k-space/dex
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Activity

keystone: test cases, refactoring and cleanup

Browse Source
This commit is contained in:
joannano 2018-12-13 12:22:53 +01:00 committed by Krzysztof Balka
parent a965365a2b
commit 88d1e2b041
10 changed files with 487 additions and 483 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.travis.yml
View File

@ -13,13 +13,14 @@ services:
- docker - docker
env: env:
- DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive - DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive DEX_KEYSTONE_URL=http://localhost:5000 DEX_KEYSTONE_ADMIN_URL=http://localhost:35357
install: install:
- sudo -E apt-get install -y --force-yes slapd time ldap-utils - sudo -E apt-get install -y --force-yes slapd time ldap-utils
- sudo /etc/init.d/slapd stop - sudo /etc/init.d/slapd stop
- docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9 - docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9
- docker run -d -p 0.0.0.0:5000:5000 -p 0.0.0.0:35357:35357 openio/openstack-keystone
- sleep 60s
script: script:
- make testall - make testall

9
Dockerfile
View File

@ -11,12 +11,15 @@ FROM alpine:3.8
# experience when this doesn't work out of the box. # experience when this doesn't work out of the box.
# #
# OpenSSL is required so wget can query HTTPS endpoints for health checking. # OpenSSL is required so wget can query HTTPS endpoints for health checking.
RUN apk add --update ca-certificates openssl bash RUN apk add --update ca-certificates openssl
COPY --from=0 /go/bin/dex /usr/local/bin/dex
# Import frontend assets and set the correct CWD directory so the assets # Import frontend assets and set the correct CWD directory so the assets
# are in the default path. # are in the default path.
COPY web /web COPY web /web
WORKDIR / WORKDIR /
EXPOSE 5500-5600 ENTRYPOINT ["dex"]
CMD ["bash"]
CMD ["version"]

1
connector/connector.go
View File

@ -35,7 +35,6 @@ type Identity struct {
// //
// This data is never shared with end users, OAuth clients, or through the API. // This data is never shared with end users, OAuth clients, or through the API.
ConnectorData []byte ConnectorData []byte
Password string
} }
// PasswordConnector is an interface implemented by connectors which take a // PasswordConnector is an interface implemented by connectors which take a

