MB-62604: Add cb-on-behalf extras

cb-on-behalf-extras (optional) header populates auth context
for SAML sessions.

checkPermission, getUserBuckets endpoints are modified
to accept an additional context parameter.

on-behalf-of requests parse the context if present to
determine extra groups and roles associated with the SAML
session.

Corresponding cbauth change:
https://review.couchbase.org/c/cbauth/+/214565

Change-Id: I13481b35f037cef78c305dbd7ebfbe3aa947e83c
Reviewed-on: https://review.couchbase.org/c/ns_server/+/214426
Well-Formed: Restriction Checker
Well-Formed: Build Bot <[email protected]>
Tested-by: Neelima Premsankar <[email protected]>
Reviewed-by: Timofey Barmin <[email protected]>

Author: neelima32

src/goxdcr_rest.erl

@@ -40,8 +40,8 @@ headers_for_proxy(MochiReq, AuthnRes) ->
                                 {true, {convert_header_name(Name), Value}}
                         end
                 end, HeadersList),
-    [menelaus_rest:on_behalf_header(AuthnRes),
-     menelaus_rest:special_auth_header() | Headers].
+    menelaus_rest:on_behalf_headers(AuthnRes) ++
+        [menelaus_rest:special_auth_header() | Headers].
 
 send(MochiReq, Method, Path, Headers, Body) ->
     Params = mochiweb_request:parse_qs(MochiReq),

src/menelaus_auth.erl

@@ -42,7 +42,9 @@
          new_session_id/0,
          get_resp_headers/1,
          acting_on_behalf/1,
-         init_auth/1]).
+         init_auth/1,
+         on_behalf_context/1,
+         get_authn_res_from_on_behalf_of/3]).
 
 %% rpc from ns_couchdb node
 -export([authenticate/1,
@@ -501,7 +503,7 @@ verify_rest_auth(Req, Permission) ->
         {ok, #authn_res{} = AuthnRes,
          RespHeaders} ->
             Req2 = append_resp_headers(RespHeaders, Req),
-            case apply_on_behalf_of_identity(AuthnRes, Req2) of
+            case apply_on_behalf_of_authn_res(AuthnRes, Req2) of
                 error ->
                     Req3 = maybe_store_rejected_user(
                              get_rejected_user(Auth), Req2),
@@ -526,15 +528,41 @@ verify_rest_auth(Req, Permission) ->
             {auth_failure, Req2}
     end.
 
--spec apply_on_behalf_of_identity(#authn_res{}, mochiweb_request()) ->
-                                        error | #authn_res{}.
-apply_on_behalf_of_identity(AuthnRes, Req) ->
-    case extract_on_behalf_of_identity(Req) of
+%% Specify authentication context for SAML (and later JWT) in on-behalf-of
+%% extras. {User, Domain} aren't sufficient to determine the full set of
+%% privileges available to the user.
+-spec on_behalf_context(#authn_res{}) -> {string(), boolean()}.
+on_behalf_context(#authn_res{session_id = Id}) when is_binary(Id) ->
+            {"context:ui=" ++ binary_to_list(Id), true};
+on_behalf_context(_) -> {"", false}.
+
+-spec get_authn_res_from_on_behalf_of(User :: rbac_user_id(),
+                                      Domain :: rbac_identity_type(),
+                                      Context :: string() | undefined) ->
+          #authn_res{}.
+get_authn_res_from_on_behalf_of(User, Domain, Context) ->
+    AuthnRes0 = #authn_res{identity = {User, Domain}},
+    case Context of
+        undefined -> AuthnRes0;
+        "ui=" ++ Id ->
+            UiAuthnRes = menelaus_ui_auth:get_authn_res_from_ui_session(Id),
+            case UiAuthnRes of
+                undefined -> AuthnRes0;
+                #authn_res{identity = {User0, Domain0}}
+                  when User0 =:= User, Domain0 =:= Domain -> UiAuthnRes;
+                _ -> AuthnRes0
+            end
+    end.
+
+-spec apply_on_behalf_of_authn_res(#authn_res{}, mochiweb_request()) ->
+          error | #authn_res{}.
+apply_on_behalf_of_authn_res(AuthnRes, Req) ->
+    case extract_on_behalf_of_authn_res(Req) of
         error ->
             error;
         undefined ->
             AuthnRes;
-        {ok, RealIdentity} ->
+        {User, Domain, Context} ->
             %% The permission is formed the way that it is currently granted
             %% to full admins only. We might consider to reformulate it
             %% like {[onbehalf], impersonate} or, such in the upcoming
@@ -547,9 +575,7 @@ apply_on_behalf_of_identity(AuthnRes, Req) ->
             case menelaus_roles:is_allowed(
                    {[admin, security, admin], impersonate}, AuthnRes) of
                 true ->
-                    AuthnRes#authn_res{identity = RealIdentity,
-                                       extra_groups = [],
-                                       extra_roles = []};
+                    get_authn_res_from_on_behalf_of(User, Domain, Context);
                 false ->
                     error
             end
@@ -559,17 +585,23 @@ apply_on_behalf_of_identity(AuthnRes, Req) ->
 acting_on_behalf(Req) ->
     get_authenticated_identity(Req) =/= get_identity(Req).
 
