auth

Paddy 2015-02-20 Parent:bc842183181d Child:d30a3a12d387

auth/client.go

Introduced scopes. Created a Scope type and a scopeStore interface, along with the memstore methods for the scopeStore. This will allow applications to define access with granularity, so users can grant access to some data, not _all_ data. We're operating on the assumption that there won't be an unreasonable number of scopes defined, so there is no paging operation included for the ListScopes method. This is a decision that may have to be revisited in the future, depending on usecases.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "crypto/rand"

5 "encoding/hex"

6 "encoding/json"

7 "errors"

8 "log"

9 "net/http"

10 "net/url"

11 "strconv"

12 "time"

14 "github.com/PuerkitoBio/purell"

15 "github.com/gorilla/mux"

17 "code.secondbit.org/uuid.hg"

18 )

20 func init() {

21 RegisterGrantType("client_credentials", GrantType{

22 Validate: clientCredentialsValidate,

23 Invalidate: nil,

24 IssuesRefresh: true,

25 ReturnToken: RenderJSONToken,

26 AllowsPublic: false,

27 AuditString: clientCredentialsAuditString,

28 })

29 }

31 var (

32 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first.

33 ErrNoClientStore = errors.New("no clientStore was specified for the Context")

34 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore.

35 ErrClientNotFound = errors.New("client not found in clientStore")

36 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with

37 // the same ID already exists in the clientStore.

38 ErrClientAlreadyExists = errors.New("client already exists in clientStore")

40 // ErrEmptyChange is returned when a Change has all its properties set to nil.

41 ErrEmptyChange = errors.New("change must have at least one property set")

42 // ErrClientNameTooShort is returned when a Client's Name property is too short.

43 ErrClientNameTooShort = errors.New("client name must be at least 2 characters")

44 // ErrClientNameTooLong is returned when a Client's Name property is too long.

45 ErrClientNameTooLong = errors.New("client name must be at most 32 characters")

46 // ErrClientLogoTooLong is returned when a Client's Logo property is too long.

47 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters")

48 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL.

49 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL")

50 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long.

51 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters")

52 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL.

53 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL")

54 // ErrEndpointURINotURL is returned when an Endpoint's URI property is not a valid absolute URL.

55 ErrEndpointURINotURL = errors.New("endpoint URI must be a valid absolute URL")

56 )

58 const (

59 clientTypePublic = "public"

60 clientTypeConfidential = "confidential"

61 minClientNameLen = 2

62 maxClientNameLen = 24

63 defaultClientResponseSize = 20

64 maxClientResponseSize = 50

66 normalizeFlags = purell.FlagsUsuallySafeNonGreedy | purell.FlagSortQuery

67 )

69 // Client represents a client that grants access

70 // to the auth server, exchanging grants for tokens,

71 // and tokens for access.

72 type Client struct {

73 ID uuid.ID `json:"id,omitempty"`

74 Secret string `json:"secret,omitempty"`

75 OwnerID uuid.ID `json:"owner_id,omitempty"`

76 Name string `json:"name,omitempty"`

77 Logo string `json:"logo,omitempty"`

78 Website string `json:"website,omitempty"`

79 Type string `json:"type,omitempty"`

80 }

82 // ApplyChange applies the properties of the passed

83 // ClientChange to the Client object it is called on.

84 func (c *Client) ApplyChange(change ClientChange) {

85 if change.Secret != nil {

86 c.Secret = *change.Secret

87 }

88 if change.OwnerID != nil {

89 c.OwnerID = change.OwnerID

90 }

91 if change.Name != nil {

92 c.Name = *change.Name

93 }

94 if change.Logo != nil {

95 c.Logo = *change.Logo

96 }

97 if change.Website != nil {

98 c.Website = *change.Website

99 }

100 }

101

102 // ClientChange represents a bundle of options for

103 // updating a Client's mutable data.

104 type ClientChange struct {

105 Secret *string

106 OwnerID uuid.ID

107 Name *string

108 Logo *string

109 Website *string

110 }

111

112 // Validate checks the ClientChange it is called on

113 // and asserts its internal validity, or lack thereof.

114 func (c ClientChange) Validate() []error {

115 errors := []error{}

116 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil {

117 errors = append(errors, ErrEmptyChange)

118 return errors

119 }

120 if c.Name != nil && len(*c.Name) < 2 {

121 errors = append(errors, ErrClientNameTooShort)

122 }

123 if c.Name != nil && len(*c.Name) > 32 {

124 errors = append(errors, ErrClientNameTooLong)

125 }

126 if c.Logo != nil && *c.Logo != "" {

127 if len(*c.Logo) > 1024 {

128 errors = append(errors, ErrClientLogoTooLong)

129 }

130 u, err := url.Parse(*c.Logo)

131 if err != nil || !u.IsAbs() {

132 errors = append(errors, ErrClientLogoNotURL)

133 }

134 }

135 if c.Website != nil && *c.Website != "" {

136 if len(*c.Website) > 140 {

137 errors = append(errors, ErrClientWebsiteTooLong)

138 }

139 u, err := url.Parse(*c.Website)

140 if err != nil || !u.IsAbs() {

141 errors = append(errors, ErrClientWebsiteNotURL)

142 }

143 }

144 return errors

145 }

146

147 func getClientAuth(w http.ResponseWriter, r *http.Request, allowPublic bool) (uuid.ID, string, bool) {

148 enc := json.NewEncoder(w)

149 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth()

150 if !fromAuthHeader {

151 clientIDStr = r.PostFormValue("client_id")

