RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/oidc/hmac.go

130 lines
4.4 KiB
Go
Raw Normal View History

refactor: merge master and fix missing rebinds (#4404) * build(deps): update module github.com/jackc/pgx/v5 to v5.1.0 (#4365) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * docs: add smkent as a contributor for code, design, and ideas (#4367) * update README.md * update .all-contributorsrc Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> * build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. * refactor(cmd): restrict bootstrap pnpm tasks to dev environment (#4370) * build(deps): update alpine docker tag to v3.16.3 (#4362) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update module github.com/ory/x to v0.0.514 (#4368) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * refactor: sql formatting (#4371) * refactor: sql spacing * refactor editor config * docs: clarify cloudflare docs (#4373) * build(deps): update dependency @types/react-dom to v18.0.9 (#4379) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update typescript-eslint monorepo to v5.43.0 (#4380) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency @types/jest to v29.2.3 (#4381) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency esbuild to v0.15.14 (#4383) * build(deps): update material-ui monorepo to v5.10.14 (#4385) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency vite to v3.2.4 (#4386) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update font awesome to v6.2.1 (#4389) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency typescript to v4.9.3 (#4390) * docs: adjust issue templates (#4391) * docs: adjust issue templates * docs: adjust wording * build(deps): update dependency jest-watch-typeahead to v2.2.1 (#4392) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency i18next to v22.0.6 (#4395) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update github.com/duosecurity/duo_api_golang digest to 091daa0 (#4396) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update traefik docker tag to v2.9.5 (#4398) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update module github.com/jackc/pgx/v5 to v5.1.1 (#4400) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update mariadb docker tag to v10.10.2 (#4399) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency eslint-plugin-react to v7.31.11 (#4401) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * build(deps): update dependency eslint to v8.28.0 (#4402) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(storage): schema inconsistency (#4262) * fix: missing pg rebinds * fix: refactoring issues * fix: refactoring issues Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: allcontributors[bot] <46447321+allcontributors[bot]@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-11-19 06:42:03 +00:00
package oidc
import (
"context"
"fmt"
"strings"
"time"
"github.com/ory/fosite"
"github.com/ory/fosite/token/hmac"
"github.com/ory/x/errorsx"
)
// HMACCoreStrategy implements oauth2.CoreStrategy. It's a copy of the oauth2.HMACSHAStrategy.
type HMACCoreStrategy struct {
Enigma *hmac.HMACStrategy
Config interface {
fosite.AccessTokenLifespanProvider
fosite.RefreshTokenLifespanProvider
fosite.AuthorizeCodeLifespanProvider
}
prefix *string
}
// AccessTokenSignature implements oauth2.AccessTokenStrategy.
func (h *HMACCoreStrategy) AccessTokenSignature(ctx context.Context, token string) string {
return h.Enigma.Signature(token)
}
// GenerateAccessToken implements oauth2.AccessTokenStrategy.
func (h *HMACCoreStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
token, sig, err := h.Enigma.Generate(ctx)
if err != nil {
return "", "", err
}
return h.setPrefix(token, "at"), sig, nil
}
// ValidateAccessToken implements oauth2.AccessTokenStrategy.
func (h *HMACCoreStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, token string) (err error) {
var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)
if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))
}
if !exp.IsZero() && exp.Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
}
return h.Enigma.Validate(ctx, h.trimPrefix(token, "at"))
}
// RefreshTokenSignature implements oauth2.RefreshTokenStrategy.
func (h *HMACCoreStrategy) RefreshTokenSignature(ctx context.Context, token string) string {
return h.Enigma.Signature(token)
}
// GenerateRefreshToken implements oauth2.RefreshTokenStrategy.
func (h *HMACCoreStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
token, sig, err := h.Enigma.Generate(ctx)
if err != nil {
return "", "", err
}
return h.setPrefix(token, "rt"), sig, nil
}
// ValidateRefreshToken implements oauth2.RefreshTokenStrategy.
func (h *HMACCoreStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)
if exp.IsZero() {
return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
}
if !exp.IsZero() && exp.Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
}
return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
}
// AuthorizeCodeSignature implements oauth2.AuthorizeCodeStrategy.
func (h *HMACCoreStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
return h.Enigma.Signature(token)
}
// GenerateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
func (h *HMACCoreStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (token string, signature string, err error) {
token, sig, err := h.Enigma.Generate(ctx)
if err != nil {
return "", "", err
}
return h.setPrefix(token, "ac"), sig, nil
}
// ValidateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)
if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
}
if !exp.IsZero() && exp.Before(time.Now().UTC()) {
return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
}
return h.Enigma.Validate(ctx, h.trimPrefix(token, "ac"))
}
func (h *HMACCoreStrategy) getPrefix(part string) string {
if h.prefix == nil {
prefix := "ory_%s_"
h.prefix = &prefix
} else if len(*h.prefix) == 0 {
return ""
}
return fmt.Sprintf(*h.prefix, part)
}
func (h *HMACCoreStrategy) trimPrefix(token, part string) string {
return strings.TrimPrefix(token, h.getPrefix(part))
}
func (h *HMACCoreStrategy) setPrefix(token, part string) string {
return h.getPrefix(part) + token
}