keycloak integration code moved to new API

domain/account/endpoint.go

@@ -1,12 +0,0 @@
-package account
-
-import (
-	"github.com/documize/community/core/env"
-	"github.com/documize/community/domain"
-)
-
-// Handler contains the runtime information such as logging and database.
-type Handler struct {
-	Runtime *env.Runtime
-	Store   domain.Store
-}

domain/auth/keycloak/endpoint.go

@@ -0,0 +1,264 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+package keycloak
+
+import (
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"sort"
+	"strings"
+
+	"github.com/documize/community/core/env"
+	"github.com/documize/community/core/response"
+	"github.com/documize/community/core/secrets"
+	"github.com/documize/community/core/streamutil"
+	"github.com/documize/community/core/stringutil"
+	"github.com/documize/community/domain"
+	"github.com/documize/community/domain/auth"
+	usr "github.com/documize/community/domain/user"
+	ath "github.com/documize/community/model/auth"
+	"github.com/documize/community/model/user"
+)
+
+// Handler contains the runtime information such as logging and database.
+type Handler struct {
+	Runtime *env.Runtime
+	Store   *domain.Store
+}
+
+// Sync gets list of Keycloak users and inserts new users into Documize
+// and marks Keycloak disabled users as inactive.
+func (h *Handler) Sync(w http.ResponseWriter, r *http.Request) {
+	ctx := domain.GetRequestContext(r)
+
+	if !ctx.Administrator {
+		response.WriteForbiddenError(w)
+		return
+	}
+
+	var result struct {
+		Message string `json:"message"`
+		IsError bool   `json:"isError"`
+	}
+
+	// Org contains raw auth provider config
+	org, err := h.Store.Organization.GetOrganization(ctx, ctx.OrgID)
+	if err != nil {
+		result.Message = "Error: unable to get organization record"
+		result.IsError = true
+		h.Runtime.Log.Error(result.Message, err)
+		response.WriteJSON(w, result)
+		return
+	}
+
+	// Exit if not using Keycloak
+	if org.AuthProvider != "keycloak" {
+		result.Message = "Error: skipping user sync with Keycloak as it is not the configured option"
+		result.IsError = true
+		h.Runtime.Log.Info(result.Message)
+		response.WriteJSON(w, result)
+		return
+	}
+
+	// Make Keycloak auth provider config
+	c := keycloakConfig{}
+	err = json.Unmarshal([]byte(org.AuthConfig), &c)
+	if err != nil {
+		result.Message = "Error: unable read Keycloak configuration data"
+		result.IsError = true
+		h.Runtime.Log.Error(result.Message, err)
+		response.WriteJSON(w, result)
+		return
+	}
+
+	// User list from Keycloak
+	kcUsers, err := Fetch(c)
+	if err != nil {
+		result.Message = "Error: unable to fetch Keycloak users: " + err.Error()
+		result.IsError = true
+		h.Runtime.Log.Error(result.Message, err)
+		response.WriteJSON(w, result)
+		return
+	}
+
+	// User list from Documize
+	dmzUsers, err := h.Store.User.GetUsersForOrganization(ctx)
+	if err != nil {
+		result.Message = "Error: unable to fetch Documize users"
+		result.IsError = true
+		h.Runtime.Log.Error(result.Message, err)
+		response.WriteJSON(w, result)
+		return
+	}
+
+	sort.Slice(kcUsers, func(i, j int) bool { return kcUsers[i].Email < kcUsers[j].Email })
+	sort.Slice(dmzUsers, func(i, j int) bool { return dmzUsers[i].Email < dmzUsers[j].Email })
+
+	insert := []user.User{}
+
+	for _, k := range kcUsers {
+		exists := false
+
+		for _, d := range dmzUsers {
+			if k.Email == d.Email {
+				exists = true
+			}
+		}
+
+		if !exists {
+			insert = append(insert, k)
+		}
+	}
+
+	// Insert new users into Documize
+	for _, u := range insert {
+		err = addUser(ctx, h.Runtime, h.Store, u, c.DefaultPermissionAddSpace)
+	}
+
+	result.Message = fmt.Sprintf("Keycloak sync'ed %d users, %d new additions", len(kcUsers), len(insert))
+	h.Runtime.Log.Info(result.Message)
+	response.WriteJSON(w, result)
