ContainerImage.Pinniped/internal/oidc/provider/dynamic_upstream_idp_provid...

// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package provider

import (
	"context"
	"net/url"
	"sync"

	"golang.org/x/oauth2"

	"go.pinniped.dev/internal/authenticators"
	"go.pinniped.dev/pkg/oidcclient/nonce"
	"go.pinniped.dev/pkg/oidcclient/oidctypes"
	"go.pinniped.dev/pkg/oidcclient/pkce"
)

type UpstreamOIDCIdentityProviderI interface {
	// A name for this upstream provider, which will be used as a component of the path for the callback endpoint
	// hosted by the Supervisor.
	GetName() string

	// The Oauth client ID registered with the upstream provider to be used in the authorization code flow.
	GetClientID() string

	// The Authorization Endpoint fetched from discovery.
	GetAuthorizationURL() *url.URL

	// Scopes to request in authorization flow.
	GetScopes() []string

	// ID Token username claim name. May return empty string, in which case we will use some reasonable defaults.
	GetUsernameClaim() string

	// ID Token groups claim name. May return empty string, in which case we won't try to read groups from the upstream provider.
	GetGroupsClaim() string

	// Performs upstream OIDC authorization code exchange and token validation.
	// Returns the validated raw tokens as well as the parsed claims of the ID token.
	ExchangeAuthcodeAndValidateTokens(
		ctx context.Context,
		authcode string,
		pkceCodeVerifier pkce.Code,
		expectedIDTokenNonce nonce.Nonce,
		redirectURI string,
	) (*oidctypes.Token, error)

	ValidateToken(ctx context.Context, tok *oauth2.Token, expectedIDTokenNonce nonce.Nonce) (*oidctypes.Token, error)
}

type UpstreamLDAPIdentityProviderI interface {
	// A name for this upstream provider.
	GetName() string

	// Return a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234".
	// This URL is not used for connecting to the provider, but rather is used for creating a globally unique user
	// identifier by being combined with the user's UID, since user UIDs are only unique within one provider.
	GetURL() *url.URL

	// A method for performing user authentication against the upstream LDAP provider.
	authenticators.UserAuthenticator
}

type DynamicUpstreamIDPProvider interface {
	SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI)
	GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI
	SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI)
	GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI
}

type dynamicUpstreamIDPProvider struct {
	oidcUpstreams []UpstreamOIDCIdentityProviderI
	ldapUpstreams []UpstreamLDAPIdentityProviderI
	mutex         sync.RWMutex
}

func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider {
	return &dynamicUpstreamIDPProvider{
		oidcUpstreams: []UpstreamOIDCIdentityProviderI{},
		ldapUpstreams: []UpstreamLDAPIdentityProviderI{},
	}
}

func (p *dynamicUpstreamIDPProvider) SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI) {
	p.mutex.Lock() // acquire a write lock
	defer p.mutex.Unlock()
	p.oidcUpstreams = oidcIDPs
}

func (p *dynamicUpstreamIDPProvider) GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI {
	p.mutex.RLock() // acquire a read lock
	defer p.mutex.RUnlock()
	return p.oidcUpstreams
}

func (p *dynamicUpstreamIDPProvider) SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI) {
	p.mutex.Lock() // acquire a write lock
	defer p.mutex.Unlock()
	p.ldapUpstreams = ldapIDPs
}

func (p *dynamicUpstreamIDPProvider) GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI {
	p.mutex.RLock() // acquire a read lock
	defer p.mutex.RUnlock()
	return p.ldapUpstreams
}
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`// SPDX-License-Identifier: Apache-2.0`

			`package provider`

			`import (`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`"context"`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`"net/url"`
			`"sync"`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00			`"golang.org/x/oauth2"`

More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress. 2021-04-10 01:49:43 +00:00			`"go.pinniped.dev/internal/authenticators"`
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/nonce"`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`"go.pinniped.dev/pkg/oidcclient/oidctypes"`
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/pkce"`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`)`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`type UpstreamOIDCIdentityProviderI interface {`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`// A name for this upstream provider, which will be used as a component of the path for the callback endpoint`
			`// hosted by the Supervisor.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`GetName() string`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`// The Oauth client ID registered with the upstream provider to be used in the authorization code flow.`
			`GetClientID() string`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00
			`// The Authorization Endpoint fetched from discovery.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`GetAuthorizationURL() *url.URL`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00
			`// Scopes to request in authorization flow.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`GetScopes() []string`

			`// ID Token username claim name. May return empty string, in which case we will use some reasonable defaults.`
			`GetUsernameClaim() string`

			`// ID Token groups claim name. May return empty string, in which case we won't try to read groups from the upstream provider.`
			`GetGroupsClaim() string`

Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`// Performs upstream OIDC authorization code exchange and token validation.`
			`// Returns the validated raw tokens as well as the parsed claims of the ID token.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`ExchangeAuthcodeAndValidateTokens(`
			`ctx context.Context,`
			`authcode string,`
			`pkceCodeVerifier pkce.Code,`
			`expectedIDTokenNonce nonce.Nonce,`
Add a `redirectURI` parameter to ExchangeAuthcodeAndValidateTokens() method. We missed this in the original interface specification, but the `grant_type=authorization_code` requires it, per RFC6749 (https://tools.ietf.org/html/rfc6749#section-4.1.3). Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-02 16:36:07 +00:00			`redirectURI string,`
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`) (*oidctypes.Token, error)`
Add ValidateToken method to UpstreamOIDCIdentityProviderI interface. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:08:27 +00:00
Refactor UpstreamOIDCIdentityProviderI claim handling. This refactors the `UpstreamOIDCIdentityProviderI` interface and its implementations to pass ID token claims through a `*oidctypes.Token` return parameter rather than as a third return parameter. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-12-04 21:33:36 +00:00			`ValidateToken(ctx context.Context, tok oauth2.Token, expectedIDTokenNonce nonce.Nonce) (oidctypes.Token, error)`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`}`

Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`type UpstreamLDAPIdentityProviderI interface {`
			`// A name for this upstream provider.`
			`GetName() string`

Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-09 00:28:01 +00:00			`// Return a URL which uniquely identifies this LDAP provider, e.g. "ldaps://host.example.com:1234".`
			`// This URL is not used for connecting to the provider, but rather is used for creating a globally unique user`
			`// identifier by being combined with the user's UID, since user UIDs are only unique within one provider.`
Add user search base to downstream subject for upstream LDAP - Also add some tests about UTF-8 characters in LDAP attributes 2021-05-27 00:04:20 +00:00			`GetURL() *url.URL`
Implement upstream LDAP support in auth_handler.go - When the upstream IDP is an LDAP IDP and the user's LDAP username and password are received as new custom headers, then authenticate the user and, if authentication was successful, return a redirect with an authcode. Handle errors according to the OAuth/OIDC specs. - Still does not support having multiple upstream IDPs defined at the same time, which was an existing limitation of this endpoint. - Does not yet include the actual LDAP authentication, which is hidden behind an interface from the point of view of auth_handler.go - Move the oidctestutil package to the testutil directory. - Add an interface for Fosite storage to avoid a cyclical test dependency. - Add GetURL() to the UpstreamLDAPIdentityProviderI interface. - Extract test helpers to be shared between callback_handler_test.go and auth_handler_test.go because the authcode and fosite storage assertions should be identical. - Backfill Content-Type assertions in callback_handler_test.go. Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2021-04-09 00:28:01 +00:00
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`// A method for performing user authentication against the upstream LDAP provider.`
More LDAP WIP: started controller and LDAP server connection code Both are unfinished works in progress. 2021-04-10 01:49:43 +00:00			`authenticators.UserAuthenticator`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`}`

Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`type DynamicUpstreamIDPProvider interface {`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI)`
			`GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI`
			`SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI)`
			`GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`}`

			`type dynamicUpstreamIDPProvider struct {`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`oidcUpstreams []UpstreamOIDCIdentityProviderI`
			`ldapUpstreams []UpstreamLDAPIdentityProviderI`
			`mutex sync.RWMutex`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`}`

			`func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider {`
			`return &dynamicUpstreamIDPProvider{`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`oidcUpstreams: []UpstreamOIDCIdentityProviderI{},`
			`ldapUpstreams: []UpstreamLDAPIdentityProviderI{},`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`}`
			`}`

Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`func (p *dynamicUpstreamIDPProvider) SetOIDCIdentityProviders(oidcIDPs []UpstreamOIDCIdentityProviderI) {`
			`p.mutex.Lock() // acquire a write lock`
			`defer p.mutex.Unlock()`
			`p.oidcUpstreams = oidcIDPs`
			`}`

			`func (p *dynamicUpstreamIDPProvider) GetOIDCIdentityProviders() []UpstreamOIDCIdentityProviderI {`
			`p.mutex.RLock() // acquire a read lock`
			`defer p.mutex.RUnlock()`
			`return p.oidcUpstreams`
			`}`

			`func (p *dynamicUpstreamIDPProvider) SetLDAPIdentityProviders(ldapIDPs []UpstreamLDAPIdentityProviderI) {`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`p.mutex.Lock() // acquire a write lock`
			`defer p.mutex.Unlock()`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`p.ldapUpstreams = ldapIDPs`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`}`

Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`func (p *dynamicUpstreamIDPProvider) GetLDAPIdentityProviders() []UpstreamLDAPIdentityProviderI {`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`p.mutex.RLock() // acquire a read lock`
			`defer p.mutex.RUnlock()`
Supervisor pre-factor to make room for upstream LDAP identity providers 2021-04-07 23:12:13 +00:00			`return p.ldapUpstreams`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`}`