Головна сторінка Огляд Довідка
Реєстрація Увійти
Apq
/
sftpgo
дзеркало https://github.com/drakkan/sftpgo.git
1
0
Відгалуження 0
Файли Проблеми 0 Wiki
Дерево: 8d697bcc94
Гілки Теги
sftpgo
/
internal
/
httpd
/
oidc.go

oidc.go 28 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855 
  1. // Copyright (C) 2019 Nicola Murino
    2. 

  2. //
    3. 

  3. // This program is free software: you can redistribute it and/or modify
    4. 

  4. // it under the terms of the GNU Affero General Public License as published
    5. 

  5. // by the Free Software Foundation, version 3.
    6. 

  6. //
    7. 

  7. // This program is distributed in the hope that it will be useful,
    8. 

  8. // but WITHOUT ANY WARRANTY; without even the implied warranty of
    9. 

  9. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    10. 

  10. // GNU Affero General Public License for more details.
    11. 

  11. //
    12. 

  12. // You should have received a copy of the GNU Affero General Public License
    13. 

  13. // along with this program. If not, see <https://www.gnu.org/licenses/>.
    14. 

  14. 

  15. package httpd
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"encoding/hex"
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 	"net/http"
    23. 

  23. 	"net/url"
    24. 

  24. 	"slices"
    25. 

  25. 	"strings"
    26. 

  26. 	"time"
    27. 

  27. 

  28. 	"github.com/coreos/go-oidc/v3/oidc"
    29. 

  29. 	"github.com/rs/xid"
    30. 

  30. 	"golang.org/x/oauth2"
    31. 

  31. 

  32. 	"github.com/drakkan/sftpgo/v2/internal/common"
    33. 

  33. 	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
    34. 

  34. 	"github.com/drakkan/sftpgo/v2/internal/httpclient"
    35. 

  35. 	"github.com/drakkan/sftpgo/v2/internal/logger"
    36. 

  36. 	"github.com/drakkan/sftpgo/v2/internal/util"
    37. 

  37. )
    38. 

  38. 

  39. const (
    40. 

  40. 	oidcCookieKey       = "oidc"
    41. 

  41. 	adminRoleFieldValue = "admin"
    42. 

  42. 	authStateValidity   = 1 * 60 * 1000   // 1 minute
    43. 

  43. 	tokenUpdateInterval = 3 * 60 * 1000   // 3 minutes
    44. 

  44. 	tokenDeleteInterval = 2 * 3600 * 1000 // 2 hours
    45. 

  45. )
    46. 

  46. 

  47. var (
    48. 

  48. 	oidcTokenKey       = &contextKey{"OIDC token key"}
    49. 

  49. 	oidcGeneratedToken = &contextKey{"OIDC generated token"}
    50. 

  50. )
    51. 

  51. 

  52. // OAuth2Config defines an interface for OAuth2 methods, so we can mock them
    53. 

  53. type OAuth2Config interface {
    54. 

  54. 	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
    55. 

  55. 	Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error)
    56. 

  56. 	TokenSource(ctx context.Context, t *oauth2.Token) oauth2.TokenSource
    57. 

  57. }
    58. 

  58. 

  59. // OIDCTokenVerifier defines an interface for OpenID token verifier, so we can mock them
    60. 

  60. type OIDCTokenVerifier interface {
    61. 

  61. 	Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error)
    62. 

  62. }
    63. 

  63. 

  64. // OIDC defines the OpenID Connect configuration
    65. 

  65. type OIDC struct {
    66. 

  66. 	// ClientID is the application's ID
    67. 

  67. 	ClientID string `json:"client_id" mapstructure:"client_id"`
    68. 

  68. 	// ClientSecret is the application's secret
    69. 

  69. 	ClientSecret     string `json:"client_secret" mapstructure:"client_secret"`
    70. 

  70. 	ClientSecretFile string `json:"client_secret_file" mapstructure:"client_secret_file"`
    71. 

  71. 	// ConfigURL is the identifier for the service.
    72. 

  72. 	// SFTPGo will try to retrieve the provider configuration on startup and then
    73. 

  73. 	// will refuse to start if it fails to connect to the specified URL
    74. 

  74. 	ConfigURL string `json:"config_url" mapstructure:"config_url"`
    75. 

  75. 	// RedirectBaseURL is the base URL to redirect to after OpenID authentication.
    76. 

  76. 	// The suffix "/web/oidc/redirect" will be added to this base URL, adding also the
    77. 

  77. 	// "web_root" if configured
    78. 

  78. 	RedirectBaseURL string `json:"redirect_base_url" mapstructure:"redirect_base_url"`
    79. 

  79. 	// ID token claims field to map to the SFTPGo username
    80. 

  80. 	UsernameField string `json:"username_field" mapstructure:"username_field"`
    81. 

  81. 	// Optional ID token claims field to map to a SFTPGo role.
    82. 

  82. 	// If the defined ID token claims field is set to "admin" the authenticated user
    83. 

  83. 	// is mapped to an SFTPGo admin.
    84. 

  84. 	// You don't need to specify this field if you want to use OpenID only for the
    85. 

  85. 	// Web Client UI
    86. 

  86. 	RoleField string `json:"role_field" mapstructure:"role_field"`
    87. 

  87. 	// If set, the `RoleField` is ignored and the SFTPGo role is assumed based on
    88. 

  88. 	// the login link used
    89. 

  89. 	ImplicitRoles bool `json:"implicit_roles" mapstructure:"implicit_roles"`
    90. 

  90. 	// Scopes required by the OAuth provider to retrieve information about the authenticated user.
    91. 

  91. 	// The "openid" scope is required.
    92. 

  92. 	// Refer to your OAuth provider documentation for more information about this
    93. 

  93. 	Scopes []string `json:"scopes" mapstructure:"scopes"`
    94. 

  94. 	// Custom token claims fields to pass to the pre-login hook
    95. 

  95. 	CustomFields []string `json:"custom_fields" mapstructure:"custom_fields"`
    96. 

  96. 	// InsecureSkipSignatureCheck causes SFTPGo to skip JWT signature validation.
    97. 

  97. 	// It's intended for special cases where providers, such as Azure, use the "none"
    98. 

  98. 	// algorithm. Skipping the signature validation can cause security issues
    99. 

