Add scope flag to idp commands (#19727)

* Add `scope` flag to idp commands * fix flag inherit
gitpod-io · May 15, 2024 · 5ff4535 · 5ff4535
1 parent 2aaa732
commit 5ff4535
Show file tree

Hide file tree

Showing 11 changed files with 124 additions and 23 deletions.
diff --git a/components/gitpod-cli/cmd/idp-gcloud-token.go b/components/gitpod-cli/cmd/idp-gcloud-token.go
@@ -43,7 +43,7 @@ var idpGCloudTokenCmd = &cobra.Command{
 			}
 		}()
 
-		tkn, err := idpToken(ctx, idpGCloudTokenOpts.Audience)
+		tkn, err := idpToken(ctx, idpGCloudTokenOpts.Audience, "")
 		if err != nil {
 			return err
 		}

diff --git a/components/gitpod-cli/cmd/idp-login-aws.go b/components/gitpod-cli/cmd/idp-login-aws.go
@@ -43,7 +43,7 @@ var idpLoginAwsCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
 
-		tkn, err := idpToken(ctx, idpLoginAwsOpts.Audience)
+		tkn, err := idpToken(ctx, idpLoginAwsOpts.Audience, idpLoginOpts.Scope)
 		if err != nil {
 			return err
 		}

diff --git a/components/gitpod-cli/cmd/idp-login-vault.go b/components/gitpod-cli/cmd/idp-login-vault.go
@@ -33,7 +33,7 @@ var idpLoginVaultCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
 
-		tkn, err := idpToken(ctx, idpLoginVaultOpts.Audience)
+		tkn, err := idpToken(ctx, idpLoginVaultOpts.Audience, idpLoginOpts.Scope)
 		if err != nil {
 			return err
 		}

diff --git a/components/gitpod-cli/cmd/idp-login.go b/components/gitpod-cli/cmd/idp-login.go
@@ -8,11 +8,17 @@ import (
 	"github.com/spf13/cobra"
 )
 
+var idpLoginOpts struct {
+	Scope string
+}
+
 var idpLoginCmd = &cobra.Command{
 	Use:   "login",
 	Short: "Login to a service for which trust has been established",
 }
 
 func init() {
 	idpCmd.AddCommand(idpLoginCmd)
+
+	idpLoginCmd.PersistentFlags().StringVar(&idpLoginOpts.Scope, "scope", "", "scopes string of the ID token")
 }
diff --git a/components/gitpod-cli/cmd/idp-token.go b/components/gitpod-cli/cmd/idp-token.go
@@ -26,6 +26,7 @@ import (
 var idpTokenOpts struct {
 	Audience []string
 	Decode   bool
+	Scope    string
 }
 
 var idpTokenCmd = &cobra.Command{
@@ -37,7 +38,7 @@ var idpTokenCmd = &cobra.Command{
 		ctx, cancel := context.WithTimeout(cmd.Context(), 5*time.Second)
 		defer cancel()
 
-		tkn, err := idpToken(ctx, idpTokenOpts.Audience)
+		tkn, err := idpToken(ctx, idpTokenOpts.Audience, idpTokenOpts.Scope)
 
 		token, _, err := jwt.NewParser().ParseUnverified(tkn, jwt.MapClaims{})
 		if err != nil {
@@ -66,7 +67,7 @@ var idpTokenCmd = &cobra.Command{
 	},
 }
 
-func idpToken(ctx context.Context, audience []string) (idToken string, err error) {
+func idpToken(ctx context.Context, audience []string, scope string) (idToken string, err error) {
 	wsInfo, err := gitpod.GetWSInfo(ctx)
 	if err != nil {
 		return "", err
@@ -95,6 +96,7 @@ func idpToken(ctx context.Context, audience []string) (idToken string, err error
 		Msg: &v1.GetIDTokenRequest{
 			Audience:    audience,
 			WorkspaceId: wsInfo.WorkspaceId,
+			Scope:       scope,
 		},
 	})
 	if err != nil {
@@ -110,4 +112,5 @@ func init() {
 	_ = idpTokenCmd.MarkFlagRequired("audience")
 
 	idpTokenCmd.Flags().BoolVar(&idpTokenOpts.Decode, "decode", false, "decode token to JSON")
+	idpTokenCmd.Flags().StringVar(&idpTokenOpts.Scope, "scope", "", "scopes string of the ID token")
 }
diff --git a/components/public-api-server/pkg/apiv1/identityprovider.go b/components/public-api-server/pkg/apiv1/identityprovider.go
@@ -96,6 +96,10 @@ func (srv *IdentityProviderService) GetIDToken(ctx context.Context, req *connect
 	userInfo.AppendClaims("context", workspace.Workspace.ContextURL)
 	userInfo.AppendClaims("workspace_id", workspaceID)
 
