ContainerImage.Pinniped/internal/fositestorage/pkce/pkce.go

// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package pkce

import (
	"context"
	"fmt"
	"time"

	"github.com/ory/fosite"
	"github.com/ory/fosite/handler/pkce"
	"k8s.io/apimachinery/pkg/api/errors"
	corev1client "k8s.io/client-go/kubernetes/typed/core/v1"

	"go.pinniped.dev/internal/constable"
	"go.pinniped.dev/internal/crud"
	"go.pinniped.dev/internal/fositestorage"
	"go.pinniped.dev/internal/oidc/clientregistry"
	"go.pinniped.dev/internal/psession"
)

const (
	TypeLabelValue = "pkce"

	ErrInvalidPKCERequestVersion = constable.Error("pkce request data has wrong version")
	ErrInvalidPKCERequestData    = constable.Error("pkce request data must be present")

	// Version 1 was the initial release of storage.
	// Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request.
	// Version 3 is when we added the Username field to the psession.CustomSessionData.
	// Version 4 is when fosite added json tags to their openid.DefaultSession struct.
	pkceStorageVersion = "4"
)

var _ pkce.PKCERequestStorage = &pkceStorage{}

type pkceStorage struct {
	storage crud.Storage
}

type session struct {
	Request *fosite.Request `json:"request"`
	Version string          `json:"version"`
}

func New(secrets corev1client.SecretInterface, clock func() time.Time, sessionStorageLifetime time.Duration) pkce.PKCERequestStorage {
	return &pkceStorage{storage: crud.New(TypeLabelValue, secrets, clock, sessionStorageLifetime)}
}

func (a *pkceStorage) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error {
	request, err := fositestorage.ValidateAndExtractAuthorizeRequest(requester)
	if err != nil {
		return err
	}

	_, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil, nil)
	return err
}

func (a *pkceStorage) GetPKCERequestSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
	session, _, err := a.getSession(ctx, signature)

	if err != nil {
		return nil, err
	}

	return session.Request, err
}

func (a *pkceStorage) DeletePKCERequestSession(ctx context.Context, signature string) error {
	return a.storage.Delete(ctx, signature)
}

func (a *pkceStorage) getSession(ctx context.Context, signature string) (*session, string, error) {
	session := newValidEmptyPKCESession()
	rv, err := a.storage.Get(ctx, signature, session)

	if errors.IsNotFound(err) {
		return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())
	}

	if err != nil {
		return nil, "", fmt.Errorf("failed to get pkce session for %s: %w", signature, err)
	}

	if version := session.Version; version != pkceStorageVersion {
		return nil, "", fmt.Errorf("%w: pkce session for %s has version %s instead of %s",
			ErrInvalidPKCERequestVersion, signature, version, pkceStorageVersion)
	}

	if session.Request.ID == "" {
		return nil, "", fmt.Errorf("malformed pkce session for %s: %w", signature, ErrInvalidPKCERequestData)
	}

	return session, rv, nil
}

func newValidEmptyPKCESession() *session {
	return &session{
		Request: &fosite.Request{
			Client:  &clientregistry.Client{},
			Session: &psession.PinnipedSession{},
		},
	}
}
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc" 2022-08-08 23:29:22 +00:00			`// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package pkce`

			`import (`
			`"context"`
			`"fmt"`
KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-10 22:47:58 +00:00			`"time"`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00
			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/handler/pkce"`
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`"k8s.io/apimachinery/pkg/api/errors"`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`corev1client "k8s.io/client-go/kubernetes/typed/core/v1"`

			`"go.pinniped.dev/internal/constable"`
			`"go.pinniped.dev/internal/crud"`
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`"go.pinniped.dev/internal/fositestorage"`
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-06-15 16:27:30 +00:00			`"go.pinniped.dev/internal/oidc/clientregistry"`
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-10-06 22:28:13 +00:00			`"go.pinniped.dev/internal/psession"`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`)`

			`const (`
Make assertions about how many secrets were stored by fosite in tests In both callback_handler_test.go and token_handler_test.go Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-04 23:40:17 +00:00			`TypeLabelValue = "pkce"`

Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`ErrInvalidPKCERequestVersion = constable.Error("pkce request data has wrong version")`
			`ErrInvalidPKCERequestData = constable.Error("pkce request data must be present")`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00
Lots of small updates based on PR feedback 2021-10-20 22:53:25 +00:00			`// Version 1 was the initial release of storage.`
			`// Version 2 is when we switched to storing psession.PinnipedSession inside the fosite request.`
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc" 2022-08-08 23:29:22 +00:00			`// Version 3 is when we added the Username field to the psession.CustomSessionData.`
Upgrade project Go dependencies Most of the changes in this commit are because of these fosite PRs which changed behavior and/or APIs in fosite: - https://github.com/ory/fosite/pull/667 - https://github.com/ory/fosite/pull/679 (from me!) - https://github.com/ory/fosite/pull/675 - https://github.com/ory/fosite/pull/688 Due to the changes in fosite PR #688, we need to bump our storage version for anything which stores the DefaultSession struct as JSON. 2022-12-14 00:18:51 +00:00			`// Version 4 is when fosite added json tags to their openid.DefaultSession struct.`
			`pkceStorageVersion = "4"`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`)`

