ContainerImage.Pinniped/internal/oidc/provider/manager/manager.go

// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package manager

import (
	"net/http"
	"strings"
	"sync"

	"github.com/gorilla/securecookie"
	"go.pinniped.dev/internal/oidc/csrftoken"

	"github.com/ory/fosite"
	"github.com/ory/fosite/storage"

	"go.pinniped.dev/internal/oidc"
	"go.pinniped.dev/internal/oidc/auth"
	"go.pinniped.dev/internal/oidc/discovery"
	"go.pinniped.dev/internal/oidc/jwks"
	"go.pinniped.dev/internal/oidc/provider"
	"go.pinniped.dev/internal/oidcclient/nonce"
	"go.pinniped.dev/internal/oidcclient/pkce"
	"go.pinniped.dev/internal/plog"
)

// Manager can manage multiple active OIDC providers. It acts as a request router for them.
//
// It is thread-safe.
type Manager struct {
	mu                  sync.RWMutex
	providers           []*provider.OIDCProvider
	providerHandlers    map[string]http.Handler  // map of all routes for all providers
	nextHandler         http.Handler             // the next handler in a chain, called when this manager didn't know how to handle a request
	dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data
	idpListGetter       auth.IDPListGetter       // in-memory cache of upstream IDPs
}

// NewManager returns an empty Manager.
// nextHandler will be invoked for any requests that could not be handled by this manager's providers.
// dynamicJWKSProvider will be used as an in-memory cache for per-issuer JWKS data.
// idpListGetter will be used as an in-memory cache of currently configured upstream IDPs.
func NewManager(nextHandler http.Handler, dynamicJWKSProvider jwks.DynamicJWKSProvider, idpListGetter auth.IDPListGetter) *Manager {
	return &Manager{
		providerHandlers:    make(map[string]http.Handler),
		nextHandler:         nextHandler,
		dynamicJWKSProvider: dynamicJWKSProvider,
		idpListGetter:       idpListGetter,
	}
}

// SetProviders adds or updates all the given providerHandlers using each provider's issuer string
// as the name of the provider to decide if it is an add or update operation.
//
// It also removes any providerHandlers that were previously added but were not passed in to
// the current invocation.
//
// This method assumes that all of the OIDCProvider arguments have already been validated
// by someone else before they are passed to this method.
func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
	m.mu.Lock()
	defer m.mu.Unlock()

	m.providers = oidcProviders
	m.providerHandlers = make(map[string]http.Handler)

	for _, incomingProvider := range oidcProviders {
		wellKnownURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.WellKnownEndpointPath
		m.providerHandlers[wellKnownURL] = discovery.NewHandler(incomingProvider.Issuer())

		jwksURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.JWKSEndpointPath
		m.providerHandlers[jwksURL] = jwks.NewHandler(incomingProvider.Issuer(), m.dynamicJWKSProvider)

		// Each OIDC provider gets its own storage.
		oauthStore := &storage.MemoryStore{
			Clients:        map[string]fosite.Client{oidc.PinnipedCLIOIDCClient().ID: oidc.PinnipedCLIOIDCClient()},
			AuthorizeCodes: map[string]storage.StoreAuthorizeCode{},
			PKCES:          map[string]fosite.Requester{},
			IDSessions:     map[string]fosite.Requester{},
		}
		oauthHelper := oidc.FositeOauth2Helper(oauthStore, []byte("some secret - must have at least 32 bytes")) // TODO replace this secret

		var encoderHashKey = []byte("fake-hash-secret")  // TODO fix this
		var encoderBlockKey = []byte("16-bytes-aaaaaaa") // TODO fix this
		var encoder = securecookie.New(encoderHashKey, encoderBlockKey)
		encoder.SetSerializer(securecookie.JSONEncoder{})

		authURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.AuthorizationEndpointPath
		m.providerHandlers[authURL] = auth.NewHandler(incomingProvider.Issuer(), m.idpListGetter, oauthHelper, csrftoken.Generate, pkce.Generate, nonce.Generate, encoder)

		plog.Debug("oidc provider manager added or updated issuer", "issuer", incomingProvider.Issuer())
	}
}

