groupware: add OIDC authentication support between Groupware backend and Stalwart

 * re-implement the auth-api service to authenticate Reva tokens
   following the OIDC Userinfo endpoint specification

 * pass the context where necessary and add an authenticator interface
   to the JMAP HTTP driver, in order to select between master
   authentication (which is used when GROUPWARE_JMAP_MASTER_USERNAME and
   GROUPWARE_JMAP_MASTER_PASSWORD are both set) and OIDC token
   forwarding through bearer auth

 * add Stalwart directory configuration "idmoidc" which uses the
   OpenCloud auth-api service API (/auth/) to validate the token it
   received as bearer auth from the Groupware backend's JMAP client,
   using it as an OIDC Userinfo endpoint

 * implement optional additional shared secret to secure the Userinfo
   service, as an additional path parameter

Author: pbleser-oc

.vscode/launch.json

@@ -137,8 +137,15 @@
         "OC_SERVICE_ACCOUNT_ID": "service-account-id",
         "OC_SERVICE_ACCOUNT_SECRET": "service-account-secret",
 
-        "OC_ADD_RUN_SERVICES": "groupware",
-        "GROUPWARE_LOG_LEVEL": "trace"
+        "OC_ADD_RUN_SERVICES": "auth-api,groupware",
+        "GROUPWARE_LOG_LEVEL": "trace",
+
+        "GROUPWARE_JMAP_MASTER_USERNAME": "",
+        "GROUPWARE_JMAP_MASTER_PASSWORD": "admin",
+
+        "AUTHAPI_HTTP_ADDR": "0.0.0.0:10000",
+        "AUTHAPI_AUTH_REQUIRE_SHARED_SECRET": "true",
+        "AUTHAPI_AUTH_SHARED_SECRETS": "stalwart=maethaR9eiXaiph8ahn8ohH6dahPiequ;unused=eeyaigh6hae1zo5ahGeete6oohaiquei",
       }
     },
     {

devtools/deployments/opencloud_full/.env

@@ -311,11 +311,11 @@ KEYCLOAK_ADMIN_PASSWORD=
 # Domain of Stalwart
 # Defaults to "stalwart.opencloud.test"
 STALWART_DOMAIN=
-
 # LDAP configuration to use for Stalwart:
 # Can either be either
-# - idmldap: for the built-in IDP/IDM
-# - ldap: when using KeyCloak and OpenLDAP
+# - idmldap: for the built-in IDP/IDM, using Master Authentication between Groupware and Stalwart, and LDAP in Stalwart
+# - idmoidc: built-in IDP/IDM, using OIDC Userinfo between Groupware and Stalwart
+# - ldap: when using KeyCloak and OpenLDAP, with Master Authentication between Groupware and Stalwart, and LDAP in Stalwart
 STALWART_AUTH_DIRECTORY=idmldap
 
