-
Notifications
You must be signed in to change notification settings - Fork 9
Expand file tree
/
Copy pathfederation.go
More file actions
366 lines (332 loc) · 11.4 KB
/
federation.go
File metadata and controls
366 lines (332 loc) · 11.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
package oidfed
import (
"time"
"github.com/lestrrat-go/jwx/v3/jws"
"github.com/pkg/errors"
"github.com/go-oidfed/lib/apimodel"
"github.com/go-oidfed/lib/cache"
"github.com/go-oidfed/lib/internal"
"github.com/go-oidfed/lib/jwx"
"github.com/go-oidfed/lib/unixtime"
)
// FederationEntity defines the common behavior for federation entities,
// implemented by both StaticFederationEntity and DynamicFederationEntity.
type FederationEntity interface {
EntityID() string
// EntityConfigurationPayload returns the payload for the entity configuration
EntityConfigurationPayload() (*EntityStatementPayload, error)
// EntityConfigurationJWT returns the signed entity configuration as a JWT
EntityConfigurationJWT() ([]byte, error)
// SignEntityStatement signs the provided entity configuration payload
SignEntityStatement(payload EntityStatementPayload) ([]byte, error)
// SignEntityStatementWithHeaders signs the provided entity configuration payload and adds the passed jws.Headers
SignEntityStatementWithHeaders(payload EntityStatementPayload, headers jws.Headers) ([]byte, error)
}
// RequestURIGenerator is a function that takes a request object and returns a request_uri at which the passed
// request object will be available
type RequestURIGenerator func([]byte) (string, error)
// FederationLeaf is a type for a leaf entity and holds all relevant information about it; it can also be used to
// create an EntityConfiguration about it or to start OIDC flows
type FederationLeaf struct {
FederationEntity
TrustAnchors TrustAnchors
oidcROProducer *RequestObjectProducer
RequestURIGenerator RequestURIGenerator
}
// DynamicFederationEntity mirrors FederationEntity but exposes all properties
// (except EntityID) as functions of time, enabling time-dependent values.
type DynamicFederationEntity struct {
ID string
Metadata func() (*Metadata, error)
AuthorityHints func() ([]string, error)
TrustAnchorHints func() ([]string, error)
ConfigurationLifetime func() (time.Duration, error)
EntityStatementSigner func() (*jwx.EntityStatementSigner, error)
TrustMarks func() ([]*EntityConfigurationTrustMarkConfig, error)
TrustMarkIssuers func() (AllowedTrustMarkIssuers, error)
TrustMarkOwners func() (TrustMarkOwners, error)
Extra func() (map[string]any, []string, error)
}
// EntityID returns the entity ID of the DynamicFederationEntity
func (f DynamicFederationEntity) EntityID() string {
return f.ID
}
// EntityConfigurationPayload returns an EntityStatementPayload for this DynamicFederationEntity
// resolving all dynamic properties at time.Now().
func (f DynamicFederationEntity) EntityConfigurationPayload() (*EntityStatementPayload, error) {
now := time.Now()
var err error
// Resolve dynamic fields
metadata := (*Metadata)(nil)
if f.Metadata != nil {
metadata, err = f.Metadata()
if err != nil {
return nil, err
}
}
var authorityHints []string
if f.AuthorityHints != nil {
authorityHints, err = f.AuthorityHints()
if err != nil {
return nil, err
}
}
var trustAnchorHints []string
if f.TrustAnchorHints != nil {
trustAnchorHints, err = f.TrustAnchorHints()
if err != nil {
return nil, err
}
}
lifetime := time.Duration(0)
if f.ConfigurationLifetime != nil {
lifetime, err = f.ConfigurationLifetime()
if err != nil {
return nil, err
}
}
if lifetime <= 0 {
lifetime = defaultEntityConfigurationLifetime
}
exp := unixtime.Unixtime{Time: now.Add(lifetime)}
signer := (*jwx.EntityStatementSigner)(nil)
if f.EntityStatementSigner != nil {
signer, err = f.EntityStatementSigner()
if err != nil {
return nil, err
}
}
var tms []TrustMarkInfo
if f.TrustMarks != nil {
trustMarkConfigs, err := f.TrustMarks()
if err != nil {
