From 3575be774288be433fc2b94f12162a5b167f4c47 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Wed, 18 Nov 2020 23:30:05 -0500 Subject: [PATCH] Add authorization code storage Signed-off-by: Monis Khan --- go.mod | 1 + .../authorizationcode/authorizationcode.go | 382 ++++++++++++++++++ .../authorizationcode_test.go | 335 +++++++++++++++ test/integration/storage_test.go | 105 +++++ 4 files changed, 823 insertions(+) create mode 100644 internal/fosite/authorizationcode/authorizationcode.go create mode 100644 internal/fosite/authorizationcode/authorizationcode_test.go create mode 100644 test/integration/storage_test.go diff --git a/go.mod b/go.mod index fae73095..4277bd9b 100644 --- a/go.mod +++ b/go.mod @@ -14,6 +14,7 @@ require ( github.com/golang/mock v1.4.4 github.com/golangci/golangci-lint v1.31.0 github.com/google/go-cmp v0.5.2 + github.com/google/gofuzz v1.1.0 github.com/gorilla/securecookie v1.1.1 github.com/ory/fosite v0.35.1 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4 diff --git a/internal/fosite/authorizationcode/authorizationcode.go b/internal/fosite/authorizationcode/authorizationcode.go new file mode 100644 index 00000000..a661eac9 --- /dev/null +++ b/internal/fosite/authorizationcode/authorizationcode.go @@ -0,0 +1,382 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package authorizationcode + +import ( + "context" + stderrors "errors" + "fmt" + + "github.com/ory/fosite" + "github.com/ory/fosite/handler/oauth2" + "github.com/ory/fosite/handler/openid" + "k8s.io/apimachinery/pkg/api/errors" + corev1client "k8s.io/client-go/kubernetes/typed/core/v1" + + "go.pinniped.dev/internal/constable" + "go.pinniped.dev/internal/crud" +) + +const ( + ErrInvalidAuthorizeRequestType = constable.Error("authorization request must be of type fosite.AuthorizeRequest") + ErrInvalidAuthorizeRequestData = constable.Error("authorization request data must not be nil") + ErrInvalidAuthorizeRequestVersion = constable.Error("authorization request data has wrong version") + + authorizeCodeStorageVersion = "1" +) + +var _ oauth2.AuthorizeCodeStorage = &authorizeCodeStorage{} + +type authorizeCodeStorage struct { + storage crud.Storage +} + +type AuthorizeCodeSession struct { + Active bool `json:"active"` + Request *fosite.AuthorizeRequest `json:"request"` + Version string `json:"version"` +} + +func New(secrets corev1client.SecretInterface) oauth2.AuthorizeCodeStorage { + return &authorizeCodeStorage{storage: crud.New("authorization-codes", secrets)} +} + +func (a *authorizeCodeStorage) CreateAuthorizeCodeSession(ctx context.Context, signature string, requester fosite.Requester) error { + // this conversion assumes that we do not wrap the default type in any way + // i.e. we use the default fosite.OAuth2Provider.NewAuthorizeRequest implementation + // note that because this type is serialized and stored in Kube, we cannot easily change the implementation later + // TODO hydra uses the fosite.Request struct and ignores the extra fields in fosite.AuthorizeRequest + request, err := validateAndExtractAuthorizeRequest(requester) + if err != nil { + return err + } + + // TODO hydra stores specific fields from the requester + // request ID + // requestedAt + // OAuth client ID + // requested scopes, granted scopes + // requested audience, granted audience + // url encoded request form + // session as JSON bytes with (optional) encryption + // session subject + // consent challenge from session which is the identifier ("authorization challenge") + // of the consent authorization request. It is used to identify the session. + // signature for lookup in the DB + + _, err = a.storage.Create(ctx, signature, &AuthorizeCodeSession{Active: true, Request: request, Version: authorizeCodeStorageVersion}) + return err +} + +func (a *authorizeCodeStorage) GetAuthorizeCodeSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error) { + // TODO hydra uses the incoming fosite.Session to provide the type needed to json.Unmarshal their session bytes + + // TODO hydra gets the client from its DB as a concrete type via client ID, + // the hydra memory client just validates that the client ID exists + + // TODO hydra uses the sha512.Sum384 hash of signature when using JWT as access token to reduce length + + session, _, err := a.getSession(ctx, signature) + + // we need to always pass both the request and error back + if session == nil { + return nil, err + } + + return session.Request, err +} + +func (a *authorizeCodeStorage) InvalidateAuthorizeCodeSession(ctx context.Context, signature string) error { + // TODO write garbage collector for these codes + + session, rv, err := a.getSession(ctx, signature) + if err != nil { + return err + } + + session.Active = false + if _, err := a.storage.Update(ctx, signature, rv, session); err != nil { + if errors.IsConflict(err) { + return &errSerializationFailureWithCause{cause: err} + } + return err + } + + return nil +} + +func (a *authorizeCodeStorage) getSession(ctx context.Context, signature string) (*AuthorizeCodeSession, string, error) { + session := NewValidEmptyAuthorizeCodeSession() + rv, err := a.storage.Get(ctx, signature, session) + + if errors.IsNotFound(err) { + return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error()) + } + + if err != nil { + return nil, "", fmt.Errorf("failed to get authorization code session for %s: %w", signature, err) + } + + if version := session.Version; version != authorizeCodeStorageVersion { + return nil, "", fmt.Errorf("%w: authorization code session for %s has version %s instead of %s", + ErrInvalidAuthorizeRequestVersion, signature, version, authorizeCodeStorageVersion) + } + + if session.Request == nil { + return nil, "", fmt.Errorf("malformed authorization code session for %s: %w", signature, ErrInvalidAuthorizeRequestData) + } + + // we must return the session in this case to allow fosite to revoke the associated tokens + if !session.Active { + return session, rv, fmt.Errorf("authorization code session for %s has already been used: %w", signature, fosite.ErrInvalidatedAuthorizeCode) + } + + return session, rv, nil +} + +func NewValidEmptyAuthorizeCodeSession() *AuthorizeCodeSession { + return &AuthorizeCodeSession{ + Request: &fosite.AuthorizeRequest{ + Request: fosite.Request{ + Client: &fosite.DefaultOpenIDConnectClient{}, + Session: &openid.DefaultSession{}, + }, + }, + } +} + +func validateAndExtractAuthorizeRequest(requester fosite.Requester) (*fosite.AuthorizeRequest, error) { + request, ok1 := requester.(*fosite.AuthorizeRequest) + if !ok1 { + return nil, ErrInvalidAuthorizeRequestType + } + _, ok2 := request.Client.(*fosite.DefaultOpenIDConnectClient) + _, ok3 := request.Session.