feat: implement T11, T12 — Authelia adapter, privacyIDEA adapter
- T11: AutheliaAdapter delegating login UI and session; Authelia tokens never leak to profile layer - T12: PrivacyIDEAAdapter delegating MFA 100% — no MFA logic in KeyCape 21 adapter tests pass, vet clean. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
b0adbc5daa
commit
d05c73dc19
8 changed files with 1113 additions and 0 deletions
215
src/internal/adapters/authelia/adapter.go
Normal file
215
src/internal/adapters/authelia/adapter.go
Normal file
|
|
@ -0,0 +1,215 @@
|
|||
package authelia
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"keycape/internal/domain"
|
||||
"keycape/internal/server/telemetry"
|
||||
)
|
||||
|
||||
// AutheliaAdapter implements domain.AuthProvider by delegating to Authelia's
|
||||
// OIDC endpoints. All Authelia tokens and cookies are confined to this package.
|
||||
type AutheliaAdapter struct {
|
||||
cfg Config
|
||||
client HTTPClient
|
||||
}
|
||||
|
||||
// New returns a production-ready AutheliaAdapter.
|
||||
// If httpClient is nil the default net/http.Client is used.
|
||||
func New(cfg Config, httpClient HTTPClient) *AutheliaAdapter {
|
||||
if httpClient == nil {
|
||||
httpClient = defaultHTTPClient
|
||||
}
|
||||
return &AutheliaAdapter{cfg: cfg, client: httpClient}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// domain.AuthProvider implementation
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// AuthorizeURL builds the Authelia OIDC authorization URL to which the user
|
||||
// should be redirected.
|
||||
func (a *AutheliaAdapter) AuthorizeURL(_ context.Context, req domain.AuthRequest) (string, error) {
|
||||
base := strings.TrimRight(a.cfg.BaseURL, "/") + "/api/oidc/authorization"
|
||||
|
||||
q := url.Values{}
|
||||
q.Set("client_id", req.ClientID)
|
||||
q.Set("redirect_uri", req.RedirectURI)
|
||||
q.Set("response_type", "code")
|
||||
q.Set("state", req.State)
|
||||
if req.Nonce != "" {
|
||||
q.Set("nonce", req.Nonce)
|
||||
}
|
||||
if len(req.Scopes) > 0 {
|
||||
q.Set("scope", strings.Join(req.Scopes, " "))
|
||||
} else {
|
||||
q.Set("scope", "openid profile")
|
||||
}
|
||||
if req.PKCEChallenge != "" {
|
||||
q.Set("code_challenge", req.PKCEChallenge)
|
||||
q.Set("code_challenge_method", req.PKCEChallengeMethod)
|
||||
}
|
||||
|
||||
return base + "?" + q.Encode(), nil
|
||||
}
|
||||
|
||||
// HandleCallback exchanges the authorization code for tokens and extracts the
|
||||
// authenticated user identity. Authelia tokens are never returned — only the
|
||||
// normalized AuthResult is.
|
||||
func (a *AutheliaAdapter) HandleCallback(ctx context.Context, params domain.CallbackParams) (*domain.AuthResult, error) {
|
||||
emitter := telemetry.EmitterFromContext(ctx)
|
||||
|
||||
// Surface callback-level errors from Authelia immediately.
|
||||
if params.Error != "" {
|
||||
emitter.Emit(ctx, telemetry.Event{
|
||||
Timestamp: time.Now().UTC(),
|
||||
EventType: telemetry.EventAuthFailure,
|
||||
Endpoint: "/api/oidc/token",
|
||||
Result: "failure",
|
||||
ErrorType: params.Error,
|
||||
})
|
||||
return nil, domain.ErrAuthFailed
|
||||
}
|
||||
|
||||
// Exchange the authorization code for tokens.
|
||||
tokenResp, err := a.exchangeCode(ctx, params.Code)
|
||||
if err != nil {
|
||||
emitter.Emit(ctx, telemetry.Event{
|
||||
Timestamp: time.Now().UTC(),
|
||||
EventType: telemetry.EventAuthFailure,
|
||||
Endpoint: "/api/oidc/token",
|
||||
Result: "failure",
|
||||
ErrorType: "token_exchange_error",
|
||||
})
|
||||
return nil, domain.ErrAuthFailed
|
||||
}
|
||||
|
||||
// Parse the ID token claims (no signature verification — internal service boundary).
