Merge 0d91cbd into 6b9dd26

.travis.yml

@@ -31,7 +31,8 @@ script:
   - $GOPATH/bin/hydra token client --skip-tls-verify
 
 after_success:
-  - gox -ldflags "-X github.com/ory-am/hydra/cmd.Version=`git describe --tags` -X github.com/ory-am/hydra/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory-am/hydra/cmd.GitHash=`git rev-parse HEAD`" -output "dist/{{.Dir}}-{{.OS}}-{{.Arch}}"
+  - |-
+    [ "${TRAVIS_TAG}" != "" ] && [ "${TRAVIS_GO_VERSION}" == "1.7" ] && gox -ldflags "-X github.com/ory-am/hydra/cmd.Version=`git describe --tags` -X github.com/ory-am/hydra/cmd.BuildTime=`TZ=UTC date -u '+%Y-%m-%dT%H:%M:%SZ'` -X github.com/ory-am/hydra/cmd.GitHash=`git rev-parse HEAD`" -output "dist/ {.Dir}}-{{.OS}}-{{.Arch}}"
 
 deploy:
   provider: releases

client/handler.go

@@ -5,12 +5,12 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/pkg/errors"
 	"github.com/julienschmidt/httprouter"
 	"github.com/ory-am/common/rand/sequence"
 	"github.com/ory-am/hydra/firewall"
 	"github.com/ory-am/hydra/herodot"
 	"github.com/ory-am/ladon"
+	"github.com/pkg/errors"
 )
 
 type Handler struct {
@@ -46,10 +46,10 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 		return
 	}
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: ClientsResource,
 		Action:   "create",
-		Context: ladon.Context{
+		Context: map[string]interface{}{
 			"owner": c.Owner,
 		},
 	}, Scope); err != nil {
@@ -93,7 +93,7 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.P
 		return
 	}
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: ClientsResource,
 		Action:   "update",
 		Context: ladon.Context{
@@ -120,7 +120,7 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.P
 func (h *Handler) GetAll(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = herodot.NewContext()
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: ClientsResource,
 		Action:   "get",
 	}, Scope); err != nil {
@@ -152,7 +152,7 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 		return
 	}
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: fmt.Sprintf(ClientResource, id),
 		Action:   "get",
 		Context: ladon.Context{
@@ -171,7 +171,7 @@ func (h *Handler) Delete(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	var ctx = herodot.NewContext()
 	var id = ps.ByName("id")
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: fmt.Sprintf(ClientResource, id),
 		Action:   "delete",
 	}, Scope); err != nil {

client/manager_memory.go

@@ -3,12 +3,12 @@ package client
 import (
 	"sync"
 
-	"github.com/pkg/errors"
+	"github.com/imdario/mergo"
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/hash"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/pborman/uuid"
-	"github.com/imdario/mergo"
+	"github.com/pkg/errors"
 )
 
 type MemoryManager struct {

client/manager_rethinkdb.go

@@ -5,14 +5,14 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
+	"github.com/imdario/mergo"
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/hash"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/pborman/uuid"
+	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 	r "gopkg.in/dancannon/gorethink.v2"
-	"github.com/imdario/mergo"
 )
 
 type RethinkManager struct {

cmd/cli/handler_warden.go

@@ -5,21 +5,21 @@ import (
 	"fmt"
 
 	"github.com/ory-am/hydra/config"
+	"github.com/ory-am/hydra/oauth2"
 	"github.com/ory-am/hydra/pkg"
-	"github.com/ory-am/hydra/warden"
 	"github.com/spf13/cobra"
 	"golang.org/x/net/context"
 )
 
 type WardenHandler struct {
 	Config *config.Config
-	M      *warden.HTTPWarden
+	M      *oauth2.HTTPIntrospector
 }
 
 func newWardenHandler(c *config.Config) *WardenHandler {
 	return &WardenHandler{
 		Config: c,
-		M:      &warden.HTTPWarden{},
+		M:      &oauth2.HTTPIntrospector{},
 	}
 }
 
