lib/controller/localdb/login_oidc_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package localdb
   6
   7 import (
   8         "bytes"
   9         "context"
  10         "crypto/rand"
  11         "crypto/rsa"
  12         "encoding/json"
  13         "fmt"
  14         "net/http"
  15         "net/http/httptest"
  16         "net/url"
  17         "sort"
  18         "strings"
  19         "testing"
  20         "time"
  21
  22         "git.arvados.org/arvados.git/lib/config"
  23         "git.arvados.org/arvados.git/lib/controller/rpc"
  24         "git.arvados.org/arvados.git/sdk/go/arvados"
  25         "git.arvados.org/arvados.git/sdk/go/arvadostest"
  26         "git.arvados.org/arvados.git/sdk/go/auth"
  27         "git.arvados.org/arvados.git/sdk/go/ctxlog"
  28         check "gopkg.in/check.v1"
  29         jose "gopkg.in/square/go-jose.v2"
  30 )
  31
  32 // Gocheck boilerplate
  33 func Test(t *testing.T) {
  34         check.TestingT(t)
  35 }
  36
  37 var _ = check.Suite(&OIDCLoginSuite{})
  38
  39 type OIDCLoginSuite struct {
  40         cluster               *arvados.Cluster
  41         ctx                   context.Context
  42         localdb               *Conn
  43         railsSpy              *arvadostest.Proxy
  44         fakeIssuer            *httptest.Server
  45         fakePeopleAPI         *httptest.Server
  46         fakePeopleAPIResponse map[string]interface{}
  47         issuerKey             *rsa.PrivateKey
  48
  49         // expected token request
  50         validCode string
  51         // desired response from token endpoint
  52         authEmail         string
  53         authEmailVerified bool
  54         authName          string
  55 }
  56
  57 func (s *OIDCLoginSuite) TearDownSuite(c *check.C) {
  58         // Undo any changes/additions to the user database so they
  59         // don't affect subsequent tests.
  60         arvadostest.ResetEnv()
  61         c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
  62 }
  63
  64 func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
  65         var err error
  66         s.issuerKey, err = rsa.GenerateKey(rand.Reader, 2048)
  67         c.Assert(err, check.IsNil)
  68
  69         s.authEmail = "active-user@arvados.local"
  70         s.authEmailVerified = true
  71         s.authName = "Fake User Name"
  72         s.fakeIssuer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
  73                 req.ParseForm()
  74                 c.Logf("fakeIssuer: got req: %s %s %s", req.Method, req.URL, req.Form)
  75                 w.Header().Set("Content-Type", "application/json")
  76                 switch req.URL.Path {
  77                 case "/.well-known/openid-configuration":
  78                         json.NewEncoder(w).Encode(map[string]interface{}{
  79                                 "issuer":                 s.fakeIssuer.URL,
  80                                 "authorization_endpoint": s.fakeIssuer.URL + "/auth",
  81                                 "token_endpoint":         s.fakeIssuer.URL + "/token",
  82                                 "jwks_uri":               s.fakeIssuer.URL + "/jwks",
  83                                 "userinfo_endpoint":      s.fakeIssuer.URL + "/userinfo",
  84                         })
  85                 case "/token":
  86                         if req.Form.Get("code") != s.validCode || s.validCode == "" {
  87                                 w.WriteHeader(http.StatusUnauthorized)
  88                                 return
  89                         }
  90                         idToken, _ := json.Marshal(map[string]interface{}{
  91                                 "iss":            s.fakeIssuer.URL,
  92                                 "aud":            []string{"test%client$id"},
  93                                 "sub":            "fake-user-id",
  94                                 "exp":            time.Now().UTC().Add(time.Minute).Unix(),
  95                                 "iat":            time.Now().UTC().Unix(),
  96                                 "nonce":          "fake-nonce",
  97                                 "email":          s.authEmail,
  98                                 "email_verified": s.authEmailVerified,
  99                                 "name":           s.authName,
 100                         })
 101                         json.NewEncoder(w).Encode(struct {
 102                                 AccessToken  string `json:"access_token"`
 103                                 TokenType    string `json:"token_type"`
 104                                 RefreshToken string `json:"refresh_token"`
 105                                 ExpiresIn    int32  `json:"expires_in"`
 106                                 IDToken      string `json:"id_token"`
 107                         }{
 108                                 AccessToken:  s.fakeToken(c, []byte("fake access token")),
 109                                 TokenType:    "Bearer",
 110                                 RefreshToken: "test-refresh-token",
