keystone: test cases, refactoring and cleanup

This commit is contained in:
joannano 2018-12-13 12:22:53 +01:00 committed by Krzysztof Balka
parent a965365a2b
commit 88d1e2b041
10 changed files with 487 additions and 483 deletions

View file

@ -13,13 +13,14 @@ services:
- docker - docker
env: env:
- DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive - DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive DEX_KEYSTONE_URL=http://localhost:5000 DEX_KEYSTONE_ADMIN_URL=http://localhost:35357
install: install:
- sudo -E apt-get install -y --force-yes slapd time ldap-utils - sudo -E apt-get install -y --force-yes slapd time ldap-utils
- sudo /etc/init.d/slapd stop - sudo /etc/init.d/slapd stop
- docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9 - docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9
- docker run -d -p 0.0.0.0:5000:5000 -p 0.0.0.0:35357:35357 openio/openstack-keystone
- sleep 60s
script: script:
- make testall - make testall

View file

@ -11,12 +11,15 @@ FROM alpine:3.8
# experience when this doesn't work out of the box. # experience when this doesn't work out of the box.
# #
# OpenSSL is required so wget can query HTTPS endpoints for health checking. # OpenSSL is required so wget can query HTTPS endpoints for health checking.
RUN apk add --update ca-certificates openssl bash RUN apk add --update ca-certificates openssl
COPY --from=0 /go/bin/dex /usr/local/bin/dex
# Import frontend assets and set the correct CWD directory so the assets # Import frontend assets and set the correct CWD directory so the assets
# are in the default path. # are in the default path.
COPY web /web COPY web /web
WORKDIR / WORKDIR /
EXPOSE 5500-5600 ENTRYPOINT ["dex"]
CMD ["bash"]
CMD ["version"]

View file

@ -35,7 +35,6 @@ type Identity struct {
// //
// This data is never shared with end users, OAuth clients, or through the API. // This data is never shared with end users, OAuth clients, or through the API.
ConnectorData []byte ConnectorData []byte
Password string
} }
// PasswordConnector is an interface implemented by connectors which take a // PasswordConnector is an interface implemented by connectors which take a

