Bed-4851 OIDC API Provider Registration

cmd/api/src/api/registration/v2.go

@@ -62,7 +62,7 @@ func registerV2Auth(cfg config.Configuration, db database.Database, permissions
 		routerInst.DELETE(fmt.Sprintf("/api/v2/saml/providers/{%s}", api.URIPathVariableSAMLProviderID), managementResource.DeleteSAMLProvider).RequirePermissions(permissions.AuthManageProviders),
 
 		// SSO
-		routerInst.POST("/api/v2/sso/providers/oidc", managementResource.CreateOIDCProvider).CheckFeatureFlag(db, appcfg.FeatureOIDCSupport).RequirePermissions(permissions.AuthManageProviders),
+		routerInst.POST("/api/v2/sso-providers/oidc", managementResource.CreateOIDCProvider).CheckFeatureFlag(db, appcfg.FeatureOIDCSupport).RequirePermissions(permissions.AuthManageProviders),
 
 		// Permissions
 		routerInst.GET("/api/v2/permissions", managementResource.ListPermissions).RequirePermissions(permissions.AuthManageSelf),

cmd/api/src/api/v2/auth/oidc.go

@@ -42,17 +42,15 @@ func (s ManagementResource) CreateOIDCProvider(response http.ResponseWriter, req
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, err.Error(), request), response)
 	} else if validated := validation.Validate(createRequest); validated != nil {
 		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, validated.Error(), request), response)
-	} else if strings.Contains(createRequest.Name, " ") {
-		api.WriteErrorResponse(request.Context(), api.BuildErrorResponse(http.StatusBadRequest, "invalid name formatting, ensure there are no spaces in the provided name", request), response)
 	} else {
 		var (
-			formattedName = strings.ToLower(createRequest.Name)
+			formattedName = strings.ToLower(strings.ReplaceAll(createRequest.Name, " ", "-"))
 		)
 
-		if provider, err := s.db.CreateOIDCProvider(request.Context(), formattedName, createRequest.Issuer, createRequest.ClientID); err != nil {
+		if oidcProvider, err := s.db.CreateOIDCProvider(request.Context(), createRequest.Name, formattedName, createRequest.Issuer, createRequest.ClientID); err != nil {
 			api.HandleDatabaseError(request, response, err)
 		} else {
-			api.WriteBasicResponse(request.Context(), provider, http.StatusCreated, response)
+			api.WriteBasicResponse(request.Context(), oidcProvider, http.StatusCreated, response)
 		}
 	}
 }

cmd/api/src/api/v2/auth/oidc_test.go

@@ -19,16 +19,12 @@ package auth_test
 import (
 	"fmt"
 	"net/http"
-
-	"github.com/specterops/bloodhound/src/model"
-
-	"github.com/specterops/bloodhound/src/api/v2/auth"
+	"testing"
 
 	"github.com/specterops/bloodhound/src/api/v2/apitest"
+	"github.com/specterops/bloodhound/src/api/v2/auth"
+	"github.com/specterops/bloodhound/src/model"
 	"github.com/specterops/bloodhound/src/utils/test"
-
-	"testing"
-
 	"go.uber.org/mock/gomock"
 )
 
@@ -43,19 +39,17 @@ func TestManagementResource_CreateOIDCProvider(t *testing.T) {
 	defer mockCtrl.Finish()
 
 	t.Run("successfully create a new OIDCProvider", func(t *testing.T) {
-		mockDB.EXPECT().CreateOIDCProvider(gomock.Any(), "test", "https://localhost/auth", "bloodhound").Return(model.OIDCProvider{
-			Name:     "",
-			ClientID: "",
-			Issuer:   "",
+		mockDB.EXPECT().CreateOIDCProvider(gomock.Any(), "Bloodhound gang", "bloodhound-gang", "https://localhost/auth", "bloodhound").Return(model.OIDCProvider{
+			ClientID: "bloodhound",
+			Issuer:   "https://localhost/auth",
 		}, nil)
 