+}
+
+// Authenticate checks Keycloak authentication credentials.
+func (h *Handler) Authenticate(w http.ResponseWriter, r *http.Request) {
+	method := "authenticate"
+	ctx := domain.GetRequestContext(r)
+
+	defer streamutil.Close(r.Body)
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		response.WriteBadRequestError(w, method, "Bad payload")
+		return
+	}
+
+	a := keycloakAuthRequest{}
+	err = json.Unmarshal(body, &a)
+	if err != nil {
+		response.WriteBadRequestError(w, method, err.Error())
+		return
+	}
+
+	a.Domain = strings.TrimSpace(strings.ToLower(a.Domain))
+	a.Domain = h.Store.Organization.CheckDomain(ctx, a.Domain) // TODO optimize by removing this once js allows empty domains
+	a.Email = strings.TrimSpace(strings.ToLower(a.Email))
+
+	// Check for required fields.
+	if len(a.Email) == 0 {
+		response.WriteUnauthorizedError(w)
+		return
+	}
+
+	org, err := h.Store.Organization.GetOrganizationByDomain(ctx, a.Domain)
+	if err != nil {
+		response.WriteUnauthorizedError(w)
+		return
+	}
+
+	ctx.OrgID = org.RefID
+
+	// Fetch Keycloak auth provider config
+	ac := keycloakConfig{}
+	err = json.Unmarshal([]byte(org.AuthConfig), &ac)
+	if err != nil {
+		response.WriteBadRequestError(w, method, "Unable to unmarshall Keycloak Public Key")
+		return
+	}
+
+	// Decode and prepare RSA Public Key used by keycloak to sign JWT.
+	pkb, err := secrets.DecodeBase64([]byte(ac.PublicKey))
+	if err != nil {
+		response.WriteBadRequestError(w, method, "Unable to base64 decode Keycloak Public Key")
+		return
+	}
+	pk := string(pkb)
+	pk = fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", pk)
+
+	// Decode and verify Keycloak JWT
+	claims, err := auth.DecodeKeycloakJWT(a.Token, pk)
+	if err != nil {
+		h.Runtime.Log.Info("decodeKeycloakJWT failed")
+		response.WriteBadRequestError(w, method, err.Error())
+		return
+	}
+
+	// Compare the contents from JWT with what we have.
+	// Guards against MITM token tampering.
+	if a.Email != claims["email"].(string) || claims["sub"].(string) != a.RemoteID {
+		response.WriteUnauthorizedError(w)
+		return
+	}
+
+	h.Runtime.Log.Info("keycloak logon attempt " + a.Email + " @ " + a.Domain)
+
+	u, err := h.Store.User.GetByDomain(ctx, a.Domain, a.Email)
+	if err != nil && err != sql.ErrNoRows {
+		response.WriteServerError(w, method, err)
+		return
+	}
+
+	// Create user account if not found
+	if err == sql.ErrNoRows {
+		h.Runtime.Log.Info("keycloak add user " + a.Email + " @ " + a.Domain)
+
+		u = user.User{}
+		u.Firstname = a.Firstname
+		u.Lastname = a.Lastname
+		u.Email = a.Email
+		u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
+		u.Salt = secrets.GenerateSalt()
+		u.Password = secrets.GeneratePassword(secrets.GenerateRandomPassword(), u.Salt)
+
+		err = addUser(ctx, h.Runtime, h.Store, u, ac.DefaultPermissionAddSpace)
+		if err != nil {
+			response.WriteServerError(w, method, err)
+			return
+		}
+	}
+
+	// Password correct and active user
+	if a.Email != strings.TrimSpace(strings.ToLower(u.Email)) {
+		response.WriteUnauthorizedError(w)
+		return
+	}
+
+	// Attach user accounts and work out permissions.
+	usr.AttachUserAccounts(ctx, *h.Store, org.RefID, &u)
+
+	// No accounts signals data integrity problem
+	// so we reject login request.
+	if len(u.Accounts) == 0 {
+		response.WriteUnauthorizedError(w)
+		return
+	}
+
+	// Abort login request if account is disabled.
+	for _, ac := range u.Accounts {
+		if ac.OrgID == org.RefID {
+			if ac.Active == false {
+				response.WriteUnauthorizedError(w)
+				return
+			}
+			break
+		}
+	}
+
+	// Generate JWT token
+	authModel := ath.AuthenticationModel{}
+	authModel.Token = auth.GenerateJWT(h.Runtime, u.RefID, org.RefID, a.Domain)
+	authModel.User = u
+
+	response.WriteJSON(w, authModel)
+}