@@ -34,11 +34,11 @@ func (h *WardenHandler) IsAuthorized(cmd *cobra.Command, args []string) {
 	}
 
 	scopes, _ := cmd.Flags().GetStringSlice("scopes")
-	res, err := h.M.TokenValid(context.Background(), args[0], scopes...)
+	res, err := h.M.IntrospectToken(context.Background(), args[0], scopes...)
 	pkg.Must(err, "Could not validate token: %s", err)
 
 	out, err := json.MarshalIndent(res, "", "\t")
-	pkg.Must(err, "Could not marshall keys: %s", err)
+	pkg.Must(err, "Could not prettify token: %s", err)
 
 	fmt.Printf("%s\n", out)
 }

cmd/server/handler.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
 	"github.com/julienschmidt/httprouter"
 	"github.com/meatballhat/negroni-logrus"
 	"github.com/ory-am/hydra/client"
@@ -19,6 +18,7 @@ import (
 	"github.com/ory-am/hydra/policy"
 	"github.com/ory-am/hydra/warden"
 	"github.com/ory-am/ladon"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/urfave/negroni"
 	"golang.org/x/net/context"

cmd/server/handler_oauth2_factory.go

@@ -5,7 +5,6 @@ import (
 	"net/url"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
 	"github.com/julienschmidt/httprouter"
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/compose"
@@ -16,6 +15,7 @@ import (
 	"github.com/ory-am/hydra/jwk"
 	"github.com/ory-am/hydra/oauth2"
 	"github.com/ory-am/hydra/pkg"
+	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 	r "gopkg.in/dancannon/gorethink.v2"
 )

cmd/server/helper_cert.go

@@ -10,10 +10,10 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
 	"github.com/ory-am/hydra/config"
 	"github.com/ory-am/hydra/jwk"
 	"github.com/ory-am/hydra/pkg"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"github.com/square/go-jose"

cmd/server/helper_keys.go

@@ -5,10 +5,10 @@ import (
 	"crypto/rsa"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
 	"github.com/ory-am/hydra/config"
 	"github.com/ory-am/hydra/jwk"
 	"github.com/ory-am/hydra/pkg"
+	"github.com/pkg/errors"
 )
 
 func createRS256KeysIfNotExist(c *config.Config, set, kid, use string) {

config/backend_connections.go

@@ -9,8 +9,8 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
 	"github.com/ory-am/hydra/pkg"
+	"github.com/pkg/errors"
 	"github.com/spf13/viper"
 	r "gopkg.in/dancannon/gorethink.v2"
 )

config/config.go

@@ -13,12 +13,12 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
 	foauth2 "github.com/ory-am/fosite/handler/oauth2"
 	"github.com/ory-am/fosite/hash"
 	"github.com/ory-am/fosite/token/hmac"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/ory-am/ladon"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 	"golang.org/x/net/context"

connection/handler.go

@@ -6,12 +6,11 @@ import (
 	"net/http"
 
 	"github.com/asaskevich/govalidator"
-	"github.com/pkg/errors"
 	"github.com/julienschmidt/httprouter"
 	"github.com/ory-am/hydra/firewall"
 	"github.com/ory-am/hydra/herodot"
-	"github.com/ory-am/ladon"
 	"github.com/pborman/uuid"
+	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 )
 
@@ -52,7 +51,7 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	var conn Connection
 	var ctx = context.Background()
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: connectionsResource,
 		Action:   "create",
 	}, scope); err != nil {
@@ -85,7 +84,7 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, ps httprouter.P
 func (h *Handler) FindLocal(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = context.Background()
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: connectionsResource,
 		Action:   "find",
 	}, scope); err != nil {
@@ -105,7 +104,7 @@ func (h *Handler) FindLocal(w http.ResponseWriter, r *http.Request, ps httproute
 func (h *Handler) FindRemote(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = context.Background()
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: connectionsResource,
 		Action:   "find",
 	}, scope); err != nil {
@@ -126,7 +125,7 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 	var ctx = context.Background()
 	var id = ps.ByName("id")
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: fmt.Sprintf(connectionResource, id),
 		Action:   "get",
 	}, scope); err != nil {
@@ -147,7 +146,7 @@ func (h *Handler) Delete(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	var ctx = context.Background()
 	var id = ps.ByName("id")
 
-	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &firewall.TokenAccessRequest{
 		Resource: fmt.Sprintf(connectionResource, id),
 		Action:   "delete",
 	}, scope); err != nil {

connection/manager_memory.go

@@ -3,8 +3,8 @@ package connection
 import (
 	"sync"
 
