Home Explore Help
Register Sign In
Apq
/
sftpgo
mirror of https://github.com/drakkan/sftpgo.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 354fc9b3d6
Branches Tags
sftpgo
/
internal
/
httpd
/
oidc.go

oidc.go 26 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808 
  1. // Copyright (C) 2019-2023 Nicola Murino
    2. 

  2. //
    3. 

  3. // This program is free software: you can redistribute it and/or modify
    4. 

  4. // it under the terms of the GNU Affero General Public License as published
    5. 

  5. // by the Free Software Foundation, version 3.
    6. 

  6. //
    7. 

  7. // This program is distributed in the hope that it will be useful,
    8. 

  8. // but WITHOUT ANY WARRANTY; without even the implied warranty of
    9. 

  9. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    10. 

  10. // GNU Affero General Public License for more details.
    11. 

  11. //
    12. 

  12. // You should have received a copy of the GNU Affero General Public License
    13. 

  13. // along with this program. If not, see <https://www.gnu.org/licenses/>.
    14. 

  14. 

  15. package httpd
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"fmt"
    21. 

  21. 	"net/http"
    22. 

  22. 	"net/url"
    23. 

  23. 	"strings"
    24. 

  24. 	"time"
    25. 

  25. 

  26. 	"github.com/coreos/go-oidc/v3/oidc"
    27. 

  27. 	"github.com/rs/xid"
    28. 

  28. 	"golang.org/x/oauth2"
    29. 

  29. 

  30. 	"github.com/drakkan/sftpgo/v2/internal/common"
    31. 

  31. 	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
    32. 

  32. 	"github.com/drakkan/sftpgo/v2/internal/httpclient"
    33. 

  33. 	"github.com/drakkan/sftpgo/v2/internal/logger"
    34. 

  34. 	"github.com/drakkan/sftpgo/v2/internal/util"
    35. 

  35. )
    36. 

  36. 

  37. const (
    38. 

  38. 	oidcCookieKey       = "oidc"
    39. 

  39. 	adminRoleFieldValue = "admin"
    40. 

  40. 	authStateValidity   = 1 * 60 * 1000   // 1 minute
    41. 

  41. 	tokenUpdateInterval = 3 * 60 * 1000   // 3 minutes
    42. 

  42. 	tokenDeleteInterval = 2 * 3600 * 1000 // 2 hours
    43. 

  43. )
    44. 

  44. 

  45. var (
    46. 

  46. 	oidcTokenKey       = &contextKey{"OIDC token key"}
    47. 

  47. 	oidcGeneratedToken = &contextKey{"OIDC generated token"}
    48. 

  48. )
    49. 

  49. 

  50. // OAuth2Config defines an interface for OAuth2 methods, so we can mock them
    51. 

  51. type OAuth2Config interface {
    52. 

  52. 	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
    53. 

  53. 	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
    54. 

  54. 	TokenSource(ctx context.Context, t *oauth2.Token) oauth2.TokenSource
    55. 

  55. }
    56. 

  56. 

  57. // OIDCTokenVerifier defines an interface for OpenID token verifier, so we can mock them
    58. 

  58. type OIDCTokenVerifier interface {
    59. 

  59. 	Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error)
    60. 

  60. }
    61. 

  61. 

  62. // OIDC defines the OpenID Connect configuration
    63. 

  63. type OIDC struct {
    64. 

  64. 	// ClientID is the application's ID
    65. 

  65. 	ClientID string `json:"client_id" mapstructure:"client_id"`
    66. 

  66. 	// ClientSecret is the application's secret
    67. 

  67. 	ClientSecret string `json:"client_secret" mapstructure:"client_secret"`
    68. 

  68. 	// ConfigURL is the identifier for the service.
    69. 

  69. 	// SFTPGo will try to retrieve the provider configuration on startup and then
    70. 

  70. 	// will refuse to start if it fails to connect to the specified URL
    71. 

  71. 	ConfigURL string `json:"config_url" mapstructure:"config_url"`
    72. 

  72. 	// RedirectBaseURL is the base URL to redirect to after OpenID authentication.
    73. 

  73. 	// The suffix "/web/oidc/redirect" will be added to this base URL, adding also the
    74. 

  74. 	// "web_root" if configured
    75. 

  75. 	RedirectBaseURL string `json:"redirect_base_url" mapstructure:"redirect_base_url"`
    76. 

  76. 	// ID token claims field to map to the SFTPGo username
    77. 

  77. 	UsernameField string `json:"username_field" mapstructure:"username_field"`
    78. 

  78. 	// Optional ID token claims field to map to a SFTPGo role.
    79. 

  79. 	// If the defined ID token claims field is set to "admin" the authenticated user
    80. 

  80. 	// is mapped to an SFTPGo admin.
    81. 

  81. 	// You don't need to specify this field if you want to use OpenID only for the
    82. 

  82. 	// Web Client UI
    83. 

  83. 	RoleField string `json:"role_field" mapstructure:"role_field"`
    84. 

  84. 	// If set, the `RoleField` is ignored and the SFTPGo role is assumed based on
    85. 

  85. 	// the login link used
    86. 

  86. 	ImplicitRoles bool `json:"implicit_roles" mapstructure:"implicit_roles"`
    87. 

  87. 	// Scopes required by the OAuth provider to retrieve information about the authenticated user.
    88. 

  88. 	// The "openid" scope is required.
    89. 

  89. 	// Refer to your OAuth provider documentation for more information about this
    90. 

  90. 	Scopes []string `json:"scopes" mapstructure:"scopes"`
    91. 

  91. 	// Custom token claims fields to pass to the pre-login hook
    92. 

  92. 	CustomFields []string `json:"custom_fields" mapstructure:"custom_fields"`
    93. 

  93. 	// InsecureSkipSignatureCheck causes SFTPGo to skip JWT signature validation.
    94. 

