package server
import (
"net/netip"
"net/url"
"github.com/netbirdio/netbird/management/server/idp"
"github.com/netbirdio/netbird/util"
)
type (
	// Protocol is the transport protocol a Host is reached over; the known
	// values are the UDP/DTLS/TCP/HTTP/HTTPS constants declared in this file.
	Protocol string

	// Provider names an authorization flow provider; NONE is the only value
	// declared in this file. Note that DeviceAuthorizationFlow.Provider is a
	// plain string, not this type.
	Provider string
)
const (
	// Transport protocols a Host may declare in Host.Proto.
	UDP   Protocol = "udp"
	DTLS  Protocol = "dtls"
	TCP   Protocol = "tcp"
	HTTP  Protocol = "http"
	HTTPS Protocol = "https"

	// NONE is the Provider value for "no authorization flow provider"
	// (inferred from the name; no other Provider values are declared here).
	NONE Provider = "none"
)
const (
	// DefaultDeviceAuthFlowScope defines the bare minimum scope to request in the
	// device authorization flow. "openid" is the scope that makes the request an
	// OpenID Connect request (i.e. asks the IdP for an ID token).
	DefaultDeviceAuthFlowScope string = "openid"
)
// Config of the Management service.
//
// Several fields are pointers and may be nil; within this file only
// DeviceAuthorizationFlow is nil-checked (in GetAuthAudiences).
type Config struct {
	// Stuns lists the STUN server hosts.
	Stuns []*Host
	// TURNConfig configures the TURNCredentialsManager (see TURNConfig).
	TURNConfig *TURNConfig
	// Signal is the Signal server host.
	Signal *Host

	// Datadir is presumably the management data directory; the path is consumed elsewhere.
	Datadir string
	// DataStoreEncryptionKey is key material, presumably used to encrypt the data store.
	// NOTE(review): keep it out of logs and config dumps.
	DataStoreEncryptionKey string

	// HttpConfig configures the HTTP server and JWT validation settings.
	// GetAuthAudiences dereferences it without a nil check.
	HttpConfig *HttpServerConfig

	// IdpManagerConfig configures the IdP manager integration.
	IdpManagerConfig *idp.Config

	// DeviceAuthorizationFlow is the optional OAuth 2.0 device authorization grant configuration.
	DeviceAuthorizationFlow *DeviceAuthorizationFlow

	// PKCEAuthorizationFlow is the optional authorization code + PKCE flow configuration.
	PKCEAuthorizationFlow *PKCEAuthorizationFlow

	// StoreConfig selects the store engine.
	StoreConfig StoreConfig

	// ReverseProxy describes the trusted reverse proxies in front of management,
	// used when extracting the real client IP (see ReverseProxy).
	ReverseProxy ReverseProxy
}
// GetAuthAudiences returns the JWT audiences accepted by the service, in order:
// HttpConfig.AuthAudience (always, even when empty), HttpConfig.ExtraAuthAudience
// (when non-empty) and DeviceAuthorizationFlow.ProviderConfig.Audience (when that
// flow is configured and its audience is non-empty).
//
// HttpConfig must be non-nil: it is dereferenced unconditionally, so a Config
// without an HTTP section panics here. NOTE(review): an empty AuthAudience still
// yields a "" entry in the result — confirm the JWT validator does not treat that
// as matching a missing aud claim.
func (c Config) GetAuthAudiences() []string {
	httpCfg := c.HttpConfig // must be non-nil; dereferenced below without a check
	out := []string{httpCfg.AuthAudience}

	if extra := httpCfg.ExtraAuthAudience; extra != "" {
		out = append(out, extra)
	}

	// The device flow is optional; only contribute its audience when the flow
	// is configured and actually names one.
	if flow := c.DeviceAuthorizationFlow; flow != nil {
		if aud := flow.ProviderConfig.Audience; aud != "" {
			out = append(out, aud)
		}
	}

