auth

Paddy 2015-03-05 Parent:d30a3a12d387 Child:874c21d1dd8d

auth/client.go

Add a handler to add endpoints to a client. Add a handler that enables adding endpoints to a client through the API.

paddy@6	1 package auth
paddy@0	2
paddy@0	3 import (
paddy@108	4 "crypto/rand"
paddy@108	5 "encoding/hex"
paddy@85	6 "encoding/json"
paddy@31	7 "errors"
paddy@116	8 "log"
paddy@85	9 "net/http"
paddy@41	10 "net/url"
paddy@115	11 "strconv"
paddy@135	12 "strings"
paddy@41	13 "time"
paddy@31	14
paddy@116	15 "github.com/PuerkitoBio/purell"
paddy@116	16 "github.com/gorilla/mux"
paddy@116	17
paddy@107	18 "code.secondbit.org/uuid.hg"
paddy@0	19 )
paddy@0	20
paddy@121	21 func init() {
paddy@121	22 RegisterGrantType("client_credentials", GrantType{
paddy@121	23 Validate: clientCredentialsValidate,
paddy@121	24 Invalidate: nil,
paddy@121	25 IssuesRefresh: true,
paddy@121	26 ReturnToken: RenderJSONToken,
paddy@123	27 AllowsPublic: false,
paddy@124	28 AuditString: clientCredentialsAuditString,
paddy@121	29 })
paddy@121	30 }
paddy@121	31
paddy@31	32 var (
paddy@57	33 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first.
paddy@57	34 ErrNoClientStore = errors.New("no clientStore was specified for the Context")
paddy@57	35 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore.
paddy@57	36 ErrClientNotFound = errors.New("client not found in clientStore")
paddy@57	37 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with
paddy@57	38 // the same ID already exists in the clientStore.
paddy@57	39 ErrClientAlreadyExists = errors.New("client already exists in clientStore")
paddy@41	40
paddy@57	41 // ErrEmptyChange is returned when a Change has all its properties set to nil.
paddy@57	42 ErrEmptyChange = errors.New("change must have at least one property set")
paddy@57	43 // ErrClientNameTooShort is returned when a Client's Name property is too short.
paddy@57	44 ErrClientNameTooShort = errors.New("client name must be at least 2 characters")
paddy@57	45 // ErrClientNameTooLong is returned when a Client's Name property is too long.
paddy@57	46 ErrClientNameTooLong = errors.New("client name must be at most 32 characters")
paddy@57	47 // ErrClientLogoTooLong is returned when a Client's Logo property is too long.
paddy@57	48 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters")
paddy@57	49 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL.
paddy@57	50 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL")
paddy@57	51 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long.
paddy@49	52 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters")
paddy@57	53 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL.
paddy@57	54 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL")
paddy@116	55 // ErrEndpointURINotURL is returned when an Endpoint's URI property is not a valid absolute URL.
paddy@116	56 ErrEndpointURINotURL = errors.New("endpoint URI must be a valid absolute URL")
paddy@31	57 )
paddy@31	58
paddy@115	59 const (
paddy@131	60 clientTypePublic = "public"
paddy@131	61 clientTypeConfidential = "confidential"
paddy@131	62 minClientNameLen = 2
paddy@131	63 maxClientNameLen = 24
paddy@131	64 defaultClientResponseSize = 20
paddy@131	65 maxClientResponseSize = 50
paddy@130	66
paddy@130	67 normalizeFlags = purell.FlagsUsuallySafeNonGreedy \| purell.FlagSortQuery
paddy@115	68 )
paddy@115	69
paddy@25	70 // Client represents a client that grants access
paddy@25	71 // to the auth server, exchanging grants for tokens,
paddy@25	72 // and tokens for access.
paddy@0	73 type Client struct {
paddy@116	74 ID uuid.ID `json:"id,omitempty"`
paddy@116	75 Secret string `json:"secret,omitempty"`
paddy@116	76 OwnerID uuid.ID `json:"owner_id,omitempty"`
paddy@116	77 Name string `json:"name,omitempty"`
paddy@116	78 Logo string `json:"logo,omitempty"`
paddy@116	79 Website string `json:"website,omitempty"`
paddy@116	80 Type string `json:"type,omitempty"`
paddy@0	81 }
paddy@0	82
paddy@57	83 // ApplyChange applies the properties of the passed
paddy@57	84 // ClientChange to the Client object it is called on.
paddy@39	85 func (c *Client) ApplyChange(change ClientChange) {
paddy@39	86 if change.Secret != nil {
paddy@39	87 c.Secret = *change.Secret
paddy@39	88 }
paddy@39	89 if change.OwnerID != nil {
paddy@39	90 c.OwnerID = change.OwnerID
paddy@39	91 }
paddy@39	92 if change.Name != nil {
paddy@39	93 c.Name = *change.Name
paddy@39	94 }
paddy@39	95 if change.Logo != nil {
paddy@39	96 c.Logo = *change.Logo
paddy@39	97 }
paddy@39	98 if change.Website != nil {
paddy@39	99 c.Website = *change.Website
paddy@39	100 }
paddy@39	101 }
paddy@39	102
paddy@57	103 // ClientChange represents a bundle of options for
paddy@57	104 // updating a Client's mutable data.
paddy@31	105 type ClientChange struct {
paddy@41	106 Secret *string
paddy@41	107 OwnerID uuid.ID
paddy@41	108 Name *string
paddy@41	109 Logo *string
paddy@41	110 Website *string
paddy@31	111 }
paddy@31	112
paddy@57	113 // Validate checks the ClientChange it is called on
paddy@57	114 // and asserts its internal validity, or lack thereof.
paddy@133	115 func (c ClientChange) Validate() []error {
paddy@133	116 errors := []error{}
paddy@42	117 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil {
paddy@133	118 errors = append(errors, ErrEmptyChange)
paddy@133	119 return errors
paddy@42	120 }
paddy@41	121 if c.Name != nil && len(*c.Name) < 2 {
paddy@133	122 errors = append(errors, ErrClientNameTooShort)
paddy@41	123 }
paddy@41	124 if c.Name != nil && len(*c.Name) > 32 {
paddy@133	125 errors = append(errors, ErrClientNameTooLong)
paddy@41	126 }
paddy@42	127 if c.Logo != nil && *c.Logo != "" {
paddy@42	128 if len(*c.Logo) > 1024 {
paddy@133	129 errors = append(errors, ErrClientLogoTooLong)
paddy@42	130 }
paddy@42	131 u, err := url.Parse(*c.Logo)
paddy@42	132 if err != nil \|\| !u.IsAbs() {
paddy@133	133 errors = append(errors, ErrClientLogoNotURL)
paddy@42	134 }
paddy@41	135 }
paddy@42	136 if c.Website != nil && *c.Website != "" {
paddy@42	137 if len(*c.Website) > 140 {
paddy@133	138 errors = append(errors, ErrClientWebsiteTooLong)
paddy@42	139 }
paddy@42	140 u, err := url.Parse(*c.Website)
paddy@42	141 if err != nil \|\| !u.IsAbs() {
paddy@133	142 errors = append(errors, ErrClientWebsiteNotURL)
paddy@42	143 }
paddy@41	144 }
paddy@133	145 return errors
paddy@39	146 }
paddy@39	147
paddy@123	148 func getClientAuth(w http.ResponseWriter, r *http.Request, allowPublic bool) (uuid.ID, string, bool) {
paddy@85	149 enc := json.NewEncoder(w)
paddy@85	150 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth()
paddy@85	151 if !fromAuthHeader {
paddy@85	152 clientIDStr = r.PostFormValue("client_id")
paddy@85	153 }
paddy@123	154 if clientIDStr == "" {
paddy@85	155 w.WriteHeader(http.StatusUnauthorized)
paddy@85	156 if fromAuthHeader {
paddy@85	157 w.Header().Set("WWW-Authenticate", "Basic")
paddy@85	158 }
paddy@85	159 renderJSONError(enc, "invalid_client")
paddy@123	160 return nil, "", false
paddy@123	161 }
paddy@129	162 if !allowPublic && !fromAuthHeader {
paddy@129	163 w.WriteHeader(http.StatusBadRequest)
paddy@129	164 renderJSONError(enc, "unauthorized_client")
paddy@129	165 return nil, "", false
paddy@129	166 }
paddy@123	167 clientID, err := uuid.Parse(clientIDStr)
paddy@123	168 if err != nil {
paddy@123	169 log.Println("Error decoding client ID:", err)
paddy@123	170 w.WriteHeader(http.StatusUnauthorized)
paddy@123	171 if fromAuthHeader {
paddy@123	172 w.Header().Set("WWW-Authenticate", "Basic")
paddy@123	173 }
paddy@123	174 renderJSONError(enc, "invalid_client")
paddy@123	175 return nil, "", false
paddy@123	176 }
paddy@123	177 return clientID, clientSecret, true
paddy@123	178 }
paddy@123	179
paddy@123	180 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) {
paddy@123	181 enc := json.NewEncoder(w)
paddy@123	182 clientID, clientSecret, ok := getClientAuth(w, r, allowPublic)
paddy@123	183 if !ok {
paddy@85	184 return nil, false
paddy@85	185 }
paddy@123	186 _, _, fromAuthHeader := r.BasicAuth()
paddy@85	187 client, err := context.GetClient(clientID)
paddy@85	188 if err == ErrClientNotFound {
paddy@85	189 w.WriteHeader(http.StatusUnauthorized)
paddy@85	190 if fromAuthHeader {
paddy@85	191 w.Header().Set("WWW-Authenticate", "Basic")
paddy@85	192 }
paddy@85	193 renderJSONError(enc, "invalid_client")
paddy@85	194 return nil, false
paddy@85	195 } else if err != nil {
paddy@85	196 w.WriteHeader(http.StatusInternalServerError)
paddy@85	197 renderJSONError(enc, "server_error")
paddy@85	198 return nil, false
paddy@85	199 }
paddy@113	200 if client.Secret != clientSecret { // it's important that any client deemed "public" is not issued a client secret.