  99. 	InsecureSkipSignatureCheck bool `json:"insecure_skip_signature_check" mapstructure:"insecure_skip_signature_check"`
    100. 

  100. 	// Debug enables the OIDC debug mode. In debug mode, the received id_token will be logged
    101. 

  101. 	// at the debug level
    102. 

  102. 	Debug             bool `json:"debug" mapstructure:"debug"`
    103. 

  103. 	provider          *oidc.Provider
    104. 

  104. 	verifier          OIDCTokenVerifier
    105. 

  105. 	providerLogoutURL string
    106. 

  106. 	oauth2Config      OAuth2Config
    107. 

  107. }
    108. 

  108. 

  109. func (o *OIDC) isEnabled() bool {
    110. 

  110. 	return o.provider != nil
    111. 

  111. }
    112. 

  112. 

  113. func (o *OIDC) hasRoles() bool {
    114. 

  114. 	return o.isEnabled() && (o.RoleField != "" || o.ImplicitRoles)
    115. 

  115. }
    116. 

  116. 

  117. func (o *OIDC) getForcedRole(audience string) string {
    118. 

  118. 	if !o.ImplicitRoles {
    119. 

  119. 		return ""
    120. 

  120. 	}
    121. 

  121. 	if audience == tokenAudienceWebAdmin {
    122. 

  122. 		return adminRoleFieldValue
    123. 

  123. 	}
    124. 

  124. 	return ""
    125. 

  125. }
    126. 

  126. 

  127. func (o *OIDC) getRedirectURL() string {
    128. 

  128. 	url := o.RedirectBaseURL
    129. 

  129. 	if strings.HasSuffix(o.RedirectBaseURL, "/") {
    130. 

  130. 		url = strings.TrimSuffix(o.RedirectBaseURL, "/")
    131. 

  131. 	}
    132. 

  132. 	url += webOIDCRedirectPath
    133. 

  133. 	logger.Debug(logSender, "", "oidc redirect URL: %q", url)
    134. 

  134. 	return url
    135. 

  135. }
    136. 

  136. 

  137. func (o *OIDC) initialize() error {
    138. 

  138. 	if o.ConfigURL == "" {
    139. 

  139. 		return nil
    140. 

  140. 	}
    141. 

  141. 	if o.UsernameField == "" {
    142. 

  142. 		return errors.New("oidc: username field cannot be empty")
    143. 

  143. 	}
    144. 

  144. 	if o.RedirectBaseURL == "" {
    145. 

  145. 		return errors.New("oidc: redirect base URL cannot be empty")
    146. 

  146. 	}
    147. 

  147. 	if !slices.Contains(o.Scopes, oidc.ScopeOpenID) {
    148. 

  148. 		return fmt.Errorf("oidc: required scope %q is not set", oidc.ScopeOpenID)
    149. 

  149. 	}
    150. 

  150. 	if o.ClientSecretFile != "" {
    151. 

  151. 		secret, err := util.ReadConfigFromFile(o.ClientSecretFile, configurationDir)
    152. 

  152. 		if err != nil {
    153. 

  153. 			return err
    154. 

  154. 		}
    155. 

  155. 		o.ClientSecret = secret
    156. 

  156. 	}
    157. 

  157. 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
    158. 

  158. 	defer cancel()
    159. 

  159. 

  160. 	provider, err := oidc.NewProvider(ctx, o.ConfigURL)
    161. 

  161. 	if err != nil {
    162. 

  162. 		return fmt.Errorf("oidc: unable to initialize provider for URL %q: %w", o.ConfigURL, err)
    163. 

  163. 	}
    164. 

  164. 	claims := make(map[string]any)
    165. 

  165. 	// we cannot get an error here because the response body was already parsed as JSON
    166. 

  166. 	// on provider creation
    167. 

  167. 	provider.Claims(&claims) //nolint:errcheck
    168. 

  168. 	endSessionEndPoint, ok := claims["end_session_endpoint"]
    169. 

  169. 	if ok {
    170. 

  170. 		if val, ok := endSessionEndPoint.(string); ok {
    171. 

  171. 			o.providerLogoutURL = val
    172. 

  172. 			logger.Debug(logSender, "", "oidc end session endpoint %q", o.providerLogoutURL)
    173. 

  173. 		}
    174. 

  174. 	}
    175. 

  175. 	o.provider = provider
    176. 

  176. 	o.verifier = nil
    177. 

  177. 	o.oauth2Config = &oauth2.Config{
    178. 

  178. 		ClientID:     o.ClientID,
    179. 

  179. 		ClientSecret: o.ClientSecret,
    180. 

  180. 		Endpoint:     o.provider.Endpoint(),
    181. 

  181. 		RedirectURL:  o.getRedirectURL(),
    182. 

  182. 		Scopes:       o.Scopes,
    183. 

  183. 	}
    184. 

  184. 

  185. 	return nil
    186. 

  186. }
    187. 

  187. 

  188. func (o *OIDC) getVerifier(ctx context.Context) OIDCTokenVerifier {
    189. 

  189. 	if o.verifier != nil {
    190. 

  190. 		return o.verifier
    191. 

  191. 	}
    192. 

  192. 	return o.provider.VerifierContext(ctx, &oidc.Config{
    193. 

  193. 		ClientID:                   o.ClientID,
    194. 

  194. 		InsecureSkipSignatureCheck: o.InsecureSkipSignatureCheck,
    195. 

  195. 	})
    196. 

  196. }
    197. 

  197. 

  198. type oidcPendingAuth struct {
    199. 

  199. 	State    string        `json:"state"`
    200. 

  200. 	Nonce    string        `json:"nonce"`
    201. 

  201. 	Audience tokenAudience `json:"audience"`
    202. 

  202. 	IssuedAt int64         `json:"issued_at"`
    203. 

  203. }
    204. 

  204. 

  205. func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {
    206. 

  206. 	return oidcPendingAuth{
    207. 

  207. 		State:    xid.New().String(),
    208. 

  208. 		Nonce:    hex.EncodeToString(util.GenerateRandomBytes(20)),
    209. 

  209. 		Audience: audience,
    210. 

  210. 		IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),
    211. 

  211. 	}
    212. 

  212. }
    213. 

