mirror of
https://github.com/coder/coder.git
synced 2025-07-03 16:13:58 +00:00
feat: implement disabling oidc issuer checks (#13991)
* use DANGEROUS prefix and drop a warning log
This commit is contained in:
Steven Masley
GitHub
@ -97,6 +97,9 @@ type FakeIDP struct {
|
||||
deviceCode *syncmap.Map[string, deviceFlow]
|
||||
|
||||
// hooks
|
||||
// hookWellKnown allows mutating the returned .well-known/configuration JSON.
|
||||
// Using this can break the IDP configuration, so be careful.
|
||||
hookWellKnown func(r *http.Request, j *ProviderJSON) error
|
||||
// hookValidRedirectURL can be used to reject a redirect url from the
|
||||
// IDP -> Application. Almost all IDPs have the concept of
|
||||
// "Authorized Redirect URLs". This can be used to emulate that.
|
||||
@ -151,6 +154,12 @@ func WithMiddlewares(mws ...func(http.Handler) http.Handler) func(*FakeIDP) {
|
||||
}
|
||||
}
|
||||
|
||||
func WithHookWellKnown(hook func(r *http.Request, j *ProviderJSON) error) func(*FakeIDP) {
|
||||
return func(f *FakeIDP) {
|
||||
f.hookWellKnown = hook
|
||||
}
|
||||
}
|
||||
|
||||
// WithRefresh is called when a refresh token is used. The email is
|
||||
// the email of the user that is being refreshed assuming the claims are correct.
|
||||
func WithRefresh(hook func(email string) error) func(*FakeIDP) {
|
||||
@ -753,7 +762,16 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
|
||||
mux.Get("/.well-known/openid-configuration", func(rw http.ResponseWriter, r *http.Request) {
|
||||
f.logger.Info(r.Context(), "http OIDC config", slogRequestFields(r)...)
|
||||
|
||||
_ = json.NewEncoder(rw).Encode(f.provider)
|
||||
cpy := f.provider
|
||||
if f.hookWellKnown != nil {
|
||||
err := f.hookWellKnown(r, &cpy)
|
||||
if err != nil {
|
||||
http.Error(rw, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
_ = json.NewEncoder(rw).Encode(cpy)
|
||||
})
|
||||
|
||||
// Authorize is called when the user is redirected to the IDP to login.
|
||||
@ -1371,8 +1389,11 @@ func (f *FakeIDP) AppCredentials() (clientID string, clientSecret string) {
|
||||
return f.clientID, f.clientSecret
|
||||
}
|
||||
|
||||
// OIDCConfig returns the OIDC config to use for Coderd.
|
||||
func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
|
||||
func (f *FakeIDP) PublicKey() crypto.PublicKey {
|
||||
return f.key.Public()
|
||||
}
|
||||
|
||||
func (f *FakeIDP) OauthConfig(t testing.TB, scopes []string) *oauth2.Config {
|
||||
t.Helper()
|
||||
|
||||
if len(scopes) == 0 {
|
||||
@ -1391,22 +1412,50 @@ func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *co
|
||||
RedirectURL: "https://redirect.com",
|
||||
Scopes: scopes,
|
||||
}
|
||||
f.cfg = oauthCfg
|
||||
|
||||
ctx := oidc.ClientContext(context.Background(), f.HTTPClient(nil))
|
||||
return oauthCfg
|
||||
}
|
||||
|
||||
func (f *FakeIDP) OIDCConfigSkipIssuerChecks(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
|
||||
ctx := oidc.InsecureIssuerURLContext(context.Background(), f.issuer)
|
||||
|
||||
return f.internalOIDCConfig(ctx, t, scopes, func(config *oidc.Config) {
|
||||
config.SkipIssuerCheck = true
|
||||
}, opts...)
|
||||
}
|
||||
|
||||
func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
|
||||
return f.internalOIDCConfig(context.Background(), t, scopes, nil, opts...)
|
||||
}
|
||||
|
||||
// OIDCConfig returns the OIDC config to use for Coderd.
|
||||
func (f *FakeIDP) internalOIDCConfig(ctx context.Context, t testing.TB, scopes []string, verifierOpt func(config *oidc.Config), opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
|
||||
t.Helper()
|
||||
|
||||
oauthCfg := f.OauthConfig(t, scopes)
|
||||
|
||||
ctx = oidc.ClientContext(ctx, f.HTTPClient(nil))
|
||||
p, err := oidc.NewProvider(ctx, f.provider.Issuer)
|
||||
require.NoError(t, err, "failed to create OIDC provider")
|
||||
|
||||
verifierConfig := &oidc.Config{
|
||||
ClientID: oauthCfg.ClientID,
|
||||
SupportedSigningAlgs: []string{
|
||||
"RS256",
|
||||
},
|
||||
// Todo: add support for Now()
|
||||
}
|
||||
if verifierOpt != nil {
|
||||
verifierOpt(verifierConfig)
|
||||
}
|
||||
|
||||
cfg := &coderd.OIDCConfig{
|
||||
OAuth2Config: oauthCfg,
|
||||
Provider: p,
|
||||
Verifier: oidc.NewVerifier(f.provider.Issuer, &oidc.StaticKeySet{
|
||||
PublicKeys: []crypto.PublicKey{f.key.Public()},
|
||||
}, &oidc.Config{
|
||||
ClientID: oauthCfg.ClientID,
|
||||
SupportedSigningAlgs: []string{
|
||||
"RS256",
|
||||
},
|
||||
// Todo: add support for Now()
|
||||
}),
|
||||
}, verifierConfig),
|
||||
UsernameField: "preferred_username",
|
||||
EmailField: "email",
|
||||
AuthURLParams: map[string]string{"access_type": "offline"},
|
||||
@ -1419,13 +1468,12 @@ func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *co
|
||||
opt(cfg)
|
||||
}
|
||||
|
||||
f.cfg = oauthCfg
|
||||
return cfg
|
||||
}
|
||||
|
||||
func (f *FakeIDP) getClaims(m *syncmap.Map[string, jwt.MapClaims], key string) (jwt.MapClaims, bool) {
|
||||
v, ok := m.Load(key)
|
||||
if !ok {
|
||||
if !ok || v == nil {
|
||||
if f.defaultIDClaims != nil {
|
||||
return f.defaultIDClaims, true
|
||||
}
|
||||
|
||||
@ -2,19 +2,22 @@ package oidctest_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v4"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"golang.org/x/xerrors"
|
||||
|
||||
"github.com/coreos/go-oidc/v3/oidc"
|
||||
"github.com/stretchr/testify/require"
|
||||
"golang.org/x/oauth2"
|
||||
|
||||
"github.com/coder/coder/v2/coderd"
|
||||
"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
|
||||
"github.com/coder/coder/v2/testutil"
|
||||
)
|
||||
|
||||
// TestFakeIDPBasicFlow tests the basic flow of the fake IDP.
