Microsoft Entra ID provider (#2390)

* Microsoft Entra ID Provider * fix typo in function name * documentation tweaks * documentation and comment tweak * docs tweaks * final tweaks * refactor: drop flag for skipping graph groups * update legacy / deprecated provider page and sort provider overview * reformat * move entra-id provider into switch (treat like every other provider * fix test case and reformat * fix sidebar configuration * apply review suggestions * add pagination for graph api * fix: do not error when groups unable to retrieve * doc: number of groups fix * restore master packages * docs: tiny docs tweak * address review comments * fix codegen --------- Co-authored-by: tuunit <jan@larwig.com>
2025-11-29 22:48:19 +02:00 · 2024-12-31 12:46:13 +01:00
parent c64ec1251b
commit 5f188e5b6b
14 changed files with 617 additions and 51 deletions
--- a/providers/ms_entra_id_test.go
+++ b/providers/ms_entra_id_test.go
@@ -0,0 +1,185 @@
+package providers
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+	"github.com/stretchr/testify/assert"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestAzureEntraOIDCProviderNewMultiTenant(t *testing.T) {
+	g := NewWithT(t)
+
+	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
+		options.Provider{OIDCConfig: options.OIDCOptions{
+			IssuerURL:                      "https://login.microsoftonline.com/common/v2.0",
+			InsecureSkipIssuerVerification: true,
+		}},
+	)
+	g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
+}
+
+func TestAzureEntraOIDCProviderNewSingleTenant(t *testing.T) {
+	g := NewWithT(t)
+
+	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
+		options.Provider{OIDCConfig: options.OIDCOptions{
+			IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
+		}},
+	)
+	g.Expect(provider.Data().ProviderName).To(Equal("Microsoft Entra ID"))
+}
+
+func TestAzureEntraOIDCProviderEnrichSessionGroupOverage(t *testing.T) {
+	// Create ID Token that indicates group overage with _claim_names
+	key, _ := rsa.GenerateKey(rand.Reader, 2048)
+	claimsWithGroupOverage := &claimsWithGroupOverage{
+		jwt.RegisteredClaims{
+			Issuer: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
+		},
+		map[string]string{"groups": "src1"},
+	}
+
+	jwtWithClaims := jwt.NewWithClaims(jwt.SigningMethodRS256, claimsWithGroupOverage)
+	signedJWT, err := jwtWithClaims.SignedString(key)
+
+	assert.NoError(t, err)
+
+	session := CreateAuthorizedSession()
+	session.IDToken = signedJWT
+	session.Email = "mock@example.com"
+
+	// Create provider
+	provider := NewMicrosoftEntraIDProvider(&ProviderData{},
+		options.Provider{OIDCConfig: options.OIDCOptions{
+			IssuerURL: "https://login.microsoftonline.com/18014347-dd57-41a1-8191-7a1f734ea457/v2.0",
+		}},
+	)
+
+	// Create mocked Azure Graph server and override Graph URL
+	mockedGraph := mockGraphAPI(false)
+	mockedGraphURL, _ := url.Parse(mockedGraph.URL)
+	updateURL(provider.microsoftGraphURL, mockedGraphURL.Host)
+
+	// Test EnrichSession
+	err = provider.EnrichSession(context.Background(), session)
+
+	assert.NoError(t, err)
+	assert.Contains(t, session.Groups, "85d7d600-7804-4d92-8d43-9c33c21c130c")
+	assert.Contains(t, session.Groups, "916f0604-8a3b-4a69-bda9-06db11a8f0cd")
+	assert.Contains(t, session.Groups, "b1aef995-6b55-4ac6-bbfe-e829810e9352", "Pagination using $skiptoken failed")
+}
+
+func TestAzureEntraOIDCProviderValidateSessionAllowedTenants(t *testing.T) {
+	// Create multi-tenant Azure Entra provider with allowed tenants
+	provider := NewMicrosoftEntraIDProvider(
+		&ProviderData{
+			Verifier: &mockedVerifier{},
+		},
+		options.Provider{
+			OIDCConfig: options.OIDCOptions{
+				IssuerURL:                      "https://login.microsoftonline.com/common/v2.0",
+				InsecureSkipIssuerVerification: true,
+				InsecureSkipNonce:              true,
+			},
+			MicrosoftEntraIDConfig: options.MicrosoftEntraIDOptions{
+				AllowedTenants: []string{"85d7d600-7804-4d92-8d43-9c33c21c130c"},
+			},
+		},
+	)
+
+	// Check for invalid tenant
+	key, _ := rsa.GenerateKey(rand.Reader, 2048)
+
+	idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
+		Issuer: "https://login.microsoftonline.com/invalid_tenant/v2.0",
+	})
+	invalidJWT, err := idToken.SignedString(key)
+	assert.NoError(t, err)
+
+	session := CreateAuthorizedSession()
+	session.IDToken = invalidJWT
+
+	valid := provider.ValidateSession(context.Background(), session)
+	assert.False(t, valid)
+
+	// Check for valid tenant
+	idToken = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{
+		Issuer: "https://login.microsoftonline.com/85d7d600-7804-4d92-8d43-9c33c21c130c/v2.0",
+	})
+	validJWT, err := idToken.SignedString(key)
+	assert.NoError(t, err)
+
+	session = CreateAuthorizedSession()
+	session.IDToken = validJWT
+
+	valid = provider.ValidateSession(context.Background(), session)
+	assert.True(t, valid)
+}
+
+func mockGraphAPI(noGroupMemberPermissions bool) *httptest.Server {
+	groupsPath := "/v1.0/me/transitiveMemberOf"
+
+	return httptest.NewServer(http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			if noGroupMemberPermissions {
+				w.WriteHeader(401)
+			} else if r.URL.Path == groupsPath && r.Method == http.MethodGet && len(r.URL.Query()["$skiptoken"]) > 0 {
+				// Second page (pagination)
+				w.Write([]byte(`{
+					"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
+					"value": [
+						{
+							"@odata.type": "#microsoft.graph.group",
+							"id": "b1aef995-6b55-4ac6-bbfe-e829810e9352"
+						}
+					]
+				}`))
+
+			} else if r.URL.Path == groupsPath && r.Method == http.MethodGet {
+				// First page (pagination)
+				w.Write([]byte(fmt.Sprintf(`{
+					"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#directoryObjects(id)",
+					"@odata.nextLink": "http://%s/v1.0/me/transitiveMemberOf?$select=id&$top=2&$skiptoken=TEST_TOKEN",
+					"value": [
+						{
+							"@odata.type": "#microsoft.graph.group",
+							"id": "85d7d600-7804-4d92-8d43-9c33c21c130c"
+						  },
+						  {
+							"@odata.type": "#microsoft.graph.group",
+							"id": "916f0604-8a3b-4a69-bda9-06db11a8f0cd"
+						  }
+					]
+				}`, r.Host)))
+			}
+		},
+	))
+}
+
+type claimsWithGroupOverage struct {
+	jwt.RegisteredClaims
+	ClaimNames interface{} `json:"_claim_names,omitempty"`
+}
+
+func (c *claimsWithGroupOverage) Valid() error {
+	return nil
+}
+
+type mockedVerifier struct {
+}
+
+func (v *mockedVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error) {
+	return nil, nil
+}