Add support for RFC6750 bearer tokens to ocserv

This permits the validation of OpenID Connect auth tokens OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.

Resolves: #240

Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>

tests/Makefile.am

@@ -151,6 +151,7 @@ human_addr_CPPFLAGS = $(AM_CPPFLAGS)
 human_addr_SOURCES = human_addr.c
 human_addr_LDADD = $(LDADD)
 
+
 valid_hostname_LDADD = $(LDADD)
 
 port_parsing_LDADD = $(LDADD)
@@ -159,8 +160,16 @@ check_PROGRAMS = str-test str-test2 ipv4-prefix ipv6-prefix kkdcp-parsing json-e
 	port-parsing human_addr valid-hostname url-escape html-escape cstp-recv \
 	proxyproto-v1
 
+gen_oidc_test_data_CPPFLAGS = $(AM_CPPFLAGS) 
+gen_oidc_test_data_SOURCES = generate_oidc_test_data.c
+gen_oidc_test_data_LDADD = $(LDADD) $(CJOSE_LIBS) $(JANSSON_LIBS)
 
-TESTS = $(dist_check_SCRIPTS) $(check_PROGRAMS) $(xfail_scripts)
+if ENABLE_OIDC_AUTH_TESTS
+check_PROGRAMS += gen_oidc_test_data
+dist_check_SCRIPTS += test-oidc
+endif
+
+TESTS =  $(check_PROGRAMS) $(dist_check_SCRIPTS) $(xfail_scripts)
 
 XFAIL_TESTS = $(xfail_scripts)
 

tests/config-auth.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE config-auth SYSTEM "config-auth.dtd">
+<config-auth client="vpn" type="init">
+    <version who="vpn">v5.01</version>
+</config-auth>
+
+

tests/data/test-oidc-auth.config

@@ -0,0 +1,198 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+auth = "oidc[config=@SRCDIR@/data/oidc.json]"
+
+isolate-workers = false
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = [IP|HOSTNAME]
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@ 
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+min-reauth-time = 20
+
+max-ban-score = 9999999
+
+# The time (in seconds) that all score kept for a client is reset.
+ban-reset-time = 10
+
+# In case you'd like to change the default points.
+ban-points-wrong-password = 10
+ban-points-connection = 1
+ban-points-kkdcp = 1
+
+
+# Cookie timeout (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. That cookie will be invalided if not
+# used within this timeout value. On a user disconnection, that
+# cookie will also be active for this time amount prior to be
+# invalid. That should allow a reasonable amount of time for roaming
+# between different networks.
+cookie-timeout = 30
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# PID file
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = @OCCTL_SOCKET@
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+# Use the keywork local to advertize the local P-t-P address as DNS server
+dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+ipv6-network = fe80::
+ipv6-prefix = 16
+#ipv6-dns = 
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu = 
+
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. They are only available if the server is built 
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+