 111                                 ExpiresIn:    30,
 112                                 IDToken:      s.fakeToken(c, idToken),
 113                         })
 114                 case "/jwks":
 115                         json.NewEncoder(w).Encode(jose.JSONWebKeySet{
 116                                 Keys: []jose.JSONWebKey{
 117                                         {Key: s.issuerKey.Public(), Algorithm: string(jose.RS256), KeyID: ""},
 118                                 },
 119                         })
 120                 case "/auth":
 121                         w.WriteHeader(http.StatusInternalServerError)
 122                 case "/userinfo":
 123                         w.WriteHeader(http.StatusInternalServerError)
 124                 default:
 125                         w.WriteHeader(http.StatusNotFound)
 126                 }
 127         }))
 128         s.validCode = fmt.Sprintf("abcdefgh-%d", time.Now().Unix())
 129
 130         s.fakePeopleAPI = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 131                 req.ParseForm()
 132                 c.Logf("fakePeopleAPI: got req: %s %s %s", req.Method, req.URL, req.Form)
 133                 w.Header().Set("Content-Type", "application/json")
 134                 switch req.URL.Path {
 135                 case "/v1/people/me":
 136                         if f := req.Form.Get("personFields"); f != "emailAddresses,names" {
 137                                 w.WriteHeader(http.StatusBadRequest)
 138                                 break
 139                         }
 140                         json.NewEncoder(w).Encode(s.fakePeopleAPIResponse)
 141                 default:
 142                         w.WriteHeader(http.StatusNotFound)
 143                 }
 144         }))
 145         s.fakePeopleAPIResponse = map[string]interface{}{}
 146
 147         cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
 148         s.cluster, err = cfg.GetCluster("")
 149         s.cluster.Login.SSO.Enable = false
 150         s.cluster.Login.Google.Enable = true
 151         s.cluster.Login.Google.ClientID = "test%client$id"
 152         s.cluster.Login.Google.ClientSecret = "test#client/secret"
 153         s.cluster.Users.PreferDomainForUsername = "PreferDomainForUsername.example.com"
 154         c.Assert(err, check.IsNil)
 155
 156         s.localdb = NewConn(s.cluster)
 157         c.Assert(s.localdb.loginController, check.FitsTypeOf, (*oidcLoginController)(nil))
 158         c.Check(s.localdb.loginController.(*oidcLoginController).Issuer, check.Equals, "https://accounts.google.com")
 159         c.Check(s.localdb.loginController.(*oidcLoginController).ClientID, check.Equals, "test%client$id")
 160         c.Check(s.localdb.loginController.(*oidcLoginController).ClientSecret, check.Equals, "test#client/secret")
 161         s.localdb.loginController.(*oidcLoginController).Issuer = s.fakeIssuer.URL
 162         s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
 163
 164         s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
 165         *s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
 166 }
 167
 168 func (s *OIDCLoginSuite) TearDownTest(c *check.C) {
 169         s.railsSpy.Close()
 170 }
 171
 172 func (s *OIDCLoginSuite) TestGoogleLogout(c *check.C) {
 173         resp, err := s.localdb.Logout(context.Background(), arvados.LogoutOptions{ReturnTo: "https://foo.example.com/bar"})
 174         c.Check(err, check.IsNil)
 175         c.Check(resp.RedirectLocation, check.Equals, "https://foo.example.com/bar")
 176 }
 177
 178 func (s *OIDCLoginSuite) TestGoogleLogin_Start_Bogus(c *check.C) {
 179         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{})
 180         c.Check(err, check.IsNil)
 181         c.Check(resp.RedirectLocation, check.Equals, "")
 182         c.Check(resp.HTML.String(), check.Matches, `.*missing return_to parameter.*`)
 183 }
 184
 185 func (s *OIDCLoginSuite) TestGoogleLogin_Start(c *check.C) {
 186         for _, remote := range []string{"", "zzzzz"} {
 187                 resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{Remote: remote, ReturnTo: "https://app.example.com/foo?bar"})
 188                 c.Check(err, check.IsNil)
 189                 target, err := url.Parse(resp.RedirectLocation)
 190                 c.Check(err, check.IsNil)
 191                 issuerURL, _ := url.Parse(s.fakeIssuer.URL)
 192                 c.Check(target.Host, check.Equals, issuerURL.Host)
 193                 q := target.Query()
 194                 c.Check(q.Get("client_id"), check.Equals, "test%client$id")
 195                 state := s.localdb.loginController.(*oidcLoginController).parseOAuth2State(q.Get("state"))
 196                 c.Check(state.verify([]byte(s.cluster.SystemRootToken)), check.Equals, true)
 197                 c.Check(state.Time, check.Not(check.Equals), 0)
 198                 c.Check(state.Remote, check.Equals, remote)
 199                 c.Check(state.ReturnTo, check.Equals, "https://app.example.com/foo?bar")
