[ARVADOS] updated: 1.3.0-2614-g075b0bca2
Git user
git at public.arvados.org
Thu Jun 4 15:45:26 UTC 2020
Summary of changes:
lib/config/config.default.yml | 12 +++++
lib/config/generated_config.go | 12 +++++
lib/controller/localdb/login.go | 22 ++++++++-
lib/controller/localdb/login_oidc.go | 79 ++++++++++++++++---------------
lib/controller/localdb/login_oidc_test.go | 47 ++++++++++++++++--
5 files changed, 130 insertions(+), 42 deletions(-)
via 075b0bca20ddbbde3210949ebf8012e49e5317f4 (commit)
via c53df2193d573bec0c534a7bf80af578d4d57502 (commit)
via 18de6db7e6f2336d69aad9dad7691ed123bec509 (commit)
from 15dbaf151a72d5cfc00b4ea4b4bcb64c7ed9ac14 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 075b0bca20ddbbde3210949ebf8012e49e5317f4
Author: Tom Clegg <tom at tomclegg.ca>
Date: Thu Jun 4 11:44:29 2020 -0400
16171: Warn about OIDC issuer URL spelling sensitivity.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index d1c47f4a2..be0123574 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -556,6 +556,18 @@ Clusters:
Enable: false
# Issuer URL, e.g., "https://login.example.com".
+ #
+ # This must be exactly equal to the URL returned by the issuer
+ # itself in its config response ("isser" key). If the
+ # configured value is "https://example" and the provider
+ # returns "https://example:443" then login will fail, even
+ # though those URLs are equivalent (RFC3986).
+ #
+ # If the configured URL's path component is just "/" then it
+ # is stripped. Therefore, an issuer advertising itself as
+ # "https://example/" cannot be used -- but "https://example",
+ # "https://example/foo", and "https://example/foo/" are
+ # supported.
Issuer: ""
# Your client ID and client secret (supplied by the provider).
diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go
index 0dda58db0..49d86c77f 100644
--- a/lib/config/generated_config.go
+++ b/lib/config/generated_config.go
@@ -562,6 +562,18 @@ Clusters:
Enable: false
# Issuer URL, e.g., "https://login.example.com".
+ #
+ # This must be exactly equal to the URL returned by the issuer
+ # itself in its config response ("isser" key). If the
+ # configured value is "https://example" and the provider
+ # returns "https://example:443" then login will fail, even
+ # though those URLs are equivalent (RFC3986).
+ #
+ # If the configured URL's path component is just "/" then it
+ # is stripped. Therefore, an issuer advertising itself as
+ # "https://example/" cannot be used -- but "https://example",
+ # "https://example/foo", and "https://example/foo/" are
+ # supported.
Issuer: ""
# Your client ID and client secret (supplied by the provider).
commit c53df2193d573bec0c534a7bf80af578d4d57502
Author: Tom Clegg <tom at tomclegg.ca>
Date: Thu Jun 4 11:21:43 2020 -0400
16171: Test non-Google OIDC login with fake issuer.
Ensures the proper credentials are used.
Exposes go-oidc's sensitivity to different spellings of equivalent
issuer URLs.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 5231bcb19..04fb82bd5 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -39,10 +39,30 @@ func chooseLoginController(cluster *arvados.Cluster, railsProxy *railsProxy) log
UseGooglePeopleAPI: cluster.Login.Google.AlternateEmailAddresses,
}
case !wantGoogle && wantOpenIDConnect && !wantSSO && !wantPAM && !wantLDAP:
+ issuer := cluster.Login.OpenIDConnect.Issuer
+ if issuer.Path == "/" {
+ // The OIDC library returns an error if the
+ // config says "https://example/" and the
+ // issuer identifies itself as
+ // "https://example", even though those URLs
+ // are equivalent
+ // (https://tools.ietf.org/html/rfc3986#section-6.2.3).
+ //
+ // Our config loader adds "/" to URLs with
+ // empty path, so we strip it off here and
+ // count on the issuer to do the same when
+ // identifying itself, as Google does.
