Allow multiple IDPs config to be passed via struct (#2167)

* Allow multiple IDPs config to be passed via struct

* This removes support for ENV based IDP configuration for console

* Ensure default scopes are used if none are given

* Add display name field for provider config
This commit is contained in:
Aditya Manthramurthy
2022-07-14 07:27:45 -07:00
committed by GitHub
parent abb668633b
commit 118cf97e1d
9 changed files with 119 additions and 20 deletions


@@ -69,7 +69,7 @@ func TestRegisterAdminArnsHandlers(t *testing.T) {
if err != nil {
assert.Fail("Error")
}
api := operations.NewConsoleAPI(swaggerSpec)
api := operations.NewConsoleAPI(swaggerSpec, nil)
api.SystemArnListHandler = nil
registerAdminArnsHandlers(api)
if api.SystemArnListHandler == nil {


@@ -38,6 +38,7 @@ import (
"github.com/go-openapi/swag"
"github.com/minio/console/models"
"github.com/minio/console/pkg/auth/idp/oauth2"
"github.com/minio/console/restapi/operations/account"
"github.com/minio/console/restapi/operations/auth"
"github.com/minio/console/restapi/operations/bucket"
@@ -58,7 +59,7 @@ import (
)
// NewConsoleAPI creates a new Console instance
func NewConsoleAPI(spec *loads.Document) *ConsoleAPI {
func NewConsoleAPI(spec *loads.Document, openIDProviders oauth2.OpenIDPCfg) *ConsoleAPI {
return &ConsoleAPI{
handlers: make(map[string]map[string]http.Handler),
formats: strfmt.Default,
@@ -75,6 +76,8 @@ func NewConsoleAPI(spec *loads.Document) *ConsoleAPI {
APIKeyAuthenticator: security.APIKeyAuth,
BearerAuthenticator: security.BearerAuth,
OpenIDProviders: openIDProviders,
JSONConsumer: runtime.JSONConsumer(),
MultipartformConsumer: runtime.DiscardConsumer,
@@ -478,6 +481,9 @@ type ConsoleAPI struct {
Middleware func(middleware.Builder) http.Handler
useSwaggerUI bool
// Configuration passed in from MinIO for MinIO console.
OpenIDProviders oauth2.OpenIDPCfg
// BasicAuthenticator generates a runtime.Authenticator from the supplied basic auth function.
// It has a default implementation in the security package, however you can replace it for your particular usage.
BasicAuthenticator func(security.UserPassAuthentication) runtime.Authenticator
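Review bot: The comment on the new `OpenIDProviders` field, `// Configuration passed in from MinIO for MinIO console.`, does not say what the field holds or what its zero value means; the login handlers in this commit treat nil as "no IDP configured", so something like `// OpenIDProviders holds the OpenID Connect provider configuration consumed by the login handlers; nil disables IDP-based login.` would state the contract. `NewConsoleAPI` gains the matching parameter, but its doc comment `// NewConsoleAPI creates a new Console instance` was not updated to mention it. This file looks like go-swagger generated output (the `handlers`/`formats`/`useSwaggerUI` scaffolding); if it is ever regenerated, both hand edits would be dropped unless the template carries them.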


@@ -35,7 +35,7 @@ import (
func registerLoginHandlers(api *operations.ConsoleAPI) {
// GET login strategy
api.AuthLoginDetailHandler = authApi.LoginDetailHandlerFunc(func(params authApi.LoginDetailParams) middleware.Responder {
loginDetails, err := getLoginDetailsResponse(params)
loginDetails, err := getLoginDetailsResponse(params, api.OpenIDProviders, oauth2.DefaultIDPConfig)
if err != nil {
return authApi.NewLoginDetailDefault(int(err.Code)).WithPayload(err)
}
@@ -56,7 +56,7 @@ func registerLoginHandlers(api *operations.ConsoleAPI) {
})
// POST login using external IDP
api.AuthLoginOauth2AuthHandler = authApi.LoginOauth2AuthHandlerFunc(func(params authApi.LoginOauth2AuthParams) middleware.Responder {
loginResponse, err := getLoginOauth2AuthResponse(params)
loginResponse, err := getLoginOauth2AuthResponse(params, api.OpenIDProviders, oauth2.DefaultIDPConfig)
if err != nil {
return authApi.NewLoginOauth2AuthDefault(int(err.Code)).WithPayload(err)
}
@@ -145,16 +145,16 @@ func getLoginResponse(params authApi.LoginParams) (*models.LoginResponse, *model
}
// getLoginDetailsResponse returns information regarding the Console authentication mechanism.
func getLoginDetailsResponse(params authApi.LoginDetailParams) (*models.LoginDetails, *models.Error) {
func getLoginDetailsResponse(params authApi.LoginDetailParams, openIDProviders oauth2.OpenIDPCfg, idpName string) (*models.LoginDetails, *models.Error) {
ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
defer cancel()
loginStrategy := models.LoginDetailsLoginStrategyForm
redirectURL := ""
r := params.HTTPRequest
if oauth2.IsIDPEnabled() {
if openIDProviders != nil {
loginStrategy = models.LoginDetailsLoginStrategyRedirect
// initialize new oauth2 client
oauth2Client, err := oauth2.NewOauth2ProviderClient(nil, r, GetConsoleHTTPClient())
oauth2Client, err := openIDProviders.NewOauth2ProviderClient(idpName, nil, r, GetConsoleHTTPClient())
if err != nil {
return nil, ErrorWithContext(ctx, err, ErrOauth2Provider)
}
@@ -180,14 +180,14 @@ func verifyUserAgainstIDP(ctx context.Context, provider auth.IdentityProviderI,
return userCredentials, nil
}
func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams) (*models.LoginResponse, *models.Error) {
func getLoginOauth2AuthResponse(params authApi.LoginOauth2AuthParams, openIDProviders oauth2.OpenIDPCfg, idpName string) (*models.LoginResponse, *models.Error) {
ctx, cancel := context.WithCancel(params.HTTPRequest.Context())
defer cancel()
r := params.HTTPRequest
lr := params.Body
if oauth2.IsIDPEnabled() {
if openIDProviders != nil {
// initialize new oauth2 client
oauth2Client, err := oauth2.NewOauth2ProviderClient(nil, r, GetConsoleHTTPClient())
oauth2Client, err := openIDProviders.NewOauth2ProviderClient(idpName, nil, r, GetConsoleHTTPClient())
if err != nil {
return nil, ErrorWithContext(ctx, err)
}
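Review bot: The guard `if openIDProviders != nil` (hunk at -145 and again at -180) treats any non-nil configuration as "IDP enabled", so if OpenIDPCfg is a map or slice an empty but non-nil value would advertise the redirect login strategy and then fail inside `openIDProviders.NewOauth2ProviderClient(idpName, ...)`; if that is its type, `if len(openIDProviders) > 0 {` is the safer check at both sites. Relatedly, the error path after the second call still returns `ErrorWithContext(ctx, err)` without the generic `ErrOauth2Provider` used in getLoginDetailsResponse, so whatever detail the new name-based lookup puts into err may reach the unauthenticated caller of the login endpoint — worth aligning the two. Both getLoginDetailsResponse and getLoginOauth2AuthResponse continue past the end of their hunks.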