1 files changed, 70 insertions, 40 deletions

diff --git a/jws_validator.go b/jws_validator.go
index e77c026..0b2467f 100644
--- a/jws_validator.go
+++ b/jws_validator.go
@@ -1,103 +1,133 @@
 package main
 
 import (
-        "crypto/sha256"
-        "encoding/hex"
-        "fmt"
+        "github.com/pkg/errors"
         "gopkg.in/square/go-jose.v2"
         "gopkg.in/square/go-jose.v2/jwt"
+        "net/url"
         "time"
 )
 
+// TODO
+// validate amr claim contains requested acr values (selective_mfa will be just mfa)
+// validate acr claim is the same as requested acr_values
+//
+// acr_values can be mfa or selective_mfa (mfa only for external users)
+// mfa amr values:
+// pas - password
+// otp - OTP code
+// u2f - U2F code
+// mfa - multi-factor
+// hrd - hardware OTP device used
+// sft - software OTP device used
+
 type Claims struct {
         Nonce string `json:"nonce,omitempty"`
         jwt.Claims
 }
 
+type JWSValidationContext struct {
+        KeyFetcher   JWKSFetcher
+        Issuer       string
+        ClientId     *url.URL
+        ClockSkew    time.Duration
+        MaxLiftetime time.Duration
+}
+
 type JWSValidator interface {
         Validate(string, string) (*Claims, error)
 }
 
 type jwsValidator struct {
         algorithms  *stringSet
-        jwks        map[string]jose.JSONWebKey
+        jwks        JWKSFetcher
         issuer      string
-        clientID    string
+        clientId    *url.URL
         clockSkew   time.Duration
         maxLifetime time.Duration
 }
 
-// TODO
-// validate amr claim contains requested acr values (selective_mfa will be just mfa)
-// validate acr claim is the same as requested acr_values
-func NewJWSValidator(jwks map[string]jose.JSONWebKey, issuer string, client_id string, skew time.Duration, max_life time.Duration) JWSValidator {
+func NewJWSValidator(c *JWSValidationContext) JWSValidator {
         return &jwsValidator{
                 algorithms:  NewStringSet("PS256", "PS385", "PS512"),
-                jwks:        jwks,
-                issuer:      issuer,
-                clientID:    client_id,
-                clockSkew:   skew,
-                maxLifetime: max_life,
+                jwks:        c.KeyFetcher,
+                issuer:      c.Issuer,
+                clientId:    c.ClientId,
+                clockSkew:   c.ClockSkew,
+                maxLifetime: c.MaxLiftetime,
         }
 }
 
 func (v *jwsValidator) Validate(j string, nonce string) (*Claims, error) {
-        parsed_jwt, err := jwt.ParseSigned(j)
+        parsed, err := jwt.ParseSigned(j)
+        if err != nil {
+                return nil, errors.WithStack(err)
+        }
+
+        if err := v.validateHeaders(parsed.Headers); err != nil {
+                return nil, errors.WithStack(err)
+        }
+
+        kid := parsed.Headers[0].KeyID
+        key, err := v.jwks.GetKey(kid)
+        if err != nil {
+                return nil, errors.WithStack(err)
+        }
+
+        claims, err := v.validateClaims(parsed, key)
         if err != nil {
-                return nil, err
+                return nil, errors.WithStack(err)
         }
 
-        if len(parsed_jwt.Headers) != 1 {
-                return nil, fmt.Errorf("Invalid signature count")
+        if err := v.validateNonce(nonce, claims.Nonce); err != nil {
+                return nil, errors.WithStack(err)
         }
 
-        head := parsed_jwt.Headers[0]
+        return claims, nil
+}
 
-        if !v.algorithms.Contains(head.Algorithm) {
-                return nil, fmt.Errorf("Invalid signature algorithm")
+func (v *jwsValidator) validateHeaders(h []jose.Header) error {
+        if len(h) != 1 {
+                return errors.Errorf("Invalid signature count")
         }
 
-        if typ, ok := head.ExtraHeaders[jose.HeaderType]; !ok || typ != "JWS" {
-                return nil, fmt.Errorf("Invalid token type")
+        if !v.algorithms.Contains(h[0].Algorithm) {
+                return errors.Errorf("Invalid signature algorithm")
         }
 
-        key, ok := v.jwks[head.KeyID]
-        if !ok {
-                return nil, fmt.Errorf("No key found for key id")
+        if typ, ok := h[0].ExtraHeaders[jose.HeaderType]; !ok || typ != "JWS" {
+                return errors.Errorf("Invalid token type")
         }
 
+        return nil
+}
+
+func (v *jwsValidator) validateClaims(j *jwt.JSONWebToken, k *jose.JSONWebKey) (*Claims, error) {
         claims := &Claims{}
-        if err = parsed_jwt.Claims(key, claims); err != nil {
-                return nil, err
+        if err := j.Claims(k, claims); err != nil {
+                return nil, errors.WithStack(err)
         }
 
         exp := jwt.Expected{
                 Issuer:   v.issuer,
-                Audience: jwt.Audience{v.clientID},
+                Audience: jwt.Audience{v.clientId.String()},
                 Time:     time.Now(),
         }
 
         if err := claims.ValidateWithLeeway(exp, v.clockSkew); err != nil {
-                return nil, err
+                return nil, errors.WithStack(err)
         }
 
         if claims.IssuedAt.Time().Add(v.maxLifetime).Before(time.Now()) {
-                return nil, fmt.Errorf("Token exceeded max lifetime")
-        }
-
-        if err = v.validateNonce(nonce, claims.Nonce); err != nil {
-                return nil, err
+                return nil, errors.Errorf("Token exceeded max lifetime")
         }
 
         return claims, nil
 }
 
 func (v *jwsValidator) validateNonce(nonce string, token_nonce string) error {
-        s256 := sha256.New()
-        s256.Write([]byte(nonce))
-        hashed_nonce := hex.EncodeToString(s256.Sum(nil))
-        if token_nonce != hashed_nonce {
-                return fmt.Errorf("Invalid nonce")
+        if token_nonce != Sha256Hex(nonce) {
+                return errors.Errorf("Invalid nonce: %s = %q vs %q", nonce, token_nonce, Sha256Hex(nonce))
         }
 
         return nil