Commit graph

57 commits

Author SHA1 Message Date
Bobby Rullo
09e889e7bc client: add public client to data model 2016-06-20 11:27:47 -07:00
Bobby Rullo
75473b4cba refresh tokens: grant claims based on scopes
Before,  this logic was only in the OIDCServer.CodeToken() method; now it has been
pulled out so that other paths, like OIDCServer.RefreshToken() can use
it.

The net affect, is that now refresh tokens can be used to get
cross-client authenticated ID Tokens.
2016-06-14 14:14:36 -07:00
Bobby Rullo
32a1994a5e refresh tokens: store and validate scopes.
A refresh request must fail if it asks for scopes that were not
originally granted when the refresh token was obtained.

This Commit:

* changes repo to store scopes with tokens
* changes repo interface signatures so that scopes can be stored and
  verified
* updates dependent code to pass along scopes
2016-06-14 14:14:36 -07:00
Bobby Rullo
88142764e9 db: Don't check that trusted peers clients exist
Checking that trusted peers exist means that you have to create clients
in a certain order, or else create all the clients, then update trusted
peers. Either way, not a great experience during setup.

The downside, of course, is that you lose validation of peer
IDs.
2016-06-08 11:54:15 -07:00
Bobby Rullo
ca18efb1fe client: load full clients w/ LoadableClient
The Client object on its own doesn't fully express everything about a
single client, and so when loading clients from a static configuration
it's not enough to just (de)serialize clients.

To that end, LoadableClient contains the full representation of a client
and associated entities.
2016-06-08 11:31:50 -07:00
Bobby Rullo
f9dbc8a3d2 db, client: add data model for trusted peers
Trusted Peers are clients that are authorized to mint tokens
for another client.
2016-06-07 17:16:09 -07:00
Bobby Rullo
1b4dca80d7 client: remove ClientManagerFromClients
Replaced by ClientRepoFromClients, which makes more sense IMO. Also, it
was doing the wrong thing: it was ignoring the client_id and client_secret
passed into it as far as I can tell.
2016-06-07 16:47:30 -07:00
Evan Cordell
a418e1c4e7 client: add client manager
adds a client manager to handle business logic, leaving the repo
for basic crud operations. Also adds client to the test script
2016-05-19 16:20:12 -07:00
Evan Cordell
3da98fcb8e client: add transaction support 2016-05-19 16:17:01 -07:00
Bobby Rullo
399b15abeb integration, *: Improve tests for admin api
* TestCreateClient was missing test coverage on error cases
* Fixed bug where 500s were being reported for bad requests
* changed function signature of NewAdminAPI back to old way of passing
  in lots of repos: passing in a DbMap made it difficult to test
* added swappable ID and Secret generators when creating Clients
2016-04-20 14:31:27 -07:00
Bobby Rullo
e7141336bc db: Client() should not return the secret
It's never used by downstream code, and besides, it's not really the
secret but a Hash of the secret.
2016-04-20 14:31:27 -07:00
Bobby Rullo
e5948ab3ce *: ClientIdentityXXX -> ClientXXX
Get rid of all outdated "ClientIdentity" terminology.
2016-04-20 14:31:27 -07:00
Bobby Rullo
95757e8779 *: Client Repo now deals with custom Client object
This is instead of oidc.ClientIdentity. This makes it easier to add new
fields custom to dex to the client.
2016-04-20 14:31:27 -07:00
Eric Chiang
5c5df23a57 db: print better error messages for invalid input
When client secrets are not base64 encoded, print an error message
that's not a generic base64 decode error:

   client secrets must be base64 decodable. See issue #337.
   Please consider replaceing "secret" with "c2VjcmV0"

When a user file is missing a mandatory field print an error message.

	Unable to build Server: user elroy-foo is missing email field

For #400
2016-04-11 16:31:50 -07:00
Eric Chiang
7416929455 *: add revocation methods to refresh repo 2016-04-06 11:25:50 -07:00
Eric Chiang
6120f7ac05 *: add isAdmin option to client repo when creating a client 2016-04-05 11:29:58 -07:00
Eric Chiang
60b843e78b Merge pull request #339 from ericchiang/case_insensitive_emails
db: email comparison should be case insensitive
2016-03-02 16:51:47 -08:00
Eric Chiang
09069a51a7 Merge pull request #356 from ericchiang/fix_cross_compilation
Fix cross compilation
2016-03-02 14:47:39 -08:00
Eric Chiang
875d5d09bf db: regenerate migrations 2016-03-02 14:47:17 -08:00
Eric Chiang
4feaae98b0 db: add better comment about migration 2016-03-02 14:47:00 -08:00
Eric Chiang
93b89ad0e9 db: protect the sqlite3 import with a cgo tag 2016-03-02 12:02:55 -08:00
Eric Chiang
2a0cc47419 db: generate in-memory migration assets 2016-03-01 10:59:25 -08:00
Eric Chiang
f738188c13 db: switch migration source to use in-memory migration
When reading migrations from files, sql-migrate attempts to split
SQL statements. The parsing logic does not handle $BODY$ statements
and broke when the migration included one.

