From ce14dc4368362004b73a6e2addc8c04b8f4e46a9 Mon Sep 17 00:00:00 2001
From: Bobby Rullo
Date: Wed, 8 Jun 2016 13:53:26 -0700
Subject: [PATCH] examples, static: Add cross-client auth to example
* add trustedPeers to a client in client.json.sample
* add optional cross client auth to example web app
* login page is now templated
---
 examples/app/assets.go | 237 ++++++++++++++++++++++++++++
 examples/app/data/index.html | 21 +++
 examples/app/main.go | 47 +++++-
 static/fixtures/clients.json.sample | 3 +-
 4 files changed, 303 insertions(+), 5 deletions(-)
 create mode 100644 examples/app/assets.go
 create mode 100644 examples/app/data/index.html
diff --git a/examples/app/assets.go b/examples/app/assets.go
new file mode 100644
index 00000000..68712955
--- /dev/null
+++ b/examples/app/assets.go
@@ -0,0 +1,237 @@ +// Code generated by go-bindata. +// sources: +// data/index.html +// DO NOT EDIT! + +package main + +import ( + "bytes" + "compress/gzip" + "fmt" + "io" + "io/ioutil" + "os" + "path/filepath" + "strings" + "time" +) + +func bindataRead(data []byte, name string) ([]byte, error) { + gz, err := gzip.NewReader(bytes.NewBuffer(data)) + if err != nil { + return nil, fmt.Errorf("Read %q: %v", name, err) + } + + var buf bytes.Buffer + _, err = io.Copy(&buf, gz) + clErr := gz.Close() + + if err != nil { + return nil, fmt.Errorf("Read %q: %v", name, err) + } + if clErr != nil { + return nil, err + } + + return buf.Bytes(), nil +} + +type asset struct { + bytes []byte + info os.FileInfo +} + +type bindataFileInfo struct { + name string + size int64 + mode os.FileMode + modTime time.Time +} + +func (fi bindataFileInfo) Name() string { + return fi.name +} +func (fi bindataFileInfo) Size() int64 { + return fi.size +} +func (fi bindataFileInfo) Mode() os.FileMode { + return fi.mode +} +func (fi bindataFileInfo) ModTime() time.Time { + return fi.modTime +} +func (fi bindataFileInfo) IsDir() bool { + return false +} +func (fi bindataFileInfo) Sys() interface{} { + return nil +} + +var _dataIndexHtml = 
[]byte("\x1f\x8b\x08\x00\x00\x09\x6e\x88\x00\xff\x7c\x91\xbd\x6e\x03\x21\x10\x84\x7b\x3f\xc5\x8a\x2a\x29\x2c\xfa\x08\x9f\x94\x3e\x55\x5e\x20\xe2\xb8\xb5\xbd\x12\x3f\x27\x58\xa2\xf8\xed\xb3\x88\x38\xc7\x45\x91\xbb\x19\xc1\x7e\x03\xb3\xe6\xca\xc1\x4f\x07\x00\x33\xa7\xe5\xd6\x84\xc8\x73\xca\x01\xac\x63\x4a\xf1\xa4\xb4\x4f\x17\x8a\xaa\x1f\xc9\x21\xdb\xd9\xe3\xdd\x35\x9f\x37\xd3\xec\x32\xc1\x6b\xe5\x2b\x46\x26\x67\x19\x41\x60\x2f\xc3\x85\x96\xb4\x9b\x00\x78\x72\x29\x04\x7b\x2c\xb8\xda\x2c\x13\x0b\x78\x2a\x0c\xe9\x0c\xce\x93\x60\x8e\xb4\x94\xe7\x31\x42\x4b\xc6\xdf\x48\x43\x71\xad\x0c\x7c\x5b\xf1\xa4\x18\xbf\x58\x41\xb4\x41\xb4\xcb\xa9\x94\x8f\x4e\x52\xd3\xcf\xf0\x61\x60\xfd\x3e\x46\x74\xff\xda\xdd\x8f\xc8\x52\xe7\x40\x02\xfd\xb4\xbe\x8a\x7d\x1b\x3a\x31\xba\xf5\xf5\x6f\x75\x19\x2f\xf2\x15\xcc\x5b\x7b\x0f\x98\xef\xfb\xcb\x1b\xd6\xe8\xbe\x1b\xa3\xfb\xb2\xbe\x03\x00\x00\xff\xff\x27\x69\xf8\xf2\xb4\x01\x00\x00") + +func dataIndexHtmlBytes() ([]byte, error) { + return bindataRead( + _dataIndexHtml, + "data/index.html", + ) +} + +func dataIndexHtml() (*asset, error) { + bytes, err := dataIndexHtmlBytes() + if err != nil { + return nil, err + } + + info := bindataFileInfo{name: "data/index.html", size: 436, mode: os.FileMode(420), modTime: time.Unix(1465417812, 0)} + a := &asset{bytes: bytes, info: info} + return a, nil +} + +// Asset loads and returns the asset for the given name. +// It returns an error if the asset could not be found or +// could not be loaded. +func Asset(name string) ([]byte, error) { + cannonicalName := strings.Replace(name, "\\", "/", -1) + if f, ok := _bindata[cannonicalName]; ok { + a, err := f() + if err != nil { + return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) + } + return a.bytes, nil + } + return nil, fmt.Errorf("Asset %s not found", name) +} + +// MustAsset is like Asset but panics when Asset would return an error. +// It simplifies safe initialization of global variables. 
+func MustAsset(name string) []byte { + a, err := Asset(name) + if err != nil { + panic("asset: Asset(" + name + "): " + err.Error()) + } + + return a +} + +// AssetInfo loads and returns the asset info for the given name. +// It returns an error if the asset could not be found or +// could not be loaded. +func AssetInfo(name string) (os.FileInfo, error) { + cannonicalName := strings.Replace(name, "\\", "/", -1) + if f, ok := _bindata[cannonicalName]; ok { + a, err := f() + if err != nil { + return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) + } + return a.info, nil + } + return nil, fmt.Errorf("AssetInfo %s not found", name) +} + +// AssetNames returns the names of the assets. +func AssetNames() []string { + names := make([]string, 0, len(_bindata)) + for name := range _bindata { + names = append(names, name) + } + return names +} + +// _bindata is a table, holding each asset generator, mapped to its name. +var _bindata = map[string]func() (*asset, error){ + "data/index.html": dataIndexHtml, +} + +// AssetDir returns the file names below a certain +// directory embedded in the file by go-bindata. +// For example if you run go-bindata on data/... and data contains the +// following hierarchy: +// data/ +// foo.txt +// img/ +// a.png +// b.png +// then AssetDir("data") would return []string{"foo.txt", "img"} +// AssetDir("data/img") would return []string{"a.png", "b.png"} +// AssetDir("foo.txt") and AssetDir("notexist") would return an error +// AssetDir("") will return []string{"data"}. 
+func AssetDir(name string) ([]string, error) { + node := _bintree + if len(name) != 0 { + cannonicalName := strings.Replace(name, "\\", "/", -1) + pathList := strings.Split(cannonicalName, "/") + for _, p := range pathList { + node = node.Children[p] + if node == nil { + return nil, fmt.Errorf("Asset %s not found", name) + } + } + } + if node.Func != nil { + return nil, fmt.Errorf("Asset %s not found", name) + } + rv := make([]string, 0, len(node.Children)) + for childName := range node.Children { + rv = append(rv, childName) + } + return rv, nil +} + +type bintree struct { + Func func() (*asset, error) + Children map[string]*bintree +} + +var _bintree = &bintree{nil, map[string]*bintree{ + "data": &bintree{nil, map[string]*bintree{ + "index.html": &bintree{dataIndexHtml, map[string]*bintree{}}, + }}, +}} + +// RestoreAsset restores an asset under the given directory +func RestoreAsset(dir, name string) error { + data, err := Asset(name) + if err != nil { + return err + } + info, err := AssetInfo(name) + if err != nil { + return err + } + err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) + if err != nil { + return err + } + err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode()) + if err != nil { + return err + } + err = os.Chtimes(_filePath(dir, name), info.ModTime(), info.ModTime()) + if err != nil { + return err + } + return nil +} + +// RestoreAssets restores an asset under the given directory recursively +func RestoreAssets(dir, name string) error { + children, err := AssetDir(name) + // File + if err != nil { + return RestoreAsset(dir, name) + } + // Dir + for _, child := range children { + err = RestoreAssets(dir, filepath.Join(name, child)) + if err != nil { + return err + } + } + return nil +} + +func _filePath(dir, name string) string { + cannonicalName := strings.Replace(name, "\\", "/", -1) + return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) +} 
diff --git a/examples/app/data/index.html b/examples/app/data/index.html
new file mode 100644
index 00000000..826bc686
--- /dev/null
+++ b/examples/app/data/index.html
@@ -0,0 +1,21 @@
+
+
+ + + + + + +
Authenticate for: +
+ (comma-separated list of client-ids) +
+ + +
+
+ +
+ + diff --git a/examples/app/main.go b/examples/app/main.go index 71215415..46dcca1b 100644 --- a/examples/app/main.go +++ b/examples/app/main.go @@ -1,5 +1,8 @@ package main +//go:generate go-bindata -pkg main -o assets.go data/ +//go:generate gofmt -w assets.go + import ( "bytes" "crypto/tls" @@ -7,11 +10,13 @@ import ( "encoding/json" "flag" "fmt" + "html/template" "io/ioutil" "net" "net/http" "net/url" "os" + "strings" "time" "github.com/coreos/go-oidc/jose" @@ -21,8 +26,11 @@ import ( pflag "github.com/coreos/dex/pkg/flag" phttp "github.com/coreos/dex/pkg/http" "github.com/coreos/dex/pkg/log" + "github.com/coreos/dex/scope" ) +var indexTemplate *template.Template + func main() { fs := flag.NewFlagSet("oidc-app", flag.ExitOnError) listen := fs.String("listen", "http://127.0.0.1:5555", "") @@ -136,8 +144,14 @@ func main() { Handler: hdlr, } - log.Infof("Binding to %s...", httpsrv.Addr) + indexBytes, err := Asset("data/index.html") + if err != nil { + log.Fatalf("could not load template: %q", err) + } + indexTemplate = template.Must(template.New("root").Parse(string(indexBytes))) + + log.Infof("Binding to %s...", httpsrv.Addr) if useTLS { log.Info("Key and cert file provided. Using TLS") log.Fatal(httpsrv.ListenAndServeTLS(*certFile, *keyFile)) @@ -167,13 +181,22 @@ func NewClientHandler(c *oidc.Client, issuer string, cbURL url.URL) http.Handler } func handleIndex(w http.ResponseWriter, r *http.Request) { - w.Write([]byte("login")) - w.Write([]byte("
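Review bot: The new package-level `indexTemplate` in the `@@ -21,8 +26,11 @@` hunk has no doc comment, and it is only assigned later in main (the `@@ -136,8 +144,14 @@` hunk) after the embedded asset is loaded, so a reader of handleIndex has to hunt for where it is set and why it can be assumed non-nil. Add `// indexTemplate is the login page parsed from the embedded data/index.html; main sets it before the server starts listening.` above the declaration. A package-level variable is acceptable for an example program, but the comment should say that it is written once and only read by handlers afterwards.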
")) - w.Write([]byte("register")) + err := indexTemplate.Execute(w, nil) + if err != nil { + phttp.WriteError(w, http.StatusInternalServerError, + fmt.Sprintf("unable to execute template: %v", err)) + + } } func handleLoginFunc(c *oidc.Client) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { + err := r.ParseForm() + if err != nil { + phttp.WriteError(w, http.StatusBadRequest, + fmt.Sprintf("Could not parse request: %v", err)) + } + oac, err := c.OAuthClient() if err != nil { panic("unable to proceed") @@ -183,6 +206,22 @@ func handleLoginFunc(c *oidc.Client) http.HandlerFunc { if err != nil { panic("unable to proceed") } + + xClient := r.Form.Get("cross_client") + if xClient != "" { + xClients := strings.Split(xClient, ",") + for i, x := range xClients { + xClients[i] = scope.ScopeGoogleCrossClient + x + } + q := u.Query() + scope := q.Get("scope") + scopes := strings.Split(scope, " ") + scopes = append(scopes, xClients...) + scope = strings.Join(scopes, " ") + q.Set("scope", scope) + u.RawQuery = q.Encode() + } + http.Redirect(w, r, u.String(), http.StatusFound) } } diff --git a/static/fixtures/clients.json.sample b/static/fixtures/clients.json.sample index c5295f1a..4fb9b62e 100644 --- a/static/fixtures/clients.json.sample +++ b/static/fixtures/clients.json.sample @@ -2,7 +2,8 @@ { "id": "XXX", "secret": "c2VjcmV0ZQ==", - "redirectURLs": ["http://127.0.0.1:5555/callback"] + "redirectURLs": ["http://127.0.0.1:5555/callback"], + "trustedPeers": ["example-app"] }, { "id": "example-app",
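Review bot: In handleLoginFunc the new ParseForm branch writes a 400 via phttp.WriteError but does not return, so the handler falls through to OAuthClient(), AuthCodeURL and http.Redirect on the same ResponseWriter, producing a second WriteHeader and a redirect built from a form that failed to parse. Add the return and use the scoped form, e.g. `if err := r.ParseForm(); err != nil { phttp.WriteError(w, http.StatusBadRequest, fmt.Sprintf("Could not parse request: %v", err)); return }`. handleIndex has the same shape, but nothing follows its WriteError, so there only the stray blank line before the closing brace needs removing; `if err := indexTemplate.Execute(w, nil); err != nil {` would match. The closure returned by handleLoginFunc continues into the next hunk.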
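Review bot: The `cross_client` value is split on "," with no trimming or empty-entry filtering, so a form value like `a, b` or `a,` forwards `scope.ScopeGoogleCrossClient + " b"` or the bare prefix as a scope, and when the existing `scope` query parameter is empty `strings.Split("", " ")` yields `[""]`, leaving a leading space in the joined value. The local `scope := q.Get("scope")` also shadows the `scope` package used two lines earlier inside the loop, which compiles but is easy to misread. The rewrite below trims each entry, drops empties, splits the existing scope with strings.Fields and avoids the shadowing; the client IDs stay user-supplied and are only forwarded to the issuer, which presumably decides whether to honour them against the client's trustedPeers (see the clients.json.sample hunk), so this is input hygiene rather than an authorization check. The enclosing closure starts in the previous hunk.
```go
		xClient := r.Form.Get("cross_client")
		if xClient != "" {
			q := u.Query()
			scopes := strings.Fields(q.Get("scope"))
			for _, x := range strings.Split(xClient, ",") {
				if x = strings.TrimSpace(x); x != "" {
					scopes = append(scopes, scope.ScopeGoogleCrossClient+x)
				}
			}
			q.Set("scope", strings.Join(scopes, " "))
			u.RawQuery = q.Encode()
		}
		// … unchanged: http.Redirect …
```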