Halaman utama Jelajahi Bantuan
Masuk
github-mirrors
/
mirror-seaweedfs
2
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Cabang: main
Ranting Tag
mirror-seaweedf...
/
weed
/
iam
/
providers
/
provider.go

provider.go 6.2 KB
Permalink Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227 
  1. package providers
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"fmt"
    6. 

  6. 	"net/mail"
    7. 

  7. 	"time"
    8. 

  8. 

  9. 	"github.com/seaweedfs/seaweedfs/weed/glog"
    10. 

  10. 	"github.com/seaweedfs/seaweedfs/weed/iam/policy"
    11. 

  11. )
    12. 

  12. 

  13. // IdentityProvider defines the interface for external identity providers
    14. 

  14. type IdentityProvider interface {
    15. 

  15. 	// Name returns the unique name of the provider
    16. 

  16. 	Name() string
    17. 

  17. 

  18. 	// Initialize initializes the provider with configuration
    19. 

  19. 	Initialize(config interface{}) error
    20. 

  20. 

  21. 	// Authenticate authenticates a user with a token and returns external identity
    22. 

  22. 	Authenticate(ctx context.Context, token string) (*ExternalIdentity, error)
    23. 

  23. 

  24. 	// GetUserInfo retrieves user information by user ID
    25. 

  25. 	GetUserInfo(ctx context.Context, userID string) (*ExternalIdentity, error)
    26. 

  26. 

  27. 	// ValidateToken validates a token and returns claims
    28. 

  28. 	ValidateToken(ctx context.Context, token string) (*TokenClaims, error)
    29. 

  29. }
    30. 

  30. 

  31. // ExternalIdentity represents an identity from an external provider
    32. 

  32. type ExternalIdentity struct {
    33. 

  33. 	// UserID is the unique identifier from the external provider
    34. 

  34. 	UserID string `json:"userId"`
    35. 

  35. 

  36. 	// Email is the user's email address
    37. 

  37. 	Email string `json:"email"`
    38. 

  38. 

  39. 	// DisplayName is the user's display name
    40. 

  40. 	DisplayName string `json:"displayName"`
    41. 

  41. 

  42. 	// Groups are the groups the user belongs to
    43. 

  43. 	Groups []string `json:"groups,omitempty"`
    44. 

  44. 

  45. 	// Attributes are additional user attributes
    46. 

  46. 	Attributes map[string]string `json:"attributes,omitempty"`
    47. 

  47. 

  48. 	// Provider is the name of the identity provider
    49. 

  49. 	Provider string `json:"provider"`
    50. 

  50. }
    51. 

  51. 

  52. // Validate validates the external identity structure
    53. 

  53. func (e *ExternalIdentity) Validate() error {
    54. 

  54. 	if e.UserID == "" {
    55. 

  55. 		return fmt.Errorf("user ID is required")
    56. 

  56. 	}
    57. 

  57. 

  58. 	if e.Provider == "" {
    59. 

  59. 		return fmt.Errorf("provider is required")
    60. 

  60. 	}
    61. 

  61. 

  62. 	if e.Email != "" {
    63. 

  63. 		if _, err := mail.ParseAddress(e.Email); err != nil {
    64. 

  64. 			return fmt.Errorf("invalid email format: %w", err)
    65. 

  65. 		}
    66. 

  66. 	}
    67. 

  67. 

  68. 	return nil
    69. 

  69. }
    70. 

  70. 

  71. // TokenClaims represents claims from a validated token
    72. 

  72. type TokenClaims struct {
    73. 

  73. 	// Subject (sub) - user identifier
    74. 

  74. 	Subject string `json:"sub"`
    75. 

  75. 

  76. 	// Issuer (iss) - token issuer
    77. 

  77. 	Issuer string `json:"iss"`
    78. 

  78. 

  79. 	// Audience (aud) - intended audience
    80. 

  80. 	Audience string `json:"aud"`
    81. 

  81. 

  82. 	// ExpiresAt (exp) - expiration time
    83. 

  83. 	ExpiresAt time.Time `json:"exp"`
    84. 

  84. 

  85. 	// IssuedAt (iat) - issued at time
    86. 

  86. 	IssuedAt time.Time `json:"iat"`
    87. 

  87. 

  88. 	// NotBefore (nbf) - not valid before time
    89. 

  89. 	NotBefore time.Time `json:"nbf,omitempty"`
    90. 

  90. 

  91. 	// Claims are additional claims from the token
    92. 

  92. 	Claims map[string]interface{} `json:"claims,omitempty"`
    93. 

  93. }
    94. 

  94. 

  95. // IsValid checks if the token claims are valid (not expired, etc.)
    96. 

  96. func (c *TokenClaims) IsValid() bool {
    97. 

  97. 	now := time.Now()
    98. 

  98. 

  99. 	// Check expiration
    100. 

  100. 	if !c.ExpiresAt.IsZero() && now.After(c.ExpiresAt) {
    101. 

  101. 		return false
    102. 

  102. 	}
    103. 

  103. 

  104. 	// Check not before
    105. 

  105. 	if !c.NotBefore.IsZero() && now.Before(c.NotBefore) {
    106. 

  106. 		return false
    107. 

  107. 	}
    108. 

  108. 

  109. 	// Check issued at (shouldn't be in the future)
    110. 

  110. 	if !c.IssuedAt.IsZero() && now.Before(c.IssuedAt) {
    111. 

  111. 		return false
    112. 

  112. 	}
    113. 

  113. 

  114. 	return true
    115. 

  115. }
    116. 

  116. 

  117. // GetClaimString returns a string claim value
    118. 

  118. func (c *TokenClaims) GetClaimString(key string) (string, bool) {
    119. 

