dex/client/client.go

package client

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"io"
	"net/url"
	"reflect"

	"golang.org/x/crypto/bcrypt"

	"github.com/coreos/dex/repo"
	"github.com/coreos/go-oidc/oidc"
)

var (
	ErrorInvalidClientID          = errors.New("not a valid client ID")
	ErrorInvalidRedirectURL       = errors.New("not a valid redirect url for the given client")
	ErrorCantChooseRedirectURL    = errors.New("must provide a redirect url; client has many")
	ErrorNoValidRedirectURLs      = errors.New("no valid redirect URLs for this client.")
	ErrorPublicClientRedirectURIs = errors.New("native clients cannot have redirect URIs")
	ErrorPublicClientMissingName  = errors.New("native clients must have a name")

	ErrorMissingRedirectURI = errors.New("no client redirect url given")

	ErrorNotFound = errors.New("no data found")
)

type ValidationError struct {
	Err error
}

func (v ValidationError) Error() string {
	return v.Err.Error()
}

const (
	bcryptHashCost = 10
)

func HashSecret(creds oidc.ClientCredentials) ([]byte, error) {
	secretBytes, err := base64.URLEncoding.DecodeString(creds.Secret)
	if err != nil {
		return nil, err
	}
	hashed, err := bcrypt.GenerateFromPassword([]byte(
		secretBytes),
		bcryptHashCost)
	if err != nil {
		return nil, err
	}
	return hashed, nil
}

type Client struct {
	Credentials oidc.ClientCredentials
	Metadata    oidc.ClientMetadata
	Admin       bool
	Public      bool
}

type ClientRepo interface {
	Get(tx repo.Transaction, clientID string) (Client, error)

	// GetSecret returns the (base64 encoded) hashed client secret
	GetSecret(tx repo.Transaction, clientID string) ([]byte, error)

	// All returns all registered Clients
	All(tx repo.Transaction) ([]Client, error)

	// New registers a Client with the repo.
	// An unused ID must be provided. A corresponding secret will be returned
	// in a ClientCredentials struct along with the provided ID.
	New(tx repo.Transaction, client Client) (*oidc.ClientCredentials, error)

	Update(tx repo.Transaction, client Client) error

	// GetTrustedPeers returns the list of clients authorized to mint ID token for the given client.
	GetTrustedPeers(tx repo.Transaction, clientID string) ([]string, error)

	// SetTrustedPeers sets the list of clients authorized to mint ID token for the given client.
	SetTrustedPeers(tx repo.Transaction, clientID string, clientIDs []string) error
}

// ValidRedirectURL returns the passed in URL if it is present in the redirectURLs list, and returns an error otherwise.
// If nil is passed in as the rURL and there is only one URL in redirectURLs,
// that URL will be returned. If nil is passed but theres >1 URL in the slice,
// then an error is returned.
func ValidRedirectURL(rURL *url.URL, redirectURLs []url.URL) (url.URL, error) {
	if len(redirectURLs) == 0 {
		return url.URL{}, ErrorNoValidRedirectURLs
	}

	if rURL == nil {
		if len(redirectURLs) > 1 {
			return url.URL{}, ErrorCantChooseRedirectURL
		}

		return redirectURLs[0], nil
	}

	for _, ru := range redirectURLs {
		if reflect.DeepEqual(ru, *rURL) {
			return ru, nil
		}
	}
	return url.URL{}, ErrorInvalidRedirectURL
}

// LoadableClient contains sufficient information for creating a Client and its related entities.
type LoadableClient struct {
	Client       Client
	TrustedPeers []string
}

func ClientsFromReader(r io.Reader) ([]LoadableClient, error) {
	var c []struct {
		ID           string   `json:"id"`
		Secret       string   `json:"secret"`
		RedirectURLs []string `json:"redirectURLs"`
		Admin        bool     `json:"admin"`
		Public       bool     `json:"public"`
		TrustedPeers []string `json:"trustedPeers"`
	}
	if err := json.NewDecoder(r).Decode(&c); err != nil {
		return nil, err
	}
	clients := make([]LoadableClient, len(c))
	for i, client := range c {
		if client.ID == "" {
			return nil, errors.New("clients must have an ID")
		}
		if len(client.Secret) == 0 {
			return nil, errors.New("clients must have a Secret")
		}
		redirectURIs := make([]url.URL, len(client.RedirectURLs))
		for j, u := range client.RedirectURLs {
			uri, err := url.Parse(u)
			if err != nil {
				return nil, err
			}
			redirectURIs[j] = *uri
		}

		clients[i] = LoadableClient{
			Client: Client{
				Credentials: oidc.ClientCredentials{
					ID:     client.ID,
					Secret: client.Secret,
				},
				Metadata: oidc.ClientMetadata{
					RedirectURIs: redirectURIs,
				},
				Admin:  client.Admin,
				Public: client.Public,
			},
			TrustedPeers: client.TrustedPeers,
		}
	}
	return clients, nil
}
*: move original project to dex 2015-08-18 05:57:27 +05:30			`package client`

