Added redis backend, backend selection mechanism

2023-10-26 20:29:11 +02:00
parent 17086b1abf
commit d5af575e74
11 changed files with 393 additions and 81 deletions
--- a/app/ipasso/ldap.go
+++ b/app/ipasso/ldap.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"git.thequux.com/thequux/ipasso/sso-proxy/backend"
+	"git.thequux.com/thequux/ipasso/backend"
 	"git.thequux.com/thequux/ipasso/util"
 	"git.thequux.com/thequux/ipasso/util/genpool"
 	"git.thequux.com/thequux/ipasso/util/startup"
--- a/app/ipasso/loginKrb.go
+++ b/app/ipasso/loginKrb.go
@@ -2,7 +2,7 @@ package main

 import (
 	"errors"
-	"git.thequux.com/thequux/ipasso/sso-proxy/backend"
+	"git.thequux.com/thequux/ipasso/backend"
 	"git.thequux.com/thequux/ipasso/util/startup"
 	"github.com/go-ldap/ldap/v3"
 	"github.com/julienschmidt/httprouter"
@@ -78,7 +78,7 @@ func loginPassword(w http.ResponseWriter, r *http.Request) {
 }

 func finishLogin(w http.ResponseWriter, req *http.Request, entry *ldap.Entry, expiration *time.Time) {
-	SessionID, err := datastore.NewSessionID()
+	SessionID, err := backend.NewSessionID(req.Context(), backend.SessionStore)
 	if err != nil {
 		ReportError(w, err)
 		return
@@ -108,7 +108,7 @@ func finishLogin(w http.ResponseWriter, req *http.Request, entry *ldap.Entry, ex
 		ReportError(w, err)
 		return
 	}
-	_ = datastore.PutSession(session, sessionCache)
+	_ = backend.SessionStore.PutSession(req.Context(), session, sessionCache)

 	// TODO: set cookies, return success
 }
--- a/app/ipasso/main.go
+++ b/app/ipasso/main.go
@@ -4,7 +4,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"git.thequux.com/thequux/ipasso/sso-proxy/backend"
+	_ "git.thequux.com/thequux/ipasso/backend/all"
 	"git.thequux.com/thequux/ipasso/util/startup"
 	"github.com/julienschmidt/httprouter"
 	"go.uber.org/zap"
@@ -17,8 +17,6 @@ import (
 var (
 	domain = flag.String("domain", "thequux.com", "The base domain to enable SSO for")
 	listen = flag.String("listen", "0.0.0.0:80", "The address to listen on")
-
-	datastore backend.Backend = &backend.NullBackend{}
 )

 var (
--- a/backend/all/importAll.go
+++ b/backend/all/importAll.go
@@ -0,0 +1,12 @@
+// Shortcut to include all available backends
+// Usage:
+//
+// ```
+// import _ "git.thequux.com/thequux/ipasso/backend/all"
+// ```
+package all
+
+import (
+	_ "git.thequux.com/thequux/ipasso/backend/null"
+	_ "git.thequux.com/thequux/ipasso/backend/redis"
+)
--- a/backend/interface.go
+++ b/backend/interface.go
@@ -0,0 +1,71 @@
+package backend
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"time"
+)
+
+type UserType string
+
+var (
+	UtPerson  UserType = "person"
+	UtHost    UserType = "host"
+	UtService UserType = "service"
+
+	ErrTooManyAttempts   error = errors.New("too many attempts")
+	ErrReservationSniped error = errors.New("session ID reservation expired and was sniped")
+	ErrBackendData       error = errors.New("invalid data from backend")
+)
+
+// Session holds info about the logged-in user that won't change
+type Session struct {
+	SessionID  string
+	Expiration time.Time
+	UserID     string
+	UserType   UserType
+	LdapDN     string
+}
+
+// SessionCache holds volatile information about the logged-in user
+type SessionCache struct {
+	Valid       bool
+	Groups      []string
+	DisplayName string
+	GivenName   string
+	SurName     string
+	Email       string
+}
+
+type Backend interface {
+	PutSession(ctx context.Context, session Session, cache SessionCache) error
+	GetSession(ctx context.Context, id string) (Session, *SessionCache, error)
+	EndSession(ctx context.Context, id string)
+	// ReserveSessionID attempts to reserve a session ID. If the ID was successfully reserved, return true
+	// A reserved session ID should time out no sooner than 60s from the reservation.
