http: GET /auth/oidc/login — generate state/PKCE, redirect to IdP

internal/server/http/oidc_handlers.go

@@ -0,0 +1,35 @@
+// oidc_handlers.go — OIDC sign-in handlers. Public routes when oidc
+// is configured (s.deps.OIDC != nil), otherwise not mounted.
+package http
+
+import (
+	"log/slog"
+	stdhttp "net/http"
+	"time"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc"
+)
+
+// handleOIDCLogin generates state + PKCE pair, persists them, and
+// redirects to the IdP authorization endpoint.
+func (s *Server) handleOIDCLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	state, err := oidc.RandomState()
+	if err != nil {
+		slog.Error("oidc login: state", "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	verifier, challenge, err := oidc.PKCEPair()
+	if err != nil {
+		slog.Error("oidc login: pkce", "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	if err := s.deps.Store.PutOIDCState(r.Context(),
+		oidc.HashState(state), verifier, time.Now().UTC()); err != nil {
+		slog.Error("oidc login: persist state", "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	stdhttp.Redirect(w, r, s.deps.OIDC.AuthURL(state, challenge), stdhttp.StatusSeeOther)
+}

internal/server/http/oidc_handlers_test.go

@@ -0,0 +1,86 @@
+package http
+
+import (
+	"context"
+	stdhttp "net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/config"
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc"
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc/oidctest"
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
+)
+
+// newTestServerWithOIDC returns a Server wired to a stub IdP.
+// Returned ts is the httptest.Server fronting the actual server;
+// stub is the IdP for minting codes / configuring claims.
+func newTestServerWithOIDC(t *testing.T) (*Server, *httptest.Server, *oidctest.StubIdP) {
+	t.Helper()
+	dir := t.TempDir()
+	st, err := store.Open(context.Background(), filepath.Join(dir, "rm.db"))
+	if err != nil {
+		t.Fatalf("store: %v", err)
+	}
+	t.Cleanup(func() { _ = st.Close() })
+
+	keyPath := filepath.Join(dir, "secret.key")
+	if err := crypto.GenerateKeyFile(keyPath); err != nil {
+		t.Fatalf("genkey: %v", err)
+	}
+	key, _ := crypto.LoadKeyFromFile(keyPath)
+	aead, _ := crypto.NewAEAD(key)
+
+	stub := oidctest.New(t)
+	cfg := &config.OIDCConfig{
+		Issuer: stub.URL(), ClientID: "test-client", ClientSecret: "x",
+		Scopes: []string{"openid"}, RoleClaim: "groups",
+		RoleMapping: map[string]string{
+			"rm-admins":    "admin",
+			"rm-operators": "operator",
+			"rm-viewers":   "viewer",
+		},
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	oidcClient, err := oidc.New(ctx, cfg, "http://test")
+	if err != nil {
+		t.Fatalf("oidc client: %v", err)
+	}
+
+	deps := Deps{
+		Cfg:   config.Config{Listen: ":0", DataDir: dir, SecretKeyFile: keyPath, BaseURL: "http://test"},
+		Store: st,
+		AEAD:  aead,
+		OIDC:  oidcClient,
+	}
+	s := New(deps)
+	ts := httptest.NewServer(s.srv.Handler)
+	t.Cleanup(ts.Close)
+	return s, ts, stub
+}
+
+func TestOIDCLoginRedirectsToIdP(t *testing.T) {
+	t.Parallel()
+	srv, ts, _ := newTestServerWithOIDC(t)
+	c := &stdhttp.Client{CheckRedirect: func(*stdhttp.Request, []*stdhttp.Request) error {
+		return stdhttp.ErrUseLastResponse
+	}}
+	res, err := c.Get(ts.URL + "/auth/oidc/login")
+	if err != nil {
+		t.Fatalf("get: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != stdhttp.StatusSeeOther {
+		t.Errorf("status: got %d want 303", res.StatusCode)
+	}
+	loc := res.Header.Get("Location")
+	if !strings.Contains(loc, "code_challenge=") || !strings.Contains(loc, "state=") {
+		t.Errorf("location: %q", loc)
+	}
+	_ = srv
+}

internal/server/http/server.go

@@ -17,6 +17,7 @@ import (
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/crypto"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/notification"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/config"
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/oidc"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ws"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
@@ -45,6 +46,9 @@ type Deps struct {
 	// admin-bootstrap token printed in the server logs. While set, the
 	// /bootstrap endpoint accepts it to create the first admin user.
 	BootstrapToken string
+	// OIDC (optional). Non-nil when the operator has configured an
+	// IdP — handlers under /auth/oidc/* are mounted only when set.
+	OIDC *oidc.Client
 }
 
 // Server is the running HTTP server.
@@ -140,6 +144,10 @@ func (s *Server) routes(r chi.Router) {
 		r.Get("/setup", s.handleUISetupGet)
 		r.Post("/setup", s.handleUISetupPost)
 	}
+	if s.deps.OIDC != nil {
+		r.Get("/auth/oidc/login", s.handleOIDCLogin)
+		// /auth/oidc/callback registered in D2
+	}
 
 	// Viewer band — anyone authenticated can read.
 	r.Group(func(r chi.Router) {