[CLOUDTRUST-2107] Add a method to retrieve OIDC token

6 years ago · 01eb0fdf5d
3 changed files with 205 additions and 6 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@ -3,14 +3,15 @@

 [[projects]]
  branch = "master"
-  digest = "1:c3e6e91aafe6e3a12e3669b77f8fd608ddf8e61a727858ce50811daabc9600ea"
+  digest = "1:9cd919baadd8b77a9af99f59b3240f7296f58acd88c7ceb4fe812649be8ae176"
  name = "github.com/cloudtrust/common-service"
  packages = [
    ".",
    "errors",
+    "log",
  ]
  pruneopts = ""
-  revision = "bda3eb6af01813931780dc33b49aabd0f878be19"
+  revision = "739cff91a05f8dbcf3a0c4e6e57b95089f2a052b"

 [[projects]]
  digest = "1:379d34d9efc755fab444199f007819fe99718640f9ccfbdd3f0430340bb02b07"
@ -37,17 +38,17 @@
  version = "v2.0.0"

 [[projects]]
-  digest = "1:183b1cb81b770d8033281c5629a4847a2ed7614068bb33c5a9a159d1226b23f0"
+  digest = "1:48e65aaf8ce34ffb3e8d56daa9417826db162afbc2040705db331e9a2e9eebe3"
  name = "github.com/go-kit/kit"
  packages = [
    "endpoint",
    "log",
-    "transport",
+    "log/level",
    "transport/http",
  ]
  pruneopts = ""
-  revision = "150a65a7ec6156b4b640c1fd55f26fd3d475d656"
-  version = "v0.9.0"
+  revision = "12210fb6ace19e0496167bb3e667dcd91fa9f69b"
+  version = "v0.8.0"

 [[projects]]
  digest = "1:aa9a6ccd5fd7d29804a27cb0666bc4ac5eb4b73439b7edd54f4b377e5ef8bb47"
@ -242,6 +243,7 @@
  input-imports = [
    "github.com/cloudtrust/common-service",
    "github.com/cloudtrust/common-service/errors",
+    "github.com/cloudtrust/common-service/log",
    "github.com/coreos/go-oidc",
    "github.com/gbrlsnchs/jwt",
    "github.com/go-kit/kit/transport/http",
--- a/oidc_connect.go
+++ b/oidc_connect.go
@ -0,0 +1,99 @@
+package keycloak
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	errorhandler "github.com/cloudtrust/common-service/errors"
+	"github.com/cloudtrust/common-service/log"
+)
+
+// OidcTokenProvider provides OIDC tokens
+type OidcTokenProvider interface {
+	ProvideToken(ctx context.Context) (string, error)
+}
+
+type oidcToken struct {
+	AccessToken      string `json:"access_token,omitempty"`
+	ExpiresIn        int64  `json:"expires_in,omitempty"`
+	RefreshToken     string `json:"refresh_token,omitempty"`
+	RefreshExpiresIn int64  `json:"refresh_expires_in,omitempty"`
+	TokenType        string `json:"token_type,omitempty"`
+	NotBeforePolicy  int    `json:"not-before-policy,omitempty"`
+	SessionState     string `json:"session_state,omitempty"`
+	Scope            string `json:"scope,omitempty"`
+}
+
+type oidcTokenProvider struct {
+	timeout    time.Duration
+	tokenURL   string
+	reqBody    string
+	logger     log.Logger
+	oidcToken  oidcToken
+	validUntil int64
+}
+
+const (
+	// Max processing delay: let's assume that the user of OidcTokenProvider will have a maximum of 5 seconds to use the provided OIDC token
