hashicorp · mikeokner · Mar 27, 2017 · Mar 27, 2017 · Mar 30, 2017 · Mar 31, 2017
diff --git a/builtin/credential/oauth2/backend.go b/builtin/credential/oauth2/backend.go
@@ -0,0 +1,170 @@
+package oauth2
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/logical/framework"
+	goauth2 "golang.org/x/oauth2"
+)
+
+func Factory(conf *logical.BackendConfig) (logical.Backend, error) {
+	return Backend().Setup(conf)
+}
+
+func Backend() *backend {
+	var b backend
+	b.Backend = &framework.Backend{
+		Help: backendHelp,
+
+		PathsSpecial: &logical.Paths{
+			Unauthenticated: []string{
+				"login/*",
+			},
+		},
+
+		Paths: append([]*framework.Path{
+			pathConfig(&b),
+			pathUsers(&b),
+			pathGroups(&b),
+			pathUsersList(&b),
+			pathGroupsList(&b),
+			pathLogin(&b),
+		}),
+
+		AuthRenew: b.pathLoginRenew,
+	}
+
+	return &b
+}
+
+type backend struct {
+	*framework.Backend
+}
+
+func (b *backend) Login(req *logical.Request, username string, password string) ([]string, *logical.Response, error) {
+	cfg, err := b.Config(req.Storage)
+	if err != nil {
+		return nil, nil, err
+	}
+	if cfg == nil {
+		return nil, logical.ErrorResponse("Oauth2 backend not configured"), nil
+	}
+
+	oauthConfig := cfg.OauthConfig()
+	token, err := oauthConfig.PasswordCredentialsToken(goauth2.NoContext, username, password)
+	if err != nil {
+		return nil, logical.ErrorResponse(fmt.Sprintf("Oauth2 auth failed: %v", err)), nil
+	}
+	if token == nil {
+		return nil, logical.ErrorResponse("Oauth2 auth backend unexpected failure"), nil
+	}
+
+	// Get groups assigned by oauth provider from UserInfoURL
+	oauthGroups, err := b.getOauthGroups(cfg, oauthConfig, token)
+	if err != nil {
+		return nil, logical.ErrorResponse(err.Error()), nil
+	}
+	if b.Logger().IsDebug() {
+		b.Logger().Debug("auth/oauth2: Groups fetched", "num_groups", len(oauthGroups),
+			"groups", oauthGroups)
+	}
+
+	oauthResponse := &logical.Response{
+		Data: map[string]interface{}{},
+	}
+	if len(oauthGroups) == 0 {
+		errString := fmt.Sprintf(
+			"no groups found; only policies from locally-defined groups available")
+		oauthResponse.AddWarning(errString)
+	}
+
+	var allGroups []string
+	// Get locally-assigned group memberships
+	user, err := b.User(req.Storage, username)
+	if err == nil && user != nil && user.Groups != nil {
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("auth/oauth2: adding local groups", "num_local_groups",
+				len(user.Groups), "local_groups", user.Groups)
+		}
+		allGroups = append(allGroups, user.Groups...)
+	}
+	// Merge local and oauth groups
+	allGroups = append(allGroups, oauthGroups...)
+
+	// Retrieve policies for given groups
+	var policies []string
+	for _, groupName := range allGroups {
+		group, err := b.Group(req.Storage, groupName)
+		if err == nil && group != nil && group.Policies != nil {
+			policies = append(policies, group.Policies...)
+		}
+	}
+
+	// Merge individually-assigned user policies into group policies
+	if user != nil && user.Policies != nil {
+		policies = append(policies, user.Policies...)