--spec extract_on_behalf_of_identity(mochiweb_request()) ->
-                                                error | undefined
-                                                | {ok, rbac_identity()}.
-extract_on_behalf_of_identity(Req) ->
+-spec extract_on_behalf_of_authn_res(mochiweb_request()) ->
+          error | undefined |
+          {rbac_user_id(), rbac_identity_type(), string() | undefined}.
+extract_on_behalf_of_authn_res(Req) ->
     case read_on_behalf_of_header(Req) of
         Header when is_list(Header) ->
             case parse_on_behalf_of_header(Header) of
                 {User, Domain} ->
-                    try
-                        ExistingDomain = list_to_existing_atom(Domain),
-                        {ok, {User, ExistingDomain}}
+                    try list_to_existing_atom(Domain) of
+                        ExistingDomain ->
+                            case parse_on_behalf_of_extras(Req) of
+                                error -> error;
+                                Context when is_list(Context) ->
+                                    {User, ExistingDomain, Context};
+                                undefined ->
+                                    {User, ExistingDomain, undefined}
+                            end
                     catch
                         error:badarg ->
                             ?log_debug("Invalid domain in cb-on-behalf-of: ~s",
@@ -582,12 +614,21 @@ extract_on_behalf_of_identity(Req) ->
                     error
             end;
         undefined ->
-            undefined
+            case read_on_behalf_of_extras(Req) of
+                undefined -> undefined;
+                Hdr ->
+                    ?log_debug("Unexpected cb-on-behalf-extras: ~s",
+                               [ns_config_log:tag_user_name(Hdr)]),
+                    undefined
+            end
     end.
 
 read_on_behalf_of_header(Req) ->
     mochiweb_request:get_header_value("cb-on-behalf-of", Req).
 
+read_on_behalf_of_extras(Req) ->
+    mochiweb_request:get_header_value("cb-on-behalf-extras", Req).
+
 parse_on_behalf_of_header(Header) ->
     case (catch base64:decode_to_string(Header)) of
         UserDomainStr when is_list(UserDomainStr) ->
@@ -602,6 +643,29 @@ parse_on_behalf_of_header(Header) ->
             error
     end.
 
+parse_on_behalf_of_extras(Req) ->
+    case read_on_behalf_of_extras(Req) of
+        undefined -> undefined;
+        Extras when is_list(Extras) ->
+            Status =
+                case (catch base64:decode_to_string(Extras)) of
+                    ContextStr when is_list(ContextStr) ->
+                        case ContextStr of
+                            "context:" ++ X -> X;
+                            _ -> error
+                        end;
+                    _ -> error
+                end,
+            case Status of
+                error ->
+                    ?log_debug("Invalid context in cb-on-behalf-extras:~s",
+                               [ns_config_log:tag_user_name(Extras)]),
+                    error;
+                S -> S
+            end;
+        _ -> error
+    end.
+
 -spec extract_identity_from_cert(binary()) ->
           tuple() | auth_failure | temporary_failure.
 extract_identity_from_cert(CertDer) ->

src/menelaus_pluggable_ui.erl

@@ -291,8 +291,8 @@ proxy_req(RestPrefix, Path, PluginsConfig, Req) ->
                     % this node and the destination node are same.
 
                     AuthnRes = menelaus_auth:get_authn_res(Req),
-                    FwdHeader = [menelaus_rest:on_behalf_header(AuthnRes),
-                                 menelaus_rest:special_auth_header(Node)],
+                    FwdHeader = menelaus_rest:on_behalf_headers(AuthnRes) ++
+                        [menelaus_rest:special_auth_header(Node)],
 
                     Headers = FwdHeader ++
                         convert_headers(Req, add_filter_headers(HdrFilter)) ++

src/menelaus_rest.erl

@@ -26,7 +26,7 @@
          special_auth_header/1,
          is_auth_header/1,
          if_none_match_header/1,
-         on_behalf_header/1]).
+         on_behalf_headers/1]).
 
 -spec rest_url(string(), string() | integer(), string(), string() | atom()) -> string().
 rest_url(Host, Port, Path, Scheme) when is_atom(Scheme) ->
@@ -55,9 +55,17 @@ special_auth_header(Node) when is_atom(Node) ->
     basic_auth_header(?HIDE({basic_auth, ns_config_auth:get_user(special),
                              ns_config_auth:get_password(Node, special)})).
 
