Merge branch 'main' into mtls

Author: techknowlogick

.github/workflows/docker.yml

@@ -18,7 +18,7 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: "1.16.x"
+          go-version: "1.19.x"
 
       - name: Checkout code
         uses: actions/checkout@v2

.github/workflows/go_test.yml

@@ -4,7 +4,7 @@ jobs:
   test:
     strategy:
       matrix:
-        go-version: [1.17.x, 1.18.x]
+        go-version: [1.17.x, 1.18.x, 1.19.x, 1.20.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -8,17 +8,17 @@ While performing simple user authentication is pretty straightforward, performin
 Docker Registry 2.0 introduced a new, token-based authentication and authorization protocol, but the server to generate them was not released.
 Thus, most guides found on the internet still describe a set up with a reverse proxy performing access control.
 
-This server fills the gap and implements the protocol described [here](https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md).
+This server fills the gap and implements the protocol described [here](https://github.com/docker/distribution/blob/main/docs/spec/auth/token.md).
 
 Supported authentication methods:
  * Static list of users
- * Google Sign-In (incl. Google for Work / GApps for domain) (documented [here](https://github.com/cesanta/docker_auth/blob/master/examples/reference.yml))
+ * Google Sign-In (incl. Google for Work / GApps for domain) (documented [here](https://github.com/cesanta/docker_auth/blob/main/examples/reference.yml))
  * [Github Sign-In](docs/auth-methods.md#github)
  * Gitlab Sign-In
  * LDAP bind ([demo](https://github.com/kwk/docker-registry-setup))
  * MongoDB user collection
  * MySQL/MariaDB, PostgreSQL, SQLite database table
- * [External program](https://github.com/cesanta/docker_auth/blob/master/examples/ext_auth.sh)
+ * [External program](https://github.com/cesanta/docker_auth/blob/main/examples/ext_auth.sh)
 
