2022-04-25 23:41:55 +00:00
|
|
|
// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
2020-10-06 14:11:57 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
// Package oidc contains common OIDC functionality needed by Pinniped.
|
|
|
|
package oidc
|
|
|
|
|
2020-11-04 23:04:50 +00:00
|
|
|
import (
|
2022-04-26 22:30:39 +00:00
|
|
|
"crypto/subtle"
|
2022-04-29 23:01:51 +00:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2022-04-26 22:30:39 +00:00
|
|
|
"net/http"
|
2020-11-20 20:45:29 +00:00
|
|
|
"time"
|
|
|
|
|
2021-01-20 17:54:44 +00:00
|
|
|
coreosoidc "github.com/coreos/go-oidc/v3/oidc"
|
2022-04-29 23:01:51 +00:00
|
|
|
"github.com/felixge/httpsnoop"
|
2020-11-04 23:04:50 +00:00
|
|
|
"github.com/ory/fosite"
|
|
|
|
"github.com/ory/fosite/compose"
|
2022-04-29 23:01:51 +00:00
|
|
|
errorsx "github.com/pkg/errors"
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2022-04-29 23:01:51 +00:00
|
|
|
"go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
|
2022-04-26 22:30:39 +00:00
|
|
|
"go.pinniped.dev/internal/httputil/httperr"
|
2020-11-16 19:41:00 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/csrftoken"
|
2020-12-03 20:34:58 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/jwks"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2021-06-30 16:50:01 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider/formposthtml"
|
2022-04-29 23:01:51 +00:00
|
|
|
"go.pinniped.dev/internal/plog"
|
|
|
|
"go.pinniped.dev/internal/psession"
|
2020-11-20 23:13:25 +00:00
|
|
|
"go.pinniped.dev/pkg/oidcclient/nonce"
|
|
|
|
"go.pinniped.dev/pkg/oidcclient/pkce"
|
2020-11-04 23:04:50 +00:00
|
|
|
)
|
|
|
|
|
2020-10-06 14:11:57 +00:00
|
|
|
const (
|
2020-10-08 18:28:21 +00:00
|
|
|
WellKnownEndpointPath = "/.well-known/openid-configuration"
|
|
|
|
AuthorizationEndpointPath = "/oauth2/authorize"
|
|
|
|
TokenEndpointPath = "/oauth2/token" //nolint:gosec // ignore lint warning that this is a credential
|
2020-11-20 15:42:43 +00:00
|
|
|
CallbackEndpointPath = "/callback"
|
2020-10-08 18:28:21 +00:00
|
|
|
JWKSEndpointPath = "/jwks.json"
|
2021-05-13 17:05:56 +00:00
|
|
|
PinnipedIDPsPathV1Alpha1 = "/v1alpha1/pinniped_identity_providers"
|
2022-04-25 23:41:55 +00:00
|
|
|
PinnipedLoginPath = "/login"
|
2020-10-06 14:11:57 +00:00
|
|
|
)
|
2020-11-04 23:04:50 +00:00
|
|
|
|
2020-11-16 16:47:49 +00:00
|
|
|
const (
|
2020-11-16 19:41:00 +00:00
|
|
|
// Just in case we need to make a breaking change to the format of the upstream state param,
|
|
|
|
// we are including a format version number. This gives the opportunity for a future version of Pinniped
|
|
|
|
// to have the consumer of this format decide to reject versions that it doesn't understand.
|
2022-05-19 23:02:08 +00:00
|
|
|
//
|
|
|
|
// Version 1 was the original version.
|
|
|
|
// Version 2 added the UpstreamType field to the UpstreamStateParamData struct.
|
2022-04-25 23:41:55 +00:00
|
|
|
UpstreamStateParamFormatVersion = "2"
|
2020-11-16 19:41:00 +00:00
|
|
|
|
|
|
|
// The `name` passed to the encoder for encoding the upstream state param value. This name is short
|
|
|
|
// because it will be encoded into the upstream state param value and we're trying to keep that small.
|
|
|
|
UpstreamStateParamEncodingName = "s"
|
|
|
|
|
2020-11-16 16:47:49 +00:00
|
|
|
// CSRFCookieName is the name of the browser cookie which shall hold our CSRF value.
