dex/db/client.go

package db

import (
	"database/sql"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"reflect"

	"github.com/coreos/go-oidc/oidc"
	"github.com/go-gorp/gorp"
	"golang.org/x/crypto/bcrypt"

	"github.com/coreos/dex/client"
	pcrypto "github.com/coreos/dex/pkg/crypto"
	"github.com/coreos/dex/pkg/log"
)

const (
	clientTableName = "client_identity"

	bcryptHashCost = 10

	// Blowfish, the algorithm underlying bcrypt, has a maximum
	// password length of 72. We explicitly track and check this
	// since the bcrypt library will silently ignore portions of
	// a password past the first 72 characters.
	maxSecretLength = 72

	// postgres error codes
	pgErrorCodeUniqueViolation = "23505" // unique_violation
)

func init() {
	register(table{
		name:    clientTableName,
		model:   clientModel{},
		autoinc: false,
		pkey:    []string{"id"},
	})
}

func newClientModel(cli client.Client) (*clientModel, error) {
	secretBytes, err := base64.URLEncoding.DecodeString(cli.Credentials.Secret)
	if err != nil {
		return nil, err
	}
	hashed, err := bcrypt.GenerateFromPassword([]byte(
		secretBytes),
		bcryptHashCost)
	if err != nil {
		return nil, err
	}

	bmeta, err := json.Marshal(&cli.Metadata)
	if err != nil {
		return nil, err
	}

	cim := clientModel{
		ID:       cli.Credentials.ID,
		Secret:   hashed,
		Metadata: string(bmeta),
		DexAdmin: cli.Admin,
	}

	return &cim, nil
}

type clientModel struct {
	ID       string `db:"id"`
	Secret   []byte `db:"secret"`
	Metadata string `db:"metadata"`
	DexAdmin bool   `db:"dex_admin"`
}

func (m *clientModel) Client() (*client.Client, error) {
	ci := client.Client{
		Credentials: oidc.ClientCredentials{
			ID: m.ID,
		},
		Admin: m.DexAdmin,
	}

	if err := json.Unmarshal([]byte(m.Metadata), &ci.Metadata); err != nil {
		return nil, err
	}

	return &ci, nil
}

func NewClientRepo(dbm *gorp.DbMap) client.ClientRepo {
	return newClientRepo(dbm)
}

func newClientRepo(dbm *gorp.DbMap) *clientRepo {
	return &clientRepo{db: &db{dbm}}
}

func NewClientRepoFromClients(dbm *gorp.DbMap, clients []client.Client) (client.ClientRepo, error) {
	repo := newClientRepo(dbm)
	tx, err := repo.begin()
	if err != nil {
		return nil, err
	}
	defer tx.Rollback()
	exec := repo.executor(tx)
	for _, c := range clients {
		if c.Credentials.Secret == "" {
			return nil, fmt.Errorf("client %q has no secret", c.Credentials.ID)
		}
		cm, err := newClientModel(c)
		if err != nil {
			return nil, err
		}
		err = exec.Insert(cm)
		if err != nil {
			return nil, err
		}
	}
	if err := tx.Commit(); err != nil {
		return nil, err
	}
	return repo, nil
}

type clientRepo struct {
	*db
}

func (r *clientRepo) Get(clientID string) (client.Client, error) {
	m, err := r.executor(nil).Get(clientModel{}, clientID)
	if err == sql.ErrNoRows || m == nil {
		return client.Client{}, client.ErrorNotFound
	}
	if err != nil {
		return client.Client{}, err
	}

	cim, ok := m.(*clientModel)
	if !ok {
		log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))
		return client.Client{}, errors.New("unrecognized model")
	}

	ci, err := cim.Client()
	if err != nil {
		return client.Client{}, err
	}

	return *ci, nil
}

func (r *clientRepo) Metadata(clientID string) (*oidc.ClientMetadata, error) {
	c, err := r.Get(clientID)
	if err != nil {
		return nil, err
	}

	return &c.Metadata, nil
}

func (r *clientRepo) IsDexAdmin(clientID string) (bool, error) {
	m, err := r.executor(nil).Get(clientModel{}, clientID)
	if m == nil || err != nil {
		return false, err
	}

	cim, ok := m.(*clientModel)
	if !ok {
		log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))
		return false, errors.New("unrecognized model")
	}

