hostsharing/hs.hsadmin.ng
1
0
Fork 0
Code Activity

migrate from CAS to Oauth2-JWT Auth (#197)

Browse Source 
Co-authored-by: Michael Hoennig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/197
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
This commit is contained in:
Michael Hoennig
2025-09-08 15:27:28 +02:00
parent bc06001ce9
commit d7a78d0a79
125 changed files with 1537 additions and 1549 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bin/cas-curl
-261
View File
@@ -1,261 +0,0 @@
#!/bin/bash
if [ "$2" == "--show-password" ]; then
HSADMINNG_CAS_SHOW_PASSWORD=yes
shift
else
HSADMINNG_CAS_SHOW_PASSWORD=
fi
if [ "$1" == "--trace" ]; then
function trace() {
echo "$*" >&2
}
function doCurl() {
set -x
if [ -z "$HSADMINNG_CAS_ASSUME" ]; then
curl --fail-with-body \
--header "Authorization: $HSADMINNG_CAS_TICKET" \
"$@"
else
curl --fail-with-body \
--header "Authorization: $HSADMINNG_CAS_TICKET" \
--header "assumed-roles: $HSADMINNG_CAS_ASSUME" \
"$@"
fi
set +x
}
shift
else
function trace() {
: # noop
}
function doCurl() {
curl --fail-with-body --header "Authorization: $HSADMINNG_CAS_TICKET" "$@"
}
fi
export HSADMINNG_CAS_ASSUME_HEADER
if [ -f ~/.cas-curl-assume ]; then
HSADMINNG_CAS_ASSUME="$(cat ~/.cas-curl-assume)"
else
HSADMINNG_CAS_ASSUME=
fi
if [ -z "$HSADMINNG_CAS_LOGIN" ] || [ -z "$HSADMINNG_CAS_VALIDATE" ] || \
[ -z "$HSADMINNG_CAS_SERVICE_ID" ]; then
cat >&2 <<EOF
ERROR: environment incomplete
please set the following environment variables:
export HSADMINNG_CAS_LOGIN=https://login.hostsharing.net/cas/v1/tickets
export HSADMINNG_CAS_VALIDATE=https://login.hostsharing.net/cas/proxyValidate
export HSADMINNG_CAS_USERNAME=<<optionally, your username, or leave empty after '='>>
export HSADMINNG_CAS_PASSWORD=<<optionally, your password, or leave empty after '='>>
export HSADMINNG_CAS_SERVICE_ID=https://hsadminng.hostsharing.net:443/
EOF
exit 1
fi
function casCurlDocumentation() {
cat <<EOF
curl-wrapper utilizing CAS-authentication for hsadmin-ng
usage: $0 [--trace] [--show-password] <<command>> [parameters]
commands:
EOF
# filters out help texts (containing double-# and following lines with leading single-#) from the commands itself
# (the '' makes sure that this line is not found, just the lines with actual help texts)
sed -n '/#''#/ {x; p; x; s/#''#//; p; :a; n; /^[[:space:]]*#/!b; s/^[[:space:]]*#//; p; ba}' <$0
}
function casLogin() {
# ticket granting ticket exists and not expired?
if find ~/.cas-login-tgt -type f -size +0c -mmin -60 2>/dev/null | grep -q .; then
return
fi
if [ -z "$HSADMINNG_CAS_USERNAME" ]; then
read -e -p "Username: " HSADMINNG_CAS_USERNAME
fi
if [ -z "$HSADMINNG_CAS_PASSWORD" ]; then
read -s -e -p "Password: " HSADMINNG_CAS_PASSWORD
fi
if [ "$HSADMINNG_CAS_SHOW_PASSWORD" == "--show-password" ]; then
HSADMINNG_CAS_PASSWORD_DISPLAY=$HSADMINNG_CAS_PASSWORD
else
HSADMINNG_CAS_PASSWORD_DISPLAY="<<password hidden - use --show-password to show>>"
