2022-01-07 23:04:58 +00:00
|
|
|
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
2020-11-13 17:31:39 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
// Package callback provides a handler for the OIDC callback endpoint.
|
|
|
|
package callback
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
2020-11-16 22:07:34 +00:00
|
|
|
"net/url"
|
2020-11-13 17:31:39 +00:00
|
|
|
|
2022-06-15 15:00:17 +00:00
|
|
|
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
|
2020-11-18 21:38:13 +00:00
|
|
|
"github.com/ory/fosite"
|
|
|
|
|
2020-11-13 17:31:39 +00:00
|
|
|
"go.pinniped.dev/internal/httputil/httperr"
|
2020-12-14 23:28:32 +00:00
|
|
|
"go.pinniped.dev/internal/httputil/securityheader"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
2021-06-30 22:02:14 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/downstreamsession"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2021-06-30 16:50:01 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider/formposthtml"
|
2020-11-16 19:41:00 +00:00
|
|
|
"go.pinniped.dev/internal/plog"
|
2020-11-13 17:31:39 +00:00
|
|
|
)
|
|
|
|
|
2020-11-19 16:35:23 +00:00
|
|
|
func NewHandler(
|
2021-04-07 23:12:13 +00:00
|
|
|
upstreamIDPs oidc.UpstreamOIDCIdentityProvidersLister,
|
2020-11-19 16:35:23 +00:00
|
|
|
oauthHelper fosite.OAuth2Provider,
|
|
|
|
stateDecoder, cookieDecoder oidc.Decoder,
|
2020-12-02 16:36:07 +00:00
|
|
|
redirectURI string,
|
2020-11-19 16:35:23 +00:00
|
|
|
) http.Handler {
|
2021-06-30 16:50:01 +00:00
|
|
|
handler := httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
|
2020-11-16 22:07:34 +00:00
|
|
|
state, err := validateRequest(r, stateDecoder, cookieDecoder)
|
|
|
|
if err != nil {
|
2020-11-16 16:47:49 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2021-04-07 23:12:13 +00:00
|
|
|
upstreamIDPConfig := findUpstreamIDPConfig(state.UpstreamName, upstreamIDPs)
|
2020-11-19 01:15:01 +00:00
|
|
|
if upstreamIDPConfig == nil {
|
2020-11-16 19:41:00 +00:00
|
|
|
plog.Warning("upstream provider not found")
|
2020-11-13 23:59:51 +00:00
|
|
|
return httperr.New(http.StatusUnprocessableEntity, "upstream provider not found")
|
|
|
|
}
|
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
downstreamAuthParams, err := url.ParseQuery(state.AuthParams)
|
|
|
|
if err != nil {
|
2020-11-19 19:19:01 +00:00
|
|
|
plog.Error("error reading state downstream auth params", err)
|
2020-11-19 13:51:23 +00:00
|
|
|
return httperr.New(http.StatusBadRequest, "error reading state downstream auth params")
|
2020-11-16 22:07:34 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 01:15:01 +00:00
|
|
|
// Recreate enough of the original authorize request so we can pass it to NewAuthorizeRequest().
|
|
|
|
reconstitutedAuthRequest := &http.Request{Form: downstreamAuthParams}
|
|
|
|
authorizeRequester, err := oauthHelper.NewAuthorizeRequest(r.Context(), reconstitutedAuthRequest)
|
|
|
|
if err != nil {
|
2022-07-21 16:26:00 +00:00
|
|
|
plog.Error("error using state downstream auth params", err,
|
|
|
|
"fositeErr", oidc.FositeErrorForLog(err))
|
2020-11-19 13:51:23 +00:00
|
|
|
return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
|
2020-11-19 01:15:01 +00:00
|
|
|
}
|
|
|
|
|
2022-07-14 16:51:11 +00:00
|
|
|
// Automatically grant the openid, offline_access, pinniped:request-audience, and groups scopes, but only if they were requested.
|
|
|
|
// This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned
|
|
|
|
// an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here.
