keystone: test cases, refactoring and cleanup

88d1e2b0 · joannano · Krzysztof Balka · a965365a · 88d1e2b0 · 88d1e2b0
Commit 88d1e2b0 authored Dec 13, 2018 by joannano Committed by Krzysztof Balka Jan 11, 2019
10 changed files
--- a/.travis.yml
+++ b/.travis.yml
@@ -13,13 +13,14 @@ services:
  - docker

 env:
-  - DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive
+  - DEX_POSTGRES_DATABASE=postgres DEX_POSTGRES_USER=postgres DEX_POSTGRES_HOST="localhost" DEX_ETCD_ENDPOINTS=http://localhost:2379 DEX_LDAP_TESTS=1 DEBIAN_FRONTEND=noninteractive DEX_KEYSTONE_URL=http://localhost:5000 DEX_KEYSTONE_ADMIN_URL=http://localhost:35357

 install:
  - sudo -E apt-get install -y --force-yes slapd time ldap-utils
  - sudo /etc/init.d/slapd stop
  - docker run -d --net=host gcr.io/etcd-development/etcd:v3.2.9
-
+  - docker run -d -p 0.0.0.0:5000:5000 -p 0.0.0.0:35357:35357 openio/openstack-keystone
+  - sleep 60s

 script:
  - make testall

--- a/Dockerfile
+++ b/Dockerfile
@@ -11,12 +11,15 @@ FROM alpine:3.8
 # experience when this doesn't work out of the box.
 #
 # OpenSSL is required so wget can query HTTPS endpoints for health checking.
-RUN apk add --update ca-certificates openssl bash
+RUN apk add --update ca-certificates openssl
+
+COPY --from=0 /go/bin/dex /usr/local/bin/dex

 # Import frontend assets and set the correct CWD directory so the assets
 # are in the default path.
 COPY web /web
 WORKDIR /

-EXPOSE 5500-5600
-CMD ["bash"]
+ENTRYPOINT ["dex"]
+
+CMD ["version"]
--- a/connector/connector.go
+++ b/connector/connector.go
@@ -35,7 +35,6 @@ type Identity struct {
 	//
 	// This data is never shared with end users, OAuth clients, or through the API.
 	ConnectorData []byte
-	Password string
 }

 // PasswordConnector is an interface implemented by connectors which take a

--- a/connector/keystone/keystone.go
+++ b/connector/keystone/keystone.go
@@ -2,163 +2,186 @@
 package keystone

 import (
+	"bytes"
 	"context"
-	"fmt"
-	"github.com/dexidp/dex/connector"
-	"github.com/sirupsen/logrus"
 	"encoding/json"
-	"net/http"
-	"bytes"
+	"fmt"
 	"io/ioutil"
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/dexidp/dex/connector"
 )

 var (
-	_ connector.PasswordConnector = &Connector{}
-  	_ connector.RefreshConnector = &Connector{}
+	_ connector.PasswordConnector = &keystoneConnector{}
+	_ connector.RefreshConnector  = &keystoneConnector{}
 )

 // Open returns an authentication strategy using Keystone.
 func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
-	return &Connector{c.Domain, c.KeystoneHost,
-	c.KeystoneUsername, c.KeystonePassword, logger}, nil
+	return &keystoneConnector{c.Domain, c.KeystoneHost,
+		c.KeystoneUsername, c.KeystonePassword, logger}, nil
 }

-func (p Connector) Close() error { return nil }
+func (p *keystoneConnector) Close() error { return nil }

-func (p Connector) Login(ctx context.Context, s connector.Scopes, username, password string) (
-		identity connector.Identity, validPassword bool, err error) {
-	response, err := p.getTokenResponse(username, password)
+func (p *keystoneConnector) Login(ctx context.Context, s connector.Scopes, username, password string) (
+	identity connector.Identity, validPassword bool, err error) {
+	resp, err := p.getTokenResponse(ctx, username, password)
+	if err != nil {
+		return identity, false, fmt.Errorf("keystone: error %v", err)
+	}

