initial commit

2020-01-31 15:22:16 +01:00 · 2020-01-31 15:22:16 +01:00 · 6d0890e280
commit 6d0890e280
68 changed files with 5986 additions and 0 deletions
--- a/example/client/api/api.go
+++ b/example/client/api/api.go
@ -0,0 +1,90 @@
+package main
+
+// import (
+// 	"encoding/json"
+// 	"fmt"
+// 	"log"
+// 	"net/http"
+// 	"os"
+
+// 	"github.com/caos/oidc/pkg/oidc"
+// 	"github.com/caos/oidc/pkg/oidc/rp"
+// 	"github.com/caos/utils/logging"
+// )
+
+// const (
+// 	publicURL            string = "/public"
+// 	protectedURL         string = "/protected"
+// 	protectedExchangeURL string = "/protected/exchange"
+// )
+
+func main() {
+	// 	clientID := os.Getenv("CLIENT_ID")
+	// 	clientSecret := os.Getenv("CLIENT_SECRET")
+	// 	issuer := os.Getenv("ISSUER")
+	// 	port := os.Getenv("PORT")
+
+	// 	// ctx := context.Background()
+
+	// 	providerConfig := &oidc.ProviderConfig{
+	// 		ClientID:     clientID,
+	// 		ClientSecret: clientSecret,
+	// 		Issuer:       issuer,
+	// 	}
+	// 	provider, err := rp.NewDefaultProvider(providerConfig)
+	// 	logging.Log("APP-nx6PeF").OnError(err).Panic("error creating provider")
+
+	// 	http.HandleFunc(publicURL, func(w http.ResponseWriter, r *http.Request) {
+	// 		w.Write([]byte("OK"))
+	// 	})
+
+	// 	http.HandleFunc(protectedURL, func(w http.ResponseWriter, r *http.Request) {
+	// 		ok, token := checkToken(w, r)
+	// 		if !ok {
+	// 			return
+	// 		}
+	// 		resp, err := provider.Introspect(r.Context(), token)
+	// 		if err != nil {
+	// 			http.Error(w, err.Error(), http.StatusForbidden)
+	// 			return
+	// 		}
+	// 		data, err := json.Marshal(resp)
+	// 		if err != nil {
+	// 			http.Error(w, err.Error(), http.StatusInternalServerError)
+	// 			return
+	// 		}
+	// 		w.Write(data)
+	// 	})
+
+	// 	http.HandleFunc(protectedExchangeURL, func(w http.ResponseWriter, r *http.Request) {
+	// 		ok, token := checkToken(w, r)
+	// 		if !ok {
+	// 			return
+	// 		}
+	// 		tokens, err := provider.DelegationTokenExchange(r.Context(), token, oidc.WithResource([]string{"Test"}))
+	// 		if err != nil {
+	// 			http.Error(w, "failed to exchange token: "+err.Error(), http.StatusUnauthorized)
+	// 			return
+	// 		}
+
+	// 		data, err := json.Marshal(tokens)
+	// 		if err != nil {
+	// 			http.Error(w, err.Error(), http.StatusInternalServerError)
+	// 			return
+	// 		}
+	// 		w.Write(data)
+	// 	})
+
+	// 	lis := fmt.Sprintf("127.0.0.1:%s", port)
+	// 	log.Printf("listening on http://%s/", lis)
+	// 	log.Fatal(http.ListenAndServe(lis, nil))
+	// }
+
+	// func checkToken(w http.ResponseWriter, r *http.Request) (bool, string) {
+	// 	token := r.Header.Get("authorization")
+	// 	if token == "" {
+	// 		http.Error(w, "Auth header missing", http.StatusUnauthorized)
+	// 		return false, ""
+	// 	}
+	// 	return true, token
+}
--- a/example/client/app/app.go
+++ b/example/client/app/app.go
@ -0,0 +1,96 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/google/uuid"
+
+	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/oidc/pkg/rp"
+	"github.com/caos/oidc/pkg/utils"
+)
+
+var (
+	callbackPath string = "/auth/callback"
+	key          []byte = []byte("test1234test1234")
+)
+
+func main() {
+	clientID := os.Getenv("CLIENT_ID")
+	clientSecret := os.Getenv("CLIENT_SECRET")
+	issuer := os.Getenv("ISSUER")