+	// Ergo, once reserved, a session ID should be used within 60s
+	ReserveSessionID(ctx context.Context, sessionID string) (bool, error)
+	DoMaintenance(ctx context.Context)
+	Ping(ctx context.Context) error
+}
+
+func NewSessionID(ctx context.Context, backend Backend) (string, error) {
+	var data = make([]byte, 18)
+	for i := 0; i < 10; i++ {
+		_, err := rand.Read(data[2:])
+		if err != nil {
+			return "", err
+		}
+		encoded := base64.URLEncoding.EncodeToString(data)
+		success, err := backend.ReserveSessionID(ctx, encoded)
+		if err != nil {
+			return "", err
+		}
+		if success {
+			return encoded, nil
+		}
+	}
+	return "", ErrTooManyAttempts
+}
--- a/backend/null/null.go
+++ b/backend/null/null.go
@@ -0,0 +1,47 @@
+package backend
+
+import (
+	"context"
+	"errors"
+	"git.thequux.com/thequux/ipasso/backend"
+	"go.uber.org/zap"
+	"net/url"
+)
+
+type NullBackend struct{}
+
+func (n *NullBackend) PutSession(ctx context.Context, session backend.Session, cache backend.SessionCache) error {
+	//TODO implement me
+	zap.L().Info("Put session", zap.Any("session", session), zap.Any("cache", cache))
+	return nil
+}
+
+func (n *NullBackend) GetSession(ctx context.Context, id string) (backend.Session, *backend.SessionCache, error) {
+	//TODO implement me
+	return backend.Session{}, nil, errors.New("no such session")
+}
+
+func (n *NullBackend) EndSession(ctx context.Context, id string) {
+	//TODO implement me
+}
+
+func (n *NullBackend) ReserveSessionID(ctx context.Context, sessionID string) (bool, error) {
+	//TODO implement me
+	return false, nil
+}
+
+func (n *NullBackend) Ping(ctx context.Context) error {
+	//TODO implement me
+	return nil
+}
+
+func (n *NullBackend) DoMaintenance(ctx context.Context) {
+	//TODO implement me
+}
+
+func init() {
+	backend.RegisterBackendFactory("null", "Do-nothing backend. Probably not useful", "Usage: null://",
+		func(*url.URL) (backend.Backend, error) {
+			return &NullBackend{}, nil
+		})
+}
--- a/backend/redis/redis.go
+++ b/backend/redis/redis.go
@@ -0,0 +1,145 @@
+package redis
+
+import (
+	"context"
+	"encoding/json"
+	"git.thequux.com/thequux/ipasso/backend"
+	"github.com/redis/go-redis/v9"
+	"net/url"
+	"time"
+)
+
+var redisHelp = `
+Usage: redis://<user>:<password>@<host>:<port>/<db_number>
+       redisu://<user>:<password>@</path/to/redis.sock>?db=<db_number>
+       rediss://<user>:<password>@<host>:<port>/<db_number>?addr=<host:port>&addr=<host:port>...
