

Resolves travis and docker issues
arekkas authored and arekkas committed Apr 29, 2018
1 parent c55139b commit 6f4779c
Showing 8 changed files with 61 additions and 48 deletions.
10 changes: 5 additions & 5 deletions .circleci/config.yml
Expand Up @@ -5,29 +5,29 @@ version: 2
jobs:
format:
docker:
- image: circleci/golang:1.9
- image: circleci/golang:1.10
working_directory: /go/src/github.com/ory/keto
steps:
- checkout
- run: curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o /go/bin/dep && chmod +x /go/bin/dep
- run: curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
- run: go get -u golang.org/x/tools/cmd/goimports
- run: dep ensure -vendor-only
- run: ./scripts/test-format.sh

swagger:
docker:
- image: circleci/golang:1.9
- image: circleci/golang:1.10
working_directory: /go/src/github.com/ory/keto
steps:
- checkout
- run: curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o /go/bin/dep && chmod +x /go/bin/dep
- run: curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
- run: go get -u github.com/go-swagger/go-swagger/cmd/swagger golang.org/x/tools/cmd/goimports
- run: dep ensure -vendor-only
- run: ./scripts/run-genswag.sh

test:
docker:
- image: circleci/golang:1.9
- image: circleci/golang:1.10
environment:
- TEST_DATABASE_POSTGRESQL=postgres://test:test@localhost:5432/hydra?sslmode=disable
- TEST_DATABASE_MYSQL=root:test@(localhost:3306)/mysql?parseTime=true
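Review bot: The dep installation at `- run: curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh` replaces a release-pinned binary download with an unpinned script fetched from the master branch and piped straight into sh, so the toolchain used by the format, swagger and test jobs changes under the build whenever upstream moves, and without `-f` a non-2xx response body is handed to sh instead of failing the step cleanly. Neither the old line nor the new one verifies a checksum, but the new one additionally drops the version pin. Pin the installer to a tagged revision or a vendored copy and invoke it as `curl -fsSL <PINNED-INSTALLER-URL> | sh`; if dep's installer honours a release-tag environment variable, set it on the same line so every run installs the same dep version. The identical line is introduced in Dockerfile and Dockerfile-alpine (`RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh`) and should be pinned the same way.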
5 changes: 2 additions & 3 deletions Dockerfile
@@ -1,11 +1,10 @@
FROM golang:1.9-alpine
FROM golang:1.10-alpine

ARG git_tag
ARG git_commit

RUN apk add --no-cache git build-base curl
RUN curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o $GOPATH/bin/dep
RUN chmod +x $GOPATH/bin/dep
RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh

WORKDIR /go/src/github.com/ory/keto

5 changes: 2 additions & 3 deletions Dockerfile-alpine
@@ -1,11 +1,10 @@
FROM golang:1.9-alpine
FROM golang:1.10-alpine

ARG git_tag
ARG git_commit

RUN apk add --no-cache git build-base curl
RUN curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o $GOPATH/bin/dep
RUN chmod +x $GOPATH/bin/dep
RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh

WORKDIR /go/src/github.com/ory/keto

2 changes: 1 addition & 1 deletion authentication/oauth2_client_credentials.go
Expand Up @@ -48,7 +48,7 @@ type AuthenticationOAuth2ClientCredentialsRequest struct {
ClientSecret string `json:"secret"`

// Scopes is an array of scopes that are required.
Scopes []string `json:"scopes"`
Scopes []string `json:"scope"`
}

func NewOAuth2ClientCredentialsSession() *OAuth2ClientCredentialsSession {
81 changes: 48 additions & 33 deletions authentication/oauth2_introspection.go
Expand Up @@ -44,40 +44,43 @@ type OAuth2Session struct {
*DefaultSession

// GrantedScopes is a list of scopes that the subject authorized when asked for consent.
GrantedScopes []string `json:"grantedScopes"`
GrantedScopes []string `json:"granted_scope"`

// Issuer is the id of the issuer, typically an hydra instance.
Issuer string `json:"issuer"`

// ClientID is the id of the OAuth2 client that requested the token.
ClientID string `json:"clientId"`
ClientID string `json:"client_id"`

// IssuedAt is the token creation time stamp.
IssuedAt time.Time `json:"issuedAt"`
IssuedAt time.Time `json:"issued_at"`

// ExpiresAt is the expiry timestamp.
ExpiresAt time.Time `json:"expiresAt"`
ExpiresAt time.Time `json:"expires_at"`

NotBefore time.Time `json:"notBefore,omitempty"`
NotBefore time.Time `json:"not_before,omitempty"`
Username string `json:"username,omitempty"`
Audience string `json:"audience,omitempty"`
Audience []string `json:"audience,omitempty"`

// Extra represents arbitrary session data.
Extra map[string]interface{} `json:"accessTokenExtra"`
// Session represents arbitrary session data.
Extra map[string]interface{} `json:"session"`
}

type IntrospectionResponse struct {
Active bool `json:"active"`
Scope string `json:"scope,omitempty"`
ClientID string `json:"client_id,omitempty"`
// Here, it's sub
Subject string `json:"sub,omitempty"`
ExpiresAt int64 `json:"exp,omitempty"`
IssuedAt int64 `json:"iat,omitempty"`
NotBefore int64 `json:"nbf,omitempty"`
Username string `json:"username,omitempty"`
Audience string `json:"aud,omitempty"`
Issuer string `json:"iss,omitempty"`
Subject string `json:"sub,omitempty"`
ExpiresAt int64 `json:"exp,omitempty"`
IssuedAt int64 `json:"iat,omitempty"`
NotBefore int64 `json:"nbf,omitempty"`
Username string `json:"username,omitempty"`
Audience []string `json:"aud,omitempty"`
Issuer string `json:"iss,omitempty"`

// Session represents arbitrary session data.
Extra map[string]interface{} `json:"ext"`
}

type OAuth2IntrospectionAuthentication struct {
Expand All @@ -92,7 +95,7 @@ type AuthenticationOAuth2IntrospectionRequest struct {
Token string `json:"token"`

// Scopes is an array of scopes that are required.
Scopes []string `json:"scopes"`
Scopes []string `json:"scope"`
}

func NewOAuth2Session() *OAuth2Session {
Expand Down Expand Up @@ -123,7 +126,29 @@ func (a *OAuth2IntrospectionAuthentication) Authenticate(r *http.Request) (Sessi
return nil, errors.WithStack(err)
}

body := url.Values{"token": {token.Token}, "scope": {strings.Join(token.Scopes, " ")}}
ir, err := a.Introspect(token.Token, token.Scopes, a.scopeStrategy)
if err != nil {
return nil, err
}

return &OAuth2Session{
DefaultSession: &DefaultSession{
Subject: ir.Subject,
},
GrantedScopes: strings.Split(ir.Scope, " "),
ClientID: ir.ClientID,
ExpiresAt: time.Unix(ir.ExpiresAt, 0).UTC(),
IssuedAt: time.Unix(ir.IssuedAt, 0).UTC(),
NotBefore: time.Unix(ir.NotBefore, 0).UTC(),
Username: ir.Username,
Audience: ir.Audience,
Issuer: ir.Issuer,
Extra: ir.Extra,
}, nil
}

func (a *OAuth2IntrospectionAuthentication) Introspect(token string, scopes []string, strategy fosite.ScopeStrategy) (*IntrospectionResponse, error) {
body := url.Values{"token": {token}, "scope": {strings.Join(scopes, " ")}}
resp, err := a.client.Post(a.introspectionURL, "application/x-www-form-urlencoded", strings.NewReader(body.Encode()))
if err != nil {
return nil, errors.WithStack(err)
Expand All @@ -143,23 +168,13 @@ func (a *OAuth2IntrospectionAuthentication) Authenticate(r *http.Request) (Sessi
return nil, errors.WithStack(ErrUnauthorized.WithReason("Access token introspection says token is not active"))
}

for _, scope := range token.Scopes {
if !a.scopeStrategy(strings.Split(ir.Scope, " "), scope) {
return nil, errors.WithStack(ErrUnauthorized.WithReason(fmt.Sprintf("Scope %s was not granted", scope)))
if strategy != nil {
for _, scope := range scopes {
if !a.scopeStrategy(strings.Split(ir.Scope, " "), scope) {
return nil, errors.WithStack(ErrUnauthorized.WithReason(fmt.Sprintf("Scope %s was not granted", scope)))
}
}
}

return &OAuth2Session{
DefaultSession: &DefaultSession{
Subject: ir.Subject,
},
GrantedScopes: strings.Split(ir.Scope, " "),
ClientID: ir.ClientID,
ExpiresAt: time.Unix(ir.ExpiresAt, 0).UTC(),
IssuedAt: time.Unix(ir.IssuedAt, 0).UTC(),
NotBefore: time.Unix(ir.NotBefore, 0).UTC(),
Username: ir.Username,
Audience: ir.Audience,
Issuer: ir.Issuer,
}, nil
return &ir, nil
}
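Review bot: Introspect's new `strategy` parameter is never used: the guard reads `if strategy != nil {` but the check on the next line is still `if !a.scopeStrategy(strings.Split(ir.Scope, " "), scope) {`, so a caller-supplied strategy is silently ignored and a nil `a.scopeStrategy` combined with a non-nil argument calls a nil func; the line should read `if !strategy(strings.Split(ir.Scope, " "), scope) {`. The nil branch also fails open — Introspect is exported, and passing `nil` returns an active token with no scope enforcement at all — which needs a doc comment on the method along the lines of `// Introspect calls the introspection endpoint; a nil strategy skips scope enforcement and leaves the caller responsible for checking ir.Scope.` or, safer, a fail-closed default to `a.scopeStrategy`. Separately, `Audience []string` in IntrospectionResponse cannot decode the single-string `aud` form that RFC 7662 (via RFC 7519) allows, so introspection against a server that emits a plain string fails during decoding rather than at the active check. The decoding of `ir` and the response-status handling sit in the collapsed stretch between the two hunks and are not visible here.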
2 changes: 1 addition & 1 deletion cmd/client/handler_warden.go
Expand Up @@ -50,7 +50,7 @@ func newWardenHandler() *WardenHandler {

func (h *WardenHandler) IsOAuth2AccessTokenAuthorized(cmd *cobra.Command, args []string) {
token, _ := cmd.Flags().GetString("token")
scopes, _ := cmd.Flags().GetStringArray("scopes")
scopes, _ := cmd.Flags().GetStringArray("scope")
action, _ := cmd.Flags().GetString("actions")
resource, _ := cmd.Flags().GetString("resources")

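Review bot: The rename to `cmd.Flags().GetStringArray("scope")` leaves the two context lines below it reading `GetString("actions")` and `GetString("resources")`, while cmd/warden_oauth2.go in this same commit registers those flags as `String("action", ...)` and `String("resource", ...)`; if oauth2Cmd is the command bound to IsOAuth2AccessTokenAuthorized (not visible in this hunk), both lookups hit an unregistered flag, the discarded error hides it, and the warden check is issued with an empty action and resource. The lines should read `action, _ := cmd.Flags().GetString("action")` and `resource, _ := cmd.Flags().GetString("resource")`, and surfacing those `_` errors would have caught the mismatch. IsOAuth2AccessTokenAuthorized continues past the end of the hunk.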
2 changes: 1 addition & 1 deletion cmd/server/serve.go
Expand Up @@ -96,7 +96,7 @@ func RunServe(
viper.GetString("AUTHENTICATOR_OAUTH2_INTROSPECTION_CLIENT_SECRET"),
viper.GetString("AUTHENTICATOR_OAUTH2_INTROSPECTION_TOKEN_URL"),
viper.GetString("AUTHENTICATOR_OAUTH2_INTROSPECTION_URL"),
strings.Split(viper.GetString("OAUTH2_SCOPES"), ","),
strings.Split(viper.GetString("OAUTH2_SCOPE"), ","),
strategy,
),
"oauth2/clients": authentication.NewOAuth2ClientCredentialsAuthentication(
2 changes: 1 addition & 1 deletion cmd/warden_oauth2.go
Expand Up @@ -38,7 +38,7 @@ func init() {
// is called directly, e.g.:
// oauth2Cmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
oauth2Cmd.Flags().String("token", "", "The request's bearer token")
oauth2Cmd.Flags().StringArray("scopes", []string{}, "The request's required scopes")
oauth2Cmd.Flags().StringArray("scope", []string{}, "The request's required scope")
oauth2Cmd.Flags().String("action", "", "The request's action")
oauth2Cmd.Flags().String("resource", "", "The request's resource")
}