+	maxProcessingDelay = int64(5)
+)
+
+// NewOidcTokenProvider creates an OidcTokenProvider
+func NewOidcTokenProvider(config Config, realm, username, password, clientID string, logger log.Logger) OidcTokenProvider {
+	var tokenURL = fmt.Sprintf("%s/auth/realms/%s/protocol/openid-connect/token", config.AddrAPI, realm)
+	// If needed, can add &client_secret={secret}
+	var body = fmt.Sprintf("grant_type=password&client_id=%s&username=%s&password=%s",
+		url.QueryEscape(clientID), url.QueryEscape(username), url.QueryEscape(password))
+
+	return &oidcTokenProvider{
+		timeout:  config.Timeout,
+		tokenURL: tokenURL,
+		reqBody:  body,
+		logger:   logger,
+	}
+}
+
+func (o *oidcTokenProvider) ProvideToken(ctx context.Context) (string, error) {
+	if o.validUntil+maxProcessingDelay > time.Now().Unix() {
+		return o.oidcToken.AccessToken, nil
+	}
+
+	var mimeType = "application/x-www-form-urlencoded"
+	var httpClient = http.Client{
+		Timeout: o.timeout,
+	}
+	var resp, err = httpClient.Post(o.tokenURL, mimeType, strings.NewReader(o.reqBody))
+	if err != nil {
+		o.logger.Warn(ctx, "msg", err.Error())
+		return "", errorhandler.CreateInternalServerError("unexpected.httpResponse")
+	}
+	if err == nil && resp.StatusCode == http.StatusUnauthorized {
+		o.logger.Warn(ctx, "msg", "Technical user credentials are invalid")
+		return "", errorhandler.Error{
+			Status:  http.StatusUnauthorized,
+			Message: errorhandler.GetEmitter() + ".unauthorized",
+		}
+	}
+	if resp.StatusCode >= 400 || resp.Body == http.NoBody || resp.Body == nil {
+		o.logger.Warn(ctx, "msg", fmt.Sprintf("Unexpected behavior: unexpected http status (%d) or response has no body", resp.StatusCode))
+		return "", errorhandler.CreateInternalServerError("unexpected.httpResponse")
+	}
+
+	buf := new(bytes.Buffer)
+	buf.ReadFrom(resp.Body)
+
+	err = json.Unmarshal(buf.Bytes(), &o.oidcToken)
+	if err != nil {
+		o.logger.Warn(ctx, "msg", fmt.Sprintf("Can't deserialize token. JSON: %s", buf.String()))
+		return "", errorhandler.CreateInternalServerError("unexpected.oidcToken")
+	}
+	o.validUntil = time.Now().Unix() + o.oidcToken.ExpiresIn
+
+	return o.oidcToken.AccessToken, nil
+}
--- a/oidc_connect_test.go
+++ b/oidc_connect_test.go
@ -0,0 +1,98 @@
+package keycloak
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/cloudtrust/common-service/log"
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+)
+
+type TestResponse struct {
+	StatusCode   int
+	NoBody       bool
+	ResponseBody string
+}
+
+func (t *TestResponse) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(t.StatusCode)
+	if !t.NoBody {
+		w.Write([]byte(t.ResponseBody))
+	}
+	time.Sleep(20 * time.Millisecond)
+}
+
+func TestCreateToken(t *testing.T) {
+	var oidcToken = oidcToken{
