Added OpenShift connector

2019-12-10 10:51:09 -03:00 · 2019-12-10 10:51:09 -03:00 · 92e63771ac
parent 664fdf76ca
commit 92e63771ac
4 changed files with 527 additions and 0 deletions
--- a/Documentation/connectors/openshift.md
+++ b/Documentation/connectors/openshift.md
@ -0,0 +1,50 @@
+# Authentication using OpenShift
+
+## Overview
+
+Dex can make use of users and groups defined within OpenShift by querying the platform provided OAuth server.
+
+## Configuration
+
+Create a new OAuth Client by following the steps described in the documentation for [Registering Additional OAuth Clients[(https://docs.openshift.com/container-platform/latest/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth)
+
+This involves creating a resource similar the following
+
+```yaml
+kind: OAuthClient
+apiVersion: oauth.openshift.io/v1
+metadata:
+ name: dex
+# The value that should be utilized as the `client_secret`
+secret: "<clientSecret>" 
+# List of valid addresses for the callback. Ensure one of the values that are provided is `(dex issuer)/callback` 
+redirectURIs:
+ - "https:///<dex_url>/callback" 
+grantMethod: prompt
+```
+
+The following is an example of a configuration for `examples/config-dev.yaml`:
+
+```yaml
+connectors:
+  - type: openshift
+    # Required field for connector id.
+    id: openshift
+    # Required field for connector name.
+    name: OppenShift
+    config:
+      # OpenShift API
+      baseURL: https://api.mycluster.example.com:6443
+      # Credentials can be string literals or pulled from the environment.
+      clientID: $OPENSHIFT_OAUTH_CLIENT_ID
+      clientSecret: $OPENSHIFT_OAUTH_CLIENT_SECRET
+      redirectURI: http://127.0.0.1:5556/dex/
+      # Optional: Specify whether to communicate to OpenShift without validating SSL ceertificates
+      insecureCA: false
+      # Optional: The location of file containing SSL certificates to commmunicate to OpenShift
+      rootCA: /etc/ssl/openshift.pem
+      # Optional list of required groups a user mmust be a member of
+      groups:
+        - users
+
+```
--- a/connector/openshift/openshift.go
+++ b/connector/openshift/openshift.go
@ -0,0 +1,252 @@
+package openshift
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/dexidp/dex/connector"
+	"github.com/dexidp/dex/pkg/groups"
+	"github.com/dexidp/dex/pkg/log"
+	"github.com/dexidp/dex/storage/kubernetes/k8sapi"
+	"golang.org/x/oauth2"
+)
+
+// Config holds configuration options for OpenShift login
+type Config struct {
+	Issuer       string   `json:"issuer"`
+	ClientID     string   `json:"clientID"`
+	ClientSecret string   `json:"clientSecret"`
+	RedirectURI  string   `json:"redirectURI"`
+	Groups       []string `json:"groups"`
+	InsecureCA   bool     `json:"insecureCA"`
+	RootCA       string   `json:"rootCA"`
+}
+
+var (
+	_ connector.CallbackConnector = (*openshiftConnector)(nil)
+)
+
+type openshiftConnector struct {
+	apiURL       string
+	redirectURI  string
+	clientID     string
+	clientSecret string
+	cancel       context.CancelFunc
+	logger       log.Logger
+	httpClient   *http.Client
+	oauth2Config *oauth2.Config
+	insecureCA   bool
+	rootCA       string
+	groups       []string
+}
+
+type user struct {
+	k8sapi.TypeMeta   `json:",inline"`
+	k8sapi.ObjectMeta `json:"metadata,omitempty"`
+	Identities        []string `json:"identities" protobuf:"bytes,3,rep,name=identities"`
+	FullName          string   `json:"fullName,omitempty" protobuf:"bytes,2,opt,name=fullName"`
+	Groups            []string `json:"groups" protobuf:"bytes,4,rep,name=groups"`
+}
+
+// Open returns a connector which can be used to login users through an upstream
+// OpenShift OAuth2 provider.