|
||||
claims, err := parseIDTokenClaims(tokenResp.IDToken)
|
||||
if err != nil {
|
||||
emitter.Emit(ctx, telemetry.Event{
|
||||
Timestamp: time.Now().UTC(),
|
||||
EventType: telemetry.EventAuthFailure,
|
||||
Endpoint: "/api/oidc/token",
|
||||
Result: "failure",
|
||||
ErrorType: "id_token_parse_error",
|
||||
})
|
||||
return nil, domain.ErrAuthFailed
|
||||
}
|
||||
|
||||
// Extract username: prefer preferred_username, fall back to sub.
|
||||
username := stringClaim(claims, "preferred_username")
|
||||
if username == "" {
|
||||
username = stringClaim(claims, "sub")
|
||||
}
|
||||
if username == "" {
|
||||
emitter.Emit(ctx, telemetry.Event{
|
||||
Timestamp: time.Now().UTC(),
|
||||
EventType: telemetry.EventAuthFailure,
|
||||
Endpoint: "/api/oidc/token",
|
||||
Result: "failure",
|
||||
ErrorType: "missing_username_claim",
|
||||
})
|
||||
return nil, domain.ErrAuthFailed
|
||||
}
|
||||
|
||||
// Security boundary: only the ID token claims are forwarded.
|
||||
// The access_token and refresh_token remain within this adapter.
|
||||
return &domain.AuthResult{
|
||||
Username: username,
|
||||
Claims: claims,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Internal helpers
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// tokenResponse is the subset of the Authelia token endpoint response that
|
||||
// this adapter needs. Fields beyond IDToken are intentionally not forwarded.
|
||||
type tokenResponse struct {
|
||||
IDToken string `json:"id_token"`
|
||||
}
|
||||
|
||||
// exchangeCode sends a POST to Authelia's token endpoint and returns the
|
||||
// parsed token response. On any HTTP or status error it returns a non-nil error.
|
||||
func (a *AutheliaAdapter) exchangeCode(_ context.Context, code string) (*tokenResponse, error) {
|
||||
tokenURL := strings.TrimRight(a.cfg.BaseURL, "/") + "/api/oidc/token"
|
||||
|
||||
body := url.Values{}
|
||||
body.Set("grant_type", "authorization_code")
|
||||
body.Set("code", code)
|
||||
body.Set("redirect_uri", a.cfg.RedirectURI)
|
||||
body.Set("client_id", a.cfg.ClientID)
|
||||
body.Set("client_secret", a.cfg.ClientSecret)
|
||||
|
||||
req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(body.Encode()))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("authelia: build token request: %w", err)
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
|
||||
resp, err := a.client.Do(req)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("authelia: token exchange: %w", err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return nil, fmt.Errorf("authelia: token endpoint returned %d", resp.StatusCode)
|
||||
}
|
||||
|
||||
raw, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("authelia: read token response: %w", err)
|
||||
}
|
||||
|
||||
var tr tokenResponse
|
||||
if err := json.Unmarshal(raw, &tr); err != nil {
|
||||
return nil, fmt.Errorf("authelia: decode token response: %w", err)
|
||||
}
|
||||
return &tr, nil
|
||||
}
|
||||
|
||||
// parseIDTokenClaims extracts the JWT payload claims without verifying the
|
||||
// signature. This is intentional — the token is received directly from the
|
||||
// upstream OIDC provider over a server-to-server TLS connection.
|
||||
func parseIDTokenClaims(idToken string) (map[string]interface{}, error) {
|
||||
parts := strings.Split(idToken, ".")
|
||||
if len(parts) != 3 {
|
||||
return nil, fmt.Errorf("authelia: malformed id_token: expected 3 parts, got %d", len(parts))
|
||||
}
|
||||
|
||||
payload, err := base64.RawURLEncoding.DecodeString(parts[1])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("authelia: decode id_token payload: %w", err)
|
||||
}
|
||||
|
||||
var claims map[string]interface{}
|
||||
if err := json.Unmarshal(payload, &claims); err != nil {
|
||||
return nil, fmt.Errorf("authelia: unmarshal id_token claims: %w", err)
|
||||
}
|
||||
return claims, nil
|
||||
}
|
||||
|
||||
// stringClaim extracts a string value from a claims map, returning "" if
|
||||
// the key is absent or the value is not a string.
