2016-07-26 01:30:28 +05:30
|
|
|
package server
|
|
|
|
|
|
|
|
import (
|
2017-03-09 00:03:19 +05:30
|
|
|
"context"
|
2020-10-02 01:02:23 +05:30
|
|
|
"crypto/rsa"
|
2017-04-18 04:11:41 +05:30
|
|
|
"encoding/json"
|
2016-07-26 01:30:28 +05:30
|
|
|
"errors"
|
|
|
|
"fmt"
|
2020-10-15 20:20:39 +05:30
|
|
|
"io/fs"
|
2016-07-26 01:30:28 +05:30
|
|
|
"net/http"
|
|
|
|
"net/url"
|
2021-03-22 16:15:17 +05:30
|
|
|
"os"
|
2016-07-26 01:30:28 +05:30
|
|
|
"path"
|
2017-12-20 20:33:32 +05:30
|
|
|
"strconv"
|
2017-10-26 22:30:43 +05:30
|
|
|
"strings"
|
2017-04-18 04:11:41 +05:30
|
|
|
"sync"
|
2016-08-11 09:21:58 +05:30
|
|
|
"sync/atomic"
|
2016-07-26 01:30:28 +05:30
|
|
|
"time"
|
|
|
|
|
2021-02-11 05:33:25 +05:30
|
|
|
gosundheit "github.com/AppsFlyer/go-sundheit"
|
2019-12-18 20:23:34 +05:30
|
|
|
"github.com/felixge/httpsnoop"
|
|
|
|
"github.com/gorilla/handlers"
|
|
|
|
"github.com/gorilla/mux"
|
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
2016-10-06 05:08:20 +05:30
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
|
2018-09-03 12:14:44 +05:30
|
|
|
"github.com/dexidp/dex/connector"
|
2019-08-09 18:35:50 +05:30
|
|
|
"github.com/dexidp/dex/connector/atlassiancrowd"
|
2018-09-03 12:14:44 +05:30
|
|
|
"github.com/dexidp/dex/connector/authproxy"
|
2018-10-04 21:59:36 +05:30
|
|
|
"github.com/dexidp/dex/connector/bitbucketcloud"
|
2020-05-26 17:24:40 +05:30
|
|
|
"github.com/dexidp/dex/connector/gitea"
|
2018-09-03 12:14:44 +05:30
|
|
|
"github.com/dexidp/dex/connector/github"
|
|
|
|
"github.com/dexidp/dex/connector/gitlab"
|
2018-02-03 17:22:46 +05:30
|
|
|
"github.com/dexidp/dex/connector/google"
|
2018-12-13 16:52:53 +05:30
|
|
|
"github.com/dexidp/dex/connector/keystone"
|
2018-09-03 12:14:44 +05:30
|
|
|
"github.com/dexidp/dex/connector/ldap"
|
|
|
|
"github.com/dexidp/dex/connector/linkedin"
|
|
|
|
"github.com/dexidp/dex/connector/microsoft"
|
|
|
|
"github.com/dexidp/dex/connector/mock"
|
|
|
|
"github.com/dexidp/dex/connector/oidc"
|
2019-12-10 19:21:09 +05:30
|
|
|
"github.com/dexidp/dex/connector/openshift"
|
2018-09-03 12:14:44 +05:30
|
|
|
"github.com/dexidp/dex/connector/saml"
|
2019-02-22 17:49:23 +05:30
|
|
|
"github.com/dexidp/dex/pkg/log"
|
2018-09-03 12:14:44 +05:30
|
|
|
"github.com/dexidp/dex/storage"
|
2021-03-22 16:15:17 +05:30
|
|
|
"github.com/dexidp/dex/web"
|
2016-07-26 01:30:28 +05:30
|
|
|
)
|
|
|
|
|
2017-04-18 04:11:41 +05:30
|
|
|
// LocalConnector is the local passwordDB connector which is an internal
|
|
|
|
// connector maintained by the server.
|
|
|
|
const LocalConnector = "local"
|
|
|
|
|
|
|
|
// Connector is a connector with resource version metadata.
|
2016-07-26 01:30:28 +05:30
|
|
|
type Connector struct {
|
2017-04-18 04:11:41 +05:30
|
|
|
ResourceVersion string
|
|
|
|
Connector connector.Connector
|
2016-07-26 01:30:28 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
// Config holds the server's configuration options.
|
2016-08-20 05:54:49 +05:30
|
|
|
//
|
|
|
|
// Multiple servers using the same storage are expected to be configured identically.
|
2016-07-26 01:30:28 +05:30
|
|
|
type Config struct {
|
|
|
|
Issuer string
|
|
|
|
|
|
|
|
// The backing persistence layer.
