auth

Paddy 2015-01-18 Parent:e000b1c24fc0 Child:565a9335e035

117:da77e083cf02 Go to Latest

auth/client.go

Change TODO to BUG. This is a refactor, not code to be added. It should show up in the gofmt bugs list.

Download raw file
View source Diff to previous Annotate
History
paddy@6 1 package auth
paddy@0 2
paddy@0 3 import (
paddy@108 4 "crypto/rand"
paddy@108 5 "encoding/hex"
paddy@85 6 "encoding/json"
paddy@31 7 "errors"
paddy@116 8 "log"
paddy@85 9 "net/http"
paddy@41 10 "net/url"
paddy@115 11 "strconv"
paddy@41 12 "time"
paddy@31 13
paddy@116 14 "github.com/PuerkitoBio/purell"
paddy@116 15 "github.com/gorilla/mux"
paddy@116 16
paddy@107 17 "code.secondbit.org/uuid.hg"
paddy@0 18 )
paddy@0 19
paddy@31 20 var (
paddy@57 21 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first.
paddy@57 22 ErrNoClientStore = errors.New("no clientStore was specified for the Context")
paddy@57 23 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore.
paddy@57 24 ErrClientNotFound = errors.New("client not found in clientStore")
paddy@57 25 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with
paddy@57 26 // the same ID already exists in the clientStore.
paddy@57 27 ErrClientAlreadyExists = errors.New("client already exists in clientStore")
paddy@41 28
paddy@57 29 // ErrEmptyChange is returned when a Change has all its properties set to nil.
paddy@57 30 ErrEmptyChange = errors.New("change must have at least one property set")
paddy@57 31 // ErrClientNameTooShort is returned when a Client's Name property is too short.
paddy@57 32 ErrClientNameTooShort = errors.New("client name must be at least 2 characters")
paddy@57 33 // ErrClientNameTooLong is returned when a Client's Name property is too long.
paddy@57 34 ErrClientNameTooLong = errors.New("client name must be at most 32 characters")
paddy@57 35 // ErrClientLogoTooLong is returned when a Client's Logo property is too long.
paddy@57 36 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters")
paddy@57 37 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL.
paddy@57 38 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL")
paddy@57 39 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long.
paddy@49 40 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters")
paddy@57 41 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL.
paddy@57 42 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL")
paddy@116 43 // ErrEndpointURINotURL is returned when an Endpoint's URI property is not a valid absolute URL.
paddy@116 44 ErrEndpointURINotURL = errors.New("endpoint URI must be a valid absolute URL")
paddy@31 45 )
paddy@31 46
paddy@115 47 const (
paddy@115 48 clientTypePublic = "public"
paddy@115 49 clientTypeConfidential = "confidential"
paddy@116 50 minClientNameLen = 2
paddy@116 51 maxClientNameLen = 24
paddy@115 52 )
paddy@115 53
paddy@25 54 // Client represents a client that grants access
paddy@25 55 // to the auth server, exchanging grants for tokens,
paddy@25 56 // and tokens for access.
paddy@0 57 type Client struct {
paddy@116 58 ID uuid.ID `json:"id,omitempty"`
paddy@116 59 Secret string `json:"secret,omitempty"`
paddy@116 60 OwnerID uuid.ID `json:"owner_id,omitempty"`
paddy@116 61 Name string `json:"name,omitempty"`
paddy@116 62 Logo string `json:"logo,omitempty"`
paddy@116 63 Website string `json:"website,omitempty"`
paddy@116 64 Type string `json:"type,omitempty"`
paddy@0 65 }
paddy@0 66
paddy@57 67 // ApplyChange applies the properties of the passed
paddy@57 68 // ClientChange to the Client object it is called on.
paddy@39 69 func (c *Client) ApplyChange(change ClientChange) {
paddy@39 70 if change.Secret != nil {
paddy@39 71 c.Secret = *change.Secret
paddy@39 72 }
paddy@39 73 if change.OwnerID != nil {
paddy@39 74 c.OwnerID = change.OwnerID
paddy@39 75 }
paddy@39 76 if change.Name != nil {
paddy@39 77 c.Name = *change.Name
paddy@39 78 }
paddy@39 79 if change.Logo != nil {
paddy@39 80 c.Logo = *change.Logo
paddy@39 81 }
paddy@39 82 if change.Website != nil {
paddy@39 83 c.Website = *change.Website
paddy@39 84 }
paddy@39 85 }
paddy@39 86
paddy@57 87 // ClientChange represents a bundle of options for
paddy@57 88 // updating a Client's mutable data.