	return cim.DexAdmin, nil
}

func (r *clientRepo) SetDexAdmin(clientID string, isAdmin bool) error {
	tx, err := r.begin()
	if err != nil {
		return err
	}
	defer tx.Rollback()
	exec := r.executor(tx)

	m, err := exec.Get(clientModel{}, clientID)
	if m == nil || err != nil {
		return err
	}

	cim, ok := m.(*clientModel)
	if !ok {
		log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))
		return errors.New("unrecognized model")
	}

	cim.DexAdmin = isAdmin
	_, err = exec.Update(cim)
	if err != nil {
		return err
	}

	return tx.Commit()
}

func (r *clientRepo) Authenticate(creds oidc.ClientCredentials) (bool, error) {
	m, err := r.executor(nil).Get(clientModel{}, creds.ID)
	if m == nil || err != nil {
		return false, err
	}

	cim, ok := m.(*clientModel)
	if !ok {
		log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))
		return false, errors.New("unrecognized model")
	}

	dec, err := base64.URLEncoding.DecodeString(creds.Secret)
	if err != nil {
		log.Errorf("error Decoding client creds: %v", err)
		return false, nil
	}

	if len(dec) > maxSecretLength {
		return false, nil
	}

	ok = bcrypt.CompareHashAndPassword(cim.Secret, dec) == nil
	return ok, nil
}

var alreadyExistsCheckers []func(err error) bool

func registerAlreadyExistsChecker(f func(err error) bool) {
	alreadyExistsCheckers = append(alreadyExistsCheckers, f)
}

// isAlreadyExistsErr detects database error codes for failing a unique constraint.
//
// Because database drivers are optionally compiled, use registerAlreadyExistsChecker to
// register driver specific implementations.
func isAlreadyExistsErr(err error) bool {
	for _, checker := range alreadyExistsCheckers {
		if checker(err) {
			return true
		}
	}
	return false
}

func (r *clientRepo) New(cli client.Client) (*oidc.ClientCredentials, error) {
	secret, err := pcrypto.RandBytes(maxSecretLength)
	if err != nil {
		return nil, err
	}

	cli.Credentials.Secret = base64.URLEncoding.EncodeToString(secret)
	cim, err := newClientModel(cli)

	if err != nil {
		return nil, err
	}

	if err := r.executor(nil).Insert(cim); err != nil {
		if isAlreadyExistsErr(err) {
			err = errors.New("client ID already exists")
		}
		return nil, err
	}

	cc := oidc.ClientCredentials{
		ID:     cli.Credentials.ID,
		Secret: cli.Credentials.Secret,
	}

	return &cc, nil
}

func (r *clientRepo) All() ([]client.Client, error) {
	qt := r.quote(clientTableName)
	q := fmt.Sprintf("SELECT * FROM %s", qt)
	objs, err := r.executor(nil).Select(&clientModel{}, q)
	if err != nil {
		return nil, err
	}

	cs := make([]client.Client, len(objs))
	for i, obj := range objs {
		m, ok := obj.(*clientModel)
		if !ok {
			return nil, errors.New("unable to cast client identity to clientModel")
		}

		ci, err := m.Client()
		if err != nil {
			return nil, err
		}
		cs[i] = *ci
	}
	return cs, nil
}
*: move original project to dex 2015-08-18 05:57:27 +05:30			`package db`

			`import (`
			`"database/sql"`
			`"encoding/base64"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
db: log schema errors, distinguish them from nil results where needed 2015-09-30 08:37:36 +05:30			`"reflect"`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`"github.com/coreos/go-oidc/oidc"`
db: gorp moved to github.com/go-gorp/gorp 2015-08-25 04:05:44 +05:30			`"github.com/go-gorp/gorp"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"golang.org/x/crypto/bcrypt"`

			`"github.com/coreos/dex/client"`
			`pcrypto "github.com/coreos/dex/pkg/crypto"`
			`"github.com/coreos/dex/pkg/log"`
			`)`

			`const (`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`clientTableName = "client_identity"`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`bcryptHashCost = 10`

			`// Blowfish, the algorithm underlying bcrypt, has a maximum`
			`// password length of 72. We explicitly track and check this`
			`// since the bcrypt library will silently ignore portions of`
			`// a password past the first 72 characters.`
			`maxSecretLength = 72`

