Ejemplo n.º 1
0
func makeUserAPITestFixtures() *userAPITestFixtures {
	f := &userAPITestFixtures{}

	_, _, um := makeUserObjects(userUsers, userPasswords)

	cir := client.NewClientIdentityRepo([]oidc.ClientIdentity{
		oidc.ClientIdentity{
			Credentials: oidc.ClientCredentials{
				ID:     testClientID,
				Secret: testClientSecret,
			},
			Metadata: oidc.ClientMetadata{
				RedirectURLs: []url.URL{
					testRedirectURL,
				},
			},
		},
		oidc.ClientIdentity{
			Credentials: oidc.ClientCredentials{
				ID:     userBadClientID,
				Secret: "secret",
			},
			Metadata: oidc.ClientMetadata{
				RedirectURLs: []url.URL{
					testRedirectURL,
				},
			},
		},
	})

	cir.SetDexAdmin(testClientID, true)

	noop := func() error { return nil }

	keysFunc := func() []key.PublicKey {
		return []key.PublicKey{*key.NewPublicKey(testPrivKey.JWK())}
	}

	jwtvFactory := func(clientID string) oidc.JWTVerifier {
		return oidc.NewJWTVerifier(testIssuerURL.String(), clientID, noop, keysFunc)
	}

	f.emailer = &testEmailer{}
	api := api.NewUsersAPI(um, cir, f.emailer, "local")
	usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, cir)
	f.hSrv = httptest.NewServer(usrSrv.HTTPHandler())

	f.trans = &tokenHandlerTransport{
		Handler: usrSrv.HTTPHandler(),
		Token:   userGoodToken,
	}
	hc := &http.Client{
		Transport: f.trans,
	}
	f.client, _ = schema.NewWithBasePath(hc, f.hSrv.URL)

	return f
}
Ejemplo n.º 2
0
func (s *Server) HTTPHandler() http.Handler {
	checks := make([]health.Checkable, len(s.HealthChecks))
	copy(checks, s.HealthChecks)
	for _, idpc := range s.Connectors {
		idpc := idpc
		checks = append(checks, idpc)
	}

	clock := clockwork.NewRealClock()
	mux := http.NewServeMux()
	mux.HandleFunc(httpPathDiscovery, handleDiscoveryFunc(s.ProviderConfig()))
	mux.HandleFunc(httpPathAuth, handleAuthFunc(s, s.Connectors, s.LoginTemplate, s.EnableRegistration))
	mux.HandleFunc(httpPathOOB, handleOOBFunc(s, s.OOBTemplate))
	mux.HandleFunc(httpPathToken, handleTokenFunc(s))
	mux.HandleFunc(httpPathKeys, handleKeysFunc(s.KeyManager, clock))
	mux.Handle(httpPathHealth, makeHealthHandler(checks))

	if s.EnableRegistration {
		mux.HandleFunc(httpPathRegister, handleRegisterFunc(s, s.RegisterTemplate))
	}

	mux.HandleFunc(httpPathEmailVerify, handleEmailVerifyFunc(s.VerifyEmailTemplate,
		s.IssuerURL, s.KeyManager.PublicKeys, s.UserManager))

	mux.Handle(httpPathVerifyEmailResend, s.NewClientTokenAuthHandler(handleVerifyEmailResendFunc(s.IssuerURL,
		s.KeyManager.PublicKeys,
		s.UserEmailer,
		s.UserRepo,
		s.ClientManager)))

	mux.Handle(httpPathSendResetPassword, &SendResetPasswordEmailHandler{
		tpl:     s.SendResetPasswordEmailTemplate,
		emailer: s.UserEmailer,
		sm:      s.SessionManager,
		cm:      s.ClientManager,
	})

	mux.Handle(httpPathResetPassword, &ResetPasswordHandler{
		tpl:       s.ResetPasswordTemplate,
		issuerURL: s.IssuerURL,
		um:        s.UserManager,
		keysFunc:  s.KeyManager.PublicKeys,
	})

	mux.Handle(httpPathAcceptInvitation, &InvitationHandler{
		passwordResetURL:       s.absURL(httpPathResetPassword),
		issuerURL:              s.IssuerURL,
		um:                     s.UserManager,
		keysFunc:               s.KeyManager.PublicKeys,
		signerFunc:             s.KeyManager.Signer,
		redirectValidityWindow: s.SessionManager.ValidityWindow,
	})

	if s.EnableClientRegistration {
		mux.HandleFunc(httpPathClientRegistration, s.handleClientRegistration)
	}

	mux.HandleFunc(httpPathDebugVars, health.ExpvarHandler)

