dex/admin/api.go

// package admin provides an implementation of the API described in auth/schema/adminschema.
package admin

import (
	"net/http"

	"github.com/coreos/go-oidc/oidc"

	"github.com/coreos/dex/client"
	"github.com/coreos/dex/schema/adminschema"
	"github.com/coreos/dex/user"
	"github.com/coreos/dex/user/manager"
)

var (
	ClientIDGenerator = oidc.GenClientID
)

// AdminAPI provides the logic necessary to implement the Admin API.
type AdminAPI struct {
	userManager      *manager.UserManager
	userRepo         user.UserRepo
	passwordInfoRepo user.PasswordInfoRepo
	clientRepo       client.ClientRepo
	localConnectorID string
}

func NewAdminAPI(userRepo user.UserRepo, pwiRepo user.PasswordInfoRepo, clientRepo client.ClientRepo, userManager *manager.UserManager, localConnectorID string) *AdminAPI {
	if localConnectorID == "" {
		panic("must specify non-blank localConnectorID")
	}
	return &AdminAPI{
		userManager:      userManager,
		userRepo:         userRepo,
		passwordInfoRepo: pwiRepo,
		clientRepo:       clientRepo,
		localConnectorID: localConnectorID,
	}
}

// Error is the error type returned by AdminAPI methods.
type Error struct {
	Type string

	// The HTTP Code to return for this type of error.
	Code int

	Desc string

	// The underlying error - not to be consumed by external users.
	Internal error
}

func (e Error) Error() string {
	return e.Type
}

func errorMaker(typ string, desc string, code int) func(internal error) Error {
	return func(internal error) Error {
		return Error{
			Type:     typ,
			Code:     code,
			Desc:     desc,
			Internal: internal,
		}
	}
}

var (
	ErrorMissingClient = errorMaker("bad_request", "The 'client' cannot be empty", http.StatusBadRequest)(nil)

	// Called when oidc.ClientMetadata.Valid() fails.
	ErrorInvalidClientFunc = errorMaker("bad_request", "Your client could not be validated.", http.StatusBadRequest)

	errorMap = map[error]func(error) Error{
		user.ErrorNotFound:       errorMaker("resource_not_found", "Resource could not be found.", http.StatusNotFound),
		user.ErrorDuplicateEmail: errorMaker("bad_request", "Email already in use.", http.StatusBadRequest),
		user.ErrorInvalidEmail:   errorMaker("bad_request", "invalid email.", http.StatusBadRequest),

		adminschema.ErrorInvalidRedirectURI: errorMaker("bad_request", "invalid redirectURI.", http.StatusBadRequest),
		adminschema.ErrorInvalidLogoURI:     errorMaker("bad_request", "invalid logoURI.", http.StatusBadRequest),
		adminschema.ErrorInvalidClientURI:   errorMaker("bad_request", "invalid clientURI.", http.StatusBadRequest),
		adminschema.ErrorNoRedirectURI:      errorMaker("bad_request", "invalid redirectURI.", http.StatusBadRequest),
	}
)

func (a *AdminAPI) GetAdmin(id string) (adminschema.Admin, error) {
	usr, err := a.userRepo.Get(nil, id)

	if err != nil {
		return adminschema.Admin{}, mapError(err)
	}

	pwi, err := a.passwordInfoRepo.Get(nil, id)
	if err != nil {
		return adminschema.Admin{}, mapError(err)
	}

	return adminschema.Admin{
		Id:       id,
		Email:    usr.Email,
		Password: string(pwi.Password),
	}, nil
}

func (a *AdminAPI) CreateAdmin(admn adminschema.Admin) (string, error) {
	userID, err := a.userManager.CreateUser(user.User{
		Email: admn.Email,
		Admin: true}, user.Password(admn.Password), a.localConnectorID)
	if err != nil {
		return "", mapError(err)
	}
	return userID, nil
}

func (a *AdminAPI) GetState() (adminschema.State, error) {
	state := adminschema.State{}

	admins, err := a.userRepo.GetAdminCount(nil)
	if err != nil {
		return adminschema.State{}, err
	}

	state.AdminUserCreated = admins > 0

	return state, nil
}

func (a *AdminAPI) CreateClient(req adminschema.ClientCreateRequest) (adminschema.ClientCreateResponse, error) {
	if req.Client == nil {
		return adminschema.ClientCreateResponse{}, ErrorMissingClient
	}

	cli, err := adminschema.MapSchemaClientToClient(*req.Client)
	if err != nil {
		return adminschema.ClientCreateResponse{}, mapError(err)
	}

	if err := cli.Metadata.Valid(); err != nil {
		return adminschema.ClientCreateResponse{}, ErrorInvalidClientFunc(err)
	}

