add guest mode

539655a5 · Gabriel Zachmann · 3dea02a5 · 539655a5 · 539655a5 · 539655a5
Verified Commit 539655a5 authored 1 year ago by Gabriel Zachmann
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@
 ### Features

 - Added experimental support for OpenID Connect federations
+- Added "Guest mode" to try mytoken out without using a real OP

 ### API


--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -8,6 +8,7 @@ import (

 	"github.com/lestrrat-go/jwx/jwa"
 	"github.com/oidc-mytoken/utils/context"
+	utils2 "github.com/oidc-mytoken/utils/utils"
 	"github.com/oidc-mytoken/utils/utils/fileutil"
 	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
@@ -16,6 +17,7 @@ import (
 	"gopkg.in/yaml.v3"

 	"github.com/oidc-mytoken/server/internal/model"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 	"github.com/oidc-mytoken/server/internal/utils"
 	"github.com/oidc-mytoken/server/internal/utils/errorfmt"

@@ -161,6 +163,7 @@ type featuresConf struct {
 	SSH                     sshConf                 `yaml:"ssh"`
 	ServerProfiles          serverProfilesConf      `yaml:"server_profiles"`
 	Federation              federationConf          `yaml:"federation"`
+	GuestMode               onlyEnable              `yaml:"guest_mode"`
 }

 func (c *featuresConf) validate() error {
@@ -542,6 +545,19 @@ func validate() error {
 		}
 		conf.Providers[i] = p
 	}
+	if conf.Features.GuestMode.Enabled {
+		iss := utils2.CombineURLPath(conf.IssuerURL, paths.GetCurrentAPIPaths().GuestModeOP)
+		p := ProviderConf{
+			Issuer: iss,
+			Name:   "Guest Mode",
+			Scopes: []string{"openid"},
+			Endpoints: &oauth2x.Endpoints{
+				Authorization: utils2.CombineURLPath(iss, "auth"),
+				Token:         utils2.CombineURLPath(iss, "token"),
+			},
+		}
+		conf.Providers = append(conf.Providers, p)
+	}
 	if conf.IssuerURL == "" {
 		return errors.New("invalid config: issuer_url not set")
 	}

--- a/internal/endpoints/configuration/configurationEndpoint.go
+++ b/internal/endpoints/configuration/configurationEndpoint.go
@@ -11,7 +11,7 @@ import (
 	"github.com/oidc-mytoken/server/internal/model"
 	"github.com/oidc-mytoken/server/internal/model/version"
 	"github.com/oidc-mytoken/server/internal/oidc/oidcfed"
-	"github.com/oidc-mytoken/server/internal/server/routes"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 )

 func SupportedProviders() []api.SupportedProviderConfig {
@@ -67,8 +67,8 @@ func Init() {
 }

 func basicConfiguration() *pkg.MytokenConfiguration {
-	apiPaths := routes.GetCurrentAPIPaths()
-	otherPaths := routes.GetGeneralPaths()
+	apiPaths := paths.GetCurrentAPIPaths()
+	otherPaths := paths.GetGeneralPaths()
 	return &pkg.MytokenConfiguration{
 		MytokenConfiguration: api.MytokenConfiguration{
 			Issuer:               config.Get().IssuerURL,
@@ -101,7 +101,7 @@ func addTokenRevocation(mytokenConfig *pkg.MytokenConfiguration) {
 	if config.Get().Features.TokenRevocation.Enabled {
 		mytokenConfig.RevocationEndpoint = utils.CombineURLPath(
 			config.Get().IssuerURL,
-			routes.GetCurrentAPIPaths().RevocationEndpoint,
+			paths.GetCurrentAPIPaths().RevocationEndpoint,
 		)
 	}
 }
@@ -114,7 +114,7 @@ func addTransferCodes(mytokenConfig *pkg.MytokenConfiguration) {
 	if config.Get().Features.TransferCodes.Enabled {
 		mytokenConfig.TokenTransferEndpoint = utils.CombineURLPath(
 			config.Get().IssuerURL,
-			routes.GetCurrentAPIPaths().TokenTransferEndpoint,
+			paths.GetCurrentAPIPaths().TokenTransferEndpoint,
 		)
 		model.GrantTypeTransferCode.AddToSliceIfNotFound(&mytokenConfig.MytokenEndpointGrantTypesSupported)
 		model.ResponseTypeTransferCode.AddToSliceIfNotFound(&mytokenConfig.ResponseTypesSupported)