+	port := os.Getenv("PORT")
+
+	ctx := context.Background()
+
+	rpConfig := &rp.Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		Issuer:       issuer,
+		CallbackURL:  fmt.Sprintf("http://localhost:%v%v", port, callbackPath),
+		Scopes:       []string{"openid", "profile", "email"},
+	}
+	cookieHandler := utils.NewCookieHandler(key, key, utils.WithUnsecure())
+	provider, err := rp.NewDefaultRP(rpConfig, rp.WithCookieHandler(cookieHandler)) //rp.WithPKCE(cookieHandler)) //,
+	if err != nil {
+		logrus.Fatalf("error creating provider %s", err.Error())
+	}
+
+	// state := "foobar"
+	state := uuid.New().String()
+
+	http.Handle("/login", provider.AuthURLHandler(state))
+	// http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
+	// 	http.Redirect(w, r, provider.AuthURL(state), http.StatusFound)
+	// })
+
+	// http.HandleFunc(callbackPath, func(w http.ResponseWriter, r *http.Request) {
+	// 	tokens, err := provider.CodeExchange(ctx, r.URL.Query().Get("code"))
+	// 	if err != nil {
+	// 		http.Error(w, "failed to exchange token: "+err.Error(), http.StatusUnauthorized)
+	// 		return
+	// 	}
+	// 	data, err := json.Marshal(tokens)
+	// 	if err != nil {
+	// 		http.Error(w, err.Error(), http.StatusInternalServerError)
+	// 		return
+	// 	}
+	// 	w.Write(data)
+	// })
+
+	marshal := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens, state string) {
+		_ = state
+		data, err := json.Marshal(tokens)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Write(data)
+	}
+
+	http.Handle(callbackPath, provider.CodeExchangeHandler(marshal))
+
+	http.HandleFunc("/test", func(w http.ResponseWriter, r *http.Request) {
+		tokens, err := provider.ClientCredentials(ctx, "scope")
+		if err != nil {
+			http.Error(w, "failed to exchange token: "+err.Error(), http.StatusUnauthorized)
+			return
+		}
+
+		data, err := json.Marshal(tokens)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Write(data)
+	})
+	lis := fmt.Sprintf("127.0.0.1:%s", port)
+	logrus.Infof("listening on http://%s/", lis)
+	logrus.Fatal(http.ListenAndServe("127.0.0.1:5556", nil))
+}
--- a/example/doc.go
+++ b/example/doc.go
@ -0,0 +1 @@
+package example
--- a/example/internal/mock/storage.go
+++ b/example/internal/mock/storage.go
@ -0,0 +1,250 @@
+package mock
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"errors"
+	"time"
+
+	"gopkg.in/square/go-jose.v2"
+
+	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/oidc/pkg/op"
+)
+
+type AuthStorage struct {
+	key *rsa.PrivateKey
+}
+
+func NewAuthStorage() op.Storage {
+	reader := rand.Reader
+	bitSize := 2048
+	key, err := rsa.GenerateKey(reader, bitSize)
+	if err != nil {
+		panic(err)
+	}
+	return &AuthStorage{
+		key: key,
+	}
+}
+
+type AuthRequest struct {
+	ID            string
+	ResponseType  oidc.ResponseType
+	RedirectURI   string
+	Nonce         string
+	ClientID      string
+	CodeChallenge *oidc.CodeChallenge
+}
+
+func (a *AuthRequest) GetACR() string {
+	return ""
+}
+
+func (a *AuthRequest) GetAMR() []string {
+	return []string{
+		"password",
+	}
+}
+
+func (a *AuthRequest) GetAudience() []string {
+	return []string{
+		a.ClientID,
+	}
+}
+
+func (a *AuthRequest) GetAuthTime() time.Time {
+	return time.Now().UTC()
+}
+
+func (a *AuthRequest) GetClientID() string {
+	return a.ClientID
+}
+
