2020-11-19 04:30:05 +00:00
|
|
|
|
// Copyright 2020 the Pinniped contributors. All Rights Reserved.
|
|
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
|
|
package authorizationcode
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
stderrors "errors"
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/ory/fosite"
|
|
|
|
|
"github.com/ory/fosite/handler/oauth2"
|
|
|
|
|
"github.com/ory/fosite/handler/openid"
|
|
|
|
|
"k8s.io/apimachinery/pkg/api/errors"
|
|
|
|
|
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
|
|
|
|
|
|
|
|
|
|
"go.pinniped.dev/internal/constable"
|
|
|
|
|
"go.pinniped.dev/internal/crud"
|
2020-12-01 22:53:22 +00:00
|
|
|
|
"go.pinniped.dev/internal/fositestorage"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2020-12-02 01:18:32 +00:00
|
|
|
|
ErrInvalidAuthorizeRequestData = constable.Error("authorization request data must be present")
|
2020-11-19 04:30:05 +00:00
|
|
|
|
ErrInvalidAuthorizeRequestVersion = constable.Error("authorization request data has wrong version")
|
|
|
|
|
|
|
|
|
|
authorizeCodeStorageVersion = "1"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var _ oauth2.AuthorizeCodeStorage = &authorizeCodeStorage{}
|
|
|
|
|
|
|
|
|
|
type authorizeCodeStorage struct {
|
|
|
|
|
storage crud.Storage
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type AuthorizeCodeSession struct {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
Active bool `json:"active"`
|
|
|
|
|
Request *fosite.Request `json:"request"`
|
|
|
|
|
Version string `json:"version"`
|
2020-11-19 04:30:05 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func New(secrets corev1client.SecretInterface) oauth2.AuthorizeCodeStorage {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
return &authorizeCodeStorage{storage: crud.New("authcode", secrets)}
|
2020-11-19 04:30:05 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *authorizeCodeStorage) CreateAuthorizeCodeSession(ctx context.Context, signature string, requester fosite.Requester) error {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
// This conversion assumes that we do not wrap the default type in any way
|
2020-11-19 04:30:05 +00:00
|
|
|
|
// i.e. we use the default fosite.OAuth2Provider.NewAuthorizeRequest implementation
|
|
|
|
|
// note that because this type is serialized and stored in Kube, we cannot easily change the implementation later
|
2020-12-01 22:53:22 +00:00
|
|
|
|
request, err := fositestorage.ValidateAndExtractAuthorizeRequest(requester)
|
2020-11-19 04:30:05 +00:00
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-01 19:01:23 +00:00
|
|
|
|
// Note, in case it is helpful, that Hydra stores specific fields from the requester:
|
2020-11-19 04:30:05 +00:00
|
|
|
|
// request ID
|
|
|
|
|
// requestedAt
|
|
|
|
|
// OAuth client ID
|
|
|
|
|
// requested scopes, granted scopes
|
|
|
|
|
// requested audience, granted audience
|
|
|
|
|
// url encoded request form
|
|
|
|
|
// session as JSON bytes with (optional) encryption
|
|
|
|
|
// session subject
|
|
|
|
|
// consent challenge from session which is the identifier ("authorization challenge")
|
|
|
|
|
// of the consent authorization request. It is used to identify the session.
