Add NullStorage for the authorize endpoint to use

We want to run all of the fosite validations in the authorize
endpoint, but we don't need to store anything yet because
we are storing what we need for later in the upstream state
parameter.

Signed-off-by: Ryan Richard <richardry@vmware.com>
This commit is contained in:
Monis Khan 2020-11-11 14:49:24 -08:00 committed by Ryan Richard
parent 4b8c1de647
commit db6fc234b7
4 changed files with 143 additions and 20 deletions

View File

@ -14,8 +14,6 @@ import (
"testing" "testing"
"github.com/gorilla/securecookie" "github.com/gorilla/securecookie"
"github.com/ory/fosite"
"github.com/ory/fosite/storage"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"go.pinniped.dev/internal/here" "go.pinniped.dev/internal/here"
@ -123,12 +121,7 @@ func TestAuthorizationEndpoint(t *testing.T) {
issuer := "https://my-issuer.com/some-path" issuer := "https://my-issuer.com/some-path"
// Configure fosite the same way that the production code would, except use in-memory storage. // Configure fosite the same way that the production code would, except use in-memory storage.
oauthStore := &storage.MemoryStore{ oauthStore := oidc.NullStorage{}
Clients: map[string]fosite.Client{oidc.PinnipedCLIOIDCClient().ID: oidc.PinnipedCLIOIDCClient()},
AuthorizeCodes: map[string]storage.StoreAuthorizeCode{},
PKCES: map[string]fosite.Requester{},
IDSessions: map[string]fosite.Requester{},
}
hmacSecret := []byte("some secret - must have at least 32 bytes") hmacSecret := []byte("some secret - must have at least 32 bytes")
require.GreaterOrEqual(t, len(hmacSecret), 32, "fosite requires that hmac secrets have at least 32 bytes") require.GreaterOrEqual(t, len(hmacSecret), 32, "fosite requires that hmac secrets have at least 32 bytes")
oauthHelper := oidc.FositeOauth2Helper(oauthStore, hmacSecret) oauthHelper := oidc.FositeOauth2Helper(oauthStore, hmacSecret)

View File

@ -0,0 +1,101 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidc
import (
"context"
"time"
"github.com/ory/fosite"
"go.pinniped.dev/internal/constable"
)
const errNotImplemented = constable.Error("NullStorage does not implement this method. It should not have been called.")
type NullStorage struct{}
func (NullStorage) RevokeRefreshToken(_ context.Context, _ string) error {
return errNotImplemented
}
func (NullStorage) RevokeAccessToken(_ context.Context, _ string) error {
return errNotImplemented
}
func (NullStorage) CreateRefreshTokenSession(_ context.Context, _ string, _ fosite.Requester) (err error) {
return nil
}
func (NullStorage) GetRefreshTokenSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error) {
return nil, errNotImplemented
}
func (NullStorage) DeleteRefreshTokenSession(_ context.Context, _ string) (err error) {
return errNotImplemented
}
func (NullStorage) CreateAccessTokenSession(_ context.Context, _ string, _ fosite.Requester) (err error) {
return nil
}
func (NullStorage) GetAccessTokenSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error) {
return nil, errNotImplemented
}
func (NullStorage) DeleteAccessTokenSession(_ context.Context, _ string) (err error) {
return errNotImplemented
}
func (NullStorage) CreateOpenIDConnectSession(_ context.Context, _ string, _ fosite.Requester) error {
return nil
}
func (NullStorage) GetOpenIDConnectSession(_ context.Context, _ string, _ fosite.Requester) (fosite.Requester, error) {
return nil, errNotImplemented
}
func (NullStorage) DeleteOpenIDConnectSession(_ context.Context, _ string) error {
return errNotImplemented
}
func (NullStorage) GetPKCERequestSession(_ context.Context, _ string, _ fosite.Session) (fosite.Requester, error) {
return nil, errNotImplemented
}
func (NullStorage) CreatePKCERequestSession(_ context.Context, _ string, _ fosite.Requester) error {
return nil
}
func (NullStorage) DeletePKCERequestSession(_ context.Context, _ string) error {
return errNotImplemented
}
func (NullStorage) CreateAuthorizeCodeSession(_ context.Context, _ string, _ fosite.Requester) (err error) {
return nil
}
func (NullStorage) GetAuthorizeCodeSession(_ context.Context, _ string, _ fosite.Session) (request fosite.Requester, err error) {
return nil, errNotImplemented
}
func (NullStorage) InvalidateAuthorizeCodeSession(_ context.Context, _ string) (err error) {
return errNotImplemented
}
func (NullStorage) GetClient(_ context.Context, id string) (fosite.Client, error) {
client := PinnipedCLIOIDCClient()
if client.ID == id {
return client, nil
}
return nil, fosite.ErrNotFound
}
func (NullStorage) ClientAssertionJWTValid(_ context.Context, _ string) error {
return errNotImplemented
}
func (NullStorage) SetClientAssertionJWT(_ context.Context, _ string, _ time.Time) error {
return errNotImplemented
}

