feat: test integration with OIDC provider and few protocol changes

Author: beltram

acme/src/account.rs

@@ -1,4 +1,3 @@
-use crate::jws::AcmeJws;
 use crate::prelude::*;
 use rusty_jwt_tools::prelude::*;
 

acme/src/authz.rs

@@ -1,9 +1,5 @@
-use crate::{
-    account::AcmeAccount,
-    chall::{AcmeChallenge, AcmeChallengeType},
-    jws::AcmeJws,
-    prelude::*,
-};
+use crate::chall::AcmeChallengeType;
+use crate::prelude::*;
 use rusty_jwt_tools::prelude::*;
 
 impl RustyAcme {
@@ -37,7 +33,7 @@ impl RustyAcme {
             AuthzStatus::Expired => return Err(AcmeAuthzError::Expired)?,
             AuthzStatus::Valid => {
                 return Err(RustyAcmeError::ClientImplementationError(
-                    "An authorization is not supposed to be valid at this point. \
+                    "an authorization is not supposed to be valid at this point. \
                     You should only use this method to parse the response of an authorization creation.",
                 ))
             }
@@ -64,8 +60,7 @@ pub enum AcmeAuthzError {
 
 /// Result of an authorization creation
 /// see [RFC 8555 Section 7.5](https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5)
-#[derive(Debug, serde::Serialize, serde::Deserialize)]
-#[cfg_attr(test, derive(Clone))]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct AcmeAuthz {
     /// Should be pending for a newly created authorization

acme/src/certificate.rs

@@ -1,4 +1,4 @@
-use crate::{account::AcmeAccount, finalize::AcmeFinalize, jws::AcmeJws, prelude::*};
+use crate::prelude::*;
 use rusty_jwt_tools::prelude::*;
 
 impl RustyAcme {
@@ -29,7 +29,6 @@ impl RustyAcme {
             .split(Self::CERTIFICATE_BEGIN)
             .filter(|c| !c.is_empty())
             .map(|c| c.trim().trim_end_matches(Self::CERTIFICATE_END).trim())
-            .into_iter()
             .try_fold(vec![], |mut acc, cert_pem| -> RustyAcmeResult<Vec<String>> {
                 Self::parse_x509_and_validate(cert_pem)?;
                 acc.push(cert_pem.to_string());

acme/src/chall.rs

@@ -1,6 +1,5 @@
-use crate::account::AcmeAccount;
-use crate::jws::AcmeJws;
 use crate::prelude::*;
+use jwt_simple::prelude::*;
 use rusty_jwt_tools::prelude::*;
 
 impl RustyAcme {
@@ -27,19 +26,27 @@ impl RustyAcme {
 
     /// oidc challenge request to `POST /acme/challenge/{token}`
     /// see [RFC 8555 Section 7.5.1](https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1)
+    #[allow(clippy::too_many_arguments)]
     pub fn oidc_chall_request(
         id_token: String,
         oidc_chall: AcmeChallenge,
         account: &AcmeAccount,
         alg: JwsAlgorithm,
+        hash_alg: HashAlgorithm,
         kp: &Pem,
+        jwk: &Jwk,
         previous_nonce: String,
     ) -> RustyAcmeResult<AcmeJws> {
         // Extract the account URL from previous response which created a new account
         let acct_url = account.acct_url()?;
 
+        let thumbprint = JwkThumbprint::generate(jwk, hash_alg)?.kid;
+        let chall_token = oidc_chall.token;
+        let keyauth = format!("{chall_token}.{thumbprint}");
+
         let payload = Some(serde_json::json!({
             "id_token": id_token,
+            "keyauth": keyauth,
         }));
         let req = AcmeJws::new(alg, previous_nonce, &oidc_chall.url, Some(&acct_url), payload, kp)?;
         Ok(req)
@@ -55,13 +62,13 @@ impl RustyAcme {
             Some(AcmeChallengeStatus::Invalid) => return Err(AcmeChallError::Invalid)?,
             Some(AcmeChallengeStatus::Pending) => {
                 return Err(RustyAcmeError::ClientImplementationError(
-                    "A challenge is not supposed to be pending at this point. \
+                    "a challenge is not supposed to be pending at this point. \
                     It must either be 'valid' or 'processing'.",
                 ))
             }
             None => {
                 return Err(RustyAcmeError::ClientImplementationError(
-                    "At this point a challenge is supposed to have a status",
+                    "at this point a challenge is supposed to have a status",
                 ))
             }
         }

acme/src/directory.rs

@@ -11,8 +11,7 @@ impl RustyAcme {
     }
 }
 
-#[derive(Debug, serde::Serialize, serde::Deserialize)]
-#[cfg_attr(test, derive(Clone))]
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
 #[serde(rename_all = "camelCase")]
 /// See [RFC 8555 Section 7.1.1](https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1)
 pub struct AcmeDirectory {

acme/src/docker/dex.rs

@@ -1,24 +1,57 @@
-use std::collections::HashMap;
+use std::{collections::HashMap, net::SocketAddr, path::PathBuf};
+
 use testcontainers::{clients::Cli, core::WaitFor, Container, Image, RunnableImage};
 
