package storage import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/rsa" "encoding/base32" "errors" "fmt" "io" "strings" "time" jose "gopkg.in/square/go-jose.v2" ) var ( drivers = make(map[string]Driver) // stubbed out for testing now = time.Now ) // ErrNotFound is the error returned by storages if a resource cannot be found. var ErrNotFound = errors.New("not found") // Kubernetes only allows lower case letters for names. // // TODO(ericchiang): refactor ID creation onto the storage. var encoding = base32.NewEncoding("abcdefghijklmnopqrstuvwxyz234567") // NewNonce returns a new ID for the objects. func NewNonce() string { buff := make([]byte, 8) // 64 bit random ID. if _, err := io.ReadFull(rand.Reader, buff); err != nil { panic(err) } // Trim padding return strings.TrimRight(encoding.EncodeToString(buff), "=") } // Driver is the interface implemented by storage drivers. type Driver interface { // Open returns a storage implementation. It should only validate its // arguments and not return an error if the underlying storage is // unavailable. Open(config map[string]string) (Storage, error) } // Register makes a storage driver available by the provided name. If Register // is called twice with the same name or if driver is nil, it panics. func Register(name string, driver Driver) { if driver == nil { panic("driver cannot be nil") } if _, ok := drivers[name]; ok { panic("driver " + name + " is already registered") } drivers[name] = driver } // Open returns a new storage object with a given key rotation strategy. func Open(driverName string, config map[string]string) (Storage, error) { driver, ok := drivers[driverName] if !ok { return nil, fmt.Errorf("no driver of type %s found", driverName) } return driver.Open(config) } // Storage is the storage interface used by the server. Implementations, at minimum // require compare-and-swap atomic actions. // // Implementations are expected to perform their own garbage collection of // expired objects (expect keys which are handled by rotation). type Storage interface { Close() error // TODO(ericchiang): Let the storages set the IDs of these objects. CreateAuthRequest(a AuthRequest) error CreateClient(c Client) error CreateAuthCode(c AuthCode) error CreateRefresh(r Refresh) error // TODO(ericchiang): return (T, bool, error) so we can indicate not found // requests that way instead of using ErrNotFound. GetAuthRequest(id string) (AuthRequest, error) GetAuthCode(id string) (AuthCode, error) GetClient(id string) (Client, error) GetKeys() (Keys, error) GetRefresh(id string) (Refresh, error) ListClients() ([]Client, error) ListRefreshTokens() ([]Refresh, error) // Delete methods MUST be atomic. DeleteAuthRequest(id string) error DeleteAuthCode(code string) error DeleteClient(id string) error DeleteRefresh(id string) error // Update functions are assumed to be a performed within a single object transaction. UpdateClient(id string, updater func(old Client) (Client, error)) error UpdateKeys(updater func(old Keys) (Keys, error)) error UpdateAuthRequest(id string, updater func(a AuthRequest) (AuthRequest, error)) error } // Client is an OAuth2 client. // // For further reading see: // * Trusted peers: https://developers.google.com/identity/protocols/CrossClientAuth // * Public clients: https://developers.google.com/api-client-library/python/auth/installed-app type Client struct { ID string Secret string RedirectURIs []string // TrustedPeers are a list of peers which can issue tokens on this client's behalf. // Clients inherently trust themselves. TrustedPeers []string // Public clients must use either use a redirectURL 127.0.0.1:X or "urn:ietf:wg:oauth:2.0:oob" Public bool Name string LogoURL string } // Identity represents the ID Token claims supported by the server. type Identity struct { UserID string Username string Email string EmailVerified bool Groups []string // ConnectorData holds data used by the connector for subsequent requests after initial // authentication, such as access tokens for upstream provides. // // This data is never shared with end users, OAuth clients, or through the API. ConnectorData []byte } // AuthRequest represents a OAuth2 client authorization request. It holds the state // of a single auth flow up to the point that the user authorizes the client. type AuthRequest struct { ID string ClientID string ResponseTypes []string Scopes []string RedirectURI string Nonce string State string // The client has indicated that the end user must be shown an approval prompt // on all requests. The server cannot cache their initial action for subsequent // attempts. ForceApprovalPrompt bool // The identity of the end user. Generally nil until the user authenticates // with a backend. Identity *Identity // The connector used to login the user. Set when the user authenticates. ConnectorID string Expiry time.Time } // AuthCode represents a code which can be exchanged for an OAuth2 token response. type AuthCode struct { ID string ClientID string RedirectURI string ConnectorID string Nonce string Scopes []string Identity Identity Expiry time.Time } // Refresh is an OAuth2 refresh token. type Refresh struct { // The actual refresh token. RefreshToken string // Client this refresh token is valid for. ClientID string ConnectorID string // Scopes present in the initial request. Refresh requests may specify a set // of scopes different from the initial request when refreshing a token, // however those scopes must be encompassed by this set. Scopes []string Nonce string Identity Identity } // VerificationKey is a rotated signing key which can still be used to verify // signatures. type VerificationKey struct { PublicKey *jose.JSONWebKey `json:"publicKey"` Expiry time.Time `json:"expiry"` } // Keys hold encryption and signing keys. type Keys struct { // Key for creating and verifying signatures. These may be nil. SigningKey *jose.JSONWebKey SigningKeyPub *jose.JSONWebKey // Old signing keys which have been rotated but can still be used to validate // existing signatures. VerificationKeys []VerificationKey // The next time the signing key will rotate. // // For caching purposes, implementations MUST NOT update keys before this time. NextRotation time.Time } // Sign creates a JWT using the signing key. func (k Keys) Sign(payload []byte) (jws string, err error) { if k.SigningKey == nil { return "", fmt.Errorf("no key to sign payload with") } signingKey := jose.SigningKey{Key: k.SigningKey} switch key := k.SigningKey.Key.(type) { case *rsa.PrivateKey: // TODO(ericchiang): Allow different cryptographic hashes. signingKey.Algorithm = jose.RS256 case *ecdsa.PrivateKey: switch key.Params() { case elliptic.P256().Params(): signingKey.Algorithm = jose.ES256 case elliptic.P384().Params(): signingKey.Algorithm = jose.ES384 case elliptic.P521().Params(): signingKey.Algorithm = jose.ES512 default: return "", errors.New("unsupported ecdsa curve") } } signer, err := jose.NewSigner(signingKey, &jose.SignerOptions{}) if err != nil { return "", fmt.Errorf("new signier: %v", err) } signature, err := signer.Sign(payload) if err != nil { return "", fmt.Errorf("signing payload: %v", err) } return signature.CompactSerialize() }