View File

@ -0,0 +1,36 @@
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
package oidc
import (
"context"
"testing"
"github.com/ory/fosite"
"github.com/stretchr/testify/require"
)
func TestNullStorage_GetClient(t *testing.T) {
storage := NullStorage{}
client, err := storage.GetClient(context.Background(), "some-other-client")
require.Equal(t, fosite.ErrNotFound, err)
require.Zero(t, client)
client, err = storage.GetClient(context.Background(), "pinniped-cli")
require.NoError(t, err)
require.Equal(t,
&fosite.DefaultOpenIDConnectClient{
DefaultClient: &fosite.DefaultClient{
ID: "pinniped-cli",
Public: true,
RedirectURIs: []string{"http://127.0.0.1/callback"},
ResponseTypes: []string{"code"},
GrantTypes: []string{"authorization_code"},
Scopes: []string{"openid", "profile", "email"},
},
},
client,
)
}

View File

@ -9,8 +9,6 @@ import (
"sync" "sync"
"github.com/gorilla/securecookie" "github.com/gorilla/securecookie"
"github.com/ory/fosite"
"github.com/ory/fosite/storage"
"go.pinniped.dev/internal/oidc" "go.pinniped.dev/internal/oidc"
"go.pinniped.dev/internal/oidc/auth" "go.pinniped.dev/internal/oidc/auth"
@ -70,17 +68,12 @@ func (m *Manager) SetProviders(oidcProviders ...*provider.OIDCProvider) {
jwksURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.JWKSEndpointPath jwksURL := strings.ToLower(incomingProvider.IssuerHost()) + "/" + incomingProvider.IssuerPath() + oidc.JWKSEndpointPath
m.providerHandlers[jwksURL] = jwks.NewHandler(incomingProvider.Issuer(), m.dynamicJWKSProvider) m.providerHandlers[jwksURL] = jwks.NewHandler(incomingProvider.Issuer(), m.dynamicJWKSProvider)
// Each OIDC provider gets its own storage. // Use NullStorage for the authorize endpoint because we do not actually want to store anything until
oauthStore := &storage.MemoryStore{ // the upstream callback endpoint is called later.
Clients: map[string]fosite.Client{oidc.PinnipedCLIOIDCClient().ID: oidc.PinnipedCLIOIDCClient()}, oauthHelper := oidc.FositeOauth2Helper(oidc.NullStorage{}, []byte("some secret - must have at least 32 bytes")) // TODO replace this secret
AuthorizeCodes: map[string]storage.StoreAuthorizeCode{},
PKCES: map[string]fosite.Requester{},
IDSessions: map[string]fosite.Requester{},
}
oauthHelper := oidc.FositeOauth2Helper(oauthStore, []byte("some secret - must have at least 32 bytes")) // TODO replace this secret
var encoderHashKey = []byte("fake-hash-secret") // TODO fix this var encoderHashKey = []byte("fake-hash-secret") // TODO replace this secret
var encoderBlockKey = []byte("16-bytes-aaaaaaa") // TODO fix this var encoderBlockKey = []byte("16-bytes-aaaaaaa") // TODO replace this secret
var encoder = securecookie.New(encoderHashKey, encoderBlockKey) var encoder = securecookie.New(encoderHashKey, encoderBlockKey)
encoder.SetSerializer(securecookie.JSONEncoder{}) encoder.SetSerializer(securecookie.JSONEncoder{})