|
2020-12-01 22:53:22 +00:00
|
|
|
// The `__Host` prefix has a special meaning. See:
|
2020-11-16 16:47:49 +00:00
|
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Cookie_prefixes.
|
|
|
|
CSRFCookieName = "__Host-pinniped-csrf"
|
|
|
|
|
|
|
|
// CSRFCookieEncodingName is the `name` passed to the encoder for encoding and decoding the CSRF
|
|
|
|
// cookie contents.
|
|
|
|
CSRFCookieEncodingName = "csrf"
|
2020-12-15 02:27:14 +00:00
|
|
|
|
|
|
|
// The name of the issuer claim specified in the OIDC spec.
|
|
|
|
IDTokenIssuerClaim = "iss"
|
|
|
|
|
|
|
|
// The name of the subject claim specified in the OIDC spec.
|
|
|
|
IDTokenSubjectClaim = "sub"
|
|
|
|
|
|
|
|
// DownstreamUsernameClaim is a custom claim in the downstream ID token
|
|
|
|
// whose value is mapped from a claim in the upstream token.
|
|
|
|
// By default the value is the same as the downstream subject claim's.
|
|
|
|
DownstreamUsernameClaim = "username"
|
|
|
|
|
|
|
|
// DownstreamGroupsClaim is what we will use to encode the groups in the downstream OIDC ID token
|
|
|
|
// information.
|
|
|
|
DownstreamGroupsClaim = "groups"
|
2020-12-16 21:23:19 +00:00
|
|
|
|
2020-12-11 16:11:10 +00:00
|
|
|
// CSRFCookieLifespan is the length of time that the CSRF cookie is valid. After this time, the
|
|
|
|
// Supervisor's authorization endpoint should give the browser a new CSRF cookie. We set it to
|
|
|
|
// a week so that it is unlikely to expire during a login.
|
|
|
|
CSRFCookieLifespan = time.Hour * 24 * 7
|
2020-11-16 16:47:49 +00:00
|
|
|
)
|
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
// Encoder is the encoding side of the securecookie.Codec interface.
|
|
|
|
type Encoder interface {
|
|
|
|
Encode(name string, value interface{}) (string, error)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decoder is the decoding side of the securecookie.Codec interface.
|
|
|
|
type Decoder interface {
|
|
|
|
Decode(name, value string, into interface{}) error
|
|
|
|
}
|
|
|
|
|
|
|
|
// Codec is both the encoding and decoding sides of the securecookie.Codec interface. It is
|
|
|
|
// interface'd here so that we properly wrap the securecookie dependency.
|
|
|
|
type Codec interface {
|
|
|
|
Encoder
|
|
|
|
Decoder
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpstreamStateParamData is the format of the state parameter that we use when we communicate to an
|
|
|
|
// upstream OIDC provider.
|
|
|
|
//
|
|
|
|
// Keep the JSON to a minimal size because the upstream provider could impose size limitations on
|
|
|
|
// the state param.
|
|
|
|
type UpstreamStateParamData struct {
|
|
|
|
AuthParams string `json:"p"`
|
2020-11-20 21:14:45 +00:00
|
|
|
UpstreamName string `json:"u"`
|
2022-04-25 23:41:55 +00:00
|
|
|
UpstreamType string `json:"t"`
|
2020-11-16 19:41:00 +00:00
|
|
|
Nonce nonce.Nonce `json:"n"`
|
|
|
|
CSRFToken csrftoken.CSRFToken `json:"c"`
|
|
|
|
PKCECode pkce.Code `json:"k"`
|
|
|
|
FormatVersion string `json:"v"`
|
|
|
|
}
|
|
|
|
|
2020-12-10 18:14:54 +00:00
|
|
|
type TimeoutsConfiguration struct {
|
|
|
|
// The length of time that our state param that we encrypt and pass to the upstream OIDC IDP should be considered
|
|
|
|
// valid. If a state param generated by the authorize endpoint is sent to the callback endpoint after this much
|
|
|
|
// time has passed, then the callback endpoint should reject it. This allows us to set a limit on how long
|
|
|
|
// the end user has to finish their login with the upstream IDP, including the time that it takes to fumble
|
|
|
|
// with password manager and two-factor authenticator apps, and also accounting for taking a coffee break while
|
|
|
|
// the browser is sitting at the upstream IDP's login page.