-	"github.com/pkg/errors"
 	"github.com/ory-am/hydra/pkg"
+	"github.com/pkg/errors"
 )
 
 type MemoryManager struct {

connection/manager_rethinkdb.go

@@ -8,8 +8,8 @@ import (
 	"time"
 
 	"github.com/Sirupsen/logrus"
-	"github.com/pkg/errors"
 	"github.com/ory-am/hydra/pkg"
+	"github.com/pkg/errors"
 	"golang.org/x/net/context"
 )
 

docs/sdk/go.md

@@ -110,7 +110,7 @@ func anyHttpHandler(w http.ResponseWriter, r *http.Request) {
     fmt.Sprintf("%s", ctx.Subject)
 
     // Check if a token is valid and the token's subject fulfills the policy based access request.
-    ctx, err := hydra.Warden.TokenAllowed(context.Background(), "access-token", &ladon.Request{
+    ctx, err := hydra.Warden.TokenAllowed(context.Background(), "access-token", &firewall.TokenAccessRequest{
         Resource: "matrix",
         Action:   "create",
         Context:  ladon.Context{},

firewall/warden.go

@@ -5,7 +5,6 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/ory-am/ladon"
 	"golang.org/x/net/context"
 )
 
@@ -34,37 +33,56 @@ type Context struct {
 	Extra map[string]interface{} `json:"ext"`
 }
 
+// AccessRequest is the warden's request object.
+type AccessRequest struct {
+	// Resource is the resource that access is requested to.
+	Resource string `json:"resource"`
+
+	// Action is the action that is requested on the resource.
+	Action string `json:"action"`
+
+	// Subejct is the subject that is requesting access.
+	Subject string `json:"subject"`
+
+	// Context is the request's environmental context.
+	Context map[string]interface{} `json:"context"`
+}
+
+type TokenAccessRequest struct {
+	// Resource is the resource that access is requested to.
+	Resource string `json:"resource"`
+
+	// Action is the action that is requested on the resource.
+	Action string `json:"action"`
+
+	// Context is the request's environmental context.
+	Context map[string]interface{} `json:"context"`
+}
+
 // Firewall offers various validation strategies for access tokens.
 type Firewall interface {
-	// TokenValid checks if the given token is valid and if the requested scopes are satisfied. Returns
-	// a context if the token is valid and an error if not.
-	//
-	//  ctx, err := firewall.TokenValid(context.Background(), "access-token", "photos", "files")
-	//  fmt.Sprintf("%s", ctx.Subject)
-	TokenValid(ctx context.Context, token string, scopes ...string) (*Context, error)
-
 	// IsAllowed uses policies to return nil if the access request can be fulfilled or an error if not.
 	//
-	//  ctx, err := firewall.IsAllowed(context.Background(), &ladon.Request{
+	//  ctx, err := firewall.IsAllowed(context.Background(), &AccessRequest{
 	//    Subject:  "alice",
 	//    Resource: "matrix",
 	//    Action:   "create",
 	//    Context:  ladon.Context{},
 	//  }, "photos", "files")
 	//
 	//  fmt.Sprintf("%s", ctx.Subject)
-	IsAllowed(ctx context.Context, accessRequest *ladon.Request) error
+	IsAllowed(ctx context.Context, accessRequest *AccessRequest) error
 
 	// TokenAllowed uses policies and a token to return a context and no error if the access request can be fulfilled or an error if not.
 	//
-	//  ctx, err := firewall.TokenAllowed(context.Background(), "access-token", &ladon.Request{
+	//  ctx, err := firewall.TokenAllowed(context.Background(), "access-token", &TokenAccessRequest{
 	//    Resource: "matrix",
 	//    Action:   "create",
 	//    Context:  ladon.Context{},
 	//  }, "photos", "files")
 	//
 	//  fmt.Sprintf("%s", ctx.Subject)
-	TokenAllowed(ctx context.Context, token string, accessRequest *ladon.Request, scopes ...string) (*Context, error)
+	TokenAllowed(ctx context.Context, token string, accessRequest *TokenAccessRequest, scopes ...string) (*Context, error)
 
 	// TokenFromRequest returns an access token from the HTTP Authorization header.
 	//