paddy@85	201 w.WriteHeader(http.StatusUnauthorized)
paddy@85	202 if fromAuthHeader {
paddy@85	203 w.Header().Set("WWW-Authenticate", "Basic")
paddy@85	204 }
paddy@85	205 renderJSONError(enc, "invalid_client")
paddy@85	206 return nil, false
paddy@85	207 }
paddy@85	208 return clientID, true
paddy@85	209 }
paddy@85	210
paddy@57	211 // Endpoint represents a single URI that a Client
paddy@57	212 // controls. Users will be redirected to these URIs
paddy@57	213 // following successful authorization grants and
paddy@57	214 // exchanges for access tokens.
paddy@41	215 type Endpoint struct {
paddy@116	216 ID uuid.ID `json:"id,omitempty"`
paddy@116	217 ClientID uuid.ID `json:"client_id,omitempty"`
paddy@116	218 URI string `json:"uri,omitempty"`
paddy@116	219 NormalizedURI string `json:"-"`
paddy@116	220 Added time.Time `json:"added,omitempty"`
paddy@116	221 }
paddy@116	222
paddy@116	223 func normalizeURIString(in string) (string, error) {
paddy@130	224 n, err := purell.NormalizeURLString(in, normalizeFlags)
paddy@116	225 if err != nil {
paddy@116	226 log.Println(err)
paddy@116	227 return in, ErrEndpointURINotURL
paddy@116	228 }
paddy@116	229 return n, nil
paddy@116	230 }
paddy@116	231
paddy@116	232 func normalizeURI(in *url.URL) string {
paddy@130	233 return purell.NormalizeURL(in, normalizeFlags)
paddy@41	234 }
paddy@41	235
paddy@41	236 type sortedEndpoints []Endpoint
paddy@41	237
paddy@41	238 func (s sortedEndpoints) Len() int {
paddy@41	239 return len(s)
paddy@41	240 }
paddy@41	241
paddy@41	242 func (s sortedEndpoints) Less(i, j int) bool {
paddy@41	243 return s[i].Added.Before(s[j].Added)
paddy@41	244 }
paddy@41	245
paddy@41	246 func (s sortedEndpoints) Swap(i, j int) {
paddy@41	247 s[i], s[j] = s[j], s[i]
paddy@41	248 }
paddy@41	249
paddy@57	250 type clientStore interface {
paddy@57	251 getClient(id uuid.ID) (Client, error)
paddy@57	252 saveClient(client Client) error
paddy@57	253 updateClient(id uuid.ID, change ClientChange) error
paddy@57	254 deleteClient(id uuid.ID) error
paddy@57	255 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error)
paddy@41	256
paddy@115	257 addEndpoints(client uuid.ID, endpoint []Endpoint) error
paddy@57	258 removeEndpoint(client, endpoint uuid.ID) error
paddy@58	259 checkEndpoint(client uuid.ID, endpoint string) (bool, error)
paddy@57	260 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error)
paddy@57	261 countEndpoints(client uuid.ID) (int64, error)
paddy@0	262 }
paddy@31	263
paddy@57	264 func (m *memstore) getClient(id uuid.ID) (Client, error) {
paddy@31	265 m.clientLock.RLock()
paddy@31	266 defer m.clientLock.RUnlock()
paddy@31	267 c, ok := m.clients[id.String()]
paddy@31	268 if !ok {
paddy@31	269 return Client{}, ErrClientNotFound
paddy@31	270 }
paddy@31	271 return c, nil
paddy@31	272 }
paddy@31	273
paddy@57	274 func (m *memstore) saveClient(client Client) error {
paddy@31	275 m.clientLock.Lock()