 	// Providing wrong password or wrong keystone URI throws error
-	if err == nil && response.StatusCode == 201 {
-    	token := response.Header["X-Subject-Token"][0]
-		data, _ := ioutil.ReadAll(response.Body)
-
-    	var tokenResponse = new(TokenResponse)
-    	err := json.Unmarshal(data, &tokenResponse)
-
-    	if err != nil {
-      		fmt.Printf("keystone: invalid token response: %v", err)
-      		return identity, false, err
-    	}
-    	groups, err := p.getUserGroups(tokenResponse.Token.User.ID, token)
-
-    	if err != nil {
-      		return identity, false, err
-    	}
-
-		identity.Username =	username
-    	identity.UserID = tokenResponse.Token.User.ID
-   	 	identity.Groups = groups
+	if resp.StatusCode == 201 {
+		token := resp.Header.Get("X-Subject-Token")
+		data, err := ioutil.ReadAll(resp.Body)
+		if err != nil {
+			return identity, false, err
+		}
+		defer resp.Body.Close()
+
+		var tokenResp = new(tokenResponse)
+		err = json.Unmarshal(data, &tokenResp)
+		if err != nil {
+			return identity, false, fmt.Errorf("keystone: invalid token response: %v", err)
+		}
+		groups, err := p.getUserGroups(ctx, tokenResp.Token.User.ID, token)
+		if err != nil {
+			return identity, false, err
+		}
+
+		identity.Username = username
+		identity.UserID = tokenResp.Token.User.ID
+		identity.Groups = groups
 		return identity, true, nil

-	} else if err != nil {
-    	fmt.Printf("keystone: error %v", err)
-		return identity, false, err
-
-	} else {
-		data, _ := ioutil.ReadAll(response.Body)
-		fmt.Println(string(data))
-		return identity, false, err
 	}
+
 	return identity, false, nil
 }

-func (p Connector) Prompt() string { return "username" }
+func (p *keystoneConnector) Prompt() string { return "username" }

-func (p Connector) Refresh(
+func (p *keystoneConnector) Refresh(
 	ctx context.Context, s connector.Scopes, identity connector.Identity) (connector.Identity, error) {

-  	if len(identity.ConnectorData) == 0 {
-  		return identity, nil
+	token, err := p.getAdminToken(ctx)
+	if err != nil {
+		return identity, fmt.Errorf("keystone: failed to obtain admin token: %v", err)
 	}

-	token, err := p.getAdminToken()
-
-  	if err != nil {
-    	fmt.Printf("keystone: failed to obtain admin token")
-    	return identity, err
-  	}
-
-  	ok := p.checkIfUserExists(identity.UserID, token)
-  	if !ok {
-  		fmt.Printf("keystone: user %q does not exist\n", identity.UserID)
-     	return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
-  	}
+	ok, err := p.checkIfUserExists(ctx, identity.UserID, token)
+	if err != nil {
+		return identity, err
+	}
+	if !ok {
+		return identity, fmt.Errorf("keystone: user %q does not exist", identity.UserID)
+	}

-  	groups, err := p.getUserGroups(identity.UserID, token)
-  	if err != nil {
-    	fmt.Printf("keystone: Failed to fetch user %q groups", identity.UserID)
-    	return identity, fmt.Errorf("keystone: failed to fetch user %q groups", identity.UserID)
-  	}
+	groups, err := p.getUserGroups(ctx, identity.UserID, token)
+	if err != nil {
+		return identity, err
+	}

-  	identity.Groups = groups
-  	fmt.Printf("Identity data after use of refresh token: %v", identity)
+	identity.Groups = groups
 	return identity, nil
 }

-
-func (p Connector) getTokenResponse(username, password string) (response *http.Response, err error) {
-	jsonData := LoginRequestData{
-		Auth: Auth{
-			Identity: Identity{
-				Methods:[]string{"password"},
-				Password: Password{
-					User: User{
-						Name: username,
-						Domain: Domain{ID:p.Domain},
-						Password: password,
+func (p *keystoneConnector) getTokenResponse(ctx context.Context, username, pass string) (response *http.Response, err error) {
+	client := &http.Client{}
+	jsonData := loginRequestData{
+		auth: auth{
+			Identity: identity{
+				Methods: []string{"password"},
+				Password: password{
+					User: user{
+						Name:     username,
+						Domain:   domain{ID: p.Domain},
+						Password: pass,
 					},
 				},
 			},
 		},
 	}
-	jsonValue, _ := json.Marshal(jsonData)
-  	loginURI := p.KeystoneHost + "/v3/auth/tokens"
-	return http.Post(loginURI, "application/json", bytes.NewBuffer(jsonValue))
+	jsonValue, err := json.Marshal(jsonData)
+	if err != nil {
+		return nil, err
+	}
+
+	authTokenURL := p.KeystoneHost + "/v3/auth/tokens/"
+	req, err := http.NewRequest("POST", authTokenURL, bytes.NewBuffer(jsonValue))
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req = req.WithContext(ctx)
+
+	return client.Do(req)
 }