|
||||
@ -27,12 +30,6 @@ func TestFakeIDPBasicFlow(t *testing.T) {
|
||||
oidctest.WithLogging(t, nil),
|
||||
)
|
||||
|
||||
var handler http.Handler
|
||||
srv := httptest.NewServer(http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
handler.ServeHTTP(w, r)
|
||||
})))
|
||||
defer srv.Close()
|
||||
|
||||
cfg := fake.OIDCConfig(t, nil)
|
||||
cli := fake.HTTPClient(nil)
|
||||
ctx := oidc.ClientContext(context.Background(), cli)
|
||||
@ -71,3 +68,84 @@ func TestFakeIDPBasicFlow(t *testing.T) {
|
||||
require.NoError(t, err, "failed to refresh token")
|
||||
require.NotEmpty(t, refreshed.AccessToken, "access token is empty on refresh")
|
||||
}
|
||||
|
||||
// TestIDPIssuerMismatch emulates a situation where the IDP issuer url does
|
||||
// not match the one in the well-known config and claims.
|
||||
// This can happen in some edge cases and in some azure configurations.
|
||||
//
|
||||
// This test just makes sure a fake IDP can set up this scenario.
|
||||
func TestIDPIssuerMismatch(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
const proxyURL = "https://proxy.com"
|
||||
const primaryURL = "https://primary.com"
|
||||
|
||||
fake := oidctest.NewFakeIDP(t,
|
||||
oidctest.WithIssuer(proxyURL),
|
||||
oidctest.WithDefaultIDClaims(jwt.MapClaims{
|
||||
"iss": primaryURL,
|
||||
}),
|
||||
oidctest.WithHookWellKnown(func(r *http.Request, j *oidctest.ProviderJSON) error {
|
||||
// host should be proxy.com, but we return the primaryURL
|
||||
if r.Host != "proxy.com" {
|
||||
return xerrors.Errorf("unexpected host: %s", r.Host)
|
||||
}
|
||||
j.Issuer = primaryURL
|
||||
return nil
|
||||
}),
|
||||
oidctest.WithLogging(t, nil),
|
||||
)
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
// Do not use real network requests
|
||||
cli := fake.HTTPClient(nil)
|
||||
ctx = oidc.ClientContext(ctx, cli)
|
||||
|
||||
// Allow the issuer mismatch
|
||||
verifierContext := oidc.InsecureIssuerURLContext(ctx, "this field does not matter")
|
||||
p, err := oidc.NewProvider(verifierContext, "https://proxy.com")
|
||||
require.NoError(t, err, "failed to create OIDC provider")
|
||||
|
||||
oauthConfig := fake.OauthConfig(t, nil)
|
||||
cfg := &coderd.OIDCConfig{
|
||||
OAuth2Config: oauthConfig,
|
||||
Provider: p,
|
||||
Verifier: oidc.NewVerifier(fake.WellknownConfig().Issuer, &oidc.StaticKeySet{
|
||||
PublicKeys: []crypto.PublicKey{fake.PublicKey()},
|
||||
}, &oidc.Config{
|
||||
SkipIssuerCheck: true,
|
||||
ClientID: oauthConfig.ClientID,
|
||||
SupportedSigningAlgs: []string{
|
||||
"RS256",
|
||||
},
|
||||
}),
|
||||
UsernameField: "preferred_username",
|
||||
EmailField: "email",
|
||||
AuthURLParams: map[string]string{"access_type": "offline"},
|
||||
}
|
||||
|
||||
const expectedState = "random-state"
|
||||
var token *oauth2.Token
|
||||
|
||||
fake.SetCoderdCallbackHandler(func(w http.ResponseWriter, r *http.Request) {
|
||||
// Emulate OIDC flow
|
||||
code := r.URL.Query().Get("code")
|
||||
state := r.URL.Query().Get("state")
|
||||
assert.Equal(t, expectedState, state, "state mismatch")
|
||||
|
||||
oauthToken, err := cfg.Exchange(ctx, code)
|
||||
if assert.NoError(t, err, "failed to exchange code") {
|
||||
assert.NotEmpty(t, oauthToken.AccessToken, "access token is empty")
|
||||
assert.NotEmpty(t, oauthToken.RefreshToken, "refresh token is empty")
|
||||
}
|
||||
token = oauthToken
|
||||
})
|
||||
|
||||
//nolint:bodyclose
|
||||
resp := fake.OIDCCallback(t, expectedState, nil) // Use default claims
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
|
||||
idToken, err := cfg.Verifier.Verify(ctx, token.Extra("id_token").(string))
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, primaryURL, idToken.Issuer)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user