test oidc setup plural

Author: michaeljguarino

.github/workflows/test-pr.yaml

@@ -0,0 +1,27 @@
+name: CI / Demo PR
+
+env:
+  DOCKER_METADATA_PR_HEAD_SHA: 'true'
+
+on:
+  push:
+    branches:
+    - master
+    - genstage-stack-gs-reconciler
+jobs:
+  pr:
+    permissions:
+      id-token: write
+      contents: read
+    name: Generate PR
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: setup plural
+        uses: pluralsh/setup-plural@535f6523af77c86b90ce118e17b6362576689ba7
+        with:
+          email: [email protected]
+          consoleUrl: https://console.plrldemo.onplural.sh

lib/console/deployments/settings.ex

@@ -7,6 +7,7 @@ defmodule Console.Deployments.Settings do
   alias Console.Services.Users
   alias Console.Deployments.{Clusters, Services}
   alias Console.Schema.{DeploymentSettings, User, Project, BootstrapToken, CloudConnection, FederatedCredential}
+  require Logger
 
   @agent_vsn File.read!("AGENT_VERSION") |> String.trim()
   @kube_vsn File.read!("KUBE_VERSION") |> String.trim()
@@ -327,13 +328,14 @@ defmodule Console.Deployments.Settings do
   """
   @spec exchange_token(binary, binary) :: {:ok, binary} | Console.error()
   def exchange_token(token, email) do
-    user = Users.get_user_by_email!(email)
+    user = Users.cached_user_by_email!(email)
 
-    with {:token, {:ok, %{"iss" => issuer}}} <- {:token, Joken.peek_claims(token)},
+    with {:token, {:ok, %{"iss" => issuer, "aud" => aud}}} <- {:token, Joken.peek_claims(token)},
          {:config, {:ok, {conf, jwks}}} <- {:config, issuer_configuration(issuer)},
          opts = %{client_jwks: JOSE.JWK.generate_key(16)},
          ctx = Oidcc.ClientContext.from_manual(conf, jwks, "dummy_id", "dummy_secret", opts),
-         opts = %{signing_algs: ctx.provider_configuration.id_token_signing_alg_values_supported},
+         opts = %{signing_algs: ctx.provider_configuration.id_token_signing_alg_values_supported,
+                  trusted_audiences: [aud]},
          {:validate, {:ok, claims}} <- {:validate, Oidcc.Token.validate_jwt(token, ctx, opts)} do
       FederatedCredential.for_issuer(issuer)
       |> FederatedCredential.for_user(user.id)
@@ -344,12 +346,16 @@ defmodule Console.Deployments.Settings do
           scopes = Enum.flat_map(credentials, & &1.scopes || [])
                    |> Enum.uniq()
           sign_token(user, scopes)
-        _ -> {:error, "no federated credential for #{email} match jwt claims"}
+        _ -> {:error, "no federated credentials for #{email} match jwt claims"}
       end
     else
       {:token, _} -> {:error, "invalid jwt format"}
-      {:config, _} -> {:error, "invalid issuer url from jwt"}
-      {:validate, _} -> {:error, "could not validate jwt"}
+      {:config, _} = res ->
+        Logger.error("failed to fetch issuer configuration: #{inspect(res)}")
+        {:error, "invalid issuer url from jwt"}
+      {:validate, _} = res ->
+        Logger.error("failed to validate jwt: #{inspect(res)}")
+        {:error, "could not validate jwt"}
     end
   end
 
@@ -360,12 +366,22 @@ defmodule Console.Deployments.Settings do
     end
   end
 
+  @quirks %{
+    quirks: %{
+      allow_issuer_mismatch: true,
+      document_overrides: %{
+        # needed for atypical oidc implementations like Github's
+        "authorization_endpoint" => "https://example.com/ignore/oauth/authorize",
+      }
+    }
+  }
+
   @doc """
   Fetches the issuer configuration from the issuer url
   """
   @decorate cacheable(cache: @cache_adapter, key: {:issuer_configuration, issuer}, opts: [ttl: :timer.minutes(60)])
   def issuer_configuration(issuer) do
-    with {:ok, {conf, _}} <- Oidcc.ProviderConfiguration.load_configuration(issuer, %{quirks: %{allow_issuer_mismatch: true}}),
+    with {:ok, {conf, _}} <- Oidcc.ProviderConfiguration.load_configuration(issuer, @quirks),
          {:ok, {jwks, _}} <- Oidcc.ProviderConfiguration.load_jwks(conf.jwks_uri),
       do: {:ok, {conf, jwks}}
   end

lib/console/services/users.ex

@@ -48,7 +48,7 @@ defmodule Console.Services.Users do
   @decorate cacheable(cache: @cache_adapter, key: :console_bot, opts: [ttl: @ttl])
   def console(), do: Repo.get_by(User, email: "[email protected]")
 
-  @decorate cacheable(cache: Console.Cache, key: {:access, token}, opts: [ttl: @ttl])
+  @decorate cacheable(cache: @cache_adapter, key: {:access, token}, opts: [ttl: @ttl])
   def get_by_token(token) do
     Repo.get_by(AccessToken, token: token)
     |> Repo.preload([:user])
@@ -72,6 +72,9 @@ defmodule Console.Services.Users do
 
   def get_user_by_email!(email), do: Repo.get_by!(User, email: email)
 
+  @decorate cacheable(cache: @cache_adapter, key: {:user_by_email, email}, opts: [ttl: @ttl])
+  def cached_user_by_email!(email), do: get_user_by_email!(email)
+
   @spec get_group!(binary) :: Group.t
   def get_group!(id), do: Repo.get!(Group, id)
 

lib/console_web/router.ex

@@ -16,6 +16,7 @@ defmodule ConsoleWeb.Router do
   scope "/v1", ConsoleWeb do
     pipe_through [:api]
 
+    post "/token/exchange", JWTController, :exchange
     get "/dashboard/cluster", WebhookController, :cluster
   end
 
@@ -79,7 +80,6 @@ defmodule ConsoleWeb.Router do
     pipe_through [:auth]
 
     scope "/v1", ConsoleWeb do
-      post "/token/exchange", JWTController, :exchange
       get "/digests", GitController, :digest
       get "/compliance/report", ComplianceController, :report
       get "/compliance/report/:name", ComplianceController, :report