185
connector/keystone/keystone.go
View File

@ -2,163 +2,186 @@
package keystone package keystone
import ( import (
"context"
"fmt"
"github.com/dexidp/dex/connector"
"github.com/sirupsen/logrus"
"encoding/json"
"net/http"
"bytes" "bytes"
"context"
"encoding/json"
"fmt"
"io/ioutil" "io/ioutil"
"net/http"
"github.com/sirupsen/logrus"
"github.com/dexidp/dex/connector"
) )
var ( var (
_ connector.PasswordConnector = &Connector{} _ connector.PasswordConnector = &keystoneConnector{}
_ connector.RefreshConnector = &Connector{} _ connector.RefreshConnector = &keystoneConnector{}
) )
// Open returns an authentication strategy using Keystone. // Open returns an authentication strategy using Keystone.
func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) { func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
return &Connector{c.Domain, c.KeystoneHost, return &keystoneConnector{c.Domain, c.KeystoneHost,
c.KeystoneUsername, c.KeystonePassword, logger}, nil c.KeystoneUsername, c.KeystonePassword, logger}, nil
} }
func (p Connector) Close() error { return nil } func (p *keystoneConnector) Close() error { return nil }
func (p Connector) Login(ctx context.Context, s connector.Scopes, username, password string) ( func (p *keystoneConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (
identity connector.Identity, validPassword bool, err error) { identity connector.Identity, validPassword bool, err error) {
response, err := p.getTokenResponse(username, password) resp, err := p.getTokenResponse(ctx, username, password)
if err != nil {
return identity, false, fmt.Errorf("keystone: error %v", err)
}
// Providing wrong password or wrong keystone URI throws error // Providing wrong password or wrong keystone URI throws error
if err == nil && response.StatusCode == 201 { if resp.StatusCode == 201 {
token := response.Header["X-Subject-Token"][0] token := resp.Header.Get("X-Subject-Token")
data, _ := ioutil.ReadAll(response.Body) data, err := ioutil.ReadAll(resp.Body)
var tokenResponse = new(TokenResponse)
err := json.Unmarshal(data, &tokenResponse)
if err != nil { if err != nil {
fmt.Printf("keystone: invalid token response: %v", err)
return identity, false, err return identity, false, err
} }
groups, err := p.getUserGroups(tokenResponse.Token.User.ID, token) defer resp.Body.Close()
var tokenResp = new(tokenResponse)
err = json.Unmarshal(data, &tokenResp)
if err != nil {
return identity, false, fmt.Errorf("keystone: invalid token response: %v", err)
}
groups, err := p.getUserGroups(ctx, tokenResp.Token.User.ID, token)
if err != nil { if err != nil {
return identity, false, err return identity, false, err
} }
identity.Username = username identity.Username = username
identity.UserID = tokenResponse.Token.User.ID identity.UserID = tokenResp.Token.User.ID
identity.Groups = groups identity.Groups = groups
return identity, true, nil return identity, true, nil
} else if err != nil {
fmt.Printf("keystone: error %v", err)
return identity, false, err
} else {
data, _ := ioutil.ReadAll(response.Body)
fmt.Println(string(data))
return identity, false, err
} }
return identity, false, nil return identity, false, nil
} }
func (p Connector) Prompt() string { return "username" } func (p *keystoneConnector) Prompt() string { return "username" }
func (p Connector) Refresh( func (p *keystoneConnector) Refresh(
ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) { ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {
if len(identity.ConnectorData) == 0 { token, err := p.getAdminToken(ctx)
return identity, nil if err != nil {
return identity, fmt.Errorf("keystone: failed to obtain admin token: %v", err)
} }
token, err := p.getAdminToken() ok, err := p.checkIfUserExists(ctx, identity.UserID, token)
if err != nil { if err != nil {
fmt.Printf("keystone: failed to obtain admin token")
return identity, err return identity, err
} }
ok := p.checkIfUserExists(identity.UserID, token)
if !ok { if !ok {
fmt.Printf("keystone: user %q does not exist\n", identity.UserID)
return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID) return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
} }
groups, err := p.getUserGroups(identity.UserID, token) groups, err := p.getUserGroups(ctx, identity.UserID, token)
