4f0107f1b2
Add a complete authentication and authorization system to Silo with three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak), session management, API token support, and role-based access control. Authentication backends: - Local: bcrypt (cost 12) password verification against users table - LDAP: FreeIPA simple bind with group-to-role mapping - OIDC: Keycloak redirect flow with realm role mapping - Backends are tried in order; users upserted to DB on first login Session and token management: - PostgreSQL-backed sessions via alexedwards/scs + pgxstore - Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once) - 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies Role-based access control (admin > editor > viewer): - RequireAuth middleware: Bearer token -> session -> redirect/401 - RequireRole middleware: per-route-group minimum role enforcement - CSRF protection via justinas/nosurf on web forms, API exempt - CORS locked to configured origins when auth enabled Route restructuring: - Public: /health, /ready, /login, /auth/oidc, /auth/callback - Web (auth + CSRF): /, /projects, /schemas, /settings - API read (viewer): GET /api/** - API write (editor): POST/PUT/PATCH/DELETE /api/** User context wiring: - created_by/updated_by columns on items, projects, relationships - All create/update handlers populate tracking fields from context - CSV and BOM import handlers pass authenticated username - Revision creation tracks user across all code paths Default admin account: - Configurable via auth.local.default_admin_username/password - Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD - Idempotent: created on first startup, skipped if exists CLI and FreeCAD plugin: - silo token create/list/revoke subcommands (HTTP API client) - FreeCAD SiloClient sends Bearer token on all requests - Token read from ApiToken preference or SILO_API_TOKEN env var Web UI: - Login page (Catppuccin Mocha themed, OIDC button conditional) - Settings page with account info and API token management - User display name, role badge, and logout button in header - One-time token display banner with copy-to-clipboard Database (migration 009): - users table with role, auth_source, oidc_subject, password_hash - api_tokens table with SHA-256 hash, prefix, expiry, scopes - sessions table (scs pgxstore schema) - audit_log table (schema ready for future use) - created_by/updated_by ALTER on items, relationships, projects New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3, justinas/nosurf, golang.org/x/oauth2
221 lines
6.8 KiB
Go
221 lines
6.8 KiB
Go
// Command silod is the Silo HTTP API server.
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"flag"
|
|
"fmt"
|
|
"net/http"
|
|
"os"
|
|
"os/signal"
|
|
"syscall"
|
|
"time"
|
|
|
|
"github.com/alexedwards/scs/pgxstore"
|
|
"github.com/alexedwards/scs/v2"
|
|
"github.com/kindredsystems/silo/internal/api"
|
|
"github.com/kindredsystems/silo/internal/auth"
|
|
"github.com/kindredsystems/silo/internal/config"
|
|
"github.com/kindredsystems/silo/internal/db"
|
|
"github.com/kindredsystems/silo/internal/schema"
|
|
"github.com/kindredsystems/silo/internal/storage"
|
|
"github.com/rs/zerolog"
|
|
)
|
|
|
|
func main() {
|
|
// Parse flags
|
|
configPath := flag.String("config", "config.yaml", "Path to configuration file")
|
|
flag.Parse()
|
|
|
|
// Setup logger
|
|
logger := zerolog.New(os.Stdout).With().Timestamp().Logger()
|
|
|
|
// Load configuration
|
|
cfg, err := config.Load(*configPath)
|
|
if err != nil {
|
|
logger.Fatal().Err(err).Msg("failed to load configuration")
|
|
}
|
|
|
|
logger.Info().
|
|
Str("host", cfg.Server.Host).
|
|
Int("port", cfg.Server.Port).
|
|
Str("database", cfg.Database.Host).
|
|
Str("storage", cfg.Storage.Endpoint).
