Merge branch 'jul/oidc-auth-code-verification' into 'master'

Add authorization code verification method

See merge request TankerHQ/sdk-python!304

Author: JMounier

cffi_defs.h

@@ -61,29 +61,10 @@ struct tanker_error
   char const* message;
 };
 
-// ctanker/network.h
-
-struct tanker_http_request
-{
-  char const* method;
-  char const* url;
-  char const* instance_id;
-  char const* authorization;
-  char const* body;
-  int32_t body_size;
-};
-
-struct tanker_http_response
-{
-  char const* error_msg;
-  char const* content_type;
-  char const* body;
-  int64_t body_size;
-  int32_t status_code;
-};
+// ctanker/http.h There is no HTTP revese bindings for python
 
+// foward declarations to satisfy FFI
 typedef struct tanker_http_request tanker_http_request_t;
-typedef struct tanker_http_response tanker_http_response_t;
 
 typedef void tanker_http_request_handle_t;
 
@@ -103,9 +84,6 @@ struct tanker_http_options
 
 typedef struct tanker_http_options tanker_http_options_t;
 
-void tanker_http_handle_response(tanker_http_request_t*,
-                                 tanker_http_response_t*);
-
 // ctanker/datastore.h
 
 enum tanker_datastore_error_code
@@ -216,6 +194,7 @@ enum tanker_verification_method_type
   TANKER_VERIFICATION_METHOD_PREVERIFIED_PHONE_NUMBER,
   TANKER_VERIFICATION_METHOD_E2E_PASSPHRASE,
   TANKER_VERIFICATION_METHOD_PREVERIFIED_OIDC,
+  TANKER_VERIFICATION_METHOD_OIDC_AUTHORIZATION_CODE,
 
   TANKER_VERIFICATION_METHOD_LAST
 };
@@ -233,6 +212,7 @@ typedef struct tanker_options tanker_options_t;
 typedef struct tanker_email_verification tanker_email_verification_t;
 typedef struct tanker_phone_number_verification tanker_phone_number_verification_t;
 typedef struct tanker_preverified_oidc_verification tanker_preverified_oidc_verification_t;
+typedef struct tanker_oidc_authorization_code_verification tanker_oidc_authorization_code_verification_t;
 typedef struct tanker_verification tanker_verification_t;
 typedef struct tanker_verification_list tanker_verification_list_t;
 typedef struct tanker_verification_method tanker_verification_method_t;
@@ -306,6 +286,14 @@ struct tanker_preverified_oidc_verification
   char const* provider_id;
 };
 
+struct tanker_oidc_authorization_code_verification
+{
+  uint8_t version;
+  char const* provider_id;
+  char const* authorization_code;
+  char const* state;
+};
+
 struct tanker_verification
 {
   uint8_t version;
@@ -321,6 +309,7 @@ struct tanker_verification
   char const* preverified_email;
   char const* preverified_phone_number;
   tanker_preverified_oidc_verification_t preverified_oidc_verification;
+  tanker_oidc_authorization_code_verification_t oidc_authorization_code_verification;
 };
 
 struct tanker_verification_method
@@ -442,6 +431,9 @@ tanker_future_t* tanker_attach_provisional_identity(
 tanker_future_t* tanker_verify_provisional_identity(
     tanker_t* ctanker, tanker_verification_t const* verification);
 
+tanker_expected_t* tanker_authenticate_with_idp(tanker_t* session, char const* provider_id, char const* cookie);
+void tanker_free_authenticate_with_idp_result(tanker_oidc_authorization_code_verification_t* result);
+
 void tanker_free_buffer(void const* buffer);
 
 void tanker_free_verification_method_list(

tankersdk/__init__.py

@@ -16,6 +16,7 @@
     EmailVerification,
     EmailVerificationMethod,
     EncryptionOptions,
+    OidcAuthorizationCodeVerification,
     OidcIdTokenVerification,
     OidcIdTokenVerificationMethod,
     Padding,

tankersdk/experimental.py

@@ -0,0 +1,25 @@
+from _tanker import lib as tankerlib
+
+from .tanker import OidcAuthorizationCodeVerification, Tanker, ffihelpers
+
+
+async def authenticate_with_idp(
+    tanker: Tanker, provider_id: str, cookie: str
+) -> OidcAuthorizationCodeVerification:
+    c_provider_id = ffihelpers.str_to_c_string(provider_id)
+    c_cookie = ffihelpers.str_to_c_string(cookie)
+    c_expected_verification = tankerlib.tanker_authenticate_with_idp(
+        tanker.c_tanker, c_provider_id, c_cookie
+    )
+
+    c_verification = ffihelpers.unwrap_expected(
+        c_expected_verification, "tanker_oidc_authorization_code_verification_t*"
+    )
+    c_authorization_code = c_verification.authorization_code
+    c_state = c_verification.state
+
+    authorization_code = ffihelpers.c_string_to_str(c_authorization_code)
+    state = ffihelpers.c_string_to_str(c_state)
+
+    tankerlib.tanker_free_authenticate_with_idp_result(c_verification)
+    return OidcAuthorizationCodeVerification(provider_id, authorization_code, state)