domain/auth/keycloak/keycloak.go

@@ -0,0 +1,204 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+package keycloak
+
+import (
+	"bytes"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+
+	"github.com/documize/community/core/env"
+	"github.com/documize/community/core/stringutil"
+	"github.com/documize/community/core/uniqueid"
+	"github.com/documize/community/domain"
+	usr "github.com/documize/community/domain/user"
+	"github.com/documize/community/model/account"
+	"github.com/documize/community/model/user"
+	"github.com/pkg/errors"
+)
+
+// Fetch gets list of Keycloak users for specified Realm, Client Id
+func Fetch(c keycloakConfig) (users []user.User, err error) {
+	users = []user.User{}
+
+	form := url.Values{}
+	form.Add("username", c.AdminUser)
+	form.Add("password", c.AdminPassword)
+	form.Add("client_id", "admin-cli")
+	form.Add("grant_type", "password")
+
+	req, err := http.NewRequest("POST",
+		fmt.Sprintf("%s/realms/master/protocol/openid-connect/token", c.URL),
+		bytes.NewBufferString(form.Encode()))
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Content-Length", strconv.Itoa(len(form.Encode())))
+
+	client := &http.Client{}
+	res, err := client.Do(req)
+	if err != nil {
+		err = errors.Wrap(err, "cannot connect to Keycloak auth URL")
+		return users, err
+	}
+
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		err = errors.Wrap(err, "cannot read Keycloak response from auth request")
+		return users, err
+	}
+
+	if res.StatusCode != http.StatusOK {
+		if res.StatusCode == http.StatusUnauthorized {
+			return users, errors.New("Check Keycloak username/password")
+		}
+
+		return users, errors.New("Keycloak authentication failed " + res.Status)
+	}
+
+	ka := keycloakAPIAuth{}
+	err = json.Unmarshal(body, &ka)
+	if err != nil {
+		return users, err
+	}
+
+	url := fmt.Sprintf("%s/admin/realms/%s/users?max=500", c.URL, c.Realm)
+	c.Group = strings.TrimSpace(c.Group)
+
+	if len(c.Group) > 0 {
+		url = fmt.Sprintf("%s/admin/realms/%s/groups/%s/members?max=500", c.URL, c.Realm, c.Group)
+	}
+
+	req, err = http.NewRequest("GET", url, nil)
+	req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", ka.AccessToken))
+
+	client = &http.Client{}
+	res, err = client.Do(req)
+	if err != nil {
+		err = errors.Wrap(err, "cannot fetch Keycloak users")
+		return users, err
+
+	}
+
+	defer res.Body.Close()
+	body, err = ioutil.ReadAll(res.Body)
+	if err != nil {
+		err = errors.Wrap(err, "cannot read Keycloak user list response")
+		return users, err
+	}
+
+	if res.StatusCode != http.StatusOK {
+		if res.StatusCode == http.StatusNotFound {
+			if c.Group != "" {
+				return users, errors.New("Keycloak Realm/Client/Group ID not found")
+			}
+
+			return users, errors.New("Keycloak Realm/Client Id not found")
+		}
+
+		return users, errors.New("Keycloak users list call failed " + res.Status)
+	}
+
+	kcUsers := []keycloakUser{}
+	err = json.Unmarshal(body, &kcUsers)
+	if err != nil {
+		err = errors.Wrap(err, "cannot unmarshal Keycloak user list response")
+		return users, err
+	}
+
+	for _, kc := range kcUsers {
+		u := user.User{}
+		u.Email = kc.Email
+		u.Firstname = kc.Firstname
+		u.Lastname = kc.Lastname
+		u.Initials = stringutil.MakeInitials(u.Firstname, u.Lastname)
+		u.Active = kc.Enabled
+		u.Editor = false
+
+		users = append(users, u)
+	}
+
+	return users, nil
+}
+
+// Helper method to setup user account in Documize using Keycloak provided user data.
+func addUser(ctx domain.RequestContext, rt *env.Runtime, store *domain.Store, u user.User, addSpace bool) (err error) {
+	// only create account if not dupe
+	addUser := true
+	addAccount := true
+	var userID string
+
+	userDupe, err := store.User.GetByEmail(ctx, u.Email)
+	if err != nil && err != sql.ErrNoRows {
+		return err
+	}
+
+	if u.Email == userDupe.Email {
+		addUser = false
+		userID = userDupe.RefID
+	}
+
+	ctx.Transaction, err = rt.Db.Beginx()
+	if err != nil {
+		return err
+	}
+
+	if addUser {
+		userID = uniqueid.Generate()
+		u.RefID = userID
+
+		err = store.User.Add(ctx, u)
+		if err != nil {
+			ctx.Transaction.Rollback()
+			return err
+		}
+	} else {
+		usr.AttachUserAccounts(ctx, *store, ctx.OrgID, &userDupe)
+
+		for _, a := range userDupe.Accounts {
+			if a.OrgID == ctx.OrgID {
+				addAccount = false
+				break
+			}
+		}
+	}
+
+	// set up user account for the org
+	if addAccount {
+		var a account.Account
+		a.UserID = userID
+		a.OrgID = ctx.OrgID
+		a.Editor = addSpace
+		a.Admin = false
+		accountID := uniqueid.Generate()
+		a.RefID = accountID
+		a.Active = true
+
+		err = store.Account.Add(ctx, a)
+		if err != nil {
+			ctx.Transaction.Rollback()
+			return err
+		}
+	}
+
+	ctx.Transaction.Commit()
+
+	u, err = store.User.Get(ctx, userID)
+
+	return err
+}

