mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

keystone: test cases, refactoring and cleanup

pull/1374/head
joannano 7 years ago committed by Krzysztof Balka
parent
a965365a2b
commit
88d1e2b041
10 changed files with 474 additions and 470 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      .travis.yml
  2. 9
      Dockerfile
  3. 1
      connector/connector.go
  4. 257
      connector/keystone/keystone.go
  5. 467
      connector/keystone/keystone_test.go
  6. 139
      connector/keystone/types.go
  7. 55
      examples/config-keystone.yaml
  8. 6
      server/handlers.go
  9. 4
      server/server.go
  10. 1
      storage/static.go

5
.travis.yml
Unescape View File

@ -13,13 +13,14 @@ services:
- docker - docker
env: env:
- DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive - DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive DEX_KEYSTONE_URL=http://localhost:5000 DEX_KEYSTONE_ADMIN_URL=http://localhost:35357
install: install:
- sudo -E apt-get install -y --force-yes slapd time ldap-utils - sudo -E apt-get install -y --force-yes slapd time ldap-utils
- sudo /etc/init.d/slapd stop - sudo /etc/init.d/slapd stop
- docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9 - docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9
- docker run -d -p 0.0.0.0:5000:5000 -p 0.0.0.0:35357:35357 openio/openstack-keystone
- sleep 60s
script: script:
- make testall - make testall

9
Dockerfile
Unescape View File

@ -11,12 +11,15 @@ FROM alpine:3.8
# experience when this doesn't work out of the box. # experience when this doesn't work out of the box.
# #
# OpenSSL is required so wget can query HTTPS endpoints for health checking. # OpenSSL is required so wget can query HTTPS endpoints for health checking.
RUN apk add --update ca-certificates openssl bash RUN apk add --update ca-certificates openssl
COPY --from=0 /go/bin/dex /usr/local/bin/dex
# Import frontend assets and set the correct CWD directory so the assets # Import frontend assets and set the correct CWD directory so the assets
# are in the default path. # are in the default path.
COPY web /web COPY web /web
WORKDIR / WORKDIR /
EXPOSE 5500-5600 ENTRYPOINT ["dex"]
CMD ["bash"]
CMD ["version"]

1
connector/connector.go
Unescape View File

@ -35,7 +35,6 @@ type Identity struct {
// //
// This data is never shared with end users, OAuth clients, or through the API. // This data is never shared with end users, OAuth clients, or through the API.
ConnectorData []byte ConnectorData []byte
Password string
} }
// PasswordConnector is an interface implemented by connectors which take a // PasswordConnector is an interface implemented by connectors which take a

