Implement client certificate login

2021-01-01 14:21:26 +01:00 · 2021-01-01 14:21:26 +01:00 · 7947eaf862
commit 7947eaf862
parent 714a07f162
9 changed files with 307 additions and 119 deletions
--- a/idp/handlers/consent.go
+++ b/idp/handlers/consent.go
@ -99,7 +99,7 @@ func (h *consentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 				r.Context(),
 				`SELECT email, verified, fname, mname, lname, dob, language, modified
 FROM users
-WHERE id = ?
+WHERE uniqueID = ?
  AND LOCKED = 0`,
 			)
 			if err != nil {
--- a/idp/handlers/login.go
+++ b/idp/handlers/login.go
@ -13,6 +13,7 @@ import (
 	"github.com/go-playground/form/v4"
 	"github.com/go-playground/validator/v10"
 	"github.com/gorilla/csrf"
+	"github.com/jmoiron/sqlx"
 	"github.com/nicksnyder/go-i18n/v2/i18n"
 	"github.com/ory/hydra-client-go/client/admin"
 	"github.com/ory/hydra-client-go/models"
@ -22,27 +23,26 @@ import (
 	"git.cacert.org/oidc_login/idp/services"
 )

+type acrType string
+
+const (
+	ClientCertificate acrType = "cert"     // client certificate login
+	Password          acrType = "password" // regular username + password login
+	// ClientCertificateOTP   acrType = "cert+otp"
+	// ClientCertificateToken acrType = "cert+token"
+	// PasswordOTP            acrType = "password+otp"
+	// PasswordToken          acrType = "password+token"
+)
+
 type loginHandler struct {
 	adminClient    *admin.Client
 	bundle         *i18n.Bundle
 	context        context.Context
 	logger         *log.Logger
-	loginTemplate  *template.Template
+	templates      map[acrType]*template.Template
 	messageCatalog *commonServices.MessageCatalog
 }

-type acrType string
-
-const (
-	NoCredentials          acrType = "none"
-	ClientCertificate      acrType = "cert"
-	ClientCertificateOTP   acrType = "cert+otp"
-	ClientCertificateToken acrType = "cert+token"
-	Password               acrType = "password"
-	PasswordOTP            acrType = "password+otp"
-	PasswordToken          acrType = "password+token"
-)
-
 type LoginInformation struct {
 	Email    string `form:"email" validate:"required,email"`
 	Password string `form:"password" validate:"required"`
@ -55,104 +55,130 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	accept := r.Header.Get("Accept-Language")
 	localizer := i18n.NewLocalizer(h.bundle, accept)

+	certEmails := h.getCertEmails(r)
+
+	var loginInfo LoginInformation
 	validate := validator.New()

 	switch r.Method {
 	case http.MethodGet:
-		// render login form
-		h.renderLoginForm(w, r, map[string]string{}, &LoginInformation{}, localizer)
+		if certEmails != nil {
+			h.renderRequestForClientCert(w, r, certEmails, localizer)
+		} else {
+			// render login form
+			h.renderLoginForm(w, r, map[string]string{}, &LoginInformation{}, localizer)
+		}
 		break
 	case http.MethodPost:
-		var loginInfo LoginInformation
+		var userId *string
+		var authMethod acrType