+func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, err error) {
+
+	ctx, cancel := context.WithCancel(context.Background())
+
+	wellKnownURL := strings.TrimSuffix(c.Issuer, "/") + "/.well-known/oauth-authorization-server"
+	req, err := http.NewRequest(http.MethodGet, wellKnownURL, nil)
+
+	openshiftConnector := openshiftConnector{
+		apiURL:       c.Issuer,
+		cancel:       cancel,
+		clientID:     c.ClientID,
+		clientSecret: c.ClientSecret,
+		insecureCA:   c.InsecureCA,
+		logger:       logger,
+		redirectURI:  c.RedirectURI,
+		rootCA:       c.RootCA,
+		groups:       c.Groups,
+	}
+
+	if openshiftConnector.httpClient, err = newHTTPClient(c.InsecureCA, c.RootCA); err != nil {
+		cancel()
+		return nil, fmt.Errorf("failed to create HTTP client: %v", err)
+	}
+
+	var metadata struct {
+		Auth  string `json:"authorization_endpoint"`
+		Token string `json:"token_endpoint"`
+	}
+
+	resp, err := openshiftConnector.httpClient.Do(req.WithContext(ctx))
+
+	if err != nil {
+		cancel()
+		return nil, fmt.Errorf("Failed to query OpenShift Endpoint %v", err)
+	}
+
+	defer resp.Body.Close()
+
+	if err := json.NewDecoder(resp.Body).Decode(&metadata); err != nil {
+		cancel()
+		return nil, fmt.Errorf("discovery through endpoint %s failed to decode body: %v",
+			wellKnownURL, err)
+	}
+
+	openshiftConnector.oauth2Config = &oauth2.Config{
+		ClientID:     c.ClientID,
+		ClientSecret: c.ClientSecret,
+		Endpoint: oauth2.Endpoint{
+			AuthURL: metadata.Auth, TokenURL: metadata.Token,
+		},
+		Scopes:      []string{"user:info", "user:check-access", "user:full"},
+		RedirectURL: c.RedirectURI,
+	}
+	return &openshiftConnector, nil
+}
+
+func (c *openshiftConnector) Close() error {
+	c.cancel()
+	return nil
+}
+
+// LoginURL returns the URL to redirect the user to login with.
+func (c *openshiftConnector) LoginURL(scopes connector.Scopes, callbackURL, state string) (string, error) {
+	if c.redirectURI != callbackURL {
+		return "", fmt.Errorf("expected callback URL %q did not match the URL in the config %q", callbackURL, c.redirectURI)
+	}
+	return c.oauth2Config.AuthCodeURL(state), nil
+}
+
+type oauth2Error struct {
+	error            string
+	errorDescription string
+}
+
+func (e *oauth2Error) Error() string {
+	if e.errorDescription == "" {
+		return e.error
+	}
+	return e.error + ": " + e.errorDescription
+}
+
+// HandleCallback parses the request and returns the user's identity
+func (c *openshiftConnector) HandleCallback(s connector.Scopes, r *http.Request) (identity connector.Identity, err error) {
+	q := r.URL.Query()
+	if errType := q.Get("error"); errType != "" {
+		return identity, &oauth2Error{errType, q.Get("error_description")}
+	}
+
+	ctx := r.Context()
+	if c.httpClient != nil {
+		ctx = context.WithValue(r.Context(), oauth2.HTTPClient, c.httpClient)
+	}
+
+	token, err := c.oauth2Config.Exchange(ctx, q.Get("code"))
+	if err != nil {
+		return identity, fmt.Errorf("oidc: failed to get token: %v", err)
+	}
+
+	client := c.oauth2Config.Client(ctx, token)
+
+	user, err := c.user(ctx, client)
+
+	if err != nil {
+		return identity, fmt.Errorf("openshift: get user: %v", err)
+	}
+
+	validGroups := validateRequiredGroups(user.Groups, c.groups)
+
+	if !validGroups {
+		return identity, fmt.Errorf("openshift: user %q is not in any of the required teams", user.Name)
+	}
+
+	identity = connector.Identity{
+		UserID:            user.UID,
+		Username:          user.Name,
+		PreferredUsername: user.Name,
+		Groups:            user.Groups,
+	}
+
+	return identity, nil
+}
+
+// user function returns the OpenShift user associated with the authenticated user
+func (c *openshiftConnector) user(ctx context.Context, client *http.Client) (u user, err error) {
+	url := c.apiURL + "/apis/user.openshift.io/v1/users/~"
+
+	req, err := http.NewRequest("GET", url, nil)
+	if err != nil {
+		return u, fmt.Errorf("new req: %v", err)
+	}
+
+	resp, err := client.Do(req.WithContext(ctx))
+	if err != nil {