paddy@31 89 type ClientChange struct {
paddy@41 90 Secret *string
paddy@41 91 OwnerID uuid.ID
paddy@41 92 Name *string
paddy@41 93 Logo *string
paddy@41 94 Website *string
paddy@31 95 }
paddy@31 96
paddy@57 97 // Validate checks the ClientChange it is called on
paddy@57 98 // and asserts its internal validity, or lack thereof.
paddy@39 99 func (c ClientChange) Validate() error {
paddy@42 100 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil {
paddy@42 101 return ErrEmptyChange
paddy@42 102 }
paddy@41 103 if c.Name != nil && len(*c.Name) < 2 {
paddy@41 104 return ErrClientNameTooShort
paddy@41 105 }
paddy@41 106 if c.Name != nil && len(*c.Name) > 32 {
paddy@41 107 return ErrClientNameTooLong
paddy@41 108 }
paddy@42 109 if c.Logo != nil && *c.Logo != "" {
paddy@42 110 if len(*c.Logo) > 1024 {
paddy@42 111 return ErrClientLogoTooLong
paddy@42 112 }
paddy@42 113 u, err := url.Parse(*c.Logo)
paddy@42 114 if err != nil || !u.IsAbs() {
paddy@42 115 return ErrClientLogoNotURL
paddy@42 116 }
paddy@41 117 }
paddy@42 118 if c.Website != nil && *c.Website != "" {
paddy@42 119 if len(*c.Website) > 140 {
paddy@42 120 return ErrClientWebsiteTooLong
paddy@42 121 }
paddy@42 122 u, err := url.Parse(*c.Website)
paddy@42 123 if err != nil || !u.IsAbs() {
paddy@42 124 return ErrClientWebsiteNotURL
paddy@42 125 }
paddy@41 126 }
paddy@39 127 return nil
paddy@39 128 }
paddy@39 129
paddy@85 130 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) {
paddy@85 131 enc := json.NewEncoder(w)
paddy@85 132 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth()
paddy@85 133 if !fromAuthHeader {
paddy@85 134 if !allowPublic {
paddy@85 135 w.WriteHeader(http.StatusBadRequest)
paddy@85 136 renderJSONError(enc, "unauthorized_client")
paddy@85 137 return nil, false
paddy@85 138 }
paddy@85 139 clientIDStr = r.PostFormValue("client_id")
paddy@85 140 }
paddy@85 141 clientID, err := uuid.Parse(clientIDStr)
paddy@85 142 if err != nil {
paddy@85 143 w.WriteHeader(http.StatusUnauthorized)
paddy@85 144 if fromAuthHeader {
paddy@85 145 w.Header().Set("WWW-Authenticate", "Basic")
paddy@85 146 }
paddy@85 147 renderJSONError(enc, "invalid_client")
paddy@85 148 return nil, false
paddy@85 149 }
paddy@85 150 client, err := context.GetClient(clientID)
paddy@85 151 if err == ErrClientNotFound {
paddy@85 152 w.WriteHeader(http.StatusUnauthorized)
paddy@85 153 if fromAuthHeader {
paddy@85 154 w.Header().Set("WWW-Authenticate", "Basic")
paddy@85 155 }
paddy@85 156 renderJSONError(enc, "invalid_client")
paddy@85 157 return nil, false
paddy@85 158 } else if err != nil {
paddy@85 159 w.WriteHeader(http.StatusInternalServerError)
paddy@85 160 renderJSONError(enc, "server_error")
paddy@85 161 return nil, false
paddy@85 162 }
paddy@113 163 if client.Secret != clientSecret { // it's important that any client deemed "public" is not issued a client secret.
paddy@85 164 w.WriteHeader(http.StatusUnauthorized)
paddy@85 165 if fromAuthHeader {
paddy@85 166 w.Header().Set("WWW-Authenticate", "Basic")
paddy@85 167 }
paddy@85 168 renderJSONError(enc, "invalid_client")
paddy@85 169 return nil, false
paddy@85 170 }
paddy@85 171 return clientID, true
paddy@85 172 }
paddy@85 173
paddy@57 174 // Endpoint represents a single URI that a Client
paddy@57 175 // controls. Users will be redirected to these URIs
paddy@57 176 // following successful authorization grants and
paddy@57 177 // exchanges for access tokens.
