mirror of
https://github.com/Termix-SSH/Termix.git
synced 2026-07-17 05:43:36 +00:00
ef4969dd35
Repositories are now the only data path. Replaces the 41 current-*-repository wrapper files, the DATABASE_LAYER_REPOSITORY_ROLLOUT flag/alias map and the unused database/runtime adapter with repositories/factory.ts, a plain DatabaseContext type and an in-memory TestSqliteDatabase test harness.
519 lines
14 KiB
TypeScript
519 lines
14 KiB
TypeScript
import { authLogger } from "../../utils/logger.js";
|
|
import type { SSOProviderType } from "../../../types/index.js";
|
|
import { DataCrypto } from "../../utils/data-crypto.js";
|
|
import { Agent } from "undici";
|
|
import { eq } from "drizzle-orm";
|
|
import { getDb } from "../db/index.js";
|
|
import { ssoProviders } from "../db/schema.js";
|
|
import {
|
|
createCurrentSettingsRepository,
|
|
createCurrentSsoProviderRepository,
|
|
} from "../repositories/factory.js";
|
|
|
|
const BACKCHANNEL_LOGOUT_EVENT =
|
|
"http://schemas.openid.net/event/backchannel-logout";
|
|
|
|
function normalizeIssuer(url: string): string {
|
|
return url.trim().replace(/\/+$/, "");
|
|
}
|
|
|
|
export type OIDCConfig = {
|
|
client_id: string;
|
|
client_secret: string;
|
|
issuer_url: string;
|
|
authorization_url: string;
|
|
token_url: string;
|
|
userinfo_url: string;
|
|
identifier_path: string;
|
|
name_path: string;
|
|
scopes: string;
|
|
allowed_users: string;
|
|
admin_group: string;
|
|
group_claim?: string;
|
|
ca_cert?: string;
|
|
};
|
|
|
|
export function buildFetchOptions(caCert?: string): Record<string, unknown> {
|
|
if (!caCert || !caCert.trim()) return {};
|
|
return { dispatcher: new Agent({ connect: { ca: caCert } }) };
|
|
}
|
|
|
|
export function getOIDCConfigFromEnv(): OIDCConfig | null {
|
|
const client_id = process.env.OIDC_CLIENT_ID;
|
|
const client_secret = process.env.OIDC_CLIENT_SECRET;
|
|
const issuer_url = process.env.OIDC_ISSUER_URL;
|
|
const authorization_url = process.env.OIDC_AUTHORIZATION_URL;
|
|
const token_url = process.env.OIDC_TOKEN_URL;
|
|
|
|
if (
|
|
!client_id ||
|
|
!client_secret ||
|
|
!issuer_url ||
|
|
!authorization_url ||
|
|
!token_url
|
|
) {
|
|
return null;
|
|
}
|
|
|
|
return {
|
|
client_id,
|
|
client_secret,
|
|
issuer_url,
|
|
authorization_url,
|
|
token_url,
|
|
userinfo_url: process.env.OIDC_USERINFO_URL || "",
|
|
identifier_path: process.env.OIDC_IDENTIFIER_PATH || "sub",
|
|
name_path: process.env.OIDC_NAME_PATH || "name",
|
|
scopes: process.env.OIDC_SCOPES || "openid email profile",
|
|
allowed_users: process.env.OIDC_ALLOWED_USERS || "",
|
|
admin_group: process.env.OIDC_ADMIN_GROUP || "",
|
|
group_claim: process.env.OIDC_GROUP_CLAIM || "",
|
|
};
|
|
}
|
|
|
|
/**
|
|
* Extracts the list of group/role names from an OIDC userInfo payload.
|
|
*
|
|
* When `groupClaim` is set, that claim is read first (useful for providers like
|
|
* Zitadel that nest roles under a custom path such as
|
|
* `urn:zitadel:iam:org:project:roles`). Otherwise the common `groups`, `roles`
|
|
* and `group` claims are tried. Values may be an array, a comma-separated
|
|
* string, or an object whose keys are the group names.
