lib/controller/localdb/login_oidc_test.go

   1 // Copyright (C) The Arvados Authors. All rights reserved.
   2 //
   3 // SPDX-License-Identifier: AGPL-3.0
   4
   5 package localdb
   6
   7 import (
   8         "bytes"
   9         "context"
  10         "crypto/rand"
  11         "crypto/rsa"
  12         "encoding/json"
  13         "fmt"
  14         "net/http"
  15         "net/http/httptest"
  16         "net/url"
  17         "sort"
  18         "strings"
  19         "testing"
  20         "time"
  21
  22         "git.arvados.org/arvados.git/lib/config"
  23         "git.arvados.org/arvados.git/lib/controller/rpc"
  24         "git.arvados.org/arvados.git/sdk/go/arvados"
  25         "git.arvados.org/arvados.git/sdk/go/arvadostest"
  26         "git.arvados.org/arvados.git/sdk/go/auth"
  27         "git.arvados.org/arvados.git/sdk/go/ctxlog"
  28         check "gopkg.in/check.v1"
  29         jose "gopkg.in/square/go-jose.v2"
  30 )
  31
  32 // Gocheck boilerplate
  33 func Test(t *testing.T) {
  34         check.TestingT(t)
  35 }
  36
  37 var _ = check.Suite(&OIDCLoginSuite{})
  38
  39 type OIDCLoginSuite struct {
  40         cluster               *arvados.Cluster
  41         ctx                   context.Context
  42         localdb               *Conn
  43         railsSpy              *arvadostest.Proxy
  44         fakeIssuer            *httptest.Server
  45         fakePeopleAPI         *httptest.Server
  46         fakePeopleAPIResponse map[string]interface{}
  47         issuerKey             *rsa.PrivateKey
  48
  49         // expected token request
  50         validCode string
  51         // desired response from token endpoint
  52         authEmail         string
  53         authEmailVerified bool
  54         authName          string
  55 }
  56
  57 func (s *OIDCLoginSuite) TearDownSuite(c *check.C) {
  58         // Undo any changes/additions to the user database so they
  59         // don't affect subsequent tests.
  60         arvadostest.ResetEnv()
  61         c.Check(arvados.NewClientFromEnv().RequestAndDecode(nil, "POST", "database/reset", nil, nil), check.IsNil)
  62 }
  63
  64 func (s *OIDCLoginSuite) SetUpTest(c *check.C) {
  65         var err error
  66         s.issuerKey, err = rsa.GenerateKey(rand.Reader, 2048)
  67         c.Assert(err, check.IsNil)
  68
  69         s.authEmail = "active-user@arvados.local"
  70         s.authEmailVerified = true
  71         s.authName = "Fake User Name"
  72         s.fakeIssuer = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
  73                 req.ParseForm()
  74                 c.Logf("fakeIssuer: got req: %s %s %s", req.Method, req.URL, req.Form)
  75                 w.Header().Set("Content-Type", "application/json")
  76                 switch req.URL.Path {
  77                 case "/.well-known/openid-configuration":
  78                         json.NewEncoder(w).Encode(map[string]interface{}{
  79                                 "issuer":                 s.fakeIssuer.URL,
  80                                 "authorization_endpoint": s.fakeIssuer.URL + "/auth",
  81                                 "token_endpoint":         s.fakeIssuer.URL + "/token",
  82                                 "jwks_uri":               s.fakeIssuer.URL + "/jwks",
  83                                 "userinfo_endpoint":      s.fakeIssuer.URL + "/userinfo",
  84                         })
  85                 case "/token":
  86                         if req.Form.Get("code") != s.validCode || s.validCode == "" {
  87                                 w.WriteHeader(http.StatusUnauthorized)
  88                                 return
  89                         }
  90                         idToken, _ := json.Marshal(map[string]interface{}{
  91                                 "iss":            s.fakeIssuer.URL,
  92                                 "aud":            []string{"test%client$id"},
