OIDC Login Bug (#14916)

* fixes issue logging in with oidc from listed auth path tab * adds changelog entry * adds more tests for oidc auth workflow * updates oidc auth method test to use non-standard path
2022-04-07 08:30:29 -06:00 · 2022-04-07 08:30:29 -06:00 · 4b48fefc53
parent 2f7635efe3
commit 4b48fefc53
5 changed files with 107 additions and 49 deletions
--- a/changelog/14916.txt
+++ b/changelog/14916.txt
@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fixes issue logging in with OIDC from a listed auth mounts tab
+```
--- a/ui/app/components/auth-form.js
+++ b/ui/app/components/auth-form.js
@ -117,7 +117,8 @@ export default Component.extend(DEFAULTS, {
    if (!methods && !wrappedToken) {
      return {};
    }
-    if (keyIsPath) {
+    // if type is provided we can ignore path since we are attempting to lookup a specific backend by type
+    if (keyIsPath && !type) {
      return methods.findBy('path', selected);
    }
    return BACKENDS.findBy('type', selected);
@ -227,7 +228,7 @@ export default Component.extend(DEFAULTS, {
        });
        this.onSuccess(authResponse, backendType, data);
      } catch (e) {
-        this.set('loading', false);
+        this.set('isLoading', false);
        if (!this.auth.mfaError) {
          this.set('error', `Authentication failed: ${this.auth.handleError(e)}`);
        }
@ -260,7 +261,7 @@ export default Component.extend(DEFAULTS, {
        error: null,
      });
      // if callback from oidc or jwt we have a token at this point
-      let backend = ['oidc', 'jwt'].includes(this.selectedAuth)
+      let backend = ['oidc', 'jwt'].includes(this.providerName)
        ? this.getAuthBackend('token')
        : this.selectedAuthBackend || {};
      let backendMeta = BACKENDS.find(
@ -279,7 +280,7 @@ export default Component.extend(DEFAULTS, {
    },
    handleError(e) {
      this.setProperties({
-        loading: false,
+        isLoading: false,
        error: e ? this.auth.handleError(e) : null,
      });
    },
--- a/ui/app/components/auth-jwt.js
+++ b/ui/app/components/auth-jwt.js
@ -178,8 +178,14 @@ export default Component.extend({
      if (!this.isOIDC || !this.role || !this.role.authUrl) {
        return;
      }
-
-      await this.fetchRole.perform(this.roleName, { debounce: false });
+      try {
+        await this.fetchRole.perform(this.roleName, { debounce: false });
+      } catch (error) {
+        // this task could be cancelled if the instances in didReceiveAttrs resolve after this was started
+        if (error?.name !== 'TaskCancelation') {
+          throw error;
+        }
+      }
      let win = this.getWindow();

      const POPUP_WIDTH = 500;
--- a/ui/tests/acceptance/logout-auth-method-test.js
+++ b/ui/tests/acceptance/logout-auth-method-test.js
@ -1,43 +0,0 @@
-import { module, test } from 'qunit';
-import { setupApplicationTest } from 'ember-qunit';
-import { click, visit, fillIn } from '@ember/test-helpers';
-import { setupMirage } from 'ember-cli-mirage/test-support';
-import { fakeWindow, buildMessage } from '../helpers/oidc-window-stub';
-import sinon from 'sinon';
-import { later, _cancelTimers as cancelTimers } from '@ember/runloop';
-
-module('Acceptance | logout auth method', function (hooks) {
-  setupApplicationTest(hooks);
-  setupMirage(hooks);
-
-  hooks.beforeEach(function () {
-    this.openStub = sinon.stub(window, 'open').callsFake(() => fakeWindow.create());
-  });
-  hooks.afterEach(function () {
-    this.openStub.restore();
-  });
-
-  // coverage for bug where token was selected as auth method for oidc and jwt
-  test('it should populate oidc auth method on logout', async function (assert) {
-    this.server.post('/auth/oidc/oidc/auth_url', () => ({
-      data: { auth_url: 'http://example.com' },
-    }));
-    this.server.get('/auth/foo/oidc/callback', () => ({
-      auth: { client_token: 'root' },
-    }));
-    // ensure clean state
-    sessionStorage.removeItem('selectedAuth');