View file

@ -2,163 +2,186 @@
package keystone package keystone
import ( import (
"context"
"fmt"
"github.com/dexidp/dex/connector"
"github.com/sirupsen/logrus"
"encoding/json"
"net/http"
"bytes" "bytes"
"context"
"encoding/json"
"fmt"
"io/ioutil" "io/ioutil"
"net/http"
"github.com/sirupsen/logrus"
"github.com/dexidp/dex/connector"
) )
var ( var (
_ connector.PasswordConnector = &Connector{} _ connector.PasswordConnector = &keystoneConnector{}
_ connector.RefreshConnector = &Connector{} _ connector.RefreshConnector = &keystoneConnector{}
) )
// Open returns an authentication strategy using Keystone. // Open returns an authentication strategy using Keystone.
func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) { func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
return &Connector{c.Domain, c.KeystoneHost, return &keystoneConnector{c.Domain, c.KeystoneHost,
c.KeystoneUsername, c.KeystonePassword, logger}, nil c.KeystoneUsername, c.KeystonePassword, logger}, nil
} }
func (p Connector) Close() error { return nil } func (p *keystoneConnector) Close() error { return nil }
func (p Connector) Login(ctx context.Context, s connector.Scopes, username, password string) ( func (p *keystoneConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (
identity connector.Identity, validPassword bool, err error) { identity connector.Identity, validPassword bool, err error) {
response, err := p.getTokenResponse(username, password) resp, err := p.getTokenResponse(ctx, username, password)
if err != nil {
return identity, false, fmt.Errorf("keystone: error %v", err)
}
// Providing wrong password or wrong keystone URI throws error // Providing wrong password or wrong keystone URI throws error
if err == nil && response.StatusCode == 201 { if resp.StatusCode == 201 {
token := response.Header["X-Subject-Token"][0] token := resp.Header.Get("X-Subject-Token")
data, _ := ioutil.ReadAll(response.Body) data, err := ioutil.ReadAll(resp.Body)
if err != nil {
return identity, false, err
}
defer resp.Body.Close()
var tokenResponse = new(TokenResponse) var tokenResp = new(tokenResponse)
err := json.Unmarshal(data, &tokenResponse) err = json.Unmarshal(data, &tokenResp)
if err != nil {
return identity, false, fmt.Errorf("keystone: invalid token response: %v", err)
}
groups, err := p.getUserGroups(ctx, tokenResp.Token.User.ID, token)
if err != nil {
return identity, false, err
}
if err != nil { identity.Username = username
fmt.Printf("keystone: invalid token response: %v", err) identity.UserID = tokenResp.Token.User.ID
return identity, false, err identity.Groups = groups
}
groups, err := p.getUserGroups(tokenResponse.Token.User.ID, token)
if err != nil {
return identity, false, err
}
identity.Username = username
identity.UserID = tokenResponse.Token.User.ID
identity.Groups = groups
return identity, true, nil return identity, true, nil
} else if err != nil {
fmt.Printf("keystone: error %v", err)
return identity, false, err
} else {
data, _ := ioutil.ReadAll(response.Body)
fmt.Println(string(data))
return identity, false, err
} }
return identity, false, nil return identity, false, nil
} }
func (p Connector) Prompt() string { return "username" } func (p *keystoneConnector) Prompt() string { return "username" }
func (p Connector) Refresh( func (p *keystoneConnector) Refresh(
ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) { ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
if len(identity.ConnectorData) == 0 { token, err := p.getAdminToken(ctx)
return identity, nil if err != nil {
return identity, fmt.Errorf("keystone: failed to obtain admin token: %v", err)
} }
token, err := p.getAdminToken() ok, err := p.checkIfUserExists(ctx, identity.UserID, token)
if err != nil {
return identity, err
}
if !ok {
return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
}
if err != nil { groups, err := p.getUserGroups(ctx, identity.UserID, token)
fmt.Printf("keystone: failed to obtain admin token") if err != nil {
return identity, err return identity, err
} }
ok := p.checkIfUserExists(identity.UserID, token) identity.Groups = groups
if !ok {
fmt.Printf("keystone: user %q does not exist\n", identity.UserID)
return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
}
