
Forces use of UTC time everywhere
Closes #679
arekkas authored and arekkas committed Dec 14, 2017
1 parent 05354cb commit 4161b61
Showing 30 changed files with 239 additions and 32 deletions.
2 changes: 1 addition & 1 deletion cmd/root.go
Expand Up @@ -34,7 +34,7 @@ var cfgFile string

var (
Version = "dev-master"
BuildTime = time.Now().String()
BuildTime = time.Now().UTC().String()
GitHash = "undefined"
)

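Review bot: `BuildTime = time.Now().UTC().String()` records the process start time, not the build time, and a package-level string initialized by a function call cannot be overridden with `-ldflags "-X .../cmd.BuildTime=..."`, which the linker only honours for uninitialized or constant-initialized string variables. If the value is meant to be stamped at build time, leave it as `BuildTime = "undefined"` like `GitHash` on the next line and inject it from the build; if it is intentionally the start time, name and document it as such. In either case `Format(time.RFC3339)` gives a stable, parseable representation, whereas `String()` output is documented as not being a stable format. The `var` block is complete within the section, but the rest of cmd/root.go is not visible.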
4 changes: 2 additions & 2 deletions cmd/server/helper_cert.go
Expand Up @@ -146,8 +146,8 @@ func createSelfSignedCertificate(key interface{}) (cert *x509.Certificate, err e
Organization: []string{"Hydra"},
CommonName: "Hydra",
},
NotBefore: time.Now(),
NotAfter: time.Now().Add(time.Hour * 24 * 7),
NotBefore: time.Now().UTC(),
NotAfter: time.Now().UTC().Add(time.Hour * 24 * 7),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
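Review bot: `NotBefore: time.Now().UTC()` leaves no tolerance for clock skew, so a client whose clock runs even slightly behind the server will reject the freshly generated self-signed certificate as not yet valid; a small backdate is the usual fix. The `NotBefore` and `NotAfter` lines also read the clock independently, so binding it once keeps the validity window exactly seven days: `now := time.Now().UTC()`, `NotBefore: now.Add(-time.Hour),`, `NotAfter: now.Add(time.Hour * 24 * 7),`. As far as I can tell encoding/asn1 serializes these fields in UTC whatever Location the value carries, so the `.UTC()` calls are harmless but do not change what ends up in the certificate. createSelfSignedCertificate starts and ends outside the hunk.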
2 changes: 1 addition & 1 deletion compose/firewall.go
Expand Up @@ -73,7 +73,7 @@ func NewMockFirewallWithStore(issuer string, subject string, scopes fosite.Argum
L: l,
}, conf.Client(oauth2.NoContext, &oauth2.Token{
AccessToken: tokens[0][1],
Expiry: time.Now().Add(time.Hour),
Expiry: time.Now().UTC().Add(time.Hour),
TokenType: "bearer",
})
}
69 changes: 64 additions & 5 deletions docs/api.swagger.json
Expand Up @@ -1894,6 +1894,22 @@
"type": "string",
"x-go-name": "RedirectURL"
},
"requestedAcr": {
"type": "array",
"items": {
"type": "string"
},
"x-go-name": "RequestedACR"
},
"requestedMaxAge": {
"type": "integer",
"format": "int64",
"x-go-name": "MaxAge"
},
"requestedPrompt": {
"type": "string",
"x-go-name": "RequestedPrompt"
},
"requestedScopes": {
"description": "RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator.",
"type": "array",
Expand Down Expand Up @@ -2019,6 +2035,12 @@
},
"x-go-name": "AccessTokenExtra"
},
"authTime": {
"description": "AuthTime is the time when the End-User authentication occurred. Its value is a JSON number representing the\nnumber of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.",
"type": "integer",
"format": "int64",
"x-go-name": "AuthTime"
},
"grantScopes": {
"description": "A list of scopes that the user agreed to grant. It should be a subset of requestedScopes from the consent request.",
"type": "array",
Expand All @@ -2035,6 +2057,11 @@
},
"x-go-name": "IDTokenExtra"
},
"providedAcr": {
"description": "ProvidedAuthenticationContextClassReference specifies an Authentication Context Class Reference value that identifies\nthe Authentication Context Class that the authentication performed satisfied. The value \"0\" indicates the End-User\nauthentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1.\n\nIn summary ISO/IEC 29115 defines four levels, broadly summarized as follows.\n\nacr=0 does not satisfy Level 1 and could be, for example, authentication using a long-lived browser cookie.\nLevel 1 (acr=1): Minimal confidence in the asserted identity of the entity, but enough confidence that the\nentity is the same over consecutive authentication events. For example presenting a self-registered\nusername or password.\nLevel 2 (acr=2): There is some confidence in the asserted identity of the entity. For example confirming\nauthentication using a mobile app (\"Something you have\").\nLevel 3 (acr=3): High confidence in an asserted identity of the entity. For example sending a code to a mobile\nphone or using Google Authenticator or a fingerprint scanner (\"Something you have and something you know\" / \"Something you are\")\nLevel 4 (acr=4): Very high confidence in an asserted identity of the entity. Requires in-person identification.",
"type": "string",
"x-go-name": "ProvidedAuthenticationContextClassReference"
},
"subject": {
"description": "Subject represents a unique identifier of the user (or service, or legal entity, ...) that accepted the\nOAuth2 request.",
"type": "string",
Expand All @@ -2048,6 +2075,11 @@
"type": "object",
"title": "RejectConsentRequestPayload represents data that will be used to reject a consent request.",
"properties": {
"error": {
"description": "Error can be used to return an OpenID Connect or OAuth 2.0 error to the OAuth 2.0 client, such as login_required,\ninteraction_required, consent_required.",
"type": "string",
"x-go-name": "Error"
},
"reason": {
"description": "Reason represents the reason why the user rejected the consent request.",
"type": "string",
Expand Down Expand Up @@ -2337,10 +2369,29 @@
"x-go-name": "ID"
},
"redirectUrl": {
"description": "Redirect URL is the URL where the user agent should be redirected to after the consent has been\naccepted or rejected.",
"description": "RedirectURL is the URL where the user agent should be redirected to after the consent has been\naccepted or rejected.",
"type": "string",
"x-go-name": "RedirectURL"
},
"requestedAcr": {
"description": "RequestedAuthenticationContextClassReference specifies an Authentication Context Class Reference value that identifies\nthe Authentication Context Class that the authentication performed satisfied. The value \"0\" indicates the End-User\nauthentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1.\n\nIn summary ISO/IEC 29115 defines four levels, broadly summarized as follows.\n\nacr=0 does not satisfy Level 1 and could be, for example, authentication using a long-lived browser cookie.\nLevel 1 (acr=1): Minimal confidence in the asserted identity of the entity, but enough confidence that the\nentity is the same over consecutive authentication events. For example presenting a self-registered\nusername or password.\nLevel 2 (acr=2): There is some confidence in the asserted identity of the entity. For example confirming\nauthentication using a mobile app (\"Something you have\").\nLevel 3 (acr=3): High confidence in an asserted identity of the entity. For example sending a code to a mobile\nphone or using Google Authenticator or a fingerprint scanner (\"Something you have and something you know\" / \"Something you are\")\nLevel 4 (acr=4): Very high confidence in an asserted identity of the entity. Requires in-person identification.",
"type": "array",
"items": {
"type": "string"
},
"x-go-name": "RequestedAuthenticationContextClassReference"
},
"requestedMaxAge": {
"description": "MaxAge specifies the allowable elapsed time in seconds since the last time the End-User was actively\nauthenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively\nre-authenticate the End-User.",
"type": "integer",
"format": "int64",
"x-go-name": "MaxAge"
},
"requestedPrompt": {
"description": "Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server\nprompts the End-User for reauthentication and consent. The defined values are:\n\nnone: The consent app MUST NOT display any authentication or consent user interface pages. An error is returned\nif an End-User is not already authenticated or the Client does not have pre-configured consent for the requested\nClaims or does not fulfill other conditions for processing the request. The error code will typically be\nlogin_required, interaction_required. This can be used as a method to check for existing authentication and/or consent.\nlogin: The consent app SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the\nEnd-User, it MUST return an error, typically login_required.\nconsent: The consent app SHOULD prompt the End-User for consent before returning information to the Client.\nIf it cannot obtain consent, it MUST return an error, typically consent_required.\nselect_account: The consent app SHOULD prompt the End-User to select a user account. This enables an End-User\nwho has multiple accounts at the Authorization Server to select amongst the multiple accounts that they\nmight have current sessions for. If it cannot obtain an account selection choice made by the End-User,\nit MUST return an error, typically account_selection_required.\n\nThe prompt parameter can be used by the Client to make sure that the End-User is still present for the current\nsession or to bring attention to the request. If this parameter contains none with any other value, an error is returned.",
"type": "string",
"x-go-name": "Prompt"
},
"requestedScopes": {
"description": "RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator.",
"type": "array",
Expand Down Expand Up @@ -3114,8 +3165,8 @@
"token_endpoint",
"jwks_uri",
"subject_types_supported",
"id_token_signing_alg_values_supported",
"response_types_supported"
"response_types_supported",
"id_token_signing_alg_values_supported"
],
"properties": {
"authorization_endpoint": {
Expand All @@ -3132,12 +3183,12 @@
"x-go-name": "ClaimsSupported"
},
"id_token_signing_alg_values_supported": {
"description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,\nbut MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint\n(such as when using the Authorization Code Flow).",
"description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.",
"type": "array",
"items": {
"type": "string"
},
"x-go-name": "SigningAlgs"
"x-go-name": "IDTokenSigningAlgValuesSupported"
},
"issuer": {
"description": "URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.\nIf Issuer discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.",
Expand Down Expand Up @@ -3178,6 +3229,14 @@
"type": "string",
"x-go-name": "TokenURL"
},
"token_endpoint_auth_methods_supported": {
"description": "JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0",
"type": "array",
"items": {
"type": "string"
},
"x-go-name": "TokenEndpointAuthMethodsSupported"
},
"userinfo_endpoint": {
"description": "URL of the OP's UserInfo Endpoint.",
"type": "string",
2 changes: 1 addition & 1 deletion metrics/metrics.go
Expand Up @@ -165,7 +165,7 @@ func (sw *Snapshot) Update() {
NumGC: m.NumGC,
}

sw.UpTime = int64(time.Now().Sub(sw.start) / time.Second)
sw.UpTime = int64(time.Now().UTC().Sub(sw.start) / time.Second)

}

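Review bot: `time.Now().UTC().Sub(sw.start)` now measures elapsed time with the wall clock only, because since Go 1.9 `UTC()` (like `In` and `Local`) strips the monotonic clock reading that `time.Now()` carries, and `sw.start` is built the same way in metrics/middleware.go. A wall-clock step (NTP correction, manual change, suspend/resume) then appears directly as a jump, possibly negative, in `UpTime`; the latency measurement in metrics/middleware.go's ServeHTTP and the deadline loop in pkg/retry.go have the same exposure, where a backwards step can extend the retry window well past `failAfter`. Keep the monotonic reading for anything that is a duration or a deadline — `time.Now()` for the start value and `sw.UpTime = int64(time.Since(sw.start) / time.Second)` here — and apply `.UTC()` only where a time is formatted, serialized or stored. Update's body begins outside the hunk.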
6 changes: 3 additions & 3 deletions metrics/middleware.go
Expand Up @@ -65,7 +65,7 @@ func NewMetricsManager(issuerURL string, databaseURL string, l logrus.FieldLogge
Metrics: newMetrics(),
HTTPMetrics: newHttpMetrics(),
Paths: map[string]*PathMetrics{},
start: time.Now(),
start: time.Now().UTC(),
},
internalID: uuid.New(),
Segment: analytics.New("h8dRH3kVCWKkIFWydBmWsyYHR4M0u0vr"),
Expand Down Expand Up @@ -179,9 +179,9 @@ func (sw *MetricsManager) ServeHTTP(rw http.ResponseWriter, r *http.Request, nex
sw.Unlock()

// Latency
start := time.Now()
start := time.Now().UTC()
next(rw, r)
latency := time.Now().Sub(start) / time.Millisecond
latency := time.Now().UTC().Sub(start) / time.Millisecond

// Collecting request info
res := rw.(negroni.ResponseWriter)
4 changes: 2 additions & 2 deletions metrics/middleware_test.go
Expand Up @@ -33,7 +33,7 @@ import (
)

func TestMiddleware(t *testing.T) {
rand.Seed(time.Now().Unix())
rand.Seed(time.Now().UTC().Unix())
mw := metrics.NewMetricsManager("", "", logrus.StandardLogger())
n := negroni.New()
r := httprouter.New()
Expand Down Expand Up @@ -88,7 +88,7 @@ func TestMiddleware(t *testing.T) {
}

func TestRacyMiddleware(t *testing.T) {
rand.Seed(time.Now().Unix())
rand.Seed(time.Now().UTC().Unix())
mw := metrics.NewMetricsManager("", "", logrus.StandardLogger())
n := negroni.New()
r := httprouter.New()
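Review bot: `rand.Seed(time.Now().UTC().Unix())` is unchanged in effect, since `Unix()` returns the same seconds-since-epoch value whatever Location the Time carries, so the `.UTC()` here and in TestRacyMiddleware is noise rather than a fix. If the intent is a distinct seed per run, `rand.Seed(time.Now().UnixNano())` is the change that actually helps when two runs start within the same second; otherwise the lines can stay as they were. Both test functions continue outside their hunks.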
10 changes: 5 additions & 5 deletions pkg/retry.go
Expand Up @@ -25,15 +25,15 @@ func Retry(logger logrus.FieldLogger, maxWait time.Duration, failAfter time.Dura
var lastStart time.Time
err = errors.New("Did not connect.")
loopWait := time.Millisecond * 100
retryStart := time.Now()
for retryStart.Add(failAfter).After(time.Now()) {
lastStart = time.Now()
retryStart := time.Now().UTC()
for retryStart.Add(failAfter).After(time.Now().UTC()) {
lastStart = time.Now().UTC()
if err = f(); err == nil {
return nil
}

if lastStart.Add(maxWait * 2).Before(time.Now()) {
retryStart = time.Now()
if lastStart.Add(maxWait * 2).Before(time.Now().UTC()) {
retryStart = time.Now().UTC()
}

LogError(err, logger)
6 changes: 6 additions & 0 deletions sdk/go/hydra/swagger/consent_request.go
Expand Up @@ -21,6 +21,12 @@ type ConsentRequest struct {
// Redirect URL is the URL where the user agent should be redirected to after the consent has been accepted or rejected.
RedirectUrl string `json:"redirectUrl,omitempty"`

RequestedAcr []string `json:"requestedAcr,omitempty"`

RequestedMaxAge int64 `json:"requestedMaxAge,omitempty"`

RequestedPrompt string `json:"requestedPrompt,omitempty"`

// RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator.
RequestedScopes []string `json:"requestedScopes,omitempty"`
}
6 changes: 6 additions & 0 deletions sdk/go/hydra/swagger/consent_request_acceptance.go
Expand Up @@ -15,12 +15,18 @@ type ConsentRequestAcceptance struct {
// AccessTokenExtra represents arbitrary data that will be added to the access token and that will be returned on introspection and warden requests.
AccessTokenExtra map[string]interface{} `json:"accessTokenExtra,omitempty"`

// AuthTime is the time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
AuthTime int64 `json:"authTime,omitempty"`

// A list of scopes that the user agreed to grant. It should be a subset of requestedScopes from the consent request.
GrantScopes []string `json:"grantScopes,omitempty"`

// IDTokenExtra represents arbitrary data that will be added to the ID token. The ID token will only be issued if the user agrees to it and if the client requested an ID token.
IdTokenExtra map[string]interface{} `json:"idTokenExtra,omitempty"`

// ProvidedAuthenticationContextClassReference specifies an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value \"0\" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. In summary ISO/IEC 29115 defines four levels, broadly summarized as follows. acr=0 does not satisfy Level 1 and could be, for example, authentication using a long-lived browser cookie. Level 1 (acr=1): Minimal confidence in the asserted identity of the entity, but enough confidence that the entity is the same over consecutive authentication events. For example presenting a self-registered username or password. Level 2 (acr=2): There is some confidence in the asserted identity of the entity. For example confirming authentication using a mobile app (\"Something you have\"). Level 3 (acr=3): High confidence in an asserted identity of the entity. For example sending a code to a mobile phone or using Google Authenticator or a fingerprint scanner (\"Something you have and something you know\" / \"Something you are\") Level 4 (acr=4): Very high confidence in an asserted identity of the entity. Requires in-person identification.
ProvidedAcr string `json:"providedAcr,omitempty"`

// Subject represents a unique identifier of the user (or service, or legal entity, ...) that accepted the OAuth2 request.
Subject string `json:"subject,omitempty"`
}
3 changes: 3 additions & 0 deletions sdk/go/hydra/swagger/consent_request_rejection.go
Expand Up @@ -12,6 +12,9 @@ package swagger

type ConsentRequestRejection struct {

// Error can be used to return an OpenID Connect or OAuth 2.0 error to the OAuth 2.0 client, such as login_required, interaction_required, consent_required.
Error_ string `json:"error,omitempty"`

// Reason represents the reason why the user rejected the consent request.
Reason string `json:"reason,omitempty"`
}
3 changes: 3 additions & 0 deletions sdk/go/hydra/swagger/docs/ConsentRequest.md
Expand Up @@ -6,6 +6,9 @@ Name | Type | Description | Notes
**ClientId** | **string** | ClientID is the client id that initiated the OAuth2 request. | [optional] [default to null]
**Id** | **string** | ID is the id of this consent request. | [optional] [default to null]
**RedirectUrl** | **string** | Redirect URL is the URL where the user agent should be redirected to after the consent has been accepted or rejected. | [optional] [default to null]
**RequestedAcr** | **[]string** | | [optional] [default to null]
**RequestedMaxAge** | **int64** | | [optional] [default to null]
**RequestedPrompt** | **string** | | [optional] [default to null]
**RequestedScopes** | **[]string** | RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator. | [optional] [default to null]

[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)