ContainerImage.Pinniped/internal/upstreamoidc/upstreamoidc.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

// Package upstreamoidc implements an abstraction of upstream OIDC provider interactions.
package upstreamoidc

import (
	"context"
	"net/http"
	"net/url"

	"github.com/coreos/go-oidc"
	"golang.org/x/oauth2"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	"go.pinniped.dev/internal/httputil/httperr"
	"go.pinniped.dev/internal/oidc/provider"
	"go.pinniped.dev/pkg/oidcclient/nonce"
	"go.pinniped.dev/pkg/oidcclient/oidctypes"
	"go.pinniped.dev/pkg/oidcclient/pkce"
)

func New(config *oauth2.Config, provider *oidc.Provider, client *http.Client) provider.UpstreamOIDCIdentityProviderI {
	return &ProviderConfig{Config: config, Provider: provider, Client: client}
}

// ProviderConfig holds the active configuration of an upstream OIDC provider.
type ProviderConfig struct {
	Name          string
	UsernameClaim string
	GroupsClaim   string
	Config        *oauth2.Config
	Provider      interface {
		Verifier(*oidc.Config) *oidc.IDTokenVerifier
	}
	Client *http.Client
}

func (p *ProviderConfig) GetName() string {
	return p.Name
}

func (p *ProviderConfig) GetClientID() string {
	return p.Config.ClientID
}

func (p *ProviderConfig) GetAuthorizationURL() *url.URL {
	result, _ := url.Parse(p.Config.Endpoint.AuthURL)
	return result
}

func (p *ProviderConfig) GetScopes() []string {
	return p.Config.Scopes
}

func (p *ProviderConfig) GetUsernameClaim() string {
	return p.UsernameClaim
}

func (p *ProviderConfig) GetGroupsClaim() string {
	return p.GroupsClaim
}

func (p *ProviderConfig) ExchangeAuthcodeAndValidateTokens(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce, redirectURI string) (*oidctypes.Token, error) {
	tok, err := p.Config.Exchange(
		oidc.ClientContext(ctx, p.Client),
		authcode,
		pkceCodeVerifier.Verifier(),
		oauth2.SetAuthURLParam("redirect_uri", redirectURI),
	)
	if err != nil {
		return nil, err
	}

	return p.ValidateToken(ctx, tok, expectedIDTokenNonce)
}

func (p *ProviderConfig) ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error) {
	idTok, hasIDTok := tok.Extra("id_token").(string)
	if !hasIDTok {
		return nil, httperr.New(http.StatusBadRequest, "received response missing ID token")
	}
	validated, err := p.Provider.Verifier(&oidc.Config{ClientID: p.GetClientID()}).Verify(oidc.ClientContext(ctx, p.Client), idTok)
	if err != nil {
		return nil, httperr.Wrap(http.StatusBadRequest, "received invalid ID token", err)
	}
	if validated.AccessTokenHash != "" {
		if err := validated.VerifyAccessToken(tok.AccessToken); err != nil {
			return nil, httperr.Wrap(http.StatusBadRequest, "received invalid ID token", err)
		}
	}
	if expectedIDTokenNonce != "" {
		if err := expectedIDTokenNonce.Validate(validated); err != nil {
			return nil, httperr.Wrap(http.StatusBadRequest, "received ID token with invalid nonce", err)
		}
	}

	var validatedClaims map[string]interface{}
	if err := validated.Claims(&validatedClaims); err != nil {
		return nil, httperr.Wrap(http.StatusInternalServerError, "could not unmarshal claims", err)
	}

	return &oidctypes.Token{
		AccessToken: &oidctypes.AccessToken{
			Token:  tok.AccessToken,
			Type:   tok.TokenType,
			Expiry: metav1.NewTime(tok.Expiry),
		},
		RefreshToken: &oidctypes.RefreshToken{
			Token: tok.RefreshToken,
		},
		IDToken: &oidctypes.IDToken{
			Token:  idTok,
			Expiry: metav1.NewTime(validated.Expiry),
			Claims: validatedClaims,
		},
	}, nil
}
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`// Package upstreamoidc implements an abstraction of upstream OIDC provider interactions.`
			`package upstreamoidc`

			`import (`
			`"context"`
			`"net/http"`
			`"net/url"`

			`"github.com/coreos/go-oidc"`
			`"golang.org/x/oauth2"`
			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`

			`"go.pinniped.dev/internal/httputil/httperr"`
			`"go.pinniped.dev/internal/oidc/provider"`
			`"go.pinniped.dev/pkg/oidcclient/nonce"`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`"go.pinniped.dev/pkg/oidcclient/oidctypes"`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`"go.pinniped.dev/pkg/oidcclient/pkce"`
			`)`

