auth

Paddy 2015-03-21 Parent:93c758f57c69 Child:77db7c65216c

auth/client.go

Test our Postgres profileStore implementation. Update all our test cases to use time.Now().Round(time.Millisecond), because Go uses nanosecond precision on time values, but Postgres silently truncates that to millisecond precision. This caused our tests to report false failures that were just silent precision loss, not actual failures. Set up our authd server to use the Postgres store for profiles and automatically create a test scope when starting up. Log errors when creating Clients through the API, instead of just swallowing them and sending back cryptic act of god errors. Add a NewPostgres helper that returns a postgres profileStore from a connection string (passed through pq transparently). Add an Empty() bool helper to ProfileChange and BulkProfileChange types, so we can determine if there are any changes we need to act on easily. Log errors when creating Pofiles through the API, instead of just swalloing them and sending back cryptic act of god errors. Remove the ` quotes around field and table names, which are not supported in Postgres. This required adding a few functions/methods to pan. Detect situations where a profile was expected and not found, and return ErrProfileNotFound. Detect pq errors thrown when the profiles_pkey constraint is violated, and transform them to the ErrProfileAlreadyExists error. Detect empty ProfileChange and BulkProfileChange variables and abort the updateProfile and updateProfiles methods early, before invalid SQL is generated. Detect pq errors thrown when the logins_pkey constraint is violated, and transform them to the ErrLoginAlreadyExists error. Detect when removing a Login and no rows were affected, and return an ErrLoginNotFound. Create an sql dir with a postgres_init script that will initialize the schema of the tables expected in the database.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "crypto/rand"

5 "encoding/hex"

6 "encoding/json"

7 "errors"

8 "log"

9 "net/http"

10 "net/url"

11 "strconv"

12 "strings"

13 "time"

15 "github.com/PuerkitoBio/purell"

16 "github.com/gorilla/mux"

18 "code.secondbit.org/uuid.hg"

19 )

21 func init() {

22 RegisterGrantType("client_credentials", GrantType{

23 Validate: clientCredentialsValidate,

24 Invalidate: nil,

25 IssuesRefresh: true,

26 ReturnToken: RenderJSONToken,

27 AllowsPublic: false,

28 AuditString: clientCredentialsAuditString,

29 })

30 }

32 var (

33 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first.

34 ErrNoClientStore = errors.New("no clientStore was specified for the Context")

35 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore.

36 ErrClientNotFound = errors.New("client not found in clientStore")

37 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with

38 // the same ID already exists in the clientStore.

39 ErrClientAlreadyExists = errors.New("client already exists in clientStore")

40 // ErrEndpointNotFound is returned when an Endpoint is requested but not found in a clientSTore.

41 ErrEndpointNotFound = errors.New("endpoint not found in clientStore")

43 // ErrEmptyChange is returned when a Change has all its properties set to nil.

44 ErrEmptyChange = errors.New("change must have at least one property set")

45 // ErrClientNameTooShort is returned when a Client's Name property is too short.

46 ErrClientNameTooShort = errors.New("client name must be at least 2 characters")

47 // ErrClientNameTooLong is returned when a Client's Name property is too long.

48 ErrClientNameTooLong = errors.New("client name must be at most 32 characters")

49 // ErrClientLogoTooLong is returned when a Client's Logo property is too long.

50 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters")

51 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL.

52 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL")

53 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long.

54 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters")

55 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL.

56 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL")

57 // ErrEndpointURINotURL is returned when an Endpoint's URI property is not a valid absolute URL.

58 ErrEndpointURINotURL = errors.New("endpoint URI must be a valid absolute URL")

59 )

61 const (

62 clientTypePublic = "public"

63 clientTypeConfidential = "confidential"

64 minClientNameLen = 2

65 maxClientNameLen = 24

66 defaultClientResponseSize = 20

67 maxClientResponseSize = 50

68 defaultEndpointResponseSize = 20

69 maxEndpointResponseSize = 50

71 normalizeFlags = purell.FlagsUsuallySafeNonGreedy | purell.FlagSortQuery

72 )

74 // Client represents a client that grants access

75 // to the auth server, exchanging grants for tokens,

76 // and tokens for access.

