From 5d91ebfd62717f8174a8655c5c17a8a1bdd5bf07 Mon Sep 17 00:00:00 2001
From: Livio Amstutz
Date: Fri, 10 Jan 2020 09:27:52 +0100
Subject: [PATCH] cleanup
---
 pkg/op/authrequest_test.go | 4 +-
 pkg/op/config.go | 1 -
 pkg/op/storage.go | 1 -
 pkg/rp/default_verifier.go | 91 --------------------------------------
 pkg/rp/jwks.go | 28 ++++--------
 5 files changed, 10 insertions(+), 115 deletions(-)
diff --git a/pkg/op/authrequest_test.go b/pkg/op/authrequest_test.go
index 3c4c1e6..b0599c3 100644
--- a/pkg/op/authrequest_test.go
+++ b/pkg/op/authrequest_test.go
@@ -108,7 +108,7 @@ func TestValidateAuthRequest(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- if err := op.ValidateAuthRequest(tt.args.authRequest, tt.args.storage); (err != nil) != tt.wantErr {
+ if err := op.ValidateAuthRequest(nil, tt.args.authRequest, tt.args.storage); (err != nil) != tt.wantErr {
 t.Errorf("ValidateAuthRequest() error = %v, wantErr %v", err, tt.wantErr)
 }
 })
@@ -218,7 +218,7 @@ func TestValidateAuthReqRedirectURI(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- if err := op.ValidateAuthReqRedirectURI(tt.args.uri, tt.args.clientID, tt.args.responseType, tt.args.storage); (err != nil) != tt.wantErr {
+ if err := op.ValidateAuthReqRedirectURI(nil, tt.args.uri, tt.args.clientID, tt.args.responseType, tt.args.storage); (err != nil) != tt.wantErr {
 t.Errorf("ValidateRedirectURI() error = %v, wantErr %v", err.Error(), tt.wantErr)
 }
 })
diff --git a/pkg/op/config.go b/pkg/op/config.go
index 9ebfc1c..ee569aa 100644
--- a/pkg/op/config.go
+++ b/pkg/op/config.go
@@ -13,7 +13,6 @@ type Configuration interface {
 UserinfoEndpoint() Endpoint
 KeysEndpoint() Endpoint
- // SupportedScopes() []string
 AuthMethodPostSupported() bool
 Port() string
diff --git a/pkg/op/storage.go b/pkg/op/storage.go
index 81c9c58..a6e323e 100644
--- a/pkg/op/storage.go
+++ b/pkg/op/storage.go
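Review bot: Both test hunks pass a literal `nil` as the new first argument (`op.ValidateAuthRequest(nil, ...)` at -108 and `op.ValidateAuthReqRedirectURI(nil, ...)` at -218). The signatures are not in the diff, but if that parameter is a `context.Context` — which the ordering suggests — a nil context panics as soon as any callee calls a method on it or passes it to a library, so the tests would only keep passing while the implementation ignores it. Prefer `context.Background()` (or `context.TODO()` if the real value is still undecided) in both call sites so the tests exercise the same path production callers take.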
@@ -36,7 +36,6 @@ type AuthRequest interface {
 GetAudience() []string
 GetAuthTime() time.Time
 GetClientID() string
- // GetCode() string
 GetCodeChallenge() *oidc.CodeChallenge
 GetNonce() string
 GetRedirectURI() string
diff --git a/pkg/rp/default_verifier.go b/pkg/rp/default_verifier.go
index 6d25411..58adddb 100644
--- a/pkg/rp/default_verifier.go
+++ b/pkg/rp/default_verifier.go
@@ -96,12 +96,6 @@ func WithSupportedSigningAlgorithms(algs ...string) func(*verifierConfig) {
 }
 }
-// func WithVerifierHTTPClient(client *http.Client) func(*verifierConfig) {
-// return func(conf *verifierConfig) {
-// conf.httpClient = client
-// }
-// }
-
 type verifierConfig struct {
 issuer string
 clientID string
@@ -213,12 +207,8 @@ func (v *DefaultVerifier) VerifyIDToken(ctx context.Context, idTokenString strin
 if err = v.checkAuthTime(claims.AuthTime); err != nil {
 return nil, err
 }
- //return idtoken struct, err
 return claims, nil
- // })
- // _ = token
- // return err
 }
 func (v *DefaultVerifier) parseToken(tokenString string) (*oidc.IDTokenClaims, []byte, error) {
@@ -297,68 +287,6 @@ func (v *DefaultVerifier) checkSignature(ctx context.Context, idTokenString stri
 return jose.SignatureAlgorithm(sig.Header.Algorithm), nil
 }
-// type KeySet struct {
-// remoteURL url.URL
-// httpClient *http.Client
-// keys []jose.JSONWebKey
-
-// m sync.Mutex
-// inflight *inflight
-// }
-
-// func (k *KeySet) GetKey(ctx context.Context, keyID string) (*jose.JSONWebKey, error) {
-// key, err := k.getKey(keyID)
-// if err != nil {
-// //lock
-// k.updateKeys(ctx)
-// //unlock
-// return k.getKey(keyID)
-// }
-// return key, nil
-// }
-
-// func (k *KeySet) getKey(keyID string) (*jose.JSONWebKey, error) {
-// k.m.Lock()
-// keys := k.keys
-// k.m.Unlock()
-// for _, key := range keys {
-// if key.KeyID == keyID {
-// return &key, nil
-// }
-// }
-// return nil, nil //TODO: err
-// }
-
-// func (k *KeySet) retrieveNewKeys(ctx context.Context) ([]jose.JSONWebKey, error) {
-// resp, err := k.httpClient.Get(k.remoteURL.String())
-// if err != nil {
-// return nil, err
-// }
-// if resp.StatusCode != http.StatusOK {
-// return nil, nil //TODO: errs
-// }
-
-// defer resp.Body.Close()
-// body, err := ioutil.ReadAll(resp.Body)
-// if err != nil {
-// return nil, err
-// }
-
-// var keySet jose.JSONWebKeySet
-// err = json.Unmarshal(body, keySet)
-// if err != nil {
-// return nil, err
-// }
-// return keySet.Keys, nil
-// }
-
-// func (k *KeySet) updateKeys(ctx context.Context) error {
-// k.inflight
-// k.m.Lock()
-// k.keys = keySet.Keys
-// return nil
-// }
-
 func (v *DefaultVerifier) checkExpiration(expiration time.Time) error {
 expiration = expiration.Round(time.Second)
 if !v.now().Before(expiration) {
@@ -419,25 +347,6 @@ func (v *DefaultVerifier) decryptToken(tokenString string) (string, error) {
 return tokenString, nil //TODO: impl
 }
-// func (v *Verifier) parseIDToken(tokenString string) (IDToken, error) {
-// var claims jwt.StandardClaims
-// token, err := jwt.ParseWithClaims(tokenString, &claims, func(token *jwt.Token) (interface{}, error) {
-// claims.VerifyIssuer(v.config.Issuer, true)
-
-// // return token.Header["alg"]
-// })
-
-// payload, err := parseJWT(rawIDToken)
-// if err != nil {
-// return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
-// }
-// var token IDToken
-// if err := json.Unmarshal(payload, &token); err != nil {
-// return nil, fmt.Errorf("oidc: failed to unmarshal claims: %v", err)
-// }
-// return token, nil //TODO: impl
-// }
-
 func (v *DefaultVerifier) verifyAccessToken(accessToken, atHash string, sigAlgorithm jose.SignatureAlgorithm) error {
 if atHash == "" {
 return nil //TODO: return error
diff --git a/pkg/rp/jwks.go b/pkg/rp/jwks.go
index 3851374..45ab9f4 100644
--- a/pkg/rp/jwks.go
+++ b/pkg/rp/jwks.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "net/http"
 "sync"
- "time"
 "github.com/caos/oidc/pkg/utils"
@@ -22,7 +21,6 @@ func NewRemoteKeySet(client *http.Client, jwksURL string) oidc.KeySet {
 type remoteKeySet struct {
 jwksURL string
 httpClient *http.Client
- // now func() time.Time
 // guard all other fields
 mu sync.Mutex
@@ -33,7 +31,6 @@ type remoteKeySet struct {
 // A set of cached keys and their expiry.
 cachedKeys []jose.JSONWebKey
- expiry time.Time
 }
 // inflight is used to wait on some in-flight request from multiple goroutines.
@@ -76,7 +73,7 @@ func (r *remoteKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSig
 break
 }
- keys, _ := r.keysFromCache()
+ keys := r.keysFromCache()
 payload, err, ok := checkKey(keyID, keys, jws)
 if ok {
 return payload, err
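Review bot: Dropping `expiry time.Time` from remoteKeySet (the -33 hunk) leaves the cached JWKS with no time-based refresh at all; as far as the jwks.go hunks here and in the two following lines show, the cache is only refilled when checkKey fails to find the requested key ID. A key the provider has rotated out or revoked therefore keeps validating signatures until some token arrives with an unknown kid, which is a weaker trust model than the cache-control handling that fetchRemoteKeys used to reserve a place for. If a TTL is intentionally out of scope, say so where the field lives so the next reader does not assume one exists, e.g. replace the now-stale context comment `// A set of cached keys and their expiry.` with `// cachedKeys is only refreshed when a key ID is not found; there is no time-based expiry or revocation check.` The same point applies to keysFromCache and updateKeys in the next hunks.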
@@ -94,10 +91,10 @@ func (r *remoteKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSig
 return payload, err
 }
-func (r *remoteKeySet) keysFromCache() (keys []jose.JSONWebKey, expiry time.Time) {
+func (r *remoteKeySet) keysFromCache() (keys []jose.JSONWebKey) {
 r.mu.Lock()
 defer r.mu.Unlock()
- return r.cachedKeys, r.expiry
+ return r.cachedKeys
 }
 // keysFromRemote syncs the key set from the remote set, records the values in the
@@ -127,7 +124,7 @@ func (r *remoteKeySet) keysFromRemote(ctx context.Context) ([]jose.JSONWebKey, e
 func (r *remoteKeySet) updateKeys(ctx context.Context) {
 // Sync keys and finish inflight when that's done.
- keys, expiry, err := r.fetchRemoteKeys(ctx)
+ keys, err := r.fetchRemoteKeys(ctx)
 r.inflight.done(keys, err)
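Review bot: The named result in the new signature `func (r *remoteKeySet) keysFromCache() (keys []jose.JSONWebKey)` is never assigned or used by a naked return — the body returns `r.cachedKeys` explicitly — so it is only noise now that the second result is gone; `func (r *remoteKeySet) keysFromCache() []jose.JSONWebKey {` reads cleaner. The slice handed back aliases the cached backing array after the lock is released, which is only safe because updateKeys (next hunk) replaces `r.cachedKeys` wholesale instead of appending in place; that invariant deserves a line on the function: `// keysFromCache returns the cached slice itself; callers must treat it as read-only and updateKeys must replace, never mutate, r.cachedKeys.`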
@@ -138,33 +135,24 @@ func (r *remoteKeySet) updateKeys(ctx context.Context) {
 if err == nil {
 r.cachedKeys = keys
- r.expiry = expiry
 }
 // Free inflight so a different request can run.
 r.inflight = nil
 }
-func (r *remoteKeySet) fetchRemoteKeys(ctx context.Context) ([]jose.JSONWebKey, time.Time, error) {
+func (r *remoteKeySet) fetchRemoteKeys(ctx context.Context) ([]jose.JSONWebKey, error) {
 req, err := http.NewRequest("GET", r.jwksURL, nil)
 if err != nil {
- return nil, time.Time{}, fmt.Errorf("oidc: can't create request: %v", err)
+ return nil, fmt.Errorf("oidc: can't create request: %v", err)
 }
 keySet := new(jose.JSONWebKeySet)
 if err = utils.HttpRequest(r.httpClient, req, keySet); err != nil {
- return nil, time.Time{}, fmt.Errorf("oidc: failed to get keys: %v", err)
+ return nil, fmt.Errorf("oidc: failed to get keys: %v", err)
 }
- // If the server doesn't provide cache control headers, assume the
- // keys expire immediately.
- // expiry := r.now()
-
- // _, e, err := cachecontrol.CachableResponse(req, resp, cachecontrol.Options{})
- // if err == nil && e.After(expiry) {
- // expiry = e
- // }
- return keySet.Keys, time.Now(), nil
+ return keySet.Keys, nil
 }
 func checkKey(keyID string, keys []jose.JSONWebKey, jws *jose.JSONWebSignature) ([]byte, error, bool) {
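Review bot: The rewritten `fetchRemoteKeys(ctx context.Context)` still builds its request with `http.NewRequest("GET", r.jwksURL, nil)` on the context line directly below, so `ctx` is accepted but never attached to the outbound JWKS fetch and a caller's deadline or cancellation cannot bound the remote call. Since the file is already on the 2020 toolchain era, `req, err := http.NewRequestWithContext(ctx, http.MethodGet, r.jwksURL, nil)` fixes that in one line; whether r.httpClient carries its own timeout is not visible here, so the context is the only bound this function can guarantee. While touching the two new `return nil, fmt.Errorf(...)` lines, `%w` instead of `%v` would let callers inspect the underlying transport or decode error with errors.Is/errors.As.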