Replace go-bindata with a small migration generation script and use
in memory migrations instead.
2016-03-01 10:55:05 -08:00
Eric Chiang
208afd3b01 *: add functional tests for case insensitive emails 2016-03-01 10:54:12 -08:00
Eric Chiang
9bc68edae7 *: add migration to convert all emails to lowercase
Fixes #338
2016-03-01 10:51:50 -08:00
Eric Chiang
22180c697f db: only allow one open connection for in memory databases
sqlite3 in memory databases do not support concurrent writes. Limit
number of open connections to prevent race conditions.
2016-02-22 16:30:48 -08:00
Eric Chiang
ed5dee9960 db: clean up quote and executor function calls, improve translate docs 2016-02-16 18:19:23 -08:00
Eric Chiang
1658e86b2a *: fix govet warnings 2016-02-12 13:19:05 -08:00
Eric Chiang
72d1ecab64 *: remove in memory password info repo 2016-02-12 13:19:05 -08:00
Eric Chiang
95560404a3 *: remove in memory refresh repo 2016-02-12 13:19:05 -08:00
Eric Chiang
7bac93aa20 *: remove in memory session repos
Move manager to it's own package so it can import db. Move all
references to the in memory session repos to use sqlite3.
2016-02-12 13:19:05 -08:00
Eric Chiang
bfd63b7514 db: add sqlite3 support 2016-02-12 13:19:05 -08:00
Eric Chiang
af790e46bb Merge pull request #267 from ericchiang/metadata
add dynamic client registration
2016-02-01 16:25:57 -08:00
Eric Chiang
d255007ed9 db: log ignored base64 decode error
Closes #270
2016-01-15 15:31:46 -08:00
Eric Chiang
9796a1e648 *: add migration to update JSON fields and require postgres 9.4+
The "redirectURLs" field in the client metadata has been updated
to the correct "redirect_uris". To allow backwards compatibility
use Postgres' JSON features to update the actual JSON in the text
field.

json_build_object was introduced in Postgres 9.4. So update the
documentations to require at least this version.
2016-01-12 17:19:07 -08:00
Bobby Rullo
c1f8effe1a db, functional: make value column in key not pkey
go-oidc increased the size of the generated keys, which were too large
to be used as primary keys in postgres.
2015-12-28 16:02:16 -08:00
Eric Chiang
a7138b3cfd db: rebuild miration assets using go generate 2015-12-21 09:45:53 -08:00
Eric Chiang
6cb3146b09 build,db: don't call go-bindata on every build
Add go generate rule to generate migration assets.
2015-12-21 09:43:45 -08:00
Eric Chiang
49389c9b90 cmd, db: verify at least one secret is passed to --key-secrets
Passing an empty list to the overlord or worker's --key-secrets
flag currently causes an out of range panic. Always check to ensure
there's at least one element passed.

Fixes #130
Fixes #217
2015-12-16 20:28:21 -08:00
Eric Chiang
9f3bf0d160 db: strconv.ParseInt specify base 10
closes #99
2015-12-09 14:47:21 -08:00
Eric Chiang
5295344f9e db: fixed missing return statement GetConnectorByID
Added missing err return introduced by #199
2015-12-07 20:58:36 -08:00
Eric Chiang
f43655a8c3 user/manager: connector must exists when creating remote identity
Add ConnectorConfigRepo to UserManager. When trying to create a
RemoteIdentity, validate that the connector ID exists.

Fixes #198
2015-12-07 17:34:08 -08:00
George Tankersley
07a4d4441e pkg/crypto: replace old crypto with new crypto 2015-10-29 13:45:25 -07:00
Joe Bowers
c70b29f83d db: log schema errors, distinguish them from nil results where needed 2015-09-29 20:07:36 -07:00
Joe Bowers
2ed2859896 repo: functional repo tests
includes changes to ensure uniform errors for DB and in-memory repos
2015-09-29 16:46:48 -07:00
Joe Bowers
e5db302312 server: expose user disable API endpoint 2015-09-29 16:46:30 -07:00
Joe Bowers
60a36e2c2e server,db: flag for disabling user login 2015-09-25 14:25:06 -07:00
Giulio Iotti
472e4a02a4 *: Remove unnecessary else statements
Whenever it makes the code easier to follow, use early return to
avoid else statements.
2015-09-04 22:45:32 +03:00
Yifan Gu
44c6cb44f5 refresh: bcrypt raw bytes rather than base64 encoded string.
This enables us to control the length of the bytes that will be bcrypted,
by default it's 64.

Also changed the token's stored form from string('text') to []byte('bytea')
and added some test cases for different types of invalid tokens.
2015-09-02 14:23:20 -07:00
Yifan Gu
066fd859ec session: add 'scope' field in session. 2015-08-31 13:51:59 -07:00