Merge pull request #11603 from owncloud/oidc_claims_checker

feat: add a way to check for specific OIDC claims

Author: kobergj

deployments/examples/ocis_keycloak/config/keycloak/ocis-realm.dist.json

@@ -1877,7 +1877,7 @@
       "description": "OpenID Connect scope for add acr (authentication context class reference) to the token",
       "protocol": "openid-connect",
       "attributes": {
-        "include.in.token.scope": "false",
+        "include.in.token.scope": "true",
         "display.on.consent.screen": "false"
       },
       "protocolMappers": [
@@ -2899,7 +2899,7 @@
       "config": {}
     }
   ],
-  "browserFlow": "browser",
+  "browserFlow": "step up flow",
   "registrationFlow": "registration",
   "directGrantFlow": "direct grant",
   "resetCredentialsFlow": "reset credentials",

deployments/examples/ocis_keycloak/docker-compose.yml

@@ -81,6 +81,8 @@ services:
       OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
       PROXY_CSP_CONFIG_FILE_LOCATION: /etc/ocis/csp.yaml
       KEYCLOAK_DOMAIN: ${KEYCLOAK_DOMAIN:-keycloak.owncloud.test}
+      OCIS_MFA_ENABLED: ${OCIS_MFA_ENABLED:-false}
+      WEB_OIDC_SCOPE: "openid profile email acr"
     volumes:
       - ./config/ocis/banned-password-list.txt:/etc/ocis/banned-password-list.txt
       - ./config/ocis/csp.yaml:/etc/ocis/csp.yaml

ocis-pkg/mfa/mfa.go

@@ -0,0 +1,59 @@
+// Package mfa provides functionality for multi-factor authentication (MFA).
+// mfa_test.go contains usage examples and tests.
+package mfa
+
+import (
+	"context"
+	"net/http"
+)
+
+// MFAHeader is the header to be used across grpc and http services
+// to forward the access token.
+const MFAHeader = "X-Multi-Factor-Authentication"
+
+// MFARequiredHeader is the header returned by the server if step-up authentication is required.
+const MFARequiredHeader = "X-Ocis-Mfa-Required"
+
+type mfaKeyType struct{}
+
+var mfaKey = mfaKeyType{}
+
+// EnhanceRequest enhances the request context with the MFA status from the header.
+// This operation does not overwrite existing context values.
+func EnhanceRequest(req *http.Request) *http.Request {
+	ctx := req.Context()
+	if Has(ctx) {
+		return req
+	}
+	return req.WithContext(Set(ctx, req.Header.Get(MFAHeader) == "true"))
+}
+
+// SetRequiredStatus sets the MFA required header and the statuscode to 403
+func SetRequiredStatus(w http.ResponseWriter) {
+	w.Header().Set(MFARequiredHeader, "true")
+	w.WriteHeader(http.StatusForbidden)
+}
+
+// Has returns the mfa status from the context.
+func Has(ctx context.Context) bool {
+	mfa, ok := ctx.Value(mfaKey).(bool)
+	if !ok {
+		return false
+	}
+	return mfa
+}
+
+// Set stores the mfa status in the context.
+func Set(ctx context.Context, mfa bool) context.Context {
+	return context.WithValue(ctx, mfaKey, mfa)
+}
+
+// SetHeader sets the MFA header.
+func SetHeader(r *http.Request, mfa bool) {
+	if mfa {
+		r.Header.Set(MFAHeader, "true")
+		return
+	}
+
+	r.Header.Set(MFAHeader, "false")
+}

