Forces use of UTC time everywhere

ory · Dec 14, 2017 · 0cda6ce · 0cda6ce
1 parent 030c96c
commit 0cda6ce
Show file tree

Hide file tree

Showing 34 changed files with 269 additions and 35 deletions.
diff --git a/cmd/root.go b/cmd/root.go
@@ -34,7 +34,7 @@ var cfgFile string
 
 var (
 	Version   = "dev-master"
-	BuildTime = time.Now().String()
+	BuildTime = time.Now().UTC().String()
 	GitHash   = "undefined"
 )
 

diff --git a/cmd/server/helper_cert.go b/cmd/server/helper_cert.go
@@ -146,8 +146,8 @@ func createSelfSignedCertificate(key interface{}) (cert *x509.Certificate, err e
 			Organization: []string{"Hydra"},
 			CommonName:   "Hydra",
 		},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(time.Hour * 24 * 7),
+		NotBefore:             time.Now().UTC(),
+		NotAfter:              time.Now().UTC().Add(time.Hour * 24 * 7),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,

diff --git a/compose/firewall.go b/compose/firewall.go
@@ -73,7 +73,7 @@ func NewMockFirewallWithStore(issuer string, subject string, scopes fosite.Argum
 			L:                   l,
 		}, conf.Client(oauth2.NoContext, &oauth2.Token{
 			AccessToken: tokens[0][1],
-			Expiry:      time.Now().Add(time.Hour),
+			Expiry:      time.Now().UTC().Add(time.Hour),
 			TokenType:   "bearer",
 		})
 }
diff --git a/docs/api.swagger.json b/docs/api.swagger.json
@@ -1894,6 +1894,22 @@
           "type": "string",
           "x-go-name": "RedirectURL"
         },
+        "requestedAcr": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "x-go-name": "RequestedACR"
+        },
+        "requestedMaxAge": {
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "MaxAge"
+        },
+        "requestedPrompt": {
+          "type": "string",
+          "x-go-name": "RequestedPrompt"
+        },
         "requestedScopes": {
           "description": "RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator.",
           "type": "array",
@@ -1963,6 +1979,12 @@
     "Handler": {
       "type": "object",
       "properties": {
+        "Generators": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/KeyGenerator"
+          }
+        },
         "H": {
           "$ref": "#/definitions/Writer"
         },
@@ -1976,7 +1998,7 @@
           "$ref": "#/definitions/Firewall"
         }
       },
-      "x-go-package": "github.com/ory/hydra/warden/group"
+      "x-go-package": "github.com/ory/hydra/jwk"
     },
     "KeyGenerator": {
       "type": "object",
@@ -2013,6 +2035,12 @@
           },
           "x-go-name": "AccessTokenExtra"
         },
+        "authTime": {
+          "description": "AuthTime is the time when the End-User authentication occurred. Its value is a JSON number representing the\nnumber of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.",
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "AuthTime"
+        },
         "grantScopes": {
           "description": "A list of scopes that the user agreed to grant. It should be a subset of requestedScopes from the consent request.",
           "type": "array",
@@ -2029,6 +2057,11 @@
           },
           "x-go-name": "IDTokenExtra"
         },
+        "providedAcr": {
+          "description": "ProvidedAuthenticationContextClassReference specifies an Authentication Context Class Reference value that identifies\nthe Authentication Context Class that the authentication performed satisfied. The value \"0\" indicates the End-User\nauthentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1.\n\nIn summary ISO/IEC 29115 defines four levels, broadly summarized as follows.\n\nacr=0 does not satisfy Level 1 and could be, for example, authentication using a long-lived browser cookie.\nLevel 1 (acr=1): Minimal confidence in the asserted identity of the entity, but enough confidence that the\nentity is the same over consecutive authentication events. For example presenting a self-registered\nusername or password.\nLevel 2 (acr=2): There is some confidence in the asserted identity of the entity. For example confirming\nauthentication using a mobile app (\"Something you have\").\nLevel 3 (acr=3): High confidence in an asserted identity of the entity. For example sending a code to a mobile\nphone or using Google Authenticator or a fingerprint scanner (\"Something you have and something you know\" / \"Something you are\")\nLevel 4 (acr=4): Very high confidence in an asserted identity of the entity. Requires in-person identification.",
+          "type": "string",
+          "x-go-name": "ProvidedAuthenticationContextClassReference"
+        },
         "subject": {
           "description": "Subject represents a unique identifier of the user (or service, or legal entity, ...) that accepted the\nOAuth2 request.",
           "type": "string",
@@ -2042,6 +2075,11 @@
       "type": "object",
       "title": "RejectConsentRequestPayload represents data that will be used to reject a consent request.",
       "properties": {
+        "error": {
+          "description": "Error can be used to return an OpenID Connect or OAuth 2.0 error to the OAuth 2.0 client, such as login_required,\ninteraction_required, consent_required.",
+          "type": "string",
+          "x-go-name": "Error"
+        },
         "reason": {
           "description": "Reason represents the reason why the user rejected the consent request.",
           "type": "string",
@@ -2331,10 +2369,29 @@
           "x-go-name": "ID"
         },
         "redirectUrl": {
-          "description": "Redirect URL is the URL where the user agent should be redirected to after the consent has been\naccepted or rejected.",
+          "description": "RedirectURL is the URL where the user agent should be redirected to after the consent has been\naccepted or rejected.",
