2023-09-08 16:22:10 +00:00
|
|
|
// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
|
2020-10-08 02:18:34 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
2020-10-08 18:28:21 +00:00
|
|
|
package manager
|
2020-10-08 02:18:34 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
2020-10-23 23:25:44 +00:00
|
|
|
"strings"
|
2020-10-08 02:18:34 +00:00
|
|
|
"sync"
|
|
|
|
|
2020-12-03 01:39:45 +00:00
|
|
|
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
|
2020-10-08 02:18:34 +00:00
|
|
|
|
2022-07-14 16:51:11 +00:00
|
|
|
"go.pinniped.dev/generated/latest/client/supervisor/clientset/versioned/typed/config/v1alpha1"
|
2023-09-08 16:22:10 +00:00
|
|
|
"go.pinniped.dev/internal/httputil/requestutil"
|
2020-10-08 02:18:34 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
2020-11-05 01:06:47 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/auth"
|
2020-11-20 15:42:43 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/callback"
|
2020-11-11 20:29:14 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/csrftoken"
|
2020-10-08 02:18:34 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/discovery"
|
2021-04-07 23:12:13 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/dynamiccodec"
|
2021-05-11 17:31:33 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/idpdiscovery"
|
2020-10-17 00:51:40 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/jwks"
|
2022-05-19 23:02:08 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/login"
|
2022-07-20 20:55:56 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/oidcclientvalidator"
|
2020-10-08 18:28:21 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2020-12-03 20:34:58 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/token"
|
2020-11-10 15:22:16 +00:00
|
|
|
"go.pinniped.dev/internal/plog"
|
2021-04-07 23:12:13 +00:00
|
|
|
"go.pinniped.dev/internal/secret"
|
2020-11-17 18:46:54 +00:00
|
|
|
"go.pinniped.dev/pkg/oidcclient/nonce"
|
|
|
|
"go.pinniped.dev/pkg/oidcclient/pkce"
|
2020-10-08 02:18:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Manager can manage multiple active OIDC providers. It acts as a request router for them.
|
|
|
|
//
|
|
|
|
// It is thread-safe.
|
|
|
|
type Manager struct {
|
2020-10-17 00:51:40 +00:00
|
|
|
mu sync.RWMutex
|
2020-12-17 19:34:49 +00:00
|
|
|
providers []*provider.FederationDomainIssuer
|
2021-04-07 23:12:13 +00:00
|
|
|
providerHandlers map[string]http.Handler // map of all routes for all providers
|
|
|
|
nextHandler http.Handler // the next handler in a chain, called when this manager didn't know how to handle a request
|
|
|
|
dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
|
|
|
|
upstreamIDPs oidc.UpstreamIdentityProvidersLister // in-memory cache of upstream IDPs
|
|
|
|
secretCache *secret.Cache // in-memory cache of cryptographic material
|
2020-12-03 01:39:45 +00:00
|
|
|
secretsClient corev1client.SecretInterface
|
2022-07-14 16:51:11 +00:00
|
|
|
oidcClientsClient v1alpha1.OIDCClientInterface
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
|
|
|
|
2020-10-08 18:28:21 +00:00
|
|
|
// NewManager returns an empty Manager.
|
2020-10-08 02:18:34 +00:00
|
|
|
// nextHandler will be invoked for any requests that could not be handled by this manager's providers.
|
2020-10-17 00:51:40 +00:00
|
|
|
// dynamicJWKSProvider will be used as an in-memory cache for per-issuer JWKS data.
|
2021-04-07 23:12:13 +00:00
|
|
|
// upstreamIDPs will be used as an in-memory cache of currently configured upstream IDPs.