  213. 

  214. type oidcToken struct {
    215. 

  215. 	AccessToken                string          `json:"access_token"`
    216. 

  216. 	TokenType                  string          `json:"token_type,omitempty"`
    217. 

  217. 	RefreshToken               string          `json:"refresh_token,omitempty"`
    218. 

  218. 	ExpiresAt                  int64           `json:"expires_at,omitempty"`
    219. 

  219. 	SessionID                  string          `json:"session_id"`
    220. 

  220. 	IDToken                    string          `json:"id_token"`
    221. 

  221. 	Nonce                      string          `json:"nonce"`
    222. 

  222. 	Username                   string          `json:"username"`
    223. 

  223. 	Permissions                []string        `json:"permissions"`
    224. 

  224. 	HideUserPageSections       int             `json:"hide_user_page_sections,omitempty"`
    225. 

  225. 	MustSetTwoFactorAuth       bool            `json:"must_set_2fa,omitempty"`
    226. 

  226. 	MustChangePassword         bool            `json:"must_change_password,omitempty"`
    227. 

  227. 	RequiredTwoFactorProtocols []string        `json:"required_two_factor_protocols,omitempty"`
    228. 

  228. 	TokenRole                  string          `json:"token_role,omitempty"` // SFTPGo role name
    229. 

  229. 	Role                       any             `json:"role"`                 // oidc user role: SFTPGo user or admin
    230. 

  230. 	CustomFields               *map[string]any `json:"custom_fields,omitempty"`
    231. 

  231. 	Cookie                     string          `json:"cookie"`
    232. 

  232. 	UsedAt                     int64           `json:"used_at"`
    233. 

  233. }
    234. 

  234. 

  235. func (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField string, customFields []string,
    236. 

  236. 	forcedRole string,
    237. 

  237. ) error {
    238. 

  238. 	getClaimsFields := func() []string {
    239. 

  239. 		keys := make([]string, 0, len(claims))
    240. 

  240. 		for k := range claims {
    241. 

  241. 			keys = append(keys, k)
    242. 

  242. 		}
    243. 

  243. 		return keys
    244. 

  244. 	}
    245. 

  245. 

  246. 	var username string
    247. 

  247. 	val, ok := getOIDCFieldFromClaims(claims, usernameField)
    248. 

  248. 	if ok {
    249. 

  249. 		username, ok = val.(string)
    250. 

  250. 	}
    251. 

  251. 	if !ok || username == "" {
    252. 

  252. 		logger.Warn(logSender, "", "username field %q not found, empty or not a string, claims fields: %+v",
    253. 

  253. 			usernameField, getClaimsFields())
    254. 

  254. 		return errors.New("no username field")
    255. 

  255. 	}
    256. 

  256. 	t.Username = username
    257. 

  257. 	if forcedRole != "" {
    258. 

  258. 		t.Role = forcedRole
    259. 

  259. 	} else {
    260. 

  260. 		t.getRoleFromField(claims, roleField)
    261. 

  261. 	}
    262. 

  262. 	t.CustomFields = nil
    263. 

  263. 	if len(customFields) > 0 {
    264. 

  264. 		for _, field := range customFields {
    265. 

  265. 			if val, ok := getOIDCFieldFromClaims(claims, field); ok {
    266. 

  266. 				if t.CustomFields == nil {
    267. 

  267. 					customFields := make(map[string]any)
    268. 

  268. 					t.CustomFields = &customFields
    269. 

  269. 				}
    270. 

  270. 				logger.Debug(logSender, "", "custom field %q found in token claims", field)
    271. 

  271. 				(*t.CustomFields)[field] = val
    272. 

  272. 			} else {
    273. 

  273. 				logger.Info(logSender, "", "custom field %q not found in token claims", field)
    274. 

  274. 			}
    275. 

  275. 		}
    276. 

  276. 	}
    277. 

  277. 	sid, ok := claims["sid"].(string)
    278. 

  278. 	if ok {
    279. 

  279. 		t.SessionID = sid
    280. 

  280. 	}
    281. 

  281. 	return nil
    282. 

  282. }
    283. 

  283. 

  284. func (t *oidcToken) getRoleFromField(claims map[string]any, roleField string) {
    285. 

  285. 	role, ok := getOIDCFieldFromClaims(claims, roleField)
    286. 

  286. 	if ok {
    287. 

  287. 		t.Role = role
    288. 

  288. 	}
    289. 

  289. }
    290. 

  290. 

  291. func (t *oidcToken) isAdmin() bool {
    292. 

  292. 	switch v := t.Role.(type) {
    293. 

  293. 	case string:
    294. 

  294. 		return v == adminRoleFieldValue
    295. 

  295. 	case []any:
    296. 

  296. 		for _, s := range v {
    297. 

  297. 			if val, ok := s.(string); ok && val == adminRoleFieldValue {
    298. 

  298. 				return true
    299. 

  299. 			}
    300. 

  300. 		}
    301. 

  301. 		return false
    302. 

  302. 	default:
    303. 

  303. 		return false
    304. 

  304. 	}
    305. 

  305. }
    306. 

  306. 

  307. func (t *oidcToken) isExpired() bool {
    308. 

  308. 	if t.ExpiresAt == 0 {
    309. 

  309. 		return false
    310. 

  310. 	}
    311. 

  311. 	return t.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now())
    312. 

  312. }
    313. 

  313. 

  314. func (t *oidcToken) refresh(ctx context.Context, config OAuth2Config, verifier OIDCTokenVerifier, r *http.Request) error {
    315. 

  315. 	if t.RefreshToken == "" {
    316. 

  316. 		logger.Debug(logSender, "", "refresh token not set, unable to refresh cookie %q", t.Cookie)
    317. 

  317. 		return errors.New("refresh token not set")
    318. 

  318. 	}
    319. 

  319. 	oauth2Token := oauth2.Token{
    320. 

  320. 		AccessToken:  t.AccessToken,
    321. 

  321. 		TokenType:    t.TokenType,
    322. 

  322. 		RefreshToken: t.RefreshToken,
    323. 

  323. 	}
    324. 

  324. 	if t.ExpiresAt > 0 {
    325. 

  325. 		oauth2Token.Expiry = util.GetTimeFromMsecSinceEpoch(t.ExpiresAt)
    326. 

