djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/internal/oidc/provider/manager/manager.go

155 lines
6.1 KiB
Go
Raw Normal View History

Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
package manager
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
import (
"net/http"
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
"strings"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
"sync"
WIP for saving authorize endpoint state into upstream state param Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 01:58:00 +00:00
"github.com/gorilla/securecookie"
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
"go.pinniped.dev/internal/oidc"
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-05 01:06:47 +00:00
"go.pinniped.dev/internal/oidc/auth"
internal/oidc/provider/manager: route to callback endpoint Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-20 15:42:43 +00:00
"go.pinniped.dev/internal/oidc/callback"
Finish the WIP from the previous commit for saving authorize endpoint state Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 20:29:14 +00:00
"go.pinniped.dev/internal/oidc/csrftoken"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
"go.pinniped.dev/internal/oidc/discovery"
Implement per-issuer OIDC JWKS endpoint
2020-10-17 00:51:40 +00:00
"go.pinniped.dev/internal/oidc/jwks"
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
"go.pinniped.dev/internal/oidc/provider"
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-03 20:34:58 +00:00
"go.pinniped.dev/internal/oidc/token"
Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 15:22:16 +00:00
"go.pinniped.dev/internal/plog"
Move `./internal/oidcclient` to `./pkg/oidcclient`. This will allow it to be imported by Go code outside of our repository, which was something we have planned for since this code was written. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-11-17 18:46:54 +00:00
"go.pinniped.dev/pkg/oidcclient/nonce"
"go.pinniped.dev/pkg/oidcclient/pkce"
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
)
// Manager can manage multiple active OIDC providers. It acts as a request router for them.
//
// It is thread-safe.
type Manager struct {
Implement per-issuer OIDC JWKS endpoint
2020-10-17 00:51:40 +00:00
mu sync.RWMutex
providers []*provider.OIDCProvider
providerHandlers map[string]http.Handler // map of all routes for all providers
nextHandler http.Handler // the next handler in a chain, called when this manager didn't know how to handle a request
dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
Tiny bit more code for Supervisor's callback_handler.go Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-13 23:59:51 +00:00
idpListGetter oidc.IDPListGetter // in-memory cache of upstream IDPs
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
secretsClient corev1client.SecretInterface
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
Several small refactors related to OIDC providers
2020-10-08 18:28:21 +00:00
// NewManager returns an empty Manager.
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
// nextHandler will be invoked for any requests that could not be handled by this manager's providers.
Implement per-issuer OIDC JWKS endpoint
2020-10-17 00:51:40 +00:00
// dynamicJWKSProvider will be used as an in-memory cache for per-issuer JWKS data.
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-05 01:06:47 +00:00
// idpListGetter will be used as an in-memory cache of currently configured upstream IDPs.
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
func NewManager(
nextHandler http.Handler,
dynamicJWKSProvider jwks.DynamicJWKSProvider,
idpListGetter oidc.IDPListGetter,
secretsClient corev1client.SecretInterface,
) *Manager {
Implement per-issuer OIDC JWKS endpoint
2020-10-17 00:51:40 +00:00
return &Manager{
providerHandlers: make(map[string]http.Handler),
nextHandler: nextHandler,
dynamicJWKSProvider: dynamicJWKSProvider,
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-05 01:06:47 +00:00
idpListGetter: idpListGetter,
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
secretsClient: secretsClient,
Implement per-issuer OIDC JWKS endpoint
2020-10-17 00:51:40 +00:00
}
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
// SetProviders adds or updates all the given providerHandlers using each provider's issuer string
// as the name of the provider to decide if it is an add or update operation.
//
// It also removes any providerHandlers that were previously added but were not passed in to
// the current invocation.
//
// This method assumes that all of the OIDCProvider arguments have already been validated
// by someone else before they are passed to this method.
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 21:40:56 +00:00
func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
m.mu.Lock()
defer m.mu.Unlock()
m.providers = oidcProviders
m.providerHandlers = make(map[string]http.Handler)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
for _, incomingProvider := range oidcProviders {
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
issuer := incomingProvider.Issuer()
issuerHostWithPath := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath()
Implement per-issuer OIDC JWKS endpoint
2020-10-17 00:51:40 +00:00
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
fositeHMACSecretForThisProvider := []byte("some secret - must have at least 32 bytes") // TODO replace this secret
Implement per-issuer OIDC JWKS endpoint
2020-10-17 00:51:40 +00:00
Add NullStorage for the authorize endpoint to use We want to run all of the fosite validations in the authorize endpoint, but we don't need to store anything yet because we are storing what we need for later in the upstream state parameter. Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 22:49:24 +00:00
// Use NullStorage for the authorize endpoint because we do not actually want to store anything until
// the upstream callback endpoint is called later.
Merge remote-tracking branch 'upstream/callback-endpoint' into token-endpoint
2020-12-03 16:14:37 +00:00
oauthHelperWithNullStorage := oidc.FositeOauth2Helper(oidc.NullStorage{}, issuer, fositeHMACSecretForThisProvider, nil)
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
// For all the other endpoints, make another oauth helper with exactly the same settings except use real storage.
