From 8a3ec888ffac1b97d2c70752ffca712b15d1ec8b Mon Sep 17 00:00:00 2001
From: Brian Candler
Date: Tue, 22 Feb 2022 22:15:58 +0000
Subject: [PATCH] Add backend for Hashicorp Vault OIDC Provider

---
 social_core/backends/vault.py | 18 +++++++++++
 social_core/tests/backends/test_vault.py | 41 ++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 social_core/backends/vault.py
 create mode 100644 social_core/tests/backends/test_vault.py

diff --git a/social_core/backends/vault.py b/social_core/backends/vault.py
new file mode 100644
index 00000000..42421134
--- /dev/null
+++ b/social_core/backends/vault.py
@@ -0,0 +1,18 @@
+"""
+Backend for Hashicorp Vault OIDC Identity Provider in Vault 1.9+
+https://www.vaultproject.io/docs/secrets/identity/oidc-provider
+"""
+import base64
+
+from social_core.backends.open_id_connect import OpenIdConnectAuth
+from social_core.utils import cache
+
+
+
+class VaultOpenIdConnect(OpenIdConnectAuth):
+ """
+ Vault OIDC authentication backend
+
+ This is an alias for the generic OIDC backend
+ """
+ name = 'vault'
diff --git a/social_core/tests/backends/test_vault.py b/social_core/tests/backends/test_vault.py
new file mode 100644
index 00000000..dd79606d
--- /dev/null
+++ b/social_core/tests/backends/test_vault.py
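Review bot: `import base64` and `from social_core.utils import cache` in the new vault.py are never used — the module only defines `VaultOpenIdConnect` with `name = 'vault'` — so both lines should be dropped rather than shipped as dead dependencies in a login-path module. The class docstring should also tell an operator what must be configured, since the accompanying test drives discovery from the `SOCIAL_AUTH_<NAME>_OIDC_ENDPOINT` setting (presumably `SOCIAL_AUTH_VAULT_OIDC_ENDPOINT` for this backend); something like `Set SOCIAL_AUTH_VAULT_OIDC_ENDPOINT to the Vault provider's issuer URL (https://<vault-host>/v1/identity/oidc/provider/<provider-name>); discovery and token handling come from OpenIdConnectAuth.` would make that explicit. The three blank lines between the imports and the class can be collapsed to the conventional two.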
@@ -0,0 +1,41 @@
+import json
+
+from httpretty import HTTPretty
+
+from .oauth import OAuth2Test
+from .test_open_id_connect import OpenIdConnectTestMixin
+
+class VaultOpenIdConnectTest(OpenIdConnectTestMixin, OAuth2Test):
+ backend_path = \
+ 'social_core.backends.vault.VaultOpenIdConnect'
+ issuer = 'https://vault.example.net:8200/v1/identity/oidc/provider/default'
+ openid_config_body = json.dumps({
+ 'issuer': 'https://vault.example.net:8200/v1/identity/oidc/provider/default',
+ 'jwks_uri': 'https://vault.example.net:8200/v1/identity/oidc/provider/default/.well-known/keys',
+ 'authorization_endpoint': 'https://vault.example.net:8200/ui/vault/identity/oidc/provider/default/authorize',
+ 'token_endpoint': 'https://vault.example.net:8200/v1/identity/oidc/provider/default/token',
+ 'userinfo_endpoint': 'https://vault.example.net:8200/v1/identity/oidc/provider/default/userinfo',
+ 'request_uri_parameter_supported': False,
+ 'grant_types_supported': [ 'authorization_code' ],
+ 'token_endpoint_auth_methods_supported': [ 'client_secret_basic' ],
+ })
+
+ expected_username = 'cartman'
+
+ def extra_settings(self):
+ settings = super().extra_settings()
+ settings.update({
+ f'SOCIAL_AUTH_{self.name}_OIDC_ENDPOINT': 'https://vault.example.net:8200/v1/identity/oidc/provider/default',
+ })
+ return settings
+
+ def pre_complete_callback(self, start_url):
+ super().pre_complete_callback(start_url)
+ HTTPretty.register_uri('GET',
+ uri=self.backend.userinfo_url(),
+ status=200,
+ body=json.dumps({'preferred_username': self.expected_username}),
+ content_type='text/json')
+
+ def test_everything_works(self):
+ self.do_login()
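Review bot: The issuer URL `https://vault.example.net:8200/v1/identity/oidc/provider/default` is spelled out literally in the `issuer` attribute, in four keys of `openid_config_body`, and again in `extra_settings`, so a single typo in one copy would make the discovery fixture disagree with the issuer the ID token is checked against without any obvious failure message. Deriving the repeated values from the one attribute keeps them in lockstep, e.g. `'jwks_uri': issuer + '/.well-known/keys',`, `'token_endpoint': issuer + '/token',` and `f'SOCIAL_AUTH_{self.name}_OIDC_ENDPOINT': self.issuer,` (the `authorization_endpoint` under `/ui/vault/...` is the one genuinely different URL and stays literal). The userinfo mock in `pre_complete_callback` is registered with `content_type='text/json'`; the registered media type for JSON is `application/json`, and mocking the real type avoids the test passing only because the backend happens to ignore Content-Type.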