groups, err := p.getUserGroups(identity.UserID, token)
if err != nil {
fmt.Printf("keystone: Failed to fetch user %q groups", identity.UserID)
return identity, fmt.Errorf("keystone: failed to fetch user %q groups", identity.UserID)
}
identity.Groups = groups
fmt.Printf("Identity data after use of refresh token: %v", identity)
return identity, nil return identity, nil
} }
func (p *keystoneConnector) getTokenResponse(ctx context.Context, username, pass string) (response *http.Response, err error) {
func (p Connector) getTokenResponse(username, password string) (response *http.Response, err error) { client := &http.Client{}
jsonData := LoginRequestData{ jsonData := loginRequestData{
Auth: Auth{ auth: auth{
Identity: Identity{ Identity: identity{
Methods:[]string{"password"}, Methods: []string{"password"},
Password: Password{ Password: password{
User: User{ User: user{
Name: username, Name: username,
Domain: Domain{ID:p.Domain}, Domain: domain{ID: p.Domain},
Password: password, Password: pass,
}, },
}, },
}, },
}, },
} }
jsonValue, _ := json.Marshal(jsonData) jsonValue, err := json.Marshal(jsonData)
loginURI := p.KeystoneHost + "/v3/auth/tokens" if err != nil {
return http.Post(loginURI, "application/json", bytes.NewBuffer(jsonValue)) return nil, err
}
authTokenURL := p.KeystoneHost + "/v3/auth/tokens/"
req, err := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(jsonValue))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/json")
req = req.WithContext(ctx)
return client.Do(req)
} }
func (p Connector) getAdminToken()(string, error) { func (p *keystoneConnector) getAdminToken(ctx context.Context) (string, error) {
response, err := p.getTokenResponse(p.KeystoneUsername, p.KeystonePassword) resp, err := p.getTokenResponse(ctx, p.KeystoneUsername, p.KeystonePassword)
if err!= nil { if err != nil {
return "", err return "", err
} }
token := response.Header["X-Subject-Token"][0] token := resp.Header.Get("X-Subject-Token")
return token, nil return token, nil
} }
func (p Connector) checkIfUserExists(userID string, token string) (bool) { func (p *keystoneConnector) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) {
groupsURI := p.KeystoneHost + "/v3/users/" + userID userURL := p.KeystoneHost + "/v3/users/" + userID
client := &http.Client{} client := &http.Client{}
req, _ := http.NewRequest("GET", groupsURI, nil) req, err := http.NewRequest("GET", userURL, nil)
req.Header.Set("X-Auth-Token", token) if err != nil {
response, err := client.Do(req) return false, err
if err == nil && response.StatusCode == 200 { }
return true
} req.Header.Set("X-Auth-Token", token)
return false req = req.WithContext(ctx)
resp, err := client.Do(req)
if err != nil {
return false, err
}
if resp.StatusCode == 200 {
return true, nil
}
return false, err
} }
func (p Connector) getUserGroups(userID string, token string) ([]string, error) { func (p *keystoneConnector) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) {
groupsURI := p.KeystoneHost + "/v3/users/" + userID + "/groups" client := &http.Client{}
client := &http.Client{} groupsURL := p.KeystoneHost + "/v3/users/" + userID + "/groups"
req, _ := http.NewRequest("GET", groupsURI, nil)
req.Header.Set("X-Auth-Token", token)
response, err := client.Do(req)
if err != nil { req, err := http.NewRequest("GET", groupsURL, nil)
fmt.Printf("keystone: error while fetching user %q groups\n", userID) req.Header.Set("X-Auth-Token", token)
return nil, err req = req.WithContext(ctx)
} resp, err := client.Do(req)
data, _ := ioutil.ReadAll(response.Body) if err != nil {
var groupsResponse = new(GroupsResponse) p.Logger.Errorf("keystone: error while fetching user %q groups\n", userID)
err = json.Unmarshal(data, &groupsResponse) return nil, err
if err != nil { }
return nil, err
} data, err := ioutil.ReadAll(resp.Body)
groups := []string{} if err != nil {
for _, group := range groupsResponse.Groups { return nil, err
groups = append(groups, group.Name) }
} defer resp.Body.Close()
return groups, nil
var groupsResp = new(groupsResponse)
err = json.Unmarshal(data, &groupsResp)
if err != nil {
return nil, err
}
groups := make([]string, len(groupsResp.Groups))
for i, group := range groupsResp.Groups {
groups[i] = group.Name
}
return groups, nil
} }