(*openid.DefaultSession) + + valid := ok2 && ok3 + if !valid { + return nil, ErrInvalidAuthorizeRequestType + } + + return request, nil +} + +var _ interface { + Is(error) bool + Unwrap() error + error +} = &errSerializationFailureWithCause{} + +type errSerializationFailureWithCause struct { + cause error +} + +func (e *errSerializationFailureWithCause) Is(err error) bool { + return stderrors.Is(fosite.ErrSerializationFailure, err) +} + +func (e *errSerializationFailureWithCause) Unwrap() error { + return e.cause +} + +func (e *errSerializationFailureWithCause) Error() string { + return fmt.Sprintf("%s: %s", fosite.ErrSerializationFailure, e.cause) +} + +// ExpectedAuthorizeCodeSessionJSONFromFuzzing is used for round tripping tests. +// It is exported to allow integration tests to use it. +const ExpectedAuthorizeCodeSessionJSONFromFuzzing = `{ + "active": true, + "request": { + "responseTypes": [ + "¥Îʒ襧.ɕ7崛瀇莒AȒ[ɠ牐7#$ɭ", + ".5ȿELj9ûF済(D疻翋膗", + "螤Yɫüeɯ紤邥翔勋\\RBʒ;-" + ], + "redirectUri": { + "Scheme": "ħesƻU赒M喦_ģ", + "Opaque": "Ġ/_章Ņ缘T蝟NJ儱礹燃ɢ", + "User": {}, + "Host": "ȳ4螘Wo", + "Path": "}i{", + "RawPath": "5Dža丝eF0eė鱊hǒx蔼Q", + "ForceQuery": true, + "RawQuery": "熤1bbWV", + "Fragment": "ȋc剠鏯ɽÿ¸", + "RawFragment": "qƤ" + }, + "state": "@n,x竘Şǥ嗾稀'ã击漰怼禝穞梠Ǫs", + "handledResponseTypes": [ + "m\"e尚鬞ƻɼ抹d誉y鿜Ķ" + ], + "id": "ō澩ć|3U2Ǜl霨ǦǵpƉ", + "requestedAt": "1989-11-05T17:02:31.105295894-05:00", + "client": { + "id": "[:c顎疻紵D", + "client_secret": "mQ==", + "redirect_uris": [ + "恣S@T嵇LJV,Æ櫔袆鋹奘菲", + "ãƻʚ肈ą8O+a駣Ʉɼk瘸'鴵y" + ], + "grant_types": [ + ".湆ê\"唐", + "曎餄FxD溪躲珫ÈşɜȨû臓嬣\"ǃŤz" + ], + "response_types": [ + "Ņʘʟ車sʊ儓JǐŪɺǣy|耑ʄ" + ], + "scopes": [ + "Ą", + "萙Į(潶饏熞ĝƌĆ1", + "əȤ4Į筦p煖鵄$睱奐耡q" + ], + "audience": [ + "Ʃǣ鿫/Ò敫ƤV" + ], + "public": true, + "jwks_uri": "ȩđ[嬧鱒Ȁ彆媚杨嶒ĤG", + "jwks": { + "keys": [ + { + "kty": "OKP", + "crv": "Ed25519", + "x": "JmA-6KpjzqKu0lq9OiB6ORL4s2UzBFPsE1hm6vESeXM", + "x5u": { + "Scheme": "", + "Opaque": "", + "User": null, + "Host": "", + "Path": "", + "RawPath": "", + "ForceQuery": false, + "RawQuery": "", + "Fragment": "", + "RawFragment": "" + } + }, + { + "kty": "OKP", + "crv": "Ed25519", + "x": "LbRC1_3HEe5o7Japk9jFp3_7Ou7Gi2gpqrVrIi0eLDQ", + "x5u": { + "Scheme": "", + "Opaque": "", + "User": null, + "Host": "", + "Path": "", + "RawPath": "", + "ForceQuery": false, + "RawQuery": "", + "Fragment": "", + "RawFragment": "" + } + }, + { + "kty": "OKP", + "crv": "Ed25519", + "x": "Ovk4DF8Yn3mkULuTqnlGJxFnKGu9EL6Xcf2Nql9lK3c", + "x5u": { + "Scheme": "", + "Opaque": "", + "User": null, + "Host": "", + "Path": "", + "RawPath": "", + "ForceQuery": false, + "RawQuery": "", + "Fragment": "", + "RawFragment": "" + } + } + ] + }, + "token_endpoint_auth_method": "\u0026(K鵢Kj ŏ9Q韉Ķ%嶑輫ǘ(", + "request_uris": [ + ":", + "6ě#嫀^xz Ū胧r" + ], + "request_object_signing_alg": "^¡!犃ĹĐJí¿ō擫ų懫砰¿", + "token_endpoint_auth_signing_alg": "ƈŮå" + }, + "scopes": [ + "阃.Ù頀ʌGa皶竇瞍涘¹", + "ȽŮ切衖庀ŰŒ矠", + "楓)馻řĝǕ菸Tĕ1伞柲\u003c\"ʗȆ\\雤" + ], + "grantedScopes": [ + "ơ鮫R嫁ɍUƞ9+u!Ȱ", + "}Ă岜" + ], + "form": { + "旸Ť/Õ薝隧;綡,鼞纂=": [ + "[滮]憀", + "3\u003eÙœ蓄UK嗤眇疟Țƒ1v¸KĶ" + ] + }, + "session": { + "Claims": { + "JTI": "};Ų斻遟a衪荖舃", + "Issuer": "芠顋敀拲h蝺$!", + "Subject": "}j%(=ſ氆]垲莲顇", + "Audience": [ + "彑V\\廳蟕Țǡ蔯ʠ浵Ī龉磈螖畭5", + "渇Ȯʕc" + ], + "Nonce": "Ǖ=rlƆ褡{ǏS", + "ExpiresAt": "1975-11-17T09:21:34.205609651-05:00", + "IssuedAt": "2104-07-03T11:40:03.66710966-04:00", + "RequestedAt": "2031-05-18T01:14:19.449350555-04:00", + "AuthTime": "2018-01-27T02:55:06.056862114-05:00", + "AccessTokenHash": "鹰肁躧", + "AuthenticationContextClassReference": "}Ɇ", + "AuthenticationMethodsReference": "DQh:uȣ", + "CodeHash": "ɘȏıȒ諃龟", + "Extra": { + "a": { + "^i臏f恡ƨ彮": { + "DĘ敨ýÏʥZq7烱藌\\": null, + "V": { + "őŧQĝ微'X焌襱ǭɕņ殥!