Merge branch 'pr/martindb/298'

Author: bnfinet

.defaults.yml

@@ -42,8 +42,9 @@ vouch:
     redirect: X-Vouch-Requested-URI
     # claims:
     claimheader: X-Vouch-IdP-Claims-
-    accesstoken: X-Vouch-IdP-AccessToken
-    idtoken: X-Vouch-IdP-IdToken
+    # https://github.com/vouch/vouch-proxy/issues/287
+    # accesstoken: X-Vouch-IdP-AccessToken
+    # idtoken: X-Vouch-IdP-IdToken
   # test_url:
   # post_logout_redirect_uris:
 # oauth:

config/testing/jwtmanager_has_idp_token_claims.yml

@@ -0,0 +1,31 @@
+vouch:
+  testing: true
+  logLevel: debug
+  listen: 0.0.0.0
+  port: 9090
+
+  allowAllUsers: true
+
+  headers:
+    claims:
+      - groups
+      - boolean_claim
+      - family_name
+      - http://www.example.com/favorite_color
+    accesstoken: X-Vouch-IdP-AccessToken
+    idtoken: X-Vouch-IdP-IdToken
+
+  cookie:
+    name: vouchTestingCookie
+
+  session:
+    name: VouchTestingSession
+
+  jwt:
+    secret: testing
+
+oauth:
+  provider: indieauth
+  client_id: http://vouch.github.io
+  auth_url: https://indielogin.com/auth
+  callback_url: http://vouch.github.io:9090/auth

handlers/handlers_test.go

@@ -11,6 +11,7 @@ OR CONDITIONS OF ANY KIND, either express or implied.
 package handlers
 
 import (
+	"encoding/json"
 	"os"
 	"path/filepath"
 	"testing"
@@ -30,17 +31,12 @@ var (
 	token = &oauth2.Token{AccessToken: "123"}
 )
 
+// setUp load config file and then call Configure() for dependent packages
 func setUp(configFile string) {
 	os.Setenv("VOUCH_CONFIG", filepath.Join(os.Getenv("VOUCH_ROOT"), configFile))
 	cfg.InitForTestPurposes()
 
-	// cfg.Cfg.AllowAllUsers = false
-	// cfg.Cfg.WhiteList = make([]string, 0)
-	// cfg.Cfg.TeamWhiteList = make([]string, 0)
-	// cfg.Cfg.Domains = []string{"domain1"}
-
 	Configure()
-
 	domains.Configure()
 	jwtmanager.Configure()
 	cookie.Configure()
@@ -115,3 +111,73 @@ func TestVerifyUserNegative(t *testing.T) {
 	assert.False(t, ok)
 	assert.NotNil(t, err)
 }
+
+// copied from jwtmanager_test.go
+// it should live there but circular imports are resolved if it lives here
+var (
+	u1 = structs.User{
+		Username: "test@testing.com",
+		Name:     "Test Name",
+	}
+	t1 = structs.PTokens{
+		PAccessToken: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0.eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImltX29pY19jbGllbnQiLCJqdGkiOiJUOU4xUklkRkVzUE45enU3ZWw2eng2IiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6MTM5MzczNzA3MSwiZXhwIjoxMzkzNzM3MzcxLCJub25jZSI6ImNiYTU2NjY2LTRiMTItNDU2YS04NDA3LTNkMzAyM2ZhMTAwMiIsImF0X2hhc2giOiJrdHFvZVBhc2praVY5b2Z0X3o5NnJBIn0.g1Jc9DohWFfFG3ppWfvW16ib6YBaONC5VMs8J61i5j5QLieY-mBEeVi1D3vr5IFWCfivY4hZcHtoJHgZk1qCumkAMDymsLGX-IGA7yFU8LOjUdR4IlCPlZxZ_vhqr_0gQ9pCFKDkiOv1LVv5x3YgAdhHhpZhxK6rWxojg2RddzvZ9Xi5u2V1UZ0jukwyG2d4PRzDn7WoRNDGwYOEt4qY7lv_NO2TY2eAklP-xYBWu0b9FBElapnstqbZgAXdndNs-Wqp4gyQG5D0owLzxPErR9MnpQfgNcai-PlWI_UrvoopKNbX0ai2zfkuQ-qh6Xn8zgkiaYDHzq4gzwRfwazaqA",
+		PIdToken:     "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRvaXU4In0.eyJzdWIiOiJuZnlmZSIsImF1ZCI6ImltX29pY19jbGllbnQiLCJqdGkiOiJUOU4xUklkRkVzUE45enU3ZWw2eng2IiwiaXNzIjoiaHR0cHM6XC9cL3Nzby5tZXljbG91ZC5uZXQ6OTAzMSIsImlhdCI6MTM5MzczNzA3MSwiZXhwIjoxMzkzNzM3MzcxLCJub25jZSI6ImNiYTU2NjY2LTRiMTItNDU2YS04NDA3LTNkMzAyM2ZhMTAwMiIsImF0X2hhc2giOiJrdHFvZVBhc2praVY5b2Z0X3o5NnJBIn0.g1Jc9DohWFfFG3ppWfvW16ib6YBaONC5VMs8J61i5j5QLieY-mBEeVi1D3vr5IFWCfivY4hZcHtoJHgZk1qCumkAMDymsLGX-IGA7yFU8LOjUdR4IlCPlZxZ_vhqr_0gQ9pCFKDkiOv1LVv5x3YgAdhHhpZhxK6rWxojg2RddzvZ9Xi5u2V1UZ0jukwyG2d4PRzDn7WoRNDGwYOEt4qY7lv_NO2TY2eAklP-xYBWu0b9FBElapnstqbZgAXdndNs-Wqp4gyQG5D0owLzxPErR9MnpQfgNcai-PlWI_UrvoopKNbX0ai2zfkuQ-qh6Xn8zgkiaYDHzq4gzwRfwazaqA",
+	}
+
+	lc jwtmanager.VouchClaims
+
+	claimjson = `{
+		"sub": "f:a95afe53-60ba-4ac6-af15-fab870e72f3d:mrtester",
+		"groups": ["Website Users", "Test Group"],
+		"given_name": "Mister",
+		"family_name": "Tester",
+		"email": "mrtester@test.int"
+	}`
+	customClaims = structs.CustomClaims{}
+)
+
+// copied from jwtmanager_test.go
+func init() {
+	// log.SetLevel(log.DebugLevel)
+
+	lc = jwtmanager.VouchClaims{
+		u1.Username,
+		jwtmanager.Sites,
+		customClaims.Claims,
+		t1.PAccessToken,
+		t1.PIdToken,
+		jwtmanager.StandardClaims,
+	}
+	json.Unmarshal([]byte(claimjson), &customClaims.Claims)
+}
+
+func TestParsedIdPTokens(t *testing.T) {
+	tests := []struct {
+		name          string
+		configFile    string
+		wantIDPTokens bool
+	}{
+		{"no IdP tokens", "/config/testing/handler_claims.yml", false},
+		{"wants IdP tokens", "/config/testing/jwtmanager_has_idp_token_claims.yml", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			setUp(tt.configFile)
+			uts := jwtmanager.CreateUserTokenString(u1, customClaims, t1)
+			utsParsed, _ := jwtmanager.ParseTokenString(uts)
+			utsPtokens, _ := jwtmanager.PTokenClaims(utsParsed)
+
+			if tt.wantIDPTokens {
+				if t1.PIdToken != utsPtokens.PIdToken || t1.PAccessToken != utsPtokens.PAccessToken {
+					t.Errorf("got PIdToken = %s, PAccessToken = %s, \nwant %s , %s", utsPtokens.PIdToken, utsPtokens.PAccessToken, t1.PIdToken, t1.PAccessToken)
+				}
+			} else {
+				if utsPtokens.PIdToken != "" || utsPtokens.PAccessToken != "" {
+					t.Errorf("PIdToken and PAccessToken = should be '' got '%s', '%s'", utsPtokens.PIdToken, utsPtokens.PAccessToken)
+				}
+			}
+		})
+	}
+
+}