View file

@ -1,275 +1,358 @@
package keystone package keystone
import ( import (
"testing"
"github.com/dexidp/dex/connector"
"fmt"
"io"
"os"
"time"
"net/http"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/client"
networktypes "github.com/docker/docker/api/types/network"
"github.com/docker/go-connections/nat"
"golang.org/x/net/context"
"bytes" "bytes"
"context"
"encoding/json" "encoding/json"
"fmt"
"io/ioutil" "io/ioutil"
"net/http"
"os"
"reflect"
"strings"
"testing"
"github.com/dexidp/dex/connector"
) )
const dockerCliVersion = "1.37" const (
adminUser = "demo"
adminPass = "DEMO_PASS"
invalidPass = "WRONG_PASS"
const exposedKeystonePort = "5000" testUser = "test_user"
const exposedKeystonePortAdmin = "35357" testPass = "test_pass"
testEmail = "test@example.com"
testGroup = "test_group"
testDomain = "default"
)
const keystoneHost = "http://localhost" var (
const keystoneURL = keystoneHost + ":" + exposedKeystonePort keystoneURL = ""
const keystoneAdminURL = keystoneHost + ":" + exposedKeystonePortAdmin keystoneAdminURL = ""
const authTokenURL = keystoneURL + "/v3/auth/tokens/" authTokenURL = ""
const userURL = keystoneAdminURL + "/v3/users/" usersURL = ""
const groupURL = keystoneAdminURL + "/v3/groups/" groupsURL = ""
)
func startKeystoneContainer() string { type userResponse struct {
ctx := context.Background() User struct {
cli, err := client.NewClientWithOpts(client.WithVersion(dockerCliVersion)) ID string `json:"id"`
} `json:"user"`
if err != nil {
fmt.Printf("Error %v", err)
return ""
}
imageName := "openio/openstack-keystone"
out, err := cli.ImagePull(ctx, imageName, types.ImagePullOptions{})
if err != nil {
fmt.Printf("Error %v", err)
return ""
}
io.Copy(os.Stdout, out)
resp, err := cli.ContainerCreate(ctx, &container.Config{
Image: imageName,
}, &container.HostConfig{
PortBindings: nat.PortMap{
"5000/tcp": []nat.PortBinding{
{
HostIP: "0.0.0.0",
HostPort: exposedKeystonePort,
},
},
"35357/tcp": []nat.PortBinding{
{
HostIP: "0.0.0.0",
HostPort: exposedKeystonePortAdmin,
},
},
},
}, &networktypes.NetworkingConfig{}, "dex_keystone_test")
if err != nil {
fmt.Printf("Error %v", err)
return ""
}
if err := cli.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{}); err != nil {
panic(err)
}
fmt.Println(resp.ID)
return resp.ID
} }
func cleanKeystoneContainer(ID string) { type groupResponse struct {
ctx := context.Background() Group struct {
cli, err := client.NewClientWithOpts(client.WithVersion(dockerCliVersion)) ID string `json:"id"`
if err != nil { } `json:"group"`
fmt.Printf("Error %v", err)
return
}
duration := time.Duration(1)
if err:= cli.ContainerStop(ctx, ID, &duration); err != nil {
fmt.Printf("Error %v", err)
return
}
if err:= cli.ContainerRemove(ctx, ID, types.ContainerRemoveOptions{}); err != nil {
fmt.Printf("Error %v", err)
}
} }
func getAdminToken(admin_name, admin_pass string) (token string) { func getAdminToken(t *testing.T, adminName, adminPass string) (token, id string) {
t.Helper()
client := &http.Client{} client := &http.Client{}
jsonData := LoginRequestData{ jsonData := loginRequestData{
Auth: Auth{ auth: auth{
Identity: Identity{ Identity: identity{
Methods:[]string{"password"}, Methods: []string{"password"},
Password: Password{ Password: password{
User: User{ User: user{
Name: admin_name, Name: adminName,
Domain: Domain{ID: "default"}, Domain: domain{ID: testDomain},
Password: admin_pass, Password: adminPass,
}, },
}, },
}, },
}, },
} }
body, _ := json.Marshal(jsonData) body, err := json.Marshal(jsonData)
if err != nil {
t.Fatal(err)
}
req, _ := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(body)) req, err := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(body))
if err != nil {
t.Fatalf("keystone: failed to obtain admin token: %v\n", err)
}
req.Header.Set("Content-Type", "application/json") req.Header.Set("Content-Type", "application/json")
resp, _ := client.Do(req) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
token = resp.Header["X-Subject-Token"][0] token = resp.Header.Get("X-Subject-Token")
return token
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var tokenResp = new(tokenResponse)
