Add external IDP management Admin API for OpenID (#15152)

2025-11-07 12:52:58 -05:00 · 2022-07-05 18:18:04 -07:00
parent ac055b09e9
commit af9bc7ea7d
7 changed files with 616 additions and 116 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1100,6 +1100,10 @@ func (c Config) ResolveConfigParam(subSys, target, cfgParam string) (value strin
 	}

 	defValue, isFound := defKVS.Lookup(cfgParam)
+	// Comments usually are absent from `defKVS`, so we handle it specially.
+	if cfgParam == Comment {
+		defValue, isFound = "", true
+	}
 	if !isFound {
 		return
 	}
@@ -1134,3 +1138,54 @@ func (c Config) ResolveConfigParam(subSys, target, cfgParam string) (value strin
 	cs = ValueSourceDef
 	return
 }
+
+// KVSrc represents a configuration parameter key and value along with the
+// source of the value.
+type KVSrc struct {
+	Key   string
+	Value string
+	Src   ValueSource
+}
+
+// GetResolvedConfigParams returns all applicable config parameters with their
+// value sources.
+func (c Config) GetResolvedConfigParams(subSys, target string) ([]KVSrc, error) {
+	// Initially only support OpenID
+	if !resolvableSubsystems.Contains(subSys) {
+		return nil, fmt.Errorf("unsupported subsystem: %s", subSys)
+	}
+
+	// Check if config param requested is valid.
+	defKVS, ok := DefaultKVS[subSys]
+	if !ok {
+		return nil, fmt.Errorf("unknown subsystem: %s", subSys)
+	}
+
+	r := make([]KVSrc, 0, len(defKVS)+1)
+	for _, kv := range defKVS {
+		v, vs := c.ResolveConfigParam(subSys, target, kv.Key)
+
+		// Fix `vs` when default.
+		if v == kv.Value {
+			vs = ValueSourceDef
+		}
+
+		r = append(r, KVSrc{
+			Key:   kv.Key,
+			Value: v,
+			Src:   vs,
+		})
+	}
+
+	// Add the comment key as well if non-empty.
+	v, vs := c.ResolveConfigParam(subSys, target, Comment)
+	if vs != ValueSourceDef {
+		r = append(r, KVSrc{
+			Key:   Comment,
+			Value: v,
+			Src:   vs,
+		})
+	}
+
+	return r, nil
+}
--- a/internal/config/identity/openid/help.go
+++ b/internal/config/identity/openid/help.go
@@ -52,6 +52,7 @@ var (
 		config.HelpKV{
 			Key:         ClientSecret,
 			Description: `secret for the unique public identifier for apps` + defaultHelpPostfix(ClientSecret),
+			Sensitive:   true,
 			Type:        "string",
 		},
 		config.HelpKV{
--- a/internal/config/identity/openid/openid.go
+++ b/internal/config/identity/openid/openid.go
@@ -24,6 +24,7 @@ import (
 	"errors"
 	"io"
 	"net/http"
+	"sort"
 	"strconv"
 	"strings"
 	"sync"
@@ -391,6 +392,107 @@ func LookupConfig(s config.Config, transport http.RoundTripper, closeRespFn func
 	return c, nil
 }

+// ErrProviderConfigNotFound - represents a non-existing provider error.
+var ErrProviderConfigNotFound = errors.New("provider configuration not found")
+
+// GetConfigInfo - returns configuration and related info for the given IDP
+// provider.
+func (r *Config) GetConfigInfo(s config.Config, cfgName string) ([]madmin.IDPCfgInfo, error) {
+	openIDConfigs, err := s.GetAvailableTargets(config.IdentityOpenIDSubSys)
+	if err != nil {
+		return nil, err
+	}
+
+	present := false
+	for _, cfg := range openIDConfigs {
+		if cfg == cfgName {
+			present = true
+			break
+		}
+	}
+
+	if !present {
+		return nil, ErrProviderConfigNotFound
+	}
+
+	kvsrcs, err := s.GetResolvedConfigParams(config.IdentityOpenIDSubSys, cfgName)
+	if err != nil {
+		return nil, err
+	}
+
+	res := make([]madmin.IDPCfgInfo, 0, len(kvsrcs)+1)
+	for _, kvsrc := range kvsrcs {
+		// skip default values.
+		if kvsrc.Src == config.ValueSourceDef {
+			if kvsrc.Key != madmin.EnableKey {
+				continue
+			}
+			// set an explicit on/off from live configuration.
+			kvsrc.Value = "off"
+			if _, ok := r.ProviderCfgs[cfgName]; ok {
+				if r.Enabled {
+					kvsrc.Value = "on"
+				}
+			}
+		}
+		res = append(res, madmin.IDPCfgInfo{
+			Key:   kvsrc.Key,
+			Value: kvsrc.Value,
+			IsCfg: true,
+			IsEnv: kvsrc.Src == config.ValueSourceEnv,
+		})
+	}
+
+	if provCfg, exists := r.ProviderCfgs[cfgName]; exists && provCfg.RolePolicy != "" {
+		// Append roleARN
+		res = append(res, madmin.IDPCfgInfo{
+			Key:   "roleARN",
+			Value: provCfg.roleArn.String(),
+			IsCfg: false,
+		})
+	}
+
+	// sort the structs by the key
+	sort.Slice(res, func(i, j int) bool {
+		return res[i].Key < res[j].Key
+	})
+
+	return res, nil
+}
+
+// GetConfigList - list openID configurations
+func (r *Config) GetConfigList(s config.Config) ([]madmin.IDPListItem, error) {
+	openIDConfigs, err := s.GetAvailableTargets(config.IdentityOpenIDSubSys)
+	if err != nil {
+		return nil, err
+	}
+
+	var res []madmin.IDPListItem
+	for _, cfg := range openIDConfigs {
+		pcfg, ok := r.ProviderCfgs[cfg]
+		if !ok {
+			res = append(res, madmin.IDPListItem{
+				Type:    "openid",
+				Name:    cfg,
+				Enabled: false,
+			})
+		} else {
+			var roleARN string
+			if pcfg.RolePolicy != "" {
+				roleARN = pcfg.roleArn.String()
+			}
+			res = append(res, madmin.IDPListItem{
+				Type:    "openid",
+				Name:    cfg,
+				Enabled: r.Enabled,
+				RoleARN: roleARN,
+			})
+		}
+	}
+
+	return res, nil
+}
+
 // Enabled returns if configURL is enabled.
 func Enabled(kvs config.KVS) bool {
 	return kvs.Get(ConfigURL) != ""