From 67f22c4214b283f3c1108ee682b7770343b2d14a Mon Sep 17 00:00:00 2001 From: Jim Date: Tue, 22 Oct 2024 13:48:49 -0400 Subject: [PATCH] feat (oidc): add WithVerifier (#141) * feat (oidc): add WithVerifier This commit adds the WithVerifier option to the oidc package. This option allows the user to specify a custom verifier for the PKCE code challenge. * chore (changelog): add PR #141 to changelog --- CHANGELOG.md | 14 ++++++- oidc/pkce_verifier.go | 84 +++++++++++++++++++++++++++++++++++--- oidc/pkce_verifier_test.go | 35 +++++++++++++++- 3 files changed, 125 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d2a7b5c..0559dbc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,10 +2,22 @@ Canonical reference for changes, improvements, and bugfixes for cap. +## Next + +* feat (oidc): add WithVerifier ([PR #141](https://github.com/hashicorp/cap/pull/141)) + +## 0.7.0 + +* Add ability to the SAML test provider to create signed SAML responses by + @hcjulz ([PR: 135](https://github.com/hashicorp/cap/pull/135)) +* Bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot ([PR #136](https://github.com/hashicorp/cap/pull/136)) +* feat (config): add support for a http.RoundTripper by @jimlambrt ([PR #137](https://github.com/hashicorp/cap/pull/137)) +* chore: update deps by @jimlambrt ([PR #138](https://github.com/hashicorp/cap/pull/138)) + ## 0.6.0 * Add case insensitive user attribute keys configs for LDAP by @jasonodonnell in https://github.com/hashicorp/cap/pull/132 -* chore (oidc, jwt, ldap): update deps by @jimlambrt in https://github.com/hashicorp/cap/pull/133 +* chore (oidc, jwt, ldap): update deps by @jimlambrt in **https**://github.com/hashicorp/cap/pull/133 * Add empty anonymous group search configs by @jasonodonnell in https://github.com/hashicorp/cap/pull/134 ## 0.5.0 diff --git a/oidc/pkce_verifier.go b/oidc/pkce_verifier.go index 04d3490..bf20341 100644 --- a/oidc/pkce_verifier.go +++ b/oidc/pkce_verifier.go @@ -7,6 +7,7 @@ import ( "crypto/sha256" "encoding/base64" "fmt" + "regexp" "github.com/hashicorp/cap/oidc/internal/base62" ) @@ -51,19 +52,39 @@ type S256Verifier struct { } // min len of 43 chars per https://tools.ietf.org/html/rfc7636#section-4.1 -const verifierLen = 43 +const ( + // min len of 43 chars per https://tools.ietf.org/html/rfc7636#section-4.1 + minVerifierLen = 43 + // max len of 128 chars per https://tools.ietf.org/html/rfc7636#section-4.1 + maxVerifierLen = 128 +) // NewCodeVerifier creates a new CodeVerifier (*S256Verifier). +// Supported options: WithVerifier // // See: https://tools.ietf.org/html/rfc7636#section-4.1 -func NewCodeVerifier() (*S256Verifier, error) { +func NewCodeVerifier(opt ...Option) (*S256Verifier, error) { const op = "NewCodeVerifier" - data, err := base62.Random(verifierLen) - if err != nil { - return nil, fmt.Errorf("%s: unable to create verifier data %w", op, err) + var ( + err error + verifierData string + ) + opts := getPKCEOpts(opt...) + switch { + case opts.withVerifier != "": + verifierData = opts.withVerifier + default: + var err error + verifierData, err = base62.Random(minVerifierLen) + if err != nil { + return nil, fmt.Errorf("%s: unable to create verifier data %w", op, err) + } + } + if err := verifierIsValid(verifierData); err != nil { + return nil, fmt.Errorf("%s: %w", op, err) } v := &S256Verifier{ - verifier: data, // no need to encode it, since bas62.Random uses a limited set of characters. + verifier: verifierData, // no need to encode it, since bas62.Random uses a limited set of characters. method: S256, } if v.challenge, err = CreateCodeChallenge(v); err != nil { @@ -72,6 +93,25 @@ func NewCodeVerifier() (*S256Verifier, error) { return v, nil } +func verifierIsValid(v string) error { + const op = "verifierIsValid" + switch { + case len(v) < minVerifierLen: + return fmt.Errorf("%s: verifier length is less than %d", op, minVerifierLen) + case len(v) > maxVerifierLen: + return fmt.Errorf("%s: verifier length is greater than %d", op, maxVerifierLen) + default: + // check that the verifier is valid based on + // https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 + // Check for valid characters: A-Z, a-z, 0-9, -, _, ., ~ + validChars := regexp.MustCompile(`^[A-Za-z0-9\-\._~]+$`) + if !validChars.MatchString(v) { + return fmt.Errorf("%s: verifier contains invalid characters", op) + } + } + return nil +} + func (v *S256Verifier) Verifier() string { return v.verifier } // Verifier implements the CodeVerifier.Verifier() interface function. func (v *S256Verifier) Challenge() string { return v.challenge } // Challenge implements the CodeVerifier.Challenge() interface function. func (v *S256Verifier) Method() ChallengeMethod { return v.method } // Method implements the CodeVerifier.Method() interface function. @@ -99,3 +139,35 @@ func CreateCodeChallenge(v CodeVerifier) (string, error) { sum := h.Sum(nil) return base64.RawURLEncoding.EncodeToString(sum), nil } + +// pkceOptions is the set of available options. +type pkceOptions struct { + withVerifier string +} + +// pkceDefaults is a handy way to get the defaults at runtime and +// during unit tests. +func pkceDefaults() pkceOptions { + return pkceOptions{} +} + +// getPKCEOpts gets the defaults and applies the opt overrides passed in. +func getPKCEOpts(opt ...Option) pkceOptions { + opts := pkceDefaults() + ApplyOpts(&opts, opt...) + return opts +} + +// WithVerifier provides an optional verifier for the code verifier. When this +// option is provided, NewCodeVerifier will use the provided verifier. Note the +// verifier must use the base62 character set. +// See: https://datatracker.ietf.org/doc/html/rfc7636#section-4.1 +// +// Valid for: NewVerifier +func WithVerifier(verifier string) Option { + return func(o interface{}) { + if o, ok := o.(*pkceOptions); ok { + o.withVerifier = verifier + } + } +} diff --git a/oidc/pkce_verifier_test.go b/oidc/pkce_verifier_test.go index a406a89..e8e2853 100644 --- a/oidc/pkce_verifier_test.go +++ b/oidc/pkce_verifier_test.go @@ -9,6 +9,7 @@ import ( "errors" "testing" + "github.com/hashicorp/cap/oidc/internal/base62" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -18,7 +19,7 @@ func TestNewCodeVerifier(t *testing.T) { assert, require := assert.New(t), require.New(t) got, err := NewCodeVerifier() require.NoError(err) - assert.Equal(verifierLen, len(got.verifier)) + assert.Equal(minVerifierLen, len(got.verifier)) assert.Equal(S256, got.Method()) challenge, err := CreateCodeChallenge(got) @@ -53,3 +54,35 @@ func TestCreateCodeChallenge(t *testing.T) { assert.True(errors.Is(err, ErrUnsupportedChallengeMethod)) }) } + +func Test_WithVerifier(t *testing.T) { + t.Parallel() + assert, require := assert.New(t), require.New(t) + v, err := base62.Random(43) + require.NoError(err) + got, err := NewCodeVerifier(WithVerifier(v)) + require.NoError(err) + assert.Equal(v, got.Verifier()) + + // Test that the verifier is too short + v, err = base62.Random(42) + require.NoError(err) + _, err = NewCodeVerifier(WithVerifier(v)) + require.Error(err) + assert.Contains(err.Error(), "verifier length is less than 43") + + // Test that the verifier is too long + v, err = base62.Random(129) + require.NoError(err) + _, err = NewCodeVerifier(WithVerifier(v)) + require.Error(err) + assert.Contains(err.Error(), "verifier length is greater than 128") + + // Test that the verifier contains invalid characters + v, err = base62.Random(43) + require.NoError(err) + v = v + "!" + _, err = NewCodeVerifier(WithVerifier(v)) + require.Error(err) + assert.Contains(err.Error(), "verifier contains invalid characters") +}