  94. 	// It's intended for special cases where providers, such as Azure, use the "none"
    95. 

  95. 	// algorithm. Skipping the signature validation can cause security issues
    96. 

  96. 	InsecureSkipSignatureCheck bool `json:"insecure_skip_signature_check" mapstructure:"insecure_skip_signature_check"`
    97. 

  97. 	// Debug enables the OIDC debug mode. In debug mode, the received id_token will be logged
    98. 

  98. 	// at the debug level
    99. 

  99. 	Debug             bool `json:"debug" mapstructure:"debug"`
    100. 

  100. 	provider          *oidc.Provider
    101. 

  101. 	verifier          OIDCTokenVerifier
    102. 

  102. 	providerLogoutURL string
    103. 

  103. 	oauth2Config      OAuth2Config
    104. 

  104. }
    105. 

  105. 

  106. func (o *OIDC) isEnabled() bool {
    107. 

  107. 	return o.provider != nil
    108. 

  108. }
    109. 

  109. 

  110. func (o *OIDC) hasRoles() bool {
    111. 

  111. 	return o.isEnabled() && (o.RoleField != "" || o.ImplicitRoles)
    112. 

  112. }
    113. 

  113. 

  114. func (o *OIDC) getForcedRole(audience string) string {
    115. 

  115. 	if !o.ImplicitRoles {
    116. 

  116. 		return ""
    117. 

  117. 	}
    118. 

  118. 	if audience == tokenAudienceWebAdmin {
    119. 

  119. 		return adminRoleFieldValue
    120. 

  120. 	}
    121. 

  121. 	return ""
    122. 

  122. }
    123. 

  123. 

  124. func (o *OIDC) getRedirectURL() string {
    125. 

  125. 	url := o.RedirectBaseURL
    126. 

  126. 	if strings.HasSuffix(o.RedirectBaseURL, "/") {
    127. 

  127. 		url = strings.TrimSuffix(o.RedirectBaseURL, "/")
    128. 

  128. 	}
    129. 

  129. 	url += webOIDCRedirectPath
    130. 

  130. 	logger.Debug(logSender, "", "oidc redirect URL: %q", url)
    131. 

  131. 	return url
    132. 

  132. }
    133. 

  133. 

  134. func (o *OIDC) initialize() error {
    135. 

  135. 	if o.ConfigURL == "" {
    136. 

  136. 		return nil
    137. 

  137. 	}
    138. 

  138. 	if o.UsernameField == "" {
    139. 

  139. 		return errors.New("oidc: username field cannot be empty")
    140. 

  140. 	}
    141. 

  141. 	if o.RedirectBaseURL == "" {
    142. 

  142. 		return errors.New("oidc: redirect base URL cannot be empty")
    143. 

  143. 	}
    144. 

  144. 	if !util.Contains(o.Scopes, oidc.ScopeOpenID) {
    145. 

  145. 		return fmt.Errorf("oidc: required scope %q is not set", oidc.ScopeOpenID)
    146. 

  146. 	}
    147. 

  147. 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
    148. 

  148. 	defer cancel()
    149. 

  149. 

  150. 	provider, err := oidc.NewProvider(ctx, o.ConfigURL)
    151. 

  151. 	if err != nil {
    152. 

  152. 		return fmt.Errorf("oidc: unable to initialize provider for URL %q: %w", o.ConfigURL, err)
    153. 

  153. 	}
    154. 

  154. 	claims := make(map[string]any)
    155. 

  155. 	// we cannot get an error here because the response body was already parsed as JSON
    156. 

  156. 	// on provider creation
    157. 

  157. 	provider.Claims(&claims) //nolint:errcheck
    158. 

  158. 	endSessionEndPoint, ok := claims["end_session_endpoint"]
    159. 

  159. 	if ok {
    160. 

  160. 		if val, ok := endSessionEndPoint.(string); ok {
    161. 

  161. 			o.providerLogoutURL = val
    162. 

  162. 			logger.Debug(logSender, "", "oidc end session endpoint %q", o.providerLogoutURL)
    163. 

  163. 		}
    164. 

  164. 	}
    165. 

  165. 	o.provider = provider
    166. 

  166. 	o.verifier = provider.Verifier(&oidc.Config{
    167. 

  167. 		ClientID:                   o.ClientID,
    168. 

  168. 		InsecureSkipSignatureCheck: o.InsecureSkipSignatureCheck,
    169. 

  169. 	})
    170. 

  170. 	o.oauth2Config = &oauth2.Config{
    171. 

  171. 		ClientID:     o.ClientID,
    172. 

  172. 		ClientSecret: o.ClientSecret,
    173. 

  173. 		Endpoint:     o.provider.Endpoint(),
    174. 

  174. 		RedirectURL:  o.getRedirectURL(),
    175. 

  175. 		Scopes:       o.Scopes,
    176. 

  176. 	}
    177. 

  177. 

  178. 	return nil
    179. 

  179. }
    180. 

  180. 

  181. type oidcPendingAuth struct {
    182. 

  182. 	State    string        `json:"state"`
    183. 

  183. 	Nonce    string        `json:"nonce"`
    184. 

  184. 	Audience tokenAudience `json:"audience"`
    185. 

  185. 	IssuedAt int64         `json:"issued_at"`
    186. 

  186. }
    187. 

  187. 

  188. func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {
    189. 

  189. 	return oidcPendingAuth{
    190. 

  190. 		State:    xid.New().String(),
    191. 

  191. 		Nonce:    xid.New().String(),
    192. 

  192. 		Audience: audience,
    193. 

  193. 		IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),
    194. 

  194. 	}
    195. 

  195. }
    196. 

  196. 

  197. type oidcToken struct {
    198. 