ocis-pkg/mfa/mfa_test.go

@@ -0,0 +1,68 @@
+package mfa_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
+	"github.com/test-go/testify/require"
+)
+
+func exampleUsage() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// In a central place of your service enhance request once.
+		// Note: This will not overwrite existing context values so it's safe (but unnecessary) to call multiple times.
+		r = mfa.EnhanceRequest(r)
+
+		// somewhere in your code extract the context
+		ctx := r.Context()
+
+		// now you can check if the user has MFA enabled
+		if !mfa.Has(ctx) {
+			// use this line to log access denied information
+			// mfa package will not log anything by itself
+			mfa.SetRequiredStatus(w)
+			return
+		}
+		// user has MFA enabled, you can now proceed with sensitive operation
+	}
+}
+
+func TestMFALifecycle(t *testing.T) {
+	testCases := []struct {
+		Alias         string
+		HasMFA        bool
+		ShouldHaveMFA bool
+		ResponseCode  int
+	}{
+		{
+			Alias:        "simple",
+			HasMFA:       true,
+			ResponseCode: http.StatusOK,
+		},
+		{
+			Alias:        "denied",
+			HasMFA:       false,
+			ResponseCode: http.StatusForbidden,
+		},
+	}
+
+	for _, tc := range testCases {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "http://url&method.doesnt.matter", nil)
+		mfa.SetHeader(r, tc.HasMFA)
+
+		exampleUsage().ServeHTTP(w, r)
+		res := w.Result()
+
+		require.Equal(t, tc.ResponseCode, res.StatusCode, tc.Alias)
+		if tc.ResponseCode == http.StatusForbidden {
+			require.Equal(t, "true", res.Header.Get(mfa.MFARequiredHeader), tc.Alias)
+		} else {
+			require.Empty(t, res.Header.Get(mfa.MFARequiredHeader), tc.Alias)
+		}
+
+	}
+
+}

services/frontend/pkg/config/config.go

@@ -63,6 +63,8 @@ type Config struct {
 
 	ServerManagedSpaces bool `yaml:"server_managed_spaces" env:"OCIS_CLAIM_MANAGED_SPACES_ENABLED" desc:"Enables Space management through OIDC claims. See the text description for more details." introductionVersion:"7.2.0"`
 
+	MultiFactorAuthentication MFAConfig `yaml:"mfa"`
+
 	Context context.Context `yaml:"-"`
 }
 
@@ -200,3 +202,9 @@ type PasswordPolicy struct {
 type Validation struct {
 	MaxTagLength int `yaml:"max_tag_length" env:"OCIS_MAX_TAG_LENGTH" desc:"Define the maximum tag length. Defaults to 100 if not set. Set to 0 to not limit the tag length. Changes only impact the validation of new tags." introductionVersion:"7.2.0"`
 }
+
+// MFAConfig configures multi factor multifactor authentication
+type MFAConfig struct {
+	Enabled        bool     `yaml:"enabled" env:"OCIS_MFA_ENABLED" desc:"Set to true to enable multi factor authentication. See the documentation for more details." introductionVersion:"Balch"`
+	AuthLevelNames []string `yaml:"auth_level_names" env:"OCIS_MFA_AUTH_LEVEL_NAMES" desc:"This authentication level name indicates that multi-factor authentication was performed. The name must match the ACR claim in the access token received. Note: If multiple names are required, use a comma-separated list. The front-end service will use the first name in the list when requesting multi-factor authentication (MFA)." introductionVersion:"Balch"`
+}

services/frontend/pkg/config/defaults/defaultconfig.go

@@ -141,6 +141,9 @@ func DefaultConfig() *config.Config {
 		Validation: config.Validation{
 			MaxTagLength: 100,
 		},
+		MultiFactorAuthentication: config.MFAConfig{
+			AuthLevelNames: []string{"advanced"},
+		},
 	}
 }
 

services/frontend/pkg/revaconfig/config.go

@@ -340,6 +340,12 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 								"endpoints":    []string{"list", "get", "delete"},
 								"configurable": cfg.ConfigurableNotifications,
 							},
+							"auth": map[string]interface{}{
+								"mfa": map[string]interface{}{
+									"enabled":    cfg.MultiFactorAuthentication.Enabled,
+									"levelnames": cfg.MultiFactorAuthentication.AuthLevelNames,
+								},
+							},
 						},
 						"version": map[string]interface{}{
 							"product":        "Infinite Scale",

