kanidmd_core/https/
mod.rs

1mod apidocs;
2pub(crate) mod cache_buster;
3pub(crate) mod errors;
4mod extractors;
5mod generic;
6mod javascript;
7mod manifest;
8pub(crate) mod middleware;
9mod oauth2;
10pub(crate) mod trace;
11mod v1;
12mod v1_domain;
13mod v1_oauth2;
14mod v1_scim;
15mod views;
16
17use self::extractors::ClientConnInfo;
18use self::javascript::*;
19use crate::actors::{QueryServerReadV1, QueryServerWriteV1};
20use crate::config::{AddressSet, Configuration, ServerRole};
21use crate::CoreAction;
22use axum::{
23    body::Body,
24    extract::connect_info::IntoMakeServiceWithConnectInfo,
25    http::{HeaderMap, HeaderValue, Request},
26    middleware::{from_fn, from_fn_with_state},
27    response::Redirect,
28    routing::*,
29    Router,
30};
31use axum_extra::extract::cookie::CookieJar;
32use cidr::IpCidr;
33use compact_jwt::{error::JwtError, JwsCompact, JwsHs256Signer, JwsVerifier};
34use futures::pin_mut;
35use haproxy_protocol::{ProxyHdrV2, RemoteAddress};
36use hyper::body::Incoming;
37use hyper_util::rt::{TokioExecutor, TokioIo};
38use kanidm_lib_crypto::x509_cert::{der::Decode, x509_public_key_s256, Certificate};
39use kanidm_proto::{constants::KSESSIONID, internal::COOKIE_AUTH_SESSION_ID};
40use kanidmd_lib::{idm::ClientCertInfo, status::StatusActor};
41use serde::de::DeserializeOwned;
42use sketching::*;
43use std::fmt::Write;
44use std::io::ErrorKind;
45use std::path::PathBuf;
46use std::sync::Arc;
47use std::{
48    net::{IpAddr, SocketAddr},
49    str::FromStr,
50};
51use tokio::{
52    io::{AsyncRead, AsyncWrite},
53    net::{TcpListener, TcpStream},
54    sync::broadcast,
55    sync::mpsc,
56    task,
57};
58use tokio_rustls::TlsAcceptor;
59use tower::Service;
60use tower_http::{services::ServeDir, trace::TraceLayer};
61use url::Url;
62use uuid::Uuid;
63
64#[derive(Clone)]
65pub struct ServerState {
66    pub(crate) status_ref: &'static StatusActor,
67    pub(crate) qe_w_ref: &'static QueryServerWriteV1,
68    pub(crate) qe_r_ref: &'static QueryServerReadV1,
69    // Store the token management parts.
70    pub(crate) jws_signer: JwsHs256Signer,
71    pub(crate) trust_x_forward_for_ips: Option<Arc<AddressSet>>,
72    pub(crate) csp_header: HeaderValue,
73    pub(crate) origin: Url,
74    pub(crate) domain: String,
75    // This is set to true by default, and is only false on integration tests.
76    pub(crate) secure_cookies: bool,
77}
78
79impl ServerState {
80    /// Deserialize some input string validating that it was signed by our instance's
81    /// HMAC signer. This is used for short lived server-only sessions and context
82    /// data. This has applications in both accessing cookie content and header content.
83    fn deserialise_from_str<T: DeserializeOwned>(&self, input: &str) -> Option<T> {
84        match JwsCompact::from_str(input) {
85            Ok(val) => match self.jws_signer.verify(&val) {
86                Ok(val) => val.from_json::<T>().ok(),
87                Err(err) => {
88                    error!(?err, "Failed to deserialise JWT from request");
89                    if matches!(err, JwtError::InvalidSignature) {
90                        // The server has an ephemeral in memory HMAC signer. This is important as
91                        // auth (login) sessions on one node shouldn't validate on another. Sessions
92                        // that are shared beween nodes use the internal ECDSA signer.
93                        //
94                        // But because of this if the server restarts it rolls the key. Additionally
95                        // it can occur if the load balancer isn't sticking sessions to the correct
96                        // node. That can cause this error. So we want to specifically call it out
97                        // to admins so they can investigate that the fault is occurring *outside*
98                        // of kanidm.
99                        warn!("Invalid Signature errors can occur if your instance restarted recently, if a load balancer is not configured for sticky sessions, or a session was tampered with.");
100                    }
101                    None
102                }
103            },
104            Err(_) => None,
105        }
106    }
107
108    #[instrument(level = "trace", skip_all)]
109    fn get_current_auth_session_id(&self, headers: &HeaderMap, jar: &CookieJar) -> Option<Uuid> {
110        // We see if there is a signed header copy first.