  198. 	AccessToken          string          `json:"access_token"`
    199. 

  199. 	TokenType            string          `json:"token_type,omitempty"`
    200. 

  200. 	RefreshToken         string          `json:"refresh_token,omitempty"`
    201. 

  201. 	ExpiresAt            int64           `json:"expires_at,omitempty"`
    202. 

  202. 	SessionID            string          `json:"session_id"`
    203. 

  203. 	IDToken              string          `json:"id_token"`
    204. 

  204. 	Nonce                string          `json:"nonce"`
    205. 

  205. 	Username             string          `json:"username"`
    206. 

  206. 	Permissions          []string        `json:"permissions"`
    207. 

  207. 	HideUserPageSections int             `json:"hide_user_page_sections,omitempty"`
    208. 

  208. 	TokenRole            string          `json:"token_role,omitempty"` // SFTPGo role name
    209. 

  209. 	Role                 any             `json:"role"`                 // oidc user role: SFTPGo user or admin
    210. 

  210. 	CustomFields         *map[string]any `json:"custom_fields,omitempty"`
    211. 

  211. 	Cookie               string          `json:"cookie"`
    212. 

  212. 	UsedAt               int64           `json:"used_at"`
    213. 

  213. }
    214. 

  214. 

  215. func (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField string, customFields []string,
    216. 

  216. 	forcedRole string,
    217. 

  217. ) error {
    218. 

  218. 	getClaimsFields := func() []string {
    219. 

  219. 		keys := make([]string, 0, len(claims))
    220. 

  220. 		for k := range claims {
    221. 

  221. 			keys = append(keys, k)
    222. 

  222. 		}
    223. 

  223. 		return keys
    224. 

  224. 	}
    225. 

  225. 

  226. 	var username string
    227. 

  227. 	val, ok := getOIDCFieldFromClaims(claims, usernameField)
    228. 

  228. 	if ok {
    229. 

  229. 		username, ok = val.(string)
    230. 

  230. 	}
    231. 

  231. 	if !ok || username == "" {
    232. 

  232. 		logger.Warn(logSender, "", "username field %q not found, empty or not a string, claims fields: %+v",
    233. 

  233. 			usernameField, getClaimsFields())
    234. 

  234. 		return errors.New("no username field")
    235. 

  235. 	}
    236. 

  236. 	t.Username = username
    237. 

  237. 	if forcedRole != "" {
    238. 

  238. 		t.Role = forcedRole
    239. 

  239. 	} else {
    240. 

  240. 		t.getRoleFromField(claims, roleField)
    241. 

  241. 	}
    242. 

  242. 	t.CustomFields = nil
    243. 

  243. 	if len(customFields) > 0 {
    244. 

  244. 		for _, field := range customFields {
    245. 

  245. 			if val, ok := getOIDCFieldFromClaims(claims, field); ok {
    246. 

  246. 				if t.CustomFields == nil {
    247. 

  247. 					customFields := make(map[string]any)
    248. 

  248. 					t.CustomFields = &customFields
    249. 

  249. 				}
    250. 

  250. 				logger.Debug(logSender, "", "custom field %q found in token claims", field)
    251. 

  251. 				(*t.CustomFields)[field] = val
    252. 

  252. 			} else {
    253. 

  253. 				logger.Info(logSender, "", "custom field %q not found in token claims", field)
    254. 

  254. 			}
    255. 

  255. 		}
    256. 

  256. 	}
    257. 

  257. 	sid, ok := claims["sid"].(string)
    258. 

  258. 	if ok {
    259. 

  259. 		t.SessionID = sid
    260. 

  260. 	}
    261. 

  261. 	return nil
    262. 

  262. }
    263. 

  263. 

  264. func (t *oidcToken) getRoleFromField(claims map[string]any, roleField string) {
    265. 

  265. 	role, ok := getOIDCFieldFromClaims(claims, roleField)
    266. 

  266. 	if ok {
    267. 

  267. 		t.Role = role
    268. 

  268. 	}
    269. 

  269. }
    270. 

  270. 

  271. func (t *oidcToken) isAdmin() bool {
    272. 

  272. 	switch v := t.Role.(type) {
    273. 

  273. 	case string:
    274. 

  274. 		return v == adminRoleFieldValue
    275. 

  275. 	case []any:
    276. 

  276. 		for _, s := range v {
    277. 

  277. 			if val, ok := s.(string); ok && val == adminRoleFieldValue {
    278. 

  278. 				return true
    279. 

  279. 			}
    280. 

  280. 		}
    281. 

  281. 		return false
    282. 

  282. 	default:
    283. 

  283. 		return false
    284. 

  284. 	}
    285. 

  285. }
    286. 

  286. 

  287. func (t *oidcToken) isExpired() bool {
    288. 

  288. 	if t.ExpiresAt == 0 {
    289. 

  289. 		return false
    290. 

  290. 	}
    291. 

  291. 	return t.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now())
    292. 

  292. }
    293. 

  293. 

  294. func (t *oidcToken) refresh(config OAuth2Config, verifier OIDCTokenVerifier, r *http.Request) error {
    295. 

  295. 	if t.RefreshToken == "" {
    296. 

  296. 		logger.Debug(logSender, "", "refresh token not set, unable to refresh cookie %q", t.Cookie)
    297. 

  297. 		return errors.New("refresh token not set")
    298. 

  298. 	}
    299. 

  299. 	oauth2Token := oauth2.Token{
    300. 

  300. 		AccessToken:  t.AccessToken,
    301. 

  301. 		TokenType:    t.TokenType,
    302. 

  302. 		RefreshToken: t.RefreshToken,
    303. 

  303. 	}
    304. 

  304. 	if t.ExpiresAt > 0 {
    305. 

  305. 		oauth2Token.Expiry = util.GetTimeFromMsecSinceEpoch(t.ExpiresAt)
    306. 