 		test.Request(t).
 			WithMethod(http.MethodPost).
 			WithURL(url).
 			WithBody(auth.CreateOIDCProviderRequest{
-				Name:   "test",
-				Issuer: "https://localhost/auth",
-
+				Name:     "Bloodhound gang",
+				Issuer:   "https://localhost/auth",
 				ClientID: "bloodhound",
 			}).
 			OnHandlerFunc(resources.CreateOIDCProvider).
@@ -78,8 +72,9 @@ func TestManagementResource_CreateOIDCProvider(t *testing.T) {
 			WithMethod(http.MethodPost).
 			WithURL(url).
 			WithBody(auth.CreateOIDCProviderRequest{
-				Name:   "test",
-				Issuer: "",
+				Name:     "test",
+				Issuer:   "1234:not:a:url",
+				ClientID: "bloodhound",
 			}).
 			OnHandlerFunc(resources.CreateOIDCProvider).
 			Require().
@@ -100,15 +95,14 @@ func TestManagementResource_CreateOIDCProvider(t *testing.T) {
 	})
 
 	t.Run("error creating oidc provider db entry", func(t *testing.T) {
-		mockDB.EXPECT().CreateOIDCProvider(gomock.Any(), "test", "https://localhost/auth", "bloodhound").Return(model.OIDCProvider{}, fmt.Errorf("error"))
+		mockDB.EXPECT().CreateOIDCProvider(gomock.Any(), "test", "test", "https://localhost/auth", "bloodhound").Return(model.OIDCProvider{}, fmt.Errorf("error"))
 
 		test.Request(t).
 			WithMethod(http.MethodPost).
 			WithURL(url).
 			WithBody(auth.CreateOIDCProviderRequest{
-				Name:   "test",
-				Issuer: "https://localhost/auth",
-
+				Name:     "test",
+				Issuer:   "https://localhost/auth",
 				ClientID: "bloodhound",
 			}).
 			OnHandlerFunc(resources.CreateOIDCProvider).

cmd/api/src/database/db.go

@@ -134,6 +134,7 @@ type Database interface {
 	DeleteSAMLProvider(ctx context.Context, samlProvider model.SAMLProvider) error
 
 	// SSO
+	SSOProviderData
 	OIDCProviderData
 
 	// Sessions

cmd/api/src/database/migration/migrations/v6.1.0.sql

@@ -1,13 +1,49 @@
+-- Copyright 2024 Specter Ops, Inc.
+--
+-- Licensed under the Apache License, Version 2.0
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- SPDX-License-Identifier: Apache-2.0
+
+-- SSO Provider
+CREATE TABLE IF NOT EXISTS sso_providers
+(
+    id         SERIAL PRIMARY KEY,
+    name       TEXT NOT NULL,
+    slug       TEXT NOT NULL,
+    type       int  NOT NULL,
+
+    updated_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
+    created_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
+
+    UNIQUE (name),
+    UNIQUE (slug)
+);
+
 -- OIDC Provider
 CREATE TABLE IF NOT EXISTS oidc_providers
 (
-  id         BIGSERIAL PRIMARY KEY,
-  name       TEXT NOT NULL,
-  client_id  TEXT NOT NULL,
-  issuer     TEXT NOT NULL,
+    id              SERIAL PRIMARY KEY,
+    client_id       TEXT NOT NULL,
+    issuer          TEXT NOT NULL,
+    sso_provider_id INTEGER REFERENCES sso_providers (id) ON DELETE CASCADE NULL,
+
+    updated_at      TIMESTAMP WITH TIME ZONE DEFAULT now(),
+    created_at      TIMESTAMP WITH TIME ZONE DEFAULT now()
+);
 
-  updated_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
-  created_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
+-- Create the reference from saml_providers to sso_providers
+ALTER TABLE ONLY saml_providers
+    ADD COLUMN IF NOT EXISTS sso_provider_id INTEGER NULL;
+ALTER TABLE ONLY saml_providers
+    ADD CONSTRAINT fk_saml_provider_sso_provider FOREIGN KEY (sso_provider_id) REFERENCES sso_providers (id) ON DELETE CASCADE;
 
-  UNIQUE (name)
-)

cmd/api/src/database/oidc.go

@@ -20,20 +20,35 @@ import (
 	"context"
 
 	"github.com/specterops/bloodhound/src/model"
+	"gorm.io/gorm"
+)
+
+const (
+	oidcProvidersTableName = "oidc_providers"
 )
 