			`import (`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`"encoding/base64"`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`"encoding/json"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"errors"`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`"io"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"net/url"`
			`"reflect"`

client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`"golang.org/x/crypto/bcrypt"`

client: add transaction support 2016-05-12 03:05:24 +05:30			`"github.com/coreos/dex/repo"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"github.com/coreos/go-oidc/oidc"`
			`)`

			`var (`
client: add public client to data model 2016-06-16 04:09:04 +05:30			`ErrorInvalidClientID = errors.New("not a valid client ID")`
			`ErrorInvalidRedirectURL = errors.New("not a valid redirect url for the given client")`
			`ErrorCantChooseRedirectURL = errors.New("must provide a redirect url; client has many")`
			`ErrorNoValidRedirectURLs = errors.New("no valid redirect URLs for this client.")`
			`ErrorPublicClientRedirectURIs = errors.New("native clients cannot have redirect URIs")`
			`ErrorPublicClientMissingName = errors.New("native clients must have a name")`

			`ErrorMissingRedirectURI = errors.New("no client redirect url given")`

			`ErrorNotFound = errors.New("no data found")`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`)`

client: add public client to data model 2016-06-16 04:09:04 +05:30			`type ValidationError struct {`
			`Err error`
			`}`

			`func (v ValidationError) Error() string {`
			`return v.Err.Error()`
			`}`

client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`const (`
			`bcryptHashCost = 10`
			`)`

			`func HashSecret(creds oidc.ClientCredentials) ([]byte, error) {`
			`secretBytes, err := base64.URLEncoding.DecodeString(creds.Secret)`
			`if err != nil {`
			`return nil, err`
			`}`
			`hashed, err := bcrypt.GenerateFromPassword([]byte(`
			`secretBytes),`
			`bcryptHashCost)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return hashed, nil`
			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`type Client struct {`
			`Credentials oidc.ClientCredentials`
			`Metadata oidc.ClientMetadata`
			`Admin bool`
client: add public client to data model 2016-06-16 04:09:04 +05:30			`Public bool`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`type ClientRepo interface {`
client: add transaction support 2016-05-12 03:05:24 +05:30			`Get(tx repo.Transaction, clientID string) (Client, error)`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`// GetSecret returns the (base64 encoded) hashed client secret`
			`GetSecret(tx repo.Transaction, clientID string) ([]byte, error)`
*: move original project to dex 2015-08-18 05:57:27 +05:30
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`// All returns all registered Clients`
client: add transaction support 2016-05-12 03:05:24 +05:30			`All(tx repo.Transaction) ([]Client, error)`
*: move original project to dex 2015-08-18 05:57:27 +05:30
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`// New registers a Client with the repo.`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`// An unused ID must be provided. A corresponding secret will be returned`
			`// in a ClientCredentials struct along with the provided ID.`
client: add transaction support 2016-05-12 03:05:24 +05:30			`New(tx repo.Transaction, client Client) (*oidc.ClientCredentials, error)`
*: move original project to dex 2015-08-18 05:57:27 +05:30
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`Update(tx repo.Transaction, client Client) error`
db, client: add data model for trusted peers Trusted Peers are clients that are authorized to mint tokens for another client. 2016-04-23 02:39:28 +05:30
			`// GetTrustedPeers returns the list of clients authorized to mint ID token for the given client.`
			`GetTrustedPeers(tx repo.Transaction, clientID string) ([]string, error)`

			`// SetTrustedPeers sets the list of clients authorized to mint ID token for the given client.`
			`SetTrustedPeers(tx repo.Transaction, clientID string, clientIDs []string) error`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

