restapi.go 5.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217
  1. package httpservers
  2. import (
  3. "context"
  4. "net/http"
  5. "strings"
  6. "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
  7. log "github.com/sirupsen/logrus"
  8. "google.golang.org/grpc"
  9. "google.golang.org/grpc/credentials/insecure"
  10. "google.golang.org/grpc/metadata"
  11. "google.golang.org/protobuf/encoding/protojson"
  12. "google.golang.org/protobuf/reflect/protoreflect"
  13. apiv1 "github.com/OliveTin/OliveTin/gen/grpc/olivetin/api/v1"
  14. "github.com/OliveTin/OliveTin/internal/acl"
  15. config "github.com/OliveTin/OliveTin/internal/config"
  16. cors "github.com/OliveTin/OliveTin/internal/cors"
  17. )
  18. var (
  19. cfg *config.Config
  20. )
  21. func parseHttpHeaderForAuth(req *http.Request) (string, string) {
  22. username, ok := req.Header[cfg.AuthHttpHeaderUsername]
  23. if !ok {
  24. log.Warnf("Config has AuthHttpHeaderUsername set to %v, but it was not found", cfg.AuthHttpHeaderUsername)
  25. return "", ""
  26. }
  27. if cfg.AuthHttpHeaderUserGroup != "" {
  28. usergroup, ok := req.Header[cfg.AuthHttpHeaderUserGroup]
  29. if ok {
  30. log.Debugf("HTTP Header Auth found a username and usergroup")
  31. return username[0], usergroup[0]
  32. } else {
  33. log.Warnf("Config has AuthHttpHeaderUserGroup set to %v, but it was not found", cfg.AuthHttpHeaderUserGroup)
  34. }
  35. }
  36. log.Debugf("HTTP Header Auth found a username, but usergroup is not being used")
  37. return username[0], ""
  38. }
  39. //gocyclo:ignore
  40. func authHttpRequest(req *http.Request) acl.UnauthenticatedUser {
  41. ret := acl.UnauthenticatedUser{
  42. Username: "",
  43. Usergroup: "",
  44. Provider: "unknown",
  45. Sid: "",
  46. }
  47. if cfg.AuthJwtHeader != "" {
  48. ret.Username, ret.Usergroup = parseJwtHeader(req)
  49. ret.Provider = "jwt-header"
  50. }
  51. if cfg.AuthJwtCookieName != "" && ret.Username == "" {
  52. ret.Username, ret.Usergroup = parseJwtCookie(req)
  53. ret.Provider = "jwt-cookie"
  54. }
  55. if cfg.AuthHttpHeaderUsername != "" && ret.Username == "" {
  56. ret.Username, ret.Usergroup = parseHttpHeaderForAuth(req)
  57. ret.Provider = "http-header"
  58. }
  59. if len(cfg.AuthOAuth2Providers) > 0 && ret.Username == "" {
  60. ret.Username, ret.Usergroup, ret.Sid = parseOAuth2Cookie(req)
  61. ret.Provider = "oauth2"
  62. }
  63. if cfg.AuthLocalUsers.Enabled && ret.Username == "" {
  64. ret.Username, ret.Usergroup, ret.Sid = parseLocalUserCookie(req)
  65. ret.Provider = "local"
  66. }
  67. return ret
  68. }
  69. func authHttpRequestToMetadata(ctx context.Context, req *http.Request) metadata.MD {
  70. authMetadata := authHttpRequest(req)
  71. md := metadata.New(map[string]string{
  72. "username": authMetadata.Username,
  73. "usergroup": authMetadata.Usergroup,
  74. "provider": authMetadata.Provider,
  75. "sid": authMetadata.Sid,
  76. })
  77. log.Tracef("api request metadata: %+v", md)
  78. return md
  79. }
  80. func parseJwtHeader(req *http.Request) (string, string) {
  81. // JWTs in the Authorization header are usually prefixed with "Bearer " which is not part of the JWT token.
