sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-21 01:36:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

Revert "add management side of OIDC authentication"

Browse Source 
This reverts commit 02ce918114.
This commit is contained in:
Alisdair MacLeod
2026-02-03 10:03:38 +00:00
parent 02ce918114
commit 76a39c1dcb
5 changed files with 16 additions and 61 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
management/internals/modules/reverseproxy/manager/manager.go
View File

@@ -145,12 +145,7 @@ func (m *managerImpl) CreateReverseProxy(ctx context.Context, accountID, userID
return nil, fmt.Errorf("failed to create setup key for reverse proxy: %w", err) return nil, fmt.Errorf("failed to create setup key for reverse proxy: %w", err)
} }
idp, err := m.getIdentityProvider(ctx, accountID, userID, reverseProxy.Auth.BearerAuth) m.proxyGRPCServer.SendReverseProxyUpdate(reverseProxy.ToProtoMapping(reverseproxy.Create, key.Key))
if err != nil {
return nil, fmt.Errorf("failed to get identity provider: %w", err)
}
m.proxyGRPCServer.SendReverseProxyUpdate(reverseProxy.ToProtoMapping(reverseproxy.Create, key.Key, idp))
return reverseProxy, nil return reverseProxy, nil
} }
@@ -196,12 +191,7 @@ func (m *managerImpl) UpdateReverseProxy(ctx context.Context, accountID, userID
m.accountManager.StoreEvent(ctx, userID, reverseProxy.ID, accountID, activity.ReverseProxyUpdated, reverseProxy.EventMeta()) m.accountManager.StoreEvent(ctx, userID, reverseProxy.ID, accountID, activity.ReverseProxyUpdated, reverseProxy.EventMeta())
idp, err := m.getIdentityProvider(ctx, accountID, userID, reverseProxy.Auth.BearerAuth) m.proxyGRPCServer.SendReverseProxyUpdate(reverseProxy.ToProtoMapping(reverseproxy.Update, ""))
if err != nil {
return nil, fmt.Errorf("failed to get identity provider: %w", err)
}
m.proxyGRPCServer.SendReverseProxyUpdate(reverseProxy.ToProtoMapping(reverseproxy.Update, "", idp))
return reverseProxy, nil return reverseProxy, nil
} }
@@ -235,14 +225,7 @@ func (m *managerImpl) DeleteReverseProxy(ctx context.Context, accountID, userID,
m.accountManager.StoreEvent(ctx, userID, reverseProxyID, accountID, activity.ReverseProxyDeleted, reverseProxy.EventMeta()) m.accountManager.StoreEvent(ctx, userID, reverseProxyID, accountID, activity.ReverseProxyDeleted, reverseProxy.EventMeta())
m.proxyGRPCServer.SendReverseProxyUpdate(reverseProxy.ToProtoMapping(reverseproxy.Delete, "", nil)) m.proxyGRPCServer.SendReverseProxyUpdate(reverseProxy.ToProtoMapping(reverseproxy.Delete, ""))
return nil return nil
} }
func (m *managerImpl) getIdentityProvider(ctx context.Context, accountID, userID string, bearerAuth *reverseproxy.BearerAuthConfig) (*types.IdentityProvider, error) {
if bearerAuth == nil || !bearerAuth.Enabled || bearerAuth.IdentityProviderID == "" {
return nil, nil
}
return m.accountManager.GetIdentityProvider(ctx, accountID, bearerAuth.IdentityProviderID, userID)
}