|
|
Msg("starting silo server")
|
|
|
|
// Connect to database
|
|
ctx := context.Background()
|
|
database, err := db.Connect(ctx, db.Config{
|
|
Host: cfg.Database.Host,
|
|
Port: cfg.Database.Port,
|
|
Name: cfg.Database.Name,
|
|
User: cfg.Database.User,
|
|
Password: cfg.Database.Password,
|
|
SSLMode: cfg.Database.SSLMode,
|
|
MaxConnections: cfg.Database.MaxConnections,
|
|
})
|
|
if err != nil {
|
|
logger.Fatal().Err(err).Msg("failed to connect to database")
|
|
}
|
|
defer database.Close()
|
|
logger.Info().Msg("connected to database")
|
|
|
|
// Connect to storage (optional - may be externally managed)
|
|
var store *storage.Storage
|
|
if cfg.Storage.Endpoint != "" {
|
|
store, err = storage.Connect(ctx, storage.Config{
|
|
Endpoint: cfg.Storage.Endpoint,
|
|
AccessKey: cfg.Storage.AccessKey,
|
|
SecretKey: cfg.Storage.SecretKey,
|
|
Bucket: cfg.Storage.Bucket,
|
|
UseSSL: cfg.Storage.UseSSL,
|
|
Region: cfg.Storage.Region,
|
|
})
|
|
if err != nil {
|
|
logger.Warn().Err(err).Msg("failed to connect to storage - file operations disabled")
|
|
store = nil
|
|
} else {
|
|
logger.Info().Msg("connected to storage")
|
|
}
|
|
} else {
|
|
logger.Info().Msg("storage not configured - file operations disabled")
|
|
}
|
|
|
|
// Load schemas
|
|
schemas, err := schema.LoadAll(cfg.Schemas.Directory)
|
|
if err != nil {
|
|
logger.Fatal().Err(err).Str("directory", cfg.Schemas.Directory).Msg("failed to load schemas")
|
|
}
|
|
logger.Info().Int("count", len(schemas)).Msg("loaded schemas")
|
|
|
|
// Initialize authentication
|
|
userRepo := db.NewUserRepository(database)
|
|
tokenRepo := db.NewTokenRepository(database)
|
|
|
|
// Session manager (PostgreSQL-backed via scs + pgxstore)
|
|
sessionManager := scs.New()
|
|
sessionManager.Store = pgxstore.New(database.Pool())
|
|
sessionManager.Lifetime = 24 * time.Hour
|
|
sessionManager.Cookie.Name = "silo_session"
|
|
sessionManager.Cookie.HttpOnly = true
|
|
sessionManager.Cookie.Secure = cfg.Auth.Enabled // Secure cookies when auth is active
|
|
sessionManager.Cookie.SameSite = http.SameSiteLaxMode
|
|
|
|
// Build auth backends from config
|
|
var backends []auth.Backend
|
|
if cfg.Auth.Local.Enabled {
|
|
backends = append(backends, auth.NewLocalBackend(userRepo))
|
|
logger.Info().Msg("auth backend: local")
|
|
}
|
|
if cfg.Auth.LDAP.Enabled {
|
|
backends = append(backends, auth.NewLDAPBackend(auth.LDAPConfig{
|
|
URL: cfg.Auth.LDAP.URL,
|
|
BaseDN: cfg.Auth.LDAP.BaseDN,
|
|
UserSearchDN: cfg.Auth.LDAP.UserSearchDN,
|
|
BindDN: cfg.Auth.LDAP.BindDN,
|
|
BindPassword: cfg.Auth.LDAP.BindPassword,
|
|
UserAttr: cfg.Auth.LDAP.UserAttr,
|
|
EmailAttr: cfg.Auth.LDAP.EmailAttr,
|
|
DisplayAttr: cfg.Auth.LDAP.DisplayAttr,
|
|
GroupAttr: cfg.Auth.LDAP.GroupAttr,
|
|
RoleMapping: cfg.Auth.LDAP.RoleMapping,
|
|
TLSSkipVerify: cfg.Auth.LDAP.TLSSkipVerify,
|
|
}))
|
|
logger.Info().Str("url", cfg.Auth.LDAP.URL).Msg("auth backend: ldap")
|
|
}
|
|
|
|
authService := auth.NewService(logger, userRepo, tokenRepo, backends...)