77 type Client struct {

78 ID uuid.ID `json:"id,omitempty"`

79 Secret string `json:"secret,omitempty"`

80 OwnerID uuid.ID `json:"owner_id,omitempty"`

81 Name string `json:"name,omitempty"`

82 Logo string `json:"logo,omitempty"`

83 Website string `json:"website,omitempty"`

84 Type string `json:"type,omitempty"`

85 }

87 // ApplyChange applies the properties of the passed

88 // ClientChange to the Client object it is called on.

89 func (c *Client) ApplyChange(change ClientChange) {

90 if change.Secret != nil {

91 c.Secret = *change.Secret

92 }

93 if change.OwnerID != nil {

94 c.OwnerID = change.OwnerID

95 }

96 if change.Name != nil {

97 c.Name = *change.Name

98 }

99 if change.Logo != nil {

100 c.Logo = *change.Logo

101 }

102 if change.Website != nil {

103 c.Website = *change.Website

104 }

105 }

106

107 // ClientChange represents a bundle of options for

108 // updating a Client's mutable data.

109 type ClientChange struct {

110 Secret *string

111 OwnerID uuid.ID

112 Name *string

113 Logo *string

114 Website *string

115 }

116

117 // Validate checks the ClientChange it is called on

118 // and asserts its internal validity, or lack thereof.

119 func (c ClientChange) Validate() []error {

120 errors := []error{}

121 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil {

122 errors = append(errors, ErrEmptyChange)

123 return errors

124 }

125 if c.Name != nil && len(*c.Name) < 2 {

126 errors = append(errors, ErrClientNameTooShort)

127 }

128 if c.Name != nil && len(*c.Name) > 32 {

129 errors = append(errors, ErrClientNameTooLong)

130 }

131 if c.Logo != nil && *c.Logo != "" {

132 if len(*c.Logo) > 1024 {

133 errors = append(errors, ErrClientLogoTooLong)

134 }

135 u, err := url.Parse(*c.Logo)

136 if err != nil || !u.IsAbs() {

137 errors = append(errors, ErrClientLogoNotURL)

138 }

139 }

140 if c.Website != nil && *c.Website != "" {

141 if len(*c.Website) > 140 {

142 errors = append(errors, ErrClientWebsiteTooLong)

143 }

144 u, err := url.Parse(*c.Website)

145 if err != nil || !u.IsAbs() {

146 errors = append(errors, ErrClientWebsiteNotURL)

147 }

148 }

149 return errors

150 }

151

152 func getClientAuth(w http.ResponseWriter, r *http.Request, allowPublic bool) (uuid.ID, string, bool) {

153 enc := json.NewEncoder(w)

154 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth()

155 if !fromAuthHeader {

156 clientIDStr = r.PostFormValue("client_id")

157 }

158 if clientIDStr == "" {

159 w.WriteHeader(http.StatusUnauthorized)

160 if fromAuthHeader {

161 w.Header().Set("WWW-Authenticate", "Basic")

162 }

163 renderJSONError(enc, "invalid_client")

164 return nil, "", false

165 }

166 if !allowPublic && !fromAuthHeader {

167 w.WriteHeader(http.StatusBadRequest)

168 renderJSONError(enc, "unauthorized_client")

169 return nil, "", false

170 }

171 clientID, err := uuid.Parse(clientIDStr)

172 if err != nil {

173 log.Println("Error decoding client ID:", err)

174 w.WriteHeader(http.StatusUnauthorized)

175 if fromAuthHeader {

176 w.Header().Set("WWW-Authenticate", "Basic")

177 }

178 renderJSONError(enc, "invalid_client")

179 return nil, "", false

180 }

181 return clientID, clientSecret, true

182 }

183

184 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) {

185 enc := json.NewEncoder(w)

186 clientID, clientSecret, ok := getClientAuth(w, r, allowPublic)

187 if !ok {

188 return nil, false

189 }

190 _, _, fromAuthHeader := r.BasicAuth()

191 client, err := context.GetClient(clientID)

192 if err == ErrClientNotFound {

193 w.WriteHeader(http.StatusUnauthorized)

194 if fromAuthHeader {

195 w.Header().Set("WWW-Authenticate", "Basic")

196 }

197 renderJSONError(enc, "invalid_client")

198 return nil, false

199 } else if err != nil {

200 w.WriteHeader(http.StatusInternalServerError)

201 renderJSONError(enc, "server_error")

202 return nil, false

203 }

204 if client.Secret != clientSecret { // it's important that any client deemed "public" is not issued a client secret.