  326. 	}
    327. 

  327. 

  328. 	newToken, err := config.TokenSource(ctx, &oauth2Token).Token()
    329. 

  329. 	if err != nil {
    330. 

  330. 		logger.Debug(logSender, "", "unable to refresh token for cookie %q: %v", t.Cookie, err)
    331. 

  331. 		return err
    332. 

  332. 	}
    333. 

  333. 	rawIDToken, ok := newToken.Extra("id_token").(string)
    334. 

  334. 	if !ok {
    335. 

  335. 		logger.Debug(logSender, "", "the refreshed token has no id token, cookie %q", t.Cookie)
    336. 

  336. 		return errors.New("the refreshed token has no id token")
    337. 

  337. 	}
    338. 

  338. 

  339. 	t.AccessToken = newToken.AccessToken
    340. 

  340. 	t.TokenType = newToken.TokenType
    341. 

  341. 	t.RefreshToken = newToken.RefreshToken
    342. 

  342. 	t.IDToken = rawIDToken
    343. 

  343. 	if !newToken.Expiry.IsZero() {
    344. 

  344. 		t.ExpiresAt = util.GetTimeAsMsSinceEpoch(newToken.Expiry)
    345. 

  345. 	} else {
    346. 

  346. 		t.ExpiresAt = 0
    347. 

  347. 	}
    348. 

  348. 	idToken, err := verifier.Verify(ctx, rawIDToken)
    349. 

  349. 	if err != nil {
    350. 

  350. 		logger.Debug(logSender, "", "unable to verify refreshed id token for cookie %q: %v", t.Cookie, err)
    351. 

  351. 		return err
    352. 

  352. 	}
    353. 

  353. 	if idToken.Nonce != "" && idToken.Nonce != t.Nonce {
    354. 

  354. 		logger.Warn(logSender, "", "unable to verify refreshed id token for cookie %q: nonce mismatch, expected: %q, actual: %q",
    355. 

  355. 			t.Cookie, t.Nonce, idToken.Nonce)
    356. 

  356. 		return errors.New("the refreshed token nonce mismatch")
    357. 

  357. 	}
    358. 

  358. 	claims := make(map[string]any)
    359. 

  359. 	err = idToken.Claims(&claims)
    360. 

  360. 	if err != nil {
    361. 

  361. 		logger.Warn(logSender, "", "unable to get refreshed id token claims for cookie %q: %v", t.Cookie, err)
    362. 

  362. 		return err
    363. 

  363. 	}
    364. 

  364. 	sid, ok := claims["sid"].(string)
    365. 

  365. 	if ok {
    366. 

  366. 		t.SessionID = sid
    367. 

  367. 	}
    368. 

  368. 	err = t.refreshUser(r)
    369. 

  369. 	if err != nil {
    370. 

  370. 		logger.Debug(logSender, "", "unable to refresh user after token refresh for cookie %q: %v", t.Cookie, err)
    371. 

  371. 		return err
    372. 

  372. 	}
    373. 

  373. 	logger.Debug(logSender, "", "oidc token refreshed for user %q, cookie %q", t.Username, t.Cookie)
    374. 

  374. 	oidcMgr.addToken(*t)
    375. 

  375. 

  376. 	return nil
    377. 

  377. }
    378. 

  378. 

  379. func (t *oidcToken) refreshUser(r *http.Request) error {
    380. 

  380. 	if t.isAdmin() {
    381. 

  381. 		admin, err := dataprovider.AdminExists(t.Username)
    382. 

  382. 		if err != nil {
    383. 

  383. 			return err
    384. 

  384. 		}
    385. 

  385. 		if err := admin.CanLogin(util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {
    386. 

  386. 			return err
    387. 

  387. 		}
    388. 

  388. 		t.Permissions = admin.Permissions
    389. 

  389. 		t.TokenRole = admin.Role
    390. 

  390. 		t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
    391. 

  391. 		return nil
    392. 

  392. 	}
    393. 

  393. 	user, err := dataprovider.GetUserWithGroupSettings(t.Username, "")
    394. 

  394. 	if err != nil {
    395. 

  395. 		return err
    396. 

  396. 	}
    397. 

  397. 	if err := user.CheckLoginConditions(); err != nil {
    398. 

  398. 		return err
    399. 

  399. 	}
    400. 

  400. 	if err := checkHTTPClientUser(&user, r, xid.New().String(), true); err != nil {
    401. 

  401. 		return err
    402. 

  402. 	}
    403. 

  403. 	t.Permissions = user.Filters.WebClient
    404. 

  404. 	t.TokenRole = user.Role
    405. 

  405. 	t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
    406. 

  406. 	t.MustChangePassword = user.MustChangePassword()
    407. 

  407. 	t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
    408. 

  408. 	return nil
    409. 

  409. }
    410. 

  410. 

  411. func (t *oidcToken) getUser(r *http.Request) error {
    412. 

  412. 	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
    413. 

  413. 	params := common.EventParams{
    414. 

  414. 		Name:      t.Username,
    415. 

  415. 		IP:        ipAddr,
    416. 

  416. 		Protocol:  common.ProtocolOIDC,
    417. 

  417. 		Timestamp: time.Now(),
    418. 

  418. 		Status:    1,
    419. 

  419. 	}
    420. 

  420. 	if t.isAdmin() {
    421. 

  421. 		params.Event = common.IDPLoginAdmin
    422. 

  422. 		_, admin, err := common.HandleIDPLoginEvent(params, t.CustomFields)
    423. 

  423. 		if err != nil {
    424. 

  424. 			return err
    425. 

  425. 		}
    426. 

  426. 		if admin == nil {
    427. 

  427. 			a, err := dataprovider.AdminExists(t.Username)
    428. 

  428. 			if err != nil {
    429. 

  429. 				return err
    430. 

  430. 			}
    431. 

  431. 			admin = &a
    432. 

  432. 		}
    433. 

  433. 		if err := admin.CanLogin(ipAddr); err != nil {
    434. 

  434. 			return err
    435. 

  435. 		}
    436. 

  436. 		t.Permissions = admin.Permissions
    437. 

  437. 		t.TokenRole = admin.Role
    438. 

  438. 		t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
    439. 

