globuzma/canaille-globuzma
1
0
Fork 0
forked from Github-Mirrors/canaille
Code Pull requests Activity

Creates a OIDC configuration section for all the OIDC related entries

Browse source
This commit is contained in:
Éloi Rivard 2023-04-10 16:24:43 +02:00
parent 8b0dbf2d55
commit 61f5d25f2f
16 changed files with 136 additions and 107 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
canaille/__init__.py
View file

@ -36,7 +36,7 @@ def setup_config(app, config=None, validate=True):
"Either create conf/config.toml or set the 'CONFIG' variable environment."
)
if app.debug and "JWT" in app.config: # pragma: no cover
if app.debug and "OIDC" in app.config: # pragma: no cover
import canaille.oidc.installation
canaille.oidc.installation.setup_keypair(app.config)

16
canaille/app/configuration.py
View file

@ -23,14 +23,22 @@ def validate(config, validate_remote=False):
def validate_keypair(config):
if "JWT" in config and not os.path.exists(config["JWT"]["PUBLIC_KEY"]):
if (
"OIDC" in config
and "JWT" in config["OIDC"]
and not os.path.exists(config["OIDC"]["JWT"]["PUBLIC_KEY"])
):
raise ConfigurationException(
f'Public key does not exist {config["JWT"]["PUBLIC_KEY"]}'
f'Public key does not exist {config["OIDC"]["JWT"]["PUBLIC_KEY"]}'
)
if "JWT" in config and not os.path.exists(config["JWT"]["PRIVATE_KEY"]):
if (
"OIDC" in config
and "JWT" in config["OIDC"]
and not os.path.exists(config["OIDC"]["JWT"]["PRIVATE_KEY"])
):
raise ConfigurationException(
f'Private key does not exist {config["JWT"]["PRIVATE_KEY"]}'
f'Private key does not exist {config["OIDC"]["JWT"]["PRIVATE_KEY"]}'
)

28
canaille/conf/config.sample.toml
View file

@ -25,17 +25,6 @@ SECRET_KEY = "change me before you go in production"
# If unset, language is detected
# LANGUAGE = "en"
# Wether a token is needed for the RFC7591 dynamical client registration.
# If true, no token is needed to register a client.
# If false, dynamical client registration needs a token defined
# in OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS
# OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN = false
# A list of tokens that can be used for dynamic client registration
# OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
# "xxxxxxx-yyyyyyy-zzzzzz",
# ]
# If you have a sentry instance, you can set its dsn here:
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
@ -163,10 +152,23 @@ PERMISSIONS = [
]
WRITE = ["groups"]
[OIDC]
# Wether a token is needed for the RFC7591 dynamical client registration.
# If true, no token is needed to register a client.
# If false, dynamical client registration needs a token defined
# in DYNAMIC_CLIENT_REGISTRATION_TOKENS
# DYNAMIC_CLIENT_REGISTRATION_OPEN = false
# A list of tokens that can be used for dynamic client registration
# DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
# "xxxxxxx-yyyyyyy-zzzzzz",
# ]
# The jwt configuration. You can generate a RSA keypair with:
# openssl genrsa -out private.pem 4096
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
[JWT]
[OIDC.JWT]
# The path to the private key.
PRIVATE_KEY = "canaille/conf/private.pem"
# The path to the public key.
@ -180,7 +182,7 @@ PUBLIC_KEY = "canaille/conf/public.pem"
# The time the JWT will be valid, in seconds
# EXP = 3600
[JWT.MAPPING]
[OIDC.JWT.MAPPING]
# Mapping between JWT fields and LDAP attributes from your
# User objectClass.
# {attribute} will be replaced by the user ldap attribute value.