// ServeHTTP implements the http.Handler interface.
func (m *Manager) ServeHTTP(resp http.ResponseWriter, req *http.Request) {
	requestHandler := m.findHandler(req)

	plog.Debug(
		"oidc provider manager examining request",
		"method", req.Method,
		"host", req.Host,
		"path", req.URL.Path,
		"foundMatchingIssuer", requestHandler != nil,
	)

	if requestHandler == nil {
		requestHandler = m.nextHandler // couldn't find an issuer to handle the request
	}
	requestHandler.ServeHTTP(resp, req)
}

func (m *Manager) findHandler(req *http.Request) http.Handler {
	m.mu.RLock()
	defer m.mu.RUnlock()

	return m.providerHandlers[strings.ToLower(req.Host)+"/"+req.URL.Path]
}
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`// Copyright 2020 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`package manager`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00
			`import (`
			`"net/http"`
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic. 2020-10-23 23:25:44 +00:00			`"strings"`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`"sync"`

WIP for saving authorize endpoint state into upstream state param Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-11 01:58:00 +00:00			`"github.com/gorilla/securecookie"`
			`"go.pinniped.dev/internal/oidc/csrftoken"`

Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/storage"`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00
			`"go.pinniped.dev/internal/oidc"`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`"go.pinniped.dev/internal/oidc/auth"`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`"go.pinniped.dev/internal/oidc/discovery"`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`"go.pinniped.dev/internal/oidc/jwks"`
Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`"go.pinniped.dev/internal/oidc/provider"`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`"go.pinniped.dev/internal/oidcclient/nonce"`
			`"go.pinniped.dev/internal/oidcclient/pkce"`
Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com> 2020-11-10 15:22:16 +00:00			`"go.pinniped.dev/internal/plog"`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`)`

			`// Manager can manage multiple active OIDC providers. It acts as a request router for them.`
			`//`
			`// It is thread-safe.`
			`type Manager struct {`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`mu sync.RWMutex`
			`providers []*provider.OIDCProvider`
			`providerHandlers map[string]http.Handler // map of all routes for all providers`
			`nextHandler http.Handler // the next handler in a chain, called when this manager didn't know how to handle a request`
			`dynamicJWKSProvider jwks.DynamicJWKSProvider // in-memory cache of per-issuer JWKS data`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`idpListGetter auth.IDPListGetter // in-memory cache of upstream IDPs`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

Several small refactors related to OIDC providers 2020-10-08 18:28:21 +00:00			`// NewManager returns an empty Manager.`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`// nextHandler will be invoked for any requests that could not be handled by this manager's providers.`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`// dynamicJWKSProvider will be used as an in-memory cache for per-issuer JWKS data.`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`// idpListGetter will be used as an in-memory cache of currently configured upstream IDPs.`
			`func NewManager(nextHandler http.Handler, dynamicJWKSProvider jwks.DynamicJWKSProvider, idpListGetter auth.IDPListGetter) *Manager {`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`return &Manager{`
			`providerHandlers: make(map[string]http.Handler),`
			`nextHandler: nextHandler,`
			`dynamicJWKSProvider: dynamicJWKSProvider,`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`idpListGetter: idpListGetter,`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`}`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

			`// SetProviders adds or updates all the given providerHandlers using each provider's issuer string`
			`// as the name of the provider to decide if it is an add or update operation.`
			`//`
			`// It also removes any providerHandlers that were previously added but were not passed in to`
			`// the current invocation.`
			`//`
			`// This method assumes that all of the OIDCProvider arguments have already been validated`
			`// by someone else before they are passed to this method.`
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`func (m Manager) SetProviders(oidcProviders ...provider.OIDCProvider) {`
			`m.mu.Lock()`
			`defer m.mu.Unlock()`

			`m.providers = oidcProviders`
			`m.providerHandlers = make(map[string]http.Handler)`

Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`for _, incomingProvider := range oidcProviders {`
Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic. 2020-10-23 23:25:44 +00:00			`wellKnownURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.WellKnownEndpointPath`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`m.providerHandlers[wellKnownURL] = discovery.NewHandler(incomingProvider.Issuer())`

Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic. 2020-10-23 23:25:44 +00:00			`jwksURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.JWKSEndpointPath`
Implement per-issuer OIDC JWKS endpoint 2020-10-17 00:51:40 +00:00			`m.providerHandlers[jwksURL] = jwks.NewHandler(incomingProvider.Issuer(), m.dynamicJWKSProvider)`

Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`// Each OIDC provider gets its own storage.`
			`oauthStore := &storage.MemoryStore{`
			`Clients: map[string]fosite.Client{oidc.PinnipedCLIOIDCClient().ID: oidc.PinnipedCLIOIDCClient()},`
			`AuthorizeCodes: map[string]storage.StoreAuthorizeCode{},`
			`PKCES: map[string]fosite.Requester{},`
Also run OIDC validations in supervisor authorize endpoint Signed-off-by: Andrew Keesler <akeesler@vmware.com> 2020-11-06 22:44:58 +00:00			`IDSessions: map[string]fosite.Requester{},`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`}`
			`oauthHelper := oidc.FositeOauth2Helper(oauthStore, []byte("some secret - must have at least 32 bytes")) // TODO replace this secret`

WIP for saving authorize endpoint state into upstream state param Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-11 01:58:00 +00:00			`var encoderHashKey = []byte("fake-hash-secret") // TODO fix this`
			`var encoderBlockKey = []byte("16-bytes-aaaaaaa") // TODO fix this`
			`var encoder = securecookie.New(encoderHashKey, encoderBlockKey)`
			`encoder.SetSerializer(securecookie.JSONEncoder{})`

Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00			`authURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.AuthorizationEndpointPath`
WIP for saving authorize endpoint state into upstream state param Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-11-11 01:58:00 +00:00			`m.providerHandlers[authURL] = auth.NewHandler(incomingProvider.Issuer(), m.idpListGetter, oauthHelper, csrftoken.Generate, pkce.Generate, nonce.Generate, encoder)`
Expose the Supervisor OIDC authorization endpoint to the public 2020-11-05 01:06:47 +00:00
Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com> 2020-11-10 15:22:16 +00:00			`plog.Debug("oidc provider manager added or updated issuer", "issuer", incomingProvider.Issuer())`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`
			`}`

			`// ServeHTTP implements the http.Handler interface.`
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`func (m Manager) ServeHTTP(resp http.ResponseWriter, req http.Request) {`
			`requestHandler := m.findHandler(req)`

Reduce log spam Signed-off-by: Monis Khan <mok@vmware.com> 2020-11-10 15:22:16 +00:00			`plog.Debug(`
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`"oidc provider manager examining request",`
			`"method", req.Method,`
			`"host", req.Host,`
			`"path", req.URL.Path,`
			`"foundMatchingIssuer", requestHandler != nil,`
			`)`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`if requestHandler == nil {`
			`requestHandler = m.nextHandler // couldn't find an issuer to handle the request`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`
Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`requestHandler.ServeHTTP(resp, req)`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`

Refactor provider.Manager - And also handle when an issuer's path is a subpath of another issuer Signed-off-by: Ryan Richard <richardry@vmware.com> 2020-10-08 21:40:56 +00:00			`func (m Manager) findHandler(req http.Request) http.Handler {`
			`m.mu.RLock()`
			`defer m.mu.RUnlock()`

Add `spec.secretName` to OPC and handle case-insensitive hostnames - When two different Issuers have the same host (i.e. they differ only by path) then they must have the same secretName. This is because it wouldn't make sense for there to be two different TLS certificates for one host. Find any that do not have the same secret name to put an error status on them and to avoid serving OIDC endpoints for them. The host comparison is case-insensitive. - Issuer hostnames should be treated as case-insensitive, because DNS hostnames are case-insensitive. So https://me.com and https://mE.cOm are duplicate issuers. However, paths are case-sensitive, so https://me.com/A and https://me.com/a are different issuers. Fixed this in the issuer validations and in the OIDC Manager's request router logic. 2020-10-23 23:25:44 +00:00			`return m.providerHandlers[strings.ToLower(req.Host)+"/"+req.URL.Path]`
Creation and deletion of OIDC Provider discovery endpoints from config - The OIDCProviderConfigWatcherController synchronizes the OIDCProviderConfig settings to dynamically mount and unmount the OIDC discovery endpoints for each provider - Integration test passes but unit tests need to be added still 2020-10-08 02:18:34 +00:00			`}`