[OIDC] Check issuer URL for reachability #16331
Conversation
|
started the job as gitpod-build-at-check-issuer.1 because the annotations in the pull request description changed |
| }, | ||
| } | ||
|
|
||
| resp, err := client.Get(host) |
There was a problem hiding this comment.
You could use the HEAD request here. It better communicates that you only want to know if it's reachable, rather than actually needing the payload.
There was a problem hiding this comment.
Let's change to Head, I've no preferences.
| @@ -318,3 +326,28 @@ func toDbOIDCSpec(oauth2Config *v1.OAuth2Config, oidcConfig *v1.OIDCConfig) db.O | |||
| Scopes: append([]string{goidc.ScopeOpenID, "profile", "email"}, oauth2Config.GetScopes()...), | |||
| } | |||
| } | |||
|
|
|||
| func assertIssuerIsReachable(host string) error { | |||
There was a problem hiding this comment.
This should accept the context and construct the request with context (http.NewRequest().WithContext()). This ensures that if the caller cancels, we also cancel.
There was a problem hiding this comment.
In general, anything crossing a network boundary should accept context, and propagate it.
|
|
||
| func assertIssuerIsReachable(host string) error { | ||
| tr := &http.Transport{ | ||
| TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, |
There was a problem hiding this comment.
Why are we disabling TLS? If necessary, a comment would help.
| func assertIssuerIsReachable(host string) error { | ||
| tr := &http.Transport{ | ||
| TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, | ||
| Proxy: http.ProxyFromEnvironment, |
There was a problem hiding this comment.
Do we need this? The environment this runs is in controlled by us, and we don't have a system level proxy configured.
There was a problem hiding this comment.
Took this from a k8s reachability probe.
we don't have a system level proxy configured.
Since #12726 we have an option to set it on the installation level.
The environment this runs is in controlled by us
I'm not sure this is the question. If the Org only provides a proxy to reach internal Git, which was several times the case with self-hosted, it might still be relevant.
| @@ -50,6 +53,11 @@ func (s *OIDCService) CreateClientConfig(ctx context.Context, req *connect.Reque | |||
| return nil, err | |||
| } | |||
|
|
|||
| err = assertIssuerIsReachable(req.Msg.GetConfig().GetOidcConfig().GetIssuer()) | |||
There was a problem hiding this comment.
Does it make sense to check the URL actually parses as a URL, before we make this request?
How do we make sure this doesn't get used as a way to DDOS third party systems? If I supply a https://my-victim.org, we'd hit those endpoints on behalf of the attacker.
One way to guard would be to rate-limit the create itself.
There was a problem hiding this comment.
+1 for rate-limiting.
| @@ -96,13 +99,13 @@ func TestOIDCService_CreateClientConfig_FeatureFlagEnabled(t *testing.T) { | |||
| }) | |||
|
|
|||
| t.Run("creates oidc client config", func(t *testing.T) { | |||
| serverMock, client, dbConn := setupOIDCService(t, withOIDCFeatureEnabled) | |||
| serverMock, client, dbConn, issuer := setupOIDCService(t, withOIDCFeatureEnabled) | |||
There was a problem hiding this comment.
It took me quite a while to wrap my head around the fact that we're using our server, which has our API handlers, as the issuer, for the validation check during create.
Perhaps it would make sense to start a second server, and return it as part of setupOIDCService which is the issuer server. That would also give us the ability to test for the case when the check fails, which we're currently not covering AFAIK.
There was a problem hiding this comment.
🙈 indeed, this was a shortcut to have a known to be reachable host.
💯 will touch on this in follow-up to extract it. As mentioned a while ago, the mocked OIDC services should become proper mocks to get full coverage of the handlers of ours.
| } | ||
| resp.Body.Close() | ||
| if resp.StatusCode > 499 { | ||
| return fmt.Errorf("returned status %d", resp.StatusCode) |
There was a problem hiding this comment.
| return fmt.Errorf("returned status %d", resp.StatusCode) | |
| return fmt.Errorf("OIDC reachability check returned status %d", resp.StatusCode) |
There was a problem hiding this comment.
This ends up being the public facing error message, so we should communicate as much detail as possible.
roboquat
added
deployed: webapp
Description
As part of #15960, this should help to identify issues with entered OIDC client config and/or the service an Org admin wants to connect with. Non reachable services are a common source of errors when connecting to 3rd party services. An early check helps to identify problems early on.
Related Issue(s)
Part of #15960
How to test
see there is an error logged on JS console and network tab, e.g.
https://accounts.google.com) works.Release Notes
Documentation
Build Options:
Experimental feature to run the build with GitHub Actions (and not in Werft).
leeway-target=components:all
Run Leeway with
--dont-testPublish Options
Installer Options
Add desired feature flags to the end of the line above, space separated
Preview Environment Options:
If enabled this will build
install/previewIf enabled this will create the environment on GCE infra
Valid options are
all,workspace,webapp,ide,jetbrains,vscode,ssh