|
|
*/
|
|
export function extractOidcGroups(
|
|
userInfo: Record<string, unknown>,
|
|
groupClaim?: string,
|
|
): string[] {
|
|
let raw: unknown;
|
|
if (groupClaim && groupClaim.trim()) {
|
|
raw = userInfo[groupClaim.trim()];
|
|
}
|
|
if (raw === undefined || raw === null) {
|
|
raw = userInfo.groups ?? userInfo.roles ?? userInfo.group;
|
|
}
|
|
|
|
if (Array.isArray(raw)) {
|
|
return raw.map(String);
|
|
}
|
|
if (typeof raw === "string") {
|
|
return raw
|
|
.split(",")
|
|
.map((s) => s.trim())
|
|
.filter(Boolean);
|
|
}
|
|
if (raw && typeof raw === "object") {
|
|
return Object.keys(raw as Record<string, unknown>);
|
|
}
|
|
return [];
|
|
}
|
|
|
|
export function isOIDCUserAllowed(
|
|
allowedUsers: string,
|
|
identifier: string,
|
|
email?: string,
|
|
): boolean {
|
|
if (!allowedUsers || !allowedUsers.trim()) return true;
|
|
const patterns = allowedUsers
|
|
.split(/[\n,]/)
|
|
.map((p) => p.trim())
|
|
.filter(Boolean);
|
|
if (patterns.length === 0) return true;
|
|
|
|
const values = [
|
|
identifier,
|
|
...(email && email !== identifier ? [email] : []),
|
|
];
|
|
for (const pattern of patterns) {
|
|
if (pattern === "*") return true;
|
|
if (pattern.includes("*")) {
|
|
const escaped = pattern
|
|
.toLowerCase()
|
|
.replace(/[.+^${}()|[\]\\]/g, "\\$&")
|
|
.replace(/\*/g, ".*");
|
|
const regex = new RegExp(`^${escaped}$`);
|
|
if (values.some((v) => v && regex.test(v.toLowerCase()))) return true;
|
|
continue;
|
|
}
|
|
for (const value of values) {
|
|
if (!value) continue;
|
|
if (pattern.toLowerCase().startsWith("@")) {
|
|
if (value.toLowerCase().endsWith(pattern.toLowerCase())) return true;
|
|
} else {
|
|
if (value.toLowerCase() === pattern.toLowerCase()) return true;
|
|
}
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
export async function verifyOIDCToken(
|
|
idToken: string,
|
|
issuerUrl: string,
|
|
clientId: string,
|
|
caCert?: string,
|
|
): Promise<Record<string, unknown>> {
|
|
const fetchOptions = buildFetchOptions(caCert);
|
|
const normalizedIssuerUrl = issuerUrl.endsWith("/")
|
|
? issuerUrl.slice(0, -1)
|
|
: issuerUrl;
|
|
const possibleIssuers = [
|
|
issuerUrl,
|
|
normalizedIssuerUrl,
|
|
issuerUrl.replace(/\/application\/o\/[^/]+$/, ""),
|
|
normalizedIssuerUrl.replace(/\/application\/o\/[^/]+$/, ""),
|
|
];
|
|
|
|
const jwksUrls = [
|
|
`${normalizedIssuerUrl}/.well-known/jwks.json`,
|
|
`${normalizedIssuerUrl}/jwks/`,
|
|
`${normalizedIssuerUrl.replace(/\/application\/o\/[^/]+$/, "")}/.well-known/jwks.json`,
|
|
];
|
|
|
|
try {
|
|
const discoveryUrl = `${normalizedIssuerUrl}/.well-known/openid-configuration`;
|
|
const discoveryResponse = await fetch(discoveryUrl, fetchOptions);
|
|
if (discoveryResponse.ok) {
|
|
const discovery = (await discoveryResponse.json()) as Record<
|
|
string,
|
|
unknown
|
|
>;
|
|
if (discovery.jwks_uri) {
|
|
jwksUrls.unshift(discovery.jwks_uri as string);
|
|
}
|
|
}
|
|
} catch (discoveryError) {
|
|
authLogger.error(`OIDC discovery failed: ${discoveryError}`);
|
|
}
|
|
|
|
let jwks: Record<string, unknown> | null = null;
|
|
|
|
for (const url of jwksUrls) {
|
|
try {
|
|
const response = await fetch(url, fetchOptions);
|
|
if (response.ok) {
|
|
const jwksData = (await response.json()) as Record<string, unknown>;
|
|
if (jwksData && jwksData.keys && Array.isArray(jwksData.keys)) {
|
|
jwks = jwksData;
|
|
break;
|
|