err = json.Unmarshal(data, &tokenResp)
if err != nil {
t.Fatal(err)
}
return token, tokenResp.Token.User.ID
} }
func createUser(token, user_name, user_email, user_pass string) (string){ func createUser(t *testing.T, token, userName, userEmail, userPass string) string {
t.Helper()
client := &http.Client{} client := &http.Client{}
createUserData := CreateUserRequest{ createUserData := map[string]interface{}{
CreateUser: CreateUserForm{ "user": map[string]interface{}{
Name: user_name, "name": userName,
Email: user_email, "email": userEmail,
Enabled: true, "enabled": true,
Password: user_pass, "password": userPass,
Roles: []string{"admin"}, "roles": []string{"admin"},
}, },
} }
body, _ := json.Marshal(createUserData) body, err := json.Marshal(createUserData)
req, _ := http.NewRequest("POST", userURL, bytes.NewBuffer(body))
req.Header.Set("X-Auth-Token", token)
req.Header.Add("Content-Type", "application/json")
resp, _ := client.Do(req)
data, _ := ioutil.ReadAll(resp.Body)
var userResponse = new(UserResponse)
err := json.Unmarshal(data, &userResponse)
if err != nil { if err != nil {
fmt.Println(err) t.Fatal(err)
} }
fmt.Println(userResponse.User.ID) req, err := http.NewRequest("POST", usersURL, bytes.NewBuffer(body))
return userResponse.User.ID if err != nil {
t.Fatal(err)
} }
func deleteUser(token, id string) {
client := &http.Client{}
deleteUserURI := userURL + id
fmt.Println(deleteUserURI)
req, _ := http.NewRequest("DELETE", deleteUserURI, nil)
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
resp, _ := client.Do(req) req.Header.Add("Content-Type", "application/json")
fmt.Println(resp) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var userResp = new(userResponse)
err = json.Unmarshal(data, &userResp)
if err != nil {
t.Fatal(err)
}
return userResp.User.ID
} }
func createGroup(token, description, name string) string{ // delete group or user
func delete(t *testing.T, token, id, uri string) {
t.Helper()
client := &http.Client{} client := &http.Client{}
createGroupData := CreateGroup{ deleteURI := uri + id
CreateGroupForm{ req, err := http.NewRequest("DELETE", deleteURI, nil)
Description: description, if err != nil {
Name: name, t.Fatalf("error: %v", err)
}
req.Header.Set("X-Auth-Token", token)
client.Do(req)
}
func createGroup(t *testing.T, token, description, name string) string {
t.Helper()
client := &http.Client{}
createGroupData := map[string]interface{}{
"group": map[string]interface{}{
"name": name,
"description": description,
}, },
} }
body, _ := json.Marshal(createGroupData) body, err := json.Marshal(createGroupData)
req, _ := http.NewRequest("POST", groupURL, bytes.NewBuffer(body))
req.Header.Set("X-Auth-Token", token)
req.Header.Add("Content-Type", "application/json")
resp, _ := client.Do(req)
data, _ := ioutil.ReadAll(resp.Body)
var groupResponse = new(GroupID)
err := json.Unmarshal(data, &groupResponse)
if err != nil { if err != nil {
fmt.Println(err) t.Fatal(err)
} }
return groupResponse.Group.ID req, err := http.NewRequest("POST", groupsURL, bytes.NewBuffer(body))
} if err != nil {
t.Fatal(err)
func addUserToGroup(token, groupId, userId string) { }
uri := groupURL + groupId + "/users/" + userId
client := &http.Client{}
req, _ := http.NewRequest("PUT", uri, nil)
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
resp, _ := client.Do(req) req.Header.Add("Content-Type", "application/json")
fmt.Println(resp) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var groupResp = new(groupResponse)
err = json.Unmarshal(data, &groupResp)
if err != nil {
t.Fatal(err)
}
return groupResp.Group.ID
} }
const adminUser = "demo" func addUserToGroup(t *testing.T, token, groupID, userID string) error {
const adminPass = "DEMO_PASS" t.Helper()
const invalidPass = "WRONG_PASS" uri := groupsURL + groupID + "/users/" + userID
client := &http.Client{}
const testUser = "test_user" req, err := http.NewRequest("PUT", uri, nil)
const testPass = "test_pass" if err != nil {
const testEmail = "test@example.com" return err
}
const domain = "default" req.Header.Set("X-Auth-Token", token)
client.Do(req)
return nil
}