+	if req.Msg.GetScope() != "" {
+		userInfo.AppendClaims("scope", req.Msg.GetScope())
+	}
+
 	if workspace.Workspace.Context != nil && workspace.Workspace.Context.Repository != nil && workspace.Workspace.Context.Repository.CloneURL != "" {
 		userInfo.AppendClaims("repository", workspace.Workspace.Context.Repository.CloneURL)
 	}

diff --git a/components/public-api-server/pkg/apiv1/identityprovider_test.go b/components/public-api-server/pkg/apiv1/identityprovider_test.go
@@ -205,6 +205,56 @@ func TestGetIDToken(t *testing.T) {
 				Error: connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("Must have at least one audience entry")).Error(),
 			},
 		},
+		{
+			Name: "include scope",
+			TokenSource: func(t *testing.T) IDTokenSource {
+				return functionIDTokenSource(func(ctx context.Context, org string, audience []string, userInfo oidc.UserInfo) (string, error) {
+					require.Equal(t, "correct@gitpod.io", userInfo.GetEmail())
+					require.True(t, userInfo.IsEmailVerified())
+					require.Equal(t, "foo", userInfo.GetClaim("scope"))
+
+					return "foobar", nil
+				})
+			},
+			ServerSetup: func(ma *protocol.MockAPIInterface) {
+				ma.EXPECT().GetIDToken(gomock.Any()).MinTimes(1).Return(nil)
+				ma.EXPECT().GetWorkspace(gomock.Any(), workspaceID).MinTimes(1).Return(
+					&protocol.WorkspaceInfo{
+						Workspace: &protocol.Workspace{
+							ContextURL: "https://github.com/gitpod-io/gitpod",
+							Context: &protocol.WorkspaceContext{
+								Repository: &protocol.Repository{
+									CloneURL: "https://github.com/gitpod-io/gitpod.git",
+								},
+							},
+						},
+					},
+					nil,
+				)
+				ma.EXPECT().GetLoggedInUser(gomock.Any()).Return(
+					&protocol.User{
+						Name: "foobar",
+						Identities: []*protocol.Identity{
+							nil,
+							{Deleted: true, PrimaryEmail: "nonsense@gitpod.io"},
+							{Deleted: false, PrimaryEmail: "correct@gitpod.io"},
+						},
+						OrganizationId: "test",
+					},
+					nil,
+				)
+			},
+			Request: &v1.GetIDTokenRequest{
+				WorkspaceId: workspaceID,
+				Audience:    []string{"some.audience.com"},
+				Scope:       "foo",
+			},
+			Expectation: Expectation{
+				Response: &v1.GetIDTokenResponse{
+					Token: "foobar",
+				},
+			},
+		},
 		{
 			Name: "token source error",
 			TokenSource: func(t *testing.T) IDTokenSource {

diff --git a/components/public-api-server/pkg/identityprovider/idp_test.go b/components/public-api-server/pkg/identityprovider/idp_test.go
@@ -146,6 +146,28 @@ func TestIDToken(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name:     "with custom claims",
+			Audience: []string{"some.audience.com"},
+			UserInfo: func() oidc.UserInfo {
+				userInfo := oidc.NewUserInfo()
+				userInfo.AppendClaims("scope", "foobar")
+				return userInfo
+			}(),
+			Expectation: Expectation{
+				Token: &jwt.Token{
+					Method: &jwt.SigningMethodRSA{Name: "RS256", Hash: crypto.SHA256},
+					Header: map[string]interface{}{"alg": string(jose.RS256)},
+					Claims: jwt.MapClaims{
+						"aud":   []any{string("some.audience.com")},
+						"azp":   string("some.audience.com"),
+						"iss":   string("https://api.gitpod.io/idp"),
+						"scope": "foobar",
+					},
+					Valid: true,
+				},
+			},
+		},
 	}
 
 	for _, test := range tests {

diff --git a/components/public-api/gitpod/experimental/v1/identityprovider.proto b/components/public-api/gitpod/experimental/v1/identityprovider.proto
@@ -12,6 +12,7 @@ service IdentityProviderService {
 message GetIDTokenRequest {
   string workspace_id = 1;
   repeated string audience = 2;
+  string scope = 3;
 }
 
 message GetIDTokenResponse {

diff --git a/components/public-api/go/experimental/v1/identityprovider.pb.go b/components/public-api/go/experimental/v1/identityprovider.pb.go
diff --git a/components/public-api/typescript/src/gitpod/experimental/v1/identityprovider_pb.ts b/components/public-api/typescript/src/gitpod/experimental/v1/identityprovider_pb.ts