warden: rename authorized / allowed endpoints to something more meaningful

.travis.yml

@@ -13,16 +13,15 @@ go:
   - 1.6
 
 install:
-  - go get github.com/axw/gocov/gocov github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/pierrre/gotestcover
-  # Workaround for travis
-  - go get -t -v ./...
-  - go install github.com/ory-am/hydra
+  - go get github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/pierrre/gotestcover github.com/Masterminds/glide
   - git clone https://github.com/docker-library/official-images.git ~/official-images
+  - glide install
+  - go install github.com/ory-am/hydra
 
 script:
-  - go test -bench=.* -run=nothing $(go list ./... | grep -v /vendor)
+  - gotestcover -coverprofile="cover.out" $(glide novendor)
   - go test -race $(go list ./... | grep -v /vendor | grep -v /cmd)
-  - gotestcover -coverprofile="cover.out" $(go list ./... | grep -v /vendor/)
+  - go test -v -bench=.* -run=none $(glide novendor)
   - goveralls -coverprofile="cover.out"
   - docker build -t hydra-travis-ci .
   - docker run -d hydra-travis-ci

README.md

@@ -11,9 +11,9 @@
 [![Code Climate](https://codeclimate.com/github/ory-am/hydra/badges/gpa.svg)](https://codeclimate.com/github/ory-am/hydra)
 [![Go Report Card](https://goreportcard.com/badge/github.com/ory-am/hydra)](https://goreportcard.com/report/github.com/ory-am/hydra)
 
-Hydra is being developed by german-based company [Ory](https://ory.am). Join our [newsletter](http://eepurl.com/bKT3N9) to stay on top of new developments.
-We respond to basic support requests on [Google Groups](https://groups.google.com/forum/#!forum/ory-hydra/new) and [Gitter](https://gitter.im/ory-am/hydra).
-If you are looking for enterprise support, [contact us now](mailto:[email protected]).
+Hydra is being developed by german-based company [Ory](https://ory.am). Join our [newsletter](http://eepurl.com/bKT3N9) to stay on top of new developments. We respond to *basic support requests in our free time* on [Google Groups](https://groups.google.com/forum/#!forum/ory-hydra/new) and [Gitter](https://gitter.im/ory-am/hydra).
+
+If you are looking for 24/7 enterprise support or SLAs, [contact us now](mailto:[email protected]).
 
 Hydra uses the security first OAuth2 and OpenID Connect SDK [Fosite](https://github.com/ory-am/fosite) and [Ladon](https://github.com/ory-am/ladon) for policy-based access control.
 
@@ -46,6 +46,7 @@ Hydra uses the security first OAuth2 and OpenID Connect SDK [Fosite](https://git
   - [Can I set the log level to warn, error, debug, ...?](#can-i-set-the-log-level-to-warn-error-debug-)
   - [I need to use a custom CA for RethinkDB](#i-need-to-use-a-custom-ca-for-rethinkdb)
   - [What will happen if an error occurs during an OAuth2 flow?](#what-will-happen-if-an-error-occurs-during-an-oauth2-flow)
+  - [Eventually consistent](#eventually-consistent)
   - [Is there a client library / SDK?](#is-there-a-client-library--sdk)
 - [Hall of Fame](#hall-of-fame)
 