pkg/cfg/cfg.go

@@ -130,11 +130,15 @@ const (
 	minBase64Length = 44
 	base64Bytes     = 32
 
-	// ErrCtx set or check the http request context to see if it has errored
+	// ErrCtxKey set or check the http request context to see if it has errored
 	// see `responses.Error401` and `jwtmanager.JWTCacheHandler` for example
-	ErrCtx = "isErr"
+	ErrCtxKey ctxKey = 0
 )
 
+// use a typed ctxKey to avoid context key collission
+// https://blog.golang.org/context#TOC_3.2.
+type ctxKey int
+
 // Configure called at the very top of main()
 // the order of config follows the Viper conventions...
 //

pkg/jwtmanager/jwtcache.go

@@ -77,7 +77,9 @@ func JWTCacheHandler(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 
 		if jwt != "" &&
-			r.Context().Err() == nil { // r.Context().Done() is still open
+			r.Context().Err() == nil {
+			// see responses.addErrandCancelRequest()
+			// r.Context().Done() is still open
 			// cache the response headers for this jwt
 			// log.Debug("setting cache for %+v", w.Header().Clone())
 			Cache.SetDefault(jwt, w.Header().Clone())

pkg/jwtmanager/jwtmanager.go

@@ -86,6 +86,15 @@ func CreateUserTokenString(u structs.User, customClaims structs.CustomClaims, pt
 		StandardClaims,
 	}
 
+	// https://github.com/vouch/vouch-proxy/issues/287
+	if cfg.Cfg.Headers.AccessToken == "" {
+		claims.PAccessToken = ""
+	} 
+
+	if cfg.Cfg.Headers.IDToken == "" {
+		claims.PIdToken = ""
+	}
+
 	claims.StandardClaims.ExpiresAt = time.Now().Add(time.Minute * time.Duration(cfg.Cfg.JWT.MaxAge)).Unix()
 
 	// https://godoc.org/github.com/dgrijalva/jwt-go#NewWithClaims

pkg/responses/responses.go

@@ -117,7 +117,7 @@ func Error403(w http.ResponseWriter, r *http.Request, e error) {
 // cfg.ErrCtx is tested by `jwtmanager.JWTCacheHandler`
 func addErrandCancelRequest(r *http.Request) {
 	ctx, cancel := context.WithCancel(r.Context())
-	ctx = context.WithValue(ctx, cfg.ErrCtx, true)
+	ctx = context.WithValue(ctx, cfg.ErrCtxKey, true)
 	*r = *r.Clone(ctx)
 	cancel() // we're done
 	return

pkg/structs/structs.go

@@ -51,6 +51,7 @@ type AzureUser struct {
 	UPN string `json:"upn"`
 }
 
+// PrepareUserData implement PersonalData interface
 func (u *AzureUser) PrepareUserData() {
 	// AzureAD uses the 'upn' (UserPrincipleName) field to store the email address of the user
 	// See https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-userprincipalname