Move authenticators over to being more dynamic, fix bug with authentication attempts

Author: NHAS

go.mod

@@ -16,7 +16,7 @@ require (
 	go.etcd.io/etcd/client/v3 v3.5.11
 	go.etcd.io/etcd/server/v3 v3.5.11
 	golang.org/x/crypto v0.17.0
-	golang.org/x/net v0.19.0
+	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2
 	golang.org/x/sys v0.16.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 )
@@ -60,7 +60,6 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.26.0 // indirect
 	github.com/prometheus/procfs v0.6.0 // indirect
-	github.com/r3labs/diff v1.1.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/soheilhy/cmux v0.1.5 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -84,7 +83,7 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
 	go.uber.org/zap v1.17.0 // indirect
-	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
+	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

go.sum

@@ -210,8 +210,6 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0 h1:mxy4L2jP6qMonqmq+aTtOx1ifVWUgG/TAmntgbh3xv4=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/r3labs/diff v1.1.0 h1:V53xhrbTHrWFWq3gI4b94AjgEJOerO1+1l0xyHOBi8M=
-github.com/r3labs/diff v1.1.0/go.mod h1:7WjXasNzi0vJetRcB/RqNl5dlIsmXcTTLmF5IoH6Xig=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
@@ -231,7 +229,6 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=

internal/config/config.go

@@ -6,17 +6,14 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"net/url"
 	"os"
 	"strconv"
 	"strings"
 	"sync"
 
 	"github.com/NHAS/wag/internal/acls"
 	"github.com/NHAS/wag/internal/routetypes"
-	"github.com/NHAS/wag/internal/webserver/authenticators"
 	"github.com/NHAS/wag/pkg/control"
-	"github.com/NHAS/webauthn/webauthn"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
@@ -52,19 +49,19 @@ type Config struct {
 	path          string
 	Socket        string `json:",omitempty"`
 	GID           *int   `json:",omitempty"`
-	CheckUpdates  bool   `json:",omitempty"`
+	CheckUpdates  bool   `json:",omitempty"` // Done
 	NumberProxies int
 	Proxied       bool
 	ExposePorts   []string `json:",omitempty"`
 	NAT           *bool
 
 	MFATemplatesDirectory string `json:",omitempty"`
 
-	HelpMail                        string
-	Lockout                         int
-	ExternalAddress                 string
-	MaxSessionLifetimeMinutes       int
-	SessionInactivityTimeoutMinutes int
+	HelpMail                        string // Done
+	Lockout                         int    // Done
+	ExternalAddress                 string // Done
+	MaxSessionLifetimeMinutes       int    // Done
+	SessionInactivityTimeoutMinutes int    // Done
 
 	DownloadConfigFileName string `json:",omitempty"`
 
@@ -87,10 +84,10 @@ type Config struct {
 	}
 
 	Authenticators struct {
-		DefaultMethod string `json:",omitempty"`
-		Issuer        string
+		DefaultMethod string   `json:",omitempty"` // Done
+		Issuer        string   // Done
 		Methods       []string `json:",omitempty"`
-		DomainURL     string
+		DomainURL     string   // Done
 
 		OIDC struct {
 			IssuerURL       string
@@ -102,9 +99,6 @@ type Config struct {
 		PAM struct {
 			ServiceName string
 		} `json:",omitempty"`
-
-		//Not externally configurable
-		Webauthn *webauthn.WebAuthn `json:"-"`
 	}
 	Wireguard struct {
 		DevName    string
@@ -365,112 +359,10 @@ func load(path string) (c Config, err error) {
 		}
 	}
 