111        headers
112            .get(KSESSIONID)
113            .and_then(|hv| {
114                trace!("trying header");
115                // Get the first header value.
116                hv.to_str().ok()
117            })
118            .or_else(|| {
119                trace!("trying cookie");
120                jar.get(COOKIE_AUTH_SESSION_ID).map(|c| c.value())
121            })
122            .and_then(|s| {
123                trace!(id_jws = %s);
124                self.deserialise_from_str::<Uuid>(s)
125            })
126    }
127}
128
129pub(crate) fn get_js_files(role: ServerRole) -> Result<Vec<JavaScriptFile>, ()> {
130    let mut all_pages: Vec<JavaScriptFile> = Vec::new();
131
132    if !matches!(role, ServerRole::WriteReplicaNoUI) {
133        // let's set up the list of js module hashes
134        let pkg_path = env!("KANIDM_SERVER_UI_PKG_PATH").to_owned();
135
136        let filelist = [
137            "external/bootstrap.bundle.min.js",
138            "external/htmx.min.1.9.12.js",
139            "external/confetti.js",
140            "external/base64.js",
141            "modules/cred_update.mjs",
142            "pkhtml.js",
143            "style.js",
144        ];
145
146        for filepath in filelist {
147            match generate_integrity_hash(format!("{pkg_path}/{filepath}",)) {
148                Ok(hash) => {
149                    debug!("Integrity hash for {}: {}", filepath, hash);
150                    let js = JavaScriptFile { hash };
151                    all_pages.push(js)
152                }
153                Err(err) => {
154                    admin_error!(
155                        ?err,
156                        "Failed to generate integrity hash for {} - cancelling startup!",
157                        filepath
158                    );
159                    return Err(());
160                }
161            }
162        }
163    }
164    Ok(all_pages)
165}
166
167pub async fn create_https_server(
168    config: Configuration,
169    jws_signer: JwsHs256Signer,
170    status_ref: &'static StatusActor,
171    qe_w_ref: &'static QueryServerWriteV1,
172    qe_r_ref: &'static QueryServerReadV1,
173    server_message_tx: broadcast::Sender<CoreAction>,
174    maybe_tls_acceptor: Option<TlsAcceptor>,
175    tls_acceptor_reload_rx: mpsc::Receiver<TlsAcceptor>,
176) -> Result<task::JoinHandle<()>, ()> {
177    let rx = server_message_tx.subscribe();
178
179    let all_js_files = get_js_files(config.role)?;
180    // set up the CSP headers
181    // script-src 'self'
182    //      'sha384-Zao7ExRXVZOJobzS/uMp0P1jtJz3TTqJU4nYXkdmsjpiVD+/wcwCyX7FGqRIqvIz'
183    //      'sha384-MrcW6ZMFYlzcLA8Nl+NtUVF0sA7MsXsP1UyJoMp4YLEuNSfAP+JcXn/tWtIaxVXM';
184
185    let js_directives = all_js_files
186        .into_iter()
187        .map(|f| f.hash)
188        .collect::<Vec<String>>();
189
190    let js_checksums: String = js_directives
191        .iter()
192        .fold(String::new(), |mut output, value| {
193            let _ = write!(output, " 'sha384-{value}'");
194            output
195        });
196
197    let csp_header = format!(
198        concat!(
199            "default-src 'self'; ",
200            "base-uri 'self' https:; ",
201            "form-action 'self' https:;",
202            "frame-ancestors 'none'; ",
203            "img-src 'self' data:; ",
204            "worker-src 'none'; ",
205            "script-src 'self' 'unsafe-eval'{};",
206        ),
207        js_checksums
208    );
209
210    let csp_header = HeaderValue::from_str(&csp_header).map_err(|err| {
211        error!(?err, "Unable to generate content security policy");
212    })?;
213
214    let trust_x_forward_for_ips = config
215        .http_client_address_info
216        .trusted_x_forward_for()
217        .map(Arc::new);
218
219    let trusted_proxy_v2_ips = config
220        .http_client_address_info
221        .trusted_proxy_v2()
222        .map(Arc::new);
223
224    let state = ServerState {
225        status_ref,
226        qe_w_ref,
227        qe_r_ref,
228        jws_signer,
229        trust_x_forward_for_ips,
230        csp_header,
231        origin: config.origin,
232        domain: config.domain.clone(),
233        secure_cookies: config.integration_test_config.is_none(),
234    };
235
236    let static_routes = match config.role {
237        ServerRole::WriteReplica | ServerRole::ReadOnlyReplica => {
238            Router::new()
239                .route("/ui/images/oauth2/:rs_name", get(oauth2::oauth2_image_get))
240                .route("/ui/images/domain", get(v1_domain::image_get))
241                .route("/manifest.webmanifest", get(manifest::manifest)) // skip_route_check
242                // Layers only apply to routes that are *already* added, not the ones
243                // added after.
