luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

OIDC Login Bug (#14916) 

* fixes issue logging in with oidc from listed auth path tab

* adds changelog entry

* adds more tests for oidc auth workflow

* updates oidc auth method test to use non-standard path
This commit is contained in:
Jordan Reimer 2022-04-07 08:30:29 -06:00 committed by GitHub
parent 2f7635efe3
commit 4b48fefc53
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 107 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/14916.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
ui: Fixes issue logging in with OIDC from a listed auth mounts tab
```

9
ui/app/components/auth-form.js
View File

@ -117,7 +117,8 @@ export default Component.extend(DEFAULTS, {
if (!methods && !wrappedToken) { if (!methods && !wrappedToken) {
return {}; return {};
} }
if (keyIsPath) { // if type is provided we can ignore path since we are attempting to lookup a specific backend by type
if (keyIsPath && !type) {
return methods.findBy('path', selected); return methods.findBy('path', selected);
} }
return BACKENDS.findBy('type', selected); return BACKENDS.findBy('type', selected);
@ -227,7 +228,7 @@ export default Component.extend(DEFAULTS, {
}); });
this.onSuccess(authResponse, backendType, data); this.onSuccess(authResponse, backendType, data);
} catch (e) { } catch (e) {
this.set('loading', false); this.set('isLoading', false);
if (!this.auth.mfaError) { if (!this.auth.mfaError) {
this.set('error', `Authentication failed: ${this.auth.handleError(e)}`); this.set('error', `Authentication failed: ${this.auth.handleError(e)}`);
} }
@ -260,7 +261,7 @@ export default Component.extend(DEFAULTS, {
error: null, error: null,
}); });
// if callback from oidc or jwt we have a token at this point // if callback from oidc or jwt we have a token at this point
let backend = ['oidc', 'jwt'].includes(this.selectedAuth) let backend = ['oidc', 'jwt'].includes(this.providerName)
? this.getAuthBackend('token') ? this.getAuthBackend('token')
: this.selectedAuthBackend || {}; : this.selectedAuthBackend || {};
let backendMeta = BACKENDS.find( let backendMeta = BACKENDS.find(
@ -279,7 +280,7 @@ export default Component.extend(DEFAULTS, {
}, },
handleError(e) { handleError(e) {
this.setProperties({ this.setProperties({
loading: false, isLoading: false,
error: e ? this.auth.handleError(e) : null, error: e ? this.auth.handleError(e) : null,
}); });
}, },

8
ui/app/components/auth-jwt.js
View File

@ -178,8 +178,14 @@ export default Component.extend({
if (!this.isOIDC || !this.role || !this.role.authUrl) { if (!this.isOIDC || !this.role || !this.role.authUrl) {
return; return;
} }
try {
await this.fetchRole.perform(this.roleName, { debounce: false }); await this.fetchRole.perform(this.roleName, { debounce: false });
} catch (error) {
// this task could be cancelled if the instances in didReceiveAttrs resolve after this was started
if (error?.name !== 'TaskCancelation') {
throw error;
}
}
let win = this.getWindow(); let win = this.getWindow();
const POPUP_WIDTH = 500; const POPUP_WIDTH = 500;

43
ui/tests/acceptance/logout-auth-method-test.js
View File

@ -1,43 +0,0 @@
import { module, test } from 'qunit';
import { setupApplicationTest } from 'ember-qunit';
import { click, visit, fillIn } from '@ember/test-helpers';
import { setupMirage } from 'ember-cli-mirage/test-support';
import { fakeWindow, buildMessage } from '../helpers/oidc-window-stub';
import sinon from 'sinon';
import { later, _cancelTimers as cancelTimers } from '@ember/runloop';
module('Acceptance | logout auth method', function (hooks) {
setupApplicationTest(hooks);
setupMirage(hooks);
hooks.beforeEach(function () {
this.openStub = sinon.stub(window, 'open').callsFake(() => fakeWindow.create());
});
hooks.afterEach(function () {
this.openStub.restore();
});