@@ -135,7 +136,7 @@ Hydra is a twelve factor OAuth2 and OpenID Connect provider
 
 #### Building from source
 
-If you wish to compile hydra yourself, you need to install and set up [Go](https://golang.org/) and add `$GOPATH/bin`
+If you wish to compile hydra yourself, you need to install and set up [Go 1.5+](https://golang.org/) and add `$GOPATH/bin`
 to your `$PATH`. To do so, run the following commands in a shell (bash, sh, cmd.exe, ...):
 
 ```
@@ -434,7 +435,7 @@ Or by specifying the following flags:
 
 ### I want to disable HTTPS for testing
 
-You can do so by running `hydra host --force-dangerous-http`.
+You can do so by running `hydra host --dangerous-force-http`.
 
 ### Can I set the log level to warn, error, debug, ...?
 
@@ -464,6 +465,12 @@ or via command line flag:
 The user agent will either, according to spec, be redirected to the OAuth2 client who initiated the request, if possible. If not, the user agent will be redirected to the identity provider
 endpoint and an `error` and `error_description` query parameter will be appended to it's URL.
 
+### Eventually consistent
+
+Using hydra with RethinkDB implies eventual consistency on all endpoints, except `/oauth2/auth` and `/oauth2/token`.
+Eventual consistent data is usually not immediately available. This is dependent on the network latency between Hydra
+and RethinkDB.
+
 ### Is there a client library / SDK?
 
 Yes, for Go! It is available at `github.com/ory-am/hydra/sdk`.
@@ -570,7 +577,7 @@ Validate requests with the Warden, uses [`ory-am/hydra/warden.HTTPWarden`](warde
 import "github.com/ory-am/ladon"
 
 // Check if action is allowed
-hydra.Warden.HTTPActionAllowed(ctx, req, &ladon.Request{
+hydra.Warden.HTTPRequestAllowed(ctx, req, &ladon.Request{
     Resource: "urn:media:images",
     Action: "get",
     Subject: "bob",

client/client.go

@@ -1,6 +1,9 @@
 package client
 
-import "github.com/ory-am/fosite"
+import (
+	"github.com/ory-am/fosite"
+	"strings"
+)
 
 type Client struct {
 	ID                string   `json:"id" gorethink:"id"`
@@ -9,7 +12,7 @@ type Client struct {
 	RedirectURIs      []string `json:"redirect_uris" gorethink:"redirect_uris"`
 	GrantTypes        []string `json:"grant_types" gorethink:"grant_types"`
 	ResponseTypes     []string `json:"response_types" gorethink:"response_types"`
-	GrantedScopes     []string `json:"granted_scopes" gorethink:"granted_scopes"`
+	Scopes            string `json:"scopes" gorethink:"scopes"`
 	Owner             string   `json:"owner" gorethink:"owner"`
 	PolicyURI         string   `json:"policy_uri" gorethink:"policy_uri"`
 	TermsOfServiceURI string   `json:"tos_uri" gorethink:"tos_uri"`
@@ -30,10 +33,8 @@ func (c *Client) GetHashedSecret() []byte {
 	return []byte(c.Secret)
 }
 
-func (c *Client) GetGrantedScopes() fosite.Scopes {
-	return &fosite.DefaultScopes{
-		Scopes: c.GrantedScopes,
-	}
+func (c *Client) GetScopes() fosite.Arguments {
+	return fosite.Arguments(strings.Split(c.Scopes, " "))
 }
 
 func (c *Client) GetGrantTypes() fosite.Arguments {

client/handler.go

@@ -45,7 +45,7 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 		return
 	}
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: ClientsResource,
 		Action:   "create",
 		Context: ladon.Context{
@@ -80,7 +80,7 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 func (h *Handler) GetAll(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = herodot.NewContext()
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: ClientsResource,
 		Action:   "get",
 	}, Scope); err != nil {
@@ -106,13 +106,13 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 	var ctx = herodot.NewContext()
 	var id = ps.ByName("id")
 
-	c, err := h.Manager.GetClient(id)
+	c, err := h.Manager.GetConcreteClient(id)
 	if err != nil {
 		h.H.WriteError(ctx, w, r, err)
 		return
 	}
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: fmt.Sprintf(ClientResource, id),
 		Action:   "get",
 		Context: ladon.Context{
@@ -123,15 +123,15 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 		return
 	}
 
-	c.(*Client).Secret = ""
+	c.Secret = ""
 	h.H.Write(ctx, w, r, c)
 }
 
 func (h *Handler) Delete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = herodot.NewContext()
 	var id = ps.ByName("id")
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: fmt.Sprintf(ClientResource, id),