			`// ValidRedirectURL returns the passed in URL if it is present in the redirectURLs list, and returns an error otherwise.`
			`// If nil is passed in as the rURL and there is only one URL in redirectURLs,`
			`// that URL will be returned. If nil is passed but theres >1 URL in the slice,`
			`// then an error is returned.`
			`func ValidRedirectURL(rURL *url.URL, redirectURLs []url.URL) (url.URL, error) {`
			`if len(redirectURLs) == 0 {`
			`return url.URL{}, ErrorNoValidRedirectURLs`
			`}`

			`if rURL == nil {`
			`if len(redirectURLs) > 1 {`
			`return url.URL{}, ErrorCantChooseRedirectURL`
			`}`

			`return redirectURLs[0], nil`
			`}`

			`for _, ru := range redirectURLs {`
			`if reflect.DeepEqual(ru, *rURL) {`
			`return ru, nil`
			`}`
			`}`
			`return url.URL{}, ErrorInvalidRedirectURL`
			`}`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30
client: load full clients w/ LoadableClient The Client object on its own doesn't fully express everything about a single client, and so when loading clients from a static configuration it's not enough to just (de)serialize clients. To that end, LoadableClient contains the full representation of a client and associated entities. 2016-06-09 00:01:50 +05:30			`// LoadableClient contains sufficient information for creating a Client and its related entities.`
			`type LoadableClient struct {`
			`Client Client`
			`TrustedPeers []string`
			`}`

			`func ClientsFromReader(r io.Reader) ([]LoadableClient, error) {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`var c []struct {`
			ID string `json:"id"`
			Secret string `json:"secret"`
			RedirectURLs []string `json:"redirectURLs"`
client: load full clients w/ LoadableClient The Client object on its own doesn't fully express everything about a single client, and so when loading clients from a static configuration it's not enough to just (de)serialize clients. To that end, LoadableClient contains the full representation of a client and associated entities. 2016-06-09 00:01:50 +05:30			Admin bool `json:"admin"`
client: add public client to data model 2016-06-16 04:09:04 +05:30			Public bool `json:"public"`
client: load full clients w/ LoadableClient The Client object on its own doesn't fully express everything about a single client, and so when loading clients from a static configuration it's not enough to just (de)serialize clients. To that end, LoadableClient contains the full representation of a client and associated entities. 2016-06-09 00:01:50 +05:30			TrustedPeers []string `json:"trustedPeers"`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`}`
			`if err := json.NewDecoder(r).Decode(&c); err != nil {`
			`return nil, err`
			`}`
client: load full clients w/ LoadableClient The Client object on its own doesn't fully express everything about a single client, and so when loading clients from a static configuration it's not enough to just (de)serialize clients. To that end, LoadableClient contains the full representation of a client and associated entities. 2016-06-09 00:01:50 +05:30			`clients := make([]LoadableClient, len(c))`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`for i, client := range c {`
client: Add tests for ClientsFromReader Also require client ID and secret. 2016-04-15 23:53:48 +05:30			`if client.ID == "" {`
			`return nil, errors.New("clients must have an ID")`
			`}`
			`if len(client.Secret) == 0 {`
			`return nil, errors.New("clients must have a Secret")`
			`}`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`redirectURIs := make([]url.URL, len(client.RedirectURLs))`
			`for j, u := range client.RedirectURLs {`
			`uri, err := url.Parse(u)`
			`if err != nil {`
			`return nil, err`
			`}`
			`redirectURIs[j] = *uri`
			`}`

client: load full clients w/ LoadableClient The Client object on its own doesn't fully express everything about a single client, and so when loading clients from a static configuration it's not enough to just (de)serialize clients. To that end, LoadableClient contains the full representation of a client and associated entities. 2016-06-09 00:01:50 +05:30			`clients[i] = LoadableClient{`
			`Client: Client{`
			`Credentials: oidc.ClientCredentials{`
			`ID: client.ID,`
			`Secret: client.Secret,`
			`},`
			`Metadata: oidc.ClientMetadata{`
			`RedirectURIs: redirectURIs,`
			`},`
client: add public client to data model 2016-06-16 04:09:04 +05:30			`Admin: client.Admin,`
			`Public: client.Public,`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`},`
client: load full clients w/ LoadableClient The Client object on its own doesn't fully express everything about a single client, and so when loading clients from a static configuration it's not enough to just (de)serialize clients. To that end, LoadableClient contains the full representation of a client and associated entities. 2016-06-09 00:01:50 +05:30			`TrustedPeers: client.TrustedPeers,`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`}`
			`}`
			`return clients, nil`
			`}`