Save an http.Client with each upstreamoidc.ProviderConfig object. This allows the token exchange request to be performed with the correct TLS configuration. We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:27:20 +00:00			`func New(config oauth2.Config, provider oidc.Provider, client *http.Client) provider.UpstreamOIDCIdentityProviderI {`
			`return &ProviderConfig{Config: config, Provider: provider, Client: client}`
Refactor oidcclient.Login to use new upstreamoidc package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:14:57 +00:00			`}`

Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`// ProviderConfig holds the active configuration of an upstream OIDC provider.`
			`type ProviderConfig struct {`
			`Name string`
			`UsernameClaim string`
			`GroupsClaim string`
			`Config *oauth2.Config`
			`Provider interface {`
			`Verifier(oidc.Config) oidc.IDTokenVerifier`
			`}`
Save an http.Client with each upstreamoidc.ProviderConfig object. This allows the token exchange request to be performed with the correct TLS configuration. We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:27:20 +00:00			`Client *http.Client`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`

			`func (p *ProviderConfig) GetName() string {`
			`return p.Name`
			`}`

			`func (p *ProviderConfig) GetClientID() string {`
			`return p.Config.ClientID`
			`}`

			`func (p ProviderConfig) GetAuthorizationURL() url.URL {`
			`result, _ := url.Parse(p.Config.Endpoint.AuthURL)`
			`return result`
			`}`

			`func (p *ProviderConfig) GetScopes() []string {`
			`return p.Config.Scopes`
			`}`

			`func (p *ProviderConfig) GetUsernameClaim() string {`
			`return p.UsernameClaim`
			`}`

			`func (p *ProviderConfig) GetGroupsClaim() string {`
			`return p.GroupsClaim`
			`}`

Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`func (p ProviderConfig) ExchangeAuthcodeAndValidateTokens(ctx context.Context, authcode string, pkceCodeVerifier pkce.Code, expectedIDTokenNonce nonce.Nonce, redirectURI string) (oidctypes.Token, error) {`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`tok, err := p.Config.Exchange(`
			`oidc.ClientContext(ctx, p.Client),`
			`authcode,`
			`pkceCodeVerifier.Verifier(),`
			`oauth2.SetAuthURLParam("redirect_uri", redirectURI),`
			`)`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`if err != nil {`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`return nil, err`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`

Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00			`return p.ValidateToken(ctx, tok, expectedIDTokenNonce)`
			`}`

Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`func (p ProviderConfig) ValidateToken(ctx context.Context, tok oauth2.Token, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error) {`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`idTok, hasIDTok := tok.Extra("id_token").(string)`
			`if !hasIDTok {`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`return nil, httperr.New(http.StatusBadRequest, "received response missing ID token")`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`
Save an http.Client with each upstreamoidc.ProviderConfig object. This allows the token exchange request to be performed with the correct TLS configuration. We go to a bit of extra work to make sure the `http.Client` object is cached between reconcile operations so that connection pooling works as expected. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:27:20 +00:00			`validated, err := p.Provider.Verifier(&oidc.Config{ClientID: p.GetClientID()}).Verify(oidc.ClientContext(ctx, p.Client), idTok)`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`if err != nil {`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`return nil, httperr.Wrap(http.StatusBadRequest, "received invalid ID token", err)`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`
			`if validated.AccessTokenHash != "" {`
			`if err := validated.VerifyAccessToken(tok.AccessToken); err != nil {`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`return nil, httperr.Wrap(http.StatusBadRequest, "received invalid ID token", err)`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`
			`}`
			`if expectedIDTokenNonce != "" {`
			`if err := expectedIDTokenNonce.Validate(validated); err != nil {`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`return nil, httperr.Wrap(http.StatusBadRequest, "received ID token with invalid nonce", err)`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`
			`}`

			`var validatedClaims map[string]interface{}`
			`if err := validated.Claims(&validatedClaims); err != nil {`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`return nil, httperr.Wrap(http.StatusInternalServerError, "could not unmarshal claims", err)`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`

Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`return &oidctypes.Token{`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`AccessToken: &oidctypes.AccessToken{`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`Token: tok.AccessToken,`
			`Type: tok.TokenType,`
			`Expiry: metav1.NewTime(tok.Expiry),`
			`},`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`RefreshToken: &oidctypes.RefreshToken{`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`Token: tok.RefreshToken,`
			`},`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`IDToken: &oidctypes.IDToken{`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`Token: idTok,`
			`Expiry: metav1.NewTime(validated.Expiry),`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`Claims: validatedClaims,`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`},`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`}, nil`
Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`}`