Various bugfixes #1071

Merged
merged 7 commits into from
Aug 3, 2024
Merged
22 changes: 17 additions & 5 deletions cmd/incusd/api_1.0.go
Expand Up @@ -7,6 +7,7 @@ import (
"net"
"net/http"
"os"
"strings"

"github.com/lxc/incus/v6/client"
"github.com/lxc/incus/v6/internal/revert"
Expand Down Expand Up @@ -214,6 +215,12 @@ var api10 = []APIEndpoint{
func api10Get(d *Daemon, r *http.Request) response.Response {
s := d.State()

// Pull the full server config.
fullSrvConfig, err := daemonConfigRender(s)
if err != nil {
return response.InternalError(err)
}

// Get the authentication methods.
authMethods := []string{api.AuthenticationMethodTLS}

Expand All @@ -231,13 +238,21 @@ func api10Get(d *Daemon, r *http.Request) response.Response {
AuthMethods: authMethods,
}

// Populate the untrusted config (user.ui.XYZ).
srv.Config = map[string]string{}
for k, v := range fullSrvConfig {
if strings.HasPrefix(k, "user.ui.") {
srv.Config[k] = v
}
}

// If untrusted, return now
if d.checkTrustedClient(r) != nil {
return response.SyncResponseETag(true, srv, nil)
}

// If not authorized, return now.
err := s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectServer(), auth.EntitlementCanView)
err = s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectServer(), auth.EntitlementCanView)
if err != nil {
return response.SmartError(err)
}
Expand Down Expand Up @@ -379,10 +394,7 @@ func api10Get(d *Daemon, r *http.Request) response.Response {

err = s.Authorizer.CheckPermission(r.Context(), r, auth.ObjectServer(), auth.EntitlementCanEdit)
if err == nil {
fullSrv.Config, err = daemonConfigRender(s)
if err != nil {
return response.InternalError(err)
}
fullSrv.Config = fullSrvConfig
} else if !api.StatusErrorCheck(err, http.StatusForbidden) {
return response.SmartError(err)
}
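Review bot: The comment above the `user.ui.` filter loop in the second hunk should state the trust boundary it creates, because every key under that prefix is now returned to unauthenticated clients before `checkTrustedClient` runs; suggest `// Populate the untrusted config: every user.ui.* key is returned to unauthenticated clients, so nothing sensitive may ever be stored under that prefix.` The same hunk calls `daemonConfigRender(s)` ahead of the trust check, so an unauthenticated request now pays for a full config render; that is probably acceptable since the untrusted response needs those keys, but if the render hits the database a short comment noting the cost would help reviewers. `api10Get` begins before the second hunk and continues past the last one.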
14 changes: 14 additions & 0 deletions cmd/incusd/networks.go
Expand Up @@ -503,6 +503,20 @@ func networksPost(d *Daemon, r *http.Request) response.Response {
if err != nil {
return response.SmartError(err)
}

// Create the authorization entry and advertise the network as existing.
err = s.Authorizer.AddNetwork(r.Context(), projectName, req.Name)
if err != nil {
logger.Error("Failed to add network to authorizer", logger.Ctx{"name": req.Name, "project": projectName, "error": err})
}

n, err := network.LoadByName(s, projectName, req.Name)
if err != nil {
return response.SmartError(fmt.Errorf("Failed loading network: %w", err))
}

requestor := request.CreateRequestor(r)
s.Events.SendLifecycle(projectName, lifecycle.NetworkCreated.Event(n, requestor, nil))
}

err = networksPostCluster(r.Context(), s, projectName, netInfo, req, clientType, netType)
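Review bot: A failing `s.Authorizer.AddNetwork` is only logged, so the network is persisted and its lifecycle event is emitted while the authorizer has no entry for it; whether later permission checks then fail open or closed depends on the authorizer backend, so either return the error or add a comment explaining why a missing authorizer entry is tolerated here. The `network.LoadByName` failure on the following lines returns an error to the client after the network record already exists, leaving the caller unable to tell that creation succeeded; consider a message along the lines of `Network created but failed loading it: %w` so that is visible. The enclosing `if` block and `networksPost` itself begin outside the hunk.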
8 changes: 8 additions & 0 deletions doc/rest-api.yaml
Expand Up @@ -5735,6 +5735,14 @@ definitions:
readOnly: true
type: array
x-go-name: AuthMethods
config:
additionalProperties:
type: string
description: Server configuration map (refer to doc/server.md)
example:
core.https_address: :8443
type: object
x-go-name: Config
public:
description: Whether the server is public-only (only public endpoints are implemented)
example: false
6 changes: 6 additions & 0 deletions doc/server_config.md
Expand Up @@ -109,3 +109,9 @@ The following server options configure server-specific settings for {ref}`instan
:start-after: <!-- config group server-miscellaneous start -->
:end-before: <!-- config group server-miscellaneous end -->
```

(server-options-user)=
## User options

Additional user defined configuration keys are available within the `user.` namespace.
Note that keys starting with `user.ui.` are used for web UI configuration options and are visible even to unauthenticated users.
41 changes: 41 additions & 0 deletions internal/server/auth/oidc/oidc.go
Expand Up @@ -160,6 +160,21 @@ func (o *Verifier) Login(w http.ResponseWriter, r *http.Request) {
}

func (o *Verifier) Logout(w http.ResponseWriter, r *http.Request) {
// Attempt to get the provider.
provider, _ := o.getProvider(r)

// Attempt to get the token.
var token string
cookie, err := r.Cookie("oidc_id")
if err == nil {
token = cookie.Value
}

// Attempt to end the OIDC session.
if provider != nil && token != "" {
_, _ = rp.EndSession(r.Context(), provider, token, fmt.Sprintf("https://%s", r.Host), "")
}

// Access token.
accessCookie := http.Cookie{
Name: "oidc_access",
Expand All @@ -172,6 +187,18 @@ func (o *Verifier) Logout(w http.ResponseWriter, r *http.Request) {

http.SetCookie(w, &accessCookie)

// ID token.
idCookie := http.Cookie{
Name: "oidc_id",
Path: "/",
Secure: true,
HttpOnly: false,
SameSite: http.SameSiteStrictMode,
Expires: time.Unix(0, 0),
}

http.SetCookie(w, &idCookie)

// Refresh token.
refreshCookie := http.Cookie{
Name: "oidc_refresh",
Expand Down Expand Up @@ -219,6 +246,20 @@ func (o *Verifier) Callback(w http.ResponseWriter, r *http.Request) {
http.SetCookie(w, &refreshCookie)
}

// ID token.
if tokens.IDToken != "" {
idCookie := http.Cookie{
Name: "oidc_id",
Value: tokens.IDToken,
Path: "/",
Secure: true,
HttpOnly: false,
SameSite: http.SameSiteStrictMode,
}

http.SetCookie(w, &idCookie)
}

// Send to the UI.
// NOTE: Once the UI does the redirection on its own, we may be able to use the referer here instead.
http.Redirect(w, r, "/ui/", http.StatusMovedPermanently)
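Review bot: The new `oidc_id` cookie in Callback and Logout is set with `HttpOnly: false`, which makes the ID token readable by any script running in the UI origin; the only consumer visible here is the server-side `r.Cookie("oidc_id")` in Logout, so unless the UI needs the raw ID token from JavaScript the cookie should be `HttpOnly: true`, and if the existing access/refresh cookies deliberately use `HttpOnly: false` a comment should say why. The post-logout redirect passed to `rp.EndSession` is built as `fmt.Sprintf("https://%s", r.Host)` from the request Host header; the provider is expected to check it against its registered post-logout URIs, but a comment stating that reliance would help, and since the `rp.EndSession` error is discarded a failed remote logout is invisible, so logging it at debug level is worth considering. Storing the full ID token in a cookie also deserves a note that ID tokens with many claims can approach the per-cookie size limit browsers enforce, in which case the cookie is dropped silently and Logout degrades to local-only. Logout and Callback both start outside their hunks.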
4 changes: 2 additions & 2 deletions internal/server/network/ovn/ovn_nb_actions.go
Expand Up @@ -1581,8 +1581,8 @@ func (o *NB) GetLogicalSwitchPortUUID(ctx context.Context, portName OVNSwitchPor
func (o *NB) CreateLogicalSwitchPort(ctx context.Context, switchName OVNSwitch, portName OVNSwitchPort, opts *OVNSwitchPortOpts, mayExist bool) error {
// Prepare the new switch port entry.
logicalSwitchPort := ovnNB.LogicalSwitchPort{
Name: string(portName),
UUID: "lsp",
Name: string(portName),
UUID: "lsp",
}

// Check if the entry already exists.
3 changes: 2 additions & 1 deletion shared/api/server.go
Expand Up @@ -155,6 +155,8 @@ type ServerPut struct {
//
// swagger:model
type ServerUntrusted struct {
ServerPut `yaml:",inline"`

// List of supported API extensions
// Read only: true
// Example: ["etag", "patch", "network", "storage"]
Expand Down Expand Up @@ -192,7 +194,6 @@ type ServerUntrusted struct {
//
// swagger:model
type Server struct {
ServerPut `yaml:",inline"`
ServerUntrusted `yaml:",inline"`

// The current API user identifier
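Review bot: Moving the `ServerPut` embedding into `ServerUntrusted` makes the untrusted swagger model advertise the whole `config` map (the generated `doc/rest-api.yaml` hunk in this PR even shows `core.https_address` as the example), while the handler only fills `user.ui.*` keys for unauthenticated callers; the embedding needs a comment such as `// ServerPut is embedded here so untrusted responses can carry user.ui.* keys; only those keys are populated before authentication.` so API consumers and the generated docs are not misled. If the swagger example can be set per model, a `user.ui.*` example for the untrusted model would be clearer than the `core.https_address` one. Both struct definitions extend beyond their hunks.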