test: implement unit tests for skipping oidc issuer checks

Emyrk · Emyrk · commit a862bf1c9a89 · 2024-07-23T12:48:15.000-05:00
Unit tests build oidc config differently than production. These
test verify the approach
diff --git a/coderd/coderdtest/oidctest/idp.go b/coderd/coderdtest/oidctest/idp.go
@@ -97,6 +97,9 @@ type FakeIDP struct {
 	deviceCode *syncmap.Map[string, deviceFlow]
 
 	// hooks
+	// hookWellKnown allows mutating the returned .well-known/configuration JSON.
+	// Using this can break the IDP configuration, so be careful.
+	hookWellKnown func(r *http.Request, j *ProviderJSON) error
 	// hookValidRedirectURL can be used to reject a redirect url from the
 	// IDP -> Application. Almost all IDPs have the concept of
 	// "Authorized Redirect URLs". This can be used to emulate that.
@@ -151,6 +154,12 @@ func WithMiddlewares(mws ...func(http.Handler) http.Handler) func(*FakeIDP) {
 	}
 }
 
+func WithHookWellKnown(hook func(r *http.Request, j *ProviderJSON) error) func(*FakeIDP) {
+	return func(f *FakeIDP) {
+		f.hookWellKnown = hook
+	}
+}
+
 // WithRefresh is called when a refresh token is used. The email is
 // the email of the user that is being refreshed assuming the claims are correct.
 func WithRefresh(hook func(email string) error) func(*FakeIDP) {
@@ -753,7 +762,16 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
 	mux.Get("/.well-known/openid-configuration", func(rw http.ResponseWriter, r *http.Request) {
 		f.logger.Info(r.Context(), "http OIDC config", slogRequestFields(r)...)
 
-		_ = json.NewEncoder(rw).Encode(f.provider)
+		cpy := f.provider
+		if f.hookWellKnown != nil {
+			err := f.hookWellKnown(r, &cpy)
+			if err != nil {
+				http.Error(rw, err.Error(), http.StatusInternalServerError)
+				return
+			}
+		}
+
+		_ = json.NewEncoder(rw).Encode(cpy)
 	})
 
 	// Authorize is called when the user is redirected to the IDP to login.
@@ -1371,8 +1389,11 @@ func (f *FakeIDP) AppCredentials() (clientID string, clientSecret string) {
 	return f.clientID, f.clientSecret
 }
 
-// OIDCConfig returns the OIDC config to use for Coderd.
-func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+func (f *FakeIDP) PublicKey() crypto.PublicKey {
+	return f.key.Public()
+}
+
+func (f *FakeIDP) OauthConfig(t testing.TB, scopes []string) *oauth2.Config {
 	t.Helper()
 
 	if len(scopes) == 0 {
@@ -1391,22 +1412,50 @@ func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *co
 		RedirectURL: "https://redirect.com",
 		Scopes:      scopes,
 	}
+	f.cfg = oauthCfg
 
-	ctx := oidc.ClientContext(context.Background(), f.HTTPClient(nil))
+	return oauthCfg
+}
+
+func (f *FakeIDP) OIDCConfigSkipIssuerChecks(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+	ctx := oidc.InsecureIssuerURLContext(context.Background(), f.issuer)
+
+	return f.oidcConfig(ctx, t, scopes, func(config *oidc.Config) {
+		config.SkipIssuerCheck = true
+	}, opts...)
+}
+
+func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+	return f.oidcConfig(context.Background(), t, scopes, nil, opts...)
+}
+
+// OIDCConfig returns the OIDC config to use for Coderd.
+func (f *FakeIDP) oidcConfig(ctx context.Context, t testing.TB, scopes []string, verifierOpt func(config *oidc.Config), opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
+	t.Helper()
+
+	oauthCfg := f.OauthConfig(t, scopes)
+
+	ctx = oidc.ClientContext(ctx, f.HTTPClient(nil))
 	p, err := oidc.NewProvider(ctx, f.provider.Issuer)
 	require.NoError(t, err, "failed to create OIDC provider")
+
+	verifierConfig := &oidc.Config{
+		ClientID: oauthCfg.ClientID,
+		SupportedSigningAlgs: []string{
+			"RS256",
+		},
+		// Todo: add support for Now()
+	}
+	if verifierOpt != nil {
+		verifierOpt(verifierConfig)
+	}
+
 	cfg := &coderd.OIDCConfig{
 		OAuth2Config: oauthCfg,
 		Provider:     p,
 		Verifier: oidc.NewVerifier(f.provider.Issuer, &oidc.StaticKeySet{
 			PublicKeys: []crypto.PublicKey{f.key.Public()},
-		}, &oidc.Config{
-			ClientID: oauthCfg.ClientID,
-			SupportedSigningAlgs: []string{
-				"RS256",
-			},
-			// Todo: add support for Now()
-		}),
+		}, verifierConfig),
 		UsernameField: "preferred_username",
 		EmailField:    "email",
 		AuthURLParams: map[string]string{"access_type": "offline"},
@@ -1419,13 +1468,12 @@ func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *co
 		opt(cfg)
 	}
 
