2021-01-16 20:41:39 +00:00
|
|
|
package ak
|
|
|
|
|
|
|
|
import (
|
2021-05-16 19:07:01 +00:00
|
|
|
"context"
|
|
|
|
"fmt"
|
2021-01-16 20:41:39 +00:00
|
|
|
"math/rand"
|
2021-05-16 19:07:01 +00:00
|
|
|
"net/http"
|
2021-01-16 20:41:39 +00:00
|
|
|
"net/url"
|
2021-11-24 21:41:55 +00:00
|
|
|
"os"
|
|
|
|
"os/signal"
|
|
|
|
"syscall"
|
2021-01-16 20:41:39 +00:00
|
|
|
"time"
|
|
|
|
|
2021-12-12 12:46:31 +00:00
|
|
|
"github.com/getsentry/sentry-go"
|
2021-05-11 19:46:30 +00:00
|
|
|
"github.com/google/uuid"
|
2021-12-11 21:48:33 +00:00
|
|
|
"github.com/gorilla/websocket"
|
2021-09-08 18:04:56 +00:00
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
2021-06-29 14:21:00 +00:00
|
|
|
"goauthentik.io/api"
|
2021-07-17 10:49:13 +00:00
|
|
|
"goauthentik.io/internal/constants"
|
2021-01-16 20:41:39 +00:00
|
|
|
|
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
)
|
|
|
|
|
|
|
|
const ConfigLogLevel = "log_level"
|
|
|
|
|
|
|
|
// APIController main controller which connects to the authentik api via http and ws
|
|
|
|
type APIController struct {
|
2021-08-21 12:13:46 +00:00
|
|
|
Client *api.APIClient
|
|
|
|
Outpost api.Outpost
|
|
|
|
GlobalConfig api.Config
|
2021-01-16 20:41:39 +00:00
|
|
|
|
|
|
|
Server Outpost
|
|
|
|
|
2021-08-21 12:13:46 +00:00
|
|
|
token string
|
|
|
|
|
2021-04-23 08:08:19 +00:00
|
|
|
logger *log.Entry
|
2021-01-16 20:41:39 +00:00
|
|
|
|
2021-12-11 21:48:33 +00:00
|
|
|
reloadOffset time.Duration
|
|
|
|
|
|
|
|
wsConn *websocket.Conn
|
|
|
|
lastWsReconnect time.Time
|
|
|
|
wsIsReconnecting bool
|
|
|
|
wsBackoffMultiplier int
|
2021-01-16 20:41:39 +00:00
|
|
|
|
2021-05-11 19:46:30 +00:00
|
|
|
instanceUUID uuid.UUID
|
2021-01-16 20:41:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewAPIController initialise new API Controller instance from URL and API token
|
2021-04-19 16:38:16 +00:00
|
|
|
func NewAPIController(akURL url.URL, token string) *APIController {
|
2021-12-13 15:18:26 +00:00
|
|
|
rsp := sentry.StartSpan(context.Background(), "authentik.outposts.init")
|
2021-12-12 12:46:31 +00:00
|
|
|
|
2021-05-16 19:07:01 +00:00
|
|
|
config := api.NewConfiguration()
|
|
|
|
config.Host = akURL.Host
|
|
|
|
config.Scheme = akURL.Scheme
|
|
|
|
config.HTTPClient = &http.Client{
|
2021-12-12 12:46:31 +00:00
|
|
|
Transport: NewUserAgentTransport(constants.OutpostUserAgent(), NewTracingTransport(rsp.Context(), GetTLSTransport())),
|
2021-05-16 19:07:01 +00:00
|
|
|
}
|
|
|
|
config.AddDefaultHeader("Authorization", fmt.Sprintf("Bearer %s", token))
|
2021-01-16 20:41:39 +00:00
|
|
|
|
|
|
|
// create the API client, with the transport
|
2021-05-16 19:07:01 +00:00
|
|
|
apiClient := api.NewAPIClient(config)
|
2021-01-16 20:41:39 +00:00
|
|
|
|
2021-02-11 22:48:54 +00:00
|
|
|
log := log.WithField("logger", "authentik.outpost.ak-api-controller")
|
|
|
|
|
2021-01-16 20:41:39 +00:00
|
|
|
// Because we don't know the outpost UUID, we simply do a list and pick the first
|
|
|
|
// The service account this token belongs to should only have access to a single outpost
|
2021-05-16 19:35:23 +00:00
|
|
|
outposts, _, err := apiClient.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
|
2021-01-16 20:41:39 +00:00
|
|
|
|
|
|
|
if err != nil {
|
2021-08-21 12:13:46 +00:00
|
|
|
log.WithError(err).Error("Failed to fetch outpost configuration")
|
2021-06-23 18:40:51 +00:00
|
|
|
return nil
|
2021-01-16 20:41:39 +00:00
|
|
|
}
|
2021-05-16 19:07:01 +00:00
|
|
|
outpost := outposts.Results[0]
|
2021-01-16 20:41:39 +00:00
|
|
|
|
2021-08-21 14:17:30 +00:00
|
|
|
log.WithField("name", outpost.Name).Debug("Fetched outpost configuration")
|
|
|
|
|
|
|
|
akConfig, _, err := apiClient.RootApi.RootConfigRetrieve(context.Background()).Execute()
|
|
|
|
if err != nil {
|
|
|
|
log.WithError(err).Error("Failed to fetch global configuration")
