func newTestSingleRequestWithParams(hndl *handler, idp idpdb.Element, params map[string]interface{}) (*http.Request, error) { r, err := http.NewRequest("GET", "http://localhost/coop", nil) if err != nil { return nil, erro.Wrap(err) } codTok := jwt.New() codTok.SetHeader("alg", test_idpSigAlg) codTok.SetClaim("iss", idp.Id()) codTok.SetClaim("sub", test_cod) codTok.SetClaim("aud", audience.New(hndl.selfId)) codTok.SetClaim("from_client", test_frTa.Id()) codTok.SetClaim("user_tag", test_acntTag) codTok.SetClaim("user_tags", []string{test_subAcnt1Tag}) for k, v := range params { codTok.SetClaim(k, v) } if err := codTok.Sign(idp.Keys()); err != nil { return nil, erro.Wrap(err) } data, err := codTok.Encode() if err != nil { return nil, erro.Wrap(err) } r.Header.Set("X-Edo-Code-Tokens", string(data)) return r, nil }
func newTestMainIdpResponseWithParams(hndl *handler, idp idpdb.Element, params, idsTokParams map[string]interface{}) (status int, header http.Header, body []byte, err error) { now := time.Now() idsTok := jwt.New() idsTok.SetHeader("alg", test_idpSigAlg) idsTok.SetClaim("iss", idp.Id()) idsTok.SetClaim("sub", test_frTa.Id()) idsTok.SetClaim("aud", audience.New(hndl.selfId)) idsTok.SetClaim("exp", now.Add(time.Minute).Unix()) idsTok.SetClaim("iat", now.Unix()) idsTok.SetClaim("ids", map[string]map[string]interface{}{ test_acntTag: { "sub": test_acntId, "email": test_acntEmail, }, test_subAcnt1Tag: { "sub": test_subAcnt1Id, "email": test_subAcnt1Email, }, }) for k, v := range idsTokParams { idsTok.SetClaim(k, v) } if err := idsTok.Sign(idp.Keys()); err != nil { return 0, nil, nil, erro.Wrap(err) } data, err := idsTok.Encode() if err != nil { return 0, nil, nil, erro.Wrap(err) } m := map[string]interface{}{ "access_token": test_tok, "token_type": "Bearer", "expires_in": 1234, "scope": "openid email", "ids_token": string(data), } for k, v := range params { if v == nil { delete(m, k) } else { m[k] = v } } body, err = json.Marshal(m) if err != nil { return 0, nil, nil, erro.Wrap(err) } return http.StatusOK, http.Header{"Content-Type": {"application/json"}}, body, nil }
func newTestTokenResponse(page *Page, idp idpdb.Element, clms map[string]interface{}) (status int, hader http.Header, body []byte, err error) { m := map[string]interface{}{ "access_token": test_tok, "token_type": "Bearer", "expires_in": 3600, "scope": "openid email", } idTok := jwt.New() idTok.SetHeader("alg", test_idpSigAlg) idTok.SetClaim("iss", idp.Id()) idTok.SetClaim("sub", test_acntId) idTok.SetClaim("aud", page.selfId) now := time.Now() idTok.SetClaim("exp", now.Add(time.Minute).Unix()) idTok.SetClaim("iat", now.Unix()) idTok.SetClaim("nonce", test_nonc) hGen := jwt.HashGenerator(test_idpSigAlg) if !hGen.Available() { return 0, nil, nil, erro.New("unsupported algorithm " + test_idpSigAlg) } idTok.SetClaim("at_hash", hashutil.Hashing(hGen.New(), []byte(test_tok))) for k, v := range clms { idTok.SetClaim(k, v) } if err := idTok.Sign(idp.Keys()); err != nil { return 0, nil, nil, erro.Wrap(err) } data, err := idTok.Encode() if err != nil { return 0, nil, nil, erro.Wrap(err) } m["id_token"] = string(data) body, err = json.Marshal(m) if err != nil { return 0, nil, nil, erro.Wrap(err) } return http.StatusOK, nil, body, nil }