fi
# Do NOT use doCurl here! We do neither want to print the password nor pass a CAS service ticket.
trace "+ curl --fail-with-body -s -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d \"username=$HSADMINNG_CAS_USERNAME&password=$HSADMINNG_CAS_PASSWORD_DISPLAY\" \
$HSADMINNG_CAS_LOGIN -o ~/.cas-login-tgt.response -D -"
HSADMINNG_CAS_TGT=`curl --fail-with-body -s -i -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d "username=$HSADMINNG_CAS_USERNAME&password=$HSADMINNG_CAS_PASSWORD" \
$HSADMINNG_CAS_LOGIN -o ~/.cas-login-tgt.response -D - \
| grep -i "^Location: " | sed -e 's/^Location: //' -e 's/\\r//'`
if [ -z "$HSADMINNG_CAS_TGT" ]; then
echo "ERROR: could not get ticket granting ticket" >&2
cat ~/.cas-login-tgt.response >&2
exit 1
fi
echo "$HSADMINNG_CAS_TGT" >~/.cas-login-tgt
trace "$HSADMINNG_CAS_TGT"
}
function casLogout() {
rm -f ~/.cas-login-tgt
}
function casTicket() {
HSADMINNG_CAS_TGT=$(<~/.cas-login-tgt)
if [[ -z "$HSADMINNG_CAS_TGT" ]]; then
echo "ERROR: cannot get CAS ticket granting ticket for $HSADMINNG_CAS_USERNAME" >&2
exit 1
fi
trace "CAS-TGT: $HSADMINNG_CAS_TGT"
trace "fetching CAS service ticket"
trace "curl -s -d \"service=$HSADMINNG_CAS_SERVICE_ID\" $HSADMINNG_CAS_TGT"
HSADMINNG_CAS_TICKET=$(curl -s -d "service=$HSADMINNG_CAS_SERVICE_ID" $HSADMINNG_CAS_TGT)
if [[ -z "$HSADMINNG_CAS_TICKET" ]]; then
echo "ERROR: cannot get CAS service ticket" >&2
exit 1
fi
echo $HSADMINNG_CAS_TICKET
}
function casTgt() {
HSADMINNG_CAS_TGT=$(<~/.cas-login-tgt)
if [[ -z "$HSADMINNG_CAS_TGT" ]]; then
echo "ERROR: cannot get CAS ticket granting ticket for $HSADMINNG_CAS_USERNAME" >&2
exit 1
fi
echo "CAS-TGT: $HSADMINNG_CAS_TGT"
}
function casValidate() {
HSADMINNG_CAS_TICKET=`casTicket`
trace "validating CAS-TICKET: $HSADMINNG_CAS_TICKET"
# Do NOT use doCurl here! We do not pass a CAS service ticket.
trace curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID}
HSADMINNG_CAS_USER=`curl -i -s $HSADMINNG_CAS_VALIDATE?ticket=${HSADMINNG_CAS_TICKET}\&service=${HSADMINNG_CAS_SERVICE_ID} | grep -oPm1 "(?<=<cas:user>)[^<]+"`
if [ -z "$HSADMINNG_CAS_USER" ]; then
echo "validation failed" >&2
exit 1
fi
echo "CAS-User: $HSADMINNG_CAS_USER"
}
case "${1,,}" in
# -- generic commands --------------------------------------------------------------------------
""|"-h"|"--help"|"help") ## prints documentation about commands and options
casCurlDocumentation
exit
;;
"env") ## prints all related HSADMINNG_CAS_... environment variables; use '--show-password' to show the password as well
# example: cas-curl env --show-password
echo "HSADMINNG_CAS_LOGIN: $HSADMINNG_CAS_LOGIN"
echo "HSADMINNG_CAS_VALIDATE: $HSADMINNG_CAS_VALIDATE"
echo "HSADMINNG_CAS_USERNAME: $HSADMINNG_CAS_USERNAME"
if [ "$2" == "--show-password" ]; then
echo "HSADMINNG_CAS_PASSWORD: $HSADMINNG_CAS_PASSWORD"
elif [ -z "$HSADMINNG_CAS_PASSWORD" ]; then
echo "HSADMINNG_CAS_PASSWORD: <<not given>>"
else
echo "HSADMINNG_CAS_PASSWORD: <<given, but hidden - add --show-password to show>>"
fi
echo "HSADMINNG_CAS_SERVICE_ID: $HSADMINNG_CAS_SERVICE_ID"
;;
# --- authentication-related commands ------------------------------------------------------------
"login") ## reads username+password and fetches ticket granting ticket (bypasses HSADMINNG_CAS_USERNAME+HSADMINNG_CAS_PASSWORD)
# example: cas-curl login
casLogout
export HSADMINNG_CAS_USERNAME=
export HSADMINNG_CAS_PASSWORD=
casLogin
;;
"assume") ## assumes the given comma-separated roles
# example using object-id-name: cas-curl assume 'hs_office.relation#ExampleMandant-with-PARTNER-ExamplePartner:AGENT'
# example using object-uuid: cas-curl assume 'hs_office.relation#1d3bc468-c5c8-11ef-9d0d-4751ecfda2b7:AGENT'
shift
if [ -z "$1" ]; then
echo "ERROR: requires comma-separated list of roles to assume" >&2
exit 1
fi
echo "$1" >~/.cas-curl-assume
;;
