From d5af575e74e02a5e93b9fadc7eb617d28dbf9230 Mon Sep 17 00:00:00 2001 From: TQ Hirsch Date: Thu, 26 Oct 2023 20:29:11 +0200 Subject: [PATCH] Added redis backend, backend selection mechanism --- app/ipasso/ldap.go | 2 +- app/ipasso/loginKrb.go | 6 +- app/ipasso/main.go | 4 +- backend/all/importAll.go | 12 +++ backend/interface.go | 71 ++++++++++++++++ backend/null/null.go | 47 +++++++++++ backend/redis/redis.go | 145 +++++++++++++++++++++++++++++++++ backend/registration.go | 104 +++++++++++++++++++++++ go.mod | 3 + go.sum | 6 ++ sso-proxy/backend/interface.go | 74 ----------------- 11 files changed, 393 insertions(+), 81 deletions(-) create mode 100644 backend/all/importAll.go create mode 100644 backend/interface.go create mode 100644 backend/null/null.go create mode 100644 backend/redis/redis.go create mode 100644 backend/registration.go delete mode 100644 sso-proxy/backend/interface.go diff --git a/app/ipasso/ldap.go b/app/ipasso/ldap.go index cbb53fb..4537d69 100644 --- a/app/ipasso/ldap.go +++ b/app/ipasso/ldap.go @@ -4,7 +4,7 @@ import ( "errors" "flag" "fmt" - "git.thequux.com/thequux/ipasso/sso-proxy/backend" + "git.thequux.com/thequux/ipasso/backend" "git.thequux.com/thequux/ipasso/util" "git.thequux.com/thequux/ipasso/util/genpool" "git.thequux.com/thequux/ipasso/util/startup" diff --git a/app/ipasso/loginKrb.go b/app/ipasso/loginKrb.go index aa5d02d..3f2cb41 100644 --- a/app/ipasso/loginKrb.go +++ b/app/ipasso/loginKrb.go @@ -2,7 +2,7 @@ package main import ( "errors" - "git.thequux.com/thequux/ipasso/sso-proxy/backend" + "git.thequux.com/thequux/ipasso/backend" "git.thequux.com/thequux/ipasso/util/startup" "github.com/go-ldap/ldap/v3" "github.com/julienschmidt/httprouter" @@ -78,7 +78,7 @@ func loginPassword(w http.ResponseWriter, r *http.Request) { } func finishLogin(w http.ResponseWriter, req *http.Request, entry *ldap.Entry, expiration *time.Time) { - SessionID, err := datastore.NewSessionID() + SessionID, err := backend.NewSessionID(req.Context(), backend.SessionStore) if err != nil { ReportError(w, err) return @@ -108,7 +108,7 @@ func finishLogin(w http.ResponseWriter, req *http.Request, entry *ldap.Entry, ex ReportError(w, err) return } - _ = datastore.PutSession(session, sessionCache) + _ = backend.SessionStore.PutSession(req.Context(), session, sessionCache) // TODO: set cookies, return success } diff --git a/app/ipasso/main.go b/app/ipasso/main.go index 897b189..6cdc4e1 100644 --- a/app/ipasso/main.go +++ b/app/ipasso/main.go @@ -4,7 +4,7 @@ import ( "errors" "flag" "fmt" - "git.thequux.com/thequux/ipasso/sso-proxy/backend" + _ "git.thequux.com/thequux/ipasso/backend/all" "git.thequux.com/thequux/ipasso/util/startup" "github.com/julienschmidt/httprouter" "go.uber.org/zap" @@ -17,8 +17,6 @@ import ( var ( domain = flag.String("domain", "thequux.com", "The base domain to enable SSO for") listen = flag.String("listen", "0.0.0.0:80", "The address to listen on") - - datastore backend.Backend = &backend.NullBackend{} ) var ( diff --git a/backend/all/importAll.go b/backend/all/importAll.go new file mode 100644 index 0000000..fb220c9 --- /dev/null +++ b/backend/all/importAll.go @@ -0,0 +1,12 @@ +// Shortcut to include all available backends +// Usage: +// +// ``` +// import _ "git.thequux.com/thequux/ipasso/backend/all" +// ``` +package all + +import ( + _ "git.thequux.com/thequux/ipasso/backend/null" + _ "git.thequux.com/thequux/ipasso/backend/redis" +) diff --git a/backend/interface.go b/backend/interface.go new file mode 100644 index 0000000..9cb6098 --- /dev/null +++ b/backend/interface.go @@ -0,0 +1,71 @@ +package backend + +import ( + "context" + "crypto/rand" + "encoding/base64" + "errors" + "time" +) + +type UserType string + +var ( + UtPerson UserType = "person" + UtHost UserType = "host" + UtService UserType = "service" + + ErrTooManyAttempts error = errors.New("too many attempts") + ErrReservationSniped error = errors.New("session ID reservation expired and was sniped") + ErrBackendData error = errors.New("invalid data from backend") +) + +// Session holds info about the logged-in user that won't change +type Session