  93                                 "sub":            "fake-user-id",
  94                                 "exp":            time.Now().UTC().Add(time.Minute).Unix(),
  95                                 "iat":            time.Now().UTC().Unix(),
  96                                 "nonce":          "fake-nonce",
  97                                 "email":          s.authEmail,
  98                                 "email_verified": s.authEmailVerified,
  99                                 "name":           s.authName,
 100                         })
 101                         json.NewEncoder(w).Encode(struct {
 102                                 AccessToken  string `json:"access_token"`
 103                                 TokenType    string `json:"token_type"`
 104                                 RefreshToken string `json:"refresh_token"`
 105                                 ExpiresIn    int32  `json:"expires_in"`
 106                                 IDToken      string `json:"id_token"`
 107                         }{
 108                                 AccessToken:  s.fakeToken(c, []byte("fake access token")),
 109                                 TokenType:    "Bearer",
 110                                 RefreshToken: "test-refresh-token",
 111                                 ExpiresIn:    30,
 112                                 IDToken:      s.fakeToken(c, idToken),
 113                         })
 114                 case "/jwks":
 115                         json.NewEncoder(w).Encode(jose.JSONWebKeySet{
 116                                 Keys: []jose.JSONWebKey{
 117                                         {Key: s.issuerKey.Public(), Algorithm: string(jose.RS256), KeyID: ""},
 118                                 },
 119                         })
 120                 case "/auth":
 121                         w.WriteHeader(http.StatusInternalServerError)
 122                 case "/userinfo":
 123                         w.WriteHeader(http.StatusInternalServerError)
 124                 default:
 125                         w.WriteHeader(http.StatusNotFound)
 126                 }
 127         }))
 128         s.validCode = fmt.Sprintf("abcdefgh-%d", time.Now().Unix())
 129
 130         s.fakePeopleAPI = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 131                 req.ParseForm()
 132                 c.Logf("fakePeopleAPI: got req: %s %s %s", req.Method, req.URL, req.Form)
 133                 w.Header().Set("Content-Type", "application/json")
 134                 switch req.URL.Path {
 135                 case "/v1/people/me":
 136                         if f := req.Form.Get("personFields"); f != "emailAddresses,names" {
 137                                 w.WriteHeader(http.StatusBadRequest)
 138                                 break
 139                         }
 140                         json.NewEncoder(w).Encode(s.fakePeopleAPIResponse)
 141                 default:
 142                         w.WriteHeader(http.StatusNotFound)
 143                 }
 144         }))
 145         s.fakePeopleAPIResponse = map[string]interface{}{}
 146
 147         cfg, err := config.NewLoader(nil, ctxlog.TestLogger(c)).Load()
 148         s.cluster, err = cfg.GetCluster("")
 149         s.cluster.Login.SSO.Enable = false
 150         s.cluster.Login.Google.Enable = true
 151         s.cluster.Login.Google.ClientID = "test%client$id"
 152         s.cluster.Login.Google.ClientSecret = "test#client/secret"
 153         s.cluster.Users.PreferDomainForUsername = "PreferDomainForUsername.example.com"
 154         c.Assert(err, check.IsNil)
 155
 156         s.localdb = NewConn(s.cluster)
 157         c.Assert(s.localdb.loginController, check.FitsTypeOf, (*oidcLoginController)(nil))
 158         s.localdb.loginController.(*oidcLoginController).Issuer = s.fakeIssuer.URL
 159         s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
 160