244                .layer(middleware::compression::new())
245                .layer(from_fn(middleware::caching::cache_me_short))
246                .route("/", get(|| async { Redirect::to("/ui") }))
247                .nest("/ui", views::view_router())
248            // Can't compress on anything that changes
249        }
250        ServerRole::WriteReplicaNoUI => Router::new(),
251    };
252    let app = Router::new()
253        .merge(oauth2::route_setup(state.clone()))
254        .merge(v1_scim::route_setup())
255        .merge(v1::route_setup(state.clone()))
256        .route("/robots.txt", get(generic::robots_txt))
257        .route(
258            views::constants::Urls::WellKnownChangePassword.as_ref(),
259            get(generic::redirect_to_update_credentials),
260        );
261
262    let app = match config.role {
263        ServerRole::WriteReplicaNoUI => app,
264        ServerRole::WriteReplica | ServerRole::ReadOnlyReplica => {
265            let pkg_path = PathBuf::from(env!("KANIDM_SERVER_UI_PKG_PATH"));
266            if !pkg_path.exists() {
267                eprintln!(
268                    "Couldn't find htmx UI package path: ({}), quitting.",
269                    env!("KANIDM_SERVER_UI_PKG_PATH")
270                );
271                std::process::exit(1);
272            }
273            let pkg_router = Router::new()
274                .nest_service("/pkg", ServeDir::new(pkg_path))
275                // TODO: Add in the br precompress
276                .layer(from_fn(middleware::caching::cache_me_short));
277
278            app.merge(pkg_router)
279        }
280    };
281
282    // this sets up the default span which logs the URL etc.
283    let trace_layer = TraceLayer::new_for_http()
284        .make_span_with(trace::DefaultMakeSpanKanidmd::new())
285        // setting these to trace because all they do is print "started processing request", and we are already doing that enough!
286        .on_response(trace::DefaultOnResponseKanidmd::new());
287
288    let app = app
289        .merge(static_routes)
290        .layer(from_fn_with_state(
291            state.clone(),
292            middleware::security_headers::security_headers_layer,
293        ))
294        .layer(from_fn(middleware::version_middleware))
295        .layer(from_fn(
296            middleware::hsts_header::strict_transport_security_layer,
297        ));
298
299    // layer which checks the responses have a content-type of JSON when we're in debug mode
300    #[cfg(any(test, debug_assertions))]
301    let app = app.layer(from_fn(middleware::are_we_json_yet));
302
303    let app = app
304        .route("/status", get(generic::status))
305        // This must be the LAST middleware.
306        // This is because the last middleware here is the first to be entered and the last
307        // to be exited, and this middleware sets up ids' and other bits for for logging
308        // coherence to be maintained.
309        .layer(from_fn_with_state(
310            state.clone(),
311            middleware::ip_address_middleware,
312        ))
313        .layer(from_fn(middleware::kopid_middleware))
314        .merge(apidocs::router())
315        // this MUST be the last layer before with_state else the span never starts and everything breaks.