+ //
+ // (Non-empty paths as in
+ // "https://example/foo/" are preserved by the
+ // config loader so the config just has to
+ // match the issuer's response.)
+ issuer.Path = ""
+ }
return &oidcLoginController{
Cluster: cluster,
RailsProxy: railsProxy,
- Issuer: cluster.Login.OpenIDConnect.Issuer.String(),
+ Issuer: issuer.String(),
ClientID: cluster.Login.OpenIDConnect.ClientID,
ClientSecret: cluster.Login.OpenIDConnect.ClientSecret,
}
diff --git a/lib/controller/localdb/login_oidc_test.go b/lib/controller/localdb/login_oidc_test.go
index 4a3a2a5ee..52b45dced 100644
--- a/lib/controller/localdb/login_oidc_test.go
+++ b/lib/controller/localdb/login_oidc_test.go
@@ -9,6 +9,7 @@ import (
"context"
"crypto/rand"
"crypto/rsa"
+ "encoding/base64"
"encoding/json"
"fmt"
"net/http"
@@ -47,7 +48,9 @@ type OIDCLoginSuite struct {
issuerKey *rsa.PrivateKey
// expected token request
- validCode string
+ validCode string
+ validClientID string
+ validClientSecret string
// desired response from token endpoint
authEmail string
authEmailVerified bool
@@ -83,13 +86,26 @@ func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
"userinfo_endpoint": s.fakeIssuer.URL + "/userinfo",
})
case "/token":
+ var clientID, clientSecret string
+ auth, _ := base64.StdEncoding.DecodeString(strings.TrimPrefix(req.Header.Get("Authorization"), "Basic "))
+ authsplit := strings.Split(string(auth), ":")
+ if len(authsplit) == 2 {
+ clientID, _ = url.QueryUnescape(authsplit[0])
+ clientSecret, _ = url.QueryUnescape(authsplit[1])
+ }
+ if clientID != s.validClientID || clientSecret != s.validClientSecret {
+ c.Logf("fakeIssuer: expected (%q, %q) got (%q, %q)", s.validClientID, s.validClientSecret, clientID, clientSecret)
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+
if req.Form.Get("code") != s.validCode || s.validCode == "" {
w.WriteHeader(http.StatusUnauthorized)
return
}
idToken, _ := json.Marshal(map[string]interface{}{
"iss": s.fakeIssuer.URL,
- "aud": []string{"test%client$id"},
+ "aud": []string{clientID},
"sub": "fake-user-id",
"exp": time.Now().UTC().Add(time.Minute).Unix(),
"iat": time.Now().UTC().Unix(),
@@ -145,13 +161,16 @@ func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
s.fakePeopleAPIResponse = map[string]interface{}{}
cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
+ c.Assert(err, check.IsNil)
s.cluster, err = cfg.GetCluster("")
+ c.Assert(err, check.IsNil)
s.cluster.Login.SSO.Enable = false
s.cluster.Login.Google.Enable = true
s.cluster.Login.Google.ClientID = "test%client$id"
s.cluster.Login.Google.ClientSecret = "test#client/secret"
s.cluster.Users.PreferDomainForUsername = "PreferDomainForUsername.example.com"
- c.Assert(err, check.IsNil)
+ s.validClientID = "test%client$id"
+ s.validClientSecret = "test#client/secret"
s.localdb = NewConn(s.cluster)
c.Assert(s.localdb.loginController, check.FitsTypeOf, (*oidcLoginController)(nil))
@@ -280,6 +299,28 @@ func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIError(c *check.C) {
c.Check(resp.RedirectLocation, check.Equals, "")
}
+func (s *OIDCLoginSuite) TestOIDCLogin_Success(c *check.C) {
+ s.cluster.Login.Google.Enable = false
+ s.cluster.Login.OpenIDConnect.Enable = true
+ json.Unmarshal([]byte(fmt.Sprintf("%q", s.fakeIssuer.URL)), &s.cluster.Login.OpenIDConnect.Issuer)
+ s.cluster.Login.OpenIDConnect.ClientID = "oidc#client#id"
+ s.cluster.Login.OpenIDConnect.ClientSecret = "oidc#client#secret"
+ s.validClientID = "oidc#client#id"
+ s.validClientSecret = "oidc#client#secret"
+ s.localdb = NewConn(s.cluster)
+ state := s.startLogin(c)
+ resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
+ Code: s.validCode,
+ State: state,
+ })
+ c.Assert(err, check.IsNil)
+ c.Check(resp.HTML.String(), check.Equals, "")
+ target, err := url.Parse(resp.RedirectLocation)
+ c.Assert(err, check.IsNil)
+ token := target.Query().Get("api_token")
+ c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
+}
+
func (s *OIDCLoginSuite) TestGoogleLogin_Success(c *check.C) {
state := s.startLogin(c)
resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
commit 18de6db7e6f2336d69aad9dad7691ed123bec509
Author: Tom Clegg <tom at tomclegg.ca>
Date: Thu Jun 4 09:54:35 2020 -0400
16171: Move more code to one-time setup func.
