From a7ccf3652f4c847d04ddb794dc9af67aed69cae7 Mon Sep 17 00:00:00 2001 From: James Elliott Date: Sun, 5 Feb 2023 18:11:30 +1100 Subject: [PATCH] docs: fix rfc references and fix misc issues (#4879) --- api/openapi.yml | 6 +- config.template.yml | 2 +- .../en/configuration/first-factor/file.md | 4 +- .../en/configuration/first-factor/ldap.md | 2 +- .../identity-providers/open-id-connect.md | 14 ++-- .../en/configuration/prologue/common.md | 4 +- .../time-based-one-time-password.md | 4 +- .../configuration/security/access-control.md | 8 +- .../openid-connect/introduction.md | 10 +-- docs/content/en/reference/guides/passwords.md | 4 +- .../guides/server-asset-overrides.md | 2 +- .../en/roadmap/active/openid-connect.md | 12 +-- internal/configuration/config.template.yml | 2 +- internal/middlewares/cors.go | 4 +- internal/mocks/random.go | 39 +++++++--- internal/notification/smtp_notifier.go | 4 +- internal/oidc/store.go | 6 +- internal/random/const.go | 4 +- .../random/{crypto.go => cryptographical.go} | 74 ++++++++++--------- internal/random/{math.go => mathematical.go} | 68 +++++++++++------ internal/random/provider.go | 14 ++-- .../suites/example/compose/haproxy/http.lua | 4 +- .../compose/redis/templates/master.conf | 2 +- .../compose/redis/templates/slave.conf | 2 +- 24 files changed, 172 insertions(+), 123 deletions(-) rename internal/random/{crypto.go => cryptographical.go} (83%) rename internal/random/{math.go => mathematical.go} (75%) diff --git a/api/openapi.yml b/api/openapi.yml index 7979d6f94..6b8debfa8 100644 --- a/api/openapi.yml +++ b/api/openapi.yml @@ -816,7 +816,7 @@ paths: summary: OAuth 2.0 Authorization Server Metadata description: > This endpoint retrieves the OAuth 2.0 Authorization Server Metadata document (RFC8414) used by clients to - perform discovery for an OAuth 2.0 Authorization Server. See https://www.rfc-editor.org/rfc/rfc8414. + perform discovery for an OAuth 2.0 Authorization Server. See https://datatracker.ietf.org/doc/html/rfc8414. responses: "200": description: OK @@ -2822,8 +2822,8 @@ components: description: > JSON array containing a list of the JWS [JWS] signing algorithms (alg values) [JWA] supported by the UserInfo Endpoint to encode the Claims in a JWT [JWT]. The value none MAY be included. See Also: - JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 JWT: - https://datatracker.ietf.org/doc/html/rfc7519 + JWS: https://datatracker.ietf.org/doc/html/rfc7515 JWA: https://datatracker.ietf.org/doc/html/rfc7518 + JWT: https://datatracker.ietf.org/doc/html/rfc7519 type: array example: ["none", "RS256"] items: diff --git a/config.template.yml b/config.template.yml index 7da204922..1058fecc1 100644 --- a/config.template.yml +++ b/config.template.yml @@ -426,7 +426,7 @@ authentication_backend: ## changed once attributed to a user otherwise it would break the configuration for that user. Technically, ## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use ## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to - ## follow https://www.ietf.org/rfc/rfc2307.txt. + ## follow https://datatracker.ietf.org/doc/html/rfc2307. # username_attribute: uid ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users. diff --git a/docs/content/en/configuration/first-factor/file.md b/docs/content/en/configuration/first-factor/file.md index 3ced89c64..856d3da0d 100644 --- a/docs/content/en/configuration/first-factor/file.md +++ b/docs/content/en/configuration/first-factor/file.md @@ -256,8 +256,8 @@ truncation that [Bcrypt] does. It is not supported by many other systems.* Controls the hashing cost when hashing passwords using [Bcrypt]. -[Argon2]: https://www.rfc-editor.org/rfc/rfc9106.html +[Argon2]: https://datatracker.ietf.org/doc/html/rfc9106 [Scrypt]: https://en.wikipedia.org/wiki/Scrypt -[PBKDF2]: https://www.ietf.org/rfc/rfc2898.html +[PBKDF2]: https://datatracker.ietf.org/doc/html/rfc2898 [SHA2 Crypt]: https://www.akkadia.org/drepper/SHA-crypt.txt [Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt diff --git a/docs/content/en/configuration/first-factor/ldap.md b/docs/content/en/configuration/first-factor/ldap.md index 95b91524d..7a0ee0d31 100644 --- a/docs/content/en/configuration/first-factor/ldap.md +++ b/docs/content/en/configuration/first-factor/ldap.md @@ -316,4 +316,4 @@ for your users. [username attribute]: #usernameattribute [TechNet wiki]: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx -[RFC2307]: https://www.rfc-editor.org/rfc/rfc2307.html +[RFC2307]: https://datatracker.ietf.org/doc/html/rfc2307 diff --git a/docs/content/en/configuration/identity-providers/open-id-connect.md b/docs/content/en/configuration/identity-providers/open-id-connect.md index 4b7984953..c13393cd7 100644 --- a/docs/content/en/configuration/identity-providers/open-id-connect.md +++ b/docs/content/en/configuration/identity-providers/open-id-connect.md @@ -170,7 +170,7 @@ encoded PEM format used to sign/encrypt the [OpenID Connect 1.0] [JWT]'s. When c JSON key's in the JWKs [Discoverable Endpoint](../../integration/openid-connect/introduction.md#discoverable-endpoints) as per [RFC7517]. -[RFC7517]: https://www.rfc-editor.org/rfc/rfc7517 +[RFC7517]: https://datatracker.ietf.org/doc/html/rfc7517 [x5c]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.7 [x5t]: https://datatracker.ietf.org/doc/html/rfc7517#section-4.8 @@ -251,7 +251,7 @@ this value. {{< confkey type="string" default="public_clients_only" required="no" >}} -[Proof Key for Code Exchange](https://www.rfc-editor.org/rfc/rfc7636.html) enforcement policy: if specified, must be +[Proof Key for Code Exchange](https://datatracker.ietf.org/doc/html/rfc7636) enforcement policy: if specified, must be either `never`, `public_clients_only` or `always`. If set to `public_clients_only` (default), [PKCE] will be required for public clients using the @@ -530,12 +530,12 @@ To integrate Authelia's [OpenID Connect 1.0] implementation with a relying party [token lifespan]: https://docs.apigee.com/api-platform/antipatterns/oauth-long-expiration [OpenID Connect 1.0]: https://openid.net/connect/ -[JWT]: https://www.rfc-editor.org/rfc/rfc7519.html -[RFC6234]: https://www.rfc-editor.org/rfc/rfc6234.html -[RFC4648]: https://www.rfc-editor.org/rfc/rfc4648.html -[RFC7468]: https://www.rfc-editor.org/rfc/rfc7468.html +[JWT]: https://datatracker.ietf.org/doc/html/rfc7519 +[RFC6234]: https://datatracker.ietf.org/doc/html/rfc6234 +[RFC4648]: https://datatracker.ietf.org/doc/html/rfc4648 +[RFC7468]: https://datatracker.ietf.org/doc/html/rfc7468 [RFC6749 Section 2.1]: https://datatracker.ietf.org/doc/html/rfc6749#section-2.1 -[PKCE]: https://www.rfc-editor.org/rfc/rfc7636.html +[PKCE]: https://datatracker.ietf.org/doc/html/rfc7636 [Authorization Code Flow]: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth [Subject Identifier Type]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes [Pairwise Identifier Algorithm]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg diff --git a/docs/content/en/configuration/prologue/common.md b/docs/content/en/configuration/prologue/common.md index a5ea1ee3f..f250ea251 100644 --- a/docs/content/en/configuration/prologue/common.md +++ b/docs/content/en/configuration/prologue/common.md @@ -154,7 +154,7 @@ The value must be one or more certificates encoded in the DER base64 ([RFC4648]) ### private_key -{{< confkey type="string" required="yes" >}} +{{< confkey type="string" required="no" >}} *__Important Note:__ This can also be defined using a [secret](../methods/secrets.md) which is __strongly recommended__ especially for containerized deployments.* @@ -163,6 +163,8 @@ The private key to be used with the [certificate_chain](#certificatechain) for m The value must be one private key encoded in the DER base64 ([RFC4648]) encoded PEM format. +[RFC4648]: https://datatracker.ietf.org/doc/html/rfc4648 + ## Server Buffers ### read diff --git a/docs/content/en/configuration/second-factor/time-based-one-time-password.md b/docs/content/en/configuration/second-factor/time-based-one-time-password.md index 0783aa149..b93ca987b 100644 --- a/docs/content/en/configuration/second-factor/time-based-one-time-password.md +++ b/docs/content/en/configuration/second-factor/time-based-one-time-password.md @@ -172,5 +172,5 @@ at least a minimal configuration that has the storage backend connection details See the [CLI Documentation](../../reference/cli/authelia/authelia_storage_user_totp_export.md) for methods to perform exports. -[RFC4226]: https://www.rfc-editor.org/rfc/rfc4226.html -[RFC6238]: https://www.rfc-editor.org/rfc/rfc6238.html +[RFC4226]: https://datatracker.ietf.org/doc/html/rfc4226 +[RFC6238]: https://datatracker.ietf.org/doc/html/rfc6238 diff --git a/docs/content/en/configuration/security/access-control.md b/docs/content/en/configuration/security/access-control.md index 99dd2225d..5dae020d8 100644 --- a/docs/content/en/configuration/security/access-control.md +++ b/docs/content/en/configuration/security/access-control.md @@ -588,7 +588,7 @@ The match type `Equals` matches if the value extracted from the pattern is equal match value is a list/slice). The regex groups are case-insensitive due to the fact that the regex groups are used in domain criteria and domain names -should not be compared in a case-sensitive way as per the [RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html) +should not be compared in a case-sensitive way as per the [RFC4343](https://datatracker.ietf.org/doc/html/rfc4343) abstract and [RFC3986 Section 3.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2). We do not currently apply any other normalization to usernames or groups when matching these groups. As such it's @@ -664,6 +664,6 @@ access_control: policy: bypass ``` -[RFC7231]: https://www.rfc-editor.org/rfc/rfc7231.html -[RFC5789]: https://www.rfc-editor.org/rfc/rfc5789.html -[RFC4918]: https://www.rfc-editor.org/rfc/rfc4918.html +[RFC7231]: https://datatracker.ietf.org/doc/html/rfc7231 +[RFC5789]: https://datatracker.ietf.org/doc/html/rfc5789 +[RFC4918]: https://datatracker.ietf.org/doc/html/rfc4918 diff --git a/docs/content/en/integration/openid-connect/introduction.md b/docs/content/en/integration/openid-connect/introduction.md index 93d50ffe1..44267c1ac 100644 --- a/docs/content/en/integration/openid-connect/introduction.md +++ b/docs/content/en/integration/openid-connect/introduction.md @@ -166,16 +166,16 @@ These endpoints implement OpenID Connect elements. [OpenID Connect 1.0]: https://openid.net/connect/ [OpenID Connect Discovery]: https://openid.net/specs/openid-connect-discovery-1_0.html -[OAuth 2.0 Authorization Server Metadata]: https://www.rfc-editor.org/rfc/rfc8414.html +[OAuth 2.0 Authorization Server Metadata]: https://datatracker.ietf.org/doc/html/rfc8414 [JSON Web Key Sets]: https://datatracker.ietf.org/doc/html/rfc7517#section-5 [Authorization]: https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint [Token]: https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint [UserInfo]: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo -[Introspection]: https://www.rfc-editor.org/rfc/rfc7662.html -[Revocation]: https://www.rfc-editor.org/rfc/rfc7009.html +[Introspection]: https://datatracker.ietf.org/doc/html/rfc7662 +[Revocation]: https://datatracker.ietf.org/doc/html/rfc7009 -[RFC8176]: https://www.rfc-editor.org/rfc/rfc8176.html -[RFC4122]: https://www.rfc-editor.org/rfc/rfc4122.html +[RFC8176]: https://datatracker.ietf.org/doc/html/rfc8176 +[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122 [Subject Identifier Types]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes diff --git a/docs/content/en/reference/guides/passwords.md b/docs/content/en/reference/guides/passwords.md index de2955edf..a21fc3bf0 100644 --- a/docs/content/en/reference/guides/passwords.md +++ b/docs/content/en/reference/guides/passwords.md @@ -193,9 +193,9 @@ This table suggests the parameters for the [SHA2 Crypt] algorithm: | Standard CPU | sha512 | 50000 | 16 | | High End CPU | sha512 | 150000 | 16 | -[Argon2]: https://www.rfc-editor.org/rfc/rfc9106.html +[Argon2]: https://datatracker.ietf.org/doc/html/rfc9106 [Scrypt]: https://en.wikipedia.org/wiki/Scrypt -[PBKDF2]: https://www.ietf.org/rfc/rfc2898.html +[PBKDF2]: https://datatracker.ietf.org/doc/html/rfc2898 [SHA2 Crypt]: https://www.akkadia.org/drepper/SHA-crypt.txt [Bcrypt]: https://en.wikipedia.org/wiki/Bcrypt [FIPS-140 compliance]: https://csrc.nist.gov/publications/detail/fips/140/2/final diff --git a/docs/content/en/reference/guides/server-asset-overrides.md b/docs/content/en/reference/guides/server-asset-overrides.md index a593af76c..3da947350 100644 --- a/docs/content/en/reference/guides/server-asset-overrides.md +++ b/docs/content/en/reference/guides/server-asset-overrides.md @@ -46,7 +46,7 @@ utilize