 161         s.railsSpy = arvadostest.NewProxy(c, s.cluster.Services.RailsAPI)
 162         *s.localdb.railsProxy = *rpc.NewConn(s.cluster.ClusterID, s.railsSpy.URL, true, rpc.PassthroughTokenProvider)
 163 }
 164
 165 func (s *OIDCLoginSuite) TearDownTest(c *check.C) {
 166         s.railsSpy.Close()
 167 }
 168
 169 func (s *OIDCLoginSuite) TestGoogleLogout(c *check.C) {
 170         resp, err := s.localdb.Logout(context.Background(), arvados.LogoutOptions{ReturnTo: "https://foo.example.com/bar"})
 171         c.Check(err, check.IsNil)
 172         c.Check(resp.RedirectLocation, check.Equals, "https://foo.example.com/bar")
 173 }
 174
 175 func (s *OIDCLoginSuite) TestGoogleLogin_Start_Bogus(c *check.C) {
 176         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{})
 177         c.Check(err, check.IsNil)
 178         c.Check(resp.RedirectLocation, check.Equals, "")
 179         c.Check(resp.HTML.String(), check.Matches, `.*missing return_to parameter.*`)
 180 }
 181
 182 func (s *OIDCLoginSuite) TestGoogleLogin_Start(c *check.C) {
 183         for _, remote := range []string{"", "zzzzz"} {
 184                 resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{Remote: remote, ReturnTo: "https://app.example.com/foo?bar"})
 185                 c.Check(err, check.IsNil)
 186                 target, err := url.Parse(resp.RedirectLocation)
 187                 c.Check(err, check.IsNil)
 188                 issuerURL, _ := url.Parse(s.fakeIssuer.URL)
 189                 c.Check(target.Host, check.Equals, issuerURL.Host)
 190                 q := target.Query()
 191                 c.Check(q.Get("client_id"), check.Equals, "test%client$id")
 192                 state := s.localdb.loginController.(*oidcLoginController).parseOAuth2State(q.Get("state"))
 193                 c.Check(state.verify([]byte(s.cluster.SystemRootToken)), check.Equals, true)
 194                 c.Check(state.Time, check.Not(check.Equals), 0)
 195                 c.Check(state.Remote, check.Equals, remote)
 196                 c.Check(state.ReturnTo, check.Equals, "https://app.example.com/foo?bar")
 197         }
 198 }
 199
 200 func (s *OIDCLoginSuite) TestGoogleLogin_InvalidCode(c *check.C) {
 201         state := s.startLogin(c)
 202         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 203                 Code:  "first-try-a-bogus-code",
 204                 State: state,
 205         })
 206         c.Check(err, check.IsNil)
 207         c.Check(resp.RedirectLocation, check.Equals, "")
 208         c.Check(resp.HTML.String(), check.Matches, `(?ms).*error in OAuth2 exchange.*cannot fetch token.*`)
 209 }
 210
 211 func (s *OIDCLoginSuite) TestGoogleLogin_InvalidState(c *check.C) {
 212         s.startLogin(c)
 213         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 214                 Code:  s.validCode,
 215                 State: "bogus-state",
 216         })
 217         c.Check(err, check.IsNil)
 218         c.Check(resp.RedirectLocation, check.Equals, "")
 219         c.Check(resp.HTML.String(), check.Matches, `(?ms).*invalid OAuth2 state.*`)
 220 }
 221
 222 func (s *OIDCLoginSuite) setupPeopleAPIError(c *check.C) {
 223         s.fakePeopleAPI = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 224                 w.WriteHeader(http.StatusForbidden)
 225                 fmt.Fprintln(w, `Error 403: accessNotConfigured`)
 226         }))
 227         s.localdb.loginController.(*oidcLoginController).peopleAPIBasePath = s.fakePeopleAPI.URL
 228 }
 229
 230 func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIDisabled(c *check.C) {
 231         s.localdb.loginController.(*oidcLoginController).UseGooglePeopleAPI = false
 232         s.authEmail = "joe.smith@primary.example.com"
 233         s.setupPeopleAPIError(c)
 234         state := s.startLogin(c)
 235         _, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 236                 Code:  s.validCode,
 237                 State: state,
 238         })