19
management/internals/modules/reverseproxy/reverseproxy.go
View File

@@ -6,11 +6,9 @@ import (
"net/url" "net/url"
"strconv" "strconv"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/rs/xid" "github.com/rs/xid"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/netbirdio/netbird/management/server/types"
"github.com/netbirdio/netbird/shared/management/http/api" "github.com/netbirdio/netbird/shared/management/http/api"
"github.com/netbirdio/netbird/shared/management/proto" "github.com/netbirdio/netbird/shared/management/proto"
) )
@@ -45,7 +43,6 @@ type PINAuthConfig struct {
type BearerAuthConfig struct { type BearerAuthConfig struct {
Enabled bool `json:"enabled"` Enabled bool `json:"enabled"`
IdentityProviderID string `json:"identity_provider_id,omitempty"`
DistributionGroups []string `json:"distribution_groups,omitempty" gorm:"serializer:json"` DistributionGroups []string `json:"distribution_groups,omitempty" gorm:"serializer:json"`
} }
@@ -102,7 +99,6 @@ func (r *ReverseProxy) ToAPIResponse() *api.ReverseProxy {
authConfig.BearerAuth = &api.BearerAuthConfig{ authConfig.BearerAuth = &api.BearerAuthConfig{
Enabled: r.Auth.BearerAuth.Enabled, Enabled: r.Auth.BearerAuth.Enabled,
DistributionGroups: &r.Auth.BearerAuth.DistributionGroups, DistributionGroups: &r.Auth.BearerAuth.DistributionGroups,
IdentityProviderId: &r.Auth.BearerAuth.IdentityProviderID,
} }
} }
@@ -136,7 +132,7 @@ func (r *ReverseProxy) ToAPIResponse() *api.ReverseProxy {
} }
} }
func (r *ReverseProxy) ToProtoMapping(operation Operation, setupKey string, idp *types.IdentityProvider) *proto.ProxyMapping { func (r *ReverseProxy) ToProtoMapping(operation Operation, setupKey string) *proto.ProxyMapping {
pathMappings := make([]*proto.PathMapping, 0, len(r.Targets)) pathMappings := make([]*proto.PathMapping, 0, len(r.Targets))
for _, target := range r.Targets { for _, target := range r.Targets {
if !target.Enabled { if !target.Enabled {
@@ -173,12 +169,12 @@ func (r *ReverseProxy) ToProtoMapping(operation Operation, setupKey string, idp
auth.Pin = true auth.Pin = true
} }
if r.Auth.BearerAuth != nil && r.Auth.BearerAuth.Enabled && idp != nil { if r.Auth.BearerAuth != nil && r.Auth.BearerAuth.Enabled {
auth.Oidc = &proto.OIDC{ auth.Oidc = &proto.OIDC{
OidcProviderUrl: idp.Issuer, OidcProviderUrl: "", // TODO:
OidcClientId: idp.ClientID, OidcClientId: "", // TODO:
OidcClientSecret: idp.ClientSecret, OidcClientSecret: "", // TODO:
OidcScopes: []string{oidc.ScopeOpenID, "profile", "email"}, OidcScopes: nil, // TODO:
DistributionGroups: r.Auth.BearerAuth.DistributionGroups, DistributionGroups: r.Auth.BearerAuth.DistributionGroups,
} }
} }
@@ -251,9 +247,6 @@ func (r *ReverseProxy) FromAPIRequest(req *api.ReverseProxyRequest, accountID st
bearerAuth := &BearerAuthConfig{ bearerAuth := &BearerAuthConfig{
Enabled: req.Auth.BearerAuth.Enabled, Enabled: req.Auth.BearerAuth.Enabled,
} }
if req.Auth.BearerAuth.IdentityProviderId != nil {
bearerAuth.IdentityProviderID = *req.Auth.BearerAuth.IdentityProviderId
}
if req.Auth.BearerAuth.DistributionGroups != nil { if req.Auth.BearerAuth.DistributionGroups != nil {
bearerAuth.DistributionGroups = *req.Auth.BearerAuth.DistributionGroups bearerAuth.DistributionGroups = *req.Auth.BearerAuth.DistributionGroups
} }

