dex/client/manager/manager.go

package manager

import (
	"encoding/base64"

	"errors"

	"github.com/coreos/dex/client"
	pcrypto "github.com/coreos/dex/pkg/crypto"
	"github.com/coreos/dex/pkg/log"
	"github.com/coreos/dex/repo"
	"github.com/coreos/go-oidc/oidc"
	"golang.org/x/crypto/bcrypt"
)

const (
	// Blowfish, the algorithm underlying bcrypt, has a maximum
	// password length of 72. We explicitly track and check this
	// since the bcrypt library will silently ignore portions of
	// a password past the first 72 characters.
	maxSecretLength = 72
)

type ClientOptions struct {
	TrustedPeers []string
}

type SecretGenerator func() ([]byte, error)

func DefaultSecretGenerator() ([]byte, error) {
	return pcrypto.RandBytes(maxSecretLength)
}

func CompareHashAndPassword(hashedPassword, password []byte) error {
	if len(password) > maxSecretLength {
		return errors.New("password length greater than max secret length")
	}
	return bcrypt.CompareHashAndPassword(hashedPassword, password)
}

// ClientManager performs client-related "business-logic" functions on client and related objects.
// This is in contrast to the Repos which perform little more than CRUD operations.
type ClientManager struct {
	clientRepo        client.ClientRepo
	begin             repo.TransactionFactory
	secretGenerator   SecretGenerator
	clientIDGenerator func(string) (string, error)
}

type ManagerOptions struct {
	SecretGenerator   func() ([]byte, error)
	ClientIDGenerator func(string) (string, error)
}

func NewClientManager(clientRepo client.ClientRepo, txnFactory repo.TransactionFactory, options ManagerOptions) *ClientManager {
	if options.SecretGenerator == nil {
		options.SecretGenerator = DefaultSecretGenerator
	}
	if options.ClientIDGenerator == nil {
		options.ClientIDGenerator = oidc.GenClientID
	}
	return &ClientManager{
		clientRepo:        clientRepo,
		begin:             txnFactory,
		secretGenerator:   options.SecretGenerator,
		clientIDGenerator: options.ClientIDGenerator,
	}
}

func (m *ClientManager) New(cli client.Client, options *ClientOptions) (*oidc.ClientCredentials, error) {
	tx, err := m.begin()
	if err != nil {
		return nil, err
	}
	defer tx.Rollback()

	err = m.addClientCredentials(&cli)
	if err != nil {
		return nil, err
	}

	creds := cli.Credentials

	// Save Client
	_, err = m.clientRepo.New(tx, cli)
	if err != nil {
		return nil, err
	}

	if options != nil && len(options.TrustedPeers) > 0 {
		err = m.clientRepo.SetTrustedPeers(tx, creds.ID, options.TrustedPeers)
		if err != nil {
			return nil, err
		}
	}

	err = tx.Commit()
	if err != nil {
		return nil, err
	}

	// Returns creds with unhashed secret
	return &creds, nil
}

func (m *ClientManager) Get(id string) (client.Client, error) {
	return m.clientRepo.Get(nil, id)
}

func (m *ClientManager) All() ([]client.Client, error) {
	return m.clientRepo.All(nil)
}

func (m *ClientManager) Metadata(clientID string) (*oidc.ClientMetadata, error) {
	c, err := m.clientRepo.Get(nil, clientID)
	if err != nil {
		return nil, err
	}

	return &c.Metadata, nil
}

func (m *ClientManager) IsDexAdmin(clientID string) (bool, error) {
	c, err := m.clientRepo.Get(nil, clientID)
	if err != nil {
		return false, err
	}

	return c.Admin, nil
}

func (m *ClientManager) SetDexAdmin(clientID string, isAdmin bool) error {
	tx, err := m.begin()
	if err != nil {
		return err
	}
	defer tx.Rollback()

	c, err := m.clientRepo.Get(tx, clientID)
	if err != nil {
		return err
	}

	c.Admin = isAdmin
	err = m.clientRepo.Update(tx, c)
	if err != nil {
		return err
	}

