You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
377 lines
10 KiB
Go
377 lines
10 KiB
Go
/*
|
|
Copyright 2020-2023 CAcert Inc.
|
|
SPDX-License-Identifier: Apache-2.0
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
https://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package handlers
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/x509"
|
|
"errors"
|
|
"fmt"
|
|
"html/template"
|
|
"net/http"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/gorilla/csrf"
|
|
"github.com/nicksnyder/go-i18n/v2/i18n"
|
|
"github.com/ory/hydra-client-go/client/admin"
|
|
hydra "github.com/ory/hydra-client-go/models"
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
"code.cacert.org/cacert/oidc-idp/internal/services"
|
|
"code.cacert.org/cacert/oidc-idp/ui"
|
|
)
|
|
|
|
type acrType string
|
|
|
|
const (
|
|
ClientCertificate acrType = "cert" // client certificate login
|
|
// ClientCertificateOTP acrType = "cert+otp"
|
|
// ClientCertificateToken acrType = "cert+token"
|
|
)
|
|
|
|
type templateName string
|
|
|
|
const (
|
|
CertificateLogin templateName = "cert"
|
|
NoEmailsInClientCertificate templateName = "no_emails"
|
|
NoChallengeInRequest templateName = "no_challenge"
|
|
)
|
|
|
|
const TimeoutTen = 10 * time.Second
|
|
|
|
type LoginHandler struct {
|
|
adminClient admin.ClientService
|
|
bundle *i18n.Bundle
|
|
logger *log.Logger
|
|
templates map[templateName]*template.Template
|
|
messageCatalog *services.MessageCatalog
|
|
}
|
|
|
|
func (h *LoginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet && r.Method != http.MethodPost {
|
|
http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
|
|
|
|
return
|
|
}
|
|
|
|
accept := r.Header.Get("Accept-Language")
|
|
localizer := i18n.NewLocalizer(h.bundle, accept)
|
|
|
|
challenge := r.URL.Query().Get("login_challenge")
|
|
|
|
if challenge == "" {
|
|
h.renderNoChallengeInRequest(w, localizer)
|
|
|
|
return
|
|
}
|
|
|
|
h.logger.WithField("challenge", challenge).Debug("received login challenge")
|
|
|
|
certEmails := h.getEmailAddressesFromClientCertificate(r)
|
|
|
|
if certEmails == nil {
|
|
h.renderNoEmailsInClientCertificate(w, localizer)
|
|
|
|
return
|
|
}
|
|
|
|
if r.Method == http.MethodGet {
|
|
h.handleGet(w, r, challenge, certEmails, localizer)
|
|
} else {
|
|
h.handlePost(w, r, challenge, certEmails, localizer)
|
|
}
|
|
}
|
|
|
|
func (h *LoginHandler) handleGet(
|
|
w http.ResponseWriter,
|
|
r *http.Request,
|
|
challenge string,
|
|
certEmails []string,
|
|
localizer *i18n.Localizer,
|
|
) {
|
|
loginRequest, err := h.adminClient.GetLoginRequest(admin.NewGetLoginRequestParams().WithLoginChallenge(challenge))
|
|
if err != nil {
|
|
h.logger.WithError(err).WithField(
|
|
"challenge", challenge,
|
|
).Warn("could not get login request for challenge")
|
|
|
|
var notFound *admin.GetLoginRequestNotFound
|
|
|
|
if errors.As(err, ¬Found) {
|
|
w.WriteHeader(http.StatusNotFound)
|
|
|
|
http.Error(w, notFound.GetPayload().ErrorDescription, http.StatusNotFound)
|
|
|
|
return
|
|
}
|
|
|
|
var gone *admin.GetLoginRequestGone
|
|
|
|
if errors.As(err, &gone) {
|
|
w.Header().Set("Location", *gone.GetPayload().RedirectTo)
|
|
w.WriteHeader(http.StatusGone)
|
|
|
|
return
|
|
}
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
}
|
|
|
|
h.renderRequestForClientCert(w, r, certEmails, localizer, loginRequest)
|
|
}
|
|
|
|
func (h *LoginHandler) handlePost(
|
|
w http.ResponseWriter,
|
|
r *http.Request,
|
|
challenge string,
|
|
certEmails []string,
|
|
localizer *i18n.Localizer,
|
|
) {
|
|