return nil, err
}
tms = make([]TrustMarkInfo, 0, len(trustMarkConfigs))
for _, tmc := range trustMarkConfigs {
tmInfo, err := tmc.TrustMarkInfo()
if err != nil {
internal.Log(err.Error())
continue
}
if tmcExp := tmc.Expiration(); !tmcExp.IsZero() && tmcExp.Before(exp.Time) {
exp = tmcExp
}
tms = append(tms, tmInfo)
}
}
var trustMarkIssuers AllowedTrustMarkIssuers
if f.TrustMarkIssuers != nil {
trustMarkIssuers, err = f.TrustMarkIssuers()
if err != nil {
return nil, err
}
}
var trustMarkOwners TrustMarkOwners
if f.TrustMarkOwners != nil {
trustMarkOwners, err = f.TrustMarkOwners()
if err != nil {
return nil, err
}
}
var extra map[string]any
var crits []string
if f.Extra != nil {
extra, crits, err = f.Extra()
if err != nil {
return nil, err
}
}
if metadata != nil {
metadata.ApplyInformationalClaimsToFederationEntity()
}
var jwks jwx.JWKS
if signer != nil {
jwks, err = signer.JWKS()
if err != nil {
return nil, err
}
}
if jwks.Set != nil {
if jwksExp := jwks.MaximalExpirationTime(); !jwksExp.IsZero() && jwksExp.Before(exp.Time) {
exp = jwksExp
}
}
return &EntityStatementPayload{
Issuer: f.ID,
Subject: f.ID,
IssuedAt: unixtime.Unixtime{Time: now},
ExpiresAt: exp,
JWKS: jwks,
AuthorityHints: authorityHints,
TrustAnchorHints: trustAnchorHints,
Metadata: metadata,
TrustMarks: tms,
TrustMarkIssuers: trustMarkIssuers,
TrustMarkOwners: trustMarkOwners,
CriticalExtensions: crits,
Extra: extra,
}, nil
}
// EntityConfigurationJWT creates and returns the signed jwt for the dynamic entity configuration
func (f DynamicFederationEntity) EntityConfigurationJWT() ([]byte, error) {
payload, err := f.EntityConfigurationPayload()
if err != nil {
return nil, err
}
return f.SignEntityStatement(*payload)
}
// SignEntityStatement creates a signed JWT for the given EntityStatementPayload
func (f DynamicFederationEntity) SignEntityStatement(payload EntityStatementPayload) ([]byte, error) {
return f.SignEntityStatementWithHeaders(payload, nil)
}
// SignEntityStatementWithHeaders creates a signed JWT for the given EntityStatementPayload and jws.Headers
func (f DynamicFederationEntity) SignEntityStatementWithHeaders(
payload EntityStatementPayload, headers jws.Headers,
) ([]byte, error) {
if f.EntityStatementSigner == nil {
return nil, errors.New("no signer function configured")
}
signer, err := f.EntityStatementSigner()
if signer == nil {
return nil, errors.New("no signer available at current time")
}
if err != nil {
return nil, err
}
return signer.JWTWithHeaders(payload, headers)
}
// NewFederationEntity creates a new StaticFederationEntity with the passed properties
func NewFederationEntity(
entityID string, authorityHints, trustAnchorHints []string, metadata *Metadata,
signer *jwx.EntityStatementSigner, configurationLifetime time.Duration, extra map[string]any,
) (*StaticFederationEntity, error) {
if configurationLifetime <= 0 {
configurationLifetime = defaultEntityConfigurationLifetime
}
return &StaticFederationEntity{
ID: entityID,
Metadata: metadata,
AuthorityHints: authorityHints,
TrustAnchorHints: trustAnchorHints,
EntityStatementSigner: signer,
ConfigurationLifetime: configurationLifetime,
Extra: extra,
}, nil
}
// NewFederationLeaf creates a new FederationLeaf with the passed properties
func NewFederationLeaf(
entityID string, authorityHints []string, trustAnchors TrustAnchors, metadata *Metadata,
signer *jwx.EntityStatementSigner, configurationLifetime time.Duration,
oidcSigner jwx.VersatileSigner, extra map[string]any,
) (*FederationLeaf, error) {
fed, err := NewFederationEntity(
entityID, authorityHints, trustAnchors.EntityIDs(), metadata, signer,
configurationLifetime, extra,
)
if err != nil {
return nil, err
}
return &FederationLeaf{
FederationEntity: *fed,
TrustAnchors: trustAnchors,
oidcROProducer: NewRequestObjectProducer(entityID, oidcSigner, time.Minute),
}, nil
}
// StaticFederationEntity is a type for an entity participating in federations.
