Update IAS config: Domain -> Domains (#15)

SAP · Jun 29, 2021 · 009f116 · 009f116
1 parent 01ca9f6
commit 009f116
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 17 deletions.
diff --git a/auth/middleware.go b/auth/middleware.go
@@ -39,7 +39,7 @@ type OAuthConfig interface {
 	GetClientID() string             // Returns the client id of the oAuth client.
 	GetClientSecret() string         // Returns the client secret. Optional
 	GetURL() string                  // Returns the url to the Identity tenant. E.g. https://abcdefgh.accounts.ondemand.com
-	GetDomain() string               // Returns the domain of the Identity service. E.g. accounts.ondemand.com
+	GetDomains() []string            // Returns the domains of the Identity service. E.g. ["accounts.ondemand.com"]
 	GetZoneUUID() uuid.UUID          // Returns the zone uuid. Optional
 	GetProofTokenURL() string        // Returns the proof token url. Optional
 	GetCertificate() string          // Returns the client certificate. Optional

diff --git a/auth/middleware_test.go b/auth/middleware_test.go
@@ -6,14 +6,15 @@ package auth
 
 import (
 	"context"
-	"github.com/lestrrat-go/jwx/jwa"
-	"github.com/sap/cloud-security-client-go/mocks"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/sap/cloud-security-client-go/mocks"
 )
 
 func TestEnd2End(t *testing.T) {

diff --git a/auth/validator.go b/auth/validator.go
@@ -118,8 +118,17 @@ func (m *Middleware) verifyIssuer(issuer string) (issURI *url.URL, err error) {
 		return nil, fmt.Errorf("unable to parse Issuer URI: %s", issuer)
 	}
 
-	if !strings.HasSuffix(issURI.Host, m.oAuthConfig.GetDomain()) {
+	if !matchesDomain(issURI.Host, m.oAuthConfig.GetDomains()) {
 		return nil, fmt.Errorf("token is unverifiable: unknown server (domain doesn't match)")
 	}
 	return issURI, nil
 }
+
+func matchesDomain(hostname string, domains []string) bool {
+	for _, domain := range domains {
+		if strings.HasSuffix(hostname, domain) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/auth/validator_test.go b/auth/validator_test.go
@@ -12,6 +12,31 @@ import (
 	"time"
 )
 
+func TestAdditionalDomain(t *testing.T) {
+	oidcMockServer, err := mocks.NewOIDCMockServer()
+	if err != nil {
+		t.Errorf("error creating test setup: %v", err)
+	}
+	m := NewMiddleware(env.Identity{
+		ClientID:     oidcMockServer.Config.ClientID,
+		ClientSecret: oidcMockServer.Config.ClientSecret,
+		URL:          oidcMockServer.Config.URL,
+		Domains:      append([]string{"my.primary.domain"}, oidcMockServer.Config.Domains...),
+	}, Options{
+		HTTPClient: oidcMockServer.Server.Client(),
+	})
+
+	rawToken, err := oidcMockServer.SignToken(oidcMockServer.DefaultClaims(), oidcMockServer.DefaultHeaders())
+	if err != nil {
+		t.Errorf("unable to sign provided test token: %v", err)
+	}
+
+	_, err = m.parseAndValidateJWT(rawToken)
+	if err != nil {
+		t.Error("unexpected error: ", err.Error())
+	}
+}
+
 func TestAuthMiddleware_getOIDCTenant(t *testing.T) {
 	oidcMockServer, err := mocks.NewOIDCMockServer()
 	if err != nil {
@@ -21,7 +46,7 @@ func TestAuthMiddleware_getOIDCTenant(t *testing.T) {
 		ClientID:     oidcMockServer.Config.ClientID,
 		ClientSecret: oidcMockServer.Config.ClientSecret,
 		URL:          oidcMockServer.Config.URL,
-		Domain:       oidcMockServer.Config.Domain,
+		Domains:      oidcMockServer.Config.Domains,
 	}, Options{
 		HTTPClient: oidcMockServer.Server.Client(),
 	})

diff --git a/env/iasConfig.go b/env/iasConfig.go
@@ -25,7 +25,7 @@ type VCAPServices struct {
 type Identity struct {
 	ClientID             string    `json:"clientid"`
 	ClientSecret         string    `json:"clientsecret"`
-	Domain               string    `json:"domain"`
+	Domains              []string  `json:"domains"`
 	URL                  string    `json:"url"`
 	ZoneUUID             uuid.UUID `json:"zone_uuid"`
 	ProofTokenURL        string    `json:"prooftoken_url"`
@@ -74,9 +74,9 @@ func (c Identity) GetURL() string {
 	return c.URL
 }
 