paddy@41 178 type Endpoint struct {
paddy@116 179 ID uuid.ID `json:"id,omitempty"`
paddy@116 180 ClientID uuid.ID `json:"client_id,omitempty"`
paddy@116 181 URI string `json:"uri,omitempty"`
paddy@116 182 NormalizedURI string `json:"-"`
paddy@116 183 Added time.Time `json:"added,omitempty"`
paddy@116 184 }
paddy@116 185
paddy@116 186 func normalizeURIString(in string) (string, error) {
paddy@116 187 n, err := purell.NormalizeURLString(in, purell.FlagsUsuallySafeNonGreedy|purell.FlagSortQuery)
paddy@116 188 if err != nil {
paddy@116 189 log.Println(err)
paddy@116 190 return in, ErrEndpointURINotURL
paddy@116 191 }
paddy@116 192 return n, nil
paddy@116 193 }
paddy@116 194
paddy@116 195 func normalizeURI(in *url.URL) string {
paddy@116 196 return purell.NormalizeURL(in, purell.FlagsUsuallySafeNonGreedy|purell.FlagSortQuery)
paddy@41 197 }
paddy@41 198
paddy@41 199 type sortedEndpoints []Endpoint
paddy@41 200
paddy@41 201 func (s sortedEndpoints) Len() int {
paddy@41 202 return len(s)
paddy@41 203 }
paddy@41 204
paddy@41 205 func (s sortedEndpoints) Less(i, j int) bool {
paddy@41 206 return s[i].Added.Before(s[j].Added)
paddy@41 207 }
paddy@41 208
paddy@41 209 func (s sortedEndpoints) Swap(i, j int) {
paddy@41 210 s[i], s[j] = s[j], s[i]
paddy@41 211 }
paddy@41 212
paddy@57 213 type clientStore interface {
paddy@57 214 getClient(id uuid.ID) (Client, error)
paddy@57 215 saveClient(client Client) error
paddy@57 216 updateClient(id uuid.ID, change ClientChange) error
paddy@57 217 deleteClient(id uuid.ID) error
paddy@57 218 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error)
paddy@41 219
paddy@115 220 addEndpoints(client uuid.ID, endpoint []Endpoint) error
paddy@57 221 removeEndpoint(client, endpoint uuid.ID) error
paddy@58 222 checkEndpoint(client uuid.ID, endpoint string) (bool, error)
paddy@57 223 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error)
paddy@57 224 countEndpoints(client uuid.ID) (int64, error)
paddy@0 225 }
paddy@31 226
paddy@57 227 func (m *memstore) getClient(id uuid.ID) (Client, error) {
paddy@31 228 m.clientLock.RLock()
paddy@31 229 defer m.clientLock.RUnlock()
paddy@31 230 c, ok := m.clients[id.String()]
paddy@31 231 if !ok {
paddy@31 232 return Client{}, ErrClientNotFound
paddy@31 233 }
paddy@31 234 return c, nil
paddy@31 235 }
paddy@31 236
paddy@57 237 func (m *memstore) saveClient(client Client) error {
paddy@31 238 m.clientLock.Lock()
paddy@31 239 defer m.clientLock.Unlock()
paddy@31 240 if _, ok := m.clients[client.ID.String()]; ok {
paddy@31 241 return ErrClientAlreadyExists
paddy@31 242 }
paddy@31 243 m.clients[client.ID.String()] = client
paddy@31 244 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID)
paddy@31 245 return nil
paddy@31 246 }
paddy@31 247
paddy@57 248 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error {
paddy@39 249 m.clientLock.Lock()
paddy@39 250 defer m.clientLock.Unlock()
paddy@39 251 c, ok := m.clients[id.String()]
paddy@39 252 if !ok {
paddy@39 253 return ErrClientNotFound
paddy@39 254 }
paddy@39 255 c.ApplyChange(change)
paddy@39 256 m.clients[id.String()] = c
paddy@31 257 return nil
paddy@31 258 }
paddy@31 259
paddy@57 260 func (m *memstore) deleteClient(id uuid.ID) error {
paddy@57 261 client, err := m.getClient(id)
paddy@31 262 if err != nil {
paddy@31 263 return err
paddy@31 264 }
paddy@31 265 m.clientLock.Lock()
paddy@31 266 defer m.clientLock.Unlock()
paddy@31 267 delete(m.clients, id.String())
paddy@31 268 pos := -1
paddy@31 269 for p, item := range m.profileClientLookup[client.OwnerID.String()] {
paddy@31 270 if item.Equal(id) {
paddy@31 271 pos = p
paddy@31 272 break
paddy@31 273 }
paddy@31 274 }
paddy@31 275 if pos >= 0 {
paddy@31 276 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...)
