ContainerImage.Pinniped/internal/federationdomain/federationdomainproviders/federation_domain_issuer.go

// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package federationdomainproviders

import (
	"fmt"
	"net/url"
	"strings"

	"go.pinniped.dev/internal/constable"
)

// FederationDomainIssuer is a parsed FederationDomain representing all the settings for a downstream OIDC provider
// and contains configuration representing a set of upstream identity providers.
type FederationDomainIssuer struct {
	issuer     string
	issuerHost string
	issuerPath string

	// identityProviders should be used when they are explicitly specified in the FederationDomain's spec.
	identityProviders []*FederationDomainIdentityProvider
	// defaultIdentityProvider should be used only for the backwards compatibility mode where identity providers
	// are not explicitly specified in the FederationDomain's spec, and there is exactly one IDP CR defined in the
	// Supervisor's namespace.
	defaultIdentityProvider *FederationDomainIdentityProvider
}

// NewFederationDomainIssuer returns a FederationDomainIssuer.
// Performs validation, and returns any error from validation.
func NewFederationDomainIssuer(
	issuer string,
	identityProviders []*FederationDomainIdentityProvider,
) (*FederationDomainIssuer, error) {
	p := FederationDomainIssuer{issuer: issuer, identityProviders: identityProviders}
	err := p.validateURL()
	if err != nil {
		return nil, err
	}
	return &p, nil
}

func NewFederationDomainIssuerWithDefaultIDP(
	issuer string,
	defaultIdentityProvider *FederationDomainIdentityProvider,
) (*FederationDomainIssuer, error) {
	fdi, err := NewFederationDomainIssuer(issuer, []*FederationDomainIdentityProvider{defaultIdentityProvider})
	if err != nil {
		return nil, err
	}
	fdi.defaultIdentityProvider = defaultIdentityProvider
	return fdi, nil
}

func (p *FederationDomainIssuer) validateURL() error {
	if p.issuer == "" {
		return constable.Error("federation domain must have an issuer")
	}

	issuerURL, err := url.Parse(p.issuer)
	if err != nil {
		return fmt.Errorf("could not parse issuer as URL: %w", err)
	}

	if issuerURL.Scheme != "https" {
		return constable.Error(`issuer must have "https" scheme`)
	}

	if issuerURL.Hostname() == "" {
		return constable.Error(`issuer must have a hostname`)
	}

	if issuerURL.User != nil {
		return constable.Error(`issuer must not have username or password`)
	}

	if strings.HasSuffix(issuerURL.Path, "/") {
		return constable.Error(`issuer must not have trailing slash in path`)
	}

	if issuerURL.RawQuery != "" {
		return constable.Error(`issuer must not have query`)
	}

	if issuerURL.Fragment != "" {
		return constable.Error(`issuer must not have fragment`)
	}

	p.issuerHost = issuerURL.Host
	p.issuerPath = issuerURL.Path

	return nil
}

// Issuer returns the issuer.
func (p *FederationDomainIssuer) Issuer() string {
	return p.issuer
}

// IssuerHost returns the issuerHost.
func (p *FederationDomainIssuer) IssuerHost() string {
	return p.issuerHost
}

// IssuerPath returns the issuerPath.
func (p *FederationDomainIssuer) IssuerPath() string {
	return p.issuerPath
}

// IdentityProviders returns the IdentityProviders.
func (p *FederationDomainIssuer) IdentityProviders() []*FederationDomainIdentityProvider {
	return p.identityProviders
}

// DefaultIdentityProvider will return nil when there is no default.
func (p *FederationDomainIssuer) DefaultIdentityProvider() *FederationDomainIdentityProvider {
	return p.defaultIdentityProvider
}
Fix godoc 2023-06-07 23:07:43 +00:00			`// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`// SPDX-License-Identifier: Apache-2.0`

Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com> 2023-06-22 20:12:50 +00:00			`package federationdomainproviders`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00
			`import (`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`"fmt"`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`"net/url"`
			`"strings"`

			`"go.pinniped.dev/internal/constable"`
			`)`

Reorganized FederationDomain packages to avoid circular dependency Co-authored-by: Ryan Richard <richardry@vmware.com> 2023-06-22 20:12:50 +00:00			`// FederationDomainIssuer is a parsed FederationDomain representing all the settings for a downstream OIDC provider`
			`// and contains configuration representing a set of upstream identity providers.`
Rename all "op" and "opc" usages Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-17 19:34:49 +00:00			`type FederationDomainIssuer struct {`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`issuer string`
			`issuerHost string`
			`issuerPath string`
First draft of implementation of multiple IDPs support 2023-05-08 21:07:38 +00:00
			`// identityProviders should be used when they are explicitly specified in the FederationDomain's spec.`
			`identityProviders []*FederationDomainIdentityProvider`
			`// defaultIdentityProvider should be used only for the backwards compatibility mode where identity providers`
			`// are not explicitly specified in the FederationDomain's spec, and there is exactly one IDP CR defined in the`
			`// Supervisor's namespace.`
			`defaultIdentityProvider *FederationDomainIdentityProvider`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

