all: resolve issues with the sdk and cli

* closes #141 * closes #137 * closes #138
ory · Aug 5, 2016 · abc98cc · abc98cc
1 parent fa36f44
commit abc98cc
Show file tree

Hide file tree

Showing 9 changed files with 16 additions and 87 deletions.
diff --git a/client/manager_test.go b/client/manager_test.go
@@ -35,7 +35,7 @@ func init() {
 		Hasher:  &hash.BCrypt{},
 	}
 
-	localWarden, httpClient := internal.NewFirewall("foo", "alice", fosite.Arguments{Scope}, &ladon.DefaultPolicy{
+	localWarden, httpClient := internal.MockFirewall("foo", "alice", fosite.Arguments{Scope}, &ladon.DefaultPolicy{
 		ID:        "1",
 		Subjects:  []string{"alice"},
 		Resources: []string{"rn:hydra:clients<.*>"},

diff --git a/connection/manager_test.go b/connection/manager_test.go
@@ -46,7 +46,7 @@ var managers = map[string]Manager{
 var ts *httptest.Server
 
 func init() {
-	localWarden, httpClient := internal.NewFirewall("hydra", "alice", fosite.Arguments{scope},
+	localWarden, httpClient := internal.MockFirewall("hydra", "alice", fosite.Arguments{scope},
 		&ladon.DefaultPolicy{
 			ID:        "1",
 			Subjects:  []string{"alice"},

diff --git a/internal/firewall.go b/internal/firewall.go
@@ -14,7 +14,7 @@ import (
 	"golang.org/x/oauth2"
 )
 
-func NewFirewall(issuer string, subject string, scopes fosite.Arguments, p ...ladon.Policy) (firewall.Firewall, *http.Client) {
+func MockFirewall(issuer string, subject string, scopes fosite.Arguments, p ...ladon.Policy) (firewall.Firewall, *http.Client) {
 	tokens := pkg.Tokens(1)
 
 	fositeStore := pkg.FositeStore()
@@ -34,8 +34,8 @@ func NewFirewall(issuer string, subject string, scopes fosite.Arguments, p ...la
 	return &warden.LocalWarden{
 			Warden: ladonWarden,
 			TokenValidator: &core.CoreValidator{
-				AccessTokenStrategy: pkg.HMACStrategy,
-				AccessTokenStorage:  fositeStore,
+				CoreStrategy: pkg.HMACStrategy,
+				CoreStorage:  fositeStore,
 			},
 			Issuer:              issuer,
 			AccessTokenLifespan: time.Hour,

diff --git a/internal/fosite_store_test.go b/internal/fosite_store_test.go
@@ -19,10 +19,10 @@ import (
 
 var rethinkManager *FositeRehinkDBStore
 
-var clientManagers = map[string]pkg.FositeStorer{}
+var stores = map[string]pkg.FositeStorer{}
 
 func init() {
-	clientManagers["memory"] = &FositeMemoryStore{
+	stores["memory"] = &FositeMemoryStore{
 		AuthorizeCodes: make(map[string]fosite.Requester),
 		IDSessions:     make(map[string]fosite.Requester),
 		AccessTokens:   make(map[string]fosite.Requester),
@@ -82,7 +82,7 @@ func TestMain(m *testing.M) {
 	if err != nil {
 		logrus.Fatalf("Could not connect to database: %s", err)
 	}
-	clientManagers["rethink"] = rethinkManager
+	stores["rethink"] = rethinkManager
 
 	retCode := m.Run()
 	c.KillRemove()
@@ -138,7 +138,7 @@ func TestColdStartRethinkManager(t *testing.T) {
 
 func TestCreateGetDeleteAuthorizeCodes(t *testing.T) {
 	ctx := context.Background()
-	for k, m := range clientManagers {
+	for k, m := range stores {
 		_, err := m.GetAuthorizeCodeSession(ctx, "4321", &testSession{})
 		pkg.AssertError(t, true, err, "%s", k)
 
@@ -163,7 +163,7 @@ func TestCreateGetDeleteAuthorizeCodes(t *testing.T) {
 
 func TestCreateGetDeleteAccessTokenSession(t *testing.T) {
 	ctx := context.Background()
-	for k, m := range clientManagers {
+	for k, m := range stores {
 		_, err := m.GetAccessTokenSession(ctx, "4321", &testSession{})
 		pkg.AssertError(t, true, err, "%s", k)
 
@@ -188,7 +188,7 @@ func TestCreateGetDeleteAccessTokenSession(t *testing.T) {
 
 func TestCreateGetDeleteOpenIDConnectSession(t *testing.T) {
 	ctx := context.Background()
-	for k, m := range clientManagers {
+	for k, m := range stores {
 		_, err := m.GetOpenIDConnectSession(ctx, "4321", &fosite.Request{})
 		pkg.AssertError(t, true, err, "%s", k)
 
