mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 17:22:07 +00:00
shankar0123
fefeccfa59
Phase-10 live-IdP smoke (Keycloak 26.x via testcontainers-go) revealed
the IdP-bind alg-downgrade check was too strict for real-world IdPs.
6 of the integration tests in internal/auth/oidc/integration_keycloak*_test.go
were failing with:
oidc: IdP advertises weak signing algorithms (HS*/none);
refusing to use as defense against downgrade attacks: HS256
Keycloak 26.x (and several other real-world IdPs — Auth0 when HS-mode is
enabled, some Authentik configs) advertise EVERY alg they're capable of
in the discovery doc's id_token_signing_alg_values_supported field, even
when the realm only signs with RS256 in practice. Pre-fix the IdP-bind
check refused on ANY HS* or 'none' advertisement → no real Keycloak deploy
could ever bind a provider row, hence the integration-test failures.
The strict-deny check was defense-in-depth on top of the load-bearing
per-token alg-pin at sig-verify time (isDisallowedAlg, service.go L1177):
that check rejects every ID token whose JWS header carries an alg outside
DefaultAllowedAlgs, regardless of what the discovery doc advertises.
A forged HS256 token signed with the IdP's RS256 pubkey as HMAC secret
is rejected at sig-verify time → the actual algorithm-confusion attack
is closed by the per-token pin, NOT by the discovery-doc check.
Fix: relax the IdP-bind check to refuse only when the intersection of
advertised vs DefaultAllowedAlgs is EMPTY (the pathological all-weak-alg
IdP case). Keycloak (RS256 + HS256 advertised) now binds successfully;
an HS-only IdP still fails closed.
Changes:
- internal/auth/oidc/service.go: rewrite the alg-check loop at L1067 in
getOrLoad / RefreshKeys to compute the intersection set; refuse only
when no acceptable alg is advertised. ErrIdPDowngradeAdvertised
docstring updated to reflect new contract. DefaultAllowedAlgs
docstring + the package-level design-comment block at L40-72 updated
with v2.1.0-relaxed semantics callouts.
- internal/auth/oidc/test_discovery.go: TestDiscovery dry-run validator
rewritten to surface HS*/none alongside RS* as an informational note
('note: IdP advertises weak algorithms %v alongside acceptable ones')
rather than a hard-fail error. HS-only / none-only still hard-fails.
- internal/auth/oidc/service_test.go: TestService_IdPDowngradeDefense_*
tests updated. Renamed:
- RejectsHSAdvertised → RS256PlusHS256_BindsSuccessfully (positive)
- RejectsNoneAdvertised → RejectsHSOnlyAdvertised (intersection-empty)
- RefreshKeys_CatchesPostLoadDowngrade rotated to HS-only post-load
- internal/auth/oidc/coverage_fill_test.go: TestTestDiscovery_AlgDowngradeDetected
split into _HS256AlongsideRS256_BindsWithNote (positive, asserts note
but no hard-fail) + _HSOnly_StillTrips_HardFail (intersection-empty).
- docs/operator/auth-threat-model.md: OIDC token-validation alg-allow-list
section rewritten to call out the load-bearing-defense hierarchy
(per-token pin first, IdP-bind check defense-in-depth) and document
the v2.1.0 relaxation rationale.
- CHANGELOG.md: ### Security entry under Unreleased.
Verify: go test ./internal/auth/oidc/ -short PASS; gofmt clean; go vet
clean. The Keycloak integration tests should now pass when the operator
re-runs 'make keycloak-integration-test'.
292 lines
10 KiB
Go
292 lines
10 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
// Coverage fill — v2.1.0 release gate Phase 3.
|
|
//
|
|
// Targets two service-level functions added by post-merge fixes that
|
|
// shipped without unit tests:
|
|
//
|
|
// - Service.JWKSStatus — added in audit 2026-05-10 MED-7 closure
|
|
// (per-provider JWKS counters + cache state).
|
|
// - Service.TestDiscovery — added in audit 2026-05-10 MED-5 closure
|
|
// (dry-run /api/v1/auth/oidc/test endpoint).