 200         }
 201 }
 202
 203 func (s *OIDCLoginSuite) TestGoogleLogin_InvalidCode(c *check.C) {
 204         state := s.startLogin(c)
 205         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 206                 Code:  "first-try-a-bogus-code",
 207                 State: state,
 208         })
 209         c.Check(err, check.IsNil)
 210         c.Check(resp.RedirectLocation, check.Equals, "")
 211         c.Check(resp.HTML.String(), check.Matches, `(?ms).*error in OAuth2 exchange.*cannot fetch token.*`)
 212 }
 213
 214 func (s *OIDCLoginSuite) TestGoogleLogin_InvalidState(c *check.C) {
 215         s.startLogin(c)
 216         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 217                 Code:  s.validCode,
 218                 State: "bogus-state",
 219         })
 220         c.Check(err, check.IsNil)
 221         c.Check(resp.RedirectLocation, check.Equals, "")
 222         c.Check(resp.HTML.String(), check.Matches, `(?ms).*invalid OAuth2 state.*`)
 223 }
 224
 225 func (s *OIDCLoginSuite) setupPeopleAPIError(c *check.C) {
 226         s.fakePeopleAPI = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 227                 w.WriteHeader(http.StatusForbidden)
 228                 fmt.Fprintln(w, `Error 403: accessNotConfigured`)
 229         }))
 230         s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
 231 }
 232
 233 func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIDisabled(c *check.C) {
 234         s.localdb.loginController.(*oidcLoginController).UseGooglePeopleAPI = false
 235         s.authEmail = "joe.smith@primary.example.com"
 236         s.setupPeopleAPIError(c)
 237         state := s.startLogin(c)
 238         _, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 239                 Code:  s.validCode,
 240                 State: state,
 241         })
 242         c.Check(err, check.IsNil)
 243         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 244         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 245 }
 246
 247 func (s *OIDCLoginSuite) TestConfig(c *check.C) {
 248         // Ensure the UseGooglePeopleAPI flag follows the
 249         // AlternateEmailAddresses config.
 250         for _, v := range []bool{false, true} {
 251                 s.cluster.Login.Google.AlternateEmailAddresses = v
 252                 localdb := NewConn(s.cluster)
 253                 c.Check(localdb.loginController.(*oidcLoginController).UseGooglePeopleAPI, check.Equals, v)
 254         }
 255
 256         s.cluster.Login.Google.Enable = false
 257         s.cluster.Login.OpenIDConnect.Enable = true
 258         s.cluster.Login.OpenIDConnect.Issuer = arvados.URL{Scheme: "https", Host: "accounts.example.com", Path: "/"}
 259         s.cluster.Login.OpenIDConnect.ClientID = "oidc-client-id"
 260         s.cluster.Login.OpenIDConnect.ClientSecret = "oidc-client-secret"
 261         localdb := NewConn(s.cluster)
 262         c.Assert(localdb.loginController, check.FitsTypeOf, (*oidcLoginController)(nil))
 263         c.Check(localdb.loginController.(*oidcLoginController).Issuer, check.Equals, "https://accounts.example.com/")
 264         c.Check(localdb.loginController.(*oidcLoginController).ClientID, check.Equals, "oidc-client-id")
 265         c.Check(localdb.loginController.(*oidcLoginController).ClientSecret, check.Equals, "oidc-client-secret")
 266         c.Check(localdb.loginController.(*oidcLoginController).UseGooglePeopleAPI, check.Equals, false)
 267 }
 268
 269 func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIError(c *check.C) {
 270         s.setupPeopleAPIError(c)
 271         state := s.startLogin(c)
 272         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 273                 Code:  s.validCode,
 274                 State: state,
 275         })
 276         c.Check(err, check.IsNil)
 277         c.Check(resp.RedirectLocation, check.Equals, "")
 278 }
 279
 280 func (s *OIDCLoginSuite) TestGoogleLogin_Success(c *check.C) {
 281         state := s.startLogin(c)
 282         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 283                 Code:  s.validCode,
 284                 State: state,
 285         })
 286         c.Check(err, check.IsNil)
 287         c.Check(resp.HTML.String(), check.Equals, "")
 288         target, err := url.Parse(resp.RedirectLocation)
 289         c.Check(err, check.IsNil)
 290         c.Check(target.Host, check.Equals, "app.example.com")
 291         c.Check(target.Path, check.Equals, "/foo")
 292         token := target.Query().Get("api_token")
 293         c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
 294
 295         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 296         c.Check(authinfo.FirstName, check.Equals, "Fake User")
 297         c.Check(authinfo.LastName, check.Equals, "Name")
 298         c.Check(authinfo.Email, check.Equals, "active-user@arvados.local")
 299         c.Check(authinfo.AlternateEmails, check.HasLen, 0)
 300
 301         // Try using the returned Arvados token.
