kindred/silo
1
1
Fork 0
Code Issues 30 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f0107f1b225a6cc5ea0071e8b2b5f7bf645ac03
silo/internal/config/config.go
Forbes 4f0107f1b2 feat(auth): add authentication, RBAC, API tokens, and default admin 
Add a complete authentication and authorization system to Silo with
three pluggable backends (local bcrypt, LDAP/FreeIPA, OIDC/Keycloak),
session management, API token support, and role-based access control.

Authentication backends:
- Local: bcrypt (cost 12) password verification against users table
- LDAP: FreeIPA simple bind with group-to-role mapping
- OIDC: Keycloak redirect flow with realm role mapping
- Backends are tried in order; users upserted to DB on first login

Session and token management:
- PostgreSQL-backed sessions via alexedwards/scs + pgxstore
- Opaque API tokens (silo_ prefix, SHA-256 hashed, shown once)
- 24h session lifetime, HttpOnly/SameSite=Lax/Secure cookies

Role-based access control (admin > editor > viewer):
- RequireAuth middleware: Bearer token -> session -> redirect/401
- RequireRole middleware: per-route-group minimum role enforcement
- CSRF protection via justinas/nosurf on web forms, API exempt
- CORS locked to configured origins when auth enabled

Route restructuring:
- Public: /health, /ready, /login, /auth/oidc, /auth/callback
- Web (auth + CSRF): /, /projects, /schemas, /settings
- API read (viewer): GET /api/**
- API write (editor): POST/PUT/PATCH/DELETE /api/**

User context wiring:
- created_by/updated_by columns on items, projects, relationships
- All create/update handlers populate tracking fields from context
- CSV and BOM import handlers pass authenticated username
- Revision creation tracks user across all code paths

Default admin account:
- Configurable via auth.local.default_admin_username/password
- Env var overrides: SILO_ADMIN_USERNAME, SILO_ADMIN_PASSWORD
- Idempotent: created on first startup, skipped if exists

CLI and FreeCAD plugin:
- silo token create/list/revoke subcommands (HTTP API client)
- FreeCAD SiloClient sends Bearer token on all requests
- Token read from ApiToken preference or SILO_API_TOKEN env var

Web UI:
- Login page (Catppuccin Mocha themed, OIDC button conditional)
- Settings page with account info and API token management
- User display name, role badge, and logout button in header
- One-time token display banner with copy-to-clipboard

Database (migration 009):
- users table with role, auth_source, oidc_subject, password_hash
- api_tokens table with SHA-256 hash, prefix, expiry, scopes
- sessions table (scs pgxstore schema)
- audit_log table (schema ready for future use)
- created_by/updated_by ALTER on items, relationships, projects

New dependencies: scs/v2, scs/pgxstore, go-oidc/v3, go-ldap/v3,
justinas/nosurf, golang.org/x/oauth2
2026-01-31 11:20:12 -06:00

