satellite/{admin,ui}: implement changes for oauth2 proxy

We want to put the OAuth2 proxy, https://github.com/oauth2-proxy/oauth2-proxy, in front of the satellite admin ui. This change implements the changes required/necessary for this to work. Issue: https://github.com/storj/storj/issues/5072 Change-Id: I6da0df090cc6f0c18f1bf41e48ae082493f53f20
2022-11-10 13:19:42 +00:00 · 2022-11-10 13:19:42 +00:00 · c1ed5c06e8
commit c1ed5c06e8
parent 9a0c2dd878
4 changed files with 73 additions and 58 deletions
--- a/satellite/admin/server.go
+++ b/satellite/admin/server.go
@ -8,6 +8,7 @@ import (
 	"context"
 	"crypto/subtle"
 	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"time"
@ -32,6 +33,7 @@ import (
 type Config struct {
 	Address          string `help:"admin peer http listening address" releaseDefault:"" devDefault:""`
 	StaticDir        string `help:"an alternate directory path which contains the static assets to serve. When empty, it uses the embedded assets" releaseDefault:"" devDefault:""`
+	AllowedOauthHost string `help:"the oauth host allowed to bypass token authentication."`

 	AuthorizationToken string `internal:"true"`
 }
@ -87,7 +89,7 @@ func NewServer(log *zap.Logger, listener net.Listener, db DB, buckets *buckets.S
 	root := mux.NewRouter()

 	api := root.PathPrefix("/api/").Subrouter()
-	api.Use(allowedAuthorization(config.AuthorizationToken))
+	api.Use(allowedAuthorization(log, config))

 	// When adding new options, also update README.md
 	api.HandleFunc("/users", server.addUser).Methods("POST")
@ -159,10 +161,13 @@ func (server *Server) Close() error {
 	return Error.Wrap(server.server.Close())
 }

-func allowedAuthorization(token string) func(next http.Handler) http.Handler {
+func allowedAuthorization(log *zap.Logger, config Config) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if token == "" {
+
+			if r.Host != config.AllowedOauthHost {
+				// not behind the proxy; use old authentication method.
+				if config.AuthorizationToken == "" {
 					sendJSONError(w, "Authorization not enabled.",
 						"", http.StatusForbidden)
 					return
@ -170,13 +175,22 @@ func allowedAuthorization(token string) func(next http.Handler) http.Handler {

 				equality := subtle.ConstantTimeCompare(
 					[]byte(r.Header.Get("Authorization")),
-				[]byte(token),
+					[]byte(config.AuthorizationToken),
 				)
 				if equality != 1 {
 					sendJSONError(w, "Forbidden",
 						"", http.StatusForbidden)
 					return
 				}
+			}
+
+			log.Info(
+				"admin action",
+				zap.String("host", r.Host),
+				zap.String("user", r.Header.Get("X-Forwarded-Email")),
+				zap.String("action", fmt.Sprintf("%s-%s", r.Method, r.RequestURI)),
+				zap.String("queries", r.URL.Query().Encode()),
+			)

 			r.Header.Set("Cache-Control", "must-revalidate")
 			next.ServeHTTP(w, r)
--- a/satellite/admin/ui/src/lib/Api.svelte
+++ b/satellite/admin/ui/src/lib/Api.svelte
@ -16,7 +16,7 @@ wants to perform.
 	import UIGen from '$lib/UIGenerator.svelte';

 	const baseURL = `${window.location.protocol}//${window.location.host}/api`;
-	let api: Admin;
+	let api: Admin = new Admin(baseURL);
 	let selectedGroupOp: Operation[];
 	let selectedOp: Operation;
 	let authToken: string;
@ -25,21 +25,19 @@ wants to perform.
 		if (authToken) {
 			api = new Admin(baseURL, authToken);
 		} else {
-			api = null;
+			api = new Admin(baseURL);
 		}
 	}
 </script>

 <p>
-	In order to use the API you have to set the authentication token in the input box and press enter
-	or click the "confirm" button.
+	If you did not log in using Oauth (e.g. with Google), you have to set the authentication token in
+	the input box and press enter or click the "confirm" button.
 </p>
 <p>
 	Token: <input
 		bind:value={authToken}
 		on:focus={() => {
-			api = null;
-
 			// This allows to select the empty item of the second select.
 			selectedOp = null;
 		}}
@ -52,8 +50,7 @@ wants to perform.
 	<button on:click={confirmAuthToken}>confirm</button>
 </p>

-{#if api}
-	<p>
+<p>
 	Operation:
 	<select
 		bind:value={selectedGroupOp}
@ -77,13 +74,12 @@ wants to perform.
 			{/each}
 		</select>
 	{/if}
-	</p>
-	<hr />
-	<p>
+</p>
+<hr />
+<p>
 	{#if selectedOp}
 		{#key selectedOp}
 			<UIGen operation={selectedOp} />
 		{/key}
 	{/if}
-	</p>
-{/if}
+</p>
--- a/satellite/admin/ui/src/lib/api.ts
+++ b/satellite/admin/ui/src/lib/api.ts
@ -408,7 +408,7 @@ Blank fields will not be updated.`,

 	private readonly baseURL: string;

-	constructor(baseURL: string, private readonly authToken: string) {
+	constructor(baseURL: string, private readonly authToken: string = '') {
 		this.baseURL = baseURL.endsWith('/') ? baseURL.substring(0, baseURL.length - 1) : baseURL;
 	}

@ -419,9 +419,11 @@ Blank fields will not be updated.`,
 		data?: Record<string, unknown>
 	): Promise<Record<string, unknown> | null> {
 		const url = this.apiURL(path, query);
-		const headers = new window.Headers({
-			Authorization: this.authToken
-		});
+		const headers = new window.Headers();
+
+		if (this.authToken) {
+			headers.set('Authorization', this.authToken);
+		}

 		let body: string;
 		if (data) {
--- a/scripts/testdata/satellite-config.yaml.lock
+++ b/scripts/testdata/satellite-config.yaml.lock
@ -1,6 +1,9 @@
 # admin peer http listening address
 # admin.address: ""

+# the oauth host allowed to bypass token authentication.
+# admin.allowed-oauth-host: ""
+
 # an alternate directory path which contains the static assets to serve. When empty, it uses the embedded assets
 # admin.static-dir: ""