+	}
+
+	if len(policies) == 0 {
+		errStr := "user is not a member of any authorized policy"
+		if len(oauthResponse.Warnings()) > 0 {
+			errStr = fmt.Sprintf("%s; additionally, %s", errStr, oauthResponse.Warnings()[0])
+		}
+
+		oauthResponse.Data["error"] = errStr
+		return nil, oauthResponse, nil
+	}
+
+	return policies, oauthResponse, nil
+}
+
+func (b *backend) getOauthGroups(cfg *ConfigEntry, oauthConfig *goauth2.Config, token *goauth2.Token) ([]string, error) {
+	if len(cfg.UserInfoURL) != 0 {
+		client := oauthConfig.Client(goauth2.NoContext, token)
+		res, err := client.Get(cfg.UserInfoURL)
+		if err != nil {
+			return nil, err
+		}
+		defer res.Body.Close()
+
+		var parsed map[string]interface{}
+		err = json.NewDecoder(res.Body).Decode(&parsed)
+		if err != nil {
+			return nil, err
+		}
+
+		// Allow groups to be a JSON array or a CSV list
+		switch parsedGroups := parsed[cfg.UserInfoGroupKey].(type) {
+		case []interface{}:
+			groups := make([]string, len(parsedGroups))
+			for i, group := range parsedGroups {
+				groups[i] = group.(string)
+			}
+			return groups, nil
+		case string:
+			groups := strings.Split(parsedGroups, ",")
+			for i, group := range groups {
+				groups[i] = strings.TrimSpace(group)
+			}
+			return groups, nil
+		default:
+			return nil, errors.New("Failed to parse groups")
+		}
+	}
+	return []string{}, nil
+}
+
+const backendHelp = `
+The Oauth2 backend allows for authenticating users using the 'Resource Owner
+Password Flow'.  It associates policies using data provided along side the
+returned bearer token or by querying a user info endpoint after successful
+authentication.
+
+Configuration of the connection is done through the "config" and "policies"
+endpoints by a user with root access. Authentication is then done
+by suppying the two fields for "login".
+`
diff --git a/builtin/credential/oauth2/backend_test.go b/builtin/credential/oauth2/backend_test.go
@@ -0,0 +1,181 @@
+package oauth2
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/helper/logformat"
+	"github.com/hashicorp/vault/helper/policyutil"
+	log "github.com/mgutz/logxi/v1"
+
+	"github.com/hashicorp/vault/logical"
+	logicaltest "github.com/hashicorp/vault/logical/testing"
+)
+
+func TestBackend_Config(t *testing.T) {
+	t.Logf("Running oauth2 tests...\n")
+	b, err := Factory(&logical.BackendConfig{
+		Logger: logformat.NewVaultLogger(log.LevelTrace),
+		System: &logical.StaticSystemView{},
+	})
+	if err != nil {
+		t.Fatalf("Unable to create backend: %s", err)
+	}
+
+	username := os.Getenv("VT_OAUTH_USERNAME")
+	password := os.Getenv("VT_OAUTH_PASSWORD")
+
+	configData := map[string]interface{}{
+		"client_id":     os.Getenv("VT_OAUTH_CLIENT_ID"),
+		"client_secret": os.Getenv("VT_OAUTH_CLIENT_SECRET"),
+		"provider_url":  os.Getenv("VT_OAUTH_PROVIDER_URL"),
+		"userinfo_url":  os.Getenv("VT_OAUTH_USERINFO_URL"),
+		"scope":         os.Getenv("VT_OAUTH_SCOPE"),
+	}
+
+	logicaltest.Test(t, logicaltest.TestCase{
+		AcceptanceTest: true,
+		PreCheck:       func() { testAccPreCheck(t) },
+		Backend:        b,
+		Steps: []logicaltest.TestStep{
+			// Write config
+			testConfigCreate(t, configData),
+			// Read config back out
+			testConfigRead(t, configData),
+			// Login should fail with bad creds
+			testLoginWrite(t, username, "wrong", "auth failed", nil),
+			// Login should fail with successful creds but no policy assignments
+			testLoginWrite(t, username, password, "user is not a member of any authorized policy", nil),
+			// Update user with local group membership
+			testAccUserGroups(t, username, "local_group,local_group2"),
+			// Add policy to group
+			testAccGroups(t, "local_group", "local_group_policy"),
+			// Test user has group policy
+			testLoginWrite(t, username, password, "", []string{"local_group_policy"}),