-func (p Connector) getAdminToken()(string, error) {
-  	response, err := p.getTokenResponse(p.KeystoneUsername, p.KeystonePassword)
-  	if err!= nil {
-    	return "", err
-  	}
-  	token := response.Header["X-Subject-Token"][0]
-  	return token, nil
+func (p *keystoneConnector) getAdminToken(ctx context.Context) (string, error) {
+	resp, err := p.getTokenResponse(ctx, p.KeystoneUsername, p.KeystonePassword)
+	if err != nil {
+		return "", err
+	}
+	token := resp.Header.Get("X-Subject-Token")
+	return token, nil
 }

-func (p Connector) checkIfUserExists(userID string, token string) (bool) {
-  	groupsURI := p.KeystoneHost + "/v3/users/" + userID
-  	client := &http.Client{}
-  	req, _ := http.NewRequest("GET", groupsURI, nil)
-  	req.Header.Set("X-Auth-Token", token)
-  	response, err :=  client.Do(req)
-  	if err == nil && response.StatusCode == 200 {
-    	return true
-  	}
-  	return false
+func (p *keystoneConnector) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) {
+	userURL := p.KeystoneHost + "/v3/users/" + userID
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", userURL, nil)
+	if err != nil {
+		return false, err
+	}
+
+	req.Header.Set("X-Auth-Token", token)
+	req = req.WithContext(ctx)
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+
+	if resp.StatusCode == 200 {
+		return true, nil
+	}
+	return false, err
 }

-func (p Connector) getUserGroups(userID string, token string) ([]string, error) {
-  	groupsURI := p.KeystoneHost + "/v3/users/" + userID + "/groups"
-  	client := &http.Client{}
-  	req, _ := http.NewRequest("GET", groupsURI, nil)
-  	req.Header.Set("X-Auth-Token", token)
-  	response, err :=  client.Do(req)
-
-  	if err != nil {
-    	fmt.Printf("keystone: error while fetching user %q groups\n", userID)
-    	return nil, err
-  	}
-  	data, _ := ioutil.ReadAll(response.Body)
-  	var groupsResponse = new(GroupsResponse)
-  	err = json.Unmarshal(data, &groupsResponse)
-  	if err != nil {
-    	return nil, err
-  	}
-  	groups := []string{}
-  	for _, group := range groupsResponse.Groups {
-  		groups = append(groups, group.Name)
-  	}
-  	return groups, nil
+func (p *keystoneConnector) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) {
+	client := &http.Client{}
+	groupsURL := p.KeystoneHost + "/v3/users/" + userID + "/groups"
+
+	req, err := http.NewRequest("GET", groupsURL, nil)
+	req.Header.Set("X-Auth-Token", token)
+	req = req.WithContext(ctx)
+	resp, err := client.Do(req)
+	if err != nil {
+		p.Logger.Errorf("keystone: error while fetching user %q groups\n", userID)
+		return nil, err
+	}
+
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var groupsResp = new(groupsResponse)
+
+	err = json.Unmarshal(data, &groupsResp)
+	if err != nil {
+		return nil, err
+	}
+
+	groups := make([]string, len(groupsResp.Groups))
+	for i, group := range groupsResp.Groups {
+		groups[i] = group.Name
+	}
+	return groups, nil
 }
--- a/connector/keystone/keystone_test.go
+++ b/connector/keystone/keystone_test.go
--- a/connector/keystone/types.go
+++ b/connector/keystone/types.go
@@ -4,133 +4,84 @@ import (
 	"github.com/sirupsen/logrus"
 )

-type Connector struct {
-	Domain 			 string
-	KeystoneHost 	 string
+type keystoneConnector struct {
+	Domain           string
+	KeystoneHost     string
 	KeystoneUsername string
 	KeystonePassword string
-	Logger 			 logrus.FieldLogger
+	Logger           logrus.FieldLogger
 }

-type ConnectorData struct {
-	AccessToken string `json:"accessToken"`
+type userKeystone struct {
+	Domain domainKeystone `json:"domain"`
+	ID     string         `json:"id"`
+	Name   string         `json:"name"`
 }

