Can now run as a Ory Hydra login and consent app

2023-11-03 18:18:25 +01:00
parent 6498a8bd06
commit 805bfe56db
9 changed files with 226 additions and 5 deletions
--- a/app/ipasso/cookies.go
+++ b/app/ipasso/cookies.go
@@ -27,6 +27,7 @@ func (l loginStateMw) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		if cookie.Name != "IPASSO_SID" {
 			continue
 		}
+		zap.L().Debug("Session ID found in req", zap.String(cookie.Name, cookie.Value))

 		sid := cookie.Value
 		if sid == "[logout]" {
--- a/app/ipasso/loginKrb.go
+++ b/app/ipasso/loginKrb.go
@@ -2,10 +2,15 @@ package main

 import (
 	"errors"
+	"flag"
 	"git.thequux.com/thequux/ipasso/backend"
+	"git.thequux.com/thequux/ipasso/resources"
 	"git.thequux.com/thequux/ipasso/util/startup"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/julienschmidt/httprouter"
+	hydra "github.com/ory/hydra-client-go/v2"
+	"go.uber.org/zap"
+	"io"
 	"log"
 	"net/http"
 	"net/http/fcgi"
@@ -13,11 +18,48 @@ import (
 	"time"
 )

+var hydraConfig = hydra.NewConfiguration()
+
+var (
+	hydraAdmin   = flag.String("hydra-admin", "http://localhost:4445", "URL at which the Hydra admin API can be found")
+	hydraClient  *hydra.APIClient
+	oauth2Logger *zap.Logger
+)
+
 func init() {
 	startup.Routes.Add(func(router *httprouter.Router) {
+		router.Handler("GET", "/login", LoginStateMw(http.HandlerFunc(loginPage)))
+		router.Handler("GET", "/consent", LoginStateMw(http.HandlerFunc(consentPage)))
 		router.HandlerFunc("POST", "/login/krb5", loginKrb)
 		router.HandlerFunc("POST", "/login/password", loginPassword)
 	})
+
+	startup.Logger.Add(func() {
+		oauth2Logger = zap.L().Named("oauth2")
+	})
+	startup.PostFlags.Add(func() {
+		hydraConfig.Servers = []hydra.ServerConfiguration{
+			{
+				URL: *hydraAdmin,
+			},
+		}
+		hydraClient = hydra.NewAPIClient(hydraConfig)
+	})
+
+}
+
+func loginPage(w http.ResponseWriter, r *http.Request) {
+	if finishOauth2(w, r, nil, true) {
+		return
+	}
+
+	f, err := resources.StaticFiles.Open("login/index.html")
+	if err != nil {
+		ReportError(w, err)
+	}
+	w.Header().Set("Content-Type", "text/html")
+	w.WriteHeader(http.StatusOK)
+	_, _ = io.Copy(w, f)
 }

 func loginKrb(w http.ResponseWriter, r *http.Request) {
@@ -116,13 +158,119 @@ func finishLogin(w http.ResponseWriter, req *http.Request, entry *ldap.Entry, ex
 		Name:     "IPASSO_SID",
 		Value:    SessionID,
 		Domain:   req.Host,
+		Path:     "/",
 		HttpOnly: true,
 		Secure:   true,
 		Expires:  session.Expiration,
 		SameSite: http.SameSiteStrictMode,
 	}

