djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/internal/oidc/callback/callback_handler.go

128 lines
4.8 KiB
Go
Raw Normal View History

Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 17:31:39 +00:00
// SPDX-License-Identifier: Apache-2.0
// Package callback provides a handler for the OIDC callback endpoint.
package callback
import (
"net/http"
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
"net/url"
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 17:31:39 +00:00
require groups scope to get groups back from supervisor Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 15:00:17 +00:00
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation.
2020-11-18 21:38:13 +00:00
"github.com/ory/fosite"
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 17:31:39 +00:00
"go.pinniped.dev/internal/httputil/httperr"
Add Cache-Control, Pragma, Expires, and X-DNS-Prefetch-Control headers Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-14 23:28:32 +00:00
"go.pinniped.dev/internal/httputil/securityheader"
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 23:59:51 +00:00
"go.pinniped.dev/internal/oidc"
Extract some trivial helpers for identical code usages
2021-06-30 22:02:14 +00:00
"go.pinniped.dev/internal/oidc/downstreamsession"
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 23:59:51 +00:00
"go.pinniped.dev/internal/oidc/provider"
Add custom response_mode=form_post HTML template. This is a new pacakge internal/oidc/provider/formposthtml containing a number of static files embedded using the relatively recent Go "//go:embed" functionality introduced in Go 1.16 (https://blog.golang.org/go1.16). The Javascript and CSS files are minifiied and injected to make a single self-contained HTML response. There is a special Content-Security-Policy helper to calculate hash-based script-src and style-src rules. This new code is covered by a new integration test that exercises the JS/HTML functionality in a real browser outside of the rest of the Supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-30 16:50:01 +00:00
"go.pinniped.dev/internal/oidc/provider/formposthtml"
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
"go.pinniped.dev/internal/plog"
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 17:31:39 +00:00
)
callback_handler.go: Add JWT Issuer claim to storage
2020-11-19 16:35:23 +00:00
func NewHandler(
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
upstreamIDPs oidc.UpstreamOIDCIdentityProvidersLister,
callback_handler.go: Add JWT Issuer claim to storage
2020-11-19 16:35:23 +00:00
oauthHelper fosite.OAuth2Provider,
stateDecoder, cookieDecoder oidc.Decoder,
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
redirectURI string,
callback_handler.go: Add JWT Issuer claim to storage
2020-11-19 16:35:23 +00:00
) http.Handler {
Add custom response_mode=form_post HTML template. This is a new pacakge internal/oidc/provider/formposthtml containing a number of static files embedded using the relatively recent Go "//go:embed" functionality introduced in Go 1.16 (https://blog.golang.org/go1.16). The Javascript and CSS files are minifiied and injected to make a single self-contained HTML response. There is a special Content-Security-Policy helper to calculate hash-based script-src and style-src rules. This new code is covered by a new integration test that exercises the JS/HTML functionality in a real browser outside of the rest of the Supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-30 16:50:01 +00:00
handler := httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
state, err := validateRequest(r, stateDecoder, cookieDecoder)
if err != nil {
callback_handler.go: write 2 invalid cookie tests Also common-ize some more constants shared between the auth and callback endpoints. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 16:47:49 +00:00
return err
}
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
upstreamIDPConfig := findUpstreamIDPConfig(state.UpstreamName, upstreamIDPs)
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
if upstreamIDPConfig == nil {
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
plog.Warning("upstream provider not found")
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 23:59:51 +00:00
return httperr.New(http.StatusUnprocessableEntity, "upstream provider not found")
}
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
downstreamAuthParams, err := url.ParseQuery(state.AuthParams)
if err != nil {
callback_handler.go: start to test upstream token corner cases Also refactor to get rid of duplicate test structs. Also also don't default groups ID token claim because there is no standard one. Also also also add some logging that will hopefully help us in debugging in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 19:19:01 +00:00
plog.Error("error reading state downstream auth params", err)
callback_handler.go: test when state missing a needed param Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 13:51:23 +00:00
return httperr.New(http.StatusBadRequest, "error reading state downstream auth params")
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
}
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
// Recreate enough of the original authorize request so we can pass it to NewAuthorizeRequest().