if err != nil { if err != nil {
fmt.Printf("keystone: Failed to fetch user %q groups", identity.UserID) return identity, err
return identity, fmt.Errorf("keystone: failed to fetch user %q groups", identity.UserID)
} }
identity.Groups = groups identity.Groups = groups
fmt.Printf("Identity data after use of refresh token: %v", identity)
return identity, nil return identity, nil
} }
func (p *keystoneConnector) getTokenResponse(ctx context.Context, username, pass string) (response *http.Response, err error) {
func (p Connector) getTokenResponse(username, password string) (response *http.Response, err error) { client := &http.Client{}
jsonData := LoginRequestData{ jsonData := loginRequestData{
Auth: Auth{ auth: auth{
Identity: Identity{ Identity: identity{
Methods:[]string{"password"}, Methods: []string{"password"},
Password: Password{ Password: password{
User: User{ User: user{
Name: username, Name: username,
Domain: Domain{ID:p.Domain}, Domain: domain{ID: p.Domain},
Password: password, Password: pass,
}, },
}, },
}, },
}, },
} }
jsonValue, _ := json.Marshal(jsonData) jsonValue, err := json.Marshal(jsonData)
loginURI := p.KeystoneHost + "/v3/auth/tokens" if err != nil {
return http.Post(loginURI, "application/json", bytes.NewBuffer(jsonValue)) return nil, err
}
authTokenURL := p.KeystoneHost + "/v3/auth/tokens/"
req, err := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(jsonValue))
if err != nil {
return nil, err
}
req.Header.Set("Content-Type", "application/json")
req = req.WithContext(ctx)
return client.Do(req)
} }
func (p Connector) getAdminToken()(string, error) { func (p *keystoneConnector) getAdminToken(ctx context.Context) (string, error) {
response, err := p.getTokenResponse(p.KeystoneUsername, p.KeystonePassword) resp, err := p.getTokenResponse(ctx, p.KeystoneUsername, p.KeystonePassword)
if err!= nil { if err != nil {
return "", err return "", err
} }
token := response.Header["X-Subject-Token"][0] token := resp.Header.Get("X-Subject-Token")
return token, nil return token, nil
} }
func (p Connector) checkIfUserExists(userID string, token string) (bool) { func (p *keystoneConnector) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) {
groupsURI := p.KeystoneHost + "/v3/users/" + userID userURL := p.KeystoneHost + "/v3/users/" + userID
client := &http.Client{} client := &http.Client{}
req, _ := http.NewRequest("GET", groupsURI, nil) req, err := http.NewRequest("GET", userURL, nil)
req.Header.Set("X-Auth-Token", token) if err != nil {
response, err := client.Do(req) return false, err
if err == nil && response.StatusCode == 200 {
return true
} }
return false
req.Header.Set("X-Auth-Token", token)
req = req.WithContext(ctx)
resp, err := client.Do(req)
if err != nil {
return false, err
}
if resp.StatusCode == 200 {
return true, nil
}
return false, err
} }
func (p Connector) getUserGroups(userID string, token string) ([]string, error) { func (p *keystoneConnector) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) {
groupsURI := p.KeystoneHost + "/v3/users/" + userID + "/groups"
client := &http.Client{} client := &http.Client{}
req, _ := http.NewRequest("GET", groupsURI, nil) groupsURL := p.KeystoneHost + "/v3/users/" + userID + "/groups"
req.Header.Set("X-Auth-Token", token)
response, err := client.Do(req)
req, err := http.NewRequest("GET", groupsURL, nil)
req.Header.Set("X-Auth-Token", token)
req = req.WithContext(ctx)
resp, err := client.Do(req)
if err != nil { if err != nil {
fmt.Printf("keystone: error while fetching user %q groups\n", userID) p.Logger.Errorf("keystone: error while fetching user %q groups\n", userID)
return nil, err return nil, err
} }
data, _ := ioutil.ReadAll(response.Body)
var groupsResponse = new(GroupsResponse) data, err := ioutil.ReadAll(resp.Body)
err = json.Unmarshal(data, &groupsResponse)
if err != nil { if err != nil {
return nil, err return nil, err
} }
groups := []string{} defer resp.Body.Close()
for _, group := range groupsResponse.Groups {
groups = append(groups, group.Name) var groupsResp = new(groupsResponse)
err = json.Unmarshal(data, &groupsResp)
if err != nil {
return nil, err
}
groups := make([]string, len(groupsResp.Groups))
for i, group := range groupsResp.Groups {
groups[i] = group.Name
} }
return groups, nil return groups, nil
} }

