auth

Paddy 2015-04-11 Parent:2809016184f6 Child:73e12d5a1124

auth/authcode_test.go

Start to support deleting profiles through the API. Create a removeLoginsByProfile method on the profileStore, to allow an easy way to bulk-delete logins associated with a Profile after the Profile has been deleted. Create postgres and memstore implementations of the removeLoginsByProfile method. Create a cleanUpAfterProfileDeletion helper method that will clean up the child objects of a Profile (its Sessions, Tokens, Clients, etc.). The intended usage is to call this in a goroutine after a Profile has been deleted, to try and get things back in order. Detect when the UpdateProfileHandler API is used to set the Deleted flag of a Profile to true, and clean up after the Profile when that's the case. Add a DeleteProfileHandler API endpoint that is a shortcut to setting the Deleted flag of a Profile to true and cleaning up after the Profile. The problem with our approach thus far is that some of it is reversible and some is not. If a Profile is maliciously/accidentally deleted, it's simple enough to use the API as a superuser to restore the Profile. But doing that will not (and cannot) restore the Logins associated with that Profile, for example. While it would be nice to add a Deleted flag to our Logins that we could simply toggle, that would wreak havoc with our database constraints and ensuring uniqueness of Login values. I still don't have a solution for this, outside the superuser manually restoring a Login for the Profile, after which the user can authenticate themselves and add more Logins as desired. But there has to be a better way. I suppose since the passphrase is being stored with the Profile and not the Login, we could offer an endpoint that would automate this, but... well, that would be tricky. It would require the user remembering their Profile ID, and let's be honest, nobody's going to remember a UUID. Maybe such an endpoint would help from a customer service standpoint: we identify their Profile manually, then send them to /profiles/ID/restorelogin or something, and that lets them add a Login back to the Profile. I'll figure it out later. For now, we know we at least have enough information to identify a user is who they say they are and resolve the situation manually.

Download raw file

View source Diff to previous Annotate

paddy@29	1 package auth
paddy@29	2
paddy@29	3 import (
paddy@111	4 "bytes"
paddy@111	5 "io/ioutil"
paddy@111	6 "net/http"
paddy@111	7 "net/http/httptest"
paddy@111	8 "net/url"
paddy@156	9 "os"
paddy@111	10 "strings"
paddy@29	11 "testing"
paddy@29	12 "time"
paddy@29	13
paddy@107	14 "code.secondbit.org/uuid.hg"
paddy@29	15 )
paddy@29	16
paddy@156	17 func init() {
paddy@156	18 if os.Getenv("PG_TEST_DB") != "" {
paddy@156	19 p, err := NewPostgres(os.Getenv("PG_TEST_DB"))
paddy@156	20 if err != nil {
paddy@156	21 panic(err)
paddy@156	22 }
paddy@156	23 authCodeStores = append(authCodeStores, &p)
paddy@156	24 }
paddy@156	25 }
paddy@156	26
paddy@87	27 var authCodeStores = []authorizationCodeStore{NewMemstore()}
paddy@29	28
paddy@87	29 func compareAuthorizationCodes(authCode1, authCode2 AuthorizationCode) (success bool, field string, authCode1val, authCode2val interface{}) {
paddy@87	30 if authCode1.Code != authCode2.Code {
paddy@87	31 return false, "code", authCode1.Code, authCode2.Code
paddy@34	32 }
paddy@87	33 if !authCode1.Created.Equal(authCode2.Created) {
paddy@87	34 return false, "created", authCode1.Created, authCode2.Created
paddy@34	35 }
paddy@87	36 if authCode1.ExpiresIn != authCode2.ExpiresIn {
paddy@87	37 return false, "expires in", authCode1.ExpiresIn, authCode2.ExpiresIn
paddy@34	38 }
paddy@87	39 if !authCode1.ClientID.Equal(authCode2.ClientID) {
paddy@87	40 return false, "client ID", authCode1.ClientID, authCode2.ClientID
paddy@34	41 }
paddy@135	42 if len(authCode1.Scopes) != len(authCode2.Scopes) {
paddy@135	43 return false, "scopes", authCode1.Scopes, authCode2.Scopes
paddy@135	44 }
paddy@135	45 for pos, scope := range authCode1.Scopes {
paddy@135	46 if scope != authCode2.Scopes[pos] {