257
connector/keystone/keystone.go
Unescape View File

@ -2,163 +2,186 @@
package keystone package keystone
import ( import (
"bytes"
"context" "context"
"fmt"
"github.com/dexidp/dex/connector"
"github.com/sirupsen/logrus"
"encoding/json" "encoding/json"
"net/http" "fmt"
"bytes"
"io/ioutil" "io/ioutil"
"net/http"
"github.com/sirupsen/logrus"
"github.com/dexidp/dex/connector"
) )
var ( var (
_ connector.PasswordConnector = &Connector{} _ connector.PasswordConnector = &keystoneConnector{}
_ connector.RefreshConnector = &Connector{} _ connector.RefreshConnector = &keystoneConnector{}
) )
// Open returns an authentication strategy using Keystone. // Open returns an authentication strategy using Keystone.
func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) { func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
return &Connector{c.Domain, c.KeystoneHost, return &keystoneConnector{c.Domain, c.KeystoneHost,
c.KeystoneUsername, c.KeystonePassword, logger}, nil c.KeystoneUsername, c.KeystonePassword, logger}, nil
} }
func (p Connector) Close() error { return nil } func (p *keystoneConnector) Close() error { return nil }
func (p Connector) Login(ctx context.Context, s connector.Scopes, username, password string) ( func (p *keystoneConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (
identity connector.Identity, validPassword bool, err error) { identity connector.Identity, validPassword bool, err error) {
response, err := p.getTokenResponse(username, password) resp, err := p.getTokenResponse(ctx, username, password)
if err != nil {
return identity, false, fmt.Errorf("keystone: error %v", err)
}
// Providing wrong password or wrong keystone URI throws error // Providing wrong password or wrong keystone URI throws error
if err == nil && response.StatusCode == 201 { if resp.StatusCode == 201 {
token := response.Header["X-Subject-Token"][0] token := resp.Header.Get("X-Subject-Token")
data, _ := ioutil.ReadAll(response.Body) data, err := ioutil.ReadAll(resp.Body)
if err != nil {
var tokenResponse = new(TokenResponse) return identity, false, err
err := json.Unmarshal(data, &tokenResponse) }
defer resp.Body.Close()
if err != nil {
fmt.Printf("keystone: invalid token response: %v", err) var tokenResp = new(tokenResponse)
return identity, false, err err = json.Unmarshal(data, &tokenResp)
} if err != nil {
groups, err := p.getUserGroups(tokenResponse.Token.User.ID, token) return identity, false, fmt.Errorf("keystone: invalid token response: %v", err)
}
if err != nil { groups, err := p.getUserGroups(ctx, tokenResp.Token.User.ID, token)
return identity, false, err if err != nil {
} return identity, false, err
}
identity.Username = username
identity.UserID = tokenResponse.Token.User.ID identity.Username = username
identity.Groups = groups identity.UserID = tokenResp.Token.User.ID
identity.Groups = groups
return identity, true, nil return identity, true, nil
} else if err != nil {
fmt.Printf("keystone: error %v", err)
return identity, false, err
} else {
data, _ := ioutil.ReadAll(response.Body)
fmt.Println(string(data))
return identity, false, err
} }
return identity, false, nil return identity, false, nil
} }
func (p Connector) Prompt() string { return "username" } func (p *keystoneConnector) Prompt() string { return "username" }
func (p Connector) Refresh( func (p *keystoneConnector) Refresh(
ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) { ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
if len(identity.ConnectorData) == 0 { token, err := p.getAdminToken(ctx)
return identity, nil if err != nil {
return identity, fmt.Errorf("keystone: failed to obtain admin token: %v", err)
} }
token, err := p.getAdminToken() ok, err := p.checkIfUserExists(ctx, identity.UserID, token)
if err != nil {
if err != nil { return identity, err
fmt.Printf("keystone: failed to obtain admin token") }
return identity, err if !ok {
} return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
}
ok := p.checkIfUserExists(identity.UserID, token)
if !ok {
fmt.Printf("keystone: user %q does not exist\n", identity.UserID)
return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
}
groups, err := p.getUserGroups(identity.UserID, token) groups, err := p.getUserGroups(ctx, identity.UserID, token)
