feat: Add enabled to federation resources (#423)

Add possibility to disable federated authentication by setting the idp
or mapping enabled status.

Closes: #269

Author: gtema

doc/src/federation/intro.md

@@ -59,19 +59,19 @@ Following tables are added:
 - federated_identity_provider
 
 ```rust
-{{#rustdoc_include ../../src/db/entity/federated_identity_provider.rs:9:22}}
+{{#rustdoc_include ../../../src/db/entity/federated_identity_provider.rs:15:30}}
 ```
 
 - federated_mapping
 
 ```rust
-{{#include ../../src/db/entity/federated_mapping.rs:10:26}}
+{{#include ../../../src/db/entity/federated_mapping.rs:15:32}}
 ```
 
 - federated_auth_state
 
 ```rust
-{{#include ../../src/db/entity/federated_auth_state.rs:8:16}}
+{{#include ../../../src/db/entity/federated_auth_state.rs:8:16}}
 ```
 
 ## Compatibility notes

rustfmt.toml

@@ -1,3 +1,3 @@
-format_code_in_doc_comments = true
-unstable_features = true
-wrap_comments = true
+# format_code_in_doc_comments = true
+# unstable_features = true
+# wrap_comments = true

src/api/v4/federation/auth.rs

@@ -137,6 +137,14 @@ pub async fn post(
         return Err(OidcError::MappingRequired)?;
     };
 
+    // Check for IdP and mapping `enabled` state
+    if !idp.enabled {
+        return Err(OidcError::IdentityProviderDisabled)?;
+    }
+    if !mapping.enabled {
+        return Err(OidcError::MappingDisabled)?;
+    }
+
     let client = if let Some(discovery_url) = &idp.oidc_discovery_url {
         let http_client = reqwest::ClientBuilder::new()
             // Following redirects opens the client up to SSRF vulnerabilities.

src/api/v4/federation/error.rs

@@ -43,6 +43,14 @@ pub enum OidcError {
     #[error("groups claim must be an array of strings")]
     GroupsClaimNotArrayOfStrings,
 
+    /// IdP is disabled.
+    #[error("identity provider is disabled")]
+    IdentityProviderDisabled,
+
+    /// Mapping is disabled.
+    #[error("mapping is disabled")]
+    MappingDisabled,
+
     #[error("request token error")]
     RequestToken { msg: String },
 
@@ -153,6 +161,12 @@ impl From<OidcError> for KeystoneApiError {
             e @ OidcError::ClientWithoutDiscoveryNotSupported => {
                 KeystoneApiError::InternalError(e.to_string())
             }
+            OidcError::IdentityProviderDisabled => {
+                KeystoneApiError::BadRequest("Federated Identity Provider is disabled.".to_string())
+            }
+            OidcError::MappingDisabled => {
+                KeystoneApiError::BadRequest("Federated Identity Provider mapping is disabled.".to_string())
+            }
             OidcError::MappingRequired => {
                 KeystoneApiError::BadRequest("Federated authentication requires mapping being specified in the payload or default set on the identity provider.".to_string())
             }

src/api/v4/federation/identity_provider/list.rs

@@ -133,6 +133,7 @@ mod tests {
                     id: "id".into(),
                     name: "name".into(),
                     domain_id: Some("did".into()),
+                    enabled: true,
                     default_mapping_name: Some("dummy".into()),
                     ..Default::default()
                 }])
@@ -164,6 +165,7 @@ mod tests {
                 id: "id".into(),
                 name: "name".into(),
                 domain_id: Some("did".into()),
+                enabled: true,
                 oidc_discovery_url: None,
                 oidc_client_id: None,
                 oidc_response_mode: None,

src/api/v4/federation/identity_provider/show.rs

@@ -115,6 +115,7 @@ mod tests {
                     id: "bar".into(),
                     name: "name".into(),
                     domain_id: Some("did".into()),
+                    enabled: true,
                     default_mapping_name: Some("dummy".into()),
                     ..Default::default()
                 }))
@@ -161,6 +162,7 @@ mod tests {
                 id: "bar".into(),
                 name: "name".into(),
                 domain_id: Some("did".into()),
+                enabled: true,
                 oidc_discovery_url: None,
                 oidc_client_id: None,
                 oidc_response_mode: None,

src/api/v4/federation/jwt.rs

@@ -162,6 +162,14 @@ pub async fn login(
         })?
         .to_owned();
 
+    // Check for IdP and mapping `enabled` state
+    if !idp.enabled {
+        return Err(OidcError::IdentityProviderDisabled)?;
+    }
+    if !mapping.enabled {
+        return Err(OidcError::MappingDisabled)?;
+    }
+
     tracing::debug!("Mapping is {:?}", mapping);
     let token_restriction = if let Some(tr_id) = &mapping.token_restriction_id {
         state

src/api/v4/federation/mapping/list.rs

@@ -107,6 +107,7 @@ mod tests {
                     name: "name".into(),
                     domain_id: Some("did".into()),
                     idp_id: "idp_id".into(),
+                    enabled: true,
                     user_id_claim: "sub".into(),
                     user_name_claim: "preferred_username".into(),
                     domain_id_claim: Some("domain_id".into()),
@@ -143,6 +144,7 @@ mod tests {
                 domain_id: Some("did".into()),
                 idp_id: "idp_id".into(),
                 r#type: MappingType::default(),
+                enabled: true,
                 allowed_redirect_uris: None,
                 user_id_claim: "sub".into(),
                 user_name_claim: "preferred_username".into(),
@@ -180,6 +182,7 @@ mod tests {
                     domain_id: Some("did".into()),
                     idp_id: "idp".into(),
                     r#type: MappingType::default().into(),
+                    enabled: true,
                     allowed_redirect_uris: None,
                     user_id_claim: "sub".into(),
                     user_name_claim: "preferred_username".into(),

src/api/v4/federation/mapping/show.rs

@@ -116,6 +116,7 @@ mod tests {
                     name: "name".into(),
                     domain_id: Some("did".into()),
                     idp_id: "idp_id".into(),
+                    enabled: true,
                     user_id_claim: "sub".into(),
                     user_name_claim: "preferred_username".into(),
                     domain_id_claim: Some("domain_id".into()),
@@ -166,6 +167,7 @@ mod tests {
                 domain_id: Some("did".into()),
                 idp_id: "idp_id".into(),
                 r#type: MappingType::default(),
+                enabled: true,
                 allowed_redirect_uris: None,
                 user_id_claim: "sub".into(),
                 user_name_claim: "preferred_username".into(),

src/api/v4/federation/oidc.rs

@@ -121,6 +121,14 @@ pub async fn callback(
             })
         })??;
 
+    // Check for IdP and mapping `enabled` state
+    if !idp.enabled {
+        return Err(OidcError::IdentityProviderDisabled)?;
+    }
+    if !mapping.enabled {
+        return Err(OidcError::MappingDisabled)?;
+    }
+
     let token_restrictions = if let Some(tr_id) = &mapping.token_restriction_id {
         state
             .provider