Bunch of RBAC Fixes (#17)

Sorts out token verification on remote servers with a userinfo endpoint
that we can (ab)use to propagate RBAC information.  Turns on
authorization which I totally forgot!

charts/identity/Chart.yaml

@@ -4,7 +4,7 @@ description: A Helm chart for deploying Unikorn's IdP
 
 type: application
 
-version: v0.1.13
-appVersion: v0.1.13
+version: v0.1.14
+appVersion: v0.1.14
 
 icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.1
 	github.com/google/uuid v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/unikorn-cloud/core v0.1.11
+	github.com/unikorn-cloud/core v0.1.12
 	go.opentelemetry.io/otel v1.24.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0
 	go.opentelemetry.io/otel/sdk v1.22.0

go.sum

@@ -261,26 +261,8 @@ github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
 github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
-github.com/unikorn-cloud/core v0.1.7 h1:I2Xu9gYlRnkG0TjY+qbTIWY+kHCv76mCOVFkLL1dsaY=
-github.com/unikorn-cloud/core v0.1.7/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.8 h1:JJAfUgCP2hAAAMcfWjE0hmyDOmlg9fxNlWSyJs7gT3k=
-github.com/unikorn-cloud/core v0.1.8/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.10-0.20240314110053-42e6a0300b53 h1:vQYiOBQoUBpuu8XnHskUe8ypnK4M9TnwlrvoO84f4F0=
-github.com/unikorn-cloud/core v0.1.10-0.20240314110053-42e6a0300b53/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.10-0.20240314111057-273eb5d18310 h1:xKFgb2hVz7sLzFk+KI7POiaaniibvkuiclR3pMlUOSs=
-github.com/unikorn-cloud/core v0.1.10-0.20240314111057-273eb5d18310/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.10 h1:8D5+CSbBi0ziutAoaWnQq/t1mtfV0IQ1uD6Dg7HfAqY=
-github.com/unikorn-cloud/core v0.1.10/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.11-0.20240318115215-dd098dc6660f h1:GjKy9KPgmE9nEjWWNQPd618DtA2iPYs3y/va+bguJkM=
-github.com/unikorn-cloud/core v0.1.11-0.20240318115215-dd098dc6660f/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.11-0.20240318115636-080be30450ad h1:XG37xE1IcaoFTkxz2VGf080MWZL14Vx+hlhw9q1wXRA=
-github.com/unikorn-cloud/core v0.1.11-0.20240318115636-080be30450ad/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.11-0.20240318115749-a8a1f2f6529e h1:7zgjKGO62ySk9xkDTiwNbUJYY84ozJPvJZOpeDDxaqA=
-github.com/unikorn-cloud/core v0.1.11-0.20240318115749-a8a1f2f6529e/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.11-0.20240318120347-1b4b6562b1df h1:pdz790l1OaGCfq5cXKxESmYKMpOjQDvpSNcFWbpOb2M=
-github.com/unikorn-cloud/core v0.1.11-0.20240318120347-1b4b6562b1df/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
-github.com/unikorn-cloud/core v0.1.11 h1:6OkdztkzNR6K2CPJU5l3c1yR4UfFztaS8BpiyaKa54M=
-github.com/unikorn-cloud/core v0.1.11/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
+github.com/unikorn-cloud/core v0.1.12 h1:I78A9dNMCMtth1WGrEEPhktyNOtQ33W52TIRuw2R4XA=
+github.com/unikorn-cloud/core v0.1.12/go.mod h1:G45rJ0e5LOdoFcD9C00wSuhe/AMeBC+tczmQSsS+0/Q=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+qRAEEKiv+SiQ=

