viaprog/seaweedfs
1
0
Fork 0
mirror of https://github.com/seaweedfs/seaweedfs.git synced 2026-06-13 23:36:45 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d951a8df5a72a02fb8029c4f340b6be346899afa
seaweedfs/weed/iam/oidc/oidc_discovery_test.go
T
Chris Lu d951a8df5a feat(iam): STS web-identity AWS-fidelity polish (Phase 1) (#9318) 
* feat(iam): STS web-identity AWS-fidelity polish

- OIDC discovery via .well-known/openid-configuration; falls back to
  /.well-known/jwks.json when discovery is absent. Reject discovery docs
  whose issuer claim does not match the configured issuer to defend
  against issuer-substitution.
- ComputeParentUser derives a stable per-identity hash from (sub, iss).
  Surface as aws:userid in the request context and as a parent_user
  claim in the session JWT so per-user state survives token rotation.
- Per-role MaxSessionDuration (3600..43200) clamps requested
  DurationSeconds before the STS service applies its own caps.
- Tighten RoleSessionName to the AWS contract: 2..64 chars from
  [\w+=,.@-].
- Populate PackedPolicySize in AssumeRole / AssumeRoleWithWebIdentity /
  AssumeRoleWithLDAPIdentity responses as a percentage of the 2048-byte
  inline session policy budget.

* fix(iam): leave omitted DurationSeconds nil so STS default applies

capDurationByRole was substituting the role's MaxSessionDuration
when the caller omitted DurationSeconds entirely. AWS returns the
configured default (typically 1 hour) in that case, not the role's
upper bound — a 12h MaxSessionDuration shouldn't silently make every
no-duration assume-role mint a 12h session.

Return nil when requested is nil; let the downstream
calculateSessionDuration in the STS service apply its TokenDuration
default. The role-max upper bound still clamps when the request
arrives with a concrete value above the cap.

Addresses gemini high-priority review on PR #9318.

* fix(iam): synchronize OIDCProvider JWKS cache fields

jwksCache, jwksFetchedAt, resolvedJWKSUri, and discoveryFailed are
mutated lazily on the first token-validate call and refreshed
afterwards on TTL expiry. Multiple S3 requests can land here in
parallel, so the writes were racing against subsequent reads on
every other goroutine. resolvedJWKSUri/discoveryFailed inherited
the same un-protected pattern when discovery shipped.

Add sync.RWMutex; getPublicKey takes the read lock for the
common cache-hit path and promotes to the write lock for misses
+ refreshes. fetchJWKSLocked / resolveJWKSUriLocked assume the
write lock is held by the caller; fetchJWKS keeps the
test-friendly entry point that acquires the lock itself.

Addresses gemini high-priority review on PR #9318.

* fix(iam): trim trailing slash + retry discovery after transient failure

Two OIDC discovery edge cases reviewers flagged:

1. Issuer comparison was sensitive to trailing slashes. resolveJWKSUri
   trims them when building the discovery URL, but the doc.Issuer ↔
   p.config.Issuer check did not, so an IDP whose issuer claim drops or
   adds the slash relative to the configured value would be falsely
   rejected. Trim a single trailing slash on each side before comparing.

2. discoveryFailed flipped to true on any error and stayed there for the
   process lifetime. A transient 5xx at startup permanently locked the
   provider into the /.well-known/jwks.json fallback. Reset the flag at
   the top of fetchJWKSLocked when no URI has been cached yet, so each
   JWKS refresh (typically once per TTL = 1h) reattempts discovery.
   Successful discovery remains cached via resolvedJWKSUri so we don't
   pay the discovery RTT on every refresh.

Addresses gemini security-medium + medium reviews on PR #9318.

* fix(iam): require non-empty issuer in OIDC discovery doc

The previous "doc.Issuer != "" && ..." guard let a discovery document
that omitted the issuer field bypass the issuer-mismatch check
entirely, letting the doc steer fetchJWKS at any URL it provided.
OIDC Discovery 1.0 §3 mandates the issuer field; treat missing as a
hard failure same as mismatched. Trailing-slash equivalence still
applies.