|
|
|
|
Storage storage.Storage
|
|
|
|
|
2016-08-20 05:54:49 +05:30
|
|
|
// Valid values are "code" to enable the code flow and "token" to enable the implicit
|
|
|
|
// flow. If no response types are supplied this value defaults to "code".
|
|
|
|
SupportedResponseTypes []string
|
|
|
|
|
2017-01-14 14:48:48 +05:30
|
|
|
// List of allowed origins for CORS requests on discovery, token and keys endpoint.
|
2016-12-29 14:55:16 +05:30
|
|
|
// If none are indicated, CORS requests are disabled. Passing in "*" will allow any
|
|
|
|
// domain.
|
2017-01-14 14:48:48 +05:30
|
|
|
AllowedOrigins []string
|
2016-12-29 14:55:16 +05:30
|
|
|
|
2016-10-08 00:23:01 +05:30
|
|
|
// If enabled, the server won't prompt the user to approve authorization requests.
|
|
|
|
// Logging in implies approval.
|
|
|
|
SkipApprovalScreen bool
|
|
|
|
|
2019-08-06 22:48:46 +05:30
|
|
|
// If enabled, the connectors selection page will always be shown even if there's only one
|
|
|
|
AlwaysShowLoginScreen bool
|
|
|
|
|
2020-01-29 00:44:30 +05:30
|
|
|
RotateKeysAfter time.Duration // Defaults to 6 hours.
|
|
|
|
IDTokensValidFor time.Duration // Defaults to 24 hours
|
|
|
|
AuthRequestsValidFor time.Duration // Defaults to 24 hours
|
|
|
|
DeviceRequestsValidFor time.Duration // Defaults to 5 minutes
|
2020-10-28 11:56:34 +05:30
|
|
|
|
|
|
|
// Refresh token expiration settings
|
|
|
|
RefreshTokenPolicy *RefreshTokenPolicy
|
|
|
|
|
2018-01-03 08:45:01 +05:30
|
|
|
// If set, the server will use this connector to handle password grants
|
|
|
|
PasswordConnector string
|
2020-02-04 20:37:18 +05:30
|
|
|
|
2016-10-13 07:21:32 +05:30
|
|
|
GCFrequency time.Duration // Defaults to 5 minutes
|
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
// If specified, the server will use this function for determining time.
|
|
|
|
Now func() time.Time
|
2016-08-26 01:40:19 +05:30
|
|
|
|
2016-12-01 03:56:54 +05:30
|
|
|
Web WebConfig
|
2016-11-23 05:05:46 +05:30
|
|
|
|
2019-02-22 17:49:23 +05:30
|
|
|
Logger log.Logger
|
2017-12-20 20:33:32 +05:30
|
|
|
|
|
|
|
PrometheusRegistry *prometheus.Registry
|
2021-02-11 05:33:25 +05:30
|
|
|
|
|
|
|
HealthChecker gosundheit.Health
|
2016-12-01 03:56:54 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
// WebConfig holds the server's frontend templates and asset configuration.
|
|
|
|
type WebConfig struct {
|
2021-03-22 16:15:17 +05:30
|
|
|
// A file path to static web assets.
|
2016-12-01 03:56:54 +05:30
|
|
|
//
|
|
|
|
// It is expected to contain the following directories:
|
|
|
|
//
|
|
|
|
// * static - Static static served at "( issuer URL )/static".
|
|
|
|
// * templates - HTML templates controlled by dex.
|
|
|
|
// * themes/(theme) - Static static served at "( issuer URL )/theme".
|
2020-10-15 06:49:23 +05:30
|
|
|
Dir string
|
2016-12-01 03:56:54 +05:30
|
|
|
|
2021-03-22 16:15:17 +05:30
|
|
|
// Alternative way to programatically configure static web assets.
|
|
|
|
// If Dir is specified, WebFS is ignored.
|
|
|
|
// It's expected to contain the same files and directories as mentioned above.
|
2021-03-04 20:47:05 +05:30
|
|
|
//
|
2021-03-22 16:15:17 +05:30
|
|
|
// Note: this is experimental. Might get removed without notice!
|
2020-10-15 20:20:39 +05:30
|
|
|
WebFS fs.FS
|
|
|
|
|
2016-12-01 03:56:54 +05:30
|
|
|
// Defaults to "( issuer URL )/theme/logo.png"
|
|
|
|
LogoURL string
|
|
|
|
|
|
|
|
// Defaults to "dex"
|
|
|
|
Issuer string
|
|
|
|
|
2021-01-12 23:50:38 +05:30
|
|
|
// Defaults to "light"
|
2016-12-01 03:56:54 +05:30
|
|
|
Theme string
|
2019-08-06 22:44:53 +05:30
|
|
|
|
|
|
|
// Map of extra values passed into the templates
|
|
|
|
Extra map[string]string
|
2016-07-26 01:30:28 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
func value(val, defaultValue time.Duration) time.Duration {
|
|
|
|
if val == 0 {
|
|
|
|
return defaultValue
|
|
|
|
}
|
|
|
|
return val
|
|
|
|
}
|
|
|
|
|
|
|
|
// Server is the top level object.
