From 863cae4a2715fc711169edcdf0467e9faa589a62 Mon Sep 17 00:00:00 2001 From: "Aeneas Rekkas (arekkas)" Date: Tue, 9 Aug 2016 22:04:08 +0200 Subject: [PATCH 1/6] cmd: resolve broken formatting issue --- cmd/server/helper_client.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/server/helper_client.go b/cmd/server/helper_client.go index 2c0f8c9c9eb..c9139777a90 100644 --- a/cmd/server/helper_client.go +++ b/cmd/server/helper_client.go @@ -63,8 +63,8 @@ func (h *Handler) createRootIfNewInstall(c *config.Config) { logrus.Infoln("Temporary root client created.") if forceRoot == "" { - logrus.Infoln("client_id: %s", root.GetID()) - logrus.Infoln("client_secret: %s", string(secret)) + logrus.Infof("client_id: %s", root.GetID()) + logrus.Infof("client_secret: %s", string(secret)) logrus.Warn("WARNING: YOU MUST delete this client once in production, as credentials may have been leaked logfiles.") } } From d7cd05f55ccd91bd4e0bdccf8b89e023406cdaca Mon Sep 17 00:00:00 2001 From: "Aeneas Rekkas (arekkas)" Date: Tue, 9 Aug 2016 22:09:11 +0200 Subject: [PATCH 2/6] client: field scopes should be scope --- client/client.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/client.go b/client/client.go index 15b7286aca3..62523af67a8 100644 --- a/client/client.go +++ b/client/client.go @@ -12,7 +12,7 @@ type Client struct { RedirectURIs []string `json:"redirect_uris" gorethink:"redirect_uris"` GrantTypes []string `json:"grant_types" gorethink:"grant_types"` ResponseTypes []string `json:"response_types" gorethink:"response_types"` - Scopes string `json:"scopes" gorethink:"scopes"` + Scopes string `json:"scope" gorethink:"scopes"` Owner string `json:"owner" gorethink:"owner"` PolicyURI string `json:"policy_uri" gorethink:"policy_uri"` TermsOfServiceURI string `json:"tos_uri" gorethink:"tos_uri"` From e2f8ca6c37f8337b898d5fc7abb419b12e540e47 Mon Sep 17 00:00:00 2001 
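Review bot: The two `logrus.Infof` lines still write the temporary root client's secret into the ordinary log stream at Info level, so any log shipper attached to this service now persists an all-privileges credential; the warning on the following line acknowledges this but does not narrow it. Writing the one-time credential straight to stderr with `fmt.Fprintf(os.Stderr, ...)` (bypassing logrus hooks and formatters) and keeping only the client_id in the log would limit where the secret can end up; at minimum the two lines belong at Warn level next to the warning they precede. The warning text has also lost a word: `"... credentials may have been leaked to logfiles."`. createRootIfNewInstall begins and ends outside the hunk.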
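Review bot: Changing the JSON tag from `scopes` to `scope` silently drops the field for any API caller still sending `scopes`, because encoding/json ignores unknown keys, so such a caller now creates a client with an empty Scope and receives no error. If the create handler does not already reject an empty scope, that check belongs with this rename; the rename is an API-breaking change and the commit message should say so. The Client struct begins outside the hunk.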
From: "Aeneas Rekkas (arekkas)" Date: Tue, 9 Aug 2016 22:44:48 +0200 Subject: [PATCH 3/6] config: fix broken system secret method and add test case for it --- config/config.go | 9 +++++++-- config/config_test.go | 14 +++++++++++++- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/config/config.go b/config/config.go index e5745ce57ae..688d4541968 100644 --- a/config/config.go +++ b/config/config.go @@ -52,6 +52,7 @@ type Config struct { cluster *url.URL `yaml:"-"` oauth2Client *http.Client `yaml:"-"` context *Context `yaml:"-"` + systemSecret []byte } func matchesRange(r *http.Request, ranges []string) error { @@ -238,11 +239,15 @@ func (c *Config) OAuth2Client(cmd *cobra.Command) *http.Client { } func (c *Config) GetSystemSecret() []byte { + if len(c.systemSecret) > 0 { + return c.systemSecret + } + var secret = []byte(c.SystemSecret) if len(secret) >= 16 { hash := sha256.Sum256(secret) secret = hash[:] - c.SystemSecret = string(secret) + c.systemSecret = secret return secret } @@ -254,7 +259,7 @@ func (c *Config) GetSystemSecret() []byte { logrus.Infof("Generated system secret: %s", secret) hash := sha256.Sum256(secret) secret = hash[:] - c.SystemSecret = string(secret) + c.systemSecret = secret logrus.Warnln("WARNING: DO NOT generate system secrets in production. The secret will be leaked to the logs.") return secret } diff --git a/config/config_test.go b/config/config_test.go index baa1670b914..be173ce5639 100644 --- a/config/config_test.go +++ b/config/config_test.go 
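Review bot: A configured SystemSecret that is non-empty but shorter than 16 bytes is not rejected by the `if len(secret) >= 16` check; it silently falls through to the generated-secret path, so a typo in a production secret yields a fresh random key on every start (and a warning written for a different situation) instead of a startup failure. Returning an error or calling `logrus.Fatalf` for a non-empty value under 16 bytes would make that misconfiguration visible at once. The new lazy caching also writes `c.systemSecret` with no synchronization; if GetSystemSecret is reachable from concurrent request handlers rather than only from startup code, two callers on the generated path could each cache a different secret, which `sync.Once` would prevent. The lines that generate the fallback secret sit between the two hunks and are not in view, so the shape of that path is assumed.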
@@ -1,8 +1,20 @@ package config -import "testing" +import ( + "testing" + "github.com/stretchr/testify/assert" +) func TestConfig(t *testing.T) { c := &Config{} _ = c.Context() } + +func TestSystemSecret(t *testing.T) { + c3 := &Config{} + assert.EqualValues(t, c3.GetSystemSecret(), c3.GetSystemSecret()) + c := &Config{SystemSecret: "foobarbazbarasdfasdffoobarbazbarasdfasdf"} + assert.EqualValues(t, c.GetSystemSecret(), c.GetSystemSecret()) + c2 := &Config{SystemSecret: "foobarbazbarasdfasdffoobarbazbarasdfasdf"} + assert.EqualValues(t, c.GetSystemSecret(), c2.GetSystemSecret()) +} From 51193f073987269e213e321b2ce9256e54350ca6 Mon Sep 17 00:00:00 2001 From: "Aeneas Rekkas (arekkas)" Date: Tue, 9 Aug 2016 22:50:19 +0200 Subject: [PATCH 4/6] client: scope should be scope in rethinkdb too --- client/client.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/client.go b/client/client.go index 62523af67a8..ee52a40d54b 100644 --- a/client/client.go +++ b/client/client.go @@ -12,7 +12,7 @@ type Client struct { RedirectURIs []string `json:"redirect_uris" gorethink:"redirect_uris"` GrantTypes []string `json:"grant_types" gorethink:"grant_types"` ResponseTypes []string `json:"response_types" gorethink:"response_types"` - Scopes string `json:"scope" gorethink:"scopes"` + Scopes string `json:"scope" gorethink:"scope"` Owner string `json:"owner" gorethink:"owner"` PolicyURI string `json:"policy_uri" gorethink:"policy_uri"` TermsOfServiceURI string `json:"tos_uri" gorethink:"tos_uri"` From aede954fdc985c25b9c52708dac5feb01196c495 Mon Sep 17 00:00:00 2001 
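Review bot: TestSystemSecret only checks that repeated calls return the same value; it does not pin the two properties the fix relies on, that the cached value is the 32-byte SHA-256 digest (`assert.Len(t, c.GetSystemSecret(), 32)`) and that two empty Configs on the generated path produce different secrets (`assert.NotEqual(t, c3.GetSystemSecret(), (&Config{}).GetSystemSecret())`). Without the second assertion a regression that made the fallback deterministic would still pass. A case with a SystemSecret under 16 bytes would also document what the code does for a too-short configured value.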
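Review bot: Renaming the gorethink tag from `scopes` to `scope` changes the document key under which a client's scope is persisted, and nothing in this series migrates existing RethinkDB documents, so a client stored before the change would decode with an empty Scope because its `scopes` key is simply ignored. Whether any deployment already persists clients is not visible here; if one does, a one-off migration or a fallback read of the old key is needed and the commit message should mention the break. The Client struct begins outside the hunk.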
From: "Aeneas Rekkas (arekkas)" Date: Wed, 10 Aug 2016 00:15:52 +0200 Subject: [PATCH 5/6] client: scope should be scope in rethinkdb too --- client/client.go | 7 +++-- cmd/cli/handler_client.go | 5 ++-- cmd/server/helper_client.go | 2 +- config/config_test.go | 52 +++++++++++++++++++++++++++++++++ doc.go | 2 +- oauth2/consent_strategy.go | 3 +- oauth2/oauth2_auth_code_test.go | 3 +- oauth2/oauth2_test.go | 7 +++-- warden/warden_http.go | 9 +++--- 9 files changed, 74 insertions(+), 16 deletions(-) diff --git a/client/client.go b/client/client.go index ee52a40d54b..23ce612bb1f 100644 --- a/client/client.go +++ b/client/client.go @@ -1,8 +1,9 @@ package client import ( - "github.com/ory-am/fosite" "strings" + + "github.com/ory-am/fosite" ) type Client struct { @@ -12,7 +13,7 @@ type Client struct { RedirectURIs []string `json:"redirect_uris" gorethink:"redirect_uris"` GrantTypes []string `json:"grant_types" gorethink:"grant_types"` ResponseTypes []string `json:"response_types" gorethink:"response_types"` - Scopes string `json:"scope" gorethink:"scope"` + Scope string `json:"scope" gorethink:"scope"` Owner string `json:"owner" gorethink:"owner"` PolicyURI string `json:"policy_uri" gorethink:"policy_uri"` TermsOfServiceURI string `json:"tos_uri" gorethink:"tos_uri"` @@ -34,7 +35,7 @@ func (c *Client) GetHashedSecret() []byte { } func (c *Client) GetScopes() fosite.Arguments { - return fosite.Arguments(strings.Split(c.Scopes, " ")) + return fosite.Arguments(strings.Split(c.Scope, " ")) } func (c *Client) GetGrantTypes() fosite.Arguments { diff --git a/cmd/cli/handler_client.go b/cmd/cli/handler_client.go index 48a532ae89e..578282a07c2 100644 --- a/cmd/cli/handler_client.go +++ b/cmd/cli/handler_client.go @@ -5,11 +5,12 @@ import ( "fmt" "os" + "strings" + "github.com/ory-am/hydra/client" "github.com/ory-am/hydra/config" "github.com/ory-am/hydra/pkg" "github.com/spf13/cobra" - "strings" ) type ClientHandler struct { 
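Review bot: `strings.Split(c.Scope, " ")` in GetScopes returns `[""]` for an empty Scope and an empty element for every doubled space, so a client created without scope, or with sloppy whitespace, carries an empty-string scope entry into fosite's scope matching; whether fosite treats "" as matching anything is not visible here, but it should not have to be relied on. `return fosite.Arguments(strings.Fields(c.Scope))` yields an empty list for the empty case and tolerates repeated whitespace, and the `strings.Join(allowedScopes, " ")` on the CLI side then round-trips cleanly. The Scopes to Scope rename itself is mechanical.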
@@ -70,7 +71,7 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) { ID: id, Secret: string(secret), ResponseTypes: responseTypes, - Scopes: strings.Join(allowedScopes, " "), + Scope: strings.Join(allowedScopes, " "), GrantTypes: grantTypes, RedirectURIs: callbacks, Name: name, diff --git a/cmd/server/helper_client.go b/cmd/server/helper_client.go index c9139777a90..f38ea79cc17 100644 --- a/cmd/server/helper_client.go +++ b/cmd/server/helper_client.go @@ -42,7 +42,7 @@ func (h *Handler) createRootIfNewInstall(c *config.Config) { Name: "This temporary client is generated by hydra and is granted all of hydra's administrative privileges. It must be removed when everything is set up.", ResponseTypes: []string{"id_token", "code", "token"}, GrantTypes: []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"}, - Scopes: "hydra openid offline", + Scope: "hydra openid offline", RedirectURIs: []string{"http://localhost:4445/callback"}, Secret: secret, } diff --git a/config/config_test.go b/config/config_test.go index be173ce5639..bf0a7c6b72e 100644 --- a/config/config_test.go +++ b/config/config_test.go 
@@ -1,13 +1,42 @@ package config import ( + "net/http" "testing" + "time" + "github.com/stretchr/testify/assert" ) func TestConfig(t *testing.T) { c := &Config{} _ = c.Context() + + assert.Equal(t, c.GetAccessTokenLifespan(), time.Hour) +} + +func TestDoesRequestSatisfyTermination(t *testing.T) { + c := &Config{AllowTLSTermination: ""} + assert.NotNil(t, c.DoesRequestSatisfyTermination(new(http.Request))) + + c = &Config{AllowTLSTermination: "127.0.0.1/24"} + r := &http.Request{Header: http.Header{}} + assert.NotNil(t, c.DoesRequestSatisfyTermination(r)) + + r = &http.Request{Header: http.Header{"X-Forwarded-Proto": []string{"http"}}} + assert.NotNil(t, c.DoesRequestSatisfyTermination(r)) + + r = &http.Request{ + RemoteAddr: "227.0.0.1:123", + Header: http.Header{"X-Forwarded-Proto": []string{"https"}}, + } + assert.NotNil(t, c.DoesRequestSatisfyTermination(r)) + + r = &http.Request{ + RemoteAddr: "127.0.0.1:123", + Header: http.Header{"X-Forwarded-Proto": []string{"https"}}, + } + assert.Nil(t, c.DoesRequestSatisfyTermination(r)) } func TestSystemSecret(t *testing.T) { 
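Review bot: TestDoesRequestSatisfyTermination only exercises an IPv4 RemoteAddr inside and outside a single /24, which leaves the inputs most likely to mis-evaluate a trust decision untested: a malformed AllowTLSTermination value (`"127.0.0.1"` with no prefix length, or a non-CIDR string) and a RemoteAddr with no port or in IPv6 form (`"[::1]:123"`). Because this check decides whether `X-Forwarded-Proto: https` is believed, a case asserting that an unparsable range rejects rather than accepts would pin the fail-closed behaviour. DoesRequestSatisfyTermination and matchesRange are implemented outside this patch, so the expected results would need to be confirmed against them.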
@@ -18,3 +47,26 @@ func TestSystemSecret(t *testing.T) { c2 := &Config{SystemSecret: "foobarbazbarasdfasdffoobarbazbarasdfasdf"} assert.EqualValues(t, c.GetSystemSecret(), c2.GetSystemSecret()) } + +func TestResolve(t *testing.T) { + c := &Config{ClusterURL: "https://localhost:1234"} + assert.Equal(t, c.Resolve("foo", "bar").String(), "https://localhost:1234/foo/bar") + assert.Equal(t, c.Resolve("/foo", "/bar").String(), "https://localhost:1234/foo/bar") + + c = &Config{ClusterURL: "https://localhost:1234/"} + assert.Equal(t, c.Resolve("/foo", "/bar").String(), "https://localhost:1234/foo/bar") + + c = &Config{ClusterURL: "https://localhost:1234/bar"} + assert.Equal(t, c.Resolve("/foo", "/bar").String(), "https://localhost:1234/bar/foo/bar") +} + +func TestLifespan(t *testing.T) { + assert.Equal(t, (&Config{}).GetAccessTokenLifespan(), time.Hour) + assert.Equal(t, (&Config{AccessTokenLifespan: "6h"}).GetAccessTokenLifespan(), time.Hour*6) + + assert.Equal(t, (&Config{}).GetAuthCodeLifespan(), time.Minute*10) + assert.Equal(t, (&Config{AuthCodeLifespan: "15m"}).GetAuthCodeLifespan(), time.Minute*15) + + assert.Equal(t, (&Config{}).GetIDTokenLifespan(), time.Hour) + assert.Equal(t, (&Config{IDTokenLifespan: "10s"}).GetIDTokenLifespan(), time.Second*10) +} diff --git a/doc.go b/doc.go index 0bd3c58d177..1d32270048e 100644 --- a/doc.go +++ b/doc.go @@ -6,4 +6,4 @@ // Hydra is built for high throughput environments. Check out the below siege benchmark on a Macbook Pro Late 2013, connected to RethinkDB validating access tokens. // // The official repository is located at https://github.com/ory-am/hydra -package main \ No newline at end of file +package main diff --git a/oauth2/consent_strategy.go b/oauth2/consent_strategy.go index c5479bf9d49..2fb31b001dd 100644 --- a/oauth2/consent_strategy.go +++ b/oauth2/consent_strategy.go 
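Review bot: TestLifespan covers the default and one valid value for each lifespan but no unparsable string such as `AccessTokenLifespan: "10 hours"`; whether the getter then falls back to the default, returns zero, or panics is not visible here, and a silent fall-back to one hour on a misconfigured token lifetime is exactly the behaviour a test should state explicitly. One assertion with a malformed duration per getter would make the policy visible and guard it.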
@@ -4,9 +4,10 @@ import ( "fmt" "time" + "gopkg.in/dgrijalva/jwt-go.v2" + "crypto/rsa" - "github.com/dgrijalva/jwt-go" "github.com/go-errors/errors" "github.com/ory-am/fosite" "github.com/ory-am/fosite/handler/openid" diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go index c13565850af..74a18765b4a 100644 --- a/oauth2/oauth2_auth_code_test.go +++ b/oauth2/oauth2_auth_code_test.go @@ -6,7 +6,8 @@ import ( "testing" "time" - "github.com/dgrijalva/jwt-go" + "gopkg.in/dgrijalva/jwt-go.v2" + "github.com/go-errors/errors" "github.com/julienschmidt/httprouter" ejwt "github.com/ory-am/fosite/token/jwt" diff --git a/oauth2/oauth2_test.go b/oauth2/oauth2_test.go index f7c9636aab8..24246abfd8a 100644 --- a/oauth2/oauth2_test.go +++ b/oauth2/oauth2_test.go @@ -4,6 +4,8 @@ import ( "net/http/httptest" "time" + "gopkg.in/dgrijalva/jwt-go.v2" + "fmt" "net/url" @@ -19,7 +21,6 @@ import ( "github.com/ory-am/hydra/pkg" "golang.org/x/oauth2" "golang.org/x/oauth2/clientcredentials" - "github.com/dgrijalva/jwt-go" ) var hasher = &hash.BCrypt{} @@ -87,7 +88,7 @@ func init() { RedirectURIs: []string{ts.URL + "/callback"}, ResponseTypes: []string{"id_token", "code", "token"}, GrantTypes: []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"}, - Scopes: "hydra", + Scope: "hydra", } c, _ := url.Parse(ts.URL + "/consent") @@ -100,7 +101,7 @@ func init() { RedirectURIs: []string{ts.URL + "/callback"}, ResponseTypes: []string{"id_token", "code", "token"}, GrantTypes: []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"}, - Scopes: "hydra", + Scope: "hydra", } oauthConfig = &oauth2.Config{ diff --git a/warden/warden_http.go b/warden/warden_http.go index 482d563fe28..780f18e20c6 100644 --- a/warden/warden_http.go +++ b/warden/warden_http.go 
@@ -4,6 +4,11 @@ import ( "net/http" "net/url" + "bytes" + "encoding/json" + "io/ioutil" + "strconv" + "github.com/go-errors/errors" "github.com/ory-am/fosite" "github.com/ory-am/hydra/firewall" @@ -12,10 +17,6 @@ import ( "golang.org/x/net/context" "golang.org/x/oauth2" "golang.org/x/oauth2/clientcredentials" - "bytes" - "io/ioutil" - "strconv" - "encoding/json" ) type HTTPWarden struct { From 2f6bc917157e42c1a2ae2f97658ef56060cedc3b Mon Sep 17 00:00:00 2001 From: "Aeneas Rekkas (arekkas)" Date: Wed, 10 Aug 2016 00:27:08 +0200 Subject: [PATCH 6/6] oauth2: resolve import paths broken by goimports --- oauth2/consent_strategy.go | 3 +-- oauth2/oauth2_auth_code_test.go | 3 +-- oauth2/oauth2_test.go | 8 +++----- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/oauth2/consent_strategy.go b/oauth2/consent_strategy.go index 2fb31b001dd..722310599ce 100644 --- a/oauth2/consent_strategy.go +++ b/oauth2/consent_strategy.go @@ -4,9 +4,8 @@ import ( "fmt" "time" - "gopkg.in/dgrijalva/jwt-go.v2" - "crypto/rsa" + "github.com/dgrijalva/jwt-go" "github.com/go-errors/errors" "github.com/ory-am/fosite" diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go index 74a18765b4a..c13565850af 100644 --- a/oauth2/oauth2_auth_code_test.go +++ b/oauth2/oauth2_auth_code_test.go @@ -6,8 +6,7 @@ import ( "testing" "time" - "gopkg.in/dgrijalva/jwt-go.v2" - + "github.com/dgrijalva/jwt-go" "github.com/go-errors/errors" "github.com/julienschmidt/httprouter" ejwt "github.com/ory-am/fosite/token/jwt" diff --git a/oauth2/oauth2_test.go b/oauth2/oauth2_test.go index 24246abfd8a..9825eb4b3eb 100644 --- a/oauth2/oauth2_test.go +++ b/oauth2/oauth2_test.go @@ -1,14 +1,12 @@ package oauth2_test import ( - "net/http/httptest" - "time" - - "gopkg.in/dgrijalva/jwt-go.v2" - "fmt" + "net/http/httptest" "net/url" + "time" + "github.com/dgrijalva/jwt-go" "github.com/go-errors/errors" "github.com/julienschmidt/httprouter" "github.com/ory-am/fosite"