219 lines
6.1 KiB
Go
Raw Blame History

// Package config handles configuration loading.
package config
import (
"fmt"
"os"
"gopkg.in/yaml.v3"
)
// Config holds all application configuration.
type Config struct {
Server ServerConfig `yaml:"server"`
Database DatabaseConfig `yaml:"database"`
Storage StorageConfig `yaml:"storage"`
Schemas SchemasConfig `yaml:"schemas"`
FreeCAD FreeCADConfig `yaml:"freecad"`
Odoo OdooConfig `yaml:"odoo"`
Auth AuthConfig `yaml:"auth"`
}
// AuthConfig holds authentication and authorization settings.
type AuthConfig struct {
Enabled bool `yaml:"enabled"`
SessionSecret string `yaml:"session_secret"`
Local LocalAuth `yaml:"local"`
LDAP LDAPAuth `yaml:"ldap"`
OIDC OIDCAuth `yaml:"oidc"`
CORS CORSConfig `yaml:"cors"`
}
// LocalAuth holds settings for local account authentication.
type LocalAuth struct {
Enabled bool `yaml:"enabled"`
DefaultAdminUsername string `yaml:"default_admin_username"`
DefaultAdminPassword string `yaml:"default_admin_password"`
}
// LDAPAuth holds settings for LDAP/FreeIPA authentication.
type LDAPAuth struct {
Enabled bool `yaml:"enabled"`
URL string `yaml:"url"`
BaseDN string `yaml:"base_dn"`
UserSearchDN string `yaml:"user_search_dn"`
BindDN string `yaml:"bind_dn"`
BindPassword string `yaml:"bind_password"`
UserAttr string `yaml:"user_attr"`
EmailAttr string `yaml:"email_attr"`
DisplayAttr string `yaml:"display_attr"`
GroupAttr string `yaml:"group_attr"`
RoleMapping map[string][]string `yaml:"role_mapping"`
TLSSkipVerify bool `yaml:"tls_skip_verify"`
}
// OIDCAuth holds settings for OIDC/Keycloak authentication.
type OIDCAuth struct {
Enabled bool `yaml:"enabled"`
IssuerURL string `yaml:"issuer_url"`
ClientID string `yaml:"client_id"`
ClientSecret string `yaml:"client_secret"`
RedirectURL string `yaml:"redirect_url"`
Scopes []string `yaml:"scopes"`
AdminRole string `yaml:"admin_role"`
EditorRole string `yaml:"editor_role"`
DefaultRole string `yaml:"default_role"`
}
// CORSConfig holds CORS settings.
type CORSConfig struct {
AllowedOrigins []string `yaml:"allowed_origins"`
}
// ServerConfig holds HTTP server settings.
type ServerConfig struct {
Host string `yaml:"host"`
Port int `yaml:"port"`
BaseURL string `yaml:"base_url"`
}
// DatabaseConfig holds PostgreSQL connection settings.
type DatabaseConfig struct {
Host string `yaml:"host"`
Port int `yaml:"port"`
Name string `yaml:"name"`
User string `yaml:"user"`
Password string `yaml:"password"`
SSLMode string `yaml:"sslmode"`
MaxConnections int `yaml:"max_connections"`
}
// StorageConfig holds MinIO connection settings.
type StorageConfig struct {
Endpoint string `yaml:"endpoint"`
AccessKey string `yaml:"access_key"`
SecretKey string `yaml:"secret_key"`
Bucket string `yaml:"bucket"`
UseSSL bool `yaml:"use_ssl"`
Region string `yaml:"region"`
}
// SchemasConfig holds schema loading settings.
type SchemasConfig struct {
Directory string `yaml:"directory"`
Default string `yaml:"default"`
}
// FreeCADConfig holds FreeCAD integration settings.
type FreeCADConfig struct {
URIScheme string `yaml:"uri_scheme"`
Executable string `yaml:"executable"`
}
// OdooConfig holds Odoo ERP integration settings.
type OdooConfig struct {
Enabled bool `yaml:"enabled"`
URL string `yaml:"url"`
Database string `yaml:"database"`
Username string `yaml:"username"`
APIKey string `yaml:"api_key"`
}
// Load reads configuration from a YAML file.
func Load(path string) (*Config, error) {
data, err := os.ReadFile(path)
if err != nil {
return nil, fmt.Errorf("reading config file: %w", err)
}
// Expand environment variables
data = []byte(os.ExpandEnv(string(data)))
var cfg Config
if err := yaml.Unmarshal(data, &cfg); err != nil {
return nil, fmt.Errorf("parsing config YAML: %w", err)
}
// Apply defaults
if cfg.Server.Port == 0 {
cfg.Server.Port = 8080
}
if cfg.Database.Port == 0 {
cfg.Database.Port = 5432
}
if cfg.Database.SSLMode == "" {
cfg.Database.SSLMode = "require"
}
if cfg.Database.MaxConnections == 0 {
cfg.Database.MaxConnections = 10
}
if cfg.Storage.Region == "" {
cfg.Storage.Region = "us-east-1"
}
if cfg.Schemas.Directory == "" {
cfg.Schemas.Directory = "/etc/silo/schemas"
}
if cfg.FreeCAD.URIScheme == "" {
cfg.FreeCAD.URIScheme = "silo"
}
// Override with environment variables
if v := os.Getenv("SILO_DB_HOST"); v != "" {
cfg.Database.Host = v
}
if v := os.Getenv("SILO_DB_NAME"); v != "" {
cfg.Database.Name = v
}
if v := os.Getenv("SILO_DB_USER"); v != "" {
cfg.Database.User = v
}
if v := os.Getenv("SILO_DB_PASSWORD"); v != "" {
cfg.Database.Password = v
}
if v := os.Getenv("SILO_MINIO_ENDPOINT"); v != "" {
cfg.Storage.Endpoint = v
}
if v := os.Getenv("SILO_MINIO_ACCESS_KEY"); v != "" {
cfg.Storage.AccessKey = v
}
if v := os.Getenv("SILO_MINIO_SECRET_KEY"); v != "" {
cfg.Storage.SecretKey = v
}
// Auth defaults
if cfg.Auth.LDAP.UserAttr == "" {
cfg.Auth.LDAP.UserAttr = "uid"
}
if cfg.Auth.LDAP.EmailAttr == "" {
cfg.Auth.LDAP.EmailAttr = "mail"
}
if cfg.Auth.LDAP.DisplayAttr == "" {
cfg.Auth.LDAP.DisplayAttr = "displayName"
}
if cfg.Auth.LDAP.GroupAttr == "" {
cfg.Auth.LDAP.GroupAttr = "memberOf"
}
if cfg.Auth.OIDC.DefaultRole == "" {
cfg.Auth.OIDC.DefaultRole = "viewer"
}
// Auth environment variable overrides
if v := os.Getenv("SILO_SESSION_SECRET"); v != "" {
cfg.Auth.SessionSecret = v
}
if v := os.Getenv("SILO_OIDC_CLIENT_SECRET"); v != "" {
cfg.Auth.OIDC.ClientSecret = v
}
if v := os.Getenv("SILO_LDAP_BIND_PASSWORD"); v != "" {
cfg.Auth.LDAP.BindPassword = v
}
if v := os.Getenv("SILO_ADMIN_USERNAME"); v != "" {
cfg.Auth.Local.DefaultAdminUsername = v
}
if v := os.Getenv("SILO_ADMIN_PASSWORD"); v != "" {
cfg.Auth.Local.DefaultAdminPassword = v
}
return &cfg, nil
}
Reference in New Issue View Git Blame Copy Permalink