ContainerImage.Pinniped/internal/oidc/callback/callback_handler.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package callback provides a handler for the OIDC callback endpoint.
package callback

import (
	"fmt"
	"net/http"
	"net/url"
	"path"

	"github.com/ory/fosite"

	"go.pinniped.dev/internal/httputil/httperr"
	"go.pinniped.dev/internal/oidc"
	"go.pinniped.dev/internal/oidc/csrftoken"
	"go.pinniped.dev/internal/oidc/provider"
	"go.pinniped.dev/internal/plog"
)

func NewHandler(idpListGetter oidc.IDPListGetter, oauthHelper fosite.OAuth2Provider, stateDecoder, cookieDecoder oidc.Decoder) http.Handler {
	return httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
		state, err := validateRequest(r, stateDecoder, cookieDecoder)
		if err != nil {
			return err
		}

		if findUpstreamIDPConfig(r, idpListGetter) == nil {
			plog.Warning("upstream provider not found")
			return httperr.New(http.StatusUnprocessableEntity, "upstream provider not found")
		}

		downstreamAuthParams, err := url.ParseQuery(state.AuthParams)
		if err != nil {
			panic(err)
		}

		downstreamCallbackURL := fmt.Sprintf(
			"%s?code=%s&state=%s",
			downstreamAuthParams.Get("redirect_uri"),
			url.QueryEscape("some-code"),
			url.QueryEscape(downstreamAuthParams.Get("state")),
		)
		http.Redirect(w, r, downstreamCallbackURL, 302)

		return nil
	})
}

func validateRequest(r *http.Request, stateDecoder, cookieDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
	if r.Method != http.MethodGet {
		return nil, httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET)", r.Method)
	}

	csrfValue, err := readCSRFCookie(r, cookieDecoder)
	if err != nil {
		plog.InfoErr("error reading CSRF cookie", err)
		return nil, err
	}

	if r.FormValue("code") == "" {
		plog.Info("code param not found")
		return nil, httperr.New(http.StatusBadRequest, "code param not found")
	}

	if r.FormValue("state") == "" {
		plog.Info("state param not found")
		return nil, httperr.New(http.StatusBadRequest, "state param not found")
	}

	state, err := readState(r, stateDecoder)
	if err != nil {
		plog.InfoErr("error reading state", err)
		return nil, err
	}

	if state.CSRFToken != csrfValue {
		plog.InfoErr("CSRF value does not match", err)
		return nil, httperr.Wrap(http.StatusForbidden, "CSRF value does not match", err)
	}

	return state, nil
}

func findUpstreamIDPConfig(r *http.Request, idpListGetter oidc.IDPListGetter) *provider.UpstreamOIDCIdentityProviderI {
	_, lastPathComponent := path.Split(r.URL.Path)
	for _, p := range idpListGetter.GetIDPList() {
		if p.GetName() == lastPathComponent {
			return &p
		}
	}
	return nil
}

func readCSRFCookie(r *http.Request, cookieDecoder oidc.Decoder) (csrftoken.CSRFToken, error) {
	receivedCSRFCookie, err := r.Cookie(oidc.CSRFCookieName)
	if err != nil {
		// Error means that the cookie was not found
		return "", httperr.Wrap(http.StatusForbidden, "CSRF cookie is missing", err)
	}

	var csrfFromCookie csrftoken.CSRFToken
	err = cookieDecoder.Decode(oidc.CSRFCookieEncodingName, receivedCSRFCookie.Value, &csrfFromCookie)
	if err != nil {
		return "", httperr.Wrap(http.StatusForbidden, "error reading CSRF cookie", err)
	}

	return csrfFromCookie, nil
}

func readState(r *http.Request, stateDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
	var state oidc.UpstreamStateParamData
	if err := stateDecoder.Decode(
		oidc.UpstreamStateParamEncodingName,
		r.FormValue("state"),
		&state,
	); err != nil {
		return nil, httperr.New(http.StatusBadRequest, "error reading state")
	}

	if state.FormatVersion != oidc.UpstreamStateParamFormatVersion {
		return nil, httperr.New(http.StatusUnprocessableEntity, "state format version is invalid")
	}

	return &state, nil
}
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`// Package callback provides a handler for the OIDC callback endpoint.`
			`package callback`

