Merge pull request #2393 from coreos-inc/oidc-ui

OIDC configuration support in superuser config panel
2017-03-10 12:13:48 -05:00 · 2017-03-10 12:13:48 -05:00 · 6d6be63ca6
commit 6d6be63ca6
parent 8075460e71 0851c72e30
8 changed files with 363 additions and 129 deletions
--- a/util/config/validator.py
+++ b/util/config/validator.py
@ -18,6 +18,7 @@ from util.config.validators.validate_google_login import GoogleLoginValidator
 from util.config.validators.validate_bitbucket_trigger import BitbucketTriggerValidator
 from util.config.validators.validate_gitlab_trigger import GitLabTriggerValidator
 from util.config.validators.validate_github import GitHubLoginValidator, GitHubTriggerValidator
+from util.config.validators.validate_oidc import OIDCLoginValidator

 logger = logging.getLogger(__name__)

@ -51,6 +52,7 @@ VALIDATORS = {
  SignerValidator.name: SignerValidator.validate,
  SecurityScannerValidator.name: SecurityScannerValidator.validate,
  BittorrentValidator.name: BittorrentValidator.validate,
+  OIDCLoginValidator.name: OIDCLoginValidator.validate,
 }

 def validate_service_for_config(service, config, password=None):
--- a/util/config/validators/test/test_validate_oidc.py
+++ b/util/config/validators/test/test_validate_oidc.py
@ -0,0 +1,38 @@
+import json
+import pytest
+
+from httmock import urlmatch, HTTMock
+
+from oauth.oidc import OIDC_WELLKNOWN
+from util.config.validators import ConfigValidationException
+from util.config.validators.validate_oidc import OIDCLoginValidator
+
+@pytest.mark.parametrize('unvalidated_config', [
+  ({'SOMETHING_LOGIN_CONFIG': {}}),
+])
+def test_validate_invalid_oidc_login_config(unvalidated_config):
+  validator = OIDCLoginValidator()
+
+  with pytest.raises(ConfigValidationException):
+    validator.validate(unvalidated_config, None, None)
+
+def test_validate_oidc_login():
+  url_hit = [False]
+  @urlmatch(netloc=r'someserver', path=r'/\.well-known/openid-configuration')
+  def handler(_, __):
+    url_hit[0] = True
+    data = {
+      'userinfo_endpoint': 'foobar',
+    }
+    return {'status_code': 200, 'content': json.dumps(data)}
+
+  with HTTMock(handler):
+    validator = OIDCLoginValidator()
+    validator.validate({
+      'SOMETHING_LOGIN_CONFIG': {
+        'OIDC_SERVER': 'http://someserver',
+        'DEBUGGING': True, # Allows for HTTP.
+      },
+    }, None, None)
+
+  assert url_hit[0]
--- a/util/config/validators/validate_oidc.py
+++ b/util/config/validators/validate_oidc.py
@ -0,0 +1,27 @@
+from app import app
+from oauth.loginmanager import OAuthLoginManager
+from oauth.oidc import OIDCLoginService, DiscoveryFailureException
+from util.config.validators import BaseValidator, ConfigValidationException
+
+class OIDCLoginValidator(BaseValidator):
+  name = "oidc-login"
+
+  @classmethod
+  def validate(cls, config, user, user_password):
+    client = app.config['HTTPCLIENT']
+    login_manager = OAuthLoginManager(config, client=client)
+    for service in login_manager.services:
+      if not isinstance(service, OIDCLoginService):
+        continue
+
+      if service.config.get('OIDC_SERVER') is None:
+        msg = 'Missing OIDC_SERVER on OIDC service %s' % service.service_id()
+        raise ConfigValidationException(msg)
+
+      try:
+        if not service.validate():
+          msg = 'Could not validate OIDC service %s' % service.service_id()
+          raise ConfigValidationException(msg)
+      except DiscoveryFailureException as dfe:
+        msg = 'Could not validate OIDC service %s: %s' % (service.service_id(), dfe.message)
+        raise ConfigValidationException(msg)