-	f.cfg = oauthCfg
 	return cfg
 }
 
 func (f *FakeIDP) getClaims(m *syncmap.Map[string, jwt.MapClaims], key string) (jwt.MapClaims, bool) {
 	v, ok := m.Load(key)
-	if !ok {
+	if !ok || v == nil {
 		if f.defaultIDClaims != nil {
 			return f.defaultIDClaims, true
 		}
diff --git a/coderd/coderdtest/oidctest/idp_test.go b/coderd/coderdtest/oidctest/idp_test.go
@@ -2,19 +2,22 @@ package oidctest_test
 
 import (
 	"context"
+	"crypto"
 	"net/http"
-	"net/http/httptest"
 	"testing"
 	"time"
 
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/assert"
+	"golang.org/x/xerrors"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/oauth2"
 
+	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
+	"github.com/coder/coder/v2/testutil"
 )
 
 // TestFakeIDPBasicFlow tests the basic flow of the fake IDP.
@@ -27,12 +30,6 @@ func TestFakeIDPBasicFlow(t *testing.T) {
 		oidctest.WithLogging(t, nil),
 	)
 
-	var handler http.Handler
-	srv := httptest.NewServer(http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		handler.ServeHTTP(w, r)
-	})))
-	defer srv.Close()
-
 	cfg := fake.OIDCConfig(t, nil)
 	cli := fake.HTTPClient(nil)
 	ctx := oidc.ClientContext(context.Background(), cli)
@@ -71,3 +68,84 @@ func TestFakeIDPBasicFlow(t *testing.T) {
 	require.NoError(t, err, "failed to refresh token")
 	require.NotEmpty(t, refreshed.AccessToken, "access token is empty on refresh")
 }
+
+// TestIDPIssuerMismatch emulates a situation where the IDP issuer url does
+// not match the one in the well-known config and claims.
+// This can happen in some edge cases and in some azure configurations.
+//
+// This test just makes sure a fake IDP can set up this scenario.
+func TestIDPIssuerMismatch(t *testing.T) {
+	t.Parallel()
+
+	const proxyURL = "https://proxy.com"
+	const primaryURL = "https://primary.com"
+
+	fake := oidctest.NewFakeIDP(t,
+		oidctest.WithIssuer(proxyURL),
+		oidctest.WithDefaultIDClaims(jwt.MapClaims{
+			"iss": primaryURL,
+		}),
+		oidctest.WithHookWellKnown(func(r *http.Request, j *oidctest.ProviderJSON) error {
+			// host should be proxy.com, but we return the primaryURL
+			if r.Host != "proxy.com" {
+				return xerrors.Errorf("unexpected host: %s", r.Host)
+			}
+			j.Issuer = primaryURL
+			return nil
+		}),
+		oidctest.WithLogging(t, nil),
+	)
+
+	ctx := testutil.Context(t, testutil.WaitMedium)
+	// Do not use real network requests
+	cli := fake.HTTPClient(nil)
+	ctx = oidc.ClientContext(ctx, cli)
+
+	// Allow the issuer mismatch
+	ctx = oidc.InsecureIssuerURLContext(ctx, "this field does not matter")
+	p, err := oidc.NewProvider(ctx, "https://proxy.com")
+	require.NoError(t, err, "failed to create OIDC provider")
+
+	oauthConfig := fake.OauthConfig(t, nil)
+	cfg := &coderd.OIDCConfig{
+		OAuth2Config: oauthConfig,
+		Provider:     p,