domain/auth/keycloak/model.go

@@ -0,0 +1,52 @@
+// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
+//
+// This software (Documize Community Edition) is licensed under
+// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
+//
+// You can operate outside the AGPL restrictions by purchasing
+// Documize Enterprise Edition and obtaining a commercial license
+// by contacting <sales@documize.com>.
+//
+// https://documize.com
+
+package keycloak
+
+// Data received via Keycloak client library
+type keycloakAuthRequest struct {
+	Domain    string `json:"domain"`
+	Token     string `json:"token"`
+	RemoteID  string `json:"remoteId"`
+	Email     string `json:"email"`
+	Username  string `json:"username"`
+	Firstname string `json:"firstname"`
+	Lastname  string `json:"lastname"`
+	Enabled   bool   `json:"enabled"`
+}
+
+// Keycloak server configuration
+type keycloakConfig struct {
+	URL                       string `json:"url"`
+	Realm                     string `json:"realm"`
+	ClientID                  string `json:"clientId"`
+	PublicKey                 string `json:"publicKey"`
+	AdminUser                 string `json:"adminUser"`
+	AdminPassword             string `json:"adminPassword"`
+	Group                     string `json:"group"`
+	DisableLogout             bool   `json:"disableLogout"`
+	DefaultPermissionAddSpace bool   `json:"defaultPermissionAddSpace"`
+}
+
+// keycloakAPIAuth is returned when authenticating with Keycloak REST API.
+type keycloakAPIAuth struct {
+	AccessToken string `json:"access_token"`
+}
+
+// keycloakUser details user record returned by Keycloak
+type keycloakUser struct {
+	ID        string `json:"id"`
+	Username  string `json:"username"`
+	Email     string `json:"email"`
+	Firstname string `json:"firstName"`
+	Lastname  string `json:"lastName"`
+	Enabled   bool   `json:"enabled"`
+}

server/routing/routes.go

@@ -19,6 +19,7 @@ import (
 	"github.com/documize/community/domain"
 	"github.com/documize/community/domain/attachment"
 	"github.com/documize/community/domain/auth"
+	"github.com/documize/community/domain/auth/keycloak"
 	"github.com/documize/community/domain/block"
 	"github.com/documize/community/domain/document"
 	"github.com/documize/community/domain/link"
@@ -51,6 +52,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) {
 	block := block.Handler{Runtime: rt, Store: s}
 	section := section.Handler{Runtime: rt, Store: s}
 	setting := setting.Handler{Runtime: rt, Store: s}
+	keycloak := keycloak.Handler{Runtime: rt, Store: s}
 	document := document.Handler{Runtime: rt, Store: s, Indexer: indexer}
 	attachment := attachment.Handler{Runtime: rt, Store: s}
 	organization := organization.Handler{Runtime: rt, Store: s}
@@ -59,7 +61,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) {
 	// Non-secure routes
 	//**************************************************
 	Add(rt, RoutePrefixPublic, "meta", []string{"GET", "OPTIONS"}, nil, meta.Meta)
-	Add(rt, RoutePrefixPublic, "authenticate/keycloak", []string{"POST", "OPTIONS"}, nil, endpoint.AuthenticateKeycloak)
+	Add(rt, RoutePrefixPublic, "authenticate/keycloak", []string{"POST", "OPTIONS"}, nil, keycloak.Authenticate)
 	Add(rt, RoutePrefixPublic, "authenticate", []string{"POST", "OPTIONS"}, nil, auth.Login)
 	Add(rt, RoutePrefixPublic, "validate", []string{"GET", "OPTIONS"}, nil, auth.ValidateToken)
 	Add(rt, RoutePrefixPublic, "forgot", []string{"POST", "OPTIONS"}, nil, user.ForgotPassword)
@@ -127,7 +129,7 @@ func RegisterEndpoints(rt *env.Runtime, s *domain.Store) {
 	Add(rt, RoutePrefixPrivate, "users/{userID}", []string{"GET", "OPTIONS"}, nil, user.Get)
 	Add(rt, RoutePrefixPrivate, "users/{userID}", []string{"PUT", "OPTIONS"}, nil, user.Update)
 	Add(rt, RoutePrefixPrivate, "users/{userID}", []string{"DELETE", "OPTIONS"}, nil, user.Delete)
-	Add(rt, RoutePrefixPrivate, "users/sync", []string{"GET", "OPTIONS"}, nil, endpoint.SyncKeycloak)
+	Add(rt, RoutePrefixPrivate, "users/sync", []string{"GET", "OPTIONS"}, nil, keycloak.Sync)
 
 	Add(rt, RoutePrefixPrivate, "search", []string{"GET", "OPTIONS"}, nil, document.SearchDocuments)