  306. 	}
    307. 

  307. 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
    308. 

  308. 	defer cancel()
    309. 

  309. 

  310. 	newToken, err := config.TokenSource(ctx, &oauth2Token).Token()
    311. 

  311. 	if err != nil {
    312. 

  312. 		logger.Debug(logSender, "", "unable to refresh token for cookie %q: %v", t.Cookie, err)
    313. 

  313. 		return err
    314. 

  314. 	}
    315. 

  315. 	rawIDToken, ok := newToken.Extra("id_token").(string)
    316. 

  316. 	if !ok {
    317. 

  317. 		logger.Debug(logSender, "", "the refreshed token has no id token, cookie %q", t.Cookie)
    318. 

  318. 		return errors.New("the refreshed token has no id token")
    319. 

  319. 	}
    320. 

  320. 

  321. 	t.AccessToken = newToken.AccessToken
    322. 

  322. 	t.TokenType = newToken.TokenType
    323. 

  323. 	t.RefreshToken = newToken.RefreshToken
    324. 

  324. 	t.IDToken = rawIDToken
    325. 

  325. 	if !newToken.Expiry.IsZero() {
    326. 

  326. 		t.ExpiresAt = util.GetTimeAsMsSinceEpoch(newToken.Expiry)
    327. 

  327. 	} else {
    328. 

  328. 		t.ExpiresAt = 0
    329. 

  329. 	}
    330. 

  330. 	idToken, err := verifier.Verify(ctx, rawIDToken)
    331. 

  331. 	if err != nil {
    332. 

  332. 		logger.Debug(logSender, "", "unable to verify refreshed id token for cookie %q: %v", t.Cookie, err)
    333. 

  333. 		return err
    334. 

  334. 	}
    335. 

  335. 	if idToken.Nonce != t.Nonce {
    336. 

  336. 		logger.Debug(logSender, "", "unable to verify refreshed id token for cookie %q: nonce mismatch", t.Cookie)
    337. 

  337. 		return errors.New("the refreshed token nonce mismatch")
    338. 

  338. 	}
    339. 

  339. 	claims := make(map[string]any)
    340. 

  340. 	err = idToken.Claims(&claims)
    341. 

  341. 	if err != nil {
    342. 

  342. 		logger.Debug(logSender, "", "unable to get refreshed id token claims for cookie %q: %v", t.Cookie, err)
    343. 

  343. 		return err
    344. 

  344. 	}
    345. 

  345. 	sid, ok := claims["sid"].(string)
    346. 

  346. 	if ok {
    347. 

  347. 		t.SessionID = sid
    348. 

  348. 	}
    349. 

  349. 	err = t.refreshUser(r)
    350. 

  350. 	if err != nil {
    351. 

  351. 		logger.Debug(logSender, "", "unable to refresh user after token refresh for cookie %q: %v", t.Cookie, err)
    352. 

  352. 		return err
    353. 

  353. 	}
    354. 

  354. 	logger.Debug(logSender, "", "oidc token refreshed for user %q, cookie %q", t.Username, t.Cookie)
    355. 

  355. 	oidcMgr.addToken(*t)
    356. 

  356. 

  357. 	return nil
    358. 

  358. }
    359. 

  359. 

  360. func (t *oidcToken) refreshUser(r *http.Request) error {
    361. 

  361. 	if t.isAdmin() {
    362. 

  362. 		admin, err := dataprovider.AdminExists(t.Username)
    363. 

  363. 		if err != nil {
    364. 

  364. 			return err
    365. 

  365. 		}
    366. 

  366. 		if err := admin.CanLogin(util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {
    367. 

  367. 			return err
    368. 

  368. 		}
    369. 

  369. 		t.Permissions = admin.Permissions
    370. 

  370. 		t.TokenRole = admin.Role
    371. 

  371. 		t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
    372. 

  372. 		return nil
    373. 

  373. 	}
    374. 

  374. 	user, err := dataprovider.GetUserWithGroupSettings(t.Username, "")
    375. 

  375. 	if err != nil {
    376. 

  376. 		return err
    377. 

  377. 	}
    378. 

  378. 	if err := user.CheckLoginConditions(); err != nil {
    379. 

  379. 		return err
    380. 

  380. 	}
    381. 

  381. 	if err := checkHTTPClientUser(&user, r, xid.New().String(), true); err != nil {
    382. 

  382. 		return err
    383. 

  383. 	}
    384. 

  384. 	t.Permissions = user.Filters.WebClient
    385. 

  385. 	t.TokenRole = user.Role
    386. 

  386. 	return nil
    387. 

  387. }
    388. 

  388. 

  389. func (t *oidcToken) getUser(r *http.Request) error {
    390. 

  390. 	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
    391. 

  391. 	params := common.EventParams{
    392. 

  392. 		Name:      t.Username,
    393. 

  393. 		IP:        ipAddr,
    394. 

  394. 		Protocol:  common.ProtocolOIDC,
    395. 

  395. 		Timestamp: time.Now().UnixNano(),
    396. 

  396. 		Status:    1,
    397. 

  397. 	}
    398. 

  398. 	if t.isAdmin() {
    399. 

  399. 		params.Event = common.IDPLoginAdmin
    400. 

  400. 		_, admin, err := common.HandleIDPLoginEvent(params, t.CustomFields)
    401. 

  401. 		if err != nil {
    402. 

  402. 			return err
    403. 

  403. 		}
    404. 

  404. 		if admin == nil {
    405. 

  405. 			a, err := dataprovider.AdminExists(t.Username)
    406. 

  406. 			if err != nil {
    407. 

  407. 				return err
    408. 

  408. 			}
    409. 

  409. 			admin = &a
    410. 

  410. 		}
    411. 

