Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DDO-3785] OIDC #608

Merged
merged 25 commits into from
Jul 25, 2024
Merged

[DDO-3785] OIDC #608

merged 25 commits into from
Jul 25, 2024

Conversation

jack-r-warren
Copy link
Contributor

@jack-r-warren jack-r-warren commented Jul 15, 2024
edited
Loading

  • Implements OIDC for "authorization service" usage, with /oidc as the issuer and /login as the "login" page that just validates auth requests based on middleware
  • Adds configuration option to have Sherlock never report an empty/null RequiredRole and instead default to a static string. This is a request from appsec as its easier to have downstream consumers use it verbatim than say that they properly implement some logic like environment.requiredRole ?? "all-users"

Testing

I've added tests for our implementation of the OIDC library we're using and the login page. Appsec has tested this in concert with ArgoCD and it got the thumb from them.

Risk

Low at this point due to testing.

@github-actions GitHub Actions
Copy link

No API changes detected

@github-actions GitHub Actions
Copy link

github-actions bot commented Jul 15, 2024
edited
Loading

Published image from 8a6f023 (merge deccad2):

us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:v1.5.22-deccad2
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:v1.5.22-deccad2

@codecov Codecov
Copy link

codecov bot commented Jul 15, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 48.41499% with 358 lines in your changes missing coverage. Please review.

Project coverage is 69.62%. Comparing base (ac76150) to head (8a6f023).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #608      +/-   ##
==========================================
- Coverage   76.26%   69.62%   -6.65%     
==========================================
  Files         211      272      +61     
  Lines       10031    12370    +2339     
==========================================
+ Hits         7650     8612     +962     
- Misses       1704     2880    +1176     
- Partials      677      878     +201
Files Coverage Δ
sherlock/internal/api/sherlock/clusters_v3.go 76.47% <100.00%> (+0.96%) ⬆️
sherlock/internal/api/sherlock/environments_v3.go 92.14% <100.00%> (+0.11%) ⬆️
sherlock/internal/config/config.go 29.31% <100.00%> (+1.24%) ⬆️
sherlock/internal/models/user.go 84.15% <100.00%> (ø)
sherlock/internal/boot/application.go 59.34% <66.66%> (+0.37%) ⬆️
...bility_synchronization/suspend_role_assignments.go 62.66% <50.00%> (ø)
sherlock/internal/oidc_models/token.go 33.33% <33.33%> (ø)
sherlock/internal/oidc_models/test_helper.go 82.85% <82.85%> (ø)
sherlock/internal/api/login/login.go 69.56% <69.56%> (ø)
sherlock/internal/boot/router.go 63.63% <46.15%> (-7.80%) ⬇️
... and 7 more

... and 51 files with indirect coverage changes

@jack-r-warren jack-r-warren marked this pull request as ready for review July 24, 2024 20:45
@jack-r-warren jack-r-warren requested a review from a team as a code owner July 24, 2024 20:45
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
43 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
7.1% Duplication on New Code

See analysis details on SonarCloud

mikeflinn
mikeflinn approved these changes Jul 25, 2024
View reviewed changes
Copy link
Contributor

@mikeflinn mikeflinn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non blocking comments, other wise cool stuff.

sherlock/internal/api/login/handler_test.go
@@ -0,0 +1,37 @@
package login
Copy link
Contributor

@mikeflinn mikeflinn Jul 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this suite testing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

handler_test is sorta borrowing the convention from the other (more multi-endpoint) api packages -- this hosts the suite and the other test files (login_test.go here) use it.

sherlock/internal/oidc_models/auth_request.go
)

// "AuthRequest implements the op.AuthRequest interface"
var _ op.AuthRequest = &AuthRequest{}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this pattern is an easily visible compile time validation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it's convenient because if you write this as the first step GoLand will offer to generate stubs for all the methods

@jack-r-warren jack-r-warren mentioned this pull request Jul 25, 2024
Merged
@jack-r-warren jack-r-warren merged commit 123f9a8 into main Jul 25, 2024
18 checks passed
@jack-r-warren jack-r-warren deleted the DDO-3785-oidc branch July 25, 2024 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jyang-broad jyang-broad jyang-broad approved these changes

@mikeflinn mikeflinn mikeflinn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jack-r-warren @mikeflinn @jyang-broad