auth
auth/authcode.go
Test around client types and secrets. Implement a test that the CreateClient handler will correctly create a confidential client and issue a secret for it. Also, just generally test that clients that are confidential are issued secrets and clients that are public are not.
| paddy@26 | 1 package auth |
| paddy@26 | 2 |
| paddy@26 | 3 import ( |
| paddy@84 | 4 "encoding/json" |
| paddy@29 | 5 "errors" |
| paddy@84 | 6 "net/http" |
| paddy@26 | 7 "time" |
| paddy@26 | 8 |
| paddy@107 | 9 "code.secondbit.org/uuid.hg" |
| paddy@26 | 10 ) |
| paddy@26 | 11 |
| paddy@84 | 12 func init() { |
| paddy@84 | 13 RegisterGrantType("authorization_code", GrantType{ |
| paddy@84 | 14 Validate: authCodeGrantValidate, |
| paddy@94 | 15 Invalidate: authCodeGrantInvalidate, |
| paddy@84 | 16 IssuesRefresh: true, |
| paddy@85 | 17 ReturnToken: RenderJSONToken, |
| paddy@123 | 18 AllowsPublic: true, |
| paddy@124 | 19 AuditString: authCodeGrantAuditString, |
| paddy@84 | 20 }) |
| paddy@84 | 21 } |
| paddy@84 | 22 |
| paddy@29 | 23 var ( |
| paddy@87 | 24 // ErrNoAuthorizationCodeStore is returned when a Context tries to act on a authorizationCodeStore without setting one first. |
| paddy@87 | 25 ErrNoAuthorizationCodeStore = errors.New("no authorizationCodeStore was specified for the Context") |
| paddy@87 | 26 // ErrAuthorizationCodeNotFound is returned when an AuthorizationCode is requested but not found in the authorizationCodeStore. |
| paddy@87 | 27 ErrAuthorizationCodeNotFound = errors.New("authorization code not found in authorizationCodeStore") |
| paddy@87 | 28 // ErrAuthorizationCodeAlreadyExists is returned when an AuthorizationCode is added to a authorizationCodeStore, but another AuthorizationCode with the |
| paddy@87 | 29 // same Code already exists in the authorizationCodeStore. |
| paddy@87 | 30 ErrAuthorizationCodeAlreadyExists = errors.New("authorization code already exists in authorizationCodeStore") |
| paddy@29 | 31 ) |
| paddy@29 | 32 |
| paddy@87 | 33 // AuthorizationCode represents an authorization grant made by a user to a Client, to |
| paddy@57 | 34 // access user data within a defined Scope for a limited amount of time. |
| paddy@87 | 35 type AuthorizationCode struct { |
| paddy@26 | 36 Code string |
| paddy@26 | 37 Created time.Time |
| paddy@26 | 38 ExpiresIn int32 |
| paddy@26 | 39 ClientID uuid.ID |
| paddy@26 | 40 Scope string |
| paddy@26 | 41 RedirectURI string |
| paddy@26 | 42 State string |
| paddy@69 | 43 ProfileID uuid.ID |
| paddy@94 | 44 Used bool |
| paddy@26 | 45 } |
| paddy@26 | 46 |
| paddy@87 | 47 type authorizationCodeStore interface { |
| paddy@87 | 48 getAuthorizationCode(code string) (AuthorizationCode, error) |
| paddy@87 | 49 saveAuthorizationCode(authCode AuthorizationCode) error |
| paddy@87 | 50 deleteAuthorizationCode(code string) error |
| paddy@94 | 51 useAuthorizationCode(code string) error |
| paddy@26 | 52 } |
| paddy@29 | 53 |
| paddy@87 | 54 func (m *memstore) getAuthorizationCode(code string) (AuthorizationCode, error) { |
| paddy@87 | 55 m.authCodeLock.RLock() |
| paddy@87 | 56 defer m.authCodeLock.RUnlock() |
| paddy@87 | 57 authCode, ok := m.authCodes[code] |
| paddy@29 | 58 if !ok { |
| paddy@87 | 59 return AuthorizationCode{}, ErrAuthorizationCodeNotFound |
| paddy@29 | 60 } |
| paddy@87 | 61 return authCode, nil |
| paddy@29 | 62 } |
| paddy@29 | 63 |
| paddy@87 | 64 func (m *memstore) saveAuthorizationCode(authCode AuthorizationCode) error { |