	err = tx.Commit()
	if err != nil {
		return err
	}
	return nil
}

func (m *ClientManager) Authenticate(creds oidc.ClientCredentials) (bool, error) {
	clientSecret, err := m.clientRepo.GetSecret(nil, creds.ID)
	if err != nil || clientSecret == nil {
		return false, nil
	}

	dec, err := base64.URLEncoding.DecodeString(creds.Secret)
	if err != nil {
		log.Errorf("error Decoding client creds: %v", err)
		return false, nil
	}

	ok := CompareHashAndPassword(clientSecret, dec) == nil
	return ok, nil
}

func (m *ClientManager) addClientCredentials(cli *client.Client) error {
	// Generate Client ID
	if len(cli.Metadata.RedirectURIs) < 1 {
		return errors.New("no client redirect url given")
	}
	clientID, err := m.clientIDGenerator(cli.Metadata.RedirectURIs[0].Host)
	if err != nil {
		return err
	}

	// Generate Secret
	secret, err := m.secretGenerator()
	if err != nil {
		return err
	}
	clientSecret := base64.URLEncoding.EncodeToString(secret)
	cli.Credentials = oidc.ClientCredentials{
		ID:     clientID,
		Secret: clientSecret,
	}
	return nil
}
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`package manager`

			`import (`
			`"encoding/base64"`

			`"errors"`

			`"github.com/coreos/dex/client"`
			`pcrypto "github.com/coreos/dex/pkg/crypto"`
			`"github.com/coreos/dex/pkg/log"`
			`"github.com/coreos/dex/repo"`
			`"github.com/coreos/go-oidc/oidc"`
			`"golang.org/x/crypto/bcrypt"`
			`)`

			`const (`
			`// Blowfish, the algorithm underlying bcrypt, has a maximum`
			`// password length of 72. We explicitly track and check this`
			`// since the bcrypt library will silently ignore portions of`
			`// a password past the first 72 characters.`
			`maxSecretLength = 72`
			`)`

db, client: add data model for trusted peers Trusted Peers are clients that are authorized to mint tokens for another client. 2016-04-23 02:39:28 +05:30			`type ClientOptions struct {`
			`TrustedPeers []string`
			`}`

client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`type SecretGenerator func() ([]byte, error)`

			`func DefaultSecretGenerator() ([]byte, error) {`
			`return pcrypto.RandBytes(maxSecretLength)`
			`}`

			`func CompareHashAndPassword(hashedPassword, password []byte) error {`
			`if len(password) > maxSecretLength {`
			`return errors.New("password length greater than max secret length")`
			`}`
			`return bcrypt.CompareHashAndPassword(hashedPassword, password)`
			`}`

			`// ClientManager performs client-related "business-logic" functions on client and related objects.`
			`// This is in contrast to the Repos which perform little more than CRUD operations.`
			`type ClientManager struct {`
			`clientRepo client.ClientRepo`
			`begin repo.TransactionFactory`
			`secretGenerator SecretGenerator`
			`clientIDGenerator func(string) (string, error)`
			`}`

			`type ManagerOptions struct {`
			`SecretGenerator func() ([]byte, error)`
			`ClientIDGenerator func(string) (string, error)`
			`}`

			`func NewClientManager(clientRepo client.ClientRepo, txnFactory repo.TransactionFactory, options ManagerOptions) *ClientManager {`
			`if options.SecretGenerator == nil {`
			`options.SecretGenerator = DefaultSecretGenerator`
			`}`
			`if options.ClientIDGenerator == nil {`
			`options.ClientIDGenerator = oidc.GenClientID`
			`}`
			`return &ClientManager{`
			`clientRepo: clientRepo,`
			`begin: txnFactory,`
			`secretGenerator: options.SecretGenerator,`
			`clientIDGenerator: options.ClientIDGenerator,`
			`}`
			`}`