reconstitutedAuthRequest := &http.Request{Form: downstreamAuthParams}
authorizeRequester, err := oauthHelper.NewAuthorizeRequest(r.Context(), reconstitutedAuthRequest)
if err != nil {
callback_handler.go: start to test upstream token corner cases Also refactor to get rid of duplicate test structs. Also also don't default groups ID token claim because there is no standard one. Also also also add some logging that will hopefully help us in debugging in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 19:19:01 +00:00
plog.Error("error using state downstream auth params", err)
callback_handler.go: test when state missing a needed param Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 13:51:23 +00:00
return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
}
Allow dynamic clients to be used in downstream OIDC flows This is only a first commit towards making this feature work. - Hook dynamic clients into fosite by returning them from the storage interface (after finding and validating them) - In the auth endpoint, prevent the use of the username and password headers for dynamic clients to force them to use the browser-based login flows for all the upstream types - Add happy path integration tests in supervisor_login_test.go - Add lots of comments (and some small refactors) in supervisor_login_test.go to make it much easier to understand - Add lots of unit tests for the auth endpoint regarding dynamic clients (more unit tests to be added for other endpoints in follow-up commits) - Enhance crud.go to make lifetime=0 mean never garbage collect, since we want client secret storage Secrets to last forever - Move the OIDCClient validation code to a package where it can be shared between the controller and the fosite storage interface - Make shared test helpers for tests that need to create OIDC client secret storage Secrets - Create a public const for "pinniped-cli" now that we are using that string in several places in the production code
2022-07-14 16:51:11 +00:00
// Automatically grant the openid, offline_access, pinniped:request-audience, and groups scopes, but only if they were requested.
// This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned
// an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here.
require groups scope to get groups back from supervisor Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 15:00:17 +00:00
downstreamsession.GrantScopesIfRequested(authorizeRequester, []string{coreosoidc.ScopeOpenID, coreosoidc.ScopeOfflineAccess, oidc.RequestAudienceScope, oidc.DownstreamGroupsScope})
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-04 21:33:36 +00:00
token, err := upstreamIDPConfig.ExchangeAuthcodeAndValidateTokens(
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
r.Context(),
callback_handler.go: Add JWT Audience claim to storage
2020-11-19 16:53:53 +00:00
authcode(r),
callback_handler.go: assert correct args are passed to token exchange Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 15:20:46 +00:00
state.PKCECode,
state.Nonce,
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
redirectURI,
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
)
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
if err != nil {
callback_handler.go: start to test upstream token corner cases Also refactor to get rid of duplicate test structs. Also also don't default groups ID token claim because there is no standard one. Also also also add some logging that will hopefully help us in debugging in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 19:19:01 +00:00
plog.WarningErr("error exchanging and validating upstream tokens", err, "upstreamName", upstreamIDPConfig.GetName())
callback_handler.go: add test for failed upstream exchange/validation Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 14:00:41 +00:00
return httperr.New(http.StatusBadGateway, "error exchanging and validating upstream tokens")
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
}
Some refactors based on PR feedback from @enj
2021-08-17 20:14:09 +00:00
subject, username, groups, err := downstreamsession.GetDownstreamIdentityFromUpstreamIDToken(upstreamIDPConfig, token.IDToken.Claims)
callback_handler.go: test invalid upstream ID token username/groups Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 20:53:21 +00:00
if err != nil {
Refactor some authorize and callback error handling, and add more tests
2021-08-18 19:06:46 +00:00
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
callback_handler.go: test invalid upstream ID token username/groups Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-19 20:53:21 +00:00
}
Store access token when refresh not available for authcode flow. Also refactor oidc downstreamsessiondata code to be shared between callback handler and auth handler. Signed-off-by: Ryan Richard <richardry@vmware.com>
2022-01-11 19:00:54 +00:00
customSessionData, err := downstreamsession.MakeDownstreamOIDCCustomSessionData(upstreamIDPConfig, token)
Addressing PR feedback store issuer and subject in storage for refresh Clean up some constants Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-01-07 23:04:58 +00:00
if err != nil {
return httperr.Wrap(http.StatusUnprocessableEntity, err.Error(), err)
}
require groups scope to get groups back from supervisor Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-06-15 15:00:17 +00:00
openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups, authorizeRequester.GetGrantedScopes(), customSessionData)
Extract some trivial helpers for identical code usages
2021-06-30 22:02:14 +00:00
callback_handler.go: start to test upstream token corner cases Also refactor to get rid of duplicate test structs. Also also don't default groups ID token claim because there is no standard one. Also also also add some logging that will hopefully help us in debugging in the future. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-19 19:19:01 +00:00
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
if err != nil {
callback_handler.go: Prepend iss to sub when making default username - Also handle several more error cases - Move RequireTimeInDelta to shared testutils package so other tests can also use it - Move all of the oidc test helpers into a new oidc/oidctestutils package to break a circular import dependency. The shared testutil package can't depend on any of our other packages or else we end up with circular dependencies. - Lots more assertions about what was stored at the end of the request to build confidence that we are going to pass all of the right settings over to the token endpoint through the storage, and also to avoid accidental regressions in that area in the future Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 01:57:07 +00:00
plog.WarningErr("error while generating and saving authcode", err, "upstreamName", upstreamIDPConfig.GetName())
return httperr.Wrap(http.StatusInternalServerError, "error while generating and saving authcode", err)
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
}
oauthHelper.WriteAuthorizeResponse(w, authorizeRequester, authorizeResponder)
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
return nil
Add custom response_mode=form_post HTML template. This is a new pacakge internal/oidc/provider/formposthtml containing a number of static files embedded using the relatively recent Go "//go:embed" functionality introduced in Go 1.16 (https://blog.golang.org/go1.16). The Javascript and CSS files are minifiied and injected to make a single self-contained HTML response. There is a special Content-Security-Policy helper to calculate hash-based script-src and style-src rules. This new code is covered by a new integration test that exercises the JS/HTML functionality in a real browser outside of the rest of the Supervisor. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2021-06-30 16:50:01 +00:00
})
return securityheader.WrapWithCustomCSP(handler, formposthtml.ContentSecurityPolicy())
callback_handler.go: initial API/test shape with 1 test Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-13 17:31:39 +00:00
}
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 23:59:51 +00:00
callback_handler.go: Add JWT Audience claim to storage
2020-11-19 16:53:53 +00:00
func authcode(r *http.Request) string {
return r.FormValue("code")
}
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
func validateRequest(r *http.Request, stateDecoder, cookieDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
if r.Method != http.MethodGet {
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
return nil, httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET)", r.Method)
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
}
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared.
2022-04-26 22:30:39 +00:00
_, decodedState, err := oidc.ReadStateParamAndValidateCSRFCookie(r, cookieDecoder, stateDecoder)
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
if err != nil {
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared.
2022-04-26 22:30:39 +00:00
plog.InfoErr("state or CSRF error", err)
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
return nil, err
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
}
callback_handler.go: Add JWT Audience claim to storage
2020-11-19 16:53:53 +00:00
if authcode(r) == "" {
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
plog.Info("code param not found")
callback_handler.go: start happy path test with redirect Next steps: fosite storage? Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-16 22:07:34 +00:00
return nil, httperr.New(http.StatusBadRequest, "code param not found")
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
}
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared.
2022-04-26 22:30:39 +00:00
return decodedState, nil
callback_handler.go: add CSRF and version state validations Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-16 19:41:00 +00:00
}
Supervisor pre-factor to make room for upstream LDAP identity providers
2021-04-07 23:12:13 +00:00
func findUpstreamIDPConfig(upstreamName string, upstreamIDPs oidc.UpstreamOIDCIdentityProvidersLister) provider.UpstreamOIDCIdentityProviderI {
for _, p := range upstreamIDPs.GetOIDCIdentityProviders() {
callback_handler.go: Get upstream name from state instead of path Also use ConstantTimeCompare() to compare CSRF tokens to prevent leaking any information in how quickly we reject bad tokens. Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-20 21:33:08 +00:00
if p.GetName() == upstreamName {
Start using fosite in the Supervisor's callback handler
2020-11-19 01:15:01 +00:00
return p
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 23:59:51 +00:00
}
}
return nil
}