feat(auth): add authentication, RBAC, API tokens, and default admin

Add a complete authentication and authorization system to Silo with three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak), session management, API token support, and role-based access control. Authentication backends: - Local: bcrypt (cost 12) password verification against users table - LDAP: FreeIPA simple bind with group-to-role mapping - OIDC: Keycloak redirect flow with realm role mapping - Backends are tried in order; users upserted to DB on first login Session and token management: - PostgreSQL-backed sessions via alexedwards/scs + pgxstore - Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once) - 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies Role-based access control (admin > editor > viewer): - RequireAuth middleware: Bearer token -> session -> redirect/401 - RequireRole middleware: per-route-group minimum role enforcement - CSRF protection via justinas/nosurf on web forms, API exempt - CORS locked to configured origins when auth enabled Route restructuring: - Public: /health, /ready, /login, /auth/oidc, /auth/callback - Web (auth + CSRF): /, /projects, /schemas, /settings - API read (viewer): GET /api/** - API write (editor): POST/PUT/PATCH/DELETE /api/** User context wiring: - created_by/updated_by columns on items, projects, relationships - All create/update handlers populate tracking fields from context - CSV and BOM import handlers pass authenticated username - Revision creation tracks user across all code paths Default admin account: - Configurable via auth.local.default_admin_username/password - Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD - Idempotent: created on first startup, skipped if exists CLI and FreeCAD plugin: - silo token create/list/revoke subcommands (HTTP API client) - FreeCAD SiloClient sends Bearer token on all requests - Token read from ApiToken preference or SILO_API_TOKEN env var Web UI: - Login page (Catppuccin Mocha themed, OIDC button conditional) - Settings page with account info and API token management - User display name, role badge, and logout button in header - One-time token display banner with copy-to-clipboard Database (migration 009): - users table with role, auth_source, oidc_subject, password_hash - api_tokens table with SHA-256 hash, prefix, expiry, scopes - sessions table (scs pgxstore schema) - audit_log table (schema ready for future use) - created_by/updated_by ALTER on items, relationships, projects New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3, justinas/nosurf, golang.org/x/oauth2
2026-01-31 11:20:12 -06:00
parent a5fba7bf99
commit 4f0107f1b2
32 changed files with 3538 additions and 138 deletions
--- a/deployments/config.prod.yaml
+++ b/deployments/config.prod.yaml
@@ -35,3 +35,48 @@ schemas:
 freecad:
  uri_scheme: "silo"
  executable: "/usr/bin/freecad"
+
+# Authentication
+# Set via SILO_SESSION_SECRET, SILO_OIDC_CLIENT_SECRET, SILO_LDAP_BIND_PASSWORD env vars
+auth:
+  enabled: true
+  session_secret: "" # Set via SILO_SESSION_SECRET
+
+  local:
+    enabled: true
+    default_admin_username: "admin"
+    default_admin_password: "" # Set via SILO_ADMIN_PASSWORD
+
+  ldap:
+    enabled: true
+    url: "ldaps://ipa.kindred.internal"
+    base_dn: "dc=kindred,dc=internal"
+    user_search_dn: "cn=users,cn=accounts,dc=kindred,dc=internal"
+    user_attr: "uid"
+    email_attr: "mail"
+    display_attr: "displayName"
+    group_attr: "memberOf"
+    role_mapping:
+      admin:
+        - "cn=silo-admins,cn=groups,cn=accounts,dc=kindred,dc=internal"
+      editor:
+        - "cn=silo-users,cn=groups,cn=accounts,dc=kindred,dc=internal"
+        - "cn=engineers,cn=groups,cn=accounts,dc=kindred,dc=internal"
+      viewer:
+        - "cn=silo-viewers,cn=groups,cn=accounts,dc=kindred,dc=internal"
+    tls_skip_verify: false
+
+  oidc:
+    enabled: false
+    issuer_url: "https://keycloak.kindred.internal/realms/silo"
+    client_id: "silo"
+    client_secret: "" # Set via SILO_OIDC_CLIENT_SECRET
+    redirect_url: "https://silo.kindred.internal/auth/callback"
+    scopes: ["openid", "profile", "email"]
+    admin_role: "silo-admin"
+    editor_role: "silo-editor"
+    default_role: "viewer"
+
+  cors:
+    allowed_origins:
+      - "https://silo.kindred.internal"
--- a/deployments/docker-compose.yaml
+++ b/deployments/docker-compose.yaml
@@ -60,6 +60,11 @@ services:
      SILO_MINIO_SECRET_KEY: ${MINIO_SECRET_KEY:-silominiosecret}
      SILO_MINIO_BUCKET: silo-files
      SILO_MINIO_USE_SSL: "false"
+      SILO_SESSION_SECRET: ${SILO_SESSION_SECRET:-change-me-in-production}
+      SILO_OIDC_CLIENT_SECRET: ${SILO_OIDC_CLIENT_SECRET:-}
+      SILO_LDAP_BIND_PASSWORD: ${SILO_LDAP_BIND_PASSWORD:-}
+      SILO_ADMIN_USERNAME: ${SILO_ADMIN_USERNAME:-admin}
+      SILO_ADMIN_PASSWORD: ${SILO_ADMIN_PASSWORD:-}
    ports:
      - "8080:8080"
    volumes: