2020-11-13 17:31:39 +00:00
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
|
|
// Package callback provides a handler for the OIDC callback endpoint.
|
|
|
|
|
package callback
|
|
|
|
|
|
|
|
|
|
import (
|
2020-11-16 22:07:34 +00:00
|
|
|
"fmt"
|
2020-11-13 17:31:39 +00:00
|
|
|
"net/http"
|
2020-11-16 22:07:34 +00:00
|
|
|
"net/url"
|
2020-11-13 23:59:51 +00:00
|
|
|
"path"
|
2020-11-13 17:31:39 +00:00
|
|
|
|
|
|
|
|
"go.pinniped.dev/internal/httputil/httperr"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc"
|
2020-11-16 16:47:49 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/csrftoken"
|
2020-11-13 23:59:51 +00:00
|
|
|
"go.pinniped.dev/internal/oidc/provider"
|
2020-11-16 19:41:00 +00:00
|
|
|
"go.pinniped.dev/internal/plog"
|
2020-11-13 17:31:39 +00:00
|
|
|
)
|
|
|
|
|
|
2020-11-13 23:59:51 +00:00
|
|
|
func NewHandler(
|
|
|
|
|
idpListGetter oidc.IDPListGetter,
|
2020-11-16 19:41:00 +00:00
|
|
|
stateDecoder, cookieDecoder oidc.Decoder,
|
2020-11-13 23:59:51 +00:00
|
|
|
) http.Handler {
|
2020-11-13 17:31:39 +00:00
|
|
|
return httperr.HandlerFunc(func(w http.ResponseWriter, r *http.Request) error {
|
2020-11-16 22:07:34 +00:00
|
|
|
state, err := validateRequest(r, stateDecoder, cookieDecoder)
|
|
|
|
|
if err != nil {
|
2020-11-16 16:47:49 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-13 23:59:51 +00:00
|
|
|
if findUpstreamIDPConfig(r, idpListGetter) == nil {
|
2020-11-16 19:41:00 +00:00
|
|
|
plog.Warning("upstream provider not found")
|
2020-11-13 23:59:51 +00:00
|
|
|
return httperr.New(http.StatusUnprocessableEntity, "upstream provider not found")
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
downstreamAuthParams, err := url.ParseQuery(state.AuthParams)
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
downstreamCallbackURL := fmt.Sprintf(
|
|
|
|
|
"%s?code=%s&state=%s",
|
|
|
|
|
downstreamAuthParams.Get("redirect_uri"),
|
|
|
|
|
url.QueryEscape("some-code"),
|
|
|
|
|
url.QueryEscape(downstreamAuthParams.Get("state")),
|
|
|
|
|
)
|
|
|
|
|
http.Redirect(w, r, downstreamCallbackURL, 302)
|
|
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
return nil
|
2020-11-13 17:31:39 +00:00
|
|
|
})
|
|
|
|
|
}
|
2020-11-13 23:59:51 +00:00
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
func validateRequest(r *http.Request, stateDecoder, cookieDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
|
2020-11-16 19:41:00 +00:00
|
|
|
if r.Method != http.MethodGet {
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.Newf(http.StatusMethodNotAllowed, "%s (try GET)", r.Method)
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
csrfValue, err := readCSRFCookie(r, cookieDecoder)
|
|
|
|
|
if err != nil {
|
|
|
|
|
plog.InfoErr("error reading CSRF cookie", err)
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, err
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if r.FormValue("code") == "" {
|
|
|
|
|
plog.Info("code param not found")
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.New(http.StatusBadRequest, "code param not found")
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if r.FormValue("state") == "" {
|
|
|
|
|
plog.Info("state param not found")
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.New(http.StatusBadRequest, "state param not found")
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
state, err := readState(r, stateDecoder)
|
|
|
|
|
if err != nil {
|
|
|
|
|
plog.InfoErr("error reading state", err)
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, err
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if state.CSRFToken != csrfValue {
|
|
|
|
|
plog.InfoErr("CSRF value does not match", err)
|
2020-11-16 22:07:34 +00:00
|
|
|
return nil, httperr.Wrap(http.StatusForbidden, "CSRF value does not match", err)
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
2020-11-16 22:07:34 +00:00
|
|
|
return state, nil
|
2020-11-16 19:41:00 +00:00
|
|
|
}
|
|
|
|
|
|
2020-11-13 23:59:51 +00:00
|
|
|
func findUpstreamIDPConfig(r *http.Request, idpListGetter oidc.IDPListGetter) *provider.UpstreamOIDCIdentityProvider {
|
|
|
|
|
_, lastPathComponent := path.Split(r.URL.Path)
|
|
|
|
|
for _, p := range idpListGetter.GetIDPList() {
|
|
|
|
|
if p.Name == lastPathComponent {
|
|
|
|
|
return &p
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-11-16 16:47:49 +00:00
|
|
|
|
2020-11-16 19:41:00 +00:00
|
|
|
func readCSRFCookie(r *http.Request, cookieDecoder oidc.Decoder) (csrftoken.CSRFToken, error) {
|
2020-11-16 16:47:49 +00:00
|
|
|
receivedCSRFCookie, err := r.Cookie(oidc.CSRFCookieName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// Error means that the cookie was not found
|
2020-11-16 19:41:00 +00:00
|
|
|
return "", httperr.Wrap(http.StatusForbidden, "CSRF cookie is missing", err)
|
2020-11-16 16:47:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var csrfFromCookie csrftoken.CSRFToken
|
|
|
|
|
err = cookieDecoder.Decode(oidc.CSRFCookieEncodingName, receivedCSRFCookie.Value, &csrfFromCookie)
|
|
|
|
|
if err != nil {
|
2020-11-16 19:41:00 +00:00
|
|
|
return "", httperr.Wrap(http.StatusForbidden, "error reading CSRF cookie", err)
|
2020-11-16 16:47:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return csrfFromCookie, nil
|
|
|
|
|
}
|
2020-11-16 19:41:00 +00:00
|
|
|
|
|
|
|
|
func readState(r *http.Request, stateDecoder oidc.Decoder) (*oidc.UpstreamStateParamData, error) {
|
|
|
|
|
var state oidc.UpstreamStateParamData
|
|
|
|
|
if err := stateDecoder.Decode(
|
|
|
|
|
oidc.UpstreamStateParamEncodingName,
|
|
|
|
|
r.FormValue("state"),
|
|
|
|
|
&state,
|
|
|
|
|
); err != nil {
|
|
|
|
|
return nil, httperr.New(http.StatusBadRequest, "error reading state")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if state.FormatVersion != oidc.UpstreamStateParamFormatVersion {
|
|
|
|
|
return nil, httperr.New(http.StatusUnprocessableEntity, "state format version is invalid")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &state, nil
|
|
|
|
|
}
|
