lxc · tych0 · Nov 1, 2023 · Oct 31, 2023 · Oct 31, 2023 · Oct 31, 2023
@@ -17,6 +17,8 @@ cmd/incus-migrate/incus-migrate
 cmd/incus-user/incus-user
 test/dev_incus-client/dev_incus-client
 test/syscall/sysinfo/sysinfo
+test/mini-oidc/mini-oidc
+test/mini-oidc/user.data
 
 # Sphinx
 doc/html/

@@ -99,6 +99,9 @@ endif
 
 	cd cmd/lxd-to-incus && $(GO) get -t -v -d -u ./...
 	cd cmd/lxd-to-incus && $(GO) mod tidy --go=1.20
+
+	cd test/mini-oidc && $(GO) get -t -v -d -u ./...
+	cd test/mini-oidc && $(GO) mod tidy --go=1.20
 	@echo "Dependencies updated"
 
 .PHONY: update-protobuf

@@ -218,14 +218,12 @@ func (o *oidcClient) authenticate(issuer string, clientID string, audience strin
 		return err
 	}
 
-	fmt.Printf("Code: %s\n\n", resp.UserCode)
-
 	u, _ := url.Parse(resp.VerificationURIComplete)
 
-	err = openBrowser(u.String())
-	if err != nil {
-		return err
-	}
+	fmt.Printf("URL: %s\n", u.String())
+	fmt.Printf("Code: %s\n\n", resp.UserCode)
+
+	_ = openBrowser(u.String())
 
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGINT)
 	defer stop()

@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"os"
 	"os/exec"
 	"runtime"
 	"strings"
@@ -256,6 +257,16 @@ type HTTPTransporter interface {
 func openBrowser(url string) error {
 	var err error
 
+	browser := os.Getenv("BROWSER")
+	if browser != "" {
+		if browser == "none" {
+			return nil
+		}
+
+		err = exec.Command(browser, url).Start()
+		return err
+	}
+
 	switch runtime.GOOS {
 	case "linux":
 		err = exec.Command("xdg-open", url).Start()

@@ -196,7 +196,7 @@ func getClient(CID uint32, port int, serverCertificate string) (*http.Client, er
 func startHTTPServer(d *Daemon, debug bool) error {
 	const CIDAny uint32 = 4294967295 // Equivalent to VMADDR_CID_ANY.
 
-	// Setup the listener on wildcard CID for inbound connections from LXD.
+	// Setup the listener on wildcard CID for inbound connections from Incus.
 	// We use the VMADDR_CID_ANY CID so that if the VM's CID changes in the future the listener still works.
 	// A CID change can occur when restoring a stateful VM that was previously using one CID but is
 	// subsequently restored using a different one.

@@ -5,10 +5,11 @@ replace github.com/lxc/incus => ../../
 go 1.20
 
 require (
-	github.com/canonical/lxd v0.0.0-20231027142446-db2afaa873fc
-	github.com/lxc/incus v0.0.0-20231027143506-03aed12a8aee
+	github.com/canonical/lxd v0.0.0-20231029190415-18b3c3f349ab
+	github.com/lxc/incus v0.0.0-20231030213510-385b6509cfce
 	github.com/pierrec/lz4/v4 v4.1.18
 	github.com/spf13/cobra v1.7.0
+	golang.org/x/sys v0.13.0
 )
 
 require (
@@ -41,7 +42,6 @@ require (
 	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/term v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect

@@ -1,7 +1,7 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/canonical/lxd v0.0.0-20231027142446-db2afaa873fc h1:iUujb6QrfavX46/qBXl0Jk/aQEJYCRlgon4iAcFOAVI=
-github.com/canonical/lxd v0.0.0-20231027142446-db2afaa873fc/go.mod h1:Ae5ZOPef5H2C2Tr3jQuz46x3Pejbm7atWC+t/X7hGdI=
+github.com/canonical/lxd v0.0.0-20231029190415-18b3c3f349ab h1:XCFZ/Rd0FEH7IP5/rrDfaWl6nvzR1tqPZP/653ZmiwY=
+github.com/canonical/lxd v0.0.0-20231029190415-18b3c3f349ab/go.mod h1:Ae5ZOPef5H2C2Tr3jQuz46x3Pejbm7atWC+t/X7hGdI=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=