"unassume") ## do not assume any particular role anymore, use the plain user as RBAC subject
rm ~/.cas-curl-assume
;;
"tgt") ## prints the current ticket granting ticket
casTgt
;;
"validate") ## validates current ticket granting ticket and prints currently logged in user
casValidate
;;
"logout") ## logout, deletes ticket granting ticket
casLogout
;;
# --- HTTP-commands ----------------------------------------------------------------------
"get") ## HTTP GET, add URL as parameter
# example: cas-curl GET http://localhost:8080/api/hs/office/partners/P-10003 | jq
# hint: '| jq' is just for human-readable formatted JSON output
shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket`
doCurl "$*"
;;
"post") ## HTTP POST, add curl options to specify the request body and the URL as last parameter
# example: cas-curl POST \
# -d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
# http://localhost:8080/api/test/customers | jq
# hint: '| jq' is just for human-readable formatted JSON output
shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket`
doCurl --header "Content-Type: application/json" -X POST "$@"
;;
"patch") ## HTTP PATCH, add curl options to specify the request body and the URL as last parameterparameter
# example: cas-curl PATCH \
# -d '{ "reference":80002 }' \
# http://localhost:8080/api/test/customers/ae90ac2a-4728-4ca9-802e-a0d0108b2324 | jq
# hint: '| jq' is just for human-readable formatted JSON output
shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket`
doCurl --header "Content-Type: application/json" -X POST "$*"
;;
"delete") ## HTTP DELETE, add curl options to specify the request body and the URL as last parameter
# example: cas-curl DELETE http://localhost:8080/api/hs/office/persons/ae90ac2a-4728-4ca9-802e-a0d0108b2324
shift
casLogin
HSADMINNG_CAS_TICKET=`casTicket`
curl -X POST "$@"
;;
*)
cat >&2 <<EOF
unknown command: '$1'
valid commands: help, login, logout, validate, get, post, patch, delete
EOF
exit 1
;;
esac
bin/jwt-curl
Executable
+279
View File
@@ -0,0 +1,279 @@
#!/bin/bash
if [ "$1" == "--show-password" ]; then
HSADMINNG_JWT_SHOW_PASSWORD=yes
shift
else
HSADMINNG_JWT_SHOW_PASSWORD=
fi
if [ "$1" == "--trace" ]; then
function trace() {
echo "$*" >&2
}
function doCurl() {
set -x
if [ -z "$HSADMINNG_JWT_ASSUME" ]; then
curl --fail-with-body \
--header "Authorization: Bearer $HSADMINNG_JWT_TOKEN" \
"$@"
else
curl --fail-with-body \
--header "Authorization: Bearer $HSADMINNG_JWT_TOKEN" \
--header "assumed-roles: $HSADMINNG_JWT_ASSUME" \
"$@"
fi
set +x
echo
}
shift
else
function trace() {
: # noop
}
function doCurl() {
if [ -z "$HSADMINNG_JWT_ASSUME" ]; then
curl --fail-with-body --header "Authorization: Bearer $HSADMINNG_JWT_TOKEN" "$@"
else
curl --fail-with-body \
--header "Authorization: Bearer $HSADMINNG_JWT_TOKEN" \
--header "assumed-roles: $HSADMINNG_JWT_ASSUME" \
"$@"
echo
fi
}
fi
export HSADMINNG_JWT_ASSUME_HEADER
if [ -f ~/.cas-curl-assume ]; then
HSADMINNG_JWT_ASSUME="$(cat ~/.cas-curl-assume)"
else
HSADMINNG_JWT_ASSUME=
fi
if [ -z "$HSADMINNG_JWT_TOKEN_URL" ]; then
cat >&2 <<EOF
ERROR: environment incomplete
please set the following environment variables:
export HSADMINNG_JWT_TOKEN_URL=https://login.hostsharing.net/oauth/token
export HSADMINNG_JWT_USERNAME=<<optionally, your username, or leave empty after '='>>
export HSADMINNG_JWT_PASSWORD=<<optionally, your password, or leave empty after '='>>
EOF
exit 1
fi
function jwtCurlDocumentation() {
cat <<EOF
curl-wrapper utilizing JWT-authentication for hsadmin-ng
usage: $0 [--trace] [--show-password] <<command>> [parameters]
commands:
EOF
# filters out help texts (containing double-# and following lines with leading single-#) from the commands itself
# (the '' makes sure that this line is not found, just the lines with actual help texts)
sed -n '/#''#/ {x; p; x; s/#''#//; p; :a; n; /^[[:space:]]*#/!b; s/^[[:space:]]*#//; p; ba}' <$0
