From 8d11ba02d33113686ad0d254884ef97ab761cbb4 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Thu, 30 Jun 2022 15:56:00 +0200
Subject: [PATCH] Remove unused OpenID connect middleware

The proxy comes with it's own middleware. This implementation was used by the graph service at some point but that went away with commit 5070941dc4056ce.
---
 ocis-pkg/middleware/openidconnect.go | 107 --------------------------
 1 file changed, 107 deletions(-)
 delete mode 100644 ocis-pkg/middleware/openidconnect.go

diff --git a/ocis-pkg/middleware/openidconnect.go b/ocis-pkg/middleware/openidconnect.go
deleted file mode 100644
index 2d48bad64..000000000
--- a/ocis-pkg/middleware/openidconnect.go
+++ /dev/null
@@ -1,107 +0,0 @@
-package middleware
-
-import (
- "context"
- "crypto/tls"
- "fmt"
- "net/http"
- "strings"
- "time"
-
- oidc "github.com/coreos/go-oidc/v3/oidc"
- ocisoidc "github.com/owncloud/ocis/v2/ocis-pkg/oidc"
- "golang.org/x/oauth2"
-)
-
-// newOIDCOptions initializes the available default options.
-func newOIDCOptions(opts ...ocisoidc.Option) ocisoidc.Options {
- opt := ocisoidc.Options{}
-
- for _, o := range opts {
- o(&opt)
- }
-
- return opt
-}
-
-// OpenIDConnect provides a middleware to check access secured by a static token.
-func OpenIDConnect(opts ...ocisoidc.Option) func(http.Handler) http.Handler {
- opt := newOIDCOptions(opts...)
-
- // set defaults
- if opt.Realm == "" {
- opt.Realm = opt.Endpoint
- }
- if len(opt.SigningAlgs) < 1 {
- opt.SigningAlgs = []string{"RS256", "PS256"}
- }
-
- var oidcProvider *oidc.Provider
-
- return func(next http.Handler) http.Handler {
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- header := r.Header.Get("Authorization")
-
- if header == "" || !strings.HasPrefix(header, "Bearer ") {
- w.Header().Add("WWW-Authenticate", fmt.Sprintf(`Bearer realm="%s"`, opt.Realm))
- http.Error(w, ErrInvalidToken.Error(), http.StatusUnauthorized)
- return
- }
-
- token := header[7:]
-
- tr := &http.Transport{
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: opt.Insecure, //nolint:gosec
- },
- }
- customHTTPClient := &http.Client{
- Transport: tr,
- Timeout: time.Second * 10,
- }
- customCtx := context.WithValue(r.Context(), oauth2.HTTPClient, customHTTPClient)
-
- // use cached provider
- if oidcProvider == nil {
- // Initialize a provider by specifying the issuer URL.
- // provider needs to be cached as when it is created
- // it will fetch the keys from the issuer using the .well-known
- // endpoint
- provider, err := oidc.NewProvider(customCtx, opt.Endpoint)
- if err != nil {
- opt.Logger.Error().Err(err).Msg("could not initialize oidc provider")
- w.WriteHeader(http.StatusInternalServerError)
- return
- }
- oidcProvider = provider
- }
-
- // The claims we want to have
- var claims map[string]interface{}
-
- // TODO cache userinfo for access token if we can determine the expiry (which works in case it is a jwt based access token)
- oauth2Token := &oauth2.Token{
- AccessToken: token,
- }
- userInfo, err := oidcProvider.UserInfo(customCtx, oauth2.StaticTokenSource(oauth2Token))
- if err != nil {
- opt.Logger.Error().Err(err).Msg("Failed to get userinfo")
- http.Error(w, ErrInvalidToken.Error(), http.StatusUnauthorized)
- return
- }
-
- // parse claims
- if err := userInfo.Claims(&claims); err != nil {
- opt.Logger.Error().Err(err).Interface("userinfo", userInfo).Msg("failed to unmarshal userinfo claims")
- w.WriteHeader(http.StatusInternalServerError)
- return
- }
- opt.Logger.Debug().Interface("claims", claims).Interface("userInfo", userInfo).Msg("unmarshalled userinfo")
- // store claims in context
- // uses the original context, not the one with probably reduced security
- nr := r.WithContext(ocisoidc.NewContext(r.Context(), claims))
-
- next.ServeHTTP(w, nr)
- })
- }
-}