Fix godoc 2023-06-07 23:07:43 +00:00			`// NewFederationDomainIssuer returns a FederationDomainIssuer.`
			`// Performs validation, and returns any error from validation.`
First draft of implementation of multiple IDPs support 2023-05-08 21:07:38 +00:00			`func NewFederationDomainIssuer(`
			`issuer string,`
			`identityProviders []*FederationDomainIdentityProvider,`
			`) (*FederationDomainIssuer, error) {`
			`p := FederationDomainIssuer{issuer: issuer, identityProviders: identityProviders}`
			`err := p.validateURL()`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return &p, nil`
			`}`

First draft of implementation of multiple IDPs support 2023-05-08 21:07:38 +00:00			`func NewFederationDomainIssuerWithDefaultIDP(`
			`issuer string,`
			`defaultIdentityProvider *FederationDomainIdentityProvider,`
			`) (*FederationDomainIssuer, error) {`
			`fdi, err := NewFederationDomainIssuer(issuer, []*FederationDomainIdentityProvider{defaultIdentityProvider})`
			`if err != nil {`
			`return nil, err`
			`}`
			`fdi.defaultIdentityProvider = defaultIdentityProvider`
			`return fdi, nil`
			`}`

			`func (p *FederationDomainIssuer) validateURL() error {`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`if p.issuer == "" {`
Rename all "op" and "opc" usages Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-17 19:34:49 +00:00			`return constable.Error("federation domain must have an issuer")`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`issuerURL, err := url.Parse(p.issuer)`
			`if err != nil {`
			`return fmt.Errorf("could not parse issuer as URL: %w", err)`
			`}`

Require `https` scheme for OIDCProviderConfig Issuer field Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-10-28 19:49:41 +00:00			`if issuerURL.Scheme != "https" {`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			return constable.Error(`issuer must have "https" scheme`)
			`}`

Backfill test cases 2023-06-08 02:33:54 +00:00			`if issuerURL.Hostname() == "" {`
			return constable.Error(`issuer must have a hostname`)
			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`if issuerURL.User != nil {`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			return constable.Error(`issuer must not have username or password`)
			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`if strings.HasSuffix(issuerURL.Path, "/") {`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			return constable.Error(`issuer must not have trailing slash in path`)
			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`if issuerURL.RawQuery != "" {`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			return constable.Error(`issuer must not have query`)
			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`if issuerURL.Fragment != "" {`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			return constable.Error(`issuer must not have fragment`)
			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`p.issuerHost = issuerURL.Host`
			`p.issuerPath = issuerURL.Path`

Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`return nil`
			`}`

Fix lint 2023-07-07 16:52:32 +00:00			`// Issuer returns the issuer.`
Rename all "op" and "opc" usages Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-17 19:34:49 +00:00			`func (p *FederationDomainIssuer) Issuer() string {`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`return p.issuer`
			`}`

Fix lint 2023-07-07 16:52:32 +00:00			`// IssuerHost returns the issuerHost.`
Rename all "op" and "opc" usages Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-17 19:34:49 +00:00			`func (p *FederationDomainIssuer) IssuerHost() string {`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`return p.issuerHost`
			`}`

Fix lint 2023-07-07 16:52:32 +00:00			`// IssuerPath returns the issuerPath.`
Rename all "op" and "opc" usages Signed-off-by: Aram Price <pricear@vmware.com> 2020-12-17 19:34:49 +00:00			`func (p *FederationDomainIssuer) IssuerPath() string {`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`return p.issuerPath`
			`}`
First draft of implementation of multiple IDPs support 2023-05-08 21:07:38 +00:00
			`// IdentityProviders returns the IdentityProviders.`
			`func (p FederationDomainIssuer) IdentityProviders() []FederationDomainIdentityProvider {`
			`return p.identityProviders`
			`}`

			`// DefaultIdentityProvider will return nil when there is no default.`
			`func (p FederationDomainIssuer) DefaultIdentityProvider() FederationDomainIdentityProvider {`
			`return p.defaultIdentityProvider`
			`}`