+		return u, fmt.Errorf("get URL %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return u, fmt.Errorf("read body: %v", err)
+		}
+		return u, fmt.Errorf("%s: %s", resp.Status, body)
+	}
+
+	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
+		return u, fmt.Errorf("JSON decode: %v", err)
+	}
+
+	return u, err
+}
+
+func validateRequiredGroups(userGroups, requiredGroups []string) bool {
+
+	matchingGroups := groups.Filter(userGroups, requiredGroups)
+
+	return len(requiredGroups) == len(matchingGroups)
+}
+
+// newHTTPClient returns a new HTTP client
+func newHTTPClient(insecureCA bool, rootCA string) (*http.Client, error) {
+	tlsConfig := tls.Config{}
+
+	if insecureCA {
+		tlsConfig = tls.Config{InsecureSkipVerify: true}
+	} else if rootCA != "" {
+		tlsConfig := tls.Config{RootCAs: x509.NewCertPool()}
+		rootCABytes, err := ioutil.ReadFile(rootCA)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read root-ca: %v", err)
+		}
+		if !tlsConfig.RootCAs.AppendCertsFromPEM(rootCABytes) {
+			return nil, fmt.Errorf("no certs found in root CA file %q", rootCA)
+		}
+	}
+
+	return &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tlsConfig,
+			Proxy:           http.ProxyFromEnvironment,
+			DialContext: (&net.Dialer{
+				Timeout:   30 * time.Second,
+				KeepAlive: 30 * time.Second,
+				DualStack: true,
+			}).DialContext,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+		},
+	}, nil
+}
--- a/connector/openshift/openshift_test.go
+++ b/connector/openshift/openshift_test.go
@ -0,0 +1,223 @@
+package openshift
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"reflect"
+	"testing"
+
+	"github.com/dexidp/dex/connector"
+	"github.com/dexidp/dex/storage/kubernetes/k8sapi"
+	"golang.org/x/oauth2"
+
+	"github.com/sirupsen/logrus"
+)
+
+func TestOpen(t *testing.T) {
+
+	s := newTestServer(map[string]interface{}{})
+	defer s.Close()
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	_, err = http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	c := Config{
+		Issuer:       s.URL,
+		ClientID:     "testClientId",
+		ClientSecret: "testClientSecret",
+		RedirectURI:  "https://localhost/callback",
+		InsecureCA:   true,
+	}
+
+	logger := logrus.New()
+
+	oconfig, err := c.Open("id", logger)
+
+	oc, ok := oconfig.(*openshiftConnector)
+
+	expectNil(t, err)
+	expectEquals(t, ok, true)
+	expectEquals(t, oc.apiURL, s.URL)
+	expectEquals(t, oc.clientID, "testClientId")
+	expectEquals(t, oc.clientSecret, "testClientSecret")
+	expectEquals(t, oc.redirectURI, "https://localhost/callback")
+	expectEquals(t, oc.oauth2Config.Endpoint.AuthURL, fmt.Sprintf("%s/oauth/authorize", s.URL))
+	expectEquals(t, oc.oauth2Config.Endpoint.TokenURL, fmt.Sprintf("%s/oauth/token", s.URL))
+}
+
+func TestGetUser(t *testing.T) {
+
+	s := newTestServer(map[string]interface{}{
+		"/apis/user.openshift.io/v1/users/~": user{
+			ObjectMeta: k8sapi.ObjectMeta{
+				Name: "jdoe",
+			},
+			FullName: "John Doe",
+			Groups:   []string{"users"},
+		},
+	})
+	defer s.Close()
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	_, err = http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	h, err := newHTTPClient(true, "")
+
+	expectNil(t, err)
+
+	oc := openshiftConnector{apiURL: s.URL, httpClient: h}
+	u, err := oc.user(context.Background(), h)
+
+	expectNil(t, err)
+	expectEquals(t, u.Name, "jdoe")
+	expectEquals(t, u.FullName, "John Doe")
+	expectEquals(t, len(u.Groups), 1)
+
+}
+
+func TestVerifyGroupFn(t *testing.T) {
+
+	requiredGroups := []string{"users"}
+	groupMembership := []string{"users","org1"}
+
+	validGroupMembership := validateRequiredGroups(groupMembership, requiredGroups)
+
+	expectEquals(t, validGroupMembership, true)
+
+}
+
+func TestVerifyGroup(t *testing.T) {
+
+	s := newTestServer(map[string]interface{}{
+		"/apis/user.openshift.io/v1/users/~": user{
+			ObjectMeta: k8sapi.ObjectMeta{
+				Name: "jdoe",
+			},
+			FullName: "John Doe",
+			Groups:   []string{"users"},
+		},
+	})
+	defer s.Close()
