authelia/internal/oidc/core_strategy_hmac.go

package oidc

import (
	"context"
	"fmt"
	"strings"
	"time"

	"github.com/ory/fosite"
	"github.com/ory/fosite/token/hmac"
	"github.com/ory/x/errorsx"
)

// HMACCoreStrategy implements oauth2.CoreStrategy. It's a copy of the oauth2.HMACSHAStrategy.
type HMACCoreStrategy struct {
	Enigma *hmac.HMACStrategy
	Config interface {
		fosite.AccessTokenLifespanProvider
		fosite.RefreshTokenLifespanProvider
		fosite.AuthorizeCodeLifespanProvider
	}
}

// AccessTokenSignature implements oauth2.AccessTokenStrategy.
func (h *HMACCoreStrategy) AccessTokenSignature(ctx context.Context, tokenString string) string {
	return h.Enigma.Signature(tokenString)
}

// GenerateAccessToken implements oauth2.AccessTokenStrategy.
func (h *HMACCoreStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (tokenString string, sig string, err error) {
	if tokenString, sig, err = h.Enigma.Generate(ctx); err != nil {
		return "", "", err
	}

	return h.setPrefix(tokenString, TokenPrefixPartAccessToken), sig, nil
}

// ValidateAccessToken implements oauth2.AccessTokenStrategy.
func (h *HMACCoreStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, tokenString string) (err error) {
	var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)
	if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {
		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))
	}

	if !exp.IsZero() && exp.Before(time.Now().UTC()) {
		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
	}

	return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartAccessToken))
}

// RefreshTokenSignature implements oauth2.RefreshTokenStrategy.
func (h *HMACCoreStrategy) RefreshTokenSignature(ctx context.Context, tokenString string) string {
	return h.Enigma.Signature(tokenString)
}

// GenerateRefreshToken implements oauth2.RefreshTokenStrategy.
func (h *HMACCoreStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (tokenString string, sig string, err error) {
	if tokenString, sig, err = h.Enigma.Generate(ctx); err != nil {
		return "", "", err
	}

	return h.setPrefix(tokenString, TokenPrefixPartRefreshToken), sig, nil
}

// ValidateRefreshToken implements oauth2.RefreshTokenStrategy.
func (h *HMACCoreStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, tokenString string) (err error) {
	var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)

	if exp.IsZero() {
		return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartRefreshToken))
	}

	if exp.Before(time.Now().UTC()) {
		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
	}

	return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartRefreshToken))
}

// AuthorizeCodeSignature implements oauth2.AuthorizeCodeStrategy.
func (h *HMACCoreStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {
	return h.Enigma.Signature(token)
}

// GenerateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
func (h *HMACCoreStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (tokenString string, sig string, err error) {
	if tokenString, sig, err = h.Enigma.Generate(ctx); err != nil {
		return "", "", err
	}

	return h.setPrefix(tokenString, TokenPrefixPartAuthorizeCode), sig, nil
}

// ValidateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, tokenString string) (err error) {
	var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)

	if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
	}

	if !exp.IsZero() && exp.Before(time.Now().UTC()) {
		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
	}

	return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartAuthorizeCode))
}

func (h *HMACCoreStrategy) getPrefix(part string) string {
	return h.getCustomPrefix(tokenPrefixOrgAutheliaFmt, part)
}

func (h *HMACCoreStrategy) getCustomPrefix(tokenPrefixFmt, part string) string {
	return fmt.Sprintf(tokenPrefixFmt, part)
}

func (h *HMACCoreStrategy) setPrefix(tokenString, part string) string {
	return h.getPrefix(part) + tokenString
}

func (h *HMACCoreStrategy) trimPrefix(tokenString, part string) string {
	if strings.HasPrefix(tokenString, h.getCustomPrefix(tokenPrefixOrgOryFmt, part)) {
		return strings.TrimPrefix(tokenString, h.getCustomPrefix(tokenPrefixOrgOryFmt, part))
	}

	return strings.TrimPrefix(tokenString, h.getPrefix(part))
}
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`package oidc`

			`import (`
			`"context"`
			`"fmt"`
			`"strings"`
			`"time"`

			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/token/hmac"`
			`"github.com/ory/x/errorsx"`
			`)`

			`// HMACCoreStrategy implements oauth2.CoreStrategy. It's a copy of the oauth2.HMACSHAStrategy.`
			`type HMACCoreStrategy struct {`
			`Enigma *hmac.HMACStrategy`
			`Config interface {`
			`fosite.AccessTokenLifespanProvider`
			`fosite.RefreshTokenLifespanProvider`
			`fosite.AuthorizeCodeLifespanProvider`
			`}`
			`}`

