final fixes for external authentication

2025-03-30 00:00:12 +01:00 · 2021-02-04 20:04:29 +01:00 · 2021-02-04 20:04:29 +01:00 · b24387a22a
commit b24387a22a
parent 914db083ed
3 changed files with 96 additions and 80 deletions
--- a/configuration/config.go
+++ b/configuration/config.go
@ -62,8 +62,15 @@ func InitConfig() error {
 		s3PathStyle              = flag.Bool("s3-pathstyle", false, "Use path-style S3 API")
 		jwtSecret                = flag.String("jwt-secret", "This should NOT be here!!@33$8&", "The JSON Web Token secret")
 		jwtExpiresAfter          = flag.String("jwt-expires-after", "168h" /* 1 week */, "The time after which the JSON Web Token expires")
+		authExternal             = flag.Bool("auth-external", false, "Use external authentication via X-Forwarded-User header (e.g. OAuth2 Proxy)")
+		authExternalAuthorizeURL = flag.String("authexternal-authorize-url", "/oauth2/start", "A URL to initiate external login procedure")
+		authExternalProviderName = flag.String("auth-external-provider-name", "JupyterHub", "A name of the external authentication provider")
+		authLogoutURL            = flag.String("auth-logout-url", "/oauth2/sign_out?rd=https%3A%2F%2Fjupyter.k8s.eonerc.rwth-aachen.de%2Fhub%2Flogout", "The URL to redirect the user to log out")
+		title                    = flag.String("title", "VILLASweb", "Title shown in the frontend")
+		subTitle                 = flag.String("sub-title", "", "Sub-title shown in the frontend")
+		contactName              = flag.String("contact-name", "Steffen Vogel", "Name of the administrative contact")
+		contactMail              = flag.String("contact-mail", "svogel2@eonerc.rwth-aachen.de", "EMail of the administrative contact")
 		testDataPath             = flag.String("test-data-path", "database/testdata.json", "The path to the test data json file (used in test mode)")
-		authExternal    = flag.Bool("auth.external", false, "Use external authentication via X-Forwarded-User header (e.g. OAuth2 Proxy)")
 	)
 	flag.Parse()

@ -88,6 +95,13 @@ func InitConfig() error {
 		"s3.region":                   *s3Region,
 		"jwt.secret":                  *jwtSecret,
 		"jwt.expires-after":           *jwtExpiresAfter,
+		"auth.external.authorize-url": *authExternalAuthorizeURL,
+		"auth.external.provider-name": *authExternalProviderName,
+		"auth.logout-url":             *authLogoutURL,
+		"title":                       *title,
+		"sub-title":                   *subTitle,
+		"contact.name":                *contactName,
+		"contact.mail":                *contactMail,
 		"test.datapath":               *testDataPath,
 	}

@ -104,16 +118,16 @@ func InitConfig() error {
 	}

 	if *authExternal == true {
-		static["auth.external"] = "true"
+		static["auth.external.enabled"] = "true"
 	} else {
-		static["auth.external"] = "false"
+		static["auth.external.enabled"] = "false"
 	}

 	mappings := map[string]string{}
-	for name, value := range static {
-		envName := strings.Replace(name, ".", "_")
-		envName := strings.Replace(envName, "-", "_")
-		envName := strings.ToUpper(envName)
+	for name := range static {
+		envName := strings.ReplaceAll(name, ".", "_")
+		envName = strings.ReplaceAll(envName, "-", "_")
+		envName = strings.ToUpper(envName)

 		mappings[envName] = name
 	}
--- a/routes/config/config_endpoint.go
+++ b/routes/config/config_endpoint.go
@ -39,7 +39,6 @@ type ConfigAuthenticationExternal struct {

 type ConfigAuthentication struct {
 	External  ConfigAuthenticationExternal `json:"external"`
-	LoginURL  string                       `json:"login_url"`
 	LogoutURL string                       `json:"logout_url"`
 }

