ContainerImage.Pinniped/internal/oidc/login/post_login_handler.go

// Copyright 2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0

package login

import (
	"net/http"
	"net/url"

	"github.com/ory/fosite"

	"go.pinniped.dev/internal/httputil/httperr"
	"go.pinniped.dev/internal/oidc"
	"go.pinniped.dev/internal/oidc/downstreamsession"
	"go.pinniped.dev/internal/plog"
)

func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvidersLister, oauthHelper fosite.OAuth2Provider) HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request, encodedState string, decodedState *oidc.UpstreamStateParamData) error {
		// Note that the login handler prevents this handler from being called with OIDC upstreams.
		_, ldapUpstream, idpType, err := oidc.FindUpstreamIDPByNameAndType(upstreamIDPs, decodedState.UpstreamName, decodedState.UpstreamType)
		if err != nil {
			// This shouldn't normally happen because the authorization endpoint ensured that this provider existed
			// at that time. It would be possible in the unlikely event that the provider was deleted during the login.
			plog.Error("error finding upstream provider", err)
			return httperr.Wrap(http.StatusUnprocessableEntity, "error finding upstream provider", err)
		}

		// Get the original params that were used at the authorization endpoint.
		downstreamAuthParams, err := url.ParseQuery(decodedState.AuthParams)
		if err != nil {
			// This shouldn't really happen because the authorization endpoint encoded these query params correctly.
			plog.Error("error reading state downstream auth params", err)
			return httperr.New(http.StatusBadRequest, "error reading state downstream auth params")
		}

		// Recreate enough of the original authorize request so we can pass it to NewAuthorizeRequest().
		reconstitutedAuthRequest := &http.Request{Form: downstreamAuthParams}
		authorizeRequester, err := oauthHelper.NewAuthorizeRequest(r.Context(), reconstitutedAuthRequest)
		if err != nil {
			// This shouldn't really happen because the authorization endpoint has already validated these params
			// by calling NewAuthorizeRequest() itself.
			plog.Error("error using state downstream auth params", err,
				"fositeErr", oidc.FositeErrorForLog(err))
			return httperr.New(http.StatusBadRequest, "error using state downstream auth params")
		}

		// Automatically grant certain scopes, but only if they were requested.
		// This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned
		// an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here.
		downstreamsession.AutoApproveScopes(authorizeRequester)

		// Get the username and password form params from the POST body.
		username := r.PostFormValue(usernameParamName)
		password := r.PostFormValue(passwordParamName)

		// Treat blank username or password as a bad username/password combination, as opposed to an internal error.
		if username == "" || password == "" {
			// User forgot to enter one of the required fields.
			// The user may try to log in again if they'd like, so redirect back to the login page with an error.
			return RedirectToLoginPage(r, w, issuerURL, encodedState, ShowBadUserPassErr)
		}

		// Attempt to authenticate the user with the upstream IDP.
		authenticateResponse, authenticated, err := ldapUpstream.AuthenticateUser(r.Context(), username, password, authorizeRequester.GetGrantedScopes())
		if err != nil {
			plog.WarningErr("unexpected error during upstream LDAP authentication", err, "upstreamName", ldapUpstream.GetName())
			// There was some problem during authentication with the upstream, aside from bad username/password.
			// The user may try to log in again if they'd like, so redirect back to the login page with an error.
			return RedirectToLoginPage(r, w, issuerURL, encodedState, ShowInternalError)
		}
		if !authenticated {
			// The upstream did not accept the username/password combination.
			// The user may try to log in again if they'd like, so redirect back to the login page with an error.
			return RedirectToLoginPage(r, w, issuerURL, encodedState, ShowBadUserPassErr)
		}

		// We had previously interrupted the regular steps of the OIDC authcode flow to show the login page UI.
		// Now the upstream IDP has authenticated the user, so now we're back into the regular OIDC authcode flow steps.
		// Both success and error responses from this point onwards should look like the usual fosite redirect
		// responses, and a happy redirect response will include a downstream authcode.
		subject := downstreamsession.DownstreamSubjectFromUpstreamLDAP(ldapUpstream, authenticateResponse)
		username = authenticateResponse.User.GetName()
		groups := authenticateResponse.User.GetGroups()
		customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)
		openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,
			authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})
		oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false)

		return nil
	}
}
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared. 2022-04-26 22:30:39 +00:00			`// Copyright 2022 the Pinniped contributors. All Rights Reserved.`
			`// SPDX-License-Identifier: Apache-2.0`

			`package login`

			`import (`
			`"net/http"`
Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`"net/url"`
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared. 2022-04-26 22:30:39 +00:00
			`"github.com/ory/fosite"`

Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`"go.pinniped.dev/internal/httputil/httperr"`
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared. 2022-04-26 22:30:39 +00:00			`"go.pinniped.dev/internal/oidc"`
Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`"go.pinniped.dev/internal/oidc/downstreamsession"`
			`"go.pinniped.dev/internal/plog"`
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared. 2022-04-26 22:30:39 +00:00			`)`

Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`func NewPostHandler(issuerURL string, upstreamIDPs oidc.UpstreamIdentityProvidersLister, oauthHelper fosite.OAuth2Provider) HandlerFunc {`
Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared. 2022-04-26 22:30:39 +00:00			`return func(w http.ResponseWriter, r http.Request, encodedState string, decodedState oidc.UpstreamStateParamData) error {`
Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`// Note that the login handler prevents this handler from being called with OIDC upstreams.`
			`_, ldapUpstream, idpType, err := oidc.FindUpstreamIDPByNameAndType(upstreamIDPs, decodedState.UpstreamName, decodedState.UpstreamType)`
			`if err != nil {`
			`// This shouldn't normally happen because the authorization endpoint ensured that this provider existed`
			`// at that time. It would be possible in the unlikely event that the provider was deleted during the login.`
			`plog.Error("error finding upstream provider", err)`
			`return httperr.Wrap(http.StatusUnprocessableEntity, "error finding upstream provider", err)`
			`}`

			`// Get the original params that were used at the authorization endpoint.`
			`downstreamAuthParams, err := url.ParseQuery(decodedState.AuthParams)`
			`if err != nil {`
			`// This shouldn't really happen because the authorization endpoint encoded these query params correctly.`
			`plog.Error("error reading state downstream auth params", err)`
			`return httperr.New(http.StatusBadRequest, "error reading state downstream auth params")`
			`}`

			`// Recreate enough of the original authorize request so we can pass it to NewAuthorizeRequest().`
			`reconstitutedAuthRequest := &http.Request{Form: downstreamAuthParams}`
			`authorizeRequester, err := oauthHelper.NewAuthorizeRequest(r.Context(), reconstitutedAuthRequest)`
			`if err != nil {`
			`// This shouldn't really happen because the authorization endpoint has already validated these params`
			`// by calling NewAuthorizeRequest() itself.`
More unit tests for dynamic clients - Add dynamic client unit tests for the upstream OIDC callback and POST login endpoints. - Enhance a few log statements to print the full fosite error messages into the logs where they were previously only printing the name of the error type. 2022-07-21 16:26:00 +00:00			`plog.Error("error using state downstream auth params", err,`
			`"fositeErr", oidc.FositeErrorForLog(err))`
Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`return httperr.New(http.StatusBadRequest, "error using state downstream auth params")`
			`}`

Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc" 2022-08-08 23:29:22 +00:00			`// Automatically grant certain scopes, but only if they were requested.`
Allow dynamic clients to be used in downstream OIDC flows This is only a first commit towards making this feature work. - Hook dynamic clients into fosite by returning them from the storage interface (after finding and validating them) - In the auth endpoint, prevent the use of the username and password headers for dynamic clients to force them to use the browser-based login flows for all the upstream types - Add happy path integration tests in supervisor_login_test.go - Add lots of comments (and some small refactors) in supervisor_login_test.go to make it much easier to understand - Add lots of unit tests for the auth endpoint regarding dynamic clients (more unit tests to be added for other endpoints in follow-up commits) - Enhance crud.go to make lifetime=0 mean never garbage collect, since we want client secret storage Secrets to last forever - Move the OIDCClient validation code to a package where it can be shared between the controller and the fosite storage interface - Make shared test helpers for tests that need to create OIDC client secret storage Secrets - Create a public const for "pinniped-cli" now that we are using that string in several places in the production code 2022-07-14 16:51:11 +00:00			// This is instead of asking the user to approve these scopes. Note that `NewAuthorizeRequest` would have returned
			`// an error if the client requested a scope that they are not allowed to request, so we don't need to worry about that here.`
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc" 2022-08-08 23:29:22 +00:00			`downstreamsession.AutoApproveScopes(authorizeRequester)`
Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00
			`// Get the username and password form params from the POST body.`
			`username := r.PostFormValue(usernameParamName)`
			`password := r.PostFormValue(passwordParamName)`

			`// Treat blank username or password as a bad username/password combination, as opposed to an internal error.`
			`if username == "" \|\| password == "" {`
			`// User forgot to enter one of the required fields.`
			`// The user may try to log in again if they'd like, so redirect back to the login page with an error.`
			`return RedirectToLoginPage(r, w, issuerURL, encodedState, ShowBadUserPassErr)`
			`}`