-		// validate input
-		decoder := form.NewDecoder()
-		err = decoder.Decode(&loginInfo, r.Form)
-		if err != nil {
-			h.logger.Error(err)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-			return
-		}
-		err := validate.Struct(&loginInfo)
-		if err != nil {
-			errors := make(map[string]string)
-			for _, err := range err.(validator.ValidationErrors) {
-				accept := r.Header.Get("Accept-Language")
-				errors[err.Field()] = h.messageCatalog.LookupErrorMessage(err.Tag(), err.Field(), err.Value(), i18n.NewLocalizer(h.bundle, accept))
-			}
-			h.renderLoginForm(w, r, errors, &loginInfo, localizer)
-			return
-		}
-
-		db := services.GetDb(h.context)
-
-		stmt, err := db.PrepareContext(
-			r.Context(),
-			`SELECT id
-FROM users
-WHERE email = ?
-  AND password = ?
-  AND locked = 0`,
-		)
-		if err != nil {
-			h.logger.Errorf("error preparing login SQL: %v", err)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-			return
-		}
-		defer func() { _ = stmt.Close() }()
-
-		// FIXME: replace with a real password hash algorithm
-		passwordHash := sha1.Sum([]byte(loginInfo.Password))
-		password := hex.EncodeToString(passwordHash[:])
-		// FIXME: introduce a real opaque identifier (i.e. a UUID)
-		var userId string
-		// GET user data
-		err = stmt.QueryRowContext(r.Context(), loginInfo.Email, password).Scan(&userId)
-		switch {
-		case err == sql.ErrNoRows:
-			errors := map[string]string{
-				"Form": h.messageCatalog.LookupMessage(
-					"WrongOrLockedUserOrInvalidPassword",
-					nil,
-					localizer,
-				),
-			}
-			h.renderLoginForm(w, r, errors, &loginInfo, localizer)
-			return
-		case err != nil:
-			h.logger.Errorf("error performing login SQL: %v", err)
-			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-			return
-		default:
-			// finish login and redirect to target
-			loginRequest, err := h.adminClient.AcceptLoginRequest(
-				admin.NewAcceptLoginRequestParams().WithLoginChallenge(challenge).WithBody(&models.AcceptLoginRequest{
-					Acr:         string(Password),
-					Remember:    true,
-					RememberFor: 0,
-					Subject:     &userId,
-				}).WithTimeout(time.Second * 10))
-			if err != nil {
-				h.logger.Errorf("error getting login request: %#v", err)
-				http.Error(w, err.Error(), err.(*runtime.APIError).Code)
+		if certEmails != nil && r.PostFormValue("action") == "cert-login" {
+			if r.PostFormValue("use-certificate") == "" {
+				// render login form
+				h.renderLoginForm(w, r, map[string]string{}, &LoginInformation{}, localizer)
 				return
 			}
-			w.Header().Add("Location", *loginRequest.GetPayload().RedirectTo)
-			w.WriteHeader(http.StatusFound)
+			// perform certificate auth
+			h.logger.Infof("would perform certificate authentication with: %+v", certEmails)
+			userId, err = h.performCertificateLogin(certEmails, r)
+			if err != nil {
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				return
+			}
+			if userId == nil {
+				errors := map[string]string{
+					"Form": h.messageCatalog.LookupMessage(
+						"WrongOrLockedUserOrInvalidPassword",
+						nil,
+						localizer,
+					),
+				}
+				h.renderLoginForm(w, r, errors, &loginInfo, localizer)
+				return
+			}
+			authMethod = ClientCertificate
+		} else {
+			decoder := form.NewDecoder()
+			// validate input
+			err = decoder.Decode(&loginInfo, r.Form)
+			if err != nil {
+				h.logger.Error(err)
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				return
+			}
+			err := validate.Struct(&loginInfo)
+			if err != nil {
+				errors := make(map[string]string)
+				for _, err := range err.(validator.ValidationErrors) {
+					accept := r.Header.Get("Accept-Language")
+					errors[err.Field()] = h.messageCatalog.LookupErrorMessage(
+						err.Tag(),
+						err.Field(),
+						err.Value(),
+						i18n.NewLocalizer(h.bundle, accept),
+					)
+				}
+				h.renderLoginForm(w, r, errors, &loginInfo, localizer)
+				return
+			}
+			userId, err = h.performUserNamePasswordLogin(&loginInfo, r)
+			if err != nil {
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				return
+			}
+			if userId == nil {
+				errors := map[string]string{
+					"Form": h.messageCatalog.LookupMessage(
+						"WrongOrLockedUserOrInvalidPassword",
+						nil,
+						localizer,
+					),
+				}
+				h.renderLoginForm(w, r, errors, &loginInfo, localizer)
+				return
+			}
+			authMethod = Password
 		}
-		break
+
+		// finish login and redirect to target
+		loginRequest, err := h.adminClient.AcceptLoginRequest(
+			admin.NewAcceptLoginRequestParams().WithLoginChallenge(challenge).WithBody(&models.AcceptLoginRequest{
+				Acr:         string(authMethod),
+				Remember:    true,
+				RememberFor: 0,
+				Subject:     userId,
+			}).WithTimeout(time.Second * 10))
+		if err != nil {
+			h.logger.Errorf("error getting login request: %#v", err)
+			http.Error(w, err.Error(), err.(*runtime.APIError).Code)
+			return
+		}
+		w.Header().Add("Location", *loginRequest.GetPayload().RedirectTo)
+		w.WriteHeader(http.StatusFound)
 	default:
 		http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
 		return
 	}
 }