tests/generate_oidc_test_data.c

@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) 2020 Microsoft Corporation
+ *
+ * Author: Alan Jowett
+ *
+ * This file is part of ocserv.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ */
+ 
+#include <config.h>
+#include <unistd.h>
+
+#include <cjose/cjose.h>
+#include <jansson.h>
+#include <string.h>
+
+cjose_jwk_t *create_key(const char *kid)
+{
+	cjose_err err;
+	cjose_jwk_t *key = cjose_jwk_create_EC_random(CJOSE_JWK_EC_P_256, &err);
+	if (!key) {
+		return NULL;
+	}
+
+	if (!cjose_jwk_set_kid(key, kid, strlen(kid), &err)) {
+		return NULL;
+	}
+	return key;
+}
+
+json_t *create_oidc_config(const char *openid_configuration_url,
+			   const char *user_name_claim, const char *audience,
+			   const char *issuer)
+{
+	bool result = false;
+	json_t *config = json_object();
+	json_t *required_claims = json_object();
+	if (json_object_set_new
+	    (config, "openid_configuration_url",
+	     json_string(openid_configuration_url))) {
+		goto cleanup;
+	}
+
+	if (json_object_set_new
+	    (config, "user_name_claim", json_string(user_name_claim))) {
+		goto cleanup;
+	}
+
+	if (json_object_set_new(required_claims, "aud", json_string(audience))) {
+		goto cleanup;
+	}
+
+	if (json_object_set_new(required_claims, "iss", json_string(issuer))) {
+		goto cleanup;
+	}
+
+	if (json_object_set_new(config, "required_claims", required_claims)) {
+		goto cleanup;
+	}
+
+	required_claims = NULL;
+
+	result = true;
+
+ cleanup:
+	if (!result && config) {
+		json_decref(config);
+		config = NULL;
+	}
+
+	return config;
+}
+
+json_t *create_openid_configuration(char *key_url)
+{
+	json_t *config = json_object();
+	if (json_object_set_new(config, "jwks_uri", json_string(key_url))) {
+		json_decref(config);
+		return NULL;
+	}
+	return config;
+}
+
+json_t *create_keys(cjose_jwk_t * key)
+{
+	cjose_err err;
+	json_t *keys_json = json_object();
+	json_t *keys_array = json_array();
+	json_t *key_json;
+
+	const char *key_str = cjose_jwk_to_json(key, false, &err);
+	key_json = json_loads(key_str, 0, NULL);
+	json_array_append_new(keys_array, key_json);
+	json_object_set_new(keys_json, "keys", keys_array);
+	return keys_json;
+}
+
+json_t *create_header(const char *typ, const char *alg, const char *kid)
+{
+	json_t *header_json = json_object();
+	if (typ) {
+		json_object_set_new(header_json, "typ", json_string(typ));
+	}
+	if (alg) {
+		json_object_set_new(header_json, "alg", json_string(alg));
+	}
+	if (kid) {
+		json_object_set_new(header_json, "kid", json_string(kid));
+	}
+	return header_json;
+}
+
+json_t *create_claims(const char *audience, const char *issuer,
+		      json_int_t issued_at, json_int_t not_before,
+		      json_int_t expires, const char *preferred_user_name)
+{
+	json_t *claims_json = json_object();
+	if (audience) {
+		json_object_set_new(claims_json, "aud", json_string(audience));
+	}
+	if (issuer) {
+		json_object_set_new(claims_json, "iss", json_string(issuer));
+	}
+	if (issued_at) {
+		json_object_set_new(claims_json, "iat",
+				    json_integer(issued_at));
+	}
+	if (not_before) {
+		json_object_set_new(claims_json, "nbf",
+				    json_integer(not_before));
+	}
+	if (expires) {
+		json_object_set_new(claims_json, "exp", json_integer(expires));
+	}
+	if (preferred_user_name) {
+		json_object_set_new(claims_json, "preferred_username",
+				    json_string(preferred_user_name));
+	}
+	return claims_json;
+}
+
+cjose_jws_t *create_jws(cjose_jwk_t * key, json_t * header, json_t * claims)
+{
+	cjose_err err;
+	char *claims_str = json_dumps(claims, 0);
+	cjose_jws_t *jws =
+	    cjose_jws_sign(key, header, (const uint8_t *)claims_str,
+			   strlen(claims_str), &err);
+	free(claims_str);
+	return jws;
+}
+
+bool write_jws_to_file(cjose_jws_t * jws, const char *file)
+{
+	cjose_err err;
+	const char *jws_str;
+	FILE *f = fopen(file, "w");
+	if (!cjose_jws_export(jws, &jws_str, &err)) {
+		fclose(f);
+		return false;
+	}
+
+	fprintf(f, "%s", jws_str);
+	fclose(f);
+	return true;
+}
+
+void generate_token(const char *output_folder, const char *token_name,
+		    cjose_jwk_t * key, const char *typ, const char *alg,
+		    const char *kid, const char *audience, const char *issuer,
+		    const char *user_name, json_int_t issued_at,
+		    json_int_t not_before, json_int_t expires)
+{
+	char token_file[1024];
+	snprintf(token_file, sizeof(token_file), "%s/%s.token", output_folder,
+		 token_name);
+	json_t *header = create_header(typ, alg, kid);
+	json_t *claims =
+	    create_claims(audience, issuer, issued_at, not_before, expires,
+			  user_name);
+	cjose_jws_t *jws = create_jws(key, header, claims);
+	write_jws_to_file(jws, token_file);
+
+	cjose_jws_release(jws);
+	json_decref(header);
+	json_decref(claims);
+}
+
+void generate_config_files(const char *output_folder, cjose_jwk_t * key,
+			   const char *expected_audience,
+			   const char *expected_issuer,
+			   const char *user_name_claim)
+{
+	char oidc_config_file[1024];
+	char openid_configuration_file[1024];
+	char keys_file[1024];
+	char openid_configuration_uri[1024];
+	char keys_uri[1024];
+	int retval;
+	retval =
+	    snprintf(oidc_config_file, sizeof(oidc_config_file), "%s/oidc.json",
+		     output_folder);
+
+	retval =
+	    snprintf(openid_configuration_file,
+		     sizeof(openid_configuration_file),
+		     "%s/openid-configuration.json", output_folder);
+	if (retval < 0 || retval > sizeof(openid_configuration_file)) {
+		exit(1);
+	}
+
+	retval =
+	    snprintf(keys_file, sizeof(keys_file), "%s/keys.json",
+		     output_folder);
+	if (retval < 0 || retval > sizeof(openid_configuration_file)) {
+		exit(1);
+	}
+	retval =
+	    snprintf(openid_configuration_uri, sizeof(openid_configuration_uri),
+		     "file://localhost%s", openid_configuration_file);
+	if (retval < 0 || retval > sizeof(openid_configuration_file)) {
+		exit(1);
+	}
+
+	retval =
+	    snprintf(keys_uri, sizeof(keys_uri), "file://localhost%s",
+		     keys_file);
+	if (retval < 0 || retval > sizeof(openid_configuration_file)) {
+		exit(1);
+	}
+
+	json_t *oidc_config =
+	    create_oidc_config(openid_configuration_uri, "preferred_username",
+			       "SomeAudience", "SomeIssuer");
+	json_t *openid_configuration = create_openid_configuration(keys_uri);
+	json_t *keys = create_keys(key);
+
+	json_dump_file(oidc_config, oidc_config_file, 0);
+	json_dump_file(openid_configuration, openid_configuration_file, 0);
+	json_dump_file(keys, keys_file, 0);
+
+	json_decref(oidc_config);
+	json_decref(openid_configuration);
+	json_decref(keys);
+}
+
+int main(int argc, char **argv)
+{
+	char working_directory[1024];
+	const char audience[] = "SomeAudience";
+	const char issuer[] = "SomeIssuer";
+	const char user_name_claim[] = "preferred_user_name";
+	const char kid[] = "My Fake Key";
+	const char user_name[] = "SomeUser";
+	const char typ[] = "JWT";
+	const char alg[] = "ES256";
+	time_t now = time(NULL);
+
+	if (!getcwd(working_directory, sizeof(working_directory))) {
+		return 1;
+	}
+	strncat(working_directory, "/data", sizeof(working_directory));
+
+	cjose_jwk_t *key = create_key("My Fake Key");
+
+	generate_config_files(working_directory, key, audience, issuer,
+			      user_name_claim);
+
+	generate_token(working_directory, "success_good", key, typ, alg, kid,
+		       audience, issuer, user_name, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_expired", key, typ, alg, kid,
+		       audience, issuer, user_name, now - 7260, now - 7260,
+		       now - 3600);
+	generate_token(working_directory, "fail_bad_typ", key, "FOO", alg, kid,
+		       audience, issuer, user_name, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_bad_alg", key, typ, "FOO", kid,
+		       audience, issuer, user_name, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_wrong_kid", key, typ, alg,
+		       "FOO", audience, issuer, user_name, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_wrong_aud", key, typ, alg, kid,
+		       "FOO", issuer, user_name, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_wrong_iss", key, typ, alg, kid,
+		       audience, "FOO", user_name, now - 60, now - 60,
+		       now + 3600);
+
+	generate_token(working_directory, "fail_missing_aud", key, typ, alg,
+		       kid, NULL, issuer, user_name, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_missing_iss", key, typ, alg,
+		       kid, audience, NULL, user_name, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_missing_user", key, typ, alg,
+		       kid, audience, issuer, NULL, now - 60, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_missing_iat", key, typ, alg,
+		       kid, audience, issuer, user_name, 0, now - 60,
+		       now + 3600);
+	generate_token(working_directory, "fail_missing_nbf", key, typ, alg,
+		       kid, audience, issuer, user_name, now - 60, 0,
+		       now + 3600);
+	generate_token(working_directory, "fail_missing_exp", key, typ, alg,
+		       kid, audience, issuer, user_name, now - 60, now - 60, 0);
+	return 0;
+}

