
common: add issuer URI to OAuthProviderPrincipal
Motivation:

The OAuthProviderPrincipal carries information about which issuer issued
the OIDC token.  Currently, it carries only the dCache alias for that
issuer.  Downstream gPlazma plugins may wish to know the corresponding
issuer URI; i.e., the value of the 'iss' claim.

Modification:

Update the OAuthProviderPrincipal to carry the issuer URI.

Update places where the principal is created to include the issuer URI.

Some unit-tests need to be updated.

Result:

No user- or admin-observable changes; however, downstream gPlazma
plugins can now learn the issuer URI after a successful 'oidc' plugin
invocation.

Target: master
Requires-notes: no
Requires-book: no
Request: 10.1
Request: 10.0
Request: 9.2
paulmillar committed Aug 1, 2024
1 parent 725b3a6 commit 228bcec
Showing 5 changed files with 16 additions and 4 deletions.
Expand Up @@ -18,6 +18,7 @@
*/
package org.dcache.auth;

import java.net.URI;
import static java.util.Objects.requireNonNull;

import java.security.Principal;
Expand All @@ -29,16 +30,22 @@
public class OAuthProviderPrincipal implements Principal {

private final String name;
private final URI issuer;

public OAuthProviderPrincipal(String name) {
public OAuthProviderPrincipal(String name, URI issuer) {
this.name = requireNonNull(name);
this.issuer = requireNonNull(issuer);
}

@Override
public String getName() {
return name;
}

public URI getIssuer() {
return issuer;
}

@Override
public boolean equals(Object other) {
return other instanceof OAuthProviderPrincipal
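Review bot: The new `issuer` field is not visibly reflected in `equals` (its body starts at line 72 and continues outside the hunk), and `hashCode`/`toString` are not in the hunk at all; if equality still considers only `name`, two principals with the same alias but different issuer URIs compare equal and a `Set<Principal>` keeps whichever was added first, which a downstream plugin reading `getIssuer()` would not notice. Either extend `equals` with an `issuer` comparison and use `return Objects.hash(name, issuer);` in `hashCode`, or state in the class Javadoc that equality is intentionally alias-only. `getIssuer()` also lacks Javadoc; I'd add `/** Returns the issuer URI of the provider that issued the token, i.e. the expected {@code iss} claim value. */`. Minor: `import java.net.URI;` is placed before the existing `import static`, which splits the static and regular import groups.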
Expand Up @@ -199,7 +199,7 @@ public void authenticate(Set<Object> publicCredentials, Set<Object> privateCrede
checkAudience(result, identifiedPrincipals);

var idp = result.idp();
identifiedPrincipals.add(new OAuthProviderPrincipal(idp.getName()));
identifiedPrincipals.add(new OAuthProviderPrincipal(idp.getName(), idp.getIssuerEndpoint()));

Profile profile = idp.getProfile();
var profileResult = profile.processClaims(idp, result.claims());
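Review bot: `idp.getIssuerEndpoint()` now feeds `requireNonNull` in the principal constructor, so a provider without an issuer endpoint would fail here with a bare NullPointerException rather than an AuthenticationException; worth confirming that `IdentityProvider` guarantees a non-null endpoint, or checking it before this line. A short comment would also help readers, since the commit message talks about the `iss` claim while the code uses the provider's configured endpoint, e.g. `// issuer URI is the provider's configured endpoint, which presumably is what the token's 'iss' was matched against`. `authenticate` starts and ends outside the hunk.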
Expand Up @@ -32,6 +32,7 @@
*/
public class MockIdentityProviderBuilder {
private final IdentityProvider provider = mock(IdentityProvider.class);
private boolean hasEndpoint;

static public MockIdentityProviderBuilder anIp(String name) {
return new MockIdentityProviderBuilder(name);
Expand All @@ -44,6 +45,7 @@ public MockIdentityProviderBuilder(String name) {
public MockIdentityProviderBuilder withEndpoint(String endpoint) {
URI url = URI.create(endpoint);
BDDMockito.given(provider.getIssuerEndpoint()).willReturn(url);
hasEndpoint = true;
return this;
}

Expand Down Expand Up @@ -86,6 +88,9 @@ public MockIdentityProviderBuilder withSuppress(String keyword) {
}

public IdentityProvider build() {
if (!hasEndpoint) {
withEndpoint("https://example.org/");
}
return provider;
}
}
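Review bot: `build()` injects the default endpoint `https://example.org/` (with a trailing slash), while the expectation in the OidcAuthPluginTest hunk (line 130) constructs `URI.create("https://example.org")` without one; `URI.equals` is textual, so any test that relies on the builder default and compares principals would not match unless that provider sets its endpoint explicitly — worth checking the affected tests use the same string. Hoisting the literal into `private static final String DEFAULT_ENDPOINT = "https://example.org/";` and referencing it from the tests would remove the duplicated string. Stubbing the mock from inside `build()` is a little surprising for a builder; applying the default in the constructor and letting `withEndpoint` re-stub would keep `build()` side-effect free, though that depends on the stubbing semantics I cannot see here.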
Expand Up @@ -88,7 +88,7 @@ public Issuer(HttpClient client, String id, String endpoint, FsPath prefix,
String configEndpoint = sb.toString();

userIdentity = Set.copyOf(identity);
opIdentity = new OAuthProviderPrincipal(id);
opIdentity = new OAuthProviderPrincipal(id, URI.create(endpoint));

this.configuration = new HttpJsonNode(client, configEndpoint,
Duration.ofHours(1), Duration.ofSeconds(10));
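Review bot: `URI.create(endpoint)` throws an unchecked IllegalArgumentException for a syntactically invalid endpoint string, so a misconfigured issuer now aborts the `Issuer` constructor with a stack trace instead of a configuration error; consider parsing once, `URI issuerUri = URI.create(endpoint);`, wrapping the failure in an exception that names the issuer id, and reusing that value for both the principal and the config endpoint. If `sb` normalises the endpoint (for instance by appending a slash) before producing `configEndpoint`, the principal would carry the un-normalised form and might not be equal to the principal the oidc plugin builds from `idp.getIssuerEndpoint()` — worth confirming both code paths yield the same URI string. The constructor signature and the rest of its body are outside the hunk.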
Expand Up @@ -1481,7 +1481,7 @@ public void shouldAcceptWlcgProfileWithoutScope() throws Exception {
.issuedBy("OP1").usingKey("key1"));

assertThat(identifiedPrincipals, hasItems(new JwtSubPrincipal("EXAMPLE", sub),
new OidcSubjectPrincipal(sub, "EXAMPLE"), new OAuthProviderPrincipal("EXAMPLE"),
new OidcSubjectPrincipal(sub, "EXAMPLE"), new OAuthProviderPrincipal("EXAMPLE", URI.create("https://example.org")),
new JwtJtiPrincipal("EXAMPLE", jti)));
assertThat(identifiedPrincipals, not(hasItems(new UidPrincipal(1000), new GidPrincipal(1000, true))));
}