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	_, err = http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	h, err := newHTTPClient(true, "")
+
+	expectNil(t, err)
+
+	oc := openshiftConnector{apiURL: s.URL, httpClient: h}
+	u, err := oc.user(context.Background(), h)
+
+	expectNil(t, err)
+	expectEquals(t, u.Name, "jdoe")
+	expectEquals(t, u.FullName, "John Doe")
+	expectEquals(t, len(u.Groups), 1)
+
+}
+
+func TestCallbackIdentity(t *testing.T) {
+
+	s := newTestServer(map[string]interface{}{
+		"/apis/user.openshift.io/v1/users/~": user{
+			ObjectMeta: k8sapi.ObjectMeta{
+				Name: "jdoe",
+				UID:  "12345",
+			},
+			FullName: "John Doe",
+			Groups:   []string{"users"},
+		},
+		"/oauth/token": map[string]interface{}{
+			"access_token": "oRzxVjCnohYRHEYEhZshkmakKmoyVoTjfUGC",
+			"expires_in":   "30",
+		},
+	})
+	defer s.Close()
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	req, err := http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	h, err := newHTTPClient(true, "")
+
+	expectNil(t, err)
+
+	oc := openshiftConnector{apiURL: s.URL, httpClient: h, oauth2Config: &oauth2.Config{
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  fmt.Sprintf("%s/oauth/authorize", s.URL),
+			TokenURL: fmt.Sprintf("%s/oauth/token", s.URL),
+		},
+	}}
+	identity, err := oc.HandleCallback(connector.Scopes{Groups: true}, req)
+
+	expectNil(t, err)
+	expectEquals(t, identity.UserID, "12345")
+	expectEquals(t, identity.Username, "jdoe")
+	expectEquals(t, identity.PreferredUsername, "jdoe")
+	expectEquals(t, len(identity.Groups), 1)
+	expectEquals(t, identity.Groups[0], "users")
+}
+
+func newTestServer(responses map[string]interface{}) *httptest.Server {
+
+	var s *httptest.Server
+	s = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		responses["/.well-known/oauth-authorization-server"] = map[string]interface{}{
+			"issuer":                           fmt.Sprintf("%s", s.URL),
+			"authorization_endpoint":           fmt.Sprintf("%s/oauth/authorize", s.URL),
+			"token_endpoint":                   fmt.Sprintf("%s/oauth/token", s.URL),
+			"scopes_supported":                 []string{"user:full", "user:info", "user:check-access", "user:list-scoped-projects", "user:list-projects"},
+			"response_types_supported":         []string{"token", "code"},
+			"grant_types_supported":            []string{"authorization_code", "implicit"},
+			"code_challenge_methods_supported": []string{"plain", "S256"},
+		}
+
+		response := responses[r.RequestURI]
+		w.Header().Add("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(response)
+	}))
+
+	return s
+}
+
+func newClient() *http.Client {
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	return &http.Client{Transport: tr}
+}
+
+func expectNil(t *testing.T, a interface{}) {
+	if a != nil {
+		t.Errorf("Expected %+v to equal nil", a)
+	}
+}
+
+func expectNotNil(t *testing.T, a interface{}, msg string) {
+	if a == nil {
+		t.Errorf("Expected %+v to not to be nil", msg)
+	}
+}
+
+func expectEquals(t *testing.T, a interface{}, b interface{}) {
+	if !reflect.DeepEqual(a, b) {
+		t.Errorf("Expected %+v to equal %+v", a, b)
+	}
+}
--- a/server/server.go
+++ b/server/server.go
@ -32,6 +32,7 @@ import (
 	"github.com/dexidp/dex/connector/microsoft"
 	"github.com/dexidp/dex/connector/mock"
 	"github.com/dexidp/dex/connector/oidc"
+	"github.com/dexidp/dex/connector/openshift"
 	"github.com/dexidp/dex/connector/saml"
 	"github.com/dexidp/dex/pkg/log"
 	"github.com/dexidp/dex/storage"
@ -461,6 +462,7 @@ var ConnectorsConfig = map[string]func() ConnectorConfig{
 	"linkedin":        func() ConnectorConfig { return new(linkedin.Config) },
 	"microsoft":       func() ConnectorConfig { return new(microsoft.Config) },
 	"bitbucket-cloud": func() ConnectorConfig { return new(bitbucketcloud.Config) },
+	"openshift":       func() ConnectorConfig { return new(openshift.Config) },
 	// Keep around for backwards compatibility.
 	"samlExperimental": func() ConnectorConfig { return new(saml.Config) },
 }