			`// postgres error codes`
			`pgErrorCodeUniqueViolation = "23505" // unique_violation`
			`)`

			`func init() {`
			`register(table{`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`name: clientTableName,`
			`model: clientModel{},`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`autoinc: false,`
			`pkey: []string{"id"},`
			`})`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func newClientModel(cli client.Client) (*clientModel, error) {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`secretBytes, err := base64.URLEncoding.DecodeString(cli.Credentials.Secret)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`hashed, err := bcrypt.GenerateFromPassword([]byte(`
			`secretBytes),`
			`bcryptHashCost)`
			`if err != nil {`
			`return nil, err`
			`}`

			`bmeta, err := json.Marshal(&cli.Metadata)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`cim := clientModel{`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`ID: cli.Credentials.ID,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`Secret: hashed,`
			`Metadata: string(bmeta),`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`DexAdmin: cli.Admin,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

			`return &cim, nil`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`type clientModel struct {`
*: move original project to dex 2015-08-18 05:57:27 +05:30			ID string `db:"id"`
			Secret []byte `db:"secret"`
			Metadata string `db:"metadata"`
db: add DB migration code and scripts. 2015-08-20 04:10:36 +05:30			DexAdmin bool `db:"dex_admin"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (m clientModel) Client() (client.Client, error) {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`ci := client.Client{`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`Credentials: oidc.ClientCredentials{`
db: Client() should not return the secret It's never used by downstream code, and besides, it's not really the secret but a Hash of the secret. 2016-04-19 05:22:40 +05:30			`ID: m.ID,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`},`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`Admin: m.DexAdmin,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: add migration to update JSON fields and require postgres 9.4+ The "redirectURLs" field in the client metadata has been updated to the correct "redirect_uris". To allow backwards compatibility use Postgres' JSON features to update the actual JSON in the text field. json_build_object was introduced in Postgres 9.4. So update the documentations to require at least this version. 2016-01-13 06:47:50 +05:30			`if err := json.Unmarshal([]byte(m.Metadata), &ci.Metadata); err != nil {`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`return nil, err`
			`}`

			`return &ci, nil`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func NewClientRepo(dbm *gorp.DbMap) client.ClientRepo {`
			`return newClientRepo(dbm)`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func newClientRepo(dbm gorp.DbMap) clientRepo {`
			`return &clientRepo{db: &db{dbm}}`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func NewClientRepoFromClients(dbm *gorp.DbMap, clients []client.Client) (client.ClientRepo, error) {`
			`repo := newClientRepo(dbm)`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`tx, err := repo.begin()`
db: add sqlite3 support 2016-02-09 05:31:16 +05:30			`if err != nil {`
			`return nil, err`
			`}`
			`defer tx.Rollback()`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`exec := repo.executor(tx)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`for _, c := range clients {`
db: print better error messages for invalid input When client secrets are not base64 encoded, print an error message that's not a generic base64 decode error: client secrets must be base64 decodable. See issue #337. Please consider replaceing "secret" with "c2VjcmV0" When a user file is missing a mandatory field print an error message. Unable to build Server: user elroy-foo is missing email field For #400 2016-04-12 05:01:50 +05:30			`if c.Credentials.Secret == "" {`
			`return nil, fmt.Errorf("client %q has no secret", c.Credentials.ID)`
			`}`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`cm, err := newClientModel(c)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`err = exec.Insert(cm)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`
			`}`
db: add sqlite3 support 2016-02-09 05:31:16 +05:30			`if err := tx.Commit(); err != nil {`
			`return nil, err`
			`}`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`return repo, nil`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`type clientRepo struct {`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`*db`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (r *clientRepo) Get(clientID string) (client.Client, error) {`
			`m, err := r.executor(nil).Get(clientModel{}, clientID)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err == sql.ErrNoRows \|\| m == nil {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`return client.Client{}, client.ErrorNotFound`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`
			`if err != nil {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`return client.Client{}, err`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`cim, ok := m.(*clientModel)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if !ok {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))`
			`return client.Client{}, errors.New("unrecognized model")`
			`}`