these overrides should either check for changes to the files in the The locales directory holds folders of internationalization locales. This directory can be utilized to override these locales. They are the names of locales that are returned by the `navigator.langauge` ECMAScript command. These are -generally those in the [RFC5646 / BCP47 Format](https://www.rfc-editor.org/rfc/rfc5646.html) specifically the language +generally those in the [RFC5646 / BCP47 Format](https://datatracker.ietf.org/doc/html/rfc5646) specifically the language codes from [Crowdin](https://support.crowdin.com/api/language-codes/). Each directory has JSON files which you can explore the format of in the diff --git a/docs/content/en/roadmap/active/openid-connect.md b/docs/content/en/roadmap/active/openid-connect.md index 0dce3552a..e49c56565 100644 --- a/docs/content/en/roadmap/active/openid-connect.md +++ b/docs/content/en/roadmap/active/openid-connect.md @@ -115,7 +115,7 @@ Feature List: {{< roadmap-status stage="in-progress" version="v4.38.0" >}} -* [OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html) +* [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) * Per-Client [Proof Key Code Exchange (PKCE)] Policy ### Beta 7 @@ -177,7 +177,7 @@ Should be implemented alongside [Dynamic Client Registration](#openid-connect-dy {{< roadmap-status stage="complete" version="v4.34.0" >}} -See the [IETF Specification RFC8414](https://www.rfc-editor.org/rfc/rfc8414.html) for more information. +See the [IETF Specification RFC8414](https://datatracker.ietf.org/doc/html/rfc8414) for more information. #### OpenID Connect Session Management @@ -205,9 +205,9 @@ The `preferred_username` claim was missing and was fixed. [Cross Origin Resource Sharing]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS -[RFC8176]: https://www.rfc-editor.org/rfc/rfc8176.html -[RFC8693 Section 4.3]: https://www.rfc-editor.org/rfc/rfc8693.html/#section-4.3 -[RFC4122]: https://www.rfc-editor.org/rfc/rfc4122.html +[RFC8176]: https://datatracker.ietf.org/doc/html/rfc8176 +[RFC8693 Section 4.3]: https://datatracker.ietf.org/doc/html/rfc8693/#section-4.3 +[RFC4122]: https://datatracker.ietf.org/doc/html/rfc4122 [OpenID Connect]: https://openid.net/connect/ [OpenID Connect Front-Channel Logout]: https://openid.net/specs/openid-connect-frontchannel-1_0.html @@ -219,4 +219,4 @@ The `preferred_username` claim was missing and was fixed. [OpenID Connect Core (Subject Identifier Types)]: https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes [OpenID Connect Core (Pairwise Identifier Algorithm)]: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg [OpenID Connect Core (Mandatory to Implement Features for All OpenID Providers)]: https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI -[Proof Key Code Exchange (PKCE)]: https://www.rfc-editor.org/rfc/rfc7636.html +[Proof Key Code Exchange (PKCE)]: https://datatracker.ietf.org/doc/html/rfc7636 diff --git a/internal/configuration/config.template.yml b/internal/configuration/config.template.yml index 7da204922..1058fecc1 100644 --- a/internal/configuration/config.template.yml +++ b/internal/configuration/config.template.yml @@ -426,7 +426,7 @@ authentication_backend: ## changed once attributed to a user otherwise it would break the configuration for that user. Technically, ## non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead advise to use ## a filter to perform alternative lookups and the attributes mentioned above (sAMAccountName and uid) to - ## follow https://www.ietf.org/rfc/rfc2307.txt. + ## follow https://datatracker.ietf.org/doc/html/rfc2307. # username_attribute: uid ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users. diff --git a/internal/middlewares/cors.go b/internal/middlewares/cors.go index 8de1aaf84..006615bcb 100644 --- a/internal/middlewares/cors.go +++ b/internal/middlewares/cors.go @@ -234,11 +234,11 @@ func (p *CORSPolicy) handleOPTIONS(ctx *fasthttp.RequestCtx) { /* The OPTIONS method should not return a 204 as per the following specifications when read together: - RFC7231 (https://www.rfc-editor.org/rfc/rfc7231#section-4.3.7): + RFC7231 (https://datatracker.ietf.org/doc/html/rfc7231#section-4.3.7): A server MUST generate a Content-Length field with a