paddy@135	47 return false, "scopes", authCode1.Scopes, authCode2.Scopes
paddy@135	48 }
paddy@34	49 }
paddy@87	50 if authCode1.RedirectURI != authCode2.RedirectURI {
paddy@87	51 return false, "redirect URI", authCode1.RedirectURI, authCode2.RedirectURI
paddy@34	52 }
paddy@87	53 if authCode1.State != authCode2.State {
paddy@87	54 return false, "state", authCode1.State, authCode2.State
paddy@34	55 }
paddy@111	56 if !authCode1.ProfileID.Equal(authCode2.ProfileID) {
paddy@111	57 return false, "profile ID", authCode1.ProfileID, authCode2.ProfileID
paddy@111	58 }
paddy@111	59 if authCode1.Used != authCode2.Used {
paddy@111	60 return false, "used", authCode1.Used, authCode2.Used
paddy@111	61 }
paddy@34	62 return true, "", nil, nil
paddy@34	63 }
paddy@34	64
paddy@111	65 func TestAuthorizationCodeStore(t *testing.T) {
paddy@36	66 t.Parallel()
paddy@87	67 authCode := AuthorizationCode{
paddy@29	68 Code: "code",
paddy@149	69 Created: time.Now().Round(time.Millisecond),
paddy@29	70 ExpiresIn: 180,
paddy@29	71 ClientID: uuid.NewID(),
paddy@135	72 Scopes: []string{"scope"},
paddy@29	73 RedirectURI: "redirectURI",
paddy@29	74 State: "state",
paddy@29	75 }
paddy@87	76 for _, store := range authCodeStores {
paddy@116	77 context := Context{authCodes: store}
paddy@116	78 err := context.SaveAuthorizationCode(authCode)
paddy@29	79 if err != nil {
paddy@87	80 t.Errorf("Error saving auth code to %T: %s", store, err)
paddy@34	81 }
paddy@116	82 err = context.SaveAuthorizationCode(authCode)
paddy@87	83 if err != ErrAuthorizationCodeAlreadyExists {
paddy@87	84 t.Errorf("Expected ErrAuthorizationCodeAlreadyExists from %T, got %+v", store, err)
paddy@29	85 }
paddy@116	86 retrieved, err := context.GetAuthorizationCode(authCode.Code)
paddy@29	87 if err != nil {
paddy@87	88 t.Errorf("Error retrieving auth code from %T: %s", store, err)
paddy@29	89 }
paddy@87	90 match, field, expectation, result := compareAuthorizationCodes(authCode, retrieved)
paddy@34	91 if !match {
paddy@87	92 t.Errorf("Expected `%v` in the `%s` field of auth code retrieved from %T, got `%v`", expectation, field, store, result)
paddy@34	93 }
paddy@116	94 err = context.UseAuthorizationCode(authCode.Code)
paddy@111	95 if err != nil {
paddy@111	96 t.Errorf("Error retrieving auth code from %T: %s", store, err)
paddy@111	97 }
paddy@116	98 retrieved, err = context.GetAuthorizationCode(authCode.Code)
paddy@111	99 if err != nil {
paddy@111	100 t.Errorf("Error retrieving auth code from %T: %s", store, err)
paddy@111	101 }
paddy@111	102 authCode.Used = true
paddy@111	103 match, field, expectation, result = compareAuthorizationCodes(authCode, retrieved)
paddy@111	104 if !match {
paddy@111	105 t.Errorf("Expected `%v` in the `%s` field of auth code retrieved from %T, got `%v`", expectation, field, store, result)
paddy@111	106 }
paddy@116	107 err = context.DeleteAuthorizationCode(authCode.Code)
paddy@29	108 if err != nil {
paddy@87	109 t.Errorf("Error removing auth code from %T: %s", store, err)
paddy@29	110 }
paddy@116	111 retrieved, err = context.GetAuthorizationCode(authCode.Code)
paddy@87	112 if err != ErrAuthorizationCodeNotFound {
paddy@87	113 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v and %+v", store, retrieved, err)
paddy@34	114 }
paddy@116	115 err = context.DeleteAuthorizationCode(authCode.Code)
paddy@87	116 if err != ErrAuthorizationCodeNotFound {
paddy@87	117 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v", store, err)
paddy@29	118 }
paddy@116	119 err = context.UseAuthorizationCode(authCode.Code)
paddy@111	120 if err != ErrAuthorizationCodeNotFound {
paddy@111	121 t.Errorf("Expected ErrAuthorizationCodeNotFound from %T, got %+v", store, err)
paddy@111	122 }
paddy@29	123 }
paddy@29	124 }
paddy@111	125
paddy@111	126 func TestAuthCodeGrantValidate(t *testing.T) {
paddy@111	127 t.Parallel()
paddy@111	128 store := NewMemstore()
paddy@111	129 testContext := Context{
paddy@111	130 clients: store,
paddy@111	131 authCodes: store,
paddy@111	132 profiles: store,
paddy@111	133 tokens: store,
paddy@111	134 sessions: store,
paddy@111	135 }
paddy@111	136 client := Client{
paddy@111	137 ID: uuid.NewID(),