|
|
|
|
|
// signature for lookup in the DB
|
|
|
|
|
|
|
|
|
|
_, err = a.storage.Create(ctx, signature, &AuthorizeCodeSession{Active: true, Request: request, Version: authorizeCodeStorageVersion})
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *authorizeCodeStorage) GetAuthorizeCodeSession(ctx context.Context, signature string, _ fosite.Session) (fosite.Requester, error) {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
// Note, in case it is helpful, that Hydra:
|
|
|
|
|
// - uses the incoming fosite.Session to provide the type needed to json.Unmarshal their session bytes
|
|
|
|
|
// - gets the client from its DB as a concrete type via client ID, the hydra memory client just validates that the
|
|
|
|
|
// client ID exists
|
|
|
|
|
// - hydra uses the sha512.Sum384 hash of signature when using JWT as access token to reduce length
|
2020-11-19 04:30:05 +00:00
|
|
|
|
|
|
|
|
|
session, _, err := a.getSession(ctx, signature)
|
|
|
|
|
|
|
|
|
|
// we need to always pass both the request and error back
|
|
|
|
|
if session == nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return session.Request, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *authorizeCodeStorage) InvalidateAuthorizeCodeSession(ctx context.Context, signature string) error {
|
|
|
|
|
session, rv, err := a.getSession(ctx, signature)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
session.Active = false
|
|
|
|
|
if _, err := a.storage.Update(ctx, signature, rv, session); err != nil {
|
|
|
|
|
if errors.IsConflict(err) {
|
|
|
|
|
return &errSerializationFailureWithCause{cause: err}
|
|
|
|
|
}
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *authorizeCodeStorage) getSession(ctx context.Context, signature string) (*AuthorizeCodeSession, string, error) {
|
|
|
|
|
session := NewValidEmptyAuthorizeCodeSession()
|
|
|
|
|
rv, err := a.storage.Get(ctx, signature, session)
|
|
|
|
|
|
|
|
|
|
if errors.IsNotFound(err) {
|
|
|
|
|
return nil, "", fosite.ErrNotFound.WithCause(err).WithDebug(err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, "", fmt.Errorf("failed to get authorization code session for %s: %w", signature, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if version := session.Version; version != authorizeCodeStorageVersion {
|
|
|
|
|
return nil, "", fmt.Errorf("%w: authorization code session for %s has version %s instead of %s",
|
|
|
|
|
ErrInvalidAuthorizeRequestVersion, signature, version, authorizeCodeStorageVersion)
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-02 01:18:32 +00:00
|
|
|
|
if session.Request.ID == "" {
|
2020-11-19 04:30:05 +00:00
|
|
|
|
return nil, "", fmt.Errorf("malformed authorization code session for %s: %w", signature, ErrInvalidAuthorizeRequestData)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// we must return the session in this case to allow fosite to revoke the associated tokens
|
|
|
|
|
if !session.Active {
|
|
|
|
|
return session, rv, fmt.Errorf("authorization code session for %s has already been used: %w", signature, fosite.ErrInvalidatedAuthorizeCode)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return session, rv, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewValidEmptyAuthorizeCodeSession() *AuthorizeCodeSession {
|
|
|
|
|
return &AuthorizeCodeSession{
|
2020-12-01 19:01:23 +00:00
|
|
|
|
Request: &fosite.Request{
|
|
|
|
|
Client: &fosite.DefaultOpenIDConnectClient{},
|
|
|
|
|
Session: &openid.DefaultSession{},
|
2020-11-19 04:30:05 +00:00
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var _ interface {
|
|
|
|
|
Is(error) bool
|
|
|
|
|
Unwrap() error
|
|
|
|
|
error
|
|
|
|
|
} = &errSerializationFailureWithCause{}
|
|
|
|
|
|
|
|
|
|
type errSerializationFailureWithCause struct {
|
|
|
|
|
cause error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (e *errSerializationFailureWithCause) Is(err error) bool {
|
|
|
|
|
return stderrors.Is(fosite.ErrSerializationFailure, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (e *errSerializationFailureWithCause) Unwrap() error {
|
|
|
|
|
return e.cause
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (e *errSerializationFailureWithCause) Error() string {
|
|
|
|
|
return fmt.Sprintf("%s: %s", fosite.ErrSerializationFailure, e.cause)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// ExpectedAuthorizeCodeSessionJSONFromFuzzing is used for round tripping tests.
|
|
|
|
|
// It is exported to allow integration tests to use it.