if err != nil { if err != nil {
fmt.Printf("keystone: Failed to fetch user %q groups", identity.UserID) return identity, err
return identity, fmt.Errorf("keystone: failed to fetch user %q groups", identity.UserID) }
}
identity.Groups = groups identity.Groups = groups
fmt.Printf("Identity data after use of refresh token: %v", identity)
return identity, nil return identity, nil
} }
func (p *keystoneConnector) getTokenResponse(ctx context.Context, username, pass string) (response *http.Response, err error) {
func (p Connector) getTokenResponse(username, password string) (response *http.Response, err error) { client := &http.Client{}
jsonData := LoginRequestData{ jsonData := loginRequestData{
Auth: Auth{ auth: auth{
Identity: Identity{ Identity: identity{
Methods:[]string{"password"}, Methods: []string{"password"},
Password: Password{ Password: password{
User: User{ User: user{
Name: username, Name: username,
Domain: Domain{ID:p.Domain}, Domain: domain{ID: p.Domain},
Password: password, Password: pass,
}, },
}, },
}, },
}, },
} }
jsonValue, _ := json.Marshal(jsonData) jsonValue, err := json.Marshal(jsonData)
loginURI := p.KeystoneHost + "/v3/auth/tokens" if err != nil {
return http.Post(loginURI, "application/json", bytes.NewBuffer(jsonValue)) return nil, err
}
authTokenURL := p.KeystoneHost + "/v3/auth/tokens/"
req, err := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(jsonValue))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/json")
req = req.WithContext(ctx)
return client.Do(req)
} }
func (p Connector) getAdminToken()(string, error) { func (p *keystoneConnector) getAdminToken(ctx context.Context) (string, error) {
response, err := p.getTokenResponse(p.KeystoneUsername, p.KeystonePassword) resp, err := p.getTokenResponse(ctx, p.KeystoneUsername, p.KeystonePassword)
if err!= nil { if err != nil {
return "", err return "", err
} }
token := response.Header["X-Subject-Token"][0] token := resp.Header.Get("X-Subject-Token")
return token, nil return token, nil
} }
func (p Connector) checkIfUserExists(userID string, token string) (bool) { func (p *keystoneConnector) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) {
groupsURI := p.KeystoneHost + "/v3/users/" + userID userURL := p.KeystoneHost + "/v3/users/" + userID
client := &http.Client{} client := &http.Client{}
req, _ := http.NewRequest("GET", groupsURI, nil) req, err := http.NewRequest("GET", userURL, nil)
req.Header.Set("X-Auth-Token", token) if err != nil {
response, err := client.Do(req) return false, err
if err == nil && response.StatusCode == 200 { }
return true
} req.Header.Set("X-Auth-Token", token)
return false req = req.WithContext(ctx)
resp, err := client.Do(req)
if err != nil {
return false, err
}
if resp.StatusCode == 200 {
return true, nil
}
return false, err
} }
func (p Connector) getUserGroups(userID string, token string) ([]string, error) { func (p *keystoneConnector) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) {
groupsURI := p.KeystoneHost + "/v3/users/" + userID + "/groups" client := &http.Client{}
client := &http.Client{} groupsURL := p.KeystoneHost + "/v3/users/" + userID + "/groups"
req, _ := http.NewRequest("GET", groupsURI, nil)
req.Header.Set("X-Auth-Token", token) req, err := http.NewRequest("GET", groupsURL, nil)
response, err := client.Do(req) req.Header.Set("X-Auth-Token", token)
req = req.WithContext(ctx)
if err != nil { resp, err := client.Do(req)
fmt.Printf("keystone: error while fetching user %q groups\n", userID) if err != nil {
return nil, err p.Logger.Errorf("keystone: error while fetching user %q groups\n", userID)
} return nil, err
data, _ := ioutil.ReadAll(response.Body) }
var groupsResponse = new(GroupsResponse)
err = json.Unmarshal(data, &groupsResponse) data, err := ioutil.ReadAll(resp.Body)
if err != nil { if err != nil {
return nil, err return nil, err
} }
groups := []string{} defer resp.Body.Close()
for _, group := range groupsResponse.Groups {
groups = append(groups, group.Name) var groupsResp = new(groupsResponse)
}
return groups, nil err = json.Unmarshal(data, &groupsResp)
if err != nil {
return nil, err
}
groups := make([]string, len(groupsResp.Groups))
for i, group := range groupsResp.Groups {
groups[i] = group.Name
}
return groups, nil
} }