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
log.Debug("Fetched global configuration")
|
|
|
|
|
2021-11-29 13:42:19 +00:00
|
|
|
doGlobalSetup(outpost, akConfig)
|
|
|
|
|
2021-01-16 20:41:39 +00:00
|
|
|
ac := &APIController{
|
2021-08-21 12:13:46 +00:00
|
|
|
Client: apiClient,
|
|
|
|
GlobalConfig: akConfig,
|
2021-01-16 20:41:39 +00:00
|
|
|
|
2021-08-21 12:13:46 +00:00
|
|
|
token: token,
|
2021-02-11 22:48:54 +00:00
|
|
|
logger: log,
|
2021-01-16 20:41:39 +00:00
|
|
|
|
2021-12-11 21:48:33 +00:00
|
|
|
reloadOffset: time.Duration(rand.Intn(10)) * time.Second,
|
|
|
|
instanceUUID: uuid.New(),
|
|
|
|
Outpost: outpost,
|
|
|
|
wsBackoffMultiplier: 1,
|
2021-01-16 20:41:39 +00:00
|
|
|
}
|
2021-11-24 21:41:55 +00:00
|
|
|
ac.logger.WithField("offset", ac.reloadOffset.String()).Debug("HA Reload offset")
|
2021-12-11 21:48:33 +00:00
|
|
|
err = ac.initWS(akURL, outpost.Pk)
|
|
|
|
if err != nil {
|
|
|
|
go ac.reconnectWS()
|
|
|
|
}
|
2021-11-24 21:41:55 +00:00
|
|
|
ac.configureRefreshSignal()
|
2021-01-16 20:41:39 +00:00
|
|
|
return ac
|
|
|
|
}
|
|
|
|
|
|
|
|
// Start Starts all handlers, non-blocking
|
|
|
|
func (a *APIController) Start() error {
|
2021-12-20 20:47:32 +00:00
|
|
|
err := a.Server.Refresh()
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
err = a.StartBackgorundTasks()
|
2021-07-29 09:30:30 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
go func() {
|
|
|
|
err := a.Server.Start()
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-11-24 21:41:55 +00:00
|
|
|
func (a *APIController) configureRefreshSignal() {
|
|
|
|
s := make(chan os.Signal, 1)
|
|
|
|
go func() {
|
|
|
|
for {
|
|
|
|
<-s
|
|
|
|
err := a.OnRefresh()
|
|
|
|
if err != nil {
|
|
|
|
a.logger.WithError(err).Warning("failed to refresh")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
signal.Notify(s, syscall.SIGUSR1)
|
|
|
|
a.logger.Debug("Enabled USR1 hook to reload")
|
|
|
|
}
|
|
|
|
|
2021-09-10 10:18:19 +00:00
|
|
|
func (a *APIController) OnRefresh() error {
|
|
|
|
// Because we don't know the outpost UUID, we simply do a list and pick the first
|
|
|
|
// The service account this token belongs to should only have access to a single outpost
|
|
|
|
outposts, _, err := a.Client.OutpostsApi.OutpostsInstancesList(context.Background()).Execute()
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
log.WithError(err).Error("Failed to fetch outpost configuration")
|
|
|
|
return err
|
|
|
|
}
|
2021-09-26 09:40:18 +00:00
|
|
|
a.Outpost = outposts.Results[0]
|
2021-09-10 10:18:19 +00:00
|
|
|
|
2021-11-11 22:18:32 +00:00
|
|
|
a.logger.WithField("name", a.Outpost.Name).Debug("Fetched outpost configuration")
|
2021-12-20 20:08:03 +00:00
|
|
|
doGlobalSetup(a.Outpost, a.GlobalConfig)
|
2021-09-10 10:18:19 +00:00
|
|
|
return a.Server.Refresh()
|
|
|
|
}
|
|
|
|
|
2021-07-29 09:30:30 +00:00
|
|
|
func (a *APIController) StartBackgorundTasks() error {
|
2021-09-16 10:09:12 +00:00
|
|
|
OutpostInfo.With(prometheus.Labels{
|
|
|
|
"outpost_name": a.Outpost.Name,
|
|
|
|
"outpost_type": a.Server.Type(),
|
|
|
|
"uuid": a.instanceUUID.String(),
|
|
|
|
"version": constants.VERSION,
|
|
|
|
"build": constants.BUILD(),
|
|
|
|
}).Set(1)
|
2021-01-16 20:41:39 +00:00
|
|
|
go func() {
|
|
|
|
a.logger.Debug("Starting WS Handler...")
|
|
|
|
a.startWSHandler()
|
|
|
|
}()
|
|
|
|
go func() {
|
|
|
|
a.logger.Debug("Starting WS Health notifier...")
|
|
|
|
a.startWSHealth()
|
|
|
|
}()
|
2021-05-10 23:07:26 +00:00
|
|
|
go func() {
|
|
|
|
a.logger.Debug("Starting Interval updater...")
|
|
|
|
a.startIntervalUpdater()
|
|
|
|
}()
|
2021-08-21 14:17:30 +00:00
|
|
|
go func() {
|
|
|
|
a.logger.Debug("Starting periodical timer...")
|
|
|
|
a.startPeriodicalTasks()
|
|
|
|
}()
|
2021-01-16 20:41:39 +00:00
|
|
|
return nil
|
|
|
|
}
|