func TestIncorrectCredentialsLogin(t *testing.T) { func TestIncorrectCredentialsLogin(t *testing.T) {
c := Connector{KeystoneHost: keystoneURL, Domain: domain, c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass} KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true} s := connector.Scopes{OfflineAccess: true, Groups: true}
_, validPW, _ := c.Login(context.Background(), s, adminUser, invalidPass) _, validPW, err := c.Login(context.Background(), s, adminUser, invalidPass)
if err != nil {
t.Fatal(err.Error())
}
if validPW { if validPW {
t.Fail() t.Fail()
} }
} }
func TestValidUserLogin(t *testing.T) { func TestValidUserLogin(t *testing.T) {
token := getAdminToken(adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(token, testUser, testEmail, testPass) userID := createUser(t, token, testUser, testEmail, testPass)
c := Connector{KeystoneHost: keystoneURL, Domain: domain, c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass} KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true} s := connector.Scopes{OfflineAccess: true, Groups: true}
_, validPW, _ := c.Login(context.Background(), s, testUser, testPass) identity, validPW, err := c.Login(context.Background(), s, testUser, testPass)
if !validPW { if err != nil {
t.Fail() t.Fatal(err.Error())
} }
deleteUser(token, userID) t.Log(identity)
if !validPW {
t.Fail()
}
delete(t, token, userID, usersURL)
} }
func TestUseRefreshToken(t *testing.T) { func TestUseRefreshToken(t *testing.T) {
t.Fatal("Not implemented") token, adminID := getAdminToken(t, adminUser, adminPass)
groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, adminID)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, adminUser, adminPass)
if err != nil {
t.Fatal(err.Error())
}
identityRefresh, err := c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, groupID, groupsURL)
expectEquals(t, 1, len(identityRefresh.Groups))
expectEquals(t, testGroup, string(identityRefresh.Groups[0]))
} }
func TestUseRefreshTokenUserDeleted(t *testing.T){ func TestUseRefreshTokenUserDeleted(t *testing.T) {
t.Fatal("Not implemented") token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
_, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, userID, usersURL)
_, err = c.Refresh(context.Background(), s, identityLogin)
if !strings.Contains(err.Error(), "does not exist") {
t.Errorf("unexpected error: %s", err.Error())
}
} }
func TestUseRefreshTokenGroupsChanged(t *testing.T){ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
t.Fatal("Not implemented") token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
identityRefresh, err := c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
expectEquals(t, 0, len(identityRefresh.Groups))
groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, userID)
identityRefresh, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, groupID, groupsURL)
delete(t, token, userID, usersURL)
expectEquals(t, 1, len(identityRefresh.Groups))
} }
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
dockerID := startKeystoneContainer() keystoneURLEnv := "DEX_KEYSTONE_URL"
repeats := 10 keystoneAdminURLEnv := "DEX_KEYSTONE_ADMIN_URL"
running := false keystoneURL = os.Getenv(keystoneURLEnv)
for i := 0; i < repeats; i++ { if keystoneURL == "" {
_, err := http.Get(keystoneURL) fmt.Printf("variable %q not set, skipping keystone connector tests\n", keystoneURLEnv)
if err == nil { return
running = true }
break keystoneAdminURL := os.Getenv(keystoneAdminURLEnv)
} if keystoneAdminURL == "" {
time.Sleep(10 * time.Second) fmt.Printf("variable %q not set, skipping keystone connector tests\n", keystoneAdminURLEnv)
} return
if !running { }
fmt.Printf("Failed to start keystone container") authTokenURL = keystoneURL + "/v3/auth/tokens/"
os.Exit(1) fmt.Printf("Auth token url %q\n", authTokenURL)
} fmt.Printf("Keystone URL %q\n", keystoneURL)
defer cleanKeystoneContainer(dockerID) usersURL = keystoneAdminURL + "/v3/users/"
// run all tests groupsURL = keystoneAdminURL + "/v3/groups/"
// run all tests
m.Run() m.Run()
} }
func expectEquals(t *testing.T, a interface{}, b interface{}) {
if !reflect.DeepEqual(a, b) {
t.Errorf("Expected %v to be equal %v", a, b)
}
}