467
connector/keystone/keystone_test.go
Unescape View File

@ -1,275 +1,358 @@
package keystone package keystone
import ( import (
"testing"
"github.com/dexidp/dex/connector"
"fmt"
"io"
"os"
"time"
"net/http"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/client"
networktypes "github.com/docker/docker/api/types/network"
"github.com/docker/go-connections/nat"
"golang.org/x/net/context"
"bytes" "bytes"
"context"
"encoding/json" "encoding/json"
"fmt"
"io/ioutil" "io/ioutil"
) "net/http"
"os"
const dockerCliVersion = "1.37" "reflect"
"strings"
const exposedKeystonePort = "5000" "testing"
const exposedKeystonePortAdmin = "35357"
const keystoneHost = "http://localhost"
const keystoneURL = keystoneHost + ":" + exposedKeystonePort
const keystoneAdminURL = keystoneHost + ":" + exposedKeystonePortAdmin
const authTokenURL = keystoneURL + "/v3/auth/tokens/"
const userURL = keystoneAdminURL + "/v3/users/"
const groupURL = keystoneAdminURL + "/v3/groups/"
func startKeystoneContainer() string {
ctx := context.Background()
cli, err := client.NewClientWithOpts(client.WithVersion(dockerCliVersion))
if err != nil { "github.com/dexidp/dex/connector"
fmt.Printf("Error %v", err) )
return ""
}
imageName := "openio/openstack-keystone" const (
out, err := cli.ImagePull(ctx, imageName, types.ImagePullOptions{}) adminUser = "demo"
if err != nil { adminPass = "DEMO_PASS"
fmt.Printf("Error %v", err) invalidPass = "WRONG_PASS"
return ""
}
io.Copy(os.Stdout, out)
resp, err := cli.ContainerCreate(ctx, &container.Config{
Image: imageName,
}, &container.HostConfig{
PortBindings: nat.PortMap{
"5000/tcp": []nat.PortBinding{
{
HostIP: "0.0.0.0",
HostPort: exposedKeystonePort,
},
},
"35357/tcp": []nat.PortBinding{
{
HostIP: "0.0.0.0",
HostPort: exposedKeystonePortAdmin,
},
},
},
}, &networktypes.NetworkingConfig{}, "dex_keystone_test")
if err != nil { testUser = "test_user"
fmt.Printf("Error %v", err) testPass = "test_pass"
return "" testEmail = "test@example.com"
} testGroup = "test_group"
testDomain = "default"
)
if err := cli.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{}); err != nil { var (
panic(err) keystoneURL = ""
} keystoneAdminURL = ""
authTokenURL = ""
usersURL = ""
groupsURL = ""
)
fmt.Println(resp.ID) type userResponse struct {
return resp.ID User struct {
ID string `json:"id"`
} `json:"user"`
} }
func cleanKeystoneContainer(ID string) { type groupResponse struct {
ctx := context.Background() Group struct {
cli, err := client.NewClientWithOpts(client.WithVersion(dockerCliVersion)) ID string `json:"id"`
if err != nil { } `json:"group"`
fmt.Printf("Error %v", err)
return
}
duration := time.Duration(1)
if err:= cli.ContainerStop(ctx, ID, &duration); err != nil {
fmt.Printf("Error %v", err)
return
}
if err:= cli.ContainerRemove(ctx, ID, types.ContainerRemoveOptions{}); err != nil {
fmt.Printf("Error %v", err)
}
} }
func getAdminToken(admin_name, admin_pass string) (token string) { func getAdminToken(t *testing.T, adminName, adminPass string) (token, id string) {
t.Helper()
client := &http.Client{} client := &http.Client{}
jsonData := LoginRequestData{ jsonData := loginRequestData{
Auth: Auth{ auth: auth{
Identity: Identity{ Identity: identity{
Methods:[]string{"password"}, Methods: []string{"password"},
Password: Password{ Password: password{
User: User{ User: user{
Name: admin_name, Name: adminName,
Domain: Domain{ID: "default"}, Domain: domain{ID: testDomain},
Password: admin_pass, Password: adminPass,
}, },
}, },
}, },
}, },
} }
body, _ := json.Marshal(jsonData) body, err := json.Marshal(jsonData)
if err != nil {
t.Fatal(err)
}
req, _ := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(body)) req, err := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(body))
if err != nil {
t.Fatalf("keystone: failed to obtain admin token: %v\n", err)
}
req.Header.Set("Content-Type", "application/json") req.Header.Set("Content-Type", "application/json")
resp, _ := client.Do(req) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
token = resp.Header["X-Subject-Token"][0] token = resp.Header.Get("X-Subject-Token")
return token
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var tokenResp = new(tokenResponse)