	pcfg := s.ProviderConfig()
	for _, idpc := range s.Connectors {
		errorURL, err := url.Parse(fmt.Sprintf("%s?connector_id=%s", pcfg.AuthEndpoint, idpc.ID()))
		if err != nil {
			log.Fatal(err)
		}
		idpc.Register(mux, *errorURL)
	}

	apiBasePath := path.Join(httpPathAPI, APIVersion)
	registerDiscoveryResource(apiBasePath, mux)

	usersAPI := usersapi.NewUsersAPI(s.UserManager, s.ClientManager, s.RefreshTokenRepo, s.UserEmailer, s.localConnectorID)
	handler := NewUserMgmtServer(usersAPI, s.JWTVerifierFactory(), s.UserManager, s.ClientManager).HTTPHandler()

	mux.Handle(apiBasePath+"/", handler)

	return http.Handler(mux)
}
Ejemplo n.º 3
0
func makeUserAPITestFixtures(clientCredsFlag bool) *userAPITestFixtures {
	f := &userAPITestFixtures{}

	dbMap, _, _, um := makeUserObjects(userUsers, userPasswords)
	clients := []client.LoadableClient{
		{
			Client: client.Client{
				Credentials: oidc.ClientCredentials{
					ID:     testClientID,
					Secret: testClientSecret,
				},
				Metadata: oidc.ClientMetadata{
					RedirectURIs: []url.URL{
						testRedirectURL,
					},
				},
			},
		},
		{
			Client: client.Client{
				Credentials: oidc.ClientCredentials{
					ID:     userBadClientID,
					Secret: base64.URLEncoding.EncodeToString([]byte("secret")),
				},
				Metadata: oidc.ClientMetadata{
					RedirectURIs: []url.URL{
						testBadRedirectURL,
					},
				},
			},
		},
	}

	_, clientManager, err := makeClientRepoAndManager(dbMap, clients)
	if err != nil {
		panic("Failed to create client identity manager: " + err.Error())
	}
	clientManager.SetDexAdmin(testClientID, true)

	noop := func() error { return nil }

	keysFunc := func() []key.PublicKey {
		return []key.PublicKey{*key.NewPublicKey(testPrivKey.JWK())}
	}

	jwtvFactory := func(clientID string) oidc.JWTVerifier {
		return oidc.NewJWTVerifier(testIssuerURL.String(), clientID, noop, keysFunc)
	}

	refreshRepo := db.NewRefreshTokenRepo(dbMap)
	for _, user := range userUsers {
		if _, err := refreshRepo.Create(user.User.ID, testClientID,
			"", append([]string{"offline_access"}, oidc.DefaultScope...)); err != nil {
			panic("Failed to create refresh token: " + err.Error())
		}
	}

	f.emailer = &testEmailer{}
	um.Clock = clock

	api := api.NewUsersAPI(um, clientManager, refreshRepo, f.emailer, "local", clientCredsFlag)
	usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, clientManager, clientCredsFlag)
	f.hSrv = httptest.NewServer(usrSrv.HTTPHandler())

	f.trans = &tokenHandlerTransport{
		Handler: usrSrv.HTTPHandler(),
		Token:   userGoodToken,
	}
	hc := &http.Client{
		Transport: f.trans,
	}
	f.client, _ = schema.NewWithBasePath(hc, f.hSrv.URL)

	return f
}
Ejemplo n.º 4
0
func makeUserAPITestFixtures() *userAPITestFixtures {
	f := &userAPITestFixtures{}

	dbMap, _, _, um := makeUserObjects(userUsers, userPasswords)
	clients := []client.Client{
		client.Client{
			Credentials: oidc.ClientCredentials{
				ID:     testClientID,
				Secret: testClientSecret,
			},
			Metadata: oidc.ClientMetadata{
				RedirectURIs: []url.URL{
					testRedirectURL,
				},
			},
		},
		client.Client{
			Credentials: oidc.ClientCredentials{
				ID:     userBadClientID,
				Secret: base64.URLEncoding.EncodeToString([]byte("secret")),
			},
			Metadata: oidc.ClientMetadata{
				RedirectURIs: []url.URL{
					testBadRedirectURL,
				},
			},
		},
	}
	clientIDGenerator := func(hostport string) (string, error) {
		return hostport, nil
	}
	secGen := func() ([]byte, error) {
		return []byte(testClientSecret), nil
	}
	clientRepo := db.NewClientRepo(dbMap)
	clientManager, err := manager.NewClientManagerFromClients(clientRepo, db.TransactionFactory(dbMap), clients, manager.ManagerOptions{ClientIDGenerator: clientIDGenerator, SecretGenerator: secGen})
	if err != nil {
		panic("Failed to create client identity manager: " + err.Error())
	}
	clientManager.SetDexAdmin(testClientID, true)

