authormo khan <mo@mokhan.ca>2025-05-15 09:11:16 -0600
committermo khan <mo@mokhan.ca>2025-05-15 09:11:16 -0600
commit3d01a69471fc4f0ae9f2f4145620b6aea50f2216 (patch)
treef85607ebfb2575bce94b5618250ebd957f965f6e /pkg
parent7c75fac3360b8bc3df630b5f8e12b2ff927a2d23 (diff)
parent564e140de454c78d7e6d34044bb78f53bd0b2bf3 (diff)
Merge branch 'envoy-start' into 'main'
Enable Envoy to run consistently locally and in Docker. See merge request gitlab-org/software-supply-chain-security/authorization/sparkled!6
Diffstat (limited to 'pkg')
-rw-r--r--pkg/oidc/oidc.go9
-rw-r--r--pkg/oidc/oidc_test.go11
-rw-r--r--pkg/oidc/provider.go27
-rw-r--r--pkg/oidc/test_server.go21
4 files changed, 46 insertions, 22 deletions
diff --git a/pkg/oidc/oidc.go b/pkg/oidc/oidc.go
index 5ff8c28..4704f63 100644
--- a/pkg/oidc/oidc.go
+++ b/pkg/oidc/oidc.go
@@ -13,12 +13,7 @@ type OpenID struct {
OIDCConfig *oidc.Config
}
-func New(ctx context.Context, issuer string, clientID, clientSecret, callbackURL string) (*OpenID, error) {
- provider, err := oidc.NewProvider(ctx, issuer)
- if err != nil {
- return nil, err
- }
-
+func New(provider *oidc.Provider, clientID, clientSecret, callbackURL string) *OpenID {
return &OpenID{
Provider: provider,
Config: &oauth2.Config{
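Review bot: `New` is now exported with a `*oidc.Provider` parameter and no error return, but nothing states that the provider must be non-nil; a nil value is stored as-is and the failure only surfaces later at the first use of the provider (e.g. `openID.Provider.Endpoint()` as in the test) rather than at construction. A doc comment would pin the contract: `// New builds an OpenID client from an already-discovered provider (see NewProvider); provider must be non-nil.` If an explicit check is preferred, `if provider == nil { panic("oidc: New called with nil provider") }` at the top makes the failure point obvious. New's body continues past the end of this hunk.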
@@ -31,7 +26,7 @@ func New(ctx context.Context, issuer string, clientID, clientSecret, callbackURL
OIDCConfig: &oidc.Config{
ClientID: clientID,
},
- }, nil
+ }
}
func (o *OpenID) ValidateIDToken(ctx context.Context, rawIDToken RawToken) (*IDToken, error) {
diff --git a/pkg/oidc/oidc_test.go b/pkg/oidc/oidc_test.go
index 47a58ba..a3dc7e4 100644
--- a/pkg/oidc/oidc_test.go
+++ b/pkg/oidc/oidc_test.go
@@ -1,11 +1,9 @@
package oidc
import (
- "context"
"testing"
"github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
)
func TestOpenID(t *testing.T) {
@@ -13,9 +11,14 @@ func TestOpenID(t *testing.T) {
defer srv.Close()
t.Run("GET /.well-known/openid-configuration", func(t *testing.T) {
- openID, err := New(context.Background(), srv.Issuer(), "client_id", "client_secret", "https://example.com/oauth/callback")
- require.NoError(t, err)
+ openID := New(
+ srv.Provider,
+ srv.MockOIDC.ClientID,
+ srv.MockOIDC.ClientSecret,
+ "https://example.com/oauth/callback",
+ )
assert.Equal(t, srv.AuthorizationEndpoint(), openID.Provider.Endpoint().AuthURL)
+ assert.Equal(t, srv.TokenEndpoint(), openID.Provider.Endpoint().TokenURL)
})
}
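Review bot: The subtest still only covers the path where discovery succeeds against the mock server; the fallback branch of `NewProvider` (provider.go, where fixed endpoints are synthesised after a discovery error) is never exercised, so a wrong hard-coded URL there would pass this suite. A second subtest that points `NewProvider` at an `httptest.Server` with no `/.well-known/openid-configuration` route, records the error passed to `report`, and asserts `openID.Provider.Endpoint().AuthURL == issuer+"/oauth/authorize"` (and the same for the token URL) would pin that behaviour. The `TokenEndpoint` assertion added here is a good start, but it only checks the discovered values.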
diff --git a/pkg/oidc/provider.go b/pkg/oidc/provider.go
new file mode 100644
index 0000000..31f7577
--- /dev/null
+++ b/pkg/oidc/provider.go
@@ -0,0 +1,27 @@
+package oidc
+
+import (
+ "context"
+
+ "github.com/coreos/go-oidc/v3/oidc"
+)
+
+func NewProvider(ctx context.Context, issuer string, report func(error)) *oidc.Provider {
+ provider, err := oidc.NewProvider(ctx, issuer)
+ if err == nil {
+ return provider
+ }
+
+ report(err)
+
+ config := &oidc.ProviderConfig{
+ IssuerURL: issuer,
+ AuthURL: issuer + "/oauth/authorize",
+ TokenURL: issuer + "/oauth/token",
+ DeviceAuthURL: "",
+ UserInfoURL: issuer + "/oauth/userinfo",
+ JWKSURL: issuer + "/oauth/disovery/keys",
+ Algorithms: []string{"RS256"},
+ }
+ return config.NewProvider(ctx)
+}
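Review bot: The fallback line `JWKSURL: issuer + "/oauth/disovery/keys",` appears to misspell "discovery", so whenever discovery fails and this hand-built config is used, fetching the signing keys for ID-token verification will hit a non-existent path and every token check fails — it fails closed, but it defeats the purpose of the fallback, and no test exercises this branch so nothing catches it. Change it to `JWKSURL: issuer + "/oauth/discovery/keys",`. Beyond the typo, a discovery error is passed to `report` and then silently downgraded to guessed endpoints (they look like GitLab's OAuth paths — worth confirming against the intended issuer); a caller whose `report` merely logs will keep running against an issuer that never advertised these URLs. The exported function has no doc comment; it should say so explicitly, e.g. `// NewProvider discovers issuer. If discovery fails it calls report(err) and falls back to fixed GitLab-style endpoints under issuer (RS256 only), so report must abort when a fallback is unacceptable.`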
diff --git a/pkg/oidc/test_server.go b/pkg/oidc/test_server.go
index 5a25549..81b37ca 100644
--- a/pkg/oidc/test_server.go
+++ b/pkg/oidc/test_server.go
@@ -30,20 +30,19 @@ func NewTestServer(t *testing.T) *TestServer {
})
})
- provider, err := oidc.NewProvider(t.Context(), srv.Issuer())
- require.NoError(t, err)
-
- config := &oauth2.Config{
- ClientID: srv.Config().ClientID,
- ClientSecret: srv.Config().ClientSecret,
- RedirectURL: "https://example.com/oauth/callback",
- Endpoint: provider.Endpoint(),
- Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
- }
+ provider := NewProvider(t.Context(), srv.Issuer(), func(err error) {
+ require.NoError(t, err)
+ })
return &TestServer{
srv,
- config,
+ &oauth2.Config{
+ ClientID: srv.ClientID,
+ ClientSecret: srv.ClientSecret,
+ RedirectURL: "https://example.com/oauth/callback",
+ Endpoint: provider.Endpoint(),
+ Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+ },
provider,
t,
}
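Review bot: The returned `TestServer` literal is positional (`srv`, `&oauth2.Config{…}`, `provider`, `t`), so its correctness depends on the field order of a struct declared outside this hunk; adding or reordering a field in `TestServer` silently shifts every value and `go vet` will not flag it. Keyed fields make the literal robust and self-describing, e.g. `return &TestServer{MockOIDC: srv, Config: &oauth2.Config{…}, Provider: provider, T: t}` — the exact field names are not visible here and must be taken from the struct definition (the test's use of `srv.Provider` and `srv.MockOIDC` suggests two of them). Also, `require.NoError` inside the `report` callback calls `t.FailNow`, which is only valid on the test goroutine; `NewProvider` invokes `report` synchronously, so this is fine today, but a one-line comment such as `// report runs synchronously inside NewProvider, so FailNow is safe here` would keep that assumption visible.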