6
canaille/oidc/endpoints.py
View file

@ -44,7 +44,7 @@ bp = Blueprint("endpoints", __name__, url_prefix="/oauth")
def get_public_key():
with open(current_app.config["JWT"]["PUBLIC_KEY"]) as fd:
with open(current_app.config["OIDC"]["JWT"]["PUBLIC_KEY"]) as fd:
return fd.read()
@ -229,8 +229,8 @@ def client_registration_management(client_id):
@bp.route("/jwks.json")
def jwks():
kty = current_app.config["JWT"].get("KTY", DEFAULT_JWT_KTY)
alg = current_app.config["JWT"].get("ALG", DEFAULT_JWT_ALG)
kty = current_app.config["OIDC"]["JWT"].get("KTY", DEFAULT_JWT_KTY)
alg = current_app.config["OIDC"]["JWT"].get("ALG", DEFAULT_JWT_ALG)
jwk = JsonWebKey.import_key(get_public_key(), {"kty": kty})
return jsonify(
{

8
canaille/oidc/installation.py
View file

@ -26,8 +26,8 @@ def setup_ldap_tree(config):
def setup_keypair(config):
if os.path.exists(config["JWT"]["PUBLIC_KEY"]) or os.path.exists(
config["JWT"]["PRIVATE_KEY"]
if os.path.exists(config["OIDC"]["JWT"]["PUBLIC_KEY"]) or os.path.exists(
config["OIDC"]["JWT"]["PRIVATE_KEY"]
):
return
@ -43,10 +43,10 @@ def setup_keypair(config):
crypto_serialization.Encoding.OpenSSH, crypto_serialization.PublicFormat.OpenSSH
)
with open(config["JWT"]["PUBLIC_KEY"], "wb") as fd:
with open(config["OIDC"]["JWT"]["PUBLIC_KEY"], "wb") as fd:
fd.write(public_key)
with open(config["JWT"]["PRIVATE_KEY"], "wb") as fd:
with open(config["OIDC"]["JWT"]["PRIVATE_KEY"], "wb") as fd:
fd.write(private_key)

20
canaille/oidc/oauth.py
View file

@ -48,8 +48,8 @@ def exists_nonce(nonce, req):
def get_issuer():
if current_app.config["JWT"].get("ISS"):
return current_app.config["JWT"].get("ISS")
if current_app.config["OIDC"]["JWT"].get("ISS"):
return current_app.config["OIDC"]["JWT"].get("ISS")
if current_app.config.get("SERVER_NAME"):
return current_app.config.get("SERVER_NAME")
@ -58,12 +58,12 @@ def get_issuer():
def get_jwt_config(grant):
with open(current_app.config["JWT"]["PRIVATE_KEY"]) as pk:
with open(current_app.config["OIDC"]["JWT"]["PRIVATE_KEY"]) as pk:
return {
"key": pk.read(),
"alg": current_app.config["JWT"].get("ALG", DEFAULT_JWT_ALG),
"alg": current_app.config["OIDC"]["JWT"].get("ALG", DEFAULT_JWT_ALG),
"iss": get_issuer(),
"exp": current_app.config["JWT"].get("EXP", DEFAULT_JWT_EXP),
"exp": current_app.config["OIDC"]["JWT"].get("EXP", DEFAULT_JWT_EXP),
}
@ -103,7 +103,9 @@ def generate_user_info(user, scope):
def generate_user_claims(user, claims, jwt_mapping_config=None):
jwt_mapping_config = jwt_mapping_config or current_app.config["JWT"]["MAPPING"]
jwt_mapping_config = (
jwt_mapping_config or current_app.config["OIDC"]["JWT"]["MAPPING"]
)
data = {}
for claim in claims:
@ -306,7 +308,7 @@ class IntrospectionEndpoint(_IntrospectionEndpoint):
class ClientManagementMixin:
def authenticate_token(self, request):
if current_app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN", False):
if current_app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN", False):
return True
auth_header = request.headers.get("Authorization")
@ -315,7 +317,7 @@ class ClientManagementMixin:
bearer_token = auth_header.split()[1]
if bearer_token not in current_app.config.get(
"OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS", []
"DYNAMIC_CLIENT_REGISTRATION_TOKENS", []
):
return None
@ -330,7 +332,7 @@ class ClientManagementMixin:
def resolve_public_key(self, request):
# At the moment the only keypair accepted in software statement
# is the one used to isues JWTs. This might change somedays.
with open(current_app.config["JWT"]["PUBLIC_KEY"], "rb") as fd:
with open(current_app.config["OIDC"]["JWT"]["PUBLIC_KEY"], "rb") as fd:
return fd.read()