openapi/server.spec.yaml

@@ -74,6 +74,18 @@ paths:
       responses:
         '302':
           description: A redirect to the specified identity provider URI.
+  /oauth2/v2/userinfo:
+    description: |-
+      Returns introspection information about an access token.
+    get:
+      description: Returns introspection information about an access token.
+      security:
+      - oauth2Authentication: []
+      responses:
+        '200':
+          $ref: '#/components/responses/userinfoResponse'
+        '401':
+          $ref: '#/components/responses/unauthorizedResponse'
   /oidc/callback:
     description: |-
       Implements the OIDC response code callback.
@@ -107,6 +119,8 @@ paths:
     get:
       description: |-
         Returns a list of identity providers.
+      security:
+      - oauth2Authentication: []
       responses:
         '200':
           $ref: '#/components/responses/oauth2ProvidersResponse'
@@ -126,6 +140,8 @@ paths:
     get:
       description: |-
         Returns a list of organizations that are owned/managed by the user.
+      security:
+      - oauth2Authentication: []
       responses:
         '200':
           $ref: '#/components/responses/organizationsResponse'
@@ -136,6 +152,8 @@ paths:
     post:
       description: |-
         Allows creation of an organization.
+      security:
+      - oauth2Authentication: []
       requestBody:
         $ref: '#/components/requestBodies/createOrganizationRequest'
       responses:
@@ -161,6 +179,8 @@ paths:
     put:
       description: |-
         Allows an organization to be updated.
+      security:
+      - oauth2Authentication: []
       requestBody:
         $ref: '#/components/requestBodies/updateOrganizationRequest'
       responses:
@@ -190,6 +210,8 @@ paths:
     get:
       description: |-
         Returns a list of groups that are defined for the organization.
+      security:
+      - oauth2Authentication: []
       responses:
         '200':
           description: A list of groups.
@@ -198,6 +220,8 @@ paths:
     post:
       description: |-
         Allows creation of a new group.
+      security:
+      - oauth2Authentication: []
       requestBody:
         $ref: '#/components/requestBodies/createGroupRequest'
       responses:
@@ -221,6 +245,8 @@ paths:
     put:
       description: |-
         Allows a group to be updated.
+      security:
+      - oauth2Authentication: []
       requestBody:
         $ref: '#/components/requestBodies/updateGroupRequest'
       responses:
@@ -235,6 +261,8 @@ paths:
     delete:
       description: |-
           Allows the deletion of an existing group.
+      security:
+      - oauth2Authentication: []
       responses:
         '204':
           description: Group successfully deleted.
@@ -299,6 +327,7 @@ components:
       - issuer
       - authorization_endpoint
       - token_endpoint
+      - userinfo_endpoint
       - jwks_uri
       - scopes_supported
       - claims_supported
@@ -319,6 +348,10 @@ components:
           description: The oauth2 endpoint that is used to exchange an authentication code for tokens.
           type: string
           format: uri
+        userinfo_endpoint:
+          description: The oidc endpoint used to get information about an access token's user.
+          type: string
+          format: uri
         jwks_uri:
           description: The oauth2 endpoint that exposes public signing keys for token validation.
           type: string
@@ -717,6 +750,11 @@ components:
             token_type: Bearer
             id_token: eyJhbGciOiJFUzUxMiJ9.eyJhdF9oYXNoIjoidGJHNlFHek5WZE5fcjZ6Y0EzRlFyQzllNmVPbUpPN3lrSjFsTFBxNUJ0RSIsImF1ZCI6WyI5YTcxOWUxZS1hYTg1LTRhMjEtYTIyMS0zMjRlNzg3ZWZkNzgiXSwiZW1haWwiOiJqb2huLmRvZUBlbWFpbC5jb20iLCJleHAiOjE2OTE1NzM4NzEsImlhdCI6MTY5MTQ4NzQ3MSwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmVzY2hlcmNsb3VkLmNvbSIsInBpY3R1cmUiOiJodHRwczovL3d3dy5ncmF2YXRhci5jb20vYXZhdGFyLzhmNmU5NjI3NGMyYWJmNjE3YTM5ODdlNzRlOWU3NTdlIiwic3ViIjoiam9obi5kb2VAZW1haWwuY29tIn0.AYxSoAwkuKfBpp5o1spmAyqzhkSR76hbjF1OCKe4iLS6BCP9ySZYeV-kBCd0t3cd6VxbO5FVQJPRt8k0q88rc21JATyV8kScNnr-1jFmAJuXO6ga021KTRQnG68D8zZN9LwmMSRh3HPFtOq4LCcmQES2adeJysoG998mmtuTwp4fArwa
             expires_in: 3600
+    userinfoResponse:
+      description: |-
+        Information about the user from the access token.
+      content:
+        application/json: {}
     jwksResponse:
       description: |-
         A JSON web key set. This is a set of named public keys that are referenced by JSON
@@ -758,3 +796,12 @@ components:
           - name: acme-corp
             domain: acme.corp
             providerName: google-identity
+  securitySchemes:
+    oauth2Authentication:
+      description: Operation requires OAuth2 bearer token authentication.
+      type: oauth2
+      flows:
+        authorizationCode:
+          authorizationUrl: https://identity.unikorn-cloud.org/oauth2/v2/authorization
+          tokenUrl: https://identity.unikorn-cloud.org/oauth2/v2/token
+          scopes: {}

pkg/authorization/authenticator.go

@@ -18,6 +18,9 @@ limitations under the License.
 package authorization
 
 import (
+	"net/http"
+
+	"github.com/unikorn-cloud/core/pkg/authorization/accesstoken"
 	"github.com/unikorn-cloud/core/pkg/server/errors"
 	"github.com/unikorn-cloud/identity/pkg/jose"
 	"github.com/unikorn-cloud/identity/pkg/oauth2"
@@ -41,6 +44,17 @@ func NewAuthenticator(issuer *jose.JWTIssuer, oauth2 *oauth2.Authenticator) *Aut
 	}
 }
 
+func (a *Authenticator) Userinfo(r *http.Request) (interface{}, error) {
+	token := accesstoken.FromContext(r.Context())
+
+	claims, err := a.OAuth2.Verify(r, token)
+	if err != nil {
+		return nil, err
+	}
+
+	return claims, nil
+}
+
 func (a *Authenticator) JWKS() (interface{}, error) {
 	result, err := a.issuer.JWKS()
 	if err != nil {