNoEntries {
|
|
err := fmt.Errorf("error checking database for externalID %s: %s", claims.Sub, err)
|
|
return nil, gtserror.NewErrorInternalError(err)
|
|
}
|
|
if !config.GetOIDCLinkExisting() {
|
|
return nil, nil
|
|
}
|
|
// fallback to email if we want to link existing users
|
|
user, err = m.db.GetUserByEmailAddress(ctx, claims.Email)
|
|
if err == db.ErrNoEntries {
|
|
return nil, nil
|
|
} else if err != nil {
|
|
err := fmt.Errorf("error checking database for email %s: %s", claims.Email, err)
|
|
return nil, gtserror.NewErrorInternalError(err)
|
|
}
|
|
// at this point we have found a matching user but still need to link the newly received external ID
|
|
|
|
user.ExternalID = claims.Sub
|
|
err = m.db.UpdateUser(ctx, user, "external_id")
|
|
if err != nil {
|
|
err := fmt.Errorf("error linking existing user %s: %s", claims.Email, err)
|
|
return nil, gtserror.NewErrorInternalError(err)
|
|
}
|
|
return user, nil
|
|
}
|
|
|
|
func (m *Module) createUserFromOIDC(ctx context.Context, claims *oidc.Claims, extraInfo *extraInfo, ip net.IP, appID string) (*gtsmodel.User, gtserror.WithCode) {
|
|
// Check if the claimed email address is available for use.
|
|
emailAvailable, err := m.db.IsEmailAvailable(ctx, claims.Email)
|
|
if err != nil {
|
|
err := gtserror.Newf("db error checking email availability: %w", err)
|
|
return nil, gtserror.NewErrorInternalError(err)
|
|
}
|
|
|
|
if !emailAvailable {
|
|
const help = "The email address given to us by your authentication provider already exists in our records and the server administrator has not enabled account migration"
|
|
err := gtserror.Newf("email address %s is not available", claims.Email)
|
|
return nil, gtserror.NewErrorConflict(err, help)
|
|
}
|
|
|
|
if !allowedGroup(claims.Groups) {
|
|
err := fmt.Errorf("User groups %+v do not include an allowed group", claims.Groups)
|
|
return nil, gtserror.NewErrorUnauthorized(err, err.Error())
|
|
}
|
|
|
|
// We still need to set something as a password, even
|
|
// if it's not a password the user will end up using.
|
|
//
|
|
// We'll just set two uuids on top of each other, which
|
|
// should be long + random enough to baffle any attempts
|
|
// to crack, and which is also, conveniently, 72 bytes,
|
|
// which is the maximum length that bcrypt can handle.
|
|
//
|
|
// If the user ever wants to log in using a password
|
|
// rather than oidc flow, they'll have to request a
|
|
// password reset, which is fine.
|
|
password := uuid.NewString() + uuid.NewString()
|
|
|
|
// Since this user is created via OIDC, we can assume
|
|
// that the account should be preapproved, and the email
|
|
// address should be considered as verified already,
|
|
// since the OIDC login was successful.
|
|
//
|
|
// If we don't assume this, we end up in a situation
|
|
// where the admin first adds a user to OIDC, then has
|
|
// to approve them again in GoToSocial when they log in
|
|
// there for the first time, which doesn't make sense.
|
|
//
|
|
// In other words, if a user logs in via OIDC, they
|
|
// should be able to use their account straight away.
|
|
var (
|
|
preApproved = true
|
|
emailVerified = true
|
|
)
|
|
|
|
// If one of the claimed groups corresponds to one of
|
|
// the configured admin OIDC groups, create this user
|
|
// as an admin.
|
|
admin := adminGroup(claims.Groups)
|
|
|
|
// Create the user! This will also create an account and
|
|
// store it in the database, so we don't need to do that.
|
|
user, err := m.db.NewSignup(ctx, gtsmodel.NewSignup{
|
|
Username: extraInfo.Username,
|
|
Email: claims.Email,
|
|
Password: password,
|
|
SignUpIP: ip,
|
|
AppID: appID,
|
|
ExternalID: claims.Sub,
|
|
PreApproved: preApproved,
|
|
EmailVerified: emailVerified,
|
|
Admin: admin,
|
|
})
|
|
if err != nil {
|
|
err := gtserror.Newf("db error doing new signup: %w", err)
|
|
return nil, gtserror.NewErrorInternalError(err)
|
|
}
|
|
|
|
return user, nil
|
|
}
|
|
|
|
// adminGroup returns true if one of the given OIDC
|
|
// groups is equal to at least one admin OIDC group.
|
|
func adminGroup(groups []string) bool {
|
|
adminGroups := config.GetOIDCAdminGroups()
|
|
for _, claimedGroup := range groups {
|
|
if slices.ContainsFunc(adminGroups, func(allowedGroup string) bool {
|
|
return strings.EqualFold(claimedGroup, allowedGroup)
|
|
}) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
// User is in no admin groups,
|
|
// ∴ user is not an admin.
|
|
return false
|
|
}
|
|
|
|
// allowedGroup returns true if one of the given OIDC
|
|
// groups is equal to at least one allowed OIDC group.
|
|
func allowedGroup(groups []string) bool {
|
|
allowedGroups := config.GetOIDCAllowedGroups()
|
|
if len(allowedGroups) == 0 {
|
|
// If no groups are configured, allow access (for backwards compatibility)
|
|
return true
|
|
}
|
|
for _, claimedGroup := range groups {
|
|
if slices.ContainsFunc(allowedGroups, func(allowedGroup string) bool {
|
|
return strings.EqualFold(claimedGroup, allowedGroup)
|
|
}) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
// User is in no allowed groups,
|
|
// ∴ user is not allowed to log in
|
|
return false
|
|
}
|