           "type": "string",
           "x-go-name": "RedirectURL"
         },
+        "requestedAcr": {
+          "description": "RequestedAuthenticationContextClassReference specifies an Authentication Context Class Reference value that identifies\nthe Authentication Context Class that the authentication performed satisfied. The value \"0\" indicates the End-User\nauthentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1.\n\nIn summary ISO/IEC 29115 defines four levels, broadly summarized as follows.\n\nacr=0 does not satisfy Level 1 and could be, for example, authentication using a long-lived browser cookie.\nLevel 1 (acr=1): Minimal confidence in the asserted identity of the entity, but enough confidence that the\nentity is the same over consecutive authentication events. For example presenting a self-registered\nusername or password.\nLevel 2 (acr=2): There is some confidence in the asserted identity of the entity. For example confirming\nauthentication using a mobile app (\"Something you have\").\nLevel 3 (acr=3): High confidence in an asserted identity of the entity. For example sending a code to a mobile\nphone or using Google Authenticator or a fingerprint scanner (\"Something you have and something you know\" / \"Something you are\")\nLevel 4 (acr=4): Very high confidence in an asserted identity of the entity. Requires in-person identification.",
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "x-go-name": "RequestedAuthenticationContextClassReference"
+        },
+        "requestedMaxAge": {
+          "description": "MaxAge specifies the allowable elapsed time in seconds since the last time the End-User was actively\nauthenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively\nre-authenticate the End-User.",
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "MaxAge"
+        },
+        "requestedPrompt": {
+          "description": "Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server\nprompts the End-User for reauthentication and consent. The defined values are:\n\nnone: The consent app MUST NOT display any authentication or consent user interface pages. An error is returned\nif an End-User is not already authenticated or the Client does not have pre-configured consent for the requested\nClaims or does not fulfill other conditions for processing the request. The error code will typically be\nlogin_required, interaction_required. This can be used as a method to check for existing authentication and/or consent.\nlogin: The consent app SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the\nEnd-User, it MUST return an error, typically login_required.\nconsent: The consent app SHOULD prompt the End-User for consent before returning information to the Client.\nIf it cannot obtain consent, it MUST return an error, typically consent_required.\nselect_account: The consent app SHOULD prompt the End-User to select a user account. This enables an End-User\nwho has multiple accounts at the Authorization Server to select amongst the multiple accounts that they\nmight have current sessions for. If it cannot obtain an account selection choice made by the End-User,\nit MUST return an error, typically account_selection_required.\n\nThe prompt parameter can be used by the Client to make sure that the End-User is still present for the current\nsession or to bring attention to the request. If this parameter contains none with any other value, an error is returned.",
+          "type": "string",
+          "x-go-name": "Prompt"
+        },
         "requestedScopes": {
           "description": "RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator.",
           "type": "array",
@@ -3108,8 +3165,8 @@
         "token_endpoint",
         "jwks_uri",
         "subject_types_supported",
-        "id_token_signing_alg_values_supported",
-        "response_types_supported"
+        "response_types_supported",
+        "id_token_signing_alg_values_supported"
       ],
       "properties": {
         "authorization_endpoint": {
@@ -3126,12 +3183,12 @@
           "x-go-name": "ClaimsSupported"
         },
         "id_token_signing_alg_values_supported": {
-          "description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT [JWT]. The algorithm RS256 MUST be included. The value none MAY be supported,\nbut MUST NOT be used unless the Response Type used returns no ID Token from the Authorization Endpoint\n(such as when using the Authorization Code Flow).",
+          "description": "JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token\nto encode the Claims in a JWT.",
           "type": "array",
           "items": {
             "type": "string"
           },
-          "x-go-name": "SigningAlgs"
+          "x-go-name": "IDTokenSigningAlgValuesSupported"
         },
         "issuer": {
           "description": "URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier.\nIf Issuer discovery is supported , this value MUST be identical to the issuer value returned\nby WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.",
@@ -3172,6 +3229,14 @@
           "type": "string",
           "x-go-name": "TokenURL"
         },
+        "token_endpoint_auth_methods_supported": {
+          "description": "JSON array containing a list of Client Authentication methods supported by this Token Endpoint. The options are\nclient_secret_post, client_secret_basic, client_secret_jwt, and private_key_jwt, as described in Section 9 of OpenID Connect Core 1.0",
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "x-go-name": "TokenEndpointAuthMethodsSupported"
+        },
         "userinfo_endpoint": {
           "description": "URL of the OP's UserInfo Endpoint.",
           "type": "string",