paddy@31	276 defer m.clientLock.Unlock()
paddy@31	277 if _, ok := m.clients[client.ID.String()]; ok {
paddy@31	278 return ErrClientAlreadyExists
paddy@31	279 }
paddy@31	280 m.clients[client.ID.String()] = client
paddy@31	281 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID)
paddy@31	282 return nil
paddy@31	283 }
paddy@31	284
paddy@57	285 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error {
paddy@39	286 m.clientLock.Lock()
paddy@39	287 defer m.clientLock.Unlock()
paddy@39	288 c, ok := m.clients[id.String()]
paddy@39	289 if !ok {
paddy@39	290 return ErrClientNotFound
paddy@39	291 }
paddy@39	292 c.ApplyChange(change)
paddy@39	293 m.clients[id.String()] = c
paddy@31	294 return nil
paddy@31	295 }
paddy@31	296
paddy@57	297 func (m *memstore) deleteClient(id uuid.ID) error {
paddy@57	298 client, err := m.getClient(id)
paddy@31	299 if err != nil {
paddy@31	300 return err
paddy@31	301 }
paddy@31	302 m.clientLock.Lock()
paddy@31	303 defer m.clientLock.Unlock()
paddy@31	304 delete(m.clients, id.String())
paddy@31	305 pos := -1
paddy@31	306 for p, item := range m.profileClientLookup[client.OwnerID.String()] {
paddy@31	307 if item.Equal(id) {
paddy@31	308 pos = p
paddy@31	309 break
paddy@31	310 }
paddy@31	311 }
paddy@31	312 if pos >= 0 {
paddy@31	313 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...)
paddy@31	314 }
paddy@31	315 return nil
paddy@31	316 }
paddy@31	317
paddy@57	318 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) {
paddy@33	319 ids := m.lookupClientsByProfileID(ownerID.String())
paddy@31	320 if len(ids) > num+offset {
paddy@31	321 ids = ids[offset : num+offset]
paddy@31	322 } else if len(ids) > offset {
paddy@31	323 ids = ids[offset:]
paddy@31	324 } else {
paddy@31	325 return []Client{}, nil
paddy@31	326 }
paddy@31	327 clients := []Client{}
paddy@31	328 for _, id := range ids {
paddy@57	329 client, err := m.getClient(id)
paddy@31	330 if err != nil {
paddy@31	331 return []Client{}, err
paddy@31	332 }
paddy@31	333 clients = append(clients, client)
paddy@31	334 }
paddy@31	335 return clients, nil
paddy@31	336 }
paddy@41	337
paddy@115	338 func (m *memstore) addEndpoints(client uuid.ID, endpoints []Endpoint) error {
paddy@41	339 m.endpointLock.Lock()
paddy@41	340 defer m.endpointLock.Unlock()
paddy@115	341 m.endpoints[client.String()] = append(m.endpoints[client.String()], endpoints...)
paddy@41	342 return nil
paddy@41	343 }
paddy@41	344
paddy@57	345 func (m *memstore) removeEndpoint(client, endpoint uuid.ID) error {
paddy@41	346 m.endpointLock.Lock()
paddy@41	347 defer m.endpointLock.Unlock()
paddy@41	348 pos := -1
paddy@41	349 for p, item := range m.endpoints[client.String()] {
paddy@41	350 if item.ID.Equal(endpoint) {
paddy@41	351 pos = p
paddy@41	352 break
paddy@41	353 }
paddy@41	354 }
paddy@41	355 if pos >= 0 {
paddy@41	356 m.endpoints[client.String()] = append(m.endpoints[client.String()][:pos], m.endpoints[client.String()][pos+1:]...)