  439. 		dataprovider.UpdateAdminLastLogin(admin)
    440. 

  440. 		common.DelayLogin(nil)
    441. 

  441. 		return nil
    442. 

  442. 	}
    443. 

  443. 	params.Event = common.IDPLoginUser
    444. 

  444. 	user, _, err := common.HandleIDPLoginEvent(params, t.CustomFields)
    445. 

  445. 	if err != nil {
    446. 

  446. 		return err
    447. 

  447. 	}
    448. 

  448. 	if user == nil {
    449. 

  449. 		u, err := dataprovider.GetUserAfterIDPAuth(t.Username, ipAddr, common.ProtocolOIDC, t.CustomFields)
    450. 

  450. 		if err != nil {
    451. 

  451. 			return err
    452. 

  452. 		}
    453. 

  453. 		user = &u
    454. 

  454. 	}
    455. 

  455. 	if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil {
    456. 

  456. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
    457. 

  457. 		return fmt.Errorf("access denied: %w", err)
    458. 

  458. 	}
    459. 

  459. 	if err := user.CheckLoginConditions(); err != nil {
    460. 

  460. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
    461. 

  461. 		return err
    462. 

  462. 	}
    463. 

  463. 	connectionID := fmt.Sprintf("%s_%s", common.ProtocolOIDC, xid.New().String())
    464. 

  464. 	if err := checkHTTPClientUser(user, r, connectionID, true); err != nil {
    465. 

  465. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
    466. 

  466. 		return err
    467. 

  467. 	}
    468. 

  468. 	defer user.CloseFs() //nolint:errcheck
    469. 

  469. 	err = user.CheckFsRoot(connectionID)
    470. 

  470. 	if err != nil {
    471. 

  471. 		logger.Warn(logSender, connectionID, "unable to check fs root: %v", err)
    472. 

  472. 		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure)
    473. 

  473. 		return err
    474. 

  474. 	}
    475. 

  475. 	updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil)
    476. 

  476. 	dataprovider.UpdateLastLogin(user)
    477. 

  477. 	t.Permissions = user.Filters.WebClient
    478. 

  478. 	t.TokenRole = user.Role
    479. 

  479. 	t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
    480. 

  480. 	t.MustChangePassword = user.MustChangePassword()
    481. 

  481. 	t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
    482. 

  482. 	return nil
    483. 

  483. }
    484. 

  484. 

  485. func (s *httpdServer) validateOIDCToken(w http.ResponseWriter, r *http.Request, isAdmin bool) (oidcToken, error) {
    486. 

  486. 	doRedirect := func() {
    487. 

  487. 		removeOIDCCookie(w, r)
    488. 

  488. 		if isAdmin {
    489. 

  489. 			http.Redirect(w, r, webAdminLoginPath, http.StatusFound)
    490. 

  490. 			return
    491. 

  491. 		}
    492. 

  492. 		http.Redirect(w, r, webClientLoginPath, http.StatusFound)
    493. 

  493. 	}
    494. 

  494. 

  495. 	cookie, err := r.Cookie(oidcCookieKey)
    496. 

  496. 	if err != nil {
    497. 

  497. 		logger.Debug(logSender, "", "no oidc cookie, redirecting to login page")
    498. 

  498. 		doRedirect()
    499. 

  499. 		return oidcToken{}, errInvalidToken
    500. 

  500. 	}
    501. 

  501. 	token, err := oidcMgr.getToken(cookie.Value)
    502. 

  502. 	if err != nil {
    503. 

  503. 		logger.Debug(logSender, "", "error getting oidc token associated with cookie %q: %v", cookie.Value, err)
    504. 

  504. 		doRedirect()
    505. 

  505. 		return oidcToken{}, errInvalidToken
    506. 

  506. 	}
    507. 

  507. 	if token.isExpired() {
    508. 

  508. 		logger.Debug(logSender, "", "oidc token associated with cookie %q is expired", token.Cookie)
    509. 

  509. 		ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
    510. 

  510. 		defer cancel()
    511. 

  511. 

  512. 		if err = token.refresh(ctx, s.binding.OIDC.oauth2Config, s.binding.OIDC.getVerifier(ctx), r); err != nil {
    513. 

  513. 			setFlashMessage(w, r, newFlashMessage("Your OpenID token is expired, please log-in again", util.I18nOIDCTokenExpired))
    514. 

  514. 			doRedirect()
    515. 

  515. 			return oidcToken{}, errInvalidToken
    516. 

  516. 		}
    517. 

  517. 	} else {
    518. 

  518. 		oidcMgr.updateTokenUsage(token)
    519. 

  519. 	}
    520. 

  520. 	if isAdmin {
    521. 

  521. 		if !token.isAdmin() {
    522. 

  522. 			logger.Debug(logSender, "", "oidc token associated with cookie %q is not valid for admin users", token.Cookie)
    523. 

  523. 			setFlashMessage(w, r, newFlashMessage(
    524. 

  524. 				"Your OpenID token is not valid for the SFTPGo Web Admin UI. Please logout from your OpenID server and log-in as an SFTPGo admin",
    525. 

  525. 				util.I18nOIDCTokenInvalidAdmin,
    526. 

  526. 			))
    527. 

  527. 			doRedirect()
    528. 

  528. 			return oidcToken{}, errInvalidToken
    529. 

  529. 		}
    530. 

  530. 		return token, nil
    531. 

  531. 	}
    532. 

  532. 	if token.isAdmin() {
    533. 

  533. 		logger.Debug(logSender, "", "oidc token associated with cookie %q is valid for admin users", token.Cookie)
    534. 

  534. 		setFlashMessage(w, r, newFlashMessage(
    535. 

  535. 			"Your OpenID token is not valid for the SFTPGo Web Client UI. Please logout from your OpenID server and log-in as an SFTPGo user",
    536. 

  536. 			util.I18nOIDCTokenInvalidUser,
    537. 

  537. 		))
    538. 

  538. 		doRedirect()
    539. 

  539. 		return oidcToken{}, errInvalidToken
    540. 

  540. 	}
    541. 

  541. 	return token, nil
    542. 

  542. }
    543. 

  543. 

  544. func (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next http.Handler) http.Handler {
    545. 

  545. 	return func(next http.Handler) http.Handler {
    546. 