-// GetDomain implements the auth.OAuthConfig interface.
-func (c Identity) GetDomain() string {
-	return c.Domain
+// GetDomains implements the auth.OAuthConfig interface.
+func (c Identity) GetDomains() []string {
+	return c.Domains
 }
 
 // GetZoneUUID implements the auth.OAuthConfig interface.

diff --git a/env/iasConfig_test.go b/env/iasConfig_test.go
@@ -14,7 +14,7 @@ import (
 var testConfig *Identity = &Identity{
 	ClientID:     "cef76757-de57-480f-be92-1d8c1c7abf16",
 	ClientSecret: "the_CLIENT.secret:3[/abc",
-	Domain:       "accounts400.ondemand.com",
+	Domains:      []string{"accounts400.ondemand.com", "my.arbitrary.domain"},
 	URL:          "https://mytenant.accounts400.ondemand.com",
 }
 
@@ -27,13 +27,13 @@ func TestGetIASConfig(t *testing.T) {
 	}{
 		{
 			name:    "all present",
-			env:     "{\"identity\":[{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"the_CLIENT.secret:3[/abc\",\"domain\":\"accounts400.ondemand.com\",\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]}]}",
+			env:     "{\"identity\":[{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"the_CLIENT.secret:3[/abc\",\"domains\":[\"accounts400.ondemand.com\",\"my.arbitrary.domain\"],\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]}]}",
 			want:    testConfig,
 			wantErr: false,
 		},
 		{
 			name:    "multiple bindings",
-			env:     "{\"identity\":[{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"the_CLIENT.secret:3[/abc\",\"domain\":\"accounts400.ondemand.com\",\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]},{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"the_CLIENT.secret:3[/abc\",\"domain\":\"accounts400.ondemand.com\",\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]}]}",
+			env:     "{\"identity\":[{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"the_CLIENT.secret:3[/abc\",\"domains\":[\"accounts400.ondemand.com\",\"my.arbitrary.domain\"],\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]},{\"binding_name\":null,\"credentials\":{\"clientid\":\"cef76757-de57-480f-be92-1d8c1c7abf16\",\"clientsecret\":\"the_CLIENT.secret:3[/abc\",\"domain\":\"accounts400.ondemand.com\",\"token_url\":\"https://mytenant.accounts400.ondemand.com/oauth2/token\",\"url\":\"https://mytenant.accounts400.ondemand.com\"},\"instance_name\":\"my-ams-instance\",\"label\":\"identity\",\"name\":\"my-ams-instance\",\"plan\":\"application\",\"provider\":null,\"syslog_drain_url\":null,\"tags\":[\"ias\"],\"volume_mounts\":[]}]}",
 			want:    nil,
 			wantErr: true,
 		},

diff --git a/mocks/mockServer.go b/mocks/mockServer.go
@@ -54,7 +54,7 @@ func NewOIDCMockServer() (*MockServer, error) {
 			ClientID:     "clientid",
 			ClientSecret: "clientsecret",
 			URL:          server.URL,
-			Domain:       domain.Host,
+			Domains:      []string{domain.Host},
 		},
 		RSAKey: rsaKey,
 	}
@@ -235,7 +235,7 @@ type MockConfig struct {
 	ClientID             string
 	ClientSecret         string
 	URL                  string
-	Domain               string
+	Domains              []string
 	ZoneUUID             uuid.UUID
 	ProofTokenURL        string
 	OsbURL               string
@@ -259,9 +259,9 @@ func (c MockConfig) GetURL() string {
 	return c.URL
 }
 
-// GetDomain implements the auth.OAuthConfig interface.
-func (c MockConfig) GetDomain() string {
-	return c.Domain
+// GetDomains implements the auth.OAuthConfig interface.
+func (c MockConfig) GetDomains() []string {
+	return c.Domains
 }
 
 // GetZoneUUID implements the auth.OAuthConfig interface.