func newCallbackRequestWithIdToken(page *Page, idp idpdb.Element, clms map[string]interface{}) (*http.Request, error) { q := url.Values{} q.Set("code", test_cod) q.Set("state", test_stat) idTok := jwt.New() idTok.SetHeader("alg", test_idpSigAlg) idTok.SetClaim("iss", idp.Id()) idTok.SetClaim("sub", test_acntId) idTok.SetClaim("aud", page.selfId) now := time.Now() idTok.SetClaim("exp", now.Add(time.Minute).Unix()) idTok.SetClaim("iat", now.Unix()) idTok.SetClaim("nonce", test_nonc) hGen := jwt.HashGenerator(test_idpSigAlg) if !hGen.Available() { return nil, erro.New("unsupported algorithm " + test_idpSigAlg) } idTok.SetClaim("c_hash", hashutil.Hashing(hGen.New(), []byte(test_cod))) for k, v := range clms { idTok.SetClaim(k, v) } if err := idTok.Sign(idp.Keys()); err != nil { return nil, erro.Wrap(err) } data, err := idTok.Encode() if err != nil { return nil, erro.Wrap(err) } q.Set("id_token", string(data)) r, err := http.NewRequest("GET", "http://localhost/callback?"+q.Encode(), nil) if err != nil { return nil, erro.Wrap(err) } r.AddCookie(&http.Cookie{ Name: page.sessLabel, Value: test_sessId, }) return r, nil }
// アクセストークンを使って、ID プロバイダからアカウント情報を取得する。 func (this *environment) getAccountInfo(req *callbackRequest, tok *token.Element, idp idpdb.Element) (attrs map[string]interface{}, err error) { acntReq, err := http.NewRequest("GET", idp.AccountUri(), nil) if err != nil { return nil, erro.Wrap(err) } acntReq.Header.Set(tagAuthorization, tagBearer+" "+tok.Id()) server.LogRequest(level.DEBUG, acntReq, this.debug, this.logPref) resp, err := http.DefaultClient.Do(acntReq) if err != nil { return nil, erro.Wrap(err) } defer resp.Body.Close() server.LogResponse(level.DEBUG, resp, this.debug, this.logPref) log.Info(this.logPref, "Got account info response from "+idp.Id()) if err := json.NewDecoder(resp.Body).Decode(&attrs); err != nil { return nil, erro.Wrap(err) } log.Info(this.logPref, "Got account info") return attrs, nil }
func (this *environment) callbackServe(w http.ResponseWriter, r *http.Request) error { if this.sessId == "" { return erro.Wrap(server.NewError(http.StatusBadRequest, "no session ", nil)) } sess, err := this.sessDb.Get(this.sessId) if err != nil { return erro.Wrap(err) } else if sess == nil { return erro.Wrap(server.NewError(http.StatusBadRequest, "declared user session is not exist", nil)) } this.sess = sess log.Debug(this.logPref, "Declared user session is exist") savedDate := sess.Date() sess.Invalidate() if ok, err := this.sessDb.Replace(sess, savedDate); err != nil { return erro.Wrap(err) } else if !ok { return erro.Wrap(server.NewError(http.StatusBadRequest, "reused user session", nil)) } req, err := parseCallbackRequest(r) if err != nil { return erro.Wrap(server.NewError(http.StatusBadRequest, erro.Unwrap(err).Error(), err)) } log.Debug(this.logPref, "Parsed callback request") if req.state() != sess.State() { return erro.Wrap(server.NewError(http.StatusForbidden, "invalid state", nil)) } var idp idpdb.Element var attrs1 map[string]interface{} if sess.IdProvider() != "" { idp, err = this.idpDb.Get(sess.IdProvider()) if err != nil { return erro.Wrap(err) } else if idp == nil { return erro.Wrap(server.NewError(http.StatusBadRequest, "ID provider "+sess.IdProvider()+" is not exist", nil)) } log.Debug(this.logPref, "ID provider "+idp.Id()+" is exist") } else { idTok, err := parseIdToken(req.idToken()) if err != nil { return erro.Wrap(server.NewError(http.StatusBadRequest, erro.Unwrap(err).Error(), err)) } idp, err = this.idpDb.Get(idTok.idProvider()) if err != nil { return erro.Wrap(err) } else if idp == nil { return erro.Wrap(server.NewError(http.StatusBadRequest, "ID provider "+idTok.idProvider()+" is not exist", nil)) } log.Debug(this.logPref, "ID provider "+idp.Id()+" is exist") if idTok.nonce() != sess.Nonce() { return erro.Wrap(server.NewError(http.StatusForbidden, "invalid nonce", nil)) } else if err := idTok.verify(idp.Keys()); err != nil { return erro.Wrap(server.NewError(http.StatusForbidden, erro.Unwrap(err).Error(), err)) } else if err := idTok.verifyCodeHash(req.code()); err != nil { return erro.Wrap(server.NewError(http.StatusForbidden, erro.Unwrap(err).Error(), err)) } attrs1 = idTok.attributes() log.Debug(this.logPref, "ID token is OK") } // アクセストークンを取得する。 tok, idTok, err := this.getAccessToken(req, idp) if err != nil { return erro.Wrap(err) } // アカウント情報を取得する。 attrs2, err := this.getAccountInfo(req, tok, idp) if err != nil { return erro.Wrap(err) } // アカウント情報をまとめる。 jt := jwt.New() jt.SetHeader(tagAlg, tagNone) for _, m := range []map[string]interface{}{attrs1, idTok.attributes(), attrs2} { for k, v := range m { jt.SetClaim(k, v) } } jt.SetClaim(tagAt_tag, tok.Tag()) jt.SetClaim(tagAt_exp, tok.Expires().Unix()) buff, err := jt.Encode() if err != nil { return erro.Wrap(err) } // フロントエンドのためにセッション期限を延長する。 now := time.Now() http.SetCookie(w, this.newCookie(sess.Id(), now.Add(-time.Second))) http.SetCookie(w, this.newFrontCookie(this.idGen.String(this.fsessLen), now.Add(this.fsessExpIn))) log.Info(this.logPref, "Upgrade user session to frontend session") // フロントエンドが使うので保存しなくて良い。 w.Header().Add(tagX_auth_user, string(buff)) w.Header().Add(tagCache_control, tagNo_store) w.Header().Add(tagPragma, tagNo_cache) http.Redirect(w, r, sess.Path(), http.StatusFound) log.Info(this.logPref, "Redirect to "+sess.Path()) return nil }
// 認可コードを使って、ID プロバイダからアクセストークンを取得する。 func (this *environment) getAccessToken(req *callbackRequest, idp idpdb.Element) (*token.Element, *idToken, error) { keys, err := this.keyDb.Get() if err != nil { return nil, nil, erro.Wrap(err) } queries := url.Values{} // grant_type queries.Set(tagGrant_type, tagAuthorization_code) // code queries.Set(tagCode, req.code()) // redirect_uri queries.Set(tagRedirect_uri, this.sess.RedirectUri()) // client_id queries.Set(tagClient_id, this.sess.Ta()) // client_assertion_type queries.Set(tagClient_assertion_type, cliAssTypeJwt_bearer) // client_assertion ass := jwt.New() now := time.Now() ass.SetHeader(tagAlg, this.sigAlg) ass.SetClaim(tagIss, this.sess.Ta()) ass.SetClaim(tagSub, this.sess.Ta()) ass.SetClaim(tagAud, idp.TokenUri()) ass.SetClaim(tagJti, this.idGen.String(this.jtiLen)) ass.SetClaim(tagExp, now.Add(this.jtiExpIn).Unix()) ass.SetClaim(tagIat, now.Unix()) if err := ass.Sign(keys); err != nil { return nil, nil, erro.Wrap(err) } buff, err := ass.Encode() if err != nil { return nil, nil, erro.Wrap(err) } queries.Set(tagClient_assertion, string(buff)) tokReq, err := http.NewRequest("POST", idp.TokenUri(), strings.NewReader(queries.Encode())) if err != nil { return nil, nil, erro.Wrap(err) } tokReq.Header.Set(tagContent_type, contTypeForm) server.LogRequest(level.DEBUG, tokReq, this.debug, this.logPref) resp, err := http.DefaultClient.Do(tokReq) if err != nil { return nil, nil, erro.Wrap(err) } defer resp.Body.Close() server.LogResponse(level.DEBUG, resp, this.debug, this.logPref) log.Info(this.logPref, "Got token response from "+idp.Id()) tokResp, err := parseTokenResponse(resp) if err != nil { return nil, nil, erro.Wrap(server.NewError(http.StatusForbidden, "cannot get access token", nil)) } tok := token.New(tokResp.token(), this.idGen.String(this.tokTagLen), tokResp.expires(), idp.Id(), tokResp.scope()) log.Info(this.logPref, "Got access token "+logutil.Mosaic(tok.Id())) if err := this.tokDb.Save(tok, time.Now().Add(this.tokDbExpIn)); err != nil { return nil, nil, erro.Wrap(err) } log.Info(this.logPref, "Saved access token "+logutil.Mosaic(tok.Id())) idTok, err := parseIdToken(tokResp.idToken()) if err != nil { return nil, nil, erro.Wrap(server.NewError(http.StatusForbidden, erro.Unwrap(err).Error(), err)) } else if idTok.nonce() != this.sess.Nonce() { return nil, nil, erro.Wrap(server.NewError(http.StatusForbidden, "invalid nonce", nil)) } else if err := idTok.verify(idp.Keys()); err != nil { return nil, nil, erro.Wrap(server.NewError(http.StatusForbidden, erro.Unwrap(err).Error(), err)) } else if idTok.tokenHash() != nil { if err := idTok.verifyTokenHash(tok.Id()); err != nil { return nil, nil, erro.Wrap(server.NewError(http.StatusForbidden, erro.Unwrap(err).Error(), err)) } } log.Info(this.logPref, "ID token is OK") return tok, idTok, nil }
func (this *environment) getInfo(isMain bool, idp idpdb.Element, codTok *codeToken) (frTa string, tok *token.Element, tagToAttrs map[string]map[string]interface{}, err error) { params := map[string]interface{}{} // grant_type params[tagGrant_type] = tagCooperation_code // code params[tagCode] = codTok.code() // claims if isMain { // TODO 受け取り方を考えないと。 } // user_claims // TODO 受け取り方を考えないと。 // client_assertion_type params[tagClient_assertion_type] = cliAssTypeJwt_bearer // client_assertion keys, err := this.keyDb.Get() if err != nil { return "", nil, nil, erro.Wrap(err) } ass, err := makeAssertion(this.handler, keys, idp.CoopToUri()) if err != nil { return "", nil, nil, erro.Wrap(err) } params[tagClient_assertion] = string(ass) data, err := json.Marshal(params) if err != nil { return "", nil, nil, erro.Wrap(err) } r, err := http.NewRequest("POST", idp.CoopToUri(), bytes.NewReader(data)) r.Header.Set(tagContent_type, contTypeJson) log.Debug(this.logPref, "Made main cooperation-to request") server.LogRequest(level.DEBUG, r, this.debug, this.logPref) resp, err := this.conn.Do(r) if err != nil { return "", nil, nil, erro.Wrap(err) } defer resp.Body.Close() server.LogResponse(level.DEBUG, resp, this.debug, this.logPref) if resp.StatusCode != http.StatusOK { var buff struct { Error string Error_description string } if err := json.NewDecoder(resp.Body).Decode(&buff); err != nil { return "", nil, nil, erro.Wrap(err) } return "", nil, nil, erro.Wrap(idperr.New(buff.Error, buff.Error_description, resp.StatusCode, nil)) } coopResp, err := parseCoopResponse(resp) if err != nil { return "", nil, nil, erro.Wrap(idperr.New(idperr.Access_denied, erro.Unwrap(err).Error(), http.StatusForbidden, err)) } idsTok, err := parseIdsToken(coopResp.idsToken()) if err != nil { return "", nil, nil, erro.Wrap(idperr.New(idperr.Access_denied, erro.Unwrap(err).Error(), http.StatusForbidden, err)) } else if err := idsTok.verify(idp.Keys()); err != nil { return "", nil, nil, erro.Wrap(idperr.New(idperr.Access_denied, erro.Unwrap(err).Error(), http.StatusForbidden, err)) } tagToAttrs = map[string]map[string]interface{}{} for acntTag := range codTok.accountTags() { attrs := idsTok.attributes()[acntTag] if attrs == nil { return "", nil, nil, erro.Wrap(idperr.New(idperr.Access_denied, "cannot get sub account tagged by "+acntTag, http.StatusForbidden, nil)) } tagToAttrs[acntTag] = attrs } if isMain { attrs := idsTok.attributes()[codTok.accountTag()] if attrs == nil { return "", nil, nil, erro.Wrap(idperr.New(idperr.Access_denied, "cannot get main account tagged by "+codTok.accountTag(), http.StatusForbidden, nil)) } tagToAttrs[codTok.accountTag()] = attrs if coopResp.token() == "" { return "", nil, nil, erro.Wrap(idperr.New(idperr.Access_denied, "cannot get token", http.StatusForbidden, nil)) } now := time.Now() tok = token.New(coopResp.token(), this.idGen.String(this.tokTagLen), now.Add(coopResp.expiresIn()), idsTok.idProvider(), coopResp.scope()) log.Info(this.logPref, "Got access token "+logutil.Mosaic(tok.Id())) if err := this.tokDb.Save(tok, now.Add(this.tokDbExpIn)); err != nil { return "", nil, nil, erro.Wrap(err) } log.Info(this.logPref, "Saved access token "+logutil.Mosaic(tok.Id())) } return idsTok.fromTa(), tok, tagToAttrs, nil }
func (this *environment) serve(w http.ResponseWriter, r *http.Request) error { req, err := parseRequest(r) if err != nil { return erro.Wrap(idperr.New(idperr.Invalid_request, erro.Unwrap(err).Error(), http.StatusBadRequest, err)) } var acntTag string tags := map[string]bool{} var refHash string type idpUnit struct { idp idpdb.Element codTok *codeToken } units := []*idpUnit{} for _, rawCodTok := range req.codeTokens() { codTok, err := parseCodeToken(rawCodTok) if err != nil { return erro.Wrap(idperr.New(idperr.Invalid_request, erro.Unwrap(err).Error(), http.StatusBadRequest, err)) } else if !codTok.audience()[this.selfId] { return erro.Wrap(idperr.New(idperr.Invalid_request, "invalid audience", http.StatusBadRequest, nil)) } else if codTok.referralHash() == "" && len(req.codeTokens()) > 1 { return erro.Wrap(idperr.New(idperr.Invalid_request, "no referral hash", http.StatusBadRequest, nil)) } else if codTok.accountTag() != "" { if acntTag != "" { return erro.Wrap(idperr.New(idperr.Invalid_request, "two main token", http.StatusBadRequest, nil)) } acntTag = codTok.accountTag() log.Debug(this.logPref, "Main account tag is "+acntTag) if codTok.fromTa() == "" { return erro.Wrap(idperr.New(idperr.Invalid_request, "no from-TA in main token", http.StatusBadRequest, nil)) } log.Debug(this.logPref, "From-TA is "+codTok.fromTa()) } else if len(codTok.accountTags()) == 0 { return erro.Wrap(idperr.New(idperr.Invalid_request, "no account tags in sub