  119. 	if value, exists := c.Claims[key]; exists {
    120. 

  120. 		if str, ok := value.(string); ok {
    121. 

  121. 			return str, true
    122. 

  122. 		}
    123. 

  123. 	}
    124. 

  124. 	return "", false
    125. 

  125. }
    126. 

  126. 

  127. // GetClaimStringSlice returns a string slice claim value
    128. 

  128. func (c *TokenClaims) GetClaimStringSlice(key string) ([]string, bool) {
    129. 

  129. 	if value, exists := c.Claims[key]; exists {
    130. 

  130. 		switch v := value.(type) {
    131. 

  131. 		case []string:
    132. 

  132. 			return v, true
    133. 

  133. 		case []interface{}:
    134. 

  134. 			var result []string
    135. 

  135. 			for _, item := range v {
    136. 

  136. 				if str, ok := item.(string); ok {
    137. 

  137. 					result = append(result, str)
    138. 

  138. 				}
    139. 

  139. 			}
    140. 

  140. 			return result, len(result) > 0
    141. 

  141. 		case string:
    142. 

  142. 			// Single string can be treated as slice
    143. 

  143. 			return []string{v}, true
    144. 

  144. 		}
    145. 

  145. 	}
    146. 

  146. 	return nil, false
    147. 

  147. }
    148. 

  148. 

  149. // ProviderConfig represents configuration for identity providers
    150. 

  150. type ProviderConfig struct {
    151. 

  151. 	// Type of provider (oidc, ldap, saml)
    152. 

  152. 	Type string `json:"type"`
    153. 

  153. 

  154. 	// Name of the provider instance
    155. 

  155. 	Name string `json:"name"`
    156. 

  156. 

  157. 	// Enabled indicates if the provider is active
    158. 

  158. 	Enabled bool `json:"enabled"`
    159. 

  159. 

  160. 	// Config is provider-specific configuration
    161. 

  161. 	Config map[string]interface{} `json:"config"`
    162. 

  162. 

  163. 	// RoleMapping defines how to map external identities to roles
    164. 

  164. 	RoleMapping *RoleMapping `json:"roleMapping,omitempty"`
    165. 

  165. }
    166. 

  166. 

  167. // RoleMapping defines rules for mapping external identities to roles
    168. 

  168. type RoleMapping struct {
    169. 

  169. 	// Rules are the mapping rules
    170. 

  170. 	Rules []MappingRule `json:"rules"`
    171. 

  171. 

  172. 	// DefaultRole is assigned if no rules match
    173. 

  173. 	DefaultRole string `json:"defaultRole,omitempty"`
    174. 

  174. }
    175. 

  175. 

  176. // MappingRule defines a single mapping rule
    177. 

  177. type MappingRule struct {
    178. 

  178. 	// Claim is the claim key to check
    179. 

  179. 	Claim string `json:"claim"`
    180. 

  180. 

  181. 	// Value is the expected claim value (supports wildcards)
    182. 

  182. 	Value string `json:"value"`
    183. 

  183. 

  184. 	// Role is the role ARN to assign
    185. 

  185. 	Role string `json:"role"`
    186. 

  186. 

  187. 	// Condition is additional condition logic (optional)
    188. 

  188. 	Condition string `json:"condition,omitempty"`
    189. 

  189. }
    190. 

  190. 

  191. // Matches checks if a rule matches the given claims
    192. 

  192. func (r *MappingRule) Matches(claims *TokenClaims) bool {
    193. 

  193. 	if r.Claim == "" || r.Value == "" {
    194. 

  194. 		glog.V(3).Infof("Rule invalid: claim=%s, value=%s", r.Claim, r.Value)
    195. 

  195. 		return false
    196. 

  196. 	}
    197. 

  197. 

  198. 	claimValue, exists := claims.GetClaimString(r.Claim)
    199. 

  199. 	if !exists {
    200. 

  200. 		glog.V(3).Infof("Claim '%s' not found as string, trying as string slice", r.Claim)
    201. 

  201. 		// Try as string slice
    202. 

  202. 		if claimSlice, sliceExists := claims.GetClaimStringSlice(r.Claim); sliceExists {
    203. 

  203. 			glog.V(3).Infof("Claim '%s' found as string slice: %v", r.Claim, claimSlice)
    204. 

  204. 			for _, val := range claimSlice {
    205. 

  205. 				glog.V(3).Infof("Checking if '%s' matches rule value '%s'", val, r.Value)
    206. 

  206. 				if r.matchValue(val) {
    207. 

  207. 					glog.V(3).Infof("Match found: '%s' matches '%s'", val, r.Value)
    208. 

  208. 					return true
    209. 

  209. 				}
    210. 

  210. 			}
    211. 

  211. 		} else {
    212. 

  212. 			glog.V(3).Infof("Claim '%s' not found in any format", r.Claim)
    213. 

  213. 		}
    214. 

  214. 		return false
    215. 

  215. 	}
    216. 

  216. 

  217. 	glog.V(3).Infof("Claim '%s' found as string: '%s'", r.Claim, claimValue)
    218. 

  218. 	return r.matchValue(claimValue)
    219. 

  219. }
    220. 

  220. 

  221. // matchValue checks if a value matches the rule value (with wildcard support)
    222. 

  222. // Uses AWS IAM-compliant case-insensitive wildcard matching for consistency with policy engine
    223. 

  223. func (r *MappingRule) matchValue(value string) bool {
    224. 

  224. 	matched := policy.AwsWildcardMatch(r.Value, value)
    225. 

  225. 	glog.V(3).Infof("AWS IAM pattern match result: '%s' matches '%s' = %t", value, r.Value, matched)
    226. 

  226. 	return matched
    227. 

  227. }
    228.