mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-12 22:10:25 +00:00
37412e6a00
Enhances authorized integrations (#12261) with a cache of the remote OpenID Connect descriptor file and JSON Web Key Set (JWKS), improving runtime performance and reducing intermittent reliability risks. By default a 10 minute cache is used, configurable through `[authorized_integration].CACHE_TTL`. To mock the cache for testing, mockery code generation is added, and a previous manually generated mock for `AuthorizationReducer` was replaced with the code generation. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. - Authorized integrations are not yet exposed to end-users. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12275 Reviewed-by: Gusted <gusted@noreply.codeberg.org>
423 lines
16 KiB
Go
423 lines
16 KiB
Go
// Copyright 2026 The Forgejo Authors. All rights reserved.
|
|
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
package method
|
|
|
|
import (
|
|
"bufio"
|
|
"bytes"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"net/url"
|
|
"slices"
|
|
"sync"
|
|
"time"
|
|
|
|
auth_model "forgejo.org/models/auth"
|
|
user_model "forgejo.org/models/user"
|
|
"forgejo.org/modules/cache"
|
|
"forgejo.org/modules/hostmatcher"
|
|
"forgejo.org/modules/json"
|
|
"forgejo.org/modules/jwtx"
|
|
"forgejo.org/modules/log"
|
|
"forgejo.org/modules/proxy"
|
|
"forgejo.org/modules/setting"
|
|
"forgejo.org/modules/util"
|
|
"forgejo.org/services/auth"
|
|
"forgejo.org/services/authz"
|
|
|
|
"github.com/gobwas/glob"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
var (
|
|
_ auth.Method = &AuthorizedIntegration{}
|
|
|
|
aiHTTPClient *http.Client
|
|
initHTTPClient sync.Once
|
|
|
|
errParseInternalServer = errors.New("internal server error")
|
|
|
|
// Allow mocking / overridding during tests:
|
|
GetAuthorizedIntegrationHTTPClient = func() *http.Client {
|
|
initHTTPClient.Do(initAuthorizedIntegrationHTTPClient)
|
|
return aiHTTPClient
|
|
}
|
|
getCache = cache.GetCache
|
|
)
|
|
|
|
// Restrict document size to prevent resource exhaustion attack with a malicious authorized integration; largest
|
|
// real-world openid-configuration observed is about 1kB, largest JWKS is 6kB, so for both cases 16kB should be
|
|
// sufficient. If this needs to change in the future, it could be moved to a config setting -- but until a reason comes
|
|
// up it seems reasonable to keep microscopic settings out-of-sight.
|
|
const authorizedIntegrationRequestBodyLimit = int64(16 * 1024)
|
|
|
|
// Authenticates incoming requests by JWTs that are issued by an authorized integration. Authorized integrations are
|
|
// stored in the database in the [auth_model.AuthorizedIntegration] table. Once authenticated, the request can perform
|
|
// actions as the owner of the authorized integration, with limited access defined by the scope and resources stored on
|
|
// the database record.
|
|
//
|
|
// Authorization is received from HTTP requests as a `Authorization: Bearer [...jwt...]` (or `Authorization: Token
|
|
// [...jwt...]`).
|
|
type AuthorizedIntegration struct {
|
|
// Permit the use of `Authorization: Basic ...`, in addition to the typical bearer/token authorization header. If
|
|
// true, the basic password will be interpreted as a JWT token if present and valid. The username is ignored.
|
|
PermitBasic bool
|
|
|
|
// For testing -- interpret JWTs with now as a fixed time.
