Wrap discovery and callback calls

cyberark · Aug 31, 2023 · dffad96 · dffad96
1 parent 4c9b632
commit dffad96
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 6 deletions.
diff --git a/app/domain/authentication/authn_oidc/v2/client.rb b/app/domain/authentication/authn_oidc/v2/client.rb
@@ -160,7 +160,10 @@ def discovery_information(invalidate: false)
             force: invalidate,
             skip_nil: true
           ) do
-            @discovery_configuration.discover!(@authenticator.provider_uri)
+            self.discover(
+              provider_uri: @authenticator.provider_uri,
+              cert_string: @authenticator.ca_cert
+            )
           rescue Errno::ETIMEDOUT => e
             raise Errors::Authentication::OAuth::ProviderDiscoveryTimeout.new(@authenticator.provider_uri, e.message)
           rescue => e

diff --git a/app/domain/authentication/authn_oidc/v2/strategy.rb b/app/domain/authentication/authn_oidc/v2/strategy.rb
@@ -21,10 +21,11 @@ def callback(args)
           end
 
           identity = resolve_identity(
-            jwt: @client.callback(
+            jwt: @client.callback_with_temporary_cert(
               code: args[:code],
               nonce: args[:nonce],
-              code_verifier: args[:code_verifier]
+              code_verifier: args[:code_verifier],
+              ca_cert: @authenticator.ca_cert
             )
           )
           unless identity.present?

diff --git a/app/domain/authentication/o_auth/discover_identity_provider.rb b/app/domain/authentication/o_auth/discover_identity_provider.rb
@@ -28,7 +28,10 @@ def log_provider_uri
       # is used is inside of FetchProviderKeys.  This is unlikely change, and hence
       # unlikely to be a problem
       def discover_provider
-        @discovered_provider = @open_id_discovery_service.discover!(@provider_uri)
+        @discovered_provider = Authentication::AuthnOidc::V2::Client.discover(
+          provider_uri: @provider_uri,
+          cert_string: @ca_cert
+        )
         @logger.debug(
           LogMessages::Authentication::OAuth::IdentityProviderDiscoverySuccess.new
         )

diff --git a/ci/oauth/keycloak/fetch_certificate b/ci/oauth/keycloak/fetch_certificate
@@ -13,5 +13,6 @@ openssl s_client \
     -outform PEM \
     >/etc/ssl/certs/keycloak.pem
 
-hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
-ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0" || true
+# Skip this step so we can test the 'ca-cert' variable configuration
+# hash=$(openssl x509 -hash -in /etc/ssl/certs/keycloak.pem -out /dev/null)
+# ln -s /etc/ssl/certs/keycloak.pem "/etc/ssl/certs/${hash}.0" || true