[iam] basic state param encoding

AlexTugarev · AlexTugarev · commit 1a637cae12c4 · 2022-12-19T12:58:37.000Z
diff --git a/components/iam/pkg/oidc/oauth2.go b/components/iam/pkg/oidc/oauth2.go
@@ -13,8 +13,16 @@ import (
 )
 
 type OAuth2Result struct {
+	ClientID    string
 	OAuth2Token *oauth2.Token
-	Redirect    string
+	RedirectURL string
+}
+
+type StateParam struct {
+	// Internal client ID
+	ClientId string `json:"clientId"`
+
+	RedirectURL string `json:"redirectUrl"`
 }
 
 type keyOAuth2Result struct{}
@@ -47,6 +55,12 @@ func OAuth2Middleware(next http.Handler) http.Handler {
 			return
 		}
 
+		state, err := decodeStateParam(stateParam)
+		if err != nil {
+			http.Error(rw, "bad state param", http.StatusBadRequest)
+			return
+		}
+
 		code := r.URL.Query().Get("code")
 		if code == "" {
 			http.Error(rw, "code param not found", http.StatusBadRequest)
@@ -61,6 +75,8 @@ func OAuth2Middleware(next http.Handler) http.Handler {
 
 		ctx = context.WithValue(ctx, keyOAuth2Result{}, OAuth2Result{
 			OAuth2Token: oauth2Token,
+			RedirectURL: state.RedirectURL,
+			ClientID:    state.ClientId,
 		})
 		next.ServeHTTP(rw, r.WithContext(ctx))
 	})
diff --git a/components/iam/pkg/oidc/service.go b/components/iam/pkg/oidc/service.go
@@ -5,15 +5,17 @@
 package oidc
 
 import (
+	"bytes"
 	"context"
 	"crypto/rand"
 	"encoding/base64"
+	"encoding/json"
 	"errors"
 	"io"
 	"net/http"
+	"strings"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gitpod-io/gitpod/common-go/log"
 	"github.com/go-chi/chi/v5"
 	"golang.org/x/oauth2"
 )
@@ -67,13 +69,18 @@ func (service *OIDCService) AddClientConfig(config *OIDCClientConfig) error {
 }
 
 func (service *OIDCService) GetStartParams(config *OIDCClientConfig) (*OIDCStartParams, error) {
-	// TODO(at) state should be a JWT encoding a redirect location
-	// Using a random string to get the flow running.
-	state, err := randString(32)
+	// state is supposed to a) be present on client request as cookie header
+	// and b) to be mirrored by the IdP on callback requests.
+	stateParam := StateParam{
+		ClientId:    config.ID,
+		RedirectURL: config.OAuth2Config.RedirectURL,
+	}
+	state, err := encodeStateParam(stateParam)
 	if err != nil {
-		return nil, errors.New("failed to create state")
+		return nil, errors.New("failed to encode state")
 	}
 
+	// number used once
 	nonce, err := randString(32)
 	if err != nil {
 		return nil, errors.New("failed to create nonce")
@@ -89,6 +96,25 @@ func (service *OIDCService) GetStartParams(config *OIDCClientConfig) (*OIDCStart
 	}, nil
 }
 
+// TODO(at) state should be a JWT encoding a redirect location
+// For now, just use base64
+func encodeStateParam(state StateParam) (string, error) {
+	var buf bytes.Buffer
+	encoder := base64.NewEncoder(base64.StdEncoding, &buf)
+	err := json.NewEncoder(encoder).Encode(state)
+	if err != nil {
+		return "", err
+	}
+	encoder.Close()
+	return buf.String(), nil
+}
+
+func decodeStateParam(encoded string) (StateParam, error) {
+	var result StateParam
+	err := json.NewDecoder(base64.NewDecoder(base64.StdEncoding, strings.NewReader(encoded))).Decode(&result)
+	return result, err
+}
+
 func randString(size int) (string, error) {
 	b := make([]byte, size)
 	if _, err := io.ReadFull(rand.Reader, b); err != nil {
@@ -99,18 +125,30 @@ func randString(size int) (string, error) {
 
