gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 13:41:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2d9110b0c4fa6c25b9ddabc03e6fc9be4dcbb029
certctl/internal/auth/oidc/doc.go
T
shankar0123 2d9110b0c4 auth-bundle-2 Phase 0: dependency-add + oidc auth-type literal + runtime guard 
Bundle 2 Phase 0 stages the dependencies + auth-type discriminator
literal that later phases consume. No handler chain wired yet; an
operator who sets CERTCTL_AUTH_TYPE=oidc on this commit gets a clear
refuse-to-start error rather than a silent fallback to api-key (the
G-1 failure mode that drove "jwt" out of the allowed set).

Deliverables:

* go.mod: github.com/coreos/go-oidc/v3 v3.18.0 added as a direct
  require. Per the pre-bundle dependency audit (Apache-2.0, zero CVEs
  ever per OSV.dev, 2,400+ stars, used by Hashicorp Vault + Dex +
  Hydra + Authentik + every Kubernetes OIDC integration), this is the
  ecosystem-standard Go OIDC client. Pinned to a specific minor
  (v3.18.0) per the prompt's "no bare latest" rule.
* go.mod: golang.org/x/oauth2 promoted from // indirect to direct,
  bumped from v0.34.0 to v0.36.0 by go mod tidy. Both versions are
  OSV-clean. Maintained by the Go team.
* No JSON-path library added (forbidden by the dependency audit; the
  group-claim resolver is hand-rolled in Phase 3).
* internal/config/config.go: AuthTypeOIDC constant added with a
  load-bearing comment explaining (a) this is the AUTH-TYPE literal,
  not a JWT alg literal, so the G-1 closure invariant is preserved
  ("jwt" stays out of ValidAuthTypes forever); (b) the runtime guard
  in cmd/server/main.go intentionally refuses-to-start when oidc is
  set pre-Phase-6 to avoid the silent-downgrade failure mode.
  ValidAuthTypes() now returns {api-key, none, oidc}.
* internal/config/config_test.go: TestValidAuthTypesIsExactly_APIKey_None
  renamed to TestValidAuthTypesIsExactly_APIKey_None_OIDC and now pins
  the 3-entry set. TestValidAuthTypesDoesNotContainJWT (G-1 closure
  test) still passes because "jwt" is never added back.
  TestValidate_GenericInvalidAuthType's bad-types list updated:
  "oidc" removed (now valid), "saml" added (correctly rejected per
  Decision 5's SAML deferral).
* cmd/server/main.go: defense-in-depth runtime auth-type guard now
  has an explicit AuthTypeOIDC case that exit(1)s with an actionable
  message: "the OIDC auth chain is not yet wired in this build (Auth
  Bundle 2 Phase 6 ships the session middleware that consumes this
  auth-type literal)." This closes the lying-field gap the literal
  would otherwise create. Phase 6 of Bundle 2 relaxes this case to
  fall through alongside api-key + none.
* api/openapi.yaml: /v1/auth/info auth_type enum extended from
  [api-key, none] to [api-key, none, oidc] with an in-line comment
  explaining the Phase-0-vs-Phase-6 timing so an OpenAPI consumer
  isn't surprised by "oidc" appearing here pre-Bundle-2-merge.
* deploy/helm/certctl/templates/_helpers.tpl::certctl.validateAuthType:
  valid set extended to include "oidc". Chart-time validation now
  passes for type=oidc; the binary's runtime guard takes over to
  refuse the start. Once Bundle 2 ships, the runtime guard relaxes
  and OIDC works end-to-end with no further chart edits.
* .env.example: CERTCTL_AUTH_TYPE comment block updated to document
  the three valid values + the Phase-0-vs-Phase-6 timing.
* internal/auth/oidc/doc.go: new package directory with package doc
  + transitional blank imports for coreos/go-oidc/v3 + x/oauth2 so
  go mod tidy keeps both deps as direct requires until Phase 3's
  service.go replaces the blanks with real symbol use. Doc explains
  the package layout (oidc/ + oidc/domain/ + oidc/groupclaim/ +
  oidc/testfixtures/) so the post-Bundle-2 reader can navigate.