paddy@111	138 Secret: "super secret!",
paddy@111	139 OwnerID: uuid.NewID(),
paddy@111	140 Name: "My test client",
paddy@111	141 Logo: "https://secondbit.org/logo.png",
paddy@111	142 Website: "https://secondbit.org/",
paddy@111	143 Type: "public",
paddy@111	144 }
paddy@111	145 endpoint := Endpoint{
paddy@111	146 ID: uuid.NewID(),
paddy@111	147 ClientID: client.ID,
paddy@116	148 URI: "https://test.secondbit.org/redirect",
paddy@149	149 Added: time.Now().Round(time.Millisecond),
paddy@111	150 }
paddy@116	151 err := testContext.SaveClient(client)
paddy@111	152 if err != nil {
paddy@111	153 t.Fatal("Can't store client:", err)
paddy@111	154 }
paddy@151	155 err = testContext.AddEndpoints([]Endpoint{endpoint})
paddy@111	156 if err != nil {
paddy@111	157 t.Fatal("Can't store endpoint:", err)
paddy@111	158 }
paddy@111	159 code := AuthorizationCode{
paddy@111	160 Code: "myauthcode",
paddy@149	161 Created: time.Now().Round(time.Millisecond),
paddy@111	162 ExpiresIn: 180,
paddy@111	163 ClientID: uuid.NewID(),
paddy@135	164 Scopes: []string{"scope"},
paddy@111	165 RedirectURI: "redirectURI",
paddy@111	166 State: "state",
paddy@111	167 }
paddy@111	168 err = testContext.SaveAuthorizationCode(code)
paddy@111	169 if err != nil {
paddy@111	170 t.Fatal("Can't add auth code:", err)
paddy@111	171 }
paddy@112	172 code2 := code
paddy@112	173 code2.Code = "otherauthcode"
paddy@112	174 code2.ClientID = client.ID
paddy@112	175 err = testContext.SaveAuthorizationCode(code2)
paddy@112	176 if err != nil {
paddy@112	177 t.Fatal("Can't add second auth code:", err)
paddy@112	178 }
paddy@111	179 req, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@111	180 if err != nil {
paddy@111	181 t.Fatal("Can't build request:", err)
paddy@111	182 }
paddy@112	183 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@111	184 w := httptest.NewRecorder()
paddy@111	185 params := url.Values{}
paddy@111	186 body := bytes.NewBufferString(params.Encode())
paddy@111	187 req.Body = ioutil.NopCloser(body)
paddy@111	188 scope, profileID, valid := authCodeGrantValidate(w, req, testContext)
paddy@111	189 if valid {
paddy@112	190 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
paddy@111	191 }
paddy@111	192 if w.Code != http.StatusBadRequest {
paddy@111	193 t.Errorf("Expected status %d, got %d", http.StatusBadRequest, w.Code)
paddy@111	194 }
paddy@112	195 expectedBody := `{"error":"invalid_request"}`
paddy@112	196 if strings.TrimSpace(w.Body.String()) != expectedBody {
paddy@112	197 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
paddy@112	198 }
paddy@112	199
paddy@112	200 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	201 if err != nil {
paddy@112	202 t.Fatal("Can't build request:", err)
paddy@112	203 }
paddy@112	204 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@112	205 w = httptest.NewRecorder()
paddy@112	206 params = url.Values{}
paddy@112	207 params.Set("code", "notmycode")
paddy@112	208 body = bytes.NewBufferString(params.Encode())
paddy@112	209 req.Body = ioutil.NopCloser(body)
paddy@112	210 err = req.ParseForm()
paddy@112	211 if err != nil {
paddy@112	212 t.Log(err)
paddy@112	213 }
paddy@112	214 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
paddy@112	215 if valid {
paddy@112	216 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
paddy@112	217 }
paddy@112	218 if w.Code != http.StatusUnauthorized {
paddy@112	219 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
paddy@112	220 }
paddy@112	221 expectedBody = `{"error":"invalid_client"}`
paddy@112	222 if expectedBody != strings.TrimSpace(w.Body.String()) {
paddy@112	223 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
paddy@112	224 }
paddy@112	225
paddy@112	226 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	227 if err != nil {
paddy@112	228 t.Fatal("Can't build request:", err)
paddy@112	229 }
paddy@112	230 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@112	231 req.SetBasicAuth(client.ID.String(), client.Secret)
paddy@112	232 w = httptest.NewRecorder()
paddy@112	233 params = url.Values{}
paddy@112	234 params.Set("code", "notmycode")
paddy@112	235 body = bytes.NewBufferString(params.Encode())