+func (a *AuthRequest) GetCode() string {
+	return "code"
+}
+
+func (a *AuthRequest) GetCodeChallenge() *oidc.CodeChallenge {
+	return a.CodeChallenge
+}
+
+func (a *AuthRequest) GetID() string {
+	return a.ID
+}
+
+func (a *AuthRequest) GetNonce() string {
+	return a.Nonce
+}
+
+func (a *AuthRequest) GetRedirectURI() string {
+	return a.RedirectURI
+	// return "http://localhost:5556/auth/callback"
+}
+
+func (a *AuthRequest) GetResponseType() oidc.ResponseType {
+	return a.ResponseType
+}
+
+func (a *AuthRequest) GetScopes() []string {
+	return []string{
+		"openid",
+		"profile",
+		"email",
+	}
+}
+
+func (a *AuthRequest) GetState() string {
+	return ""
+}
+
+func (a *AuthRequest) GetSubject() string {
+	return "sub"
+}
+
+func (a *AuthRequest) Done() bool {
+	return true
+}
+
+var (
+	a = &AuthRequest{}
+	t bool
+)
+
+func (s *AuthStorage) CreateAuthRequest(_ context.Context, authReq *oidc.AuthRequest) (op.AuthRequest, error) {
+	a = &AuthRequest{ID: "id", ClientID: authReq.ClientID, ResponseType: authReq.ResponseType, Nonce: authReq.Nonce, RedirectURI: authReq.RedirectURI}
+	if authReq.CodeChallenge != "" {
+		a.CodeChallenge = &oidc.CodeChallenge{
+			Challenge: authReq.CodeChallenge,
+			Method:    authReq.CodeChallengeMethod,
+		}
+	}
+	t = false
+	return a, nil
+}
+func (s *AuthStorage) AuthRequestByCode(context.Context, string) (op.AuthRequest, error) {
+	return a, nil
+}
+func (s *AuthStorage) DeleteAuthRequest(context.Context, string) error {
+	t = true
+	return nil
+}
+func (s *AuthStorage) AuthRequestByID(_ context.Context, id string) (op.AuthRequest, error) {
+	if id != "id" || t {
+		return nil, errors.New("not found")
+	}
+	return a, nil
+}
+func (s *AuthStorage) GetSigningKey(_ context.Context) (*jose.SigningKey, error) {
+	return &jose.SigningKey{Algorithm: jose.RS256, Key: s.key}, nil
+}
+func (s *AuthStorage) GetKey(_ context.Context) (*rsa.PrivateKey, error) {
+	return s.key, nil
+}
+func (s *AuthStorage) SaveKeyPair(ctx context.Context) (*jose.SigningKey, error) {
+	return s.GetSigningKey(ctx)
+}
+func (s *AuthStorage) GetKeySet(_ context.Context) (*jose.JSONWebKeySet, error) {
+	pubkey := s.key.Public()
+	return &jose.JSONWebKeySet{
+		Keys: []jose.JSONWebKey{
+			jose.JSONWebKey{Key: pubkey, Use: "sig", Algorithm: "RS256", KeyID: "1"},
+		},
+	}, nil
+}
+
+func (s *AuthStorage) GetClientByClientID(_ context.Context, id string) (op.Client, error) {
+	if id == "none" {
+		return nil, errors.New("not found")
+	}
+	var appType op.ApplicationType
+	var authMethod op.AuthMethod
+	var accessTokenType op.AccessTokenType
+	if id == "web" {
+		appType = op.ApplicationTypeWeb
+		authMethod = op.AuthMethodBasic
+		accessTokenType = op.AccessTokenTypeBearer
+	} else if id == "native" {
+		appType = op.ApplicationTypeNative
+		authMethod = op.AuthMethodNone
+		accessTokenType = op.AccessTokenTypeBearer
+	} else {
+		appType = op.ApplicationTypeUserAgent
+		authMethod = op.AuthMethodNone
+		accessTokenType = op.AccessTokenTypeJWT
+	}
+	return &ConfClient{ID: id, applicationType: appType, authMethod: authMethod, accessTokenType: accessTokenType}, nil
+}
+
+func (s *AuthStorage) AuthorizeClientIDSecret(_ context.Context, id string, _ string) error {
+	return nil
+}
+
+func (s *AuthStorage) GetUserinfoFromScopes(context.Context, []string) (*oidc.Userinfo, error) {