 func (service *OIDCService) GetClientConfigFromRequest(r *http.Request) (*OIDCClientConfig, error) {
 	issuerParam := r.URL.Query().Get("issuer")
-	if issuerParam == "" {
-		return nil, errors.New("issuer param not specified")
+	stateParam := r.URL.Query().Get("state")
+	if issuerParam == "" && stateParam == "" {
+		return nil, errors.New("missing request parameters")
 	}
-	log.WithField("issuerParam", issuerParam).Trace("GetClientConfigFromRequest")
-	log.WithField("issuer", issuerParam).Trace("at GetClientConfigFromRequest")
 
-	for id, value := range service.configsById {
-		log.WithField("issuer", value.Issuer).WithField("id", id).Trace("GetClientConfigFromRequest (candidate)")
-		if value.Issuer == issuerParam {
-			return value, nil
+	if issuerParam != "" {
+		for _, value := range service.configsById {
+			if value.Issuer == issuerParam {
+				return value, nil
+			}
 		}
 	}
+
+	if stateParam != "" {
+		state, err := decodeStateParam(stateParam)
+		if err != nil {
+			return nil, errors.New("bad state param")
+		}
+		config := service.configsById[state.ClientId]
+		if config != nil {
+			return config, nil
+		}
+	}
+
 	return nil, errors.New("failed to find OIDC config for request")
 }
 
diff --git a/components/iam/pkg/oidc/service_test.go b/components/iam/pkg/oidc/service_test.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
 	"github.com/coreos/go-oidc/v3/oidc"
@@ -52,13 +53,29 @@ func TestGetStartParams(t *testing.T) {
 	require.NotNil(t, params.AuthCodeURL)
 	require.Contains(t, params.AuthCodeURL, issuerG)
 	require.Contains(t, params.AuthCodeURL, clientID)
-	require.Contains(t, params.AuthCodeURL, params.Nonce)
-	require.Contains(t, params.AuthCodeURL, params.State)
+	require.Contains(t, params.AuthCodeURL, url.QueryEscape(params.Nonce))
+	require.Contains(t, params.AuthCodeURL, url.QueryEscape(params.State))
 }
 
 func TestGetClientConfigFromRequest(t *testing.T) {
 	issuer := newFakeIdP(t)
 
+	const (
+		clientID = "google-1"
+	)
+
+	state, err := encodeStateParam(StateParam{
+		ClientId:    clientID,
+		RedirectURL: "",
+	})
+	require.NoError(t, err, "failed encode state param")
+
+	state_unknown, err := encodeStateParam(StateParam{
+		ClientId:    "UNKNOWN",
+		RedirectURL: "",
+	})
+	require.NoError(t, err, "failed encode state param")
+
 	testCases := []struct {
 		Location      string
 		ExpectedError bool
@@ -72,18 +89,33 @@ func TestGetClientConfigFromRequest(t *testing.T) {
 		{
 			Location:      "/start?issuer=" + issuer,
 			ExpectedError: false,
-			ExpectedId:    "google-1",
+			ExpectedId:    clientID,
 		},
 		{
 			Location:      "/start?issuer=UNKNOWN",
 			ExpectedError: true,
 			ExpectedId:    "",
 		},
+		{
+			Location:      "/callback?state=BAD",
+			ExpectedError: true,
+			ExpectedId:    "",
+		},
+		{
+			Location:      "/callback?state=" + state_unknown,
+			ExpectedError: true,
+			ExpectedId:    "",
+		},
+		{
+			Location:      "/callback?state=" + state,
+			ExpectedError: false,
+			ExpectedId:    clientID,
+		},
 	}
 
 	service := NewOIDCService()
-	err := service.AddClientConfig(&OIDCClientConfig{
-		ID:           "google-1",
+	err = service.AddClientConfig(&OIDCClientConfig{
+		ID:           clientID,
 		Issuer:       issuer,
 		OIDCConfig:   &oidc.Config{},
 		OAuth2Config: &oauth2.Config{},