@@ -215,7 +215,7 @@ func TestCreateGetDeleteOpenIDConnectSession(t *testing.T) {
 
 func TestCreateGetDeleteRefreshTokenSession(t *testing.T) {
 	ctx := context.Background()
-	for k, m := range clientManagers {
+	for k, m := range stores {
 		_, err := m.GetRefreshTokenSession(ctx, "4321", &testSession{})
 		pkg.AssertError(t, true, err, "%s", k)
 

diff --git a/jwk/manager_test.go b/jwk/manager_test.go
@@ -32,7 +32,7 @@ var testGenerator = &RS256Generator{}
 var ts *httptest.Server
 
 func init() {
-	localWarden, httpClient := internal.NewFirewall(
+	localWarden, httpClient := internal.MockFirewall(
 		"tests",
 		"alice",
 		fosite.Arguments{

diff --git a/pkg/arg_count.go b/pkg/arg_count.go
diff --git a/pkg/errors.go b/pkg/errors.go
@@ -31,11 +31,3 @@ func LogError(err error) {
 		log.WithError(err).Printf("Got error.")
 	}
 }
-
-func ForwardToErrorHandler(w http.ResponseWriter, r *http.Request, err error, errorHandlerURL url.URL) {
-	q := errorHandlerURL.Query()
-	q.Set("error", err.Error())
-	errorHandlerURL.RawQuery = q.Encode()
-
-	http.Redirect(w, r, errorHandlerURL.String(), http.StatusFound)
-}
diff --git a/policy/manager_test.go b/policy/manager_test.go
@@ -21,7 +21,7 @@ import (
 var managers = map[string]ladon.Manager{}
 
 func init() {
-	localWarden, httpClient := internal.NewFirewall("hydra", "alice", fosite.Arguments{scope},
+	localWarden, httpClient := internal.MockFirewall("hydra", "alice", fosite.Arguments{scope},
 		&ladon.DefaultPolicy{
 			ID:        "1",
 			Subjects:  []string{"alice"},

diff --git a/warden/warden_local.go b/warden/warden_local.go
@@ -18,8 +18,8 @@ import (
 )
 
 type LocalWarden struct {
-	Warden         ladon.Warden
-	TokenValidator *core.CoreValidator
+	Warden ladon.Warden
+	OAuth2 fosite.OAuth2Provider
 
 	AccessTokenLifespan time.Duration
 	Issuer              string
@@ -38,17 +38,6 @@ func (w *LocalWarden) actionAllowed(ctx context.Context, a *ladon.Request, scope
 		return nil, errors.New("Subject mismatch " + a.Subject + " - " + session.Subject)
 	}
 
-	if !matchScopes(oauthRequest.GetGrantedScopes(), scopes, session, oauthRequest.GetClient()) {
-		logrus.WithFields(logrus.Fields{
-			"scopes":   scopes,
-			"subject":  a.Subject,
-			"audience": oauthRequest.GetClient().GetID(),
-			"request":  a,
-			"reason":   "scope mismatch",
-		}).Infof("Access denied")
-		return nil, errors.New(herodot.ErrForbidden)
-	}
-
 	a.Subject = session.Subject
 	if err := w.Warden.IsAllowed(a); err != nil {
 		logrus.WithFields(logrus.Fields{
@@ -130,16 +119,6 @@ func (w *LocalWarden) Authorized(ctx context.Context, token string, scopes ...st
 	}
 
 	session = oauthRequest.GetSession().(*oauth2.Session)
-	if !matchScopes(oauthRequest.GetGrantedScopes(), scopes, session, oauthRequest.Client) {
-		logrus.WithFields(logrus.Fields{
-			"scopes":   scopes,
-			"subject":  session,
-			"audience": oauthRequest.GetClient().GetID(),
-			"reason":   "scope mismatch",
-		}).Infof("Access denied")
-		return nil, errors.New(herodot.ErrForbidden)
-	}
-
 	return &Context{
 		Subject:       session.Subject,
 		GrantedScopes: oauthRequest.GetGrantedScopes(),
@@ -173,16 +152,6 @@ func (w *LocalWarden) HTTPAuthorized(ctx context.Context, r *http.Request, scope
 	}
 
 	session = oauthRequest.GetSession().(*oauth2.Session)
-	if !matchScopes(oauthRequest.GetGrantedScopes(), scopes, session, oauthRequest.Client) {
-		logrus.WithFields(logrus.Fields{
-			"scopes":   scopes,
-			"subject":  session.Subject,
-			"audience": oauthRequest.GetClient().GetID(),
-			"reason":   "scope mismatch",
-		}).Infof("Access denied")
-		return nil, errors.New(herodot.ErrForbidden)
-	}
-
 	return &Context{
 		Subject:       session.Subject,
 		GrantedScopes: oauthRequest.GetGrantedScopes(),
@@ -192,21 +161,3 @@ func (w *LocalWarden) HTTPAuthorized(ctx context.Context, r *http.Request, scope
 		ExpiresAt:     session.AccessTokenExpiresAt(oauthRequest.GetRequestedAt().Add(w.AccessTokenLifespan)),
 	}, nil
 }
-
-func matchScopes(granted []string, requested []string, session *oauth2.Session, c fosite.Client) bool {
-	scopes := &fosite.DefaultScopes{Scopes: granted}
-	for _, r := range requested {
-		if !scopes.Grant(r) {
-			logrus.WithFields(logrus.Fields{
-				"reason":           "scope mismatch",
-				"granted_scopes":   granted,
-				"requested_scopes": requested,
-				"audience":         c.GetID(),
-				"subject":          session.Subject,
-			}).Infof("Authentication failed.")
-			return false
-		}
-	}
-
-	return true
-}