Verified Commit 539655a5 authored by Gabriel Zachmann's avatar Gabriel Zachmann

add guest mode

parent 3dea02a5
......@@ -22,6 +22,7 @@
### Features
- Added experimental support for OpenID Connect federations
- Added "Guest mode" to try mytoken out without using a real OP
### API
......
......@@ -8,6 +8,7 @@ import (
"github.com/lestrrat-go/jwx/jwa"
"github.com/oidc-mytoken/utils/context"
utils2 "github.com/oidc-mytoken/utils/utils"
"github.com/oidc-mytoken/utils/utils/fileutil"
"github.com/pkg/errors"
log "github.com/sirupsen/logrus"
......@@ -16,6 +17,7 @@ import (
"gopkg.in/yaml.v3"
"github.com/oidc-mytoken/server/internal/model"
"github.com/oidc-mytoken/server/internal/server/paths"
"github.com/oidc-mytoken/server/internal/utils"
"github.com/oidc-mytoken/server/internal/utils/errorfmt"
......@@ -161,6 +163,7 @@ type featuresConf struct {
SSH sshConf `yaml:"ssh"`
ServerProfiles serverProfilesConf `yaml:"server_profiles"`
Federation federationConf `yaml:"federation"`
GuestMode onlyEnable `yaml:"guest_mode"`
}
func (c *featuresConf) validate() error {
......@@ -542,6 +545,19 @@ func validate() error {
}
conf.Providers[i] = p
}
if conf.Features.GuestMode.Enabled {
iss := utils2.CombineURLPath(conf.IssuerURL, paths.GetCurrentAPIPaths().GuestModeOP)
p := ProviderConf{
Issuer: iss,
Name: "Guest Mode",
Scopes: []string{"openid"},
Endpoints: &oauth2x.Endpoints{
Authorization: utils2.CombineURLPath(iss, "auth"),
Token: utils2.CombineURLPath(iss, "token"),
},
}
conf.Providers = append(conf.Providers, p)
}
if conf.IssuerURL == "" {
return errors.New("invalid config: issuer_url not set")
}
......
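Review bot: The guest provider's issuer is built from conf.IssuerURL at L44 before the `conf.IssuerURL == ""` check at L56, and the provider is appended at L54 after the per-provider loop that ends at L42, so it receives none of whatever normalisation or validation that loop applies (the loop body lies outside the hunk). Moving the guest block below the issuer check keeps the ordering sound. Since the block registers an OP that hands out tokens without any authentication (see the new guestmode package in this commit), validation time is also the natural place to make that choice visible to operators, e.g. `log.Warn("guest mode enabled: an unauthenticated test OP is served under the issuer URL")`. validate's body continues outside the hunk on both sides.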
......@@ -11,7 +11,7 @@ import (
"github.com/oidc-mytoken/server/internal/model"
"github.com/oidc-mytoken/server/internal/model/version"
"github.com/oidc-mytoken/server/internal/oidc/oidcfed"
"github.com/oidc-mytoken/server/internal/server/routes"
"github.com/oidc-mytoken/server/internal/server/paths"
)
func SupportedProviders() []api.SupportedProviderConfig {
......@@ -67,8 +67,8 @@ func Init() {
}
func basicConfiguration() *pkg.MytokenConfiguration {
apiPaths := routes.GetCurrentAPIPaths()
otherPaths := routes.GetGeneralPaths()
apiPaths := paths.GetCurrentAPIPaths()
otherPaths := paths.GetGeneralPaths()
return &pkg.MytokenConfiguration{
MytokenConfiguration: api.MytokenConfiguration{
Issuer: config.Get().IssuerURL,
......@@ -101,7 +101,7 @@ func addTokenRevocation(mytokenConfig *pkg.MytokenConfiguration) {
if config.Get().Features.TokenRevocation.Enabled {
mytokenConfig.RevocationEndpoint = utils.CombineURLPath(
config.Get().IssuerURL,
routes.GetCurrentAPIPaths().RevocationEndpoint,
paths.GetCurrentAPIPaths().RevocationEndpoint,
)
}
}
......@@ -114,7 +114,7 @@ func addTransferCodes(mytokenConfig *pkg.MytokenConfiguration) {
if config.Get().Features.TransferCodes.Enabled {
mytokenConfig.TokenTransferEndpoint = utils.CombineURLPath(
config.Get().IssuerURL,
routes.GetCurrentAPIPaths().TokenTransferEndpoint,
paths.GetCurrentAPIPaths().TokenTransferEndpoint,
)
model.GrantTypeTransferCode.AddToSliceIfNotFound(&mytokenConfig.MytokenEndpointGrantTypesSupported)
model.ResponseTypeTransferCode.AddToSliceIfNotFound(&mytokenConfig.ResponseTypesSupported)
......
......@@ -12,14 +12,14 @@ import (
"github.com/oidc-mytoken/server/internal/jws"
"github.com/oidc-mytoken/server/internal/model"
"github.com/oidc-mytoken/server/internal/model/version"
"github.com/oidc-mytoken/server/internal/server/routes"
"github.com/oidc-mytoken/server/internal/server/paths"
)
func InitEntityConfiguration() {
if config.Get().Features.Federation.Entity != nil {
return
}
otherPaths := routes.GetGeneralPaths()
otherPaths := paths.GetGeneralPaths()
privacyURI := utils.CombineURLPath(config.Get().IssuerURL, otherPaths.Privacy)
var err error
config.Get().Features.Federation.Entity, err = oidcfed.NewFederationLeaf(
......
package guestmode
import (
"github.com/gofiber/fiber/v2"
"github.com/oidc-mytoken/utils/utils"
"github.com/oidc-mytoken/server/internal/config"
"github.com/oidc-mytoken/server/internal/server/paths"
"github.com/oidc-mytoken/server/internal/server/routes"
)
func Init(s fiber.Router) {
if !config.Get().Features.GuestMode.Enabled {
return
}
baseURL := paths.GetCurrentAPIPaths().GuestModeOP
conf = map[string]any{
"token_endpoint": utils.CombineURLPath(config.Get().IssuerURL, baseURL, "token"),
"authorization_endpoint": utils.CombineURLPath(config.Get().IssuerURL, baseURL, "auth"),
}
router := s.Group(baseURL)
router.Get(paths.WellknownOpenIDConfiguration, handleConfig)
router.Get("auth", handleAuth)
router.Post("token", handleToken)
}
var conf map[string]any
func handleConfig(ctx *fiber.Ctx) error {
return ctx.JSON(conf)
}
func handleAuth(ctx *fiber.Ctx) error {
state := ctx.Query("state")
return ctx.Redirect(routes.RedirectURI + "?state=" + state + "&code=code")
}
func handleToken(ctx *fiber.Ctx) error {
return ctx.JSON(
map[string]any{
"access_token": utils.RandASCIIString(64),
"refresh_token": utils.RandASCIIString(64),
"id_token": `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJndWVzdCJ9.
OI5skE5VAlQjI4rqAFUjqwGyEnmmQNXBTOvO7pukZoo`,
"expires_in": 600,
},
)
}
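Review bot: handleAuth at L140-143 copies the `state` query value into the redirect target without escaping, so a value containing `&` or `#` changes the query the redirect endpoint receives; build the query with `net/url` instead: `q := url.Values{"state": {state}, "code": {"code"}}` followed by `return ctx.Redirect(routes.RedirectURI + "?" + q.Encode())`, adding `"net/url"` to the imports. Separately, the raw-string `id_token` literal at L149-150 spans two source lines, so unless that is a display wrap the value carries a newline between the payload and signature segments and will not parse as a compact JWT; a single-line literal or a `+` concatenation avoids that. Init is exported but has no doc comment; `// Init registers the guest-mode OP routes under the current API prefix when the feature is enabled.` would do.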
......@@ -17,7 +17,7 @@ import (
mytoken "github.com/oidc-mytoken/server/internal/mytoken/pkg"
"github.com/oidc-mytoken/server/internal/mytoken/rotation"
"github.com/oidc-mytoken/server/internal/mytoken/universalmytoken"
"github.com/oidc-mytoken/server/internal/server/routes"
"github.com/oidc-mytoken/server/internal/server/paths"
"github.com/oidc-mytoken/server/internal/utils/auth"
"github.com/oidc-mytoken/server/internal/utils/cookies"
"github.com/oidc-mytoken/server/internal/utils/ctxutils"
......@@ -27,7 +27,7 @@ import (
// InitSettings initializes the settings metadata
func InitSettings() {
apiPaths := routes.GetCurrentAPIPaths()
apiPaths := paths.GetCurrentAPIPaths()
settingsMetadata.GrantTypeEndpoint = utils.CombineURLPath(
config.Get().IssuerURL, apiPaths.UserSettingEndpoint, "grants",
)
......
......@@ -5,6 +5,7 @@ import (
"github.com/oidc-mytoken/utils/utils"
"github.com/oidc-mytoken/server/internal/config"
"github.com/oidc-mytoken/server/internal/endpoints/guestmode"
"github.com/oidc-mytoken/server/internal/endpoints/profiles"
"github.com/oidc-mytoken/server/internal/endpoints/revocation"
"github.com/oidc-mytoken/server/internal/endpoints/settings"
......@@ -14,17 +15,18 @@ import (
"github.com/oidc-mytoken/server/internal/endpoints/token/mytoken"
"github.com/oidc-mytoken/server/internal/endpoints/tokeninfo"
"github.com/oidc-mytoken/server/internal/model/version"
"github.com/oidc-mytoken/server/internal/server/routes"
"github.com/oidc-mytoken/server/internal/server/paths"
)
func addAPIRoutes(s fiber.Router) {
for v := config.Get().API.MinVersion; v <= version.MAJOR; v++ {
addAPIvXRoutes(s, v)
}
guestmode.Init(s)
}
func addAPIvXRoutes(s fiber.Router, version int) {
apiPaths := routes.GetAPIPaths(version)
apiPaths := paths.GetAPIPaths(version)
s.Post(apiPaths.MytokenEndpoint, mytoken.HandleMytokenEndpoint)
s.Post(apiPaths.AccessTokenEndpoint, access.HandleAccessTokenEndpoint)
if config.Get().Features.TokenRevocation.Enabled {
......@@ -50,7 +52,7 @@ func addAPIvXRoutes(s fiber.Router, version int) {
addProfileEndpointRoutes(s, apiPaths)
}
func addProfileEndpointRoutes(r fiber.Router, apiPaths routes.APIPaths) {
func addProfileEndpointRoutes(r fiber.Router, apiPaths paths.APIPaths) {
if !config.Get().Features.ServerProfiles.Enabled {
return
}
......@@ -73,12 +75,12 @@ func addProfileEndpointRoutes(r fiber.Router, apiPaths routes.APIPaths) {
addProfileDeleteRoute(r, apiPaths, "rotation", profiles.HandleDeleteRotation)
}
func addProfileGetRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
func addProfileGetRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
r.Get(utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath), handler)
r.Get(utils.CombineURLPath(apiPaths.ProfilesEndpoint, ":group", profileTypePath), handler)
}
func addProfileDeleteRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
func addProfileDeleteRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
r.Delete(
utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath, ":id?"),
returnGroupBasicMiddleware(), userIsGroupMiddleware, handler,
......@@ -89,7 +91,7 @@ func addProfileDeleteRoute(r fiber.Router, apiPaths routes.APIPaths, profileType
)
}
func addProfileAddRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
func addProfileAddRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
r.Post(
utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath),
returnGroupBasicMiddleware(), userIsGroupMiddleware, handler,
......@@ -100,7 +102,7 @@ func addProfileAddRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePat
)
}
func addProfileUpdateRoute(r fiber.Router, apiPaths routes.APIPaths, profileTypePath string, handler fiber.Handler) {
func addProfileUpdateRoute(r fiber.Router, apiPaths paths.APIPaths, profileTypePath string, handler fiber.Handler) {
r.Put(
utils.CombineURLPath(apiPaths.ProfilesEndpoint, profileTypePath, ":id?"),
returnGroupBasicMiddleware(), userIsGroupMiddleware, handler,
......
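Review bot: guestmode.Init(s) at L191 sits outside the per-version loop at L188-190, so the guest OP is mounted only under paths.GetCurrentAPIPaths().GuestModeOP while every other API route is added for each version from MinVersion upward. If that is intended, a comment on L191 such as `// the guest-mode OP is served only under the current API version` keeps the next reader from "fixing" it into the loop.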
......@@ -22,7 +22,7 @@ import (
"github.com/oidc-mytoken/server/internal/config"
"github.com/oidc-mytoken/server/internal/server/apipath"
"github.com/oidc-mytoken/server/internal/server/routes"
"github.com/oidc-mytoken/server/internal/server/paths"
"github.com/oidc-mytoken/server/internal/utils/fileio"
"github.com/oidc-mytoken/server/internal/utils/iputils"
loggerUtils "github.com/oidc-mytoken/server/internal/utils/logger"
......@@ -138,9 +138,9 @@ func addRequestIDMiddleware(s fiber.Router) {
func addCorsMiddleware(s fiber.Router) {
allowedPaths := []string{
routes.WellknownMytokenConfiguration,
routes.WellknownOpenIDConfiguration,
routes.GetGeneralPaths().JWKSEndpoint,
paths.WellknownMytokenConfiguration,
paths.WellknownOpenIDConfiguration,
paths.GetGeneralPaths().JWKSEndpoint,
}
allowedPrefixes := []string{
apipath.Prefix,
......
package paths
import (
"github.com/oidc-mytoken/utils/utils"
"github.com/oidc-mytoken/server/internal/model/version"
"github.com/oidc-mytoken/server/internal/server/apipath"
)
var routes *paths
// WellknownMytokenConfiguration is the mytoken configuration path suffix
const WellknownMytokenConfiguration = "/.well-known/mytoken-configuration"
// WellknownOpenIDConfiguration is the openid configuration path suffix
const WellknownOpenIDConfiguration = "/.well-known/openid-configuration"
// WellknownOpenIDFederation is the openid federation path suffix
const WellknownOpenIDFederation = "/.well-known/openid-federation"
func defaultAPIPaths(api string) APIPaths {
return APIPaths{
MytokenEndpoint: utils.CombineURLPath(api, "/token/my"),
AccessTokenEndpoint: utils.CombineURLPath(api, "/token/access"),
TokenInfoEndpoint: utils.CombineURLPath(api, "/tokeninfo"),
RevocationEndpoint: utils.CombineURLPath(api, "/token/revoke"),
TokenTransferEndpoint: utils.CombineURLPath(api, "/token/transfer"),
UserSettingEndpoint: utils.CombineURLPath(api, "/settings"),
ProfilesEndpoint: utils.CombineURLPath(api, "/pt"),
GuestModeOP: utils.CombineURLPath(api, "/guests"),
}
}
// init initializes the server route paths
func init() {
routes = &paths{
api: map[int]APIPaths{
0: defaultAPIPaths(apipath.V0),
},
other: GeneralPaths{
ConfigurationEndpoint: WellknownMytokenConfiguration,
FederationEndpoint: WellknownOpenIDFederation,
OIDCRedirectEndpoint: "/redirect",
JWKSEndpoint: "/jwks",
ConsentEndpoint: "/c",
Privacy: "/privacy",
},
}
}
type paths struct {
api map[int]APIPaths
other GeneralPaths
}
// GeneralPaths holds all non-api route paths
type GeneralPaths struct {
ConfigurationEndpoint string
FederationEndpoint string
OIDCRedirectEndpoint string
JWKSEndpoint string
ConsentEndpoint string
Privacy string
}
// APIPaths holds all api route paths
type APIPaths struct {
MytokenEndpoint string
AccessTokenEndpoint string
TokenInfoEndpoint string
RevocationEndpoint string
TokenTransferEndpoint string
UserSettingEndpoint string
ProfilesEndpoint string
GuestModeOP string
}
// GetCurrentAPIPaths returns the api paths for the most recent major version
func GetCurrentAPIPaths() APIPaths {
return GetAPIPaths(version.MAJOR)
}
// GetAPIPaths returns the api paths for the passed major version
func GetAPIPaths(apiVersion int) APIPaths {
return routes.api[apiVersion]
}
// GetGeneralPaths returns the non-API paths
func GetGeneralPaths() GeneralPaths {
return routes.other
}
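Review bot: GetAPIPaths at L328-330 returns a zero-value APIPaths for any version absent from the map, and init at L287 registers only key 0, so a MinVersion that does not match registers every endpoint on an empty path without any error; an ok-check with a panic in this init-time code, or at least `// GetAPIPaths returns the api paths for the passed major version; an unknown version yields the zero value.`, makes the contract explicit. The new GuestModeOP field at L321 would also benefit from `// GuestModeOP is the base path of the built-in guest-mode OP (served only when guest_mode is enabled).`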
......@@ -4,97 +4,15 @@ import (
"github.com/oidc-mytoken/utils/utils"
"github.com/oidc-mytoken/server/internal/config"
"github.com/oidc-mytoken/server/internal/model/version"
"github.com/oidc-mytoken/server/internal/server/apipath"
"github.com/oidc-mytoken/server/internal/server/paths"
)
var routes *paths
// WellknownMytokenConfiguration is the mytoken configuration path suffix
const WellknownMytokenConfiguration = "/.well-known/mytoken-configuration"
// WellknownOpenIDConfiguration is the openid configuration path suffix
const WellknownOpenIDConfiguration = "/.well-known/openid-configuration"
// WellknownOpenIDFederation is the openid federation path suffix
const WellknownOpenIDFederation = "/.well-known/openid-federation"
func defaultAPIPaths(api string) APIPaths {
return APIPaths{
MytokenEndpoint: utils.CombineURLPath(api, "/token/my"),
AccessTokenEndpoint: utils.CombineURLPath(api, "/token/access"),
TokenInfoEndpoint: utils.CombineURLPath(api, "/tokeninfo"),
RevocationEndpoint: utils.CombineURLPath(api, "/token/revoke"),
TokenTransferEndpoint: utils.CombineURLPath(api, "/token/transfer"),
UserSettingEndpoint: utils.CombineURLPath(api, "/settings"),
ProfilesEndpoint: utils.CombineURLPath(api, "/pt"),
}
}
// init initializes the server route paths
func init() {
routes = &paths{
api: map[int]APIPaths{
0: defaultAPIPaths(apipath.V0),
},
other: GeneralPaths{
ConfigurationEndpoint: WellknownMytokenConfiguration,
FederationEndpoint: WellknownOpenIDFederation,
OIDCRedirectEndpoint: "/redirect",
JWKSEndpoint: "/jwks",
ConsentEndpoint: "/c",
Privacy: "/privacy",
},
}
}
type paths struct {
api map[int]APIPaths
other GeneralPaths
}
// GeneralPaths holds all non-api route paths
type GeneralPaths struct {
ConfigurationEndpoint string
FederationEndpoint string
OIDCRedirectEndpoint string
JWKSEndpoint string
ConsentEndpoint string
Privacy string
}
// APIPaths holds all api route paths
type APIPaths struct {
MytokenEndpoint string
AccessTokenEndpoint string
TokenInfoEndpoint string
RevocationEndpoint string
TokenTransferEndpoint string
UserSettingEndpoint string
ProfilesEndpoint string
}
// GetCurrentAPIPaths returns the api paths for the most recent major version
func GetCurrentAPIPaths() APIPaths {
return GetAPIPaths(version.MAJOR)
}
// GetAPIPaths returns the api paths for the passed major version
func GetAPIPaths(apiVersion int) APIPaths {
return routes.api[apiVersion]
}
// GetGeneralPaths returns the non-API paths
func GetGeneralPaths() GeneralPaths {
return routes.other
}
var RedirectURI string
var ConsentEndpoint string
// Init initializes the authcode component
func Init() {
generalPaths := GetGeneralPaths()
generalPaths := paths.GetGeneralPaths()
RedirectURI = utils.CombineURLPath(config.Get().IssuerURL, generalPaths.OIDCRedirectEndpoint)
ConsentEndpoint = utils.CombineURLPath(config.Get().IssuerURL, generalPaths.ConsentEndpoint)
}
......@@ -22,7 +22,7 @@ import (
"github.com/oidc-mytoken/server/internal/endpoints/redirect"
"github.com/oidc-mytoken/server/internal/model"
"github.com/oidc-mytoken/server/internal/server/apipath"
"github.com/oidc-mytoken/server/internal/server/routes"
"github.com/oidc-mytoken/server/internal/server/paths"
"github.com/oidc-mytoken/server/internal/server/ssh"
"github.com/oidc-mytoken/server/internal/utils/fileio"
)
......@@ -104,19 +104,19 @@ func Init() {
func addRoutes(s fiber.Router) {
addWebRoutes(s)
s.Get(routes.GetGeneralPaths().ConfigurationEndpoint, configuration.HandleConfiguration)
s.Get(routes.WellknownOpenIDConfiguration, configuration.HandleConfiguration)
s.Get(paths.GetGeneralPaths().ConfigurationEndpoint, configuration.HandleConfiguration)
s.Get(paths.WellknownOpenIDConfiguration, configuration.HandleConfiguration)
if config.Get().Features.Federation.Enabled {
s.Get(routes.GetGeneralPaths().FederationEndpoint, federation.HandleEntityConfiguration)
s.Get(paths.GetGeneralPaths().FederationEndpoint, federation.HandleEntityConfiguration)
}
s.Get(routes.GetGeneralPaths().JWKSEndpoint, endpoints.HandleJWKS)
s.Get(routes.GetGeneralPaths().OIDCRedirectEndpoint, redirect.HandleOIDCRedirect)
s.Get(paths.GetGeneralPaths().JWKSEndpoint, endpoints.HandleJWKS)
s.Get(paths.GetGeneralPaths().OIDCRedirectEndpoint, redirect.HandleOIDCRedirect)
s.Get("/c/:consent_code", consent.HandleConsent)
s.Post("/c/:consent_code", consent.HandleConsentPost)
s.Post("/c", consent.HandleCreateConsent)
s.Get("/native", handleNativeCallback)
s.Get("/native/abort", handleNativeConsentAbortCallback)
s.Get(routes.GetGeneralPaths().Privacy, handlePrivacy)
s.Get(paths.GetGeneralPaths().Privacy, handlePrivacy)
s.Get("/settings", handleSettings)
addAPIRoutes(s)
}
......