|
2020-12-03 01:39:45 +00:00
|
|
|
func NewManager(
|
|
|
|
nextHandler http.Handler,
|
|
|
|
dynamicJWKSProvider jwks.DynamicJWKSProvider,
|
2021-04-07 23:12:13 +00:00
|
|
|
upstreamIDPs oidc.UpstreamIdentityProvidersLister,
|
2020-12-14 16:32:11 +00:00
|
|
|
secretCache *secret.Cache,
|
2020-12-03 01:39:45 +00:00
|
|
|
secretsClient corev1client.SecretInterface,
|
2022-07-14 16:51:11 +00:00
|
|
|
oidcClientsClient v1alpha1.OIDCClientInterface,
|
2020-12-03 01:39:45 +00:00
|
|
|
) *Manager {
|
2020-10-17 00:51:40 +00:00
|
|
|
return &Manager{
|
|
|
|
providerHandlers: make(map[string]http.Handler),
|
|
|
|
nextHandler: nextHandler,
|
|
|
|
dynamicJWKSProvider: dynamicJWKSProvider,
|
2021-04-07 23:12:13 +00:00
|
|
|
upstreamIDPs: upstreamIDPs,
|
2020-12-14 16:32:11 +00:00
|
|
|
secretCache: secretCache,
|
2020-12-03 01:39:45 +00:00
|
|
|
secretsClient: secretsClient,
|
2022-07-14 16:51:11 +00:00
|
|
|
oidcClientsClient: oidcClientsClient,
|
2020-10-17 00:51:40 +00:00
|
|
|
}
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// SetProviders adds or updates all the given providerHandlers using each provider's issuer string
|
|
|
|
// as the name of the provider to decide if it is an add or update operation.
|
|
|
|
//
|
|
|
|
// It also removes any providerHandlers that were previously added but were not passed in to
|
|
|
|
// the current invocation.
|
|
|
|
//
|
2020-12-17 19:34:49 +00:00
|
|
|
// This method assumes that all of the FederationDomainIssuer arguments have already been validated
|
2020-10-08 02:18:34 +00:00
|
|
|
// by someone else before they are passed to this method.
|
2020-12-17 19:34:49 +00:00
|
|
|
func (m *Manager) SetProviders(federationDomains ...*provider.FederationDomainIssuer) {
|
2020-10-08 21:40:56 +00:00
|
|
|
m.mu.Lock()
|
|
|
|
defer m.mu.Unlock()
|
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
m.providers = federationDomains
|
2020-10-08 21:40:56 +00:00
|
|
|
m.providerHandlers = make(map[string]http.Handler)
|
|
|
|
|
2020-12-11 16:11:10 +00:00
|
|
|
var csrfCookieEncoder = dynamiccodec.New(
|
|
|
|
oidc.CSRFCookieLifespan,
|
2020-12-14 16:32:11 +00:00
|
|
|
m.secretCache.GetCSRFCookieEncoderHashKey,
|
|
|
|
func() []byte { return nil },
|
2020-12-11 16:11:10 +00:00
|
|
|
)
|
2020-12-11 01:18:02 +00:00
|
|
|
|
2020-12-16 22:27:09 +00:00
|
|
|
for _, incomingProvider := range federationDomains {
|
2020-12-03 01:39:45 +00:00
|
|
|
issuer := incomingProvider.Issuer()
|
|
|
|
issuerHostWithPath := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath()
|
2020-10-17 00:51:40 +00:00
|
|
|
|
2020-12-14 16:32:11 +00:00
|
|
|
tokenHMACKeyGetter := wrapGetter(incomingProvider.Issuer(), m.secretCache.GetTokenHMACKey)
|
|
|
|
|
2020-12-10 20:15:40 +00:00
|
|
|
timeoutsConfiguration := oidc.DefaultOIDCTimeoutsConfiguration()
|
|
|
|
|
2020-11-11 22:49:24 +00:00
|
|
|
// Use NullStorage for the authorize endpoint because we do not actually want to store anything until
|
|
|
|
// the upstream callback endpoint is called later.