205 w.WriteHeader(http.StatusUnauthorized)

206 if fromAuthHeader {

207 w.Header().Set("WWW-Authenticate", "Basic")

208 }

209 renderJSONError(enc, "invalid_client")

210 return nil, false

211 }

212 return clientID, true

213 }

214

215 // Endpoint represents a single URI that a Client

216 // controls. Users will be redirected to these URIs

217 // following successful authorization grants and

218 // exchanges for access tokens.

219 type Endpoint struct {

220 ID uuid.ID `json:"id,omitempty"`

221 ClientID uuid.ID `json:"client_id,omitempty"`

222 URI string `json:"uri,omitempty"`

223 NormalizedURI string `json:"-"`

224 Added time.Time `json:"added,omitempty"`

225 }

226

227 func normalizeURIString(in string) (string, error) {

228 n, err := purell.NormalizeURLString(in, normalizeFlags)

229 if err != nil {

230 log.Println(err)

231 return in, ErrEndpointURINotURL

232 }

233 return n, nil

234 }

235

236 func normalizeURI(in *url.URL) string {

237 return purell.NormalizeURL(in, normalizeFlags)

238 }

239

240 type sortedEndpoints []Endpoint

241

242 func (s sortedEndpoints) Len() int {

243 return len(s)

244 }

245

246 func (s sortedEndpoints) Less(i, j int) bool {

247 return s[i].Added.Before(s[j].Added)

248 }

249

250 func (s sortedEndpoints) Swap(i, j int) {

251 s[i], s[j] = s[j], s[i]

252 }

253

254 type clientStore interface {

255 getClient(id uuid.ID) (Client, error)

256 saveClient(client Client) error

257 updateClient(id uuid.ID, change ClientChange) error

258 deleteClient(id uuid.ID) error

259 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error)

260

261 addEndpoints(client uuid.ID, endpoint []Endpoint) error

262 removeEndpoint(client, endpoint uuid.ID) error

263 getEndpoint(client, endpoint uuid.ID) (Endpoint, error)

264 checkEndpoint(client uuid.ID, endpoint string) (bool, error)

265 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error)

266 countEndpoints(client uuid.ID) (int64, error)

267 }

268

269 func (m *memstore) getClient(id uuid.ID) (Client, error) {

270 m.clientLock.RLock()

271 defer m.clientLock.RUnlock()

272 c, ok := m.clients[id.String()]

273 if !ok {

274 return Client{}, ErrClientNotFound

275 }

276 return c, nil

277 }

278

279 func (m *memstore) saveClient(client Client) error {

280 m.clientLock.Lock()

281 defer m.clientLock.Unlock()

282 if _, ok := m.clients[client.ID.String()]; ok {

283 return ErrClientAlreadyExists

284 }

285 m.clients[client.ID.String()] = client

286 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID)

287 return nil

288 }

289

290 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error {

291 m.clientLock.Lock()

292 defer m.clientLock.Unlock()

293 c, ok := m.clients[id.String()]

294 if !ok {

295 return ErrClientNotFound

296 }

297 c.ApplyChange(change)

298 m.clients[id.String()] = c

299 return nil

300 }

301

302 func (m *memstore) deleteClient(id uuid.ID) error {

303 client, err := m.getClient(id)

304 if err != nil {

305 return err

306 }

307 m.clientLock.Lock()

308 defer m.clientLock.Unlock()

309 delete(m.clients, id.String())

310 pos := -1

311 for p, item := range m.profileClientLookup[client.OwnerID.String()] {

312 if item.Equal(id) {

313 pos = p

314 break

315 }

316 }

317 if pos >= 0 {

318 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...)

319 }

320 return nil

321 }

322

323 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) {

324 ids := m.lookupClientsByProfileID(ownerID.String())

325 if len(ids) > num+offset {

326 ids = ids[offset : num+offset]

327 } else if len(ids) > offset {

328 ids = ids[offset:]

329 } else {

330 return []Client{}, nil