 302         c.Logf("trying an API call with new token %q", token)
 303         ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{token}})
 304         cl, err := s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
 305         c.Check(cl.ItemsAvailable, check.Not(check.Equals), 0)
 306         c.Check(cl.Items, check.Not(check.HasLen), 0)
 307         c.Check(err, check.IsNil)
 308
 309         // Might as well check that bogus tokens aren't accepted.
 310         badtoken := token + "plussomeboguschars"
 311         c.Logf("trying an API call with mangled token %q", badtoken)
 312         ctx = auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{badtoken}})
 313         cl, err = s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
 314         c.Check(cl.Items, check.HasLen, 0)
 315         c.Check(err, check.NotNil)
 316         c.Check(err, check.ErrorMatches, `.*401 Unauthorized: Not logged in.*`)
 317 }
 318
 319 func (s *OIDCLoginSuite) TestGoogleLogin_RealName(c *check.C) {
 320         s.authEmail = "joe.smith@primary.example.com"
 321         s.fakePeopleAPIResponse = map[string]interface{}{
 322                 "names": []map[string]interface{}{
 323                         {
 324                                 "metadata":   map[string]interface{}{"primary": false},
 325                                 "givenName":  "Joe",
 326                                 "familyName": "Smith",
 327                         },
 328                         {
 329                                 "metadata":   map[string]interface{}{"primary": true},
 330                                 "givenName":  "Joseph",
 331                                 "familyName": "Psmith",
 332                         },
 333                 },
 334         }
 335         state := s.startLogin(c)
 336         s.localdb.Login(context.Background(), arvados.LoginOptions{
 337                 Code:  s.validCode,
 338                 State: state,
 339         })
 340
 341         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 342         c.Check(authinfo.FirstName, check.Equals, "Joseph")
 343         c.Check(authinfo.LastName, check.Equals, "Psmith")
 344 }
 345
 346 func (s *OIDCLoginSuite) TestGoogleLogin_OIDCRealName(c *check.C) {
 347         s.authName = "Joe P. Smith"
 348         s.authEmail = "joe.smith@primary.example.com"
 349         state := s.startLogin(c)
 350         s.localdb.Login(context.Background(), arvados.LoginOptions{
 351                 Code:  s.validCode,
 352                 State: state,
 353         })
 354
 355         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 356         c.Check(authinfo.FirstName, check.Equals, "Joe P.")
 357         c.Check(authinfo.LastName, check.Equals, "Smith")
 358 }
 359
 360 // People API returns some additional email addresses.
 361 func (s *OIDCLoginSuite) TestGoogleLogin_AlternateEmailAddresses(c *check.C) {
 362         s.authEmail = "joe.smith@primary.example.com"
 363         s.fakePeopleAPIResponse = map[string]interface{}{
 364                 "emailAddresses": []map[string]interface{}{
 365                         {
 366                                 "metadata": map[string]interface{}{"verified": true},
 367                                 "value":    "joe.smith@work.example.com",
 368                         },
 369                         {
 370                                 "value": "joe.smith@unverified.example.com", // unverified, so this one will be ignored
 371                         },
 372                         {
 373                                 "metadata": map[string]interface{}{"verified": true},
 374                                 "value":    "joe.smith@home.example.com",
 375                         },
 376                 },
 377         }
 378         state := s.startLogin(c)
 379         s.localdb.Login(context.Background(), arvados.LoginOptions{
 380                 Code:  s.validCode,
 381                 State: state,
 382         })
 383
 384         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 385         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 386         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com", "joe.smith@work.example.com"})
 387 }
 388
 389 // Primary address is not the one initially returned by oidc.