@ -76,8 +75,8 @@ func getConfig(c *gin.Context) {
 	resp.BasePath, _ = cfg.String("base.path")
 	resp.Authentication.LogoutURL, _ = cfg.String("auth.logout-url")
 	resp.Authentication.External.Enabled, _ = cfg.Bool("auth.external")
-	resp.Authentication.External.AuthorizeURL, _ = cfg.String("auth.external-authorize-url")
-	resp.Authentication.External.ProviderName, _ = cfg.String("auth.external-provider-name")
+	resp.Authentication.External.AuthorizeURL, _ = cfg.String("auth.external.authorize-url")
+	resp.Authentication.External.ProviderName, _ = cfg.String("auth.external.provider-name")
 	resp.Title, _ = cfg.String("title")
 	resp.SubTitle, _ = cfg.String("sub-title")
 	resp.Contact.Name, _ = cfg.String("contact.name")
--- a/routes/user/authenticate_endpoint.go
+++ b/routes/user/authenticate_endpoint.go
@ -41,7 +41,7 @@ type tokenClaims struct {

 func RegisterAuthenticate(r *gin.RouterGroup) {
 	r.GET("", authenticated)
-	r.POST("", authenticate)
+	r.POST("/:mechanism", authenticate)
 }

 // authenticated godoc
@ -105,48 +105,57 @@ func authenticated(c *gin.Context) {
 // @Produce json
 // @Tags authentication
 // @Param inputUser body user.loginRequest true "loginRequest of user"
+// @Param mechanism path string true "Login mechanism" Enums(internal, external)
 // @Success 200 {object} api.ResponseAuthenticate "JSON web token, success status, message and authenticated user object"
 // @Failure 401 {object} api.ResponseError "Unauthorized"
 // @Failure 500 {object} api.ResponseError "Internal server error."
-// @Router /authenticate [post]
+// @Router /authenticate{mechanism} [post]
 func authenticate(c *gin.Context) {
-	var user *User
+	var user *User = nil

+	switch c.Param("mechanism") {
+	case "internal":
+		user = authenticateInternal(c)
+	case "external":
 		authExternal, err := configuration.GlobalConfig.Bool("auth.external")
-	if err != nil {
-		helper.UnauthorizedError(c, "Backend configuration error")
-		return
-	}
-
-	if err != nil || !authExternal {
-		user = authenticateStandard(c)
-	} else {
+		if err == nil && authExternal {
 			user = authenticateExternal(c)
+		} else {
+			helper.BadRequestError(c, "External authentication is not activated")
+		}
+	default:
+		helper.BadRequestError(c, "Invalid authentication mechanism")
 	}

 	if user == nil {
 		return
 	}

+	// Check if this is an active user
+	if !user.Active {
+		helper.UnauthorizedError(c, "User is not active")
+		return
+	}
+
 	expiresStr, err := configuration.GlobalConfig.String("jwt.expires-after")
 	if err != nil {
-		helper.UnauthorizedError(c, "Backend configuration error")
+		helper.InternalServerError(c, "Invalid backend configuration: jwt.expires-after")
 		return
 	}

 	expiresDuration, err := time.ParseDuration(expiresStr)
 	if err != nil {
-		helper.UnauthorizedError(c, "Backend configuration error")
+		helper.InternalServerError(c, "Invalid backend configuration: jwt.expires-after")
 		return
 	}

 	secret, err := configuration.GlobalConfig.String("jwt.secret")
 	if err != nil {
-		helper.UnauthorizedError(c, "Backend configuration error")
+		helper.InternalServerError(c, "Invalid backend configuration: jwt.secret")
 		return
 	}

-	// create authentication token
+	// Create authentication token
 	claims := tokenClaims{
 		user.ID,
 		user.Role,
@ -161,7 +170,7 @@ func authenticate(c *gin.Context) {

 	tokenString, err := token.SignedString([]byte(secret))
 	if err != nil {
-		helper.InternalServerError(c, err.Error())
+		helper.InternalServerError(c, "Invalid backend configuration: jwt.secret")
 		return
 	}

@ -173,7 +182,7 @@ func authenticate(c *gin.Context) {
 	})
 }

-func authenticateStandard(c *gin.Context) *User {
+func authenticateInternal(c *gin.Context) *User {
 	// Bind the response (context) with the loginRequest struct
 	var credentials loginRequest
 	if err := c.ShouldBindJSON(&credentials); err != nil {
@ -195,12 +204,6 @@ func authenticateStandard(c *gin.Context) *User {
 		return nil
 	}

-	// Check if this is an active user
-	if !user.Active {
-		helper.UnauthorizedError(c, "User is not active")
-		return nil
-	}
-
 	// Validate the password
 	err = user.validatePassword(credentials.Password)
 	if err != nil {