Refactor oidc auth OAS conversion (TykTechnologies#3950)

zhailuxu · Mar 23, 2022 · 518b3f8 · 518b3f8
1 parent 9a68483
commit 518b3f8
Show file tree

Hide file tree

Showing 2 changed files with 117 additions and 0 deletions.
diff --git a/apidef/oas/security.go b/apidef/oas/security.go
@@ -1,6 +1,8 @@
 package oas
 
 import (
+	"sort"
+
 	"github.com/TykTechnologies/tyk/apidef"
 	"github.com/getkin/kin-openapi/openapi3"
 	"github.com/lonelycode/osin"
@@ -267,6 +269,80 @@ func (s *OAS) extractOAuthTo(api *apidef.APIDefinition, name string) {
 	api.AuthConfigs[apidef.OAuthType] = authConfig
 }
 
+func (s *OAS) fillOIDC(api apidef.APIDefinition) {
+	authConfig, ok := api.AuthConfigs[apidef.OIDCType]
+	if !ok {
+		return
+	}
+
+	oidc := &OIDC{}
+	oidc.Enabled = api.UseOpenID
+	oidc.AuthSources.Fill(authConfig)
+	oidc.SegregateByClientId = api.OpenIDOptions.SegregateByClient
+
+	oidc.Providers = []Provider{}
+	for _, v := range api.OpenIDOptions.Providers {
+		var mapping []ClientToPolicy
+		for clientID, polID := range v.ClientIDs {
+			mapping = append(mapping, ClientToPolicy{ClientID: clientID, PolicyID: polID})
+		}
+
+		if len(mapping) == 0 {
+			mapping = nil
+		}
+
+		sort.Slice(mapping, func(i, j int) bool {
+			return mapping[i].ClientID < mapping[j].ClientID
+		})
+
+		oidc.Providers = append(oidc.Providers, Provider{Issuer: v.Issuer, ClientToPolicyMapping: mapping})
+	}
+
+	if len(oidc.Providers) == 0 {
+		oidc.Providers = nil
+	}
+
+	if oidc.Scopes == nil {
+		oidc.Scopes = &Scopes{}
+	}
+
+	oidc.Scopes.Fill(&api.Scopes.OIDC)
+	if ShouldOmit(oidc.Scopes) {
+		oidc.Scopes = nil
+	}
+
+	if ShouldOmit(oidc) {
+		oidc = nil
+	}
+
+	s.getTykAuthentication().OIDC = oidc
+}
+
+func (s *OAS) extractOIDCTo(api *apidef.APIDefinition) {
+	authConfig := apidef.AuthConfig{DisableHeader: true}
+
+	oidc := s.getTykAuthentication().OIDC
+	api.UseOpenID = oidc.Enabled
+	oidc.AuthSources.ExtractTo(&authConfig)
+
+	api.OpenIDOptions.SegregateByClient = oidc.SegregateByClientId
+
+	for _, p := range oidc.Providers {
+		clientIDs := make(map[string]string)
+		for _, mapping := range p.ClientToPolicyMapping {
+			clientIDs[mapping.ClientID] = mapping.PolicyID
+		}
+
+		api.OpenIDOptions.Providers = append(api.OpenIDOptions.Providers, apidef.OIDProviderConfig{Issuer: p.Issuer, ClientIDs: clientIDs})
+	}
+
+	if oidc.Scopes != nil {
+		oidc.Scopes.ExtractTo(&api.Scopes.OIDC)
+	}
+
+	api.AuthConfigs[apidef.OIDCType] = authConfig
+}
+
 func (s *OAS) fillCustomPlugin(api apidef.APIDefinition) {
 	authConfig, ok := api.AuthConfigs[apidef.CoprocessType]
 	if !ok {
@@ -323,6 +399,10 @@ func (s *OAS) extractSecurityTo(api *apidef.APIDefinition) {
 		api.AuthConfigs = make(map[string]apidef.AuthConfig)
 	}
 
+	if s.getTykAuthentication().OIDC != nil {
+		s.extractOIDCTo(api)
+	}
+
 	if s.getTykAuthentication().CustomPlugin != nil {
 		s.extractCustomPluginTo(api)
 	}
@@ -371,6 +451,7 @@ func (s *OAS) fillSecurity(api apidef.APIDefinition) {
 	s.fillJWT(api)
 	s.fillBasic(api)
 	s.fillOAuth(api)
+	s.fillOIDC(api)
 	s.fillCustomPlugin(api)
 	s.fillGoPlugin(api)
 

diff --git a/apidef/oas/security_test.go b/apidef/oas/security_test.go
@@ -1,6 +1,7 @@
 package oas
 
 import (
+	"sort"
 	"testing"
 
 	"github.com/TykTechnologies/tyk/apidef"
@@ -435,6 +436,41 @@ func TestOAS_OAuth(t *testing.T) {
 	assert.Equal(t, oas, convertedOAS)
 }
 
+func TestOAS_OIDC(t *testing.T) {
+	var oas OAS
+	var oidc OIDC
+	Fill(t, &oidc, 0)
+	sort.Slice(oidc.Scopes.ScopeToPolicyMapping, func(i, j int) bool {
+		return oidc.Scopes.ScopeToPolicyMapping[i].Scope < oidc.Scopes.ScopeToPolicyMapping[j].Scope
+	})
+
+	for _, provider := range oidc.Providers {
+		sort.Slice(provider.ClientToPolicyMapping, func(i, j int) bool {
+			return provider.ClientToPolicyMapping[i].ClientID < provider.ClientToPolicyMapping[j].ClientID
+		})
+	}
+
+	oas.Extensions = map[string]interface{}{
+		ExtensionTykAPIGateway: &XTykAPIGateway{
+			Server: Server{
+				Authentication: &Authentication{
+					OIDC: &oidc,
+				},
+			},
+		},
+	}
+
+	var api apidef.APIDefinition
+	api.AuthConfigs = make(map[string]apidef.AuthConfig)
+	oas.extractOIDCTo(&api)
+
+	var convertedOAS OAS
+	convertedOAS.SetTykExtension(&XTykAPIGateway{Server: Server{Authentication: &Authentication{}}})
+	convertedOAS.fillOIDC(api)
+
+	assert.Equal(t, oas, convertedOAS)
+}
+
 func TestOAS_CustomPlugin(t *testing.T) {
 	var oas OAS
 	var customPlugin CustomPlugin