  411. 		if err := admin.CanLogin(ipAddr); err != nil {
    412. 

  412. 			return err
    413. 

  413. 		}
    414. 

  414. 		t.Permissions = admin.Permissions
    415. 

  415. 		t.TokenRole = admin.Role
    416. 

  416. 		t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
    417. 

  417. 		dataprovider.UpdateAdminLastLogin(admin)
    418. 

  418. 		return nil
    419. 

  419. 	}
    420. 

  420. 	params.Event = common.IDPLoginUser
    421. 

  421. 	user, _, err := common.HandleIDPLoginEvent(params, t.CustomFields)
    422. 

  422. 	if err != nil {
    423. 

  423. 		return err
    424. 

  424. 	}
    425. 

  425. 	if user == nil {
    426. 

  426. 		u, err := dataprovider.GetUserAfterIDPAuth(t.Username, ipAddr, common.ProtocolOIDC, t.CustomFields)
    427. 

  427. 		if err != nil {
    428. 

  428. 			return err
    429. 

  429. 		}
    430. 

  430. 		user = &u
    431. 

  431. 	}
    432. 

  432. 	if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil {
    433. 

  433. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
    434. 

  434. 		return fmt.Errorf("access denied: %w", err)
    435. 

  435. 	}
    436. 

  436. 	if err := user.CheckLoginConditions(); err != nil {
    437. 

  437. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
    438. 

  438. 		return err
    439. 

  439. 	}
    440. 

  440. 	connectionID := fmt.Sprintf("%s_%s", common.ProtocolOIDC, xid.New().String())
    441. 

  441. 	if err := checkHTTPClientUser(user, r, connectionID, true); err != nil {
    442. 

  442. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
    443. 

  443. 		return err
    444. 

  444. 	}
    445. 

  445. 	defer user.CloseFs() //nolint:errcheck
    446. 

  446. 	err = user.CheckFsRoot(connectionID)
    447. 

  447. 	if err != nil {
    448. 

  448. 		logger.Warn(logSender, connectionID, "unable to check fs root: %v", err)
    449. 

  449. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure)
    450. 

  450. 		return err
    451. 

  451. 	}
    452. 

  452. 	updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil)
    453. 

  453. 	dataprovider.UpdateLastLogin(user)
    454. 

  454. 	t.Permissions = user.Filters.WebClient
    455. 

  455. 	t.TokenRole = user.Role
    456. 

  456. 	return nil
    457. 

  457. }
    458. 

  458. 

  459. func (s *httpdServer) validateOIDCToken(w http.ResponseWriter, r *http.Request, isAdmin bool) (oidcToken, error) {
    460. 

  460. 	doRedirect := func() {
    461. 

  461. 		removeOIDCCookie(w, r)
    462. 

  462. 		if isAdmin {
    463. 

  463. 			http.Redirect(w, r, webAdminLoginPath, http.StatusFound)
    464. 

  464. 			return
    465. 

  465. 		}
    466. 

  466. 		http.Redirect(w, r, webClientLoginPath, http.StatusFound)
    467. 

  467. 	}
    468. 

  468. 

  469. 	cookie, err := r.Cookie(oidcCookieKey)
    470. 

  470. 	if err != nil {
    471. 

  471. 		logger.Debug(logSender, "", "no oidc cookie, redirecting to login page")
    472. 

  472. 		doRedirect()
    473. 

  473. 		return oidcToken{}, errInvalidToken
    474. 

  474. 	}
    475. 

  475. 	token, err := oidcMgr.getToken(cookie.Value)
    476. 

  476. 	if err != nil {
    477. 

  477. 		logger.Debug(logSender, "", "error getting oidc token associated with cookie %q: %v", cookie.Value, err)
    478. 

  478. 		doRedirect()
    479. 

  479. 		return oidcToken{}, errInvalidToken
    480. 

  480. 	}
    481. 

  481. 	if token.isExpired() {
    482. 

  482. 		logger.Debug(logSender, "", "oidc token associated with cookie %q is expired", token.Cookie)
    483. 

  483. 		if err = token.refresh(s.binding.OIDC.oauth2Config, s.binding.OIDC.verifier, r); err != nil {
    484. 

  484. 			setFlashMessage(w, r, "Your OpenID token is expired, please log-in again")
    485. 

  485. 			doRedirect()
    486. 

  486. 			return oidcToken{}, errInvalidToken
    487. 

  487. 		}
    488. 

  488. 	} else {
    489. 

  489. 		oidcMgr.updateTokenUsage(token)
    490. 

  490. 	}
    491. 

  491. 	if isAdmin {
    492. 

  492. 		if !token.isAdmin() {
    493. 

  493. 			logger.Debug(logSender, "", "oidc token associated with cookie %q is not valid for admin users", token.Cookie)
    494. 

  494. 			setFlashMessage(w, r, "Your OpenID token is not valid for the SFTPGo Web Admin UI. Please logout from your OpenID server and log-in as an SFTPGo admin")
    495. 

  495. 			doRedirect()
    496. 

  496. 			return oidcToken{}, errInvalidToken
    497. 

  497. 		}
    498. 

  498. 		return token, nil
    499. 

  499. 	}
    500. 

  500. 	if token.isAdmin() {
    501. 

  501. 		logger.Debug(logSender, "", "oidc token associated with cookie %q is valid for admin users", token.Cookie)
    502. 

  502. 		setFlashMessage(w, r, "Your OpenID token is not valid for the SFTPGo Web Client UI. Please logout from your OpenID server and log-in as an SFTPGo user")
    503. 

  503. 		doRedirect()
    504. 

  504. 		return oidcToken{}, errInvalidToken
    505. 

  505. 	}
    506. 

  506. 	return token, nil
    507. 

  507. }
    508. 

  508. 