	// metadata is guaranteed to have at least one redirect_uri by earlier validation.
	id, err := ClientIDGenerator(cli.Metadata.RedirectURIs[0].Host)
	if err != nil {
		return adminschema.ClientCreateResponse{}, mapError(err)
	}

	cli.Credentials.ID = id

	creds, err := a.clientRepo.New(nil, cli)
	if err != nil {
		return adminschema.ClientCreateResponse{}, mapError(err)
	}

	req.Client.Id = creds.ID
	req.Client.Secret = creds.Secret
	return adminschema.ClientCreateResponse{
		Client: req.Client,
	}, nil
}

func mapError(e error) error {
	if mapped, ok := errorMap[e]; ok {
		return mapped(e)
	}
	return Error{
		Code:     http.StatusInternalServerError,
		Type:     "server_error",
		Desc:     "",
		Internal: e,
	}
}
*: move original project to dex 2015-08-18 05:57:27 +05:30			`// package admin provides an implementation of the API described in auth/schema/adminschema.`
			`package admin`

			`import (`
			`"net/http"`

*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30			`"github.com/coreos/go-oidc/oidc"`

			`"github.com/coreos/dex/client"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`"github.com/coreos/dex/schema/adminschema"`
			`"github.com/coreos/dex/user"`
user: move user manager to it's own package This commit moves the user.Manage to its own package (user/manager) so it can import the connector package in a later commit. For clarity, it renames "Manager" to "UserManager" using gorname. This commit has no functional changes. 2015-12-08 04:59:58 +05:30			`"github.com/coreos/dex/user/manager"`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`)`

integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30			`var (`
			`ClientIDGenerator = oidc.GenClientID`
			`)`

*: move original project to dex 2015-08-18 05:57:27 +05:30			`// AdminAPI provides the logic necessary to implement the Admin API.`
			`type AdminAPI struct {`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`userManager *manager.UserManager`
			`userRepo user.UserRepo`
			`passwordInfoRepo user.PasswordInfoRepo`
			`clientRepo client.ClientRepo`
			`localConnectorID string`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`

integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30			`func NewAdminAPI(userRepo user.UserRepo, pwiRepo user.PasswordInfoRepo, clientRepo client.ClientRepo, userManager manager.UserManager, localConnectorID string) AdminAPI {`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`if localConnectorID == "" {`
			`panic("must specify non-blank localConnectorID")`
			`}`
			`return &AdminAPI{`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`userManager: userManager,`
integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30			`userRepo: userRepo,`
			`passwordInfoRepo: pwiRepo,`
			`clientRepo: clientRepo,`
*: ClientIdentityXXX -> ClientXXX Get rid of all outdated "ClientIdentity" terminology. 2016-04-15 04:57:57 +05:30			`localConnectorID: localConnectorID,`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`
			`}`

			`// Error is the error type returned by AdminAPI methods.`
			`type Error struct {`
			`Type string`

			`// The HTTP Code to return for this type of error.`
			`Code int`

			`Desc string`

			`// The underlying error - not to be consumed by external users.`
			`Internal error`
			`}`

			`func (e Error) Error() string {`
			`return e.Type`
			`}`

			`func errorMaker(typ string, desc string, code int) func(internal error) Error {`
			`return func(internal error) Error {`
			`return Error{`
			`Type: typ,`
			`Code: code,`
			`Desc: desc,`
			`Internal: internal,`
			`}`
			`}`
			`}`

			`var (`
integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30			`ErrorMissingClient = errorMaker("bad_request", "The 'client' cannot be empty", http.StatusBadRequest)(nil)`

			`// Called when oidc.ClientMetadata.Valid() fails.`
			`ErrorInvalidClientFunc = errorMaker("bad_request", "Your client could not be validated.", http.StatusBadRequest)`