469
connector/keystone/keystone_test.go
View File

@ -1,227 +1,225 @@
package keystone package keystone
import ( import (
"testing"
"github.com/dexidp/dex/connector"
"fmt"
"io"
"os"
"time"
"net/http"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/client"
networktypes "github.com/docker/docker/api/types/network"
"github.com/docker/go-connections/nat"
"golang.org/x/net/context"
"bytes" "bytes"
"context"
"encoding/json" "encoding/json"
"fmt"
"io/ioutil" "io/ioutil"
"net/http"
"os"
"reflect"
"strings"
"testing"
"github.com/dexidp/dex/connector"
) )
const dockerCliVersion = "1.37" const (
adminUser = "demo"
adminPass = "DEMO_PASS"
invalidPass = "WRONG_PASS"
const exposedKeystonePort = "5000" testUser = "test_user"
const exposedKeystonePortAdmin = "35357" testPass = "test_pass"
testEmail = "test@example.com"
testGroup = "test_group"
testDomain = "default"
)
const keystoneHost = "http://localhost" var (
const keystoneURL = keystoneHost + ":" + exposedKeystonePort keystoneURL = ""
const keystoneAdminURL = keystoneHost + ":" + exposedKeystonePortAdmin keystoneAdminURL = ""
const authTokenURL = keystoneURL + "/v3/auth/tokens/" authTokenURL = ""
const userURL = keystoneAdminURL + "/v3/users/" usersURL = ""
const groupURL = keystoneAdminURL + "/v3/groups/" groupsURL = ""
)
func startKeystoneContainer() string { type userResponse struct {
ctx := context.Background() User struct {
cli, err := client.NewClientWithOpts(client.WithVersion(dockerCliVersion)) ID string `json:"id"`
} `json:"user"`
if err != nil {
fmt.Printf("Error %v", err)
return ""
}
imageName := "openio/openstack-keystone"
out, err := cli.ImagePull(ctx, imageName, types.ImagePullOptions{})
if err != nil {
fmt.Printf("Error %v", err)
return ""
}
io.Copy(os.Stdout, out)
resp, err := cli.ContainerCreate(ctx, &container.Config{
Image: imageName,
}, &container.HostConfig{
PortBindings: nat.PortMap{
"5000/tcp": []nat.PortBinding{
{
HostIP: "0.0.0.0",
HostPort: exposedKeystonePort,
},
},
"35357/tcp": []nat.PortBinding{
{
HostIP: "0.0.0.0",
HostPort: exposedKeystonePortAdmin,
},
},
},
}, &networktypes.NetworkingConfig{}, "dex_keystone_test")
if err != nil {
fmt.Printf("Error %v", err)
return ""
}
if err := cli.ContainerStart(ctx, resp.ID, types.ContainerStartOptions{}); err != nil {
panic(err)
}
fmt.Println(resp.ID)
return resp.ID
} }
func cleanKeystoneContainer(ID string) { type groupResponse struct {
ctx := context.Background() Group struct {
cli, err := client.NewClientWithOpts(client.WithVersion(dockerCliVersion)) ID string `json:"id"`
if err != nil { } `json:"group"`
fmt.Printf("Error %v", err)
return
}
duration := time.Duration(1)
if err:= cli.ContainerStop(ctx, ID, &duration); err != nil {
fmt.Printf("Error %v", err)
return
}
if err:= cli.ContainerRemove(ctx, ID, types.ContainerRemoveOptions{}); err != nil {
fmt.Printf("Error %v", err)
}
} }
func getAdminToken(admin_name, admin_pass string) (token string) { func getAdminToken(t *testing.T, adminName, adminPass string) (token, id string) {
t.Helper()
client := &http.Client{} client := &http.Client{}
jsonData := LoginRequestData{ jsonData := loginRequestData{
Auth: Auth{ auth: auth{
Identity: Identity{ Identity: identity{
Methods:[]string{"password"}, Methods: []string{"password"},
Password: Password{ Password: password{
User: User{ User: user{
Name: admin_name, Name: adminName,
Domain: Domain{ID: "default"}, Domain: domain{ID: testDomain},
Password: admin_pass, Password: adminPass,
}, },
}, },
}, },
}, },
} }
body, _ := json.Marshal(jsonData) body, err := json.Marshal(jsonData)
if err != nil {
t.Fatal(err)
}
req, _ := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(body)) req, err := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(body))
if err != nil {
t.Fatalf("keystone: failed to obtain admin token: %v\n", err)
}
req.Header.Set("Content-Type", "application/json") req.Header.Set("Content-Type", "application/json")
resp, _ := client.Do(req) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
token = resp.Header["X-Subject-Token"][0] token = resp.Header.Get("X-Subject-Token")
return token
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var tokenResp = new(tokenResponse)
err = json.Unmarshal(data, &tokenResp)
if err != nil {
t.Fatal(err)
}