|
|
|
|
type Server struct {
|
|
|
|
issuerURL url.URL
|
|
|
|
|
2017-04-18 04:11:41 +05:30
|
|
|
// mutex for the connectors map.
|
|
|
|
mu sync.Mutex
|
|
|
|
// Map of connector IDs to connectors.
|
2016-07-26 01:30:28 +05:30
|
|
|
connectors map[string]Connector
|
|
|
|
|
|
|
|
storage storage.Storage
|
|
|
|
|
|
|
|
mux http.Handler
|
|
|
|
|
2016-08-26 01:40:19 +05:30
|
|
|
templates *templates
|
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
// If enabled, don't prompt user for approval after logging in through connector.
|
|
|
|
skipApproval bool
|
|
|
|
|
2019-08-06 22:48:46 +05:30
|
|
|
// If enabled, show the connector selection screen even if there's only one
|
|
|
|
alwaysShowLogin bool
|
|
|
|
|
2018-01-03 08:45:01 +05:30
|
|
|
// Used for password grant
|
|
|
|
passwordConnector string
|
|
|
|
|
2016-08-20 05:54:49 +05:30
|
|
|
supportedResponseTypes map[string]bool
|
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
now func() time.Time
|
|
|
|
|
2020-01-29 00:44:30 +05:30
|
|
|
idTokensValidFor time.Duration
|
|
|
|
authRequestsValidFor time.Duration
|
|
|
|
deviceRequestsValidFor time.Duration
|
2016-11-23 05:05:46 +05:30
|
|
|
|
2020-10-28 11:56:34 +05:30
|
|
|
refreshTokenPolicy *RefreshTokenPolicy
|
|
|
|
|
2019-02-22 17:49:23 +05:30
|
|
|
logger log.Logger
|
2016-07-26 01:30:28 +05:30
|
|
|
}
|
|
|
|
|
2016-10-04 12:56:04 +05:30
|
|
|
// NewServer constructs a server from the provided config.
|
2016-10-13 07:21:32 +05:30
|
|
|
func NewServer(ctx context.Context, c Config) (*Server, error) {
|
|
|
|
return newServer(ctx, c, defaultRotationStrategy(
|
2016-07-26 01:30:28 +05:30
|
|
|
value(c.RotateKeysAfter, 6*time.Hour),
|
|
|
|
value(c.IDTokensValidFor, 24*time.Hour),
|
|
|
|
))
|
|
|
|
}
|
|
|
|
|
2020-10-02 01:02:23 +05:30
|
|
|
// NewServerWithKey constructs a server from the provided config and a static signing key.
|
|
|
|
func NewServerWithKey(ctx context.Context, c Config, privateKey *rsa.PrivateKey) (*Server, error) {
|
|
|
|
return newServer(ctx, c, staticRotationStrategy(
|
|
|
|
privateKey,
|
|
|
|
))
|
|
|
|
}
|
|
|
|
|
2016-10-13 07:21:32 +05:30
|
|
|
func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy) (*Server, error) {
|
2016-07-26 01:30:28 +05:30
|
|
|
issuerURL, err := url.Parse(c.Issuer)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("server: can't parse issuer URL")
|
|
|
|
}
|
2016-10-06 05:08:20 +05:30
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
if c.Storage == nil {
|
|
|
|
return nil, errors.New("server: storage cannot be nil")
|
|
|
|
}
|
2020-09-25 21:29:42 +05:30
|
|
|
|
2016-08-20 05:54:49 +05:30
|
|
|
if len(c.SupportedResponseTypes) == 0 {
|
|
|
|
c.SupportedResponseTypes = []string{responseTypeCode}
|
|
|
|
}
|
|
|
|
|
|
|
|
supported := make(map[string]bool)
|
|
|
|
for _, respType := range c.SupportedResponseTypes {
|
|
|
|
switch respType {
|
2017-01-10 00:16:16 +05:30
|
|
|
case responseTypeCode, responseTypeIDToken, responseTypeToken:
|
2016-08-20 05:54:49 +05:30
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("unsupported response_type %q", respType)
|
|
|
|
}
|
|
|
|
supported[respType] = true
|
|
|
|
}
|
2016-07-26 01:30:28 +05:30
|
|
|
|
2021-03-22 16:15:17 +05:30
|
|
|
webFS := web.FS()
|
|
|
|
if c.Web.Dir != "" {
|
|
|
|
webFS = os.DirFS(c.Web.Dir)
|
|
|
|
} else if c.Web.WebFS != nil {
|
|
|
|
webFS = c.Web.WebFS
|
|
|
|
}
|
|
|
|
|
2020-10-15 20:20:39 +05:30
|
|
|