|
|
|
|
UpstreamStateParamLifespan time.Duration
|
|
|
|
|
|
|
|
// How long an authcode issued by the callback endpoint is valid. This determines how much time the end user
|
|
|
|
// has to come back to exchange the authcode for tokens at the token endpoint.
|
|
|
|
AuthorizeCodeLifespan time.Duration
|
|
|
|
|
|
|
|
// The lifetime of an downstream access token issued by the token endpoint. Access tokens should generally
|
|
|
|
// be fairly short-lived.
|
|
|
|
AccessTokenLifespan time.Duration
|
|
|
|
|
|
|
|
// The lifetime of an downstream ID token issued by the token endpoint. This should generally be the same
|
|
|
|
// as the AccessTokenLifespan, or longer if it would be useful for the user's proof of identity to be valid
|
|
|
|
// for longer than their proof of authorization.
|
|
|
|
IDTokenLifespan time.Duration
|
|
|
|
|
|
|
|
// The lifetime of an downstream refresh token issued by the token endpoint. This should generally be
|
|
|
|
// significantly longer than the access token lifetime, so it can be used to refresh the access token
|
|
|
|
// multiple times. Once the refresh token expires, the user's session is over and they will need
|
|
|
|
// to start a new authorization request, which will require them to log in again with the upstream IDP
|
|
|
|
// in their web browser.
|
|
|
|
RefreshTokenLifespan time.Duration
|
|
|
|
|
|
|
|
// AuthorizationCodeSessionStorageLifetime is the length of time after which an authcode is allowed to be garbage
|
|
|
|
// collected from storage. Authcodes are kept in storage after they are redeemed to allow the system to mark the
|
|
|
|
// authcode as already used, so it can reject any future uses of the same authcode with special case handling which
|
|
|
|
// include revoking the access and refresh tokens associated with the session. Therefore, this should be
|
|
|
|
// significantly longer than the AuthorizeCodeLifespan, and there is probably no reason to make it longer than
|
|
|
|
// the sum of the AuthorizeCodeLifespan and the RefreshTokenLifespan.
|
|
|
|
AuthorizationCodeSessionStorageLifetime time.Duration
|
|
|
|
|
|
|
|
// PKCESessionStorageLifetime is the length of time after which PKCE data is allowed to be garbage collected from
|
|
|
|
// storage. PKCE sessions are closely related to authorization code sessions. After the authcode is successfully
|
|
|
|
// redeemed, the PKCE session is explicitly deleted. After the authcode expires, the PKCE session is no longer needed,
|
|
|
|
// but it is not explicitly deleted. Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll
|
|
|
|
// avoid making it exactly the same as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it
|
|
|
|
// while it is being used.
|
|
|
|
PKCESessionStorageLifetime time.Duration
|
|
|
|
|
|
|
|
// OIDCSessionStorageLifetime is the length of time after which the OIDC session data related to an authcode
|
|
|
|
// is allowed to be garbage collected from storage. Due to a bug in an underlying library, these are not explicitly
|
|
|
|
// deleted. Similar to the PKCE session, they are not needed anymore after the corresponding authcode has expired.
|
|
|
|
// Therefore, this can be just slightly longer than the AuthorizeCodeLifespan. We'll avoid making it exactly the same
|
|
|
|
// as AuthorizeCodeLifespan to avoid any chance of the garbage collector deleting it while it is being used.
|
|
|
|
OIDCSessionStorageLifetime time.Duration
|
|
|
|
|
|
|
|
// AccessTokenSessionStorageLifetime is the length of time after which an access token's session data is allowed
|
2021-05-06 18:53:41 +00:00
|
|
|
// to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid
|
|
|
|
// or else the refresh flow will not work properly. So this must be longer than RefreshTokenLifespan.
|
2020-12-10 18:14:54 +00:00
|
|
|
AccessTokenSessionStorageLifetime time.Duration
|
|
|
|
|
|
|
|
// RefreshTokenSessionStorageLifetime is the length of time after which a refresh token's session data is allowed
|
|
|
|
// to be garbage collected from storage. These must exist in storage for as long as the refresh token is valid.