@@ -18,7 +18,7 @@ require (
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/gosexy/gettext v0.0.0-20160830220431-74466a0a0c4a
-	github.com/grafana/dskit v0.0.0-20231027084524-7d6449420899
+	github.com/grafana/dskit v0.0.0-20231030143953-cd0341d354c7
 	github.com/j-keck/arping v1.0.3
 	github.com/jaypipes/pcidb v1.0.0
 	github.com/jochenvg/go-udev v0.0.0-20171110120927-d6b62d56d37b
@@ -131,7 +131,7 @@ require (
 	golang.org/x/net v0.17.0 // indirect
 	golang.org/x/tools v0.14.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect

@@ -215,8 +215,8 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gosexy/gettext v0.0.0-20160830220431-74466a0a0c4a h1:N2b2mb4Gki1SlF3WuhR9P1YHOpl7oy/b+xxX4A3iM2E=
 github.com/gosexy/gettext v0.0.0-20160830220431-74466a0a0c4a/go.mod h1:IEJaV4/6J0VpoQ33kFCUUP6umRjrcBVEbOva6XCub/Q=
-github.com/grafana/dskit v0.0.0-20231027084524-7d6449420899 h1:JwcdkgeHMfqXYN8NvlEkYb7SsY9hMROI1yvv5oar/vU=
-github.com/grafana/dskit v0.0.0-20231027084524-7d6449420899/go.mod h1:8dsy5tQOkeNQyjXpm5mQsbCu3H5uzeBD35MzRQFznKU=
+github.com/grafana/dskit v0.0.0-20231030143953-cd0341d354c7 h1:N6/jEkWJsKb1kWSOx8AlgVIMmsVDnfVSEEIlwHnuKf4=
+github.com/grafana/dskit v0.0.0-20231030143953-cd0341d354c7/go.mod h1:8dsy5tQOkeNQyjXpm5mQsbCu3H5uzeBD35MzRQFznKU=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
@@ -835,8 +835,8 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b h1:ZlWIi1wSK56/8hn4QcBp/j9M7Gt3U/3hZw3mC7vDICo=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:swOH3j0KzcDDgGUWr+SNpyTen5YrXjS3eyPzFYKc6lc=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405 h1:AB/lmRny7e2pLhFEYIbl5qkDAUt2h0ZRO4wGPhZf+ik=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20231030173426-d783a09b4405/go.mod h1:67X1fPuzjcrkymZzZV1vvkFeTn2Rvc6lYF9MYFGCcwE=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=

@@ -218,7 +218,7 @@ func ObjectUser(userName string) Object {
 }
 
 func ObjectServer() Object {
-	object, _ := NewObject(ObjectTypeServer, "", "lxd")
+	object, _ := NewObject(ObjectTypeServer, "", "incus")
 	return object
 }
 

@@ -85,7 +85,7 @@ func (s *objectSuite) TestObjectProject() {
 func (s *objectSuite) TestObjectServer() {
 	s.Assert().NotPanics(func() {
 		o := ObjectServer()
-		s.Equal("server:lxd", string(o))
+		s.Equal("server:incus", string(o))
 	})
 }
 
@@ -124,8 +124,8 @@ func (s *objectSuite) TestObjectFromString() {
 		err error
 	}{
 		{
-			in:  "server:lxd",
-			out: Object("server:lxd"),
+			in:  "server:incus",
+			out: Object("server:incus"),
 		},
 		{
 			in:  "certificate:weaowiejfoiawefpajewfpoawjfepojawef",

@@ -42,7 +42,7 @@ const (
 	EntitlementCanManageBackups   Entitlement = "can_manage_backups"
 )
 
-// ObjectType is a type of resource within LXD.
+// ObjectType is a type of resource within Incus.
 type ObjectType string
 
 const (
@@ -62,7 +62,7 @@ const (
 	ObjectTypeStorageVolume ObjectType = "storage_volume"
 )
 
