auth

Paddy 2015-03-07 Parent:874c21d1dd8d Child:8fad4d66c7ea

auth/client.go

Test our GetClientHandler function, add isAuthError helper. Add a helper that identifies whether the error passed to it is an authentication error or is some other type of error. This is useful fo checking whether or not an internal error occurred while authenticating users. Update all instances where we call our authentication helper to make them use the new error helper. All tests continue to pass. Add a new test case for retrieving a client as an unauthenticated user. This clears the client's secret from the response before sending it. Update the GetClientHandler function to return the secret when the owner of the client used Basic Auth in the request. Add a new test case for retrieving a client as an authenticated user, both the owner and a non-owner user. This makes sure the secret is divulged only in the appropriate cases.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "crypto/rand"

5 "encoding/hex"

6 "encoding/json"

7 "errors"

8 "log"

9 "net/http"

10 "net/url"

11 "strconv"

12 "strings"

13 "time"

15 "github.com/PuerkitoBio/purell"

16 "github.com/gorilla/mux"

18 "code.secondbit.org/uuid.hg"

19 )

21 func init() {

22 RegisterGrantType("client_credentials", GrantType{

23 Validate: clientCredentialsValidate,

24 Invalidate: nil,

25 IssuesRefresh: true,

26 ReturnToken: RenderJSONToken,

27 AllowsPublic: false,

28 AuditString: clientCredentialsAuditString,

29 })

30 }

32 var (

33 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first.

34 ErrNoClientStore = errors.New("no clientStore was specified for the Context")

35 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore.

36 ErrClientNotFound = errors.New("client not found in clientStore")

37 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with

38 // the same ID already exists in the clientStore.

39 ErrClientAlreadyExists = errors.New("client already exists in clientStore")

41 // ErrEmptyChange is returned when a Change has all its properties set to nil.

42 ErrEmptyChange = errors.New("change must have at least one property set")

43 // ErrClientNameTooShort is returned when a Client's Name property is too short.

44 ErrClientNameTooShort = errors.New("client name must be at least 2 characters")

45 // ErrClientNameTooLong is returned when a Client's Name property is too long.

46 ErrClientNameTooLong = errors.New("client name must be at most 32 characters")

47 // ErrClientLogoTooLong is returned when a Client's Logo property is too long.

48 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters")

49 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL.

50 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL")

51 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long.

52 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters")

53 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL.

54 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL")

55 // ErrEndpointURINotURL is returned when an Endpoint's URI property is not a valid absolute URL.

56 ErrEndpointURINotURL = errors.New("endpoint URI must be a valid absolute URL")

57 )

59 const (

60 clientTypePublic = "public"

61 clientTypeConfidential = "confidential"

62 minClientNameLen = 2

63 maxClientNameLen = 24

64 defaultClientResponseSize = 20

65 maxClientResponseSize = 50

66 defaultEndpointResponseSize = 20

67 maxEndpointResponseSize = 50

69 normalizeFlags = purell.FlagsUsuallySafeNonGreedy | purell.FlagSortQuery

70 )

72 // Client represents a client that grants access

73 // to the auth server, exchanging grants for tokens,

74 // and tokens for access.

75 type Client struct {

76 ID uuid.ID `json:"id,omitempty"`

77 Secret string `json:"secret,omitempty"`

78 OwnerID uuid.ID `json:"owner_id,omitempty"`

79 Name string `json:"name,omitempty"`

80 Logo string `json:"logo,omitempty"`

81 Website string `json:"website,omitempty"`

82 Type string `json:"type,omitempty"`

83 }

85 // ApplyChange applies the properties of the passed

86 // ClientChange to the Client object it is called on.

87 func (c *Client) ApplyChange(change ClientChange) {

88 if change.Secret != nil {

89 c.Secret = *change.Secret

90 }

91 if change.OwnerID != nil {

92 c.OwnerID = change.OwnerID

93 }

94 if change.Name != nil {

95 c.Name = *change.Name

96 }

97 if change.Logo != nil {

98 c.Logo = *change.Logo

99 }

100 if change.Website != nil {

101 c.Website = *change.Website

102 }

103 }

104

105 // ClientChange represents a bundle of options for

106 // updating a Client's mutable data.

107 type ClientChange struct {

108 Secret *string

109 OwnerID uuid.ID

110 Name *string

111 Logo *string

112 Website *string

113 }

114

115 // Validate checks the ClientChange it is called on

116 // and asserts its internal validity, or lack thereof.

117 func (c ClientChange) Validate() []error {

118 errors := []error{}

119 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil {

120 errors = append(errors, ErrEmptyChange)

121 return errors

122 }

123 if c.Name != nil && len(*c.Name) < 2 {

124 errors = append(errors, ErrClientNameTooShort)

125 }

126 if c.Name != nil && len(*c.Name) > 32 {

127 errors = append(errors, ErrClientNameTooLong)

128 }

129 if c.Logo != nil && *c.Logo != "" {

130 if len(*c.Logo) > 1024 {

131 errors = append(errors, ErrClientLogoTooLong)

132 }

133 u, err := url.Parse(*c.Logo)

134 if err != nil || !u.IsAbs() {

135 errors = append(errors, ErrClientLogoNotURL)

136 }

137 }

138 if c.Website != nil && *c.Website != "" {

139 if len(*c.Website) > 140 {

140 errors = append(errors, ErrClientWebsiteTooLong)

141 }

142 u, err := url.Parse(*c.Website)

143 if err != nil || !u.IsAbs() {

144 errors = append(errors, ErrClientWebsiteNotURL)

145 }

146 }

147 return errors

148 }

149

150 func getClientAuth(w http.ResponseWriter, r *http.Request, allowPublic bool) (uuid.ID, string, bool) {