-	//http.SetCookie(w, &cookie)
-	cookie.Domain = "." + *domain
 	http.SetCookie(w, &cookie)
+	//cookie.Domain = "." + *domain
+	//http.SetCookie(w, &cookie)
+
+	// Handle OAuth2 if necessary
+	finishOauth2(w, req, &session, false)
+}
+
+// Finish OAuth2 processing if appropriate. Returns false if normal processing should continue
+func finishOauth2(w http.ResponseWriter, req *http.Request, session *backend.Session, redirect bool) bool {
+	if session == nil {
+		beSession := GetSession(req.Context(), false)
+		if beSession == nil || beSession.Session == nil {
+			oauth2Logger.Debug("Not finishing oauth flow: no active session")
+			return false
+		}
+		session = beSession.Session
+	}
+
+	query := req.URL.Query()
+	if query.Has("login_challenge") {
+
+		challenge := query.Get("login_challenge")
+		acceptOAuth2LoginRequest := hydra.AcceptOAuth2LoginRequest{
+			Remember:    hydra.PtrBool(true),
+			RememberFor: hydra.PtrInt64(int64(session.Expiration.Sub(time.Now()).Seconds())),
+			Subject:     session.UserID,
+		}
+
+		oauth2Logger.Info("Accepting challenge", zap.Any("response", acceptOAuth2LoginRequest))
+
+		redirectTo, _, err := hydraClient.OAuth2Api.AcceptOAuth2LoginRequest(req.Context()).LoginChallenge(challenge).AcceptOAuth2LoginRequest(acceptOAuth2LoginRequest).Execute()
+		if err != nil {
+			oauth2Logger.Warn("AcceptOAuth2LoginRequest failed", zap.Error(err))
+			return false
+		}
+		if redirect {
+			http.Redirect(w, req, redirectTo.RedirectTo, http.StatusSeeOther)
+		} else {
+			w.Header().Set("Content-Type", "text/plain")
+			w.WriteHeader(200)
+			_, _ = w.Write([]byte(redirectTo.RedirectTo))
+		}
+		oauth2Logger.Debug("Finishing oauth flow")
+		return true
+	}
+	oauth2Logger.Debug("Not finishing oauth flow: no challenge")
+	return false
+}
+
+type consentParams struct {
+	ConsentChallenge string
+	ConsentRequest   string
+}
+
+type IdToken struct {
+	Name              string `json:"name"`
+	Sub               string `json:"sub"`
+	GivenName         string `json:"given_name"`
+	FamilyName        string `json:"family_name"`
+	PreferredUsername string `json:"preferred_username"`
+	Email             string `json:"email"`
+	EmailVerified     bool   `json:"email_verified"`
+}
+
+func consentPage(w http.ResponseWriter, req *http.Request) {
+	session := GetSession(req.Context(), true)
+	// We can assume that we've got a session, I think.
+
+	query := req.URL.Query()
+	consentChallenge := query.Get("consent_challenge")
+	ocr, _, err := hydraClient.OAuth2Api.GetOAuth2ConsentRequest(req.Context()).ConsentChallenge(consentChallenge).Execute()
+	if err != nil {
+		ReportError(w, err)
+		return
+	}
+	//reqJSON, _ := json.MarshalIndent(oAuth2ConsentRequest, "", "  ")
+	//params := consentParams{
+	//	ConsentRequest:   string(reqJSON),
+	//	ConsentChallenge: consentChallenge,
+	//}
+	//RenderPage(w, req, "consent", params)
+
+	// TODO: We should really have a consent page here, but in the mean time, not having it is OK
+	acr := hydra.AcceptOAuth2ConsentRequest{}
+	acr.Session = &hydra.AcceptOAuth2ConsentRequestSession{
+		AccessToken: map[string]string{},
+		IdToken: IdToken{
+			Name:              session.Cache.DisplayName,
+			Sub:               session.Session.UserID,
+			GivenName:         session.Cache.GivenName,
+			FamilyName:        session.Cache.FamilyName,
+			PreferredUsername: session.Session.UserID,
+			Email:             session.Cache.Email,
+			EmailVerified:     true,
+		},
+	}
+	acr.GrantScope = ocr.GetRequestedScope()
+	acr.GrantAccessTokenAudience = ocr.RequestedAccessTokenAudience
+
+	oauth2Logger.Info("Accepting consent", zap.Any("acr", acr))
+	redirectTo, _, err := hydraClient.OAuth2Api.AcceptOAuth2ConsentRequest(req.Context()).ConsentChallenge(consentChallenge).AcceptOAuth2ConsentRequest(acr).Execute()
+	if err != nil {
+		ReportError(w, err)
+		return
+	}
+
+	http.Redirect(w, req, redirectTo.RedirectTo, http.StatusSeeOther)
 }
--- a/app/ipasso/renderCommon.go
+++ b/app/ipasso/renderCommon.go
@@ -45,7 +45,7 @@ func ReportError(w http.ResponseWriter, err error) {