return token, tokenResp.Token.User.ID
} }
func createUser(token, user_name, user_email, user_pass string) (string){ func createUser(t *testing.T, token, userName, userEmail, userPass string) string {
t.Helper()
client := &http.Client{} client := &http.Client{}
createUserData := CreateUserRequest{ createUserData := map[string]interface{}{
CreateUser: CreateUserForm{ "user": map[string]interface{}{
Name: user_name, "name": userName,
Email: user_email, "email": userEmail,
Enabled: true, "enabled": true,
Password: user_pass, "password": userPass,
Roles: []string{"admin"}, "roles": []string{"admin"},
}, },
} }
body, _ := json.Marshal(createUserData) body, err := json.Marshal(createUserData)
req, _ := http.NewRequest("POST", userURL, bytes.NewBuffer(body))
req.Header.Set("X-Auth-Token", token)
req.Header.Add("Content-Type", "application/json")
resp, _ := client.Do(req)
data, _ := ioutil.ReadAll(resp.Body)
var userResponse = new(UserResponse)
err := json.Unmarshal(data, &userResponse)
if err != nil { if err != nil {
fmt.Println(err) t.Fatal(err)
} }
fmt.Println(userResponse.User.ID) req, err := http.NewRequest("POST", usersURL, bytes.NewBuffer(body))
return userResponse.User.ID if err != nil {
t.Fatal(err)
} }
func deleteUser(token, id string) {
client := &http.Client{}
deleteUserURI := userURL + id
fmt.Println(deleteUserURI)
req, _ := http.NewRequest("DELETE", deleteUserURI, nil)
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
resp, _ := client.Do(req) req.Header.Add("Content-Type", "application/json")
fmt.Println(resp) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var userResp = new(userResponse)
err = json.Unmarshal(data, &userResp)
if err != nil {
t.Fatal(err)
}
return userResp.User.ID
} }
func createGroup(token, description, name string) string{ // delete group or user
func delete(t *testing.T, token, id, uri string) {
t.Helper()
client := &http.Client{} client := &http.Client{}
createGroupData := CreateGroup{ deleteURI := uri + id
CreateGroupForm{ req, err := http.NewRequest("DELETE", deleteURI, nil)
Description: description, if err != nil {
Name: name, t.Fatalf("error: %v", err)
}
req.Header.Set("X-Auth-Token", token)
client.Do(req)
}
func createGroup(t *testing.T, token, description, name string) string {
t.Helper()
client := &http.Client{}
createGroupData := map[string]interface{}{
"group": map[string]interface{}{
"name": name,
"description": description,
}, },
} }
body, _ := json.Marshal(createGroupData) body, err := json.Marshal(createGroupData)
req, _ := http.NewRequest("POST", groupURL, bytes.NewBuffer(body))
req.Header.Set("X-Auth-Token", token)
req.Header.Add("Content-Type", "application/json")
resp, _ := client.Do(req)
data, _ := ioutil.ReadAll(resp.Body)
var groupResponse = new(GroupID)
err := json.Unmarshal(data, &groupResponse)
if err != nil { if err != nil {
fmt.Println(err) t.Fatal(err)
} }
return groupResponse.Group.ID req, err := http.NewRequest("POST", groupsURL, bytes.NewBuffer(body))
} if err != nil {
t.Fatal(err)
func addUserToGroup(token, groupId, userId string) { }
uri := groupURL + groupId + "/users/" + userId
client := &http.Client{}
req, _ := http.NewRequest("PUT", uri, nil)
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
resp, _ := client.Do(req) req.Header.Add("Content-Type", "application/json")
fmt.Println(resp) resp, err := client.Do(req)
if err != nil {
t.Fatal(err)
}
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
var groupResp = new(groupResponse)
err = json.Unmarshal(data, &groupResp)
if err != nil {
t.Fatal(err)
}
return groupResp.Group.ID
} }
const adminUser = "demo" func addUserToGroup(t *testing.T, token, groupID, userID string) error {
const adminPass = "DEMO_PASS" t.Helper()
const invalidPass = "WRONG_PASS" uri := groupsURL + groupID + "/users/" + userID
client := &http.Client{}
const testUser = "test_user" req, err := http.NewRequest("PUT", uri, nil)
const testPass = "test_pass" if err != nil {
const testEmail = "test@example.com" return err
}
const domain = "default" req.Header.Set("X-Auth-Token", token)
client.Do(req)
return nil
}
func TestIncorrectCredentialsLogin(t *testing.T) { func TestIncorrectCredentialsLogin(t *testing.T) {