err = json.Unmarshal(data, &tokenResp)
if err != nil {
t.Fatal(err)
}
return token, tokenResp.Token.User.ID
} }
func createUser(token, user_name, user_email, user_pass string) (string){ func createUser(t *testing.T, token, userName, userEmail, userPass string) string {
t.Helper()
client := &http.Client{} client := &http.Client{}
createUserData := CreateUserRequest{ createUserData := map[string]interface{}{
CreateUser: CreateUserForm{ "user": map[string]interface{}{
Name: user_name, "name": userName,
Email: user_email, "email": userEmail,
Enabled: true, "enabled": true,
Password: user_pass, "password": userPass,
Roles: []string{"admin"}, "roles": []string{"admin"},
}, },
} }
body, _ := json.Marshal(createUserData) body, err := json.Marshal(createUserData)
if err != nil {
t.Fatal(err)
}
req, _ := http.NewRequest("POST", userURL, bytes.NewBuffer(body)) req, err := http.NewRequest("POST", usersURL, bytes.NewBuffer(body))
if err != nil {
t.Fatal(err)
}
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
req.Header.Add("Content-Type", "application/json") req.Header.Add("Content-Type", "application/json")
resp, _ := client.Do(req) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
data, _ := ioutil.ReadAll(resp.Body) data, err := ioutil.ReadAll(resp.Body)
var userResponse = new(UserResponse)
err := json.Unmarshal(data, &userResponse)
if err != nil { if err != nil {
fmt.Println(err) t.Fatal(err)
} }
defer resp.Body.Close()
fmt.Println(userResponse.User.ID) var userResp = new(userResponse)
return userResponse.User.ID err = json.Unmarshal(data, &userResp)
if err != nil {
t.Fatal(err)
}
return userResp.User.ID
} }
func deleteUser(token, id string) { // delete group or user
func delete(t *testing.T, token, id, uri string) {
t.Helper()
client := &http.Client{} client := &http.Client{}
deleteUserURI := userURL + id deleteURI := uri + id
fmt.Println(deleteUserURI) req, err := http.NewRequest("DELETE", deleteURI, nil)
req, _ := http.NewRequest("DELETE", deleteUserURI, nil) if err != nil {
t.Fatalf("error: %v", err)
}
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
resp, _ := client.Do(req) client.Do(req)
fmt.Println(resp)
} }
func createGroup(token, description, name string) string{ func createGroup(t *testing.T, token, description, name string) string {
t.Helper()
client := &http.Client{} client := &http.Client{}
createGroupData := CreateGroup{ createGroupData := map[string]interface{}{
CreateGroupForm{ "group": map[string]interface{}{
Description: description, "name": name,
Name: name, "description": description,
}, },
} }
body, _ := json.Marshal(createGroupData) body, err := json.Marshal(createGroupData)
if err != nil {
t.Fatal(err)
}
req, _ := http.NewRequest("POST", groupURL, bytes.NewBuffer(body)) req, err := http.NewRequest("POST", groupsURL, bytes.NewBuffer(body))
if err != nil {
t.Fatal(err)
}
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
req.Header.Add("Content-Type", "application/json") req.Header.Add("Content-Type", "application/json")
resp, _ := client.Do(req) resp, err := client.Do(req)
data, _ := ioutil.ReadAll(resp.Body) if err != nil {
t.Fatal(err)
}
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var groupResponse = new(GroupID) var groupResp = new(groupResponse)
err := json.Unmarshal(data, &groupResponse) err = json.Unmarshal(data, &groupResp)
if err != nil { if err != nil {
fmt.Println(err) t.Fatal(err)
} }
return groupResponse.Group.ID return groupResp.Group.ID
} }
func addUserToGroup(token, groupId, userId string) { func addUserToGroup(t *testing.T, token, groupID, userID string) error {
uri := groupURL + groupId + "/users/" + userId t.Helper()
uri := groupsURL + groupID + "/users/" + userID
client := &http.Client{} client := &http.Client{}
req, _ := http.NewRequest("PUT", uri, nil) req, err := http.NewRequest("PUT", uri, nil)
if err != nil {
return err
}
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
resp, _ := client.Do(req) client.Do(req)
fmt.Println(resp) return nil
} }
const adminUser = "demo"
const adminPass = "DEMO_PASS"
const invalidPass = "WRONG_PASS"
const testUser = "test_user"
const testPass = "test_pass"
const testEmail = "test@example.com"
const domain = "default"