View file

@ -4,133 +4,84 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
type Connector struct { type keystoneConnector struct {
Domain string Domain string
KeystoneHost string KeystoneHost string
KeystoneUsername string KeystoneUsername string
KeystonePassword string KeystonePassword string
Logger logrus.FieldLogger Logger logrus.FieldLogger
} }
type ConnectorData struct { type userKeystone struct {
AccessToken string `json:"accessToken"` Domain domainKeystone `json:"domain"`
ID string `json:"id"`
Name string `json:"name"`
} }
type KeystoneUser struct { type domainKeystone struct {
Domain KeystoneDomain `json:"domain"` ID string `json:"id"`
ID string `json:"id"`
Name string `json:"name"`
}
type KeystoneDomain struct {
ID string `json:"id"`
Name string `json:"name"` Name string `json:"name"`
} }
// Config holds the configuration parameters for Keystone connector.
// Keystone should expose API v3
// An example config:
// connectors:
// type: keystone
// id: keystone
// name: Keystone
// config:
// keystoneHost: http://example:5000
// domain: default
// keystoneUsername: demo
// keystonePassword: DEMO_PASS
type Config struct { type Config struct {
Domain string `json:"domain"` Domain string `json:"domain"`
KeystoneHost string `json:"keystoneHost"` KeystoneHost string `json:"keystoneHost"`
KeystoneUsername string `json:"keystoneUsername"` KeystoneUsername string `json:"keystoneUsername"`
KeystonePassword string `json:"keystonePassword"` KeystonePassword string `json:"keystonePassword"`
} }
type LoginRequestData struct { type loginRequestData struct {
Auth `json:"auth"` auth `json:"auth"`
} }
type Auth struct { type auth struct {
Identity `json:"identity"` Identity identity `json:"identity"`
} }
type Identity struct { type identity struct {
Methods []string `json:"methods"` Methods []string `json:"methods"`
Password `json:"password"` Password password `json:"password"`
} }
type Password struct { type password struct {
User `json:"user"` User user `json:"user"`
} }
type User struct { type user struct {
Name string `json:"name"`
Domain `json:"domain"`
Password string `json:"password"`
}
type Domain struct {
ID string `json:"id"`
}
type Token struct {
IssuedAt string `json:"issued_at"`
Extras map[string]interface{} `json:"extras"`
Methods []string `json:"methods"`
ExpiresAt string `json:"expires_at"`
User KeystoneUser `json:"user"`
}
type TokenResponse struct {
Token Token `json:"token"`
}
type CreateUserRequest struct {
CreateUser CreateUserForm `json:"user"`
}
type CreateUserForm struct {
Name string `json:"name"` Name string `json:"name"`
Email string `json:"email"` Domain domain `json:"domain"`
Enabled bool `json:"enabled"`
Password string `json:"password"` Password string `json:"password"`
Roles []string `json:"roles"`
} }
type UserResponse struct { type domain struct {
User CreateUserResponse `json:"user"`
}
type CreateUserResponse struct {
Username string `json:"username"`
Name string `json:"name"`
Roles []string `json:"roles"`
Enabled bool `json:"enabled"`
Options string `json:"options"`
ID string `json:"id"`
Email string `json:"email"`
}
type CreateGroup struct {
Group CreateGroupForm `json:"group"`
}
type CreateGroupForm struct {
Description string `json:"description"`
Name string `json:"name"`
}
type GroupID struct {
Group GroupIDForm `json:"group"`
}
type GroupIDForm struct {
ID string `json:"id"` ID string `json:"id"`
} }
type Links struct { type token struct {
Self string `json:"self"` User userKeystone `json:"user"`
Previous string `json:"previous"`
Next string `json:"next"`
} }
type Group struct { type tokenResponse struct {
DomainID string `json:"domain_id` Token token `json:"token"`
Description string `json:"description"`
ID string `json:"id"`
Links Links `json:"links"`
Name string `json:"name"`
} }
type GroupsResponse struct { type group struct {
Links Links `json:"links"` ID string `json:"id"`
Groups []Group `json:"groups"` Name string `json:"name"`
}
type groupsResponse struct {
Groups []group `json:"groups"`
} }