  509. func (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next http.Handler) http.Handler {
    510. 

  510. 	return func(next http.Handler) http.Handler {
    511. 

  511. 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    512. 

  512. 			if canSkipOIDCValidation(r) {
    513. 

  513. 				next.ServeHTTP(w, r)
    514. 

  514. 				return
    515. 

  515. 			}
    516. 

  516. 			token, err := s.validateOIDCToken(w, r, audience == tokenAudienceWebAdmin)
    517. 

  517. 			if err != nil {
    518. 

  518. 				return
    519. 

  519. 			}
    520. 

  520. 			jwtTokenClaims := jwtTokenClaims{
    521. 

  521. 				Username:             token.Username,
    522. 

  522. 				Permissions:          token.Permissions,
    523. 

  523. 				Role:                 token.TokenRole,
    524. 

  524. 				HideUserPageSections: token.HideUserPageSections,
    525. 

  525. 			}
    526. 

  526. 			_, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr))
    527. 

  527. 			if err != nil {
    528. 

  528. 				setFlashMessage(w, r, "Unable to create cookie")
    529. 

  529. 				if audience == tokenAudienceWebAdmin {
    530. 

  530. 					http.Redirect(w, r, webAdminLoginPath, http.StatusFound)
    531. 

  531. 				} else {
    532. 

  532. 					http.Redirect(w, r, webClientLoginPath, http.StatusFound)
    533. 

  533. 				}
    534. 

  534. 				return
    535. 

  535. 			}
    536. 

  536. 			ctx := context.WithValue(r.Context(), oidcTokenKey, token.Cookie)
    537. 

  537. 			ctx = context.WithValue(ctx, oidcGeneratedToken, tokenString)
    538. 

  538. 

  539. 			next.ServeHTTP(w, r.WithContext(ctx))
    540. 

  540. 		})
    541. 

  541. 	}
    542. 

  542. }
    543. 

  543. 

  544. func (s *httpdServer) handleWebAdminOIDCLogin(w http.ResponseWriter, r *http.Request) {
    545. 

  545. 	s.oidcLoginRedirect(w, r, tokenAudienceWebAdmin)
    546. 

  546. }
    547. 

  547. 

  548. func (s *httpdServer) handleWebClientOIDCLogin(w http.ResponseWriter, r *http.Request) {
    549. 

  549. 	s.oidcLoginRedirect(w, r, tokenAudienceWebClient)
    550. 

  550. }
    551. 

  551. 

  552. func (s *httpdServer) oidcLoginRedirect(w http.ResponseWriter, r *http.Request, audience tokenAudience) {
    553. 

  553. 	pendingAuth := newOIDCPendingAuth(audience)
    554. 

  554. 	oidcMgr.addPendingAuth(pendingAuth)
    555. 

  555. 	http.Redirect(w, r, s.binding.OIDC.oauth2Config.AuthCodeURL(pendingAuth.State,
    556. 

  556. 		oidc.Nonce(pendingAuth.Nonce)), http.StatusFound)
    557. 

  557. }
    558. 

  558. 

  559. func (s *httpdServer) debugTokenClaims(claims map[string]any, rawIDToken string) {
    560. 

  560. 	if s.binding.OIDC.Debug {
    561. 

  561. 		if claims == nil {
    562. 

  562. 			logger.Debug(logSender, "", "raw id token %q", rawIDToken)
    563. 

  563. 		} else {
    564. 

  564. 			logger.Debug(logSender, "", "raw id token %q, parsed claims %+v", rawIDToken, claims)
    565. 

  565. 		}
    566. 

  566. 	}
    567. 

  567. }
    568. 

  568. 

  569. func (s *httpdServer) handleOIDCRedirect(w http.ResponseWriter, r *http.Request) {
    570. 

  570. 	state := r.URL.Query().Get("state")
    571. 

  571. 	authReq, err := oidcMgr.getPendingAuth(state)
    572. 

  572. 	if err != nil {
    573. 

  573. 		logger.Debug(logSender, "", "oidc authentication state did not match")
    574. 

  574. 		s.renderClientMessagePage(w, r, "Invalid authentication request", "Authentication state did not match",
    575. 

  575. 			http.StatusBadRequest, nil, "")
    576. 

  576. 		return
    577. 

  577. 	}
    578. 

  578. 	oidcMgr.removePendingAuth(state)
    579. 

  579. 

  580. 	doRedirect := func() {
    581. 

  581. 		if authReq.Audience == tokenAudienceWebAdmin {
    582. 

  582. 			http.Redirect(w, r, webAdminLoginPath, http.StatusFound)
    583. 

  583. 			return
    584. 

  584. 		}
    585. 

  585. 		http.Redirect(w, r, webClientLoginPath, http.StatusFound)
    586. 

  586. 	}
    587. 

  587. 	doLogout := func(rawIDToken string) {
    588. 

  588. 		s.logoutFromOIDCOP(rawIDToken)
    589. 

  589. 	}
    590. 

  590. 

  591. 	ctx, cancel := context.WithTimeout(r.Context(), 20*time.Second)
    592. 

  592. 	defer cancel()
    593. 

  593. 

  594. 	oauth2Token, err := s.binding.OIDC.oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
    595. 

  595. 	if err != nil {
    596. 

  596. 		logger.Debug(logSender, "", "failed to exchange oidc token: %v", err)
    597. 

  597. 		setFlashMessage(w, r, "Failed to exchange OpenID token")
    598. 

  598. 		doRedirect()
    599. 

  599. 		return
    600. 

  600. 	}
    601. 

  601. 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
    602. 

  602. 	if !ok {
    603. 

  603. 		logger.Debug(logSender, "", "no id_token field in OAuth2 OpenID token")
    604. 

  604. 		setFlashMessage(w, r, "No id_token field in OAuth2 OpenID token")
    605. 