func TestIncorrectCredentialsLogin(t *testing.T) { func TestIncorrectCredentialsLogin(t *testing.T) {
c := Connector{KeystoneHost: keystoneURL, Domain: domain, c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass} KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true} s := connector.Scopes{OfflineAccess: true, Groups: true}
_, validPW, _ := c.Login(context.Background(), s, adminUser, invalidPass) _, validPW, err := c.Login(context.Background(), s, adminUser, invalidPass)
if err != nil {
if validPW { t.Fatal(err.Error())
t.Fail() }
}
if validPW {
t.Fail()
}
} }
func TestValidUserLogin(t *testing.T) { func TestValidUserLogin(t *testing.T) {
token := getAdminToken(adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(token, testUser, testEmail, testPass) userID := createUser(t, token, testUser, testEmail, testPass)
c := Connector{KeystoneHost: keystoneURL, Domain: domain, c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass} KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true} s := connector.Scopes{OfflineAccess: true, Groups: true}
_, validPW, _ := c.Login(context.Background(), s, testUser, testPass) identity, validPW, err := c.Login(context.Background(), s, testUser, testPass)
if !validPW { if err != nil {
t.Fail() t.Fatal(err.Error())
} }
deleteUser(token, userID) t.Log(identity)
if !validPW {
t.Fail()
}
delete(t, token, userID, usersURL)
} }
func TestUseRefreshToken(t *testing.T) { func TestUseRefreshToken(t *testing.T) {
t.Fatal("Not implemented") token, adminID := getAdminToken(t, adminUser, adminPass)
groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, adminID)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, adminUser, adminPass)
if err != nil {
t.Fatal(err.Error())
}
identityRefresh, err := c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, groupID, groupsURL)
expectEquals(t, 1, len(identityRefresh.Groups))
expectEquals(t, testGroup, string(identityRefresh.Groups[0]))
} }
func TestUseRefreshTokenUserDeleted(t *testing.T){ func TestUseRefreshTokenUserDeleted(t *testing.T) {
t.Fatal("Not implemented") token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
_, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, userID, usersURL)
_, err = c.Refresh(context.Background(), s, identityLogin)
if !strings.Contains(err.Error(), "does not exist") {
t.Errorf("unexpected error: %s", err.Error())
}
} }
func TestUseRefreshTokenGroupsChanged(t *testing.T){ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
t.Fatal("Not implemented") token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
identityRefresh, err := c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
expectEquals(t, 0, len(identityRefresh.Groups))
groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, userID)
identityRefresh, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, groupID, groupsURL)
delete(t, token, userID, usersURL)
expectEquals(t, 1, len(identityRefresh.Groups))
} }
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
dockerID := startKeystoneContainer() keystoneURLEnv := "DEX_KEYSTONE_URL"
repeats := 10 keystoneAdminURLEnv := "DEX_KEYSTONE_ADMIN_URL"
running := false keystoneURL = os.Getenv(keystoneURLEnv)
for i := 0; i < repeats; i++ { if keystoneURL == "" {
_, err := http.Get(keystoneURL) fmt.Printf("variable %q not set, skipping keystone connector tests\n", keystoneURLEnv)
if err == nil { return
running = true }
break keystoneAdminURL := os.Getenv(keystoneAdminURLEnv)
} if keystoneAdminURL == "" {
time.Sleep(10 * time.Second) fmt.Printf("variable %q not set, skipping keystone connector tests\n", keystoneAdminURLEnv)
} return
if !running { }
fmt.Printf("Failed to start keystone container") authTokenURL = keystoneURL + "/v3/auth/tokens/"
os.Exit(1) fmt.Printf("Auth token url %q\n", authTokenURL)
} fmt.Printf("Keystone URL %q\n", keystoneURL)
defer cleanKeystoneContainer(dockerID) usersURL = keystoneAdminURL + "/v3/users/"
// run all tests groupsURL = keystoneAdminURL + "/v3/groups/"
// run all tests
m.Run() m.Run()
} }
func expectEquals(t *testing.T, a interface{}, b interface{}) {
if !reflect.DeepEqual(a, b) {
t.Errorf("Expected %v to be equal %v", a, b)
}
}