Fix Google credentials used for non-Google OIDC provider.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at tomclegg.ca>
diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index b0458a7ad..f42b8f8be 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -38,22 +38,45 @@ type oidcLoginController struct {
ClientSecret string
UseGooglePeopleAPI bool // Use Google People API to look up alternate email addresses
- peopleAPIBasePath string // override Google People API base URL (normally empty, set by google pkg to https://people.googleapis.com/)
- provider *oidc.Provider
- mu sync.Mutex
+ // override Google People API base URL for testing purposes
+ // (normally empty, set by google pkg to
+ // https://people.googleapis.com/)
+ peopleAPIBasePath string
+
+ provider *oidc.Provider // initialized by setup()
+ oauth2conf *oauth2.Config // initialized by setup()
+ verifier *oidc.IDTokenVerifier // initialized by setup()
+ mu sync.Mutex // protects setup()
}
-func (ctrl *oidcLoginController) getProvider() (*oidc.Provider, error) {
+// Initialize ctrl.provider and ctrl.oauth2conf.
+func (ctrl *oidcLoginController) setup() error {
ctrl.mu.Lock()
defer ctrl.mu.Unlock()
- if ctrl.provider == nil {
- provider, err := oidc.NewProvider(context.Background(), ctrl.Issuer)
- if err != nil {
- return nil, err
- }
- ctrl.provider = provider
+ if ctrl.provider != nil {
+ // already set up
+ return nil
+ }
+ redirURL, err := (*url.URL)(&ctrl.Cluster.Services.Controller.ExternalURL).Parse("/" + arvados.EndpointLogin.Path)
+ if err != nil {
+ return fmt.Errorf("error making redirect URL: %s", err)
+ }
+ provider, err := oidc.NewProvider(context.Background(), ctrl.Issuer)
+ if err != nil {
+ return err
+ }
+ ctrl.oauth2conf = &oauth2.Config{
+ ClientID: ctrl.ClientID,
+ ClientSecret: ctrl.ClientSecret,
+ Endpoint: provider.Endpoint(),
+ Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+ RedirectURL: redirURL.String(),
}
- return ctrl.provider, nil
+ ctrl.verifier = provider.Verifier(&oidc.Config{
+ ClientID: ctrl.ClientID,
+ })
+ ctrl.provider = provider
+ return nil
}
func (ctrl *oidcLoginController) Logout(ctx context.Context, opts arvados.LogoutOptions) (arvados.LogoutResponse, error) {
@@ -61,38 +84,18 @@ func (ctrl *oidcLoginController) Logout(ctx context.Context, opts arvados.Logout
}
func (ctrl *oidcLoginController) Login(ctx context.Context, opts arvados.LoginOptions) (arvados.LoginResponse, error) {
- provider, err := ctrl.getProvider()
+ err := ctrl.setup()
if err != nil {
return loginError(fmt.Errorf("error setting up OpenID Connect provider: %s", err))
}
- redirURL, err := (*url.URL)(&ctrl.Cluster.Services.Controller.ExternalURL).Parse("/login")
- if err != nil {
- return loginError(fmt.Errorf("error making redirect URL: %s", err))
- }
- conf := &oauth2.Config{
- ClientID: ctrl.Cluster.Login.Google.ClientID,
- ClientSecret: ctrl.Cluster.Login.Google.ClientSecret,
- Endpoint: provider.Endpoint(),
- Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
- RedirectURL: redirURL.String(),
- }
- verifier := provider.Verifier(&oidc.Config{
- ClientID: conf.ClientID,
- })
if opts.State == "" {
// Initiate OIDC sign-in.