if r.FormValue("use-identity") != "accept" {
|
|
h.rejectLogin(w, challenge, localizer)
|
|
|
|
return
|
|
}
|
|
|
|
// perform certificate auth
|
|
h.logger.WithField("emails", certEmails).Info("will perform certificate authentication")
|
|
|
|
userID, err := h.performCertificateLogin(certEmails, r)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
}
|
|
|
|
// finish login and redirect to target
|
|
loginRequest, err := h.adminClient.AcceptLoginRequest(
|
|
admin.NewAcceptLoginRequestParams().WithLoginChallenge(challenge).WithBody(
|
|
&hydra.AcceptLoginRequest{
|
|
Acr: string(ClientCertificate),
|
|
Remember: true,
|
|
RememberFor: 0,
|
|
Subject: &userID,
|
|
}).WithTimeout(TimeoutTen))
|
|
if err != nil {
|
|
h.logger.WithError(err).Error("error getting login request")
|
|
|
|
h.fillAcceptLoginRequestErrorBucket(r, err)
|
|
|
|
return
|
|
}
|
|
|
|
w.Header().Add("Location", *loginRequest.GetPayload().RedirectTo)
|
|
w.WriteHeader(http.StatusFound)
|
|
}
|
|
|
|
func (h *LoginHandler) fillAcceptLoginRequestErrorBucket(r *http.Request, err error) {
|
|
if errorBucket := GetErrorBucket(r); errorBucket != nil {
|
|
var (
|
|
errorDetails *ErrorDetails
|
|
acceptLoginRequestNotFound *admin.AcceptLoginRequestNotFound
|
|
)
|
|
|
|
if errors.As(err, &acceptLoginRequestNotFound) {
|
|
payload := acceptLoginRequestNotFound.GetPayload()
|
|
errorDetails = &ErrorDetails{
|
|
ErrorMessage: payload.Error,
|
|
ErrorDetails: []string{payload.ErrorDescription},
|
|
}
|
|
|
|
if acceptLoginRequestNotFound.Payload.StatusCode != 0 {
|
|
errorDetails.ErrorCode = strconv.Itoa(int(payload.StatusCode))
|
|
}
|
|
} else {
|
|
errorDetails = &ErrorDetails{
|
|
ErrorMessage: "could not accept login",
|
|
ErrorDetails: []string{err.Error()},
|
|
}
|
|
}
|
|
|
|
errorBucket.AddError(errorDetails)
|
|
}
|
|
}
|
|
|
|
func (h *LoginHandler) rejectLogin(w http.ResponseWriter, challenge string, localizer *i18n.Localizer) {
|
|
const Ten = 10 * time.Second
|
|
|
|
rejectLoginRequest, err := h.adminClient.RejectLoginRequest(
|
|
admin.NewRejectLoginRequestParams().WithLoginChallenge(challenge).WithBody(
|
|
&hydra.RejectRequest{
|
|
ErrorDescription: h.messageCatalog.LookupMessage("LoginDeniedByUser", nil, localizer),
|
|
ErrorHint: h.messageCatalog.LookupMessage("HintChooseAnIdentityForAuthentication", nil, localizer),
|
|
StatusCode: http.StatusForbidden,
|
|
},
|
|
).WithTimeout(Ten))
|
|
if err != nil {
|
|
h.logger.WithError(err).Error("error getting reject login request")
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Location", *rejectLoginRequest.GetPayload().RedirectTo)
|
|
w.WriteHeader(http.StatusFound)
|
|
}
|
|
|
|
func (h *LoginHandler) getEmailAddressesFromClientCertificate(r *http.Request) []string {
|
|
if r.TLS != nil && r.TLS.PeerCertificates != nil && len(r.TLS.PeerCertificates) > 0 {
|
|
firstCert := r.TLS.PeerCertificates[0]
|
|
|
|
if !isClientCertificate(firstCert) {
|
|
return nil
|
|
}
|
|
|
|
for _, email := range firstCert.EmailAddresses {
|
|
h.logger.WithField(
|
|
"email", email,
|
|
).Info("authenticated with a client certificate for email address")
|
|
}
|
|
|
|
return firstCert.EmailAddresses
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func isClientCertificate(cert *x509.Certificate) bool {
|
|
for _, ext := range cert.ExtKeyUsage {
|
|
if ext == x509.ExtKeyUsageClientAuth {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (h *LoginHandler) renderRequestForClientCert(
|
|
w http.ResponseWriter,
|
|
r *http.Request,
|
|
emails []string,
|
|
localizer *i18n.Localizer,
|
|
loginRequest *admin.GetLoginRequestOK,
