feat(go): delete useless double pub key

pathwar · May 17, 2023 · 77b23a7 · 77b23a7
1 parent 89a1b04
commit 77b23a7
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 66 deletions.
diff --git a/go/cmd/pathwar/util.go b/go/cmd/pathwar/util.go
@@ -67,7 +67,7 @@ var (
 func ssoFromFlags() (pwsso.Client, error) {
 	ssoOpts.Logger = logger.Named("sso")
 	ssoOpts.ApplyDefaults()
-	sso, err := pwsso.New(ssoOpts.Pubkey, ssoOpts.Pubkey2, ssoOpts.Realm, ssoOpts)
+	sso, err := pwsso.New(ssoOpts.Pubkey, ssoOpts.Realm, ssoOpts)
 	if err != nil {
 		return nil, errcode.ErrInitSSOClient.Wrap(err)
 	}

diff --git a/go/pkg/pwsso/client.go b/go/pkg/pwsso/client.go
@@ -21,16 +21,12 @@ type Opts struct {
 	Realm        string
 	TokenFile    string
 	Pubkey       string
-
-	// TODO: Adapt the code to support multiple public keys or use a single one
-	Pubkey2 string
 }
 
 // NewOpts returns sane default values for development
 func NewOpts() Opts {
 	return Opts{
 		Pubkey:       "",
-		Pubkey2:      "",
 		Realm:        testingRealm,
 		ClientID:     testingClientID,
 		ClientSecret: "",
@@ -44,9 +40,6 @@ func (opts *Opts) ApplyDefaults() {
 	if opts.Pubkey == "" {
 		opts.Pubkey = testingPubKey
 	}
-	if opts.Pubkey2 == "" {
-		opts.Pubkey2 = testingPubKey2
-	}
 }
 
 type Client interface {
@@ -56,15 +49,14 @@ type Client interface {
 }
 
 type client struct {
-	publicKey  interface{} // result of x509.ParsePKIXPublicKey
-	publicKey2 interface{} // result of x509.ParsePKIXPublicKey
-	logger     *zap.Logger
-	realm      string
-	clientID   string
-	opts       Opts
+	publicKey interface{} // result of x509.ParsePKIXPublicKey
+	logger    *zap.Logger
+	realm     string
+	clientID  string
+	opts      Opts
 }
 
-func New(publicKey string, publicKey2 string, realm string, opts Opts) (Client, error) {
+func New(publicKey string, realm string, opts Opts) (Client, error) {
 	c := &client{
 		opts:   opts,
 		realm:  realm,
@@ -89,19 +81,5 @@ func New(publicKey string, publicKey2 string, realm string, opts Opts) (Client,
 		c.publicKey = parsedKey
 	}
 
-	{ // parse public key 2
-		key := []byte(fmt.Sprintf("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n", publicKey2))
-		pubPem, _ := pem.Decode(key)
-		if pubPem == nil {
-			return nil, errcode.ErrSSOInvalidPublicKey
-		}
-
-		parsedKey, err := x509.ParsePKIXPublicKey(pubPem.Bytes)
-		if err != nil {
-			return nil, errcode.ErrSSOInvalidPublicKey.Wrap(err)
-		}
-		c.publicKey2 = parsedKey
-	}
-
 	return c, nil
 }
diff --git a/go/pkg/pwsso/testing.go b/go/pkg/pwsso/testing.go
@@ -11,7 +11,6 @@ import (
 