29
management/internals/shared/grpc/proxy.go
View File

@@ -27,10 +27,9 @@ type reverseProxyStore interface {
GetReverseProxyByID(ctx context.Context, lockStrength store.LockingStrength, accountID string, serviceID string) (*reverseproxy.ReverseProxy, error) GetReverseProxyByID(ctx context.Context, lockStrength store.LockingStrength, accountID string, serviceID string) (*reverseproxy.ReverseProxy, error)
} }
type accountStore interface { type keyStore interface {
GetGroupByName(ctx context.Context, groupName string, accountID string) (*types.Group, error) GetGroupByName(ctx context.Context, groupName string, accountID string) (*types.Group, error)
CreateSetupKey(ctx context.Context, accountID string, keyName string, keyType types.SetupKeyType, expiresIn time.Duration, autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error) CreateSetupKey(ctx context.Context, accountID string, keyName string, keyType types.SetupKeyType, expiresIn time.Duration, autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error)
GetIdentityProvider(ctx context.Context, accountID, idpID, userID string) (*types.IdentityProvider, error)
} }
// ProxyServiceServer implements the ProxyService gRPC server // ProxyServiceServer implements the ProxyService gRPC server
@@ -46,8 +45,8 @@ type ProxyServiceServer struct {
// Store of reverse proxies // Store of reverse proxies
reverseProxyStore reverseProxyStore reverseProxyStore reverseProxyStore
// Store for accounts and authentication information // Store for client setup keys
accountStore accountStore keyStore keyStore
// Manager for access logs // Manager for access logs
accessLogManager accesslogs.Manager accessLogManager accesslogs.Manager
@@ -65,11 +64,11 @@ type proxyConnection struct {
} }
// NewProxyServiceServer creates a new proxy service server // NewProxyServiceServer creates a new proxy service server
func NewProxyServiceServer(store reverseProxyStore, keys accountStore, accessLogMgr accesslogs.Manager) *ProxyServiceServer { func NewProxyServiceServer(store reverseProxyStore, keys keyStore, accessLogMgr accesslogs.Manager) *ProxyServiceServer {
return &ProxyServiceServer{ return &ProxyServiceServer{
updatesChan: make(chan *proto.ProxyMapping, 100), updatesChan: make(chan *proto.ProxyMapping, 100),
reverseProxyStore: store, reverseProxyStore: store,
accountStore: keys, keyStore: keys,
accessLogManager: accessLogMgr, accessLogManager: accessLogMgr,
} }
} }
@@ -140,7 +139,7 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
continue continue
} }
group, err := s.accountStore.GetGroupByName(ctx, rp.Name, rp.AccountID) group, err := s.keyStore.GetGroupByName(ctx, rp.Name, rp.AccountID)
if err != nil { if err != nil {
log.WithFields(log.Fields{ log.WithFields(log.Fields{
"proxy": rp.Name, "proxy": rp.Name,
@@ -150,7 +149,7 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
} }
// TODO: should this even be here? We're running in a loop, and on each proxy, this will create a LOT of setup key entries that we currently have no way to remove. // TODO: should this even be here? We're running in a loop, and on each proxy, this will create a LOT of setup key entries that we currently have no way to remove.
key, err := s.accountStore.CreateSetupKey(ctx, key, err := s.keyStore.CreateSetupKey(ctx,
rp.AccountID, rp.AccountID,
rp.Name, rp.Name,
types.SetupKeyReusable, types.SetupKeyReusable,
@@ -170,25 +169,11 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
continue continue
} }
var idp *types.IdentityProvider
if rp.Auth.BearerAuth != nil && rp.Auth.BearerAuth.Enabled && rp.Auth.BearerAuth.IdentityProviderID != "" {
idp, err = s.accountStore.GetIdentityProvider(ctx, rp.AccountID, rp.Auth.BearerAuth.IdentityProviderID, activity.SystemInitiator)
if err != nil {
log.WithFields(log.Fields{
"proxy": rp.Name,
"account": rp.AccountID,
"idp_id": rp.Auth.BearerAuth.IdentityProviderID,
}).WithError(err).Warn("Failed to get identity provider for reverse proxy, but bearer auth is enabled. Bearer auth will be disabled")
rp.Auth.BearerAuth.Enabled = false
}
}
if err := conn.stream.Send(&proto.GetMappingUpdateResponse{ if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
Mapping: []*proto.ProxyMapping{ Mapping: []*proto.ProxyMapping{
rp.ToProtoMapping( rp.ToProtoMapping(
reverseproxy.Create, // Initial snapshot, all records are "new" for the proxy. reverseproxy.Create, // Initial snapshot, all records are "new" for the proxy.
key.Key, key.Key,
idp,
), ),
}, },
}); err != nil { }); err != nil {

3
shared/management/http/api/openapi.yml
View File

@@ -2962,9 +2962,6 @@ components:
enabled: enabled:
type: boolean type: boolean
description: Whether bearer auth is enabled description: Whether bearer auth is enabled
identity_provider_id:
type: string
description: ID of the identity provider to use for OIDC authentication
distribution_groups: distribution_groups:
type: array type: array
items: items:

3
shared/management/http/api/types.gen.go
View File

@@ -474,9 +474,6 @@ type BearerAuthConfig struct {
// Enabled Whether bearer auth is enabled // Enabled Whether bearer auth is enabled
Enabled bool `json:"enabled"` Enabled bool `json:"enabled"`
// IdentityProviderId ID of the identity provider to use for OIDC authentication
IdentityProviderId *string `json:"identity_provider_id,omitempty"`
} }
// BundleParameters These parameters control what gets included in the bundle and how it is processed. // BundleParameters These parameters control what gets included in the bundle and how it is processed.