} else {
|
|
authLogger.error(
|
|
`Invalid JWKS structure from ${url}: ${JSON.stringify(jwksData)}`,
|
|
);
|
|
}
|
|
} else {
|
|
// expected - non-ok response, try next URL
|
|
}
|
|
} catch {
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (!jwks) {
|
|
throw new Error("Failed to fetch JWKS from any URL");
|
|
}
|
|
|
|
if (!jwks.keys || !Array.isArray(jwks.keys)) {
|
|
throw new Error(
|
|
`Invalid JWKS response structure. Expected 'keys' array, got: ${JSON.stringify(jwks)}`,
|
|
);
|
|
}
|
|
|
|
const header = JSON.parse(
|
|
Buffer.from(idToken.split(".")[0], "base64").toString(),
|
|
);
|
|
const keyId = header.kid;
|
|
|
|
const publicKey = jwks.keys.find(
|
|
(key: Record<string, unknown>) => key.kid === keyId,
|
|
);
|
|
if (!publicKey) {
|
|
throw new Error(
|
|
`No matching public key found for key ID: ${keyId}. Available keys: ${jwks.keys.map((k: Record<string, unknown>) => k.kid).join(", ")}`,
|
|
);
|
|
}
|
|
|
|
const { importJWK, jwtVerify } = await import("jose");
|
|
const key = await importJWK(publicKey);
|
|
|
|
const { payload } = await jwtVerify(idToken, key, {
|
|
issuer: possibleIssuers,
|
|
audience: clientId,
|
|
});
|
|
|
|
return payload;
|
|
}
|
|
|
|
const GOOGLE_DEFAULTS = {
|
|
issuer_url: "https://accounts.google.com",
|
|
authorization_url: "https://accounts.google.com/o/oauth2/v2/auth",
|
|
token_url: "https://oauth2.googleapis.com/token",
|
|
userinfo_url: "https://openidconnect.googleapis.com/v1/userinfo",
|
|
identifier_path: "sub",
|
|
name_path: "name",
|
|
scopes: "openid email profile",
|
|
};
|
|
|
|
const GITHUB_DEFAULTS = {
|
|
issuer_url: "https://token.actions.githubusercontent.com",
|
|
authorization_url: "https://github.com/login/oauth/authorize",
|
|
token_url: "https://github.com/login/oauth/access_token",
|
|
userinfo_url: "https://api.github.com/user",
|
|
identifier_path: "id",
|
|
name_path: "name",
|
|
scopes: "read:user user:email",
|
|
};
|
|
|
|
function applyProviderDefaults(
|
|
config: OIDCConfig,
|
|
providerType: string,
|
|
): OIDCConfig {
|
|
const defaults =
|
|
providerType === "google"
|
|
? GOOGLE_DEFAULTS
|
|
: providerType === "github"
|
|
? GITHUB_DEFAULTS
|
|
: null;
|
|
if (!defaults) return config;
|
|
return {
|
|
...config,
|
|
issuer_url: config.issuer_url || defaults.issuer_url,
|
|
authorization_url: config.authorization_url || defaults.authorization_url,
|
|
token_url: config.token_url || defaults.token_url,
|
|
userinfo_url: config.userinfo_url || defaults.userinfo_url,
|
|
identifier_path: config.identifier_path || defaults.identifier_path,
|
|
name_path: config.name_path || defaults.name_path,
|
|
scopes: config.scopes || defaults.scopes,
|
|
};
|
|
}
|
|
|
|
function decryptConfigSecret(
|
|
config: Record<string, unknown>,
|
|
): Record<string, unknown> {
|
|
const out = { ...config };
|
|
for (const field of ["client_secret", "bindPassword"] as const) {
|
|
const val = out[field] as string | undefined;
|
|
if (val?.startsWith("encoded:")) {
|
|
try {
|
|
out[field] = Buffer.from(val.substring(8), "base64").toString("utf8");
|
|
} catch {
|
|
// leave as-is
|
|
}
|
|
} else if (val?.startsWith("encrypted:")) {
|
|
// encrypted: prefix means it was encrypted with DataCrypto; without a
|
|
// userId/dataKey here we cannot decrypt it. The caller should use the
|
|
// full admin decrypt path when possible. Fall back to stripping prefix.