diff --git a/metrics/metrics.go b/metrics/metrics.go
@@ -165,7 +165,7 @@ func (sw *Snapshot) Update() {
 		NumGC:        m.NumGC,
 	}
 
-	sw.UpTime = int64(time.Now().Sub(sw.start) / time.Second)
+	sw.UpTime = int64(time.Now().UTC().Sub(sw.start) / time.Second)
 
 }
 

diff --git a/metrics/middleware.go b/metrics/middleware.go
@@ -65,7 +65,7 @@ func NewMetricsManager(issuerURL string, databaseURL string, l logrus.FieldLogge
 			Metrics:        newMetrics(),
 			HTTPMetrics:    newHttpMetrics(),
 			Paths:          map[string]*PathMetrics{},
-			start:          time.Now(),
+			start:          time.Now().UTC(),
 		},
 		internalID:  uuid.New(),
 		Segment:     analytics.New("h8dRH3kVCWKkIFWydBmWsyYHR4M0u0vr"),
@@ -179,9 +179,9 @@ func (sw *MetricsManager) ServeHTTP(rw http.ResponseWriter, r *http.Request, nex
 	sw.Unlock()
 
 	// Latency
-	start := time.Now()
+	start := time.Now().UTC()
 	next(rw, r)
-	latency := time.Now().Sub(start) / time.Millisecond
+	latency := time.Now().UTC().Sub(start) / time.Millisecond
 
 	// Collecting request info
 	res := rw.(negroni.ResponseWriter)

diff --git a/metrics/middleware_test.go b/metrics/middleware_test.go
@@ -33,7 +33,7 @@ import (
 )
 
 func TestMiddleware(t *testing.T) {
-	rand.Seed(time.Now().Unix())
+	rand.Seed(time.Now().UTC().Unix())
 	mw := metrics.NewMetricsManager("", "", logrus.StandardLogger())
 	n := negroni.New()
 	r := httprouter.New()
@@ -88,7 +88,7 @@ func TestMiddleware(t *testing.T) {
 }
 
 func TestRacyMiddleware(t *testing.T) {
-	rand.Seed(time.Now().Unix())
+	rand.Seed(time.Now().UTC().Unix())
 	mw := metrics.NewMetricsManager("", "", logrus.StandardLogger())
 	n := negroni.New()
 	r := httprouter.New()

diff --git a/pkg/retry.go b/pkg/retry.go
@@ -25,15 +25,15 @@ func Retry(logger logrus.FieldLogger, maxWait time.Duration, failAfter time.Dura
 	var lastStart time.Time
 	err = errors.New("Did not connect.")
 	loopWait := time.Millisecond * 100
-	retryStart := time.Now()
-	for retryStart.Add(failAfter).After(time.Now()) {
-		lastStart = time.Now()
+	retryStart := time.Now().UTC()
+	for retryStart.Add(failAfter).After(time.Now().UTC()) {
+		lastStart = time.Now().UTC()
 		if err = f(); err == nil {
 			return nil
 		}
 
-		if lastStart.Add(maxWait * 2).Before(time.Now()) {
-			retryStart = time.Now()
+		if lastStart.Add(maxWait * 2).Before(time.Now().UTC()) {
+			retryStart = time.Now().UTC()
 		}
 