  546. 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    547. 

  547. 			if canSkipOIDCValidation(r) {
    548. 

  548. 				next.ServeHTTP(w, r)
    549. 

  549. 				return
    550. 

  550. 			}
    551. 

  551. 			token, err := s.validateOIDCToken(w, r, audience == tokenAudienceWebAdmin)
    552. 

  552. 			if err != nil {
    553. 

  553. 				return
    554. 

  554. 			}
    555. 

  555. 			jwtTokenClaims := jwtTokenClaims{
    556. 

  556. 				JwtID:                token.Cookie,
    557. 

  557. 				Username:             token.Username,
    558. 

  558. 				Permissions:          token.Permissions,
    559. 

  559. 				Role:                 token.TokenRole,
    560. 

  560. 				HideUserPageSections: token.HideUserPageSections,
    561. 

  561. 			}
    562. 

  562. 			if audience == tokenAudienceWebClient {
    563. 

  563. 				jwtTokenClaims.MustSetTwoFactorAuth = token.MustSetTwoFactorAuth
    564. 

  564. 				jwtTokenClaims.MustChangePassword = token.MustChangePassword
    565. 

  565. 				jwtTokenClaims.RequiredTwoFactorProtocols = token.RequiredTwoFactorProtocols
    566. 

  566. 			}
    567. 

  567. 			_, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr))
    568. 

  568. 			if err != nil {
    569. 

  569. 				setFlashMessage(w, r, newFlashMessage("Unable to create cookie", util.I18nError500Message))
    570. 

  570. 				if audience == tokenAudienceWebAdmin {
    571. 

  571. 					http.Redirect(w, r, webAdminLoginPath, http.StatusFound)
    572. 

  572. 				} else {
    573. 

  573. 					http.Redirect(w, r, webClientLoginPath, http.StatusFound)
    574. 

  574. 				}
    575. 

  575. 				return
    576. 

  576. 			}
    577. 

  577. 			ctx := context.WithValue(r.Context(), oidcTokenKey, token.Cookie)
    578. 

  578. 			ctx = context.WithValue(ctx, oidcGeneratedToken, tokenString)
    579. 

  579. 

  580. 			next.ServeHTTP(w, r.WithContext(ctx))
    581. 

  581. 		})
    582. 

  582. 	}
    583. 

  583. }
    584. 

  584. 

  585. func (s *httpdServer) handleWebAdminOIDCLogin(w http.ResponseWriter, r *http.Request) {
    586. 

  586. 	s.oidcLoginRedirect(w, r, tokenAudienceWebAdmin)
    587. 

  587. }
    588. 

  588. 

  589. func (s *httpdServer) handleWebClientOIDCLogin(w http.ResponseWriter, r *http.Request) {
    590. 

  590. 	s.oidcLoginRedirect(w, r, tokenAudienceWebClient)
    591. 

  591. }
    592. 

  592. 

  593. func (s *httpdServer) oidcLoginRedirect(w http.ResponseWriter, r *http.Request, audience tokenAudience) {
    594. 

  594. 	pendingAuth := newOIDCPendingAuth(audience)
    595. 

  595. 	oidcMgr.addPendingAuth(pendingAuth)
    596. 

  596. 	http.Redirect(w, r, s.binding.OIDC.oauth2Config.AuthCodeURL(pendingAuth.State,
    597. 

  597. 		oidc.Nonce(pendingAuth.Nonce)), http.StatusFound)
    598. 

  598. }
    599. 

  599. 

  600. func (s *httpdServer) debugTokenClaims(claims map[string]any, rawIDToken string) {
    601. 

  601. 	if s.binding.OIDC.Debug {
    602. 

  602. 		if claims == nil {
    603. 

  603. 			logger.Debug(logSender, "", "raw id token %q", rawIDToken)
    604. 

  604. 		} else {
    605. 

  605. 			logger.Debug(logSender, "", "raw id token %q, parsed claims %+v", rawIDToken, claims)
    606. 

  606. 		}
    607. 

  607. 	}
    608. 

  608. }
    609. 

  609. 

  610. func (s *httpdServer) handleOIDCRedirect(w http.ResponseWriter, r *http.Request) {
    611. 

  611. 	state := r.URL.Query().Get("state")
    612. 

  612. 	authReq, err := oidcMgr.getPendingAuth(state)
    613. 

  613. 	if err != nil {
    614. 

  614. 		logger.Debug(logSender, "", "oidc authentication state did not match")
    615. 

  615. 		oidcMgr.removePendingAuth(state)
    616. 

  616. 		s.renderClientMessagePage(w, r, util.I18nInvalidAuthReqTitle, http.StatusBadRequest,
    617. 

  617. 			util.NewI18nError(err, util.I18nInvalidAuth), "")
    618. 

  618. 		return
    619. 

  619. 	}
    620. 

  620. 	oidcMgr.removePendingAuth(state)
    621. 

  621. 

  622. 	doRedirect := func() {
    623. 

  623. 		if authReq.Audience == tokenAudienceWebAdmin {
    624. 

  624. 			http.Redirect(w, r, webAdminLoginPath, http.StatusFound)
    625. 

  625. 			return
    626. 

  626. 		}
    627. 

  627. 		http.Redirect(w, r, webClientLoginPath, http.StatusFound)
    628. 

  628. 	}
    629. 

  629. 	doLogout := func(rawIDToken string) {
    630. 

  630. 		s.logoutFromOIDCOP(rawIDToken)
    631. 

  631. 	}
    632. 

  632. 

  633. 	ctx, cancel := context.WithTimeout(r.Context(), 20*time.Second)
    634. 

  634. 	defer cancel()
    635. 

  635. 

  636. 	oauth2Token, err := s.binding.OIDC.oauth2Config.Exchange(ctx, r.URL.Query().Get("code"))
    637. 

  637. 	if err != nil {
    638. 

  638. 		logger.Debug(logSender, "", "failed to exchange oidc token: %v", err)
    639. 

  639. 		setFlashMessage(w, r, newFlashMessage("Failed to exchange OpenID token", util.I18nOIDCErrTokenExchange))
    640. 

  640. 		doRedirect()
    641. 

  641. 		return
    642. 

  642. 	}
    643. 