|
2022-06-15 15:00:17 +00:00
|
|
|
downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope})
|
2020-11-19 01:15:01 +00:00
|
|
|
|
2020-12-04 21:33:36 +00:00
|
|
|
token, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens(
|
2020-11-19 01:15:01 +00:00
|
|
|
r.Context(),
|
2020-11-19 16:53:53 +00:00
|
|
|
authcode(r),
|
2020-11-19 15:20:46 +00:00
|
|
|
state.PKCECode,
|
|
|
|
state.Nonce,
|
2020-12-02 16:36:07 +00:00
|
|
|
redirectURI,
|
2020-11-16 22:07:34 +00:00
|
|
|
)
|
2020-11-19 01:15:01 +00:00
|
|
|
if err != nil {
|
2020-11-19 19:19:01 +00:00
|
|
|
plog.WarningErr("error exchanging and validating upstream tokens", err, "upstreamName", upstreamIDPConfig.GetName())
|
2020-11-19 14:00:41 +00:00
|
|
|
return httperr.New(http.StatusBadGateway, "error exchanging and validating upstream tokens")
|
2020-11-19 01:15:01 +00:00
|
|
|
}
|
|
|
|
|
2021-08-17 20:14:09 +00:00
|
|
|
subject, username, groups, err := downstreamsession.GetDownstreamIdentityFromUpstreamIDToken(upstreamIDPConfig, token.IDToken.Claims)
|
2020-11-19 20:53:21 +00:00
|
|
|
if err != nil {
|
2021-08-18 19:06:46 +00:00
|
|
|
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
2020-11-19 20:53:21 +00:00
|
|
|
}
|
|
|
|
|
2022-01-11 19:00:54 +00:00
|
|
|
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token)
|
2022-01-07 23:04:58 +00:00
|
|
|
if err != nil {
|
|
|
|
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
|
|
|
|
}
|
|
|
|
|
2022-06-15 15:00:17 +00:00
|
|
|
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData)
|
2021-06-30 22:02:14 +00:00
|
|
|
|
2020-11-19 19:19:01 +00:00
|
|
|
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
|
2020-11-19 01:15:01 +00:00
|
|
|
if err != nil {
|
2022-07-21 16:26:00 +00:00
|
|
|
plog.WarningErr("error while generating and saving authcode", err,
|
|
|
|
"upstreamName", upstreamIDPConfig.GetName(), "fositeErr", oidc.FositeErrorForLog(err))
|
2020-11-20 01:57:07 +00:00
|
|
|
return httperr.Wrap(http.StatusInternalServerError, "error while generating and saving authcode", err)
|
2020-11-19 01:15:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
oauthHelper.WriteAuthorizeResponse(w, authorizeRequester, authorizeResponder)
|
2020-11-16 22:07:34 +00:00
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
return nil
|
2021-06-30 16:50:01 +00:00
|
|
|
})
|
|
|
|
return securityheader.WrapWithCustomCSP(handler, formposthtml.ContentSecurityPolicy())
|
2020-11-13 17:31:39 +00:00
|
|
|
}
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2020-11-19 16:53:53 +00:00
|
|
|
func authcode(r *http.Request) string {
|
|
|
|
return r.FormValue("code")
|
|
|
|
}
|
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
func validateRequest(r *http.Request, stateDecoder, cookieDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
|
2020-11-16 19:41:00 +00:00
|
|
|
if r.Method != http.MethodGet {
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET)", r.Method)
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
2022-04-26 22:30:39 +00:00
|
|
|
_, decodedState, err := oidc.ReadStateParamAndValidateCSRFCookie(r, cookieDecoder, stateDecoder)
|
2020-11-16 19:41:00 +00:00
|
|
|
if err != nil {
|
2022-04-26 22:30:39 +00:00
|
|
|
plog.InfoErr("state or CSRF error", err)
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, err
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
2020-11-19 16:53:53 +00:00
|
|
|
if authcode(r) == "" {
|
2020-11-16 19:41:00 +00:00
|
|
|
plog.Info("code param not found")
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.New(http.StatusBadRequest, "code param not found")
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
2022-04-26 22:30:39 +00:00
|
|
|
return decodedState, nil
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
2021-04-07 23:12:13 +00:00
|
|
|
func findUpstreamIDPConfig(upstreamName string, upstreamIDPs oidc.UpstreamOIDCIdentityProvidersLister) provider.UpstreamOIDCIdentityProviderI {
|
|
|
|
for _, p := range upstreamIDPs.GetOIDCIdentityProviders() {
|
2020-11-20 21:33:08 +00:00
|
|
|
if p.GetName() == upstreamName {
|
2020-11-19 01:15:01 +00:00
|
|
|
return p
|
2020-11-13 23:59:51 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|