 239         c.Check(err, check.IsNil)
 240         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 241         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 242 }
 243
 244 func (s *OIDCLoginSuite) TestConfig(c *check.C) {
 245         s.cluster.Login.Google.Enable = false
 246         s.cluster.Login.OpenIDConnect.Enable = true
 247         s.cluster.Login.OpenIDConnect.Issuer = arvados.URL{Scheme: "https", Host: "accounts.example.com", Path: "/"}
 248         s.cluster.Login.OpenIDConnect.ClientID = "oidc-client-id"
 249         s.cluster.Login.OpenIDConnect.ClientSecret = "oidc-client-secret"
 250         localdb := NewConn(s.cluster)
 251         ctrl := localdb.loginController.(*oidcLoginController)
 252         c.Check(ctrl.Issuer, check.Equals, "https://accounts.example.com/")
 253         c.Check(ctrl.ClientID, check.Equals, "oidc-client-id")
 254         c.Check(ctrl.ClientSecret, check.Equals, "oidc-client-secret")
 255         c.Check(ctrl.UseGooglePeopleAPI, check.Equals, false)
 256
 257         for _, enableAltEmails := range []bool{false, true} {
 258                 s.cluster.Login.OpenIDConnect.Enable = false
 259                 s.cluster.Login.Google.Enable = true
 260                 s.cluster.Login.Google.ClientID = "google-client-id"
 261                 s.cluster.Login.Google.ClientSecret = "google-client-secret"
 262                 s.cluster.Login.Google.AlternateEmailAddresses = enableAltEmails
 263                 localdb = NewConn(s.cluster)
 264                 ctrl = localdb.loginController.(*oidcLoginController)
 265                 c.Check(ctrl.Issuer, check.Equals, "https://accounts.google.com")
 266                 c.Check(ctrl.ClientID, check.Equals, "google-client-id")
 267                 c.Check(ctrl.ClientSecret, check.Equals, "google-client-secret")
 268                 c.Check(ctrl.UseGooglePeopleAPI, check.Equals, enableAltEmails)
 269         }
 270 }
 271
 272 func (s *OIDCLoginSuite) TestGoogleLogin_PeopleAPIError(c *check.C) {
 273         s.setupPeopleAPIError(c)
 274         state := s.startLogin(c)
 275         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 276                 Code:  s.validCode,
 277                 State: state,
 278         })
 279         c.Check(err, check.IsNil)
 280         c.Check(resp.RedirectLocation, check.Equals, "")
 281 }
 282
 283 func (s *OIDCLoginSuite) TestGoogleLogin_Success(c *check.C) {
 284         state := s.startLogin(c)
 285         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{
 286                 Code:  s.validCode,
 287                 State: state,
 288         })
 289         c.Check(err, check.IsNil)
 290         c.Check(resp.HTML.String(), check.Equals, "")
 291         target, err := url.Parse(resp.RedirectLocation)
 292         c.Check(err, check.IsNil)
 293         c.Check(target.Host, check.Equals, "app.example.com")
 294         c.Check(target.Path, check.Equals, "/foo")
 295         token := target.Query().Get("api_token")
 296         c.Check(token, check.Matches, `v2/zzzzz-gj3su-.{15}/.{32,50}`)
 297
 298         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 299         c.Check(authinfo.FirstName, check.Equals, "Fake User")
 300         c.Check(authinfo.LastName, check.Equals, "Name")
 301         c.Check(authinfo.Email, check.Equals, "active-user@arvados.local")
 302         c.Check(authinfo.AlternateEmails, check.HasLen, 0)
 303
 304         // Try using the returned Arvados token.
 305         c.Logf("trying an API call with new token %q", token)
 306         ctx := auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{token}})
 307         cl, err := s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
 308         c.Check(cl.ItemsAvailable, check.Not(check.Equals), 0)
 309         c.Check(cl.Items, check.Not(check.HasLen), 0)
 310         c.Check(err, check.IsNil)
 311
 312         // Might as well check that bogus tokens aren't accepted.