 // OIDCProviderData defines the interface required to interact with the oidc_providers table
 type OIDCProviderData interface {
-	CreateOIDCProvider(ctx context.Context, name, issuer, clientID string) (model.OIDCProvider, error)
+	CreateOIDCProvider(ctx context.Context, name, slug, issuer, clientID string) (model.OIDCProvider, error)
 }
 
-// CreateOIDCProvider creates a new entry for an OIDC provider
-func (s *BloodhoundDB) CreateOIDCProvider(ctx context.Context, name, issuer, clientID string) (model.OIDCProvider, error) {
-	provider := model.OIDCProvider{
-		Name:     name,
+// CreateOIDCProvider creates a new entry for an OIDC provider as well as the associated SSO provider
+func (s *BloodhoundDB) CreateOIDCProvider(ctx context.Context, name, slug, issuer, clientID string) (model.OIDCProvider, error) {
+	oidcProvider := model.OIDCProvider{
 		ClientID: clientID,
 		Issuer:   issuer,
 	}
 
-	return provider, CheckError(s.db.WithContext(ctx).Table("oidc_providers").Create(&provider))
+	// Create both the sso_providers and oidc_providers rows in a single transaction
+	// If one of these requests errors, both changes will be rolled back
+	err := s.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		if ssoProvider, err := s.CreateSSOProviderWithTransaction(ctx, tx, name, slug, model.SessionAuthProviderOIDC); err != nil {
+			return err
+		} else {
+			oidcProvider.SSOProviderID = int(ssoProvider.ID)
+			return CheckError(tx.WithContext(ctx).Table(oidcProvidersTableName).Create(&oidcProvider))
+		}
+	})
+
+	return oidcProvider, err
 }

cmd/api/src/database/oidc_test.go

@@ -37,10 +37,9 @@ func TestBloodhoundDB_CreateOIDCProvider(t *testing.T) {
 	defer dbInst.Close(testCtx)
 
 	t.Run("successfully create an OIDC provider", func(t *testing.T) {
-		provider, err := dbInst.CreateOIDCProvider(testCtx, "test", "https://test.localhost.com/auth", "bloodhound")
+		provider, err := dbInst.CreateOIDCProvider(testCtx, "test", "test", "https://test.localhost.com/auth", "bloodhound")
 		require.NoError(t, err)
 
-		assert.Equal(t, "test", provider.Name)
 		assert.Equal(t, "https://test.localhost.com/auth", provider.Issuer)
 		assert.Equal(t, "bloodhound", provider.ClientID)
 	})

cmd/api/src/database/sso.go

@@ -0,0 +1,56 @@
+// Copyright 2024 Specter Ops, Inc.
+//
+// Licensed under the Apache License, Version 2.0
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package database
+
+import (
+	"context"
+
+	"github.com/specterops/bloodhound/src/model"
+	"gorm.io/gorm"
+)
+
+const (
+	ssoProviderTableName = "sso_providers"
+)
+
+// SSOProviderData defines the methods required to interact with the sso_providers table
+type SSOProviderData interface {
+	CreateSSOProvider(ctx context.Context, name, slug string, authType model.SessionAuthProvider) (model.SSOProvider, error)
+	CreateSSOProviderWithTransaction(ctx context.Context, tx *gorm.DB, name, slug string, authType model.SessionAuthProvider) (model.SSOProvider, error)
+}
+
+// CreateSSOProvider creates an entry in the sso_providers table
+func (s *BloodhoundDB) CreateSSOProvider(ctx context.Context, name, slug string, authType model.SessionAuthProvider) (model.SSOProvider, error) {
+	provider := model.SSOProvider{
+		Name: name,
+		Slug: slug,
+		Type: authType,
+	}
+
+	return provider, CheckError(s.db.WithContext(ctx).Table(ssoProviderTableName).Create(&provider))
+}
+
+// CreateSSOProviderWithTransaction uses a db transaction to create an entry in the sso_providers table
+func (s *BloodhoundDB) CreateSSOProviderWithTransaction(ctx context.Context, tx *gorm.DB, name, slug string, authType model.SessionAuthProvider) (model.SSOProvider, error) {
+	provider := model.SSOProvider{
+		Name: name,
+		Slug: slug,
+		Type: authType,
+	}
+
+	return provider, CheckError(tx.WithContext(ctx).Table(ssoProviderTableName).Create(&provider))
+}