c := Connector{KeystoneHost: keystoneURL, Domain: domain, c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass} KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true} s := connector.Scopes{OfflineAccess: true, Groups: true}
_, validPW, _ := c.Login(context.Background(), s, adminUser, invalidPass) _, validPW, err := c.Login(context.Background(), s, adminUser, invalidPass)
if err != nil {
t.Fatal(err.Error())
}
if validPW { if validPW {
t.Fail() t.Fail()
@ -229,47 +227,132 @@ func TestIncorrectCredentialsLogin(t *testing.T) {
} }
func TestValidUserLogin(t *testing.T) { func TestValidUserLogin(t *testing.T) {
token := getAdminToken(adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(token, testUser, testEmail, testPass) userID := createUser(t, token, testUser, testEmail, testPass)
c := Connector{KeystoneHost: keystoneURL, Domain: domain, c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass} KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true} s := connector.Scopes{OfflineAccess: true, Groups: true}
_, validPW, _ := c.Login(context.Background(), s, testUser, testPass) identity, validPW, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
t.Log(identity)
if !validPW { if !validPW {
t.Fail() t.Fail()
} }
deleteUser(token, userID) delete(t, token, userID, usersURL)
} }
func TestUseRefreshToken(t *testing.T) { func TestUseRefreshToken(t *testing.T) {
t.Fatal("Not implemented") token, adminID := getAdminToken(t, adminUser, adminPass)
groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, adminID)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, adminUser, adminPass)
if err != nil {
t.Fatal(err.Error())
}
identityRefresh, err := c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, groupID, groupsURL)
expectEquals(t, 1, len(identityRefresh.Groups))
expectEquals(t, testGroup, string(identityRefresh.Groups[0]))
} }
func TestUseRefreshTokenUserDeleted(t *testing.T){ func TestUseRefreshTokenUserDeleted(t *testing.T) {
t.Fatal("Not implemented") token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
_, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, userID, usersURL)
_, err = c.Refresh(context.Background(), s, identityLogin)
if !strings.Contains(err.Error(), "does not exist") {
t.Errorf("unexpected error: %s", err.Error())
}
} }
func TestUseRefreshTokenGroupsChanged(t *testing.T){ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
t.Fatal("Not implemented") token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := keystoneConnector{KeystoneHost: keystoneURL, Domain: testDomain,
KeystoneUsername: adminUser, KeystonePassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil {
t.Fatal(err.Error())
}
identityRefresh, err := c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
expectEquals(t, 0, len(identityRefresh.Groups))
groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, userID)
identityRefresh, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil {
t.Fatal(err.Error())
}
delete(t, token, groupID, groupsURL)
delete(t, token, userID, usersURL)
expectEquals(t, 1, len(identityRefresh.Groups))
} }
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
dockerID := startKeystoneContainer() keystoneURLEnv := "DEX_KEYSTONE_URL"
repeats := 10 keystoneAdminURLEnv := "DEX_KEYSTONE_ADMIN_URL"
running := false keystoneURL = os.Getenv(keystoneURLEnv)
for i := 0; i < repeats; i++ { if keystoneURL == "" {
_, err := http.Get(keystoneURL) fmt.Printf("variable %q not set, skipping keystone connector tests\n", keystoneURLEnv)
if err == nil { return
running = true
break
} }
time.Sleep(10 * time.Second) keystoneAdminURL := os.Getenv(keystoneAdminURLEnv)
if keystoneAdminURL == "" {
fmt.Printf("variable %q not set, skipping keystone connector tests\n", keystoneAdminURLEnv)
return
} }
if !running { authTokenURL = keystoneURL + "/v3/auth/tokens/"
fmt.Printf("Failed to start keystone container") fmt.Printf("Auth token url %q\n", authTokenURL)
os.Exit(1) fmt.Printf("Keystone URL %q\n", keystoneURL)
} usersURL = keystoneAdminURL + "/v3/users/"
defer cleanKeystoneContainer(dockerID) groupsURL = keystoneAdminURL + "/v3/groups/"
// run all tests // run all tests
m.Run() m.Run()
} }
func expectEquals(t *testing.T, a interface{}, b interface{}) {
if !reflect.DeepEqual(a, b) {
t.Errorf("Expected %v to be equal %v", a, b)
}
}