|
|
|
|
// Therefore, this can be just slightly longer than the RefreshTokenLifespan. We'll avoid making it exactly the same
|
|
|
|
// as RefreshTokenLifespan to avoid any chance of the garbage collector deleting it while it is being used.
|
|
|
|
// If an expired token is still stored when the user tries to refresh it, then they will get a more specific
|
|
|
|
// error message telling them that the token is expired, rather than a more generic error that is returned
|
|
|
|
// when the token does not exist. If this is desirable, then the RefreshTokenSessionStorageLifetime can be made
|
|
|
|
// to be significantly larger than RefreshTokenLifespan, at the cost of slower cleanup.
|
|
|
|
RefreshTokenSessionStorageLifetime time.Duration
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the defaults for the Supervisor server.
|
|
|
|
func DefaultOIDCTimeoutsConfiguration() TimeoutsConfiguration {
|
2021-05-06 18:53:41 +00:00
|
|
|
accessTokenLifespan := 2 * time.Minute
|
2020-12-10 18:14:54 +00:00
|
|
|
authorizationCodeLifespan := 10 * time.Minute
|
|
|
|
refreshTokenLifespan := 9 * time.Hour
|
|
|
|
|
|
|
|
return TimeoutsConfiguration{
|
|
|
|
UpstreamStateParamLifespan: 90 * time.Minute,
|
|
|
|
AuthorizeCodeLifespan: authorizationCodeLifespan,
|
|
|
|
AccessTokenLifespan: accessTokenLifespan,
|
|
|
|
IDTokenLifespan: accessTokenLifespan,
|
|
|
|
RefreshTokenLifespan: refreshTokenLifespan,
|
|
|
|
AuthorizationCodeSessionStorageLifetime: authorizationCodeLifespan + refreshTokenLifespan,
|
|
|
|
PKCESessionStorageLifetime: authorizationCodeLifespan + (1 * time.Minute),
|
|
|
|
OIDCSessionStorageLifetime: authorizationCodeLifespan + (1 * time.Minute),
|
2021-05-06 18:53:41 +00:00
|
|
|
AccessTokenSessionStorageLifetime: refreshTokenLifespan + accessTokenLifespan,
|
2020-12-10 18:44:27 +00:00
|
|
|
RefreshTokenSessionStorageLifetime: refreshTokenLifespan + accessTokenLifespan,
|
2020-12-10 18:14:54 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-12-01 21:25:12 +00:00
|
|
|
func FositeOauth2Helper(
|
2020-12-03 16:14:37 +00:00
|
|
|
oauthStore interface{},
|
|
|
|
issuer string,
|
2020-12-11 16:01:07 +00:00
|
|
|
hmacSecretOfLengthAtLeast32Func func() []byte,
|
2020-12-03 20:34:58 +00:00
|
|
|
jwksProvider jwks.DynamicJWKSProvider,
|
2020-12-10 18:14:54 +00:00
|
|
|
timeoutsConfiguration TimeoutsConfiguration,
|
2020-12-01 21:25:12 +00:00
|
|
|
) fosite.OAuth2Provider {
|
2020-11-04 23:04:50 +00:00
|
|
|
oauthConfig := &compose.Config{
|
2020-11-20 23:50:26 +00:00
|
|
|
IDTokenIssuer: issuer,
|
2020-11-20 20:45:29 +00:00
|
|
|
|
2020-12-10 18:14:54 +00:00
|
|
|
AuthorizeCodeLifespan: timeoutsConfiguration.AuthorizeCodeLifespan,
|
|
|
|
IDTokenLifespan: timeoutsConfiguration.IDTokenLifespan,
|
|
|
|
AccessTokenLifespan: timeoutsConfiguration.AccessTokenLifespan,
|
|
|
|
RefreshTokenLifespan: timeoutsConfiguration.RefreshTokenLifespan,
|
|
|
|
|
2020-12-12 00:15:50 +00:00
|
|
|
ScopeStrategy: fosite.ExactScopeStrategy,
|
|
|
|
EnforcePKCE: true,
|
|
|
|
|
|
|
|
// "offline_access" as per https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
|
|
|
|
RefreshTokenScopes: []string{coreosoidc.ScopeOfflineAccess},
|
|
|
|
|
|
|
|
// The default is to support all prompt values from the spec.
