auth
auth/client.go
Log ignored errors, grant revocations can return an error. Turn a few TODOs for logging errors into calls to log the actual error. Change the return type of grant revocations for GrantTypes to an error, so they can be logged by the system, not each GrantType. Implement a stub of the revocation function for the authcode GrantType.
1 package auth
3 import (
4 "encoding/json"
5 "errors"
6 "net/http"
7 "net/url"
8 "time"
10 "code.secondbit.org/uuid"
11 )
13 var (
14 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first.
15 ErrNoClientStore = errors.New("no clientStore was specified for the Context")
16 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore.
17 ErrClientNotFound = errors.New("client not found in clientStore")
18 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with
19 // the same ID already exists in the clientStore.
20 ErrClientAlreadyExists = errors.New("client already exists in clientStore")
22 // ErrEmptyChange is returned when a Change has all its properties set to nil.
23 ErrEmptyChange = errors.New("change must have at least one property set")
24 // ErrClientNameTooShort is returned when a Client's Name property is too short.
25 ErrClientNameTooShort = errors.New("client name must be at least 2 characters")
26 // ErrClientNameTooLong is returned when a Client's Name property is too long.
27 ErrClientNameTooLong = errors.New("client name must be at most 32 characters")
28 // ErrClientLogoTooLong is returned when a Client's Logo property is too long.
29 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters")
30 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL.
31 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL")
32 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long.
33 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters")
34 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL.
35 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL")
36 )
38 // Client represents a client that grants access
39 // to the auth server, exchanging grants for tokens,
40 // and tokens for access.
41 type Client struct {
42 ID uuid.ID
43 Secret string
44 OwnerID uuid.ID
45 Name string
46 Logo string
47 Website string
48 Type string
49 }
51 // ApplyChange applies the properties of the passed
52 // ClientChange to the Client object it is called on.
53 func (c *Client) ApplyChange(change ClientChange) {
54 if change.Secret != nil {
55 c.Secret = *change.Secret
56 }
57 if change.OwnerID != nil {
58 c.OwnerID = change.OwnerID
59 }
60 if change.Name != nil {
61 c.Name = *change.Name
62 }
63 if change.Logo != nil {
64 c.Logo = *change.Logo
65 }
66 if change.Website != nil {
67 c.Website = *change.Website
68 }
69 }
71 // ClientChange represents a bundle of options for
72 // updating a Client's mutable data.
73 type ClientChange struct {
74 Secret *string
75 OwnerID uuid.ID
76 Name *string
77 Logo *string
78 Website *string
79 }
81 // Validate checks the ClientChange it is called on
82 // and asserts its internal validity, or lack thereof.
83 func (c ClientChange) Validate() error {
84 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil {
85 return ErrEmptyChange
86 }
87 if c.Name != nil && len(*c.Name) < 2 {
88 return ErrClientNameTooShort
89 }
90 if c.Name != nil && len(*c.Name) > 32 {
91 return ErrClientNameTooLong
92 }
93 if c.Logo != nil && *c.Logo != "" {
94 if len(*c.Logo) > 1024 {
95 return ErrClientLogoTooLong
96 }
97 u, err := url.Parse(*c.Logo)
98 if err != nil || !u.IsAbs() {
99 return ErrClientLogoNotURL
100 }
101 }
102 if c.Website != nil && *c.Website != "" {
103 if len(*c.Website) > 140 {
104 return ErrClientWebsiteTooLong
105 }
106 u, err := url.Parse(*c.Website)
107 if err != nil || !u.IsAbs() {
108 return ErrClientWebsiteNotURL
109 }
110 }
111 return nil
112 }
114 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) {
115 enc := json.NewEncoder(w)
116 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth()
117 if !fromAuthHeader {
118 if !allowPublic {
119 w.WriteHeader(http.StatusBadRequest)
120 renderJSONError(enc, "unauthorized_client")
121 return nil, false
122 }
123 clientIDStr = r.PostFormValue("client_id")
124 }
125 clientID, err := uuid.Parse(clientIDStr)
126 if err != nil {
127 w.WriteHeader(http.StatusUnauthorized)
128 if fromAuthHeader {
129 w.Header().Set("WWW-Authenticate", "Basic")
130 }
131 renderJSONError(enc, "invalid_client")
132 return nil, false
133 }
134 client, err := context.GetClient(clientID)
135 if err == ErrClientNotFound {
136 w.WriteHeader(http.StatusUnauthorized)
137 if fromAuthHeader {
138 w.Header().Set("WWW-Authenticate", "Basic")
139 }
140 renderJSONError(enc, "invalid_client")
141 return nil, false
142 } else if err != nil {
143 w.WriteHeader(http.StatusInternalServerError)
144 renderJSONError(enc, "server_error")
145 return nil, false
146 }
147 if client.Secret != clientSecret {
148 w.WriteHeader(http.StatusUnauthorized)
149 if fromAuthHeader {
150 w.Header().Set("WWW-Authenticate", "Basic")
151 }
152 renderJSONError(enc, "invalid_client")
153 return nil, false
154 }
155 return clientID, true
156 }
158 // Endpoint represents a single URI that a Client
159 // controls. Users will be redirected to these URIs
160 // following successful authorization grants and
161 // exchanges for access tokens.