|
2022-07-14 16:51:11 +00:00
|
|
|
oauthHelperWithNullStorage := oidc.FositeOauth2Helper(
|
2022-07-20 20:55:56 +00:00
|
|
|
oidc.NewNullStorage(m.secretsClient, m.oidcClientsClient, oidcclientvalidator.DefaultMinBcryptCost),
|
2022-07-14 16:51:11 +00:00
|
|
|
issuer,
|
|
|
|
tokenHMACKeyGetter,
|
|
|
|
nil,
|
|
|
|
timeoutsConfiguration,
|
|
|
|
)
|
2020-12-03 01:39:45 +00:00
|
|
|
|
|
|
|
// For all the other endpoints, make another oauth helper with exactly the same settings except use real storage.
|
2022-07-14 16:51:11 +00:00
|
|
|
oauthHelperWithKubeStorage := oidc.FositeOauth2Helper(
|
2022-07-20 20:55:56 +00:00
|
|
|
oidc.NewKubeStorage(m.secretsClient, m.oidcClientsClient, timeoutsConfiguration, oidcclientvalidator.DefaultMinBcryptCost),
|
2022-07-14 16:51:11 +00:00
|
|
|
issuer,
|
|
|
|
tokenHMACKeyGetter,
|
|
|
|
m.dynamicJWKSProvider,
|
|
|
|
timeoutsConfiguration,
|
|
|
|
)
|
2020-12-11 01:18:02 +00:00
|
|
|
|
2020-12-11 16:11:10 +00:00
|
|
|
var upstreamStateEncoder = dynamiccodec.New(
|
2020-12-14 16:44:01 +00:00
|
|
|
timeoutsConfiguration.UpstreamStateParamLifespan,
|
2020-12-14 16:32:11 +00:00
|
|
|
wrapGetter(incomingProvider.Issuer(), m.secretCache.GetStateEncoderHashKey),
|
|
|
|
wrapGetter(incomingProvider.Issuer(), m.secretCache.GetStateEncoderBlockKey),
|
2020-12-11 16:11:10 +00:00
|
|
|
)
|
2020-11-11 01:58:00 +00:00
|
|
|
|
2021-05-11 17:31:33 +00:00
|
|
|
m.providerHandlers[(issuerHostWithPath + oidc.WellKnownEndpointPath)] = discovery.NewHandler(issuer)
|
2020-12-03 01:39:45 +00:00
|
|
|
|
|
|
|
m.providerHandlers[(issuerHostWithPath + oidc.JWKSEndpointPath)] = jwks.NewHandler(issuer, m.dynamicJWKSProvider)
|
|
|
|
|
2021-05-13 17:05:56 +00:00
|
|
|
m.providerHandlers[(issuerHostWithPath + oidc.PinnipedIDPsPathV1Alpha1)] = idpdiscovery.NewHandler(m.upstreamIDPs)
|
2021-05-11 17:31:33 +00:00
|
|
|
|
2020-12-03 01:39:45 +00:00
|
|
|
m.providerHandlers[(issuerHostWithPath + oidc.AuthorizationEndpointPath)] = auth.NewHandler(
|
|
|
|
issuer,
|
2021-04-07 23:12:13 +00:00
|
|
|
m.upstreamIDPs,
|
2020-12-03 01:39:45 +00:00
|
|
|
oauthHelperWithNullStorage,
|
2021-04-08 00:05:25 +00:00
|
|
|
oauthHelperWithKubeStorage,
|
2020-12-02 16:36:07 +00:00
|
|
|
csrftoken.Generate,
|
|
|
|
pkce.Generate,
|
|
|
|
nonce.Generate,
|
2020-12-10 01:24:12 +00:00
|
|
|
upstreamStateEncoder,
|
|
|
|
csrfCookieEncoder,
|
2020-12-02 16:36:07 +00:00
|
|
|
)
|
2020-11-05 01:06:47 +00:00
|
|
|
|
2020-12-03 01:39:45 +00:00
|
|
|
m.providerHandlers[(issuerHostWithPath + oidc.CallbackEndpointPath)] = callback.NewHandler(
|
2021-04-07 23:12:13 +00:00
|
|
|
m.upstreamIDPs,
|
2020-12-03 01:39:45 +00:00
|
|
|
oauthHelperWithKubeStorage,
|
2020-12-10 01:24:12 +00:00
|
|
|
upstreamStateEncoder,
|
|
|
|
