authorMike Crute <mike@crute.us>2021-11-24 10:56:43 -0800
committerMike Crute <mike@crute.us>2021-11-24 10:56:43 -0800
commitbb96127a71d3d22825a35ffc6b6c8bea0590f202 (patch)
tree65f2c31b618ff913e08bc2d8fea7f896a01323d2
parentff05652956161dd94aa109e2c5d40bd82d4cfd5d (diff)
Use x/oauth2 instead of custom token
-rw-r--r--app/controllers/api_user.go9
-rw-r--r--app/middleware/auth.go6
-rw-r--r--app/models/user.go28
-rw-r--r--go.mod2
-rw-r--r--go.sum2
5 files changed, 17 insertions, 30 deletions
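--- a/app/controllers/api_user.go
+++ b/app/controllers/api_user.go
@@ -82,15 +82,6 @@ func validateKeysAndTokens(in *models.User) error {
 		}
 	}
 
-	for k, v := range in.AuthTokens {
-		if k != v.Kind {
-			return &echo.HTTPError{
-				Code: http.StatusBadRequest,
-				Message: "Token kind must match hash key.",
-			}
-		}
-	}
-
 	return nil
 }
 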
diff --git a/app/middleware/auth.go b/app/middleware/auth.go
index 7cef4d7..5a3c2f6 100644
--- a/app/middleware/auth.go
+++ b/app/middleware/auth.go
@@ -15,6 +15,7 @@ import (
15 "github.com/labstack/echo/v4" 15 "github.com/labstack/echo/v4"
16 "github.com/prometheus/client_golang/prometheus" 16 "github.com/prometheus/client_golang/prometheus"
17 "github.com/prometheus/client_golang/prometheus/promauto" 17 "github.com/prometheus/client_golang/prometheus/promauto"
18 "golang.org/x/oauth2"
18) 19)
19 20
20// apiKeyRequests tracks the number of requests made with the legacy X-API-Key 21// apiKeyRequests tracks the number of requests made with the legacy X-API-Key
@@ -202,9 +203,8 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
202 dbUser.AddKey(sk) 203 dbUser.AddKey(sk)
203 dbUser.GCKeys() // This is a convenient place to do it 204 dbUser.GCKeys() // This is a convenient place to do it
204 205
205 dbUser.AddToken(&models.AuthToken{ 206 dbUser.AddToken("github", &oauth2.Token{
206 Kind: "github", 207 AccessToken: token.AccessToken,
207 Token: token.AccessToken,
208 RefreshToken: token.RefreshToken, 208 RefreshToken: token.RefreshToken,
209 }) 209 })
210 210
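Review bot: The new AddToken call at lines 206-208 copies only AccessToken and RefreshToken into a fresh oauth2.Token, so whatever TokenType and Expiry the provider returned are dropped and the stored token can never be judged expired by oauth2's own helpers (Token.Valid, a refreshing TokenSource). If `token` is already the *oauth2.Token produced by the exchange — its declaration is outside the hunk — passing it straight through, `dbUser.AddToken("github", token)`, keeps the full token and removes the hand copy. If it is some other type, the copy should at least carry `TokenType` and `Expiry` as well. HandleCompleteLogin begins and ends outside this hunk.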
diff --git a/app/models/user.go b/app/models/user.go
index 4e37377..eb0ccbf 100644
--- a/app/models/user.go
+++ b/app/models/user.go
@@ -7,6 +7,7 @@ import (
7 "code.crute.us/mcrute/golib/db/mongodb" 7 "code.crute.us/mcrute/golib/db/mongodb"
8 "go.mongodb.org/mongo-driver/bson" 8 "go.mongodb.org/mongo-driver/bson"
9 "go.mongodb.org/mongo-driver/bson/primitive" 9 "go.mongodb.org/mongo-driver/bson/primitive"
10 "golang.org/x/oauth2"
10) 11)
11 12
12const userCol = "users" 13const userCol = "users"
@@ -18,22 +19,13 @@ type UserStore interface {
18 Delete(context.Context, *User) error 19 Delete(context.Context, *User) error
19} 20}
20 21
21type AuthToken struct {
22 Kind string `json:"kind"`
23 Token string `json:"token"`
24
25 // Do not expose refresh tokens in JSON as they are long-lived tokens that
26 // are harder to invalidate and thus rather security sensitive.
27 RefreshToken string `json:"-"`
28}
29
30type User struct { 22type User struct {
31 Username string `bson:"_id" json:"username"` 23 Username string `bson:"_id" json:"username"`
32 IsAdmin bool `json:"is_admin"` 24 IsAdmin bool `json:"is_admin"`
33 IsService bool `json:"is_service"` 25 IsService bool `json:"is_service"`
34 Keys map[string]*SessionKey `json:"keys,omitempty"` // kid -> key 26 Keys map[string]*SessionKey `json:"keys,omitempty"` // kid -> key
35 AuthTokens map[string]*AuthToken `json:"auth_tokens,omitempty"` // kind -> token 27 AuthTokens map[string]*oauth2.Token `json:"auth_tokens,omitempty"` // kind -> token
36 Deleted *time.Time `json:"deleted,omitempty"` 28 Deleted *time.Time `json:"deleted,omitempty"`
37} 29}
38 30
39// GCKeys garbage collects keys that are no longer valid 31// GCKeys garbage collects keys that are no longer valid
@@ -62,11 +54,11 @@ func (u *User) AddKey(k *SessionKey) {
62 u.Keys[k.KeyId] = k 54 u.Keys[k.KeyId] = k
63} 55}
64 56
65func (u *User) AddToken(t *AuthToken) { 57func (u *User) AddToken(name string, t *oauth2.Token) {
66 if u.AuthTokens == nil { 58 if u.AuthTokens == nil {
67 u.AuthTokens = map[string]*AuthToken{} 59 u.AuthTokens = map[string]*oauth2.Token{}
68 } 60 }
69 u.AuthTokens[t.Kind] = t 61 u.AuthTokens[name] = t
70} 62}
71 63
72type MongoDbUserStore struct { 64type MongoDbUserStore struct {
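Review bot: Typing the AuthTokens field as map[string]*oauth2.Token (new line 27) silently drops the `json:"-"` guard the removed AuthToken type carried on RefreshToken (old lines 25-27): oauth2.Token serializes its refresh token as `refresh_token`, so any handler that encodes a User to a response — the api_user controller touched in this same commit is the obvious candidate — now emits long-lived refresh tokens to API clients, exactly what the deleted comment warned against. The type change also alters the BSON shape of stored documents (oauth2.Token has no bson tags, so the old `kind`/`token` fields have no counterpart), which is worth checking against existing records before deploying. A named map type with a MarshalJSON that omits the refresh token keeps oauth2.Token as the stored value while restoring the redaction; it needs encoding/json in the import block, and the User field becomes `AuthTokens AuthTokens \`json:"auth_tokens,omitempty"\``.

```go
// AuthTokens maps token kind -> token. Refresh tokens are long-lived and
// hard to invalidate, so the JSON form deliberately leaves them out. BSON
// persistence is unaffected because it does not go through MarshalJSON.
type AuthTokens map[string]*oauth2.Token

// MarshalJSON emits every token without its RefreshToken.
func (a AuthTokens) MarshalJSON() ([]byte, error) {
	type redacted struct {
		AccessToken string    `json:"access_token"`
		TokenType   string    `json:"token_type,omitempty"`
		Expiry      time.Time `json:"expiry,omitempty"`
	}
	out := make(map[string]redacted, len(a))
	for kind, t := range a {
		if t == nil {
			continue
		}
		out[kind] = redacted{AccessToken: t.AccessToken, TokenType: t.TokenType, Expiry: t.Expiry}
	}
	return json.Marshal(out)
}

// … unchanged: User struct (AuthTokens field retyped to AuthTokens), AddToken …
```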
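--- a/go.mod
+++ b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/prometheus/client_golang v1.11.0
 	github.com/spf13/cobra v1.2.1
 	go.mongodb.org/mongo-driver v1.7.4
+	golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c
 	golang.org/x/time v0.0.0-20201208040808-7e3f01d25324
 	gopkg.in/square/go-jose.v2 v2.5.1
 )
@@ -80,6 +81,7 @@ require (
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect
 	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
 	google.golang.org/grpc v1.41.0 // indirect
 	google.golang.org/protobuf v1.26.0 // indirect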
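--- a/go.sum
+++ b/go.sum
@@ -605,6 +605,7 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -787,6 +788,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=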