+		Verifier: oidc.NewVerifier(fake.WellknownConfig().Issuer, &oidc.StaticKeySet{
+			PublicKeys: []crypto.PublicKey{fake.PublicKey()},
+		}, &oidc.Config{
+			SkipIssuerCheck: true,
+			ClientID:        oauthConfig.ClientID,
+			SupportedSigningAlgs: []string{
+				"RS256",
+			},
+		}),
+		UsernameField: "preferred_username",
+		EmailField:    "email",
+		AuthURLParams: map[string]string{"access_type": "offline"},
+	}
+
+	const expectedState = "random-state"
+	var token *oauth2.Token
+
+	fake.SetCoderdCallbackHandler(func(w http.ResponseWriter, r *http.Request) {
+		// Emulate OIDC flow
+		code := r.URL.Query().Get("code")
+		state := r.URL.Query().Get("state")
+		assert.Equal(t, expectedState, state, "state mismatch")
+
+		oauthToken, err := cfg.Exchange(ctx, code)
+		if assert.NoError(t, err, "failed to exchange code") {
+			assert.NotEmpty(t, oauthToken.AccessToken, "access token is empty")
+			assert.NotEmpty(t, oauthToken.RefreshToken, "refresh token is empty")
+		}
+		token = oauthToken
+	})
+
+	//nolint:bodyclose
+	resp := fake.OIDCCallback(t, expectedState, nil) // Use default claims
+	require.Equal(t, http.StatusOK, resp.StatusCode)
+
+	idToken, err := cfg.Verifier.Verify(ctx, token.Extra("id_token").(string))
+	require.NoError(t, err)
+	require.Equal(t, primaryURL, idToken.Issuer)
+}
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -1532,6 +1532,42 @@ func TestUserLogout(t *testing.T) {
 	}
 }
 
+// TestOIDCSkipIssuer verifies coderd can run without checking the issuer url
+// in the OIDC exchange. This means the CODER_OIDC_ISSUER_URL does not need
+// to match the id_token `iss` field, or the value returned in the well-known
+// config.
+func TestOIDCSkipIssuer(t *testing.T) {
+	t.Parallel()
+	const primaryURLString = "https://primary.com"
+	primaryURL := must(url.Parse(primaryURLString))
+
+	fake := oidctest.NewFakeIDP(t,
+		oidctest.WithServing(),
+		oidctest.WithDefaultIDClaims(jwt.MapClaims{}),
+		oidctest.WithHookWellKnown(func(r *http.Request, j *oidctest.ProviderJSON) error {
+			assert.NotEqual(t, r.URL.Host, primaryURL.Host, "request went to wrong host")
+			j.Issuer = primaryURLString
+			return nil
+		}),
+	)
+
+	owner := coderdtest.New(t, &coderdtest.Options{
+		OIDCConfig: fake.OIDCConfigSkipIssuerChecks(t, nil, func(cfg *coderd.OIDCConfig) {
+			cfg.AllowSignups = true
+		}),
+	})
+
+	// User can login and use their token.
+	ctx := testutil.Context(t, testutil.WaitShort)
+	userClient, _ := fake.Login(t, owner, jwt.MapClaims{
+		"iss":   primaryURLString,
+		"email": "alice@coder.com",
+	})
+	found, err := userClient.User(ctx, "me")
+	require.NoError(t, err)
+	require.Equal(t, found.LoginType, codersdk.LoginTypeOIDC)
+}
+
 func oauth2Callback(t *testing.T, client *codersdk.Client) *http.Response {
 	client.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