Adds TestDiscoveryRejectsMissingIssuer alongside the existing
TestDiscoveryRejectsIssuerMismatch via a new omitDiscoveryIssuer
toggle on fakeIDP.
2026-05-04 22:10:49 -07:00

198 lines
6.5 KiB
Go
Raw Blame History

package oidc
import (
"context"
"encoding/json"
"net/http"
"net/http/httptest"
"sync/atomic"
"testing"
)
// fakeIDP wraps an httptest.Server and counts how many times each well-known
// endpoint is hit. Tests use it to assert discovery vs. fallback behaviour.
type fakeIDP struct {
server *httptest.Server
discoveryHits atomic.Int32
jwksHits atomic.Int32
customJWKSHits atomic.Int32
disableDiscovery bool
discoveryStatusCode int
discoveryIssuer string
omitDiscoveryIssuer bool // when true, the discovery doc omits the "issuer" field entirely
customJWKSPathSuffix string // optional suffix that fakeIDP serves at /custom/<suffix>
jwks JWKS
}
func newFakeIDP(t *testing.T) *fakeIDP {
t.Helper()
idp := &fakeIDP{
discoveryStatusCode: http.StatusOK,
jwks: JWKS{Keys: []JWK{{Kty: "RSA", Kid: "k1", Use: "sig", Alg: "RS256", N: "AQAB", E: "AQAB"}}},
}
mux := http.NewServeMux()
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
idp.discoveryHits.Add(1)
if idp.disableDiscovery {
http.NotFound(w, r)
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(idp.discoveryStatusCode)
issuer := idp.discoveryIssuer
if issuer == "" {
issuer = idp.server.URL
}
jwksURI := idp.server.URL + "/discovered/jwks"
if idp.customJWKSPathSuffix != "" {
jwksURI = idp.server.URL + "/custom/" + idp.customJWKSPathSuffix
}
body := map[string]string{"jwks_uri": jwksURI}
if !idp.omitDiscoveryIssuer {
body["issuer"] = issuer
}
_ = json.NewEncoder(w).Encode(body)
})
mux.HandleFunc("/discovered/jwks", func(w http.ResponseWriter, r *http.Request) {
idp.jwksHits.Add(1)
_ = json.NewEncoder(w).Encode(idp.jwks)
})
mux.HandleFunc("/.well-known/jwks.json", func(w http.ResponseWriter, r *http.Request) {
idp.jwksHits.Add(1)
_ = json.NewEncoder(w).Encode(idp.jwks)
})
mux.HandleFunc("/custom/", func(w http.ResponseWriter, r *http.Request) {
idp.customJWKSHits.Add(1)
_ = json.NewEncoder(w).Encode(idp.jwks)
})
idp.server = httptest.NewServer(mux)
t.Cleanup(idp.server.Close)
return idp
}
func newProviderForIDP(t *testing.T, idp *fakeIDP, jwksURIOverride string) *OIDCProvider {
t.Helper()
p := NewOIDCProvider("test")
cfg := &OIDCConfig{
Issuer: idp.server.URL,
ClientID: "test-client",
JWKSUri: jwksURIOverride,
}
if err := p.Initialize(cfg); err != nil {
t.Fatalf("Initialize: %v", err)
}
return p
}
func TestDiscoveryHappyPath(t *testing.T) {
idp := newFakeIDP(t)
p := newProviderForIDP(t, idp, "")
if err := p.fetchJWKS(context.Background()); err != nil {
t.Fatalf("fetchJWKS: %v", err)
}
if got := idp.discoveryHits.Load(); got != 1 {
t.Fatalf("expected 1 discovery hit, got %d", got)
}
if got := idp.jwksHits.Load(); got != 1 {
t.Fatalf("expected 1 JWKS hit at discovered uri, got %d", got)
}
// A second fetch reuses the cached jwks_uri without re-discovering.
if err := p.fetchJWKS(context.Background()); err != nil {
t.Fatalf("fetchJWKS second: %v", err)
}
if got := idp.discoveryHits.Load(); got != 1 {
t.Fatalf("discovery should be cached, got %d hits", got)
}
}
func TestDiscoveryFallback404(t *testing.T) {
idp := newFakeIDP(t)
idp.disableDiscovery = true