117
connector/keystone/types.go
View File

@ -4,7 +4,7 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
type Connector struct { type keystoneConnector struct {
Domain string Domain string
KeystoneHost string KeystoneHost string
KeystoneUsername string KeystoneUsername string
@ -12,21 +12,29 @@ type Connector struct {
Logger logrus.FieldLogger Logger logrus.FieldLogger
} }
type ConnectorData struct { type userKeystone struct {
AccessToken string `json:"accessToken"` Domain domainKeystone `json:"domain"`
}
type KeystoneUser struct {
Domain KeystoneDomain `json:"domain"`
ID string `json:"id"` ID string `json:"id"`
Name string `json:"name"` Name string `json:"name"`
} }
type KeystoneDomain struct { type domainKeystone struct {
ID string `json:"id"` ID string `json:"id"`
Name string `json:"name"` Name string `json:"name"`
} }
// Config holds the configuration parameters for Keystone connector.
// Keystone should expose API v3
// An example config:
// connectors:
// type: keystone
// id: keystone
// name: Keystone
// config:
// keystoneHost: http://example:5000
// domain: default
// keystoneUsername: demo
// keystonePassword: DEMO_PASS
type Config struct { type Config struct {
Domain string `json:"domain"` Domain string `json:"domain"`
KeystoneHost string `json:"keystoneHost"` KeystoneHost string `json:"keystoneHost"`
@ -34,103 +42,46 @@ type Config struct {
KeystonePassword string `json:"keystonePassword"` KeystonePassword string `json:"keystonePassword"`
} }
type LoginRequestData struct { type loginRequestData struct {
Auth `json:"auth"` auth `json:"auth"`
} }
type Auth struct { type auth struct {
Identity `json:"identity"` Identity identity `json:"identity"`
} }
type Identity struct { type identity struct {
Methods []string `json:"methods"` Methods []string `json:"methods"`
Password `json:"password"` Password password `json:"password"`
} }
type Password struct { type password struct {
User `json:"user"` User user `json:"user"`
} }
type User struct { type user struct {
Name string `json:"name"` Name string `json:"name"`
Domain `json:"domain"` Domain domain `json:"domain"`
Password string `json:"password"` Password string `json:"password"`
} }
type Domain struct { type domain struct {
ID string `json:"id"` ID string `json:"id"`
} }
type Token struct { type token struct {
IssuedAt string `json:"issued_at"` User userKeystone `json:"user"`
Extras map[string]interface{} `json:"extras"`
Methods []string `json:"methods"`
ExpiresAt string `json:"expires_at"`
User KeystoneUser `json:"user"`
} }
type TokenResponse struct { type tokenResponse struct {
Token Token `json:"token"` Token token `json:"token"`
} }
type CreateUserRequest struct { type group struct {
CreateUser CreateUserForm `json:"user"`
}
type CreateUserForm struct {
Name string `json:"name"`
Email string `json:"email"`
Enabled bool `json:"enabled"`
Password string `json:"password"`
Roles []string `json:"roles"`
}
type UserResponse struct {
User CreateUserResponse `json:"user"`
}
type CreateUserResponse struct {
Username string `json:"username"`
Name string `json:"name"`
Roles []string `json:"roles"`
Enabled bool `json:"enabled"`
Options string `json:"options"`
ID string `json:"id"` ID string `json:"id"`
Email string `json:"email"`
}
type CreateGroup struct {
Group CreateGroupForm `json:"group"`
}
type CreateGroupForm struct {
Description string `json:"description"`
Name string `json:"name"` Name string `json:"name"`
} }
type GroupID struct { type groupsResponse struct {
Group GroupIDForm `json:"group"` Groups []group `json:"groups"`
}
type GroupIDForm struct {
ID string `json:"id"`
}
type Links struct {
Self string `json:"self"`
Previous string `json:"previous"`
Next string `json:"next"`
}
type Group struct {
DomainID string `json:"domain_id`
Description string `json:"description"`
ID string `json:"id"`
Links Links `json:"links"`
Name string `json:"name"`
}
type GroupsResponse struct {
Links Links `json:"links"`
Groups []Group `json:"groups"`
} }