  82. return parseJwt(strings.TrimPrefix(req.Header.Get(cfg.AuthJwtHeader), "Bearer "))
  83. }
  84. func forwardResponseHandler(ctx context.Context, w http.ResponseWriter, msg protoreflect.ProtoMessage) error {
  85. md, ok := runtime.ServerMetadataFromContext(ctx)
  86. if !ok {
  87. log.Warn("Could not get ServerMetadata from context")
  88. return nil
  89. }
  90. forwardResponseHandlerLoginLocalUser(md.HeaderMD, w)
  91. forwardResponseHandlerLogout(md.HeaderMD, w)
  92. return nil
  93. }
  94. func forwardResponseHandlerLogout(md metadata.MD, w http.ResponseWriter) {
  95. if getMetadataKeyOrEmpty(md, "logout-provider") != "" {
  96. sid := getMetadataKeyOrEmpty(md, "logout-sid")
  97. delete(registeredStates, sid)
  98. http.SetCookie(
  99. w,
  100. &http.Cookie{
  101. Name: "olivetin-sid-oauth",
  102. MaxAge: 31556952, // 1 year
  103. Value: "",
  104. HttpOnly: true,
  105. Path: "/",
  106. },
  107. )
  108. deleteLocalUserSession("local", sid)
  109. http.SetCookie(
  110. w,
  111. &http.Cookie{
  112. Name: "olivetin-sid-local",
  113. MaxAge: 31556952, // 1 year
  114. Value: "",
  115. HttpOnly: true,
  116. Path: "/",
  117. },
  118. )
  119. w.Header().Set("Content-Type", "text/html")
  120. // We cannot send a HTTP redirect here, because we don't have access to req.
  121. w.Write([]byte("<script>window.location.href = '/';</script>"))
  122. }
  123. }
  124. func getMetadataKeyOrEmpty(md metadata.MD, key string) string {
  125. mdValues := md.Get(key)
  126. if len(mdValues) > 0 {
  127. return mdValues[0]
  128. }
  129. return ""
  130. }
  131. func SetGlobalRestConfig(config *config.Config) {
  132. cfg = config
  133. }
  134. func startRestAPIServer(globalConfig *config.Config) error {
  135. cfg = globalConfig
  136. loadUserSessions()
  137. log.WithFields(log.Fields{
  138. "address": cfg.ListenAddressRestActions,
  139. }).Info("Starting REST API")
  140. mux := newMux()
  141. return http.ListenAndServe(cfg.ListenAddressRestActions, cors.AllowCors(mux))
  142. }
  143. func newMux() *runtime.ServeMux {
  144. // The MarshalOptions set some important compatibility settings for the webui. See below.
  145. mux := runtime.NewServeMux(
  146. runtime.WithMetadata(authHttpRequestToMetadata),
  147. runtime.WithForwardResponseOption(forwardResponseHandler),
  148. runtime.WithMarshalerOption(runtime.MIMEWildcard, &runtime.HTTPBodyMarshaler{
  149. Marshaler: &runtime.JSONPb{
  150. MarshalOptions: protojson.MarshalOptions{
  151. UseProtoNames: false, // eg: canExec for js instead of can_exec from protobuf
  152. EmitUnpopulated: true, // Emit empty fields so that javascript does not get "undefined" when accessing fields with empty values.
  153. },
  154. },
  155. }),
  156. )
  157. ctx := context.Background()
  158. opts := []grpc.DialOption{
  159. grpc.WithTransportCredentials(
  160. insecure.NewCredentials(),
  161. ),
  162. }
  163. err := apiv1.RegisterOliveTinApiServiceHandlerFromEndpoint(ctx, mux, cfg.ListenAddressGrpcActions, opts)
  164. if err != nil {
  165. log.Panicf("Could not register REST API Handler %v", err)
  166. }
  167. return mux
  168. }