tankersdk/tanker.py

@@ -63,6 +63,7 @@ class VerificationMethodType(Enum):
     PREVERIFIED_PHONE_NUMBER = 7
     E2E_PASSPHRASE = 8
     PREVERIFIED_OIDC = 9
+    OIDC_AUTHORIZATION_CODE = 10
 
 
 class Verification:
@@ -148,6 +149,15 @@ def __init__(self, subject: str, provider_id: str):
         self.provider_id = provider_id
 
 
+class OidcAuthorizationCodeVerification(Verification):
+    method_type = VerificationMethodType.OIDC_AUTHORIZATION_CODE
+
+    def __init__(self, provider_id: str, authorization_code: str, state: str):
+        self.provider_id = provider_id
+        self.authorization_code = authorization_code
+        self.state = state
+
+
 class VerificationMethod:
     # Note: we want every subclass to have a 'mehod_type' attribute
     # of type VerificationMethodType, but there's no "good"
@@ -390,7 +400,7 @@ def __init__(
 
         # Note: we store things in `self` so they don't get
         # garbage collected later on
-        c_verification = ffi.new("tanker_verification_t *", {"version": 7})
+        c_verification = ffi.new("tanker_verification_t *", {"version": 8})
         if isinstance(verification, VerificationKeyVerification):
             c_verification.verification_method_type = (
                 tankerlib.TANKER_VERIFICATION_METHOD_VERIFICATION_KEY
@@ -479,6 +489,21 @@ def __init__(
             c_verification.preverified_oidc_verification = (
                 self._preverified_oidc_verification
             )
+        elif isinstance(verification, OidcAuthorizationCodeVerification):
+            c_verification.verification_method_type = (
+                tankerlib.TANKER_VERIFICATION_METHOD_OIDC_AUTHORIZATION_CODE
+            )
+            self._oidc_authorization_code_verification = {
+                "version": 1,
+                "provider_id": ffihelpers.str_to_c_string(verification.provider_id),
+                "authorization_code": ffihelpers.str_to_c_string(
+                    verification.authorization_code
+                ),
+                "state": ffihelpers.str_to_c_string(verification.state),
+            }
+            c_verification.oidc_authorization_code_verification = (
+                self._oidc_authorization_code_verification
+            )
 
         self._c_verification = c_verification
 

test/test_tanker.py

@@ -41,6 +41,7 @@
     VerificationOptions,
     error,
 )
+from tankersdk.experimental import authenticate_with_idp
 
 
 def encode(string: str) -> str:
@@ -68,6 +69,7 @@ def read_test_config() -> Dict[str, Any]:
         "clientSecret": assert_env("TANKER_OIDC_CLIENT_SECRET"),
         "provider": assert_env("TANKER_OIDC_PROVIDER"),
         "issuer": assert_env("TANKER_OIDC_ISSUER"),
+        "fakeOidcIssuerUrl": assert_env("TANKER_FAKE_OIDC_URL") + "/issuer",
     }
     res["oidc"]["users"] = {
         "martine": {
@@ -1546,6 +1548,24 @@ def set_up_oidc(app: Dict[str, str], admin: Admin) -> Dict[str, str]:
     return cast(Dict[str, str], admin.get_app(app["id"])["oidc_providers"][0])
 
 
+def set_up_fake_oidc(app: Dict[str, str], admin: Admin) -> Dict[str, str]:
+    fake_oidc_issuer_url = TEST_CONFIG["oidc"]["fakeOidcIssuerUrl"]
+
+    oidc_issuer = fake_oidc_issuer_url
+    oidc_client_id = "tanker"
+    oidc_provider = "fake-oidc"
+    admin.update_app(
+        app["id"],
+        oidc_providers=[
+            AppOidcProvider(
+                client_id=oidc_client_id, display_name=oidc_provider, issuer=oidc_issuer
+            )
+        ],
+    )
+
+    return cast(Dict[str, str], admin.get_app(app["id"])["oidc_providers"][0])
+
+
 @pytest.mark.asyncio
 async def test_oidc_verification(
     tmp_path: Path, app: Dict[str, str], admin: Admin
@@ -1584,6 +1604,61 @@ async def test_oidc_verification(
     await martine_laptop.stop()
 
