From e2b88d211a27d7b0aeff4b10f7140990133337bd Mon Sep 17 00:00:00 2001
From: Sawada Shota
Date: Thu, 3 Jan 2019 19:31:12 +0900
Subject: [PATCH] cmd: Enable to validate by old system secret (#1249)

* enable to validate by old system secret when setting `ROTATED_SYSTEM_SECRET`

* don't hash when rotated system secret is empty

* add test for rotated system secret getter

Signed-off-by: Shota SAWADA
---
 cmd/root.go                          | 3 +++
 cmd/server/handler_oauth2_factory.go | 2 +-
 config/config.go                     | 7 ++++++-
 config/config_test.go                | 7 +++++++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 5c4b7f82a57..2ac76a652a5 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -138,6 +138,9 @@ func initConfig() {
 	viper.BindEnv("SYSTEM_SECRET")
 	viper.SetDefault("SYSTEM_SECRET", "")
 
+	viper.BindEnv("ROTATED_SYSTEM_SECRET")
+	viper.SetDefault("ROTATED_SYSTEM_SECRET", "")
+
 	viper.BindEnv("CLIENT_SECRET")
 	viper.SetDefault("CLIENT_SECRET", "")
 
diff --git a/cmd/server/handler_oauth2_factory.go b/cmd/server/handler_oauth2_factory.go
index 86bc67c4930..38589583f08 100644
--- a/cmd/server/handler_oauth2_factory.go
+++ b/cmd/server/handler_oauth2_factory.go
@@ -94,7 +94,7 @@ func newOAuth2Provider(c *config.Config) fosite.OAuth2Provider {
 	}
 
 	var coreStrategy foauth2.CoreStrategy
-	hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), nil)
+	hmacStrategy := compose.NewOAuth2HMACStrategy(fc, c.GetSystemSecret(), c.GetRotatedSystemSecrets())
 	if c.OAuth2AccessTokenStrategy == "jwt" {
 		kid := uuid.New()
 		if _, err := createOrGetJWK(c, oauth2.OAuth2JWTKeyName, kid, "private"); err != nil {
diff --git a/config/config.go b/config/config.go
index 766fb20d291..686bee12d03 100644
--- a/config/config.go
+++ b/config/config.go
@@ -364,7 +364,8 @@ func (c *Config) Context() *Context {
 		Hasher: hasher,
 		FositeStrategy: &foauth2.HMACSHAStrategy{
 			Enigma: &hmac.HMACStrategy{
-				GlobalSecret: c.GetSystemSecret(),
+				GlobalSecret:         c.GetSystemSecret(),
+				RotatedGlobalSecrets: c.GetRotatedSystemSecrets(),
 			},
 			AccessTokenLifespan:   c.GetAccessTokenLifespan(),
 			AuthorizeCodeLifespan: c.GetAuthCodeLifespan(),
@@ -396,6 +397,10 @@ func (c *Config) GetCookieSecret() []byte {
 }
 
 func (c *Config) GetRotatedSystemSecrets() [][]byte {
+	if len(c.RotatedSystemSecret) == 0 {
+		return nil
+	}
+
 	return [][]byte{
 		pkg.HashStringSecret(c.RotatedSystemSecret),
 	}
diff --git a/config/config_test.go b/config/config_test.go
index 35355d551b9..c8f3f78d163 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -105,6 +105,13 @@ func TestSystemSecret(t *testing.T) {
 	assert.EqualValues(t, c.GetSystemSecret(), c2.GetSystemSecret())
 }
 
+func TestRotatedSystemSecrets(t *testing.T) {
+	c := &Config{RotatedSystemSecret: "foobarbazbarasdfasdffoobarbazbarasdfasdf"}
+	assert.EqualValues(t, c.GetRotatedSystemSecrets(), c.GetRotatedSystemSecrets())
+	c2 := &Config{RotatedSystemSecret: ""}
+	assert.Nil(t, c2.GetRotatedSystemSecrets())
+}
+
 func TestResolve(t *testing.T) {
 	c := &Config{EndpointURL: "https://localhost:1234"}
 	assert.Equal(t, c.Resolve("foo", "bar").String(), "https://localhost:1234/foo/bar")
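Review bot: GetRotatedSystemSecrets only guards against an empty RotatedSystemSecret and otherwise hashes whatever string is set, so a short or weak rotated secret becomes a fully trusted HMAC verification key for every token presented to the server. GetSystemSecret is outside this hunk, but if it rejects secrets below a minimum length (the 40-character value in the test suggests such a rule exists), the rotated path should apply the same check before hashing, e.g. `if len(c.RotatedSystemSecret) < 32 { /* fail the same way GetSystemSecret does */ }`, rather than silently accepting a weaker key. The exported getter also lacks a doc comment; I would add `// GetRotatedSystemSecrets returns the previous system secret, hashed, so tokens issued under it still verify; it returns nil when ROTATED_SYSTEM_SECRET is unset.` and note there that the rotated secret is verification-only and must be removed once tokens issued under it have expired, otherwise the old key stays live indefinitely.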
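Review bot: The first assertion in TestRotatedSystemSecrets compares c.GetRotatedSystemSecrets() with itself, so it only proves the getter is deterministic and would still pass if it returned the plaintext secret, an empty slice, or several entries. Pin the expected value instead, `assert.EqualValues(t, [][]byte{pkg.HashStringSecret(c.RotatedSystemSecret)}, c.GetRotatedSystemSecrets())` (assuming config_test can import pkg; otherwise at least `assert.Len(t, c.GetRotatedSystemSecrets(), 1)`), and add an assertion that the returned bytes differ from the raw string so a regression that skips hashing is caught.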