			`// Attempt to authenticate the user with the upstream IDP.`
Don't do ldap group search when group scope not specified Signed-off-by: Margo Crawford <margaretc@vmware.com> 2022-06-22 17:58:08 +00:00			`authenticateResponse, authenticated, err := ldapUpstream.AuthenticateUser(r.Context(), username, password, authorizeRequester.GetGrantedScopes())`
Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`if err != nil {`
			`plog.WarningErr("unexpected error during upstream LDAP authentication", err, "upstreamName", ldapUpstream.GetName())`
			`// There was some problem during authentication with the upstream, aside from bad username/password.`
			`// The user may try to log in again if they'd like, so redirect back to the login page with an error.`
			`return RedirectToLoginPage(r, w, issuerURL, encodedState, ShowInternalError)`
			`}`
			`if !authenticated {`
			`// The upstream did not accept the username/password combination.`
			`// The user may try to log in again if they'd like, so redirect back to the login page with an error.`
			`return RedirectToLoginPage(r, w, issuerURL, encodedState, ShowBadUserPassErr)`
			`}`

			`// We had previously interrupted the regular steps of the OIDC authcode flow to show the login page UI.`
			`// Now the upstream IDP has authenticated the user, so now we're back into the regular OIDC authcode flow steps.`
			`// Both success and error responses from this point onwards should look like the usual fosite redirect`
			`// responses, and a happy redirect response will include a downstream authcode.`
			`subject := downstreamsession.DownstreamSubjectFromUpstreamLDAP(ldapUpstream, authenticateResponse)`
			`username = authenticateResponse.User.GetName()`
			`groups := authenticateResponse.User.GetGroups()`
Create username scope, required for clients to get username in ID token - For backwards compatibility with older Pinniped CLIs, the pinniped-cli client does not need to request the username or groups scopes for them to be granted. For dynamic clients, the usual OAuth2 rules apply: the client must be allowed to request the scopes according to its configuration, and the client must actually request the scopes in the authorization request. - If the username scope was not granted, then there will be no username in the ID token, and the cluster-scoped token exchange will fail since there would be no username in the resulting cluster-scoped ID token. - The OIDC well-known discovery endpoint lists the username and groups scopes in the scopes_supported list, and lists the username and groups claims in the claims_supported list. - Add username and groups scopes to the default list of scopes put into kubeconfig files by "pinniped get kubeconfig" CLI command, and the default list of scopes used by "pinniped login oidc" when no list of scopes is specified in the kubeconfig file - The warning header about group memberships changing during upstream refresh will only be sent to the pinniped-cli client, since it is only intended for kubectl and it could leak the username to the client (which may not have the username scope granted) through the warning message text. - Add the user's username to the session storage as a new field, so that during upstream refresh we can compare the original username from the initial authorization to the refreshed username, even in the case when the username scope was not granted (and therefore the username is not stored in the ID token claims of the session storage) - Bump the Supervisor session storage format version from 2 to 3 due to the username field being added to the session struct - Extract commonly used string constants related to OIDC flows to api package. - Change some import names to make them consistent: - Always import github.com/coreos/go-oidc/v3/oidc as "coreosoidc" - Always import go.pinniped.dev/generated/latest/apis/supervisor/oidc as "oidcapi" - Always import go.pinniped.dev/internal/oidc as "oidc" 2022-08-08 23:29:22 +00:00			`customSessionData := downstreamsession.MakeDownstreamLDAPOrADCustomSessionData(ldapUpstream, idpType, authenticateResponse, username)`
Always add the `azp` claim to ID tokens to show the original client ID When the token exchange grant type is used to get a cluster-scoped ID token, the returned token has a new audience value. The client ID of the client which performed the authorization was lost. This didn't matter before, since the only client was `pinniped-cli`, but now that dynamic clients can be registered, the information would be lost in the cluster-scoped ID token. It could be useful for logging, tracing, or auditing, so preserve the information by putting the client ID into the `azp` claim in every ID token (authcode exchange, clsuter-scoped, and refreshed ID tokens). 2022-08-09 23:07:23 +00:00			`openIDSession := downstreamsession.MakeDownstreamSession(subject, username, groups,`
Allow additional claims to map into an ID token issued by the supervisor - Specify mappings on OIDCIdentityProvider.spec.claims.additionalClaimMappings - Advertise additionalClaims in the OIDC discovery endpoint under claims_supported Co-authored-by: Ryan Richard <richardry@vmware.com> Co-authored-by: Joshua Casey <joshuatcasey@gmail.com> 2022-09-20 21:54:10 +00:00			`authorizeRequester.GetGrantedScopes(), authorizeRequester.GetClient().GetID(), customSessionData, map[string]interface{}{})`
Implement post_login_handler.go to accept form post and auth to LDAP/AD Also extract some helpers from auth_handler.go so they can be shared with the new handler. 2022-04-29 23:01:51 +00:00			`oidc.PerformAuthcodeRedirect(r, w, oauthHelper, authorizeRequester, openIDSession, false)`

Implement login_handler.go to defer to other handlers The other handlers for GET and POST requests are not yet implemented in this commit. The shared handler code in login_handler.go takes care of things checking the method, checking the CSRF cookie, decoding the state param, and adding security headers on behalf of both the GET and POST handlers. Some code has been extracted from callback_handler.go to be shared. 2022-04-26 22:30:39 +00:00			`return nil`
			`}`
			`}`