Verifications:
* gofmt clean on every changed file.
* go vet clean on internal/config + cmd/server + internal/auth/oidc.
* go test -short -count=1 green on internal/config (including the
  G-1 closure + new validation tests), cmd/server, internal/auth (all
  Bundle 1 packages), internal/service/auth.
* govulncheck ./... clean (M-024 hard CI gate).
* All 24 ci-guards pass locally.

Phase 0 exit criteria from cowork/auth-bundle-2-prompt.md:
* go.mod shows coreos/go-oidc/v3 as direct: yes.
* golang.org/x/oauth2 is direct (not indirect): yes.
* govulncheck ./... clean: yes.
* No JSON-path library in go.mod / go.sum deltas: confirmed (only
  v3 of go-oidc + the x/oauth2 bump landed).
* make verify green: gofmt + vet + go test pass; full make verify
  (which would invoke golangci-lint) deferred to CI since the
  sandbox doesn't have golangci-lint installed; the operator runs
  make verify locally before pushing per CLAUDE.md operating rule.
2026-05-10 03:31:51 +00:00

48 lines
2.4 KiB
Go
Raw Blame History

// Package oidc is the Bundle 2 OpenID Connect integration: server-side
// validation of ID tokens issued by an enterprise IdP (Okta / Azure AD /
// Google Workspace / Keycloak / Authentik / Auth0), JWKS rotation,
// configurable group-claim parsing, and the HTTP handlers under
// /auth/oidc/* that wire to the session middleware.
//
// Package layout (post-Bundle-2):
//
// - internal/auth/oidc/ - this package (Phase 3 ships service.go).
// - internal/auth/oidc/domain/ - Phase 1 ships OIDCProvider + GroupRoleMapping.
// - internal/auth/oidc/groupclaim/ - Phase 3 ships the hand-rolled group-claim resolver
// (no JSON-path library; ~40 LOC walking dot-paths through map[string]interface{}).
// - internal/auth/oidc/testfixtures/ - Phase 10 ships the `//go:build integration`
// Keycloak harness backing the multi-IdP test surface.
//
// Phase 0 (this commit) reserves the package directory and pins
// coreos/go-oidc/v3 + golang.org/x/oauth2 as direct go.mod requires
// via the blank imports below. Without these blanks, `go mod tidy`
// would demote both back to // indirect because no Go file under this
// tree imports them yet (the actual imports land in Phase 3's
// service.go). The blank imports are deliberate Phase-0 transitional
// scaffolding; Phase 3 replaces them with real symbol use and these
// blanks are removed.
//
// Audit context (do not lose):
// - Apache-2.0 license, OSV.dev shows zero advisories ever on
// coreos/go-oidc/v3 at audit time. Used by Hashicorp Vault, Dex,
// Hydra, Authentik, every Kubernetes OIDC integration. The
// ecosystem-standard Go OIDC client.
// - golang.org/x/oauth2 maintained by the Go team itself; v0.36.0 (the
// pinned version) is OSV-clean. Two historical CVEs both fixed in
// earlier versions.
// - No JSON-path library is added. Phase 3's group-claim resolver is
// hand-rolled; the dependency audit explicitly forbids
// PaesslerAG/jsonpath, ohler55/ojg, tidwall/gjson, or any sibling
// transitive bloat for what is a 40-line problem.
package oidc
import (
// Phase 0: lift coreos/go-oidc/v3 + golang.org/x/oauth2 to direct
// go.mod requires so a future `go mod tidy` keeps them out of the
// // indirect block. Phase 3 replaces these blank imports with real
// symbol use (oidc.Provider, oauth2.Config, etc.) at which point
// these lines are removed.
_ "github.com/coreos/go-oidc/v3/oidc"
_ "golang.org/x/oauth2"
)
Reference in New Issue View Git Blame Copy Permalink