|
|
|
|
// OIDC backend (separate from the Backend interface since it uses redirect flow)
|
|
var oidcBackend *auth.OIDCBackend
|
|
if cfg.Auth.OIDC.Enabled {
|
|
oidcBackend, err = auth.NewOIDCBackend(ctx, auth.OIDCConfig{
|
|
IssuerURL: cfg.Auth.OIDC.IssuerURL,
|
|
ClientID: cfg.Auth.OIDC.ClientID,
|
|
ClientSecret: cfg.Auth.OIDC.ClientSecret,
|
|
RedirectURL: cfg.Auth.OIDC.RedirectURL,
|
|
Scopes: cfg.Auth.OIDC.Scopes,
|
|
AdminRole: cfg.Auth.OIDC.AdminRole,
|
|
EditorRole: cfg.Auth.OIDC.EditorRole,
|
|
DefaultRole: cfg.Auth.OIDC.DefaultRole,
|
|
})
|
|
if err != nil {
|
|
logger.Fatal().Err(err).Msg("failed to initialize OIDC backend")
|
|
}
|
|
logger.Info().Str("issuer", cfg.Auth.OIDC.IssuerURL).Msg("auth backend: oidc")
|
|
}
|
|
|
|
if cfg.Auth.Enabled {
|
|
logger.Info().Msg("authentication enabled")
|
|
} else {
|
|
logger.Warn().Msg("authentication disabled - all routes are open")
|
|
}
|
|
|
|
// Seed default admin account (idempotent — skips if user already exists)
|
|
if u := cfg.Auth.Local.DefaultAdminUsername; u != "" {
|
|
if p := cfg.Auth.Local.DefaultAdminPassword; p != "" {
|
|
existing, err := userRepo.GetByUsername(ctx, u)
|
|
if err != nil {
|
|
logger.Error().Err(err).Msg("failed to check for default admin user")
|
|
} else if existing != nil {
|
|
logger.Debug().Str("username", u).Msg("default admin user already exists, skipping")
|
|
} else {
|
|
hash, err := auth.HashPassword(p)
|
|
if err != nil {
|
|
logger.Fatal().Err(err).Msg("failed to hash default admin password")
|
|
}
|
|
adminUser := &db.User{
|
|
Username: u,
|
|
DisplayName: "Administrator",
|
|
Role: auth.RoleAdmin,
|
|
AuthSource: "local",
|
|
}
|
|
if err := userRepo.Create(ctx, adminUser, hash); err != nil {
|
|
logger.Fatal().Err(err).Msg("failed to create default admin user")
|
|
}
|
|
logger.Info().Str("username", u).Msg("default admin user created")
|
|
}
|
|
}
|
|
}
|
|
|
|
// Create API server
|
|
server := api.NewServer(logger, database, schemas, cfg.Schemas.Directory, store,
|
|
authService, sessionManager, oidcBackend, &cfg.Auth)
|
|
router := api.NewRouter(server, logger)
|
|
|
|
// Create HTTP server
|
|
addr := fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port)
|
|
httpServer := &http.Server{
|
|
Addr: addr,
|
|
Handler: router,
|
|
ReadTimeout: 15 * time.Second,
|
|
WriteTimeout: 15 * time.Second,
|
|
IdleTimeout: 60 * time.Second,
|
|
}
|
|
|
|
// Start server in goroutine
|
|
go func() {
|
|
logger.Info().Str("addr", addr).Msg("listening")
|
|
if err := httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
|
|
logger.Fatal().Err(err).Msg("server error")
|
|
}
|
|
}()
|
|
|
|
// Wait for interrupt signal
|
|
quit := make(chan os.Signal, 1)
|
|
signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
|
|
<-quit
|
|
|
|
logger.Info().Msg("shutting down server")
|
|
|
|
// Graceful shutdown with timeout
|
|
shutdownCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
|
defer cancel()
|
|
|
|
if err := httpServer.Shutdown(shutdownCtx); err != nil {
|
|
logger.Fatal().Err(err).Msg("server forced to shutdown")
|
|
}
|
|
|
|
logger.Info().Msg("server stopped")
|
|
}
|