feat: add OIDC federations support

iam.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/selectel/iam-go/iamerrors"
 	baseclient "github.com/selectel/iam-go/internal/client"
+	"github.com/selectel/iam-go/service/federations/oidc"
 	"github.com/selectel/iam-go/service/federations/saml"
 	"github.com/selectel/iam-go/service/groups"
 	"github.com/selectel/iam-go/service/roles"
@@ -66,6 +67,9 @@ type Client struct {
 	// SAMLFederations instance is used to make requests against Selectel IAM API and manage SAML Federations.
 	// It also contains Certificates service, which is used to manage certificates.
 	SAMLFederations *saml.Service
+
+	// OIDCFederations instance is used to make requests against Selectel IAM API and manage OIDC Federations.
+	OIDCFederations *oidc.Service
 }
 
 type AuthOpts struct {
@@ -141,6 +145,7 @@ func New(opts ...Option) (*Client, error) {
 	c.Roles = roles.New(c.baseClient)
 	c.S3Credentials = s3credentials.New(c.baseClient)
 	c.SAMLFederations = saml.New(c.baseClient)
+	c.OIDCFederations = oidc.New(c.baseClient)
 
 	return c, nil
 }

iam_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/selectel/iam-go/iamerrors"
 	baseclient "github.com/selectel/iam-go/internal/client"
+	"github.com/selectel/iam-go/service/federations/oidc"
 	"github.com/selectel/iam-go/service/federations/saml"
 	"github.com/selectel/iam-go/service/groups"
 	"github.com/selectel/iam-go/service/roles"
@@ -66,6 +67,7 @@ func TestNew(t *testing.T) {
 					Roles:           roles.New(baseClient),
 					S3Credentials:   s3credentials.New(baseClient),
 					SAMLFederations: saml.New(baseClient),
+					OIDCFederations: oidc.New(baseClient),
 				}
 			},
 			expectedError: nil,
@@ -110,6 +112,7 @@ func TestNew(t *testing.T) {
 					Roles:           roles.New(baseClient),
 					S3Credentials:   s3credentials.New(baseClient),
 					SAMLFederations: saml.New(baseClient),
+					OIDCFederations: oidc.New(baseClient),
 				}
 			},
 			expectedError: nil,
@@ -147,6 +150,7 @@ func TestNew(t *testing.T) {
 					Roles:           roles.New(baseClient),
 					S3Credentials:   s3credentials.New(baseClient),
 					SAMLFederations: saml.New(baseClient),
+					OIDCFederations: oidc.New(baseClient),
 				}
 			},
 			expectedError: nil,

iamerrors/iamerrors.go

@@ -38,6 +38,11 @@ var (
 	ErrFederationCertificateNotFound   = errors.New("FEDERATION_CERTIFICATE_NOT_FOUND")
 	ErrFederationMaxAgeHoursRequired   = errors.New("FEDERATION_MAX_AGE_HOURS_REQUIRED")
 	ErrFederationNotFound              = errors.New("FEDERATION_NOT_FOUND")
+	ErrFederationClientIDRequired      = errors.New("FEDERATION_CLIENT_ID_REQUIRED")
+	ErrFederationClientSecretRequired  = errors.New("FEDERATION_CLIENT_SECRET_REQUIRED")
+	ErrFederationAuthURLRequired       = errors.New("FEDERATION_AUTH_URL_REQUIRED")
+	ErrFederationTokenURLRequired      = errors.New("FEDERATION_TOKEN_URL_REQUIRED")
+	ErrFederationJWKSURLRequired       = errors.New("FEDERATION_JWKS_URL_REQUIRED")
 
 	ErrCredentialNameRequired      = errors.New("CREDENTIAL_NAME_REQUIRED")
 	ErrCredentialAccessKeyRequired = errors.New("CREDENTIAL_ACCESS_KEY_REQUIRED")
@@ -86,6 +91,10 @@ var (
 		ErrFederationCertificateNotFound.Error():   ErrFederationCertificateNotFound,
 		ErrFederationNotFound.Error():              ErrFederationNotFound,
 		ErrFederationMaxAgeHoursRequired.Error():   ErrFederationMaxAgeHoursRequired,
+		ErrFederationClientIDRequired.Error():      ErrFederationClientIDRequired,
+		ErrFederationAuthURLRequired.Error():       ErrFederationAuthURLRequired,
+		ErrFederationTokenURLRequired.Error():      ErrFederationTokenURLRequired,
+		ErrFederationJWKSURLRequired.Error():       ErrFederationJWKSURLRequired,
 		ErrUserOrGroupNotFound.Error():             ErrUserOrGroupNotFound,
 		ErrServiceUserNameRequired.Error():         ErrServiceUserNameRequired,
 		ErrServiceUserPasswordRequired.Error():     ErrServiceUserPasswordRequired,

service/federations/oidc/doc.go

@@ -0,0 +1,2 @@
+// Package oidc provides a set of functions for interacting with the Selectel OIDC Federations API.
+package oidc

service/federations/oidc/groupmappings/doc.go

@@ -0,0 +1,3 @@
+// Package groupmappings provides a set of functions for interacting with
+// the Selectel OIDC Federation Group Mappings API.
+package groupmappings