--- a/internal/endpoints/federation/entityStatement.go
+++ b/internal/endpoints/federation/entityStatement.go
@@ -12,14 +12,14 @@ import (
 	"github.com/oidc-mytoken/server/internal/jws"
 	"github.com/oidc-mytoken/server/internal/model"
 	"github.com/oidc-mytoken/server/internal/model/version"
-	"github.com/oidc-mytoken/server/internal/server/routes"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 )

 func InitEntityConfiguration() {
 	if config.Get().Features.Federation.Entity != nil {
 		return
 	}
-	otherPaths := routes.GetGeneralPaths()
+	otherPaths := paths.GetGeneralPaths()
 	privacyURI := utils.CombineURLPath(config.Get().IssuerURL, otherPaths.Privacy)
 	var err error
 	config.Get().Features.Federation.Entity, err = oidcfed.NewFederationLeaf(

--- a/internal/endpoints/guestmode/guestmode.go
+++ b/internal/endpoints/guestmode/guestmode.go
+package guestmode
+
+import (
+	"github.com/gofiber/fiber/v2"
+	"github.com/oidc-mytoken/utils/utils"
+
+	"github.com/oidc-mytoken/server/internal/config"
+	"github.com/oidc-mytoken/server/internal/server/paths"
+	"github.com/oidc-mytoken/server/internal/server/routes"
+)
+
+func Init(s fiber.Router) {
+	if !config.Get().Features.GuestMode.Enabled {
+		return
+	}
+	baseURL := paths.GetCurrentAPIPaths().GuestModeOP
+	conf = map[string]any{
+		"token_endpoint":         utils.CombineURLPath(config.Get().IssuerURL, baseURL, "token"),
+		"authorization_endpoint": utils.CombineURLPath(config.Get().IssuerURL, baseURL, "auth"),
+	}
+	router := s.Group(baseURL)
+	router.Get(paths.WellknownOpenIDConfiguration, handleConfig)
+	router.Get("auth", handleAuth)
+	router.Post("token", handleToken)
+}
+
+var conf map[string]any
+
+func handleConfig(ctx *fiber.Ctx) error {
+	return ctx.JSON(conf)
+}
+
+func handleAuth(ctx *fiber.Ctx) error {
+	state := ctx.Query("state")
+	return ctx.Redirect(routes.RedirectURI + "?state=" + state + "&code=code")
+}
+
+func handleToken(ctx *fiber.Ctx) error {
+	return ctx.JSON(
+		map[string]any{
+			"access_token":  utils.RandASCIIString(64),
+			"refresh_token": utils.RandASCIIString(64),
+			"id_token": `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJndWVzdCJ9.
+OI5skE5VAlQjI4rqAFUjqwGyEnmmQNXBTOvO7pukZoo`,
+			"expires_in": 600,
+		},
+	)
+}
--- a/internal/endpoints/settings/settings.go
+++ b/internal/endpoints/settings/settings.go
@@ -17,7 +17,7 @@ import (
 	mytoken "github.com/oidc-mytoken/server/internal/mytoken/pkg"
 	"github.com/oidc-mytoken/server/internal/mytoken/rotation"
 	"github.com/oidc-mytoken/server/internal/mytoken/universalmytoken"
-	"github.com/oidc-mytoken/server/internal/server/routes"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 	"github.com/oidc-mytoken/server/internal/utils/auth"
 	"github.com/oidc-mytoken/server/internal/utils/cookies"
 	"github.com/oidc-mytoken/server/internal/utils/ctxutils"
@@ -27,7 +27,7 @@ import (

 // InitSettings initializes the settings metadata
 func InitSettings() {
-	apiPaths := routes.GetCurrentAPIPaths()
+	apiPaths := paths.GetCurrentAPIPaths()
 	settingsMetadata.GrantTypeEndpoint = utils.CombineURLPath(
 		config.Get().IssuerURL, apiPaths.UserSettingEndpoint, "grants",
 	)

--- a/internal/server/api.go
+++ b/internal/server/api.go
@@ -5,6 +5,7 @@ import (
 	"github.com/oidc-mytoken/utils/utils"