|
|
fixedTime *time.Time
|
|
}
|
|
|
|
func (a *AuthorizedIntegration) Verify(req *http.Request, w http.ResponseWriter, _ auth.SessionStore) auth.MethodOutput {
|
|
hasToken, token := tokenFromAuthorizationBearer(req).Get()
|
|
if !hasToken {
|
|
if !a.PermitBasic {
|
|
return &auth.AuthenticationNotAttempted{}
|
|
}
|
|
hasBasic, basicToken := tokenFromAuthorizationBasic(req).Get()
|
|
if !hasBasic {
|
|
return &auth.AuthenticationNotAttempted{}
|
|
}
|
|
token = basicToken
|
|
}
|
|
|
|
var authorizedIntegration *auth_model.AuthorizedIntegration
|
|
|
|
parsedToken, err := jwt.ParseWithClaims(token, &flexibleClaims{},
|
|
func(t *jwt.Token) (any, error) {
|
|
keyID, ok := t.Header["kid"]
|
|
if !ok {
|
|
return nil, errors.New("failed finding key identifer (kid) in JWT headers")
|
|
}
|
|
|
|
issuer, err := t.Claims.GetIssuer()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed getting `iss` claim: %w", err)
|
|
} else if len(issuer) == 0 {
|
|
return nil, fmt.Errorf("invalid `iss` claim: %q", issuer)
|
|
}
|
|
audienceArray, err := t.Claims.GetAudience()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed getting `aud` claim: %w", err)
|
|
} else if len(audienceArray) != 1 {
|
|
return nil, fmt.Errorf("required one and only one `aud` claim, but received %d", len(audienceArray))
|
|
}
|
|
audience := audienceArray[0]
|
|
if len(audience) == 0 {
|
|
return nil, fmt.Errorf("invalid `aud` claim: %q", audience)
|
|
}
|
|
|
|
authorizedIntegration, err = auth_model.GetAuthorizedIntegration(req.Context(), issuer, audience)
|
|
if errors.Is(err, util.ErrNotExist) {
|
|
return nil, errors.New("matching authorized_integration not found")
|
|
} else if err != nil {
|
|
return nil, fmt.Errorf("failure reading authorized_integration: %w (%w)", err, errParseInternalServer)
|
|
}
|
|
|
|
// Do the claim check before accessing the issuer's OIDC metadata and JWKS, to reduce risk of resource
|
|
// utilization attack through invalid JWTs causing remote requests.
|
|
err = a.checkClaims(t.Claims.(*flexibleClaims), authorizedIntegration.ClaimRules)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("claim mismatch: %w", err)
|
|
}
|
|
|
|
issuerURL, err := url.Parse(issuer)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed parsing issuer: %w", err)
|
|
}
|
|
|
|
issuerOIDCURL := issuerURL.JoinPath(".well-known/openid-configuration")
|
|
var oidcConfig openIDConfiguration
|
|
if err := authorizedIntegrationFetchJSON(issuerOIDCURL.String(), &oidcConfig); err != nil {
|
|
return nil, fmt.Errorf("error when fetching .well-known/openid-configuration from %s: %w", issuerOIDCURL, err)
|
|
}
|
|
|
|
if oidcConfig.Issuer != issuer {
|
|
return nil, fmt.Errorf("issuer mismatch; expected %q, received %q from %s", issuer, oidcConfig.Issuer, issuerOIDCURL)
|
|
}
|
|
if !slices.Contains(oidcConfig.IDTokenSigningAlgValuesSupported, t.Method.Alg()) {
|
|
return nil, fmt.Errorf("issuer supports signature algorithms %#v, but received token with algorithm %s", oidcConfig.IDTokenSigningAlgValuesSupported, t.Method.Alg())
|
|
}
|
|
|
|
jwksURI, err := url.Parse(oidcConfig.JwksURI)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed parsing jwks_uri: %w", err)
|
|
} else if jwksURI.Host != issuerURL.Host {
|
|
// Prevent SSRF which could occur if a malicious openid-connection response returned a jwks_uri field
|
|
// that causes Forgejo to access other hostnames. This could be considered a valid case as well and we
|
|
// can rely on the config-based allowed and blocked domains for the [authorized_integration] section,
|
|
// but until a real-world case comes up where that is needed, this is a safety-first restriction.