// coverage for bug where token was selected as auth method for oidc and jwt
test('it should populate oidc auth method on logout', async function (assert) {
this.server.post('/auth/oidc/oidc/auth_url', () => ({
data: { auth_url: 'http://example.com' },
}));
this.server.get('/auth/foo/oidc/callback', () => ({
auth: { client_token: 'root' },
}));
// ensure clean state
sessionStorage.removeItem('selectedAuth');
await visit('/vault/auth');
await fillIn('[data-test-select="auth-method"]', 'oidc');
later(() => {
window.postMessage(buildMessage().data, window.origin);
cancelTimers();
}, 50);
await click('[data-test-auth-submit]');
await click('.nav-user-button button');
await click('#logout');
assert
.dom('[data-test-select="auth-method"]')
.hasValue('oidc', 'Previous auth method selected on logout');
});
});

91
ui/tests/acceptance/oidc-auth-method-test.js Normal file
View File

@ -0,0 +1,91 @@
import { module, test } from 'qunit';
import { setupApplicationTest } from 'ember-qunit';
import { click, visit, fillIn } from '@ember/test-helpers';
import { setupMirage } from 'ember-cli-mirage/test-support';
import { fakeWindow, buildMessage } from '../helpers/oidc-window-stub';
import sinon from 'sinon';
import { later, _cancelTimers as cancelTimers } from '@ember/runloop';
module('Acceptance | oidc auth method', function (hooks) {
setupApplicationTest(hooks);
setupMirage(hooks);
hooks.beforeEach(function () {
this.openStub = sinon.stub(window, 'open').callsFake(() => fakeWindow.create());
this.server.post('/auth/oidc/oidc/auth_url', () => ({
data: { auth_url: 'http://example.com' },
}));
this.server.get('/auth/foo/oidc/callback', () => ({
auth: { client_token: 'root' },
}));
// ensure clean state
sessionStorage.removeItem('selectedAuth');
});
hooks.afterEach(function () {
this.openStub.restore();
});
const login = async (select) => {
await visit('/vault/auth');
// select from dropdown or click auth path tab
if (select) {
await fillIn('[data-test-select="auth-method"]', 'oidc');
} else {
await click('[data-test-auth-method-link="oidc"]');
}
later(() => {
window.postMessage(buildMessage().data, window.origin);
cancelTimers();
}, 50);
await click('[data-test-auth-submit]');
};
test('it should login with oidc when selected from auth methods dropdown', async function (assert) {
assert.expect(1);
this.server.get('/auth/token/lookup-self', (schema, req) => {
assert.ok(true, 'request made to auth/token/lookup-self after oidc callback');
req.passthrough();
});
await login(true);
});
test('it should login with oidc from listed auth mount tab', async function (assert) {
assert.expect(2);
this.server.get('/sys/internal/ui/mounts', () => ({
data: {
auth: {
'test-path/': { description: '', options: {}, type: 'oidc' },
},
},
}));
let didAssert;
this.server.post('/auth/test-path/oidc/auth_url', () => {
// request may be fired more than once -- we are only concerned if the endpoint is hit, not how many times
if (!didAssert) {
assert.ok(true, 'auth_url request made to correct non-standard mount path');
didAssert = true;
}
return { data: { auth_url: 'http://example.com' } };
});
// there was a bug that would result in the /auth/:path/login endpoint hit with an empty payload rather than lookup-self
// ensure that the correct endpoint is hit after the oidc callback
this.server.get('/auth/token/lookup-self', (schema, req) => {
assert.ok(true, 'request made to auth/token/lookup-self after oidc callback');
req.passthrough();
});
await login();
});
// coverage for bug where token was selected as auth method for oidc and jwt
test('it should populate oidc auth method on logout', async function (assert) {
await login(true);
await click('.nav-user-button button');
await click('#logout');
assert
.dom('[data-test-select="auth-method"]')
.hasValue('oidc', 'Previous auth method selected on logout');
});
});