From 23e111f60df7a50f4fdd970065e96fb6b2f473f3 Mon Sep 17 00:00:00 2001 From: Harvey Kandola Date: Wed, 2 Aug 2017 10:29:25 +0100 Subject: [PATCH] keycloak integration code moved to new API --- domain/account/endpoint.go | 12 -- domain/auth/{keycloak.go => auth.go} | 0 domain/auth/keycloak/endpoint.go | 264 +++++++++++++++++++++++++++ domain/auth/keycloak/keycloak.go | 204 +++++++++++++++++++++ domain/auth/keycloak/model.go | 52 ++++++ server/routing/routes.go | 6 +- 6 files changed, 524 insertions(+), 14 deletions(-) delete mode 100644 domain/account/endpoint.go rename domain/auth/{keycloak.go => auth.go} (100%) create mode 100644 domain/auth/keycloak/endpoint.go create mode 100644 domain/auth/keycloak/keycloak.go create mode 100644 domain/auth/keycloak/model.go diff --git a/domain/account/endpoint.go b/domain/account/endpoint.go deleted file mode 100644 index 5e7f5f0a..00000000 --- a/domain/account/endpoint.go +++ /dev/null @@ -1,12 +0,0 @@ -package account - -import ( - "github.com/documize/community/core/env" - "github.com/documize/community/domain" -) - -// Handler contains the runtime information such as logging and database. -type Handler struct { - Runtime *env.Runtime - Store domain.Store -} diff --git a/domain/auth/keycloak.go b/domain/auth/auth.go similarity index 100% rename from domain/auth/keycloak.go rename to domain/auth/auth.go diff --git a/domain/auth/keycloak/endpoint.go b/domain/auth/keycloak/endpoint.go new file mode 100644 index 00000000..5ef355bf --- /dev/null +++ b/domain/auth/keycloak/endpoint.go @@ -0,0 +1,264 @@ +// Copyright 2016 Documize Inc. . All rights reserved. +// +// This software (Documize Community Edition) is licensed under +// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html +// +// You can operate outside the AGPL restrictions by purchasing +// Documize Enterprise Edition and obtaining a commercial license +// by contacting . +// +// https://documize.com + +package keycloak + +import ( + "database/sql" + "encoding/json" + "fmt" + "io/ioutil" + "net/http" + "sort" + "strings" + + "github.com/documize/community/core/env" + "github.com/documize/community/core/response" + "github.com/documize/community/core/secrets" + "github.com/documize/community/core/streamutil" + "github.com/documize/community/core/stringutil" + "github.com/documize/community/domain" + "github.com/documize/community/domain/auth" + usr "github.com/documize/community/domain/user" + ath "github.com/documize/community/model/auth" + "github.com/documize/community/model/user" +) + +// Handler contains the runtime information such as logging and database. +type Handler struct { + Runtime *env.Runtime + Store *domain.Store +} + +// Sync gets list of Keycloak users and inserts new users into Documize +// and marks Keycloak disabled users as inactive. +func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) { + ctx := domain.GetRequestContext(r) + + if !ctx.Administrator { + response.WriteForbiddenError(w) + return + } + + var result struct { + Message string `json:"message"` + IsError bool `json:"isError"` + } + + // Org contains raw auth provider config + org, err := h.Store.Organization.GetOrganization(ctx, ctx.OrgID) + if err != nil { + result.Message = "Error: unable to get organization record" + result.IsError = true + h.Runtime.Log.Error(result.Message, err) + response.WriteJSON(w, result) + return + } + + // Exit if not using Keycloak + if org.AuthProvider != "keycloak" { + result.Message = "Error: skipping user sync with Keycloak as it is not the configured option" + result.IsError = true + h.Runtime.Log.Info(result.Message) + response.WriteJSON(w, result) + return + } + + // Make Keycloak auth provider config + c := keycloakConfig{} + err = json.Unmarshal([]byte(org.AuthConfig), &c) + if err != nil { + result.Message = "Error: unable read Keycloak configuration data" + result.IsError = true + h.Runtime.Log.Error(result.Message, err) + response.WriteJSON(w, result) + return + } + + // User list from Keycloak + kcUsers, err := Fetch(c) + if err != nil { + result.Message = "Error: unable to fetch Keycloak users: " + err.Error() + result.IsError = true + h.Runtime.Log.Error(result.Message, err) + response.WriteJSON(w, result) + return + } + + // User list from Documize + dmzUsers, err := h.Store.User.GetUsersForOrganization(ctx) + if err != nil { + result.Message = "Error: unable to fetch Documize users" + result.IsError = true + h.Runtime.Log.Error(result.Message, err) + response.WriteJSON(w, result) + return + } + + sort.Slice(kcUsers, func(i, j int) bool { return kcUsers[i].Email < kcUsers[j].Email }) + sort.Slice(dmzUsers, func(i, j int) bool { return dmzUsers[i].Email < dmzUsers[j].Email }) + + insert := []user.User{} + + for _, k := range kcUsers { + exists := false + + for _, d := range dmzUsers { + if k.Email == d.Email { + exists = true + } + } + + if !exists { + insert = append(insert, k) + } + } + + // Insert new users into Documize + for _, u := range insert { + err = addUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace) + } + + result.Message = fmt.Sprintf("Keycloak sync'ed %d users, %d new additions", len(kcUsers), len(insert)) + h.Runtime.Log.Info(result.Message) + response.WriteJSON(w, result) +} + +// Authenticate checks Keycloak authentication credentials. +func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) { + method := "authenticate" + ctx := domain.GetRequestContext(r) + + defer streamutil.Close(r.Body) + body, err := ioutil.ReadAll(r.Body) + if err != nil { + response.WriteBadRequestError(w, method, "Bad payload") + return + } + + a := keycloakAuthRequest{} + err = json.Unmarshal(body, &a) + if err != nil { + response.WriteBadRequestError(w, method, err.Error()) + return + } + + a.Domain = strings.TrimSpace(strings.ToLower(a.Domain)) + a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains + a.Email = strings.TrimSpace(strings.ToLower(a.Email)) + + // Check for required fields. + if len(a.Email) == 0 { + response.WriteUnauthorizedError(w) + return + } + + org, err := h.Store.Organization.GetOrganizationByDomain(ctx, a.Domain) + if err != nil { + response.WriteUnauthorizedError(w) + return + } + + ctx.OrgID = org.RefID + + // Fetch Keycloak auth provider config + ac := keycloakConfig{} + err = json.Unmarshal([]byte(org.AuthConfig), &ac) + if err != nil { + response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key") + return + } + + // Decode and prepare RSA Public Key used by keycloak to sign JWT. + pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey)) + if err != nil { + response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key") + return + } + pk := string(pkb) + pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk) + + // Decode and verify Keycloak JWT + claims, err := auth.DecodeKeycloakJWT(a.Token, pk) + if err != nil { + h.Runtime.Log.Info("decodeKeycloakJWT failed") + response.WriteBadRequestError(w, method, err.Error()) + return + } + + // Compare the contents from JWT with what we have. + // Guards against MITM token tampering. + if a.Email != claims["email"].(string) || claims["sub"].(string) != a.RemoteID { + response.WriteUnauthorizedError(w) + return + } + + h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain) + + u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email) + if err != nil && err != sql.ErrNoRows { + response.WriteServerError(w, method, err) + return + } + + // Create user account if not found + if err == sql.ErrNoRows { + h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain) + + u = user.User{} + u.Firstname = a.Firstname + u.Lastname = a.Lastname + u.Email = a.Email + u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname) + u.Salt = secrets.GenerateSalt() + u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt) + + err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace) + if err != nil { + response.WriteServerError(w, method, err) + return + } + } + + // Password correct and active user + if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) { + response.WriteUnauthorizedError(w) + return + } + + // Attach user accounts and work out permissions. + usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u) + + // No accounts signals data integrity problem + // so we reject login request. + if len(u.Accounts) == 0 { + response.WriteUnauthorizedError(w) + return + } + + // Abort login request if account is disabled. + for _, ac := range u.Accounts { + if ac.OrgID == org.RefID { + if ac.Active == false { + response.WriteUnauthorizedError(w) + return + } + break + } + } + + // Generate JWT token + authModel := ath.AuthenticationModel{} + authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain) + authModel.User = u + + response.WriteJSON(w, authModel) +} diff --git a/domain/auth/keycloak/keycloak.go b/domain/auth/keycloak/keycloak.go new file mode 100644 index 00000000..228431fb --- /dev/null +++ b/domain/auth/keycloak/keycloak.go @@ -0,0 +1,204 @@ +// Copyright 2016 Documize Inc. . All rights reserved. +// +// This software (Documize Community