Check for `sub` claim, not `username`, when validating
Not all IdPs provide a `username` or `email` claim in the UserInfo response, and many IdPs allow users to change their username or email address. Co-authored-by: Benjamin Foote <[email protected]>
Showing
11 changed files
with
104 additions
and
21 deletions.
@@ -47,6 +47,8 @@ vouch: | |
|
||
# whiteList (optional) allows only the listed usernames - VOUCH_WHITELIST | ||
# usernames are usually email addresses (google, most oidc providers) or login/username for github and github enterprise | ||
# if a user can change their info including email address this might be a bad idea | ||
# see https://github.com/vouch/vouch-proxy/issues/309 and https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability | ||
whiteList: | ||
- [email protected] | ||
- [email protected] | ||
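Review bot: The added comment says whitelisting by username or email "might be a bad idea" when the IdP lets users change them, but it does not state what the list is matched against after this commit — the title moves validation to the `sub` claim, while the surrounding comment (`allows only the listed usernames`) and the example entries indicate whiteList still keys on the mutable username/email value. Make the contract explicit so operators do not assume the stable identifier is used here, e.g. `# whiteList entries are compared against the username claim, not the stable sub claim; use it only with IdPs where usernames cannot be changed`. Whether the matching code was also changed is not visible on this page, so confirm the wording against the implementation.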
|
@@ -45,7 +45,12 @@ func setUp(configFile string) { | |
|
||
func TestVerifyUserPositiveUserInWhiteList(t *testing.T) { | ||
setUp("/config/testing/handler_whitelist.yml") | ||
user := &structs.User{Username: "[email protected]", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "[email protected]", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
ok, err := verifyUser(*user) | ||
assert.True(t, ok) | ||
assert.Nil(t, err) | ||
|
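Review bot: None of the rewritten `structs.User` literals exercises the case the commit message describes — every user in this hunk and the following ones carries `Sub`, `Username` and `Email` together, so a user whose IdP supplies only `sub` (no username or email claim) is never run through `verifyUser`, and there is no negative case for an empty `Sub`. Consider adding a positive test with `user := structs.User{Sub: "testsub"}` against the allow-all-users config and a negative test with `Sub: ""` asserting `ok` is false, so the new identity rule is pinned rather than inferred from the title. The same observation applies to the remaining user literals in this file and to the validate-handler tests further down, where each user is also constructed with all three fields. `verifyUser` itself is outside this page, and `TestVerifyUserPositiveUserInWhiteList` continues past the end of the hunk.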
@@ -54,7 +59,12 @@ func TestVerifyUserPositiveUserInWhiteList(t *testing.T) { | |
func TestVerifyUserPositiveAllowAllUsers(t *testing.T) { | ||
setUp("/config/testing/handler_allowallusers.yml") | ||
|
||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
|
||
ok, err := verifyUser(*user) | ||
assert.True(t, ok) | ||
|
@@ -63,7 +73,12 @@ func TestVerifyUserPositiveAllowAllUsers(t *testing.T) { | |
|
||
func TestVerifyUserPositiveByEmail(t *testing.T) { | ||
setUp("/config/testing/handler_email.yml") | ||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
ok, err := verifyUser(*user) | ||
assert.True(t, ok) | ||
assert.Nil(t, err) | ||
|
@@ -73,7 +88,12 @@ func TestVerifyUserPositiveByTeam(t *testing.T) { | |
setUp("/config/testing/handler_teams.yml") | ||
|
||
// cfg.Cfg.TeamWhiteList = append(cfg.Cfg.TeamWhiteList, "org1/team2", "org1/team1") | ||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
user.TeamMemberships = append(user.TeamMemberships, "org1/team3") | ||
user.TeamMemberships = append(user.TeamMemberships, "org1/team1") | ||
ok, err := verifyUser(*user) | ||
|
@@ -83,7 +103,12 @@ func TestVerifyUserPositiveByTeam(t *testing.T) { | |
|
||
func TestVerifyUserNegativeByTeam(t *testing.T) { | ||
setUp("/config/testing/handler_teams.yml") | ||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
// cfg.Cfg.TeamWhiteList = append(cfg.Cfg.TeamWhiteList, "org1/team1") | ||
|
||
ok, err := verifyUser(*user) | ||
|
@@ -94,7 +119,12 @@ func TestVerifyUserNegativeByTeam(t *testing.T) { | |
func TestVerifyUserPositiveNoDomainsConfigured(t *testing.T) { | ||
setUp("/config/testing/handler_nodomains.yml") | ||
|
||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
cfg.Cfg.Domains = make([]string, 0) | ||
ok, err := verifyUser(*user) | ||
|
||
|
@@ -104,7 +134,12 @@ func TestVerifyUserPositiveNoDomainsConfigured(t *testing.T) { | |
|
||
func TestVerifyUserNegative(t *testing.T) { | ||
setUp("/config/testing/test_config.yml") | ||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
ok, err := verifyUser(*user) | ||
|
||
assert.False(t, ok) | ||
|
@@ -115,6 +150,7 @@ func TestVerifyUserNegative(t *testing.T) { | |
// it should live there but circular imports are resolved if it lives here | ||
var ( | ||
u1 = structs.User{ | ||
Sub: "testsub", | ||
Username: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
|
@@ -140,6 +176,7 @@ func init() { | |
// log.SetLevel(log.DebugLevel) | ||
|
||
lc = jwtmanager.VouchClaims{ | ||
Sub: u1.Sub, | ||
Username: u1.Username, | ||
CustomClaims: customClaims.Claims, | ||
PAccessToken: t1.PAccessToken, | ||
|
@@ -28,7 +28,12 @@ import ( | |
|
||
func BenchmarkValidateRequestHandler(b *testing.B) { | ||
setUp("/config/testing/handler_email.yml") | ||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
tokens := structs.PTokens{} | ||
customClaims := structs.CustomClaims{} | ||
|
||
|
@@ -67,7 +72,12 @@ func TestValidateRequestHandlerPerf(t *testing.T) { | |
} | ||
|
||
setUp("/config/testing/handler_email.yml") | ||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
tokens := structs.PTokens{} | ||
customClaims := structs.CustomClaims{} | ||
|
||
|
@@ -155,7 +165,12 @@ func TestValidateRequestHandlerWithGroupClaims(t *testing.T) { | |
|
||
tokens := structs.PTokens{} | ||
|
||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
vpjwt, err := jwtmanager.NewVPJWT(*user, customClaims, tokens) | ||
assert.NoError(t, err) | ||
|
||
|
@@ -208,7 +223,12 @@ func TestJWTCacheHandler(t *testing.T) { | |
setUp("/config/testing/handler_logout_url.yml") | ||
handler := jwtmanager.JWTCacheHandler(http.HandlerFunc(ValidateRequestHandler)) | ||
|
||
user := &structs.User{Username: "testuser", Email: "[email protected]", Name: "Test Name"} | ||
user := &structs.User{ | ||
Sub: "testsub", | ||
Username: "testuser", | ||
Email: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
tokens := structs.PTokens{} | ||
customClaims := structs.CustomClaims{} | ||
|
||
|
@@ -24,6 +24,7 @@ import ( | |
|
||
var ( | ||
u1 = structs.User{ | ||
Sub: "testsub", | ||
Username: "[email protected]", | ||
Name: "Test Name", | ||
} | ||
|
@@ -49,6 +50,7 @@ func init() { | |
Configure() | ||
|
||
lc = VouchClaims{ | ||
u1.Sub, | ||
u1.Username, | ||
customClaims.Claims, | ||
t1.PAccessToken, | ||
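Review bot: The `lc = VouchClaims{` literal uses positional fields, which is exactly why adding `Sub` forced an edit here and why any future reordering of the struct would silently shift every value into the wrong field without a compile error. The equivalent literal in the handler test uses keyed fields (`Sub: u1.Sub, Username: u1.Username, CustomClaims: customClaims.Claims, PAccessToken: t1.PAccessToken,`); match it with `lc = VouchClaims{Sub: u1.Sub, Username: u1.Username, CustomClaims: customClaims.Claims, PAccessToken: t1.PAccessToken, …}`. The remaining fields of the literal and the rest of `init()` lie outside this hunk.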
|
@@ -171,6 +171,7 @@ func TestGetUserInfo(t *testing.T) { | |
{ | ||
"avatar_url": "avatar-url", | ||
"email": "[email protected]", | ||
"id": 123456789, | ||
"login": "myusername", | ||
"name": "name" | ||
} | ||
|
@@ -188,6 +189,7 @@ func TestGetUserInfo(t *testing.T) { | |
err := provider.GetUserInfo(nil, user, &structs.CustomClaims{}, &structs.PTokens{}) | ||
|
||
assert.Nil(t, err) | ||
assert.Equal(t, "123456789", user.Sub) | ||
assert.Equal(t, "myusername", user.Username) | ||
assert.Equal(t, []string{"myOtherOrg", "myorg/myteam"}, user.TeamMemberships) | ||
|
||
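Review bot: Only the happy path is covered: the fixture gains `"id": 123456789` and the test asserts `user.Sub == "123456789"`, but nothing checks what `GetUserInfo` does when `id` is missing or not a number, and since `sub` is now the identity the rest of the commit validates against, an empty `Sub` passing through here would be the failure mode that matters. Add a second fixture without `id` and assert whichever behaviour the provider is meant to have (an error, or an empty `Sub` that downstream validation rejects) — the provider code is outside this page, so which one applies cannot be confirmed from here. A short comment on the new assertion would also help: `// GitHub's numeric id is the stable identifier; it appears to be stringified into Sub, whereas login is user-changeable`. `TestGetUserInfo` starts before this hunk.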
|