auth

Paddy 2015-03-21 Parent:93c758f57c69 Child:8267e1c8bcd1

auth/client.go

Do a first, naive pass at storing profiles in Postgres. This is untested against an actual database. It's a best-guess attempt at SQL. It _should_ work. I think. Start storing things in Postgres, starting with Profiles and Logins. This necessitates the addition of a Deleted property to the Profile type, because I'm not deleting those in case of accidental deletion. Logins, though, we'll delete. This also necessitates updating the profileStore interface to no longer have a deleteProfile method, because we're tracking that through updates now. Then we need to update our profileStore tests, because they no longer clean up after themselves. Which, come to think of it, may cause some problems later.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "crypto/rand"

5 "encoding/hex"

6 "encoding/json"

7 "errors"

8 "log"

9 "net/http"

10 "net/url"

11 "strconv"

12 "strings"

13 "time"

15 "github.com/PuerkitoBio/purell"

16 "github.com/gorilla/mux"

18 "code.secondbit.org/uuid.hg"

19 )

21 func init() {

22 RegisterGrantType("client_credentials", GrantType{

23 Validate: clientCredentialsValidate,

24 Invalidate: nil,

25 IssuesRefresh: true,

26 ReturnToken: RenderJSONToken,

27 AllowsPublic: false,

28 AuditString: clientCredentialsAuditString,

29 })

30 }

32 var (

33 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first.

34 ErrNoClientStore = errors.New("no clientStore was specified for the Context")

35 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore.

36 ErrClientNotFound = errors.New("client not found in clientStore")

37 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with

38 // the same ID already exists in the clientStore.

39 ErrClientAlreadyExists = errors.New("client already exists in clientStore")

40 // ErrEndpointNotFound is returned when an Endpoint is requested but not found in a clientSTore.

41 ErrEndpointNotFound = errors.New("endpoint not found in clientStore")

43 // ErrEmptyChange is returned when a Change has all its properties set to nil.

44 ErrEmptyChange = errors.New("change must have at least one property set")

45 // ErrClientNameTooShort is returned when a Client's Name property is too short.

46 ErrClientNameTooShort = errors.New("client name must be at least 2 characters")

47 // ErrClientNameTooLong is returned when a Client's Name property is too long.

48 ErrClientNameTooLong = errors.New("client name must be at most 32 characters")

49 // ErrClientLogoTooLong is returned when a Client's Logo property is too long.

50 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters")

51 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL.

52 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL")

53 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long.

54 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters")

55 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL.

56 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL")

57 // ErrEndpointURINotURL is returned when an Endpoint's URI property is not a valid absolute URL.

58 ErrEndpointURINotURL = errors.New("endpoint URI must be a valid absolute URL")

59 )

61 const (

62 clientTypePublic = "public"

63 clientTypeConfidential = "confidential"

64 minClientNameLen = 2

65 maxClientNameLen = 24

66 defaultClientResponseSize = 20

67 maxClientResponseSize = 50

68 defaultEndpointResponseSize = 20

69 maxEndpointResponseSize = 50

71 normalizeFlags = purell.FlagsUsuallySafeNonGreedy | purell.FlagSortQuery

72 )

74 // Client represents a client that grants access

75 // to the auth server, exchanging grants for tokens,

76 // and tokens for access.

77 type Client struct {

78 ID uuid.ID `json:"id,omitempty"`

79 Secret string `json:"secret,omitempty"`

80 OwnerID uuid.ID `json:"owner_id,omitempty"`

81 Name string `json:"name,omitempty"`

82 Logo string `json:"logo,omitempty"`

83 Website string `json:"website,omitempty"`

84 Type string `json:"type,omitempty"`

85 }

87 // ApplyChange applies the properties of the passed

88 // ClientChange to the Client object it is called on.

