revert: splitting the HMAC SHA strategy (#813) (#815)
This reverts commit 576230a.
aeneasr authored Jul 10, 2024
1 parent e00e96d commit 27de382
Showing 7 changed files with 57 additions and 109 deletions.
6 changes: 2 additions & 4 deletions compose/compose_strategy.go
Expand Up @@ -31,10 +31,8 @@ type HMACSHAStrategyConfigurator interface {

func NewOAuth2HMACStrategy(config HMACSHAStrategyConfigurator) *oauth2.HMACSHAStrategy {
return &oauth2.HMACSHAStrategy{
BaseHMACSHAStrategy: &oauth2.BaseHMACSHAStrategy{
Enigma: &hmac.HMACStrategy{Config: config},
Config: config,
},
Enigma: &hmac.HMACStrategy{Config: config},
Config: config,
}
}

60 changes: 39 additions & 21 deletions handler/oauth2/strategy_hmacsha.go
Expand Up @@ -5,6 +5,8 @@ package oauth2

import (
"context"
"fmt"
"strings"
"time"

"github.com/ory/x/errorsx"
Expand All @@ -13,39 +15,55 @@ import (
enigma "github.com/ory/fosite/token/hmac"
)

var _ CoreStrategy = (*BaseHMACSHAStrategy)(nil)

type BaseHMACSHAStrategy struct {
type HMACSHAStrategy struct {
Enigma *enigma.HMACStrategy
Config interface {
fosite.AccessTokenLifespanProvider
fosite.RefreshTokenLifespanProvider
fosite.AuthorizeCodeLifespanProvider
}
prefix *string
}

func (h *BaseHMACSHAStrategy) AccessTokenSignature(_ context.Context, token string) string {
func (h *HMACSHAStrategy) AccessTokenSignature(ctx context.Context, token string) string {
return h.Enigma.Signature(token)
}

func (h *BaseHMACSHAStrategy) RefreshTokenSignature(_ context.Context, token string) string {
func (h *HMACSHAStrategy) RefreshTokenSignature(ctx context.Context, token string) string {
return h.Enigma.Signature(token)
}

func (h *BaseHMACSHAStrategy) AuthorizeCodeSignature(_ context.Context, token string) string {
func (h *HMACSHAStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
return h.Enigma.Signature(token)
}

func (h *BaseHMACSHAStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
func (h *HMACSHAStrategy) getPrefix(part string) string {
if h.prefix == nil {
prefix := "ory_%s_"
h.prefix = &prefix
} else if len(*h.prefix) == 0 {
return ""
}

return fmt.Sprintf(*h.prefix, part)
}

func (h *HMACSHAStrategy) trimPrefix(token, part string) string {
return strings.TrimPrefix(token, h.getPrefix(part))
}

func (h *HMACSHAStrategy) setPrefix(token, part string) string {
return h.getPrefix(part) + token
}

func (h *HMACSHAStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
token, sig, err := h.Enigma.Generate(ctx)
if err != nil {
return "", "", err
}

return token, sig, nil
return h.setPrefix(token, "at"), sig, nil
}

func (h *BaseHMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
func (h *HMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)
if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))
Expand All @@ -55,42 +73,42 @@ func (h *BaseHMACSHAStrategy) ValidateAccessToken(ctx context.Context, r fosite.
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
}

return h.Enigma.Validate(ctx, token)
return h.Enigma.Validate(ctx, h.trimPrefix(token, "at"))
}

func (h *BaseHMACSHAStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
func (h *HMACSHAStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
token, sig, err := h.Enigma.Generate(ctx)
if err != nil {
return "", "", err
}

return token, sig, nil
return h.setPrefix(token, "rt"), sig, nil
}

func (h *BaseHMACSHAStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
func (h *HMACSHAStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)
if exp.IsZero() {
// Unlimited lifetime
return h.Enigma.Validate(ctx, token)
return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
}

if !exp.IsZero() && exp.Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
}

return h.Enigma.Validate(ctx, token)
return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
}

func (h *BaseHMACSHAStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
func (h *HMACSHAStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
token, sig, err := h.Enigma.Generate(ctx)
if err != nil {
return "", "", err
}

return token, sig, nil
return h.setPrefix(token, "ac"), sig, nil
}

func (h *BaseHMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
func (h *HMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)
if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
Expand All @@ -100,5 +118,5 @@ func (h *BaseHMACSHAStrategy) ValidateAuthorizeCode(ctx context.Context, r fosit
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
}

return h.Enigma.Validate(ctx, token)
return h.Enigma.Validate(ctx, h.trimPrefix(token, "ac"))
}
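Review bot: getPrefix writes h.prefix on first use, so concurrent callers of GenerateAccessToken and ValidateAccessToken on one shared *HMACSHAStrategy (the usual server setup) race on that pointer write, and the race detector would report it; GenerateRefreshToken, GenerateAuthorizeCode and the other Validate methods in this hunk go through the same path. The lazy default can be a package constant and the method read-only, which keeps the empty-prefix opt-out (the page shows no setter for `prefix`, so presumably a test in the package sets it) and returns the same values. Separately, trimPrefix accepts a token that carries no `ory_<part>_` prefix, or a different one, and passes it to Enigma.Validate unchanged; whether that form is rejected there is not visible here, so if the prefix is meant to bind a token to its kind, an explicit `strings.HasPrefix` check before validation would make the intent clear.
```go
// defaultPrefixFormat is the token prefix format; %s is the token kind ("at", "rt", "ac").
const defaultPrefixFormat = "ory_%s_"

func (h *HMACSHAStrategy) getPrefix(part string) string {
	if h.prefix == nil {
		return fmt.Sprintf(defaultPrefixFormat, part)
	}
	if len(*h.prefix) == 0 {
		return ""
	}
	return fmt.Sprintf(*h.prefix, part)
}
// … unchanged: trimPrefix, setPrefix and the Generate*/Validate* methods …
```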
60 changes: 0 additions & 60 deletions handler/oauth2/strategy_hmacsha_prefixed.go

This file was deleted.

10 changes: 4 additions & 6 deletions handler/oauth2/strategy_hmacsha_test.go
Expand Up @@ -17,12 +17,10 @@ import (
)

var hmacshaStrategy = HMACSHAStrategy{
BaseHMACSHAStrategy: &BaseHMACSHAStrategy{
Enigma: &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}},
Config: &fosite.Config{
AccessTokenLifespan: time.Hour * 24,
AuthorizeCodeLifespan: time.Hour * 24,
},
Enigma: &hmac.HMACStrategy{Config: &fosite.Config{GlobalSecret: []byte("foobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar")}},
Config: &fosite.Config{
AccessTokenLifespan: time.Hour * 24,
AuthorizeCodeLifespan: time.Hour * 24,
},
}

8 changes: 3 additions & 5 deletions handler/openid/flow_hybrid_test.go
Expand Up @@ -27,11 +27,9 @@ import (
)

var hmacStrategy = &oauth2.HMACSHAStrategy{
BaseHMACSHAStrategy: &oauth2.BaseHMACSHAStrategy{
Enigma: &hmac.HMACStrategy{
Config: &fosite.Config{
GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows-nobody-knows"),
},
Enigma: &hmac.HMACStrategy{
Config: &fosite.Config{
GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows-nobody-knows"),
},
},
}
8 changes: 3 additions & 5 deletions handler/pkce/handler_test.go
Expand Up @@ -38,11 +38,9 @@ func (m *mockCodeStrategy) ValidateAuthorizeCode(ctx context.Context, requester
func TestPKCEHandleAuthorizeEndpointRequest(t *testing.T) {
var config fosite.Config
h := &Handler{
Storage: storage.NewMemoryStore(),
AuthorizeCodeStrategy: &oauth2.HMACSHAStrategy{
BaseHMACSHAStrategy: new(oauth2.BaseHMACSHAStrategy),
},
Config: &config,
Storage: storage.NewMemoryStore(),
AuthorizeCodeStrategy: new(oauth2.HMACSHAStrategy),
Config: &config,
}
w := fosite.NewAuthorizeResponse()
r := fosite.NewAuthorizeRequest()
14 changes: 6 additions & 8 deletions integration/helper_setup_test.go
Expand Up @@ -173,17 +173,15 @@ func newJWTBearerAppClient(ts *httptest.Server) *clients.JWTBearer {
}

var hmacStrategy = &oauth2.HMACSHAStrategy{
BaseHMACSHAStrategy: &oauth2.BaseHMACSHAStrategy{
Enigma: &hmac.HMACStrategy{
Config: &fosite.Config{
GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"),
},
},
Enigma: &hmac.HMACStrategy{
Config: &fosite.Config{
AccessTokenLifespan: accessTokenLifespan,
AuthorizeCodeLifespan: authCodeLifespan,
GlobalSecret: []byte("some-super-cool-secret-that-nobody-knows"),
},
},
Config: &fosite.Config{
AccessTokenLifespan: accessTokenLifespan,
AuthorizeCodeLifespan: authCodeLifespan,
},
}

var defaultRSAKey = gen.MustRSAKey()