			`var _ pkce.PKCERequestStorage = &pkceStorage{}`

			`type pkceStorage struct {`
			`storage crud.Storage`
			`}`

			`type session struct {`
			Request *fosite.Request `json:"request"`
			Version string `json:"version"`
			`}`

KubeStorage annotates every Secret with garbage-collect-after timestamp Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-10 22:47:58 +00:00			`func New(secrets corev1client.SecretInterface, clock func() time.Time, sessionStorageLifetime time.Duration) pkce.PKCERequestStorage {`
			`return &pkceStorage{storage: crud.New(TypeLabelValue, secrets, clock, sessionStorageLifetime)}`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`}`

			`func (a *pkceStorage) CreatePKCERequestSession(ctx context.Context, signature string, requester fosite.Requester) error {`
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`request, err := fositestorage.ValidateAndExtractAuthorizeRequest(requester)`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`if err != nil {`
			`return err`
			`}`

Implement the OIDCClientSecretRequest API This commit is a WIP commit because it doesn't include many tests for the new feature. Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Benjamin A. Petersen <ben@benjaminapetersen.me> 2022-08-26 17:57:45 +00:00			`_, err = a.storage.Create(ctx, signature, &session{Request: request, Version: pkceStorageVersion}, nil, nil)`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`return err`
			`}`

			`func (a *pkceStorage) GetPKCERequestSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {`
			`session, _, err := a.getSession(ctx, signature)`

			`if err != nil {`
			`return nil, err`
			`}`

			`return session.Request, err`
			`}`

			`func (a *pkceStorage) DeletePKCERequestSession(ctx context.Context, signature string) error {`
			`return a.storage.Delete(ctx, signature)`
			`}`

			`func (a pkceStorage) getSession(ctx context.Context, signature string) (session, string, error) {`
			`session := newValidEmptyPKCESession()`
			`rv, err := a.storage.Get(ctx, signature, session)`

Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`if errors.IsNotFound(err) {`
Update fosite error usage. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-17 20:09:19 +00:00			`return nil, "", fosite.ErrNotFound.WithWrap(err).WithDebug(err.Error())`
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`}`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00
			`if err != nil {`
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`return nil, "", fmt.Errorf("failed to get pkce session for %s: %w", signature, err)`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`}`

Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`if version := session.Version; version != pkceStorageVersion {`
			`return nil, "", fmt.Errorf("%w: pkce session for %s has version %s instead of %s",`
			`ErrInvalidPKCERequestVersion, signature, version, pkceStorageVersion)`
			`}`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00
Finished tests for pkce storage and added it to kubestorage - Also fixed some lint errors with v1.33.0 of the linter Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-01 22:53:22 +00:00			`if session.Request.ID == "" {`
			`return nil, "", fmt.Errorf("malformed pkce session for %s: %w", signature, ErrInvalidPKCERequestData)`
			`}`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00
			`return session, rv, nil`
			`}`

			`func newValidEmptyPKCESession() *session {`
			`return &session{`
			`Request: &fosite.Request{`
Use a custom type for our static CLI client (smaller change). Before this change, we used the `fosite.DefaultOpenIDConnectClient{}` struct, which implements the `fosite.Client` and `fosite.OpenIDConnectClient` interfaces. For a future change, we also need to implement some additional optional interfaces, so we can no longer use the provided default types. Instead, we now use a custom `clientregistry.Client{}` struct, which implements all the requisite interfaces and can be extended to handle the new functionality (in a future change). There is also a new `clientregistry.StaticRegistry{}` struct, which implements the `fosite.ClientManager` and looks up our single static client. We could potentially extend this in the future with a registry backed by Kubernetes API, for example. This should be 100% refactor, with no user-observable change. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2021-06-15 16:27:30 +00:00			`Client: &clientregistry.Client{},`
Use PinnipedSession type instead of fosite's DefaultSesssion type This will allow us to store custom data inside the fosite session storage for all downstream OIDC sessions. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2021-10-06 22:28:13 +00:00			`Session: &psession.PinnipedSession{},`
WIP towards using k8s fosite storage in the supervisor's callback endpoint - Note that this WIP commit includes a failing unit test, which will be addressed in the next commit Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-01 19:01:23 +00:00			`},`
			`}`
			`}`