89 func (c *Client) ApplyChange(change ClientChange) {

90 if change.Secret != nil {

91 c.Secret = *change.Secret

92 }

93 if change.OwnerID != nil {

94 c.OwnerID = change.OwnerID

95 }

96 if change.Name != nil {

97 c.Name = *change.Name

98 }

99 if change.Logo != nil {

100 c.Logo = *change.Logo

101 }

102 if change.Website != nil {

103 c.Website = *change.Website

104 }

105 }

106

107 // ClientChange represents a bundle of options for

108 // updating a Client's mutable data.

109 type ClientChange struct {

110 Secret *string

111 OwnerID uuid.ID

112 Name *string

113 Logo *string

114 Website *string

115 }

116

117 // Validate checks the ClientChange it is called on

118 // and asserts its internal validity, or lack thereof.

119 func (c ClientChange) Validate() []error {

120 errors := []error{}

121 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil {

122 errors = append(errors, ErrEmptyChange)

123 return errors

124 }

125 if c.Name != nil && len(*c.Name) < 2 {

126 errors = append(errors, ErrClientNameTooShort)

127 }

128 if c.Name != nil && len(*c.Name) > 32 {

129 errors = append(errors, ErrClientNameTooLong)

130 }

131 if c.Logo != nil && *c.Logo != "" {

132 if len(*c.Logo) > 1024 {

133 errors = append(errors, ErrClientLogoTooLong)

134 }

135 u, err := url.Parse(*c.Logo)

136 if err != nil || !u.IsAbs() {

137 errors = append(errors, ErrClientLogoNotURL)

138 }

139 }

140 if c.Website != nil && *c.Website != "" {

141 if len(*c.Website) > 140 {

142 errors = append(errors, ErrClientWebsiteTooLong)

143 }

144 u, err := url.Parse(*c.Website)

145 if err != nil || !u.IsAbs() {

146 errors = append(errors, ErrClientWebsiteNotURL)

147 }

148 }

149 return errors

150 }

151

152 func getClientAuth(w http.ResponseWriter, r *http.Request, allowPublic bool) (uuid.ID, string, bool) {

153 enc := json.NewEncoder(w)

154 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth()

155 if !fromAuthHeader {

156 clientIDStr = r.PostFormValue("client_id")

157 }

158 if clientIDStr == "" {

159 w.WriteHeader(http.StatusUnauthorized)

160 if fromAuthHeader {

161 w.Header().Set("WWW-Authenticate", "Basic")

162 }

163 renderJSONError(enc, "invalid_client")

164 return nil, "", false

165 }

166 if !allowPublic && !fromAuthHeader {

167 w.WriteHeader(http.StatusBadRequest)

168 renderJSONError(enc, "unauthorized_client")

169 return nil, "", false

170 }

171 clientID, err := uuid.Parse(clientIDStr)

172 if err != nil {

173 log.Println("Error decoding client ID:", err)

174 w.WriteHeader(http.StatusUnauthorized)

175 if fromAuthHeader {

176 w.Header().Set("WWW-Authenticate", "Basic")

177 }

178 renderJSONError(enc, "invalid_client")

179 return nil, "", false

180 }

181 return clientID, clientSecret, true

182 }

183

184 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) {

185 enc := json.NewEncoder(w)

186 clientID, clientSecret, ok := getClientAuth(w, r, allowPublic)

187 if !ok {

188 return nil, false

189 }

190 _, _, fromAuthHeader := r.BasicAuth()

191 client, err := context.GetClient(clientID)

192 if err == ErrClientNotFound {

193 w.WriteHeader(http.StatusUnauthorized)

194 if fromAuthHeader {

195 w.Header().Set("WWW-Authenticate", "Basic")

196 }

197 renderJSONError(enc, "invalid_client")

198 return nil, false

199 } else if err != nil {

200 w.WriteHeader(http.StatusInternalServerError)

201 renderJSONError(enc, "server_error")

202 return nil, false

203 }

204 if client.Secret != clientSecret { // it's important that any client deemed "public" is not issued a client secret.