+
+The redis  scheme connects to a normal Redis server over TCP
+the redisu scheme connects to a normal Redis server over a Unix domain socket
+the rediss scheme connects to a redis cluster 
+`
+
+func init() {
+	backend.RegisterBackendFactory("redis", "Redis TCP", redisHelp, DialRedis)
+	backend.RegisterBackendFactory("redisu", "Redis Unix", redisHelp, DialRedis)
+	backend.RegisterBackendFactory("rediss", "Redis Cluster", redisHelp, DialRedis)
+}
+
+func DialRedis(url *url.URL) (be backend.Backend, err error) {
+	var urlString = url.String()
+	var client redis.UniversalClient
+	if url.Scheme == "redis" || url.Scheme == "redisu" {
+		var options *redis.Options
+		options, err = redis.ParseURL(urlString)
+		client = redis.NewClient(options)
+	} else if url.Scheme == "rediss" {
+		var options *redis.ClusterOptions
+		options, err = redis.ParseClusterURL(urlString)
+		client = redis.NewClusterClient(options)
+	}
+	if err == nil {
+		be = &RedisBackend{
+			rdb: client,
+		}
+	}
+	return
+}
+
+func sessionKey(id string) string {
+	return "session:" + id
+}
+func scacheKey(id string) string {
+	return "scache:" + id
+}
+
+type RedisBackend struct {
+	rdb redis.UniversalClient
+}
+
+var putSessionScript = redis.NewScript(`
+local skey = KEYS[1]
+local ckey = KEYS[2]
+local session = ARGS[1]
+local sexp = ARGS[2]
+local cache = ARGS[3]
+local clifetime = ARGS[4]
+
+if redis.call("GET", skey) != "" then
+	return false
+else
+	redis.call("SET", skey, session, "EXAT", sexp)
+	redis.call("SET", ckey, cache, "EX", 30)
+	return true
+end
+`)
+
+func (r *RedisBackend) PutSession(ctx context.Context, session backend.Session, cache backend.SessionCache) error {
+	jsonSession, err := json.Marshal(session)
+	if err != nil {
+		return err
+	}
+	jsonCache, err := json.Marshal(cache)
+	if err != nil {
+		return err
+	}
+
+	result, err := putSessionScript.Run(ctx, r.rdb,
+		[]string{sessionKey(session.SessionID), scacheKey(session.SessionID)},
+		jsonSession,
+		session.Expiration.Unix(),
+		jsonCache,
+		30,
+	).Bool()
+
+	if err != nil {
+		return err
+	} else if result {
+		return nil
+	} else {
+		return backend.ErrReservationSniped
+	}
+}
+
+func (r *RedisBackend) GetSession(ctx context.Context, id string) (backend.Session, *backend.SessionCache, error) {
+	var session backend.Session
+	var cache backend.SessionCache
+
+	result, err := r.rdb.MGet(ctx, sessionKey(id), scacheKey(id)).Result()
+	if err != nil {
+		return session, nil, err
+	}
+
+	v, ok := result[0].([]byte)
+	if !ok {
+		return backend.Session{}, nil, backend.ErrBackendData
+	}
+	if err = json.Unmarshal(v, &session); err != nil {
+		return backend.Session{}, nil, err
+	}
+
+	v, ok = result[1].([]byte)
+	if !ok {
+		return backend.Session{}, nil, backend.ErrBackendData
+	}
+	if err = json.Unmarshal(v, &cache); err != nil {
+		return backend.Session{}, nil, err
+	}
+
+	return session, &cache, nil
+}
+
+func (r *RedisBackend) EndSession(ctx context.Context, id string) {
+	r.rdb.Del(ctx, sessionKey(id), scacheKey(id))
+}
+
+func (r *RedisBackend) ReserveSessionID(ctx context.Context, id string) (bool, error) {
+	return r.rdb.SetNX(ctx, sessionKey(id), "", time.Second*60).Result()
+}
+
+func (r *RedisBackend) DoMaintenance(ctx context.Context) {
+	// Redis handles cleaning up expired keys itself
+}
+
+func (r *RedisBackend) Ping(ctx context.Context) error {
+	return r.rdb.Ping(ctx).Err()
+}
--- a/backend/registration.go
+++ b/backend/registration.go
@@ -0,0 +1,104 @@
+package backend
+
+import (
+	"flag"
+	"fmt"
+	"git.thequux.com/thequux/ipasso/util/startup"
+	"go.uber.org/zap"
+	"net/url"
+	"os"
+	"sort"
+	"strings"
+)
+
+var backendUrl = flag.String("backend", "help://", "URL of backend. Use help:// for a list, or help://[backend] for details on a particular backend")
+
+var SessionStore Backend
+
+type backendRecord struct {
+	description string
+	help        string
+	factory     Factory
+}
+
+// Factory for backend objects. You don't need this unless you're working on
+// initialization machinery or implementing a backend
+type Factory func(url *url.URL) (Backend, error)
+
+var sessionLogger *zap.Logger
+
+var registry = make(map[string]backendRecord)
+
+func RegisterBackendFactory(scheme string, description string, help string, factory Factory) {
