ContainerImage.Pinniped/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package oidc

import (
	"context"
	"crypto/ecdsa"
	"reflect"

	"github.com/ory/fosite"
	"github.com/ory/fosite/compose"
	"github.com/ory/fosite/handler/openid"

	"go.pinniped.dev/internal/constable"
	"go.pinniped.dev/internal/oidc/jwks"
	"go.pinniped.dev/internal/plog"
)

// dynamicOpenIDConnectECDSAStrategy is an openid.OpenIDConnectTokenStrategy that can dynamically
// load a signing key to issue ID tokens. We want this dynamic capability since our controllers for
// loading FederationDomain's and signing keys run in parallel, and thus the signing key might not be
// ready when an FederationDomain is otherwise ready.
//
// If we ever update FederationDomain's to hold their signing key, we might not need this type, since we
// could have an invariant that routes to an FederationDomain's endpoints are only wired up if an
// FederationDomain has a valid signing key.
type dynamicOpenIDConnectECDSAStrategy struct {
	fositeConfig *compose.Config
	jwksProvider jwks.DynamicJWKSProvider
}

var _ openid.OpenIDConnectTokenStrategy = &dynamicOpenIDConnectECDSAStrategy{}

func newDynamicOpenIDConnectECDSAStrategy(
	fositeConfig *compose.Config,
	jwksProvider jwks.DynamicJWKSProvider,
) *dynamicOpenIDConnectECDSAStrategy {
	return &dynamicOpenIDConnectECDSAStrategy{
		fositeConfig: fositeConfig,
		jwksProvider: jwksProvider,
	}
}

func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken(
	ctx context.Context,
	requester fosite.Requester,
) (string, error) {
	_, activeJwk := s.jwksProvider.GetJWKS(s.fositeConfig.IDTokenIssuer)
	if activeJwk == nil {
		plog.Debug("no JWK found for issuer", "issuer", s.fositeConfig.IDTokenIssuer)
		return "", fosite.ErrTemporarilyUnavailable.WithWrap(constable.Error("no JWK found for issuer"))
	}
	key, ok := activeJwk.Key.(*ecdsa.PrivateKey)
	if !ok {
		actualType := "nil"
		if t := reflect.TypeOf(activeJwk.Key); t != nil {
			actualType = t.String()
		}
		plog.Debug(
			"JWK must be of type ecdsa",
			"issuer",
			s.fositeConfig.IDTokenIssuer,
			"actualType",
			actualType,
		)
		return "", fosite.ErrServerError.WithWrap(constable.Error("JWK must be of type ecdsa"))
	}

	return compose.NewOpenIDConnectECDSAStrategy(s.fositeConfig, key).GenerateIDToken(ctx, requester)
}
Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-09 00:28:01 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-03 20:34:58 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package oidc`

			`import (`
			`"context"`
Passing signing key through to the token endpoint 2020-12-04 01:16:08 +00:00			`"crypto/ecdsa"`
Add logging in dynamic OIDC ECDSA strategy I'm worried that these errors are going to be really burried from the user, so add some log statements to try to make them a tiny bit more observable. Also follow some of our error message convetions by using lowercase error messages. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 14:05:39 +00:00			`"reflect"`
Passing signing key through to the token endpoint 2020-12-04 01:16:08 +00:00
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-03 20:34:58 +00:00			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/compose"`
			`"github.com/ory/fosite/handler/openid"`

Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-09 00:28:01 +00:00			`"go.pinniped.dev/internal/constable"`
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-03 20:34:58 +00:00			`"go.pinniped.dev/internal/oidc/jwks"`
Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-09 00:28:01 +00:00			`"go.pinniped.dev/internal/plog"`
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-03 20:34:58 +00:00			`)`

Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00			`// dynamicOpenIDConnectECDSAStrategy is an openid.OpenIDConnectTokenStrategy that can dynamically`
			`// load a signing key to issue ID tokens. We want this dynamic capability since our controllers for`
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-16 22:27:09 +00:00			`// loading FederationDomain's and signing keys run in parallel, and thus the signing key might not be`
			`// ready when an FederationDomain is otherwise ready.`
Cleanup code via TODOs accumulated during token endpoint work We opened https://github.com/vmware-tanzu/pinniped/issues/254 for the TODO in dynamicOpenIDConnectECDSAStrategy.GenerateToken(). This commit also ensures that linting and unit tests are passing again. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 15:06:55 +00:00			`//`
Rename off of main Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-12-16 22:27:09 +00:00			`// If we ever update FederationDomain's to hold their signing key, we might not need this type, since we`
			`// could have an invariant that routes to an FederationDomain's endpoints are only wired up if an`
			`// FederationDomain has a valid signing key.`
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-03 20:34:58 +00:00			`type dynamicOpenIDConnectECDSAStrategy struct {`
			`fositeConfig *compose.Config`
			`jwksProvider jwks.DynamicJWKSProvider`
			`}`

			`var _ openid.OpenIDConnectTokenStrategy = &dynamicOpenIDConnectECDSAStrategy{}`

			`func newDynamicOpenIDConnectECDSAStrategy(`
			`fositeConfig *compose.Config,`
			`jwksProvider jwks.DynamicJWKSProvider,`
			`) *dynamicOpenIDConnectECDSAStrategy {`
			`return &dynamicOpenIDConnectECDSAStrategy{`
			`fositeConfig: fositeConfig,`
			`jwksProvider: jwksProvider,`
			`}`
			`}`

			`func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken(`
			`ctx context.Context,`
			`requester fosite.Requester,`
			`) (string, error) {`
Passing signing key through to the token endpoint 2020-12-04 01:16:08 +00:00			`_, activeJwk := s.jwksProvider.GetJWKS(s.fositeConfig.IDTokenIssuer)`
			`if activeJwk == nil {`
Add logging in dynamic OIDC ECDSA strategy I'm worried that these errors are going to be really burried from the user, so add some log statements to try to make them a tiny bit more observable. Also follow some of our error message convetions by using lowercase error messages. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 14:05:39 +00:00			`plog.Debug("no JWK found for issuer", "issuer", s.fositeConfig.IDTokenIssuer)`
Update fosite error usage. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-17 20:09:19 +00:00			`return "", fosite.ErrTemporarilyUnavailable.WithWrap(constable.Error("no JWK found for issuer"))`
Passing signing key through to the token endpoint 2020-12-04 01:16:08 +00:00			`}`
			`key, ok := activeJwk.Key.(*ecdsa.PrivateKey)`
			`if !ok {`
Add logging in dynamic OIDC ECDSA strategy I'm worried that these errors are going to be really burried from the user, so add some log statements to try to make them a tiny bit more observable. Also follow some of our error message convetions by using lowercase error messages. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-12-04 14:05:39 +00:00			`actualType := "nil"`
			`if t := reflect.TypeOf(activeJwk.Key); t != nil {`
			`actualType = t.String()`
			`}`
			`plog.Debug(`
			`"JWK must be of type ecdsa",`
			`"issuer",`
			`s.fositeConfig.IDTokenIssuer,`
			`"actualType",`
			`actualType,`
			`)`
Update fosite error usage. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-17 20:09:19 +00:00			`return "", fosite.ErrServerError.WithWrap(constable.Error("JWK must be of type ecdsa"))`
Passing signing key through to the token endpoint 2020-12-04 01:16:08 +00:00			`}`

			`return compose.NewOpenIDConnectECDSAStrategy(s.fositeConfig, key).GenerateIDToken(ctx, requester)`
WIP: start to wire signing key into token handler This commit includes a failing test (amongst other compiler failures) for the dynamic signing key fetcher that we will inject into fosite. We are checking it in so that we can pass the WIP off. Signed-off-by: Margo Crawford <margaretc@vmware.com> 2020-12-03 20:34:58 +00:00			`}`