|
|
|
|
// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
|
|
AllowedPromptValues: nil,
|
|
|
|
|
|
|
|
// Use the fosite default to make it more likely that off the shelf OIDC clients can work with the supervisor.
|
|
|
|
MinParameterEntropy: fosite.MinParameterEntropy,
|
2020-11-04 23:04:50 +00:00
|
|
|
}
|
|
|
|
|
2021-06-30 16:50:01 +00:00
|
|
|
provider := compose.Compose(
|
2020-11-04 23:04:50 +00:00
|
|
|
oauthConfig,
|
|
|
|
oauthStore,
|
|
|
|
&compose.CommonStrategy{
|
2020-11-05 01:06:47 +00:00
|
|
|
// Note that Fosite requires the HMAC secret to be at least 32 bytes.
|
2020-12-11 16:01:07 +00:00
|
|
|
CoreStrategy: newDynamicOauth2HMACStrategy(oauthConfig, hmacSecretOfLengthAtLeast32Func),
|
2020-12-04 01:16:08 +00:00
|
|
|
OpenIDConnectTokenStrategy: newDynamicOpenIDConnectECDSAStrategy(oauthConfig, jwksProvider),
|
2020-11-04 23:04:50 +00:00
|
|
|
},
|
|
|
|
nil, // hasher, defaults to using BCrypt when nil. Used for hashing client secrets.
|
|
|
|
compose.OAuth2AuthorizeExplicitFactory,
|
2020-12-09 20:12:59 +00:00
|
|
|
compose.OAuth2RefreshTokenGrantFactory,
|
2020-11-06 22:44:58 +00:00
|
|
|
compose.OpenIDConnectExplicitFactory,
|
2020-12-09 20:12:59 +00:00
|
|
|
compose.OpenIDConnectRefreshFactory,
|
2020-11-04 23:04:50 +00:00
|
|
|
compose.OAuth2PKCEFactory,
|
2021-10-13 19:31:20 +00:00
|
|
|
TokenExchangeFactory, // handle the "urn:ietf:params:oauth:grant-type:token-exchange" grant type
|
2020-11-04 23:04:50 +00:00
|
|
|
)
|
2021-06-30 16:50:01 +00:00
|
|
|
provider.(*fosite.Fosite).FormPostHTMLTemplate = formposthtml.Template()
|
|
|
|
return provider
|
2020-11-04 23:04:50 +00:00
|
|
|
}
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2020-12-04 15:06:55 +00:00
|
|
|
// FositeErrorForLog generates a list of information about the provided Fosite error that can be
|
|
|
|
// passed to a plog function (e.g., plog.Info()).
|
|
|
|
//
|
|
|
|
// Sample usage:
|
2022-08-24 21:45:55 +00:00
|
|
|
//
|
|
|
|
// err := someFositeLibraryFunction()
|
|
|
|
// if err != nil {
|
|
|
|
// plog.Info("some error", FositeErrorForLog(err)...)
|
|
|
|
// ...
