ContainerImage.Pinniped/internal/oidc/provider/dynamic_upstream_idp_provider.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package provider

import (
	"context"
	"net/url"
	"sync"

	"go.pinniped.dev/pkg/oidcclient/nonce"
	"go.pinniped.dev/pkg/oidcclient/oidctypes"
	"go.pinniped.dev/pkg/oidcclient/pkce"
)

type UpstreamOIDCIdentityProviderI interface {
	// A name for this upstream provider, which will be used as a component of the path for the callback endpoint
	// hosted by the Supervisor.
	GetName() string

	// The Oauth client ID registered with the upstream provider to be used in the authorization code flow.
	GetClientID() string

	// The Authorization Endpoint fetched from discovery.
	GetAuthorizationURL() *url.URL

	// Scopes to request in authorization flow.
	GetScopes() []string

	// ID Token username claim name. May return empty string, in which case we will use some reasonable defaults.
	GetUsernameClaim() string

	// ID Token groups claim name. May return empty string, in which case we won't try to read groups from the upstream provider.
	GetGroupsClaim() string

	// Performs upstream OIDC authorization code exchange and token validation.
	// Returns the validated raw tokens as well as the parsed claims of the ID token.
	ExchangeAuthcodeAndValidateTokens(
		ctx context.Context,
		authcode string,
		pkceCodeVerifier pkce.Code,
		expectedIDTokenNonce nonce.Nonce,
	) (tokens oidctypes.Token, parsedIDTokenClaims map[string]interface{}, err error)
}

type DynamicUpstreamIDPProvider interface {
	SetIDPList(oidcIDPs []UpstreamOIDCIdentityProviderI)
	GetIDPList() []UpstreamOIDCIdentityProviderI
}

type dynamicUpstreamIDPProvider struct {
	oidcProviders []UpstreamOIDCIdentityProviderI
	mutex         sync.RWMutex
}

func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider {
	return &dynamicUpstreamIDPProvider{
		oidcProviders: []UpstreamOIDCIdentityProviderI{},
	}
}

func (p *dynamicUpstreamIDPProvider) SetIDPList(oidcIDPs []UpstreamOIDCIdentityProviderI) {
	p.mutex.Lock() // acquire a write lock
	defer p.mutex.Unlock()
	p.oidcProviders = oidcIDPs
}

func (p *dynamicUpstreamIDPProvider) GetIDPList() []UpstreamOIDCIdentityProviderI {
	p.mutex.RLock() // acquire a read lock
	defer p.mutex.RUnlock()
	return p.oidcProviders
}
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package provider`

			`import (`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`"context"`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`"net/url"`
			`"sync"`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/nonce"`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`"go.pinniped.dev/pkg/oidcclient/oidctypes"`
Merge branch 'main' into callback-endpoint 2020-11-20 23:13:25 +00:00			`"go.pinniped.dev/pkg/oidcclient/pkce"`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`)`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`type UpstreamOIDCIdentityProviderI interface {`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`// A name for this upstream provider, which will be used as a component of the path for the callback endpoint`
			`// hosted by the Supervisor.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`GetName() string`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`// The Oauth client ID registered with the upstream provider to be used in the authorization code flow.`
			`GetClientID() string`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00
			`// The Authorization Endpoint fetched from discovery.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`GetAuthorizationURL() *url.URL`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00
			`// Scopes to request in authorization flow.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`GetScopes() []string`

			`// ID Token username claim name. May return empty string, in which case we will use some reasonable defaults.`
			`GetUsernameClaim() string`

			`// ID Token groups claim name. May return empty string, in which case we won't try to read groups from the upstream provider.`
			`GetGroupsClaim() string`

Add upstreamoidc.ProviderConfig type implementing provider.UpstreamOIDCIdentityProviderI. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 20:54:11 +00:00			`// Performs upstream OIDC authorization code exchange and token validation.`
			`// Returns the validated raw tokens as well as the parsed claims of the ID token.`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`ExchangeAuthcodeAndValidateTokens(`
			`ctx context.Context,`
			`authcode string,`
			`pkceCodeVerifier pkce.Code,`
			`expectedIDTokenNonce nonce.Nonce,`
Move OIDC Token structs into a new `oidctypes` package. Signed-off-by: Matt Moyer <moyerm@vmware.com> 2020-11-30 23:02:03 +00:00			`) (tokens oidctypes.Token, parsedIDTokenClaims map[string]interface{}, err error)`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`}`

Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`type DynamicUpstreamIDPProvider interface {`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`SetIDPList(oidcIDPs []UpstreamOIDCIdentityProviderI)`
			`GetIDPList() []UpstreamOIDCIdentityProviderI`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`}`

			`type dynamicUpstreamIDPProvider struct {`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`oidcProviders []UpstreamOIDCIdentityProviderI`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`mutex sync.RWMutex`
			`}`

			`func NewDynamicUpstreamIDPProvider() DynamicUpstreamIDPProvider {`
			`return &dynamicUpstreamIDPProvider{`
Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`oidcProviders: []UpstreamOIDCIdentityProviderI{},`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`}`
			`}`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`func (p *dynamicUpstreamIDPProvider) SetIDPList(oidcIDPs []UpstreamOIDCIdentityProviderI) {`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`p.mutex.Lock() // acquire a write lock`
			`defer p.mutex.Unlock()`
			`p.oidcProviders = oidcIDPs`
			`}`

Use an interface instead of a concrete type for UpstreamOIDCIdentityProvider Because we want it to implement an AuthcodeExchanger interface and do it in a way that will be more unit test-friendly than the underlying library that we intend to use inside its implementation. 2020-11-18 21:38:13 +00:00			`func (p *dynamicUpstreamIDPProvider) GetIDPList() []UpstreamOIDCIdentityProviderI {`
Add a type for in-memory caching of upstream OIDC Identity Providers Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-03 20:06:07 +00:00			`p.mutex.RLock() // acquire a read lock`
			`defer p.mutex.RUnlock()`
			`return p.oidcProviders`
			`}`