205 w.WriteHeader(http.StatusUnauthorized)

206 if fromAuthHeader {

207 w.Header().Set("WWW-Authenticate", "Basic")

208 }

209 renderJSONError(enc, "invalid_client")

210 return nil, false

211 }

212 return clientID, true

213 }

214

215 // Endpoint represents a single URI that a Client

216 // controls. Users will be redirected to these URIs

217 // following successful authorization grants and

218 // exchanges for access tokens.

219 type Endpoint struct {

220 ID uuid.ID `json:"id,omitempty"`

221 ClientID uuid.ID `json:"client_id,omitempty"`

222 URI string `json:"uri,omitempty"`

223 NormalizedURI string `json:"-"`

224 Added time.Time `json:"added,omitempty"`

225 }

226

227 func normalizeURIString(in string) (string, error) {

228 n, err := purell.NormalizeURLString(in, normalizeFlags)

229 if err != nil {

230 log.Println(err)

231 return in, ErrEndpointURINotURL

232 }

233 return n, nil

234 }

235

236 func normalizeURI(in *url.URL) string {

237 return purell.NormalizeURL(in, normalizeFlags)

238 }

239

240 type sortedEndpoints []Endpoint

241

242 func (s sortedEndpoints) Len() int {

243 return len(s)

244 }

245

246 func (s sortedEndpoints) Less(i, j int) bool {

247 return s[i].Added.Before(s[j].Added)

248 }

249

250 func (s sortedEndpoints) Swap(i, j int) {

251 s[i], s[j] = s[j], s[i]

252 }

253

254 type clientStore interface {

255 getClient(id uuid.ID) (Client, error)

256 saveClient(client Client) error

257 updateClient(id uuid.ID, change ClientChange) error

258 deleteClient(id uuid.ID) error

259 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error)

260

261 addEndpoints(client uuid.ID, endpoint []Endpoint) error

262 removeEndpoint(client, endpoint uuid.ID) error

263 getEndpoint(client, endpoint uuid.ID) (Endpoint, error)

264 checkEndpoint(client uuid.ID, endpoint string) (bool, error)

265 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error)

266 countEndpoints(client uuid.ID) (int64, error)

267 }

268

269 func (m *memstore) getClient(id uuid.ID) (Client, error) {

270 m.clientLock.RLock()

271 defer m.clientLock.RUnlock()

272 c, ok := m.clients[id.String()]

273 if !ok {

274 return Client{}, ErrClientNotFound

275 }

276 return c, nil

277 }

278

279 func (m *memstore) saveClient(client Client) error {

280 m.clientLock.Lock()

281 defer m.clientLock.Unlock()

282 if _, ok := m.clients[client.ID.String()]; ok {

283 return ErrClientAlreadyExists

284 }

285 m.clients[client.ID.String()] = client

286 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID)

287 return nil

288 }

289

290 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error {

291 m.clientLock.Lock()

292 defer m.clientLock.Unlock()

293 c, ok := m.clients[id.String()]

294 if !ok {

295 return ErrClientNotFound

296 }

297 c.ApplyChange(change)

298 m.clients[id.String()] = c

299 return nil

300 }

301

302 func (m *memstore) deleteClient(id uuid.ID) error {

303 client, err := m.getClient(id)

304 if err != nil {

305 return err

306 }

307 m.clientLock.Lock()

308 defer m.clientLock.Unlock()

309 delete(m.clients, id.String())

310 pos := -1

311 for p, item := range m.profileClientLookup[client.OwnerID.String()] {

312 if item.Equal(id) {

313 pos = p

314 break

315 }

316 }

317 if pos >= 0 {

318 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...)

319 }

320 return nil

321 }

322

323 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) {

324 ids := m.lookupClientsByProfileID(ownerID.String())

325 if len(ids) > num+offset {

326 ids = ids[offset : num+offset]

327 } else if len(ids) > offset {

328 ids = ids[offset:]

329 } else {

330 return []Client{}, nil