 
+@pytest.mark.asyncio
+async def test_oidc_authorization_code_verification(
+    tmp_path: Path, app: Dict[str, str], admin: Admin
+) -> None:
+    provider_config = set_up_fake_oidc(app, admin)
+    provider_id = provider_config["id"]
+    subject_cookie = "fake_oidc_subject=martine"
+
+    phone_path = tmp_path / "phone"
+    phone_path.mkdir(exist_ok=True)
+    martine_phone = create_tanker(app["id"], persistent_path=phone_path)
+    identity = tankersdk_identity.create_identity(
+        app["id"], app["secret"], str(uuid.uuid4())
+    )
+
+    await martine_phone.start(identity)
+
+    verification1 = await authenticate_with_idp(
+        martine_phone, provider_id, subject_cookie
+    )
+    verification2 = await authenticate_with_idp(
+        martine_phone, provider_id, subject_cookie
+    )
+    await martine_phone.register_identity(verification1)
+    await martine_phone.stop()
+
+    laptop_path = tmp_path / "laptop"
+    laptop_path.mkdir(exist_ok=True)
+    martine_laptop = create_tanker(app["id"], persistent_path=laptop_path)
+    await martine_laptop.start(identity)
+
+    assert martine_laptop.status == TankerStatus.IDENTITY_VERIFICATION_NEEDED
+    await martine_laptop.verify_identity(verification2)
+    assert martine_laptop.status == TankerStatus.READY
+
+    actual_methods = await martine_laptop.get_verification_methods()
+    (actual_method,) = actual_methods
+    assert actual_method.method_type == VerificationMethodType.OIDC_ID_TOKEN
+
+    await martine_laptop.stop()
+
+    tablet_path = tmp_path / "tablet"
+    tablet_path.mkdir(exist_ok=True)
+    martine_tablet = create_tanker(app["id"], persistent_path=tablet_path)
+    await martine_tablet.start(identity)
+    verification3 = await authenticate_with_idp(
+        martine_tablet, provider_id, "fake_oidc_subject=not_martine"
+    )
+
+    assert martine_tablet.status == TankerStatus.IDENTITY_VERIFICATION_NEEDED
+    with pytest.raises(error.InvalidVerification):
+        await martine_tablet.verify_identity(verification3)
+    await martine_tablet.stop()
+
+
 @pytest.mark.asyncio
 async def test_register_fails_with_preverified_email(
     tmp_path: Path, app: Dict[str, str], admin: Admin
@@ -1886,6 +1961,53 @@ async def test_set_verification_method_with_oidc(
     await phone_tanker.stop()
 
 
+@pytest.mark.asyncio
+async def test_set_oidc_authorization_code_verification(
+    tmp_path: Path, app: Dict[str, str], admin: Admin
+) -> None:
+    provider_config = set_up_fake_oidc(app, admin)
+    provider_id = provider_config["id"]
+    subject_cookie = "fake_oidc_subject=alice"
+    passphrase = "The cake is not a lie"
+
+    laptop_path = tmp_path / "laptop"
+    laptop_path.mkdir(exist_ok=True)
+    laptop_tanker = create_tanker(app["id"], persistent_path=laptop_path)
+    alice_identity = tankersdk_identity.create_identity(
+        app["id"], app["secret"], str(uuid.uuid4())
+    )
+
+    await laptop_tanker.start(alice_identity)
+    await laptop_tanker.register_identity(PassphraseVerification(passphrase))
+
+    verification2 = await authenticate_with_idp(
+        laptop_tanker, provider_id, subject_cookie
+    )
+    await laptop_tanker.set_verification_method(verification2)
+
+    methods = set(await laptop_tanker.get_verification_methods())
+    assert len(methods) == 2
+    oidc_methods = [x for x in methods if isinstance(x, OidcIdTokenVerificationMethod)]
+    assert oidc_methods[0].provider_id == provider_config["id"]
+    assert oidc_methods[0].provider_display_name == provider_config["display_name"]
+
+    phone_path = tmp_path.joinpath("phone")
+    phone_path.mkdir(exist_ok=True)
+    phone_tanker = create_tanker(app["id"], persistent_path=phone_path)
+
+    await phone_tanker.start(alice_identity)
+    assert phone_tanker.status == TankerStatus.IDENTITY_VERIFICATION_NEEDED
+
+    verification2 = await authenticate_with_idp(
+        laptop_tanker, provider_id, subject_cookie
+    )
+    await phone_tanker.verify_identity(verification2)
+    assert phone_tanker.status == TankerStatus.READY
+
+    await laptop_tanker.stop()
+    await phone_tanker.stop()
+
+
 def test_prehash_password_empty() -> None:
     with pytest.raises(error.InvalidArgument):
         tankersdk.prehash_password("")