+		AccessToken: `eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZRTUtNUpBb2NOcG5zeEpEaGRyYVdyWlVCZTBMR2xfanNILUtnb1EwWi1FIn0.eyJqdGkiOiIxYjJkZDY2NS01ZGE1LTRiMzAtODY0MS0wNWQ4ZTk0NTQ2ZWQiLCJleHAiOjE1NzkyMDQ0ODYsIm5iZiI6MCwiaWF0IjoxNTc5MTY4NDg2LCJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwiYXVkIjpbInBhc3NmbG93LXJlYWxtIiwibXlfcmVhbG0tcmVhbG0iLCJDbG91ZHRydXN0LXJlYWxtIiwibWFzdGVyLXJlYWxtIiwiYWNjb3VudCJdLCJzdWIiOiI3OTU5MjhjMy03N2Y1LTRmMjQtOTI0NC02NzBkMGJmMDJhMmQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiI5ZTQ5NDA1MS1kZGQ1LTRhODctYTczZC1hOWU5YjMwYmFlZGEiLCJhY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImNyZWF0ZS1yZWFsbSIsIm9mZmxpbmVfYWNjZXNzIiwiYWRtaW4iLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InBhc3NmbG93LXJlYWxtIjp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInF1ZXJ5LXJlYWxtcyIsInZpZXctYXV0aG9yaXphdGlvbiIsInF1ZXJ5LWNsaWVudHMiLCJxdWVyeS11c2VycyIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIiwicXVlcnktZ3JvdXBzIl19LCJteV9yZWFsbS1yZWFsbSI6eyJyb2xlcyI6WyJ2aWV3LXJlYWxtIiwidmlldy1pZGVudGl0eS1wcm92aWRlcnMiLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsImNyZWF0ZS1jbGllbnQiLCJtYW5hZ2UtdXNlcnMiLCJxdWVyeS1yZWFsbXMiLCJ2aWV3LWF1dGhvcml6YXRpb24iLCJxdWVyeS1jbGllbnRzIiwicXVlcnktdXNlcnMiLCJtYW5hZ2UtZXZlbnRzIiwibWFuYWdlLXJlYWxtIiwidmlldy1ldmVudHMiLCJ2aWV3LXVzZXJzIiwidmlldy1jbGllbnRzIiwibWFuYWdlLWF1dGhvcml6YXRpb24iLCJtYW5hZ2UtY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyJdfSwiQ2xvdWR0cnVzdC1yZWFsbSI6eyJyb2xlcyI6WyJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsInZpZXctcmVhbG0iLCJtYW5hZ2UtaWRlbnRpdHktcHJvdmlkZXJzIiwiaW1wZXJzb25hdGlvbiIsImNyZWF0ZS1jbGllbnQiLCJtYW5hZ2UtdXNlcnMiLCJxdWVyeS1yZWFsbXMiLCJ2aWV3LWF1dGhvcml6YXRpb24iLCJxdWVyeS1jbGllbnRzIiwicXVlcnktdXNlcnMiLCJtYW5hZ2UtZXZlbnRzIiwibWFuYWdlLXJlYWxtIiwidmlldy1ldmVudHMiLCJ2aWV3LXVzZXJzIiwidmlldy1jbGllbnRzIiwibWFuYWdlLWF1dGhvcml6YXRpb24iLCJtYW5hZ2UtY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyJdfSwibWFzdGVyLXJlYWxtIjp7InJvbGVzIjpbInZpZXctcmVhbG0iLCJ2aWV3LWlkZW50aXR5LXByb3ZpZGVycyIsIm1hbmFnZS1pZGVudGl0eS1wcm92aWRlcnMiLCJpbXBlcnNvbmF0aW9uIiwiY3JlYXRlLWNsaWVudCIsIm1hbmFnZS11c2VycyIsInF1ZXJ5LXJlYWxtcyIsInZpZXctYXV0aG9yaXphdGlvbiIsInF1ZXJ5LWNsaWVudHMiLCJxdWVyeS11c2VycyIsIm1hbmFnZS1ldmVudHMiLCJtYW5hZ2UtcmVhbG0iLCJ2aWV3LWV2ZW50cyIsInZpZXctdXNlcnMiLCJ2aWV3LWNsaWVudHMiLCJtYW5hZ2UtYXV0aG9yaXphdGlvbiIsIm1hbmFnZS1jbGllbnRzIiwicXVlcnktZ3JvdXBzIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUgZ3JvdXBzIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJncm91cHMiOlsiL3RvZV9hZG1pbmlzdHJhdG9yIl0sInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.GrPUDdQUID0S38ZSwVqarAuSDXrl5cJju3uq32y6bNGPK9a8jcHBP5FEfMcZ3vieQPtWFeySMycwTEcH6x6lc-9bj1w5veL4yyTA1zk_ERPshfiobk0u94vuljnoz-PW7JvBLOy47Bk5cP9pHPbJMPY0kOFHTpXZHd6KwfcE_X8gizLw4rDhIpK1NEtABQVzUNvP9fDZOm2I1PHJbl0odRE7EFu9Xh5ya8DaUQ2RKUb0E5csnA3DYlFdEhtMV1MAKRzqplDzj8zLQ8f8fflzC9_g4vmnDUEKSBxq1f1qKmzm1-XUuqRYTNWHfOtRR9rXrEzn-6fymFcRHIVGW7kgzg`,