|
|
return nil, fmt.Errorf("jwks_uri host mismatch: must be the same as issuer host %q, but was %q", issuerURL.Host, jwksURI.Host)
|
|
}
|
|
var keys openIDKeys
|
|
if err := authorizedIntegrationFetchJSON(oidcConfig.JwksURI, &keys); err != nil {
|
|
return nil, fmt.Errorf("error when fetching JWKS from %s: %w", oidcConfig.JwksURI, err)
|
|
}
|
|
|
|
for _, key := range keys.Keys {
|
|
if key["kid"] == keyID {
|
|
alg, algPresent := key["alg"] // "alg" is an optional field
|
|
if algPresent && alg != t.Method.Alg() {
|
|
return nil, fmt.Errorf("kid %q doesn't match expected algorithm %s, was %v", keyID, t.Method.Alg(), key["alg"])
|
|
}
|
|
|
|
use, usePresent := key["use"] // "use" is also an optional field
|
|
if usePresent && use != "sig" {
|
|
return nil, fmt.Errorf("kid %q isn't designated for signing usage, was %s", keyID, key["use"])
|
|
}
|
|
|
|
pub, err := jwtx.ParseJWKToPublicKey(key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to parse JWKS: %w", err)
|
|
}
|
|
return pub, nil
|
|
}
|
|
}
|
|
|
|
return nil, errors.New("no key identified")
|
|
},
|
|
jwt.WithValidMethods(jwtx.ValidAsymmetricAlgorithms), // only asymetric algorithms, as JWKS must have a public key only
|
|
jwt.WithIssuedAt(),
|
|
jwt.WithTimeFunc(func() time.Time {
|
|
if a.fixedTime != nil {
|
|
return *a.fixedTime
|
|
}
|
|
return time.Now()
|
|
}),
|
|
)
|
|
if err != nil && errors.Is(err, errParseInternalServer) {
|
|
// Errors from parsing marked errParseInternalServer are AuthenticationError, not incorrect creds:
|
|
return &auth.AuthenticationError{Error: err}
|
|
} else if err != nil {
|
|
return &auth.AuthenticationAttemptedIncorrectCredential{Error: fmt.Errorf("authorized integration: parse JWT error: %w", err)}
|
|
} else if !parsedToken.Valid {
|
|
return &auth.AuthenticationAttemptedIncorrectCredential{Error: errors.New("authorized integration: JWT not valid")}
|
|
} else if authorizedIntegration == nil { // shouldn't be possible, but overly safe
|
|
return &auth.AuthenticationError{Error: errors.New("authorized integration: nil authorized integration")}
|
|
}
|
|
|
|
u, err := user_model.GetUserByID(req.Context(), authorizedIntegration.UserID)
|
|
if err != nil {
|
|
return &auth.AuthenticationError{Error: fmt.Errorf("authorized integration: GetUserByID: %w", err)}
|
|
}
|
|
|
|
if err = authorizedIntegration.UpdateLastUsed(req.Context()); err != nil {
|
|
log.Error("UpdateLastUsed: %v", err)
|
|
}
|
|
|
|
reducer, err := authz.GetAuthorizationReducerForAuthorizedIntegration(req.Context(), authorizedIntegration)
|
|
if err != nil {
|
|
return &auth.AuthenticationError{Error: fmt.Errorf("authorized integration GetAuthorizationReducerForAuthorizedIntegration: %w", err)}
|
|
}
|
|
|
|
return &auth.AuthenticationSuccess{
|
|
Result: &authorizedIntegrationAuthenticationResult{
|
|
user: u,
|
|
scope: authorizedIntegration.Scope,
|
|
reducer: reducer,
|
|
},
|
|
}
|
|
}
|
|
|
|
func initAuthorizedIntegrationHTTPClient() {
|
|
blockList := hostmatcher.ParseSimpleMatchList("authorized_integration.BLOCKED_DOMAINS", setting.AuthorizedIntegration.BlockedDomains)
|
|
|
|
allowList := hostmatcher.ParseSimpleMatchList("authorized_integration.ALLOWED_DOMAINS", setting.AuthorizedIntegration.AllowedDomains)
|
|
if allowList.IsEmpty() {
|
|
// the default policy is that authorized integrations can access external hosts
|
|
allowList.AppendBuiltin(hostmatcher.MatchBuiltinExternal)
|
|
}
|
|
if setting.AuthorizedIntegration.AllowLocalNetworks {
|
|
allowList.AppendBuiltin(hostmatcher.MatchBuiltinPrivate)
|
|
allowList.AppendBuiltin(hostmatcher.MatchBuiltinLoopback)
|
|
}
|
|
|
|
aiHTTPClient = &http.Client{
|
|
Timeout: setting.AuthorizedIntegration.RequestTimeout,
|
|
Transport: &http.Transport{
|
|
Proxy: proxy.Proxy(),
|
|
DialContext: hostmatcher.NewDialContext("authorized_integration", allowList, blockList, setting.Proxy.ProxyURLFixed),
|
|
},
|
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
|
// It might be possible to come up with some reasonable capability to support redirects -- such as
|
|
// keeping them within the same issuer host? -- but there are risks that this can be used for SSRF
|
|
// attacks. In the face of those risks, and with a lack of real-world use-cases, disable redirects.