 Supported authorization methods:
  * Static ACL
@@ -55,7 +55,7 @@ $ docker run \
     cesanta/docker_auth:1 /config/auth_config.yml
 ```
 
-See the [example config files](https://github.com/cesanta/docker_auth/tree/master/examples/) to get an idea of what is possible.
+See the [example config files](https://github.com/cesanta/docker_auth/tree/main/examples/) to get an idea of what is possible.
 
 ## Troubleshooting
 

auth_server/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.17-alpine3.14 as build
+FROM golang:1.20-alpine3.17 as build
 
 ARG VERSION
 ENV VERSION "${VERSION}"
@@ -12,7 +12,7 @@ COPY . /build
 WORKDIR /build
 RUN make build
 
-FROM alpine:3.14
+FROM alpine:3.17
 COPY --from=build /build/auth_server /docker_auth/
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 ENTRYPOINT ["/docker_auth/auth_server"]

auth_server/authn/data/oidc_auth.tmpl

@@ -9,7 +9,7 @@
 <body>
   <div id="panel">
     <p>
-      <a id="login-with-oidc" href="{{.AuthEndpoint}}?response_type=code&scope=openid%20email&client_id={{.ClientId}}&redirect_uri={{.RedirectURI}}">
+      <a id="login-with-oidc" href="{{.AuthEndpoint}}?response_type=code&scope={{.Scope}}&client_id={{.ClientId}}&redirect_uri={{.RedirectURI}}">
         Login with OIDC Provider
       </a>
     </p>

auth_server/authn/ldap_auth.go

@@ -32,6 +32,7 @@ import (
 type LabelMap struct {
 	Attribute string `yaml:"attribute,omitempty"`
 	ParseCN   bool   `yaml:"parse_cn,omitempty"`
+	LowerCase bool   `yaml:"lower_case",omitempty"`
 }
 
 type LDAPAuthConfig struct {
@@ -299,6 +300,11 @@ func (la *LDAPAuth) getLabelsFromMap(attrMap map[string][]string) (map[string][]
 					mappingValues[i] = cn
 				}
 			}
+			if mapping.LowerCase {
+				for i, value := range mappingValues {
+					mappingValues[i] = strings.ToLower(value)
+				}
+			}
 			labels[key] = mappingValues
 		}
 	}

auth_server/authn/oidc_auth.go

@@ -21,13 +21,14 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"golang.org/x/oauth2"
 	"html/template"
 	"io/ioutil"
 	"net/http"
 	"strings"
 	"time"
 
+	"golang.org/x/oauth2"
+
 	"github.com/coreos/go-oidc/v3/oidc"
 
 	"github.com/cesanta/glog"
@@ -52,6 +53,14 @@ type OIDCAuthConfig struct {
 	HTTPTimeout int `yaml:"http_timeout,omitempty"`
 	// the URL of the docker registry. Used to generate a full docker login command after authentication
 	RegistryURL string `yaml:"registry_url,omitempty"`
+	// --- optional ---
+	// String claim to use for the username
+	UserClaim string `yaml:"user_claim,omitempty"`
+	// --- optional ---
+	// []string to add as labels.
+	LabelsClaims []string `yaml:"labels_claims,omitempty"`
+	// --- optional ---
+	Scopes []string `yaml:"scopes,omitempty"`
 }
 
 // OIDCRefreshTokenResponse is sent by OIDC provider in response to the grant_type=refresh_token request.
@@ -66,14 +75,6 @@ type OIDCRefreshTokenResponse struct {
 	ErrorDescription string `json:"error_description,omitempty"`
 }
 
-// ProfileResponse is sent by the /userinfo endpoint or contained in the ID token.
-// We use it to validate access token and (re)verify the email address associated with it.
-type OIDCProfileResponse struct {
-	Email         string `json:"email,omitempty"`
-	VerifiedEmail bool   `json:"verified_email,omitempty"`
-	// There are more fields, but we only need email.
-}
-
 // The specific OIDC authenticator
 type OIDCAuth struct {
 	config     *OIDCAuthConfig
@@ -109,7 +110,7 @@ func NewOIDCAuth(c *OIDCAuthConfig) (*OIDCAuth, error) {
 		ClientSecret: c.ClientSecret,
 		Endpoint:     prov.Endpoint(),
 		RedirectURL:  c.RedirectURL,
-		Scopes:       []string{oidc.ScopeOpenID, "email"},
+		Scopes:       c.Scopes,
 	}
 	return &OIDCAuth{
 		config:     c,
@@ -144,11 +145,12 @@ Executes tmpl for the OIDC login page.