|
||||
func stringClaim(claims map[string]interface{}, key string) string {
|
||||
v, ok := claims[key]
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
s, ok := v.(string)
|
||||
if !ok {
|
||||
return ""
|
||||
}
|
||||
return s
|
||||
}
|
||||
302
src/internal/adapters/authelia/adapter_test.go
Normal file
302
src/internal/adapters/authelia/adapter_test.go
Normal file
|
|
@ -0,0 +1,302 @@
|
|||
package authelia_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"keycape/internal/adapters/authelia"
|
||||
"keycape/internal/domain"
|
||||
)
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Mock HTTP client
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// mockHTTPClient implements authelia.HTTPClient for test injection.
|
||||
type mockHTTPClient struct {
|
||||
doFn func(req *http.Request) (*http.Response, error)
|
||||
}
|
||||
|
||||
func (m *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
|
||||
if m.doFn != nil {
|
||||
return m.doFn(req)
|
||||
}
|
||||
return &http.Response{
|
||||
StatusCode: http.StatusOK,
|
||||
Body: io.NopCloser(strings.NewReader("{}")),
|
||||
}, nil
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Test helpers
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
// testConfig returns a minimal Config suitable for tests.
|
||||
func testConfig() authelia.Config {
|
||||
return authelia.Config{
|
||||
BaseURL: "https://authelia.local",
|
||||
ClientID: "keycape",
|
||||
ClientSecret: "test-secret",
|
||||
RedirectURI: "https://keycape.local/callback",
|
||||
}
|
||||
}
|
||||
|
||||
// buildTokenResponse builds a fake token endpoint JSON response.
|
||||
// The ID token is a minimal unsigned JWT (header.claims.signature) with the given claims.
|
||||
func buildTokenResponse(claims map[string]interface{}) string {
|
||||
header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
|
||||
claimsJSON, _ := json.Marshal(claims)
|
||||
claimsEnc := base64.RawURLEncoding.EncodeToString(claimsJSON)
|
||||
idToken := header + "." + claimsEnc + ".fakesig"
|
||||
|
||||
body := fmt.Sprintf(`{"access_token":"at","token_type":"Bearer","id_token":%q}`,
|
||||
idToken)
|
||||
return body
|
||||
}
|
||||
|
||||
// jsonResponse returns a *http.Response with a JSON body and status 200.
|
||||
func jsonResponse(body string) *http.Response {
|
||||
return &http.Response{
|
||||
StatusCode: http.StatusOK,
|
||||
Body: io.NopCloser(strings.NewReader(body)),
|
||||
Header: http.Header{"Content-Type": []string{"application/json"}},
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// AuthorizeURL
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestAuthorizeURL_ContainsRequiredParams(t *testing.T) {
|
||||
adapter := authelia.New(testConfig(), &mockHTTPClient{})
|
||||
req := domain.AuthRequest{
|
||||
ClientID: "myapp",
|
||||
RedirectURI: "https://myapp.local/cb",
|
||||
State: "state-abc",
|
||||
Nonce: "nonce-xyz",
|
||||
Scopes: []string{"openid", "profile"},
|
||||
PKCEChallenge: "challenge123",
|
||||
PKCEChallengeMethod: "S256",
|
||||
}
|
||||
|
||||
u, err := adapter.AuthorizeURL(context.Background(), req)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
checks := []string{
|
||||
"client_id=myapp",
|
||||
"redirect_uri=",
|
||||
"response_type=code",
|
||||
"state=state-abc",
|
||||
"nonce=nonce-xyz",
|
||||
"code_challenge=challenge123",
|
||||
"code_challenge_method=S256",
|
||||
"scope=",
|
||||
"openid",
|
||||
}
|
||||
for _, want := range checks {
|
||||
if !strings.Contains(u, want) {
|
||||
t.Errorf("AuthorizeURL missing %q in: %s", want, u)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestAuthorizeURL_UsesBaseURL(t *testing.T) {
|
||||
adapter := authelia.New(testConfig(), &mockHTTPClient{})
|
||||
req := domain.AuthRequest{
|
||||