 ## IMPORTANT ##

devtools/deployments/opencloud_full/config/stalwart/idmoidc.toml

@@ -0,0 +1,67 @@
+authentication.fallback-admin.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.fallback-admin.user = "mailadmin"
+authentication.master.secret = "$6$4qPYDVhaUHkKcY7s$bB6qhcukb9oFNYRIvaDZgbwxrMa2RvF5dumCjkBFdX19lSNqrgKltf3aPrFMuQQKkZpK2YNuQ83hB1B3NiWzj."
+authentication.master.user = "master"
+directory.oidc.cache.size = 1048576
+directory.oidc.cache.ttl.negative = "10m"
+directory.oidc.cache.ttl.positive = "1h"
+directory.oidc.endpoint.method = "userinfo"
+directory.oidc.endpoint.url = "http://172.17.0.1:10000/auth/maethaR9eiXaiph8ahn8ohH6dahPiequ"
+directory.oidc.fields.email = "email"
+directory.oidc.fields.full-name = "name"
+directory.oidc.fields.username = "preferred_username"
+directory.oidc.timeout = "15s"
+directory.oidc.type = "oidc"
+http.allowed-endpoint = 200
+http.hsts = true
+http.permissive-cors = false
+http.url = "'https://' + config_get('server.hostname')"
+http.use-x-forwarded = true
+metrics.prometheus.auth.secret = "secret"
+metrics.prometheus.auth.username = "metrics"
+metrics.prometheus.enable = true
+server.listener.http.bind = "0.0.0.0:8080"
+server.listener.http.protocol = "http"
+server.listener.https.bind = "0.0.0.0:443"
+server.listener.https.protocol = "http"
+server.listener.https.tls.implicit = true
+server.listener.imap.bind = "0.0.0.0:143"
+server.listener.imap.protocol = "imap"
+server.listener.imaptls.bind = "0.0.0.0:993"
+server.listener.imaptls.protocol = "imap"
+server.listener.imaptls.tls.implicit = true
+server.listener.pop3.bind = "0.0.0.0:110"
+server.listener.pop3.protocol = "pop3"
+server.listener.pop3s.bind = "0.0.0.0:995"
+server.listener.pop3s.protocol = "pop3"
+server.listener.pop3s.tls.implicit = true
+server.listener.sieve.bind = "0.0.0.0:4190"
+server.listener.sieve.protocol = "managesieve"
+server.listener.smtp.bind = "0.0.0.0:25"
+server.listener.smtp.protocol = "smtp"
+server.listener.submission.bind = "0.0.0.0:587"
+server.listener.submission.protocol = "smtp"
+server.listener.submissions.bind = "0.0.0.0:465"
+server.listener.submissions.protocol = "smtp"
+server.listener.submissions.tls.implicit = true
+server.max-connections = 8192
+server.socket.backlog = 1024
+server.socket.nodelay = true
+server.socket.reuse-addr = true
+server.socket.reuse-port = true
+sharing.allow-directory-query = false
+storage.blob = "rocksdb"
+storage.data = "rocksdb"
+storage.directory = "oidc"
+storage.fts = "rocksdb"
+storage.lookup = "rocksdb"
+store.rocksdb.compression = "lz4"
+store.rocksdb.path = "/opt/stalwart/data"
+store.rocksdb.type = "rocksdb"
+tracer.console.ansi = true
+tracer.console.buffered = true
+tracer.console.enable = true
+tracer.console.level = "trace"
+tracer.console.lossy = false
+tracer.console.multiline = false
+tracer.console.type = "stdout"

devtools/deployments/opencloud_full/opencloud.yml

@@ -64,6 +64,8 @@ services:
       GROUPS_LDAP_BIND_PASSWORD: "admin"
       IDM_LDAPS_ADDR: 0.0.0.0:9235
       GROUPWARE_JMAP_BASE_URL: https://${STALWART_DOMAIN:-stalwart.opencloud.test}
+      GROUPWARE_JMAP_MASTER_USERNAME: "master"
+      GROUPWARE_JMAP_MASTER_PASSWORD: "admin"
     volumes:
       - ./config/opencloud/app-registry.yaml:/etc/opencloud/app-registry.yaml
       - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml

go.mod

@@ -7,9 +7,7 @@ require (
 	github.com/CiscoM31/godata v1.0.11
 	github.com/KimMachineGun/automemlimit v0.7.5
 	github.com/Masterminds/semver v1.5.0
-	github.com/MicahParks/jwkset v0.8.0
 	github.com/MicahParks/keyfunc/v2 v2.1.0
-	github.com/MicahParks/keyfunc/v3 v3.3.11
 	github.com/Nerzal/gocloak/v13 v13.9.0
 	github.com/ProtonMail/go-crypto v1.1.5
 	github.com/bbalet/stopwords v1.0.0
@@ -103,7 +101,6 @@ require (
 	github.com/tidwall/sjson v1.2.5
 	github.com/tus/tusd/v2 v2.8.0
 	github.com/unrolled/secure v1.16.0
-	github.com/urfave/cli/v2 v2.27.7
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/wk8/go-ordered-map v1.0.0
 	github.com/xhit/go-simple-mail/v2 v2.16.0
@@ -386,6 +383,7 @@ require (
 	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
 	github.com/trustelem/zxcvbn v1.0.1 // indirect
+	github.com/urfave/cli/v2 v2.27.7 // indirect
 	github.com/valyala/fastjson v1.6.4 // indirect
 	github.com/vektah/gqlparser/v2 v2.5.31 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect

go.sum

@@ -82,12 +82,8 @@ github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1
 github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
-github.com/MicahParks/jwkset v0.8.0 h1:jHtclI38Gibmu17XMI6+6/UB59srp58pQVxePHRK5o8=
-github.com/MicahParks/jwkset v0.8.0/go.mod h1:fVrj6TmG1aKlJEeceAz7JsXGTXEn72zP1px3us53JrA=
 github.com/MicahParks/keyfunc/v2 v2.1.0 h1:6ZXKb9Rp6qp1bDbJefnG7cTH8yMN1IC/4nf+GVjO99k=
 github.com/MicahParks/keyfunc/v2 v2.1.0/go.mod h1:rW42fi+xgLJ2FRRXAfNx9ZA8WpD4OeE/yHVMteCkw9k=
-github.com/MicahParks/keyfunc/v3 v3.3.11 h1:eA6wNltwdSRX2gtpTwZseBCC9nGeBkI9KxHtTyZbDbo=
-github.com/MicahParks/keyfunc/v3 v3.3.11/go.mod h1:y6Ed3dMgNKTcpxbaQHD8mmrYDUZWJAxteddA6OQj+ag=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=

pkg/config/config.go

@@ -89,6 +89,7 @@ type Config struct {
 	AppProvider       *appProvider.Config    `yaml:"app_provider"`
 	AppRegistry       *appRegistry.Config    `yaml:"app_registry"`
 	Audit             *audit.Config          `yaml:"audit"`
+	AuthApi           *authapi.Config        `yaml:"auth_api"`
 	AuthApp           *authapp.Config        `yaml:"auth_app"`
 	AuthBasic         *authbasic.Config      `yaml:"auth_basic"`
 	AuthBearer        *authbearer.Config     `yaml:"auth_bearer"`
@@ -126,5 +127,4 @@ type Config struct {
 	WebDAV            *webdav.Config         `yaml:"webdav"`
 	Webfinger         *webfinger.Config      `yaml:"webfinger"`
 	Search            *search.Config         `yaml:"search"`
-	AuthApi           *authapi.Config        `yaml:"authapi"`
 }

pkg/jmap/api.go

@@ -23,12 +23,12 @@ type WsClient interface {
 }
 
 type WsClientFactory interface {
-	EnableNotifications(pushState State, sessionProvider func() (*Session, error), listener WsPushListener) (WsClient, Error)
+	EnableNotifications(ctx context.Context, pushState State, sessionProvider func() (*Session, error), listener WsPushListener) (WsClient, Error)
 	io.Closer
 }
 
 type SessionClient interface {
-	GetSession(baseurl *url.URL, username string, logger *log.Logger) (SessionResponse, Error)
+	GetSession(ctx context.Context, baseurl *url.URL, username string, logger *log.Logger) (SessionResponse, Error)
 	io.Closer
 }
 

pkg/jmap/api_ws.go

@@ -1,7 +1,9 @@
 package jmap
 
-func (j *Client) EnablePushNotifications(pushState State, sessionProvider func() (*Session, error)) (WsClient, error) {
-	return j.ws.EnableNotifications(pushState, sessionProvider, j)
+import "context"
+
+func (j *Client) EnablePushNotifications(ctx context.Context, pushState State, sessionProvider func() (*Session, error)) (WsClient, error) {
+	return j.ws.EnableNotifications(ctx, pushState, sessionProvider, j)
 }
 
 func (j *Client) AddWsPushListener(listener WsPushListener) {

pkg/jmap/client.go

@@ -1,6 +1,7 @@
 package jmap
 
 import (
+	"context"
 	"errors"
 	"io"
 	"net/url"
@@ -55,8 +56,8 @@ func (j *Client) OnNotification(username string, stateChange StateChange) {
 }
 
 // Retrieve JMAP well-known data from the Stalwart server and create a Session from that.
-func (j *Client) FetchSession(sessionUrl *url.URL, username string, logger *log.Logger) (Session, Error) {
-	wk, err := j.session.GetSession(sessionUrl, username, logger)
+func (j *Client) FetchSession(ctx context.Context, sessionUrl *url.URL, username string, logger *log.Logger) (Session, Error) {
+	wk, err := j.session.GetSession(ctx, sessionUrl, username, logger)
 	if err != nil {
 		return Session{}, err
 	}