 */
 func (ga *OIDCAuth) doOIDCAuthPage(rw http.ResponseWriter) {
 	if err := ga.tmpl.Execute(rw, struct {
-		AuthEndpoint, RedirectURI, ClientId string
+		AuthEndpoint, RedirectURI, ClientId, Scope string
 	}{
 		AuthEndpoint: ga.provider.Endpoint().AuthURL,
 		RedirectURI:  ga.oauth.RedirectURL,
 		ClientId:     ga.oauth.ClientID,
+		Scope:        strings.Join(ga.config.Scopes, " "),
 	}); err != nil {
 		http.Error(rw, fmt.Sprintf("Template error: %s", err), http.StatusInternalServerError)
 	}
@@ -191,32 +193,47 @@ func (ga *OIDCAuth) doOIDCAuthCreateToken(rw http.ResponseWriter, code string) {
 		http.Error(rw, fmt.Sprintf("Failed to verify ID token: %s", err), http.StatusInternalServerError)
 		return
 	}
-	var prof OIDCProfileResponse
-	if err := idTok.Claims(&prof); err != nil {
-		http.Error(rw, fmt.Sprintf("Failed to get mail information from ID token: %s", err), http.StatusInternalServerError)
+	var claims map[string]interface{}
+	if err := idTok.Claims(&claims); err != nil {
+		http.Error(rw, fmt.Sprintf("Failed to get claims from ID token: %s", err), http.StatusInternalServerError)
 		return
 	}
-	if prof.Email == "" {
-		http.Error(rw, fmt.Sprintf("No mail information given in ID token"), http.StatusInternalServerError)
+	username, _ := claims[ga.config.UserClaim].(string)
+	if username == "" {
+		http.Error(rw, fmt.Sprintf("No %q claim in ID token", ga.config.UserClaim), http.StatusInternalServerError)
 		return
 	}
 
-	glog.V(2).Infof("New OIDC auth token for %s (Current time: %s, expiration time: %s)", prof.Email, time.Now().String(), tok.Expiry.String())
+	glog.V(2).Infof("New OIDC auth token for %s (Current time: %s, expiration time: %s)", username, time.Now().String(), tok.Expiry.String())
 
 	dbVal := &TokenDBValue{
 		TokenType:    tok.TokenType,
 		AccessToken:  tok.AccessToken,
 		RefreshToken: tok.RefreshToken,
 		ValidUntil:   tok.Expiry.Add(time.Duration(-30) * time.Second),
+		Labels:       ga.getLabels(claims),
 	}
-	dp, err := ga.db.StoreToken(prof.Email, dbVal, true)
+	dp, err := ga.db.StoreToken(username, dbVal, true)
 	if err != nil {
 		glog.Errorf("Failed to record server token: %s", err)
 		http.Error(rw, "Failed to record server token: %s", http.StatusInternalServerError)
 		return
 	}
 
-	ga.doOIDCAuthResultPage(rw, prof.Email, dp)
+	ga.doOIDCAuthResultPage(rw, username, dp)
+}
+
+func (ga *OIDCAuth) getLabels(claims map[string]interface{}) api.Labels {
+	labels := make(api.Labels, len(ga.config.LabelsClaims))
+	for _, claim := range ga.config.LabelsClaims {
+		values, _ := claims[claim].([]interface{})
+		for _, v := range values {
+			if str, _ := v.(string); str != "" {
+				labels[claim] = append(labels[claim], str)
+			}
+		}
+	}
+	return labels
 }
 
 /*
@@ -294,8 +311,15 @@ func (ga *OIDCAuth) validateServerToken(user string) (*TokenDBValue, error) {
 		glog.Warningf("Token for %q failed validation: %s", user, err)
 		return nil, fmt.Errorf("server token invalid: %s", err)
 	}
-	if tokUser.Email != user {
-		glog.Errorf("token for wrong user: expected %s, found %s", user, tokUser.Email)
+
+	var claims map[string]interface{}
+	if err := tokUser.Claims(&claims); err != nil {
+		glog.Errorf("error retrieving claims: %v", err)
+		return nil, fmt.Errorf("error retrieving claims: %w", err)
+	}
+	claimUsername, _ := claims[ga.config.UserClaim].(string)
+	if claimUsername != user {
+		glog.Errorf("token for wrong user: expected %s, found %s", user, claimUsername)
 		return nil, fmt.Errorf("found token for wrong user")
 	}
 	texp := v.ValidUntil.Sub(time.Now())
@@ -335,7 +359,15 @@ func (ga *OIDCAuth) Authenticate(user string, password api.PasswordString) (bool
 	} else if err != nil {
 		return false, nil, err
 	}
-	return true, nil, nil
