From 746324e65abe7be65191e2c72dd5db9c44c4d157 Mon Sep 17 00:00:00 2001 From: Steve Cliff Date: Tue, 5 May 2026 13:26:06 +0100 Subject: [PATCH] =?UTF-8?q?http:=20GET=20/auth/oidc/login=20=E2=80=94=20ge?= =?UTF-8?q?nerate=20state/PKCE,=20redirect=20to=20IdP?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- internal/server/http/oidc_handlers.go | 35 +++++++++ internal/server/http/oidc_handlers_test.go | 86 ++++++++++++++++++++++ internal/server/http/server.go | 8 ++ 3 files changed, 129 insertions(+) create mode 100644 internal/server/http/oidc_handlers.go create mode 100644 internal/server/http/oidc_handlers_test.go diff --git a/internal/server/http/oidc_handlers.go b/internal/server/http/oidc_handlers.go new file mode 100644 index 0000000..b29bf22 --- /dev/null +++ b/internal/server/http/oidc_handlers.go @@ -0,0 +1,35 @@ +// oidc_handlers.go — OIDC sign-in handlers. Public routes when oidc +// is configured (s.deps.OIDC != nil), otherwise not mounted. +package http + +import ( + "log/slog" + stdhttp "net/http" + "time" + + "gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc" +) + +// handleOIDCLogin generates state + PKCE pair, persists them, and +// redirects to the IdP authorization endpoint. +func (s *Server) handleOIDCLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) { + state, err := oidc.RandomState() + if err != nil { + slog.Error("oidc login: state", "err", err) + stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError) + return + } + verifier, challenge, err := oidc.PKCEPair() + if err != nil { + slog.Error("oidc login: pkce", "err", err) + stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError) + return + } + if err := s.deps.Store.PutOIDCState(r.Context(), + oidc.HashState(state), verifier, time.Now().UTC()); err != nil { + slog.Error("oidc login: persist state", "err", err) + stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError) + return + } + stdhttp.Redirect(w, r, s.deps.OIDC.AuthURL(state, challenge), stdhttp.StatusSeeOther) +} diff --git a/internal/server/http/oidc_handlers_test.go b/internal/server/http/oidc_handlers_test.go new file mode 100644 index 0000000..7fb40ab --- /dev/null +++ b/internal/server/http/oidc_handlers_test.go @@ -0,0 +1,86 @@ +package http + +import ( + "context" + stdhttp "net/http" + "net/http/httptest" + "path/filepath" + "strings" + "testing" + "time" + + "gitea.dcglab.co.uk/steve/restic-manager/internal/crypto" + "gitea.dcglab.co.uk/steve/restic-manager/internal/server/config" + "gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc" + "gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc/oidctest" + "gitea.dcglab.co.uk/steve/restic-manager/internal/store" +) + +// newTestServerWithOIDC returns a Server wired to a stub IdP. +// Returned ts is the httptest.Server fronting the actual server; +// stub is the IdP for minting codes / configuring claims. +func newTestServerWithOIDC(t *testing.T) (*Server, *httptest.Server, *oidctest.StubIdP) { + t.Helper() + dir := t.TempDir() + st, err := store.Open(context.Background(), filepath.Join(dir, "rm.db")) + if err != nil { + t.Fatalf("store: %v", err) + } + t.Cleanup(func() { _ = st.Close() }) + + keyPath := filepath.Join(dir, "secret.key") + if err := crypto.GenerateKeyFile(keyPath); err != nil { + t.Fatalf("genkey: %v", err) + } + key, _ := crypto.LoadKeyFromFile(keyPath) + aead, _ := crypto.NewAEAD(key) + + stub := oidctest.New(t) + cfg := &config.OIDCConfig{ + Issuer: stub.URL(), ClientID: "test-client", ClientSecret: "x", + Scopes: []string{"openid"}, RoleClaim: "groups", + RoleMapping: map[string]string{ + "rm-admins": "admin", + "rm-operators": "operator", + "rm-viewers": "viewer", + }, + } + ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second) + defer cancel() + oidcClient, err := oidc.New(ctx, cfg, "http://test") + if err != nil { + t.Fatalf("oidc client: %v", err) + } + + deps := Deps{ + Cfg: config.Config{Listen: ":0", DataDir: dir, SecretKeyFile: keyPath, BaseURL: "http://test"}, + Store: st, + AEAD: aead, + OIDC: oidcClient, + } + s := New(deps) + ts := httptest.NewServer(s.srv.Handler) + t.Cleanup(ts.Close) + return s, ts, stub +} + +func TestOIDCLoginRedirectsToIdP(t *testing.T) { + t.Parallel() + srv, ts, _ := newTestServerWithOIDC(t) + c := &stdhttp.Client{CheckRedirect: func(*stdhttp.Request, []*stdhttp.Request) error { + return stdhttp.ErrUseLastResponse + }} + res, err := c.Get(ts.URL + "/auth/oidc/login") + if err != nil { + t.Fatalf("get: %v", err) + } + defer res.Body.Close() + if res.StatusCode != stdhttp.StatusSeeOther { + t.Errorf("status: got %d want 303", res.StatusCode) + } + loc := res.Header.Get("Location") + if !strings.Contains(loc, "code_challenge=") || !strings.Contains(loc, "state=") { + t.Errorf("location: %q", loc) + } + _ = srv +} diff --git a/internal/server/http/server.go b/internal/server/http/server.go index ba7c51a..326ad3b 100644 --- a/internal/server/http/server.go +++ b/internal/server/http/server.go @@ -17,6 +17,7 @@ import ( "gitea.dcglab.co.uk/steve/restic-manager/internal/crypto" "gitea.dcglab.co.uk/steve/restic-manager/internal/notification" "gitea.dcglab.co.uk/steve/restic-manager/internal/server/config" + "gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc" "gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui" "gitea.dcglab.co.uk/steve/restic-manager/internal/server/ws" "gitea.dcglab.co.uk/steve/restic-manager/internal/store" @@ -45,6 +46,9 @@ type Deps struct { // admin-bootstrap token printed in the server logs. While set, the // /bootstrap endpoint accepts it to create the first admin user. BootstrapToken string + // OIDC (optional). Non-nil when the operator has configured an + // IdP — handlers under /auth/oidc/* are mounted only when set. + OIDC *oidc.Client } // Server is the running HTTP server. @@ -140,6 +144,10 @@ func (s *Server) routes(r chi.Router) { r.Get("/setup", s.handleUISetupGet) r.Post("/setup", s.handleUISetupPost) } + if s.deps.OIDC != nil { + r.Get("/auth/oidc/login", s.handleOIDCLogin) + // /auth/oidc/callback registered in D2 + } // Viewer band — anyone authenticated can read. r.Group(func(r chi.Router) {