_n": false + } + }, + "Ż猁": [ + 1706822246 + ] + }, + "Ò椪)ɫqň2搞Ŀ高摠鲒鿮禗O": 1233332227 + } + }, + "Headers": { + "Extra": { + "?戋璖$9\u0026": { + "µcɕ餦ÑEǰ哤癨浦浏1R": [ + 3761201123 + ], + "頓ć§蚲6rǦ\u003cqċ": { + "Łʀ§ȏœɽDz斡冭ȸěaʜD捛?½ʀ+": null, + "ɒúIJ誠ƉyÖ.峷1藍殙菥趏": { + "jHȬȆ#)\u003cX": true + } + } + }, + "U": 1354158262 + } + }, + "ExpiresAt": { + "\"嘬ȹĹaó剺撱Ȱ": "1985-09-09T00:35:40.533197189-04:00", + "ʆ\u003e": "1998-08-07T01:37:11.759718906-04:00", + "柏ʒ鴙*鸆偡Ȓ肯Ûx": "2036-12-19T01:36:14.414805124-05:00" + }, + "Username": "qmʎaðƠ绗ʢ緦Hū", + "Subject": "屾Ê窢ɋ鄊qɠ谫ǯǵƕ牀1鞊\\ȹ)" + }, + "requestedAudience": [ + "鉍商OɄƣ圔,xĪɏV鵅砍" + ], + "grantedAudience": [ + "C笜嚯\u003cǐšɚĀĥʋ6鉅\\þc涎漄Ɨ腼" + ] + }, + "version": "1" +}` diff --git a/internal/fosite/authorizationcode/authorizationcode_test.go b/internal/fosite/authorizationcode/authorizationcode_test.go new file mode 100644 index 00000000..beb433bf --- /dev/null +++ b/internal/fosite/authorizationcode/authorizationcode_test.go @@ -0,0 +1,335 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package authorizationcode + +import ( + "context" + "crypto/ed25519" + "crypto/x509" + "encoding/json" + "math/rand" + "net/url" + "strings" + "testing" + "time" + + fuzz "github.com/google/gofuzz" + "github.com/ory/fosite" + "github.com/ory/fosite/handler/oauth2" + "github.com/ory/fosite/handler/openid" + "github.com/stretchr/testify/require" + "gopkg.in/square/go-jose.v2" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/client-go/kubernetes/fake" + coretesting "k8s.io/client-go/testing" +) + +func TestAuthorizeCodeStorage(t *testing.T) { + ctx := context.Background() + secretsGVR := schema.GroupVersionResource{ + Group: "", + Version: "v1", + Resource: "secrets", + } + + const namespace = "test-ns" + + type mocker interface { + AddReactor(verb, resource string, reaction coretesting.ReactionFunc) + PrependReactor(verb, resource string, reaction coretesting.ReactionFunc) + Tracker() coretesting.ObjectTracker + } + + tests := []struct { + name string + mocks func(*testing.T, mocker) + run func(*testing.T, oauth2.AuthorizeCodeStorage) error + wantActions []coretesting.Action + wantSecrets []corev1.Secret + wantErr string + }{ + { + name: "create, get, invalidate standard flow", + mocks: nil, + run: func(t *testing.T, storage oauth2.AuthorizeCodeStorage) error { + request := &fosite.AuthorizeRequest{ + ResponseTypes: fosite.Arguments{"not-code"}, + RedirectURI: &url.URL{ + Scheme: "", + Opaque: "weee", + User: &url.Userinfo{}, + Host: "", + Path: "/callback", + RawPath: "", + ForceQuery: false, + RawQuery: "", + Fragment: "", + RawFragment: "", + }, + State: "stated", + HandledResponseTypes: fosite.Arguments{"not-type"}, + Request: fosite.Request{ + ID: "abcd-1", + RequestedAt: time.Time{}, + Client: &fosite.DefaultOpenIDConnectClient{ + DefaultClient: &fosite.DefaultClient{ + ID: "pinny", + Secret: nil, + RedirectURIs: nil, + GrantTypes: nil, + ResponseTypes: nil, + Scopes: nil, + Audience: nil, + Public: true, + }, + JSONWebKeysURI: "where", + JSONWebKeys: nil, + TokenEndpointAuthMethod: "something", + RequestURIs: nil, + RequestObjectSigningAlgorithm: "", + TokenEndpointAuthSigningAlgorithm: "", + }, + RequestedScope: nil, + GrantedScope: nil, + Form: url.Values{"key": []string{"val"}}, + Session: &openid.DefaultSession{ + Claims: nil, + Headers: nil, + ExpiresAt: nil, + Username: "snorlax", + Subject: "panda", + }, + RequestedAudience: nil, + GrantedAudience: nil, + }, + } + err := storage.CreateAuthorizeCodeSession(ctx, "fancy-signature", request) + require.NoError(t, err) + + newRequest, err := storage.GetAuthorizeCodeSession(ctx, "fancy-signature", nil) + require.NoError(t, err) + require.Equal(t, request, newRequest) + + return storage.InvalidateAuthorizeCodeSession(ctx, "fancy-signature") + }, + wantActions: []coretesting.Action{ + coretesting.NewCreateAction(secretsGVR, namespace, &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-authorization-codes-pwu5zs7lekbhnln2w4", + ResourceVersion: "", + Labels: map[string]string{ + "storage.pinniped.dev": "authorization-codes", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"active":true,"request":{"responseTypes":["not-code"],"redirectUri":{"Scheme":"","Opaque":"weee","User":{},"Host":"","Path":"/callback","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"state":"stated","handledResponseTypes":["not-type"],"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"requestedAudience":null,"grantedAudience":null},"version":"1"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: "storage.pinniped.dev/authorization-codes", + }), + coretesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-authorization-codes-pwu5zs7lekbhnln2w4"), + coretesting.NewGetAction(secretsGVR, namespace, "pinniped-storage-authorization-codes-pwu5zs7lekbhnln2w4"), + coretesting.NewUpdateAction(secretsGVR, namespace, &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-authorization-codes-pwu5zs7lekbhnln2w4", + ResourceVersion: "", + Labels: map[string]string{ + "storage.pinniped.dev": "authorization-codes", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"active":false,"request":{"responseTypes":["not-code"],"redirectUri":{"Scheme":"","Opaque":"weee","User":{},"Host":"","Path":"/callback","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"state":"stated","handledResponseTypes":["not-type"],"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"requestedAudience":null,"grantedAudience":null},"version":"1"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: "storage.pinniped.dev/authorization-codes", + }), + }, + wantSecrets: []corev1.Secret{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "pinniped-storage-authorization-codes-pwu5zs7lekbhnln2w4", + Namespace: namespace, + ResourceVersion: "", + Labels: map[string]string{ + "storage.pinniped.dev": "authorization-codes", + }, + }, + Data: map[string][]byte{ + "pinniped-storage-data": []byte(`{"active":false,"request":{"responseTypes":["not-code"],"redirectUri":{"Scheme":"","Opaque":"weee","User":{},"Host":"","Path":"/callback","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"state":"stated","handledResponseTypes":["not-type"],"id":"abcd-1","requestedAt":"0001-01-01T00:00:00Z","client":{"id":"pinny","redirect_uris":null,"grant_types":null,"response_types":null,"scopes":null,"audience":null,"public":true,"jwks_uri":"where","jwks":null,"token_endpoint_auth_method":"something","request_uris":null,"request_object_signing_alg":"","token_endpoint_auth_signing_alg":""},"scopes":null,"grantedScopes":null,"form":{"key":["val"]},"session":{"Claims":null,"Headers":null,"ExpiresAt":null,"Username":"snorlax","Subject":"panda"},"requestedAudience":null,"grantedAudience":null},"version":"1"}`), + "pinniped-storage-version": []byte("1"), + }, + Type: "storage.pinniped.dev/authorization-codes", + }, + }, + wantErr: "", + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + client := fake.NewSimpleClientset() + if tt.mocks != nil { + tt.mocks(t, client) + } + secrets := client.CoreV1().Secrets(namespace) + storage := New(secrets) + + err := tt.run(t, storage) + + require.Equal(t, tt.wantErr, errString(err)) + require.Equal(t, tt.wantActions, client.Actions()) + + actualSecrets, err := secrets.List(ctx, metav1.ListOptions{}) + require.NoError(t, err) + require.Equal(t, tt.wantSecrets, actualSecrets.Items) + }) + } +} + +func errString(err error) string { + if err == nil { + return "" + } + + return err.Error() +} + +// TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession asserts that we can correctly round trip our authorize code session. +// It will detect any changes to fosite.AuthorizeRequest and guarantees that all interface types have concrete implementations. +func TestFuzzAndJSONNewValidEmptyAuthorizeCodeSession(t *testing.T) { + validSession := NewValidEmptyAuthorizeCodeSession() + + // sanity check our valid session + extractedRequest, err := validateAndExtractAuthorizeRequest(validSession.Request) + require.NoError(t, err) + require.Equal(t, validSession.Request, extractedRequest) + + // checked above + defaultClient := validSession.Request.Request.Client.(*fosite.DefaultOpenIDConnectClient) + defaultSession := validSession.Request.Request.Session.(*openid.DefaultSession) + + // makes it easier to use a raw string + replacer := strings.NewReplacer("`", "a") + randString := func(c fuzz.Continue) string { + for { + s := c.RandString() + if len(s) == 0 { + continue // skip empty string + } + return replacer.Replace(s) + } + } + + // deterministic fuzzing of fosite.AuthorizeRequest + f := fuzz.New().RandSource(rand.NewSource(1)).NilChance(0).NumElements(1, 3).Funcs( + // these functions guarantee that these are the only interface types we need to fill out + // if fosite.AuthorizeRequest changes to add more, the fuzzer will panic + func(fc *fosite.Client, c fuzz.Continue) { + c.Fuzz(defaultClient) + *fc = defaultClient + }, + func(fs *fosite.Session, c fuzz.Continue) { + c.Fuzz(defaultSession) + *fs = defaultSession + }, + + // these types contain an interface{} that we need to handle + // this is safe because we explicitly provide the openid.DefaultSession concrete type + func(value *map[string]interface{}, c fuzz.Continue) { + // cover all the JSON data types just in case + *value = map[string]interface{}{ + randString(c): float64(c.Intn(1 << 32)), + randString(c): map[string]interface{}{ + randString(c): []interface{}{float64(c.Intn(1 << 32))}, + randString(c): map[string]interface{}{ + randString(c): nil, + randString(c): map[string]interface{}{ + randString(c): c.RandBool(), + }, + }, + }, + } + }, + // JWK contains an interface{} Key that we need to handle + // this is safe because JWK explicitly implements JSON marshalling and unmarshalling + func(jwk *jose.JSONWebKey, c fuzz.Continue) { + key, _, err := ed25519.GenerateKey(c) + require.NoError(t, err) + jwk.Key = key + + // set these fields to make the .Equal comparison work + jwk.Certificates = []*x509.Certificate{} + jwk.CertificatesURL = &url.URL{} + jwk.CertificateThumbprintSHA1 = []byte{} + jwk.CertificateThumbprintSHA256 = []byte{} + }, + + // set this to make the .Equal comparison work + // this is safe because Time explicitly implements JSON marshalling and unmarshalling + func(tp *time.Time, c fuzz.Continue) { + *tp = time.Unix(c.Int63n(1<<32), c.Int63n(1<<32)) + }, + + // make random strings that do not contain any ` characters + func(s *string, c fuzz.Continue) { + *s = randString(c) + }, + // handle string type alias + func(s *fosite.TokenType, c fuzz.Continue) { + *s = fosite.TokenType(randString(c)) + }, + // handle string type alias + func(s *fosite.Arguments, c fuzz.Continue) { + n := c.Intn(3) + 1 // 1 to 3 items + arguments := make(fosite.Arguments, n) + for i := range arguments { + arguments[i] = randString(c) + } + *s = arguments + }, + ) + + f.Fuzz(validSession) + + const name = "fuzz" // value is irrelevant + ctx := context.Background() + secrets := fake.NewSimpleClientset().CoreV1().Secrets(name) + storage := New(secrets) + + // issue a create using the fuzzed request to confirm that marshalling works + err = storage.CreateAuthorizeCodeSession(ctx, name, validSession.Request) + require.NoError(t, err) + + // retrieve a copy of the fuzzed request from storage to confirm that unmarshalling works + newRequest, err := storage.GetAuthorizeCodeSession(ctx, name, nil) + require.NoError(t, err) + + // the fuzzed request and the copy from storage should be exactly the same + require.Equal(t, validSession.Request, newRequest) + + secretList, err := secrets.List(ctx, metav1.ListOptions{}) + require.NoError(t, err) + require.Len(t, secretList.Items, 1) + authorizeCodeSessionJSONFromStorage := string(secretList.Items[0].Data["pinniped-storage-data"]) + + // set these to match CreateAuthorizeCodeSession so that .JSONEq works + validSession.Active = true + validSession.Version = "1" + + validSessionJSONBytes, err := json.MarshalIndent(validSession, "", "\t") + require.NoError(t, err) + authorizeCodeSessionJSONFromFuzzing := string(validSessionJSONBytes) + + // the fuzzed session and storage session should have identical JSON + require.JSONEq(t, authorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromStorage) + + // while the fuzzer will panic if AuthorizeRequest changes in a way that cannot be fuzzed, + // if it adds a new field that can be fuzzed, this check will fail + // thus if AuthorizeRequest changes, we will detect it here (though we could possibly miss an omitempty field) + require.Equal(t, ExpectedAuthorizeCodeSessionJSONFromFuzzing, authorizeCodeSessionJSONFromFuzzing) +} diff --git a/test/integration/storage_test.go b/test/integration/storage_test.go new file mode 100644 index 00000000..e2f3bdf2 --- /dev/null +++ b/test/integration/storage_test.go @@ -0,0 +1,105 @@ +// Copyright 2020 the Pinniped contributors. All Rights Reserved. +// SPDX-License-Identifier: Apache-2.0 + +package integration + +import ( + "context" + "encoding/json" + stderrors "errors" + "strings" + "testing" + "time" + + "github.com/ory/fosite" + "github.com/ory/fosite/compose" + "github.com/stretchr/testify/require" + "k8s.io/apimachinery/pkg/api/errors" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "go.pinniped.dev/internal/fosite/authorizationcode" + "go.pinniped.dev/test/library" +) + +func TestAuthorizeCodeStorage(t *testing.T) { + env := library.IntegrationEnv(t) + client := library.NewClientset(t) + + const ( + // randomly generated HMAC authorization