Adds OIDC code workflow #2595
Adds OIDC code workflow #2595
Conversation
jvanderhoof
force-pushed
the
adds-oidc-code-workflow
branch
from
f18eec8 to
0553203
Compare
![codeclimate[bot]](https://avatars.githubusercontent.com/in/9403?s=60&v=4){kind=small}
| ) | ||
| end | ||
|
|
||
| def log_audit_failure(account, service_id, client_ip, type, error) |
There was a problem hiding this comment.
Method log_audit_failure has 5 arguments (exceeds 4 allowed). Consider refactoring.
| ) | ||
| end | ||
|
|
||
| def call(parameters:, request_ip:) |
There was a problem hiding this comment.
Method call has a Cognitive Complexity of 15 (exceeds 5 allowed). Consider refactoring.
| ) | ||
| end | ||
|
|
||
| def call(parameters:, request_ip:) |
There was a problem hiding this comment.
Method call has 35 lines of code (exceeds 25 allowed). Consider refactoring.
| handle_error(e) | ||
| end | ||
|
|
||
| def handle_error(err) |
There was a problem hiding this comment.
Method handle_error has 30 lines of code (exceeds 25 allowed). Consider refactoring.
| module AuthnOidc | ||
| module V2 | ||
| class ResolveIdentity | ||
| def call(identity:, account:, allowed_roles:) |
There was a problem hiding this comment.
Method call has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
jvanderhoof
force-pushed
the
adds-oidc-code-workflow
branch
2 times, most recently
from
edab389 to
e2c0ecc
Compare
| @@ -4,6 +4,25 @@ class AuthenticateController < ApplicationController | |||
| include BasicAuthenticator | |||
| include AuthorizeResource | |||
|
|
|||
| def authenticate_okta | |||
There was a problem hiding this comment.
Should this be named something closer to authenticate_oidc_v2 as we use it for other services as well?
| webservice = @resource_repository.where( | ||
| Sequel.like( | ||
| :resource_id, | ||
| "#{account}:webservice:conjur/#{type}/#{service_id}%" |
There was a problem hiding this comment.
It looks like this function is trying to find a specific webservice but wouldn't the % at the end allow it to pickup other rows from the db we don't necessarily want? Or am I missing something with this function?
There was a problem hiding this comment.
good catch @telday!
| ).all | ||
| ) | ||
|
|
||
| # TODO: Add an error message |
There was a problem hiding this comment.
Do we want to address this before merging or leave for later
| @logger.warn(@authentication_error.new(err)) | ||
| case err | ||
| when Errors::Authentication::Security::RoleNotAuthorizedOnResource | ||
| puts "Errors::Authentication::Security::RoleNotAuthorizedOnResource" |
There was a problem hiding this comment.
Out of curiosity why are we printing the error class here?
We could we have a puts err.class before the switch statement to eliminate most of the print statements
jvanderhoof
force-pushed
the
adds-oidc-code-workflow
branch
from
4e85584 to
dc77aa3
Compare
| end | ||
| end | ||
|
|
||
| def callback(code:) |
There was a problem hiding this comment.
Method callback has a Cognitive Complexity of 12 (exceeds 5 allowed). Consider refactoring.
| end | ||
| end | ||
|
|
||
| def callback(code:) |
There was a problem hiding this comment.
Method callback has 31 lines of code (exceeds 25 allowed). Consider refactoring.
|
|
||
| private | ||
|
|
||
| def load_authenticator(type:, account:, id:) |
There was a problem hiding this comment.
Method load_authenticator has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
| require 'cucumber/policy/features/support/client' | ||
| require 'json' | ||
|
|
||
| Then('the list of authenticators contains the service-id {string}') do |service_id| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
| end | ||
|
|
||
|
|
||
| Then('the list of authenticators does not contain the service-id {string}') do |service_id| |
There was a problem hiding this comment.
Similar blocks of code found in 2 locations. Consider refactoring.
jvanderhoof
force-pushed
the
adds-oidc-code-workflow
branch
5 times, most recently
from
2c99ef1 to
171eb1f
Compare
| def oidc_authenticate_code_redirect | ||
| # TODO: need a mechanism for an authenticator strategy to define the required | ||
| # params. This will likely need to be done via the Handler. | ||
| params.permit! |
There was a problem hiding this comment.