162 type Endpoint struct {
163 ID uuid.ID
164 ClientID uuid.ID
165 URI url.URL
166 Added time.Time
167 }
169 type sortedEndpoints []Endpoint
171 func (s sortedEndpoints) Len() int {
172 return len(s)
173 }
175 func (s sortedEndpoints) Less(i, j int) bool {
176 return s[i].Added.Before(s[j].Added)
177 }
179 func (s sortedEndpoints) Swap(i, j int) {
180 s[i], s[j] = s[j], s[i]
181 }
183 type clientStore interface {
184 getClient(id uuid.ID) (Client, error)
185 saveClient(client Client) error
186 updateClient(id uuid.ID, change ClientChange) error
187 deleteClient(id uuid.ID) error
188 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error)
190 addEndpoint(client uuid.ID, endpoint Endpoint) error
191 removeEndpoint(client, endpoint uuid.ID) error
192 checkEndpoint(client uuid.ID, endpoint string) (bool, error)
193 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error)
194 countEndpoints(client uuid.ID) (int64, error)
195 }
197 func (m *memstore) getClient(id uuid.ID) (Client, error) {
198 m.clientLock.RLock()
199 defer m.clientLock.RUnlock()
200 c, ok := m.clients[id.String()]
201 if !ok {
202 return Client{}, ErrClientNotFound
203 }
204 return c, nil
205 }
207 func (m *memstore) saveClient(client Client) error {
208 m.clientLock.Lock()
209 defer m.clientLock.Unlock()
210 if _, ok := m.clients[client.ID.String()]; ok {
211 return ErrClientAlreadyExists
212 }
213 m.clients[client.ID.String()] = client
214 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID)
215 return nil
216 }
218 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error {
219 m.clientLock.Lock()
220 defer m.clientLock.Unlock()
221 c, ok := m.clients[id.String()]
222 if !ok {
223 return ErrClientNotFound
224 }
225 c.ApplyChange(change)
226 m.clients[id.String()] = c
227 return nil
228 }
230 func (m *memstore) deleteClient(id uuid.ID) error {
231 client, err := m.getClient(id)
232 if err != nil {
233 return err
234 }
235 m.clientLock.Lock()
236 defer m.clientLock.Unlock()
237 delete(m.clients, id.String())
238 pos := -1
239 for p, item := range m.profileClientLookup[client.OwnerID.String()] {
240 if item.Equal(id) {
241 pos = p
242 break
243 }
244 }
245 if pos >= 0 {
246 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...)
247 }
248 return nil
249 }
251 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) {
252 ids := m.lookupClientsByProfileID(ownerID.String())
253 if len(ids) > num+offset {
254 ids = ids[offset : num+offset]
255 } else if len(ids) > offset {
256 ids = ids[offset:]
257 } else {
258 return []Client{}, nil
259 }
260 clients := []Client{}
261 for _, id := range ids {
262 client, err := m.getClient(id)
263 if err != nil {
264 return []Client{}, err
265 }
266 clients = append(clients, client)
267 }
268 return clients, nil
269 }
271 func (m *memstore) addEndpoint(client uuid.ID, endpoint Endpoint) error {
272 m.endpointLock.Lock()
273 defer m.endpointLock.Unlock()
274 m.endpoints[client.String()] = append(m.endpoints[client.String()], endpoint)
275 return nil
276 }
278 func (m *memstore) removeEndpoint(client, endpoint uuid.ID) error {
279 m.endpointLock.Lock()
280 defer m.endpointLock.Unlock()
281 pos := -1
282 for p, item := range m.endpoints[client.String()] {
283 if item.ID.Equal(endpoint) {
284 pos = p
285 break
286 }
287 }
288 if pos >= 0 {
289 m.endpoints[client.String()] = append(m.endpoints[client.String()][:pos], m.endpoints[client.String()][pos+1:]...)
290 }
291 return nil
292 }
294 func (m *memstore) checkEndpoint(client uuid.ID, endpoint string) (bool, error) {
295 m.endpointLock.RLock()
296 defer m.endpointLock.RUnlock()
297 for _, candidate := range m.endpoints[client.String()] {
298 if endpoint == candidate.URI.String() {
299 return true, nil
300 }
301 }
302 return false, nil
303 }
305 func (m *memstore) listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error) {
306 m.endpointLock.RLock()
307 defer m.endpointLock.RUnlock()
308 return m.endpoints[client.String()], nil
309 }
311 func (m *memstore) countEndpoints(client uuid.ID) (int64, error) {
312 m.endpointLock.RLock()
313 defer m.endpointLock.RUnlock()
314 return int64(len(m.endpoints[client.String()])), nil
315 }