 	"github.com/oidc-mytoken/server/internal/config"
+	"github.com/oidc-mytoken/server/internal/endpoints/guestmode"
 	"github.com/oidc-mytoken/server/internal/endpoints/profiles"
 	"github.com/oidc-mytoken/server/internal/endpoints/revocation"
 	"github.com/oidc-mytoken/server/internal/endpoints/settings"
@@ -14,17 +15,18 @@ import (
 	"github.com/oidc-mytoken/server/internal/endpoints/token/mytoken"
 	"github.com/oidc-mytoken/server/internal/endpoints/tokeninfo"
 	"github.com/oidc-mytoken/server/internal/model/version"
-	"github.com/oidc-mytoken/server/internal/server/routes"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 )

 func addAPIRoutes(s fiber.Router) {
 	for v := config.Get().API.MinVersion; v <= version.MAJOR; v++ {
 		addAPIvXRoutes(s, v)
 	}
+	guestmode.Init(s)
 }

 func addAPIvXRoutes(s fiber.Router, version int) {
-	apiPaths := routes.GetAPIPaths(version)
+	apiPaths := paths.GetAPIPaths(version)
 	s.Post(apiPaths.MytokenEndpoint, mytoken.HandleMytokenEndpoint)
 	s.Post(apiPaths.AccessTokenEndpoint, access.HandleAccessTokenEndpoint)
 	if config.Get().Features.TokenRevocation.Enabled {
@@ -50,7 +52,7 @@ func addAPIvXRoutes(s fiber.Router, version int) {
 	addProfileEndpointRoutes(s, apiPaths)
 }

-func addProfileEndpointRoutes(r fiber.Router, apiPaths routes.APIPaths) {
+func addProfileEndpointRoutes(r fiber.Router, apiPaths paths.APIPaths) {
 	if !config.Get().Features.ServerProfiles.Enabled {
 		return
 	}
@@ -73,12 +75,12 @@ func addProfileEndpointRoutes(r fiber.Router, apiPaths routes.APIPaths) {
 	addProfileDeleteRoute(r, apiPaths, "rotation", profiles.HandleDeleteRotation)
 }

-func addProfileGetRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
+func addProfileGetRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
 	r.Get(utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath), handler)
 	r.Get(utils.CombineURLPath(apiPaths.ProfilesEndpoint, ":group", profileTypePath), handler)
 }

-func addProfileDeleteRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
+func addProfileDeleteRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
 	r.Delete(
 		utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath, ":id?"),
 		returnGroupBasicMiddleware(), userIsGroupMiddleware, handler,
@@ -89,7 +91,7 @@ func addProfileDeleteRoute(r fiber.Router, apiPaths routes.APIPaths, profileType
 	)
 }

-func addProfileAddRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
+func addProfileAddRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
 	r.Post(
 		utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath),
 		returnGroupBasicMiddleware(), userIsGroupMiddleware, handler,
@@ -100,7 +102,7 @@ func addProfileAddRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePat
 	)
 }

-func addProfileUpdateRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
+func addProfileUpdateRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
 	r.Put(
 		utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath, ":id?"),
 		returnGroupBasicMiddleware(), userIsGroupMiddleware, handler,

--- a/internal/server/middlerwares.go
+++ b/internal/server/middlerwares.go
@@ -22,7 +22,7 @@ import (

 	"github.com/oidc-mytoken/server/internal/config"
 	"github.com/oidc-mytoken/server/internal/server/apipath"
-	"github.com/oidc-mytoken/server/internal/server/routes"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 	"github.com/oidc-mytoken/server/internal/utils/fileio"
 	"github.com/oidc-mytoken/server/internal/utils/iputils"
 	loggerUtils "github.com/oidc-mytoken/server/internal/utils/logger"
@@ -138,9 +138,9 @@ func addRequestIDMiddleware(s fiber.Router) {

 func addCorsMiddleware(s fiber.Router) {
 	allowedPaths := []string{
-		routes.WellknownMytokenConfiguration,
-		routes.WellknownOpenIDConfiguration,
-		routes.GetGeneralPaths().JWKSEndpoint,
+		paths.WellknownMytokenConfiguration,
+		paths.WellknownOpenIDConfiguration,
+		paths.GetGeneralPaths().JWKSEndpoint,
 	}
 	allowedPrefixes := []string{
 		apipath.Prefix,