}
function jwtLogin() {
# JWT token exists and not expired?
if [ -f ~/.jwt-token ]; then
# Check if token is still valid (simple expiry check - you might want to add JWT parsing for more precise validation)
if find ~/.jwt-token -type f -size +0c -mmin -55 2>/dev/null | grep -q .; then
HSADMINNG_JWT_TOKEN=$(<~/.jwt-token)
return
fi
fi
if [ -z "$HSADMINNG_JWT_USERNAME" ]; then
read -e -p "Username: " HSADMINNG_JWT_USERNAME
fi
if [ -z "$HSADMINNG_JWT_PASSWORD" ]; then
read -s -e -p "Password: " HSADMINNG_JWT_PASSWORD
fi
if [ "$HSADMINNG_JWT_SHOW_PASSWORD" == "yes" ]; then
HSADMINNG_JWT_PASSWORD_DISPLAY=$HSADMINNG_JWT_PASSWORD
else
HSADMINNG_JWT_PASSWORD_DISPLAY="<<password hidden - use --show-password to show>>"
fi
# OAuth2 Resource Owner Password Credentials Grant (public client)
trace "+ curl --fail-with-body --show-error -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d \"grant_type=password&username=$HSADMINNG_JWT_USERNAME&password=$HSADMINNG_JWT_PASSWORD_DISPLAY\" \
$HSADMINNG_JWT_TOKEN_URL -o ~/.jwt-token.response"
JWT_RESPONSE=$(curl --fail-with-body --show-error -X POST \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d "grant_type=password&username=$HSADMINNG_JWT_USERNAME&password=$HSADMINNG_JWT_PASSWORD" \
$HSADMINNG_JWT_TOKEN_URL 2>&1 | tee ~/.jwt-token.response)
# Extract access token from JSON response
HSADMINNG_JWT_TOKEN=$(echo "$JWT_RESPONSE" | grep -o '"access_token":"[^"]*' | cut -d'"' -f4)
if [ -z "$HSADMINNG_JWT_TOKEN" ]; then
echo "ERROR: could not get JWT access token: $JWT_RESPONSE" >&2
echo >&2
exit 1
fi
echo "$HSADMINNG_JWT_TOKEN" > ~/.jwt-token
trace "JWT Token acquired (length: ${#HSADMINNG_JWT_TOKEN})"
}
function jwtLogout() {
rm -f ~/.jwt-token ~/.jwt-token.response
}
function jwtValidate() {
if [ ! -f ~/.jwt-token ]; then
echo "ERROR: no JWT token found, please login first" >&2
exit 1
fi
HSADMINNG_JWT_TOKEN=$(<~/.jwt-token)
# Simple JWT validation - decode payload (base64 decode the middle part)
JWT_PAYLOAD=$(echo "$HSADMINNG_JWT_TOKEN" | cut -d'.' -f2)
# Add padding if needed for base64 decoding
case $((${#JWT_PAYLOAD} % 4)) in
2) JWT_PAYLOAD="${JWT_PAYLOAD}==" ;;
3) JWT_PAYLOAD="${JWT_PAYLOAD}=" ;;
esac
if command -v base64 >/dev/null 2>&1; then
JWT_DECODED=$(echo "$JWT_PAYLOAD" | base64 -d 2>/dev/null)
if [ $? -eq 0 ]; then
OAUTH_USER=$(echo "$JWT_DECODED" | grep -o '"sub":"[^"]*' | cut -d'"' -f4)
if [ -z "$OAUTH_USER" ]; then
OAUTH_USER=$(echo "$JWT_DECODED" | grep -o '"preferred_username":"[^"]*' | cut -d'"' -f4)
fi
if [ -z "$OAUTH_USER" ]; then
OAUTH_USER=$(echo "$JWT_DECODED" | grep -o '"username":"[^"]*' | cut -d'"' -f4)
fi
if [ -n "$OAUTH_USER" ]; then
echo "OAuth User: $OAUTH_USER"
# Check expiry
EXP=$(echo "$JWT_DECODED" | grep -o '"exp":[0-9]*' | cut -d':' -f2)
if [ -n "$EXP" ]; then
CURRENT_TIME=$(date +%s)
if [ "$EXP" -lt "$CURRENT_TIME" ]; then
echo "WARNING: JWT token has expired" >&2
else
echo "Token expires: $(date -d "@$EXP" 2>/dev/null || date -r "$EXP" 2>/dev/null || echo "unknown")"
fi
fi
else
echo "Could not extract user from JWT token" >&2
fi
else
echo "Could not decode JWT token" >&2
fi
else
echo "JWT token present but cannot validate (base64 command not available)" >&2
fi
}
function jwtToken() {
if [ ! -f ~/.jwt-token ]; then
echo "ERROR: no JWT token found, please login first" >&2