csrfCookieEncoder,
|
2020-12-03 01:39:45 +00:00
|
|
|
issuer+oidc.CallbackEndpointPath,
|
2020-12-02 16:36:07 +00:00
|
|
|
)
|
2020-11-05 01:06:47 +00:00
|
|
|
|
2020-12-03 20:34:58 +00:00
|
|
|
m.providerHandlers[(issuerHostWithPath + oidc.TokenEndpointPath)] = token.NewHandler(
|
2021-10-13 19:31:20 +00:00
|
|
|
m.upstreamIDPs,
|
2020-12-03 20:34:58 +00:00
|
|
|
oauthHelperWithKubeStorage,
|
|
|
|
)
|
|
|
|
|
2022-04-26 22:30:39 +00:00
|
|
|
m.providerHandlers[(issuerHostWithPath + oidc.PinnipedLoginPath)] = login.NewHandler(
|
|
|
|
upstreamStateEncoder,
|
|
|
|
csrfCookieEncoder,
|
2022-05-19 23:02:08 +00:00
|
|
|
login.NewGetHandler(incomingProvider.IssuerPath()+oidc.PinnipedLoginPath),
|
2022-04-29 23:01:51 +00:00
|
|
|
login.NewPostHandler(issuer, m.upstreamIDPs, oauthHelperWithKubeStorage),
|
2022-04-26 22:30:39 +00:00
|
|
|
)
|
2022-04-26 19:51:56 +00:00
|
|
|
|
2020-12-03 01:39:45 +00:00
|
|
|
plog.Debug("oidc provider manager added or updated issuer", "issuer", issuer)
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ServeHTTP implements the http.Handler interface.
|
2020-10-08 21:40:56 +00:00
|
|
|
func (m *Manager) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
|
|
|
|
requestHandler := m.findHandler(req)
|
|
|
|
|
2023-09-08 16:22:10 +00:00
|
|
|
// Using Info level so the user can safely configure a production Supervisor to show this message if they choose.
|
|
|
|
plog.Info("received incoming request",
|
|
|
|
"proto", req.Proto,
|
2020-10-08 21:40:56 +00:00
|
|
|
"method", req.Method,
|
|
|
|
"host", req.Host,
|
2023-09-08 16:22:10 +00:00
|
|
|
"requestSNIServerName", requestutil.SNIServerName(req),
|
2020-10-08 21:40:56 +00:00
|
|
|
"path", req.URL.Path,
|
2023-09-08 16:22:10 +00:00
|
|
|
"remoteAddr", req.RemoteAddr,
|
|
|
|
"foundFederationDomainRequestHandler", requestHandler != nil,
|
2020-10-08 21:40:56 +00:00
|
|
|
)
|
2020-10-08 02:18:34 +00:00
|
|
|
|
2020-10-08 21:40:56 +00:00
|
|
|
if requestHandler == nil {
|
|
|
|
requestHandler = m.nextHandler // couldn't find an issuer to handle the request
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
2020-10-08 21:40:56 +00:00
|
|
|
requestHandler.ServeHTTP(resp, req)
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
|
|
|
|
2020-10-08 21:40:56 +00:00
|
|
|
func (m *Manager) findHandler(req *http.Request) http.Handler {
|
|
|
|
m.mu.RLock()
|
|
|
|
defer m.mu.RUnlock()
|
|
|
|
|
2020-10-23 23:25:44 +00:00
|
|
|
return m.providerHandlers[strings.ToLower(req.Host)+"/"+req.URL.Path]
|
2020-10-08 02:18:34 +00:00
|
|
|
}
|
2020-12-14 16:32:11 +00:00
|
|
|
|
|
|
|
func wrapGetter(issuer string, getter func(string) []byte) func() []byte {
|
|
|
|
return func() []byte {
|
|
|
|
return getter(issuer)
|
|
|
|
}
|
|
|
|
}
|