			`import (`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`"fmt"`
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00			`"net/http"`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`"net/url"`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`"path"`
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`"github.com/ory/fosite"`

callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00			`"go.pinniped.dev/internal/httputil/httperr"`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`"go.pinniped.dev/internal/oidc"`
callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 16:47:49 +00:00			`"go.pinniped.dev/internal/oidc/csrftoken"`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`"go.pinniped.dev/internal/oidc/provider"`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`"go.pinniped.dev/internal/plog"`
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00			`)`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`func NewHandler(idpListGetter oidc.IDPListGetter, oauthHelper fosite.OAuth2Provider, stateDecoder, cookieDecoder oidc.Decoder) http.Handler {`
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00			`return httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`state, err := validateRequest(r, stateDecoder, cookieDecoder)`
			`if err != nil {`
callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 16:47:49 +00:00			`return err`
			`}`

Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`if findUpstreamIDPConfig(r, idpListGetter) == nil {`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`plog.Warning("upstream provider not found")`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`return httperr.New(http.StatusUnprocessableEntity, "upstream provider not found")`
			`}`

callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`downstreamAuthParams, err := url.ParseQuery(state.AuthParams)`
			`if err != nil {`
			`panic(err)`
			`}`

			`downstreamCallbackURL := fmt.Sprintf(`
			`"%s?code=%s&state=%s",`
			`downstreamAuthParams.Get("redirect_uri"),`
			`url.QueryEscape("some-code"),`
			`url.QueryEscape(downstreamAuthParams.Get("state")),`
			`)`
			`http.Redirect(w, r, downstreamCallbackURL, 302)`

callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`return nil`
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-13 17:31:39 +00:00			`})`
			`}`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`func validateRequest(r http.Request, stateDecoder, cookieDecoder oidc.Decoder) (oidc.UpstreamStateParamData, error) {`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`if r.Method != http.MethodGet {`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`return nil, httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET)", r.Method)`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`}`

			`csrfValue, err := readCSRFCookie(r, cookieDecoder)`
			`if err != nil {`
			`plog.InfoErr("error reading CSRF cookie", err)`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`return nil, err`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`}`

			`if r.FormValue("code") == "" {`
			`plog.Info("code param not found")`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`return nil, httperr.New(http.StatusBadRequest, "code param not found")`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`}`

			`if r.FormValue("state") == "" {`
			`plog.Info("state param not found")`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`return nil, httperr.New(http.StatusBadRequest, "state param not found")`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`}`

			`state, err := readState(r, stateDecoder)`
			`if err != nil {`
			`plog.InfoErr("error reading state", err)`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`return nil, err`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`}`

			`if state.CSRFToken != csrfValue {`
			`plog.InfoErr("CSRF value does not match", err)`
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`return nil, httperr.Wrap(http.StatusForbidden, "CSRF value does not match", err)`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`}`

callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-16 22:07:34 +00:00			`return state, nil`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`}`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`func findUpstreamIDPConfig(r http.Request, idpListGetter oidc.IDPListGetter) provider.UpstreamOIDCIdentityProviderI {`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`_, lastPathComponent := path.Split(r.URL.Path)`
			`for _, p := range idpListGetter.GetIDPList() {`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`if p.GetName() == lastPathComponent {`
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-13 23:59:51 +00:00			`return &p`
			`}`
			`}`
			`return nil`
			`}`
callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 16:47:49 +00:00
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`func readCSRFCookie(r *http.Request, cookieDecoder oidc.Decoder) (csrftoken.CSRFToken, error) {`
callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 16:47:49 +00:00			`receivedCSRFCookie, err := r.Cookie(oidc.CSRFCookieName)`
			`if err != nil {`
			`// Error means that the cookie was not found`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`return "", httperr.Wrap(http.StatusForbidden, "CSRF cookie is missing", err)`
callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 16:47:49 +00:00			`}`

			`var csrfFromCookie csrftoken.CSRFToken`
			`err = cookieDecoder.Decode(oidc.CSRFCookieEncodingName, receivedCSRFCookie.Value, &csrfFromCookie)`
			`if err != nil {`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00			`return "", httperr.Wrap(http.StatusForbidden, "error reading CSRF cookie", err)`
callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 16:47:49 +00:00			`}`

			`return csrfFromCookie, nil`
			`}`
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-16 19:41:00 +00:00
			`func readState(r http.Request, stateDecoder oidc.Decoder) (oidc.UpstreamStateParamData, error) {`
			`var state oidc.UpstreamStateParamData`
			`if err := stateDecoder.Decode(`
			`oidc.UpstreamStateParamEncodingName,`
			`r.FormValue("state"),`
			`&state,`
			`); err != nil {`
			`return nil, httperr.New(http.StatusBadRequest, "error reading state")`
			`}`

			`if state.FormatVersion != oidc.UpstreamStateParamFormatVersion {`
			`return nil, httperr.New(http.StatusUnprocessableEntity, "state format version is invalid")`
			`}`

			`return &state, nil`
			`}`