|
|
|
|
// }
|
2020-12-04 15:06:55 +00:00
|
|
|
func FositeErrorForLog(err error) []interface{} {
|
|
|
|
rfc6749Error := fosite.ErrorToRFC6749Error(err)
|
|
|
|
keysAndValues := make([]interface{}, 0)
|
|
|
|
keysAndValues = append(keysAndValues, "name")
|
2021-08-16 21:27:40 +00:00
|
|
|
keysAndValues = append(keysAndValues, rfc6749Error.Error()) // Error() returns the ErrorField
|
2020-12-04 15:06:55 +00:00
|
|
|
keysAndValues = append(keysAndValues, "status")
|
2021-08-16 21:27:40 +00:00
|
|
|
keysAndValues = append(keysAndValues, rfc6749Error.Status()) // Status() encodes the CodeField as a string
|
2020-12-04 15:06:55 +00:00
|
|
|
keysAndValues = append(keysAndValues, "description")
|
2021-08-16 21:27:40 +00:00
|
|
|
keysAndValues = append(keysAndValues, rfc6749Error.GetDescription()) // GetDescription() returns the DescriptionField and the HintField
|
|
|
|
keysAndValues = append(keysAndValues, "debug")
|
|
|
|
keysAndValues = append(keysAndValues, rfc6749Error.Debug()) // Debug() returns the DebugField
|
|
|
|
if cause := rfc6749Error.Cause(); cause != nil { // Cause() returns the underlying error, or nil
|
|
|
|
keysAndValues = append(keysAndValues, "cause")
|
|
|
|
keysAndValues = append(keysAndValues, cause.Error())
|
|
|
|
}
|
2020-12-04 15:06:55 +00:00
|
|
|
return keysAndValues
|
|
|
|
}
|
|
|
|
|
2021-04-07 23:12:13 +00:00
|
|
|
type UpstreamOIDCIdentityProvidersLister interface {
|
|
|
|
GetOIDCIdentityProviders() []provider.UpstreamOIDCIdentityProviderI
|
|
|
|
}
|
|
|
|
|
|
|
|
type UpstreamLDAPIdentityProvidersLister interface {
|
|
|
|
GetLDAPIdentityProviders() []provider.UpstreamLDAPIdentityProviderI
|
|
|
|
}
|
|
|
|
|
2021-07-02 22:30:27 +00:00
|
|
|
type UpstreamActiveDirectoryIdentityProviderLister interface {
|
|
|
|
GetActiveDirectoryIdentityProviders() []provider.UpstreamLDAPIdentityProviderI
|
|
|
|
}
|
|
|
|
|
2021-04-07 23:12:13 +00:00
|
|
|
type UpstreamIdentityProvidersLister interface {
|
|
|
|
UpstreamOIDCIdentityProvidersLister
|
|
|
|
UpstreamLDAPIdentityProvidersLister
|
2021-07-02 22:30:27 +00:00
|
|
|
UpstreamActiveDirectoryIdentityProviderLister
|
2020-11-13 23:59:51 +00:00
|
|
|
}
|
2020-12-08 01:22:34 +00:00
|
|
|
|
|
|
|
func GrantScopeIfRequested(authorizeRequester fosite.AuthorizeRequester, scopeName string) {
|
2020-12-12 01:13:27 +00:00
|
|
|
if ScopeWasRequested(authorizeRequester, scopeName) {
|
|
|
|
authorizeRequester.GrantScope(scopeName)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func ScopeWasRequested(authorizeRequester fosite.AuthorizeRequester, scopeName string) bool {
|
2020-12-08 01:22:34 +00:00
|
|
|
for _, scope := range authorizeRequester.GetRequestedScopes() {
|
|
|
|
if scope == scopeName {
|
2020-12-12 01:13:27 +00:00
|
|
|
return true
|
2020-12-08 01:22:34 +00:00
|
|
|
}
|
|
|
|
}
|
2020-12-12 01:13:27 +00:00
|
|
|
return false
|
2020-12-08 01:22:34 +00:00
|
|
|
}
|
2022-04-26 22:30:39 +00:00
|
|
|
|
|
|
|
func ReadStateParamAndValidateCSRFCookie(r *http.Request, cookieDecoder Decoder, stateDecoder Decoder) (string, *UpstreamStateParamData, error) {
|
|
|
|
csrfValue, err := readCSRFCookie(r, cookieDecoder)
|
|
|
|
if err != nil {
|
|
|
|
return "", nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
encodedState, decodedState, err := readStateParam(r, stateDecoder)
|
|
|
|
if err != nil {
|
|
|
|
return "", nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
err = validateCSRFValue(decodedState, csrfValue)
|
|
|
|
if err != nil {
|
|
|
|
return "", nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return encodedState, decodedState, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func readCSRFCookie(r *http.Request, cookieDecoder Decoder) (csrftoken.CSRFToken, error) {
|
|
|
|
receivedCSRFCookie, err := r.Cookie(CSRFCookieName)
