fix(oauth): analyze id_token for Azure [EE-2984] (#7000)

2025-07-22 06:49:40 +02:00 · 2022-07-06 13:22:57 +12:00 · 2022-07-06 13:22:57 +12:00 · fd4b515350
commit fd4b515350
parent 0cd2a4558b
7 changed files with 428 additions and 46 deletions
--- a/api/oauth/oauthtest/oauth_server.go
+++ b/api/oauth/oauthtest/oauth_server.go
@ -0,0 +1,96 @@
+package oauthtest
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+
+	"github.com/gorilla/mux"
+	portainer "github.com/portainer/portainer/api"
+)
+
+const (
+	AccessToken = "test-token"
+)
+
+// OAuthRoutes is an OAuth 2.0 compliant handler
+func OAuthRoutes(code string, config *portainer.OAuthSettings) http.Handler {
+	router := mux.NewRouter()
+
+	router.HandleFunc(
+		"/authorize",
+		func(w http.ResponseWriter, req *http.Request) {
+			location := fmt.Sprintf("%s?code=%s&state=%s", config.RedirectURI, code, "anything")
+			// w.Header().Set("Location", location)
+			// w.WriteHeader(http.StatusFound)
+			http.Redirect(w, req, location, http.StatusFound)
+		},
+	).Methods(http.MethodGet)
+
+	router.HandleFunc(
+		"/access_token",
+		func(w http.ResponseWriter, req *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+
+			if err := req.ParseForm(); err != nil {
+				fmt.Fprintf(w, "ParseForm() err: %v", err)
+				return
+			}
+
+			reqCode := req.FormValue("code")
+			if reqCode != code {
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+
+			w.WriteHeader(http.StatusOK)
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"token_type":   "Bearer",
+				"expires_in":   86400,
+				"access_token": AccessToken,
+				"scope":        "groups",
+			})
+		},
+	).Methods(http.MethodPost)
+
+	router.HandleFunc(
+		"/user",
+		func(w http.ResponseWriter, req *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+
+			authHeader := req.Header.Get("Authorization")
+			splitToken := strings.Split(authHeader, "Bearer ")
+			if len(splitToken) < 2 || splitToken[1] != AccessToken {
+				w.WriteHeader(http.StatusUnauthorized)
+				return
+			}
+
+			w.WriteHeader(http.StatusOK)
+			json.NewEncoder(w).Encode(map[string]interface{}{
+				"username": "test-oauth-user",
+				"groups":   "testing",
+			})
+		},
+	).Methods(http.MethodGet)
+
+	return router
+}
+
+// RunOAuthServer is a barebones OAuth 2.0 compliant test server which can be used to test OAuth 2 functionality
+func RunOAuthServer(code string, config *portainer.OAuthSettings) (*httptest.Server, *portainer.OAuthSettings) {
+	srv := httptest.NewUnstartedServer(http.DefaultServeMux)
+
+	addr := srv.Listener.Addr()
+
+	config.AuthorizationURI = fmt.Sprintf("http://%s/authorize", addr)
+	config.AccessTokenURI = fmt.Sprintf("http://%s/access_token", addr)
+	config.ResourceURI = fmt.Sprintf("http://%s/user", addr)
+	config.RedirectURI = fmt.Sprintf("http://%s/", addr)
+
+	srv.Config.Handler = OAuthRoutes(code, config)
+	srv.Start()
+
+	return srv, config
+}