+func (h *loginHandler) getCertEmails(r *http.Request) []string {
+	if r.TLS != nil && r.TLS.PeerCertificates != nil && len(r.TLS.PeerCertificates) > 0 {
+		firstCert := r.TLS.PeerCertificates[0]
+		for _, email := range firstCert.EmailAddresses {
+			h.logger.Infof("authenticated with a client certificate for email address %s", email)
+		}
+		return firstCert.EmailAddresses
+	}
+	return nil
+}
+
 func (h *loginHandler) renderLoginForm(w http.ResponseWriter, r *http.Request, errors map[string]string, info *LoginInformation, localizer *i18n.Localizer) {
 	trans := func(label string) string {
 		return h.messageCatalog.LookupMessage(label, nil, localizer)
 	}

-	err := h.loginTemplate.Lookup("base").Execute(w, map[string]interface{}{
+	err := h.templates[Password].Lookup("base").Execute(w, map[string]interface{}{
 		"Title":          trans("LoginTitle"),
 		csrf.TemplateTag: csrf.TemplateField(r),
 		"LabelEmail":     trans("LabelEmail"),
@ -168,18 +194,121 @@ func (h *loginHandler) renderLoginForm(w http.ResponseWriter, r *http.Request, e
 	}
 }

+func (h *loginHandler) renderRequestForClientCert(w http.ResponseWriter, r *http.Request, emails []string, localizer *i18n.Localizer) {
+	trans := func(label string) string {
+		return h.messageCatalog.LookupMessage(label, nil, localizer)
+	}
+
+	err := h.templates[ClientCertificate].Lookup("base").Execute(w, map[string]interface{}{
+		"Title":          trans("LoginTitle"),
+		csrf.TemplateTag: csrf.TemplateField(r),
+		"IntroText":      trans("CertLoginIntroText"),
+		"emails":         emails,
+		"RequestText":    trans("CertLoginRequestText"),
+		"AcceptLabel":    trans("LabelAcceptCertLogin"),
+		"RejectLabel":    trans("LabelRejectCertLogin"),
+	})
+	if err != nil {
+		h.logger.Error(err)
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
+	}
+}
+
+func (h *loginHandler) performUserNamePasswordLogin(loginInfo *LoginInformation, r *http.Request) (*string, error) {
+	db := services.GetDb(h.context)
+
+	stmt, err := db.PrepareContext(
+		r.Context(),
+		`SELECT uniqueID
+FROM users
+WHERE email = ?
+  AND password = ?
+  AND locked = 0`,
+	)
+	if err != nil {
+		h.logger.Errorf("error preparing login SQL: %v", err)
+		return nil, err
+	}
+	defer func() { _ = stmt.Close() }()
+
+	// FIXME: replace with a real password hash algorithm
+	passwordHash := sha1.Sum([]byte(loginInfo.Password))
+	password := hex.EncodeToString(passwordHash[:])
+
+	var userId string
+	// GET user data
+	err = stmt.QueryRowContext(r.Context(), loginInfo.Email, password).Scan(&userId)
+	switch {
+	case err == sql.ErrNoRows:
+		return nil, nil
+	case err != nil:
+		h.logger.Errorf("error performing login SQL: %v", err)
+		return nil, err
+	default:
+		h.logger.Infof("found user %s", userId)
+		return &userId, nil
+	}
+}
+