Edition) is licensed under +// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html +// +// You can operate outside the AGPL restrictions by purchasing +// Documize Enterprise Edition and obtaining a commercial license +// by contacting . +// +// https://documize.com + +package keycloak + +import ( + "bytes" + "database/sql" + "encoding/json" + "fmt" + "io/ioutil" + "net/http" + "net/url" + "strconv" + "strings" + + "github.com/documize/community/core/env" + "github.com/documize/community/core/stringutil" + "github.com/documize/community/core/uniqueid" + "github.com/documize/community/domain" + usr "github.com/documize/community/domain/user" + "github.com/documize/community/model/account" + "github.com/documize/community/model/user" + "github.com/pkg/errors" +) + +// Fetch gets list of Keycloak users for specified Realm, Client Id +func Fetch(c keycloakConfig) (users []user.User, err error) { + users = []user.User{} + + form := url.Values{} + form.Add("username", c.AdminUser) + form.Add("password", c.AdminPassword) + form.Add("client_id", "admin-cli") + form.Add("grant_type", "password") + + req, err := http.NewRequest("POST", + fmt.Sprintf("%s/realms/master/protocol/openid-connect/token", c.URL), + bytes.NewBufferString(form.Encode())) + + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Content-Length", strconv.Itoa(len(form.Encode()))) + + client := &http.Client{} + res, err := client.Do(req) + if err != nil { + err = errors.Wrap(err, "cannot connect to Keycloak auth URL") + return users, err + } + + defer res.Body.Close() + body, err := ioutil.ReadAll(res.Body) + if err != nil { + err = errors.Wrap(err, "cannot read Keycloak response from auth request") + return users, err + } + + if res.StatusCode != http.StatusOK { + if res.StatusCode == http.StatusUnauthorized { + return users, errors.New("Check Keycloak username/password") + } + + return users, errors.New("Keycloak authentication failed " + res.Status) + } + + ka := keycloakAPIAuth{} + err = json.Unmarshal(body, &ka) + if err != nil { + return users, err + } + + url := fmt.Sprintf("%s/admin/realms/%s/users?max=500", c.URL, c.Realm) + c.Group = strings.TrimSpace(c.Group) + + if len(c.Group) > 0 { + url = fmt.Sprintf("%s/admin/realms/%s/groups/%s/members?max=500", c.URL, c.Realm, c.Group) + } + + req, err = http.NewRequest("GET", url, nil) + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", ka.AccessToken)) + + client = &http.Client{} + res, err = client.Do(req) + if err != nil { + err = errors.Wrap(err, "cannot fetch Keycloak users") + return users, err + + } + + defer res.Body.Close() + body, err = ioutil.ReadAll(res.Body) + if err != nil { + err = errors.Wrap(err, "cannot read Keycloak user list response") + return users, err + } + + if res.StatusCode != http.StatusOK { + if res.StatusCode == http.StatusNotFound { + if c.Group != "" { + return users, errors.New("Keycloak Realm/Client/Group ID not found") + } + + return users, errors.New("Keycloak Realm/Client Id not found") + } + + return users, errors.New("Keycloak users list call failed " + res.Status) + } + + kcUsers := []keycloakUser{} + err = json.Unmarshal(body, &kcUsers) + if err != nil { + err = errors.Wrap(err, "cannot unmarshal Keycloak user list response") + return users, err + } + + for _, kc := range kcUsers { + u := user.User{} + u.Email = kc.Email + u.Firstname = kc.Firstname + u.Lastname = kc.Lastname + u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname) + u.Active = kc.Enabled + u.Editor = false + + users = append(users, u) + } + + return users, nil +} + +// Helper method to setup user account in Documize using Keycloak provided user data. +func addUser(ctx domain.RequestContext, rt *env.Runtime, store *domain.Store, u user.User, addSpace bool) (err error) { + // only create account if not dupe + addUser := true + addAccount := true + var userID string + + userDupe, err := store.User.GetByEmail(ctx, u.Email) + if err != nil && err != sql.ErrNoRows { + return err + } + + if u.Email == userDupe.Email { + addUser = false + userID = userDupe.RefID + } + + ctx.Transaction, err = rt.Db.Beginx() + if err != nil { + return err + } + + if addUser { + userID = uniqueid.Generate() + u.RefID = userID + + err = store.User.Add(ctx, u) + if err != nil { + ctx.Transaction.Rollback() + return err + } + } else { + usr.AttachUserAccounts(ctx, *store, ctx.OrgID, &userDupe) + + for _, a := range userDupe.Accounts { + if a.OrgID == ctx.OrgID { + addAccount = false + break + } + } + } + + // set up user account for the