| paddy@87 | 65 m.authCodeLock.Lock() |
| paddy@87 | 66 defer m.authCodeLock.Unlock() |
| paddy@87 | 67 _, ok := m.authCodes[authCode.Code] |
| paddy@29 | 68 if ok { |
| paddy@87 | 69 return ErrAuthorizationCodeAlreadyExists |
| paddy@29 | 70 } |
| paddy@87 | 71 m.authCodes[authCode.Code] = authCode |
| paddy@29 | 72 return nil |
| paddy@29 | 73 } |
| paddy@29 | 74 |
| paddy@87 | 75 func (m *memstore) deleteAuthorizationCode(code string) error { |
| paddy@87 | 76 m.authCodeLock.Lock() |
| paddy@87 | 77 defer m.authCodeLock.Unlock() |
| paddy@87 | 78 _, ok := m.authCodes[code] |
| paddy@29 | 79 if !ok { |
| paddy@87 | 80 return ErrAuthorizationCodeNotFound |
| paddy@29 | 81 } |
| paddy@87 | 82 delete(m.authCodes, code) |
| paddy@29 | 83 return nil |
| paddy@29 | 84 } |
| paddy@84 | 85 |
| paddy@94 | 86 func (m *memstore) useAuthorizationCode(code string) error { |
| paddy@94 | 87 m.authCodeLock.Lock() |
| paddy@94 | 88 defer m.authCodeLock.Unlock() |
| paddy@94 | 89 a, ok := m.authCodes[code] |
| paddy@94 | 90 if !ok { |
| paddy@94 | 91 return ErrAuthorizationCodeNotFound |
| paddy@94 | 92 } |
| paddy@94 | 93 a.Used = true |
| paddy@94 | 94 m.authCodes[code] = a |
| paddy@94 | 95 return nil |
| paddy@94 | 96 } |
| paddy@94 | 97 |
| paddy@84 | 98 func authCodeGrantValidate(w http.ResponseWriter, r *http.Request, context Context) (scope string, profileID uuid.ID, valid bool) { |
| paddy@84 | 99 enc := json.NewEncoder(w) |
| paddy@84 | 100 code := r.PostFormValue("code") |
| paddy@84 | 101 if code == "" { |
| paddy@84 | 102 w.WriteHeader(http.StatusBadRequest) |
| paddy@84 | 103 renderJSONError(enc, "invalid_request") |
| paddy@84 | 104 return |
| paddy@84 | 105 } |
| paddy@123 | 106 clientID, _, ok := getClientAuth(w, r, true) |
| paddy@123 | 107 if !ok { |
| paddy@84 | 108 return |
| paddy@84 | 109 } |
| paddy@87 | 110 authCode, err := context.GetAuthorizationCode(code) |
| paddy@84 | 111 if err != nil { |
| paddy@87 | 112 if err == ErrAuthorizationCodeNotFound { |
| paddy@84 | 113 w.WriteHeader(http.StatusBadRequest) |
| paddy@84 | 114 renderJSONError(enc, "invalid_grant") |
| paddy@84 | 115 return |
| paddy@84 | 116 } |
| paddy@84 | 117 w.WriteHeader(http.StatusInternalServerError) |
| paddy@84 | 118 renderJSONError(enc, "server_error") |
| paddy@84 | 119 return |
| paddy@84 | 120 } |
| paddy@85 | 121 redirectURI := r.PostFormValue("redirect_uri") |
| paddy@87 | 122 if authCode.RedirectURI != redirectURI { |
| paddy@84 | 123 w.WriteHeader(http.StatusBadRequest) |
| paddy@84 | 124 renderJSONError(enc, "invalid_grant") |
| paddy@84 | 125 return |
| paddy@84 | 126 } |
| paddy@87 | 127 if !authCode.ClientID.Equal(clientID) { |
| paddy@84 | 128 w.WriteHeader(http.StatusBadRequest) |
| paddy@84 | 129 renderJSONError(enc, "invalid_grant") |
| paddy@84 | 130 return |
| paddy@84 | 131 } |
| paddy@87 | 132 return authCode.Scope, authCode.ProfileID, true |
| paddy@84 | 133 } |
| paddy@90 | 134 |
| paddy@90 | 135 func authCodeGrantInvalidate(r *http.Request, context Context) error { |
| paddy@94 | 136 code := r.PostFormValue("code") |
| paddy@94 | 137 if code == "" { |
| paddy@94 | 138 return ErrAuthorizationCodeNotFound |
| paddy@94 | 139 } |
| paddy@94 | 140 return context.UseAuthorizationCode(code) |
| paddy@90 | 141 } |
| paddy@124 | 142 |
| paddy@124 | 143 func authCodeGrantAuditString(r *http.Request) string { |
| paddy@124 | 144 return "authcode:" + r.PostFormValue("code") |
| paddy@124 | 145 } |