service/federations/oidc/groupmappings/requests.go

@@ -0,0 +1,190 @@
+package groupmappings
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/url"
+
+	"github.com/selectel/iam-go/iamerrors"
+	"github.com/selectel/iam-go/internal/client"
+)
+
+const apiVersion = "v1"
+
+// Service is used to communicate with the OIDC Federations Group Mappings API.
+type Service struct {
+	baseClient *client.BaseClient
+}
+
+// New Initialises Service with the given client.
+func New(baseClient *client.BaseClient) *Service {
+	return &Service{
+		baseClient: baseClient,
+	}
+}
+
+// List returns a list of mappings for the OIDC Federation.
+func (s *Service) List(ctx context.Context, federationID string) (*GroupMappingsResponse, error) {
+	if federationID == "" {
+		return nil, iamerrors.Error{Err: iamerrors.ErrFederationIDRequired, Desc: "No federationID was provided."}
+	}
+
+	path, err := url.JoinPath(apiVersion, "federations", "oidc", federationID, "group-mappings")
+	if err != nil {
+		return nil, iamerrors.Error{Err: iamerrors.ErrInternalAppError, Desc: err.Error()}
+	}
+
+	response, err := s.baseClient.DoRequest(ctx, client.DoRequestInput{
+		Body:   nil,
+		Method: http.MethodGet,
+		Path:   path,
+	})
+	if err != nil {
+		//nolint:wrapcheck // DoRequest already wraps the error.
+		return nil, err
+	}
+
+	var mappings GroupMappingsResponse
+	err = client.UnmarshalJSON(response, &mappings)
+	if err != nil {
+		return nil, iamerrors.Error{Err: iamerrors.ErrInternalAppError, Desc: err.Error()}
+	}
+
+	return &mappings, nil
+}
+
+// Update updates mappings for the OIDC Federation.
+func (s *Service) Update(
+	ctx context.Context, federationID string, input GroupMappingsRequest,
+) error {
+	if federationID == "" {
+		return iamerrors.Error{Err: iamerrors.ErrFederationIDRequired, Desc: "No federationID was provided."}
+	}
+
+	path, err := url.JoinPath(apiVersion, "federations", "oidc", federationID, "group-mappings")
+	if err != nil {
+		return iamerrors.Error{Err: iamerrors.ErrInternalAppError, Desc: err.Error()}
+	}
+
+	body, err := json.Marshal(input)
+	if err != nil {
+		return iamerrors.Error{Err: iamerrors.ErrInternalAppError, Desc: err.Error()}
+	}
+
+	_, err = s.baseClient.DoRequest(ctx, client.DoRequestInput{
+		Body:   bytes.NewReader(body),
+		Method: http.MethodPut,
+		Path:   path,
+	})
+	if err != nil {
+		//nolint:wrapcheck // DoRequest already wraps the error.
+		return err
+	}
+
+	return nil
+}
+
+// Add creates mapping between internal and external group.
+func (s *Service) Add(
+	ctx context.Context, federationID, groupID, externalGroupID string,
+) error {
+	path, err := buildExternalGroupMappingPath(federationID, groupID, externalGroupID)
+	if err != nil {
+		return err
+	}
+
+	_, err = s.baseClient.DoRequest(ctx, client.DoRequestInput{
+		Body:   nil,
+		Method: http.MethodPut,
+		Path:   path,
+	})
+	if err != nil {
+		//nolint:wrapcheck // DoRequest already wraps the error.
+		return err
+	}
+
+	return nil
+}
+
+// Delete deletes mapping between internal and external group.
+func (s *Service) Delete(
+	ctx context.Context, federationID, groupID, externalGroupID string,
+) error {
+	path, err := buildExternalGroupMappingPath(federationID, groupID, externalGroupID)
+	if err != nil {
+		return err
+	}
+
+	_, err = s.baseClient.DoRequest(ctx, client.DoRequestInput{
+		Body:   nil,
+		Method: http.MethodDelete,
+		Path:   path,
+	})
+	if err != nil {
+		//nolint:wrapcheck // DoRequest already wraps the error.
+		return err
+	}
+
+	return nil
+}
+
+// Exists checks that internal and external groups are mapped.
+func (s *Service) Exists(
+	ctx context.Context, federationID, groupID, externalGroupID string,
+) (bool, error) {
+	path, err := buildExternalGroupMappingPath(federationID, groupID, externalGroupID)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = s.baseClient.DoRequest(ctx, client.DoRequestInput{
+		Body:   nil,
+		Method: http.MethodHead,
+		Path:   path,
+	})
+	if err != nil {
+		if errors.Is(err, iamerrors.ErrFederationNotFound) ||
+			errors.Is(err, iamerrors.ErrGroupNotFound) ||
+			errors.Is(err, iamerrors.ErrUserOrGroupNotFound) {
+			return false, nil
+		}
+
+		//nolint:wrapcheck // DoRequest already wraps the error.
+		return false, err
+	}
+
+	return true, nil
+}
+
+func buildExternalGroupMappingPath(
+	federationID, groupID, externalGroupID string,
+) (string, error) {
+	if federationID == "" {
+		return "", iamerrors.Error{Err: iamerrors.ErrFederationIDRequired, Desc: "No federationID was provided."}
+	}
+	if groupID == "" {
+		return "", iamerrors.Error{Err: iamerrors.ErrGroupIDRequired, Desc: "No groupID was provided."}
+	}
+	if externalGroupID == "" {
+		return "", iamerrors.Error{Err: iamerrors.ErrInputDataRequired, Desc: "No externalGroupID was provided."}
+	}
+
+	path, err := url.JoinPath(
+		apiVersion,
+		"federations",
+		"oidc",
+		federationID,
+		"group-mappings",
+		groupID,
+		"external-groups",
+		externalGroupID,
+	)
+	if err != nil {
+		return "", iamerrors.Error{Err: iamerrors.ErrInternalAppError, Desc: err.Error()}
+	}
+
+	return path, nil
+}