1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: Apache-2.0
20 "gopkg.in/square/go-jose.v2"
21 "gopkg.in/square/go-jose.v2/jwt"
24 type OIDCProvider struct {
25 // expected token request
28 ValidClientSecret string
29 // desired response from token endpoint
31 AuthEmailVerified bool
35 AccessTokenPayload map[string]interface{}
37 PeopleAPIResponse map[string]interface{}
39 // send incoming /userinfo requests to HoldUserInfo (if not
40 // nil), then receive from ReleaseUserInfo (if not nil),
41 // before responding (these are used to set up races)
42 HoldUserInfo chan *http.Request
43 ReleaseUserInfo chan struct{}
44 UserInfoErrorStatus int // if non-zero, return this http status (probably 5xx)
47 Issuer *httptest.Server
48 PeopleAPI *httptest.Server
52 func NewOIDCProvider(c *check.C) *OIDCProvider {
53 p := &OIDCProvider{c: c}
55 p.key, err = rsa.GenerateKey(rand.Reader, 2048)
56 c.Assert(err, check.IsNil)
57 p.Issuer = httptest.NewServer(http.HandlerFunc(p.serveOIDC))
58 p.PeopleAPI = httptest.NewServer(http.HandlerFunc(p.servePeopleAPI))
59 p.AccessTokenPayload = map[string]interface{}{"sub": "example"}
63 func (p *OIDCProvider) ValidAccessToken() string {
64 buf, _ := json.Marshal(p.AccessTokenPayload)
65 return p.fakeToken(buf)
68 func (p *OIDCProvider) serveOIDC(w http.ResponseWriter, req *http.Request) {
70 p.c.Logf("serveOIDC: got req: %s %s %s", req.Method, req.URL, req.Form)
71 w.Header().Set("Content-Type", "application/json")
73 case "/.well-known/openid-configuration":
74 json.NewEncoder(w).Encode(map[string]interface{}{
75 "issuer": p.Issuer.URL,
76 "authorization_endpoint": p.Issuer.URL + "/auth",
77 "token_endpoint": p.Issuer.URL + "/token",
78 "jwks_uri": p.Issuer.URL + "/jwks",
79 "userinfo_endpoint": p.Issuer.URL + "/userinfo",
82 var clientID, clientSecret string
83 auth, _ := base64.StdEncoding.DecodeString(strings.TrimPrefix(req.Header.Get("Authorization"), "Basic "))
84 authsplit := strings.Split(string(auth), ":")
85 if len(authsplit) == 2 {
86 clientID, _ = url.QueryUnescape(authsplit[0])
87 clientSecret, _ = url.QueryUnescape(authsplit[1])
89 if clientID != p.ValidClientID || clientSecret != p.ValidClientSecret {
90 p.c.Logf("OIDCProvider: expected (%q, %q) got (%q, %q)", p.ValidClientID, p.ValidClientSecret, clientID, clientSecret)
91 w.WriteHeader(http.StatusUnauthorized)
95 if req.Form.Get("code") != p.ValidCode || p.ValidCode == "" {
96 w.WriteHeader(http.StatusUnauthorized)
99 idToken, _ := json.Marshal(map[string]interface{}{
101 "aud": []string{clientID},
102 "sub": "fake-user-id",
103 "exp": time.Now().UTC().Add(time.Minute).Unix(),
104 "iat": time.Now().UTC().Unix(),
105 "nonce": "fake-nonce",
106 "email": p.AuthEmail,
107 "email_verified": p.AuthEmailVerified,
109 "given_name": p.AuthGivenName,
110 "family_name": p.AuthFamilyName,
111 "alt_verified": true, // for custom claim tests
112 "alt_email": "alt_email@example.com", // for custom claim tests
113 "alt_username": "desired-username", // for custom claim tests
115 json.NewEncoder(w).Encode(struct {
116 AccessToken string `json:"access_token"`
117 TokenType string `json:"token_type"`
118 RefreshToken string `json:"refresh_token"`
119 ExpiresIn int32 `json:"expires_in"`
120 IDToken string `json:"id_token"`
122 AccessToken: p.ValidAccessToken(),
124 RefreshToken: "test-refresh-token",
126 IDToken: p.fakeToken(idToken),
129 json.NewEncoder(w).Encode(jose.JSONWebKeySet{
130 Keys: []jose.JSONWebKey{
131 {Key: p.key.Public(), Algorithm: string(jose.RS256), KeyID: ""},
135 w.WriteHeader(http.StatusInternalServerError)
137 if p.HoldUserInfo != nil {
138 p.HoldUserInfo <- req
140 if p.ReleaseUserInfo != nil {
143 if p.UserInfoErrorStatus > 0 {
144 w.WriteHeader(p.UserInfoErrorStatus)
145 fmt.Fprintf(w, "%T error body", p)
148 authhdr := req.Header.Get("Authorization")
149 if _, err := jwt.ParseSigned(strings.TrimPrefix(authhdr, "Bearer ")); err != nil {
150 p.c.Logf("OIDCProvider: bad auth %q", authhdr)
151 w.WriteHeader(http.StatusUnauthorized)
154 json.NewEncoder(w).Encode(map[string]interface{}{
155 "sub": "fake-user-id",
157 "given_name": p.AuthGivenName,
158 "family_name": p.AuthFamilyName,
159 "alt_username": "desired-username",
160 "email": p.AuthEmail,
161 "email_verified": p.AuthEmailVerified,
164 w.WriteHeader(http.StatusNotFound)
168 func (p *OIDCProvider) servePeopleAPI(w http.ResponseWriter, req *http.Request) {
170 p.c.Logf("servePeopleAPI: got req: %s %s %s", req.Method, req.URL, req.Form)
171 w.Header().Set("Content-Type", "application/json")
172 switch req.URL.Path {
173 case "/v1/people/me":
174 if f := req.Form.Get("personFields"); f != "emailAddresses,names" {
175 w.WriteHeader(http.StatusBadRequest)
178 json.NewEncoder(w).Encode(p.PeopleAPIResponse)
180 w.WriteHeader(http.StatusNotFound)
184 func (p *OIDCProvider) fakeToken(payload []byte) string {
185 signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: p.key}, nil)
190 object, err := signer.Sign(payload)
195 t, err := object.CompactSerialize()
200 p.c.Logf("fakeToken(%q) == %q", payload, t)