139
connector/keystone/types.go
Unescape View File

@ -4,133 +4,84 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
type Connector struct { type keystoneConnector struct {
Domain string Domain string
KeystoneHost string KeystoneHost string
KeystoneUsername string KeystoneUsername string
KeystonePassword string KeystonePassword string
Logger logrus.FieldLogger Logger logrus.FieldLogger
} }
type ConnectorData struct { type userKeystone struct {
AccessToken string `json:"accessToken"` Domain domainKeystone `json:"domain"`
ID string `json:"id"`
Name string `json:"name"`
} }
type KeystoneUser struct { type domainKeystone struct {
Domain KeystoneDomain `json:"domain"` ID string `json:"id"`
ID string `json:"id"`
Name string `json:"name"`
}
type KeystoneDomain struct {
ID string `json:"id"`
Name string `json:"name"` Name string `json:"name"`
} }
// Config holds the configuration parameters for Keystone connector.
// Keystone should expose API v3
// An example config:
// connectors:
// type: keystone
// id: keystone
// name: Keystone
// config:
// keystoneHost: http://example:5000
// domain: default
// keystoneUsername: demo
// keystonePassword: DEMO_PASS
type Config struct { type Config struct {
Domain string `json:"domain"` Domain string `json:"domain"`
KeystoneHost string `json:"keystoneHost"` KeystoneHost string `json:"keystoneHost"`
KeystoneUsername string `json:"keystoneUsername"` KeystoneUsername string `json:"keystoneUsername"`
KeystonePassword string `json:"keystonePassword"` KeystonePassword string `json:"keystonePassword"`
} }
type LoginRequestData struct { type loginRequestData struct {
Auth `json:"auth"` auth `json:"auth"`
} }
type Auth struct { type auth struct {
Identity `json:"identity"` Identity identity `json:"identity"`
} }
type Identity struct { type identity struct {
Methods []string `json:"methods"` Methods []string `json:"methods"`
Password `json:"password"` Password password `json:"password"`
} }
type Password struct { type password struct {
User `json:"user"` User user `json:"user"`
} }
type User struct { type user struct {
Name string `json:"name"`
Domain `json:"domain"`
Password string `json:"password"`
}
type Domain struct {
ID string `json:"id"`
}
type Token struct {
IssuedAt string `json:"issued_at"`
Extras map[string]interface{} `json:"extras"`
Methods []string `json:"methods"`
ExpiresAt string `json:"expires_at"`
User KeystoneUser `json:"user"`
}
type TokenResponse struct {
Token Token `json:"token"`
}
type CreateUserRequest struct {
CreateUser CreateUserForm `json:"user"`
}
type CreateUserForm struct {
Name string `json:"name"` Name string `json:"name"`
Email string `json:"email"` Domain domain `json:"domain"`
Enabled bool `json:"enabled"`
Password string `json:"password"` Password string `json:"password"`
Roles []string `json:"roles"`
}
type UserResponse struct {
User CreateUserResponse `json:"user"`
}
type CreateUserResponse struct {
Username string `json:"username"`
Name string `json:"name"`
Roles []string `json:"roles"`
Enabled bool `json:"enabled"`
Options string `json:"options"`
ID string `json:"id"`
Email string `json:"email"`
}
type CreateGroup struct {
Group CreateGroupForm `json:"group"`
}
type CreateGroupForm struct {
Description string `json:"description"`
Name string `json:"name"`
} }
type GroupID struct { type domain struct {
Group GroupIDForm `json:"group"` ID string `json:"id"`
} }
type GroupIDForm struct { type token struct {
ID string `json:"id"` User userKeystone `json:"user"`
} }
type Links struct { type tokenResponse struct {
Self string `json:"self"` Token token `json:"token"`
Previous string `json:"previous"`
Next string `json:"next"`
} }
type Group struct { type group struct {
DomainID string `json:"domain_id` ID string `json:"id"`
Description string `json:"description"` Name string `json:"name"`
ID string `json:"id"`
Links Links `json:"links"`
Name string `json:"name"`
} }
type GroupsResponse struct { type groupsResponse struct {
Links Links `json:"links"` Groups []group `json:"groups"`
Groups []Group `json:"groups"`
} }