	noop := func() error { return nil }

	keysFunc := func() []key.PublicKey {
		return []key.PublicKey{*key.NewPublicKey(testPrivKey.JWK())}
	}

	jwtvFactory := func(clientID string) oidc.JWTVerifier {
		return oidc.NewJWTVerifier(testIssuerURL.String(), clientID, noop, keysFunc)
	}

	refreshRepo := db.NewRefreshTokenRepo(dbMap)
	for _, user := range userUsers {
		if _, err := refreshRepo.Create(user.User.ID, testClientID); err != nil {
			panic("Failed to create refresh token: " + err.Error())
		}
	}

	f.emailer = &testEmailer{}
	um.Clock = clock

	api := api.NewUsersAPI(um, clientManager, refreshRepo, f.emailer, "local")
	usrSrv := server.NewUserMgmtServer(api, jwtvFactory, um, clientManager)
	f.hSrv = httptest.NewServer(usrSrv.HTTPHandler())

	f.trans = &tokenHandlerTransport{
		Handler: usrSrv.HTTPHandler(),
		Token:   userGoodToken,
	}
	hc := &http.Client{
		Transport: f.trans,
	}
	f.client, _ = schema.NewWithBasePath(hc, f.hSrv.URL)

	return f
}
Ejemplo n.º 5
0
func (s *Server) HTTPHandler() http.Handler {
	checks := make([]health.Checkable, len(s.HealthChecks))
	copy(checks, s.HealthChecks)
	for _, idpc := range s.Connectors {
		idpc := idpc
		checks = append(checks, idpc)
	}

	clock := clockwork.NewRealClock()
	mux := http.NewServeMux()
	mux.HandleFunc(httpPathDiscovery, handleDiscoveryFunc(s.ProviderConfig()))
	mux.HandleFunc(httpPathAuth, handleAuthFunc(s, s.Connectors, s.LoginTemplate))
	mux.HandleFunc(httpPathToken, handleTokenFunc(s))
	mux.HandleFunc(httpPathKeys, handleKeysFunc(s.KeyManager, clock))
	mux.Handle(httpPathHealth, makeHealthHandler(checks))
	mux.HandleFunc(httpPathRegister, handleRegisterFunc(s))
	mux.HandleFunc(httpPathEmailVerify, handleEmailVerifyFunc(s.VerifyEmailTemplate,
		s.IssuerURL, s.KeyManager.PublicKeys, s.UserManager))

	mux.Handle(httpPathVerifyEmailResend, s.NewClientTokenAuthHandler(handleVerifyEmailResendFunc(s.IssuerURL,
		s.KeyManager.PublicKeys,
		s.UserEmailer,
		s.UserRepo,
		s.ClientIdentityRepo)))

	mux.Handle(httpPathSendResetPassword, &SendResetPasswordEmailHandler{
		tpl:     s.SendResetPasswordEmailTemplate,
		emailer: s.UserEmailer,
		sm:      s.SessionManager,
		cr:      s.ClientIdentityRepo,
	})

	mux.Handle(httpPathResetPassword, &ResetPasswordHandler{
		tpl:       s.ResetPasswordTemplate,
		issuerURL: s.IssuerURL,
		um:        s.UserManager,
		keysFunc:  s.KeyManager.PublicKeys,
	})

	mux.HandleFunc(httpPathDebugVars, health.ExpvarHandler)

	pcfg := s.ProviderConfig()
	for _, idpc := range s.Connectors {
		errorURL, err := url.Parse(fmt.Sprintf("%s?connector_id=%s", pcfg.AuthEndpoint, idpc.ID()))
		if err != nil {
			log.Fatal(err)
		}
		idpc.Register(mux, *errorURL)
	}

	apiBasePath := path.Join(httpPathAPI, APIVersion)
	registerDiscoveryResource(apiBasePath, mux)

	clientPath, clientHandler := registerClientResource(apiBasePath, s.ClientIdentityRepo)
	mux.Handle(path.Join(apiBasePath, clientPath), s.NewClientTokenAuthHandler(clientHandler))

	usersAPI := usersapi.NewUsersAPI(s.UserManager, s.ClientIdentityRepo, s.UserEmailer, s.localConnectorID)
	mux.Handle(path.Join(apiBasePath, UsersSubTree), NewUserMgmtServer(usersAPI, s.JWTVerifierFactory(), s.UserManager, s.ClientIdentityRepo).HTTPHandler())

	return http.Handler(mux)
}
Ejemplo n.º 6
0
func (s *Server) HTTPHandler() http.Handler {
	checks := make([]health.Checkable, len(s.HealthChecks))
	copy(checks, s.HealthChecks)
	for _, idpc := range s.Connectors {
		idpc := idpc
		checks = append(checks, idpc)
	}

	clock := clockwork.NewRealClock()
	mux := http.NewServeMux()