 390 func (s *OIDCLoginSuite) TestGoogleLogin_AlternateEmailAddresses_Primary(c *check.C) {
 391         s.authEmail = "joe.smith@alternate.example.com"
 392         s.fakePeopleAPIResponse = map[string]interface{}{
 393                 "emailAddresses": []map[string]interface{}{
 394                         {
 395                                 "metadata": map[string]interface{}{"verified": true, "primary": true},
 396                                 "value":    "joe.smith@primary.example.com",
 397                         },
 398                         {
 399                                 "metadata": map[string]interface{}{"verified": true},
 400                                 "value":    "joe.smith@alternate.example.com",
 401                         },
 402                         {
 403                                 "metadata": map[string]interface{}{"verified": true},
 404                                 "value":    "jsmith+123@preferdomainforusername.example.com",
 405                         },
 406                 },
 407         }
 408         state := s.startLogin(c)
 409         s.localdb.Login(context.Background(), arvados.LoginOptions{
 410                 Code:  s.validCode,
 411                 State: state,
 412         })
 413         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 414         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 415         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@alternate.example.com", "jsmith+123@preferdomainforusername.example.com"})
 416         c.Check(authinfo.Username, check.Equals, "jsmith")
 417 }
 418
 419 func (s *OIDCLoginSuite) TestGoogleLogin_NoPrimaryEmailAddress(c *check.C) {
 420         s.authEmail = "joe.smith@unverified.example.com"
 421         s.authEmailVerified = false
 422         s.fakePeopleAPIResponse = map[string]interface{}{
 423                 "emailAddresses": []map[string]interface{}{
 424                         {
 425                                 "metadata": map[string]interface{}{"verified": true},
 426                                 "value":    "joe.smith@work.example.com",
 427                         },
 428                         {
 429                                 "metadata": map[string]interface{}{"verified": true},
 430                                 "value":    "joe.smith@home.example.com",
 431                         },
 432                 },
 433         }
 434         state := s.startLogin(c)
 435         s.localdb.Login(context.Background(), arvados.LoginOptions{
 436                 Code:  s.validCode,
 437                 State: state,
 438         })
 439
 440         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 441         c.Check(authinfo.Email, check.Equals, "joe.smith@work.example.com") // first verified email in People response
 442         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com"})
 443         c.Check(authinfo.Username, check.Equals, "")
 444 }
 445
 446 func (s *OIDCLoginSuite) startLogin(c *check.C) (state string) {
 447         // Initiate login, but instead of following the redirect to
 448         // the provider, just grab state from the redirect URL.
 449         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{ReturnTo: "https://app.example.com/foo?bar"})
 450         c.Check(err, check.IsNil)
 451         target, err := url.Parse(resp.RedirectLocation)
 452         c.Check(err, check.IsNil)
 453         state = target.Query().Get("state")
 454         c.Check(state, check.Not(check.Equals), "")
 455         return
 456 }
 457
 458 func (s *OIDCLoginSuite) fakeToken(c *check.C, payload []byte) string {
 459         signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: s.issuerKey}, nil)
 460         if err != nil {
 461                 c.Error(err)
 462         }
 463         object, err := signer.Sign(payload)
 464         if err != nil {
 465                 c.Error(err)
 466         }
 467         t, err := object.CompactSerialize()
 468         if err != nil {
 469                 c.Error(err)
 470         }
 471         c.Logf("fakeToken(%q) == %q", payload, t)
 472         return t
 473 }
 474
 475 func getCallbackAuthInfo(c *check.C, railsSpy *arvadostest.Proxy) (authinfo rpc.UserSessionAuthInfo) {
 476         for _, dump := range railsSpy.RequestDumps {
 477                 c.Logf("spied request: %q", dump)
 478                 split := bytes.Split(dump, []byte("\r\n\r\n"))
 479                 c.Assert(split, check.HasLen, 2)
 480                 hdr, body := string(split[0]), string(split[1])
 481                 if strings.Contains(hdr, "POST /auth/controller/callback") {
 482                         vs, err := url.ParseQuery(body)
 483                         c.Check(json.Unmarshal([]byte(vs.Get("auth_info")), &authinfo), check.IsNil)
 484                         c.Check(err, check.IsNil)
 485                         sort.Strings(authinfo.AlternateEmails)
 486                         return
 487                 }
 488         }
 489         c.Error("callback not found")
 490         return
 491 }