Add password grant for oidc provider

Author: Pavol Ipoth

pkg/libs/oidc-provider/plugin.go

@@ -2,7 +2,9 @@ package oidcprovider
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"sync"
 	"time"
@@ -44,36 +46,32 @@ type TokenProviderOptions struct {
 	TargetAudience   string
 }
 
+type GrantType struct {
+	Name string `json:"grant_type"`
+}
+
 // NewTokenProvider - Generate new OIDC token provider
 func NewTokenProvider(options TokenProviderOptions) (*TokenProvider, error) {
 	os.Setenv("OIDC_CREDENTIALS", options.CredentialsFile)
 	stopChannel := make(chan bool, 1)
 	var idTokenSource idTokenSource
 
-	serviceAccountSource, err := NewServiceAccountSource(
-		options.CredentialsFile,
-		options.TargetAudience)
-
-	idTokenSource = serviceAccountSource
+	idTokenSource, err := getTokenSource(options.CredentialsFile, options.TargetAudience)
 
 	if err != nil {
-		return nil, errors.Wrap(err, "creation of service account source failed")
+		return nil, err
 	}
 
 	if options.CredentialsWatch {
 		action := func() {
 			logrus.Infof("reloading credential file %s", options.CredentialsFile)
 
-			newConfig, errServ := oidc.NewServiceAccountTokenSource(
-				options.CredentialsFile,
-				options.TargetAudience)
+			idTokenSource, err = getTokenSource(options.CredentialsFile, options.TargetAudience)
 
-			if errServ != nil {
+			if err != nil {
 				logrus.Errorf("error while reloading credentials files: %s", err)
 				return
 			}
-
-			serviceAccountSource.setServiceAccountTokenSource(newConfig)
 		}
 
 		err = util.WatchForUpdates(options.CredentialsFile, stopChannel, action)
@@ -211,6 +209,45 @@ func getTokenResponse(token string, status int) (apis.TokenResponse, error) {
 	return apis.TokenResponse{Success: success, Status: int32(status), Token: token}, nil
 }
 
+func getTokenSource(credentialsFilePath string, targetAud string) (idTokenSource, error) {
+	data, err := ioutil.ReadFile(credentialsFilePath)
+
+	if err != nil {
+		return nil, err
+	}
+
+	grantType := &GrantType{}
+
+	err = json.Unmarshal(data, grantType)
+
+	if err != nil {
+		return nil, err
+	}
+
+	switch grantType.Name {
+	case "password":
+		passwordGrantSource, err := NewPasswordGrantSource(
+			credentialsFilePath,
+			targetAud)
+
+		if err != nil {
+			return nil, errors.Wrap(err, "creation of password grant source failed")
+		}
+
+		return passwordGrantSource, nil
+	default:
+		serviceAccountSource, err := NewServiceAccountSource(
+			credentialsFilePath,
+			targetAud)
+
+		if err != nil {
+			return nil, errors.Wrap(err, "creation of service account source failed")
+		}
+
+		return serviceAccountSource, nil
+	}
+}
+
 type idTokenSource interface {
 	GetIDToken(ctx context.Context) (string, error)
 }
@@ -249,3 +286,38 @@ func NewServiceAccountSource(credentialsFile string, targetAudience string) (*se
 func (s *serviceAccountSource) GetIDToken(parent context.Context) (string, error) {
 	return s.getServiceAccountTokenSource().GetIDToken(parent)
 }
+
+type passwordGrantSource struct {
+	source *oidc.PasswordGrantTokenSource
+	l      sync.RWMutex
+}
+
+func (p *passwordGrantSource) getPasswordGrantTokenSource() *oidc.PasswordGrantTokenSource {
+	p.l.RLock()
+	defer p.l.RUnlock()
+
+	return p.source
+}
+
+func (p *passwordGrantSource) setPasswordGrantTokenSource(source *oidc.PasswordGrantTokenSource) {
+	p.l.Lock()
+	defer p.l.Unlock()
+
+	p.source = source
+}
+
+func NewPasswordGrantSource(credentialsFile string, targetAudience string) (*passwordGrantSource, error) {
+	source, err := oidc.NewPasswordGrantTokenSource(credentialsFile, targetAudience)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &passwordGrantSource{
+		source: source,
+	}, nil
+}
+
+func (s *passwordGrantSource) GetIDToken(parent context.Context) (string, error) {
+	return s.getPasswordGrantTokenSource().GetIDToken(parent)
+}

pkg/libs/oidc-provider/plugint_test.go pkg/libs/oidc-provider/plugin_test.gopkg/libs/oidc-provider/plugint_test.go renamed to pkg/libs/oidc-provider/plugin_test.go

@@ -0,0 +1,78 @@
+package oidc
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+
+	"github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
+)
+
+type PasswordGrantTokenSource struct {
+	ClientID string `json:"client_id"`
+
+	ClientSecret string `json:"client_secret"`
+
+	Username string `json:"username"`
+
+	Password string `json:"password"`
+
+	// TokenURL is the resource server's token endpoint
+	// URL. This is a constant specific to each server.
+	TokenURL string `json:"token_url"`
+
+	// Scope specifies optional requested permissions.
+	Scopes []string `json:"scopes"`
+}
+
+func NewPasswordGrantTokenSource(credentialsFile string, targetAudience string) (*PasswordGrantTokenSource, error) {
+	data, err := ioutil.ReadFile(credentialsFile)
+	source := &PasswordGrantTokenSource{}
+
+	if err != nil {
+		return nil, err
+	}
+
+	err = json.Unmarshal(data, source)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return source, nil
+}
+
+// GetIDToken - retrieve token from endpoint
+func (s *PasswordGrantTokenSource) GetIDToken(parent context.Context) (string, error) {
+	conf := &oauth2.Config{
+		Scopes:       s.Scopes,
+		ClientID:     s.ClientID,
+		ClientSecret: s.ClientSecret,
+		Endpoint: oauth2.Endpoint{
+			TokenURL: s.TokenURL,
+		},
+	}
+
+	logrus.Debugf("Configuration is %v", conf)
+
+	token, err := conf.PasswordCredentialsToken(parent, s.Username, s.Password)
+
+	if err != nil {
+		logrus.Errorf("Retrieving oidc token failed %v", err)
+		return "", err
+	}
+
+	var idTokenRes struct {
+		IDToken string `json:"id_token"`
+	}
+
+	if token.AccessToken == "" {
+		return "", errors.New("oidc access_token is missing")
+	}
+
+	idTokenRes.IDToken = token.AccessToken
+
+	return idTokenRes.IDToken, nil
+}