web := webConfig{
|
2021-03-22 16:15:17 +05:30
|
|
|
webFS: webFS,
|
2020-10-15 20:20:39 +05:30
|
|
|
logoURL: c.Web.LogoURL,
|
|
|
|
issuerURL: c.Issuer,
|
|
|
|
issuer: c.Web.Issuer,
|
|
|
|
theme: c.Web.Theme,
|
|
|
|
extra: c.Web.Extra,
|
2020-10-15 06:49:23 +05:30
|
|
|
}
|
|
|
|
|
2020-10-15 20:20:39 +05:30
|
|
|
static, theme, tmpls, err := loadWebConfig(web)
|
2016-08-26 01:40:19 +05:30
|
|
|
if err != nil {
|
2020-10-15 20:20:39 +05:30
|
|
|
return nil, fmt.Errorf("server: failed to load web static: %v", err)
|
2016-08-26 01:40:19 +05:30
|
|
|
}
|
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
now := c.Now
|
|
|
|
if now == nil {
|
|
|
|
now = time.Now
|
|
|
|
}
|
|
|
|
|
|
|
|
s := &Server{
|
2017-01-14 14:48:48 +05:30
|
|
|
issuerURL: *issuerURL,
|
|
|
|
connectors: make(map[string]Connector),
|
|
|
|
storage: newKeyCacher(c.Storage, now),
|
|
|
|
supportedResponseTypes: supported,
|
|
|
|
idTokensValidFor: value(c.IDTokensValidFor, 24*time.Hour),
|
2018-12-13 16:10:58 +05:30
|
|
|
authRequestsValidFor: value(c.AuthRequestsValidFor, 24*time.Hour),
|
2020-01-29 00:44:30 +05:30
|
|
|
deviceRequestsValidFor: value(c.DeviceRequestsValidFor, 5*time.Minute),
|
2020-10-28 11:56:34 +05:30
|
|
|
refreshTokenPolicy: c.RefreshTokenPolicy,
|
2017-01-14 14:48:48 +05:30
|
|
|
skipApproval: c.SkipApprovalScreen,
|
2019-08-06 22:48:46 +05:30
|
|
|
alwaysShowLogin: c.AlwaysShowLoginScreen,
|
2017-01-14 14:48:48 +05:30
|
|
|
now: now,
|
|
|
|
templates: tmpls,
|
2018-01-03 08:45:01 +05:30
|
|
|
passwordConnector: c.PasswordConnector,
|
2017-01-14 14:48:48 +05:30
|
|
|
logger: c.Logger,
|
2016-07-26 01:30:28 +05:30
|
|
|
}
|
|
|
|
|
2017-04-18 04:11:41 +05:30
|
|
|
// Retrieves connector objects in backend storage. This list includes the static connectors
|
|
|
|
// defined in the ConfigMap and dynamic connectors retrieved from the storage.
|
|
|
|
storageConnectors, err := c.Storage.ListConnectors()
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("server: failed to list connector objects from storage: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(storageConnectors) == 0 && len(s.connectors) == 0 {
|
|
|
|
return nil, errors.New("server: no connectors specified")
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, conn := range storageConnectors {
|
|
|
|
if _, err := s.OpenConnector(conn); err != nil {
|
|
|
|
return nil, fmt.Errorf("server: Failed to open connector %s: %v", conn.ID, err)
|
|
|
|
}
|
2016-07-26 01:30:28 +05:30
|
|
|
}
|
|
|
|
|
2021-01-15 20:52:38 +05:30
|
|
|
instrumentHandlerCounter := func(_ string, handler http.Handler) http.HandlerFunc {
|
|
|
|
return handler.ServeHTTP
|
2017-12-20 20:33:32 +05:30
|
|
|
}
|
|
|
|
|
2018-02-21 21:53:50 +05:30
|
|
|
if c.PrometheusRegistry != nil {
|
|
|
|
requestCounter := prometheus.NewCounterVec(prometheus.CounterOpts{
|
|
|
|
Name: "http_requests_total",
|
|
|
|
Help: "Count of all HTTP requests.",
|
|
|
|
}, []string{"handler", "code", "method"})
|
|
|
|
|
|
|
|
err = c.PrometheusRegistry.Register(requestCounter)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("server: Failed to register Prometheus HTTP metrics: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
instrumentHandlerCounter = func(handlerName string, handler http.Handler) http.HandlerFunc {
|
2021-01-15 20:52:38 +05:30
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2018-02-21 21:53:50 +05:30
|
|
|
m := httpsnoop.CaptureMetrics(handler, w, r)