*: move original project to dex 2015-08-18 05:57:27 +05:30			`errorMap = map[error]func(error) Error{`
			`user.ErrorNotFound: errorMaker("resource_not_found", "Resource could not be found.", http.StatusNotFound),`
			`user.ErrorDuplicateEmail: errorMaker("bad_request", "Email already in use.", http.StatusBadRequest),`
			`user.ErrorInvalidEmail: errorMaker("bad_request", "invalid email.", http.StatusBadRequest),`
integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30
			`adminschema.ErrorInvalidRedirectURI: errorMaker("bad_request", "invalid redirectURI.", http.StatusBadRequest),`
			`adminschema.ErrorInvalidLogoURI: errorMaker("bad_request", "invalid logoURI.", http.StatusBadRequest),`
			`adminschema.ErrorInvalidClientURI: errorMaker("bad_request", "invalid clientURI.", http.StatusBadRequest),`
			`adminschema.ErrorNoRedirectURI: errorMaker("bad_request", "invalid redirectURI.", http.StatusBadRequest),`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`}`
			`)`

			`func (a *AdminAPI) GetAdmin(id string) (adminschema.Admin, error) {`
			`usr, err := a.userRepo.Get(nil, id)`

			`if err != nil {`
			`return adminschema.Admin{}, mapError(err)`
			`}`

			`pwi, err := a.passwordInfoRepo.Get(nil, id)`
			`if err != nil {`
			`return adminschema.Admin{}, mapError(err)`
			`}`

			`return adminschema.Admin{`
			`Id: id,`
			`Email: usr.Email,`
			`Password: string(pwi.Password),`
			`}, nil`
			`}`

			`func (a *AdminAPI) CreateAdmin(admn adminschema.Admin) (string, error) {`
			`userID, err := a.userManager.CreateUser(user.User{`
			`Email: admn.Email,`
			`Admin: true}, user.Password(admn.Password), a.localConnectorID)`
			`if err != nil {`
			`return "", mapError(err)`
			`}`
			`return userID, nil`
			`}`

			`func (a *AdminAPI) GetState() (adminschema.State, error) {`
			`state := adminschema.State{}`

			`admins, err := a.userRepo.GetAdminCount(nil)`
			`if err != nil {`
			`return adminschema.State{}, err`
			`}`

			`state.AdminUserCreated = admins > 0`

			`return state, nil`
			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`func (a *AdminAPI) CreateClient(req adminschema.ClientCreateRequest) (adminschema.ClientCreateResponse, error) {`
integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30			`if req.Client == nil {`
			`return adminschema.ClientCreateResponse{}, ErrorMissingClient`
			`}`

*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`cli, err := adminschema.MapSchemaClientToClient(*req.Client)`
			`if err != nil {`
			`return adminschema.ClientCreateResponse{}, mapError(err)`
			`}`
*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`if err := cli.Metadata.Valid(); err != nil {`
integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30			`return adminschema.ClientCreateResponse{}, ErrorInvalidClientFunc(err)`
*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30			`}`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30
integration, : Improve tests for admin api TestCreateClient was missing test coverage on error cases * Fixed bug where 500s were being reported for bad requests * changed function signature of NewAdminAPI back to old way of passing in lots of repos: passing in a DbMap made it difficult to test * added swappable ID and Secret generators when creating Clients 2016-04-20 06:57:45 +05:30			`// metadata is guaranteed to have at least one redirect_uri by earlier validation.`
			`id, err := ClientIDGenerator(cli.Metadata.RedirectURIs[0].Host)`
*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30			`if err != nil {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`return adminschema.ClientCreateResponse{}, mapError(err)`
*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30			`}`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30
			`cli.Credentials.ID = id`

client: add transaction support 2016-05-12 03:05:24 +05:30			`creds, err := a.clientRepo.New(nil, cli)`
*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30			`if err != nil {`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30			`return adminschema.ClientCreateResponse{}, mapError(err)`
*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30			`}`
*: Client Repo now deals with custom Client object This is instead of oidc.ClientIdentity. This makes it easier to add new fields custom to dex to the client. 2016-04-15 04:27:53 +05:30
			`req.Client.Id = creds.ID`
			`req.Client.Secret = creds.Secret`
			`return adminschema.ClientCreateResponse{`
			`Client: req.Client,`
			`}, nil`
*: add client registration endpoint to admin API 2016-04-06 00:07:26 +05:30			`}`

*: move original project to dex 2015-08-18 05:57:27 +05:30			`func mapError(e error) error {`
			`if mapped, ok := errorMap[e]; ok {`
			`return mapped(e)`
			`}`
			`return Error{`
			`Code: http.StatusInternalServerError,`
			`Type: "server_error",`
			`Desc: "",`
			`Internal: e,`
			`}`
			`}`