paddy@41	357 }
paddy@41	358 return nil
paddy@41	359 }
paddy@41	360
paddy@58	361 func (m *memstore) checkEndpoint(client uuid.ID, endpoint string) (bool, error) {
paddy@41	362 m.endpointLock.RLock()
paddy@41	363 defer m.endpointLock.RUnlock()
paddy@41	364 for _, candidate := range m.endpoints[client.String()] {
paddy@116	365 if endpoint == candidate.NormalizedURI {
paddy@41	366 return true, nil
paddy@41	367 }
paddy@41	368 }
paddy@41	369 return false, nil
paddy@41	370 }
paddy@41	371
paddy@57	372 func (m *memstore) listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error) {
paddy@41	373 m.endpointLock.RLock()
paddy@41	374 defer m.endpointLock.RUnlock()
paddy@41	375 return m.endpoints[client.String()], nil
paddy@41	376 }
paddy@54	377
paddy@57	378 func (m *memstore) countEndpoints(client uuid.ID) (int64, error) {
paddy@54	379 m.endpointLock.RLock()
paddy@54	380 defer m.endpointLock.RUnlock()
paddy@54	381 return int64(len(m.endpoints[client.String()])), nil
paddy@54	382 }
paddy@108	383
paddy@108	384 type newClientReq struct {
paddy@108	385 Name string `json:"name"`
paddy@108	386 Logo string `json:"logo"`
paddy@108	387 Website string `json:"website"`
paddy@108	388 Type string `json:"type"`
paddy@108	389 Endpoints []string `json:"endpoints"`
paddy@108	390 }
paddy@108	391
paddy@108	392 func RegisterClientHandlers(r *mux.Router, context Context) {
paddy@108	393 r.Handle("/clients", wrap(context, CreateClientHandler)).Methods("POST")
paddy@131	394 r.Handle("/clients", wrap(context, ListClientsHandler)).Methods("GET")
paddy@131	395 r.Handle("/clients/{id}", wrap(context, GetClientHandler)).Methods("GET")
paddy@133	396 r.Handle("/clients/{id}", wrap(context, UpdateClientHandler)).Methods("PATCH")
paddy@128	397 // BUG(paddy): We need to implement a handler to delete a client. Also, what should that do with the grants and tokens belonging to that client?
paddy@137	398 r.Handle("/clients/{id}/endpoints", wrap(context, AddEndpointsHandler)).Methods("POST")
paddy@128	399 // BUG(paddy): We need to implement a handler to remove an endpoint from a client.
paddy@128	400 // BUG(paddy): We need to implement a handler to list endpoints.
paddy@108	401 }
paddy@108	402
paddy@108	403 func CreateClientHandler(w http.ResponseWriter, r *http.Request, c Context) {
paddy@115	404 errors := []requestError{}
paddy@108	405 username, password, ok := r.BasicAuth()
paddy@108	406 if !ok {
paddy@115	407 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@115	408 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@108	409 return
paddy@108	410 }
paddy@108	411 profile, err := authenticate(username, password, c)
paddy@108	412 if err != nil {
paddy@115	413 errors = append(errors, requestError{Slug: requestErrAccessDenied})
paddy@115	414 encode(w, r, http.StatusUnauthorized, response{Errors: errors})
paddy@108	415 return
paddy@108	416 }
paddy@108	417 var req newClientReq
paddy@108	418 decoder := json.NewDecoder(r.Body)
paddy@108	419 err = decoder.Decode(&req)
paddy@108	420 if err != nil {
paddy@108	421 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
paddy@108	422 return
paddy@108	423 }
paddy@116	424 if req.Type == "" {
paddy@116	425 errors = append(errors, requestError{Slug: requestErrMissing, Field: "/type"})
paddy@116	426 } else if req.Type != clientTypePublic && req.Type != clientTypeConfidential {
paddy@115	427 errors = append(errors, requestError{Slug: requestErrInvalidValue, Field: "/type"})
paddy@116	428 }
paddy@116	429 if req.Name == "" {
paddy@116	430 errors = append(errors, requestError{Slug: requestErrMissing, Field: "/name"})
paddy@116	431 } else if len(req.Name) < minClientNameLen {
paddy@116	432 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/name"})
paddy@116	433 } else if len(req.Name) > maxClientNameLen {