struct { + SessionID string + Expiration time.Time + UserID string + UserType UserType + LdapDN string +} + +// SessionCache holds volatile information about the logged-in user +type SessionCache struct { + Valid bool + Groups []string + DisplayName string + GivenName string + SurName string + Email string +} + +type Backend interface { + PutSession(ctx context.Context, session Session, cache SessionCache) error + GetSession(ctx context.Context, id string) (Session, *SessionCache, error) + EndSession(ctx context.Context, id string) + // ReserveSessionID attempts to reserve a session ID. If the ID was successfully reserved, return true + // A reserved session ID should time out no sooner than 60s from the reservation. + // Ergo, once reserved, a session ID should be used within 60s + ReserveSessionID(ctx context.Context, sessionID string) (bool, error) + DoMaintenance(ctx context.Context) + Ping(ctx context.Context) error +} + +func NewSessionID(ctx context.Context, backend Backend) (string, error) { + var data = make([]byte, 18) + for i := 0; i < 10; i++ { + _, err := rand.Read(data[2:]) + if err != nil { + return "", err + } + encoded := base64.URLEncoding.EncodeToString(data) + success, err := backend.ReserveSessionID(ctx, encoded) + if err != nil { + return "", err + } + if success { + return encoded, nil + } + } + return "", ErrTooManyAttempts +} diff --git a/backend/null/null.go b/backend/null/null.go new file mode 100644 index 0000000..dd61d33 --- /dev/null +++ b/backend/null/null.go @@ -0,0 +1,47 @@ +package backend + +import ( + "context" + "errors" + "git.thequux.com/thequux/ipasso/backend" + "go.uber.org/zap" + "net/url" +) + +type NullBackend struct{} + +func (n *NullBackend) PutSession(ctx context.Context, session backend.Session, cache backend.SessionCache) error { + //TODO implement me + zap.L().Info("Put session", zap.Any("session", session), zap.Any("cache", cache)) + return nil +} + +func (n *NullBackend) GetSession(ctx context.Context, id string) (backend.Session, *backend.SessionCache, error) { + //TODO implement me + return backend.Session{}, nil, errors.New("no such session") +} + +func (n *NullBackend) EndSession(ctx context.Context, id string) { + //TODO implement me +} + +func (n *NullBackend) ReserveSessionID(ctx context.Context, sessionID string) (bool, error) { + //TODO implement me + return false, nil +} + +func (n *NullBackend) Ping(ctx context.Context) error { + //TODO implement me + return nil +} + +func (n *NullBackend) DoMaintenance(ctx context.Context) { + //TODO implement me +} + +func init() { + backend.RegisterBackendFactory("null", "Do-nothing backend. Probably not useful", "Usage: null://", + func(*url.URL) (backend.Backend, error) { + return &NullBackend{}, nil + }) +} diff --git a/backend/redis/redis.go b/backend/redis/redis.go new file mode 100644 index 0000000..5b2cc2b --- /dev/null +++ b/backend/redis/redis.go @@ -0,0 +1,145 @@ +package redis + +import ( + "context" + "encoding/json" + "git.thequux.com/thequux/ipasso/backend" + "github.com/redis/go-redis/v9" + "net/url" + "time" +) + +var redisHelp = ` +Usage: redis://:@:/ + redisu://:@?db= + rediss://:@:/?addr=&addr=... + +The redis scheme connects to a normal Redis server over TCP +the redisu scheme connects to a normal Redis server over a Unix domain socket +the rediss scheme connects to a redis cluster +` + +func init() { + backend.RegisterBackendFactory("redis", "Redis TCP", redisHelp, DialRedis) + backend.RegisterBackendFactory("redisu", "Redis Unix", redisHelp, DialRedis) + backend.RegisterBackendFactory("rediss", "Redis Cluster", redisHelp, DialRedis) +} + +func DialRedis(url *url.URL) (be backend.Backend, err error) { + var urlString = url.String() + var client redis.UniversalClient + if url.Scheme == "redis" || url.Scheme == "redisu" { + var options *redis.Options + options, err = redis.ParseURL(urlString) + client = redis.NewClient(options) + } else if url.Scheme == "rediss" { + var options *redis.ClusterOptions + options, err = redis.ParseClusterURL(urlString) + client = redis.NewClusterClient(options) + } + if err == nil { + be = &RedisBackend{ + rdb: client, + } + } + return +} + +func sessionKey(id string) string { + return "session:" + id +} +func scacheKey(id string) string { + return "scache:" + id +} + +type RedisBackend struct { + rdb redis.UniversalClient +} + +var putSessionScript = redis.NewScript(` +local skey = KEYS[1] +local ckey = KEYS[2] +local session = ARGS[1] +local sexp = ARGS[2] +local cache = ARGS[3] +local clifetime = ARGS[4] + +if redis.call("GET", skey) != "" then + return false +else + redis.call("SET", skey, session, "EXAT", sexp) + redis.call("SET", ckey, cache, "EX", 30) + return true +end +`) + +func (r *RedisBackend) PutSession(ctx context.Context, session backend.Session, cache backend.SessionCache) error { + jsonSession, err := json.Marshal(session) + if err != nil { + return err + } + jsonCache, err := json.Marshal(cache) + if err != nil { + return err + } + + result, err := putSessionScript.Run(ctx, r.rdb, + []string{sessionKey(session.SessionID), scacheKey(session.SessionID)}, + jsonSession, + session.Expiration.Unix(), + jsonCache, + 30, + ).Bool() + + if err != nil { + return err + } else if result { + return nil + } else { + return backend.ErrReservationSniped + } +} + +func (r *RedisBackend) GetSession(ctx context.Context, id string) (backend.Session, *backend.SessionCache, error) { + var session backend.Session + var cache backend.SessionCache + + result, err := r.rdb.MGet(ctx, sessionKey(id), scacheKey(id)).Result() + if err != nil { + return session, nil, err + } + + v, ok := result[0].([]byte) + if !ok { + return backend.Session{}, nil, backend.ErrBackendData + } + if err = json.Unmarshal(v, &session); err != nil { + return backend.Session{}, nil, err + } + + v, ok = result[1].([]byte) + if !ok { + return backend.Session{}, nil, backend.ErrBackendData + } + if err = json.Unmarshal(v, &cache); err != nil { + return backend.Session{}, nil, err + } + + return session, &cache, nil +} + +func (r *RedisBackend) EndSession(ctx context.Context, id string) { + r.rdb.Del(ctx, sessionKey(id), scacheKey(id)) +} + +func (r *RedisBackend) ReserveSessionID(ctx context.Context, id string) (bool, error) { + return r.rdb.SetNX(ctx, sessionKey(id), "", time.Second*60).Result() +} + +func (r *RedisBackend) DoMaintenance(ctx context.Context) { + // Redis handles cleaning up expired keys itself +} + +func (r *RedisBackend) Ping(ctx context.Context) error { + return r.rdb.Ping(ctx).Err() +} diff --git a/backend/registration.go b/backend/registration.go new file mode 100644 index 0000000..e3a62e4 --- /dev/null +++ b/backend/registration.go @@ -0,0 +1,104 @@ +package backend + +import ( + "flag" + "fmt" + "git.thequux.com/thequux/ipasso/util/startup" + "go.uber.org/zap" + "net/url" + "os" + "sort" + "strings" +) + +var backendUrl = flag.String("backend", "help://", "URL of backend. Use help:// for a list, or help://[backend] for details on a particular backend") + +var SessionStore Backend + +type backendRecord struct { + description string + help string + factory Factory +} + +// Factory for backend objects. You don't need this unless you're working on +// initialization machinery or implementing a backend +type Factory func(url *url.URL) (Backend, error) + +var sessionLogger *zap.Logger + +var registry = make(map[string]backendRecord) + +func RegisterBackendFactory(scheme string, description string, help string, factory Factory) { + scheme = strings.ToLower(scheme) + _, exist := registry[scheme] + if exist { + panic("Scheme " + scheme + " registered multiple times") + } + + registry[scheme] = backendRecord{ + description: description, + help: help, + factory: factory, + } +} + +func init() { + // register the help factory + RegisterBackendFactory("help", "Help on backends", ` +Usage: + help:// List available backends + help://backend Print help on a specific backend +`, + backendHelp, + ) + + startup.Logger.Add(func() { + sessionLogger = zap.L().Named("session") + }) + startup.PostFlags.Add(func() { + parsed, err := url.Parse(*backendUrl) + if err != nil { + sessionLogger.Fatal("Invalid backend spec", zap.Error(err)) + } + backend, ok := registry[parsed.Scheme] + if !ok { + sessionLogger.Fatal("Unknown backend type", zap.String("scheme", parsed.Scheme)) + } + SessionStore, err = backend.factory(parsed) + if err != nil { + sessionLogger.Fatal("Failed to initialize backend", zap.Error(err)) + } + + }) +} + +func backendHelp(url *url.URL) (Backend, error) { + + scheme := url.Hostname() + if scheme != "" { + backend, ok := registry[scheme] + if ok { + fmt.Println(strings.TrimPrefix(backend.help, "\n")) + os.Exit(1) + } + } + + var backendList []string + + var maxLen = 0 + for name := range registry { + backendList = append(backendList, name) + if len(name) > maxLen { + maxLen = len(name) + } + } + sort.Strings(backendList) + + fmt.Println("Available backends:") + for _, name := range backendList { + fmt.Printf("%*s %s\n", maxLen, name, registry[name].description) + } + os.Exit(1) + return nil, nil +} diff --git a/go.mod b/go.mod index b509703..dc4e17e 100644 --- a/go.mod +++ b/go.mod @@ -18,7 +18,9 @@ require ( github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/CloudyKit/fastprinter v0.0.0-20200109182630-33d98a066a53 // indirect github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect + github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect github.com/google/uuid v1.3.1 // indirect github.com/hashicorp/go-uuid v1.0.3 // indirect @@ -28,6 +30,7 @@ require ( github.com/jcmturner/goidentity/v6 v6.0.1 // indirect github.com/jcmturner/rpc/v2 v2.0.3 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect + github.com/redis/go-redis/v9 v9.2.1 // indirect github.com/stretchr/testify v1.8.4 // indirect go.uber.org/multierr v1.10.0 // indirect golang.org/x/crypto v0.13.0 // indirect diff --git a/go.sum b/go.sum index 6cf4eaf..f7f4bef 100644 --- a/go.sum +++ b/go.sum @@ -6,10 +6,14 @@ github.com/CloudyKit/jet/v6 v6.2.0 h1:EpcZ6SR9n28BUGtNJSvlBqf90IpjeFr36Tizxhn/oM github.com/CloudyKit/jet/v6 v6.2.0/go.mod h1:d3ypHeIRNo2+XyqnGA8s+aphtcVpjP5hPwP/Lzo7Ro4= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA= github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA= github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0= @@ -41,6 +45,8 @@ github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/redis/go-redis/v9 v9.2.1 h1:WlYJg71ODF0dVspZZCpYmoF1+U1Jjk9Rwd7pq6QmlCg= +github.com/redis/go-redis/v9 v9.2.1/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= diff --git a/sso-proxy/backend/interface.go b/sso-proxy/backend/interface.go deleted file mode 100644 index 16bb2fe..0000000 --- a/sso-proxy/backend/interface.go +++ /dev/null @@ -1,74 +0,0 @@ -package backend - -import ( - "errors" - "go.uber.org/zap" - "time" -) - -type UserType string - -var ( - UtPerson UserType = "person" - UtHost UserType = "host" - UtService UserType = "service" -) - -// Session holds info about the logged-in user that won't change -type Session struct { - SessionID string - Expiration time.Time - UserID string - UserType UserType - LdapDN string -} - -// SessionCache holds volatile information about the logged-in user -type SessionCache struct { - Valid bool - Groups []string - DisplayName string - GivenName string - SurName string - Email string -} - -type Backend interface { - PutSession(session Session, cache SessionCache) error - GetSession(id string) (Session, *SessionCache, error) - EndSession(id string) - NewSessionID() (string, error) - DoMaintenance() - Ping() error -} - -type NullBackend struct{} - -func (n *NullBackend) PutSession(session Session, cache SessionCache) error { - //TODO implement me - zap.L().Info("Put session", zap.Any("session", session), zap.Any("cache", cache)) - return nil -} - -func (n *NullBackend) GetSession(id string) (Session, *SessionCache, error) { - //TODO implement me - return Session{}, nil, errors.New("no such session") -} - -func (n *NullBackend) EndSession(id string) { - //TODO implement me -} - -func (n *NullBackend) NewSessionID() (string, error) { - //TODO implement me - return "foo", nil -} - -func (n *NullBackend) DoMaintenance() { - //TODO implement me -} - -func (n *NullBackend) Ping() error { - //TODO implement me - return nil -}