27
demo/conf-docker/canaille.toml
View file

@ -25,17 +25,6 @@ FAVICON = "/static/img/canaille-c.png"
# If unset, language is detected
# LANGUAGE = "en"
# Wether a token is needed for the RFC7591 dynamical client registration.
# If true, no token is needed to register a client.
# If false, dynamical client registration needs a token defined
# in OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS
OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN = true
# A list of tokens that can be used for dynamic client registration
OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
"xxxxxxx-yyyyyyy-zzzzzz",
]
# If you have a sentry instance, you can set its dsn here:
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
@ -169,10 +158,22 @@ FILTER = "memberof=cn=moderators,ou=groups,dc=mydomain,dc=tld"
PERMISSIONS = ["manage_users", "manage_groups", "delete_account"]
WRITE = ["groups"]
[OIDC]
# Wether a token is needed for the RFC7591 dynamical client registration.
# If true, no token is needed to register a client.
# If false, dynamical client registration needs a token defined
# in DYNAMIC_CLIENT_REGISTRATION_TOKENS
DYNAMIC_CLIENT_REGISTRATION_OPEN = true
# A list of tokens that can be used for dynamic client registration
DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
"xxxxxxx-yyyyyyy-zzzzzz",
]
# The jwt configuration. You can generate a RSA keypair with:
# openssl genrsa -out private.pem 4096
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
[JWT]
[OIDC.JWT]
# The path to the private key.
PRIVATE_KEY = "conf/private.pem"
# The path to the public key.
@ -186,7 +187,7 @@ PUBLIC_KEY = "conf/public.pem"
# The time the JWT will be valid, in seconds
# EXP = 3600
[JWT.MAPPING]
[OIDC.JWT.MAPPING]
# Mapping between JWT fields and LDAP attributes from your
# User objectClass.
# {attribute} will be replaced by the user ldap attribute value.

28
demo/conf/canaille.toml
View file

@ -25,17 +25,6 @@ FAVICON = "/static/img/canaille-c.png"
# If unset, language is detected
# LANGUAGE = "en"
# Wether a token is needed for the RFC7591 dynamical client registration.
# If true, no token is needed to register a client.
# If false, dynamical client registration needs a token defined
# in OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS
OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN = true
# A list of tokens that can be used for dynamic client registration
OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
"xxxxxxx-yyyyyyy-zzzzzz",
]
# If you have a sentry instance, you can set its dsn here:
# SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
@ -172,7 +161,20 @@ WRITE = ["groups"]
# The jwt configuration. You can generate a RSA keypair with:
# openssl genrsa -out private.pem 4096
# openssl rsa -in private.pem -pubout -outform PEM -out public.pem
[JWT]
[OIDC]
# Wether a token is needed for the RFC7591 dynamical client registration.
# If true, no token is needed to register a client.
# If false, dynamical client registration needs a token defined
# in DYNAMIC_CLIENT_REGISTRATION_TOKENS
DYNAMIC_CLIENT_REGISTRATION_OPEN = true
# A list of tokens that can be used for dynamic client registration
DYNAMIC_CLIENT_REGISTRATION_TOKENS = [
"xxxxxxx-yyyyyyy-zzzzzz",
]
[OIDC.JWT]
# The path to the private key.
PRIVATE_KEY = "conf/private.pem"
# The path to the public key.
@ -186,7 +188,7 @@ PUBLIC_KEY = "conf/public.pem"
# The time the JWT will be valid, in seconds
# EXP = 3600
[JWT.MAPPING]
[OIDC.JWT.MAPPING]
# Mapping between JWT fields and LDAP attributes from your
# User objectClass.
# {attribute} will be replaced by the user ldap attribute value.

20
doc/configuration.rst
View file

@ -159,9 +159,21 @@ object that users will be able to read and/or write.
If the users has the ``manage_users`` permission, they will be able to edit those fields on other users profile.
If the list containts the special ``groups`` field, the user will be able to edit the groups he belongs to.
OIDC
----
JWT
---
:DYNAMIC_CLIENT_REGISTRATION_OPEN:
*Optional.* Wether a token is needed for the RFC7591 dynamical client registration.
If true, no token is needed to register a client.
If false, dynamical client registration needs a token defined
in `DYNAMIC_CLIENT_REGISTRATION_TOKENS``
Defaults to ``False``
:DYNAMIC_CLIENT_REGISTRATION_TOKENS:
*Optional.* A list of tokens that can be used for dynamic client registration
OIDC.JWT
--------
Canaille needs a key pair to sign the JWT. The installation command will generate a key pair for you, but you can also do it manually.
:PRIVATE_KEY:
@ -189,8 +201,8 @@ Canaille needs a key pair to sign the JWT. The installation command will generat
*Optional.* The time the JWT will be valid, in seconds.
Defaults to ``3600``
JWT.MAPPINGS
------------
OIDC.JWT.MAPPINGS
-----------------
A mapping where keys are JWT claims, and values are LDAP user object attributes.
Attributes are rendered using jinja2, and can use a ``user`` variable.