 		LogError(err, logger)

diff --git a/sdk/go/hydra/swagger/consent_request.go b/sdk/go/hydra/swagger/consent_request.go
@@ -21,6 +21,12 @@ type ConsentRequest struct {
 	// Redirect URL is the URL where the user agent should be redirected to after the consent has been accepted or rejected.
 	RedirectUrl string `json:"redirectUrl,omitempty"`
 
+	RequestedAcr []string `json:"requestedAcr,omitempty"`
+
+	RequestedMaxAge int64 `json:"requestedMaxAge,omitempty"`
+
+	RequestedPrompt string `json:"requestedPrompt,omitempty"`
+
 	// RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator.
 	RequestedScopes []string `json:"requestedScopes,omitempty"`
 }
diff --git a/sdk/go/hydra/swagger/consent_request_acceptance.go b/sdk/go/hydra/swagger/consent_request_acceptance.go
@@ -15,12 +15,18 @@ type ConsentRequestAcceptance struct {
 	// AccessTokenExtra represents arbitrary data that will be added to the access token and that will be returned on introspection and warden requests.
 	AccessTokenExtra map[string]interface{} `json:"accessTokenExtra,omitempty"`
 
+	// AuthTime is the time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
+	AuthTime int64 `json:"authTime,omitempty"`
+
 	// A list of scopes that the user agreed to grant. It should be a subset of requestedScopes from the consent request.
 	GrantScopes []string `json:"grantScopes,omitempty"`
 
 	// IDTokenExtra represents arbitrary data that will be added to the ID token. The ID token will only be issued if the user agrees to it and if the client requested an ID token.
 	IdTokenExtra map[string]interface{} `json:"idTokenExtra,omitempty"`
 
+	// ProvidedAuthenticationContextClassReference specifies an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value \"0\" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1.  In summary ISO/IEC 29115 defines four levels, broadly summarized as follows.  acr=0 does not satisfy Level 1 and could be, for example, authentication using a long-lived browser cookie. Level 1 (acr=1): Minimal confidence in the asserted identity of the entity, but enough confidence that the entity is the same over consecutive authentication events. For example presenting a self-registered username or password. Level 2 (acr=2): There is some confidence in the asserted identity of the entity. For example confirming authentication using a mobile app (\"Something you have\"). Level 3 (acr=3): High confidence in an asserted identity of the entity. For example sending a code to a mobile phone or using Google Authenticator or a fingerprint scanner (\"Something you have and something you know\" / \"Something you are\") Level 4 (acr=4): Very high confidence in an asserted identity of the entity. Requires in-person identification.
+	ProvidedAcr string `json:"providedAcr,omitempty"`
+
 	// Subject represents a unique identifier of the user (or service, or legal entity, ...) that accepted the OAuth2 request.
 	Subject string `json:"subject,omitempty"`
 }
diff --git a/sdk/go/hydra/swagger/consent_request_rejection.go b/sdk/go/hydra/swagger/consent_request_rejection.go
@@ -12,6 +12,9 @@ package swagger
 
 type ConsentRequestRejection struct {
 
+	// Error can be used to return an OpenID Connect or OAuth 2.0 error to the OAuth 2.0 client, such as login_required, interaction_required, consent_required.
+	Error_ string `json:"error,omitempty"`
+
 	// Reason represents the reason why the user rejected the consent request.
 	Reason string `json:"reason,omitempty"`
 }
diff --git a/sdk/go/hydra/swagger/docs/ConsentRequest.md b/sdk/go/hydra/swagger/docs/ConsentRequest.md
@@ -6,6 +6,9 @@ Name | Type | Description | Notes
 **ClientId** | **string** | ClientID is the client id that initiated the OAuth2 request. | [optional] [default to null]
 **Id** | **string** | ID is the id of this consent request. | [optional] [default to null]
 **RedirectUrl** | **string** | Redirect URL is the URL where the user agent should be redirected to after the consent has been accepted or rejected. | [optional] [default to null]
+**RequestedAcr** | **[]string** |  | [optional] [default to null]
+**RequestedMaxAge** | **int64** |  | [optional] [default to null]
+**RequestedPrompt** | **string** |  | [optional] [default to null]
 **RequestedScopes** | **[]string** | RequestedScopes represents a list of scopes that have been requested by the OAuth2 request initiator. | [optional] [default to null]
 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)