From 5fa0eef3a02388c36e87421413e099c7b399cab0 Mon Sep 17 00:00:00 2001
From: Jim Kalafut
Date: Thu, 15 Aug 2019 09:46:39 -0700
Subject: [PATCH] Add common token fields to OIDC login response (#67)

This PR also reduces the chance of "too many open files" errors during tests by closing httptest servers.

Fixes #66
---
 path_login_test.go | 20 ++++++++++++++++++--
 path_oidc.go | 40 ++++++++++++++++++++++------------------
 path_oidc_test.go | 8 +++++---
 3 files changed, 45 insertions(+), 23 deletions(-)

diff --git a/path_login_test.go b/path_login_test.go
index 8c923796..9c4017ad 100644
--- a/path_login_test.go
+++ b/path_login_test.go
@@ -32,7 +32,17 @@ type testConfig struct {
 groupsClaim string
 }
 
-func setupBackend(t *testing.T, cfg testConfig) (logical.Backend, logical.Storage) {
+type closeableBackend struct {
+ logical.Backend
+
+ closeServerFunc func()
+}
+
+func setupBackend(t *testing.T, cfg testConfig) (closeableBackend, logical.Storage) {
+ cb := closeableBackend{
+ closeServerFunc: func() {},
+ }
+
 b, storage := getBackend(t)
 
 if cfg.groupsClaim == "" {
@@ -53,6 +63,8 @@ func setupBackend(t *testing.T, cfg testConfig) (logical.Backend, logical.Storag
 }
 } else {
 p := newOIDCProvider(t)
+ cb.closeServerFunc = p.server.Close
+
 cert, err := p.getTLSCert()
 if err != nil {
 t.Fatal(err)
@@ -124,7 +136,9 @@ func setupBackend(t *testing.T, cfg testConfig) (logical.Backend, logical.Storag
 t.Fatalf("err:%s resp:%#v\n", err, resp)
 }
 
- return b, storage
+ cb.Backend = b
+
+ return cb, storage
 }
 
 func getTestJWT(t *testing.T, privKey string, cl jwt.Claims, privateCl interface{}) (string, *ecdsa.PrivateKey) {
@@ -852,6 +866,7 @@ func testLogin_ExpiryClaims(t *testing.T, jwks bool) {
 } else if !tt.Valid && !resp.IsError() {
 t.Fatalf("[test %d: %s jws: %v] expected token expired error, got : %v", i, tt.Context, tt.JWKS, *resp)
 }
+ b.closeServerFunc()
 }
 }
 
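Review bot: The new `closeableBackend` type has no doc comment, and the reason its `closeServerFunc` starts out as `func() {}` in `setupBackend` is only discoverable by reading the OIDC branch further down. Add `// closeableBackend bundles the backend under test with a function that shuts down the httptest OIDC server created for it; closeServerFunc is a no-op when the test config starts no server.` above the type, and a one-liner on the default, `// no-op until the OIDC branch below installs p.server.Close`. setupBackend's body continues past this hunk.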
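Review bot: `b.closeServerFunc()` is only reached by an iteration that passes both checks, so a `t.Fatalf` in the same iteration leaves that server open; that is harmless because the test ends there, but the more important gap is that the close is added only in this loop and in the matching loop at @@ -929 of testLogin_NotBeforeClaims. Any other test that calls `setupBackend` (none is visible in the hunk, so this is inferred from the shared helper) still receives a server it never closes, so the descriptor leak the commit message targets is reduced rather than removed. Moving the per-case body into a helper that does `defer b.closeServerFunc()`, or auditing the remaining `setupBackend` callers, would close the gap. The enclosing loop and function start before this hunk.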
@@ -929,6 +944,7 @@ func testLogin_NotBeforeClaims(t *testing.T, jwks bool) {
 } else if !tt.Valid && !resp.IsError() {
 t.Fatalf("[test %d: %s jws: %v] expected token not valid yet error, got : %v", i, tt.Context, *resp, tt.JWKS)
 }
+ b.closeServerFunc()
 }
 }
 
diff --git a/path_oidc.go b/path_oidc.go
index ab1f18c7..0d1e96eb 100644
--- a/path_oidc.go
+++ b/path_oidc.go
@@ -199,25 +199,29 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 tokenMetadata[k] = v
 }
 
- resp := &logical.Response{
- Auth: &logical.Auth{
- Policies: role.Policies,
- DisplayName: alias.Name,
- Period: role.Period,
- NumUses: role.NumUses,
- Alias: alias,
- GroupAliases: groupAliases,
- InternalData: map[string]interface{}{
- "role": roleName,
- },
- Metadata: tokenMetadata,
- LeaseOptions: logical.LeaseOptions{
- Renewable: true,
- TTL: role.TTL,
- MaxTTL: role.MaxTTL,
- },
- BoundCIDRs: role.BoundCIDRs,
+ auth := &logical.Auth{
+ Policies: role.Policies,
+ DisplayName: alias.Name,
+ Period: role.Period,
+ NumUses: role.NumUses,
+ Alias: alias,
+ GroupAliases: groupAliases,
+ InternalData: map[string]interface{}{
+ "role": roleName,
+ },
+ Metadata: tokenMetadata,
+ LeaseOptions: logical.LeaseOptions{
+ Renewable: true,
+ TTL: role.TTL,
+ MaxTTL: role.MaxTTL,
 },
+ BoundCIDRs: role.BoundCIDRs,
+ }
+
+ role.PopulateTokenAuth(auth)
+
+ resp := &logical.Response{
+ Auth: auth,
 }
 
 return resp, nil
diff --git a/path_oidc_test.go b/path_oidc_test.go
index d18e828f..a67bef06 100644
--- a/path_oidc_test.go
+++ b/path_oidc_test.go
@@ -290,6 +290,7 @@ func TestOIDC_Callback(t *testing.T) {
 "color": "green",
 "size": "medium",
 },
+ NumUses: 10,
 }
 if useBoundCIDRs {
 sock, err := sockaddr.NewSockAddr("127.0.0.42")
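Review bot: The token-governing fields set inline in the `auth` literal (`Policies`, `Period`, `NumUses`, `TTL`, `MaxTTL`, `BoundCIDRs`, and `Renewable`) are assigned again by the `role.PopulateTokenAuth(auth)` call that follows, if that helper behaves like the Vault SDK tokenutil one, so the literal's values are dead and the effective lease, use-count, policy and CIDR restrictions on the issued token come solely from the role's token_* parameters. Keeping both makes it look as though the legacy `role.TTL`/`role.NumUses` fields still govern the token, which is exactly the kind of ambiguity a later security review will trip over. Either drop the duplicated fields from the literal, or document the precedence: `// PopulateTokenAuth overrides the policy, lease, num-uses and CIDR fields from the role's token_* parameters; the values set above are superseded.` The path_oidc_test.go change expecting `NumUses: 10` from `token_num_uses` suggests this precedence is intended. pathCallback starts before and ends after the hunk.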
@@ -896,9 +897,10 @@ func getBackendAndServer(t *testing.T, boundCIDRs bool) (logical.Backend, logica
 "COLOR": "color",
 "/nested/Size": "size",
 },
- "groups_claim": "/nested/Groups",
- "ttl": "3m",
- "max_ttl": "5m",
+ "groups_claim": "/nested/Groups",
+ "token_ttl": "3m",
+ "token_num_uses": 10,
+ "max_ttl": "5m",
 "bound_claims": map[string]interface{}{
 "password": "foo",
 "sk": "42",
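Review bot: The role fixture now mixes the new `token_ttl` and `token_num_uses` keys with the legacy `max_ttl`, so it exercises both parameter families at once and it is not obvious which one the 5m max TTL assertion elsewhere in the test is meant to come from. Unless the mix is deliberate, `"token_max_ttl": "5m",` keeps the fixture on one side; if it is deliberate, a short comment such as `// max_ttl kept in legacy form to cover the upgrade path` would stop the next edit from "fixing" it. getBackendAndServer's body continues on both sides of the hunk.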