12
tests/oidc/commands/test_install.py
View file

@ -45,19 +45,19 @@ def test_setup_ldap_tree(slapd_server, configuration):
def test_install_keypair(configuration, tmpdir):
keys_dir = os.path.join(tmpdir, "keys")
os.makedirs(keys_dir)
configuration["JWT"]["PRIVATE_KEY"] = os.path.join(keys_dir, "private.pem")
configuration["JWT"]["PUBLIC_KEY"] = os.path.join(keys_dir, "public.pem")
configuration["OIDC"]["JWT"]["PRIVATE_KEY"] = os.path.join(keys_dir, "private.pem")
configuration["OIDC"]["JWT"]["PUBLIC_KEY"] = os.path.join(keys_dir, "public.pem")
assert not os.path.exists(configuration["JWT"]["PRIVATE_KEY"])
assert not os.path.exists(configuration["JWT"]["PUBLIC_KEY"])
assert not os.path.exists(configuration["OIDC"]["JWT"]["PRIVATE_KEY"])
assert not os.path.exists(configuration["OIDC"]["JWT"]["PUBLIC_KEY"])
testclient = TestApp(create_app(configuration, validate=False))
runner = testclient.app.test_cli_runner()
res = runner.invoke(cli, ["install"])
assert res.exit_code == 0, res.stdout
assert os.path.exists(configuration["JWT"]["PRIVATE_KEY"])
assert os.path.exists(configuration["JWT"]["PUBLIC_KEY"])
assert os.path.exists(configuration["OIDC"]["JWT"]["PRIVATE_KEY"])
assert os.path.exists(configuration["OIDC"]["JWT"]["PUBLIC_KEY"])
def test_install_schemas(configuration, slapd_server):

2
tests/oidc/conftest.py
View file

@ -58,6 +58,7 @@ def configuration(configuration, keypair_path):
private_key_path, public_key_path = keypair_path
conf = {
**configuration,
"OIDC": {
"JWT": {
"PUBLIC_KEY": public_key_path,
"PRIVATE_KEY": private_key_path,
@ -75,6 +76,7 @@ def configuration(configuration, keypair_path):
"ADDRESS": "{{ user.formatted_address[0] }}",
"WEBSITE": "{{ user.profile_url[0] }}",
},
}
},
}
return conf

2
tests/oidc/test_authorization_code_flow.py
View file

@ -978,7 +978,7 @@ def test_token_custom_expiration_date(testclient, logged_user, client, keypair):
"client_credentials": 4000,
"urn:ietf:params:oauth:grant-type:jwt-bearer": 5000,
}
testclient.app.config["JWT"]["EXP"] = 6000
testclient.app.config["OIDC"]["JWT"]["EXP"] = 6000
setup_oauth(testclient.app)
res = testclient.get(

8
tests/oidc/test_configuration.py
View file

@ -8,12 +8,12 @@ from canaille.oidc.oauth import get_issuer
def test_issuer(testclient):
with warnings.catch_warnings(record=True):
testclient.app.config["JWT"]["ISS"] = "https://anyauth.mydomain.tld"
testclient.app.config["OIDC"]["JWT"]["ISS"] = "https://anyauth.mydomain.tld"
testclient.app.config["SERVER_NAME"] = "https://otherauth.mydomain.tld"
with testclient.app.test_request_context("/"):
assert get_issuer() == "https://anyauth.mydomain.tld"
del testclient.app.config["JWT"]["ISS"]
del testclient.app.config["OIDC"]["JWT"]["ISS"]
with testclient.app.test_request_context("/"):
assert get_issuer() == "https://otherauth.mydomain.tld"
@ -23,7 +23,7 @@ def test_issuer(testclient):
def test_no_private_key(configuration):
configuration["JWT"]["PRIVATE_KEY"] = "invalid-path"
configuration["OIDC"]["JWT"]["PRIVATE_KEY"] = "invalid-path"
with pytest.raises(
ConfigurationException,
match=r"Private key does not exist",
@ -32,7 +32,7 @@ def test_no_private_key(configuration):
def test_no_public_key(configuration):
configuration["JWT"]["PUBLIC_KEY"] = "invalid-path"
configuration["OIDC"]["JWT"]["PUBLIC_KEY"] = "invalid-path"
with pytest.raises(
ConfigurationException,
match=r"Public key does not exist",

