From 125a6bdf11dade3db0c80d6e7932b375b38aaf67 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Mon, 26 Jun 2023 17:36:40 +0200
Subject: [PATCH] Allow setting a different issuer from the public base URL

---
 crates/cli/src/commands/server.rs    |  3 ++-
 crates/cli/src/commands/templates.rs |  3 ++-
 crates/cli/src/commands/worker.rs    |  3 ++-
 crates/config/src/sections/http.rs   |  4 ++++
 crates/handlers/src/test_utils.rs    |  2 +-
 crates/router/src/url_builder.rs     | 12 +++++++-----
 crates/templates/src/lib.rs          |  2 +-
 docs/config.schema.json              |  6 ++++++
 8 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/crates/cli/src/commands/server.rs b/crates/cli/src/commands/server.rs
index a4a2a052..c869db3c 100644
--- a/crates/cli/src/commands/server.rs
+++ b/crates/cli/src/commands/server.rs
@@ -83,7 +83,8 @@ impl Options {
         let policy_factory = policy_factory_from_config(&config.policy).await?;
         let policy_factory = Arc::new(policy_factory);
 
-        let url_builder = UrlBuilder::new(config.http.public_base.clone());
+        let url_builder =
+            UrlBuilder::new(config.http.public_base.clone(), config.http.issuer.clone());
 
         // Load and compile the templates
         let templates = templates_from_config(&config.templates, &url_builder).await?;
diff --git a/crates/cli/src/commands/templates.rs b/crates/cli/src/commands/templates.rs
index 4c00e496..ce98c1d9 100644
--- a/crates/cli/src/commands/templates.rs
+++ b/crates/cli/src/commands/templates.rs
@@ -44,7 +44,8 @@ impl Options {
         let clock = SystemClock::default();
         // XXX: we should disallow SeedableRng::from_entropy
         let mut rng = rand_chacha::ChaChaRng::from_entropy();
-        let url_builder = mas_router::UrlBuilder::new("https://example.com/".parse()?);
+        let url_builder =
+            mas_router::UrlBuilder::new("https://example.com/".parse()?, None);
 
         let templates = Templates::load(path, url_builder).await?;
         templates.check_render(clock.now(), &mut rng).await?;
diff --git a/crates/cli/src/commands/worker.rs b/crates/cli/src/commands/worker.rs
index 5b131a74..9559ce31 100644
--- a/crates/cli/src/commands/worker.rs
+++ b/crates/cli/src/commands/worker.rs
@@ -37,7 +37,8 @@ impl Options {
         info!("Connecting to the database");
         let pool = database_from_config(&config.database).await?;
 
-        let url_builder = UrlBuilder::new(config.http.public_base.clone());
+        let url_builder =
+            UrlBuilder::new(config.http.public_base.clone(), config.http.issuer.clone());
 
         // Load and compile the templates
         let templates = templates_from_config(&config.templates, &url_builder).await?;
diff --git a/crates/config/src/sections/http.rs b/crates/config/src/sections/http.rs
index 35507853..452595e5 100644
--- a/crates/config/src/sections/http.rs
+++ b/crates/config/src/sections/http.rs
@@ -326,6 +326,9 @@ pub struct HttpConfig {
 
     /// Public URL base from where the authentication service is reachable
     pub public_base: Url,
+
+    /// OIDC issuer URL. Defaults to `public_base` if not set.
+    pub issuer: Option,
 }
 
 impl Default for HttpConfig {
@@ -364,6 +367,7 @@ impl Default for HttpConfig {
                     }],
                 },
             ],
+            issuer: Some(default_public_base()),
             public_base: default_public_base(),
         }
     }
diff --git a/crates/handlers/src/test_utils.rs b/crates/handlers/src/test_utils.rs
index e8b4540e..e3a98763 100644
--- a/crates/handlers/src/test_utils.rs
+++ b/crates/handlers/src/test_utils.rs
@@ -110,7 +110,7 @@ impl TestState {
             .join("..")
             .join("..");
 
-        let url_builder = UrlBuilder::new("https://example.com/".parse()?);
+        let url_builder = UrlBuilder::new("https://example.com/".parse()?, None);
 
         let templates =
             Templates::load(workspace_root.join("templates"), url_builder.clone()).await?;
diff --git a/crates/router/src/url_builder.rs b/crates/router/src/url_builder.rs
index 7702e04f..4cc1e2e6 100644
--- a/crates/router/src/url_builder.rs
+++ b/crates/router/src/url_builder.rs
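Review bot: `impl Default for HttpConfig` sets `issuer: Some(default_public_base())` instead of `None`, so a config file generated from defaults pins the issuer to `http://[::]:8080/` (the schema default in docs/config.schema.json now shows exactly that), and an operator who later edits only `public_base` keeps an issuer that silently differs from the public base, contradicting the field's own doc comment "Defaults to `public_base` if not set"; `issuer: None,` gives the documented behaviour. Nothing validates the value either: OpenID Connect Discovery requires the issuer to be an `https` URL with no query or fragment, and clients compare it byte-for-byte (trailing slash included) with the location they fetched the discovery document from, so a bad value breaks every relying party rather than failing at startup. A check in the config validation along the lines of `if let Some(issuer) = &self.issuer { if issuer.query().is_some() || issuer.fragment().is_some() { bail!("http.issuer must not carry a query or fragment") } }`, plus a warning when the scheme is not `https` outside local development, would catch this early. The `Option`'s type parameter appears to have been lost in rendering; presumably it is `Option<Url>`.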
@@ -22,6 +22,7 @@ use crate::traits::Route;
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct UrlBuilder {
     base: Url,
+    issuer: Url,
 }
 
 impl UrlBuilder {
@@ -41,20 +42,21 @@ impl UrlBuilder {
 
     /// Create a new [`UrlBuilder`] from a base URL
     #[must_use]
-    pub fn new(base: Url) -> Self {
-        Self { base }
+    pub fn new(base: Url, issuer: Option) -> Self {
+        let issuer = issuer.unwrap_or_else(|| base.clone());
+        Self { base, issuer }
     }
 
     /// OIDC issuer
     #[must_use]
     pub fn oidc_issuer(&self) -> Url {
-        self.base.clone()
+        self.issuer.clone()
     }
 
-    /// OIDC dicovery document URL
+    /// OIDC discovery document URL
     #[must_use]
     pub fn oidc_discovery(&self) -> Url {
-        self.url_for(&crate::endpoints::OidcConfiguration)
+        crate::endpoints::OidcConfiguration.absolute_url(&self.issuer)
     }
 
     /// OAuth 2.0 authorization endpoint
diff --git a/crates/templates/src/lib.rs b/crates/templates/src/lib.rs
index 95de35e2..73a36650 100644
--- a/crates/templates/src/lib.rs
+++ b/crates/templates/src/lib.rs
@@ -305,7 +305,7 @@ mod tests {
 
         let mut rng = rand::thread_rng();
         let path = Utf8Path::new(env!("CARGO_MANIFEST_DIR")).join("../../templates/");
-        let url_builder = UrlBuilder::new("https://example.com/".parse().unwrap());
+        let url_builder = UrlBuilder::new("https://example.com/".parse().unwrap(), None);
         let templates = Templates::load(path, url_builder).await.unwrap();
         templates.check_render(now, &mut rng).await.unwrap();
     }
diff --git a/docs/config.schema.json b/docs/config.schema.json
index e98681ae..653d3779 100644
--- a/docs/config.schema.json
+++ b/docs/config.schema.json
@@ -59,6 +59,7 @@
       "http": {
         "description": "Configuration of the HTTP server",
         "default": {
+          "issuer": "http://[::]:8080/",
           "listeners": [
             {
               "binds": [
@@ -787,6 +788,11 @@
         "public_base"
       ],
       "properties": {
+        "issuer": {
+          "description": "OIDC issuer URL. Defaults to `public_base` if not set.",
+          "type": "string",
+          "format": "uri"
+        },
         "listeners": {
           "description": "List of listeners to run",
           "default": [],
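Review bot: `oidc_discovery` now builds the discovery URL from `issuer` while every other endpoint is still built from `base`, so whenever the two differ the operator must arrange for `{issuer}/.well-known/openid-configuration` to reach this service — OpenID Connect Discovery makes clients fetch the document from the issuer and reject it if its `issuer` value does not match exactly, so a mismatch (even a trailing-slash difference) breaks all clients without any error on this side. `new` accepts any `Url` as the issuer without checking that it uses `https` or carries no query or fragment, which the discovery spec requires of an issuer identifier; if that is enforced in config validation instead, the doc comment here should say the constructor relies on it. The doc comment on `new` still reads "from a base URL" and does not mention the second argument; I would extend it to say that `issuer` is the OIDC issuer identifier advertised to clients, that it falls back to `base` when `None`, and that the caller must ensure the discovery document is actually served under it. The `impl UrlBuilder` block continues past the end of the hunk.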