paddy@112	236 req.Body = ioutil.NopCloser(body)
paddy@112	237 err = req.ParseForm()
paddy@112	238 if err != nil {
paddy@112	239 t.Log(err)
paddy@112	240 }
paddy@112	241 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
paddy@112	242 if valid {
paddy@112	243 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
paddy@112	244 }
paddy@112	245 if w.Code != http.StatusBadRequest {
paddy@112	246 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
paddy@112	247 }
paddy@112	248 expectedBody = `{"error":"invalid_grant"}`
paddy@112	249 if expectedBody != strings.TrimSpace(w.Body.String()) {
paddy@112	250 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
paddy@112	251 }
paddy@112	252
paddy@112	253 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	254 if err != nil {
paddy@112	255 t.Fatal("Can't build request:", err)
paddy@112	256 }
paddy@112	257 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@112	258 req.SetBasicAuth(client.ID.String(), client.Secret)
paddy@112	259 w = httptest.NewRecorder()
paddy@112	260 params = url.Values{}
paddy@112	261 params.Set("code", code.Code)
paddy@112	262 params.Set("redirect_uri", "not my redirectURI")
paddy@112	263 body = bytes.NewBufferString(params.Encode())
paddy@112	264 req.Body = ioutil.NopCloser(body)
paddy@112	265 err = req.ParseForm()
paddy@112	266 if err != nil {
paddy@112	267 t.Log(err)
paddy@112	268 }
paddy@112	269 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
paddy@112	270 if valid {
paddy@112	271 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
paddy@112	272 }
paddy@112	273 if w.Code != http.StatusBadRequest {
paddy@112	274 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
paddy@112	275 }
paddy@112	276 expectedBody = `{"error":"invalid_grant"}`
paddy@112	277 if expectedBody != strings.TrimSpace(w.Body.String()) {
paddy@112	278 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
paddy@112	279 }
paddy@112	280
paddy@112	281 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	282 if err != nil {
paddy@112	283 t.Fatal("Can't build request:", err)
paddy@112	284 }
paddy@112	285 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@112	286 req.SetBasicAuth(client.ID.String(), client.Secret)
paddy@112	287 w = httptest.NewRecorder()
paddy@112	288 params = url.Values{}
paddy@112	289 params.Set("code", code.Code)
paddy@112	290 params.Set("redirect_uri", code.RedirectURI)
paddy@112	291 body = bytes.NewBufferString(params.Encode())
paddy@112	292 req.Body = ioutil.NopCloser(body)
paddy@112	293 err = req.ParseForm()
paddy@112	294 if err != nil {
paddy@112	295 t.Log(err)
paddy@112	296 }
paddy@112	297 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
paddy@112	298 if valid {
paddy@112	299 t.Fatalf("Expected invalid auth code, got scope `%s` and profileID `%s`.", scope, profileID)
paddy@112	300 }
paddy@112	301 if w.Code != http.StatusBadRequest {
paddy@112	302 t.Errorf("Expected status %d, got %d", http.StatusUnauthorized, w.Code)
paddy@112	303 }
paddy@112	304 expectedBody = `{"error":"invalid_grant"}`
paddy@112	305 if expectedBody != strings.TrimSpace(w.Body.String()) {
paddy@112	306 t.Errorf("Expected body of `%s`, got `%s`", expectedBody, strings.TrimSpace(w.Body.String()))
paddy@112	307 }
paddy@112	308
paddy@112	309 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	310 if err != nil {
paddy@112	311 t.Fatal("Can't build request:", err)
paddy@112	312 }
paddy@112	313 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@112	314 req.SetBasicAuth(client.ID.String(), client.Secret)
paddy@112	315 w = httptest.NewRecorder()
paddy@112	316 params = url.Values{}
paddy@112	317 params.Set("code", code2.Code)
paddy@112	318 params.Set("redirect_uri", code2.RedirectURI)
paddy@112	319 body = bytes.NewBufferString(params.Encode())
paddy@112	320 req.Body = ioutil.NopCloser(body)
paddy@112	321 err = req.ParseForm()
paddy@112	322 if err != nil {
paddy@112	323 t.Log(err)
paddy@112	324 }
paddy@112	325 scope, profileID, valid = authCodeGrantValidate(w, req, testContext)
paddy@112	326 if !valid {
paddy@112	327 t.Fatalf("Expected valid auth code, was not valid.")