12
tests/oidc/test_dynamic_client_registration.py
View file

@ -7,8 +7,8 @@ from canaille.oidc.models import Client
def test_client_registration_with_authentication_static_token(
testclient, slapd_connection, client, user
):
assert not testclient.app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
assert not testclient.app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
payload = {
"redirect_uris": [
@ -58,7 +58,7 @@ def test_client_registration_with_authentication_static_token(
def test_client_registration_with_authentication_no_token(
testclient, slapd_connection, client, user
):
assert not testclient.app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN")
assert not testclient.app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN")
payload = {
"redirect_uris": [
@ -90,7 +90,7 @@ def test_client_registration_with_authentication_no_token(
def test_client_registration_with_authentication_invalid_token(
testclient, slapd_connection, client, user
):
assert not testclient.app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN")
assert not testclient.app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN")
payload = {
"redirect_uris": [
@ -116,7 +116,7 @@ def test_client_registration_with_software_statement(
testclient, slapd_connection, keypair_path
):
private_key_path, _ = keypair_path
testclient.app.config["OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN"] = True
testclient.app.config["DYNAMIC_CLIENT_REGISTRATION_OPEN"] = True
software_statement_payload = {
"software_id": "4NRB1-0XZABZI9E6-5SM3R",
@ -169,7 +169,7 @@ def test_client_registration_with_software_statement(
def test_client_registration_without_authentication_ok(testclient, slapd_connection):
testclient.app.config["OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN"] = True
testclient.app.config["DYNAMIC_CLIENT_REGISTRATION_OPEN"] = True
payload = {
"redirect_uris": [

16
tests/oidc/test_dynamic_client_registration_management.py
View file

@ -5,8 +5,8 @@ from canaille.oidc.models import Client
def test_get(testclient, slapd_connection, client, user):
assert not testclient.app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
assert not testclient.app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
headers = {"Authorization": "Bearer static-token"}
res = testclient.get(
@ -47,8 +47,8 @@ def test_get(testclient, slapd_connection, client, user):
def test_update(testclient, slapd_connection, client, user):
assert not testclient.app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
assert not testclient.app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
assert client.redirect_uris != ["https://newname.example.org/callback"]
assert client.token_endpoint_auth_method != "none"
@ -130,8 +130,8 @@ def test_update(testclient, slapd_connection, client, user):
def test_delete(testclient, slapd_connection, user):
assert not testclient.app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
assert not testclient.app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
client = Client(client_id="foobar", client_name="Some client")
client.save()
@ -145,8 +145,8 @@ def test_delete(testclient, slapd_connection, user):
def test_invalid_client(testclient, slapd_connection, user):
assert not testclient.app.config.get("OIDC_DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["OIDC_DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
assert not testclient.app.config.get("DYNAMIC_CLIENT_REGISTRATION_OPEN")
testclient.app.config["DYNAMIC_CLIENT_REGISTRATION_TOKENS"] = ["static-token"]
payload = {
"client_id": "invalid-client-id",

2
tests/oidc/test_end_session.py
View file

@ -240,7 +240,7 @@ def test_no_jwt_no_logout(testclient, slapd_connection, logged_user, client):
def test_jwt_not_issued_here(
testclient, slapd_connection, logged_user, client, id_token
):
testclient.app.config["JWT"]["ISS"] = "https://foo.bar"
testclient.app.config["OIDC"]["JWT"]["ISS"] = "https://foo.bar"
testclient.get(f"/profile/{logged_user.user_name[0]}", status=200)