|
|
try {
|
|
out[field] = Buffer.from(val.substring(10), "base64").toString("utf8");
|
|
} catch {
|
|
// leave as-is
|
|
}
|
|
}
|
|
}
|
|
return out;
|
|
}
|
|
|
|
export async function loadProviderConfig(
|
|
providerId: number | null | undefined,
|
|
adminUserId?: string,
|
|
): Promise<{
|
|
config: OIDCConfig;
|
|
providerType: SSOProviderType;
|
|
providerDbId: number | null;
|
|
} | null> {
|
|
if (providerId != null) {
|
|
try {
|
|
const row =
|
|
await createCurrentSsoProviderRepository().findById(providerId);
|
|
if (row) {
|
|
let parsed: Record<string, unknown>;
|
|
try {
|
|
parsed = JSON.parse(row.config);
|
|
} catch {
|
|
parsed = {};
|
|
}
|
|
if (adminUserId) {
|
|
try {
|
|
const adminDataKey = DataCrypto.getUserDataKey(adminUserId);
|
|
if (adminDataKey) {
|
|
parsed = DataCrypto.decryptRecord(
|
|
"settings",
|
|
parsed,
|
|
adminUserId,
|
|
adminDataKey,
|
|
);
|
|
}
|
|
} catch {
|
|
parsed = decryptConfigSecret(parsed);
|
|
}
|
|
} else {
|
|
parsed = decryptConfigSecret(parsed);
|
|
}
|
|
const providerType = row.type as SSOProviderType;
|
|
const config = applyProviderDefaults(
|
|
parsed as unknown as OIDCConfig,
|
|
providerType,
|
|
);
|
|
return {
|
|
config,
|
|
providerType,
|
|
providerDbId: row.id,
|
|
};
|
|
}
|
|
} catch (err) {
|
|
authLogger.error("Failed to load SSO provider config by id", err, {
|
|
providerId,
|
|
});
|
|
}
|
|
}
|
|
|
|
// Fallback: env vars
|
|
const envConfig = getOIDCConfigFromEnv();
|
|
if (envConfig) {
|
|
return { config: envConfig, providerType: "oidc", providerDbId: null };
|
|
}
|
|
|
|
// Fallback: first enabled OIDC-type provider in ssoProviders table
|
|
try {
|
|
const oidcRow =
|
|
await createCurrentSsoProviderRepository().findFirstEnabledOidcLike();
|
|
if (oidcRow) {
|
|
let parsed: Record<string, unknown>;
|
|
try {
|
|
parsed = JSON.parse(oidcRow.config);
|
|
} catch {
|
|
parsed = {};
|
|
}
|
|
parsed = decryptConfigSecret(parsed);
|
|
const oidcProviderType = oidcRow.type as SSOProviderType;
|
|
return {
|
|
config: applyProviderDefaults(
|
|
parsed as unknown as OIDCConfig,
|
|
oidcProviderType,
|
|
),
|
|
providerType: oidcProviderType,
|
|
providerDbId: oidcRow.id,
|
|
};
|
|
}
|
|
} catch {
|
|
// fall through to legacy
|
|
}
|
|
|
|
// Fallback: legacy settings blob
|
|
try {
|
|
const legacyValue =
|
|
await createCurrentSettingsRepository().get("oidc_config");
|
|
if (legacyValue) {
|
|
let config = JSON.parse(legacyValue) as Record<string, unknown>;
|
|
config = decryptConfigSecret(config);
|
|
return {
|
|
config: config as unknown as OIDCConfig,
|
|
providerType: "oidc",
|
|
providerDbId: null,
|
|
};
|
|
}
|
|
} catch {
|
|
// no legacy config
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