|
|
|
|
requestCounter.With(prometheus.Labels{"handler": handlerName, "code": strconv.Itoa(m.Code), "method": r.Method}).Inc()
|
2021-01-15 20:52:38 +05:30
|
|
|
}
|
2018-02-21 21:53:50 +05:30
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
r := mux.NewRouter()
|
2019-02-04 23:15:13 +05:30
|
|
|
handle := func(p string, h http.Handler) {
|
|
|
|
r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
|
|
|
|
}
|
2016-07-26 01:30:28 +05:30
|
|
|
handleFunc := func(p string, h http.HandlerFunc) {
|
2019-02-04 23:15:13 +05:30
|
|
|
handle(p, h)
|
2016-07-26 01:30:28 +05:30
|
|
|
}
|
2016-12-01 03:56:54 +05:30
|
|
|
handlePrefix := func(p string, h http.Handler) {
|
|
|
|
prefix := path.Join(issuerURL.Path, p)
|
|
|
|
r.PathPrefix(prefix).Handler(http.StripPrefix(prefix, h))
|
|
|
|
}
|
2017-01-14 14:48:48 +05:30
|
|
|
handleWithCORS := func(p string, h http.HandlerFunc) {
|
|
|
|
var handler http.Handler = h
|
|
|
|
if len(c.AllowedOrigins) > 0 {
|
2020-10-05 19:23:48 +05:30
|
|
|
allowedHeaders := []string{
|
|
|
|
"Authorization",
|
|
|
|
}
|
|
|
|
cors := handlers.CORS(
|
|
|
|
handlers.AllowedOrigins(c.AllowedOrigins),
|
|
|
|
handlers.AllowedHeaders(allowedHeaders),
|
|
|
|
)
|
|
|
|
handler = cors(handler)
|
2017-01-14 14:48:48 +05:30
|
|
|
}
|
2019-04-20 02:45:32 +05:30
|
|
|
r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, handler))
|
2017-01-14 14:48:48 +05:30
|
|
|
}
|
2020-10-18 03:24:27 +05:30
|
|
|
r.NotFoundHandler = http.NotFoundHandler()
|
2016-07-26 01:30:28 +05:30
|
|
|
|
2016-08-26 04:48:09 +05:30
|
|
|
discoveryHandler, err := s.discoveryHandler()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-01-14 14:48:48 +05:30
|
|
|
handleWithCORS("/.well-known/openid-configuration", discoveryHandler)
|
2016-08-26 04:48:09 +05:30
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
// TODO(ericchiang): rate limit certain paths based on IP.
|
2017-01-14 14:48:48 +05:30
|
|
|
handleWithCORS("/token", s.handleToken)
|
|
|
|
handleWithCORS("/keys", s.handlePublicKeys)
|
2019-05-27 12:47:39 +05:30
|
|
|
handleWithCORS("/userinfo", s.handleUserInfo)
|
2016-07-26 01:30:28 +05:30
|
|
|
handleFunc("/auth", s.handleAuthorization)
|
|
|
|
handleFunc("/auth/{connector}", s.handleConnectorLogin)
|
2020-01-29 00:44:30 +05:30
|
|
|
handleFunc("/device", s.handleDeviceExchange)
|
|
|
|
handleFunc("/device/auth/verify_code", s.verifyUserCode)
|
2020-01-16 21:25:07 +05:30
|
|
|
handleFunc("/device/code", s.handleDeviceCode)
|
2021-02-24 18:44:28 +05:30
|
|
|
// TODO(nabokihms): "/device/token" endpoint is deprecated, consider using /token endpoint instead
|
2021-02-25 13:23:25 +05:30
|
|
|
handleFunc("/device/token", s.handleDeviceTokenDeprecated)
|
2020-05-14 01:08:43 +05:30
|
|
|
handleFunc(deviceCallbackURI, s.handleDeviceCallback)
|
2017-10-26 22:30:43 +05:30
|
|
|
r.HandleFunc(path.Join(issuerURL.Path, "/callback"), func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
// Strip the X-Remote-* headers to prevent security issues on
|
|
|
|
// misconfigured authproxy connector setups.
|
|
|
|
for key := range r.Header {
|
|
|
|
if strings.HasPrefix(strings.ToLower(key), "x-remote-") {
|
|
|
|
r.Header.Del(key)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
s.handleConnectorCallback(w, r)
|
|
|
|
})
|
2017-10-21 20:24:54 +05:30
|
|
|
// For easier connector-specific web server configuration, e.g. for the
|
|
|
|
// "authproxy" connector.