|
|
|
|
// TestJWKSStatus_ReturnsLoadError_WhenProviderUnknown asserts that
|
|
// JWKSStatus forwards the getOrLoad error verbatim when the requested
|
|
// providerID is not in the repo. This is the entry-point fail-closed
|
|
// branch.
|
|
func TestJWKSStatus_ReturnsLoadError_WhenProviderUnknown(t *testing.T) {
|
|
svc := newServiceForUnitTest(t)
|
|
snap, err := svc.JWKSStatus(context.Background(), "rp-does-not-exist")
|
|
if err == nil {
|
|
t.Fatalf("expected error for unknown provider, got nil")
|
|
}
|
|
if snap != nil {
|
|
t.Errorf("expected nil snapshot on error, got %+v", snap)
|
|
}
|
|
}
|
|
|
|
// TestJWKSStatus_ReturnsSnapshot_AfterAuthRequestPopulatesEntry pre-
|
|
// warms the provider cache via HandleAuthRequest (which calls
|
|
// getOrLoad → populates s.cache) and then asserts JWKSStatus returns
|
|
// a non-nil snapshot reflecting the entry's stats.
|
|
func TestJWKSStatus_ReturnsSnapshot_AfterAuthRequestPopulatesEntry(t *testing.T) {
|
|
idp := newMockIdP(t)
|
|
svc, _ := newServiceWithProviderAndPL(t, idp.URL(), "rp-jwks-status")
|
|
// Pre-warm the cache.
|
|
if _, _, _, err := svc.HandleAuthRequest(context.Background(), "rp-jwks-status", "10.0.0.1", "test/1.0"); err != nil {
|
|
t.Fatalf("HandleAuthRequest: %v", err)
|
|
}
|
|
snap, err := svc.JWKSStatus(context.Background(), "rp-jwks-status")
|
|
if err != nil {
|
|
t.Fatalf("JWKSStatus: %v", err)
|
|
}
|
|
if snap == nil {
|
|
t.Fatalf("expected non-nil snapshot")
|
|
}
|
|
// CurrentKIDs is intentionally empty (go-oidc doesn't expose its
|
|
// JWKS cache). Test the shape rather than the kids.
|
|
if snap.CurrentKIDs == nil {
|
|
t.Errorf("CurrentKIDs must be non-nil (empty slice OK)")
|
|
}
|
|
}
|
|
|
|
// TestTestDiscovery_DiscoveryFailure_ReturnsErrorsSlice points
|
|
// TestDiscovery at a URL that doesn't serve a discovery doc; the
|
|
// function MUST return res with DiscoverySucceeded=false and a
|
|
// non-empty Errors slice, and a nil err (per the documented "non-
|
|
// fatal at this layer; per-leg failure carried in res.Errors"
|
|
// contract).
|
|
func TestTestDiscovery_DiscoveryFailure_ReturnsErrorsSlice(t *testing.T) {
|
|
svc := newServiceForUnitTest(t)
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
http.NotFound(w, r)
|
|
}))
|
|
defer srv.Close()
|
|
|
|
res, err := svc.TestDiscovery(context.Background(), srv.URL)
|
|
if err != nil {
|
|
t.Fatalf("TestDiscovery (non-fatal): %v", err)
|
|
}
|
|
if res == nil {
|
|
t.Fatalf("expected non-nil result")
|
|
}
|
|
if res.DiscoverySucceeded {
|
|
t.Errorf("expected DiscoverySucceeded=false when discovery doc is missing")
|
|
}
|
|
if len(res.Errors) == 0 {
|
|
t.Errorf("expected non-empty Errors slice")
|
|
}
|
|
if !strings.Contains(strings.Join(res.Errors, "|"), "discovery fetch failed") {
|
|
t.Errorf("expected 'discovery fetch failed' in errors; got %v", res.Errors)
|
|
}
|
|
}
|
|
|
|
// TestTestDiscovery_HappyPath_AgainstMockIdP exercises the
|
|
// success path: discovery doc fetch, claims parse, alg-downgrade
|
|
// check (RS256 → not denied), JWKS reachability.
|
|
func TestTestDiscovery_HappyPath_AgainstMockIdP(t *testing.T) {
|
|
idp := newMockIdP(t)
|
|
svc := newServiceForUnitTest(t)
|
|
|
|
res, err := svc.TestDiscovery(context.Background(), idp.URL())
|
|
if err != nil {
|
|
t.Fatalf("TestDiscovery: %v", err)
|
|
}
|
|
if !res.DiscoverySucceeded {
|
|
t.Errorf("expected DiscoverySucceeded=true")
|
|
}
|
|
if res.IssuerEcho != idp.URL() {
|
|
t.Errorf("expected IssuerEcho=%q, got %q", idp.URL(), res.IssuerEcho)
|
|
}
|
|
if res.AuthorizationURL == "" || res.TokenURL == "" {
|
|
t.Errorf("expected non-empty AuthorizationURL+TokenURL; got %q / %q", res.AuthorizationURL, res.TokenURL)
|
|
}
|
|
if !res.JWKSReachable {
|
|
t.Errorf("expected JWKSReachable=true; got Errors=%v", res.Errors)
|
|
}
|
|
if len(res.SupportedAlgValues) == 0 {
|
|
t.Errorf("expected non-empty SupportedAlgValues")
|
|
}
|
|
// Mock IdP advertises RS256; no downgrade-defense trip.
|
|
for _, e := range res.Errors {
|
|
if strings.Contains(e, "alg-downgrade defense tripped") {
|
|
t.Errorf("unexpected alg-downgrade trip: %s", e)
|
|
}
|
|
}
|
|
}
|
|
|
|
// TestTestDiscovery_AlgDowngrade_HS256AlongsideRS256_BindsWithNote runs
|
|
// against a stub IdP that advertises both HS256 + RS256 (Keycloak-shape).
|
|
// Under v2.1.0-relaxed semantics this must SUCCEED (DiscoverySucceeded=true,
|
|
// JWKSReachable=true) and surface only an informational note about the
|
|
// weak-alg advertisement — NOT a hard "alg-downgrade defense tripped" error.
|
|
// The per-token alg pin at sig-verify time remains the load-bearing defense.
|
|
func TestTestDiscovery_AlgDowngrade_HS256AlongsideRS256_BindsWithNote(t *testing.T) {
|
|
svc := newServiceForUnitTest(t)
|
|
mux := http.NewServeMux()
|
|
srv := httptest.NewServer(mux)
|
|
defer srv.Close()
|
|
|
|
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"issuer": srv.URL,
|
|
"authorization_endpoint": srv.URL + "/authorize",
|
|
"token_endpoint": srv.URL + "/token",
|
|
"jwks_uri": srv.URL + "/jwks",
|
|
"id_token_signing_alg_values_supported": []string{"HS256", "RS256"},
|
|
})
|
|
})
|
|
mux.HandleFunc("/jwks", func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_, _ = w.Write([]byte(`{"keys":[]}`))
|
|
})
|
|
|
|
res, err := svc.TestDiscovery(context.Background(), srv.URL)
|
|
if err != nil {
|
|
t.Fatalf("TestDiscovery: %v", err)
|
|
}
|
|
if !res.DiscoverySucceeded {
|
|
t.Errorf("expected DiscoverySucceeded=true; got Errors=%v", res.Errors)
|
|
}
|
|
// The Keycloak-shape advertisement must NOT trip the hard fail.
|
|
for _, e := range res.Errors {
|
|
if strings.Contains(e, "alg-downgrade defense tripped") {
|
|
t.Errorf("v2.1.0-relaxed semantics: HS256+RS256 must NOT trip hard fail; got %q", e)
|
|
}
|
|
}
|
|
// Informational note must be present.
|
|
noteFound := false
|
|
for _, e := range res.Errors {
|
|
if strings.Contains(e, "note:") && strings.Contains(e, "HS256") {
|
|
noteFound = true
|
|
}
|
|
}
|
|
if !noteFound {
|
|
t.Errorf("expected informational note about HS256 in errors; got %v", res.Errors)
|
|
}
|
|
}
|
|
|
|
// TestTestDiscovery_AlgDowngrade_HSOnly_StillTrips_HardFail asserts the
|
|
// pathological intersection-empty case still hard-fails.