db, client: add data model for trusted peers Trusted Peers are clients that are authorized to mint tokens for another client. 2016-04-23 02:39:28 +05:30			`func (m ClientManager) New(cli client.Client, options ClientOptions) (*oidc.ClientCredentials, error) {`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`tx, err := m.begin()`
			`if err != nil {`
			`return nil, err`
			`}`
			`defer tx.Rollback()`

client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`err = m.addClientCredentials(&cli)`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`if err != nil {`
			`return nil, err`
			`}`

client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`creds := cli.Credentials`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30
			`// Save Client`
client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`_, err = m.clientRepo.New(tx, cli)`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`if err != nil {`
			`return nil, err`
			`}`

db, client: add data model for trusted peers Trusted Peers are clients that are authorized to mint tokens for another client. 2016-04-23 02:39:28 +05:30			`if options != nil && len(options.TrustedPeers) > 0 {`
			`err = m.clientRepo.SetTrustedPeers(tx, creds.ID, options.TrustedPeers)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`

client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`err = tx.Commit()`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Returns creds with unhashed secret`
			`return &creds, nil`
			`}`

			`func (m *ClientManager) Get(id string) (client.Client, error) {`
			`return m.clientRepo.Get(nil, id)`
			`}`

			`func (m *ClientManager) All() ([]client.Client, error) {`
			`return m.clientRepo.All(nil)`
			`}`

			`func (m ClientManager) Metadata(clientID string) (oidc.ClientMetadata, error) {`
			`c, err := m.clientRepo.Get(nil, clientID)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &c.Metadata, nil`
			`}`

			`func (m *ClientManager) IsDexAdmin(clientID string) (bool, error) {`
			`c, err := m.clientRepo.Get(nil, clientID)`
			`if err != nil {`
			`return false, err`
			`}`

			`return c.Admin, nil`
			`}`

			`func (m *ClientManager) SetDexAdmin(clientID string, isAdmin bool) error {`
			`tx, err := m.begin()`
			`if err != nil {`
			`return err`
			`}`
			`defer tx.Rollback()`

			`c, err := m.clientRepo.Get(tx, clientID)`
			`if err != nil {`
			`return err`
			`}`

			`c.Admin = isAdmin`
			`err = m.clientRepo.Update(tx, c)`
			`if err != nil {`
			`return err`
			`}`

			`err = tx.Commit()`
			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

			`func (m *ClientManager) Authenticate(creds oidc.ClientCredentials) (bool, error) {`
			`clientSecret, err := m.clientRepo.GetSecret(nil, creds.ID)`
			`if err != nil \|\| clientSecret == nil {`
			`return false, nil`
			`}`

			`dec, err := base64.URLEncoding.DecodeString(creds.Secret)`
			`if err != nil {`
			`log.Errorf("error Decoding client creds: %v", err)`
			`return false, nil`
			`}`

			`ok := CompareHashAndPassword(clientSecret, dec) == nil`
			`return ok, nil`
			`}`

client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`func (m ClientManager) addClientCredentials(cli client.Client) error {`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`// Generate Client ID`
client manager: accept full client when creating 2016-05-20 05:40:42 +05:30			`if len(cli.Metadata.RedirectURIs) < 1 {`
client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`return errors.New("no client redirect url given")`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`}`
client manager: accept full client when creating 2016-05-20 05:40:42 +05:30			`clientID, err := m.clientIDGenerator(cli.Metadata.RedirectURIs[0].Host)`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`if err != nil {`
client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`return err`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`}`

			`// Generate Secret`
			`secret, err := m.secretGenerator()`
			`if err != nil {`
client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`return err`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`}`
			`clientSecret := base64.URLEncoding.EncodeToString(secret)`
client manager: accept full client when creating 2016-05-20 05:40:42 +05:30			`cli.Credentials = oidc.ClientCredentials{`
			`ID: clientID,`
			`Secret: clientSecret,`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`}`
client: generateClientCreds -> addClientCreds a little easier to read this way IMO. 2016-06-03 07:09:58 +05:30			`return nil`
client: add client manager adds a client manager to handle business logic, leaving the repo for basic crud operations. Also adds client to the test script 2016-05-12 22:23:01 +05:30			`}`