|
|
|
|
if err != nil {
|
|
|
|
// Error means that the cookie was not found
|
|
|
|
return "", httperr.Wrap(http.StatusForbidden, "CSRF cookie is missing", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var csrfFromCookie csrftoken.CSRFToken
|
|
|
|
err = cookieDecoder.Decode(CSRFCookieEncodingName, receivedCSRFCookie.Value, &csrfFromCookie)
|
|
|
|
if err != nil {
|
|
|
|
return "", httperr.Wrap(http.StatusForbidden, "error reading CSRF cookie", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return csrfFromCookie, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func readStateParam(r *http.Request, stateDecoder Decoder) (string, *UpstreamStateParamData, error) {
|
|
|
|
encodedState := r.FormValue("state")
|
|
|
|
|
|
|
|
if encodedState == "" {
|
|
|
|
return "", nil, httperr.New(http.StatusBadRequest, "state param not found")
|
|
|
|
}
|
|
|
|
|
|
|
|
var state UpstreamStateParamData
|
|
|
|
if err := stateDecoder.Decode(
|
|
|
|
UpstreamStateParamEncodingName,
|
|
|
|
r.FormValue("state"),
|
|
|
|
&state,
|
|
|
|
); err != nil {
|
|
|
|
return "", nil, httperr.New(http.StatusBadRequest, "error reading state")
|
|
|
|
}
|
|
|
|
|
|
|
|
if state.FormatVersion != UpstreamStateParamFormatVersion {
|
|
|
|
return "", nil, httperr.New(http.StatusUnprocessableEntity, "state format version is invalid")
|
|
|
|
}
|
|
|
|
|
|
|
|
return encodedState, &state, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func validateCSRFValue(state *UpstreamStateParamData, csrfCookieValue csrftoken.CSRFToken) error {
|
|
|
|
if subtle.ConstantTimeCompare([]byte(state.CSRFToken), []byte(csrfCookieValue)) != 1 {
|
|
|
|
return httperr.New(http.StatusForbidden, "CSRF value does not match")
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2022-04-29 23:01:51 +00:00
|
|
|
|
|
|
|
// FindUpstreamIDPByNameAndType finds the requested IDP by name and type, or returns an error.
|
|
|
|
// Note that AD and LDAP IDPs both return the same interface type, but different ProviderTypes values.
|
|
|
|
func FindUpstreamIDPByNameAndType(
|
|
|
|
idpLister UpstreamIdentityProvidersLister,
|
|
|
|
upstreamName string,
|
|
|
|
upstreamType string,
|
|
|
|
) (
|
|
|
|
provider.UpstreamOIDCIdentityProviderI,
|
|
|
|
provider.UpstreamLDAPIdentityProviderI,
|
|
|
|
psession.ProviderType,
|
|
|
|
error,
|
|
|
|
) {
|
|
|
|
switch upstreamType {
|
|
|
|
case string(v1alpha1.IDPTypeOIDC):
|
|
|
|
for _, p := range idpLister.GetOIDCIdentityProviders() {
|
|
|
|
if p.GetName() == upstreamName {
|
|
|
|
return p, nil, psession.ProviderTypeOIDC, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
case string(v1alpha1.IDPTypeLDAP):
|
|
|
|
for _, p := range idpLister.GetLDAPIdentityProviders() {
|
|
|
|
if p.GetName() == upstreamName {
|
|
|
|
return nil, p, psession.ProviderTypeLDAP, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
case string(v1alpha1.IDPTypeActiveDirectory):
|
|
|
|
for _, p := range idpLister.GetActiveDirectoryIdentityProviders() {
|
|
|
|
if p.GetName() == upstreamName {
|
|
|
|
return nil, p, psession.ProviderTypeActiveDirectory, nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil, nil, "", errors.New("provider not found")
|
|
|
|
}
|
|
|
|
|
|
|
|
// WriteAuthorizeError writes an authorization error as it should be returned by the authorization endpoint and other
|
|
|
|
// similar endpoints that are the end of the downstream authcode flow. Errors responses are written in the usual fosite style.
|
|
|
|
func WriteAuthorizeError(w http.ResponseWriter, oauthHelper fosite.OAuth2Provider, authorizeRequester fosite.AuthorizeRequester, err error, isBrowserless bool) {
|
|
|
|
if plog.Enabled(plog.LevelTrace) {
|
|
|
|
// When trace level logging is enabled, include the stack trace in the log message.