org + if addAccount { + var a account.Account + a.UserID = userID + a.OrgID = ctx.OrgID + a.Editor = addSpace + a.Admin = false + accountID := uniqueid.Generate() + a.RefID = accountID + a.Active = true + + err = store.Account.Add(ctx, a) + if err != nil { + ctx.Transaction.Rollback() + return err + } + } + + ctx.Transaction.Commit() + + u, err = store.User.Get(ctx, userID) + + return err +} diff --git a/domain/auth/keycloak/model.go b/domain/auth/keycloak/model.go new file mode 100644 index 00000000..705ffaae --- /dev/null +++ b/domain/auth/keycloak/model.go @@ -0,0 +1,52 @@ +// Copyright 2016 Documize Inc. . All rights reserved. +// +// This software (Documize Community Edition) is licensed under +// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html +// +// You can operate outside the AGPL restrictions by purchasing +// Documize Enterprise Edition and obtaining a commercial license +// by contacting . +// +// https://documize.com + +package keycloak + +// Data received via Keycloak client library +type keycloakAuthRequest struct { + Domain string `json:"domain"` + Token string `json:"token"` + RemoteID string `json:"remoteId"` + Email string `json:"email"` + Username string `json:"username"` + Firstname string `json:"firstname"` + Lastname string `json:"lastname"` + Enabled bool `json:"enabled"` +} + +// Keycloak server configuration +type keycloakConfig struct { + URL string `json:"url"` + Realm string `json:"realm"` + ClientID string `json:"clientId"` + PublicKey string `json:"publicKey"` + AdminUser string `json:"adminUser"` + AdminPassword string `json:"adminPassword"` + Group string `json:"group"` + DisableLogout bool `json:"disableLogout"` + DefaultPermissionAddSpace bool `json:"defaultPermissionAddSpace"` +} + +// keycloakAPIAuth is returned when authenticating with Keycloak REST API. +type keycloakAPIAuth struct { + AccessToken string `json:"access_token"` +} + +// keycloakUser details user record returned by Keycloak +type keycloakUser struct { + ID string `json:"id"` + Username string `json:"username"` + Email string `json:"email"` + Firstname string `json:"firstName"` + Lastname string `json:"lastName"` + Enabled bool `json:"enabled"` +} diff --git a/server/routing/routes.go b/server/routing/routes.go index bf190b10..4a6209e4 100644 --- a/server/routing/routes.go +++ b/server/routing/routes.go @@ -19,6 +19,7 @@ import ( "github.com/documize/community/domain" "github.com/documize/community/domain/attachment" "github.com/documize/community/domain/auth" + "github.com/documize/community/domain/auth/keycloak" "github.com/documize/community/domain/block" "github.com/documize/community/domain/document" "github.com/documize/community/domain/link" @@ -51,6 +52,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) { block := block.Handler{Runtime: rt, Store: s} section := section.Handler{Runtime: rt, Store: s} setting := setting.Handler{Runtime: rt, Store: s} + keycloak := keycloak.Handler{Runtime: rt, Store: s} document := document.Handler{Runtime: rt, Store: s, Indexer: indexer} attachment := attachment.Handler{Runtime: rt, Store: s} organization := organization.Handler{Runtime: rt, Store: s} @@ -59,7 +61,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) { // Non-secure routes //************************************************** Add(rt, RoutePrefixPublic, "meta", []string{"GET", "OPTIONS"}, nil, meta.Meta) - Add(rt, RoutePrefixPublic, "authenticate/keycloak", []string{"POST", "OPTIONS"}, nil, endpoint.AuthenticateKeycloak) + Add(rt, RoutePrefixPublic, "authenticate/keycloak", []string{"POST", "OPTIONS"}, nil, keycloak.Authenticate) Add(rt, RoutePrefixPublic, "authenticate", []string{"POST", "OPTIONS"}, nil, auth.Login) Add(rt, RoutePrefixPublic, "validate", []string{"GET", "OPTIONS"}, nil, auth.ValidateToken) Add(rt, RoutePrefixPublic, "forgot", []string{"POST", "OPTIONS"}, nil, user.ForgotPassword) @@ -127,7 +129,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) { Add(rt, RoutePrefixPrivate, "users/{userID}", []string{"GET", "OPTIONS"}, nil, user.Get) Add(rt, RoutePrefixPrivate, "users/{userID}", []string{"PUT", "OPTIONS"}, nil, user.Update) Add(rt, RoutePrefixPrivate, "users/{userID}", []string{"DELETE", "OPTIONS"}, nil, user.Delete) - Add(rt, RoutePrefixPrivate, "users/sync", []string{"GET", "OPTIONS"}, nil, endpoint.SyncKeycloak) + Add(rt, RoutePrefixPrivate, "users/sync", []string{"GET", "OPTIONS"}, nil, keycloak.Sync) Add(rt, RoutePrefixPrivate, "search", []string{"GET", "OPTIONS"}, nil, document.SearchDocuments)