value of "0" if no payload body is to be sent in the response. - RFC7230 (https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2): + RFC7230 (https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.2): A server MUST NOT send a Content-Length header field in any response with a status code of 1xx (Informational) or 204 (No Content). */ diff --git a/internal/mocks/random.go b/internal/mocks/random.go index 9bab56ddd..497bc4d1e 100644 --- a/internal/mocks/random.go +++ b/internal/mocks/random.go @@ -121,33 +121,48 @@ func (mr *MockRandomMockRecorder) IntErr(arg0 interface{}) *gomock.Call { return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntErr", reflect.TypeOf((*MockRandom)(nil).IntErr), arg0) } -// Integer mocks base method. -func (m *MockRandom) Integer(arg0 int) int { +// Intn mocks base method. +func (m *MockRandom) Intn(arg0 int) int { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "Integer", arg0) + ret := m.ctrl.Call(m, "Intn", arg0) ret0, _ := ret[0].(int) return ret0 } -// Integer indicates an expected call of Integer. -func (mr *MockRandomMockRecorder) Integer(arg0 interface{}) *gomock.Call { +// Intn indicates an expected call of Intn. +func (mr *MockRandomMockRecorder) Intn(arg0 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Integer", reflect.TypeOf((*MockRandom)(nil).Integer), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Intn", reflect.TypeOf((*MockRandom)(nil).Intn), arg0) } -// IntegerErr mocks base method. -func (m *MockRandom) IntegerErr(arg0 int) (int, error) { +// IntnErr mocks base method. +func (m *MockRandom) IntnErr(arg0 int) (int, error) { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "IntegerErr", arg0) + ret := m.ctrl.Call(m, "IntnErr", arg0) ret0, _ := ret[0].(int) ret1, _ := ret[1].(error) return ret0, ret1 } -// IntegerErr indicates an expected call of IntegerErr. -func (mr *MockRandomMockRecorder) IntegerErr(arg0 interface{}) *gomock.Call { +// IntnErr indicates an expected call of IntnErr. +func (mr *MockRandomMockRecorder) IntnErr(arg0 interface{}) *gomock.Call { mr.mock.ctrl.T.Helper() - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntegerErr", reflect.TypeOf((*MockRandom)(nil).IntegerErr), arg0) + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IntnErr", reflect.TypeOf((*MockRandom)(nil).IntnErr), arg0) +} + +// Prime mocks base method. +func (m *MockRandom) Prime(arg0 int) (*big.Int, error) { + m.ctrl.T.Helper() + ret := m.ctrl.Call(m, "Prime", arg0) + ret0, _ := ret[0].(*big.Int) + ret1, _ := ret[1].(error) + return ret0, ret1 +} + +// Prime indicates an expected call of Prime. +func (mr *MockRandomMockRecorder) Prime(arg0 interface{}) *gomock.Call { + mr.mock.ctrl.T.Helper() + return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Prime", reflect.TypeOf((*MockRandom)(nil).Prime), arg0) } // Read mocks base method. diff --git a/internal/notification/smtp_notifier.go b/internal/notification/smtp_notifier.go index a42fe62f4..a7533e67b 100644 --- a/internal/notification/smtp_notifier.go +++ b/internal/notification/smtp_notifier.go @@ -163,8 +163,8 @@ func (n *SMTPNotifier) Send(ctx context.Context, recipient mail.Address, subject } func (n *SMTPNotifier) setMessageID(msg *gomail.Msg, domain string) { - rn := n.random.Integer(100000000) - rm := n.random.Integer(10000) + rn := n.random.Intn(100000000) + rm := n.random.Intn(10000) rs := n.random.StringCustom(17, random.CharSetAlphaNumeric) pid := os.Getpid() + rm diff --git a/internal/oidc/store.go b/internal/oidc/store.go index 91b8b8a11..d192ed1b8 100644 --- a/internal/oidc/store.go +++ b/internal/oidc/store.go @@ -180,7 +180,7 @@ func (s *Store) DeleteAccessTokenSession(ctx context.Context, signature string) return s.revokeSessionBySignature(ctx, storage.OAuth2SessionTypeAccessToken, signature) } -// RevokeAccessToken revokes an access token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 +// RevokeAccessToken revokes an access token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 // If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well. // This implements a portion of oauth2.TokenRevocationStorage. func (s *Store) RevokeAccessToken(ctx context.Context, requestID string) (err error) { @@ -205,7 +205,7 @@ func (s *Store) DeleteRefreshTokenSession(ctx