auth
2014-09-01
auth/util.go.old
Deprecate old implementations. Let's remove all of the osin stuff altogether, in favour of a more testable, unit-based approach. Leave all the old files around, for easy reference, but add the .old suffix so the go tools don't pick them up.
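--- /dev/null
+++ b/util.go.old
@@ -0,0 +1,102 @@
+package auth
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"code.google.com/p/go-uuid/uuid"
+)
+
+var (
+	BasicAuthNotSetError      = errors.New("Authorization header not set.")
+	InvalidBasicAuthTypeError = errors.New("Invalid basic auth type.")
+	InvalidBasicAuthMessage   = errors.New("Invalid basic auth format.")
+)
+
+// Parse basic authentication header
+type BasicAuth struct {
+	Username string
+	Password string
+}
+
+// Return authorization header data
+func CheckBasicAuth(r *http.Request) (BasicAuth, error) {
+	if r.Header.Get("Authorization") == "" {
+		return BasicAuth{}, BasicAuthNotSetError
+	}
+
+	s := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
+	if len(s) != 2 || s[0] != "Basic" {
+		return BasicAuth{}, InvalidBasicAuthTypeError
+	}
+
+	b, err := base64.StdEncoding.DecodeString(s[1])
+	if err != nil {
+		return BasicAuth{}, err
+	}
+	pair := strings.SplitN(string(b), ":", 2)
+	if len(pair) != 2 {
+		return BasicAuth{}, InvalidBasicAuthMessage
+	}
+
+	return BasicAuth{Username: pair[0], Password: pair[1]}, nil
+}
+
+// getClientAuth checks client basic authentication in params if allowed,
+// otherwise gets it from the header.
+func getClientAuth(r *http.Request, allowQueryParams bool) (BasicAuth, error) {
+
+	if allowQueryParams {
+		// Allow for auth without password
+		if _, hasSecret := r.Form["client_secret"]; hasSecret {
+			auth := BasicAuth{
+				Username: r.Form.Get("client_id"),
+				Password: r.Form.Get("client_secret"),
+			}
+			if auth.Username != "" {
+				return auth, nil
+			}
+		}
+	}
+
+	return CheckBasicAuth(r)
+}
+
+func newToken() string {
+	return base64.StdEncoding.EncodeToString([]byte(uuid.New()))
+}
+
+// validateURI validates that redirectURI is contained in baseURI
+func validateURI(baseURI string, redirectURI string) error {
+	if baseURI == "" || redirectURI == "" {
+		return errors.New("urls cannot be blank.")
+	}
+
+	// parse base url
+	base, err := url.Parse(baseURI)
+	if err != nil {
+		return err
+	}
+
+	// parse passed url
+	redirect, err := url.Parse(redirectURI)
+	if err != nil {
+		return err
+	}
+
+	// must not have fragment
+	if base.Fragment != "" || redirect.Fragment != "" {
+		return errors.New("url must not include fragment.")
+	}
+
+	// check if urls match
+	if base.Scheme == redirect.Scheme && base.Host == redirect.Host && len(redirect.Path) >= len(base.Path) && strings.HasPrefix(redirect.Path, base.Path) {
+		return nil
+	}
+
+	return errors.New(fmt.Sprintf("urls don't validate: %s / %s\n", baseURI, redirectURI))
+}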
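Review bot: The containment test in validateURI (line 1.100) is a plain string prefix on the path, so a registered base path of `/cb` also accepts `/cb-anything` and `/cbx` on the same host, which is not "contained in" the base in any meaningful sense; since this file is kept as the reference for the rewrite, the check worth carrying over should match on a path-segment boundary, e.g. `if base.Scheme == redirect.Scheme && base.Host == redirect.Host && (redirect.Path == base.Path || strings.HasPrefix(redirect.Path, strings.TrimSuffix(base.Path, "/")+"/")) {`. A second thing to note for the reimplementation: getClientAuth reads `r.Form` directly (line 1.58), which is only populated once the caller has run `ParseForm`/`ParseMultipartForm`; without that the query-parameter branch silently never matches and the request falls through to header auth, so the replacement should either call `r.ParseForm()` itself or document the precondition. The error message on line 1.104 also carries a trailing `\n`, which the rewrite can drop.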