--- a/internal/server/paths/paths.go
+++ b/internal/server/paths/paths.go
+package paths
+
+import (
+	"github.com/oidc-mytoken/utils/utils"
+
+	"github.com/oidc-mytoken/server/internal/model/version"
+	"github.com/oidc-mytoken/server/internal/server/apipath"
+)
+
+var routes *paths
+
+// WellknownMytokenConfiguration is the mytoken configuration path suffix
+const WellknownMytokenConfiguration = "/.well-known/mytoken-configuration"
+
+// WellknownOpenIDConfiguration is the openid configuration path suffix
+const WellknownOpenIDConfiguration = "/.well-known/openid-configuration"
+
+// WellknownOpenIDFederation is the openid federation path suffix
+const WellknownOpenIDFederation = "/.well-known/openid-federation"
+
+func defaultAPIPaths(api string) APIPaths {
+	return APIPaths{
+		MytokenEndpoint:       utils.CombineURLPath(api, "/token/my"),
+		AccessTokenEndpoint:   utils.CombineURLPath(api, "/token/access"),
+		TokenInfoEndpoint:     utils.CombineURLPath(api, "/tokeninfo"),
+		RevocationEndpoint:    utils.CombineURLPath(api, "/token/revoke"),
+		TokenTransferEndpoint: utils.CombineURLPath(api, "/token/transfer"),
+		UserSettingEndpoint:   utils.CombineURLPath(api, "/settings"),
+		ProfilesEndpoint:      utils.CombineURLPath(api, "/pt"),
+		GuestModeOP:           utils.CombineURLPath(api, "/guests"),
+	}
+}
+
+// init initializes the server route paths
+func init() {
+	routes = &paths{
+		api: map[int]APIPaths{
+			0: defaultAPIPaths(apipath.V0),
+		},
+		other: GeneralPaths{
+			ConfigurationEndpoint: WellknownMytokenConfiguration,
+			FederationEndpoint:    WellknownOpenIDFederation,
+			OIDCRedirectEndpoint:  "/redirect",
+			JWKSEndpoint:          "/jwks",
+			ConsentEndpoint:       "/c",
+			Privacy:               "/privacy",
+		},
+	}
+}
+
+type paths struct {
+	api   map[int]APIPaths
+	other GeneralPaths
+}
+
+// GeneralPaths holds all non-api route paths
+type GeneralPaths struct {
+	ConfigurationEndpoint string
+	FederationEndpoint    string
+	OIDCRedirectEndpoint  string
+	JWKSEndpoint          string
+	ConsentEndpoint       string
+	Privacy               string
+}
+
+// APIPaths holds all api route paths
+type APIPaths struct {
+	MytokenEndpoint       string
+	AccessTokenEndpoint   string
+	TokenInfoEndpoint     string
+	RevocationEndpoint    string
+	TokenTransferEndpoint string
+	UserSettingEndpoint   string
+	ProfilesEndpoint      string
+	GuestModeOP           string
+}
+
+// GetCurrentAPIPaths returns the api paths for the most recent major version
+func GetCurrentAPIPaths() APIPaths {
+	return GetAPIPaths(version.MAJOR)
+}
+
+// GetAPIPaths returns the api paths for the passed major version
+func GetAPIPaths(apiVersion int) APIPaths {
+	return routes.api[apiVersion]
+}
+
+// GetGeneralPaths returns the non-API paths
+func GetGeneralPaths() GeneralPaths {
+	return routes.other
+}
--- a/internal/server/routes/routes.go
+++ b/internal/server/routes/routes.go
@@ -4,97 +4,15 @@ import (
 	"github.com/oidc-mytoken/utils/utils"

 	"github.com/oidc-mytoken/server/internal/config"
-	"github.com/oidc-mytoken/server/internal/model/version"
-	"github.com/oidc-mytoken/server/internal/server/apipath"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 )