paddy@116	434 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/name"})
paddy@116	435 }
paddy@116	436 if len(errors) > 0 {
paddy@115	437 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@108	438 return
paddy@108	439 }
paddy@108	440 client := Client{
paddy@108	441 ID: uuid.NewID(),
paddy@108	442 OwnerID: profile.ID,
paddy@108	443 Name: req.Name,
paddy@108	444 Logo: req.Logo,
paddy@108	445 Website: req.Website,
paddy@108	446 Type: req.Type,
paddy@108	447 }
paddy@118	448 if client.Type == clientTypeConfidential {
paddy@115	449 secret := make([]byte, 32)
paddy@115	450 _, err = rand.Read(secret)
paddy@115	451 if err != nil {
paddy@115	452 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@115	453 return
paddy@115	454 }
paddy@115	455 client.Secret = hex.EncodeToString(secret)
paddy@115	456 }
paddy@108	457 err = c.SaveClient(client)
paddy@108	458 if err != nil {
paddy@115	459 if err == ErrClientAlreadyExists {
paddy@115	460 errors = append(errors, requestError{Slug: requestErrConflict, Field: "/id"})
paddy@115	461 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@115	462 return
paddy@115	463 }
paddy@115	464 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@108	465 return
paddy@108	466 }
paddy@108	467 endpoints := []Endpoint{}
paddy@115	468 for pos, u := range req.Endpoints {
paddy@108	469 uri, err := url.Parse(u)
paddy@108	470 if err != nil {
paddy@115	471 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Field: "/endpoints/" + strconv.Itoa(pos)})
paddy@108	472 continue
paddy@108	473 }
paddy@116	474 if !uri.IsAbs() {
paddy@116	475 errors = append(errors, requestError{Slug: requestErrInvalidValue, Field: "/endpoints/" + strconv.Itoa(pos)})
paddy@116	476 continue
paddy@116	477 }
paddy@108	478 endpoint := Endpoint{
paddy@108	479 ID: uuid.NewID(),
paddy@108	480 ClientID: client.ID,
paddy@116	481 URI: uri.String(),
paddy@108	482 Added: time.Now(),
paddy@108	483 }
paddy@108	484 endpoints = append(endpoints, endpoint)
paddy@108	485 }
paddy@115	486 err = c.AddEndpoints(client.ID, endpoints)
paddy@115	487 if err != nil {
paddy@115	488 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@115	489 encode(w, r, http.StatusInternalServerError, response{Errors: errors, Clients: []Client{client}})
paddy@115	490 return
paddy@115	491 }
paddy@108	492 resp := response{
paddy@108	493 Clients: []Client{client},
paddy@108	494 Endpoints: endpoints,
paddy@116	495 Errors: errors,
paddy@108	496 }
paddy@108	497 encode(w, r, http.StatusCreated, resp)
paddy@108	498 }
paddy@121	499
paddy@131	500 func GetClientHandler(w http.ResponseWriter, r *http.Request, c Context) {
paddy@131	501 errors := []requestError{}
paddy@131	502 vars := mux.Vars(r)
paddy@131	503 if vars["id"] == "" {
paddy@131	504 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
paddy@131	505 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@131	506 return
paddy@131	507 }
paddy@131	508 id, err := uuid.Parse(vars["id"])
paddy@131	509 if err != nil {
paddy@131	510 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Param: "id"})
paddy@131	511 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@131	512 return
paddy@131	513 }
paddy@131	514 client, err := c.GetClient(id)
paddy@131	515 if err != nil {
paddy@131	516 if err == ErrClientNotFound {
paddy@131	517 errors = append(errors, requestError{Slug: requestErrNotFound, Param: "id"})
paddy@131	518 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@131	519 return
paddy@131	520 }
paddy@131	521 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@131	522 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@131	523 return
paddy@131	524 }
paddy@131	525 client.Secret = ""
paddy@131	526 // BUG(paddy): How should auth be handled for retrieving clients?