	return out
}
// TURNConfig is a config of the TURNCredentialsManager
type TURNConfig struct {
	// TimeBasedCredentials enables time-limited TURN credentials
	// (inferred from the name; the manager itself lives elsewhere).
	TimeBasedCredentials bool
	// CredentialsTTL is how long issued credentials stay valid.
	CredentialsTTL util.Duration
	// Secret is the shared secret, presumably used to derive time-based credentials.
	// NOTE(review): credential material — keep out of logs and config dumps.
	Secret string
	// Turns lists the TURN server hosts.
	Turns []*Host
}
// HttpServerConfig is a config of the HTTP Management service server
type HttpServerConfig struct {
	// LetsEncryptDomain is the domain a certificate is obtained for via Let's Encrypt
	// (inferred from the name; the issuance logic lives elsewhere).
	LetsEncryptDomain string
	// CertFile is the location of the certificate
	CertFile string
	// CertKey is the location of the certificate private key
	CertKey string
	// AuthAudience identifies the recipients that the JWT is intended for (aud in JWT).
	// It is always the first entry returned by Config.GetAuthAudiences, even when empty.
	AuthAudience string
	// AuthIssuer identifies the principal that issued the JWT
	AuthIssuer string
	// AuthUserIDClaim is the name of the claim used as the user ID
	AuthUserIDClaim string
	// AuthKeysLocation is the location of the JWT key set containing the public keys
	// used to verify JWTs. It decides which signatures are trusted, so it must point
	// at a trusted source.
	AuthKeysLocation string
	// OIDCConfigEndpoint is the endpoint of an IDP manager to get OIDC configuration
	OIDCConfigEndpoint string
	// IdpSignKeyRefreshEnabled indicates whether the IdP signing key is currently being rotated
	IdpSignKeyRefreshEnabled bool
	// ExtraAuthAudience is an additional accepted JWT audience; Config.GetAuthAudiences
	// appends it only when it is non-empty.
	ExtraAuthAudience string
}
// Host represents a Wiretrustee host (e.g. STUN, TURN, Signal)
type Host struct {
	// Proto is the transport protocol (one of the Protocol constants).
	Proto Protocol
	// URI e.g. turns://stun.wiretrustee.com:4430 or signal.wiretrustee.com:10000
	URI string
	// Username is the credential user name for the host.
	Username string
	// Password is the credential for Username; treat as a secret.
	Password string
}
// DeviceAuthorizationFlow represents Device Authorization Flow information
// that can be used by the client to initiate an OAuth 2.0 device authorization grant flow,
// see https://datatracker.ietf.org/doc/html/rfc8628
type DeviceAuthorizationFlow struct {
	// Provider names the IdP provider for this flow. It is a plain string,
	// not the Provider type declared in this file.
	Provider string
	// ProviderConfig holds the IdP endpoints and client settings for the flow.
	ProviderConfig ProviderConfig
}
// PKCEAuthorizationFlow represents Authorization Code Flow information
// that can be used by the client to initiate an OAuth 2.0 authorization code grant flow
// with Proof Key for Code Exchange (PKCE). See https://datatracker.ietf.org/doc/html/rfc7636
type PKCEAuthorizationFlow struct {
	// ProviderConfig holds the IdP endpoints and client settings for the flow.
	// Unlike DeviceAuthorizationFlow, its Audience is not added by Config.GetAuthAudiences.
	ProviderConfig ProviderConfig
}
// ProviderConfig has all attributes needed to initiate a device/pkce authorization flow.
// Which fields are required depends on the flow; nothing in this file validates the combination.
type ProviderConfig struct {
	// ClientID An IDP application client id
	ClientID string
	// ClientSecret An IDP application client secret.
	// NOTE(review): this is a credential — confirm it is never logged or handed to clients.
	ClientSecret string
	// Domain An IDP API domain
	//
	// Deprecated: Use TokenEndpoint and DeviceAuthEndpoint
	Domain string
	// Audience is the audience (aud) value used for authorization validation.
	// Config.GetAuthAudiences adds the DeviceAuthorizationFlow's value when non-empty.
	Audience string
	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain an access token
	TokenEndpoint string
	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain a device authorization code
	DeviceAuthEndpoint string
	// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain an authorization code
	AuthorizationEndpoint string
	// Scope provides the scopes to be included in the token request
	// (a single string, not a slice; see DefaultDeviceAuthFlowScope).
	Scope string
	// UseIDToken indicates if the id token should be used for authentication
	UseIDToken bool
	// RedirectURLs lists the redirect URLs that receive the authorization code from the IDP manager
	RedirectURLs []string
}
// StoreConfig contains Store configuration
type StoreConfig struct {
	// Engine selects the store backend; StoreEngine is declared elsewhere in the package.
	Engine StoreEngine
}
// ReverseProxy contains reverse proxy configuration in front of management.
//
// These settings decide whose forwarded-address headers are believed; an
// over-broad prefix lets any client in it choose the IP the server records.
type ReverseProxy struct {
	// TrustedHTTPProxies represents a list of trusted HTTP proxies by their IP prefixes.
	// When extracting the real IP address from request headers, the middleware will verify
	// if the peer's address falls within one of these trusted IP prefixes.
	TrustedHTTPProxies []netip.Prefix

	// TrustedHTTPProxiesCount specifies the count of trusted HTTP proxies between the internet
	// and the server. When using the trusted proxy count method to extract the real IP address,
	// the middleware will search the X-Forwarded-For IP list from the rightmost by this count
	// minus one.
	TrustedHTTPProxiesCount uint

	// TrustedPeers represents a list of trusted peers by their IP prefixes.
	// These peers are considered trustworthy by the gRPC server operator,
	// and the middleware will attempt to extract the real IP address from
	// request headers if the peer's address falls within one of these
	// trusted IP prefixes.
	TrustedPeers []netip.Prefix
}
// validateURL reports whether httpURL parses with url.ParseRequestURI, i.e. it
// is an absolute URI (any scheme, including opaque ones such as "mailto:x") or a
// rooted path such as "/path". The empty string is rejected.
//
// Despite the name it does not enforce an http/https scheme or the presence of
// a host, so callers that need a reachable HTTP endpoint must check those
// themselves.
func validateURL(httpURL string) bool {
	if _, err := url.ParseRequestURI(httpURL); err != nil {
		return false
	}
	return true
}