// It holds all relevant information about the federation entity and can be used to create
// an EntityConfiguration about it
type StaticFederationEntity struct {
ID string
Metadata *Metadata
AuthorityHints []string
TrustAnchorHints []string
ConfigurationLifetime time.Duration
*jwx.EntityStatementSigner
TrustMarks []*EntityConfigurationTrustMarkConfig
TrustMarkIssuers AllowedTrustMarkIssuers
TrustMarkOwners TrustMarkOwners
Extra map[string]any
CriticalClaims []string
}
// EntityID returns the entity ID of the StaticFederationEntity
func (f StaticFederationEntity) EntityID() string {
return f.ID
}
// EntityConfigurationPayload returns an EntityStatementPayload for this
// StaticFederationEntity
func (f StaticFederationEntity) EntityConfigurationPayload() (*EntityStatementPayload, error) {
return DynamicFederationEntity{
ID: f.ID,
Metadata: func() (*Metadata, error) {
return f.Metadata, nil
},
AuthorityHints: func() ([]string, error) {
return f.AuthorityHints, nil
},
TrustAnchorHints: func() ([]string, error) {
return f.TrustAnchorHints, nil
},
ConfigurationLifetime: func() (time.Duration, error) { return f.ConfigurationLifetime, nil },
EntityStatementSigner: func() (*jwx.EntityStatementSigner, error) {
return f.EntityStatementSigner, nil
},
TrustMarks: func() ([]*EntityConfigurationTrustMarkConfig, error) {
return f.TrustMarks, nil
},
TrustMarkIssuers: func() (AllowedTrustMarkIssuers, error) { return f.TrustMarkIssuers, nil },
TrustMarkOwners: func() (TrustMarkOwners, error) {
return f.TrustMarkOwners, nil
},
Extra: func() (map[string]any, []string, error) { return f.Extra, f.CriticalClaims, nil },
}.EntityConfigurationPayload()
}
// EntityConfigurationJWT creates and returns the signed jwt as a []byte for
// the entity's entity configuration
func (f StaticFederationEntity) EntityConfigurationJWT() ([]byte, error) {
payload, err := f.EntityConfigurationPayload()
if err != nil {
return nil, err
}
return f.SignEntityStatement(*payload)
}
// SignEntityStatement creates a signed JWT for the given EntityStatementPayload; this function is intended to be
// used on TA/IA
func (f StaticFederationEntity) SignEntityStatement(payload EntityStatementPayload) ([]byte, error) {
return f.EntityStatementSigner.JWT(payload)
}
// SignEntityStatementWithHeaders creates a signed JWT for the given
// EntityStatementPayload; this function is intended to be
// used on TA/IA
func (f StaticFederationEntity) SignEntityStatementWithHeaders(
payload EntityStatementPayload, headers jws.Headers,
) ([]byte, error) {
return f.EntityStatementSigner.JWTWithHeaders(payload, headers)
}
// RequestObjectProducer returns the entity's RequestObjectProducer
func (f FederationLeaf) RequestObjectProducer() *RequestObjectProducer {
return f.oidcROProducer
}
// ResolveOPMetadata resolves and returns OpenIDProviderMetadata for the
// passed issuer url
func (f FederationLeaf) ResolveOPMetadata(issuer string) (*OpenIDProviderMetadata, error) {
var opm OpenIDProviderMetadata
set, err := cache.Get(cache.Key(cache.KeyOPMetadata, issuer), &opm)
if err != nil {
return nil, err
}
if set {
return &opm, nil
}
metadata, err := DefaultMetadataResolver.Resolve(
apimodel.ResolveRequest{
Subject: issuer,
TrustAnchor: f.TrustAnchors.EntityIDs(),
EntityTypes: []string{"openid_provider"},
},
)
if err != nil {
return nil, errors.Wrap(err, "no trust chain with valid metadata found")
}
return metadata.OpenIDProvider, nil
}