|
|
|
|
keysAndValues := FositeErrorForLog(err)
|
|
|
|
errWithStack := errorsx.WithStack(err)
|
|
|
|
keysAndValues = append(keysAndValues, "errWithStack")
|
|
|
|
// klog always prints error values using %s, which does not include stack traces,
|
|
|
|
// so convert the error to a string which includes the stack trace here.
|
|
|
|
keysAndValues = append(keysAndValues, fmt.Sprintf("%+v", errWithStack))
|
|
|
|
plog.Trace("authorize response error", keysAndValues...)
|
|
|
|
} else {
|
|
|
|
plog.Info("authorize response error", FositeErrorForLog(err)...)
|
|
|
|
}
|
|
|
|
if isBrowserless {
|
|
|
|
w = rewriteStatusSeeOtherToStatusFoundForBrowserless(w)
|
|
|
|
}
|
|
|
|
// Return an error according to OIDC spec 3.1.2.6 (second paragraph).
|
|
|
|
oauthHelper.WriteAuthorizeError(w, authorizeRequester, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// PerformAuthcodeRedirect successfully completes a downstream login by creating a session and
|
|
|
|
// writing the authcode redirect response as it should be returned by the authorization endpoint and other
|
|
|
|
// similar endpoints that are the end of the downstream authcode flow.
|
|
|
|
func PerformAuthcodeRedirect(
|
|
|
|
r *http.Request,
|
|
|
|
w http.ResponseWriter,
|
|
|
|
oauthHelper fosite.OAuth2Provider,
|
|
|
|
authorizeRequester fosite.AuthorizeRequester,
|
|
|
|
openIDSession *psession.PinnipedSession,
|
|
|
|
isBrowserless bool,
|
|
|
|
) {
|
|
|
|
authorizeResponder, err := oauthHelper.NewAuthorizeResponse(r.Context(), authorizeRequester, openIDSession)
|
|
|
|
if err != nil {
|
|
|
|
plog.WarningErr("error while generating and saving authcode", err)
|
|
|
|
WriteAuthorizeError(w, oauthHelper, authorizeRequester, err, isBrowserless)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if isBrowserless {
|
|
|
|
w = rewriteStatusSeeOtherToStatusFoundForBrowserless(w)
|
|
|
|
}
|
|
|
|
oauthHelper.WriteAuthorizeResponse(w, authorizeRequester, authorizeResponder)
|
|
|
|
}
|
|
|
|
|
|
|
|
func rewriteStatusSeeOtherToStatusFoundForBrowserless(w http.ResponseWriter) http.ResponseWriter {
|
|
|
|
// rewrite http.StatusSeeOther to http.StatusFound for backwards compatibility with old pinniped CLIs.
|
|
|
|
// we can drop this in a few releases once we feel enough time has passed for users to update.
|
|
|
|
//
|
|
|
|
// WriteAuthorizeResponse/WriteAuthorizeError calls used to result in http.StatusFound until
|
|
|
|
// https://github.com/ory/fosite/pull/636 changed it to http.StatusSeeOther to address
|
|
|
|
// https://tools.ietf.org/id/draft-ietf-oauth-security-topics-18.html#section-4.11
|
|
|
|
// Safari has the bad behavior in the case of http.StatusFound and not just http.StatusTemporaryRedirect.
|
|
|
|
//
|
|
|
|
// in the browserless flows, the OAuth client is the pinniped CLI and it already has access to the user's
|
|
|
|
// password. Thus there is no security issue with using http.StatusFound vs. http.StatusSeeOther.
|
|
|
|
return httpsnoop.Wrap(w, httpsnoop.Hooks{
|
|
|
|
WriteHeader: func(delegate httpsnoop.WriteHeaderFunc) httpsnoop.WriteHeaderFunc {
|
|
|
|
return func(code int) {
|
|
|
|
if code == http.StatusSeeOther {
|
|
|
|
code = http.StatusFound
|
|
|
|
}
|
|
|
|
delegate(code)
|
|
|
|
}
|
|
|
|
},
|
|
|
|
})
|
|
|
|
}
|