paddy@111	328 }
paddy@111	329 }
paddy@112	330
paddy@112	331 func TestAuthCodeGrantInvalidate(t *testing.T) {
paddy@112	332 t.Parallel()
paddy@112	333 store := NewMemstore()
paddy@112	334 testContext := Context{
paddy@112	335 clients: store,
paddy@112	336 authCodes: store,
paddy@112	337 profiles: store,
paddy@112	338 tokens: store,
paddy@112	339 sessions: store,
paddy@112	340 }
paddy@112	341 code := AuthorizationCode{
paddy@112	342 Code: "myauthcode",
paddy@149	343 Created: time.Now().Round(time.Millisecond),
paddy@112	344 ExpiresIn: 180,
paddy@112	345 ClientID: uuid.NewID(),
paddy@135	346 Scopes: []string{"scope"},
paddy@112	347 RedirectURI: "redirectURI",
paddy@112	348 State: "state",
paddy@112	349 }
paddy@112	350 err := testContext.SaveAuthorizationCode(code)
paddy@112	351 if err != nil {
paddy@112	352 t.Fatal("Can't add auth code:", err)
paddy@112	353 }
paddy@112	354 req, err := http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	355 if err != nil {
paddy@112	356 t.Fatal("Can't build request:", err)
paddy@112	357 }
paddy@112	358 err = authCodeGrantInvalidate(req, testContext)
paddy@112	359 if err != ErrAuthorizationCodeNotFound {
paddy@112	360 t.Errorf("Expected `%s`, got `%+v`", ErrAuthorizationCodeNotFound, err)
paddy@112	361 }
paddy@112	362 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	363 if err != nil {
paddy@112	364 t.Fatal("Can't build request:", err)
paddy@112	365 }
paddy@112	366 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@112	367 params := url.Values{}
paddy@112	368 params.Set("code", "notmycode")
paddy@112	369 body := bytes.NewBufferString(params.Encode())
paddy@112	370 req.Body = ioutil.NopCloser(body)
paddy@112	371 err = authCodeGrantInvalidate(req, testContext)
paddy@112	372 if err != ErrAuthorizationCodeNotFound {
paddy@112	373 t.Errorf("Expected `%s`, got `%+v`", ErrAuthorizationCodeNotFound, err)
paddy@112	374 }
paddy@112	375 req, err = http.NewRequest("POST", "https://test.auth.secondbit.org/oauth2/grant", nil)
paddy@112	376 if err != nil {
paddy@112	377 t.Fatal("Can't build request:", err)
paddy@112	378 }
paddy@112	379 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
paddy@112	380 params.Set("code", code.Code)
paddy@112	381 body = bytes.NewBufferString(params.Encode())
paddy@112	382 req.Body = ioutil.NopCloser(body)
paddy@112	383 err = authCodeGrantInvalidate(req, testContext)
paddy@112	384 if err != nil {
paddy@112	385 t.Error("Error invalidating auth code:", err)
paddy@112	386 }
paddy@112	387 authCode, err := testContext.GetAuthorizationCode(code.Code)
paddy@112	388 if err != nil {
paddy@112	389 t.Error("Error retrieving auth code:", err)
paddy@112	390 }
paddy@112	391 if !authCode.Used {
paddy@112	392 t.Error("Expected auth code to be used, was not.")
paddy@112	393 }
paddy@112	394 }