 313         badtoken := token + "plussomeboguschars"
 314         c.Logf("trying an API call with mangled token %q", badtoken)
 315         ctx = auth.NewContext(context.Background(), &auth.Credentials{Tokens: []string{badtoken}})
 316         cl, err = s.localdb.CollectionList(ctx, arvados.ListOptions{Limit: -1})
 317         c.Check(cl.Items, check.HasLen, 0)
 318         c.Check(err, check.NotNil)
 319         c.Check(err, check.ErrorMatches, `.*401 Unauthorized: Not logged in.*`)
 320 }
 321
 322 func (s *OIDCLoginSuite) TestGoogleLogin_RealName(c *check.C) {
 323         s.authEmail = "joe.smith@primary.example.com"
 324         s.fakePeopleAPIResponse = map[string]interface{}{
 325                 "names": []map[string]interface{}{
 326                         {
 327                                 "metadata":   map[string]interface{}{"primary": false},
 328                                 "givenName":  "Joe",
 329                                 "familyName": "Smith",
 330                         },
 331                         {
 332                                 "metadata":   map[string]interface{}{"primary": true},
 333                                 "givenName":  "Joseph",
 334                                 "familyName": "Psmith",
 335                         },
 336                 },
 337         }
 338         state := s.startLogin(c)
 339         s.localdb.Login(context.Background(), arvados.LoginOptions{
 340                 Code:  s.validCode,
 341                 State: state,
 342         })
 343
 344         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 345         c.Check(authinfo.FirstName, check.Equals, "Joseph")
 346         c.Check(authinfo.LastName, check.Equals, "Psmith")
 347 }
 348
 349 func (s *OIDCLoginSuite) TestGoogleLogin_OIDCRealName(c *check.C) {
 350         s.authName = "Joe P. Smith"
 351         s.authEmail = "joe.smith@primary.example.com"
 352         state := s.startLogin(c)
 353         s.localdb.Login(context.Background(), arvados.LoginOptions{
 354                 Code:  s.validCode,
 355                 State: state,
 356         })
 357
 358         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 359         c.Check(authinfo.FirstName, check.Equals, "Joe P.")
 360         c.Check(authinfo.LastName, check.Equals, "Smith")
 361 }
 362
 363 // People API returns some additional email addresses.
 364 func (s *OIDCLoginSuite) TestGoogleLogin_AlternateEmailAddresses(c *check.C) {
 365         s.authEmail = "joe.smith@primary.example.com"
 366         s.fakePeopleAPIResponse = map[string]interface{}{
 367                 "emailAddresses": []map[string]interface{}{
 368                         {
 369                                 "metadata": map[string]interface{}{"verified": true},
 370                                 "value":    "joe.smith@work.example.com",
 371                         },
 372                         {
 373                                 "value": "joe.smith@unverified.example.com", // unverified, so this one will be ignored
 374                         },
 375                         {
 376                                 "metadata": map[string]interface{}{"verified": true},
 377                                 "value":    "joe.smith@home.example.com",
 378                         },
 379                 },
 380         }
 381         state := s.startLogin(c)
 382         s.localdb.Login(context.Background(), arvados.LoginOptions{
 383                 Code:  s.validCode,
 384                 State: state,
 385         })
 386
 387         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 388         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 389         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com", "joe.smith@work.example.com"})
 390 }
 391
 392 // Primary address is not the one initially returned by oidc.