exit 1
fi
HSADMINNG_JWT_TOKEN=$(<~/.jwt-token)
echo "$HSADMINNG_JWT_TOKEN"
}
case "${1,,}" in
# -- generic commands --------------------------------------------------------------------------
""|"-h"|"--help"|"help") ## prints documentation about commands and options
jwtCurlDocumentation
exit
;;
"env") ## prints all related HSADMINNG_JWT_... environment variables; use '--show-password' to show the password as well
# example: jwt-curl -show-password env
echo "export HSADMINNG_JWT_TOKEN_URL=$HSADMINNG_JWT_TOKEN_URL"
echo "export HSADMINNG_JWT_USERNAME=$HSADMINNG_JWT_USERNAME"
if [ "$HSADMINNG_JWT_SHOW_PASSWORD" == "yes" ]; then
echo "export HSADMINNG_JWT_PASSWORD=$HSADMINNG_JWT_PASSWORD"
elif [ -z "$HSADMINNG_JWT_PASSWORD" ]; then
echo "export HSADMINNG_JWT_PASSWORD=#<<not given>>"
else
echo "export HSADMINNG_JWT_PASSWORD=#<<given, but hidden - add --show-password to show>>"
fi
;;
# --- authentication-related commands ------------------------------------------------------------
"login") ## reads username+password and fetches JWT access token (bypasses HSADMINNG_JWT_USERNAME+HSADMINNG_JWT_PASSWORD)
# example: jwt-curl login
jwtLogout
export HSADMINNG_JWT_USERNAME=
export HSADMINNG_JWT_PASSWORD=
jwtLogin
;;
"assume") ## assumes the given comma-separated roles
# example using object-id-name: jwt-curl assume 'hs_office.relation#ExampleMandant-with-PARTNER-ExamplePartner:AGENT'
# example using object-uuid: jwt-curl assume 'hs_office.relation#1d3bc468-c5c8-11ef-9d0d-4751ecfda2b7:AGENT'
shift
if [ -z "$1" ]; then
echo "ERROR: requires comma-separated list of roles to assume" >&2
exit 1
fi
echo "$1" >~/.cas-curl-assume
;;
"unassume") ## do not assume any particular role anymore, use the plain user as RBAC subject
rm -f ~/.cas-curl-assume
;;
"token") ## prints the current JWT access token
jwtToken
;;
"validate") ## validates current JWT token and prints currently logged in user
jwtValidate
;;
"logout") ## logout, deletes JWT token
jwtLogout
;;
# --- HTTP-commands ----------------------------------------------------------------------
"get") ## HTTP GET, add URL as parameter
# example: jwt-curl GET http://localhost:8080/api/hs/office/partners/P-10003 | jq
# hint: '| jq' is just for human-readable formatted JSON output
shift
jwtLogin
doCurl "$*"
;;
"post") ## HTTP POST, add curl options to specify the request body and the URL as last parameter
# example: jwt-curl POST \
# -d '{ "prefix":"ttt", "reference":80001, "adminUserName":"admin@ttt.example.com" }' \
# http://localhost:8080/api/test/customers | jq
# hint: '| jq' is just for human-readable formatted JSON output
shift
jwtLogin
doCurl --header "Content-Type: application/json" -X POST "$@"
;;
"patch") ## HTTP PATCH, add curl options to specify the request body and the URL as last parameterparameter
# example: jwt-curl PATCH \
# -d '{ "reference":80002 }' \
# http://localhost:8080/api/test/customers/ae90ac2a-4728-4ca9-802e-a0d0108b2324 | jq
# hint: '| jq' is just for human-readable formatted JSON output
shift
jwtLogin
doCurl --header "Content-Type: application/json" -X POST "$*"
;;
# --- unknown command --------------------------------------------------------------------
*)
cat >&2 <<EOF
unknown command: '$1'
valid commands: help, login, logout, validate, get, post, patch, delete
EOF
exit 1
;;
esac