context.Context, signature string) return s.revokeSessionBySignature(ctx, storage.OAuth2SessionTypeRefreshToken, signature) } -// RevokeRefreshToken revokes a refresh token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 +// RevokeRefreshToken revokes a refresh token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 // If the particular token is a refresh token and the authorization server supports the revocation of access tokens, // then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note). // This implements a portion of oauth2.TokenRevocationStorage. @@ -213,7 +213,7 @@ func (s *Store) RevokeRefreshToken(ctx context.Context, requestID string) (err e return s.provider.DeactivateOAuth2SessionByRequestID(ctx, storage.OAuth2SessionTypeRefreshToken, requestID) } -// RevokeRefreshTokenMaybeGracePeriod revokes an access token as specified in: https://tools.ietf.org/html/rfc7009#section-2.1 +// RevokeRefreshTokenMaybeGracePeriod revokes an access token as specified in: https://datatracker.ietf.org/doc/html/rfc7009#section-2.1 // If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well. // This implements a portion of oauth2.TokenRevocationStorage. func (s *Store) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) (err error) { diff --git a/internal/random/const.go b/internal/random/const.go index 4a171f17f..99a9add61 100644 --- a/internal/random/const.go +++ b/internal/random/const.go @@ -25,7 +25,7 @@ const ( CharSetSymbolic = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~" // CharSetSymbolicRFC3986Unreserved are RFC3986 unreserved symbol characters. - // See https://www.rfc-editor.org/rfc/rfc3986#section-2.3. + // See https://datatracker.ietf.org/doc/html/rfc3986#section-2.3. CharSetSymbolicRFC3986Unreserved = "-._~" // CharSetAlphaNumeric are literally just valid alphanumeric printable ASCII chars. @@ -35,7 +35,7 @@ const ( CharSetASCII = CharSetAlphabetic + CharSetNumeric + CharSetSymbolic // CharSetRFC3986Unreserved are RFC3986 unreserved characters. - // See https://www.rfc-editor.org/rfc/rfc3986#section-2.3. + // See https://datatracker.ietf.org/doc/html/rfc3986#section-2.3. CharSetRFC3986Unreserved = CharSetAlphabetic + CharSetNumeric + CharSetSymbolicRFC3986Unreserved // CharSetUnambiguousUpper are a set of unambiguous uppercase characters. diff --git a/internal/random/crypto.go b/internal/random/cryptographical.go similarity index 83% rename from internal/random/crypto.go rename to internal/random/cryptographical.go index bff1e0dce..caa78e320 100644 --- a/internal/random/crypto.go +++ b/internal/random/cryptographical.go @@ -18,11 +18,7 @@ func (r *Cryptographical) Read(p []byte) (n int, err error) { // BytesErr returns random data as bytes with the standard random.DefaultN length and can contain any byte values // (including unreadable byte values). If an error is returned from the random read this function returns it. func (r *Cryptographical) BytesErr() (data []byte, err error) { - data = make([]byte, DefaultN) - - _, err = rand.Read(data) - - return data, err + return r.BytesCustomErr(0, nil) } // Bytes returns random data as bytes with the standard random.DefaultN length and can contain any byte values @@ -49,8 +45,10 @@ func (r *Cryptographical) BytesCustomErr(n int, charset []byte) (data []byte, er t := len(charset) - for i := 0; i < n; i++ { - data[i] = charset[data[i]%byte(t)] + if t > 0 { + for i := 0; i < n; i++ { + data[i] = charset[data[i]%byte(t)] + } } return data, nil @@ -81,6 +79,36 @@ func (r *Cryptographical) StringCustom(n int, characters string) (data string) { return string(r.BytesCustom(n, []byte(characters))) } +// IntnErr returns a random int error combination with a maximum of n. +func (r *Cryptographical) IntnErr(n int) (value int, err error) { + if n <= 0 { + return 0, fmt.Errorf("n must be more than 0") + } + + max := big.NewInt(int64(n)) + + var result *big.Int + + if result, err = r.IntErr(max); err != nil { + return 0, err + } + + value = int(result.Int64()) + + if value < 0 { + return 0, fmt.Errorf("generated number is too big for int") + } + + return value, nil +} + +// Intn returns a random int with a maximum of n. +func (r *Cryptographical) Intn(n int) (value int) { + value, _ = r.IntnErr(n) + + return