  643. 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
    644. 

  644. 	if !ok {
    645. 

  645. 		logger.Debug(logSender, "", "no id_token field in OAuth2 OpenID token")
    646. 

  646. 		setFlashMessage(w, r, newFlashMessage("No id_token field in OAuth2 OpenID token", util.I18nOIDCTokenInvalid))
    647. 

  647. 		doRedirect()
    648. 

  648. 		return
    649. 

  649. 	}
    650. 

  650. 	s.debugTokenClaims(nil, rawIDToken)
    651. 

  651. 	idToken, err := s.binding.OIDC.getVerifier(ctx).Verify(ctx, rawIDToken)
    652. 

  652. 	if err != nil {
    653. 

  653. 		logger.Debug(logSender, "", "failed to verify oidc token: %v", err)
    654. 

  654. 		setFlashMessage(w, r, newFlashMessage("Failed to verify OpenID token", util.I18nOIDCTokenInvalid))
    655. 

  655. 		doRedirect()
    656. 

  656. 		doLogout(rawIDToken)
    657. 

  657. 		return
    658. 

  658. 	}
    659. 

  659. 	if idToken.Nonce != authReq.Nonce {
    660. 

  660. 		logger.Debug(logSender, "", "oidc authentication nonce did not match")
    661. 

  661. 		setFlashMessage(w, r, newFlashMessage("OpenID authentication nonce did not match", util.I18nOIDCTokenInvalid))
    662. 

  662. 		doRedirect()
    663. 

  663. 		doLogout(rawIDToken)
    664. 

  664. 		return
    665. 

  665. 	}
    666. 

  666. 

  667. 	claims := make(map[string]any)
    668. 

  668. 	err = idToken.Claims(&claims)
    669. 

  669. 	if err != nil {
    670. 

  670. 		logger.Debug(logSender, "", "unable to get oidc token claims: %v", err)
    671. 

  671. 		setFlashMessage(w, r, newFlashMessage("Unable to get OpenID token claims", util.I18nOIDCTokenInvalid))
    672. 

  672. 		doRedirect()
    673. 

  673. 		doLogout(rawIDToken)
    674. 

  674. 		return
    675. 

  675. 	}
    676. 

  676. 	s.debugTokenClaims(claims, rawIDToken)
    677. 

  677. 	token := oidcToken{
    678. 

  678. 		AccessToken:  oauth2Token.AccessToken,
    679. 

  679. 		TokenType:    oauth2Token.TokenType,
    680. 

  680. 		RefreshToken: oauth2Token.RefreshToken,
    681. 

  681. 		IDToken:      rawIDToken,
    682. 

  682. 		Nonce:        idToken.Nonce,
    683. 

  683. 		Cookie:       xid.New().String(),
    684. 

  684. 	}
    685. 

  685. 	if !oauth2Token.Expiry.IsZero() {
    686. 

  686. 		token.ExpiresAt = util.GetTimeAsMsSinceEpoch(oauth2Token.Expiry)
    687. 

  687. 	}
    688. 

  688. 	err = token.parseClaims(claims, s.binding.OIDC.UsernameField, s.binding.OIDC.RoleField,
    689. 

  689. 		s.binding.OIDC.CustomFields, s.binding.OIDC.getForcedRole(authReq.Audience))
    690. 

  690. 	if err != nil {
    691. 

  691. 		logger.Debug(logSender, "", "unable to parse oidc token claims: %v", err)
    692. 

  692. 		setFlashMessage(w, r, newFlashMessage(fmt.Sprintf("Unable to parse OpenID token claims: %v", err), util.I18nOIDCTokenInvalid))
    693. 

  693. 		doRedirect()
    694. 

  694. 		doLogout(rawIDToken)
    695. 

  695. 		return
    696. 

  696. 	}
    697. 

  697. 	switch authReq.Audience {
    698. 

  698. 	case tokenAudienceWebAdmin:
    699. 

  699. 		if !token.isAdmin() {
    700. 

  700. 			logger.Debug(logSender, "", "wrong oidc token role, the mapped user is not an SFTPGo admin")
    701. 

  701. 			setFlashMessage(w, r, newFlashMessage(
    702. 

  702. 				"Wrong OpenID role, the logged in user is not an SFTPGo admin",
    703. 

  703. 				util.I18nOIDCTokenInvalidRoleAdmin))
    704. 

  704. 			doRedirect()
    705. 

  705. 			doLogout(rawIDToken)
    706. 

  706. 			return
    707. 

  707. 		}
    708. 

  708. 	case tokenAudienceWebClient:
    709. 

  709. 		if token.isAdmin() {
    710. 

  710. 			logger.Debug(logSender, "", "wrong oidc token role, the mapped user is an SFTPGo admin")
    711. 

  711. 			setFlashMessage(w, r, newFlashMessage(
    712. 

  712. 				"Wrong OpenID role, the logged in user is an SFTPGo admin",
    713. 

  713. 				util.I18nOIDCTokenInvalidRoleUser,
    714. 

  714. 			))
    715. 

  715. 			doRedirect()
    716. 

  716. 			doLogout(rawIDToken)
    717. 

  717. 			return
    718. 

  718. 		}
    719. 

  719. 	}
    720. 

  720. 	err = token.getUser(r)
    721. 

  721. 	if err != nil {
    722. 

  722. 		logger.Debug(logSender, "", "unable to get the sftpgo user associated with oidc token: %v", err)
    723. 

  723. 		setFlashMessage(w, r, newFlashMessage("Unable to get the user associated with the OpenID token", util.I18nOIDCErrGetUser))
    724. 

  724. 		doRedirect()
    725. 

  725. 		doLogout(rawIDToken)
    726. 

  726. 		return
    727. 

  727. 	}
    728. 

  728. 

  729. 	loginOIDCUser(w, r, token)
    730. 

  730. }
    731. 

  731. 

  732. func loginOIDCUser(w http.ResponseWriter, r *http.Request, token oidcToken) {
    733. 

  733. 	oidcMgr.addToken(token)
    734. 

  734. 

  735. 	cookie := http.Cookie{
    736. 