-    await visit('/vault/auth');
-    await fillIn('[data-test-select="auth-method"]', 'oidc');
-    later(() => {
-      window.postMessage(buildMessage().data, window.origin);
-      cancelTimers();
-    }, 50);
-    await click('[data-test-auth-submit]');
-    await click('.nav-user-button button');
-    await click('#logout');
-    assert
-      .dom('[data-test-select="auth-method"]')
-      .hasValue('oidc', 'Previous auth method selected on logout');
-  });
-});
--- a/ui/tests/acceptance/oidc-auth-method-test.js
+++ b/ui/tests/acceptance/oidc-auth-method-test.js
@ -0,0 +1,91 @@
+import { module, test } from 'qunit';
+import { setupApplicationTest } from 'ember-qunit';
+import { click, visit, fillIn } from '@ember/test-helpers';
+import { setupMirage } from 'ember-cli-mirage/test-support';
+import { fakeWindow, buildMessage } from '../helpers/oidc-window-stub';
+import sinon from 'sinon';
+import { later, _cancelTimers as cancelTimers } from '@ember/runloop';
+
+module('Acceptance | oidc auth method', function (hooks) {
+  setupApplicationTest(hooks);
+  setupMirage(hooks);
+
+  hooks.beforeEach(function () {
+    this.openStub = sinon.stub(window, 'open').callsFake(() => fakeWindow.create());
+    this.server.post('/auth/oidc/oidc/auth_url', () => ({
+      data: { auth_url: 'http://example.com' },
+    }));
+    this.server.get('/auth/foo/oidc/callback', () => ({
+      auth: { client_token: 'root' },
+    }));
+    // ensure clean state
+    sessionStorage.removeItem('selectedAuth');
+  });
+  hooks.afterEach(function () {
+    this.openStub.restore();
+  });
+
+  const login = async (select) => {
+    await visit('/vault/auth');
+    // select from dropdown or click auth path tab
+    if (select) {
+      await fillIn('[data-test-select="auth-method"]', 'oidc');
+    } else {
+      await click('[data-test-auth-method-link="oidc"]');
+    }
+    later(() => {
+      window.postMessage(buildMessage().data, window.origin);
+      cancelTimers();
+    }, 50);
+    await click('[data-test-auth-submit]');
+  };
+
+  test('it should login with oidc when selected from auth methods dropdown', async function (assert) {
+    assert.expect(1);
+
+    this.server.get('/auth/token/lookup-self', (schema, req) => {
+      assert.ok(true, 'request made to auth/token/lookup-self after oidc callback');
+      req.passthrough();
+    });
+
+    await login(true);
+  });
+
+  test('it should login with oidc from listed auth mount tab', async function (assert) {
+    assert.expect(2);
+
+    this.server.get('/sys/internal/ui/mounts', () => ({
+      data: {
+        auth: {
+          'test-path/': { description: '', options: {}, type: 'oidc' },
+        },
+      },
+    }));
+    let didAssert;
+    this.server.post('/auth/test-path/oidc/auth_url', () => {
+      // request may be fired more than once -- we are only concerned if the endpoint is hit, not how many times
+      if (!didAssert) {
+        assert.ok(true, 'auth_url request made to correct non-standard mount path');
+        didAssert = true;
+      }
+      return { data: { auth_url: 'http://example.com' } };
+    });
+    // there was a bug that would result in the /auth/:path/login endpoint hit with an empty payload rather than lookup-self
+    // ensure that the correct endpoint is hit after the oidc callback
+    this.server.get('/auth/token/lookup-self', (schema, req) => {
+      assert.ok(true, 'request made to auth/token/lookup-self after oidc callback');
+      req.passthrough();
+    });
+    await login();
+  });
+
+  // coverage for bug where token was selected as auth method for oidc and jwt
+  test('it should populate oidc auth method on logout', async function (assert) {
+    await login(true);
+    await click('.nav-user-button button');
+    await click('#logout');
+    assert
+      .dom('[data-test-select="auth-method"]')
+      .hasValue('oidc', 'Previous auth method selected on logout');
+  });
+});