-on_behalf_header(#authn_res{identity = {User, Domain}}) ->
-    {"cb-on-behalf-of",
-     base64:encode_to_string(User ++ ":" ++ atom_to_list(Domain))}.
+%% Allow specifying on behalf of user (User, Domain) in cb-on-behalf-of header
+%% and an optional on-behalf-extras header for additional auth context.
+%% on-behalf-extras can specify multiple kv pairs separated by ;
+%% [key1:v1;key2:v2;key3:v3]
+%% Currently only (optional) UI context is specified as
+%% context:ui=<session_id>.
+on_behalf_headers(#authn_res{identity = {User, Domain}} = AuthnRes) ->
+    {Value, Present} = menelaus_auth:on_behalf_context(AuthnRes),
+    [{"cb-on-behalf-of",
+      base64:encode_to_string(User ++ ":" ++ atom_to_list(Domain))}] ++
+        [{"cb-on-behalf-extras", base64:encode_to_string(Value)} || Present].
 
 is_auth_header(Header) when is_atom(Header) ->
     is_auth_header(atom_to_list(Header));
@@ -68,6 +76,8 @@ is_auth_header_lc("authorization") ->
     true;
 is_auth_header_lc("cb-on-behalf-of") ->
     true;
+is_auth_header_lc("cb-on-behalf-extras") ->
+    true;
 is_auth_header_lc("ns-server-auth-token") ->
     true;
 is_auth_header_lc("ns-server-ui") ->

src/menelaus_ui_auth.erl

@@ -17,7 +17,8 @@
 
 -export([start_ui_session/3, maybe_refresh/1,
          check/1, reset/0, logout/1, session_type_by_id/1,
-         logout_by_session_name/2, logout_by_session_type/1]).
+         logout_by_session_name/2, logout_by_session_type/1,
+         get_authn_res_from_ui_session/1]).
 
 start_link() ->
     token_server:start_link(?MODULE, 1024, ?UI_AUTH_EXPIRATION_SECONDS,
@@ -108,3 +109,20 @@ logout_by_session_name(Type, SessionName) ->
 logout_by_session_type(Type) ->
     Pattern = #uisession{type = Type, _ = '_'},
     token_server:purge(?MODULE, Pattern).
+
+-spec get_authn_res_from_ui_session(Id :: string()) -> #authn_res{} | undefined.
+get_authn_res_from_ui_session(Id) ->
+    case ns_node_disco:couchdb_node() == node() of
+        false ->
+            SessionBin = list_to_binary(Id),
+            AuthPattern = #authn_res{type = ui, session_id = SessionBin,
+                                     _ = '_'},
+            MemoPattern = #uisession{authn_res = AuthPattern, _ = '_'},
+            case token_server:find_memos(?MODULE, MemoPattern) of
+                [] -> undefined;
+                [#uisession{authn_res = UiAuthnRes}] -> UiAuthnRes
+            end;
+        true ->
+            rpc:call(ns_node_disco:ns_server_node(),
+                     ?MODULE, get_authn_res_from_ui_session, [Id])
+    end.

src/menelaus_web_rbac.erl

@@ -1405,8 +1405,8 @@ check_permissions_url_version(Snapshot) ->
            menelaus_roles:params_version(Snapshot)]),
     base64:encode(crypto:hash(sha, B)).
 
-get_accessible_buckets(Identity) ->
-    Roles = menelaus_roles:get_compiled_roles(Identity),
+get_accessible_buckets(AuthnRes) ->
+    Roles = menelaus_roles:get_compiled_roles(AuthnRes),
     lists:filter(
       fun (Bucket) ->
               lists:any(
@@ -1417,9 +1417,12 @@ get_accessible_buckets(Identity) ->
 
 handle_get_user_buckets_for_cbauth(Req) ->
     Params = mochiweb_request:parse_qs(Req),
-    Identity = {proplists:get_value("user", Params),
-                list_to_existing_atom(proplists:get_value("domain", Params))},
-    Buckets = [list_to_binary(B) || B <- get_accessible_buckets(Identity)],
+    User = proplists:get_value("user", Params),
+    Domain = list_to_existing_atom(proplists:get_value("domain", Params)),
+    Context = proplists:get_value("context", Params, undefined),
+    AuthnRes = menelaus_auth:get_authn_res_from_on_behalf_of(User, Domain,
+                                                             Context),
+    Buckets = [list_to_binary(B) || B <- get_accessible_buckets(AuthnRes)],
     menelaus_util:reply_json(Req, Buckets, 200).
 
 handle_get_user_uuid_for_cbauth(Req) ->
@@ -1433,13 +1436,15 @@ handle_get_user_uuid_for_cbauth(Req) ->
 
 handle_check_permission_for_cbauth(Req) ->
     Params = mochiweb_request:parse_qs(Req),
-    Identity = {proplists:get_value("user", Params),
-                list_to_existing_atom(proplists:get_value("domain", Params))},
     RawPermission = proplists:get_value("permission", Params),
     Permission = parse_permission(string:trim(RawPermission)),
+    User = proplists:get_value("user", Params),
+    Domain = list_to_existing_atom(proplists:get_value("domain", Params)),
+    Context = proplists:get_value("context", Params, undefined),
+    AuthnRes = menelaus_auth:get_authn_res_from_on_behalf_of(User, Domain,
+                                                             Context),
 
-    case menelaus_roles:is_allowed(Permission,
-                                   #authn_res{identity = Identity}) of
+    case menelaus_roles:is_allowed(Permission, AuthnRes) of
         true ->
             menelaus_util:reply_text(Req, "", 200);
         false ->