			`ci, err := cim.Client()`
			`if err != nil {`
			`return client.Client{}, err`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`return *ci, nil`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (r clientRepo) Metadata(clientID string) (oidc.ClientMetadata, error) {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`c, err := r.Get(clientID)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`return &c.Metadata, nil`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (r *clientRepo) IsDexAdmin(clientID string) (bool, error) {`
			`m, err := r.executor(nil).Get(clientModel{}, clientID)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if m == nil \|\| err != nil {`
			`return false, err`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`cim, ok := m.(*clientModel)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if !ok {`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`return false, errors.New("unrecognized model")`
			`}`

			`return cim.DexAdmin, nil`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (r *clientRepo) SetDexAdmin(clientID string, isAdmin bool) error {`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`tx, err := r.begin()`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return err`
			`}`
db: add sqlite3 support 2016-02-09 05:31:16 +05:30			`defer tx.Rollback()`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`exec := r.executor(tx)`
*: move original project to dex 2015-08-18 05:57:27 +05:30
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`m, err := exec.Get(clientModel{}, clientID)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if m == nil \|\| err != nil {`
			`return err`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`cim, ok := m.(*clientModel)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if !ok {`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`return errors.New("unrecognized model")`
			`}`

			`cim.DexAdmin = isAdmin`
db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`_, err = exec.Update(cim)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return err`
			`}`

db: add sqlite3 support 2016-02-09 05:31:16 +05:30			`return tx.Commit()`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (r *clientRepo) Authenticate(creds oidc.ClientCredentials) (bool, error) {`
			`m, err := r.executor(nil).Get(clientModel{}, creds.ID)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if m == nil \|\| err != nil {`
			`return false, err`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`cim, ok := m.(*clientModel)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if !ok {`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`log.Errorf("expected clientModel but found %v", reflect.TypeOf(m))`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`return false, errors.New("unrecognized model")`
			`}`

			`dec, err := base64.URLEncoding.DecodeString(creds.Secret)`
			`if err != nil {`
db: log ignored base64 decode error Closes #270 2016-01-16 05:01:29 +05:30			`log.Errorf("error Decoding client creds: %v", err)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`return false, nil`
			`}`

			`if len(dec) > maxSecretLength {`
			`return false, nil`
			`}`

			`ok = bcrypt.CompareHashAndPassword(cim.Secret, dec) == nil`
			`return ok, nil`
			`}`

db: protect the sqlite3 import with a cgo tag 2016-03-03 01:32:55 +05:30			`var alreadyExistsCheckers []func(err error) bool`

			`func registerAlreadyExistsChecker(f func(err error) bool) {`
			`alreadyExistsCheckers = append(alreadyExistsCheckers, f)`
			`}`

			`// isAlreadyExistsErr detects database error codes for failing a unique constraint.`
			`//`
			`// Because database drivers are optionally compiled, use registerAlreadyExistsChecker to`
			`// register driver specific implementations.`
			`func isAlreadyExistsErr(err error) bool {`
			`for _, checker := range alreadyExistsCheckers {`
			`if checker(err) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (r clientRepo) New(cli client.Client) (oidc.ClientCredentials, error) {`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`secret, err := pcrypto.RandBytes(maxSecretLength)`
			`if err != nil {`
			`return nil, err`
			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`cli.Credentials.Secret = base64.URLEncoding.EncodeToString(secret)`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`cim, err := newClientModel(cli)`

*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`

db: clean up quote and executor function calls, improve translate docs 2016-02-17 07:49:23 +05:30			`if err := r.executor(nil).Insert(cim); err != nil {`
db: protect the sqlite3 import with a cgo tag 2016-03-03 01:32:55 +05:30			`if isAlreadyExistsErr(err) {`
			`err = errors.New("client ID already exists")`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`
			`return nil, err`
			`}`

			`cc := oidc.ClientCredentials{`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`ID: cli.Credentials.ID,`
			`Secret: cli.Credentials.Secret,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

			`return &cc, nil`
			`}`

*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`func (r *clientRepo) All() ([]client.Client, error) {`
			`qt := r.quote(clientTableName)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`q := fmt.Sprintf("SELECT * FROM %s", qt)`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`objs, err := r.executor(nil).Select(&clientModel{}, q)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`cs := make([]client.Client, len(objs))`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`for i, obj := range objs {`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`m, ok := obj.(*clientModel)`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if !ok {`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`return nil, errors.New("unable to cast client identity to clientModel")`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`ci, err := m.Client()`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if err != nil {`
			`return nil, err`
			`}`
			`cs[i] = *ci`
			`}`
			`return cs, nil`
			`}`