 393 func (s *OIDCLoginSuite) TestGoogleLogin_AlternateEmailAddresses_Primary(c *check.C) {
 394         s.authEmail = "joe.smith@alternate.example.com"
 395         s.fakePeopleAPIResponse = map[string]interface{}{
 396                 "emailAddresses": []map[string]interface{}{
 397                         {
 398                                 "metadata": map[string]interface{}{"verified": true, "primary": true},
 399                                 "value":    "joe.smith@primary.example.com",
 400                         },
 401                         {
 402                                 "metadata": map[string]interface{}{"verified": true},
 403                                 "value":    "joe.smith@alternate.example.com",
 404                         },
 405                         {
 406                                 "metadata": map[string]interface{}{"verified": true},
 407                                 "value":    "jsmith+123@preferdomainforusername.example.com",
 408                         },
 409                 },
 410         }
 411         state := s.startLogin(c)
 412         s.localdb.Login(context.Background(), arvados.LoginOptions{
 413                 Code:  s.validCode,
 414                 State: state,
 415         })
 416         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 417         c.Check(authinfo.Email, check.Equals, "joe.smith@primary.example.com")
 418         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@alternate.example.com", "jsmith+123@preferdomainforusername.example.com"})
 419         c.Check(authinfo.Username, check.Equals, "jsmith")
 420 }
 421
 422 func (s *OIDCLoginSuite) TestGoogleLogin_NoPrimaryEmailAddress(c *check.C) {
 423         s.authEmail = "joe.smith@unverified.example.com"
 424         s.authEmailVerified = false
 425         s.fakePeopleAPIResponse = map[string]interface{}{
 426                 "emailAddresses": []map[string]interface{}{
 427                         {
 428                                 "metadata": map[string]interface{}{"verified": true},
 429                                 "value":    "joe.smith@work.example.com",
 430                         },
 431                         {
 432                                 "metadata": map[string]interface{}{"verified": true},
 433                                 "value":    "joe.smith@home.example.com",
 434                         },
 435                 },
 436         }
 437         state := s.startLogin(c)
 438         s.localdb.Login(context.Background(), arvados.LoginOptions{
 439                 Code:  s.validCode,
 440                 State: state,
 441         })
 442
 443         authinfo := getCallbackAuthInfo(c, s.railsSpy)
 444         c.Check(authinfo.Email, check.Equals, "joe.smith@work.example.com") // first verified email in People response
 445         c.Check(authinfo.AlternateEmails, check.DeepEquals, []string{"joe.smith@home.example.com"})
 446         c.Check(authinfo.Username, check.Equals, "")
 447 }
 448
 449 func (s *OIDCLoginSuite) startLogin(c *check.C) (state string) {
 450         // Initiate login, but instead of following the redirect to
 451         // the provider, just grab state from the redirect URL.
 452         resp, err := s.localdb.Login(context.Background(), arvados.LoginOptions{ReturnTo: "https://app.example.com/foo?bar"})
 453         c.Check(err, check.IsNil)
 454         target, err := url.Parse(resp.RedirectLocation)
 455         c.Check(err, check.IsNil)
 456         state = target.Query().Get("state")
 457         c.Check(state, check.Not(check.Equals), "")
 458         return
 459 }
 460
 461 func (s *OIDCLoginSuite) fakeToken(c *check.C, payload []byte) string {
 462         signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: s.issuerKey}, nil)
 463         if err != nil {
 464                 c.Error(err)
 465         }
 466         object, err := signer.Sign(payload)
 467         if err != nil {
 468                 c.Error(err)
 469         }
 470         t, err := object.CompactSerialize()
 471         if err != nil {
 472                 c.Error(err)
 473         }
 474         c.Logf("fakeToken(%q) == %q", payload, t)
 475         return t
 476 }
 477
 478 func getCallbackAuthInfo(c *check.C, railsSpy *arvadostest.Proxy) (authinfo rpc.UserSessionAuthInfo) {
 479         for _, dump := range railsSpy.RequestDumps {
 480                 c.Logf("spied request: %q", dump)
 481                 split := bytes.Split(dump, []byte("\r\n\r\n"))
 482                 c.Assert(split, check.HasLen, 2)
 483                 hdr, body := string(split[0]), string(split[1])
 484                 if strings.Contains(hdr, "POST /auth/controller/callback") {
 485                         vs, err := url.ParseQuery(body)
 486                         c.Check(json.Unmarshal([]byte(vs.Get("auth_info")), &authinfo), check.IsNil)
 487                         c.Check(err, check.IsNil)
 488                         sort.Strings(authinfo.AlternateEmails)
 489                         return
 490                 }
 491         }
 492         c.Error("callback not found")
 493         return
 494 }