OpenID via Proxy #845

Merged
merged 28 commits into from
Nov 15, 2024
28 commits
e826d05
Cleanup
moubctez Nov 6, 2024
e2c447c
Shape AuthInfo RPC
moubctez Nov 7, 2024
2d21b15
Return AuthInfoResponse
moubctez Nov 7, 2024
5b01c4a
Handle AuthInfoRequest
moubctez Nov 10, 2024
b0cfc81
Get ready for AuthCallback
moubctez Nov 10, 2024
80c97ed
Now User-Agent header is required to authenticate
moubctez Nov 10, 2024
6c0e2db
Put UserAgentParser behind LazyLock
moubctez Nov 11, 2024
ef577f7
Fold common code
moubctez Nov 11, 2024
c27607a
Fold common logic into user_from_claims()
moubctez Nov 11, 2024
3cbf7ff
Return empty response for AuthCallback
moubctez Nov 12, 2024
d4a7a90
Add migration to make openid_sub unique
moubctez Nov 12, 2024
23eec57
deny auth info when not enterprise
t-aleksander Nov 13, 2024
a04e1f3
disallow disabled users
t-aleksander Nov 14, 2024
0be42c4
log an error if id_token or state is missing
t-aleksander Nov 14, 2024
7a85d63
Switch to authorization code flow
moubctez Nov 14, 2024
50409b2
Handle "aud" in token claims
moubctez Nov 14, 2024
ebf42da
add oidc button display name, pass token and url to proxy
t-aleksander Nov 14, 2024
552d896
update protobufs
t-aleksander Nov 14, 2024
980a586
Merge last migrations
moubctez Nov 14, 2024
1c56a98
preserve full error
t-aleksander Nov 15, 2024
cb6da6c
login -> sign in, change flow to auth code in proxy
t-aleksander Nov 15, 2024
4d63298
add useeffect dependency
t-aleksander Nov 15, 2024
78a5c66
Merge branch 'dev' into oauth2proxy
t-aleksander Nov 15, 2024
f2bbfcb
cleanup
t-aleksander Nov 15, 2024
0d46cc3
log error details
t-aleksander Nov 15, 2024
ce0b7cb
sqlx prepare
t-aleksander Nov 15, 2024
b281648
add display name to test
t-aleksander Nov 15, 2024
c7962b7
remove user agent parser
t-aleksander Nov 15, 2024
2 changes: 1 addition & 1 deletion Cargo.toml
Expand Up @@ -5,7 +5,7 @@ edition = "2021"
license = "Apache-2.0"
homepage = "https://defguard.net/"
repository = "https://github.com/DefGuard/defguard"
rust-version = "1.76"
rust-version = "1.80"

[workspace]

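Review bot: the `rust-version = "1.80"` bump raises the MSRV for every downstream build and should be stated in the PR description. The commit list shows the UserAgentParser was put behind `LazyLock` (stable since Rust 1.80) and then removed again in c7962b7, so confirm the bump is still required; if it is, name the feature that needs it, otherwise revert this line to avoid an unnecessary MSRV change.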
2 changes: 2 additions & 0 deletions migrations/20241112105513_openid_sub_unique.down.sql
@@ -0,0 +1,2 @@
ALTER TABLE openidprovider DROP COLUMN display_name;
ALTER TABLE "user" DROP CONSTRAINT "user_openid_sub_key";
4 changes: 4 additions & 0 deletions migrations/20241112105513_openid_sub_unique.up.sql
@@ -0,0 +1,4 @@
-- Make openid_sub unique.
-- This migration may fail if duplicate openid_subs exist in the database.
ALTER TABLE "user" ADD CONSTRAINT "user_openid_sub_key" UNIQUE (openid_sub);
ALTER TABLE openidprovider ADD COLUMN display_name TEXT DEFAULT NULL;
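Review bot: the comment on the failure mode should also tell the operator what to do before running it (find and merge the duplicate `openid_sub` rows), and it is worth stating that a PostgreSQL `UNIQUE (openid_sub)` constraint still allows any number of NULLs, so users without an OpenID subject are unaffected. Consider also whether `openid_sub` alone is the right key: the OIDC `sub` claim is only unique within one issuer, so if more than one `openidprovider` row can be active at once the constraint should include the provider, otherwise two different users at different providers that happen to share a subject value collide at login. Finally, the down migration also drops `display_name`, so a rollback discards operator-entered display names; acceptable, but say so in the comment.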
2 changes: 1 addition & 1 deletion proto
4 changes: 0 additions & 4 deletions src/appstate.rs
Expand Up @@ -13,7 +13,6 @@ use tokio::{
},
task::spawn,
};
use uaparser::UserAgentParser;
use webauthn_rs::prelude::*;

use crate::{
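Review bot: with `use uaparser::UserAgentParser;` gone and the field dropped from `AppState`, check that the `uaparser` crate is also removed from `Cargo.toml`; the Cargo.toml hunk in this PR only changes `rust-version`, so the crate would otherwise stay in the build as an unused dependency.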
Expand All @@ -30,7 +29,6 @@ pub struct AppState {
wireguard_tx: Sender<GatewayEvent>,
pub mail_tx: UnboundedSender<Mail>,
pub webauthn: Arc<Webauthn>,
pub user_agent_parser: Arc<UserAgentParser>,
pub failed_logins: Arc<Mutex<FailedLoginMap>>,
key: Key,
}
Expand Down Expand Up @@ -103,7 +101,6 @@ impl AppState {
rx: UnboundedReceiver<AppEvent>,
wireguard_tx: Sender<GatewayEvent>,
mail_tx: UnboundedSender<Mail>,
user_agent_parser: Arc<UserAgentParser>,
failed_logins: Arc<Mutex<FailedLoginMap>>,
) -> Self {
spawn(Self::handle_triggers(pool.clone(), rx));
Expand Down Expand Up @@ -131,7 +128,6 @@ impl AppState {
wireguard_tx,
mail_tx,
webauthn,
user_agent_parser,
failed_logins,
key,
}
6 changes: 2 additions & 4 deletions src/bin/defguard.rs
Expand Up @@ -12,7 +12,6 @@ use defguard::{
limits::update_counts,
},
grpc::{run_grpc_bidi_stream, run_grpc_server, GatewayMap, WorkerState},
headers::create_user_agent_parser,
init_dev_env, init_vpn_location,
mail::{run_mail_handler, Mail},
run_web_server,
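Review bot: the `headers::create_user_agent_parser` import is removed here and the commit list ends with c7962b7 "remove user agent parser", but the change to `src/headers.rs` is not part of this excerpt; confirm the function itself was deleted in that commit rather than left as dead public API, and that nothing else in the crate still calls it.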
Expand Down Expand Up @@ -82,7 +81,6 @@ async fn main() -> Result<(), anyhow::Error> {
let (mail_tx, mail_rx) = unbounded_channel::<Mail>();
let worker_state = Arc::new(Mutex::new(WorkerState::new(webhook_tx.clone())));
let gateway_state = Arc::new(Mutex::new(GatewayMap::new()));
let user_agent_parser = create_user_agent_parser();

// initialize admin user
User::init_admin_user(&pool, config.default_admin_password.expose_secret()).await?;
Expand Down Expand Up @@ -119,9 +117,9 @@ async fn main() -> Result<(), anyhow::Error> {

// run services
tokio::select! {
res = run_grpc_bidi_stream(pool.clone(), wireguard_tx.clone(), mail_tx.clone(), user_agent_parser.clone()), if config.proxy_url.is_some() => error!("Proxy gRPC stream returned early: {res:#?}"),
res = run_grpc_bidi_stream(pool.clone(), wireguard_tx.clone(), mail_tx.clone()), if config.proxy_url.is_some() => error!("Proxy gRPC stream returned early: {res:#?}"),
res = run_grpc_server(Arc::clone(&worker_state), pool.clone(), Arc::clone(&gateway_state), wireguard_tx.clone(), mail_tx.clone(), grpc_cert, grpc_key, failed_logins.clone()) => error!("gRPC server returned early: {res:#?}"),
res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins) => error!("Web server returned early: {res:#?}"),
res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), failed_logins) => error!("Web server returned early: {res:#?}"),
res = run_mail_handler(mail_rx, pool.clone()) => error!("Mail handler returned early: {res:#?}"),
res = run_periodic_peer_disconnect(pool.clone(), wireguard_tx) => error!("Periodic peer disconnect task returned early: {res:#?}"),
res = run_periodic_stats_purge(pool.clone(), config.stats_purge_frequency.into(), config.stats_purge_threshold.into()), if !config.disable_stats_purge => error!("Periodic stats purge task returned early: {res:#?}"),
34 changes: 28 additions & 6 deletions src/config.rs
Expand Up @@ -286,6 +286,17 @@ impl DefGuardConfig {
None
}
}

/// Returns configured URL with "auth/callback" appended to the path.
#[must_use]
pub(crate) fn callback_url(&self) -> Url {
let mut url = self.url.clone();
// Append "auth/callback" to the URL.
if let Ok(mut path_segments) = url.path_segments_mut() {
path_segments.extend(&["auth", "callback"]);
}
url
}
}

impl Default for DefGuardConfig {
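Review bot: `path_segments_mut().extend(...)` does not remove an existing trailing empty segment, so a configured `https://defguard.example.com/path/` yields `https://defguard.example.com/path//auth/callback`; because the IdP compares `redirect_uri` byte for byte against the registered value, the double slash would fail the authorization-code exchange with a redirect URI mismatch. Call `.pop_if_empty()` before `.extend(&["auth", "callback"])` and add a trailing-slash case to `test_callback_url`. Also, the `if let Ok(...)` silently returns the bare base URL when `self.url` cannot be a base; if config parsing already guarantees an http(s) URL, make that branch explicit (`expect` with a message) rather than quietly handing back a wrong callback URL.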
Expand All @@ -308,10 +319,7 @@ mod tests {

#[test]
fn test_generate_rp_id() {
// unset variables
env::remove_var("DEFGUARD_URL");
env::remove_var("DEFGUARD_WEBAUTHN_RP_ID");

env::set_var("DEFGUARD_URL", "https://defguard.example.com");

let config = DefGuardConfig::new();
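Review bot: dropping the `env::remove_var("DEFGUARD_WEBAUTHN_RP_ID")` cleanup makes this test depend on the variable not being set by the CI environment or by another test in the same process (cargo runs tests as threads sharing one environment), which would silently turn the generated rp_id check into a pass-through of that value; the same applies to `DEFGUARD_COOKIE_DOMAIN` in `test_generate_cookie_domain` below. Either keep the `remove_var` calls or say in the commit why they became redundant.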
Expand All @@ -330,10 +338,7 @@ mod tests {

#[test]
fn test_generate_cookie_domain() {
// unset variables
env::remove_var("DEFGUARD_URL");
env::remove_var("DEFGUARD_COOKIE_DOMAIN");

env::set_var("DEFGUARD_URL", "https://defguard.example.com");

let config = DefGuardConfig::new();
Expand All @@ -349,4 +354,21 @@ mod tests {

assert_eq!(config.cookie_domain, Some("example.com".to_string()));
}

#[test]
fn test_callback_url() {
env::set_var("DEFGUARD_URL", "https://defguard.example.com");
let config = DefGuardConfig::new();
assert_eq!(
config.callback_url().as_str(),
"https://defguard.example.com/auth/callback"
);

env::set_var("DEFGUARD_URL", "https://defguard.example.com:8443/path");
let config = DefGuardConfig::new();
assert_eq!(
config.callback_url().as_str(),
"https://defguard.example.com:8443/path/auth/callback"
);
}
}
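Review bot: both cases use URLs without a trailing slash; add `https://defguard.example.com/path/` (and the bare host with a trailing slash) to pin the expected output, plus a URL with a query string, since `path_segments_mut` leaves `?...` in place and the result is what gets sent to the IdP as `redirect_uri`.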
2 changes: 1 addition & 1 deletion src/db/models/device_login.rs
Expand Up @@ -72,7 +72,7 @@ impl DeviceLoginEvent {
}
}

pub async fn find_device_login_event(
pub(crate) async fn find_device_login_event(
&self,
pool: &PgPool,
) -> Result<Option<DeviceLoginEvent<Id>>, SqlxError> {
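Review bot: `pub` to `pub(crate)` hides `find_device_login_event` from the `src/bin/defguard.rs` binary and from integration tests under `tests/`, which are separate crates; make sure neither calls it, otherwise the build (or only the test build) breaks. If the other methods on `DeviceLoginEvent` are crate-internal too, narrow them in the same commit for consistency.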