Start using go-oidc-middleware (#302)

* remove claimsClient * add oidcHandler * fix error formatting * update tests to work with middleware * update readme
XenitAB · Oct 7, 2021 · aecace7 · aecace7
1 parent fce56e7
commit aecace7
Show file tree

Hide file tree

Showing 10 changed files with 325 additions and 458 deletions.
diff --git a/README.md b/README.md
@@ -292,8 +292,8 @@ metadata:
 type: kubernetes.io/service-account-token
 EOF
 
-kubectl get secret azad-kube-proxy-test-secret --output=jsonpath={.data.ca\\.crt} | base64 -d > tmp/ca.crt
-kubectl get secret azad-kube-proxy-test-secret --output=jsonpath={.data.token} | base64 -d > tmp/token
+kubectl --namespace azad-kube-proxy-test get secret azad-kube-proxy-test-secret --output=jsonpath={.data.ca\\.crt} | base64 -d > tmp/ca.crt
+kubectl --namespace azad-kube-proxy-test get secret azad-kube-proxy-test-secret --output=jsonpath={.data.token} | base64 -d > tmp/token
 
 KUBE_CA_PATH="${PWD}/tmp/ca.crt"
 KUBE_TOKEN_PATH="${PWD}/tmp/token"

diff --git a/go.mod b/go.mod
@@ -24,6 +24,7 @@ require (
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/urfave/cli/v2 v2.3.0
+	github.com/xenitab/go-oidc-middleware v0.0.14
 	go.uber.org/zap v1.19.1
 	golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
@@ -37,15 +38,18 @@ require (
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.1 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
+	github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/evanphx/json-patch v4.11.0+incompatible // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
 	github.com/go-playground/universal-translator v0.18.0 // indirect
+	github.com/goccy/go-json v0.7.8 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -57,6 +61,12 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/juju/ansiterm v0.0.0-20210929141451-8b71cc96ebdc // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
+	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.0 // indirect
+	github.com/lestrrat-go/httpcc v1.0.0 // indirect
+	github.com/lestrrat-go/iter v1.0.1 // indirect
+	github.com/lestrrat-go/jwx v1.2.7 // indirect
+	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/lunixbochs/vtclean v1.0.0 // indirect
 	github.com/mattn/go-colorable v0.1.11 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
@@ -73,8 +83,10 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/yuin/gopher-lua v0.0.0-20210529063254-f4c35e4016d9 // indirect
+	github.com/zclconf/go-cty v1.9.1 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
+	go.uber.org/ratelimit v0.2.0 // indirect
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
 	golang.org/x/net v0.0.0-20210929193557-e81a3d93ecf6 // indirect
 	golang.org/x/sys v0.0.0-20211003122950-b1ebd4e1001c // indirect

diff --git a/go.sum b/go.sum
diff --git a/pkg/claims/claims.go b/pkg/claims/claims.go
diff --git a/pkg/claims/claims_test.go b/pkg/claims/claims_test.go
diff --git a/pkg/handlers/azure.go b/pkg/handlers/azure.go
@@ -0,0 +1,62 @@
+package handlers
+
+import "fmt"
+
+// azureClaims contains the claims used by the Azure AD Access Token (v2)
+type azureClaims struct {
+	sub      string
+	username string
+	objectID string
+	groups   []string
+}
+
+// toAzureClaims converts the raw claims from context.Value() to azureClaims
+func toAzureClaims(rawClaims map[string]interface{}) (azureClaims, error) {
+	rawSub, ok := rawClaims["sub"]
+	if !ok {
+		return azureClaims{}, fmt.Errorf("unable to find sub claim")
+	}
+
+	sub, ok := rawSub.(string)
+	if !ok {
+		return azureClaims{}, fmt.Errorf("unable to typecast sub to string: %v", rawSub)
+	}
+
+	isServicePrincipal := false
+	rawUsername, ok := rawClaims["preferred_username"]
+	if !ok {
+		isServicePrincipal = true
+	}
+
+	username := ""
+	if !isServicePrincipal {
+		username, ok = rawUsername.(string)
+		if !ok {
+			return azureClaims{}, fmt.Errorf("unable to typecast preferred_username to string: %v", rawUsername)
+		}
+	}
+
+	rawObjectID, ok := rawClaims["oid"]
+	if !ok {
+		return azureClaims{}, fmt.Errorf("unable to find oid claim")
+	}
+
+	objectID, ok := rawObjectID.(string)
+	if !ok {
+		return azureClaims{}, fmt.Errorf("unable to typecast oid to string: %v", rawObjectID)
+	}
+
+	rawGroups := rawClaims["groups"]
+	groups, ok := rawGroups.([]string)
+	if !ok {
+		// if we are unable to typecast, set groups to empty
+		groups = []string{}
+	}
+
+	return azureClaims{
+		sub:      sub,
+		username: username,
+		objectID: objectID,
+		groups:   groups,
+	}, nil
+}