tests/test-oidc

@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# Copyright (C) 2020 Microsoft Corporation
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GnuTLS; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+SERV="${SERV:-../src/ocserv}"
+srcdir=${srcdir:-.}
+NO_NEED_ROOT=1
+PORT=4503
+PIDFILE=ocserv-pid.$$.tmp
+OCCTL_SOCKET=./occtl-oidc-$$.socket
+
+. `dirname $0`/common.sh
+
+echo "Testing local backend with oidc token auth... "
+
+update_config test-oidc-auth.config
+launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
+wait_server $PID
+
+for token in data/success_*; do
+    http_result=$(LD_PRELOAD=libsocket_wrapper.so curl --insecure https://$ADDRESS:$PORT --request POST --data config-auth.xml --header "Authorization:Bearer=`cat $token`" --output /dev/null --write-out "%{http_code}")
+    if [ "$http_result" != "200" ]; then
+        fail $PID "Token incorrectly rejected returned $http_result"  
+    fi
+done
+for token in data/fail_*; do
+    http_result=$(LD_PRELOAD=libsocket_wrapper.so curl --insecure https://$ADDRESS:$PORT --request POST --data config-auth.xml --header "Authorization:Bearer=`cat $token`" --output /dev/null --silent --write-out "%{http_code}")
+    if [ "$http_result" != "401" ]; then
+        fail $PID "Token incorrectly accepted returned $http_result"
+    fi
+done
+
+if ! test -f ${PIDFILE};then
+	fail $PID "Could not find pid file ${PIDFILE}"
+fi
+
+cleanup
+
+exit 0