-type KeystoneUser struct {
-	Domain KeystoneDomain `json:"domain"`
-	ID 	   string 		  `json:"id"`
-	Name   string 		  `json:"name"`
-}
-
-type KeystoneDomain struct {
-	ID string   `json:"id"`
+type domainKeystone struct {
+	ID   string `json:"id"`
 	Name string `json:"name"`
 }

+// Config holds the configuration parameters for Keystone connector.
+// Keystone should expose API v3
+// An example config:
+//	connectors:
+//		type: keystone
+//		id: keystone
+//		name: Keystone
+//		config:
+//			keystoneHost: http://example:5000
+//			domain: default
+//      keystoneUsername: demo
+//      keystonePassword: DEMO_PASS
 type Config struct {
-	Domain 			 string `json:"domain"`
-	KeystoneHost 	 string `json:"keystoneHost"`
+	Domain           string `json:"domain"`
+	KeystoneHost     string `json:"keystoneHost"`
 	KeystoneUsername string `json:"keystoneUsername"`
 	KeystonePassword string `json:"keystonePassword"`
 }

-type LoginRequestData struct {
-	Auth `json:"auth"`
+type loginRequestData struct {
+	auth `json:"auth"`
 }

-type Auth struct {
-	Identity `json:"identity"`
+type auth struct {
+	Identity identity `json:"identity"`
 }

-type Identity struct {
+type identity struct {
 	Methods  []string `json:"methods"`
-	Password 		  `json:"password"`
+	Password password `json:"password"`
 }

-type Password struct {
-	User `json:"user"`
+type password struct {
+	User user `json:"user"`
 }

-type User struct {
-	Name   string 	`json:"name"`
-	Domain 			`json:"domain"`
-	Password string `json:"password"`
-}
-
-type Domain struct {
-	ID string `json:"id"`
-}
-
-type Token struct {
-	IssuedAt  string 	   			 `json:"issued_at"`
-	Extras 	  map[string]interface{} `json:"extras"`
-	Methods   []string 	   			 `json:"methods"`
-	ExpiresAt string 	   			 `json:"expires_at"`
-	User 	  KeystoneUser 			 `json:"user"`
-}
-
-type TokenResponse struct {
-	Token Token `json:"token"`
-}
-
-type CreateUserRequest struct {
-	CreateUser CreateUserForm  `json:"user"`
-}
-
-type CreateUserForm struct {
+type user struct {
 	Name     string `json:"name"`
-	Email    string `json:"email"`
-	Enabled  bool   `json:"enabled"`
+	Domain   domain `json:"domain"`
 	Password string `json:"password"`
-	Roles  []string `json:"roles"`
-}
-
-type UserResponse struct {
-	User CreateUserResponse `json:"user"`
-}
-
-type CreateUserResponse struct {
-	Username string   `json:"username"`
-	Name 	 string   `json:"name"`
-	Roles 	 []string `json:"roles"`
-	Enabled  bool     `json:"enabled"`
-	Options  string   `json:"options"`
-	ID 		 string   `json:"id"`
-	Email 	 string   `json:"email"`
-}
-
-type CreateGroup struct {
-	Group CreateGroupForm `json:"group"`
-}
-
-type CreateGroupForm struct {
-	Description string `json:"description"`
-	Name 		string `json:"name"`
 }

-type GroupID struct {
-	Group GroupIDForm `json:"group"`
+type domain struct {
+	ID string `json:"id"`
 }

-type GroupIDForm struct {
-	ID string `json:"id"`
+type token struct {
+	User userKeystone `json:"user"`
 }

-type Links struct {
-	Self string `json:"self"`
-	Previous string `json:"previous"`
-	Next string `json:"next"`
+type tokenResponse struct {
+	Token token `json:"token"`
 }

-type Group struct {
-	DomainID 	string `json:"domain_id`
-	Description string `json:"description"`
-	ID 			string `json:"id"`
-	Links 		Links  `json:"links"`
-	Name 		string `json:"name"`
+type group struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
 }