151 enc := json.NewEncoder(w)

152 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth()

153 if !fromAuthHeader {

154 clientIDStr = r.PostFormValue("client_id")

155 }

156 if clientIDStr == "" {

157 w.WriteHeader(http.StatusUnauthorized)

158 if fromAuthHeader {

159 w.Header().Set("WWW-Authenticate", "Basic")

160 }

161 renderJSONError(enc, "invalid_client")

162 return nil, "", false

163 }

164 if !allowPublic && !fromAuthHeader {

165 w.WriteHeader(http.StatusBadRequest)

166 renderJSONError(enc, "unauthorized_client")

167 return nil, "", false

168 }

169 clientID, err := uuid.Parse(clientIDStr)

170 if err != nil {

171 log.Println("Error decoding client ID:", err)

172 w.WriteHeader(http.StatusUnauthorized)

173 if fromAuthHeader {

174 w.Header().Set("WWW-Authenticate", "Basic")

175 }

176 renderJSONError(enc, "invalid_client")

177 return nil, "", false

178 }

179 return clientID, clientSecret, true

180 }

181

182 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) {

183 enc := json.NewEncoder(w)

184 clientID, clientSecret, ok := getClientAuth(w, r, allowPublic)

185 if !ok {

186 return nil, false

187 }

188 _, _, fromAuthHeader := r.BasicAuth()

189 client, err := context.GetClient(clientID)

190 if err == ErrClientNotFound {

191 w.WriteHeader(http.StatusUnauthorized)

192 if fromAuthHeader {

193 w.Header().Set("WWW-Authenticate", "Basic")

194 }

195 renderJSONError(enc, "invalid_client")

196 return nil, false

197 } else if err != nil {

198 w.WriteHeader(http.StatusInternalServerError)

199 renderJSONError(enc, "server_error")

200 return nil, false

201 }

202 if client.Secret != clientSecret { // it's important that any client deemed "public" is not issued a client secret.

203 w.WriteHeader(http.StatusUnauthorized)

204 if fromAuthHeader {

205 w.Header().Set("WWW-Authenticate", "Basic")

206 }

207 renderJSONError(enc, "invalid_client")

208 return nil, false

209 }

210 return clientID, true

211 }

212

213 // Endpoint represents a single URI that a Client

214 // controls. Users will be redirected to these URIs

215 // following successful authorization grants and

216 // exchanges for access tokens.

217 type Endpoint struct {

218 ID uuid.ID `json:"id,omitempty"`

219 ClientID uuid.ID `json:"client_id,omitempty"`

220 URI string `json:"uri,omitempty"`

221 NormalizedURI string `json:"-"`

222 Added time.Time `json:"added,omitempty"`

223 }

224

225 func normalizeURIString(in string) (string, error) {

226 n, err := purell.NormalizeURLString(in, normalizeFlags)

227 if err != nil {

228 log.Println(err)

229 return in, ErrEndpointURINotURL

230 }

231 return n, nil

232 }

233

234 func normalizeURI(in *url.URL) string {

235 return purell.NormalizeURL(in, normalizeFlags)

236 }

237

238 type sortedEndpoints []Endpoint

239

240 func (s sortedEndpoints) Len() int {

241 return len(s)

242 }

243

244 func (s sortedEndpoints) Less(i, j int) bool {

245 return s[i].Added.Before(s[j].Added)

246 }

247

248 func (s sortedEndpoints) Swap(i, j int) {

249 s[i], s[j] = s[j], s[i]

250 }

251

252 type clientStore interface {

253 getClient(id uuid.ID) (Client, error)

254 saveClient(client Client) error

255 updateClient(id uuid.ID, change ClientChange) error

256 deleteClient(id uuid.ID) error

257 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error)

258

259 addEndpoints(client uuid.ID, endpoint []Endpoint) error

260 removeEndpoint(client, endpoint uuid.ID) error

261 checkEndpoint(client uuid.ID, endpoint string) (bool, error)

262 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error)

263 countEndpoints(client uuid.ID) (int64, error)

264 }

265

266 func (m *memstore) getClient(id uuid.ID) (Client, error) {

267 m.clientLock.RLock()

268 defer m.clientLock.RUnlock()

269 c, ok := m.clients[id.String()]

270 if !ok {

271 return Client{}, ErrClientNotFound

272 }

273 return c, nil

274 }

275

276 func (m *memstore) saveClient(client Client) error {

277 m.clientLock.Lock()

278 defer m.clientLock.Unlock()

279 if _, ok := m.clients[client.ID.String()]; ok {

280 return ErrClientAlreadyExists

281 }

282 m.clients[client.ID.String()] = client

283 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID)

284 return nil

285 }

286

287 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error {

288 m.clientLock.Lock()

289 defer m.clientLock.Unlock()

290 c, ok := m.clients[id.String()]

291 if !ok {

292 return ErrClientNotFound

293 }

294 c.ApplyChange(change)

295 m.clients[id.String()] = c

296 return nil

297 }

298

299 func (m *memstore) deleteClient(id uuid.ID) error {

300 client, err := m.getClient(id)

301 if err != nil {

302 return err

303 }

304 m.clientLock.Lock()

305 defer m.clientLock.Unlock()

306 delete(m.clients, id.String())

307 pos := -1

308 for p, item := range m.profileClientLookup[client.OwnerID.String()] {

309 if item.Equal(id) {

310 pos = p

311 break

312 }

313 }

314 if pos >= 0 {

315 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...)

316 }

317 return nil

318 }

319

320 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) {

321 ids := m.lookupClientsByProfileID(ownerID.String())

322 if len(ids) > num+offset {

323 ids = ids[offset : num+offset]

324 } else if len(ids) > offset {

325 ids = ids[offset:]

326 } else {

327 return []Client{}, nil