-var routes *paths
-
-// WellknownMytokenConfiguration is the mytoken configuration path suffix
-const WellknownMytokenConfiguration = "/.well-known/mytoken-configuration"
-
-// WellknownOpenIDConfiguration is the openid configuration path suffix
-const WellknownOpenIDConfiguration = "/.well-known/openid-configuration"
-
-// WellknownOpenIDFederation is the openid federation path suffix
-const WellknownOpenIDFederation = "/.well-known/openid-federation"
-
-func defaultAPIPaths(api string) APIPaths {
-	return APIPaths{
-		MytokenEndpoint:       utils.CombineURLPath(api, "/token/my"),
-		AccessTokenEndpoint:   utils.CombineURLPath(api, "/token/access"),
-		TokenInfoEndpoint:     utils.CombineURLPath(api, "/tokeninfo"),
-		RevocationEndpoint:    utils.CombineURLPath(api, "/token/revoke"),
-		TokenTransferEndpoint: utils.CombineURLPath(api, "/token/transfer"),
-		UserSettingEndpoint:   utils.CombineURLPath(api, "/settings"),
-		ProfilesEndpoint:      utils.CombineURLPath(api, "/pt"),
-	}
-}
-
-// init initializes the server route paths
-func init() {
-	routes = &paths{
-		api: map[int]APIPaths{
-			0: defaultAPIPaths(apipath.V0),
-		},
-		other: GeneralPaths{
-			ConfigurationEndpoint: WellknownMytokenConfiguration,
-			FederationEndpoint:    WellknownOpenIDFederation,
-			OIDCRedirectEndpoint:  "/redirect",
-			JWKSEndpoint:          "/jwks",
-			ConsentEndpoint:       "/c",
-			Privacy:               "/privacy",
-		},
-	}
-}
-
-type paths struct {
-	api   map[int]APIPaths
-	other GeneralPaths
-}
-
-// GeneralPaths holds all non-api route paths
-type GeneralPaths struct {
-	ConfigurationEndpoint string
-	FederationEndpoint    string
-	OIDCRedirectEndpoint  string
-	JWKSEndpoint          string
-	ConsentEndpoint       string
-	Privacy               string
-}
-
-// APIPaths holds all api route paths
-type APIPaths struct {
-	MytokenEndpoint       string
-	AccessTokenEndpoint   string
-	TokenInfoEndpoint     string
-	RevocationEndpoint    string
-	TokenTransferEndpoint string
-	UserSettingEndpoint   string
-	ProfilesEndpoint      string
-}
-
-// GetCurrentAPIPaths returns the api paths for the most recent major version
-func GetCurrentAPIPaths() APIPaths {
-	return GetAPIPaths(version.MAJOR)
-}
-
-// GetAPIPaths returns the api paths for the passed major version
-func GetAPIPaths(apiVersion int) APIPaths {
-	return routes.api[apiVersion]
-}
-
-// GetGeneralPaths returns the non-API paths
-func GetGeneralPaths() GeneralPaths {
-	return routes.other
-}
-
 var RedirectURI string
 var ConsentEndpoint string

 // Init initializes the authcode component
 func Init() {
-	generalPaths := GetGeneralPaths()
+	generalPaths := paths.GetGeneralPaths()
 	RedirectURI = utils.CombineURLPath(config.Get().IssuerURL, generalPaths.OIDCRedirectEndpoint)
 	ConsentEndpoint = utils.CombineURLPath(config.Get().IssuerURL, generalPaths.ConsentEndpoint)
 }
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -22,7 +22,7 @@ import (
 	"github.com/oidc-mytoken/server/internal/endpoints/redirect"
 	"github.com/oidc-mytoken/server/internal/model"
 	"github.com/oidc-mytoken/server/internal/server/apipath"
-	"github.com/oidc-mytoken/server/internal/server/routes"
+	"github.com/oidc-mytoken/server/internal/server/paths"
 	"github.com/oidc-mytoken/server/internal/server/ssh"
 	"github.com/oidc-mytoken/server/internal/utils/fileio"
 )
@@ -104,19 +104,19 @@ func Init() {

 func addRoutes(s fiber.Router) {
 	addWebRoutes(s)
-	s.Get(routes.GetGeneralPaths().ConfigurationEndpoint, configuration.HandleConfiguration)
-	s.Get(routes.WellknownOpenIDConfiguration, configuration.HandleConfiguration)
+	s.Get(paths.GetGeneralPaths().ConfigurationEndpoint, configuration.HandleConfiguration)
+	s.Get(paths.WellknownOpenIDConfiguration, configuration.HandleConfiguration)
 	if config.Get().Features.Federation.Enabled {
-		s.Get(routes.GetGeneralPaths().FederationEndpoint, federation.HandleEntityConfiguration)
+		s.Get(paths.GetGeneralPaths().FederationEndpoint, federation.HandleEntityConfiguration)
 	}
-	s.Get(routes.GetGeneralPaths().JWKSEndpoint, endpoints.HandleJWKS)
-	s.Get(routes.GetGeneralPaths().OIDCRedirectEndpoint, redirect.HandleOIDCRedirect)
+	s.Get(paths.GetGeneralPaths().JWKSEndpoint, endpoints.HandleJWKS)
+	s.Get(paths.GetGeneralPaths().OIDCRedirectEndpoint, redirect.HandleOIDCRedirect)
 	s.Get("/c/:consent_code", consent.HandleConsent)
 	s.Post("/c/:consent_code", consent.HandleConsentPost)
 	s.Post("/c", consent.HandleCreateConsent)
 	s.Get("/native", handleNativeCallback)
 	s.Get("/native/abort", handleNativeConsentAbortCallback)
-	s.Get(routes.GetGeneralPaths().Privacy, handlePrivacy)
+	s.Get(paths.GetGeneralPaths().Privacy, handlePrivacy)
 	s.Get("/settings", handleSettings)
 	addAPIRoutes(s)
 }