feat: finished up oidc auth management

Infisical · Jul 3, 2024 · fc93262 · fc93262
1 parent c90e423
commit fc93262
Show file tree

Hide file tree

Showing 11 changed files with 778 additions and 83 deletions.
diff --git a/backend/src/@types/fastify.d.ts b/backend/src/@types/fastify.d.ts
@@ -41,6 +41,7 @@ import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
+import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
 import { TIntegrationServiceFactory } from "@app/services/integration/integration-service";
@@ -132,6 +133,7 @@ declare module "fastify" {
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      identityOidcAuth: TIdentityOidcAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;

diff --git a/backend/src/db/schemas/models.ts b/backend/src/db/schemas/models.ts
@@ -166,5 +166,6 @@ export enum IdentityAuthMethod {
   KUBERNETES_AUTH = "kubernetes-auth",
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
-  AZURE_AUTH = "azure-auth"
+  AZURE_AUTH = "azure-auth",
+  OIDC_AUTH = "oidc-auth"
 }
diff --git a/backend/src/server/routes/index.ts b/backend/src/server/routes/index.ts
@@ -102,6 +102,8 @@ import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/ident
 import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
+import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-dal";
+import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -238,6 +240,7 @@ export const registerRoutes = async (
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
   const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
   const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
+  const identityOidcAuthDAL = identityOidcAuthDALFactory(db);
   const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
@@ -874,6 +877,16 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const identityOidcAuthService = identityOidcAuthServiceFactory({
+    identityOidcAuthDAL,
+    identityOrgMembershipDAL,
+    identityAccessTokenDAL,
+    identityDAL,
+    permissionService,
+    licenseService,
+    orgBotDAL
+  });
+
   const dynamicSecretProviders = buildDynamicSecretProviders();
   const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
     queueService,
@@ -972,6 +985,7 @@ export const registerRoutes = async (
     identityGcpAuth: identityGcpAuthService,
     identityAwsAuth: identityAwsAuthService,
     identityAzureAuth: identityAzureAuthService,
+    identityOidcAuth: identityOidcAuthService,
     accessApprovalPolicy: accessApprovalPolicyService,
     accessApprovalRequest: accessApprovalRequestService,
     secretApprovalPolicy: secretApprovalPolicyService,

diff --git a/backend/src/server/routes/v1/identity-oidc-auth-router.ts b/backend/src/server/routes/v1/identity-oidc-auth-router.ts
@@ -1,11 +1,19 @@
 import { z } from "zod";
 
 import { IdentityOidcAuthsSchema } from "@app/db/schemas";
-import { writeLimit } from "@app/server/config/rateLimiter";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { validateOidcAuthAudiencesField } from "@app/services/identity-oidc-auth/identity-oidc-auth-validators";
 
+const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.omit({
+  encryptedCaCert: true,
+  caCertIV: true,
+  caCertTag: true
+}).extend({
+  caCert: z.string()
+});
+
 export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "POST",
@@ -53,14 +61,133 @@ export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider)
         boundIssuer: z.string().min(1),
         boundAudiences: validateOidcAuthAudiencesField,
         boundClaims: z.record(z.string()),
-        boundSubject: z.string().optional()
+        boundSubject: z.string().optional().default("")
       }),
       response: {
         200: z.object({
-          identityOidcAuth: IdentityOidcAuthsSchema
+          identityOidcAuth: IdentityOidcAuthResponseSchema
         })
       }
     },
-    handler: async () => {}
+    handler: async (req) => {
+      const identityOidcAuth = await server.services.identityOidcAuth.attachOidcAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      return {
+        identityOidcAuth
+      };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/oidc-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update OIDC Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim()
+      }),
+      body: z
+        .object({
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(1)
+            .refine((value) => value !== 0, {
+              message: "accessTokenTTL must have a non zero number"
+            })
+            .default(2592000),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .refine((value) => value !== 0, {
+              message: "accessTokenMaxTTL must have a non zero number"
+            })
+            .default(2592000),
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0),
+          oidcDiscoveryUrl: z.string().url().min(1),
+          caCert: z.string().trim().default(""),
+          boundIssuer: z.string().min(1),
+          boundAudiences: validateOidcAuthAudiencesField,
+          boundClaims: z.record(z.string()),
+          boundSubject: z.string().optional().default("")
+        })
+        .partial(),
+      response: {
+        200: z.object({
+          identityOidcAuth: IdentityOidcAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOidcAuth = await server.services.identityOidcAuth.updateOidcAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      return { identityOidcAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/oidc-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve OIDC Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string()
+      }),
+      response: {
+        200: z.object({
+          identityOidcAuth: IdentityOidcAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOidcAuth = await server.services.identityOidcAuth.getOidcAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      return { identityOidcAuth };
+    }
   });
 };