|
|
|
|
handleFunc("/callback/{connector}", s.handleConnectorCallback)
|
2016-07-26 01:30:28 +05:30
|
|
|
handleFunc("/approval", s.handleApproval)
|
2021-02-11 05:33:25 +05:30
|
|
|
handle("/healthz", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if !c.HealthChecker.IsHealthy() {
|
|
|
|
s.renderError(r, w, http.StatusInternalServerError, "Health check failed.")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
fmt.Fprintf(w, "Health check passed")
|
|
|
|
}))
|
2020-10-15 06:49:23 +05:30
|
|
|
|
2020-10-15 20:20:39 +05:30
|
|
|
handlePrefix("/static", static)
|
|
|
|
handlePrefix("/theme", theme)
|
2016-07-26 01:30:28 +05:30
|
|
|
s.mux = r
|
|
|
|
|
2016-12-13 04:24:01 +05:30
|
|
|
s.startKeyRotation(ctx, rotationStrategy, now)
|
|
|
|
s.startGarbageCollection(ctx, value(c.GCFrequency, 5*time.Minute), now)
|
2016-10-13 07:21:32 +05:30
|
|
|
|
2016-07-26 01:30:28 +05:30
|
|
|
return s, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
s.mux.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Server) absPath(pathItems ...string) string {
|
|
|
|
paths := make([]string, len(pathItems)+1)
|
|
|
|
paths[0] = s.issuerURL.Path
|
|
|
|
copy(paths[1:], pathItems)
|
|
|
|
return path.Join(paths...)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Server) absURL(pathItems ...string) string {
|
|
|
|
u := s.issuerURL
|
|
|
|
u.Path = s.absPath(pathItems...)
|
|
|
|
return u.String()
|
|
|
|
}
|
2016-08-11 09:21:58 +05:30
|
|
|
|
2016-10-06 05:08:20 +05:30
|
|
|
func newPasswordDB(s storage.Storage) interface {
|
|
|
|
connector.Connector
|
|
|
|
connector.PasswordConnector
|
|
|
|
} {
|
|
|
|
return passwordDB{s}
|
|
|
|
}
|
|
|
|
|
|
|
|
type passwordDB struct {
|
|
|
|
s storage.Storage
|
|
|
|
}
|
|
|
|
|
2016-11-19 03:10:41 +05:30
|
|
|
func (db passwordDB) Login(ctx context.Context, s connector.Scopes, email, password string) (connector.Identity, bool, error) {
|
2016-10-06 05:08:20 +05:30
|
|
|
p, err := db.s.GetPassword(email)
|
|
|
|
if err != nil {
|
|
|
|
if err != storage.ErrNotFound {
|
2016-12-13 04:24:01 +05:30
|
|
|
return connector.Identity{}, false, fmt.Errorf("get password: %v", err)
|
2016-10-06 05:08:20 +05:30
|
|
|
}
|
2016-11-02 02:33:22 +05:30
|
|
|
return connector.Identity{}, false, nil
|
2016-10-06 05:08:20 +05:30
|
|
|
}
|
2017-08-18 03:16:07 +05:30
|
|
|
// This check prevents dex users from logging in using static passwords
|
|
|
|
// configured with hash costs that are too high or low.
|
|
|
|
if err := checkCost(p.Hash); err != nil {
|
2017-07-26 02:56:47 +05:30
|
|
|
return connector.Identity{}, false, err
|
2016-10-06 05:08:20 +05:30
|
|
|
}
|
2017-08-18 03:16:07 +05:30
|
|
|
if err := bcrypt.CompareHashAndPassword(p.Hash, []byte(password)); err != nil {
|
|
|
|
return connector.Identity{}, false, nil
|
|
|
|
}
|
2016-10-06 05:08:20 +05:30
|
|
|
return connector.Identity{
|
|
|
|
UserID: p.UserID,
|
|
|
|
Username: p.Username,
|
|
|
|
Email: p.Email,
|
|
|
|
EmailVerified: true,
|
|
|
|
}, true, nil
|
|
|
|
}
|
|
|
|
|
2016-11-19 03:10:41 +05:30
|
|
|
func (db passwordDB) Refresh(ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
|
|
|
|
// If the user has been deleted, the refresh token will be rejected.
|
|
|
|
p, err := db.s.GetPassword(identity.Email)
|
|
|
|
if err != nil {
|
|
|
|
if err == storage.ErrNotFound {
|
|
|
|
return connector.Identity{}, errors.New("user not found")
|
|
|
|
}
|
|
|
|
return connector.Identity{}, fmt.Errorf("get password: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// User removed but a new user with the same email exists.