value +} + // IntErr returns a random *big.Int error combination with a maximum of max. func (r *Cryptographical) IntErr(max *big.Int) (value *big.Int, err error) { if max == nil { @@ -105,32 +133,8 @@ func (r *Cryptographical) Int(max *big.Int) (value *big.Int) { return value } -// IntegerErr returns a random int error combination with a maximum of n. -func (r *Cryptographical) IntegerErr(n int) (value int, err error) { - if n <= 0 { - return 0, fmt.Errorf("n must be more than 0") - } - - max := big.NewInt(int64(n)) - - var result *big.Int - - if result, err = r.IntErr(max); err != nil { - return 0, err - } - - value = int(result.Int64()) - - if value < 0 { - return 0, fmt.Errorf("generated number is too big for int") - } - - return value, nil -} - -// Integer returns a random int with a maximum of n. -func (r *Cryptographical) Integer(n int) (value int) { - value, _ = r.IntegerErr(n) - - return value +// Prime returns a number of the given bit length that is prime with high probability. Prime will return error for any +// error returned by rand.Read or if bits < 2. +func (r *Cryptographical) Prime(bits int) (prime *big.Int, err error) { + return rand.Prime(rand.Reader, bits) } diff --git a/internal/random/math.go b/internal/random/mathematical.go similarity index 75% rename from internal/random/math.go rename to internal/random/mathematical.go index d95a2d7f7..24b8e34d3 100644 --- a/internal/random/math.go +++ b/internal/random/mathematical.go @@ -1,26 +1,36 @@ package random import ( + crand "crypto/rand" "fmt" "math/big" "math/rand" + "sync" "time" ) // NewMathematical runs rand.Seed with the current time and returns a random.Provider, specifically *random.Mathematical. func NewMathematical() *Mathematical { - rand.Seed(time.Now().UnixNano()) - - return &Mathematical{} + return &Mathematical{ + rand: rand.New(rand.NewSource(time.Now().UnixNano())), //nolint:gosec + lock: &sync.Mutex{}, + } } // Mathematical is the random.Provider which uses math/rand and is COMPLETELY UNSAFE FOR PRODUCTION IN MOST SITUATIONS. // Use random.Cryptographical instead. -type Mathematical struct{} +type Mathematical struct { + rand *rand.Rand + lock *sync.Mutex +} // Read implements the io.Reader interface. func (r *Mathematical) Read(p []byte) (n int, err error) { - return rand.Read(p) //nolint:gosec + r.lock.Lock() + + defer r.lock.Unlock() + + return r.rand.Read(p) } // BytesErr returns random data as bytes with the standard random.DefaultN length and can contain any byte values @@ -28,7 +38,7 @@ func (r *Mathematical) Read(p []byte) (n int, err error) { func (r *Mathematical) BytesErr() (data []byte, err error) { data = make([]byte, DefaultN) - if _, err = rand.Read(data); err != nil { //nolint:gosec + if _, err = r.Read(data); err != nil { return nil, err } @@ -53,7 +63,7 @@ func (r *Mathematical) BytesCustomErr(n int, charset []byte) (data []byte, err e data = make([]byte, n) - if _, err = rand.Read(data); err != nil { //nolint:gosec + if _, err = r.Read(data); err != nil { return nil, err } @@ -91,17 +101,18 @@ func (r *Mathematical) StringCustom(n int, characters string) (data string) { return string(r.BytesCustom(n, []byte(characters))) } -// IntErr returns a random *big.Int error combination with a maximum of max. -func (r *Mathematical) IntErr(max *big.Int) (value *big.Int, err error) { - if max == nil { - return nil, fmt.Errorf("max is required") - } +// Intn returns a random int with a maximum of n. +func (r *Mathematical) Intn(n int) int { + r.lock.Lock() - if max.Sign() <= 0 { - return nil, fmt.Errorf("max must be 1 or more") - } + defer r.lock.Unlock() - return big.NewInt(int64(rand.Intn(max.Sign()))), nil //nolint:gosec + return r.rand.Intn(n) +} + +// IntnErr returns a random int error combination with a maximum of n. +func (r *Mathematical) IntnErr(n int) (output int, err error) { + return r.Intn(n), nil } // Int returns a random *big.Int with a maximum of max. @@ -115,12 +126,25 @@ func (r *Mathematical) Int(max *big.Int) (value *big.Int) { return value } -// IntegerErr returns a random int error combination with a maximum of n. -func (r *Mathematical) IntegerErr(n int) (output int, err error) { - return r.Integer(n), nil +// IntErr returns a random *big.Int error combination with