|
|
return errors.New("authorized integration: HTTP redirects are disabled")
|
|
},
|
|
}
|
|
}
|
|
|
|
func authorizedIntegrationCacheKey(urlString string) string {
|
|
return fmt.Sprintf("auth-int-remote:%s", urlString)
|
|
}
|
|
|
|
func authorizedIntegrationCacheGetJSON[K any](urlString string, v *K) bool {
|
|
conn := getCache()
|
|
if conn == nil {
|
|
return false
|
|
}
|
|
|
|
cachedAny := conn.Get(authorizedIntegrationCacheKey(urlString))
|
|
if cachedAny == nil {
|
|
return false
|
|
}
|
|
cachedBytes, ok := cachedAny.([]byte)
|
|
if !ok {
|
|
cachedString, ok := cachedAny.(string)
|
|
if !ok {
|
|
log.Error("cached content was not []byte or string, but was %T", cachedAny)
|
|
return false
|
|
}
|
|
cachedBytes = []byte(cachedString)
|
|
}
|
|
|
|
err := json.Unmarshal(cachedBytes, &v)
|
|
if err != nil {
|
|
// This error case shouldn't occur, as we only store data in the cache once we're sure we could unmarshal it.
|
|
// If it does occur, log and fallback to treating as uncached.
|
|
log.Error("failed to Unmarshal cached content: %s", err)
|
|
// Caller may reuse `v` in a future unmarshal/decode call, and failure here may have polluted it.
|
|
var zeroValue K
|
|
*v = zeroValue
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
func authorizedIntegrationCacheSetJSON(urlString string, buf []byte) {
|
|
conn := getCache()
|
|
if conn == nil {
|
|
return
|
|
}
|
|
err := conn.Put(authorizedIntegrationCacheKey(urlString), buf, int64(setting.AuthorizedIntegration.CacheTTL.Seconds()))
|
|
if err != nil {
|
|
log.Error("failed to put cache: %s", err)
|
|
}
|
|
}
|
|
|
|
func authorizedIntegrationFetchJSON[K any](urlString string, v *K) error {
|
|
parsedURL, err := url.Parse(urlString)
|
|
if err != nil {
|
|
return fmt.Errorf("failed parsing URL %q: %w", urlString, err)
|
|
}
|
|
// Fetching openid-connect or JWKS needs to come from a source that is authentic, and therefore only `https` is
|
|
// supported. This also protects against a trusted issuer being configured maliciously as `file://` or a JKWS URI
|
|
// being `file://` -- the HTTP client won't permit that, but, extra safety doesn't hurt.
|
|
if parsedURL.Scheme != "https" {
|
|
return fmt.Errorf("unsupported URL scheme: %q", parsedURL.String())
|
|
}
|
|
|
|
// Check our cache, save a remote HTTP interaction.
|
|
if authorizedIntegrationCacheGetJSON(urlString, v) {
|
|
return nil
|
|
}
|
|
|
|
resp, err := GetAuthorizedIntegrationHTTPClient().Get(parsedURL.String())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
return fmt.Errorf("non-OK response code: %s", resp.Status)
|
|
}
|
|
|
|
bodyReader := io.LimitReader(resp.Body, authorizedIntegrationRequestBodyLimit)
|
|
var buf bytes.Buffer
|
|
_, err = io.Copy(bufio.NewWriter(&buf), bodyReader)
|
|
if err != nil {
|
|
return fmt.Errorf("read from remote error: %w", err)
|
|
}
|
|
|
|
err = json.Unmarshal(buf.Bytes(), &v)
|
|
if err != nil {
|
|
// If a decoding error is hit, decorate with information about the limited body size so that it doesn't look
|
|
// like the remote server provided an incomplete response. err should be something like `io.UnexpectedEOF` in
|
|
// this case, but it actually isn't, so don't bother trying to detect precisely.