+	return &oidc.Userinfo{
+		Subject: a.GetSubject(),
+		Address: &oidc.UserinfoAddress{
+			StreetAddress: "Hjkhkj 789\ndsf",
+		},
+		UserinfoEmail: oidc.UserinfoEmail{
+			Email:         "test",
+			EmailVerified: true,
+		},
+		UserinfoPhone: oidc.UserinfoPhone{
+			PhoneNumber:         "sadsa",
+			PhoneNumberVerified: true,
+		},
+		UserinfoProfile: oidc.UserinfoProfile{
+			UpdatedAt: time.Now(),
+		},
+		// Claims: map[string]interface{}{
+		// 	"test": "test",
+		// 	"hkjh": "",
+		// },
+	}, nil
+}
+
+type ConfClient struct {
+	applicationType op.ApplicationType
+	authMethod      op.AuthMethod
+	ID              string
+	accessTokenType op.AccessTokenType
+}
+
+func (c *ConfClient) GetID() string {
+	return c.ID
+}
+func (c *ConfClient) RedirectURIs() []string {
+	return []string{
+		"https://registered.com/callback",
+		"http://localhost:9999/callback",
+		"http://localhost:5556/auth/callback",
+		"custom://callback",
+		"https://localhost:8443/test/a/instructions-example/callback",
+		"https://op.certification.openid.net:62064/authz_cb",
+		"https://op.certification.openid.net:62064/authz_post",
+	}
+}
+
+func (c *ConfClient) LoginURL(id string) string {
+	return "login?id=" + id
+}
+
+func (c *ConfClient) ApplicationType() op.ApplicationType {
+	return c.applicationType
+}
+
+func (c *ConfClient) GetAuthMethod() op.AuthMethod {
+	return c.authMethod
+}
+
+func (c *ConfClient) AccessTokenLifetime() time.Duration {
+	return time.Duration(5 * time.Minute)
+}
+func (c *ConfClient) IDTokenLifetime() time.Duration {
+	return time.Duration(5 * time.Minute)
+}
+func (c *ConfClient) AccessTokenType() op.AccessTokenType {
+	return c.accessTokenType
+}
--- a/example/server/default/default.go
+++ b/example/server/default/default.go
@ -0,0 +1,65 @@
+package main
+
+import (
+	"context"
+	"crypto/sha256"
+	"html/template"
+	"log"
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	"github.com/caos/oidc/example/internal/mock"
+	"github.com/caos/oidc/pkg/op"
+)
+
+func main() {
+	ctx := context.Background()
+	config := &op.Config{
+		Issuer:    "http://localhost:9998/",
+		CryptoKey: sha256.Sum256([]byte("test")),
+		Port:      "9998",
+	}
+	storage := mock.NewAuthStorage()
+	handler, err := op.NewDefaultOP(ctx, config, storage, op.WithCustomTokenEndpoint("test"))
+	if err != nil {
+		log.Fatal(err)
+	}
+	router := handler.HttpHandler().Handler.(*mux.Router)
+	router.Methods("GET").Path("/login").HandlerFunc(HandleLogin)
+	router.Methods("POST").Path("/login").HandlerFunc(HandleCallback)
+	op.Start(ctx, handler)
+	<-ctx.Done()
+}
+
+func HandleLogin(w http.ResponseWriter, r *http.Request) {
+	tpl := `
+	<!DOCTYPE html>
+	<html>
+		<head>
+			<meta charset="UTF-8">
+			<title>Login</title>
+		</head>
+		<body>
+			<form method="POST" action="/login">
+				<input name="client"/>
+				<button type="submit">Login</button>
+			</form>
+		</body>
+	</html>`
+	t, err := template.New("login").Parse(tpl)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	err = t.Execute(w, nil)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+	}
+}
+
+func HandleCallback(w http.ResponseWriter, r *http.Request) {
+	r.ParseForm()
+	client := r.FormValue("client")
+	http.Redirect(w, r, "/authorize/"+client, http.StatusFound)
+}