paddy@131	527 resp := response{
paddy@131	528 Clients: []Client{client},
paddy@131	529 Errors: errors,
paddy@131	530 }
paddy@131	531 encode(w, r, http.StatusOK, resp)
paddy@131	532 }
paddy@131	533
paddy@131	534 func ListClientsHandler(w http.ResponseWriter, r *http.Request, c Context) {
paddy@131	535 errors := []requestError{}
paddy@131	536 var err error
paddy@131	537 // BUG(paddy): If ids are provided in query params, retrieve only those clients
paddy@131	538 // BUG(paddy): We should have auth when listing clients
paddy@131	539 num := defaultClientResponseSize
paddy@131	540 offset := 0
paddy@131	541 ownerIDStr := r.URL.Query().Get("owner_id")
paddy@131	542 numStr := r.URL.Query().Get("num")
paddy@131	543 offsetStr := r.URL.Query().Get("offset")
paddy@131	544 if numStr != "" {
paddy@131	545 num, err = strconv.Atoi(numStr)
paddy@131	546 if err != nil {
paddy@131	547 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Param: "num"})
paddy@131	548 }
paddy@131	549 if num > maxClientResponseSize {
paddy@131	550 errors = append(errors, requestError{Slug: requestErrOverflow, Param: "num"})
paddy@131	551 }
paddy@131	552 }
paddy@131	553 if offsetStr != "" {
paddy@131	554 offset, err = strconv.Atoi(offsetStr)
paddy@131	555 if err != nil {
paddy@131	556 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Param: "offset"})
paddy@131	557 }
paddy@131	558 }
paddy@131	559 if ownerIDStr == "" {
paddy@131	560 errors = append(errors, requestError{Slug: requestErrMissing, Param: "owner_id"})
paddy@131	561 }
paddy@131	562 if len(errors) > 0 {
paddy@131	563 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@131	564 return
paddy@131	565 }
paddy@131	566 ownerID, err := uuid.Parse(ownerIDStr)
paddy@131	567 if err != nil {
paddy@131	568 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Param: "owner_id"})
paddy@131	569 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@131	570 return
paddy@131	571 }
paddy@131	572 clients, err := c.ListClientsByOwner(ownerID, num, offset)
paddy@131	573 if err != nil {
paddy@131	574 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@131	575 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@131	576 return
paddy@131	577 }
paddy@131	578 for pos, client := range clients {
paddy@131	579 client.Secret = ""
paddy@131	580 clients[pos] = client
paddy@131	581 }
paddy@131	582 resp := response{
paddy@131	583 Clients: clients,
paddy@131	584 Errors: errors,
paddy@131	585 }
paddy@131	586 encode(w, r, http.StatusOK, resp)
paddy@131	587 }
paddy@131	588
paddy@133	589 func UpdateClientHandler(w http.ResponseWriter, r *http.Request, c Context) {
paddy@133	590 errors := []requestError{}
paddy@133	591 vars := mux.Vars(r)
paddy@133	592 if _, ok := vars["id"]; !ok {
paddy@133	593 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
paddy@133	594 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@133	595 return
paddy@133	596 }
paddy@133	597 var change ClientChange
paddy@133	598 err := decode(r, &change)
paddy@133	599 if err != nil {
paddy@133	600 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Field: "/"})
paddy@133	601 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@133	602 return
paddy@133	603 }
paddy@133	604 errs := change.Validate()
paddy@133	605 for _, err := range errs {
paddy@133	606 switch err {
paddy@133	607 case ErrEmptyChange:
paddy@133	608 errors = append(errors, requestError{Slug: requestErrMissing, Field: "/"})
paddy@133	609 case ErrClientNameTooShort:
paddy@133	610 errors = append(errors, requestError{Slug: requestErrInsufficient, Field: "/name"})
paddy@133	611 case ErrClientNameTooLong:
paddy@133	612 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/name"})
paddy@133	613 case ErrClientLogoTooLong:
paddy@133	614 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/logo"})
paddy@133	615 case ErrClientLogoNotURL:
paddy@133	616 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Field: "/logo"})
paddy@133	617 case ErrClientWebsiteTooLong:
paddy@133	618 errors = append(errors, requestError{Slug: requestErrOverflow, Field: "/website"})
paddy@133	619 case ErrClientWebsiteNotURL:
paddy@133	620 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Field: "/website"})
paddy@133	621 default:
paddy@133	622 log.Println("Unrecognised error from client change validation:", err)
paddy@133	623 }
paddy@133	624 }
paddy@133	625 id, err := uuid.Parse(vars["id"])
paddy@133	626 if err != nil {
paddy@133	627 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Param: "id"})
paddy@133	628 }
paddy@133	629 if len(errors) > 0 {
paddy@133	630 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@133	631 return
paddy@133	632 }
paddy@133	633 client, err := c.GetClient(id)
paddy@133	634 if err == ErrClientNotFound {