55
examples/config-keystone.yaml
View File

@ -1,55 +0,0 @@
# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://0.0.0.0:5556/dex
# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the storage document at Documentation/storage.md for further information.
storage:
type: sqlite3
config:
file: examples/dex.db #be in the dex directory, else change path here
# Configuration for the HTTP endpoints.
web:
https: 0.0.0.0:5556
# Uncomment for HTTPS options.
# https: 127.0.0.1:5554
tlsCert: ./ssl/dex.crt
tlsKey: ./ssl/dex.key
# Configuration for telemetry
telemetry:
http: 0.0.0.0:5558
oauth2:
responseTypes: ["id_token"]
# Instead of reading from an external storage, use this list of clients.
staticClients:
- id: example-app
redirectURIs:
- 'http://127.0.0.1:5555/callback'
name: 'Example App'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
#Provide Keystone connector and its config here
# /v3/auth/tokens
connectors:
- type: keystone
id: keystone
name: Keystone
config:
keystoneHost: http://localhost:5000
domain: default
keystoneUsername: demo
keystonePassword: DEMO_PASS
# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true
oauth2:
skipApprovalScreen: true

6
server/handlers.go
View File

@ -211,7 +211,6 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
} }
authReqID := r.FormValue("req") authReqID := r.FormValue("req")
s.logger.Errorf("Auth req id %v", authReqID)
authReq, err := s.storage.GetAuthRequest(authReqID) authReq, err := s.storage.GetAuthRequest(authReqID)
if err != nil { if err != nil {
@ -346,7 +345,7 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.") s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
return return
} }
s.logger.Errorf("2Failed to get auth request: %v", err) s.logger.Errorf("Failed to get auth request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Database error.") s.renderError(w, http.StatusInternalServerError, "Database error.")
return return
} }
@ -358,7 +357,6 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
} }
conn, err := s.getConnector(authReq.ConnectorID) conn, err := s.getConnector(authReq.ConnectorID)
s.logger.Errorf("X Connector %v", conn)
if err != nil { if err != nil {
s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err) s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err)
s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.") s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
@ -437,7 +435,7 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) { func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
authReq, err := s.storage.GetAuthRequest(r.FormValue("req")) authReq, err := s.storage.GetAuthRequest(r.FormValue("req"))
if err != nil { if err != nil {
s.logger.Errorf("3Failed to get auth request: %v", err) s.logger.Errorf("Failed to get auth request: %v", err)
s.renderError(w, http.StatusInternalServerError, "Database error.") s.renderError(w, http.StatusInternalServerError, "Database error.")
return return
} }

4
server/server.go
View File

@ -27,6 +27,7 @@ import (
"github.com/dexidp/dex/connector/bitbucketcloud" "github.com/dexidp/dex/connector/bitbucketcloud"
"github.com/dexidp/dex/connector/github" "github.com/dexidp/dex/connector/github"
"github.com/dexidp/dex/connector/gitlab" "github.com/dexidp/dex/connector/gitlab"
"github.com/dexidp/dex/connector/keystone"
"github.com/dexidp/dex/connector/ldap" "github.com/dexidp/dex/connector/ldap"
"github.com/dexidp/dex/connector/linkedin" "github.com/dexidp/dex/connector/linkedin"
"github.com/dexidp/dex/connector/microsoft" "github.com/dexidp/dex/connector/microsoft"
@ -34,7 +35,6 @@ import (
"github.com/dexidp/dex/connector/oidc" "github.com/dexidp/dex/connector/oidc"
"github.com/dexidp/dex/connector/saml" "github.com/dexidp/dex/connector/saml"
"github.com/dexidp/dex/storage" "github.com/dexidp/dex/storage"
"github.com/dexidp/dex/connector/keystone"
) )
// LocalConnector is the local passwordDB connector which is an internal // LocalConnector is the local passwordDB connector which is an internal
@ -456,7 +456,7 @@ func openConnector(logger logrus.FieldLogger, conn storage.Connector) (connector
f, ok := ConnectorsConfig[conn.Type] f, ok := ConnectorsConfig[conn.Type]
if !ok { if !ok {
return c, fmt.Errorf("xunknown connector type %q", conn.Type) return c, fmt.Errorf("unknown connector type %q", conn.Type)
} }
connConfig := f() connConfig := f()

1
storage/static.go
View File

@ -3,6 +3,7 @@ package storage
import ( import (
"errors" "errors"
"strings" "strings"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )