Browse code
Add grant approval, scope.Add, tests
Jordan Liggitt authored on 2014/11/04 06:01:42Showing 21 changed files
- pkg/auth/oauth/handlers/grant.go
- pkg/auth/oauth/handlers/interfaces.go
- pkg/auth/server/csrf/cookie.go
- pkg/auth/server/csrf/cookie_test.go
- pkg/auth/server/csrf/empty.go
- pkg/auth/server/csrf/fake.go
- pkg/auth/server/csrf/interfaces.go
- pkg/auth/server/csrf/session.go
- pkg/auth/server/grant/grant.go
- pkg/auth/server/grant/grant_test.go
- pkg/auth/server/grant/interfaces.go
- pkg/auth/server/login/implicit.go
- pkg/auth/server/login/implicit_test.go
- pkg/auth/server/login/interfaces.go
- pkg/auth/server/login/login.go
- pkg/auth/server/login/login_test.go
- pkg/cmd/server/origin/auth.go
- pkg/oauth/registry/etcd/etcd.go
- pkg/oauth/registry/test/clientauthorization.go
- pkg/oauth/scope/scope.go
- pkg/oauth/scope/scope_test.go
| ... | ... |
@@ -2,11 +2,17 @@ package handlers |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"errors" |
| 5 |
+ "fmt" |
|
| 5 | 6 |
"net/http" |
| 7 |
+ "net/url" |
|
| 6 | 8 |
|
| 7 | 9 |
"github.com/RangelReale/osin" |
| 10 |
+ "github.com/golang/glog" |
|
| 8 | 11 |
|
| 9 | 12 |
"github.com/openshift/origin/pkg/auth/api" |
| 13 |
+ oapi "github.com/openshift/origin/pkg/oauth/api" |
|
| 14 |
+ "github.com/openshift/origin/pkg/oauth/registry/clientauthorization" |
|
| 15 |
+ "github.com/openshift/origin/pkg/oauth/scope" |
|
| 10 | 16 |
) |
| 11 | 17 |
|
| 12 | 18 |
type GrantCheck struct {
|
| ... | ... |
@@ -48,3 +54,108 @@ func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseW |
| 48 | 48 |
|
| 49 | 49 |
return |
| 50 | 50 |
} |
| 51 |
+ |
|
| 52 |
+type emptyGrant struct{}
|
|
| 53 |
+ |
|
| 54 |
+// NewEmptyGrant returns a no-op grant handler |
|
| 55 |
+func NewEmptyGrant() GrantHandler {
|
|
| 56 |
+ return emptyGrant{}
|
|
| 57 |
+} |
|
| 58 |
+ |
|
| 59 |
+// GrantNeeded implements the GrantHandler interface |
|
| 60 |
+func (emptyGrant) GrantNeeded(client api.Client, user api.UserInfo, grant *api.Grant, w http.ResponseWriter, req *http.Request) {
|
|
| 61 |
+ fmt.Fprintf(w, "<body>GrantNeeded - not implemented<pre>%#v\n%#v\n%#v</pre></body>", client, user, grant) |
|
| 62 |
+} |
|
| 63 |
+ |
|
| 64 |
+// GrantError implements the GrantHandler interface |
|
| 65 |
+func (emptyGrant) GrantError(err error, w http.ResponseWriter, req *http.Request) {
|
|
| 66 |
+ w.WriteHeader(http.StatusInternalServerError) |
|
| 67 |
+ fmt.Fprintf(w, "<body>GrantError - %s</body>", err) |
|
| 68 |
+} |
|
| 69 |
+ |
|
| 70 |
+type autoGrant struct {
|
|
| 71 |
+ authregistry clientauthorization.Registry |
|
| 72 |
+} |
|
| 73 |
+ |
|
| 74 |
+// NewAutoGrant returns a grant handler that automatically creates client authorizations |
|
| 75 |
+// when a grant is needed, then retries the original request |
|
| 76 |
+func NewAutoGrant(authregistry clientauthorization.Registry) GrantHandler {
|
|
| 77 |
+ return &autoGrant{authregistry}
|
|
| 78 |
+} |
|
| 79 |
+ |
|
| 80 |
+// GrantNeeded implements the GrantHandler interface |
|
| 81 |
+func (g *autoGrant) GrantNeeded(client api.Client, user api.UserInfo, grant *api.Grant, w http.ResponseWriter, req *http.Request) {
|
|
| 82 |
+ clientAuthID := g.authregistry.ClientAuthorizationID(user.GetName(), client.GetId()) |
|
| 83 |
+ clientAuth, err := g.authregistry.GetClientAuthorization(clientAuthID) |
|
| 84 |
+ if err == nil {
|
|
| 85 |
+ // Add new scopes and update |
|
| 86 |
+ clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(grant.Scope)) |
|
| 87 |
+ err = g.authregistry.UpdateClientAuthorization(clientAuth) |
|
| 88 |
+ if err != nil {
|
|
| 89 |
+ glog.Errorf("Unable to update authorization: %v", err)
|
|
| 90 |
+ g.GrantError(err, w, req) |
|
| 91 |
+ return |
|
| 92 |
+ } |
|
| 93 |
+ } else {
|
|
| 94 |
+ // Make sure client name, user name, grant scope, expiration, and redirect uri match |
|
| 95 |
+ clientAuth = &oapi.ClientAuthorization{
|
|
| 96 |
+ UserName: user.GetName(), |
|
| 97 |
+ UserUID: user.GetUID(), |
|
| 98 |
+ ClientName: client.GetId(), |
|
| 99 |
+ Scopes: scope.Split(grant.Scope), |
|
| 100 |
+ } |
|
| 101 |
+ clientAuth.ID = clientAuthID |
|
| 102 |
+ |
|
| 103 |
+ err = g.authregistry.CreateClientAuthorization(clientAuth) |
|
| 104 |
+ if err != nil {
|
|
| 105 |
+ glog.Errorf("Unable to create authorization: %v", err)
|
|
| 106 |
+ g.GrantError(err, w, req) |
|
| 107 |
+ return |
|
| 108 |
+ } |
|
| 109 |
+ } |
|
| 110 |
+ |
|
| 111 |
+ // Retry the request |
|
| 112 |
+ http.Redirect(w, req, req.URL.String(), http.StatusFound) |
|
| 113 |
+} |
|
| 114 |
+ |
|
| 115 |
+// GrantError implements the GrantHandler interface |
|
| 116 |
+func (g *autoGrant) GrantError(err error, w http.ResponseWriter, req *http.Request) {
|
|
| 117 |
+ w.WriteHeader(http.StatusInternalServerError) |
|
| 118 |
+ fmt.Fprintf(w, "<body>GrantError - %s</body>", err) |
|
| 119 |
+} |
|
| 120 |
+ |
|
| 121 |
+type redirectGrant struct {
|
|
| 122 |
+ url string |
|
| 123 |
+} |
|
| 124 |
+ |
|
| 125 |
+// NewRedirectGrant returns a grant handler that redirects to the given URL when a grant is needed. |
|
| 126 |
+// The following query parameters are added to the URL: |
|
| 127 |
+// then - original request URL |
|
| 128 |
+// client_id - requesting client's ID |
|
| 129 |
+// scopes - grant scope requested |
|
| 130 |
+// redirect_uri - original authorize request redirect_uri |
|
| 131 |
+func NewRedirectGrant(url string) GrantHandler {
|
|
| 132 |
+ return &redirectGrant{url}
|
|
| 133 |
+} |
|
| 134 |
+ |
|
| 135 |
+// GrantNeeded implements the GrantHandler interface |
|
| 136 |
+func (g *redirectGrant) GrantNeeded(client api.Client, user api.UserInfo, grant *api.Grant, w http.ResponseWriter, req *http.Request) {
|
|
| 137 |
+ redirectURL, err := url.Parse(g.url) |
|
| 138 |
+ if err != nil {
|
|
| 139 |
+ g.GrantError(err, w, req) |
|
| 140 |
+ return |
|
| 141 |
+ } |
|
| 142 |
+ redirectURL.RawQuery = url.Values{
|
|
| 143 |
+ "then": {req.URL.String()},
|
|
| 144 |
+ "client_id": {client.GetId()},
|
|
| 145 |
+ "scopes": {grant.Scope},
|
|
| 146 |
+ "redirect_uri": {grant.RedirectURI},
|
|
| 147 |
+ }.Encode() |
|
| 148 |
+ http.Redirect(w, req, redirectURL.String(), http.StatusFound) |
|
| 149 |
+} |
|
| 150 |
+ |
|
| 151 |
+// GrantError implements the GrantHandler interface |
|
| 152 |
+func (g *redirectGrant) GrantError(err error, w http.ResponseWriter, req *http.Request) {
|
|
| 153 |
+ w.WriteHeader(http.StatusInternalServerError) |
|
| 154 |
+ fmt.Fprintf(w, "<body>GrantError - %s</body>", err) |
|
| 155 |
+} |
| ... | ... |
@@ -19,12 +19,17 @@ type AuthenticationErrorHandler interface {
|
| 19 | 19 |
AuthenticationError(err error, w http.ResponseWriter, req *http.Request) |
| 20 | 20 |
} |
| 21 | 21 |
|
| 22 |
+// GrantChecker is responsible for determining if a user has authorized a client for a requested grant |
|
| 22 | 23 |
type GrantChecker interface {
|
| 24 |
+ // HasAuthorizedClient returns true if the user has authorized the client for the requested grant |
|
| 23 | 25 |
HasAuthorizedClient(client api.Client, user api.UserInfo, grant *api.Grant) (bool, error) |
| 24 | 26 |
} |
| 25 | 27 |
|
| 28 |
+// GrantHandler handles errors during the grant process, or the client requests an unauthorized grant |
|
| 26 | 29 |
type GrantHandler interface {
|
| 30 |
+ // GrantNeeded reacts when a client requests an unauthorized grant |
|
| 27 | 31 |
GrantNeeded(client api.Client, user api.UserInfo, grant *api.Grant, w http.ResponseWriter, req *http.Request) |
| 32 |
+ // GrantError handles an error during the grant process |
|
| 28 | 33 |
GrantError(err error, w http.ResponseWriter, req *http.Request) |
| 29 | 34 |
} |
| 30 | 35 |
|
| 31 | 36 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,69 @@ |
| 0 |
+package csrf |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "net/http" |
|
| 4 |
+ |
|
| 5 |
+ "code.google.com/p/go-uuid/uuid" |
|
| 6 |
+) |
|
| 7 |
+ |
|
| 8 |
+type cookieCsrf struct {
|
|
| 9 |
+ name string |
|
| 10 |
+ path string |
|
| 11 |
+ domain string |
|
| 12 |
+ secure bool |
|
| 13 |
+ httponly bool |
|
| 14 |
+} |
|
| 15 |
+ |
|
| 16 |
+// NewCookieCSRF stores random CSRF tokens in a cookie created with the given options. |
|
| 17 |
+// Empty CSRF tokens or tokens that do not match the value of the cookie on the request |
|
| 18 |
+// are rejected. |
|
| 19 |
+func NewCookieCSRF(name, path, domain string, secure, httponly bool) CSRF {
|
|
| 20 |
+ return &cookieCsrf{
|
|
| 21 |
+ name: name, |
|
| 22 |
+ path: path, |
|
| 23 |
+ domain: domain, |
|
| 24 |
+ secure: secure, |
|
| 25 |
+ httponly: httponly, |
|
| 26 |
+ } |
|
| 27 |
+} |
|
| 28 |
+ |
|
| 29 |
+// Generate implements the CSRF interface |
|
| 30 |
+func (c *cookieCsrf) Generate(w http.ResponseWriter, req *http.Request) (string, error) {
|
|
| 31 |
+ cookie, err := req.Cookie(c.name) |
|
| 32 |
+ if err == nil && len(cookie.Value) > 0 {
|
|
| 33 |
+ return cookie.Value, nil |
|
| 34 |
+ } |
|
| 35 |
+ |
|
| 36 |
+ cookie = &http.Cookie{
|
|
| 37 |
+ Name: c.name, |
|
| 38 |
+ Value: uuid.NewUUID().String(), |
|
| 39 |
+ Path: c.path, |
|
| 40 |
+ Domain: c.domain, |
|
| 41 |
+ Secure: c.secure, |
|
| 42 |
+ HttpOnly: c.httponly, |
|
| 43 |
+ } |
|
| 44 |
+ http.SetCookie(w, cookie) |
|
| 45 |
+ |
|
| 46 |
+ return cookie.Value, nil |
|
| 47 |
+} |
|
| 48 |
+ |
|
| 49 |
+// Check implements the CSRF interface |
|
| 50 |
+func (c *cookieCsrf) Check(req *http.Request, value string) (bool, error) {
|
|
| 51 |
+ if len(value) == 0 {
|
|
| 52 |
+ return false, nil |
|
| 53 |
+ } |
|
| 54 |
+ |
|
| 55 |
+ cookie, err := req.Cookie(c.name) |
|
| 56 |
+ if err == http.ErrNoCookie {
|
|
| 57 |
+ return false, nil |
|
| 58 |
+ } |
|
| 59 |
+ if err != nil {
|
|
| 60 |
+ return false, err |
|
| 61 |
+ } |
|
| 62 |
+ |
|
| 63 |
+ if cookie.Value != value {
|
|
| 64 |
+ return false, nil |
|
| 65 |
+ } |
|
| 66 |
+ |
|
| 67 |
+ return true, nil |
|
| 68 |
+} |
| 0 | 69 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,180 @@ |
| 0 |
+package csrf |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "net/http" |
|
| 4 |
+ "net/http/httptest" |
|
| 5 |
+ "testing" |
|
| 6 |
+) |
|
| 7 |
+ |
|
| 8 |
+func TestCookieGenerate(t *testing.T) {
|
|
| 9 |
+ |
|
| 10 |
+ testCases := map[string]struct {
|
|
| 11 |
+ Name string |
|
| 12 |
+ Path string |
|
| 13 |
+ Domain string |
|
| 14 |
+ Secure bool |
|
| 15 |
+ HttpOnly bool |
|
| 16 |
+ ExistingCookie *http.Cookie |
|
| 17 |
+ |
|
| 18 |
+ ExpectToken string |
|
| 19 |
+ ExpectSetCookie bool |
|
| 20 |
+ }{
|
|
| 21 |
+ "use existing": {
|
|
| 22 |
+ Name: "csrf", |
|
| 23 |
+ ExistingCookie: &http.Cookie{Name: "csrf", Value: "existingvalue"},
|
|
| 24 |
+ |
|
| 25 |
+ ExpectToken: "existingvalue", |
|
| 26 |
+ ExpectSetCookie: false, |
|
| 27 |
+ }, |
|
| 28 |
+ |
|
| 29 |
+ "set missing": {
|
|
| 30 |
+ Name: "csrf", |
|
| 31 |
+ |
|
| 32 |
+ ExpectSetCookie: true, |
|
| 33 |
+ }, |
|
| 34 |
+ |
|
| 35 |
+ "set missing with other cookies": {
|
|
| 36 |
+ Name: "csrf", |
|
| 37 |
+ ExistingCookie: &http.Cookie{Name: "csrf2", Value: "existingvalue"},
|
|
| 38 |
+ |
|
| 39 |
+ ExpectSetCookie: true, |
|
| 40 |
+ }, |
|
| 41 |
+ |
|
| 42 |
+ "set missing with cookie options": {
|
|
| 43 |
+ Name: "csrf", |
|
| 44 |
+ Path: "/", |
|
| 45 |
+ Domain: "foo.com", |
|
| 46 |
+ Secure: true, |
|
| 47 |
+ HttpOnly: true, |
|
| 48 |
+ |
|
| 49 |
+ ExpectSetCookie: true, |
|
| 50 |
+ }, |
|
| 51 |
+ } |
|
| 52 |
+ |
|
| 53 |
+ for k, testCase := range testCases {
|
|
| 54 |
+ csrf := NewCookieCSRF(testCase.Name, testCase.Path, testCase.Domain, testCase.Secure, testCase.HttpOnly) |
|
| 55 |
+ |
|
| 56 |
+ req, _ := http.NewRequest("GET", "/", nil)
|
|
| 57 |
+ if testCase.ExistingCookie != nil {
|
|
| 58 |
+ req.AddCookie(testCase.ExistingCookie) |
|
| 59 |
+ } |
|
| 60 |
+ |
|
| 61 |
+ w := httptest.NewRecorder() |
|
| 62 |
+ token, err := csrf.Generate(w, req) |
|
| 63 |
+ |
|
| 64 |
+ if err != nil {
|
|
| 65 |
+ t.Errorf("%s: Unexpected error: %v", k, err)
|
|
| 66 |
+ continue |
|
| 67 |
+ } |
|
| 68 |
+ |
|
| 69 |
+ if len(testCase.ExpectToken) != 0 && token != testCase.ExpectToken {
|
|
| 70 |
+ t.Errorf("%s: Unexpected token %s, got %s", k, testCase.ExpectToken, token)
|
|
| 71 |
+ continue |
|
| 72 |
+ } |
|
| 73 |
+ |
|
| 74 |
+ setCookie := w.Header().Get("Set-Cookie")
|
|
| 75 |
+ if testCase.ExpectSetCookie {
|
|
| 76 |
+ if len(setCookie) == 0 {
|
|
| 77 |
+ t.Errorf("%s: Expected set-cookie header")
|
|
| 78 |
+ continue |
|
| 79 |
+ } |
|
| 80 |
+ |
|
| 81 |
+ protoCookie := &http.Cookie{
|
|
| 82 |
+ Name: testCase.Name, |
|
| 83 |
+ Value: token, |
|
| 84 |
+ Path: testCase.Path, |
|
| 85 |
+ Domain: testCase.Domain, |
|
| 86 |
+ Secure: testCase.Secure, |
|
| 87 |
+ HttpOnly: testCase.HttpOnly, |
|
| 88 |
+ } |
|
| 89 |
+ if setCookie != protoCookie.String() {
|
|
| 90 |
+ t.Errorf("%s: Expected Set-Cookie header of \"%s\", got \"%s\"", k, protoCookie.String(), setCookie)
|
|
| 91 |
+ continue |
|
| 92 |
+ } |
|
| 93 |
+ } else {
|
|
| 94 |
+ if len(setCookie) > 0 {
|
|
| 95 |
+ t.Errorf("%s: Didn't expect set-cookie header, got %s", k, setCookie)
|
|
| 96 |
+ continue |
|
| 97 |
+ } |
|
| 98 |
+ } |
|
| 99 |
+ } |
|
| 100 |
+} |
|
| 101 |
+ |
|
| 102 |
+func TestCookieCheck(t *testing.T) {
|
|
| 103 |
+ |
|
| 104 |
+ testCases := map[string]struct {
|
|
| 105 |
+ Name string |
|
| 106 |
+ Token string |
|
| 107 |
+ ExistingCookie *http.Cookie |
|
| 108 |
+ |
|
| 109 |
+ ExpectCheck bool |
|
| 110 |
+ }{
|
|
| 111 |
+ "fail empty token": {
|
|
| 112 |
+ Name: "csrf", |
|
| 113 |
+ Token: "", |
|
| 114 |
+ ExistingCookie: &http.Cookie{Name: "csrf", Value: "existingvalue"},
|
|
| 115 |
+ |
|
| 116 |
+ ExpectCheck: false, |
|
| 117 |
+ }, |
|
| 118 |
+ |
|
| 119 |
+ "fail empty cookie": {
|
|
| 120 |
+ Name: "csrf", |
|
| 121 |
+ Token: "mytoken", |
|
| 122 |
+ ExistingCookie: &http.Cookie{Name: "csrf", Value: ""},
|
|
| 123 |
+ |
|
| 124 |
+ ExpectCheck: false, |
|
| 125 |
+ }, |
|
| 126 |
+ |
|
| 127 |
+ "fail missing cookie": {
|
|
| 128 |
+ Name: "csrf", |
|
| 129 |
+ Token: "mytoken", |
|
| 130 |
+ |
|
| 131 |
+ ExpectCheck: false, |
|
| 132 |
+ }, |
|
| 133 |
+ |
|
| 134 |
+ "fail mismatch cookie": {
|
|
| 135 |
+ Name: "csrf", |
|
| 136 |
+ Token: "mytoken", |
|
| 137 |
+ ExistingCookie: &http.Cookie{Name: "csrf", Value: "existingvalue"},
|
|
| 138 |
+ |
|
| 139 |
+ ExpectCheck: false, |
|
| 140 |
+ }, |
|
| 141 |
+ |
|
| 142 |
+ "fail mismatch cookie name": {
|
|
| 143 |
+ Name: "csrf", |
|
| 144 |
+ Token: "mytoken", |
|
| 145 |
+ ExistingCookie: &http.Cookie{Name: "csrf2", Value: "mytoken"},
|
|
| 146 |
+ |
|
| 147 |
+ ExpectCheck: false, |
|
| 148 |
+ }, |
|
| 149 |
+ |
|
| 150 |
+ "pass matching cookie": {
|
|
| 151 |
+ Name: "csrf", |
|
| 152 |
+ Token: "existingvalue", |
|
| 153 |
+ ExistingCookie: &http.Cookie{Name: "csrf", Value: "existingvalue"},
|
|
| 154 |
+ |
|
| 155 |
+ ExpectCheck: true, |
|
| 156 |
+ }, |
|
| 157 |
+ } |
|
| 158 |
+ |
|
| 159 |
+ for k, testCase := range testCases {
|
|
| 160 |
+ csrf := NewCookieCSRF(testCase.Name, "", "", false, false) |
|
| 161 |
+ |
|
| 162 |
+ req, _ := http.NewRequest("GET", "/", nil)
|
|
| 163 |
+ if testCase.ExistingCookie != nil {
|
|
| 164 |
+ req.AddCookie(testCase.ExistingCookie) |
|
| 165 |
+ } |
|
| 166 |
+ |
|
| 167 |
+ ok, err := csrf.Check(req, testCase.Token) |
|
| 168 |
+ |
|
| 169 |
+ if err != nil {
|
|
| 170 |
+ t.Errorf("%s: Unexpected error: %v", k, err)
|
|
| 171 |
+ continue |
|
| 172 |
+ } |
|
| 173 |
+ |
|
| 174 |
+ if ok != testCase.ExpectCheck {
|
|
| 175 |
+ t.Errorf("%s: Expected check to return %v, returned %v", k, testCase.ExpectCheck, ok)
|
|
| 176 |
+ continue |
|
| 177 |
+ } |
|
| 178 |
+ } |
|
| 179 |
+} |
| 0 | 180 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,21 @@ |
| 0 |
+package csrf |
|
| 1 |
+ |
|
| 2 |
+import "net/http" |
|
| 3 |
+ |
|
| 4 |
+type emptyCsrf struct{}
|
|
| 5 |
+ |
|
| 6 |
+// NewEmptyCSRF returns a CSRF object which generates empty CSRF tokens, |
|
| 7 |
+// and accepts any token as valid |
|
| 8 |
+func NewEmptyCSRF() CSRF {
|
|
| 9 |
+ return emptyCsrf{}
|
|
| 10 |
+} |
|
| 11 |
+ |
|
| 12 |
+// Generate implements the CSRF interface |
|
| 13 |
+func (emptyCsrf) Generate(http.ResponseWriter, *http.Request) (string, error) {
|
|
| 14 |
+ return "", nil |
|
| 15 |
+} |
|
| 16 |
+ |
|
| 17 |
+// Check implements the CSRF interface |
|
| 18 |
+func (emptyCsrf) Check(*http.Request, string) (bool, error) {
|
|
| 19 |
+ return true, nil |
|
| 20 |
+} |
| 0 | 21 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,19 @@ |
| 0 |
+package csrf |
|
| 1 |
+ |
|
| 2 |
+import "net/http" |
|
| 3 |
+ |
|
| 4 |
+// FakeCSRF returns the given token and error for testing purposes |
|
| 5 |
+type FakeCSRF struct {
|
|
| 6 |
+ Token string |
|
| 7 |
+ Err error |
|
| 8 |
+} |
|
| 9 |
+ |
|
| 10 |
+// Generate implements the CSRF interface |
|
| 11 |
+func (c *FakeCSRF) Generate(w http.ResponseWriter, req *http.Request) (string, error) {
|
|
| 12 |
+ return c.Token, c.Err |
|
| 13 |
+} |
|
| 14 |
+ |
|
| 15 |
+// Check implements the CSRF interface |
|
| 16 |
+func (c *FakeCSRF) Check(req *http.Request, value string) (bool, error) {
|
|
| 17 |
+ return c.Token == value, c.Err |
|
| 18 |
+} |
| 0 | 19 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,11 @@ |
| 0 |
+package csrf |
|
| 1 |
+ |
|
| 2 |
+import "net/http" |
|
| 3 |
+ |
|
| 4 |
+// CSRF handles generating a csrf value, and checking the submitted value |
|
| 5 |
+type CSRF interface {
|
|
| 6 |
+ // Generate returns a CSRF token suitable for inclusion in a form |
|
| 7 |
+ Generate(http.ResponseWriter, *http.Request) (string, error) |
|
| 8 |
+ // Check returns true if the given token is valid for the given request |
|
| 9 |
+ Check(*http.Request, string) (bool, error) |
|
| 10 |
+} |
| 0 | 11 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,69 @@ |
| 0 |
+package csrf |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "net/http" |
|
| 4 |
+ |
|
| 5 |
+ "github.com/openshift/origin/pkg/auth/server/session" |
|
| 6 |
+ |
|
| 7 |
+ "code.google.com/p/go-uuid/uuid" |
|
| 8 |
+) |
|
| 9 |
+ |
|
| 10 |
+const CSRFKey = "csrf" |
|
| 11 |
+ |
|
| 12 |
+type sessionCsrf struct {
|
|
| 13 |
+ store session.Store |
|
| 14 |
+ name string |
|
| 15 |
+} |
|
| 16 |
+ |
|
| 17 |
+// NewSessionCSRF stores CSRF tokens in a session with the given name. |
|
| 18 |
+// Empty CSRF tokens or tokens that do not match the value in the session are rejected. |
|
| 19 |
+func NewSessionCSRF(store session.Store, name string) CSRF {
|
|
| 20 |
+ return &sessionCsrf{
|
|
| 21 |
+ store: store, |
|
| 22 |
+ name: name, |
|
| 23 |
+ } |
|
| 24 |
+} |
|
| 25 |
+ |
|
| 26 |
+// Generate implements the CSRF interface |
|
| 27 |
+func (c *sessionCsrf) Generate(w http.ResponseWriter, req *http.Request) (string, error) {
|
|
| 28 |
+ session, err := c.store.Get(req, c.name) |
|
| 29 |
+ if err != nil {
|
|
| 30 |
+ return "", err |
|
| 31 |
+ } |
|
| 32 |
+ |
|
| 33 |
+ values := session.Values() |
|
| 34 |
+ csrfString, ok := values[CSRFKey].(string) |
|
| 35 |
+ if ok && csrfString != "" {
|
|
| 36 |
+ return csrfString, nil |
|
| 37 |
+ } |
|
| 38 |
+ |
|
| 39 |
+ csrfString = uuid.NewUUID().String() |
|
| 40 |
+ values[CSRFKey] = csrfString |
|
| 41 |
+ |
|
| 42 |
+ // TODO: defer save until response is written? |
|
| 43 |
+ if err = c.store.Save(w, req); err != nil {
|
|
| 44 |
+ return "", err |
|
| 45 |
+ } |
|
| 46 |
+ |
|
| 47 |
+ return csrfString, nil |
|
| 48 |
+} |
|
| 49 |
+ |
|
| 50 |
+// Check implements the CSRF interface |
|
| 51 |
+func (c *sessionCsrf) Check(req *http.Request, value string) (bool, error) {
|
|
| 52 |
+ if len(value) == 0 {
|
|
| 53 |
+ return false, nil |
|
| 54 |
+ } |
|
| 55 |
+ |
|
| 56 |
+ session, err := c.store.Get(req, c.name) |
|
| 57 |
+ if err != nil {
|
|
| 58 |
+ return false, err |
|
| 59 |
+ } |
|
| 60 |
+ |
|
| 61 |
+ values := session.Values() |
|
| 62 |
+ csrfString, ok := values[CSRFKey].(string) |
|
| 63 |
+ if ok && csrfString == value {
|
|
| 64 |
+ return true, nil |
|
| 65 |
+ } |
|
| 66 |
+ |
|
| 67 |
+ return false, nil |
|
| 68 |
+} |
| 0 | 69 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,248 @@ |
| 0 |
+package grant |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "html/template" |
|
| 4 |
+ "net/http" |
|
| 5 |
+ "net/url" |
|
| 6 |
+ "strings" |
|
| 7 |
+ |
|
| 8 |
+ "github.com/golang/glog" |
|
| 9 |
+ authapi "github.com/openshift/origin/pkg/auth/api" |
|
| 10 |
+ "github.com/openshift/origin/pkg/auth/authenticator" |
|
| 11 |
+ "github.com/openshift/origin/pkg/auth/server/csrf" |
|
| 12 |
+ oapi "github.com/openshift/origin/pkg/oauth/api" |
|
| 13 |
+ clientregistry "github.com/openshift/origin/pkg/oauth/registry/client" |
|
| 14 |
+ "github.com/openshift/origin/pkg/oauth/registry/clientauthorization" |
|
| 15 |
+ "github.com/openshift/origin/pkg/oauth/scope" |
|
| 16 |
+) |
|
| 17 |
+ |
|
| 18 |
+const ( |
|
| 19 |
+ thenParam = "then" |
|
| 20 |
+ csrfParam = "csrf" |
|
| 21 |
+ clientIDParam = "client_id" |
|
| 22 |
+ userNameParam = "user_name" |
|
| 23 |
+ scopesParam = "scopes" |
|
| 24 |
+ redirectURIParam = "redirect_uri" |
|
| 25 |
+) |
|
| 26 |
+ |
|
| 27 |
+// GrantFormRenderer is responsible for rendering a GrantForm to prompt the user |
|
| 28 |
+// to approve or reject a requested OAuth scope grant. |
|
| 29 |
+type GrantFormRenderer interface {
|
|
| 30 |
+ Render(form GrantForm, w http.ResponseWriter, req *http.Request) |
|
| 31 |
+} |
|
| 32 |
+ |
|
| 33 |
+type GrantForm struct {
|
|
| 34 |
+ Action string |
|
| 35 |
+ Error string |
|
| 36 |
+ Values GrantFormValues |
|
| 37 |
+} |
|
| 38 |
+ |
|
| 39 |
+type GrantFormValues struct {
|
|
| 40 |
+ Then string |
|
| 41 |
+ CSRF string |
|
| 42 |
+ ClientID string |
|
| 43 |
+ UserName string |
|
| 44 |
+ Scopes string |
|
| 45 |
+ RedirectURI string |
|
| 46 |
+} |
|
| 47 |
+ |
|
| 48 |
+type Grant struct {
|
|
| 49 |
+ auth authenticator.Request |
|
| 50 |
+ csrf csrf.CSRF |
|
| 51 |
+ render GrantFormRenderer |
|
| 52 |
+ clientregistry clientregistry.Registry |
|
| 53 |
+ authregistry clientauthorization.Registry |
|
| 54 |
+} |
|
| 55 |
+ |
|
| 56 |
+func NewGrant(csrf csrf.CSRF, auth authenticator.Request, render GrantFormRenderer, clientregistry clientregistry.Registry, authregistry clientauthorization.Registry) *Grant {
|
|
| 57 |
+ return &Grant{
|
|
| 58 |
+ auth: auth, |
|
| 59 |
+ csrf: csrf, |
|
| 60 |
+ render: render, |
|
| 61 |
+ clientregistry: clientregistry, |
|
| 62 |
+ authregistry: authregistry, |
|
| 63 |
+ } |
|
| 64 |
+} |
|
| 65 |
+ |
|
| 66 |
+// Install registers the grant handler into a mux. It is expected that the |
|
| 67 |
+// provided prefix will serve all operations. Path MUST NOT end in a slash. |
|
| 68 |
+func (l *Grant) Install(mux Mux, paths ...string) {
|
|
| 69 |
+ for _, path := range paths {
|
|
| 70 |
+ path = strings.TrimRight(path, "/") |
|
| 71 |
+ mux.HandleFunc(path, l.ServeHTTP) |
|
| 72 |
+ } |
|
| 73 |
+} |
|
| 74 |
+ |
|
| 75 |
+func (l *Grant) ServeHTTP(w http.ResponseWriter, req *http.Request) {
|
|
| 76 |
+ user, ok, err := l.auth.AuthenticateRequest(req) |
|
| 77 |
+ if err != nil || !ok {
|
|
| 78 |
+ l.redirect("You must reauthenticate before continuing", w, req)
|
|
| 79 |
+ return |
|
| 80 |
+ } |
|
| 81 |
+ |
|
| 82 |
+ switch req.Method {
|
|
| 83 |
+ case "GET": |
|
| 84 |
+ l.handleGrantForm(user, w, req) |
|
| 85 |
+ case "POST": |
|
| 86 |
+ l.handleGrant(user, w, req) |
|
| 87 |
+ default: |
|
| 88 |
+ http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) |
|
| 89 |
+ } |
|
| 90 |
+} |
|
| 91 |
+ |
|
| 92 |
+func (l *Grant) handleGrantForm(user authapi.UserInfo, w http.ResponseWriter, req *http.Request) {
|
|
| 93 |
+ q := req.URL.Query() |
|
| 94 |
+ then := q.Get("then")
|
|
| 95 |
+ clientID := q.Get("client_id")
|
|
| 96 |
+ scopes := q.Get("scopes")
|
|
| 97 |
+ redirectURI := q.Get("redirect_uri")
|
|
| 98 |
+ |
|
| 99 |
+ client, err := l.clientregistry.GetClient(clientID) |
|
| 100 |
+ if err != nil || client == nil {
|
|
| 101 |
+ l.failed("Could not find client for client_id", w, req)
|
|
| 102 |
+ return |
|
| 103 |
+ } |
|
| 104 |
+ |
|
| 105 |
+ uri, err := getBaseURL(req) |
|
| 106 |
+ if err != nil {
|
|
| 107 |
+ glog.Errorf("Unable to generate base URL: %v", err)
|
|
| 108 |
+ http.Error(w, "Unable to determine URL", http.StatusInternalServerError) |
|
| 109 |
+ return |
|
| 110 |
+ } |
|
| 111 |
+ |
|
| 112 |
+ csrf, err := l.csrf.Generate(w, req) |
|
| 113 |
+ if err != nil {
|
|
| 114 |
+ glog.Errorf("Unable to generate CSRF token: %v", err)
|
|
| 115 |
+ l.failed("Could not generate CSRF token", w, req)
|
|
| 116 |
+ return |
|
| 117 |
+ } |
|
| 118 |
+ |
|
| 119 |
+ form := GrantForm{
|
|
| 120 |
+ Action: uri.String(), |
|
| 121 |
+ Values: GrantFormValues{
|
|
| 122 |
+ Then: then, |
|
| 123 |
+ CSRF: csrf, |
|
| 124 |
+ ClientID: client.Name, |
|
| 125 |
+ UserName: user.GetName(), |
|
| 126 |
+ Scopes: scopes, |
|
| 127 |
+ RedirectURI: redirectURI, |
|
| 128 |
+ }, |
|
| 129 |
+ } |
|
| 130 |
+ |
|
| 131 |
+ l.render.Render(form, w, req) |
|
| 132 |
+} |
|
| 133 |
+ |
|
| 134 |
+func (l *Grant) handleGrant(user authapi.UserInfo, w http.ResponseWriter, req *http.Request) {
|
|
| 135 |
+ if ok, err := l.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil {
|
|
| 136 |
+ glog.Errorf("Unable to check CSRF token: %v", err)
|
|
| 137 |
+ l.failed("Invalid CSRF token", w, req)
|
|
| 138 |
+ return |
|
| 139 |
+ } |
|
| 140 |
+ |
|
| 141 |
+ then := req.FormValue("then")
|
|
| 142 |
+ clientID := req.FormValue("client_id")
|
|
| 143 |
+ scopes := req.FormValue("scopes")
|
|
| 144 |
+ |
|
| 145 |
+ client, err := l.clientregistry.GetClient(clientID) |
|
| 146 |
+ if err != nil || client == nil {
|
|
| 147 |
+ l.failed("Could not find client for client_id", w, req)
|
|
| 148 |
+ return |
|
| 149 |
+ } |
|
| 150 |
+ |
|
| 151 |
+ clientAuthID := l.authregistry.ClientAuthorizationID(user.GetName(), client.Name) |
|
| 152 |
+ |
|
| 153 |
+ clientAuth, err := l.authregistry.GetClientAuthorization(clientAuthID) |
|
| 154 |
+ if err == nil && clientAuth != nil {
|
|
| 155 |
+ // Add new scopes and update |
|
| 156 |
+ clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes)) |
|
| 157 |
+ if err = l.authregistry.UpdateClientAuthorization(clientAuth); err != nil {
|
|
| 158 |
+ glog.Errorf("Unable to update authorization: %v", err)
|
|
| 159 |
+ l.failed("Could not update client authorization", w, req)
|
|
| 160 |
+ return |
|
| 161 |
+ } |
|
| 162 |
+ } else {
|
|
| 163 |
+ // Make sure client name, user name, grant scope, expiration, and redirect uri match |
|
| 164 |
+ clientAuth = &oapi.ClientAuthorization{
|
|
| 165 |
+ UserName: user.GetName(), |
|
| 166 |
+ UserUID: user.GetUID(), |
|
| 167 |
+ ClientName: client.Name, |
|
| 168 |
+ Scopes: scope.Split(scopes), |
|
| 169 |
+ } |
|
| 170 |
+ clientAuth.ID = clientAuthID |
|
| 171 |
+ |
|
| 172 |
+ if err = l.authregistry.CreateClientAuthorization(clientAuth); err != nil {
|
|
| 173 |
+ glog.Errorf("Unable to create authorization: %v", err)
|
|
| 174 |
+ l.failed("Could not create client authorization", w, req)
|
|
| 175 |
+ return |
|
| 176 |
+ } |
|
| 177 |
+ } |
|
| 178 |
+ |
|
| 179 |
+ if len(then) == 0 {
|
|
| 180 |
+ l.failed("Approval granted, but no redirect URL was specified", w, req)
|
|
| 181 |
+ return |
|
| 182 |
+ } |
|
| 183 |
+ |
|
| 184 |
+ http.Redirect(w, req, then, http.StatusFound) |
|
| 185 |
+} |
|
| 186 |
+ |
|
| 187 |
+func (l *Grant) failed(reason string, w http.ResponseWriter, req *http.Request) {
|
|
| 188 |
+ form := GrantForm{
|
|
| 189 |
+ Error: reason, |
|
| 190 |
+ } |
|
| 191 |
+ l.render.Render(form, w, req) |
|
| 192 |
+} |
|
| 193 |
+func (l *Grant) redirect(reason string, w http.ResponseWriter, req *http.Request) {
|
|
| 194 |
+ then := req.FormValue("then")
|
|
| 195 |
+ |
|
| 196 |
+ // TODO: validate then |
|
| 197 |
+ if len(then) == 0 {
|
|
| 198 |
+ l.failed(reason, w, req) |
|
| 199 |
+ return |
|
| 200 |
+ } |
|
| 201 |
+ http.Redirect(w, req, then, http.StatusFound) |
|
| 202 |
+} |
|
| 203 |
+ |
|
| 204 |
+func getBaseURL(req *http.Request) (*url.URL, error) {
|
|
| 205 |
+ uri, err := url.Parse(req.RequestURI) |
|
| 206 |
+ if err != nil {
|
|
| 207 |
+ return nil, err |
|
| 208 |
+ } |
|
| 209 |
+ uri.Scheme, uri.Host, uri.RawQuery, uri.Fragment = req.URL.Scheme, req.URL.Host, "", "" |
|
| 210 |
+ return uri, nil |
|
| 211 |
+} |
|
| 212 |
+ |
|
| 213 |
+// DefaultGrantFormRenderer displays a page prompting the user to approve an OAuth grant. |
|
| 214 |
+// The requesting client id, requested scopes, and redirect URI are displayed to the user. |
|
| 215 |
+var DefaultGrantFormRenderer = grantTemplateRenderer{}
|
|
| 216 |
+ |
|
| 217 |
+type grantTemplateRenderer struct{}
|
|
| 218 |
+ |
|
| 219 |
+func (r grantTemplateRenderer) Render(form GrantForm, w http.ResponseWriter, req *http.Request) {
|
|
| 220 |
+ w.Header().Add("Content-Type", "text/html")
|
|
| 221 |
+ w.WriteHeader(http.StatusOK) |
|
| 222 |
+ if err := grantTemplate.Execute(w, form); err != nil {
|
|
| 223 |
+ glog.Errorf("Unable to render grant template: %v", err)
|
|
| 224 |
+ } |
|
| 225 |
+} |
|
| 226 |
+ |
|
| 227 |
+var grantTemplate = template.Must(template.New("grantForm").Parse(`
|
|
| 228 |
+{{ if .Error }}
|
|
| 229 |
+<div class="message">{{ .Error }}</div>
|
|
| 230 |
+{{ else }}
|
|
| 231 |
+<form action="{{ .Action }}" method="POST">
|
|
| 232 |
+ <input type="hidden" name="then" value="{{ .Values.Then }}">
|
|
| 233 |
+ <input type="hidden" name="csrf" value="{{ .Values.CSRF }}">
|
|
| 234 |
+ <input type="hidden" name="client_id" value="{{ .Values.ClientID }}">
|
|
| 235 |
+ <input type="hidden" name="user_name" value="{{ .Values.UserName }}">
|
|
| 236 |
+ <input type="hidden" name="scopes" value="{{ .Values.Scopes }}">
|
|
| 237 |
+ <input type="hidden" name="redirect_uri" value="{{ .Values.RedirectURI }}">
|
|
| 238 |
+ |
|
| 239 |
+ <div>Do you approve this client?</div> |
|
| 240 |
+ <div>Client: {{ .Values.ClientID }}</div>
|
|
| 241 |
+ <div>Scope: {{ .Values.Scopes }}</div>
|
|
| 242 |
+ <div>URI: {{ .Values.RedirectURI }}</div>
|
|
| 243 |
+ |
|
| 244 |
+ <input type="submit" value="Approve"> |
|
| 245 |
+</form> |
|
| 246 |
+{{ end }}
|
|
| 247 |
+`)) |
| 0 | 248 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,345 @@ |
| 0 |
+package grant |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "errors" |
|
| 4 |
+ "io/ioutil" |
|
| 5 |
+ "net/http" |
|
| 6 |
+ "net/http/httptest" |
|
| 7 |
+ "net/url" |
|
| 8 |
+ "reflect" |
|
| 9 |
+ "strings" |
|
| 10 |
+ "testing" |
|
| 11 |
+ |
|
| 12 |
+ "github.com/openshift/origin/pkg/auth/api" |
|
| 13 |
+ "github.com/openshift/origin/pkg/auth/server/csrf" |
|
| 14 |
+ oapi "github.com/openshift/origin/pkg/oauth/api" |
|
| 15 |
+ "github.com/openshift/origin/pkg/oauth/registry/test" |
|
| 16 |
+) |
|
| 17 |
+ |
|
| 18 |
+type testAuth struct {
|
|
| 19 |
+ User api.UserInfo |
|
| 20 |
+ Success bool |
|
| 21 |
+ Err error |
|
| 22 |
+} |
|
| 23 |
+ |
|
| 24 |
+func (t *testAuth) AuthenticateRequest(req *http.Request) (api.UserInfo, bool, error) {
|
|
| 25 |
+ return t.User, t.Success, t.Err |
|
| 26 |
+} |
|
| 27 |
+ |
|
| 28 |
+func goodAuth(username string) *testAuth {
|
|
| 29 |
+ return &testAuth{Success: true, User: &api.DefaultUserInfo{Name: username}}
|
|
| 30 |
+} |
|
| 31 |
+func badAuth(err error) *testAuth {
|
|
| 32 |
+ return &testAuth{Success: false, User: nil, Err: err}
|
|
| 33 |
+} |
|
| 34 |
+ |
|
| 35 |
+func goodClientRegistry(clientID string, redirectURIs []string) *test.ClientRegistry {
|
|
| 36 |
+ client := &oapi.Client{Name: clientID, Secret: "mysecret", RedirectURIs: redirectURIs}
|
|
| 37 |
+ client.ID = clientID |
|
| 38 |
+ return &test.ClientRegistry{Client: client}
|
|
| 39 |
+} |
|
| 40 |
+func badClientRegistry(err error) *test.ClientRegistry {
|
|
| 41 |
+ return &test.ClientRegistry{Err: err}
|
|
| 42 |
+} |
|
| 43 |
+ |
|
| 44 |
+func emptyAuthRegistry() *test.ClientAuthorizationRegistry {
|
|
| 45 |
+ return &test.ClientAuthorizationRegistry{}
|
|
| 46 |
+} |
|
| 47 |
+func existingAuthRegistry(scopes []string) *test.ClientAuthorizationRegistry {
|
|
| 48 |
+ auth := oapi.ClientAuthorization{
|
|
| 49 |
+ UserName: "existingUserName", |
|
| 50 |
+ UserUID: "existingUserUID", |
|
| 51 |
+ ClientName: "existingClientName", |
|
| 52 |
+ Scopes: scopes, |
|
| 53 |
+ } |
|
| 54 |
+ auth.ID = "existingID" |
|
| 55 |
+ return &test.ClientAuthorizationRegistry{ClientAuthorization: &auth}
|
|
| 56 |
+} |
|
| 57 |
+ |
|
| 58 |
+func TestGrant(t *testing.T) {
|
|
| 59 |
+ testCases := map[string]struct {
|
|
| 60 |
+ CSRF csrf.CSRF |
|
| 61 |
+ Auth *testAuth |
|
| 62 |
+ ClientRegistry *test.ClientRegistry |
|
| 63 |
+ AuthRegistry *test.ClientAuthorizationRegistry |
|
| 64 |
+ |
|
| 65 |
+ Path string |
|
| 66 |
+ PostValues url.Values |
|
| 67 |
+ |
|
| 68 |
+ ExpectStatusCode int |
|
| 69 |
+ ExpectCreatedAuthScopes []string |
|
| 70 |
+ ExpectUpdatedAuthScopes []string |
|
| 71 |
+ ExpectRedirect string |
|
| 72 |
+ ExpectContains []string |
|
| 73 |
+ ExpectThen string |
|
| 74 |
+ }{
|
|
| 75 |
+ "display form": {
|
|
| 76 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 77 |
+ Auth: goodAuth("username"),
|
|
| 78 |
+ ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),
|
|
| 79 |
+ AuthRegistry: emptyAuthRegistry(), |
|
| 80 |
+ Path: "/grant?client_id=myclient&scopes=myscope1%20myscope2&redirect_uri=/myredirect&then=/authorize", |
|
| 81 |
+ |
|
| 82 |
+ ExpectStatusCode: 200, |
|
| 83 |
+ ExpectContains: []string{
|
|
| 84 |
+ `action="/grant"`, |
|
| 85 |
+ `name="csrf" value="test"`, |
|
| 86 |
+ `name="client_id" value="myclient"`, |
|
| 87 |
+ `name="scopes" value="myscope1 myscope2"`, |
|
| 88 |
+ `name="redirect_uri" value="/myredirect"`, |
|
| 89 |
+ `name="then" value="/authorize"`, |
|
| 90 |
+ }, |
|
| 91 |
+ }, |
|
| 92 |
+ |
|
| 93 |
+ "Unauthenticated with redirect": {
|
|
| 94 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 95 |
+ Auth: badAuth(nil), |
|
| 96 |
+ Path: "/grant?then=/authorize", |
|
| 97 |
+ |
|
| 98 |
+ ExpectStatusCode: 302, |
|
| 99 |
+ ExpectRedirect: "/authorize", |
|
| 100 |
+ }, |
|
| 101 |
+ |
|
| 102 |
+ "Unauthenticated without redirect": {
|
|
| 103 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 104 |
+ Auth: badAuth(nil), |
|
| 105 |
+ Path: "/grant", |
|
| 106 |
+ |
|
| 107 |
+ ExpectStatusCode: 200, |
|
| 108 |
+ ExpectContains: []string{"reauthenticate"},
|
|
| 109 |
+ }, |
|
| 110 |
+ |
|
| 111 |
+ "Auth error with redirect": {
|
|
| 112 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 113 |
+ Auth: badAuth(errors.New("Auth error")),
|
|
| 114 |
+ Path: "/grant?then=/authorize", |
|
| 115 |
+ |
|
| 116 |
+ ExpectStatusCode: 302, |
|
| 117 |
+ ExpectRedirect: "/authorize", |
|
| 118 |
+ }, |
|
| 119 |
+ |
|
| 120 |
+ "Auth error without redirect": {
|
|
| 121 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 122 |
+ Auth: badAuth(errors.New("Auth error")),
|
|
| 123 |
+ Path: "/grant", |
|
| 124 |
+ |
|
| 125 |
+ ExpectStatusCode: 200, |
|
| 126 |
+ ExpectContains: []string{"reauthenticate"},
|
|
| 127 |
+ }, |
|
| 128 |
+ |
|
| 129 |
+ "error when POST fails CSRF": {
|
|
| 130 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 131 |
+ Auth: goodAuth("username"),
|
|
| 132 |
+ ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),
|
|
| 133 |
+ AuthRegistry: emptyAuthRegistry(), |
|
| 134 |
+ Path: "/grant", |
|
| 135 |
+ PostValues: url.Values{
|
|
| 136 |
+ "client_id": {"myclient"},
|
|
| 137 |
+ "scopes": {"myscope1 myscope2"},
|
|
| 138 |
+ "redirect_uri": {"/myredirect"},
|
|
| 139 |
+ "then": {"/authorize"},
|
|
| 140 |
+ "csrf": {"wrong"},
|
|
| 141 |
+ }, |
|
| 142 |
+ |
|
| 143 |
+ ExpectStatusCode: 200, |
|
| 144 |
+ ExpectContains: []string{"CSRF"},
|
|
| 145 |
+ }, |
|
| 146 |
+ |
|
| 147 |
+ "error displaying form with invalid client": {
|
|
| 148 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 149 |
+ Auth: goodAuth("username"),
|
|
| 150 |
+ ClientRegistry: badClientRegistry(nil), |
|
| 151 |
+ AuthRegistry: emptyAuthRegistry(), |
|
| 152 |
+ Path: "/grant", |
|
| 153 |
+ |
|
| 154 |
+ ExpectStatusCode: 200, |
|
| 155 |
+ ExpectContains: []string{"find client"},
|
|
| 156 |
+ }, |
|
| 157 |
+ |
|
| 158 |
+ "error submitting form with invalid client": {
|
|
| 159 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 160 |
+ Auth: goodAuth("username"),
|
|
| 161 |
+ ClientRegistry: badClientRegistry(nil), |
|
| 162 |
+ AuthRegistry: emptyAuthRegistry(), |
|
| 163 |
+ Path: "/grant", |
|
| 164 |
+ PostValues: url.Values{
|
|
| 165 |
+ "client_id": {"myclient"},
|
|
| 166 |
+ "scopes": {"myscope1 myscope2"},
|
|
| 167 |
+ "redirect_uri": {"/myredirect"},
|
|
| 168 |
+ "then": {"/authorize"},
|
|
| 169 |
+ "csrf": {"test"},
|
|
| 170 |
+ }, |
|
| 171 |
+ |
|
| 172 |
+ ExpectStatusCode: 200, |
|
| 173 |
+ ExpectContains: []string{"find client"},
|
|
| 174 |
+ }, |
|
| 175 |
+ |
|
| 176 |
+ "successful create grant with redirect": {
|
|
| 177 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 178 |
+ Auth: goodAuth("username"),
|
|
| 179 |
+ ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),
|
|
| 180 |
+ AuthRegistry: emptyAuthRegistry(), |
|
| 181 |
+ Path: "/grant", |
|
| 182 |
+ PostValues: url.Values{
|
|
| 183 |
+ "client_id": {"myclient"},
|
|
| 184 |
+ "scopes": {"myscope1 myscope2"},
|
|
| 185 |
+ "redirect_uri": {"/myredirect"},
|
|
| 186 |
+ "then": {"/authorize"},
|
|
| 187 |
+ "csrf": {"test"},
|
|
| 188 |
+ }, |
|
| 189 |
+ |
|
| 190 |
+ ExpectStatusCode: 302, |
|
| 191 |
+ ExpectCreatedAuthScopes: []string{"myscope1", "myscope2"},
|
|
| 192 |
+ ExpectRedirect: "/authorize", |
|
| 193 |
+ }, |
|
| 194 |
+ |
|
| 195 |
+ "successful create grant without redirect": {
|
|
| 196 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 197 |
+ Auth: goodAuth("username"),
|
|
| 198 |
+ ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),
|
|
| 199 |
+ AuthRegistry: emptyAuthRegistry(), |
|
| 200 |
+ Path: "/grant", |
|
| 201 |
+ PostValues: url.Values{
|
|
| 202 |
+ "client_id": {"myclient"},
|
|
| 203 |
+ "scopes": {"myscope1 myscope2"},
|
|
| 204 |
+ "redirect_uri": {"/myredirect"},
|
|
| 205 |
+ "csrf": {"test"},
|
|
| 206 |
+ }, |
|
| 207 |
+ |
|
| 208 |
+ ExpectStatusCode: 200, |
|
| 209 |
+ ExpectCreatedAuthScopes: []string{"myscope1", "myscope2"},
|
|
| 210 |
+ ExpectContains: []string{
|
|
| 211 |
+ "granted", |
|
| 212 |
+ "no redirect", |
|
| 213 |
+ }, |
|
| 214 |
+ }, |
|
| 215 |
+ |
|
| 216 |
+ "successful update grant with identical scopes": {
|
|
| 217 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 218 |
+ Auth: goodAuth("username"),
|
|
| 219 |
+ ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),
|
|
| 220 |
+ AuthRegistry: existingAuthRegistry([]string{"myscope2", "myscope1"}),
|
|
| 221 |
+ Path: "/grant", |
|
| 222 |
+ PostValues: url.Values{
|
|
| 223 |
+ "client_id": {"myclient"},
|
|
| 224 |
+ "scopes": {"myscope1 myscope2"},
|
|
| 225 |
+ "redirect_uri": {"/myredirect"},
|
|
| 226 |
+ "then": {"/authorize"},
|
|
| 227 |
+ "csrf": {"test"},
|
|
| 228 |
+ }, |
|
| 229 |
+ |
|
| 230 |
+ ExpectStatusCode: 302, |
|
| 231 |
+ ExpectUpdatedAuthScopes: []string{"myscope1", "myscope2"},
|
|
| 232 |
+ ExpectRedirect: "/authorize", |
|
| 233 |
+ }, |
|
| 234 |
+ |
|
| 235 |
+ "successful update grant with additional scopes": {
|
|
| 236 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 237 |
+ Auth: goodAuth("username"),
|
|
| 238 |
+ ClientRegistry: goodClientRegistry("myclient", []string{"myredirect"}),
|
|
| 239 |
+ AuthRegistry: existingAuthRegistry([]string{"existingscope2", "existingscope1"}),
|
|
| 240 |
+ Path: "/grant", |
|
| 241 |
+ PostValues: url.Values{
|
|
| 242 |
+ "client_id": {"myclient"},
|
|
| 243 |
+ "scopes": {"newscope1 existingscope1"},
|
|
| 244 |
+ "redirect_uri": {"/myredirect"},
|
|
| 245 |
+ "then": {"/authorize"},
|
|
| 246 |
+ "csrf": {"test"},
|
|
| 247 |
+ }, |
|
| 248 |
+ |
|
| 249 |
+ ExpectStatusCode: 302, |
|
| 250 |
+ ExpectUpdatedAuthScopes: []string{"existingscope1", "existingscope2", "newscope1"},
|
|
| 251 |
+ ExpectRedirect: "/authorize", |
|
| 252 |
+ }, |
|
| 253 |
+ } |
|
| 254 |
+ |
|
| 255 |
+ for k, testCase := range testCases {
|
|
| 256 |
+ server := httptest.NewServer(NewGrant(testCase.CSRF, testCase.Auth, DefaultGrantFormRenderer, testCase.ClientRegistry, testCase.AuthRegistry)) |
|
| 257 |
+ |
|
| 258 |
+ var resp *http.Response |
|
| 259 |
+ if testCase.PostValues != nil {
|
|
| 260 |
+ r, err := postForm(server.URL+testCase.Path, testCase.PostValues) |
|
| 261 |
+ if err != nil {
|
|
| 262 |
+ t.Errorf("%s: unexpected error: %v", k, err)
|
|
| 263 |
+ continue |
|
| 264 |
+ } |
|
| 265 |
+ resp = r |
|
| 266 |
+ } else {
|
|
| 267 |
+ r, err := getUrl(server.URL + testCase.Path) |
|
| 268 |
+ if err != nil {
|
|
| 269 |
+ t.Errorf("%s: unexpected error: %v", k, err)
|
|
| 270 |
+ continue |
|
| 271 |
+ } |
|
| 272 |
+ resp = r |
|
| 273 |
+ } |
|
| 274 |
+ defer resp.Body.Close() |
|
| 275 |
+ |
|
| 276 |
+ if testCase.ExpectStatusCode != 0 && testCase.ExpectStatusCode != resp.StatusCode {
|
|
| 277 |
+ t.Errorf("%s: unexpected response: %#v", k, resp)
|
|
| 278 |
+ continue |
|
| 279 |
+ } |
|
| 280 |
+ |
|
| 281 |
+ if len(testCase.ExpectCreatedAuthScopes) > 0 {
|
|
| 282 |
+ auth := testCase.AuthRegistry.CreatedAuthorization |
|
| 283 |
+ if auth == nil {
|
|
| 284 |
+ t.Errorf("%s: expected created auth, got nil", k)
|
|
| 285 |
+ continue |
|
| 286 |
+ } |
|
| 287 |
+ if !reflect.DeepEqual(testCase.ExpectCreatedAuthScopes, auth.Scopes) {
|
|
| 288 |
+ t.Errorf("%s: expected created scopes %v, got %v", k, testCase.ExpectCreatedAuthScopes, auth.Scopes)
|
|
| 289 |
+ } |
|
| 290 |
+ } |
|
| 291 |
+ |
|
| 292 |
+ if len(testCase.ExpectUpdatedAuthScopes) > 0 {
|
|
| 293 |
+ auth := testCase.AuthRegistry.UpdatedAuthorization |
|
| 294 |
+ if auth == nil {
|
|
| 295 |
+ t.Errorf("%s: expected updated auth, got nil", k)
|
|
| 296 |
+ continue |
|
| 297 |
+ } |
|
| 298 |
+ if !reflect.DeepEqual(testCase.ExpectUpdatedAuthScopes, auth.Scopes) {
|
|
| 299 |
+ t.Errorf("%s: expected updated scopes %v, got %v", k, testCase.ExpectUpdatedAuthScopes, auth.Scopes)
|
|
| 300 |
+ } |
|
| 301 |
+ } |
|
| 302 |
+ |
|
| 303 |
+ if testCase.ExpectRedirect != "" {
|
|
| 304 |
+ uri, err := resp.Location() |
|
| 305 |
+ if err != nil {
|
|
| 306 |
+ t.Errorf("%s: unexpected error: %v", k, err)
|
|
| 307 |
+ continue |
|
| 308 |
+ } |
|
| 309 |
+ if uri.String() != server.URL+testCase.ExpectRedirect {
|
|
| 310 |
+ t.Errorf("%s: unexpected redirect: %s", k, uri.String())
|
|
| 311 |
+ } |
|
| 312 |
+ } |
|
| 313 |
+ |
|
| 314 |
+ if len(testCase.ExpectContains) > 0 {
|
|
| 315 |
+ data, _ := ioutil.ReadAll(resp.Body) |
|
| 316 |
+ body := string(data) |
|
| 317 |
+ for i := range testCase.ExpectContains {
|
|
| 318 |
+ if !strings.Contains(body, testCase.ExpectContains[i]) {
|
|
| 319 |
+ t.Errorf("%s: did not find expected value %s: %s", k, testCase.ExpectContains[i], body)
|
|
| 320 |
+ continue |
|
| 321 |
+ } |
|
| 322 |
+ } |
|
| 323 |
+ } |
|
| 324 |
+ } |
|
| 325 |
+} |
|
| 326 |
+ |
|
| 327 |
+func postForm(url string, body url.Values) (resp *http.Response, err error) {
|
|
| 328 |
+ tr := &http.Transport{}
|
|
| 329 |
+ req, err := http.NewRequest("POST", url, strings.NewReader(body.Encode()))
|
|
| 330 |
+ if err != nil {
|
|
| 331 |
+ return nil, err |
|
| 332 |
+ } |
|
| 333 |
+ req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
| 334 |
+ return tr.RoundTrip(req) |
|
| 335 |
+} |
|
| 336 |
+ |
|
| 337 |
+func getUrl(url string) (resp *http.Response, err error) {
|
|
| 338 |
+ tr := &http.Transport{}
|
|
| 339 |
+ req, err := http.NewRequest("GET", url, nil)
|
|
| 340 |
+ if err != nil {
|
|
| 341 |
+ return nil, err |
|
| 342 |
+ } |
|
| 343 |
+ return tr.RoundTrip(req) |
|
| 344 |
+} |
| 0 | 345 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,9 @@ |
| 0 |
+package grant |
|
| 1 |
+ |
|
| 2 |
+import "net/http" |
|
| 3 |
+ |
|
| 4 |
+// Mux is an object that can register http handlers. |
|
| 5 |
+type Mux interface {
|
|
| 6 |
+ Handle(pattern string, handler http.Handler) |
|
| 7 |
+ HandleFunc(pattern string, handler func(http.ResponseWriter, *http.Request)) |
|
| 8 |
+} |
| ... | ... |
@@ -9,6 +9,7 @@ import ( |
| 9 | 9 |
"github.com/openshift/origin/pkg/auth/api" |
| 10 | 10 |
"github.com/openshift/origin/pkg/auth/authenticator" |
| 11 | 11 |
"github.com/openshift/origin/pkg/auth/oauth/handlers" |
| 12 |
+ "github.com/openshift/origin/pkg/auth/server/csrf" |
|
| 12 | 13 |
) |
| 13 | 14 |
|
| 14 | 15 |
type RequestAuthenticator interface {
|
| ... | ... |
@@ -33,12 +34,12 @@ type ConfirmFormValues struct {
|
| 33 | 33 |
} |
| 34 | 34 |
|
| 35 | 35 |
type Confirm struct {
|
| 36 |
- csrf CSRF |
|
| 36 |
+ csrf csrf.CSRF |
|
| 37 | 37 |
auth RequestAuthenticator |
| 38 | 38 |
render ConfirmFormRenderer |
| 39 | 39 |
} |
| 40 | 40 |
|
| 41 |
-func NewConfirm(csrf CSRF, auth RequestAuthenticator, render ConfirmFormRenderer) *Confirm {
|
|
| 41 |
+func NewConfirm(csrf csrf.CSRF, auth RequestAuthenticator, render ConfirmFormRenderer) *Confirm {
|
|
| 42 | 42 |
return &Confirm{
|
| 43 | 43 |
csrf: csrf, |
| 44 | 44 |
auth: auth, |
| ... | ... |
@@ -79,7 +80,7 @@ func (c *Confirm) handleConfirmForm(w http.ResponseWriter, req *http.Request) {
|
| 79 | 79 |
form.Error = "An unknown error has occured. Please try again." |
| 80 | 80 |
} |
| 81 | 81 |
|
| 82 |
- csrf, err := c.csrf.Generate() |
|
| 82 |
+ csrf, err := c.csrf.Generate(w, req) |
|
| 83 | 83 |
if err != nil {
|
| 84 | 84 |
glog.Errorf("Unable to generate CSRF token: %v", err)
|
| 85 | 85 |
} |
| ... | ... |
@@ -99,7 +100,7 @@ func (c *Confirm) handleConfirmForm(w http.ResponseWriter, req *http.Request) {
|
| 99 | 99 |
} |
| 100 | 100 |
|
| 101 | 101 |
func (c *Confirm) handleConfirm(w http.ResponseWriter, req *http.Request) {
|
| 102 |
- if ok, err := c.csrf.Check(req.FormValue("csrf")); !ok || err != nil {
|
|
| 102 |
+ if ok, err := c.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil {
|
|
| 103 | 103 |
glog.Errorf("Unable to check CSRF token: %v", err)
|
| 104 | 104 |
failed("token expired", w, req)
|
| 105 | 105 |
return |
| ... | ... |
@@ -10,6 +10,7 @@ import ( |
| 10 | 10 |
"testing" |
| 11 | 11 |
|
| 12 | 12 |
"github.com/openshift/origin/pkg/auth/api" |
| 13 |
+ "github.com/openshift/origin/pkg/auth/server/csrf" |
|
| 13 | 14 |
) |
| 14 | 15 |
|
| 15 | 16 |
type testImplicit struct {
|
| ... | ... |
@@ -35,7 +36,7 @@ func (t *testImplicit) AuthenticationSucceeded(user api.UserInfo, then string, w |
| 35 | 35 |
|
| 36 | 36 |
func TestImplicit(t *testing.T) {
|
| 37 | 37 |
testCases := map[string]struct {
|
| 38 |
- CSRF *testCSRF |
|
| 38 |
+ CSRF csrf.CSRF |
|
| 39 | 39 |
Implicit *testImplicit |
| 40 | 40 |
Path string |
| 41 | 41 |
PostValues url.Values |
| ... | ... |
@@ -46,7 +47,7 @@ func TestImplicit(t *testing.T) {
|
| 46 | 46 |
ExpectThen string |
| 47 | 47 |
}{
|
| 48 | 48 |
"display confirm form": {
|
| 49 |
- CSRF: &testCSRF{"test", nil},
|
|
| 49 |
+ CSRF: &csrf.FakeCSRF{"test", nil},
|
|
| 50 | 50 |
Implicit: &testImplicit{Success: true, User: &api.DefaultUserInfo{Name: "user"}},
|
| 51 | 51 |
Path: "/login", |
| 52 | 52 |
ExpectContains: []string{
|
| ... | ... |
@@ -55,35 +56,35 @@ func TestImplicit(t *testing.T) {
|
| 55 | 55 |
}, |
| 56 | 56 |
}, |
| 57 | 57 |
"successful POST redirects": {
|
| 58 |
- CSRF: &testCSRF{"test", nil},
|
|
| 58 |
+ CSRF: &csrf.FakeCSRF{"test", nil},
|
|
| 59 | 59 |
Implicit: &testImplicit{Success: true, User: &api.DefaultUserInfo{Name: "user"}},
|
| 60 | 60 |
Path: "/login?then=%2Ffoo", |
| 61 | 61 |
PostValues: url.Values{"csrf": []string{"test"}},
|
| 62 | 62 |
ExpectThen: "/foo", |
| 63 | 63 |
}, |
| 64 | 64 |
"redirect when POST fails CSRF": {
|
| 65 |
- CSRF: &testCSRF{"test", nil},
|
|
| 65 |
+ CSRF: &csrf.FakeCSRF{"test", nil},
|
|
| 66 | 66 |
Implicit: &testImplicit{Success: true, User: &api.DefaultUserInfo{Name: "user"}},
|
| 67 | 67 |
Path: "/login", |
| 68 | 68 |
PostValues: url.Values{"csrf": []string{"wrong"}},
|
| 69 | 69 |
ExpectRedirect: "/login?reason=token+expired", |
| 70 | 70 |
}, |
| 71 | 71 |
"redirect when not authenticated": {
|
| 72 |
- CSRF: &testCSRF{"test", nil},
|
|
| 72 |
+ CSRF: &csrf.FakeCSRF{"test", nil},
|
|
| 73 | 73 |
Implicit: &testImplicit{Success: false},
|
| 74 | 74 |
Path: "/login", |
| 75 | 75 |
PostValues: url.Values{"csrf": []string{"test"}},
|
| 76 | 76 |
ExpectRedirect: "/login?reason=access+denied", |
| 77 | 77 |
}, |
| 78 | 78 |
"redirect on auth failure": {
|
| 79 |
- CSRF: &testCSRF{"test", nil},
|
|
| 79 |
+ CSRF: &csrf.FakeCSRF{"test", nil},
|
|
| 80 | 80 |
Implicit: &testImplicit{Err: errors.New("failed")},
|
| 81 | 81 |
Path: "/login", |
| 82 | 82 |
PostValues: url.Values{"csrf": []string{"test"}},
|
| 83 | 83 |
ExpectRedirect: "/login?reason=access+denied", |
| 84 | 84 |
}, |
| 85 | 85 |
"expect GET error": {
|
| 86 |
- CSRF: &testCSRF{"test", nil},
|
|
| 86 |
+ CSRF: &csrf.FakeCSRF{"test", nil},
|
|
| 87 | 87 |
Implicit: &testImplicit{Err: errors.New("failed")},
|
| 88 | 88 |
ExpectContains: []string{`"message">An unknown error has occured. Contact your administrator`},
|
| 89 | 89 |
}, |
| ... | ... |
@@ -9,6 +9,7 @@ import ( |
| 9 | 9 |
|
| 10 | 10 |
"github.com/openshift/origin/pkg/auth/authenticator" |
| 11 | 11 |
"github.com/openshift/origin/pkg/auth/oauth/handlers" |
| 12 |
+ "github.com/openshift/origin/pkg/auth/server/csrf" |
|
| 12 | 13 |
) |
| 13 | 14 |
|
| 14 | 15 |
type PasswordAuthenticator interface {
|
| ... | ... |
@@ -34,12 +35,12 @@ type LoginFormValues struct {
|
| 34 | 34 |
} |
| 35 | 35 |
|
| 36 | 36 |
type Login struct {
|
| 37 |
- csrf CSRF |
|
| 37 |
+ csrf csrf.CSRF |
|
| 38 | 38 |
auth PasswordAuthenticator |
| 39 | 39 |
render LoginFormRenderer |
| 40 | 40 |
} |
| 41 | 41 |
|
| 42 |
-func NewLogin(csrf CSRF, auth PasswordAuthenticator, render LoginFormRenderer) *Login {
|
|
| 42 |
+func NewLogin(csrf csrf.CSRF, auth PasswordAuthenticator, render LoginFormRenderer) *Login {
|
|
| 43 | 43 |
return &Login{
|
| 44 | 44 |
csrf: csrf, |
| 45 | 45 |
auth: auth, |
| ... | ... |
@@ -95,7 +96,7 @@ func (l *Login) handleLoginForm(w http.ResponseWriter, req *http.Request) {
|
| 95 | 95 |
form.Error = "An unknown error has occured. Please try again." |
| 96 | 96 |
} |
| 97 | 97 |
|
| 98 |
- csrf, err := l.csrf.Generate() |
|
| 98 |
+ csrf, err := l.csrf.Generate(w, req) |
|
| 99 | 99 |
if err != nil {
|
| 100 | 100 |
glog.Errorf("Unable to generate CSRF token: %v", err)
|
| 101 | 101 |
} |
| ... | ... |
@@ -105,7 +106,7 @@ func (l *Login) handleLoginForm(w http.ResponseWriter, req *http.Request) {
|
| 105 | 105 |
} |
| 106 | 106 |
|
| 107 | 107 |
func (l *Login) handleLogin(w http.ResponseWriter, req *http.Request) {
|
| 108 |
- if ok, err := l.csrf.Check(req.FormValue("csrf")); !ok || err != nil {
|
|
| 108 |
+ if ok, err := l.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil {
|
|
| 109 | 109 |
glog.Errorf("Unable to check CSRF token: %v", err)
|
| 110 | 110 |
failed("token expired", w, req)
|
| 111 | 111 |
return |
| ... | ... |
@@ -10,21 +10,9 @@ import ( |
| 10 | 10 |
"testing" |
| 11 | 11 |
|
| 12 | 12 |
"github.com/openshift/origin/pkg/auth/api" |
| 13 |
+ "github.com/openshift/origin/pkg/auth/server/csrf" |
|
| 13 | 14 |
) |
| 14 | 15 |
|
| 15 |
-type testCSRF struct {
|
|
| 16 |
- Token string |
|
| 17 |
- Err error |
|
| 18 |
-} |
|
| 19 |
- |
|
| 20 |
-func (t *testCSRF) Generate() (string, error) {
|
|
| 21 |
- return t.Token, t.Err |
|
| 22 |
-} |
|
| 23 |
- |
|
| 24 |
-func (t *testCSRF) Check(token string) (bool, error) {
|
|
| 25 |
- return t.Token == token, t.Err |
|
| 26 |
-} |
|
| 27 |
- |
|
| 28 | 16 |
type testAuth struct {
|
| 29 | 17 |
Username string |
| 30 | 18 |
Password string |
| ... | ... |
@@ -50,7 +38,7 @@ func (t *testAuth) AuthenticationSucceeded(user api.UserInfo, then string, w htt |
| 50 | 50 |
|
| 51 | 51 |
func TestLogin(t *testing.T) {
|
| 52 | 52 |
testCases := map[string]struct {
|
| 53 |
- CSRF *testCSRF |
|
| 53 |
+ CSRF csrf.CSRF |
|
| 54 | 54 |
Auth *testAuth |
| 55 | 55 |
Path string |
| 56 | 56 |
PostValues url.Values |
| ... | ... |
@@ -61,7 +49,7 @@ func TestLogin(t *testing.T) {
|
| 61 | 61 |
ExpectThen string |
| 62 | 62 |
}{
|
| 63 | 63 |
"display form": {
|
| 64 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 64 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 65 | 65 |
Auth: &testAuth{},
|
| 66 | 66 |
Path: "/login", |
| 67 | 67 |
|
| ... | ... |
@@ -72,7 +60,7 @@ func TestLogin(t *testing.T) {
|
| 72 | 72 |
}, |
| 73 | 73 |
}, |
| 74 | 74 |
"display form with errors": {
|
| 75 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 75 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 76 | 76 |
Auth: &testAuth{},
|
| 77 | 77 |
Path: "?then=foo&reason=failed&username=user", |
| 78 | 78 |
|
| ... | ... |
@@ -84,21 +72,21 @@ func TestLogin(t *testing.T) {
|
| 84 | 84 |
}, |
| 85 | 85 |
}, |
| 86 | 86 |
"redirect when POST fails CSRF": {
|
| 87 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 87 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 88 | 88 |
Auth: &testAuth{},
|
| 89 | 89 |
Path: "/login", |
| 90 | 90 |
PostValues: url.Values{"csrf": []string{"wrong"}},
|
| 91 | 91 |
ExpectRedirect: "/login?reason=token+expired", |
| 92 | 92 |
}, |
| 93 | 93 |
"redirect with 'then' when POST fails CSRF": {
|
| 94 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 94 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 95 | 95 |
Auth: &testAuth{},
|
| 96 | 96 |
Path: "/login?then=test", |
| 97 | 97 |
PostValues: url.Values{"csrf": []string{"wrong"}},
|
| 98 | 98 |
ExpectRedirect: "/login?reason=token+expired&then=test", |
| 99 | 99 |
}, |
| 100 | 100 |
"redirect when no username": {
|
| 101 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 101 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 102 | 102 |
Auth: &testAuth{},
|
| 103 | 103 |
Path: "/login", |
| 104 | 104 |
PostValues: url.Values{
|
| ... | ... |
@@ -107,7 +95,7 @@ func TestLogin(t *testing.T) {
|
| 107 | 107 |
ExpectRedirect: "/login?reason=user+required", |
| 108 | 108 |
}, |
| 109 | 109 |
"redirect when not authenticated": {
|
| 110 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 110 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 111 | 111 |
Auth: &testAuth{Success: false},
|
| 112 | 112 |
Path: "/login", |
| 113 | 113 |
PostValues: url.Values{
|
| ... | ... |
@@ -117,7 +105,7 @@ func TestLogin(t *testing.T) {
|
| 117 | 117 |
ExpectRedirect: "/login?reason=access+denied", |
| 118 | 118 |
}, |
| 119 | 119 |
"redirect on auth error": {
|
| 120 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 120 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 121 | 121 |
Auth: &testAuth{Err: errors.New("failed")},
|
| 122 | 122 |
Path: "/login", |
| 123 | 123 |
PostValues: url.Values{
|
| ... | ... |
@@ -127,7 +115,7 @@ func TestLogin(t *testing.T) {
|
| 127 | 127 |
ExpectRedirect: "/login?reason=unknown+error", |
| 128 | 128 |
}, |
| 129 | 129 |
"redirect preserving then param": {
|
| 130 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 130 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 131 | 131 |
Auth: &testAuth{Err: errors.New("failed")},
|
| 132 | 132 |
Path: "/login", |
| 133 | 133 |
PostValues: url.Values{
|
| ... | ... |
@@ -138,7 +126,7 @@ func TestLogin(t *testing.T) {
|
| 138 | 138 |
ExpectRedirect: "/login?reason=unknown+error&then=anotherurl", |
| 139 | 139 |
}, |
| 140 | 140 |
"login successful": {
|
| 141 |
- CSRF: &testCSRF{Token: "test"},
|
|
| 141 |
+ CSRF: &csrf.FakeCSRF{Token: "test"},
|
|
| 142 | 142 |
Auth: &testAuth{Success: true, User: &api.DefaultUserInfo{Name: "user"}},
|
| 143 | 143 |
Path: "/login?then=done", |
| 144 | 144 |
PostValues: url.Values{
|
| ... | ... |
@@ -21,10 +21,14 @@ import ( |
| 21 | 21 |
"github.com/openshift/origin/pkg/auth/oauth/handlers" |
| 22 | 22 |
"github.com/openshift/origin/pkg/auth/oauth/registry" |
| 23 | 23 |
authnregistry "github.com/openshift/origin/pkg/auth/oauth/registry" |
| 24 |
+ "github.com/openshift/origin/pkg/auth/server/csrf" |
|
| 25 |
+ "github.com/openshift/origin/pkg/auth/server/grant" |
|
| 24 | 26 |
"github.com/openshift/origin/pkg/auth/server/login" |
| 25 | 27 |
"github.com/openshift/origin/pkg/auth/server/session" |
| 26 | 28 |
|
| 27 | 29 |
cmdutil "github.com/openshift/origin/pkg/cmd/util" |
| 30 |
+ clientregistry "github.com/openshift/origin/pkg/oauth/registry/client" |
|
| 31 |
+ "github.com/openshift/origin/pkg/oauth/registry/clientauthorization" |
|
| 28 | 32 |
oauthetcd "github.com/openshift/origin/pkg/oauth/registry/etcd" |
| 29 | 33 |
"github.com/openshift/origin/pkg/oauth/server/osinserver" |
| 30 | 34 |
"github.com/openshift/origin/pkg/oauth/server/osinserver/registrystorage" |
| ... | ... |
@@ -33,6 +37,7 @@ import ( |
| 33 | 33 |
const ( |
| 34 | 34 |
OpenShiftOAuthAPIPrefix = "/oauth" |
| 35 | 35 |
OpenShiftLoginPrefix = "/login" |
| 36 |
+ OpenShiftApprovePrefix = "/oauth/approve" |
|
| 36 | 37 |
OpenShiftOAuthCallbackPrefix = "/oauth2callback" |
| 37 | 38 |
) |
| 38 | 39 |
|
| ... | ... |
@@ -62,7 +67,7 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {
|
| 62 | 62 |
config := osinserver.NewDefaultServerConfig() |
| 63 | 63 |
|
| 64 | 64 |
grantChecker := registry.NewClientAuthorizationGrantChecker(oauthEtcd) |
| 65 |
- grantHandler := emptyGrant{}
|
|
| 65 |
+ grantHandler := c.getGrantHandler(mux, authRequestHandler, oauthEtcd, oauthEtcd) |
|
| 66 | 66 |
|
| 67 | 67 |
server := osinserver.New( |
| 68 | 68 |
config, |
| ... | ... |
@@ -94,11 +99,35 @@ func (c *AuthConfig) InstallAPI(mux cmdutil.Mux) []string {
|
| 94 | 94 |
} |
| 95 | 95 |
} |
| 96 | 96 |
|
| 97 |
+// getCSRF returns the object responsible for generating and checking CSRF tokens |
|
| 98 |
+func getCSRF() csrf.CSRF {
|
|
| 99 |
+ return csrf.NewCookieCSRF("csrf", "/", "", false, false)
|
|
| 100 |
+} |
|
| 101 |
+ |
|
| 102 |
+// getGrantHandler returns the object that handles approving or rejecting grant requests |
|
| 103 |
+func (c *AuthConfig) getGrantHandler(mux cmdutil.Mux, auth authenticator.Request, clientregistry clientregistry.Registry, authregistry clientauthorization.Registry) handlers.GrantHandler {
|
|
| 104 |
+ var grantHandler handlers.GrantHandler |
|
| 105 |
+ grantHandlerType := env("ORIGIN_GRANT_HANDLER", "prompt")
|
|
| 106 |
+ switch grantHandlerType {
|
|
| 107 |
+ case "empty": |
|
| 108 |
+ grantHandler = handlers.NewEmptyGrant() |
|
| 109 |
+ case "auto": |
|
| 110 |
+ grantHandler = handlers.NewAutoGrant(authregistry) |
|
| 111 |
+ case "prompt": |
|
| 112 |
+ grantServer := grant.NewGrant(getCSRF(), auth, grant.DefaultGrantFormRenderer, clientregistry, authregistry) |
|
| 113 |
+ grantServer.Install(mux, OpenShiftApprovePrefix) |
|
| 114 |
+ grantHandler = handlers.NewRedirectGrant(OpenShiftApprovePrefix) |
|
| 115 |
+ default: |
|
| 116 |
+ glog.Fatalf("No grant handler found that matches %v. The oauth server cannot start!", grantHandlerType)
|
|
| 117 |
+ } |
|
| 118 |
+ return grantHandler |
|
| 119 |
+} |
|
| 120 |
+ |
|
| 97 | 121 |
func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, success handlers.AuthenticationSuccessHandler, error handlers.AuthenticationErrorHandler) handlers.AuthenticationHandler {
|
| 98 | 122 |
// TODO presumeably we'll want either a list of what we've got or a way to describe a registry of these |
| 99 | 123 |
// hard-coded strings as a stand-in until it gets sorted out |
| 100 | 124 |
var authHandler handlers.AuthenticationHandler |
| 101 |
- authHandlerType := env("ORIGIN_AUTH_HANDLER", "empty")
|
|
| 125 |
+ authHandlerType := env("ORIGIN_AUTH_HANDLER", "login")
|
|
| 102 | 126 |
switch authHandlerType {
|
| 103 | 127 |
case "google", "github": |
| 104 | 128 |
callbackPath := OpenShiftOAuthCallbackPrefix + "/" + authHandlerType |
| ... | ... |
@@ -139,7 +168,7 @@ func (c *AuthConfig) getAuthenticationHandler(mux cmdutil.Mux, success handlers. |
| 139 | 139 |
|
| 140 | 140 |
authHandler = &redirectAuthHandler{RedirectURL: OpenShiftLoginPrefix, ThenParam: "then"}
|
| 141 | 141 |
success := handlers.AuthenticationSuccessHandlers{success, redirectSuccessHandler{}}
|
| 142 |
- login := login.NewLogin(emptyCsrf{}, &callbackPasswordAuthenticator{passwordAuth, success}, login.DefaultLoginFormRenderer)
|
|
| 142 |
+ login := login.NewLogin(getCSRF(), &callbackPasswordAuthenticator{passwordAuth, success}, login.DefaultLoginFormRenderer)
|
|
| 143 | 143 |
login.Install(mux, OpenShiftLoginPrefix) |
| 144 | 144 |
case "empty": |
| 145 | 145 |
authHandler = emptyAuth{}
|
| ... | ... |
@@ -195,9 +224,6 @@ func (emptyAuth) AuthenticationNeeded(w http.ResponseWriter, req *http.Request) |
| 195 | 195 |
func (emptyAuth) AuthenticationError(err error, w http.ResponseWriter, req *http.Request) {
|
| 196 | 196 |
fmt.Fprintf(w, "<body>AuthenticationError - %s</body>", err) |
| 197 | 197 |
} |
| 198 |
-func (emptyAuth) String() string {
|
|
| 199 |
- return "emptyAuth" |
|
| 200 |
-} |
|
| 201 | 198 |
|
| 202 | 199 |
// Captures the original request url as a "then" param in a redirect to a login flow |
| 203 | 200 |
type redirectAuthHandler struct {
|
| ... | ... |
@@ -225,30 +251,6 @@ func (auth *redirectAuthHandler) AuthenticationError(err error, w http.ResponseW |
| 225 | 225 |
fmt.Fprintf(w, "<body>AuthenticationError - %s</body>", err) |
| 226 | 226 |
} |
| 227 | 227 |
|
| 228 |
-func (auth *redirectAuthHandler) String() string {
|
|
| 229 |
- return fmt.Sprintf("redirectAuth{url:%s, then:%s}", auth.RedirectURL, auth.ThenParam)
|
|
| 230 |
-} |
|
| 231 |
- |
|
| 232 |
-type emptyGrant struct{}
|
|
| 233 |
- |
|
| 234 |
-func (emptyGrant) GrantNeeded(client api.Client, user api.UserInfo, grant *api.Grant, w http.ResponseWriter, req *http.Request) {
|
|
| 235 |
- fmt.Fprintf(w, "<body>GrantNeeded - not implemented<pre>%#v\n%#v\n%#v</pre></body>", client, user, grant) |
|
| 236 |
-} |
|
| 237 |
- |
|
| 238 |
-func (emptyGrant) GrantError(err error, w http.ResponseWriter, req *http.Request) {
|
|
| 239 |
- fmt.Fprintf(w, "<body>GrantError - %s</body>", err) |
|
| 240 |
-} |
|
| 241 |
- |
|
| 242 |
-type emptyCsrf struct{}
|
|
| 243 |
- |
|
| 244 |
-func (emptyCsrf) Generate() (string, error) {
|
|
| 245 |
- return "", nil |
|
| 246 |
-} |
|
| 247 |
- |
|
| 248 |
-func (emptyCsrf) Check(string) (bool, error) {
|
|
| 249 |
- return true, nil |
|
| 250 |
-} |
|
| 251 |
- |
|
| 252 | 228 |
// |
| 253 | 229 |
// Approves any login attempt with non-blank username and password |
| 254 | 230 |
// |
| ... | ... |
@@ -166,8 +166,9 @@ func (r *Etcd) CreateClientAuthorization(client *api.ClientAuthorization) error |
| 166 | 166 |
return err |
| 167 | 167 |
} |
| 168 | 168 |
|
| 169 |
-func (r *Etcd) UpdateClientAuthorization(*api.ClientAuthorization) error {
|
|
| 170 |
- return errors.New("not supported")
|
|
| 169 |
+func (r *Etcd) UpdateClientAuthorization(client *api.ClientAuthorization) error {
|
|
| 170 |
+ err := etcderrs.InterpretUpdateError(r.SetObj(makeClientAuthorizationKey(client.ID), client), "clientAuthorization", client.ID) |
|
| 171 |
+ return err |
|
| 171 | 172 |
} |
| 172 | 173 |
|
| 173 | 174 |
func (r *Etcd) DeleteClientAuthorization(name string) error {
|
| ... | ... |
@@ -12,6 +12,8 @@ type ClientAuthorizationRegistry struct {
|
| 12 | 12 |
Err error |
| 13 | 13 |
ClientAuthorizations *api.ClientAuthorizationList |
| 14 | 14 |
ClientAuthorization *api.ClientAuthorization |
| 15 |
+ CreatedAuthorization *api.ClientAuthorization |
|
| 16 |
+ UpdatedAuthorization *api.ClientAuthorization |
|
| 15 | 17 |
DeletedClientAuthorizationId string |
| 16 | 18 |
} |
| 17 | 19 |
|
| ... | ... |
@@ -28,10 +30,12 @@ func (r *ClientAuthorizationRegistry) GetClientAuthorization(id string) (*api.Cl |
| 28 | 28 |
} |
| 29 | 29 |
|
| 30 | 30 |
func (r *ClientAuthorizationRegistry) CreateClientAuthorization(grant *api.ClientAuthorization) error {
|
| 31 |
+ r.CreatedAuthorization = grant |
|
| 31 | 32 |
return r.Err |
| 32 | 33 |
} |
| 33 | 34 |
|
| 34 | 35 |
func (r *ClientAuthorizationRegistry) UpdateClientAuthorization(grant *api.ClientAuthorization) error {
|
| 36 |
+ r.UpdatedAuthorization = grant |
|
| 35 | 37 |
return r.Err |
| 36 | 38 |
} |
| 37 | 39 |
|
| ... | ... |
@@ -5,6 +5,22 @@ import ( |
| 5 | 5 |
"strings" |
| 6 | 6 |
) |
| 7 | 7 |
|
| 8 |
+// Add takes two sets of scopes, and returns a combined sorted set of scopes |
|
| 9 |
+func Add(has []string, new []string) []string {
|
|
| 10 |
+ sorted := sortAndCopy(has) |
|
| 11 |
+ for _, s := range new {
|
|
| 12 |
+ i := sort.SearchStrings(sorted, s) |
|
| 13 |
+ if i == len(sorted) {
|
|
| 14 |
+ sorted = append(sorted, s) |
|
| 15 |
+ } else if sorted[i] != s {
|
|
| 16 |
+ sorted = append(sorted, "") |
|
| 17 |
+ copy(sorted[i+1:], sorted[i:]) |
|
| 18 |
+ sorted[i] = s |
|
| 19 |
+ } |
|
| 20 |
+ } |
|
| 21 |
+ return sorted |
|
| 22 |
+} |
|
| 23 |
+ |
|
| 8 | 24 |
func Split(scope string) []string {
|
| 9 | 25 |
scope = strings.TrimSpace(scope) |
| 10 | 26 |
if scope == "" {
|
| 11 | 27 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,67 @@ |
| 0 |
+package scope |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "reflect" |
|
| 4 |
+ "testing" |
|
| 5 |
+) |
|
| 6 |
+ |
|
| 7 |
+func TestAdd(t *testing.T) {
|
|
| 8 |
+ // Empty |
|
| 9 |
+ checkAdd(t, []string{}, []string{}, []string{})
|
|
| 10 |
+ |
|
| 11 |
+ // No new scopes |
|
| 12 |
+ checkAdd(t, []string{"A"}, []string{}, []string{"A"})
|
|
| 13 |
+ |
|
| 14 |
+ // Duplicates |
|
| 15 |
+ checkAdd(t, []string{"A"}, []string{"A"}, []string{"A"})
|
|
| 16 |
+ |
|
| 17 |
+ // Unsorted |
|
| 18 |
+ checkAdd(t, []string{"B", "A"}, []string{"A", "B"}, []string{"A", "B"})
|
|
| 19 |
+ |
|
| 20 |
+ // Additional new scopes |
|
| 21 |
+ checkAdd(t, []string{"B", "A"}, []string{"C", "A", "B"}, []string{"A", "B", "C"})
|
|
| 22 |
+ |
|
| 23 |
+ // No existing scopes |
|
| 24 |
+ checkAdd(t, []string{}, []string{"C", "A", "B"}, []string{"A", "B", "C"})
|
|
| 25 |
+} |
|
| 26 |
+ |
|
| 27 |
+func checkAdd(t *testing.T, s1, s2, expected []string) {
|
|
| 28 |
+ actual := Add(s1, s2) |
|
| 29 |
+ if !reflect.DeepEqual(expected, actual) {
|
|
| 30 |
+ t.Errorf("Expected %v + %v to be %v, but got %v", s1, s2, expected, actual)
|
|
| 31 |
+ } |
|
| 32 |
+} |
|
| 33 |
+ |
|
| 34 |
+func TestCovers(t *testing.T) {
|
|
| 35 |
+ // Empty request |
|
| 36 |
+ checkCovers(t, []string{}, []string{}, true)
|
|
| 37 |
+ checkCovers(t, []string{"A"}, []string{}, true)
|
|
| 38 |
+ checkCovers(t, []string{"B", "A"}, []string{}, true)
|
|
| 39 |
+ |
|
| 40 |
+ // Equal request |
|
| 41 |
+ checkCovers(t, []string{"A"}, []string{"A"}, true)
|
|
| 42 |
+ // Covered request |
|
| 43 |
+ checkCovers(t, []string{"B", "A"}, []string{"A"}, true)
|
|
| 44 |
+ // Sorting difference |
|
| 45 |
+ checkCovers(t, []string{"B", "A"}, []string{"A", "B"}, true)
|
|
| 46 |
+ // Superset |
|
| 47 |
+ checkCovers(t, []string{"B", "A", "C"}, []string{"A", "B"}, true)
|
|
| 48 |
+ |
|
| 49 |
+ // Empty has |
|
| 50 |
+ checkCovers(t, []string{}, []string{"A"}, false)
|
|
| 51 |
+ // Different has |
|
| 52 |
+ checkCovers(t, []string{"B"}, []string{"A"}, false)
|
|
| 53 |
+ // Partially overlapping has |
|
| 54 |
+ checkCovers(t, []string{"A", "B"}, []string{"A", "C"}, false)
|
|
| 55 |
+} |
|
| 56 |
+ |
|
| 57 |
+func checkCovers(t *testing.T, has, requested []string, expected bool) {
|
|
| 58 |
+ actual := Covers(has, requested) |
|
| 59 |
+ if actual != expected {
|
|
| 60 |
+ if expected {
|
|
| 61 |
+ t.Errorf("Expected %v to cover %v, but it did not", has, requested)
|
|
| 62 |
+ } else {
|
|
| 63 |
+ t.Errorf("Expected %v to not cover %v, but it did", has, requested)
|
|
| 64 |
+ } |
|
| 65 |
+ } |
|
| 66 |
+} |