 const (
 	testingPubKey   = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlEFxLlywsbI5BQ7DVkA66fICWGIYPpD+aZNYRR7SIc0zdtJR4xMOt5CjM0vbYT4z2a1U2yl0ewunyxFm8niS8w6mKYFnOS4nnSchQyIAmJkpLC4eAjijCdEHdr8mSqamThSrVRGSYEEsa+adidC13kRDy7NDKhvZb8F0YqnktNk6WHSlb8r2QRLPJ1DX534jjXPY6l/eoHuLJAOZxBlfwV5Dg37TVmf2xAH812E7ZigycLAvhsMvr5x2jLavAEEnZZmlQf4cyQ4tlMzKS1Zp0NcdOGS/i6lrndc5pNtZQuGr8IGBrEbTRFUiavn/HDnyalYZy8T5LakXRdVaKdshAQIDAQAB"
-	testingPubKey2  = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmHSUp0A03r8otAKytg6W\n/R0sYwsdekziPSe94fICL1ia/e5SFPKxWXHLkIJyxKuKg3ozMrQoThpfzbhof8zG\nBDt5O6u9Y9ur1hb73vXpUTDsJafuh2VbvznjKQjn+rqC2vd3MaP2xZJ8M+k3gGMu\nOsRDwCqmlnlPfvfXwmyEFGjNW0maf/p2awFVmVTo4FyDrRh6FrXO8uprZRcGbTyM\nMeOX9wGD5cskiuF+gtqlX5DSz7w2bx4znKW1V9Fbu3WlFDONvaPbWGsbSVQjnItN\nWGRL01e9ZFM5CAAJbGGnYKhHyCseEuDihkwhshrewzsjDmkzQ8tJrmW2B/Npr3k/\n0wIDAQAB"
 	testingRealm    = "Pathwar-Dev"
 	testingClientID = "platform-cli"
 	testingToken    = "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJDck10ZmN1cjFDcVNtT28teHZacUt0ZTRoODk4ZjZpYl9KOGk5TXZDck5zIn0.eyJqdGkiOiI0ZGE4ZTM2NS1iZTkzLTRmMGEtYmU0ZC0yNDdjMzA4OGZmNWUiLCJleHAiOjE1ODM0Mjc1MTIsIm5iZiI6MCwiaWF0IjoxNTgzNDI3MjEyLCJpc3MiOiJodHRwczovL2lkLnBhdGh3YXIubGFuZC9hdXRoL3JlYWxtcy9QYXRod2FyLURldiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiIwNDgyNjZiOS0yY2M4LTQ2ZjMtOTcyZC0zN2YyZDhmY2M3NWIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwbGF0Zm9ybS1jbGkiLCJub25jZSI6IjZlMWUyYjc4LTk0MjgtNDRhNi04ZjIwLTA5NTY3ZTE1Y2FjMyIsImF1dGhfdGltZSI6MTU4MzQyNzIwNywic2Vzc2lvbl9zdGF0ZSI6ImEyMzg2N2U2LTc0ZjEtNGRmOS04ZDRiLWU5NTVlMWRmMmYxNCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicGxhdGZvcm0tY2xpIjp7InJvbGVzIjpbImFnZW50IiwiYWRtaW4iXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSBvZmZsaW5lX2FjY2VzcyIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJuYW1lIjoiTWFuZnJlZCBUb3Vyb24iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJtb3VsIiwiZ2l2ZW5fbmFtZSI6Ik1hbmZyZWQiLCJmYW1pbHlfbmFtZSI6IlRvdXJvbiIsImVtYWlsIjoibUA0Mi5hbSJ9.I9jYiBGCacaBiqndq1EsinZxY-uWRjdHZbFRdE9CWsSiOEJzKGznufEppk0bj2XmAm4GwfWey55U-jHh91KgnDJG7XsgA2p_t-LX1yj4EgrHxcXQ0PiOKU19br4kbCfKVaOMsBQqa-pGyZVFwVc9rYmGA6xtx6No1O5j-tdsizp5-HVNil0E195ZnSoMiNk9yJsG8-ta7wrQ6u9PqPbnEuhltu6SZyfAD7gTw2RUDu77LKISIaJCPbD5IPj2Rtv2gfM4BoZ8TiMYO_DSRIAWsFc1C1z8iR6-BvAvOAfqDV4GeyD9DQsMDxz5qYmTnHnXMrVNSvYd6aehwyDik-ERIA"
@@ -27,7 +26,7 @@ func TestingClaims(t *testing.T) *Claims {
 
 func TestingToken(t *testing.T) *jwt.Token {
 	t.Helper()
-	token, _, err := TokenWithClaims(testingToken, testingPubKey, testingPubKey2, true)
+	token, _, err := TokenWithClaims(testingToken, testingPubKey, true)
 	if err != nil {
 		t.Fatalf("parse token: %v", err)
 	}
@@ -36,7 +35,7 @@ func TestingToken(t *testing.T) *jwt.Token {
 
 func TestingToken2(t *testing.T) *jwt.Token {
 	t.Helper()
-	token, _, err := TokenWithClaims(testingToken2, testingPubKey, testingPubKey2, true)
+	token, _, err := TokenWithClaims(testingToken2, testingPubKey, true)
 	if err != nil {
 		t.Fatalf("parse token: %v", err)
 	}
@@ -50,7 +49,7 @@ func TestingSSO(t *testing.T, logger *zap.Logger) Client {
 		Logger:      logger,
 		ClientID:    testingClientID,
 	}
-	sso, err := New(testingPubKey, testingPubKey2, testingRealm, ssoOpts)
+	sso, err := New(testingPubKey, testingRealm, ssoOpts)
 	if err != nil {
 		t.Fatalf("init SSO: %v", err)
 	}

