From 6f4779cc51bf4f2ee5b97541fb77d8f882497710 Mon Sep 17 00:00:00 2001 From: arekkas Date: Sun, 29 Apr 2018 14:10:30 +0200 Subject: [PATCH] Resolves travis and docker issues --- .circleci/config.yml | 10 +-- Dockerfile | 5 +- Dockerfile-alpine | 5 +- authentication/oauth2_client_credentials.go | 2 +- authentication/oauth2_introspection.go | 81 ++++++++++++--------- cmd/client/handler_warden.go | 2 +- cmd/server/serve.go | 2 +- cmd/warden_oauth2.go | 2 +- 8 files changed, 61 insertions(+), 48 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index ee45064ad..41a62c01e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -5,29 +5,29 @@ version: 2 jobs: format: docker: - - image: circleci/golang:1.9 + - image: circleci/golang:1.10 working_directory: /go/src/github.com/ory/keto steps: - checkout - - run: curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o /go/bin/dep && chmod +x /go/bin/dep + - run: curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh - run: go get -u golang.org/x/tools/cmd/goimports - run: dep ensure -vendor-only - run: ./scripts/test-format.sh swagger: docker: - - image: circleci/golang:1.9 + - image: circleci/golang:1.10 working_directory: /go/src/github.com/ory/keto steps: - checkout - - run: curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o /go/bin/dep && chmod +x /go/bin/dep + - run: curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh - run: go get -u github.com/go-swagger/go-swagger/cmd/swagger golang.org/x/tools/cmd/goimports - run: dep ensure -vendor-only - run: ./scripts/run-genswag.sh test: docker: - - image: circleci/golang:1.9 + - image: circleci/golang:1.10 environment: - TEST_DATABASE_POSTGRESQL=postgres://test:test@localhost:5432/hydra?sslmode=disable - TEST_DATABASE_MYSQL=root:test@(localhost:3306)/mysql?parseTime=true diff --git a/Dockerfile b/Dockerfile index ff8687a76..068a83540 100644 
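Review bot: The replaced `- run:` lines in the `format` and `swagger` jobs now fetch `install.sh` from the `master` branch of golang/dep and pipe it straight into `sh`, which gives up the v0.3.2 pin the previous download had and executes whatever that URL serves at build time, with no integrity check and, without `-f`, even an HTTP error page; the Dockerfile and Dockerfile-alpine hunks make the same change. A pinned release binary with a checksum keeps the build reproducible and verifiable, e.g. `curl -fsSL https://github.com/golang/dep/releases/download/<TAG>/dep-linux-amd64 -o /go/bin/dep && echo "<SHA256>  /go/bin/dep" | sha256sum -c - && chmod +x /go/bin/dep` (TAG and SHA256 are placeholders for the chosen release; the Dockerfiles use `$GOPATH/bin/dep`). If the installer script is kept, at least use `curl -fsSL` so a failed download does not silently run partial or unexpected output.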
--- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,10 @@ -FROM golang:1.9-alpine +FROM golang:1.10-alpine ARG git_tag ARG git_commit RUN apk add --no-cache git build-base curl -RUN curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o $GOPATH/bin/dep -RUN chmod +x $GOPATH/bin/dep +RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh WORKDIR /go/src/github.com/ory/keto diff --git a/Dockerfile-alpine b/Dockerfile-alpine index eabb5801c..f13681c2a 100644 --- a/Dockerfile-alpine +++ b/Dockerfile-alpine @@ -1,11 +1,10 @@ -FROM golang:1.9-alpine +FROM golang:1.10-alpine ARG git_tag ARG git_commit RUN apk add --no-cache git build-base curl -RUN curl -L -s https://github.com/golang/dep/releases/download/v0.3.2/dep-linux-amd64 -o $GOPATH/bin/dep -RUN chmod +x $GOPATH/bin/dep +RUN curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh WORKDIR /go/src/github.com/ory/keto diff --git a/authentication/oauth2_client_credentials.go b/authentication/oauth2_client_credentials.go index 1b9452c30..d86039765 100644 --- a/authentication/oauth2_client_credentials.go +++ b/authentication/oauth2_client_credentials.go @@ -48,7 +48,7 @@ type AuthenticationOAuth2ClientCredentialsRequest struct { ClientSecret string `json:"secret"` // Scopes is an array of scopes that are required. - Scopes []string `json:"scopes"` + Scopes []string `json:"scope"` } func NewOAuth2ClientCredentialsSession() *OAuth2ClientCredentialsSession { diff --git a/authentication/oauth2_introspection.go b/authentication/oauth2_introspection.go index da952fa17..ba4fe319e 100644 --- a/authentication/oauth2_introspection.go +++ b/authentication/oauth2_introspection.go 
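Review bot: Renaming the wire key of `Scopes` in `AuthenticationOAuth2ClientCredentialsRequest` from `scopes` to `scope` is a breaking change for existing callers that the commit message does not mention, and a caller still sending `scopes` gets no error — the field silently decodes as empty. The same rename is applied to `AuthenticationOAuth2IntrospectionRequest`, to the `scope` flag in cmd/warden_oauth2.go and cmd/client/handler_warden.go, and to the `OAUTH2_SCOPE` variable in cmd/server/serve.go. On the introspection path the `for _, scope := range scopes` loop in `Introspect` means an empty list skips scope enforcement altogether, so an outdated client is answered as if it required no scope rather than being rejected; whether the client-credentials authenticator behaves the same way is not visible here. The doc comment should at least name the wire key, e.g. `// Scopes is an array of scopes that are required (JSON key "scope").`, and the rename belongs in the release notes.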
@@ -44,26 +44,26 @@ type OAuth2Session struct { *DefaultSession // GrantedScopes is a list of scopes that the subject authorized when asked for consent. - GrantedScopes []string `json:"grantedScopes"` + GrantedScopes []string `json:"granted_scope"` // Issuer is the id of the issuer, typically an hydra instance. Issuer string `json:"issuer"` // ClientID is the id of the OAuth2 client that requested the token. - ClientID string `json:"clientId"` + ClientID string `json:"client_id"` // IssuedAt is the token creation time stamp. - IssuedAt time.Time `json:"issuedAt"` + IssuedAt time.Time `json:"issued_at"` // ExpiresAt is the expiry timestamp. - ExpiresAt time.Time `json:"expiresAt"` + ExpiresAt time.Time `json:"expires_at"` - NotBefore time.Time `json:"notBefore,omitempty"` + NotBefore time.Time `json:"not_before,omitempty"` Username string `json:"username,omitempty"` - Audience string `json:"audience,omitempty"` + Audience []string `json:"audience,omitempty"` - // Extra represents arbitrary session data. - Extra map[string]interface{} `json:"accessTokenExtra"` + // Session represents arbitrary session data. + Extra map[string]interface{} `json:"session"` } type IntrospectionResponse struct { 
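Review bot: The comment on the `Extra` field of `OAuth2Session` now reads `// Session represents arbitrary session data.` while the field is still named `Extra`, so the doc comment no longer starts with the identifier it documents; the same comment is attached to the new `Extra` field in the `IntrospectionResponse` hunk. Suggest `// Extra holds arbitrary session data taken from the introspection response (JSON key "session").` here. The change of `Audience` from `string` to `[]string` also alters the wire type of `audience` for every JSON consumer of the session and deserves a line in the struct's documentation and in the release notes.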
@@ -71,13 +71,16 @@ type IntrospectionResponse struct { Scope string `json:"scope,omitempty"` ClientID string `json:"client_id,omitempty"` // Here, it's sub - Subject string `json:"sub,omitempty"` - ExpiresAt int64 `json:"exp,omitempty"` - IssuedAt int64 `json:"iat,omitempty"` - NotBefore int64 `json:"nbf,omitempty"` - Username string `json:"username,omitempty"` - Audience string `json:"aud,omitempty"` - Issuer string `json:"iss,omitempty"` + Subject string `json:"sub,omitempty"` + ExpiresAt int64 `json:"exp,omitempty"` + IssuedAt int64 `json:"iat,omitempty"` + NotBefore int64 `json:"nbf,omitempty"` + Username string `json:"username,omitempty"` + Audience []string `json:"aud,omitempty"` + Issuer string `json:"iss,omitempty"` + + // Session represents arbitrary session data. + Extra map[string]interface{} `json:"ext"` } type OAuth2IntrospectionAuthentication struct { @@ -92,7 +95,7 @@ type AuthenticationOAuth2IntrospectionRequest struct { Token string `json:"token"` // Scopes is an array of scopes that are required. - Scopes []string `json:"scopes"` + Scopes []string `json:"scope"` } func NewOAuth2Session() *OAuth2Session { 
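Review bot: The new `Extra` field on `IntrospectionResponse` receives the introspection server's whole `ext` object and, in the `Authenticate` hunk that follows, is copied unchanged into `OAuth2Session.Extra`, so every consumer of the session sees all of the token's extension claims; nothing here documents what is expected in `ext` or whether it may contain data that should stay inside the authenticator. It is also the only field in the struct without `omitempty`, which looks unintentional next to its siblings. Suggest `// Extra holds the introspection response's "ext" claims; they are passed through to the session unfiltered.` and, if only some claims should be exposed, an allow-list before the copy. `IntrospectionResponse` begins before this hunk.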
@@ -123,7 +126,29 @@ func (a *OAuth2IntrospectionAuthentication) Authenticate(r *http.Request) (Sessi return nil, errors.WithStack(err) } - body := url.Values{"token": {token.Token}, "scope": {strings.Join(token.Scopes, " ")}} + ir, err := a.Introspect(token.Token, token.Scopes, a.scopeStrategy) + if err != nil { + return nil, err + } + + return &OAuth2Session{ + DefaultSession: &DefaultSession{ + Subject: ir.Subject, + }, + GrantedScopes: strings.Split(ir.Scope, " "), + ClientID: ir.ClientID, + ExpiresAt: time.Unix(ir.ExpiresAt, 0).UTC(), + IssuedAt: time.Unix(ir.IssuedAt, 0).UTC(), + NotBefore: time.Unix(ir.NotBefore, 0).UTC(), + Username: ir.Username, + Audience: ir.Audience, + Issuer: ir.Issuer, + Extra: ir.Extra, + }, nil +} + +func (a *OAuth2IntrospectionAuthentication) Introspect(token string, scopes []string, strategy fosite.ScopeStrategy) (*IntrospectionResponse, error) { + body := url.Values{"token": {token}, "scope": {strings.Join(scopes, " ")}} resp, err := a.client.Post(a.introspectionURL, "application/x-www-form-urlencoded", strings.NewReader(body.Encode())) if err != nil { return nil, errors.WithStack(err) 
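Review bot: The new `Introspect` method declares a `strategy fosite.ScopeStrategy` parameter, but in the following hunk the parameter is only compared with nil while the actual check still calls `a.scopeStrategy`, so a caller-supplied strategy is never applied and a non-nil argument on an authenticator whose `scopeStrategy` is nil would panic on a nil function call. The loop should use the argument: `if !strategy(strings.Split(ir.Scope, " "), scope) {`. The `if strategy != nil` guard also turns scope enforcement into an opt-in: `Authenticate` forwards `a.scopeStrategy`, so an authenticator constructed without a strategy now silently skips the required-scope check where it previously could not succeed; either reject a nil strategy or state in the method's doc comment that nil disables scope enforcement. `Authenticate` begins before this hunk and `Introspect`'s body continues past it.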
@@ -143,23 +168,13 @@ func (a *OAuth2IntrospectionAuthentication) Authenticate(r *http.Request) (Sessi return nil, errors.WithStack(ErrUnauthorized.WithReason("Access token introspection says token is not active")) } - for _, scope := range token.Scopes { - if !a.scopeStrategy(strings.Split(ir.Scope, " "), scope) { - return nil, errors.WithStack(ErrUnauthorized.WithReason(fmt.Sprintf("Scope %s was not granted", scope))) + if strategy != nil { + for _, scope := range scopes { + if !a.scopeStrategy(strings.Split(ir.Scope, " "), scope) { + return nil, errors.WithStack(ErrUnauthorized.WithReason(fmt.Sprintf("Scope %s was not granted", scope))) + } } } - return &OAuth2Session{ - DefaultSession: &DefaultSession{ - Subject: ir.Subject, - }, - GrantedScopes: strings.Split(ir.Scope, " "), - ClientID: ir.ClientID, - ExpiresAt: time.Unix(ir.ExpiresAt, 0).UTC(), - IssuedAt: time.Unix(ir.IssuedAt, 0).UTC(), - NotBefore: time.Unix(ir.NotBefore, 0).UTC(), - Username: ir.Username, - Audience: ir.Audience, - Issuer: ir.Issuer, - }, nil + return &ir, nil } diff --git a/cmd/client/handler_warden.go b/cmd/client/handler_warden.go index 5d2a399b5..613936f1b 100644 --- a/cmd/client/handler_warden.go +++ b/cmd/client/handler_warden.go @@ -50,7 +50,7 @@ func newWardenHandler() *WardenHandler { func (h *WardenHandler) IsOAuth2AccessTokenAuthorized(cmd *cobra.Command, args []string) { token, _ := cmd.Flags().GetString("token") - scopes, _ := cmd.Flags().GetStringArray("scopes") + scopes, _ := cmd.Flags().GetStringArray("scope") action, _ := cmd.Flags().GetString("actions") resource, _ := cmd.Flags().GetString("resources") diff --git a/cmd/server/serve.go b/cmd/server/serve.go index d55d3a670..6426ebae4 100644 --- a/cmd/server/serve.go +++ b/cmd/server/serve.go 
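Review bot: Inside the re-indented loop in `Introspect`, `strings.Split(ir.Scope, " ")` is recomputed for every required scope although `ir.Scope` does not change; hoist it with `granted := strings.Split(ir.Scope, " ")` before the loop and pass `granted` to the strategy call. Note that `strings.Split` on an empty `ir.Scope` yields `[""]` rather than an empty list, and `GrantedScopes` in `Authenticate` inherits the same value; `strings.Fields(ir.Scope)` returns no elements in that case if that is the intended meaning. `Introspect` is declared in the preceding hunk.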
@@ -96,7 +96,7 @@ func RunServe( viper.GetString("AUTHENTICATOR_OAUTH2_INTROSPECTION_CLIENT_SECRET"), viper.GetString("AUTHENTICATOR_OAUTH2_INTROSPECTION_TOKEN_URL"), viper.GetString("AUTHENTICATOR_OAUTH2_INTROSPECTION_URL"), - strings.Split(viper.GetString("OAUTH2_SCOPES"), ","), + strings.Split(viper.GetString("OAUTH2_SCOPE"), ","), strategy, ), "oauth2/clients": authentication.NewOAuth2ClientCredentialsAuthentication( diff --git a/cmd/warden_oauth2.go b/cmd/warden_oauth2.go index d11fa1985..ce351ae77 100644 --- a/cmd/warden_oauth2.go +++ b/cmd/warden_oauth2.go @@ -38,7 +38,7 @@ func init() { // is called directly, e.g.: // oauth2Cmd.Flags().BoolP("toggle", "t", false, "Help message for toggle") oauth2Cmd.Flags().String("token", "", "The request's bearer token") - oauth2Cmd.Flags().StringArray("scopes", []string{}, "The request's required scopes") + oauth2Cmd.Flags().StringArray("scope", []string{}, "The request's required scope") oauth2Cmd.Flags().String("action", "", "The request's action") oauth2Cmd.Flags().String("resource", "", "The request's resource") }
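Review bot: `strings.Split(viper.GetString("OAUTH2_SCOPE"), ",")` returns `[""]` when the variable is unset, so a deployment that still exports the old `OAUTH2_SCOPES` name now passes the introspection authenticator a single empty-string scope instead of no scopes; what `NewOAuth2IntrospectionAuthentication` does with that list is outside this hunk. Guard the empty case, e.g. `var scopes []string` followed by `if s := viper.GetString("OAUTH2_SCOPE"); s != "" { scopes = strings.Split(s, ",") }`, and consider logging a warning when `OAUTH2_SCOPES` is still set so the rename does not fail silently at startup. `RunServe` begins before this hunk.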