|
|
|
|
|
const ExpectedAuthorizeCodeSessionJSONFromFuzzing = `{
|
|
|
|
|
"active": true,
|
|
|
|
|
"request": {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"id": "嫎l蟲aƖ啘艿",
|
|
|
|
|
"requestedAt": "2082-11-10T18:36:11.627253638Z",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"client": {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"id": "!ſɄĈp[述齛ʘUȻ.5ȿE",
|
|
|
|
|
"client_secret": "UQ==",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"redirect_uris": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"ǣ珑 ʑ飶畛Ȳ螤Yɫüeɯ紤邥翔勋\\",
|
|
|
|
|
"Bʒ;",
|
|
|
|
|
"鿃攴Ųęʍ鎾ʦ©cÏN,Ġ/_"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"grant_types": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"憉sHĒ尥窘挼Ŀʼn"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"response_types": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"4",
|
|
|
|
|
"ʄÔ@}i{絧遗Ū^ȝĸ谋Vʋ鱴閇T"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"scopes": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"R鴝順諲ŮŚ节ȭŀȋc剠鏯ɽÿ¸"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"audience": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"Ƥ"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"public": true,
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"jwks_uri": "BA瘪囷ɫCʄɢ雐譄uée'",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"jwks": {
|
|
|
|
|
"keys": [
|
|
|
|
|
{
|
|
|
|
|
"kty": "OKP",
|
|
|
|
|
"crv": "Ed25519",
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"x": "nK9xgX_iN7u3u_i8YOO7ZRT_WK028Vd_nhtsUu7Eo6E",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"x5u": {
|
|
|
|
|
"Scheme": "",
|
|
|
|
|
"Opaque": "",
|
|
|
|
|
"User": null,
|
|
|
|
|
"Host": "",
|
|
|
|
|
"Path": "",
|
|
|
|
|
"RawPath": "",
|
|
|
|
|
"ForceQuery": false,
|
|
|
|
|
"RawQuery": "",
|
|
|
|
|
"Fragment": "",
|
|
|
|
|
"RawFragment": ""
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
"kty": "OKP",
|
|
|
|
|
"crv": "Ed25519",
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"x": "UbbswQgzWhfGCRlwQmMp6fw_HoIoqkIaKT-2XN2fuYU",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"x5u": {
|
|
|
|
|
"Scheme": "",
|
|
|
|
|
"Opaque": "",
|
|
|
|
|
"User": null,
|
|
|
|
|
"Host": "",
|
|
|
|
|
"Path": "",
|
|
|
|
|
"RawPath": "",
|
|
|
|
|
"ForceQuery": false,
|
|
|
|
|
"RawQuery": "",
|
|
|
|
|
"Fragment": "",
|
|
|
|
|
"RawFragment": ""
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
},
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"token_endpoint_auth_method": "ŚǗƳȕ暭Q0ņP羾,塐",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"request_uris": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"lj翻LH^俤µDzɹ@©|\u003eɃ",
|
|
|
|
|
"[:c顎疻紵D"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"request_object_signing_alg": "m1Ì恣S@T嵇LJV,Æ櫔袆鋹奘",
|
|
|
|
|
"token_endpoint_auth_signing_alg": "Fãƻʚ肈ą8O+a駣"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
},
|
|
|
|
|
"scopes": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"ɼk瘸'鴵yſǮŁ±\u003eFA曎餄FxD溪",
|
|
|
|
|