diff --git a/go/pkg/pwsso/token.go b/go/pkg/pwsso/token.go
@@ -9,7 +9,7 @@ import (
 )
 
 func (c *client) TokenWithClaims(bearer string) (*jwt.Token, jwt.MapClaims, error) {
-	token, claims, err := TokenWithClaims(bearer, c.publicKey, c.publicKey2, c.opts.AllowUnsafe)
+	token, claims, err := TokenWithClaims(bearer, c.publicKey, c.opts.AllowUnsafe)
 	if err != nil {
 		c.logger.Warn("token with claims",
 			zap.Error(err),
@@ -21,7 +21,7 @@ func (c *client) TokenWithClaims(bearer string) (*jwt.Token, jwt.MapClaims, erro
 	return token, claims, err
 }
 
-func TokenWithClaims(bearer string, pubkey interface{}, pubkey2 interface{}, allowUnsafe bool) (*jwt.Token, jwt.MapClaims, error) {
+func TokenWithClaims(bearer string, pubkey interface{}, allowUnsafe bool) (*jwt.Token, jwt.MapClaims, error) {
 	claims := jwt.MapClaims{}
 
 	// FIXME: add an option to automatically fetch the public key from
@@ -32,32 +32,24 @@ func TokenWithClaims(bearer string, pubkey interface{}, pubkey2 interface{}, all
 	kf := func(token *jwt.Token) (interface{}, error) {
 		return pubkey, nil
 	}
-
-	kf2 := func(token *jwt.Token) (interface{}, error) {
-		return pubkey2, nil
-	}
-
 	token, err := jwt.ParseWithClaims(bearer, claims, kf)
 	if err != nil {
-		token, err = jwt.ParseWithClaims(bearer, claims, kf2)
-		if err != nil {
-			if allowUnsafe {
-				zap.L().Warn(
-					"invalid token",
-					zap.Error(err),
-					zap.Bool("client-unsafe", true),
-				)
-				parser := new(jwt.Parser)
-				token, _, err := parser.ParseUnverified(bearer, claims)
-				if err != nil {
-					return nil, nil, errcode.ErrSSOInvalidBearer.Wrap(err)
-				}
-				return token, claims, nil
-			}
-			e, ok := err.(*jwt.ValidationError)
-			if !ok || (ok && e.Errors&jwt.ValidationErrorIssuedAt == 0) { // don't report error that token used before issued.
+		if allowUnsafe {
+			zap.L().Warn(
+				"invalid token",
+				zap.Error(err),
+				zap.Bool("client-unsafe", true),
+			)
+			parser := new(jwt.Parser)
+			token, _, err := parser.ParseUnverified(bearer, claims)
+			if err != nil {
 				return nil, nil, errcode.ErrSSOInvalidBearer.Wrap(err)
 			}
+			return token, claims, nil
+		}
+		e, ok := err.(*jwt.ValidationError)
+		if !ok || (ok && e.Errors&jwt.ValidationErrorIssuedAt == 0) { // don't report error that token used before issued.
+			return nil, nil, errcode.ErrSSOInvalidBearer.Wrap(err)
 		}
 	}
 	return token, claims, nil
@@ -122,22 +114,16 @@ func ClaimsFromToken(token *jwt.Token) *Claims {
 		claims.ActionToken.Exp = &t
 	}
 
-	// pathwar specific
-	if v := mc["preferred_username"]; v != nil {
-		claims.PreferredUsername = v.(string)
+	// OIDC specific
+	if v := mc["nickname"]; v != nil {
+		claims.Nickname = v.(string)
 	}
 	if v := mc["email"]; v != nil {
 		claims.Email = v.(string)
 	}
 	if v := mc["email_verified"]; v != nil {
 		claims.EmailVerified = v.(bool)
 	}
-	if v := mc["given_name"]; v != nil {
-		claims.GivenName = v.(string)
-	}
-	if v := mc["family_name"]; v != nil {
-		claims.FamilyName = v.(string)
-	}
 
 	//FIXME: add more claims
 	return claims