add basic openid auth

Author: zvonand

src/Access/AccessTokenProcessor.cpp

@@ -119,9 +119,28 @@ std::unique_ptr<IAccessTokenProcessor> IAccessTokenProcessor::parseTokenProcesso
 
             return std::make_unique<AzureAccessTokenProcessor>(name, cache_lifetime, email_regex_str, tenant_id_str);
         }
+        else if (provider == "openid")
+        {
+            bool is_auto = config.hasProperty(prefix + ".configuration_endpoint");
+            bool is_manual = config.hasProperty(prefix + ".userinfo_endpoint") &&
+                             config.hasProperty(prefix + ".token_introspection_endpoint") &&
+                             (config.hasProperty(prefix + ".userinfo_endpoint") == config.hasProperty(prefix + ".token_introspection_endpoint"));
+
+            if (is_auto && !is_manual)
+            {
+                return std::make_unique<OpenIDAccessTokenProcessor>(name, cache_lifetime, email_regex_str, config.getString(prefix + ".configuration_endpoint"));
+            }
+            else if (!is_auto && is_manual)
+            {
+                return std::make_unique<OpenIDAccessTokenProcessor>(name, cache_lifetime, email_regex_str, config.getString(prefix + ".userinfo_endpoint"), config.getString(prefix + ".token_introspection_endpoint"));
+            }
+
+            throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER, "Could not parse access token processor {}: "
+                            "Either configuration_endpoint or both userinfo_endpoint and token_introspection_endpoint shall be specified", name);
+        }
         else
             throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER,
-                            "Could not parse access token processor {}: unknown provider {}", name, provider);
+                            "Could not parse access token processor {}: unknown provider type {}", name, provider);
     }
 
     throw Exception(ErrorCodes::INVALID_CONFIG_PARAMETER,
@@ -316,4 +335,57 @@ String AzureAccessTokenProcessor::validateTokenAndGetUsername(const String & tok
     return getValueByKey(user_info_json, "sub");
 }
 
+OpenIDAccessTokenProcessor::OpenIDAccessTokenProcessor(const String & name_,
+                           const UInt64 cache_invalidation_interval_,
+                           const String & email_regex_str,
+                           const String & openid_config_endpoint_)
+    : IAccessTokenProcessor(name_, cache_invalidation_interval_, email_regex_str)
+{
+    const picojson::object openid_config = getObjectFromURI(Poco::URI(openid_config_endpoint_));
+
+    if (!openid_config.contains("userinfo_endpoint") || !openid_config.contains("introspection_endpoint"))
+        throw Exception(ErrorCodes::AUTHENTICATION_FAILED, "{}: Cannot extract userinfo_endpoint or introspection_endpoint from OIDC configuration, consider manual configuration.", name);
+}
+
+bool OpenIDAccessTokenProcessor::resolveAndValidate(const TokenCredentials & credentials)
+{
+    const String & token = credentials.getToken();
+
+    try
+    {
+        String username = validateTokenAndGetUsername(token);
+        if (!username.empty())
+        {
+            /// Credentials are passed as const everywhere up the flow, so we have to comply,
+            /// in this case const_cast looks acceptable.
+            const_cast<TokenCredentials &>(credentials).setUserName(username);
+        }
+        else
+            LOG_TRACE(getLogger("AccessTokenProcessor"), "{}: Failed to get username with token", name);
+
+    }
+    catch (...)
+    {
+        return false;
+    }
+
+    return true;
+
+    /// TODO: add proper groups functionality
+//    try
+//    {
+//        const_cast<TokenCredentials &>(credentials).setExpiresAt(jwt::decode(token).get_expires_at());
+//    }
+//    catch (...) {
+//        LOG_TRACE(getLogger("AccessTokenProcessor"),
+//                  "{}: No expiration data found in a valid token, will use default cache lifetime", name);
+//    }
+}
+
+String OpenIDAccessTokenProcessor::validateTokenAndGetUsername(const String & token) const
+{
+    picojson::object user_info_json = getObjectFromURI(userinfo_endpoint, token);
+    return getValueByKey(user_info_json, "sub");
+}
+
 }

src/Access/AccessTokenProcessor.h

@@ -21,7 +21,7 @@ namespace ErrorCodes
     extern const int INVALID_CONFIG_PARAMETER;
 }
 
-class GoogleAccessTokenProcessor;
+//class GoogleAccessTokenProcessor;
 
 class IAccessTokenProcessor
 {
@@ -57,6 +57,8 @@ class IAccessTokenProcessor
     const String name;
     const UInt64 cache_invalidation_interval;
     re2::RE2 email_regex;
+
+    bool valid;
 };
 
 
@@ -97,4 +99,31 @@ class AzureAccessTokenProcessor : public IAccessTokenProcessor
     String validateTokenAndGetUsername(const String & token) const;
 };
 
+class OpenIDAccessTokenProcessor : public IAccessTokenProcessor
+{
+public:
+    /// Obtain endpoints from openid-configuration URL
+    OpenIDAccessTokenProcessor(const String & name_,
+                              const UInt64 cache_invalidation_interval_,
+                              const String & email_regex_str,
+                              const String & openid_config_endpoint_);
+
+    /// Specify endpoints manually
+    OpenIDAccessTokenProcessor(const String & name_,
+                               const UInt64 cache_invalidation_interval_,
+                               const String & email_regex_str,
+                               const String & userinfo_endpoint_,
+                               const String & token_introspection_endpoint_)
+        : IAccessTokenProcessor(name_, cache_invalidation_interval_, email_regex_str),
+        userinfo_endpoint(userinfo_endpoint_), token_introspection_endpoint(token_introspection_endpoint_) {}
+
+    bool resolveAndValidate(const TokenCredentials & credentials) override;
+private:
+    const Poco::URI userinfo_endpoint;
+    const Poco::URI token_introspection_endpoint;
+
+
+    String validateTokenAndGetUsername(const String & token) const;
+};
+
 }