|
|
return fmt.Errorf("failed to decode (response body restricted to %d bytes): %w", authorizedIntegrationRequestBodyLimit, err)
|
|
}
|
|
|
|
// Successfully decoded the response -- cache the raw bytes for later access.
|
|
authorizedIntegrationCacheSetJSON(urlString, buf.Bytes())
|
|
|
|
return nil
|
|
}
|
|
|
|
// Compare a map[string]any of incoming claims against an array of claim rules. All rules must match successfully or
|
|
// else an error with the mismatch detail is returned.
|
|
func (a *AuthorizedIntegration) checkClaims(incomingClaims any, stored *auth_model.ClaimRules) error {
|
|
if stored == nil {
|
|
return nil
|
|
}
|
|
|
|
for _, rule := range stored.Rules {
|
|
var lhs any
|
|
|
|
if lhsClaim, isFlex := incomingClaims.(*flexibleClaims); isFlex {
|
|
switch rule.Claim {
|
|
case "iss":
|
|
lhs = lhsClaim.Issuer
|
|
case "sub":
|
|
lhs = lhsClaim.Subject
|
|
case "jti":
|
|
lhs = lhsClaim.ID
|
|
case "aud":
|
|
audienceArray, err := lhsClaim.GetAudience()
|
|
if err != nil {
|
|
return fmt.Errorf("failed getting `aud` claim: %w", err)
|
|
} else if len(audienceArray) != 1 {
|
|
return fmt.Errorf("required one and only one `aud` claim, but received %d", len(audienceArray))
|
|
}
|
|
lhs = audienceArray[0]
|
|
default:
|
|
v, present := lhsClaim.other[rule.Claim]
|
|
if !present {
|
|
return fmt.Errorf("claim rule on %q couldn't be satisfied: claim not found", rule.Claim)
|
|
}
|
|
lhs = v
|
|
}
|
|
} else if lhsMap, isMap := incomingClaims.(map[string]any); isMap {
|
|
v, present := lhsMap[rule.Claim]
|
|
if !present {
|
|
return fmt.Errorf("claim rule on %q couldn't be satisfied: claim not found", rule.Claim)
|
|
}
|
|
lhs = v
|
|
} else {
|
|
return fmt.Errorf("unexpected incoming claims type: %T", incomingClaims)
|
|
}
|
|
|
|
switch rule.Comparison {
|
|
case auth_model.ClaimEqual:
|
|
lhsStr, ok := lhs.(string)
|
|
if !ok {
|
|
return fmt.Errorf("claim %q must be a string, but was %T", rule.Claim, lhs)
|
|
} else if lhsStr != rule.Value {
|
|
return fmt.Errorf("claim %q must be %q, but was %q", rule.Claim, rule.Value, lhsStr)
|
|
}
|
|
case auth_model.ClaimGlob:
|
|
lhsStr, ok := lhs.(string)
|
|
if !ok {
|
|
return fmt.Errorf("claim %q must be a string, but was %T", rule.Claim, lhs)
|
|
}
|
|
r, err := glob.Compile(rule.Value)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to parse glob for claim rule on %q; glob = %q, err = %w", rule.Claim, rule.Value, err)
|
|
}
|
|
if !r.Match(lhsStr) {
|
|
return fmt.Errorf("claim %q must match glob %q, but value %q did not match", rule.Claim, rule.Value, lhsStr)
|
|
}
|
|
case auth_model.ClaimNested:
|
|
lhsMap, ok := lhs.(map[string]any)
|
|
if !ok {
|
|
return fmt.Errorf("claim %q must be a map, but was %T", rule.Claim, lhs)
|
|
} else if err := a.checkClaims(lhsMap, rule.Nested); err != nil {
|
|
return fmt.Errorf("in nested claim %q: %w", rule.Claim, err)
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|