+	scheme = strings.ToLower(scheme)
+	_, exist := registry[scheme]
+	if exist {
+		panic("Scheme " + scheme + " registered multiple times")
+	}
+
+	registry[scheme] = backendRecord{
+		description: description,
+		help:        help,
+		factory:     factory,
+	}
+}
+
+func init() {
+	// register the help factory
+	RegisterBackendFactory("help", "Help on backends", `
+Usage: 
+  help://          List available backends
+  help://backend   Print help on a specific backend
+`,
+		backendHelp,
+	)
+
+	startup.Logger.Add(func() {
+		sessionLogger = zap.L().Named("session")
+	})
+	startup.PostFlags.Add(func() {
+		parsed, err := url.Parse(*backendUrl)
+		if err != nil {
+			sessionLogger.Fatal("Invalid backend spec", zap.Error(err))
+		}
+		backend, ok := registry[parsed.Scheme]
+		if !ok {
+			sessionLogger.Fatal("Unknown backend type", zap.String("scheme", parsed.Scheme))
+		}
+		SessionStore, err = backend.factory(parsed)
+		if err != nil {
+			sessionLogger.Fatal("Failed to initialize backend", zap.Error(err))
+		}
+
+	})
+}
+
+func backendHelp(url *url.URL) (Backend, error) {
+
+	scheme := url.Hostname()
+	if scheme != "" {
+		backend, ok := registry[scheme]
+		if ok {
+			fmt.Println(strings.TrimPrefix(backend.help, "\n"))
+			os.Exit(1)
+		}
+	}
+
+	var backendList []string
+
+	var maxLen = 0
+	for name := range registry {
+		backendList = append(backendList, name)
+		if len(name) > maxLen {
+			maxLen = len(name)
+		}
+	}
+	sort.Strings(backendList)
+
+	fmt.Println("Available backends:")
+	for _, name := range backendList {
+		fmt.Printf("%*s  %s\n", maxLen, name, registry[name].description)
+	}
+	os.Exit(1)
+	return nil, nil
+}
--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,9 @@ require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/google/uuid v1.3.1 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
@@ -28,6 +30,7 @@ require (
 	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/redis/go-redis/v9 v9.2.1 // indirect
 	github.com/stretchr/testify v1.8.4 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
 	golang.org/x/crypto v0.13.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -6,10 +6,14 @@ github.com/CloudyKit/jet/v6 v6.2.0 h1:EpcZ6SR9n28BUGtNJSvlBqf90IpjeFr36Tizxhn/oM
 github.com/CloudyKit/jet/v6 v6.2.0/go.mod h1:d3ypHeIRNo2+XyqnGA8s+aphtcVpjP5hPwP/Lzo7Ro4=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
 github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
@@ -41,6 +45,8 @@ github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg=
+github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
--- a/sso-proxy/backend/interface.go
+++ b/sso-proxy/backend/interface.go
@@ -1,74 +0,0 @@
-package backend
-
-import (
-	"errors"
-	"go.uber.org/zap"
-	"time"
-)
-
-type UserType string
-
-var (
-	UtPerson  UserType = "person"
-	UtHost    UserType = "host"
-	UtService UserType = "service"
-)
-
-// Session holds info about the logged-in user that won't change
-type Session struct {
-	SessionID  string
-	Expiration time.Time
-	UserID     string
-	UserType   UserType
-	LdapDN     string
-}
-
-// SessionCache holds volatile information about the logged-in user
-type SessionCache struct {
-	Valid       bool
-	Groups      []string
-	DisplayName string
-	GivenName   string
-	SurName     string
-	Email       string
-}
-
-type Backend interface {
-	PutSession(session Session, cache SessionCache) error
-	GetSession(id string) (Session, *SessionCache, error)
-	EndSession(id string)
-	NewSessionID() (string, error)
-	DoMaintenance()
-	Ping() error
-}
-
-type NullBackend struct{}
-
-func (n *NullBackend) PutSession(session Session, cache SessionCache) error {
-	//TODO implement me
-	zap.L().Info("Put session", zap.Any("session", session), zap.Any("cache", cache))
-	return nil
-}
-
-func (n *NullBackend) GetSession(id string) (Session, *SessionCache, error) {
-	//TODO implement me
-	return Session{}, nil, errors.New("no such session")
-}
-
-func (n *NullBackend) EndSession(id string) {
-	//TODO implement me
-}
-
-func (n *NullBackend) NewSessionID() (string, error) {
-	//TODO implement me
-	return "foo", nil
-}
-
-func (n *NullBackend) DoMaintenance() {
-	//TODO implement me
-}
-
-func (n *NullBackend) Ping() error {
-	//TODO implement me
-	return nil
-}