 		Action:   "delete",
 	}, Scope); err != nil {

client/manager.go

@@ -18,4 +18,6 @@ type Storage interface {
 	DeleteClient(id string) error
 
 	GetClients() (map[string]Client, error)
+
+	GetConcreteClient(id string) (*Client, error)
 }

client/manager_http.go

@@ -14,7 +14,7 @@ type HTTPManager struct {
 	Dry      bool
 }
 
-func (m *HTTPManager) GetClient(id string) (fosite.Client, error) {
+func (m *HTTPManager) GetConcreteClient(id string) (*Client, error) {
 	var c Client
 	var r = pkg.NewSuperAgent(pkg.JoinURL(m.Endpoint, id).String())
 	r.Client = m.Client
@@ -26,6 +26,10 @@ func (m *HTTPManager) GetClient(id string) (fosite.Client, error) {
 	return &c, nil
 }
 
+func (m *HTTPManager) GetClient(id string) (fosite.Client, error) {
+	return m.GetConcreteClient(id)
+}
+
 func (m *HTTPManager) CreateClient(c *Client) error {
 	var r = pkg.NewSuperAgent(m.Endpoint.String())
 	r.Client = m.Client

client/manager_memory.go

@@ -16,7 +16,7 @@ type MemoryManager struct {
 	sync.RWMutex
 }
 
-func (m *MemoryManager) GetClient(id string) (fosite.Client, error) {
+func (m *MemoryManager) GetConcreteClient(id string) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()
 
@@ -27,6 +27,10 @@ func (m *MemoryManager) GetClient(id string) (fosite.Client, error) {
 	return &c, nil
 }
 
+func (m *MemoryManager) GetClient(id string) (fosite.Client, error) {
+	return m.GetConcreteClient(id)
+}
+
 func (m *MemoryManager) Authenticate(id string, secret []byte) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()

client/manager_rethinkdb.go

@@ -23,7 +23,7 @@ type RethinkManager struct {
 	Hasher  hash.Hasher
 }
 
-func (m *RethinkManager) GetClient(id string) (fosite.Client, error) {
+func (m *RethinkManager) GetConcreteClient(id string) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()
 
@@ -34,6 +34,10 @@ func (m *RethinkManager) GetClient(id string) (fosite.Client, error) {
 	return &c, nil
 }
 
+func (m *RethinkManager) GetClient(id string) (fosite.Client, error) {
+	return m.GetConcreteClient(id)
+}
+
 func (m *RethinkManager) Authenticate(id string, secret []byte) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()

client/manager_test.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/julienschmidt/httprouter"
+	"github.com/ory-am/dockertest"
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/hash"
 	. "github.com/ory-am/hydra/client"
@@ -22,7 +23,6 @@ import (
 	"github.com/pborman/uuid"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/net/context"
-	"gopkg.in/ory-am/dockertest.v2"
 )
 
 var clientManagers = map[string]Storage{}

cmd/cli/handler_client.go

@@ -9,6 +9,7 @@ import (
 	"github.com/ory-am/hydra/config"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/spf13/cobra"
+	"strings"
 )
 
 type ClientHandler struct {
@@ -69,7 +70,7 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
 		ID:            id,
 		Secret:        string(secret),
 		ResponseTypes: responseTypes,
-		GrantedScopes: allowedScopes,
+		Scopes:        strings.Join(allowedScopes, " "),
 		GrantTypes:    grantTypes,
 		RedirectURIs:  callbacks,
 		Name:          name,

cmd/cli/handler_warden.go

@@ -34,11 +34,7 @@ func (h *WardenHandler) IsAuthorized(cmd *cobra.Command, args []string) {
 	}
 
 	scopes, _ := cmd.Flags().GetStringSlice("scopes")
-	if len(scopes) == 0 {
-		scopes = []string{"core"}
-	}
-
-	res, err := h.M.Authorized(context.Background(), args[0], scopes...)
+	res, err := h.M.InspectToken(context.Background(), args[0], scopes...)
 	pkg.Must(err, "Could not validate token: %s", err)
 
 	out, err := json.MarshalIndent(res, "", "\t")

cmd/clients_create.go

@@ -22,6 +22,6 @@ func init() {
 	clientsCreateCmd.Flags().StringSliceP("callbacks", "c", []string{}, "REQUIRED list of allowed callback URLs")
 	clientsCreateCmd.Flags().StringSliceP("grant-types", "g", []string{"authorization_code"}, "A list of allowed grant types")
 	clientsCreateCmd.Flags().StringSliceP("response-types", "r", []string{"code"}, "A list of allowed response types")
-	clientsCreateCmd.Flags().StringSliceP("allowed-scopes", "a", []string{"core"}, "A list of allowed scopes")
+	clientsCreateCmd.Flags().StringSliceP("allowed-scopes", "a", []string{""}, "A list of allowed scopes")
 	clientsCreateCmd.Flags().StringP("name", "n", "", "The client's name")
 }