Passing signing key through to the token endpoint
2020-12-04 01:16:08 +00:00
oauthHelperWithKubeStorage := oidc.FositeOauth2Helper(oidc.NewKubeStorage(m.secretsClient), issuer, fositeHMACSecretForThisProvider, m.dynamicJWKSProvider)
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-05 01:06:47 +00:00
Supervisor authorize endpoint reuses existing CSRF cookies and signs new ones - To better support having multiple downstream providers configured, the authorize endpoint will share a CSRF cookie between all downstream providers' authorize endpoints. The first time a user's browser hits the authorize endpoint of any downstream provider, that endpoint will set the cookie. Then if the user starts an authorize flow with that same downstream provider or with any other downstream provider which shares the same domain name (i.e. differentiated by issuer path), then the same cookie will be submitted and respected. - Just in case we are sharing the domain name with some other app, we sign the value of any new CSRF cookie and check the signature when we receive the cookie. This wasn't strictly necessary since we probably won't share a domain name with other apps, but it wasn't hard to add this cookie signing. Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-12 23:36:59 +00:00
// TODO use different codecs for the state and the cookie, because:
// 1. we would like to state to have an embedded expiration date while the cookie does not need that
// 2. we would like each downstream provider to use different secrets for signing/encrypting the upstream state, not share secrets
// 3. we would like *all* downstream providers to use the *same* signing key for the CSRF cookie (which doesn't need to be encrypted) because cookies are sent per-domain and our issuers can share a domain name (but have different paths)
Add NullStorage for the authorize endpoint to use We want to run all of the fosite validations in the authorize endpoint, but we don't need to store anything yet because we are storing what we need for later in the upstream state parameter. Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 22:49:24 +00:00
var encoderHashKey = []byte("fake-hash-secret") // TODO replace this secret
var encoderBlockKey = []byte("16-bytes-aaaaaaa") // TODO replace this secret
Use distinct `Encoder` for state and csrf data
2020-12-10 01:24:12 +00:00
var upstreamStateEncoder = securecookie.New(encoderHashKey, encoderBlockKey)
upstreamStateEncoder.SetSerializer(securecookie.JSONEncoder{})
var csrfCookieEncoder = securecookie.New(encoderHashKey, encoderBlockKey)
csrfCookieEncoder.SetSerializer(securecookie.JSONEncoder{})
WIP for saving authorize endpoint state into upstream state param Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-11-11 01:58:00 +00:00
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
m.providerHandlers[(issuerHostWithPath + oidc.WellKnownEndpointPath)] = discovery.NewHandler(issuer)
m.providerHandlers[(issuerHostWithPath + oidc.JWKSEndpointPath)] = jwks.NewHandler(issuer, m.dynamicJWKSProvider)
m.providerHandlers[(issuerHostWithPath + oidc.AuthorizationEndpointPath)] = auth.NewHandler(
issuer,
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
m.idpListGetter,
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
oauthHelperWithNullStorage,
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
csrftoken.Generate,
pkce.Generate,
nonce.Generate,
Use distinct `Encoder` for state and csrf data
2020-12-10 01:24:12 +00:00
upstreamStateEncoder,
csrfCookieEncoder,
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
)
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-05 01:06:47 +00:00
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
m.providerHandlers[(issuerHostWithPath + oidc.CallbackEndpointPath)] = callback.NewHandler(
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
m.idpListGetter,
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
oauthHelperWithKubeStorage,
Use distinct `Encoder` for state and csrf data
2020-12-10 01:24:12 +00:00
upstreamStateEncoder,
csrfCookieEncoder,
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
issuer+oidc.CallbackEndpointPath,
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-02 16:36:07 +00:00
)
Expose the Supervisor OIDC authorization endpoint to the public
2020-11-05 01:06:47 +00:00
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com>
2020-12-03 20:34:58 +00:00
m.providerHandlers[(issuerHostWithPath + oidc.TokenEndpointPath)] = token.NewHandler(
oauthHelperWithKubeStorage,
)
Use kube storage for the supervisor callback endpoint's fosite sessions
2020-12-03 01:39:45 +00:00
plog.Debug("oidc provider manager added or updated issuer", "issuer", issuer)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
}
// ServeHTTP implements the http.Handler interface.
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 21:40:56 +00:00
func (m *Manager) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
requestHandler := m.findHandler(req)
Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com>
2020-11-10 15:22:16 +00:00
plog.Debug(
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 21:40:56 +00:00
"oidc provider manager examining request",
"method", req.Method,
"host", req.Host,
"path", req.URL.Path,
"foundMatchingIssuer", requestHandler != nil,
)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 21:40:56 +00:00
if requestHandler == nil {
requestHandler = m.nextHandler // couldn't find an issuer to handle the request
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 21:40:56 +00:00
requestHandler.ServeHTTP(resp, req)
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com>
2020-10-08 21:40:56 +00:00
func (m *Manager) findHandler(req *http.Request) http.Handler {
m.mu.RLock()
defer m.mu.RUnlock()
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic.
2020-10-23 23:25:44 +00:00
return m.providerHandlers[strings.ToLower(req.Host)+"/"+req.URL.Path]
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still
2020-10-08 02:18:34 +00:00
}