  605. 		doRedirect()
    606. 

  606. 		return
    607. 

  607. 	}
    608. 

  608. 	s.debugTokenClaims(nil, rawIDToken)
    609. 

  609. 	idToken, err := s.binding.OIDC.verifier.Verify(ctx, rawIDToken)
    610. 

  610. 	if err != nil {
    611. 

  611. 		logger.Debug(logSender, "", "failed to verify oidc token: %v", err)
    612. 

  612. 		setFlashMessage(w, r, "Failed to verify OpenID token")
    613. 

  613. 		doRedirect()
    614. 

  614. 		doLogout(rawIDToken)
    615. 

  615. 		return
    616. 

  616. 	}
    617. 

  617. 	if idToken.Nonce != authReq.Nonce {
    618. 

  618. 		logger.Debug(logSender, "", "oidc authentication nonce did not match")
    619. 

  619. 		setFlashMessage(w, r, "OpenID authentication nonce did not match")
    620. 

  620. 		doRedirect()
    621. 

  621. 		doLogout(rawIDToken)
    622. 

  622. 		return
    623. 

  623. 	}
    624. 

  624. 

  625. 	claims := make(map[string]any)
    626. 

  626. 	err = idToken.Claims(&claims)
    627. 

  627. 	if err != nil {
    628. 

  628. 		logger.Debug(logSender, "", "unable to get oidc token claims: %v", err)
    629. 

  629. 		setFlashMessage(w, r, "Unable to get OpenID token claims")
    630. 

  630. 		doRedirect()
    631. 

  631. 		doLogout(rawIDToken)
    632. 

  632. 		return
    633. 

  633. 	}
    634. 

  634. 	s.debugTokenClaims(claims, rawIDToken)
    635. 

  635. 	token := oidcToken{
    636. 

  636. 		AccessToken:  oauth2Token.AccessToken,
    637. 

  637. 		TokenType:    oauth2Token.TokenType,
    638. 

  638. 		RefreshToken: oauth2Token.RefreshToken,
    639. 

  639. 		IDToken:      rawIDToken,
    640. 

  640. 		Nonce:        idToken.Nonce,
    641. 

  641. 		Cookie:       xid.New().String(),
    642. 

  642. 	}
    643. 

  643. 	if !oauth2Token.Expiry.IsZero() {
    644. 

  644. 		token.ExpiresAt = util.GetTimeAsMsSinceEpoch(oauth2Token.Expiry)
    645. 

  645. 	}
    646. 

  646. 	err = token.parseClaims(claims, s.binding.OIDC.UsernameField, s.binding.OIDC.RoleField,
    647. 

  647. 		s.binding.OIDC.CustomFields, s.binding.OIDC.getForcedRole(authReq.Audience))
    648. 

  648. 	if err != nil {
    649. 

  649. 		logger.Debug(logSender, "", "unable to parse oidc token claims: %v", err)
    650. 

  650. 		setFlashMessage(w, r, fmt.Sprintf("Unable to parse OpenID token claims: %v", err))
    651. 

  651. 		doRedirect()
    652. 

  652. 		doLogout(rawIDToken)
    653. 

  653. 		return
    654. 

  654. 	}
    655. 

  655. 	switch authReq.Audience {
    656. 

  656. 	case tokenAudienceWebAdmin:
    657. 

  657. 		if !token.isAdmin() {
    658. 

  658. 			logger.Debug(logSender, "", "wrong oidc token role, the mapped user is not an SFTPGo admin")
    659. 

  659. 			setFlashMessage(w, r, "Wrong OpenID role, the logged in user is not an SFTPGo admin")
    660. 

  660. 			doRedirect()
    661. 

  661. 			doLogout(rawIDToken)
    662. 

  662. 			return
    663. 

  663. 		}
    664. 

  664. 	case tokenAudienceWebClient:
    665. 

  665. 		if token.isAdmin() {
    666. 

  666. 			logger.Debug(logSender, "", "wrong oidc token role, the mapped user is an SFTPGo admin")
    667. 

  667. 			setFlashMessage(w, r, "Wrong OpenID role, the logged in user is an SFTPGo admin")
    668. 

  668. 			doRedirect()
    669. 

  669. 			doLogout(rawIDToken)
    670. 

  670. 			return
    671. 

  671. 		}
    672. 

  672. 	}
    673. 

  673. 	err = token.getUser(r)
    674. 

  674. 	if err != nil {
    675. 

  675. 		logger.Debug(logSender, "", "unable to get the sftpgo user associated with oidc token: %v", err)
    676. 

  676. 		setFlashMessage(w, r, "Unable to get the user associated with the OpenID token")
    677. 

  677. 		doRedirect()
    678. 

  678. 		doLogout(rawIDToken)
    679. 

  679. 		return
    680. 

  680. 	}
    681. 

  681. 

  682. 	loginOIDCUser(w, r, token)
    683. 

  683. }
    684. 

  684. 

  685. func loginOIDCUser(w http.ResponseWriter, r *http.Request, token oidcToken) {
    686. 

  686. 	oidcMgr.addToken(token)
    687. 

  687. 

  688. 	cookie := http.Cookie{
    689. 

  689. 		Name:     oidcCookieKey,
    690. 

  690. 		Value:    token.Cookie,
    691. 

  691. 		Path:     "/",
    692. 

  692. 		HttpOnly: true,
    693. 

  693. 		Secure:   isTLS(r),
    694. 

  694. 		SameSite: http.SameSiteLaxMode,
    695. 

  695. 	}
    696. 

  696. 	// we don't set a cookie expiration so we can refresh the token without setting a new cookie
    697. 

  697. 	// the cookie will be invalidated on browser close
    698. 

  698. 	http.SetCookie(w, &cookie)
    699. 