"綻N镪p赌h%桙dĽ"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"grantedScopes": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"癗E]Ņʘʟ車s"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"form": {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"蹬器ķ8ŷ萒寎廭#疶昄Ą-Ƃƞ轵": [
|
|
|
|
|
"熞ĝƌĆ1ȇyǴ濎=Tʉȼʁŀ\u003c",
|
|
|
|
|
"耡q戨稞R÷mȵg釽[ƞ@",
|
|
|
|
|
"đ[嬧鱒Ȁ彆媚杨嶒ĤGÀ吧Lŷ"
|
|
|
|
|
],
|
|
|
|
|
"餟": [
|
|
|
|
|
"蒍z\u0026(K鵢Kj ŏ9Q韉Ķ%",
|
|
|
|
|
"輫ǘ(¨Ƞ亱6ě#嫀^xz ",
|
|
|
|
|
"@耢ɝ^¡!犃ĹĐJí¿ō擫"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"session": {
|
|
|
|
|
"Claims": {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"JTI": "懫砰¿C筽娴ƓaPu镈賆ŗɰ",
|
|
|
|
|
"Issuer": "皶竇瞍涘¹焕iǢǽɽĺŧ",
|
|
|
|
|
"Subject": "矠M6ɡǜg炾ʙ$%o6肿Ȫ",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"Audience": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"ƌÙ鯆GQơ鮫R嫁ɍUƞ9+u!Ȱ踾$"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"Nonce": "us旸Ť/Õ薝隧;綡,鼞",
|
|
|
|
|
"ExpiresAt": "2065-11-30T13:47:03.613000626Z",
|
|
|
|
|
"IssuedAt": "1976-02-22T09:57:20.479850437Z",
|
|
|
|
|
"RequestedAt": "2016-04-13T04:18:53.648949323Z",
|
|
|
|
|
"AuthTime": "2098-07-12T04:38:54.034043015Z",
|
|
|
|
|
"AccessTokenHash": "滮]",
|
|
|
|
|
"AuthenticationContextClassReference": "°3\u003eÙ",
|
|
|
|
|
"AuthenticationMethodsReference": "k?µ鱔ǤÂ",
|
|
|
|
|
"CodeHash": "Țƒ1v¸KĶ跭};",
|
2020-11-19 04:30:05 +00:00
|
|
|
|
"Extra": {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"=ſ氆": {
|
|
|
|
|
"Ƿī,廖ʡ彑V\\廳蟕Ț": [
|
|
|
|
|
843216989
|
|
|
|
|
],
|
|
|
|
|
"蔯ʠ浵Ī": {
|
|
|
|
|
"H\"nǕ=rlƆ褡{ǏSȳŅ": {
|
|
|
|
|
"Žg": false
|
|
|
|
|
},
|
|
|
|
|
"枱鰧ɛ鸁A渇": null
|
|
|
|
|
}
|
2020-11-19 04:30:05 +00:00
|
|
|
|
},
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"斻遟a衪荖舃9闄岈锘肺ńʥƕU}j%": 2520197933
|
2020-11-19 04:30:05 +00:00
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"Headers": {
|
|
|
|
|
"Extra": {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"熒ɘȏıȒ諃龟ŴŠ'耐Ƭ扵ƹ玄ɕwL": {
|
|
|
|
|
"ýÏʥZq7烱藌\\捀¿őŧQ": {
|
|
|
|
|
"微'X焌襱ǭɕņ殥!_": null,
|
|
|
|
|
"荇届UȚ?戋璖$9\u00269舋": {
|
|
|
|
|
"ɕ餦ÑEǰ哤癨浦浏1Rk頓ć§蚲6": true
|
2020-11-19 04:30:05 +00:00
|
|
|
|
}
|
2020-12-01 19:01:23 +00:00
|
|
|
|
},
|
|
|
|
|
"鲒鿮禗O暒aJP鐜?ĮV嫎h譭ȉ]DĘ": [
|
|
|
|
|
954647573
|
|
|
|
|
]
|
2020-11-19 04:30:05 +00:00
|
|
|
|
},
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"皩Ƭ}Ɇ.雬Ɨ´唁": 1572524915
|
2020-11-19 04:30:05 +00:00
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
"ExpiresAt": {
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"\u003cqċ譈8ŪɎP绿MÅ": "2031-10-18T22:07:34.950803105Z",
|
|
|
|
|
"ȸěaʜD捛?½ʀ+Ċ偢镳ʬÍɷȓ\u003c": "2049-05-13T15:27:20.968432454Z"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
},
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"Username": "1藍殙菥趏酱Nʎ\u0026^横懋ƶ峦Fïȫƅw",
|
|
|
|
|
"Subject": "檾ĩĆ爨4犹|v炩f柏ʒ鴙*鸆偡"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
},
|
|
|
|
|
"requestedAudience": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"肯Ûx穞Ƀ",
|
|
|
|
|
"ź蕴3ǐ薝Ƅ腲=ʐ诂鱰屾Ê窢ɋ鄊qɠ谫"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
],
|
|
|
|
|
"grantedAudience": [
|
2020-12-01 19:01:23 +00:00
|
|
|
|
"ǵƕ牀1鞊\\ȹ)}鉍商OɄƣ圔,xĪ",
|
|
|
|
|
"悾xn冏裻摼0Ʈ蚵Ȼ塕»£#稏扟X"
|
2020-11-19 04:30:05 +00:00
|
|
|
|
]
|
|
|
|
|
},
|
|
|
|
|
"version": "1"
|
|
|
|
|
}`
|