316        .layer(trace_layer)
317        .with_state(state)
318        // the connect_info bit here lets us pick up the remote address of the client
319        .into_make_service_with_connect_info::<ClientConnInfo>();
320
321    let addr = SocketAddr::from_str(&config.address).map_err(|err| {
322        error!(
323            "Failed to parse address ({:?}) from config: {:?}",
324            config.address, err
325        );
326    })?;
327
328    info!("Starting the web server...");
329
330    let listener = match TcpListener::bind(addr).await {
331        Ok(l) => l,
332        Err(err) => {
333            error!(?err, "Failed to bind tcp listener");
334            return Err(());
335        }
336    };
337
338    match maybe_tls_acceptor {
339        Some(tls_acceptor) => Ok(task::spawn(server_tls_loop(
340            tls_acceptor,
341            listener,
342            app,
343            rx,
344            server_message_tx,
345            tls_acceptor_reload_rx,
346            trusted_proxy_v2_ips,
347        ))),
348        None => Ok(task::spawn(server_plaintext_loop(
349            listener,
350            app,
351            rx,
352            trusted_proxy_v2_ips,
353        ))),
354    }
355}
356
357async fn server_tls_loop(
358    mut tls_acceptor: TlsAcceptor,
359    listener: TcpListener,
360    app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
361    mut rx: broadcast::Receiver<CoreAction>,
362    server_message_tx: broadcast::Sender<CoreAction>,
363    mut tls_acceptor_reload_rx: mpsc::Receiver<TlsAcceptor>,
364    trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
365) {
366    pin_mut!(listener);
367
368    loop {
369        tokio::select! {
370            Ok(action) = rx.recv() => {
371                match action {
372                    CoreAction::Shutdown => break,
373                }
374            }
375            accept = listener.accept() => {
376                match accept {
377                    Ok((stream, addr)) => {
378                        let tls_acceptor = tls_acceptor.clone();
379                        let app = app.clone();
380                        task::spawn(handle_tls_conn(tls_acceptor, stream, app, addr, trusted_proxy_v2_ips.clone()));
381                    }
382                    Err(err) => {
383                        error!("Web server exited with {:?}", err);
384                        if let Err(err) = server_message_tx.send(CoreAction::Shutdown) {
385                            error!("Web server failed to send shutdown message! {:?}", err)
386                        };
387                        break;
388                    }
389                }
390            }
391            Some(mut new_tls_acceptor) = tls_acceptor_reload_rx.recv() => {
392                std::mem::swap(&mut tls_acceptor, &mut new_tls_acceptor);
393                info!("Reloaded http tls acceptor");
394            }
395        }
396    }
397
398    info!("Stopped {}", super::TaskName::HttpsServer);
399}
400
401async fn server_plaintext_loop(
402    listener: TcpListener,
403    app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
404    mut rx: broadcast::Receiver<CoreAction>,
405    trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
406) {
407    pin_mut!(listener);
408
409    loop {
410        tokio::select! {
411            Ok(action) = rx.recv() => {
412                match action {
413                    CoreAction::Shutdown => break,
414                }
415            }
416            accept = listener.accept() => {
417                match accept {
418                    Ok((stream, addr)) => {
419                        let app = app.clone();
420                        task::spawn(handle_conn(stream, app, addr, trusted_proxy_v2_ips.clone()));
421                    }
422                    Err(err) => {
423                        error!("Web server exited with {:?}", err);
424                        break;
425                    }
426                }
427            }
428        }
429    }
430
431    info!("Stopped {}", super::TaskName::HttpsServer);
432}
433
434/// This handles an individual connection.
435pub(crate) async fn handle_conn(
436    stream: TcpStream,
437    app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
438    connection_addr: SocketAddr,
439    trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
440) -> Result<(), std::io::Error> {
441    let (stream, client_ip_addr) =
442        process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
443
444    let client_conn_info = ClientConnInfo {
445        connection_addr,
446        client_ip_addr,
447        client_cert: None,
448    };
449
450    // Hyper has its own `AsyncRead` and `AsyncWrite` traits and doesn't use tokio.
451    // `TokioIo` converts between them.
452    let stream = TokioIo::new(stream);
453
454    process_client_hyper(stream, app, client_conn_info).await
455}
456
457/// This handles an individual connection.
458pub(crate) async fn handle_tls_conn(
459    acceptor: TlsAcceptor,
460    stream: TcpStream,
461    app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
462    connection_addr: SocketAddr,
463    trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
464) -> Result<(), std::io::Error> {
465    let (stream, client_ip_addr) =
466        process_client_addr(stream, connection_addr, trusted_proxy_v2_ips).await?;
467
468    let tls_stream = acceptor.accept(stream).await.map_err(|err| {
469        error!(?err, "Failed to create TLS stream");
470        std::io::Error::from(ErrorKind::ConnectionAborted)
471    })?;
472
473    let maybe_peer_cert = tls_stream
474        .get_ref()
475        .1
476        .peer_certificates()
477        // The first certificate relates to the peer.
478        .and_then(|peer_certs| peer_certs.first());
479
480    // Process the client cert (if any)
481    let client_cert = if let Some(peer_cert) = maybe_peer_cert {
482        // We don't need to check the CRL here - it's already completed as part of the
483        // TLS connection establishment process.