export async function resolveProviderByIssuer(issuer: string): Promise<{
|
|
config: OIDCConfig;
|
|
providerType: SSOProviderType;
|
|
providerDbId: number | null;
|
|
} | null> {
|
|
const target = normalizeIssuer(issuer);
|
|
|
|
try {
|
|
const rows = await getDb()
|
|
.select()
|
|
.from(ssoProviders)
|
|
.where(eq(ssoProviders.enabled, true));
|
|
for (const row of rows) {
|
|
if (!["oidc", "github", "google"].includes(row.type)) continue;
|
|
let parsed: Record<string, unknown>;
|
|
try {
|
|
parsed = JSON.parse(row.config);
|
|
} catch {
|
|
continue;
|
|
}
|
|
parsed = decryptConfigSecret(parsed);
|
|
const providerType = row.type as SSOProviderType;
|
|
const config = applyProviderDefaults(
|
|
parsed as unknown as OIDCConfig,
|
|
providerType,
|
|
);
|
|
if (config.issuer_url && normalizeIssuer(config.issuer_url) === target) {
|
|
return { config, providerType, providerDbId: row.id };
|
|
}
|
|
}
|
|
} catch (err) {
|
|
authLogger.error("Failed to resolve SSO provider by issuer", err, {
|
|
issuer,
|
|
});
|
|
}
|
|
|
|
const envConfig = getOIDCConfigFromEnv();
|
|
if (
|
|
envConfig?.issuer_url &&
|
|
normalizeIssuer(envConfig.issuer_url) === target
|
|
) {
|
|
return { config: envConfig, providerType: "oidc", providerDbId: null };
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
export type LogoutTokenClaims = {
|
|
sub: string | null;
|
|
sid: string | null;
|
|
jti: string;
|
|
};
|
|
|
|
export function validateLogoutTokenClaims(
|
|
payload: Record<string, unknown>,
|
|
): LogoutTokenClaims {
|
|
if ("nonce" in payload) {
|
|
throw new Error("logout_token must not contain a nonce claim");
|
|
}
|
|
|
|
const event = (payload.events as Record<string, unknown> | undefined)?.[
|
|
BACKCHANNEL_LOGOUT_EVENT
|
|
];
|
|
if (!event || typeof event !== "object" || Array.isArray(event)) {
|
|
throw new Error("logout_token missing back-channel logout event");
|
|
}
|
|
|
|
if (!Number.isInteger(payload.iat)) {
|
|
throw new Error("logout_token missing iat claim");
|
|
}
|
|
|
|
const jti = typeof payload.jti === "string" ? payload.jti.trim() : "";
|
|
if (!jti) {
|
|
throw new Error("logout_token missing jti claim");
|
|
}
|
|
|
|
const sub = typeof payload.sub === "string" ? payload.sub : null;
|
|
const sid = typeof payload.sid === "string" ? payload.sid : null;
|
|
if (!sub && !sid) {
|
|
throw new Error("logout_token must contain sub and/or sid");
|
|
}
|
|
|
|
return { sub, sid, jti };
|
|
}
|
|
|
|
export async function validateLogoutToken(
|
|
logoutToken: string,
|
|
config: OIDCConfig,
|
|
): Promise<LogoutTokenClaims> {
|
|
const payload = await verifyOIDCToken(
|
|
logoutToken,
|
|
config.issuer_url,
|
|
config.client_id,
|
|
config.ca_cert,
|
|
);
|
|
|
|
return validateLogoutTokenClaims(payload);
|
|
}
|