if opts.ReturnTo == "" {
return loginError(errors.New("missing return_to parameter"))
}
- me := url.URL(ctrl.Cluster.Services.Controller.ExternalURL)
- callback, err := me.Parse("/" + arvados.EndpointLogin.Path)
- if err != nil {
- return loginError(err)
- }
- conf.RedirectURL = callback.String()
state := ctrl.newOAuth2State([]byte(ctrl.Cluster.SystemRootToken), opts.Remote, opts.ReturnTo)
return arvados.LoginResponse{
- RedirectLocation: conf.AuthCodeURL(state.String(),
+ RedirectLocation: ctrl.oauth2conf.AuthCodeURL(state.String(),
// prompt=select_account tells Google
// to show the "choose which Google
// account" page, even if the client
@@ -106,7 +109,7 @@ func (ctrl *oidcLoginController) Login(ctx context.Context, opts arvados.LoginOp
if !state.verify([]byte(ctrl.Cluster.SystemRootToken)) {
return loginError(errors.New("invalid OAuth2 state"))
}
- oauth2Token, err := conf.Exchange(ctx, opts.Code)
+ oauth2Token, err := ctrl.oauth2conf.Exchange(ctx, opts.Code)
if err != nil {
return loginError(fmt.Errorf("error in OAuth2 exchange: %s", err))
}
@@ -114,11 +117,11 @@ func (ctrl *oidcLoginController) Login(ctx context.Context, opts arvados.LoginOp
if !ok {
return loginError(errors.New("error in OAuth2 exchange: no ID token in OAuth2 token"))
}
- idToken, err := verifier.Verify(ctx, rawIDToken)
+ idToken, err := ctrl.verifier.Verify(ctx, rawIDToken)
if err != nil {
return loginError(fmt.Errorf("error verifying ID token: %s", err))
}
- authinfo, err := ctrl.getAuthInfo(ctx, ctrl.Cluster, conf, oauth2Token, idToken)
+ authinfo, err := ctrl.getAuthInfo(ctx, oauth2Token, idToken)
if err != nil {
return loginError(err)
}
@@ -138,7 +141,7 @@ func (ctrl *oidcLoginController) UserAuthenticate(ctx context.Context, opts arva
// primary address at index 0. The provided defaultAddr is always
// included in the returned slice, and is used as the primary if the
// Google API does not indicate one.
-func (ctrl *oidcLoginController) getAuthInfo(ctx context.Context, cluster *arvados.Cluster, conf *oauth2.Config, token *oauth2.Token, idToken *oidc.IDToken) (*rpc.UserSessionAuthInfo, error) {
+func (ctrl *oidcLoginController) getAuthInfo(ctx context.Context, token *oauth2.Token, idToken *oidc.IDToken) (*rpc.UserSessionAuthInfo, error) {
var ret rpc.UserSessionAuthInfo
defer ctxlog.FromContext(ctx).WithField("ret", &ret).Debug("getAuthInfo returned")
@@ -168,7 +171,7 @@ func (ctrl *oidcLoginController) getAuthInfo(ctx context.Context, cluster *arvad
return &ret, nil
}
- svc, err := people.NewService(ctx, option.WithTokenSource(conf.TokenSource(ctx, token)), option.WithScopes(people.UserEmailsReadScope))
+ svc, err := people.NewService(ctx, option.WithTokenSource(ctrl.oauth2conf.TokenSource(ctx, token)), option.WithScopes(people.UserEmailsReadScope))
if err != nil {
return nil, fmt.Errorf("error setting up People API: %s", err)
}
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list