+
+	v, err := ga.db.GetValue(user)
+	if err != nil || v == nil {
+		if err == nil {
+			err = errors.New("no db value, please sign out and sign in again")
+		}
+		return false, nil, err
+	}
+	return true, v.Labels, err
 }
 
 func (ga *OIDCAuth) Stop() {

auth_server/go.mod

@@ -3,42 +3,58 @@ module github.com/cesanta/docker_auth/auth_server
 go 1.16
 
 require (
-	cloud.google.com/go v0.78.0 // indirect
-	cloud.google.com/go/storage v1.14.0
-	github.com/casbin/casbin/v2 v2.24.0
+	cloud.google.com/go/compute v1.10.0 // indirect
+	cloud.google.com/go/iam v0.5.0 // indirect
+	cloud.google.com/go/storage v1.27.0
+	github.com/PuerkitoBio/goquery v1.5.1 // indirect
+	github.com/casbin/casbin/v2 v2.55.1
 	github.com/cesanta/glog v0.0.0-20150527111657-22eb27a0ae19
-	github.com/coreos/go-oidc/v3 v3.0.0
-	github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5
-	github.com/deckarep/golang-set v1.7.1
-	github.com/docker/distribution v2.8.0+incompatible
+	github.com/coreos/go-oidc/v3 v3.4.0
+	github.com/dchest/uniuri v0.0.0-20220929095258-3027df40b6ce
+	github.com/deckarep/golang-set v1.8.0
+	github.com/docker/distribution v2.8.1+incompatible
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7
 	github.com/go-ldap/ldap v3.0.3+incompatible
 	github.com/go-redis/redis v6.15.9+incompatible
-	github.com/go-sql-driver/mysql v1.5.0
-	github.com/golang/snappy v0.0.3 // indirect
+	github.com/go-sql-driver/mysql v1.6.0
+	github.com/go-stack/stack v1.8.1 // indirect
+	github.com/gobuffalo/genny v0.1.1 // indirect
+	github.com/gobuffalo/gogen v0.1.1 // indirect
+	github.com/goccy/go-json v0.9.11 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/jstemmer/go-junit-report v1.0.0 // indirect
+	github.com/karrick/godirwalk v1.10.3 // indirect
+	github.com/klauspost/compress v1.15.11 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lib/pq v1.9.0
-	github.com/magefile/mage v1.11.0 // indirect
+	github.com/lib/pq v1.10.7
+	github.com/magefile/mage v1.14.0 // indirect
 	github.com/mattn/go-sqlite3 v2.0.3+incompatible
+	github.com/montanaflynn/stats v0.6.6 // indirect
+	github.com/pelletier/go-toml v1.7.0 // indirect
 	github.com/schwarmco/go-cartesian-product v0.0.0-20180515110546-d5ee747a6dc9
-	github.com/sirupsen/logrus v1.8.0 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/stretchr/testify v1.7.0 // indirect
 	github.com/syndtr/goleveldb v1.0.0
-	go.mongodb.org/mongo-driver v1.7.1
+	github.com/youmark/pkcs8 v0.0.0-20201027041543-1326539a0a0a // indirect
+	go.mongodb.org/mongo-driver v1.10.2
 	go.opencensus.io v0.23.0 // indirect
-	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b
-	golang.org/x/net v0.0.0-20210326060303-6b1517762897
-	golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93
-	golang.org/x/sys v0.0.0-20210502180810-71e4cd670f79 // indirect
-	google.golang.org/api v0.40.0
-	google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb // indirect
-	google.golang.org/grpc v1.36.0 // indirect
+	golang.org/x/crypto v0.0.0-20220926161630-eccd6366d1be
+	golang.org/x/net v0.0.0-20220930213112-107f3e3c3b0b
+	golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1
+	golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0 // indirect
+	golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec // indirect
+	golang.org/x/tools v0.1.12 // indirect
+	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+	google.golang.org/api v0.98.0
+	google.golang.org/genproto v0.0.0-20220930163606-c98284e70a91 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/fsnotify.v1 v1.4.7
 	gopkg.in/mgo.v2 v2.0.0-20190816093944-a6b53ec6cb22
 	gopkg.in/yaml.v2 v2.4.0
-	xorm.io/builder v0.3.9 // indirect
-	xorm.io/xorm v1.0.7
+	xorm.io/builder v0.3.12 // indirect
+	xorm.io/xorm v1.3.2
 )