/**
 * Reports whether an authentication method looks configured at all.
 *
 * <p>"Core fields" are the settings an authentication method cannot work without, such as a
 * client ID/secret or the path to a certificate store. If any of them carries a non-empty
 * value, the method is probably meant to be enabled.
 *
 * @param n the authentication settings to inspect
 * @return {@code true} if any core field of any authentication method has a non-empty value
 */
private boolean maybeShouldBeEnabled(Authn n) {
  OAuth2 oauth = n.getOauth2();
  Saml saml = n.getSaml();
  Ldap ldap = n.getLdap();
  IAP iap = n.getIap();
  // X509 has no comparable "core field", so it is not considered here.
  if (hasValue(oauth.getClient().getClientId())
      || hasValue(oauth.getClient().getClientSecret())) {
    return true;
  }
  if (hasValue(saml.getIssuerId()) || hasValue(saml.getKeyStore())) {
    return true;
  }
  if (hasValue(ldap.getUserDnPattern())
      || hasValue(ldap.getUserSearchBase())
      || hasValue(ldap.getUserSearchFilter())) {
    return true;
  }
  return hasValue(iap.getAudience());
}

/** Null-safe "has a non-empty value" check shared by the core-field tests above. */
private static boolean hasValue(String value) {
  return StringUtils.isNotEmpty(value);
}
}
// NOTE(review): this span starts and ends mid-method; the switch header and the case label
// that precede the first setAccessTokenUri call below are outside the visible text.
Client newClient = new Client()
    .setClientId(client.getClientId())
    .setClientSecret(client.getClientSecret())
    .setPreEstablishedRedirectUri(client.getPreEstablishedRedirectUri())
    .setUseCurrentUri(client.getUseCurrentUri());
Resource newResource = new Resource();
UserInfoMapping newUserInfoMapping = new UserInfoMapping();
// Google endpoints and the profile/email scopes.
newClient.setAccessTokenUri("https://www.googleapis.com/oauth2/v4/token");
newClient.setUserAuthorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
newClient.setScope("profile email");
break;
case GITHUB:
newClient.setAccessTokenUri("https://github.com/login/oauth/access_token");
newClient.setUserAuthorizationUri("https://github.com/login/oauth/authorize");
newClient.setScope("user:email");
// NOTE(review): there is no `break;` here, so GITHUB falls through into ORACLE and the three
// GitHub values just set are overwritten by the Oracle IDCS ones. This looks like a missing
// `break;` — confirm and fix.
case ORACLE:
// NOTE(review): `${idcsTenantId}` and `${azureTenantId}` look like property placeholders that
// are resolved later by the configuration layer rather than here — verify; an unresolved
// placeholder would leave a literal "${...}" inside the endpoint URL.
final String idcsBaseUrl = "https://idcs-${idcsTenantId}.identity.oraclecloud.com";
newClient.setAccessTokenUri(idcsBaseUrl + "/oauth2/v1/token");
newClient.setUserAuthorizationUri(idcsBaseUrl + "/oauth2/v1/authorize");
newClient.setScope("openid urn:opc:idm:__myscopes__");
break;
case AZURE:
newClient.setAccessTokenUri("https://login.microsoftonline.com/${azureTenantId}/oauth2/token");
// The authorization URI already carries a `resource=` query parameter; presumably the OAuth
// client appends its own parameters with `&` — verify against the library in use.
newClient.setUserAuthorizationUri("https://login.microsoftonline.com/${azureTenantId}/oauth2/authorize?resource=https://graph.windows.net");
newClient.setScope("profile");
// NOTE(review): this span starts and ends mid-method; the switch header and the case label
// that precede the first setAccessTokenUri call below are outside the visible text.
Client newClient = new Client()
    .setClientId(client.getClientId())
    .setClientSecret(client.getClientSecret())
    .setPreEstablishedRedirectUri(client.getPreEstablishedRedirectUri())
    .setUseCurrentUri(client.getUseCurrentUri());
Resource newResource = new Resource();
UserInfoMapping newUserInfoMapping = new UserInfoMapping();
// Google endpoints and the profile/email scopes.
newClient.setAccessTokenUri("https://www.googleapis.com/oauth2/v4/token");
newClient.setUserAuthorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
newClient.setScope("profile email");
break;
case GITHUB:
newClient.setAccessTokenUri("https://github.com/login/oauth/access_token");
newClient.setUserAuthorizationUri("https://github.com/login/oauth/authorize");
newClient.setScope("user:email");
// NOTE(review): there is no `break;` here, so GITHUB falls through into ORACLE and the three
// GitHub values just set are overwritten by the Oracle IDCS ones. This looks like a missing
// `break;` — confirm and fix.
case ORACLE:
// NOTE(review): `${idcsTenantId}` and `${azureTenantId}` look like property placeholders that
// are resolved later by the configuration layer rather than here — verify; an unresolved
// placeholder would leave a literal "${...}" inside the endpoint URL.
final String idcsBaseUrl = "https://idcs-${idcsTenantId}.identity.oraclecloud.com";
newClient.setAccessTokenUri(idcsBaseUrl + "/oauth2/v1/token");
newClient.setUserAuthorizationUri(idcsBaseUrl + "/oauth2/v1/authorize");
newClient.setScope("openid urn:opc:idm:__myscopes__");
break;
case AZURE:
newClient.setAccessTokenUri("https://login.microsoftonline.com/${azureTenantId}/oauth2/token");
// The authorization URI already carries a `resource=` query parameter; presumably the OAuth
// client appends its own parameters with `&` — verify against the library in use.
newClient.setUserAuthorizationUri("https://login.microsoftonline.com/${azureTenantId}/oauth2/authorize?resource=https://graph.windows.net");
newClient.setScope("profile");
// NOTE(review): this span starts and ends mid-method; the condition whose `else` branch appears
// below, and the declarations of clientId, clientSecret, ... preEstablishedRedirectUri, are
// not visible here.
OAuth2.UserInfoMapping userInfoMapping = authnMethod.getUserInfoMapping();
// Each setter applies the new value only when it was explicitly supplied; otherwise the value
// already on the client is kept (isSet presumably tests for a supplied option — verify).
client.setClientId(isSet(clientId) ? clientId : client.getClientId());
// NOTE(review): clientSecret appears to arrive as a command option; confirm the surrounding
// command neither echoes it back nor writes it to logs.
client.setClientSecret(isSet(clientSecret) ? clientSecret : client.getClientSecret());
client.setAccessTokenUri(isSet(accessTokenUri) ? accessTokenUri : client.getAccessTokenUri());
client.setUserAuthorizationUri(isSet(userAuthorizationUri) ? userAuthorizationUri : client.getUserAuthorizationUri());
client.setScope(isSet(scope) ? scope : client.getScope());
client.setClientAuthenticationScheme(isSet(clientAuthenticationScheme) ? clientAuthenticationScheme : client.getClientAuthenticationScheme());
// This branch clears both redirect-URI settings (null, not false); the else branch pins a
// pre-established redirect URI and disables use of the current URI. The redirect URI must match
// what is registered at the provider, so the value is security-relevant — presumably validated
// elsewhere; verify.
client.setPreEstablishedRedirectUri(null);
client.setUseCurrentUri(null);
} else {
client.setPreEstablishedRedirectUri(preEstablishedRedirectUri);
client.setUseCurrentUri(false);
// NOTE(review): this span starts and ends mid-method; the condition whose `else` branch appears
// below, and the declarations of clientId, clientSecret, ... preEstablishedRedirectUri, are
// not visible here.
OAuth2.UserInfoMapping userInfoMapping = authnMethod.getUserInfoMapping();
// Each setter applies the new value only when it was explicitly supplied; otherwise the value
// already on the client is kept (isSet presumably tests for a supplied option — verify).
client.setClientId(isSet(clientId) ? clientId : client.getClientId());
// NOTE(review): clientSecret appears to arrive as a command option; confirm the surrounding
// command neither echoes it back nor writes it to logs.
client.setClientSecret(isSet(clientSecret) ? clientSecret : client.getClientSecret());
client.setAccessTokenUri(isSet(accessTokenUri) ? accessTokenUri : client.getAccessTokenUri());
client.setUserAuthorizationUri(isSet(userAuthorizationUri) ? userAuthorizationUri : client.getUserAuthorizationUri());
client.setScope(isSet(scope) ? scope : client.getScope());
client.setClientAuthenticationScheme(isSet(clientAuthenticationScheme) ? clientAuthenticationScheme : client.getClientAuthenticationScheme());
// This branch clears both redirect-URI settings (null, not false); the else branch pins a
// pre-established redirect URI and disables use of the current URI. The redirect URI must match
// what is registered at the provider, so the value is security-relevant — presumably validated
// elsewhere; verify.
client.setPreEstablishedRedirectUri(null);
client.setUseCurrentUri(null);
} else {
client.setPreEstablishedRedirectUri(preEstablishedRedirectUri);
client.setUseCurrentUri(false);
/**
 * Reports whether an authentication method looks configured at all.
 *
 * <p>"Core fields" are the settings an authentication method cannot work without, such as a
 * client ID/secret or the path to a certificate store. If any of them carries a non-empty
 * value, the method is probably meant to be enabled.
 *
 * @param n the authentication settings to inspect
 * @return {@code true} if any core field of any authentication method has a non-empty value
 */
private boolean maybeShouldBeEnabled(Authn n) {
  OAuth2 oauth = n.getOauth2();
  Saml saml = n.getSaml();
  Ldap ldap = n.getLdap();
  IAP iap = n.getIap();
  // X509 has no comparable "core field", so it is not considered here.
  if (hasValue(oauth.getClient().getClientId())
      || hasValue(oauth.getClient().getClientSecret())) {
    return true;
  }
  if (hasValue(saml.getIssuerId()) || hasValue(saml.getKeyStore())) {
    return true;
  }
  if (hasValue(ldap.getUserDnPattern())
      || hasValue(ldap.getUserSearchBase())
      || hasValue(ldap.getUserSearchFilter())) {
    return true;
  }
  return hasValue(iap.getAudience());
}

/** Null-safe "has a non-empty value" check shared by the core-field tests above. */
private static boolean hasValue(String value) {
  return StringUtils.isNotEmpty(value);
}
}
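/**
 * Validates an OAuth2 authentication method.
 *
 * <p>Disabled methods are accepted as-is. An enabled method must carry a client ID and a client
 * secret. A Google provider without an {@code hd} entry in its user-info requirements only
 * produces a warning: the configuration works, but it admits any Google account rather than
 * just the organisation's domain.
 *
 * @param p collector for the problems found
 * @param n the OAuth2 settings to validate
 */
@Override
public void validate(ConfigProblemSetBuilder p, OAuth2 n) {
  if (!n.isEnabled()) {
    return;
  }
  // An empty string is treated like a missing value: the enable heuristic elsewhere in this
  // codebase uses StringUtils.isNotEmpty, so a blank id/secret must not pass validation here.
  if (isMissing(n.getClient().getClientId())) {
    p.addProblem(Problem.Severity.ERROR, "No OAuth2 client id was supplied");
  }
  if (isMissing(n.getClient().getClientSecret())) {
    p.addProblem(Problem.Severity.ERROR, "No OAuth2 client secret was supplied");
  }
  if (n.getProvider() == OAuth2.Provider.GOOGLE
      && (n.getUserInfoRequirements() == null
          || !n.getUserInfoRequirements().containsKey("hd"))) {
    p.addProblem(
        Problem.Severity.WARNING,
        "Missing 'hd' field within "
            + "userInfoRequirements of Google OAuth provider. This could expose your Spinnaker "
            + "instance to anyone with a Gmail account.",
        "userInfoRequirements");
  }
}

/**
 * Returns {@code true} when a required string setting is absent or empty.
 *
 * @param value the setting to check; may be {@code null}
 * @return {@code true} if {@code value} is {@code null} or the empty string
 */
private static boolean isMissing(String value) {
  return value == null || value.isEmpty();
}
}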
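/**
 * Validates an OAuth2 authentication method.
 *
 * <p>Disabled methods are accepted as-is. An enabled method must carry a client ID and a client
 * secret. A Google provider without an {@code hd} entry in its user-info requirements only
 * produces a warning: the configuration works, but it admits any Google account rather than
 * just the organisation's domain.
 *
 * @param p collector for the problems found
 * @param n the OAuth2 settings to validate
 */
@Override
public void validate(ConfigProblemSetBuilder p, OAuth2 n) {
  if (!n.isEnabled()) {
    return;
  }
  // An empty string is treated like a missing value: the enable heuristic elsewhere in this
  // codebase uses StringUtils.isNotEmpty, so a blank id/secret must not pass validation here.
  if (isMissing(n.getClient().getClientId())) {
    p.addProblem(Problem.Severity.ERROR, "No OAuth2 client id was supplied");
  }
  if (isMissing(n.getClient().getClientSecret())) {
    p.addProblem(Problem.Severity.ERROR, "No OAuth2 client secret was supplied");
  }
  if (n.getProvider() == OAuth2.Provider.GOOGLE
      && (n.getUserInfoRequirements() == null
          || !n.getUserInfoRequirements().containsKey("hd"))) {
    p.addProblem(
        Problem.Severity.WARNING,
        "Missing 'hd' field within "
            + "userInfoRequirements of Google OAuth provider. This could expose your Spinnaker "
            + "instance to anyone with a Gmail account.",
        "userInfoRequirements");
  }
}

/**
 * Returns {@code true} when a required string setting is absent or empty.
 *
 * @param value the setting to check; may be {@code null}
 * @return {@code true} if {@code value} is {@code null} or the empty string
 */
private static boolean isMissing(String value) {
  return value == null || value.isEmpty();
}
}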