p := newProviderForIDP(t, idp, "")
if err := p.fetchJWKS(context.Background()); err != nil {
t.Fatalf("fetchJWKS: %v", err)
}
if got := idp.discoveryHits.Load(); got != 1 {
t.Fatalf("expected 1 discovery probe, got %d", got)
}
if got := idp.jwksHits.Load(); got != 1 {
t.Fatalf("expected 1 JWKS hit at fallback uri, got %d", got)
}
// Subsequent fetches retry discovery — discoveryFailed resets at the top
// of fetchJWKSLocked when no URI was cached, so a transient 5xx at
// startup doesn't lock the provider into the fallback path forever.
// Retry rate is bounded by the JWKS TTL (one retry per refresh cycle).
if err := p.fetchJWKS(context.Background()); err != nil {
t.Fatalf("fetchJWKS second: %v", err)
}
if got := idp.discoveryHits.Load(); got != 2 {
t.Fatalf("discovery probe should retry while no URI is cached, got %d hits", got)
}
}
func TestDiscoveryDisabledByExplicitJWKSUri(t *testing.T) {
idp := newFakeIDP(t)
override := idp.server.URL + "/custom/explicit"
idp.customJWKSPathSuffix = "explicit"
p := newProviderForIDP(t, idp, override)
if err := p.fetchJWKS(context.Background()); err != nil {
t.Fatalf("fetchJWKS: %v", err)
}
if got := idp.discoveryHits.Load(); got != 0 {
t.Fatalf("explicit JWKSUri should bypass discovery, got %d hits", got)
}
if got := idp.customJWKSHits.Load(); got != 1 {
t.Fatalf("expected 1 custom JWKS hit, got %d", got)
}
}
func TestDiscoveryRejectsIssuerMismatch(t *testing.T) {
idp := newFakeIDP(t)
idp.discoveryIssuer = "https://attacker.example/"
p := newProviderForIDP(t, idp, "")
if err := p.fetchJWKS(context.Background()); err != nil {
t.Fatalf("fetchJWKS should fall back to /.well-known/jwks.json, got error: %v", err)
}
// Discovery probe was tried once, rejected, then fell through to fallback path.
if got := idp.discoveryHits.Load(); got != 1 {
t.Fatalf("expected 1 discovery probe, got %d", got)
}
if got := idp.jwksHits.Load(); got != 1 {
t.Fatalf("expected 1 fallback JWKS hit, got %d", got)
}
}
// TestDiscoveryRejectsMissingIssuer: a discovery document that omits the
// issuer field entirely must be treated the same as one that supplies a
// mismatched issuer. Otherwise an attacker who can intercept the discovery
// response can strip the issuer field and the comparison silently passes,
// letting the document point fetchJWKS at any URL it pleases.
func TestDiscoveryRejectsMissingIssuer(t *testing.T) {
idp := newFakeIDP(t)
idp.omitDiscoveryIssuer = true
p := newProviderForIDP(t, idp, "")
if err := p.fetchJWKS(context.Background()); err != nil {
t.Fatalf("fetchJWKS should fall back to /.well-known/jwks.json on issuer-missing discovery: %v", err)
}
if got := idp.discoveryHits.Load(); got != 1 {
t.Fatalf("expected 1 discovery probe, got %d", got)
}
// The discovery document was rejected; the JWKS that ultimately served
// us must be the fallback one, not the discovered URI. The fakeIDP
// counts both hits under jwksHits since they share a counter; what
// matters is that customJWKSHits stayed zero.
if got := idp.customJWKSHits.Load(); got != 0 {
t.Fatalf("custom JWKS endpoint must not have been used, got %d hits", got)
}
if got := idp.jwksHits.Load(); got != 1 {
t.Fatalf("expected 1 fallback JWKS hit, got %d", got)
}
}
Reference in New Issue View Git Blame Copy Permalink