-	if len(c.Authenticators.Methods) == 0 {
-		for method := range authenticators.MFA {
-			c.Authenticators.Methods = append(c.Authenticators.Methods, method)
-		}
-	}
-
-	resultMFAMap := make(map[string]authenticators.Authenticator)
-	for _, method := range c.Authenticators.Methods {
-		_, ok := authenticators.MFA[method]
-		if !ok {
-			return c, errors.New("mfa method invalid: " + method)
-		}
-
-		resultMFAMap[method] = authenticators.MFA[method]
-
-		settings := make(map[string]string)
-		switch method {
-
-		case "oidc":
-			if c.Authenticators.DomainURL == "" {
-				return c, errors.New("Authenticators.DomainURL unset, needed for oidc")
-			}
-
-			if c.Authenticators.OIDC.GroupsClaimName == "" {
-				c.Authenticators.OIDC.GroupsClaimName = "groups"
-			}
-
-			if c.Authenticators.OIDC.IssuerURL == "" {
-				return c, errors.New("OIDC issuer url is not set, but oidc authentication method is enabled")
-			}
-
-			tunnelURL, err := url.Parse(c.Authenticators.OIDC.IssuerURL)
-			if err != nil {
-				return c, errors.New("unable to parse Authenticators.OIDC.IssuerURL: " + err.Error())
-			}
-
-			if tunnelURL.Scheme != "https" && tunnelURL.Scheme != "http" {
-				return c, errors.New("Authenticators.OIDC.IssuerURL was not HTTP/HTTPS")
-			}
-
-			if tunnelURL.Scheme == "http" {
-				log.Println("[WARNING] OIDC issuer url is http, this may be insecure")
-			}
-
-			if c.Authenticators.OIDC.ClientSecret == "" {
-				return c, errors.New("Authenticators.OIDC.ClientSecret is empty, but oidc authentication method is enabled")
-			}
-
-			if c.Authenticators.OIDC.ClientID == "" {
-				return c, errors.New("Authenticators.OIDC.ClientID is empty, but oidc authentication method is enabled")
-			}
-
-			settings["ClientID"] = c.Authenticators.OIDC.ClientID
-			settings["ClientSecret"] = c.Authenticators.OIDC.ClientSecret
-			settings["IssuerURL"] = c.Authenticators.OIDC.IssuerURL
-			settings["DomainURL"] = c.Authenticators.DomainURL
-
-		case "webauthn":
-
-			if c.Authenticators.DomainURL == "" {
-				return c, errors.New("Authenticators.DomainURL unset, needed for webauthn")
-			}
-
-			tunnelURL, err := url.Parse(c.Authenticators.DomainURL)
-			if err != nil {
-				return c, errors.New("unable to parse Authenticators.DomainURL: " + err.Error())
-			}
-
-			if !c.Webserver.Tunnel.SupportsTLS() && c.NumberProxies == 0 {
-				return c, errors.New("tunnel does not support TLS (no cert/key given) required by webauthn")
-			}
-
-			if tunnelURL.Scheme != "https" {
-				return c, errors.New("Authenticators.DomainURL was not HTTPS, yet webauthn was enabled (javascript wont be able to access window.PublicKeyCredential)")
-			}
-
-			c.Authenticators.Webauthn, err = webauthn.New(&webauthn.Config{
-				RPDisplayName: c.Authenticators.Issuer,               // Display Name for your site
-				RPID:          strings.Split(tunnelURL.Host, ":")[0], // Generally the domain name for your site
-				RPOrigin:      c.Authenticators.DomainURL,            // The origin URL for WebAuthn requests
-			})
-
-			if err != nil {
-				return c, errors.New("could not configure webauthn domain: " + err.Error())
-			}
-		}
-
-		if err := resultMFAMap[method].Init(settings); err != nil {
-			return c, err
-		}
-	}
-
-	if c.Authenticators.DefaultMethod != "" {
-		_, ok := resultMFAMap[c.Authenticators.DefaultMethod]
-		if !ok {
-			return c, errors.New("default mfa method invalid: " + c.Authenticators.DefaultMethod + " valid methods: " + strings.Join(c.Authenticators.Methods, ","))
-		}
-	}
-
 	if len(c.Authenticators.Methods) == 1 {
 		c.Authenticators.DefaultMethod = c.Authenticators.Methods[len(c.Authenticators.Methods)-1]
 	}
 
-	// Remove all uneeded MFA methods from the MFA map
-	authenticators.MFA = resultMFAMap
-
 	return c, nil
 }
 

internal/data/config.go

@@ -5,22 +5,50 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/url"
 	"strconv"
+	"strings"
 
 	clientv3 "go.etcd.io/etcd/client/v3"
 )
 