ClientID: "app",
|
||||
RedirectURI: "https://app.local/cb",
|
||||
State: "s",
|
||||
PKCEChallenge: "c",
|
||||
PKCEChallengeMethod: "S256",
|
||||
Scopes: []string{"openid"},
|
||||
}
|
||||
|
||||
u, err := adapter.AuthorizeURL(context.Background(), req)
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if !strings.HasPrefix(u, "https://authelia.local") {
|
||||
t.Errorf("expected URL to start with BaseURL, got: %s", u)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// HandleCallback — successful token exchange
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestHandleCallback_Success_PreferredUsername(t *testing.T) {
|
||||
tokenBody := buildTokenResponse(map[string]interface{}{
|
||||
"sub": "user-uuid-123",
|
||||
"preferred_username": "alice",
|
||||
"email": "alice@example.com",
|
||||
})
|
||||
|
||||
client := &mockHTTPClient{
|
||||
doFn: func(req *http.Request) (*http.Response, error) {
|
||||
if req.Method != http.MethodPost {
|
||||
t.Errorf("expected POST, got %s", req.Method)
|
||||
}
|
||||
return jsonResponse(tokenBody), nil
|
||||
},
|
||||
}
|
||||
|
||||
adapter := authelia.New(testConfig(), client)
|
||||
result, err := adapter.HandleCallback(context.Background(), domain.CallbackParams{
|
||||
Code: "auth-code-xyz",
|
||||
State: "state-abc",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if result.Username != "alice" {
|
||||
t.Errorf("Username: want %q, got %q", "alice", result.Username)
|
||||
}
|
||||
if result.Claims == nil {
|
||||
t.Error("expected non-nil Claims map")
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleCallback_Success_FallsBackToSub(t *testing.T) {
|
||||
tokenBody := buildTokenResponse(map[string]interface{}{
|
||||
"sub": "user-uuid-456",
|
||||
})
|
||||
|
||||
client := &mockHTTPClient{
|
||||
doFn: func(_ *http.Request) (*http.Response, error) {
|
||||
return jsonResponse(tokenBody), nil
|
||||
},
|
||||
}
|
||||
|
||||
adapter := authelia.New(testConfig(), client)
|
||||
result, err := adapter.HandleCallback(context.Background(), domain.CallbackParams{
|
||||
Code: "code",
|
||||
State: "state",
|
||||
})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
if result.Username != "user-uuid-456" {
|
||||
t.Errorf("Username fallback to sub: want %q, got %q", "user-uuid-456", result.Username)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// HandleCallback — error propagation
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestHandleCallback_CallbackError_ReturnsErrAuthFailed(t *testing.T) {
|
||||
adapter := authelia.New(testConfig(), &mockHTTPClient{})
|
||||
_, err := adapter.HandleCallback(context.Background(), domain.CallbackParams{
|
||||
Error: "access_denied",
|
||||
})
|
||||
if err == nil {
|
||||
t.Fatal("expected error, got nil")
|
||||
}
|
||||
if err != domain.ErrAuthFailed {
|
||||
t.Errorf("expected domain.ErrAuthFailed, got %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleCallback_HTTPError_ReturnsErrAuthFailed(t *testing.T) {
|
||||
client := &mockHTTPClient{
|
||||
doFn: func(_ *http.Request) (*http.Response, error) {
|
||||
return &http.Response{
|
||||
StatusCode: http.StatusUnauthorized,
|
||||
Body: io.NopCloser(strings.NewReader(`{"error":"invalid_client"}`)),
|
||||
}, nil
|
||||
},
|
||||
}
|
||||
|
||||
adapter := authelia.New(testConfig(), client)
|
||||
_, err := adapter.HandleCallback(context.Background(), domain.CallbackParams{
|
||||
Code: "bad-code",
|
||||
})
|
||||
if err == nil {
|
||||
t.Fatal("expected error, got nil")
|
||||
}
|
||||
if err != domain.ErrAuthFailed {
|
||||
t.Errorf("expected domain.ErrAuthFailed, got %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleCallback_MissingUsernameClaim_ReturnsErrAuthFailed(t *testing.T) {
|
||||
// JWT with no sub or preferred_username.