+			// Add policy to second local group
+			testAccGroups(t, "local_group2", "local_group2_policy"),
+			// Test user got policy from second local group
+			testLoginWrite(t, username, password, "", []string{"local_group_policy", "local_group2_policy"}),
+			// Add two policies to the "Everyone" group
+			testAccGroups(t, "local_group3", "local_group3_policy"),
+			// Test user didn't get policies of group3
+			testLoginWrite(t, username, password, "", []string{"local_group_policy", "local_group2_policy"}),
+		},
+	})
+}
+
+func testLoginWrite(t *testing.T, username, password, reason string, policies []string) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.UpdateOperation,
+		Path:      "login/" + username,
+		ErrorOk:   true,
+		Data: map[string]interface{}{
+			"username": username,
+			"password": password,
+		},
+		Check: func(resp *logical.Response) error {
+			if resp.IsError() {
+				if reason == "" {
+					return resp.Error()
+				} else if !strings.Contains(resp.Error().Error(), reason) {
+					return fmt.Errorf("expected '%s' but got '%s'", reason, resp.Error().Error())
+				}
+			}
+
+			if resp.Auth != nil {
+				if !policyutil.EquivalentPolicies(resp.Auth.Policies, policies) {
+					return fmt.Errorf("policy mismatch; expected %v but got %v", policies, resp.Auth.Policies)
+				}
+			}
+
+			return nil
+		},
+	}
+}
+
+func testConfigCreate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.CreateOperation,
+		Path:      "config",
+		Data:      d,
+	}
+}
+
+func testConfigUpdate(t *testing.T, d map[string]interface{}) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.UpdateOperation,
+		Path:      "config",
+		Data:      d,
+	}
+}
+
+func testConfigRead(t *testing.T, d map[string]interface{}) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.ReadOperation,
+		Path:      "config",
+		Check: func(resp *logical.Response) error {
+			if resp.IsError() {
+				return resp.Error()
+			}
+
+			if resp.Data["ProviderURL"] != d["provider_url"] {
+				return fmt.Errorf("ProviderURL mismatch expected %s but got %s", d["provider_url"], resp.Data["ProviderURL"])
+			}
+
+			if resp.Data["UserInfoURL"] != d["userinfo_url"] {
+				return fmt.Errorf("UserInfoURL mismatch expected %s but got %s", d["userinfo_url"], resp.Data["UserInfoURL"])
+			}
+
+			if resp.Data["ClientID"] != d["client_id"] {
+				return fmt.Errorf("ClientID mismatch expected %s but got %s", d["client_id"], resp.Data["ClientID"])
+			}
+
+			if resp.Data["Scope"] != d["scope"] {
+				return fmt.Errorf("Scope mismatch expected %s but got %s", d["scope"], resp.Data["Scope"])
+			}
+
+			if _, present := resp.Data["ClientSecret"]; present {
+				return fmt.Errorf("ClientSecret should not be readable")
+			}
+
+			return nil
+		},
+	}
+}
+
+func testAccPreCheck(t *testing.T) {
+	if v := os.Getenv("VT_OAUTH_USERNAME"); v == "" {
+		t.Fatal("VT_OAUTH_USERNAME must be set for acceptance tests")
+	}
+
+	if v := os.Getenv("VT_OAUTH_PASSWORD"); v == "" {
+		t.Fatal("VT_OAUTH_PASSWORD must be set for acceptance tests")
+	}
+
+	if v := os.Getenv("VT_OAUTH_PROVIDER_URL"); v == "" {
+		t.Fatal("VT_OAUTH_PROVIDER_URL must be set for acceptance tests")
+	}
+}
+
+func testAccUserGroups(t *testing.T, user string, groups string) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.UpdateOperation,
+		Path:      "users/" + user,
+		Data: map[string]interface{}{
+			"groups": groups,
+		},
+	}
+}
+
+func testAccGroups(t *testing.T, group string, policies string) logicaltest.TestStep {
+	t.Logf("[testAccGroups] - Registering group %s, policy %s", group, policies)
+	return logicaltest.TestStep{
+		Operation: logical.UpdateOperation,
+		Path:      "groups/" + group,
+		Data: map[string]interface{}{
+			"policies": policies,
+		},
+	}
+}