a maximum of max. +func (r *Mathematical) IntErr(max *big.Int) (value *big.Int, err error) { + if max == nil { + return nil, fmt.Errorf("max is required") + } + + if max.Sign() <= 0 { + return nil, fmt.Errorf("max must be 1 or more") + } + + r.lock.Lock() + + defer r.lock.Unlock() + + return big.NewInt(int64(r.Intn(max.Sign()))), nil } -// Integer returns a random int with a maximum of n. -func (r *Mathematical) Integer(n int) int { - return rand.Intn(n) //nolint:gosec +// Prime returns a number of the given bit length that is prime with high probability. Prime will return error for any +// error returned by rand.Read or if bits < 2. +func (r *Mathematical) Prime(bits int) (prime *big.Int, err error) { + return crand.Prime(r, bits) } diff --git a/internal/random/provider.go b/internal/random/provider.go index 7eeda72ab..41becf4b0 100644 --- a/internal/random/provider.go +++ b/internal/random/provider.go @@ -32,15 +32,19 @@ type Provider interface { // StringCustom is an overload of GenerateCustom which takes a characters string and returns a string. StringCustom(n int, characters string) (data string) + // Intn returns a random integer with a maximum of n. + Intn(n int) (value int) + + // IntnErr returns a random int error combination with a maximum of n. + IntnErr(n int) (value int, err error) + // IntErr returns a random *big.Int error combination with a maximum of max. IntErr(max *big.Int) (value *big.Int, err error) // Int returns a random *big.Int with a maximum of max. Int(max *big.Int) (value *big.Int) - // IntegerErr returns a random int error combination with a maximum of n. - IntegerErr(n int) (value int, err error) - - // Integer returns a random integer with a maximum of n. - Integer(n int) (value int) + // Prime returns a number of the given bit length that is prime with high probability. Prime will return error for any + // error returned by rand.Read or if bits < 2. + Prime(bits int) (prime *big.Int, err error) } diff --git a/internal/suites/example/compose/haproxy/http.lua b/internal/suites/example/compose/haproxy/http.lua index 44809c8ed..064eb5dda 100644 --- a/internal/suites/example/compose/haproxy/http.lua +++ b/internal/suites/example/compose/haproxy/http.lua @@ -752,9 +752,9 @@ M.base64 = {} --- URL safe base64 encoder -- -- Padding ('=') is omited, as permited per RFC --- https://tools.ietf.org/html/rfc4648 +-- https://datatracker.ietf.org/doc/html/rfc4648 -- in order to follow JSON Web Signature RFC --- https://tools.ietf.org/html/rfc7515 +-- https://datatracker.ietf.org/doc/html/rfc7515 -- -- @param s String (can be binary data) to encode -- @param enc Function which implements base64 encoder (e.g. HAProxy base64 fetch) diff --git a/internal/suites/example/compose/redis/templates/master.conf b/internal/suites/example/compose/redis/templates/master.conf index 59b22cc1b..50e985d0d 100644 --- a/internal/suites/example/compose/redis/templates/master.conf +++ b/internal/suites/example/compose/redis/templates/master.conf @@ -1617,7 +1617,7 @@ notify-keyspace-events "" ############################### GOPHER SERVER ################################# # Redis contains an implementation of the Gopher protocol, as specified in -# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt). +# the RFC 1436 (https://datatracker.ietf.org/doc/html/rfc1436). # # The Gopher protocol was very popular in the late '90s. It is an alternative # to the web, and the implementation both server and client side is so simple diff --git a/internal/suites/example/compose/redis/templates/slave.conf b/internal/suites/example/compose/redis/templates/slave.conf index a65aa2bb3..47aa8338f 100644 --- a/internal/suites/example/compose/redis/templates/slave.conf +++ b/internal/suites/example/compose/redis/templates/slave.conf @@ -1617,7 +1617,7 @@ notify-keyspace-events "" ############################### GOPHER SERVER ################################# # Redis contains an implementation of the Gopher protocol, as specified in -# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt). +# the RFC 1436 (https://datatracker.ietf.org/doc/html/rfc1436). # # The Gopher protocol was very popular in the late '90s. It is an alternative # to the web, and the implementation both server and client side is so simple