From 30ddc0b610957a07b64967b64c1f4ad30269f289 Mon Sep 17 00:00:00 2001 From: Webb Scales <7795764+webbnh@users.noreply.github.com> Date: Mon, 10 Jul 2023 12:04:31 -0400 Subject: [PATCH] Fix OIDC access to verify TLS connection (#3487) * Add exception message to ServerConnectionError * Abort keycloak retries on connection and other non-HTTP errors * Use consistent approach to TLS verification for OIDC connection --- lib/pbench/server/auth/__init__.py | 23 +++++++++++-------- lib/pbench/test/unit/server/auth/test_auth.py | 4 ++-- server/lib/config/pbench-server-default.cfg | 6 ++--- .../etc/pbench-server/pbench-server.cfg | 5 ++-- 4 files changed, 20 insertions(+), 18 deletions(-) diff --git a/lib/pbench/server/auth/__init__.py b/lib/pbench/server/auth/__init__.py index 90ad3358ac..f16992e1f2 100644 --- a/lib/pbench/server/auth/__init__.py +++ b/lib/pbench/server/auth/__init__.py @@ -205,10 +205,10 @@ def wait_for_oidc_server( try: oidc_server = server_config.get("openid", "server_url") oidc_realm = server_config.get("openid", "realm") - # Get a custom cert location to verify Keycloak ssl if its define - # in the config file. Otherwise, we default to using system-wide - # certificates. - cert = server_config.get("openid", "cert_location", fallback=True) + # Look for a custom CA to use in the verification of the TLS + # connection to the OIDC server. If it is undefined, the value of + # True will result in using the default TLS verification. + ca_cert = server_config.get("openid", "tls_ca_file", fallback=True) except (NoOptionError, NoSectionError) as exc: raise OpenIDClient.NotConfigured() from exc @@ -224,6 +224,8 @@ def wait_for_oidc_server( # https://urllib3.readthedocs.io/en/latest/reference/urllib3.util.html#module-urllib3.util.retry retry = Retry( total=8, + connect=0, + other=0, backoff_factor=2, status_forcelist=tuple(int(x) for x in HTTPStatus if x != 200), ) @@ -236,11 +238,11 @@ def wait_for_oidc_server( try: response = session.get( f"{oidc_server}/realms/{oidc_realm}/.well-known/openid-configuration", - verify=cert, + verify=ca_cert, ) response.raise_for_status() except Exception as exc: - raise OpenIDClient.ServerConnectionError() from exc + raise OpenIDClient.ServerConnectionError(str(exc)) from exc if response.json().get("issuer") == f"{oidc_server}/realms/{oidc_realm}": logger.debug("OIDC server connection verified") connected = True @@ -268,14 +270,15 @@ def construct_oidc_client(cls, server_config: PbenchServerConfig) -> "OpenIDClie server_url = server_config.get("openid", "server_url") client = server_config.get("openid", "client") realm = server_config.get("openid", "realm") + # Look for a custom CA to use in the verification of the TLS + # connection to the OIDC server. If it is undefined, the value of + # True will result in using the default TLS verification. + ca_cert = server_config.get("openid", "tls_ca_file", fallback=True) except (NoOptionError, NoSectionError) as exc: raise OpenIDClient.NotConfigured() from exc oidc_client = cls( - server_url=server_url, - client_id=client, - realm_name=realm, - verify=False, + server_url=server_url, client_id=client, realm_name=realm, verify=ca_cert ) oidc_client.set_oidc_public_key() return oidc_client diff --git a/lib/pbench/test/unit/server/auth/test_auth.py b/lib/pbench/test/unit/server/auth/test_auth.py index 2884d23ea7..8251c46ebd 100644 --- a/lib/pbench/test/unit/server/auth/test_auth.py +++ b/lib/pbench/test/unit/server/auth/test_auth.py @@ -300,7 +300,7 @@ def test_wait_for_oidc_server_fail(self, make_logger): config["openid"] = { "server_url": "https://example.com", "realm": "realm", - "cert_location": "/ca.crt", + "tls_ca_file": "/ca.crt", } # Keycloak well-known endpoint without any response @@ -338,7 +338,7 @@ def test_wait_for_oidc_server_succ(self, make_logger): config["openid"] = { "server_url": "https://example.com", "realm": "realm", - "cert_location": "/ca.crt", + "tls_ca_file": "/ca.crt", } # Keycloak well-known endpoint returning response with valid issuer diff --git a/server/lib/config/pbench-server-default.cfg b/server/lib/config/pbench-server-default.cfg index f61193e5f1..44203c097e 100644 --- a/server/lib/config/pbench-server-default.cfg +++ b/server/lib/config/pbench-server-default.cfg @@ -104,9 +104,9 @@ realm = pbench-server # Client entity name requesting OIDC to authenticate a user. client = pbench-client -# Cert location for connecting to the OIDC client -# If you want to use a custom CA then its location path should be recorded. -#cert_location = /path/CA +# Custom CA for verifying the TLS connection to the OIDC client. +# If omitted, TLS verification will use the system's trusted CA list. +#tls_ca_file = /path/to/CA/file [logging] logger_type = devlog diff --git a/server/pbenchinacan/etc/pbench-server/pbench-server.cfg b/server/pbenchinacan/etc/pbench-server/pbench-server.cfg index d72ede682d..372d3c9268 100644 --- a/server/pbenchinacan/etc/pbench-server/pbench-server.cfg +++ b/server/pbenchinacan/etc/pbench-server/pbench-server.cfg @@ -27,9 +27,8 @@ secret-key = "pbench-in-a-can secret shhh" [openid] server_url = https://localhost:8090 -# Override the default cert value to use for pbenchinacan Keycloak container -# connection. -cert_location = /etc/pki/tls/certs/pbench_CA.crt +# Provide a CA cert for the pbenchinacan Keycloak server connection. +tls_ca_file = /etc/pki/tls/certs/pbench_CA.crt ########################################################################### # The rest will come from the default config file.