  699. 	w.Header().Add("Cache-Control", `no-cache="Set-Cookie"`)
    700. 

  700. 	if token.isAdmin() {
    701. 

  701. 		http.Redirect(w, r, webUsersPath, http.StatusFound)
    702. 

  702. 		return
    703. 

  703. 	}
    704. 

  704. 	http.Redirect(w, r, webClientFilesPath, http.StatusFound)
    705. 

  705. }
    706. 

  706. 

  707. func (s *httpdServer) logoutOIDCUser(w http.ResponseWriter, r *http.Request) {
    708. 

  708. 	if oidcKey, ok := r.Context().Value(oidcTokenKey).(string); ok {
    709. 

  709. 		removeOIDCCookie(w, r)
    710. 

  710. 		token, err := oidcMgr.getToken(oidcKey)
    711. 

  711. 		if err == nil {
    712. 

  712. 			s.logoutFromOIDCOP(token.IDToken)
    713. 

  713. 		}
    714. 

  714. 		oidcMgr.removeToken(oidcKey)
    715. 

  715. 	}
    716. 

  716. }
    717. 

  717. 

  718. func (s *httpdServer) logoutFromOIDCOP(idToken string) {
    719. 

  719. 	if s.binding.OIDC.providerLogoutURL == "" {
    720. 

  720. 		logger.Debug(logSender, "", "oidc: provider logout URL not set, unable to logout from the OP")
    721. 

  721. 		return
    722. 

  722. 	}
    723. 

  723. 	go s.doOIDCFromLogout(idToken)
    724. 

  724. }
    725. 

  725. 

  726. func (s *httpdServer) doOIDCFromLogout(idToken string) {
    727. 

  727. 	logoutURL, err := url.Parse(s.binding.OIDC.providerLogoutURL)
    728. 

  728. 	if err != nil {
    729. 

  729. 		logger.Warn(logSender, "", "oidc: unable to parse logout URL: %v", err)
    730. 

  730. 		return
    731. 

  731. 	}
    732. 

  732. 	query := logoutURL.Query()
    733. 

  733. 	if idToken != "" {
    734. 

  734. 		query.Set("id_token_hint", idToken)
    735. 

  735. 	}
    736. 

  736. 	logoutURL.RawQuery = query.Encode()
    737. 

  737. 	resp, err := httpclient.RetryableGet(logoutURL.String())
    738. 

  738. 	if err != nil {
    739. 

  739. 		logger.Warn(logSender, "", "oidc: error calling logout URL %q: %v", logoutURL.String(), err)
    740. 

  740. 		return
    741. 

  741. 	}
    742. 

  742. 	defer resp.Body.Close()
    743. 

  743. 	logger.Debug(logSender, "", "oidc: logout url response code %v", resp.StatusCode)
    744. 

  744. }
    745. 

  745. 

  746. func removeOIDCCookie(w http.ResponseWriter, r *http.Request) {
    747. 

  747. 	http.SetCookie(w, &http.Cookie{
    748. 

  748. 		Name:     oidcCookieKey,
    749. 

  749. 		Value:    "",
    750. 

  750. 		Path:     "/",
    751. 

  751. 		Expires:  time.Unix(0, 0),
    752. 

  752. 		MaxAge:   -1,
    753. 

  753. 		HttpOnly: true,
    754. 

  754. 		Secure:   isTLS(r),
    755. 

  755. 		SameSite: http.SameSiteLaxMode,
    756. 

  756. 	})
    757. 

  757. }
    758. 

  758. 

  759. // canSkipOIDCValidation returns true if there is no OIDC cookie but a jwt cookie is set
    760. 

  760. // and so we check if the user is logged in using a built-in user
    761. 

  761. func canSkipOIDCValidation(r *http.Request) bool {
    762. 

  762. 	_, err := r.Cookie(oidcCookieKey)
    763. 

  763. 	if err != nil {
    764. 

  764. 		_, err = r.Cookie(jwtCookieKey)
    765. 

  765. 		return err == nil
    766. 

  766. 	}
    767. 

  767. 	return false
    768. 

  768. }
    769. 

  769. 

  770. func isLoggedInWithOIDC(r *http.Request) bool {
    771. 

  771. 	_, ok := r.Context().Value(oidcTokenKey).(string)
    772. 

  772. 	return ok
    773. 

  773. }
    774. 

  774. 

  775. func getOIDCFieldFromClaims(claims map[string]any, fieldName string) (any, bool) {
    776. 

  776. 	if fieldName == "" {
    777. 

  777. 		return nil, false
    778. 

  778. 	}
    779. 

  779. 	val, ok := claims[fieldName]
    780. 

  780. 	if ok {
    781. 

  781. 		return val, true
    782. 

  782. 	}
    783. 

  783. 	if !strings.Contains(fieldName, ".") {
    784. 

  784. 		return nil, false
    785. 

  785. 	}
    786. 

  786. 

  787. 	getStructValue := func(outer any, field string) (any, bool) {
    788. 

  788. 		switch v := outer.(type) {
    789. 

  789. 		case map[string]any:
    790. 

  790. 			res, ok := v[field]
    791. 

  791. 			return res, ok
    792. 

  792. 		}
    793. 

  793. 		return nil, false
    794. 

  794. 	}
    795. 

  795. 

  796. 	for idx, field := range strings.Split(fieldName, ".") {
    797. 

  797. 		if idx == 0 {
    798. 

  798. 			val, ok = getStructValue(claims, field)
    799. 

  799. 		} else {
    800. 

  800. 			val, ok = getStructValue(val, field)
    801. 

  801. 		}
    802. 

  802. 		if !ok {
    803. 

  803. 			return nil, false
    804. 

  804. 		}
    805. 

  805. 	}
    806. 

  806. 

  807. 	return val, ok
    808. 

  808. }
    809.