  736. 		Name:     oidcCookieKey,
    737. 

  737. 		Value:    token.Cookie,
    738. 

  738. 		Path:     "/",
    739. 

  739. 		HttpOnly: true,
    740. 

  740. 		Secure:   isTLS(r),
    741. 

  741. 		SameSite: http.SameSiteLaxMode,
    742. 

  742. 	}
    743. 

  743. 	// we don't set a cookie expiration so we can refresh the token without setting a new cookie
    744. 

  744. 	// the cookie will be invalidated on browser close
    745. 

  745. 	http.SetCookie(w, &cookie)
    746. 

  746. 	w.Header().Add("Cache-Control", `no-cache="Set-Cookie"`)
    747. 

  747. 	if token.isAdmin() {
    748. 

  748. 		http.Redirect(w, r, webUsersPath, http.StatusFound)
    749. 

  749. 		return
    750. 

  750. 	}
    751. 

  751. 	http.Redirect(w, r, webClientFilesPath, http.StatusFound)
    752. 

  752. }
    753. 

  753. 

  754. func (s *httpdServer) logoutOIDCUser(w http.ResponseWriter, r *http.Request) {
    755. 

  755. 	if oidcKey, ok := r.Context().Value(oidcTokenKey).(string); ok {
    756. 

  756. 		removeOIDCCookie(w, r)
    757. 

  757. 		token, err := oidcMgr.getToken(oidcKey)
    758. 

  758. 		if err == nil {
    759. 

  759. 			s.logoutFromOIDCOP(token.IDToken)
    760. 

  760. 		}
    761. 

  761. 		oidcMgr.removeToken(oidcKey)
    762. 

  762. 	}
    763. 

  763. }
    764. 

  764. 

  765. func (s *httpdServer) logoutFromOIDCOP(idToken string) {
    766. 

  766. 	if s.binding.OIDC.providerLogoutURL == "" {
    767. 

  767. 		logger.Debug(logSender, "", "oidc: provider logout URL not set, unable to logout from the OP")
    768. 

  768. 		return
    769. 

  769. 	}
    770. 

  770. 	go s.doOIDCFromLogout(idToken)
    771. 

  771. }
    772. 

  772. 

  773. func (s *httpdServer) doOIDCFromLogout(idToken string) {
    774. 

  774. 	logoutURL, err := url.Parse(s.binding.OIDC.providerLogoutURL)
    775. 

  775. 	if err != nil {
    776. 

  776. 		logger.Warn(logSender, "", "oidc: unable to parse logout URL: %v", err)
    777. 

  777. 		return
    778. 

  778. 	}
    779. 

  779. 	query := logoutURL.Query()
    780. 

  780. 	if idToken != "" {
    781. 

  781. 		query.Set("id_token_hint", idToken)
    782. 

  782. 	}
    783. 

  783. 	logoutURL.RawQuery = query.Encode()
    784. 

  784. 	resp, err := httpclient.RetryableGet(logoutURL.String())
    785. 

  785. 	if err != nil {
    786. 

  786. 		logger.Warn(logSender, "", "oidc: error calling logout URL %q: %v", logoutURL.String(), err)
    787. 

  787. 		return
    788. 

  788. 	}
    789. 

  789. 	defer resp.Body.Close()
    790. 

  790. 	logger.Debug(logSender, "", "oidc: logout url response code %v", resp.StatusCode)
    791. 

  791. }
    792. 

  792. 

  793. func removeOIDCCookie(w http.ResponseWriter, r *http.Request) {
    794. 

  794. 	http.SetCookie(w, &http.Cookie{
    795. 

  795. 		Name:     oidcCookieKey,
    796. 

  796. 		Value:    "",
    797. 

  797. 		Path:     "/",
    798. 

  798. 		Expires:  time.Unix(0, 0),
    799. 

  799. 		MaxAge:   -1,
    800. 

  800. 		HttpOnly: true,
    801. 

  801. 		Secure:   isTLS(r),
    802. 

  802. 		SameSite: http.SameSiteLaxMode,
    803. 

  803. 	})
    804. 

  804. }
    805. 

  805. 

  806. // canSkipOIDCValidation returns true if there is no OIDC cookie but a jwt cookie is set
    807. 

  807. // and so we check if the user is logged in using a built-in user
    808. 

  808. func canSkipOIDCValidation(r *http.Request) bool {
    809. 

  809. 	_, err := r.Cookie(oidcCookieKey)
    810. 

  810. 	if err != nil {
    811. 

  811. 		_, err = r.Cookie(jwtCookieKey)
    812. 

  812. 		return err == nil
    813. 

  813. 	}
    814. 

  814. 	return false
    815. 

  815. }
    816. 

  816. 

  817. func isLoggedInWithOIDC(r *http.Request) bool {
    818. 

  818. 	_, ok := r.Context().Value(oidcTokenKey).(string)
    819. 

  819. 	return ok
    820. 

  820. }
    821. 

  821. 

  822. func getOIDCFieldFromClaims(claims map[string]any, fieldName string) (any, bool) {
    823. 

  823. 	if fieldName == "" {
    824. 

  824. 		return nil, false
    825. 

  825. 	}
    826. 

  826. 	val, ok := claims[fieldName]
    827. 

  827. 	if ok {
    828. 

  828. 		return val, true
    829. 

  829. 	}
    830. 

  830. 	if !strings.Contains(fieldName, ".") {
    831. 

  831. 		return nil, false
    832. 

  832. 	}
    833. 

  833. 

  834. 	getStructValue := func(outer any, field string) (any, bool) {
    835. 

  835. 		switch v := outer.(type) {
    836. 

  836. 		case map[string]any:
    837. 

  837. 			res, ok := v[field]
    838. 

  838. 			return res, ok
    839. 

  839. 		}
    840. 

  840. 		return nil, false
    841. 

  841. 	}
    842. 

  842. 

  843. 	for idx, field := range strings.Split(fieldName, ".") {
    844. 

  844. 		if idx == 0 {
    845. 

  845. 			val, ok = getStructValue(claims, field)
    846. 

  846. 		} else {
    847. 

  847. 			val, ok = getStructValue(val, field)
    848. 

  848. 		}
    849. 

  849. 		if !ok {
    850. 

  850. 			return nil, false
    851. 

  851. 		}
    852. 

  852. 	}
    853. 

  853. 

  854. 	return val, ok
    855. 

  855. }
    856.