55
examples/config-keystone.yaml
Unescape View File

@ -1,55 +0,0 @@
# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://0.0.0.0:5556/dex
# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the storage document at Documentation/storage.md for further information.
storage:
type: sqlite3
config:
file: examples/dex.db #be in the dex directory, else change path here
# Configuration for the HTTP endpoints.
web:
https: 0.0.0.0:5556
# Uncomment for HTTPS options.
# https: 127.0.0.1:5554
tlsCert: ./ssl/dex.crt
tlsKey: ./ssl/dex.key
# Configuration for telemetry
telemetry:
http: 0.0.0.0:5558
oauth2:
responseTypes: ["id_token"]
# Instead of reading from an external storage, use this list of clients.
staticClients:
- id: example-app
redirectURIs:
- 'http://127.0.0.1:5555/callback'
name: 'Example App'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
#Provide Keystone connector and its config here
# /v3/auth/tokens
connectors:
- type: keystone
id: keystone
name: Keystone
config:
keystoneHost: http://localhost:5000
domain: default
keystoneUsername: demo
keystonePassword: DEMO_PASS
# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true
oauth2:
skipApprovalScreen: true

6
server/handlers.go
Unescape View File

@ -211,7 +211,6 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
} }
authReqID := r.FormValue("req") authReqID := r.FormValue("req")
s.logger.Errorf("Auth req id %v", authReqID)
authReq, err := s.storage.GetAuthRequest(authReqID) authReq, err := s.storage.GetAuthRequest(authReqID)
if err != nil { if err != nil {
@ -346,7 +345,7 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.") s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
return return
} }
s.logger.Errorf("2Failed to get auth request: %v", err) s.logger.Errorf("Failed to get auth request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Database error.") s.renderError(w, http.StatusInternalServerError, "Database error.")
return return
} }
@ -358,7 +357,6 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
} }
conn, err := s.getConnector(authReq.ConnectorID) conn, err := s.getConnector(authReq.ConnectorID)
s.logger.Errorf("X Connector %v", conn)
if err != nil { if err != nil {
s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err) s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err)
s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.") s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
@ -437,7 +435,7 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) { func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
authReq, err := s.storage.GetAuthRequest(r.FormValue("req")) authReq, err := s.storage.GetAuthRequest(r.FormValue("req"))
if err != nil { if err != nil {
s.logger.Errorf("3Failed to get auth request: %v", err) s.logger.Errorf("Failed to get auth request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Database error.") s.renderError(w, http.StatusInternalServerError, "Database error.")
return return
} }

4
server/server.go
Unescape View File

@ -27,6 +27,7 @@ import (
"github.com/dexidp/dex/connector/bitbucketcloud" "github.com/dexidp/dex/connector/bitbucketcloud"
"github.com/dexidp/dex/connector/github" "github.com/dexidp/dex/connector/github"
"github.com/dexidp/dex/connector/gitlab" "github.com/dexidp/dex/connector/gitlab"
"github.com/dexidp/dex/connector/keystone"
"github.com/dexidp/dex/connector/ldap" "github.com/dexidp/dex/connector/ldap"
"github.com/dexidp/dex/connector/linkedin" "github.com/dexidp/dex/connector/linkedin"
"github.com/dexidp/dex/connector/microsoft" "github.com/dexidp/dex/connector/microsoft"
@ -34,7 +35,6 @@ import (
"github.com/dexidp/dex/connector/oidc" "github.com/dexidp/dex/connector/oidc"
"github.com/dexidp/dex/connector/saml" "github.com/dexidp/dex/connector/saml"
"github.com/dexidp/dex/storage" "github.com/dexidp/dex/storage"
"github.com/dexidp/dex/connector/keystone"
) )
// LocalConnector is the local passwordDB connector which is an internal // LocalConnector is the local passwordDB connector which is an internal
@ -456,7 +456,7 @@ func openConnector(logger logrus.FieldLogger, conn storage.Connector) (connector
f, ok := ConnectorsConfig[conn.Type] f, ok := ConnectorsConfig[conn.Type]
if !ok { if !ok {
return c, fmt.Errorf("xunknown connector type %q", conn.Type) return c, fmt.Errorf("unknown connector type %q", conn.Type)
} }
connConfig := f() connConfig := f()

1
storage/static.go
Unescape View File

@ -3,6 +3,7 @@ package storage
import ( import (
"errors" "errors"
"strings" "strings"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )

Write Preview
Loading…
Cancel
Save