-type GroupsResponse struct {
-	Links  Links   `json:"links"`
-	Groups []Group `json:"groups"`
+type groupsResponse struct {
+	Groups []group `json:"groups"`
 }
--- a/examples/config-keystone.yaml
+++ b/examples/config-keystone.yaml
-# The base path of dex and the external name of the OpenID Connect service.
-# This is the canonical URL that all clients MUST use to refer to dex. If a
-# path is provided, dex's HTTP service will listen at a non-root URL.
-issuer: http://0.0.0.0:5556/dex
-
-# The storage configuration determines where dex stores its state. Supported
-# options include SQL flavors and Kubernetes third party resources.
-#
-# See the storage document at Documentation/storage.md for further information.
-storage:
-  type: sqlite3
-  config:
-    file: examples/dex.db   #be in the dex directory, else change path here
-
-# Configuration for the HTTP endpoints.
-web:
-  https: 0.0.0.0:5556
-  # Uncomment for HTTPS options.
-  # https: 127.0.0.1:5554
-  tlsCert: ./ssl/dex.crt
-  tlsKey: ./ssl/dex.key
-
-# Configuration for telemetry
-telemetry:
-  http: 0.0.0.0:5558
-
-oauth2:
-  responseTypes: ["id_token"]
-
-# Instead of reading from an external storage, use this list of clients.
-staticClients:
- id: example-app
-  redirectURIs:
-  - 'http://127.0.0.1:5555/callback'
-  name: 'Example App'
-  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
-
-#Provide Keystone connector and its config here
-# /v3/auth/tokens
-connectors:
- type: keystone
-  id: keystone
-  name: Keystone
-  config:
-    keystoneHost: http://localhost:5000
-    domain: default
-    keystoneUsername: demo
-    keystonePassword: DEMO_PASS
-
-# Let dex keep a list of passwords which can be used to login to dex.
-enablePasswordDB: true
-
-oauth2:
-  skipApprovalScreen: true
-
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -211,7 +211,6 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
 	}

 	authReqID := r.FormValue("req")
-  s.logger.Errorf("Auth req id %v", authReqID)

 	authReq, err := s.storage.GetAuthRequest(authReqID)
 	if err != nil {
@@ -346,7 +345,7 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
 			s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
 			return
 		}
-		s.logger.Errorf("2Failed to get auth request: %v", err)
+		s.logger.Errorf("Failed to get auth request: %v", err)
 		s.renderError(w, http.StatusInternalServerError, "Database error.")
 		return
 	}
@@ -358,7 +357,6 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
 	}

 	conn, err := s.getConnector(authReq.ConnectorID)
-  s.logger.Errorf("X Connector %v", conn)
 	if err != nil {
 		s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err)
 		s.renderError(w, http.StatusInternalServerError, "Requested resource does not exist.")
@@ -437,7 +435,7 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
 func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
 	authReq, err := s.storage.GetAuthRequest(r.FormValue("req"))
 	if err != nil {
-		s.logger.Errorf("3Failed to get auth request: %v", err)
+		s.logger.Errorf("Failed to get auth request: %v", err)
 		s.renderError(w, http.StatusInternalServerError, "Database error.")
 		return
 	}

--- a/server/server.go
+++ b/server/server.go
@@ -27,6 +27,7 @@ import (
 	"github.com/dexidp/dex/connector/bitbucketcloud"
 	"github.com/dexidp/dex/connector/github"
 	"github.com/dexidp/dex/connector/gitlab"
+	"github.com/dexidp/dex/connector/keystone"
 	"github.com/dexidp/dex/connector/ldap"
 	"github.com/dexidp/dex/connector/linkedin"
 	"github.com/dexidp/dex/connector/microsoft"
@@ -34,7 +35,6 @@ import (
 	"github.com/dexidp/dex/connector/oidc"
 	"github.com/dexidp/dex/connector/saml"
 	"github.com/dexidp/dex/storage"
-  "github.com/dexidp/dex/connector/keystone"
 )

 // LocalConnector is the local passwordDB connector which is an internal
@@ -456,7 +456,7 @@ func openConnector(logger logrus.FieldLogger, conn storage.Connector) (connector

 	f, ok := ConnectorsConfig[conn.Type]
 	if !ok {
-		return c, fmt.Errorf("xunknown connector type %q", conn.Type)
+		return c, fmt.Errorf("unknown connector type %q", conn.Type)
 	}

 	connConfig := f()

--- a/storage/static.go
+++ b/storage/static.go
@@ -3,6 +3,7 @@ package storage
 import (
 	"errors"
 	"strings"
+
 	"github.com/sirupsen/logrus"
 )