|
|
|
|
if p.UserID != identity.UserID {
|
|
|
|
return connector.Identity{}, errors.New("user not found")
|
|
|
|
}
|
|
|
|
|
|
|
|
// If a user has updated their username, that will be reflected in the
|
|
|
|
// refreshed token.
|
|
|
|
//
|
|
|
|
// No other fields are expected to be refreshable as email is effectively used
|
|
|
|
// as an ID and this implementation doesn't deal with groups.
|
|
|
|
identity.Username = p.Username
|
|
|
|
|
|
|
|
return identity, nil
|
|
|
|
}
|
|
|
|
|
2017-11-07 14:58:21 +05:30
|
|
|
func (db passwordDB) Prompt() string {
|
|
|
|
return "Email Address"
|
|
|
|
}
|
|
|
|
|
2016-08-11 09:21:58 +05:30
|
|
|
// newKeyCacher returns a storage which caches keys so long as the next
|
|
|
|
func newKeyCacher(s storage.Storage, now func() time.Time) storage.Storage {
|
|
|
|
if now == nil {
|
|
|
|
now = time.Now
|
|
|
|
}
|
|
|
|
return &keyCacher{Storage: s, now: now}
|
|
|
|
}
|
|
|
|
|
|
|
|
type keyCacher struct {
|
|
|
|
storage.Storage
|
|
|
|
|
|
|
|
now func() time.Time
|
|
|
|
keys atomic.Value // Always holds nil or type *storage.Keys.
|
|
|
|
}
|
|
|
|
|
|
|
|
func (k *keyCacher) GetKeys() (storage.Keys, error) {
|
|
|
|
keys, ok := k.keys.Load().(*storage.Keys)
|
|
|
|
if ok && keys != nil && k.now().Before(keys.NextRotation) {
|
|
|
|
return *keys, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
storageKeys, err := k.Storage.GetKeys()
|
|
|
|
if err != nil {
|
|
|
|
return storageKeys, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if k.now().Before(storageKeys.NextRotation) {
|
|
|
|
k.keys.Store(&storageKeys)
|
|
|
|
}
|
|
|
|
return storageKeys, nil
|
|
|
|
}
|
2016-10-13 07:21:32 +05:30
|
|
|
|
2016-12-13 04:24:01 +05:30
|
|
|
func (s *Server) startGarbageCollection(ctx context.Context, frequency time.Duration, now func() time.Time) {
|
2016-10-13 07:21:32 +05:30
|
|
|
go func() {
|
|
|
|
for {
|
|
|
|
select {
|
|
|
|
case <-ctx.Done():
|
|
|
|
return
|
|
|
|
case <-time.After(frequency):
|
2016-12-13 04:24:01 +05:30
|
|
|
if r, err := s.storage.GarbageCollect(now()); err != nil {
|
|
|
|
s.logger.Errorf("garbage collection failed: %v", err)
|
2021-01-11 14:03:10 +05:30
|
|
|
} else if !r.IsEmpty() {
|
|
|
|
s.logger.Infof("garbage collection run, delete auth requests=%d, auth codes=%d, device requests=%d, device tokens=%d",
|
2020-01-16 21:25:07 +05:30
|
|
|
r.AuthRequests, r.AuthCodes, r.DeviceRequests, r.DeviceTokens)
|
2016-10-13 07:21:32 +05:30
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
}
|
2017-04-18 04:11:41 +05:30
|
|
|
|
|
|
|
// ConnectorConfig is a configuration that can open a connector.
|
|
|
|
type ConnectorConfig interface {
|
2019-02-22 17:49:23 +05:30
|
|
|
Open(id string, logger log.Logger) (connector.Connector, error)
|
2017-04-18 04:11:41 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
// ConnectorsConfig variable provides an easy way to return a config struct
|
|
|
|
// depending on the connector type.