-// Permission is a type representation of general permission levels in LXD. Used with TLS and RBAC drivers.
+// Permission is a type representation of general permission levels in Incus. Used with TLS and RBAC drivers.
 type Permission string
 
 const (

@@ -0,0 +1,26 @@
+# mini-oidc related test helpers.
+
+spawn_oidc() {
+  (
+    cd mini-oidc || return
+    # Use -buildvcs=false here to prevent git complaining about untrusted directory when tests are run as root.
+    go build -v -buildvcs=false ./
+
+    PORT="$(local_tcp_port)"
+    echo "${PORT}" > "${TEST_DIR}/oidc.port"
+    ./mini-oidc "${PORT}" "${TEST_DIR}/oidc.user" &
+    echo $! > "${TEST_DIR}/oidc.pid"
+
+    sleep 3
+  )
+}
+
+kill_oidc() {
+  [ ! -e "${TEST_DIR}/oidc.pid" ] && return
+
+  kill -9 "$(cat "${TEST_DIR}/oidc.pid")"
+}
+
+set_oidc() {
+  echo "${1}" > "${TEST_DIR}/oidc.user"
+}
@@ -3,7 +3,7 @@
 echo "Checking that functional blocks are followed by newlines..."
 
 # Check all .go files except the protobuf bindings (.pb.go)
-files=$(git ls-files --cached --modified --others '*.go' ':!:*.pb.go')
+files=$(git ls-files --cached --modified --others '*.go' ':!:*.pb.go' ':!:test/mini-oidc/storage/*.go')
 
 exit_code=0
 for file in $files

@@ -3,4 +3,4 @@
 echo "Checking for oneline assign & test..."
 
 # Recursively grep go files for if statements that contain assignments.
-! git grep --untracked -P -n '^\s+if.*:=.*;.*{\s*$' -- '*.go'
+! git grep --untracked -P -n '^\s+if.*:=.*;.*{\s*$' -- '*.go' ':!:test/mini-oidc/storage/*.go'
@@ -2,7 +2,7 @@
 
 echo "Checking for short form imports..."
 
-OUT=$(git grep --untracked -n -P '^\s*import\s+"' '*.go' | grep -v ':import "C"$' || true)
+OUT=$(git grep --untracked -n -P '^\s*import\s+"' '*.go' ':!:test/mini-oidc/storage/*.go' | grep -v ':import "C"$' || true)
 if [ -n "${OUT}" ]; then
   echo "ERROR: found short form imports: ${OUT}"
   exit 1

@@ -200,6 +200,7 @@ if [ "${1:-"all"}" != "cluster" ]; then
     run_test test_database_no_disk_space "database out of disk space"
     run_test test_sql "SQL"
     run_test test_tls_restrictions "TLS restrictions"
+    run_test test_oidc "OpenID Connect"
     run_test test_openfga "OpenFGA"
     run_test test_certificate_edit "Certificate edit"
     run_test test_basic_usage "basic usage"

@@ -0,0 +1,7 @@
+`mini-oidc` is an extremely basic OIDC provider which can be used with the `incus` command line.
+It doesn't use web authentication and instead just automatically approves any authentication request.
+
+By default, it will authenticate everyone as `unknown`, but this can be overriden by writing the username to be returned in the `user.data` file.
+This effectively allows scripting a variety of users without having to deal with actual login.
+
+The `storage` sub-package is a copy of https://github.com/zitadel/oidc/tree/main/example/server/storage with the exception of the added IncusDeviceClient.
@@ -0,0 +1,33 @@
+module github.com/lxc/incus/test/mini-oidc
+
+go 1.20
+
+require (
+	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-jose/go-jose/v3 v3.0.0
+	github.com/google/uuid v1.4.0
+	github.com/zitadel/oidc/v3 v3.1.1
+	golang.org/x/exp v0.0.0-20231006140011-7918f672742d
+	golang.org/x/text v0.13.0
+)
+
+require (
+	github.com/go-logr/logr v1.3.0 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/muhlemmer/gu v0.3.1 // indirect
+	github.com/muhlemmer/httpforwarded v0.1.0 // indirect
+	github.com/rs/cors v1.10.1 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/zitadel/logging v0.5.0 // indirect
+	github.com/zitadel/schema v1.3.0 // indirect
+	go.opentelemetry.io/otel v1.19.0 // indirect
+	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	go.opentelemetry.io/otel/trace v1.19.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
+	golang.org/x/oauth2 v0.13.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+)