common: add issuer URI to OAuthProviderPrincipal

Motivation: The OAuthProviderPrincipal carries information about which issuer issued the OIDC token. Currently, it carries only the dCache alias for that issuer. Downstream gPlazma plugins may wish to know the corresponding issuer URI; i.e., the value of the 'iss' claim. Modification: Update the OAuthProviderPrincipal to carry the issuer URI. Update places where the principal is created to include the issuer URI. Some unit-tests need to be updated. Result: No user- or admin observable changes; however, downstream gPlazma plugins can learn the issuer URI after a successful 'oidc' plugin invocation. Target: master Requires-notes: no Requires-book: no
paulmillar · Jul 31, 2024 · 110017e · 110017e
1 parent 725b3a6
commit 110017e
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 4 deletions.
diff --git a/modules/common/src/main/java/org/dcache/auth/OAuthProviderPrincipal.java b/modules/common/src/main/java/org/dcache/auth/OAuthProviderPrincipal.java
@@ -18,6 +18,7 @@
  */
 package org.dcache.auth;
 
+import java.net.URI;
 import static java.util.Objects.requireNonNull;
 
 import java.security.Principal;
@@ -29,16 +30,22 @@
 public class OAuthProviderPrincipal implements Principal {
 
     private final String name;
+    private final URI issuer;
 
-    public OAuthProviderPrincipal(String name) {
+    public OAuthProviderPrincipal(String name, URI issuer) {
         this.name = requireNonNull(name);
+        this.issuer = requireNonNull(issuer);
     }
 
     @Override
     public String getName() {
         return name;
     }
 
+    public URI getIssuer() {
+        return issuer;
+    }
+
     @Override
     public boolean equals(Object other) {
         return other instanceof OAuthProviderPrincipal

diff --git a/modules/gplazma2-oidc/src/main/java/org/dcache/gplazma/oidc/OidcAuthPlugin.java b/modules/gplazma2-oidc/src/main/java/org/dcache/gplazma/oidc/OidcAuthPlugin.java
@@ -199,7 +199,7 @@ public void authenticate(Set<Object> publicCredentials, Set<Object> privateCrede
             checkAudience(result, identifiedPrincipals);
 
             var idp = result.idp();
-            identifiedPrincipals.add(new OAuthProviderPrincipal(idp.getName()));
+            identifiedPrincipals.add(new OAuthProviderPrincipal(idp.getName(), idp.getIssuerEndpoint()));
 
             Profile profile = idp.getProfile();
             var profileResult = profile.processClaims(idp, result.claims());

diff --git a/modules/gplazma2-oidc/src/test/java/org/dcache/gplazma/oidc/MockIdentityProviderBuilder.java b/modules/gplazma2-oidc/src/test/java/org/dcache/gplazma/oidc/MockIdentityProviderBuilder.java
@@ -32,6 +32,7 @@
  */
 public class MockIdentityProviderBuilder {
     private final IdentityProvider provider = mock(IdentityProvider.class);
+    private boolean hasEndpoint;
 
     static public MockIdentityProviderBuilder anIp(String name) {
         return new MockIdentityProviderBuilder(name);
@@ -44,6 +45,7 @@ public MockIdentityProviderBuilder(String name) {
     public MockIdentityProviderBuilder withEndpoint(String endpoint) {
         URI url = URI.create(endpoint);
         BDDMockito.given(provider.getIssuerEndpoint()).willReturn(url);
+        hasEndpoint = true;
         return this;
     }
 
@@ -86,6 +88,9 @@ public MockIdentityProviderBuilder withSuppress(String keyword) {
     }
 
     public IdentityProvider build() {
+        if (!hasEndpoint) {
+            withEndpoint("https://example.org/");
+        }
         return provider;
     }
 }
diff --git a/modules/gplazma2-scitoken/src/main/java/org/dcache/gplazma/scitoken/Issuer.java b/modules/gplazma2-scitoken/src/main/java/org/dcache/gplazma/scitoken/Issuer.java
@@ -88,7 +88,7 @@ public Issuer(HttpClient client, String id, String endpoint, FsPath prefix,
         String configEndpoint = sb.toString();
 
         userIdentity = Set.copyOf(identity);
-        opIdentity = new OAuthProviderPrincipal(id);
+        opIdentity = new OAuthProviderPrincipal(id, URI.create(endpoint));
 
         this.configuration = new HttpJsonNode(client, configEndpoint,
               Duration.ofHours(1), Duration.ofSeconds(10));

diff --git a/modules/gplazma2-scitoken/src/test/java/org/dcache/gplazma/scitoken/SciTokenPluginTest.java b/modules/gplazma2-scitoken/src/test/java/org/dcache/gplazma/scitoken/SciTokenPluginTest.java
@@ -1481,7 +1481,7 @@ public void shouldAcceptWlcgProfileWithoutScope() throws Exception {
                 .issuedBy("OP1").usingKey("key1"));
 
         assertThat(identifiedPrincipals, hasItems(new JwtSubPrincipal("EXAMPLE", sub),
-                new OidcSubjectPrincipal(sub, "EXAMPLE"), new OAuthProviderPrincipal("EXAMPLE"),
+                new OidcSubjectPrincipal(sub, "EXAMPLE"), new OAuthProviderPrincipal("EXAMPLE", URI.create("https://example.org")),
                 new JwtJtiPrincipal("EXAMPLE", jti)));
         assertThat(identifiedPrincipals, not(hasItems(new UidPrincipal(1000), new GidPrincipal(1000, true))));
     }