|
|
) {
|
|
msg := h.messageCatalog.LookupMessage
|
|
msgPlural := h.messageCatalog.LookupMessagePlural
|
|
msgMarkdown := h.messageCatalog.LookupMarkdownMessage
|
|
|
|
rendered := bytes.NewBuffer(make([]byte, 0))
|
|
|
|
err := h.templates[CertificateLogin].Lookup("base").Execute(rendered, map[string]interface{}{
|
|
"Title": msg("LoginTitle", nil, localizer),
|
|
csrf.TemplateTag: csrf.TemplateField(r),
|
|
"IntroText": template.HTML(msgMarkdown( //nolint:gosec
|
|
"CertLoginIntroText",
|
|
map[string]interface{}{"ClientName": loginRequest.GetPayload().Client.ClientName},
|
|
localizer,
|
|
)),
|
|
"EmailChoiceText": msgPlural("EmailChoiceText", nil, localizer, len(emails)),
|
|
"emails": emails,
|
|
"RequestText": msg("CertLoginRequestText", nil, localizer),
|
|
"AcceptLabel": msg("LabelAcceptCertLogin", nil, localizer),
|
|
"RejectLabel": msg("LabelRejectCertLogin", nil, localizer),
|
|
})
|
|
if err != nil {
|
|
h.logger.WithError(err).Error("template rendering failed")
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
}
|
|
|
|
w.Header().Add("Pragma", "no-cache")
|
|
w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
|
|
_, _ = w.Write(rendered.Bytes())
|
|
}
|
|
|
|
func (h *LoginHandler) performCertificateLogin(emails []string, r *http.Request) (string, error) {
|
|
requestedEmail := r.PostFormValue("email")
|
|
for _, email := range emails {
|
|
if email == requestedEmail {
|
|
return email, nil
|
|
}
|
|
}
|
|
|
|
return "", fmt.Errorf("no user found")
|
|
}
|
|
|
|
func (h *LoginHandler) renderNoEmailsInClientCertificate(w http.ResponseWriter, localizer *i18n.Localizer) {
|
|
msg := h.messageCatalog.LookupMessage
|
|
|
|
err := h.templates[NoEmailsInClientCertificate].Lookup("base").Execute(w, map[string]interface{}{
|
|
"Title": msg("NoEmailsInClientCertificateTitle", nil, localizer),
|
|
"Explanation": msg("NoEmailsInClientCertificateExplanation", nil, localizer),
|
|
})
|
|
if err != nil {
|
|
h.logger.WithError(err).Error("template rendering failed")
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
}
|
|
}
|
|
|
|
func (h *LoginHandler) renderNoChallengeInRequest(w http.ResponseWriter, localizer *i18n.Localizer) {
|
|
err := h.templates[NoChallengeInRequest].Lookup("base").Execute(w, map[string]interface{}{
|
|
"Title": h.messageCatalog.LookupMessage("NoChallengeInRequestTitle", nil, localizer),
|
|
"Explanation": template.HTML(h.messageCatalog.LookupMarkdownMessage( //nolint:gosec
|
|
"NoChallengeInRequestExplanation",
|
|
nil,
|
|
localizer,
|
|
)),
|
|
})
|
|
if err != nil {
|
|
h.logger.WithError(err).Error("template rendering failed")
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
}
|
|
}
|
|
|
|
func NewLoginHandler(
|
|
logger *log.Logger,
|
|
bundle *i18n.Bundle,
|
|
messageCatalog *services.MessageCatalog,
|
|
adminClient admin.ClientService,
|
|
) *LoginHandler {
|
|
return &LoginHandler{
|
|
adminClient: adminClient,
|
|
bundle: bundle,
|
|
logger: logger,
|
|
templates: map[templateName]*template.Template{
|
|
CertificateLogin: template.Must(template.ParseFS(
|
|
ui.Templates,
|
|
"templates/base.gohtml",
|
|
"templates/client_certificate.gohtml",
|
|
)),
|
|
NoEmailsInClientCertificate: template.Must(template.ParseFS(
|
|
ui.Templates,
|
|
"templates/base.gohtml",
|
|
"templates/no_email_in_client_certificate.gohtml",
|
|
)),
|
|
NoChallengeInRequest: template.Must(template.ParseFS(
|
|
ui.Templates,
|
|
"templates/base.gohtml",
|
|
"templates/no_challenge_in_request.gohtml",
|
|
)),
|
|
},
|
|
messageCatalog: messageCatalog,
|
|
}
|
|
}
|