paddy@31 277 }
paddy@31 278 return nil
paddy@31 279 }
paddy@31 280
paddy@57 281 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) {
paddy@33 282 ids := m.lookupClientsByProfileID(ownerID.String())
paddy@31 283 if len(ids) > num+offset {
paddy@31 284 ids = ids[offset : num+offset]
paddy@31 285 } else if len(ids) > offset {
paddy@31 286 ids = ids[offset:]
paddy@31 287 } else {
paddy@31 288 return []Client{}, nil
paddy@31 289 }
paddy@31 290 clients := []Client{}
paddy@31 291 for _, id := range ids {
paddy@57 292 client, err := m.getClient(id)
paddy@31 293 if err != nil {
paddy@31 294 return []Client{}, err
paddy@31 295 }
paddy@31 296 clients = append(clients, client)
paddy@31 297 }
paddy@31 298 return clients, nil
paddy@31 299 }
paddy@41 300
paddy@115 301 func (m *memstore) addEndpoints(client uuid.ID, endpoints []Endpoint) error {
paddy@41 302 m.endpointLock.Lock()
paddy@41 303 defer m.endpointLock.Unlock()
paddy@115 304 m.endpoints[client.String()] = append(m.endpoints[client.String()], endpoints...)
paddy@41 305 return nil
paddy@41 306 }
paddy@41 307
paddy@57 308 func (m *memstore) removeEndpoint(client, endpoint uuid.ID) error {
paddy@41 309 m.endpointLock.Lock()
paddy@41 310 defer m.endpointLock.Unlock()
paddy@41 311 pos := -1
paddy@41 312 for p, item := range m.endpoints[client.String()] {
paddy@41 313 if item.ID.Equal(endpoint) {
paddy@41 314 pos = p
paddy@41 315 break
paddy@41 316 }
paddy@41 317 }
paddy@41 318 if pos >= 0 {
paddy@41 319 m.endpoints[client.String()] = append(m.endpoints[client.String()][:pos], m.endpoints[client.String()][pos+1:]...)
paddy@41 320 }
paddy@41 321 return nil
paddy@41 322 }
paddy@41 323
paddy@58 324 func (m *memstore) checkEndpoint(client uuid.ID, endpoint string) (bool, error) {
paddy@41 325 m.endpointLock.RLock()
paddy@41 326 defer m.endpointLock.RUnlock()
paddy@41 327 for _, candidate := range m.endpoints[client.String()] {
paddy@116 328 if endpoint == candidate.NormalizedURI {
paddy@41 329 return true, nil
paddy@41 330 }
paddy@41 331 }
paddy@41 332 return false, nil
paddy@41 333 }
paddy@41 334
paddy@57 335 func (m *memstore) listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error) {
paddy@41 336 m.endpointLock.RLock()
paddy@41 337 defer m.endpointLock.RUnlock()
paddy@41 338 return m.endpoints[client.String()], nil
paddy@41 339 }
paddy@54 340
paddy@57 341 func (m *memstore) countEndpoints(client uuid.ID) (int64, error) {
paddy@54 342 m.endpointLock.RLock()
paddy@54 343 defer m.endpointLock.RUnlock()
paddy@54 344 return int64(len(m.endpoints[client.String()])), nil
paddy@54 345 }
paddy@108 346
paddy@108 347 type newClientReq struct {
paddy@108 348 Name string `json:"name"`
paddy@108 349 Logo string `json:"logo"`
paddy@108 350 Website string `json:"website"`
paddy@108 351 Type string `json:"type"`
paddy@108 352 Endpoints []string `json:"endpoints"`
paddy@108 353 }
paddy@108 354
paddy@108 355 func RegisterClientHandlers(r *mux.Router, context Context) {
paddy@108 356 r.Handle("/clients", wrap(context, CreateClientHandler)).Methods("POST")
paddy@108 357 }
paddy@108 358
paddy@108 359 func CreateClientHandler(w http.ResponseWriter, r *http.Request, c Context) {
paddy@115 360 errors := []requestError{}
paddy@108 361 username, password, ok := r.BasicAuth()
paddy@108 362 if !ok {
paddy@115 363 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@115 364 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@108 365 return
paddy@108 366 }
paddy@108 367 profile, err := authenticate(username, password, c)
paddy@108 368 if err != nil {