|
|
func TestTestDiscovery_AlgDowngrade_HSOnly_StillTrips_HardFail(t *testing.T) {
|
|
svc := newServiceForUnitTest(t)
|
|
mux := http.NewServeMux()
|
|
srv := httptest.NewServer(mux)
|
|
defer srv.Close()
|
|
|
|
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"issuer": srv.URL,
|
|
"authorization_endpoint": srv.URL + "/authorize",
|
|
"token_endpoint": srv.URL + "/token",
|
|
"jwks_uri": srv.URL + "/jwks",
|
|
"id_token_signing_alg_values_supported": []string{"HS256", "HS384"}, // no RS
|
|
})
|
|
})
|
|
mux.HandleFunc("/jwks", func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_, _ = w.Write([]byte(`{"keys":[]}`))
|
|
})
|
|
|
|
res, err := svc.TestDiscovery(context.Background(), srv.URL)
|
|
if err != nil {
|
|
t.Fatalf("TestDiscovery: %v", err)
|
|
}
|
|
found := false
|
|
for _, e := range res.Errors {
|
|
if strings.Contains(e, "alg-downgrade defense tripped") && strings.Contains(e, "only weak algorithms") {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if !found {
|
|
t.Errorf("expected hard-fail for HS-only IdP; got %v", res.Errors)
|
|
}
|
|
}
|
|
|
|
// TestTestDiscovery_MissingJWKSURI surfaces the "discovery doc omits
|
|
// jwks_uri" branch.
|
|
func TestTestDiscovery_MissingJWKSURI(t *testing.T) {
|
|
svc := newServiceForUnitTest(t)
|
|
mux := http.NewServeMux()
|
|
srv := httptest.NewServer(mux)
|
|
defer srv.Close()
|
|
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"issuer": srv.URL,
|
|
"authorization_endpoint": srv.URL + "/authorize",
|
|
"token_endpoint": srv.URL + "/token",
|
|
"id_token_signing_alg_values_supported": []string{"RS256"},
|
|
// jwks_uri intentionally omitted
|
|
})
|
|
})
|
|
|
|
res, err := svc.TestDiscovery(context.Background(), srv.URL)
|
|
if err != nil {
|
|
t.Fatalf("TestDiscovery: %v", err)
|
|
}
|
|
if res.JWKSReachable {
|
|
t.Errorf("expected JWKSReachable=false when jwks_uri is missing")
|
|
}
|
|
found := false
|
|
for _, e := range res.Errors {
|
|
if strings.Contains(e, "omits jwks_uri") {
|
|
found = true
|
|
}
|
|
}
|
|
if !found {
|
|
t.Errorf("expected 'omits jwks_uri' in errors; got %v", res.Errors)
|
|
}
|
|
}
|
|
|
|
// TestTestDiscovery_JWKSFetchFails covers the jwksReachable error
|
|
// branch (non-2xx JWKS response).
|
|
func TestTestDiscovery_JWKSFetchFails(t *testing.T) {
|
|
svc := newServiceForUnitTest(t)
|
|
mux := http.NewServeMux()
|
|
srv := httptest.NewServer(mux)
|
|
defer srv.Close()
|
|
mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_ = json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"issuer": srv.URL,
|
|
"authorization_endpoint": srv.URL + "/authorize",
|
|
"token_endpoint": srv.URL + "/token",
|
|
"jwks_uri": srv.URL + "/jwks",
|
|
"id_token_signing_alg_values_supported": []string{"RS256"},
|
|
})
|
|
})
|
|
mux.HandleFunc("/jwks", func(w http.ResponseWriter, r *http.Request) {
|
|
http.Error(w, "internal", http.StatusInternalServerError)
|
|
})
|
|
|
|
res, err := svc.TestDiscovery(context.Background(), srv.URL)
|
|
if err != nil {
|
|
t.Fatalf("TestDiscovery: %v", err)
|
|
}
|
|
if res.JWKSReachable {
|
|
t.Errorf("expected JWKSReachable=false on 500")
|
|
}
|
|
found := false
|
|
for _, e := range res.Errors {
|
|
if strings.Contains(e, "JWKS endpoint returned non-200") {
|
|
found = true
|
|
}
|
|
}
|
|
if !found {
|
|
t.Errorf("expected 'JWKS endpoint returned non-200' in errors; got %v", res.Errors)
|
|
}
|
|
}
|