View file

@ -1,55 +0,0 @@
# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://0.0.0.0:5556/dex
# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the storage document at Documentation/storage.md for further information.
storage:
type: sqlite3
config:
file: examples/dex.db #be in the dex directory, else change path here
# Configuration for the HTTP endpoints.
web:
https: 0.0.0.0:5556
# Uncomment for HTTPS options.
# https: 127.0.0.1:5554
tlsCert: ./ssl/dex.crt
tlsKey: ./ssl/dex.key
# Configuration for telemetry
telemetry:
http: 0.0.0.0:5558
oauth2:
responseTypes: ["id_token"]
# Instead of reading from an external storage, use this list of clients.
staticClients:
- id: example-app
redirectURIs:
- 'http://127.0.0.1:5555/callback'
name: 'Example App'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
#Provide Keystone connector and its config here
# /v3/auth/tokens
connectors:
- type: keystone
id: keystone
name: Keystone
config:
keystoneHost: http://localhost:5000
domain: default
keystoneUsername: demo
keystonePassword: DEMO_PASS
# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true
oauth2:
skipApprovalScreen: true

View file

@ -211,7 +211,6 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
} }
authReqID := r.FormValue("req") authReqID := r.FormValue("req")
s.logger.Errorf("Auth req id %v", authReqID)
authReq, err := s.storage.GetAuthRequest(authReqID) authReq, err := s.storage.GetAuthRequest(authReqID)
if err != nil { if err != nil {
@ -346,7 +345,7 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.") s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
return return
} }
s.logger.Errorf("2Failed to get auth request: %v", err) s.logger.Errorf("Failed to get auth request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Database error.") s.renderError(w, http.StatusInternalServerError, "Database error.")
return return
} }
@ -358,7 +357,6 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
} }
conn, err := s.getConnector(authReq.ConnectorID) conn, err := s.getConnector(authReq.ConnectorID)
s.logger.Errorf("X Connector %v", conn)
if err != nil { if err != nil {
s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err) s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err)
s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.") s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
@ -437,7 +435,7 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) { func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
authReq, err := s.storage.GetAuthRequest(r.FormValue("req")) authReq, err := s.storage.GetAuthRequest(r.FormValue("req"))
if err != nil { if err != nil {
s.logger.Errorf("3Failed to get auth request: %v", err) s.logger.Errorf("Failed to get auth request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Database error.") s.renderError(w, http.StatusInternalServerError, "Database error.")
return return
} }

View file

@ -27,6 +27,7 @@ import (
"github.com/dexidp/dex/connector/bitbucketcloud" "github.com/dexidp/dex/connector/bitbucketcloud"
"github.com/dexidp/dex/connector/github" "github.com/dexidp/dex/connector/github"
"github.com/dexidp/dex/connector/gitlab" "github.com/dexidp/dex/connector/gitlab"
"github.com/dexidp/dex/connector/keystone"
"github.com/dexidp/dex/connector/ldap" "github.com/dexidp/dex/connector/ldap"
"github.com/dexidp/dex/connector/linkedin" "github.com/dexidp/dex/connector/linkedin"
"github.com/dexidp/dex/connector/microsoft" "github.com/dexidp/dex/connector/microsoft"
@ -34,7 +35,6 @@ import (
"github.com/dexidp/dex/connector/oidc" "github.com/dexidp/dex/connector/oidc"
"github.com/dexidp/dex/connector/saml" "github.com/dexidp/dex/connector/saml"
"github.com/dexidp/dex/storage" "github.com/dexidp/dex/storage"
"github.com/dexidp/dex/connector/keystone"
) )
// LocalConnector is the local passwordDB connector which is an internal // LocalConnector is the local passwordDB connector which is an internal
@ -456,7 +456,7 @@ func openConnector(logger logrus.FieldLogger, conn storage.Connector) (connector
f, ok := ConnectorsConfig[conn.Type] f, ok := ConnectorsConfig[conn.Type]
if !ok { if !ok {
return c, fmt.Errorf("xunknown connector type %q", conn.Type) return c, fmt.Errorf("unknown connector type %q", conn.Type)
} }
connConfig := f() connConfig := f()

View file

@ -3,6 +3,7 @@ package storage
import ( import (
"errors" "errors"
"strings" "strings"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )