Added oidc authentication

Signed-off-by: Octavian Ionescu <[email protected]>

Author: itavy

package-lock.json

@@ -26,6 +26,7 @@
   "dependencies": {
     "debug": "^4.3.4",
     "mustache": "^4.2.0",
+    "open": "^10.1.0",
     "postman-request": "^2.88.1-postman.33",
     "tv4": "^1.3.0"
   },

package.json

@@ -1258,6 +1258,73 @@ module.exports = {
             res: approleResponse,
         },
     },
+    oidcAuthUrl: {
+        method: 'POST',
+        path: '/auth/oidc/oidc/auth_url',
+        schema: {
+            req: {
+                type: 'object',
+                properties: {
+                    redirect_uri: {
+                        type: 'string'
+                    },
+                    client_nonce: {
+                        type: 'string'
+                    },
+                    role: {
+                        type: 'string'
+                    }
+                },
+                required: ['redirect_uri']
+            },
+            res: {
+                type: 'object',
+                properties: {
+                    request_id: {
+                        type: 'string'
+                    },
+                    data: {
+                        type: 'object',
+                        properties: {
+                            auth_url: {
+                                type: 'string'
+                            }
+                        },
+                        required: ['auth_url']
+                    }
+                },
+                required: ['request_id', 'data']
+            }
+        }
+    },
+    oidcCallback: {
+        method: 'GET',
+        path: '/auth/oidc/oidc/callback',
+        tokenSource: true,
+        schema: {
+            query: {
+                type: 'object',
+                properties: {
+                    state: {
+                        type: 'string',
+                    },
+                    code: {
+                        type: 'string',
+                    },
+                    client_nonce: {
+                        type: 'string'
+                    }
+                },
+                required: ['state', 'code']
+            },
+            res: {
+                type: 'object',
+                properties: {
+                    auth,
+                }
+            }
+        }
+    },
     health: {
         method: 'GET',
         path: '/sys/health',
@@ -1334,4 +1401,4 @@ module.exports = {
         method: 'PUT',
         path: '/sys/step-down',
     },
-}
+}

src/commands.js

@@ -6,6 +6,8 @@ const originalCommands = require('./commands.js');
 const originalMustache = require('mustache');
 const util = require('util');
 const request = require('postman-request');
+const { randomBytes } = require('crypto');
+const http = require('http');
 
 class VaultError extends Error {}
 
@@ -244,5 +246,51 @@ module.exports = (config = {}) => {
     const assignFunctions = (commandName) => generateFunction(commandName, commands[commandName]);
     Object.keys(commands).forEach(assignFunctions);
 
+    client['oidcFlow'] = () => import('open')
+        .then(({default: open}) => {
+            const oidcCallbackPath = '/oidc/callback';
+            const serverConfig = {
+                host: 'localhost',
+                port: 8250,
+                protocol: 'http'
+            }
+            return new Promise((done, reject) => {
+                const client_nonce = randomBytes(20).toString('hex').slice(20);
+
+                const server = http.createServer((req, res) => {
+                    const responseUrl = new URL(req.url, `${serverConfig.protocol}://${serverConfig.host}`)
+                    if (responseUrl.pathname === oidcCallbackPath) {
+                        res.write('Signed in via your OIDC provider\nYou can now close this window and start using Vault.');
+                        res.end();
+                        const code = responseUrl.searchParams.get('code')
+                        const state = responseUrl.searchParams.get('state')
+                        client.oidcCallback({
+                            state,
+                            code,
+                            client_nonce,
+                        })
+                            .then(() => {
+                                server.close(done);
+                            })
+                            .catch(reject)
+                    }
+                    if (!res.writableEnded) {
+                        res.end();
+                    }
+                });
+
+                server.listen(serverConfig.port, serverConfig.host, () => {});
+
+                client.oidcAuthUrl({
+                    redirect_uri: `${serverConfig.protocol}://${serverConfig.host}:${serverConfig.port}${oidcCallbackPath}`,
+                    client_nonce,
+                })
+                    .then((r) => {
+                        open(r.data.auth_url)
+                    })
+                    .catch(reject)
+            })
+        })
+
     return client;
 };