Parameters should be whitelisted for mass assignment
| gem 'json_spec', '~> 1.1' | ||
| gem 'faye-websocket' |
There was a problem hiding this comment.
Gems should be sorted in an alphabetical order within their section of the Gemfile. Gem faye-websocket should appear before json_spec.
| ::Authentication::LogAuditEvent.new.call( | ||
| authentication_params: | ||
| Authentication::AuthenticatorInput.new( | ||
| authenticator_name: "#{type}", |
There was a problem hiding this comment.
Prefer to_s over string interpolation.
| ::Authentication::LogAuditEvent.new.call( | ||
| authentication_params: | ||
| Authentication::AuthenticatorInput.new( | ||
| authenticator_name: "#{type}", |
There was a problem hiding this comment.
Prefer to_s over string interpolation.
| raise ApplicationController::BadRequest | ||
|
|
||
| when Errors::Conjur::RequestedResourceNotFound | ||
| raise ApplicationController::RecordNotFound.new(err.message) |
There was a problem hiding this comment.
Provide an exception class and message as arguments to raise.
This commit includes all work related to support for the code-based OIDC authentication workflow.
jvanderhoof
force-pushed
the
adds-oidc-code-workflow
branch
from
5c3d401 to
e0d8366
Compare
| @@ -88,6 +88,7 @@ group :development, :test do | |||
| gem 'debase', '~> 0.2.5.beta2' | |||
| gem 'faye-websocket' | |||
| gem 'json_spec', '~> 1.1' | |||
| gem 'faye-websocket' | |||
There was a problem hiding this comment.
Gem faye-websocket requirements already given on line 89 of the Gemfile.
|
|
||
| def call(parameters:, request_ip:) | ||
| raise Errors::Authentication::RequestBody::MissingRequestParam, parameters[:code] unless parameters[:code] | ||
| raise Errors::Authentication::RequestBody::MissingRequestParam, parameters[:state] unless parameters[:state] |
There was a problem hiding this comment.
Add empty line after guard clause.
| @@ -0,0 +1,41 @@ | |||
|
|
|||
| module Authentication | |||
There was a problem hiding this comment.
Unnecessary blank line at the beginning of the source.
| attr_reader :provider_uri, :client_id, :client_secret, :claim_mapping, :nonce, :state, :account | ||
| attr_reader :service_id, :redirect_uri, :response_type | ||
|
|
||
| def initialize( |
There was a problem hiding this comment.
Avoid parameter lists longer than 7 parameters. [12/7]
| id_token, | ||
| discovery_information.jwks | ||
| ) | ||
| rescue Exception => e |
There was a problem hiding this comment.
Avoid rescuing the Exception class. Perhaps you meant to rescue StandardError?
|
Code Climate has analyzed commit e0d8366 and detected 124 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 90.5% (50% is the threshold). This pull request will bring the total coverage in the repository to 89.9% (-1.5% change). View more on Code Climate. |
| @smoke | ||
| Scenario: List readable authenticators | ||
|
|
||
| Given I load a policy: |
There was a problem hiding this comment.
this, and the variable setting should be the background.
| Then I can add a secret to variable resource "conjur/authn-oidc/okta/claim-mapping" | ||
| Then I can add a secret to variable resource "conjur/authn-oidc/okta/nonce" | ||
| Then I can add a secret to variable resource "conjur/authn-oidc/okta/state" | ||
| When I log in as user "admin" |
There was a problem hiding this comment.
these should be separate Scenario
Desired Outcome
This PR adds support for OIDC's code-based authorization flow. This functionality allows Conjur to use an external
OIDC Provider (Okta, Keycloak), to authenticate users and redirect them to Conjur on success. Conjur will resolve the identified user to a Conjur User ID and return and Authorization Token.
Implemented Changes
The architecture of this feature is different from that of the other authenticators. The intention of this architecture is to simplify testing and reduce developer cognitive load.
Planned Future Work
Connected Issue/Story
Jira Epic
Definition of Done
At least 1 todo must be completed in the sections below for the PR to be
merged.
Changelog
CHANGELOG update
Test coverage
changes, or
Documentation
READMEs) were updated in this PRBehavior
Security