+		ExpiresIn:   3600,
+	}
+	var validJSON, _ = json.Marshal(oidcToken)
+
+	r := mux.NewRouter()
+	r.Handle("/auth/realms/nobody/protocol/openid-connect/token", &TestResponse{StatusCode: http.StatusOK, NoBody: true})
+	r.Handle("/auth/realms/invalid/protocol/openid-connect/token", &TestResponse{StatusCode: http.StatusUnauthorized})
+	r.Handle("/auth/realms/bad-json/protocol/openid-connect/token", &TestResponse{StatusCode: http.StatusOK, ResponseBody: `{"truncated-`})
+	r.Handle("/auth/realms/valid/protocol/openid-connect/token", &TestResponse{StatusCode: http.StatusOK, ResponseBody: string(validJSON)})
+
+	ts := httptest.NewServer(r)
+	defer ts.Close()
+
+	t.Run("No body in HTTP response", func(t *testing.T) {
+		var p = NewOidcTokenProvider(Config{AddrAPI: ts.URL}, "nobody", "user", "passwd", "clientID", log.NewNopLogger())
+		var _, err = p.ProvideToken(context.TODO())
+		assert.NotNil(t, err)
+	})
+
+	t.Run("Invalid credentials", func(t *testing.T) {
+		var p = NewOidcTokenProvider(Config{AddrAPI: ts.URL}, "invalid", "user", "passwd", "clientID", log.NewNopLogger())
+		var _, err = p.ProvideToken(context.TODO())
+		assert.NotNil(t, err)
+	})
+
+	t.Run("Invalid JSON", func(t *testing.T) {
+		var p = NewOidcTokenProvider(Config{AddrAPI: ts.URL}, "bad-json", "user", "passwd", "clientID", log.NewNopLogger())
+		var _, err = p.ProvideToken(context.TODO())
+		assert.NotNil(t, err)
+	})
+
+	t.Run("No HTTP response", func(t *testing.T) {
+		var p = NewOidcTokenProvider(Config{AddrAPI: ts.URL + "0"}, "bad-json", "user", "passwd", "clientID", log.NewNopLogger())
+		var _, err = p.ProvideToken(context.TODO())
+		assert.NotNil(t, err)
+	})
+
+	t.Run("Valid credentials", func(t *testing.T) {
+		var p = NewOidcTokenProvider(Config{AddrAPI: ts.URL}, "valid", "user", "passwd", "clientID", log.NewNopLogger())
+
+		var timeStart = time.Now()
+
+		// First call
+		var token, err = p.ProvideToken(context.TODO())
+		assert.Nil(t, err)
+		assert.NotEqual(t, "", token)
+
+		var timeAfterFirstCall = time.Now()
+
+		// Second call
+		token, err = p.ProvideToken(context.TODO())
+		assert.Nil(t, err)
+		assert.NotEqual(t, "", token)
+
+		var timeAfterSecondCall = time.Now()
+
+		var withHTTPDuration = int64(20 * time.Millisecond)
+		var withoutHTTPDuration = int64(5 * time.Millisecond)
+		var duration1 = timeAfterFirstCall.Sub(timeStart).Nanoseconds()
+		var duration2 = timeAfterSecondCall.Sub(timeAfterFirstCall).Nanoseconds()
+		var msg = fmt.Sprintf("Durations: no valid token loaded yet:%d (expected > %d), token not expired:%d (expected < %d)", duration1, withHTTPDuration, duration2, withoutHTTPDuration)
+		assert.True(t, duration1 > withHTTPDuration, msg)
+		assert.True(t, duration2 < withoutHTTPDuration, msg)
+	})
+}