|
||||
tokenBody := buildTokenResponse(map[string]interface{}{
|
||||
"email": "anon@example.com",
|
||||
})
|
||||
|
||||
client := &mockHTTPClient{
|
||||
doFn: func(_ *http.Request) (*http.Response, error) {
|
||||
return jsonResponse(tokenBody), nil
|
||||
},
|
||||
}
|
||||
|
||||
adapter := authelia.New(testConfig(), client)
|
||||
_, err := adapter.HandleCallback(context.Background(), domain.CallbackParams{
|
||||
Code: "code",
|
||||
})
|
||||
if err == nil {
|
||||
t.Fatal("expected error for missing username claim, got nil")
|
||||
}
|
||||
if err != domain.ErrAuthFailed {
|
||||
t.Errorf("expected domain.ErrAuthFailed, got %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestHandleCallback_TokenExchangeNetworkError_ReturnsErrAuthFailed(t *testing.T) {
|
||||
client := &mockHTTPClient{
|
||||
doFn: func(_ *http.Request) (*http.Response, error) {
|
||||
return nil, fmt.Errorf("connection refused")
|
||||
},
|
||||
}
|
||||
|
||||
adapter := authelia.New(testConfig(), client)
|
||||
_, err := adapter.HandleCallback(context.Background(), domain.CallbackParams{
|
||||
Code: "code",
|
||||
})
|
||||
if err == nil {
|
||||
t.Fatal("expected error, got nil")
|
||||
}
|
||||
if err != domain.ErrAuthFailed {
|
||||
t.Errorf("expected domain.ErrAuthFailed, got %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Security: AuthResult must not contain raw tokens
|
||||
// ---------------------------------------------------------------------------
|
||||
|
||||
func TestHandleCallback_AuthResultContainsNoRawTokens(t *testing.T) {
|
||||
tokenBody := buildTokenResponse(map[string]interface{}{
|
||||
"sub": "uid",
|
||||
"preferred_username": "bob",
|
||||
})
|
||||
// Include an access_token in the response to verify it is not forwarded.
|
||||
fullBody := strings.Replace(tokenBody, `"id_token"`, `"access_token":"raw-at","id_token"`, 1)
|
||||
|
||||
client := &mockHTTPClient{
|
||||
doFn: func(_ *http.Request) (*http.Response, error) {
|
||||
return jsonResponse(fullBody), nil
|
||||
},
|
||||
}
|
||||
|
||||
adapter := authelia.New(testConfig(), client)
|
||||
result, err := adapter.HandleCallback(context.Background(), domain.CallbackParams{Code: "code"})
|
||||
if err != nil {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
|
||||
// Claims must come from the ID token payload, not from the outer token response.
|
||||
// In particular, "access_token" must not appear as a claim key.
|
||||
if _, ok := result.Claims["access_token"]; ok {
|
||||
t.Error("AuthResult.Claims must not expose raw access_token — security boundary violation")
|
||||
}
|
||||
}
|
||||
30
src/internal/adapters/authelia/config.go
Normal file
30
src/internal/adapters/authelia/config.go
Normal file
|
|
@ -0,0 +1,30 @@
|
|||
// Package authelia implements the domain.AuthProvider interface using Authelia
|
||||
// as an upstream OIDC provider. Authelia tokens and session cookies are fully
|
||||
// contained within this package and are never exposed to the server/ layer.
|
||||
package authelia
|
||||
|
||||
import "net/http"
|
||||
|
||||
// Config holds all connection parameters for the Authelia adapter.
|
||||
type Config struct {
|
||||
// BaseURL is the Authelia server base URL, e.g. "https://authelia.local".
|
||||
BaseURL string
|
||||
|
||||
// ClientID is the client ID registered in Authelia for KeyCape.
|
||||
ClientID string
|
||||
|
||||
// ClientSecret is the client secret for the KeyCape client registration.
|
||||
ClientSecret string
|
||||
|
||||
// RedirectURI is the callback URL registered in Authelia that points back
|
||||
// to KeyCape's callback handler.
|
||||
RedirectURI string
|
||||
}
|
||||
|
||||
// HTTPClient is a minimal interface over net/http.Client for test injection.
|
||||
type HTTPClient interface {
|
||||
Do(req *http.Request) (*http.Response, error)
|
||||
}
|
||||
|
||||
// defaultHTTPClient is the production HTTP client used when none is injected.
|
||||
var defaultHTTPClient HTTPClient = &http.Client{}
|
||||
Loading…
Add table
Add a link
Reference in a new issue