			`// AccessTokenSignature implements oauth2.AccessTokenStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) AccessTokenSignature(ctx context.Context, tokenString string) string {`
			`return h.Enigma.Signature(tokenString)`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`// GenerateAccessToken implements oauth2.AccessTokenStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Requester) (tokenString string, sig string, err error) {`
			`if tokenString, sig, err = h.Enigma.Generate(ctx); err != nil {`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`return "", "", err`
			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return h.setPrefix(tokenString, TokenPrefixPartAccessToken), sig, nil`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`// ValidateAccessToken implements oauth2.AccessTokenStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) ValidateAccessToken(ctx context.Context, r fosite.Requester, tokenString string) (err error) {`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`var exp = r.GetSession().GetExpiresAt(fosite.AccessToken)`
			`if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx)).Before(time.Now().UTC()) {`
			`return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAccessTokenLifespan(ctx))))`
			`}`

			`if !exp.IsZero() && exp.Before(time.Now().UTC()) {`
			`return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))`
			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartAccessToken))`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`// RefreshTokenSignature implements oauth2.RefreshTokenStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) RefreshTokenSignature(ctx context.Context, tokenString string) string {`
			`return h.Enigma.Signature(tokenString)`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`// GenerateRefreshToken implements oauth2.RefreshTokenStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Requester) (tokenString string, sig string, err error) {`
			`if tokenString, sig, err = h.Enigma.Generate(ctx); err != nil {`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`return "", "", err`
			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return h.setPrefix(tokenString, TokenPrefixPartRefreshToken), sig, nil`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`// ValidateRefreshToken implements oauth2.RefreshTokenStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, tokenString string) (err error) {`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)`
refactor(oidc): simplify hmac core strategy (#4711) 2023-01-06 23:28:53 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`if exp.IsZero() {`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartRefreshToken))`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

refactor(oidc): simplify hmac core strategy (#4711) 2023-01-06 23:28:53 +00:00			`if exp.Before(time.Now().UTC()) {`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))`
			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartRefreshToken))`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`// AuthorizeCodeSignature implements oauth2.AuthorizeCodeStrategy.`
			`func (h *HMACCoreStrategy) AuthorizeCodeSignature(ctx context.Context, token string) string {`
			`return h.Enigma.Signature(token)`
			`}`

			`// GenerateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.Requester) (tokenString string, sig string, err error) {`
			`if tokenString, sig, err = h.Enigma.Generate(ctx); err != nil {`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`return "", "", err`
			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return h.setPrefix(tokenString, TokenPrefixPartAuthorizeCode), sig, nil`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`// ValidateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.`
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, tokenString string) (err error) {`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)`
refactor(oidc): simplify hmac core strategy (#4711) 2023-01-06 23:28:53 +00:00
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {`
			`return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))`
			`}`

			`if !exp.IsZero() && exp.Before(time.Now().UTC()) {`
			`return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))`
			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return h.Enigma.Validate(ctx, h.trimPrefix(tokenString, TokenPrefixPartAuthorizeCode))`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

			`func (h *HMACCoreStrategy) getPrefix(part string) string {`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`return h.getCustomPrefix(tokenPrefixOrgAutheliaFmt, part)`
			`}`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`func (h *HMACCoreStrategy) getCustomPrefix(tokenPrefixFmt, part string) string {`
			`return fmt.Sprintf(tokenPrefixFmt, part)`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) setPrefix(tokenString, part string) string {`
			`return h.getPrefix(part) + tokenString`
build(deps): update module github.com/ory/fosite to v0.43.0 (#4269) This updates fosite and refactors our usage out of compose. 2022-11-13 03:26:10 +00:00			`}`
refactor(oidc): simplify hmac core strategy (#4711) 2023-01-06 23:28:53 +00:00
feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`func (h *HMACCoreStrategy) trimPrefix(tokenString, part string) string {`
			`if strings.HasPrefix(tokenString, h.getCustomPrefix(tokenPrefixOrgOryFmt, part)) {`
			`return strings.TrimPrefix(tokenString, h.getCustomPrefix(tokenPrefixOrgOryFmt, part))`
feat(oidc): pushed authorization requests (#4546) This implements RFC9126 OAuth 2.0 Pushed Authorization Requests. See https://datatracker.ietf.org/doc/html/rfc9126 for the specification details. 2023-03-06 03:58:50 +00:00			`}`

feat(oidc): private_key_jwt client auth (#5280) This adds support for the private_key_jwt client authentication method. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-05-15 00:32:10 +00:00			`return strings.TrimPrefix(tokenString, h.getPrefix(part))`
refactor(oidc): simplify hmac core strategy (#4711) 2023-01-06 23:28:53 +00:00			`}`