Merge pull request #2695 from coreos-inc/oidc-internal-auth

OIDC internal auth support
2017-10-02 16:51:17 -04:00 · 2017-10-02 16:51:17 -04:00 · 3bef21253d
commit 3bef21253d
parent 491b9c8278 f51a863158
29 changed files with 341 additions and 38 deletions
--- a/endpoints/api/suconfig.py
+++ b/endpoints/api/suconfig.py
@ -217,9 +217,10 @@ class SuperUserConfig(ApiResource):
      # Write the configuration changes to the config override file.
      config_provider.save_config(config_object)

-      # If the authentication system is not the database, link the superuser account to the
+      # If the authentication system is federated, link the superuser account to the
      # the authentication system chosen.
-      if config_object.get('AUTHENTICATION_TYPE', 'Database') != 'Database':
+      service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
+      if service_name is not None:
        current_user = get_authenticated_user()
        if current_user is None:
          abort(401)
--- a/endpoints/api/user.py
+++ b/endpoints/api/user.py
@ -529,6 +529,9 @@ class ClientKey(ApiResource):
  @validate_json_request('GenerateClientKey')
  def post(self):
    """  Return's the user's private client key. """
+    if not authentication.supports_encrypted_credentials:
+      raise NotFound()
+
    username = get_authenticated_user().username
    password = request.get_json()['password']
    (result, error_message) = authentication.confirm_existing_user(username, password)
@ -744,7 +747,7 @@ class ExternalLoginInformation(ApiResource):
        'kind': {
          'type': 'string',
          'description': 'The kind of URL',
-          'enum': ['login', 'attach'],
+          'enum': ['login', 'attach', 'cli'],
        },
      },
    },
@ -762,7 +765,7 @@ class ExternalLoginInformation(ApiResource):

    csrf_token = generate_csrf_token(OAUTH_CSRF_TOKEN_NAME)
    kind = request.get_json()['kind']
-    redirect_suffix = '/attach' if kind == 'attach' else ''
+    redirect_suffix = '' if kind == 'login' else '/' + kind

    try:
      login_scopes = login_service.get_login_scopes()
--- a/endpoints/oauth/login.py
+++ b/endpoints/oauth/login.py
@ -252,6 +252,24 @@ def _register_service(login_service):
    auth_url = login_service.get_auth_url(app.config, '', csrf_token, login_scopes)
    return redirect(auth_url)

+  @require_session_login
+  @oauthlogin_csrf_protect
+  def cli_token_func():
+    # Check for a callback error.
+    error = request.args.get('error', None)
+    if error:
+      return _render_ologin_error(login_service.service_name(), error)
+
+    # Exchange the OAuth code for the ID token.
+    code = request.args.get('code')
+    try:
+      idtoken, _ = login_service.exchange_code_for_tokens(app.config, client, code, '/cli')
+    except OAuthLoginException as ole:
+      return _render_ologin_error(login_service.service_name(), ole.message)
+
+    user_obj = get_authenticated_user()
+    return redirect(url_for('web.user_view', path=user_obj.username, tab='settings',
+                            idtoken=idtoken))

  oauthlogin.add_url_rule('/%s/callback/captcha' % login_service.service_id(),
                          '%s_oauth_captcha' % login_service.service_id(),
@ -268,6 +286,11 @@ def _register_service(login_service):
                          attach_func,
                          methods=['GET'])

+  oauthlogin.add_url_rule('/%s/callback/cli' % login_service.service_id(),
+                          '%s_oauth_cli' % login_service.service_id(),
+                          cli_token_func,
+                          methods=['GET'])
+
 # Register the routes for each of the login services.
 for current_service in oauth_login.services:
  _register_service(current_service)