+func (h *loginHandler) performCertificateLogin(emails []string, r *http.Request) (*string, error) {
+	db := services.GetDb(h.context)
+
+	query, args, err := sqlx.In(
+		`SELECT DISTINCT u.uniqueID
+FROM users u
+         JOIN email e ON e.memid = u.id
+WHERE e.email IN (?)
+  AND u.locked = 0`,
+		emails,
+	)
+	if err != nil {
+		h.logger.Errorf("could not parse IN query for certificate login: %v", err)
+		return nil, err
+	}
+	stmt, err := db.PreparexContext(r.Context(), query)
+	if err != nil {
+		h.logger.Errorf("error preparing login SQL: %v", err)
+		return nil, err
+	}
+	defer func() { _ = stmt.Close() }()
+
+	var userId string
+	err = stmt.QueryRowContext(r.Context(), args...).Scan(&userId)
+	switch {
+	case err == sql.ErrNoRows:
+		return nil, nil
+	case err != nil:
+		h.logger.Errorf("error performing login SQL: %v", err)
+		return nil, err
+	default:
+		h.logger.Infof("found user %s", userId)
+		return &userId, nil
+	}
+}
+
 func NewLoginHandler(ctx context.Context, logger *log.Logger) (*loginHandler, error) {
+	var err error
 	loginTemplate, err := template.ParseFiles(
 		"templates/idp/base.gohtml", "templates/idp/login.gohtml")
 	if err != nil {
 		return nil, err
 	}
+	clientCertTemplate, err := template.ParseFiles(
+		"templates/idp/base.gohtml", "templates/idp/client_certificate.gohtml")
+	if err != nil {
+		return nil, err
+	}
+	formTemplates := map[acrType]*template.Template{
+		Password:          loginTemplate,
+		ClientCertificate: clientCertTemplate,
+	}
 	return &loginHandler{
 		adminClient:    ctx.Value(CtxAdminClient).(*admin.Client),
 		bundle:         commonServices.GetI18nBundle(ctx),
 		context:        ctx,
 		logger:         logger,
-		loginTemplate:  loginTemplate,
+		templates:      formTemplates,
 		messageCatalog: commonServices.GetMessageCatalog(ctx),
 	}, nil
 }
--- a/idp/services/i18n.go
+++ b/idp/services/i18n.go
@ -89,5 +89,23 @@ func AddMessages(ctx context.Context) {
 		Description: "Label for a login button",
 		Other:       "Login",
 	}
+	messages["CertLoginIntroText"] = &i18n.Message{
+		ID:    "CertLoginIntroText",
+		Other: "You have presented a valid client certificate for the following email addresses:",
+	}
+	messages["CertLoginRequestText"] = &i18n.Message{
+		ID:    "CertLoginRequestText",
+		Other: "Do you want to use this certificate for authentication or do you want to use a different method?",
+	}
+	messages["LabelAcceptCertLogin"] = &i18n.Message{
+		ID:          "LabelAcceptCertLogin",
+		Description: "Label for a button to accept certificate login",
+		Other:       "Yes, please use the certificate",
+	}
+	messages["LabelRejectCertLogin"] = &i18n.Message{
+		ID:          "LabelRejectCertLogin",
+		Description: "Label for a button to reject certificate login",
+		Other:       "No, please ask for my password",
+	}
 	services.GetMessageCatalog(ctx).AddMessages(messages)
 }