GODRIVER-3246: Support human flow for OIDC #1713
Conversation
…not go live, I'm sure
…r OIDC that is probably, maybe, possibly correct
… need to get down to Handshake instead of creating the Authenticator in Handshake as we do now
…o I'm sure it's right
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
API Change Report./x/mongo/driver/authincompatible changesSaslClient.Next: changed from func([]byte) ([]byte, error) to func(context.Context, []byte) ([]byte, error) |
I originally just stuck the context in the two step struct, but I know everyone says that's "bad form". I never agreed with that, but I definitely don't want to argue over idiomatic go 😂 |
…about hardcoded credentials)
blink1073
added
priority-2-medium
|
This build failure looks relevant: |
| @@ -19,7 +19,7 @@ import ( | |||
| // SaslClient is the client piece of a sasl conversation. | |||
| type SaslClient interface { | |||
| Start() (string, []byte, error) | |||
| Next(challenge []byte) ([]byte, error) | |||
| Next(ctx context.Context, challenge []byte) ([]byte, error) | |||
There was a problem hiding this comment.
The build for "gssapi" fails because Next needs to be updated in sspi.go and gss.go. Those files use build constraints, so are easy to miss because the compiler ignores them unless specific build tags are used.
Here's the build failure:
x/mongo/driver/auth/gssapi.go:60:56: cannot use client (variable of type *gssapi.SaslClient) as SaslClient value in argument to ConductSaslConversation: *gssapi.SaslClient does not implement SaslClient (wrong type for method Next)
have Next([]byte) ([]byte, error)
want Next(context.Context, []byte) ([]byte, error)
| return nil, fmt.Errorf("error unmarshaling BSON document: %w", err) | ||
| } | ||
|
|
||
| accessToken, err := ots.oa.getAccessToken(ctx, |
There was a problem hiding this comment.
err is never checked here.
x/mongo/driver/auth/oidc.go
Outdated
| ret = createAllowedHostsPatterns(ret) | ||
| oa.allowedHosts = &ret |
There was a problem hiding this comment.
Optional: Consider initializing allowedHosts in newOIDCAuthenticator, which would allow compiling the ALLOWED_HOSTS patterns as a slice of *regexp.Regexp there. That would also allow pre-compiling the default allowed hosts patterns, avoiding the CodeQL warnings and catching any regex compilation errors at initialization time.
For example:
func newOIDCAuthenticator(...) (Authenticator, error) {
// ...
var allowedHosts []*regexp.Regexp
if v, ok := cred.Props[allowedHostsProp]; ok {
patterns := strings.Split(v, ",")
for _, pattern := range patterns {
r, err := regexp.Compile(pattern)
if err != nil {
return nil, err
}
allowedHosts = append(allowedHosts, r)
}
} else {
allowedHosts = defaultAllowedHosts
}
oa := &OIDCAuthenticator{
userName: cred.Username,
httpClient: httpClient,
AuthMechanismProperties: cred.Props,
OIDCMachineCallback: cred.OIDCMachineCallback,
OIDCHumanCallback: cred.OIDCHumanCallback,
allowedHosts: allowedHosts,
}
return oa, nil
}Then defaultAllowedHosts becomes:
var defaultAllowedHosts = []*regexp.Regexp{
regexp.MustCompile("^.*[.]mongodb[.]net(:\\d+)?$"),
regexp.MustCompile("^.*[.]mongodb-qa[.]net(:\\d+)?$"),
regexp.MustCompile("^.*[.]mongodb-dev[.]net(:\\d+)?$"),
regexp.MustCompile("^.*[.]mongodbgov[.]net(:\\d+)?$"),
regexp.MustCompile("^localhost(:\\d+)?$"),
regexp.MustCompile("^127[.]0[.]0[.]1(:\\d+)?$"),
regexp.MustCompile("^::1(:\\d+)?$"),
}There was a problem hiding this comment.
Ok, I've adapted most of this, but kept the logic abstracted to a separate method.
Co-authored-by: Matt Dale <[email protected]>
Co-authored-by: Matt Dale <[email protected]> (cherry picked from commit f0af593)
Co-authored-by: Patrick Meredith <[email protected]>
GODRIVER-3246
Summary
Implements OIDC Human Flow
Background & Motivation
Needed for OIDC epic