paddy@133	635 errors = append(errors, requestError{Slug: requestErrNotFound, Param: "id"})
paddy@133	636 encode(w, r, http.StatusNotFound, response{Errors: errors})
paddy@133	637 return
paddy@133	638 } else if err != nil {
paddy@133	639 log.Println("Error retrieving client:", err)
paddy@133	640 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@133	641 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@133	642 return
paddy@133	643 }
paddy@133	644 if change.Secret != nil && client.Type == clientTypeConfidential {
paddy@133	645 secret := make([]byte, 32)
paddy@133	646 _, err = rand.Read(secret)
paddy@133	647 if err != nil {
paddy@133	648 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@133	649 return
paddy@133	650 }
paddy@133	651 newSecret := hex.EncodeToString(secret)
paddy@133	652 change.Secret = &newSecret
paddy@133	653 }
paddy@133	654 err = c.UpdateClient(id, change)
paddy@133	655 if err != nil {
paddy@133	656 log.Println("Error updating client:", err)
paddy@133	657 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@133	658 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@133	659 return
paddy@133	660 }
paddy@133	661 client.ApplyChange(change)
paddy@133	662 encode(w, r, http.StatusOK, response{Clients: []Client{client}, Errors: errors})
paddy@133	663 return
paddy@133	664 }
paddy@133	665
paddy@137	666 func AddEndpointsHandler(w http.ResponseWriter, r *http.Request, c Context) {
paddy@137	667 type addEndpointReq struct {
paddy@137	668 Endpoints []string `json:"endpoints"`
paddy@137	669 }
paddy@137	670 errors := []requestError{}
paddy@137	671 vars := mux.Vars(r)
paddy@137	672 if vars["id"] == "" {
paddy@137	673 errors = append(errors, requestError{Slug: requestErrMissing, Param: "id"})
paddy@137	674 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@137	675 return
paddy@137	676 }
paddy@137	677 id, err := uuid.Parse(vars["id"])
paddy@137	678 if err != nil {
paddy@137	679 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Param: "id"})
paddy@137	680 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@137	681 return
paddy@137	682 }
paddy@137	683 _, err = c.GetClient(id)
paddy@137	684 if err != nil {
paddy@137	685 if err == ErrClientNotFound {
paddy@137	686 errors = append(errors, requestError{Slug: requestErrNotFound, Param: "id"})
paddy@137	687 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@137	688 return
paddy@137	689 }
paddy@137	690 errors = append(errors, requestError{Slug: requestErrActOfGod})
paddy@137	691 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
paddy@137	692 return
paddy@137	693 }
paddy@137	694 var req addEndpointReq
paddy@137	695 decoder := json.NewDecoder(r.Body)
paddy@137	696 err = decoder.Decode(&req)
paddy@137	697 if err != nil {
paddy@137	698 encode(w, r, http.StatusBadRequest, invalidFormatResponse)
paddy@137	699 return
paddy@137	700 }
paddy@137	701 if len(req.Endpoints) < 1 {
paddy@137	702 errors = append(errors, requestError{Slug: requestErrMissing, Field: "/endpoints"})
paddy@137	703 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@137	704 return
paddy@137	705 }
paddy@137	706 endpoints := []Endpoint{}
paddy@137	707 for pos, u := range req.Endpoints {
paddy@137	708 if parsed, err := url.Parse(u); err != nil {
paddy@137	709 errors = append(errors, requestError{Slug: requestErrInvalidFormat, Field: "/endpoints/" + strconv.Itoa(pos)})
paddy@137	710 continue
paddy@137	711 } else if !parsed.IsAbs() {
paddy@137	712 errors = append(errors, requestError{Slug: requestErrInvalidValue, Field: "/endpoints" + strconv.Itoa(pos)})
paddy@137	713 continue
paddy@137	714 }
paddy@137	715 e := Endpoint{
paddy@137	716 ID: uuid.NewID(),
paddy@137	717 ClientID: id,
paddy@137	718 URI: u,
paddy@137	719 Added: time.Now(),
paddy@137	720 }
paddy@137	721 endpoints = append(endpoints, e)
paddy@137	722 }
paddy@137	723 if len(errors) > 0 {
paddy@137	724 encode(w, r, http.StatusBadRequest, response{Errors: errors})
paddy@137	725 return
paddy@137	726 }
paddy@137	727 err = c.AddEndpoints(id, endpoints)
paddy@137	728 if err != nil {
paddy@137	729 encode(w, r, http.StatusInternalServerError, actOfGodResponse)
paddy@137	730 return
paddy@137	731 }
paddy@137	732 resp := response{
paddy@137	733 Errors: errors,
paddy@137	734 Endpoints: endpoints,
paddy@137	735 }
paddy@137	736 encode(w, r, http.StatusCreated, resp)
paddy@137	737 }
paddy@137	738
paddy@135	739 func clientCredentialsValidate(w http.ResponseWriter, r *http.Request, context Context) (scopes []string, profileID uuid.ID, valid bool) {
paddy@135	740 scopes = strings.Split(r.PostFormValue("scope"), " ")
paddy@121	741 valid = true
paddy@121	742 return
paddy@121	743 }
paddy@124	744
paddy@124	745 func clientCredentialsAuditString(r *http.Request) string {
paddy@124	746 return "client_credentials"
paddy@124	747 }