152 }

153 if clientIDStr == "" {

154 w.WriteHeader(http.StatusUnauthorized)

155 if fromAuthHeader {

156 w.Header().Set("WWW-Authenticate", "Basic")

157 }

158 renderJSONError(enc, "invalid_client")

159 return nil, "", false

160 }

161 if !allowPublic && !fromAuthHeader {

162 w.WriteHeader(http.StatusBadRequest)

163 renderJSONError(enc, "unauthorized_client")

164 return nil, "", false

165 }

166 clientID, err := uuid.Parse(clientIDStr)

167 if err != nil {

168 log.Println("Error decoding client ID:", err)

169 w.WriteHeader(http.StatusUnauthorized)

170 if fromAuthHeader {

171 w.Header().Set("WWW-Authenticate", "Basic")

172 }

173 renderJSONError(enc, "invalid_client")

174 return nil, "", false

175 }

176 return clientID, clientSecret, true

177 }

178

179 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) {

180 enc := json.NewEncoder(w)

181 clientID, clientSecret, ok := getClientAuth(w, r, allowPublic)

182 if !ok {

183 return nil, false

184 }

185 _, _, fromAuthHeader := r.BasicAuth()

186 client, err := context.GetClient(clientID)

187 if err == ErrClientNotFound {

188 w.WriteHeader(http.StatusUnauthorized)

189 if fromAuthHeader {

190 w.Header().Set("WWW-Authenticate", "Basic")

191 }

192 renderJSONError(enc, "invalid_client")

193 return nil, false

194 } else if err != nil {

195 w.WriteHeader(http.StatusInternalServerError)

196 renderJSONError(enc, "server_error")

197 return nil, false

198 }

199 if client.Secret != clientSecret { // it's important that any client deemed "public" is not issued a client secret.

200 w.WriteHeader(http.StatusUnauthorized)

201 if fromAuthHeader {

202 w.Header().Set("WWW-Authenticate", "Basic")

203 }

204 renderJSONError(enc, "invalid_client")

205 return nil, false

206 }

207 return clientID, true

208 }

209

210 // Endpoint represents a single URI that a Client

211 // controls. Users will be redirected to these URIs

212 // following successful authorization grants and

213 // exchanges for access tokens.

214 type Endpoint struct {

215 ID uuid.ID `json:"id,omitempty"`

216 ClientID uuid.ID `json:"client_id,omitempty"`

217 URI string `json:"uri,omitempty"`

218 NormalizedURI string `json:"-"`

219 Added time.Time `json:"added,omitempty"`

220 }

221

222 func normalizeURIString(in string) (string, error) {

223 n, err := purell.NormalizeURLString(in, normalizeFlags)

224 if err != nil {

225 log.Println(err)

226 return in, ErrEndpointURINotURL

227 }

228 return n, nil

229 }

230

231 func normalizeURI(in *url.URL) string {

232 return purell.NormalizeURL(in, normalizeFlags)

233 }

234

235 type sortedEndpoints []Endpoint

236

237 func (s sortedEndpoints) Len() int {

238 return len(s)

239 }

240

241 func (s sortedEndpoints) Less(i, j int) bool {

242 return s[i].Added.Before(s[j].Added)

243 }

244

245 func (s sortedEndpoints) Swap(i, j int) {

246 s[i], s[j] = s[j], s[i]

247 }

248

249 type clientStore interface {

250 getClient(id uuid.ID) (Client, error)

251 saveClient(client Client) error

252 updateClient(id uuid.ID, change ClientChange) error

253 deleteClient(id uuid.ID) error

254 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error)

255

256 addEndpoints(client uuid.ID, endpoint []Endpoint) error

257 removeEndpoint(client, endpoint uuid.ID) error

258 checkEndpoint(client uuid.ID, endpoint string) (bool, error)

259 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error)

260 countEndpoints(client uuid.ID) (int64, error)

261 }

262

263 func (m *memstore) getClient(id uuid.ID) (Client, error) {

264 m.clientLock.RLock()

265 defer m.clientLock.RUnlock()

266 c, ok := m.clients[id.String()]

267 if !ok {

268 return Client{}, ErrClientNotFound

269 }

270 return c, nil

271 }

272

273 func (m *memstore) saveClient(client Client) error {

274 m.clientLock.Lock()

275 defer m.clientLock.Unlock()

276 if _, ok := m.clients[client.ID.String()]; ok {

277 return ErrClientAlreadyExists

278 }

279 m.clients[client.ID.String()] = client

280 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID)

281 return nil

282 }

283

284 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error {

285 m.clientLock.Lock()

286 defer m.clientLock.Unlock()

287 c, ok := m.clients[id.String()]

288 if !ok {

289 return ErrClientNotFound

290 }

291 c.ApplyChange(change)

292 m.clients[id.String()] = c

293 return nil

294 }

295

296 func (m *memstore) deleteClient(id uuid.ID) error {

297 client, err := m.getClient(id)

298 if err != nil {

299 return err

300 }

301 m.clientLock.Lock()

302 defer m.clientLock.Unlock()

303 delete(m.clients, id.String())

304 pos := -1

305 for p, item := range m.profileClientLookup[client.OwnerID.String()] {

306 if item.Equal(id) {

307 pos = p

308 break

309 }

310 }

311 if pos >= 0 {

312 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...)

313 }

314 return nil

315 }

316

317 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) {

318 ids := m.lookupClientsByProfileID(ownerID.String())

319 if len(ids) > num+offset {

320 ids = ids[offset : num+offset]

321 } else if len(ids) > offset {

322 ids = ids[offset:]

323 } else {

324 return []Client{}, nil