484
485        // Extract the cert from rustls DER to x509-cert which is a better
486        // parser to handle the various extensions.
487        let certificate = Certificate::from_der(peer_cert).map_err(|ossl_err| {
488            error!(?ossl_err, "unable to process DER certificate to x509");
489            std::io::Error::from(ErrorKind::ConnectionAborted)
490        })?;
491
492        let public_key_s256 = x509_public_key_s256(&certificate).ok_or_else(|| {
493            error!("subject public key bitstring is not octet aligned");
494            std::io::Error::from(ErrorKind::ConnectionAborted)
495        })?;
496
497        Some(ClientCertInfo {
498            public_key_s256,
499            certificate,
500        })
501    } else {
502        None
503    };
504
505    let client_conn_info = ClientConnInfo {
506        connection_addr,
507        client_ip_addr,
508        client_cert,
509    };
510
511    // Hyper has its own `AsyncRead` and `AsyncWrite` traits and doesn't use tokio.
512    // `TokioIo` converts between them.
513    let stream = TokioIo::new(tls_stream);
514
515    process_client_hyper(stream, app, client_conn_info).await
516}
517
518async fn process_client_addr(
519    stream: TcpStream,
520    connection_addr: SocketAddr,
521    trusted_proxy_v2_ips: Option<Arc<Vec<IpCidr>>>,
522) -> Result<(TcpStream, IpAddr), std::io::Error> {
523    let enable_proxy_v2_hdr = trusted_proxy_v2_ips
524        .map(|trusted| {
525            trusted
526                .iter()
527                .any(|ip_cidr| ip_cidr.contains(&connection_addr.ip()))
528        })
529        .unwrap_or_default();
530
531    let (stream, client_addr) = if enable_proxy_v2_hdr {
532        match ProxyHdrV2::parse_from_read(stream).await {
533            Ok((stream, hdr)) => {
534                let remote_socket_addr = match hdr.to_remote_addr() {
535                    RemoteAddress::Local => {
536                        debug!("PROXY protocol liveness check - will not contain client data");
537                        return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
538                    }
539                    RemoteAddress::TcpV4 { src, dst: _ } => SocketAddr::from(src),
540                    RemoteAddress::TcpV6 { src, dst: _ } => SocketAddr::from(src),
541                    remote_addr => {
542                        error!(?remote_addr, "remote address in proxy header is invalid");
543                        return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
544                    }
545                };
546
547                (stream, remote_socket_addr)
548            }
549            Err(err) => {
550                error!(?connection_addr, ?err, "Unable to process proxy v2 header");
551                return Err(std::io::Error::from(ErrorKind::ConnectionAborted));
552            }
553        }
554    } else {
555        (stream, connection_addr)
556    };
557
558    Ok((stream, client_addr.ip()))
559}
560
561async fn process_client_hyper<T>(
562    stream: TokioIo<T>,
563    mut app: IntoMakeServiceWithConnectInfo<Router, ClientConnInfo>,
564    client_conn_info: ClientConnInfo,
565) -> Result<(), std::io::Error>
566where
567    T: AsyncRead + AsyncWrite + std::marker::Unpin + std::marker::Send + 'static,
568{
569    debug!(?client_conn_info);
570
571    let svc = tower::MakeService::<ClientConnInfo, hyper::Request<Body>>::make_service(
572        &mut app,
573        client_conn_info,
574    );
575
576    let svc = svc.await.map_err(|e| {
577        error!("Failed to build HTTP response: {:?}", e);
578        std::io::Error::from(ErrorKind::Other)
579    })?;
580
581    // Hyper also has its own `Service` trait and doesn't use tower. We can use
582    // `hyper::service::service_fn` to create a hyper `Service` that calls our app through
583    // `tower::Service::call`.
584    let hyper_service = hyper::service::service_fn(move |request: Request<Incoming>| {
585        // We have to clone `tower_service` because hyper's `Service` uses `&self` whereas
586        // tower's `Service` requires `&mut self`.
587        //
588        // We don't need to call `poll_ready` since `Router` is always ready.
589        svc.clone().call(request)
590    });
591
592    hyper_util::server::conn::auto::Builder::new(TokioExecutor::new())
593        .serve_connection_with_upgrades(stream, hyper_service)
594        .await
595        .map_err(|e| {
596            debug!("Failed to complete connection: {:?}", e);
597            std::io::Error::from(ErrorKind::ConnectionAborted)
598        })
599}