+type OIDC struct {
+	IssuerURL       string
+	ClientSecret    string
+	ClientID        string
+	GroupsClaimName string `json:",omitempty"`
+}
+
+type PAM struct {
+	ServiceName string
+}
+
+type Webauthn struct {
+	DisplayName string
+	ID          string
+	Origin      string
+}
+
 const (
-	fullJsonConfigKey    = "wag-config-full"
+	fullJsonConfigKey = "wag-config-full"
+
 	helpMailKey          = "wag-config-general-help-mail"
+	defaultWGFileNameKey = "wag-config-general-wg-filename"
+	checkUpdatesKey      = "wag-config-general-check-updates"
+
 	inactivityTimeoutKey = "wag-config-authentication-inactivity-timeout"
 	sessionLifetimeKey   = "wag-config-authentication-max-session-lifetime"
 	lockoutKey           = "wag-config-authentication-lockout"
 	issuerKey            = "wag-config-authentication-issuer"
 	domainKey            = "wag-config-authentication-domain"
+	methodsEnabledKey    = "wag-config-authentication-methods"
 	defaultMFAMethodKey  = "wag-config-authentication-default-method"
-	externalAddressKey   = "wag-config-network-external-address"
-	dnsKey               = "wag-config-network-dns"
+
+	oidcDetailsKey = "wag-config-authentication-oidc"
+	pamDetailsKey  = "wag-config-authentication-pam"
+
+	externalAddressKey = "wag-config-network-external-address"
+	dnsKey             = "wag-config-network-dns"
 )
 
 func getGeneric(key string) (string, error) {
@@ -36,6 +64,119 @@ func getGeneric(key string) (string, error) {
 	return string(resp.Kvs[0].Value), nil
 }
 
+func SetPAM(details PAM) error {
+	d, err := json.Marshal(details)
+	if err != nil {
+		return err
+	}
+
+	_, err = etcd.Put(context.Background(), pamDetailsKey, string(d))
+	return err
+}
+
+func GetPAM() (details PAM, err error) {
+
+	v, err := getGeneric(pamDetailsKey)
+	if err != nil {
+		return PAM{}, nil
+	}
+
+	err = json.Unmarshal([]byte(v), &details)
+	return
+}
+
+func SetOidc(details OIDC) error {
+	d, err := json.Marshal(details)
+	if err != nil {
+		return err
+	}
+
+	_, err = etcd.Put(context.Background(), oidcDetailsKey, string(d))
+	return err
+}
+
+func GetOidc() (details OIDC, err error) {
+
+	v, err := getGeneric(oidcDetailsKey)
+	if err != nil {
+		return OIDC{}, nil
+	}
+
+	err = json.Unmarshal([]byte(v), &details)
+	return
+}
+
+func GetWebauthn() (wba Webauthn, err error) {
+
+	txn := etcd.Txn(context.Background())
+	response, err := txn.Then(clientv3.OpGet(issuerKey),
+		clientv3.OpGet(domainKey)).Commit()
+	if err != nil {
+		return wba, err
+	}
+
+	if response.Responses[0].GetResponseRange().Count != 1 {
+		return wba, errors.New("no issuer set")
+	}
+
+	if response.Responses[1].GetResponseRange().Count != 1 {
+		return wba, errors.New("no domain set")
+	}
+
+	tunnelURL, err := url.Parse(string(response.Responses[1].GetResponseRange().Kvs[0].Value))
+	if err != nil {
+		return wba, errors.New("unable to parse Authenticators.DomainURL: " + err.Error())
+	}
+
+	wba.Origin = tunnelURL.String()
+	wba.DisplayName = string(response.Responses[0].GetResponseRange().Kvs[0].Value)
+	wba.ID = strings.Split(tunnelURL.Host, ":")[0]
+
+	return
+}
+
+func SetWireguardConfigName(wgConfig string) error {
+	_, err := etcd.Put(context.Background(), defaultWGFileNameKey, wgConfig)
+	return err
+}
+
+func GetWireguardConfigName() (string, error) {
+	return getGeneric(defaultWGFileNameKey)
+}
+
+func SetAuthenticationMethods(methods []string) error {
+	data, _ := json.Marshal(methods)
+	_, err := etcd.Put(context.Background(), methodsEnabledKey, string(data))
+	return err
+}
+
+func GetAuthenicationMethods() (result []string, err error) {
+
+	val, err := getGeneric(methodsEnabledKey)
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal([]byte(val), &result)
+
+	return
+}
+
+func SetCheckUpdates(doChecks bool) error {
+	_, err := etcd.Put(context.Background(), checkUpdatesKey, strconv.FormatBool(doChecks))
+	return err
+}
+
+func CheckUpdates() (bool, error) {
+
+	val, err := getGeneric(checkUpdatesKey)
+	if err != nil {
+		return false, err
+	}
+
+	return val == "true", nil
+}
+
 func SetDomain(domain string) error {
 	_, err := etcd.Put(context.Background(), domainKey, domain)
 	return err