code (see below) + code = "TQ72B8YjdEOZyxridYbTLE-pzoK4hpdkZxym5j4EmSc.TKRTgQG41IBQ16FDKTthRdhXfLlNaErcMd9Fy47uXAw" + // name of the secret that will be created in Kube + name = "pinniped-storage-authorization-codes-jssfhaibxdkiaugxufbsso3bixmfo7fzjvuevxbr35c4xdxolqga" + ) + + hmac := compose.NewOAuth2HMACStrategy(&compose.Config{}, []byte("super-secret-32-byte-for-testing"), nil) + // test data generation via: + // code, signature, err := hmac.GenerateAuthorizeCode(ctx, nil) + signature := hmac.AuthorizeCodeSignature(code) + + secrets := client.CoreV1().Secrets(env.SupervisorNamespace) + + t.Cleanup(func() { + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() + err := secrets.Delete(ctx, name, metav1.DeleteOptions{}) + require.NoError(t, err) + }) + + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() + + // get a session with most of the data filled out + session := authorizationcode.NewValidEmptyAuthorizeCodeSession() + err := json.Unmarshal([]byte(authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing), session) + require.NoError(t, err) + + storage := authorizationcode.New(secrets) + + // the session for this signature should not exist yet + notFoundRequest, err := storage.GetAuthorizeCodeSession(ctx, signature, nil) + require.Error(t, err) + require.True(t, stderrors.Is(err, fosite.ErrNotFound)) + require.Nil(t, notFoundRequest) + + err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request) + require.NoError(t, err) + + // trying to create the session again fails because it already exists + err = storage.CreateAuthorizeCodeSession(ctx, signature, session.Request) + require.Error(t, err) + require.True(t, errors.IsAlreadyExists(err)) + + // check that the data stored in Kube matches what we put in + initialSecret, err := secrets.Get(ctx, name, metav1.GetOptions{}) + require.NoError(t, err) + require.JSONEq(t, authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing, string(initialSecret.Data["pinniped-storage-data"])) + + // we should be able to get the session now and the request should be the same as what we put in + request, err := storage.GetAuthorizeCodeSession(ctx, signature, nil) + require.NoError(t, err) + require.Equal(t, session.Request, request) + + // simulate the authorization code being exchanged + err = storage.InvalidateAuthorizeCodeSession(ctx, signature) + require.NoError(t, err) + + // trying to use the code session more than once should fail + // getting an invalidated session should return an error and the request + invalidatedRequest, err := storage.GetAuthorizeCodeSession(ctx, signature, nil) + require.Error(t, err) + require.True(t, stderrors.Is(err, fosite.ErrInvalidatedAuthorizeCode)) + require.Equal(t, session.Request, invalidatedRequest) + + // trying to use the code session more than once should fail + err = storage.InvalidateAuthorizeCodeSession(ctx, signature) + require.Error(t, err) + require.True(t, stderrors.Is(err, fosite.ErrInvalidatedAuthorizeCode)) + + // the data stored in Kube should be exactly the same but it should be marked as used + invalidatedSecret, err := secrets.Get(ctx, name, metav1.GetOptions{}) + require.NoError(t, err) + expectedInvalidatedJSON := strings.Replace(authorizationcode.ExpectedAuthorizeCodeSessionJSONFromFuzzing, + `"active": true,`, `"active": false,`, 1) + require.JSONEq(t, expectedInvalidatedJSON, string(invalidatedSecret.Data["pinniped-storage-data"])) +}