	// Handler methods which register handlers at prefixed paths.
	handle := func(urlPath string, h http.Handler) {
		p := path.Join(s.IssuerURL.Path, urlPath)
		// path.Join always trims trailing slashes (https://play.golang.org/p/GRr0jDd9P7).
		// If path being registered has a trailing slash, add it back on.
		if strings.HasSuffix(urlPath, "/") {
			p = p + "/"
		}
		mux.Handle(p, h)
	}
	handleFunc := func(urlPath string, hf http.HandlerFunc) {
		handle(urlPath, hf)
	}
	handleStripPrefix := func(urlPath string, h http.Handler) {
		if s.IssuerURL.Path != "" {
			handle(urlPath, http.StripPrefix(s.IssuerURL.Path, h))
		} else {
			handle(urlPath, h)
		}
	}

	handleFunc(httpPathDiscovery, handleDiscoveryFunc(s.ProviderConfig()))
	handleFunc(httpPathAuth, handleAuthFunc(s, s.IssuerURL, s.Connectors, s.LoginTemplate, s.EnableRegistration))
	handleFunc(httpPathOOB, handleOOBFunc(s, s.OOBTemplate))
	handleFunc(httpPathToken, handleTokenFunc(s))
	handleFunc(httpPathKeys, handleKeysFunc(s.KeyManager, clock))
	handle(httpPathHealth, makeHealthHandler(checks))

	if s.EnableRegistration {
		handleFunc(httpPathRegister, handleRegisterFunc(s, s.RegisterTemplate))
	}

	handleFunc(httpPathEmailVerify, handleEmailVerifyFunc(s.VerifyEmailTemplate,
		s.IssuerURL, s.KeyManager.PublicKeys, s.UserManager))

	handle(httpPathVerifyEmailResend, s.NewClientTokenAuthHandler(handleVerifyEmailResendFunc(s.IssuerURL,
		s.KeyManager.PublicKeys,
		s.UserEmailer,
		s.UserRepo,
		s.ClientManager)))

	handle(httpPathSendResetPassword, &SendResetPasswordEmailHandler{
		tpl:     s.SendResetPasswordEmailTemplate,
		emailer: s.UserEmailer,
		sm:      s.SessionManager,
		cm:      s.ClientManager,
	})

	handle(httpPathResetPassword, &ResetPasswordHandler{
		tpl:       s.ResetPasswordTemplate,
		issuerURL: s.IssuerURL,
		um:        s.UserManager,
		keysFunc:  s.KeyManager.PublicKeys,
	})

	handle(httpPathAcceptInvitation, &InvitationHandler{
		passwordResetURL:       s.absURL(httpPathResetPassword),
		issuerURL:              s.IssuerURL,
		um:                     s.UserManager,
		keysFunc:               s.KeyManager.PublicKeys,
		signerFunc:             s.KeyManager.Signer,
		redirectValidityWindow: s.SessionManager.ValidityWindow,
	})

	if s.EnableClientRegistration {
		handleFunc(httpPathClientRegistration, s.handleClientRegistration)
	}

	handleFunc(httpPathDebugVars, health.ExpvarHandler)

	pcfg := s.ProviderConfig()
	for _, idpc := range s.Connectors {
		errorURL, err := url.Parse(fmt.Sprintf("%s?connector_id=%s", pcfg.AuthEndpoint, idpc.ID()))
		if err != nil {
			log.Fatal(err)
		}
		// NOTE(ericchiang): This path MUST end in a "/" in order to indicate a
		// path prefix rather than an absolute path.
		handle(path.Join(httpPathAuth, idpc.ID())+"/", idpc.Handler(*errorURL))
	}

	apiBasePath := path.Join(httpPathAPI, APIVersion)
	registerDiscoveryResource(apiBasePath, mux)

	usersAPI := usersapi.NewUsersAPI(s.UserManager, s.ClientManager, s.RefreshTokenRepo, s.UserEmailer, s.localConnectorID, s.EnableClientCredentialAccess)
	handler := NewUserMgmtServer(usersAPI, s.JWTVerifierFactory(), s.UserManager, s.ClientManager, s.EnableClientCredentialAccess).HTTPHandler()

	handleStripPrefix(apiBasePath+"/", handler)

	return http.Handler(mux)
}