 var ctypes = [resources.ATComboCount]contentnegotiation.Negotiator{
 	contentnegotiation.NewNegotiator("application/json"),
-	contentnegotiation.NewNegotiator("text/html", "application/json", "text/html"),
+	contentnegotiation.NewNegotiator("text/html", "application/json"),
 	contentnegotiation.NewNegotiator("text/plain", "application/json"),
 	contentnegotiation.NewNegotiator("text/html", "text/plain", "application/json"),
 }
@@ -57,6 +57,7 @@ func RenderPage(w http.ResponseWriter, req *http.Request, template string, data
 	negotiator := ctypes[act]
 	ctype, _, err := negotiator.Negotiate(req.Header.Get("Accept"))
 	if err != nil {
+		templateLogger.Warn("Negotiate failed", zap.Error(err), zap.String("ctype", ctype.String()))
 		w.Header().Set("Content-Length", "0")
 		w.WriteHeader(http.StatusUnsupportedMediaType)
 		return
--- a/go.mod
+++ b/go.mod
@@ -22,6 +22,7 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/uuid v1.3.1 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
@@ -29,10 +30,14 @@ require (
 	github.com/jcmturner/gofork v1.7.6 // indirect
 	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	github.com/ory/hydra-client-go/v2 v2.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/redis/go-redis/v9 v9.2.1 // indirect
 	github.com/stretchr/testify v1.8.4 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
 	golang.org/x/crypto v0.13.0 // indirect
 	golang.org/x/net v0.15.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -19,6 +19,11 @@ github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
 github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
@@ -42,6 +47,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
+github.com/ory/hydra-client-go/v2 v2.1.1 h1:3JatU9uFbw5XhF3lgPCas1l1Kok2v5Mq1p26zZwGHNg=
+github.com/ory/hydra-client-go/v2 v2.1.1/go.mod h1:IiIwChp/9wRvPoyFQblqPvg78uVishCCrV9+/M7Pl34=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -72,6 +79,7 @@ golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -82,6 +90,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -101,6 +111,7 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
@@ -112,6 +123,13 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/resources/static/login/index.html
+++ b/resources/static/login/index.html
@@ -3,9 +3,10 @@
 <head>
    <meta charset="UTF-8">
    <title>SSO Login</title>
+    <script src="/login/login.js"></script>
 </head>
 <body>
-    <form action="password" method="post">
+    <form method="post">
        <table>
            <tr>
                <td><label for="user">User</label></td>
@@ -18,7 +19,7 @@
            <tr>
                <td></td>
                <td>
-                   <input type="submit" value="Log in">
+                   <input type="submit" value="Log in" id="doit">
                </td>
            </tr>
        </table>
--- a/resources/static/login/login.js
+++ b/resources/static/login/login.js
@@ -0,0 +1,33 @@
+
+// Attempt to log in using ambient authority (e.g., Kerberos, SSL, etc)
+async function tryLoginAmbient() {
+    let resp = await fetch("/login/krb5" + window.location.search, {method: "POST", redirect: "manual"})
+    if (resp.ok) {
+        window.location = await resp.text()
+    }
+}
+
+async function tryLoginPassword() {
+    let userField = document.getElementById("user")
+    let passwordField = document.getElementById("password")
+    let doit = document.getElementById("doit")
+    try {
+        userField.enabled = passwordField.enabled = doit.enabled = false
+        let resp = await fetch("/login/password" + window.location.search, {method: "POST"})
+        if (resp.ok) {
+            window.location = await resp.text()
+        }
+    } catch (e) {
+        userField.enabled = passwordField.enabled = doit.enabled = true
+        throw e
+    }
+}
+
+tryLoginAmbient() // don't bother awaiting, just let 'er go
+document.addEventListener("load", () => {
+    document.getElementById("doit").form.addEventListener("submit", function (e) {
+        e.preventDefault()
+        tryLoginPassword()
+        return false
+    })
+})
--- a/resources/templates/consent.html
+++ b/resources/templates/consent.html
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>Consent request</title>
+</head>
+<body>
+
+<pre>{{ .ConsentRequest }}</pre>
+
+<hr>
+</body>
+</html>
--- a/resources/templates/consent.txt
+++ b/resources/templates/consent.txt
@@ -0,0 +1 @@
+{{ .ConsentRequest }}