services/graph/pkg/middleware/auth.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/account"
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
 	opkgm "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/services/graph/pkg/errorcode"
 	"github.com/owncloud/reva/v2/pkg/auth/scope"
@@ -42,6 +43,8 @@ func Auth(opts ...account.Option) func(http.Handler) http.Handler {
 	}
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			r = mfa.EnhanceRequest(r)
+
 			ctx := r.Context()
 			t := r.Header.Get("x-access-token")
 			if t == "" {

services/graph/pkg/service/v0/drives.go

@@ -29,6 +29,7 @@ import (
 	"google.golang.org/protobuf/proto"
 
 	"github.com/owncloud/ocis/v2/ocis-pkg/l10n"
+	"github.com/owncloud/ocis/v2/ocis-pkg/mfa"
 	v0 "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/settings/v0"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
 	"github.com/owncloud/ocis/v2/services/graph/pkg/errorcode"
@@ -132,6 +133,13 @@ func (g Graph) GetAllDrives(version APIVersion) http.HandlerFunc {
 // GetAllDrivesV1 attempts to retrieve the current users drives;
 // it includes another user's drives, if the current user has the permission.
 func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) {
+	if !mfa.Has(r.Context()) {
+		logger := g.logger.SubloggerWithRequestID(r.Context())
+		logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+		mfa.SetRequiredStatus(w)
+		return
+	}
+
 	spaces, errCode := g.getDrives(r, true, APIVersion_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)
@@ -152,6 +160,13 @@ func (g Graph) GetAllDrivesV1(w http.ResponseWriter, r *http.Request) {
 // it includes the grantedtoV2 property
 // it uses unified roles instead of the cs3 representations
 func (g Graph) GetAllDrivesV1Beta1(w http.ResponseWriter, r *http.Request) {
+	if !mfa.Has(r.Context()) {
+		logger := g.logger.SubloggerWithRequestID(r.Context())
+		logger.Error().Str("path", r.URL.Path).Msg("MFA required but not satisfied")
+		mfa.SetRequiredStatus(w)
+		return
+	}
+
 	drives, errCode := g.getDrives(r, true, APIVersion_1_Beta_1)
 	if errCode != nil {
 		errorcode.RenderError(w, r, errCode)

services/graph/pkg/service/v0/graph.go

@@ -8,6 +8,7 @@ import (
 	"path"
 	"strings"
 
+	"github.com/CiscoM31/godata"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	storageprovider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/go-chi/chi/v5"
@@ -152,3 +153,39 @@ func parseIDParam(r *http.Request, param string) (storageprovider.ResourceId, er
 	}
 	return id, nil
 }
+
+// regular users can only search for terms with a minimum length
+func hasAcceptableSearch(query *godata.GoDataQuery, minSearchLength int) bool {
+	if query == nil || query.Search == nil {
+		return false
+	}
+
+	if strings.HasPrefix(query.Search.RawValue, "\"") {
+		// if search starts with double quotes then it must finish with double quotes
+		// add +2 to the minimum search length in this case
+		minSearchLength += 2
+	}
+
+	return len(query.Search.RawValue) >= minSearchLength
+}
+
+// regular users can only filter by userType
+func hasAcceptableFilter(query *godata.GoDataQuery) bool {
+	switch {
+	case query == nil || query.Filter == nil:
+		return true
+	case query.Filter.Tree.Token.Type != godata.ExpressionTokenLogical:
+		return false
+	case query.Filter.Tree.Token.Value != "eq":
+		return false
+	case query.Filter.Tree.Children[0].Token.Value != "userType":
+		return false
+	}
+
+	return true
+}
+
+// regular users can only use basic queries without any expansions, computes or applies
+func hasAcceptableQuery(query *godata.GoDataQuery) bool {
+	return query != nil && query.Apply == nil && query.Expand == nil && query.Compute == nil
+}