+use crate::{docker::ldap::LdapCfg, docker::rand_str};
+
+pub struct DexServer<'a> {
+    pub uri: String,
+    pub node: Container<'a, DexImage>,
+    pub socket: SocketAddr,
+}
+
 #[derive(Debug)]
 pub struct DexImage {
     pub volumes: HashMap<String, String>,
     pub env_vars: HashMap<String, String>,
+    pub cfg_file: PathBuf,
 }
 
 impl DexImage {
     const NAME: &'static str = "dexidp/dex";
-    const TAG: &'static str = "latest";
+    const TAG: &'static str = "v2.35.3";
     pub const PORT: u16 = 5556;
 
-    pub fn run<'a>(docker: &'a Cli, host: &str) -> (u16, Container<'a, DexImage>) {
-        let instance = Self::default();
+    pub fn run(docker: &Cli, cfg: DexCfg, redirect_uri: String) -> DexServer {
+        let instance = Self::new(&cfg, &redirect_uri);
         let image: RunnableImage<Self> = instance.into();
-        let image = image.with_container_name(host).with_network(super::NETWORK);
+        let image = image
+            .with_container_name(&cfg.host)
+            .with_network(super::NETWORK)
+            .with_mapped_port((cfg.host_port, Self::PORT));
         let node = docker.run(image);
         let port = node.get_host_port_ipv4(Self::PORT);
-        (port, node)
+        let uri = format!("http://{}:{port}", cfg.host);
+
+        let ip = std::net::IpAddr::V4("127.0.0.1".parse().unwrap());
+        let socket = SocketAddr::new(ip, port);
+
+        DexServer { uri, socket, node }
+    }
+
+    pub fn new(cfg: &DexCfg, redirect_uri: &str) -> Self {
+        let host_vol = std::env::temp_dir().join(rand_str());
+        std::fs::create_dir(&host_vol).unwrap();
+        let host_cfg_file = host_vol.join("config.docker.yaml");
+
+        std::fs::write(&host_cfg_file, cfg.to_yaml(redirect_uri)).unwrap();
+
+        let host_vol_str = host_cfg_file.as_os_str().to_str().unwrap().to_string();
+        Self {
+            volumes: HashMap::from_iter(vec![(host_vol_str, "/etc/dex/config.docker.yaml".to_string())]),
+            env_vars: HashMap::new(),
+            cfg_file: host_cfg_file,
+        }
     }
 }
 
@@ -34,7 +67,8 @@ impl Image for DexImage {
     }
 
     fn ready_conditions(&self) -> Vec<WaitFor> {
-        vec![WaitFor::message_on_stderr("listening (http) on 0.0.0.0:5556")]
+        let msg = format!("listening (http) on 0.0.0.0:{}", Self::PORT);
+        vec![WaitFor::message_on_stderr(msg)]
     }
 
     fn volumes(&self) -> Box<dyn Iterator<Item = (&String, &String)> + '_> {
@@ -46,23 +80,78 @@ impl Image for DexImage {
     }
 }
 
-impl Default for DexImage {
-    fn default() -> Self {
-        Self {
-            volumes: HashMap::from_iter(vec![]),
-            env_vars: HashMap::default(),
-        }
-    }
+#[derive(Debug, Clone)]
+pub struct DexCfg {
+    pub client_id: String,
+    pub client_secret: String,
+    pub issuer: String,
+    pub ldap_host: String,
+    pub domain: String,
+    pub host_port: u16,
+    pub host: String,
 }
 
-#[test]
-fn test_dex() {
-    let docker = Cli::docker();
-    let (port, _dex) = DexImage::run(&docker, "dex");
+impl DexCfg {
+    pub fn to_yaml(&self, redirect_uri: &str) -> String {
+        let Self {
+            client_id,
+            client_secret,
+            issuer,
+            ldap_host,
+            domain,
+            ..
+        } = self;
+        let domain = LdapCfg::domain_to_ldif(domain);
+        format!(
+            r#"
+issuer: {issuer}
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556
+logger:
+  level: "debug"
+  format: "text"
 
-    let uri = format!("http://localhost:{port}/dex/.well-known/openid-configuration");
+oauth2:
+  skipApprovalScreen: false
+  alwaysShowLoginScreen: false
 
-    let response = reqwest::blocking::get(uri).unwrap();
-    let body = response.json::<serde_json::Value>().unwrap();
-    println!("{}", serde_json::to_string_pretty(&body).unwrap());
+# expiry:
+#   deviceRequests: "5m"
+#   signingKeys: "6h"
+#   idTokens: "24h"
+#   refreshTokens:
+#     reuseInterval: "3s"
+#     validIfNotUsedFor: "2160h" # 90 days
+#     absoluteLifetime: "3960h" # 165 days
+
+connectors:
+- type: ldap
+  name: OpenLDAP
+  id: ldap
+  config:
+    host: {ldap_host}:389
+    insecureNoSSL: true
+    insecureSkipVerify: true
+    bindDN: cn=admin,{domain}
+    bindPW: admin
+    usernamePrompt: Email Address
+    userSearch:
+      baseDN: ou=People,{domain}
+      filter: "(objectClass=person)"
+      username: mail
+      idAttr: uid
+      emailAttr: mail
+      nameAttr: cn
+      preferredUsernameAttr: sn
+staticClients:
+- id: {client_id}
+  redirectURIs:
+  - '{redirect_uri}'
+  name: 'Example App'
+  secret: {client_secret}
+"#
+        )
+    }
 }