paddy@115 369 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@115 370 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@108 371 return
paddy@108 372 }
paddy@108 373 var req newClientReq
paddy@108 374 decoder := json.NewDecoder(r.Body)
paddy@108 375 err = decoder.Decode(&req)
paddy@108 376 if err != nil {
paddy@108 377 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
paddy@108 378 return
paddy@108 379 }
paddy@116 380 if req.Type == "" {
paddy@116 381 errors = append(errors, requestError{Slug: requestErrMissing, Field: "/type"})
paddy@116 382 } else if req.Type != clientTypePublic && req.Type != clientTypeConfidential {
paddy@115 383 errors = append(errors, requestError{Slug: requestErrInvalidValue, Field: "/type"})
paddy@116 384 }
paddy@116 385 if req.Name == "" {
paddy@116 386 errors = append(errors, requestError{Slug: requestErrMissing, Field: "/name"})
paddy@116 387 } else if len(req.Name) < minClientNameLen {
paddy@116 388 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/name"})
paddy@116 389 } else if len(req.Name) > maxClientNameLen {
paddy@116 390 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/name"})
paddy@116 391 }
paddy@116 392 if len(errors) > 0 {
paddy@115 393 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@108 394 return
paddy@108 395 }
paddy@108 396 client := Client{
paddy@108 397 ID: uuid.NewID(),
paddy@108 398 OwnerID: profile.ID,
paddy@108 399 Name: req.Name,
paddy@108 400 Logo: req.Logo,
paddy@108 401 Website: req.Website,
paddy@108 402 Type: req.Type,
paddy@108 403 }
paddy@115 404 if client.Type == clientTypePublic {
paddy@115 405 secret := make([]byte, 32)
paddy@115 406 _, err = rand.Read(secret)
paddy@115 407 if err != nil {
paddy@115 408 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@115 409 return
paddy@115 410 }
paddy@115 411 client.Secret = hex.EncodeToString(secret)
paddy@115 412 }
paddy@108 413 err = c.SaveClient(client)
paddy@108 414 if err != nil {
paddy@115 415 if err == ErrClientAlreadyExists {
paddy@115 416 errors = append(errors, requestError{Slug: requestErrConflict, Field: "/id"})
paddy@115 417 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@115 418 return
paddy@115 419 }
paddy@115 420 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@108 421 return
paddy@108 422 }
paddy@108 423 endpoints := []Endpoint{}
paddy@115 424 for pos, u := range req.Endpoints {
paddy@108 425 uri, err := url.Parse(u)
paddy@108 426 if err != nil {
paddy@115 427 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Field: "/endpoints/" + strconv.Itoa(pos)})
paddy@108 428 continue
paddy@108 429 }
paddy@116 430 if !uri.IsAbs() {
paddy@116 431 errors = append(errors, requestError{Slug: requestErrInvalidValue, Field: "/endpoints/" + strconv.Itoa(pos)})
paddy@116 432 continue
paddy@116 433 }
paddy@108 434 endpoint := Endpoint{
paddy@108 435 ID: uuid.NewID(),
paddy@108 436 ClientID: client.ID,
paddy@116 437 URI: uri.String(),
paddy@108 438 Added: time.Now(),
paddy@108 439 }
paddy@108 440 endpoints = append(endpoints, endpoint)
paddy@108 441 }
paddy@115 442 err = c.AddEndpoints(client.ID, endpoints)
paddy@115 443 if err != nil {
paddy@115 444 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@115 445 encode(w, r, http.StatusInternalServerError, response{Errors: errors, Clients: []Client{client}})
paddy@115 446 return
paddy@115 447 }
paddy@108 448 resp := response{
paddy@108 449 Clients: []Client{client},
paddy@108 450 Endpoints: endpoints,
paddy@116 451 Errors: errors,
paddy@108 452 }
paddy@108 453 encode(w, r, http.StatusCreated, resp)
paddy@108 454 }