token", http.StatusBadRequest, nil)) } for tag := range codTok.accountTags() { if tags[tag] { return erro.Wrap(idperr.New(idperr.Invalid_request, "tag "+tag+" overlaps", http.StatusBadRequest, nil)) } tags[tag] = true log.Debug(this.logPref, "Account tag is "+tag) } if codTok.referralHash() != "" { if refHash == "" { refHash = codTok.referralHash() } else if codTok.referralHash() != refHash { return erro.Wrap(idperr.New(idperr.Invalid_request, "invalid referral hash", http.StatusBadRequest, nil)) } } var idp idpdb.Element if idp, err = this.idpDb.Get(codTok.idProvider()); err != nil { return erro.Wrap(err) } else if idp == nil { return erro.Wrap(idperr.New(idperr.Invalid_request, "ID provider "+codTok.idProvider()+" is not exist", http.StatusBadRequest, nil)) } log.Debug(this.logPref, "ID provider "+idp.Id()+" is exist") if err := codTok.verify(idp.Keys()); err != nil { return erro.Wrap(idperr.New(idperr.Invalid_request, erro.Unwrap(err).Error(), http.StatusBadRequest, err)) } log.Debug(this.logPref, "Verified cooperation code") units = append(units, &idpUnit{idp, codTok}) } if acntTag == "" { return erro.Wrap(idperr.New(idperr.Invalid_request, "no main account tag", http.StatusBadRequest, nil)) } log.Debug(this.logPref, "Cooperation codes are OK") var tok *token.Element var mainAttrs map[string]interface{} tagToAttrs := map[string]map[string]interface{}{} var frTa string for _, unit := range units { var tToA map[string]map[string]interface{} var fT string if unit.codTok.accountTag() != "" { fT, tok, tToA, err = this.getInfoFromMainIdProvider(unit.idp, unit.codTok) if err != nil { return erro.Wrap(err) } log.Debug(this.logPref, "Got account info from main ID provider "+unit.idp.Id()) } else { fT, tToA, err = this.getInfoFromSubIdProvider(unit.idp, unit.codTok) if err != nil { return erro.Wrap(err) } log.Debug(this.logPref, "Got account info from sub ID provider "+unit.idp.Id()) } for tag, attrs := range tToA { if tag == acntTag { attrs[tagIss] = unit.idp.Id() attrs[tagAt_tag] = tok.Tag() attrs[tagAt_exp] = tok.Expires().Unix() mainAttrs = attrs } else { attrs[tagIss] = unit.idp.Id() tagToAttrs[tag] = attrs } } if frTa == "" { frTa = fT } else if frTa != fT { return erro.Wrap(idperr.New(idperr.Invalid_request, "two from-TA ID", http.StatusBadRequest, nil)) } } log.Debug(this.logPref, "Got all account info") jt := jwt.New() jt.SetHeader(tagAlg, tagNone) for k, v := range mainAttrs { jt.SetClaim(k, v) } mainInfo, err := jt.Encode() if err != nil { return erro.Wrap(err) } var relInfo []byte sessFlag := true if len(tagToAttrs) > 0 { jt = jwt.New() jt.SetHeader(tagAlg, tagNone) for acntTag, attrs := range tagToAttrs { jt.SetClaim(acntTag, attrs) if sessFlag { for k := range attrs { if !sessionEnable(k) { sessFlag = false } } } } relInfo, err = jt.Encode() if err != nil { return erro.Wrap(err) } } w.Header().Set(tagX_auth_user, string(mainInfo)) w.Header().Set(tagX_auth_user_tag, acntTag) w.Header().Set(tagX_auth_from_id, frTa) if relInfo != nil { w.Header().Set(tagX_auth_users, string(relInfo)) } if sessFlag { sessId := this.idGen.String(this.sessLen) http.SetCookie(w, this.handler.newCookie(sessId, tok.Expires())) log.Debug(this.logPref, "Report session "+logutil.Mosaic(sessId)) } return nil }