|
|
|
|
var ConnectorsConfig = map[string]func() ConnectorConfig{
|
2018-11-27 15:58:46 +05:30
|
|
|
"keystone": func() ConnectorConfig { return new(keystone.Config) },
|
2018-10-04 21:59:36 +05:30
|
|
|
"mockCallback": func() ConnectorConfig { return new(mock.CallbackConfig) },
|
|
|
|
"mockPassword": func() ConnectorConfig { return new(mock.PasswordConfig) },
|
|
|
|
"ldap": func() ConnectorConfig { return new(ldap.Config) },
|
2020-05-26 17:24:40 +05:30
|
|
|
"gitea": func() ConnectorConfig { return new(gitea.Config) },
|
2018-10-04 21:59:36 +05:30
|
|
|
"github": func() ConnectorConfig { return new(github.Config) },
|
|
|
|
"gitlab": func() ConnectorConfig { return new(gitlab.Config) },
|
2018-02-03 17:22:46 +05:30
|
|
|
"google": func() ConnectorConfig { return new(google.Config) },
|
2018-10-04 21:59:36 +05:30
|
|
|
"oidc": func() ConnectorConfig { return new(oidc.Config) },
|
|
|
|
"saml": func() ConnectorConfig { return new(saml.Config) },
|
|
|
|
"authproxy": func() ConnectorConfig { return new(authproxy.Config) },
|
|
|
|
"linkedin": func() ConnectorConfig { return new(linkedin.Config) },
|
|
|
|
"microsoft": func() ConnectorConfig { return new(microsoft.Config) },
|
|
|
|
"bitbucket-cloud": func() ConnectorConfig { return new(bitbucketcloud.Config) },
|
2019-12-10 19:21:09 +05:30
|
|
|
"openshift": func() ConnectorConfig { return new(openshift.Config) },
|
2019-08-09 18:35:50 +05:30
|
|
|
"atlassian-crowd": func() ConnectorConfig { return new(atlassiancrowd.Config) },
|
2017-04-18 04:11:41 +05:30
|
|
|
// Keep around for backwards compatibility.
|
|
|
|
"samlExperimental": func() ConnectorConfig { return new(saml.Config) },
|
|
|
|
}
|
|
|
|
|
|
|
|
// openConnector will parse the connector config and open the connector.
|
2019-02-22 17:49:23 +05:30
|
|
|
func openConnector(logger log.Logger, conn storage.Connector) (connector.Connector, error) {
|
2017-04-18 04:11:41 +05:30
|
|
|
var c connector.Connector
|
|
|
|
|
|
|
|
f, ok := ConnectorsConfig[conn.Type]
|
|
|
|
if !ok {
|
2018-12-13 16:52:53 +05:30
|
|
|
return c, fmt.Errorf("unknown connector type %q", conn.Type)
|
2017-04-18 04:11:41 +05:30
|
|
|
}
|
|
|
|
|
|
|
|
connConfig := f()
|
|
|
|
if len(conn.Config) != 0 {
|
|
|
|
data := []byte(string(conn.Config))
|
|
|
|
if err := json.Unmarshal(data, connConfig); err != nil {
|
|
|
|
return c, fmt.Errorf("parse connector config: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-10-21 20:24:54 +05:30
|
|
|
c, err := connConfig.Open(conn.ID, logger)
|
2017-04-18 04:11:41 +05:30
|
|
|
if err != nil {
|
|
|
|
return c, fmt.Errorf("failed to create connector %s: %v", conn.ID, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return c, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// OpenConnector updates server connector map with specified connector object.
|
|
|
|
func (s *Server) OpenConnector(conn storage.Connector) (Connector, error) {
|
|
|
|
var c connector.Connector
|
|
|
|
|
|
|
|
if conn.Type == LocalConnector {
|
|
|
|
c = newPasswordDB(s.storage)
|
|
|
|
} else {
|
|
|
|
var err error
|
2019-02-23 01:56:30 +05:30
|
|
|
c, err = openConnector(s.logger, conn)
|
2017-04-18 04:11:41 +05:30
|
|
|
if err != nil {
|
|
|
|
return Connector{}, fmt.Errorf("failed to open connector: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
connector := Connector{
|
|
|
|
ResourceVersion: conn.ResourceVersion,
|
|
|
|
Connector: c,
|
|
|
|
}
|
|
|
|
s.mu.Lock()
|
|
|
|
s.connectors[conn.ID] = connector
|
|
|
|
s.mu.Unlock()
|
|
|
|
|
|
|
|
return connector, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// getConnector retrieves the connector object with the given id from the storage
|
|
|
|
// and updates the connector list for server if necessary.
|
|
|
|
func (s *Server) getConnector(id string) (Connector, error) {
|
|
|
|
storageConnector, err := s.storage.GetConnector(id)
|
|
|
|
if err != nil {
|
|
|
|
return Connector{}, fmt.Errorf("failed to get connector object from storage: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var conn Connector
|
|
|
|
var ok bool
|
|
|
|
s.mu.Lock()
|
|
|
|
conn, ok = s.connectors[id]
|
|
|
|
s.mu.Unlock()
|
|
|
|
|
|
|
|
if !ok || storageConnector.ResourceVersion != conn.ResourceVersion {
|
|
|
|
// Connector object does not exist in server connectors map or
|
|
|
|
// has been updated in the storage. Need to get latest.
|
|
|
|
conn, err := s.OpenConnector(storageConnector)
|
|
|
|
if err != nil {
|
|
|
|
return Connector{}, fmt.Errorf("failed to open connector: %v", err)
|
|
|
|
}
|
|
|
|
return conn, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return conn, nil
|
|
|
|
}
|