update

plimble · May 12, 2017 · 6013809 · 6013809
1 parent 1595f48
commit 6013809
Show file tree

Hide file tree

Showing 20 changed files with 356 additions and 154 deletions.
diff --git a/consent.go b/consent.go
@@ -22,7 +22,8 @@ type Challenge struct {
 
 //go:generate mockery -name Consent
 type Consent interface {
-	UrlWithChallenge(clientID, scope string) (*url.URL, string, error)
+	Url() string
+	UrlWithChallenge(clientID, scope, redirectUri string) (*url.URL, string, error)
 	ValidateChallenge(challenge string) (*Challenge, error)
 }
 
@@ -36,6 +37,10 @@ func NewConsent(privateKey *rsa.PrivateKey, consentUrl string, challengeLifeSpan
 	return &consent{privateKey, challengeLifeSpan, consentUrl}
 }
 
+func (c *consent) Url() string {
+	return c.consentUrl
+}
+
 func (c *consent) ValidateChallenge(challenge string) (*Challenge, error) {
 	jwttoken, err := jwt.Parse(challenge, func(token *jwt.Token) (interface{}, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
@@ -64,15 +69,16 @@ func (c *consent) ValidateChallenge(challenge string) (*Challenge, error) {
 	return ch, nil
 }
 
-func (c *consent) UrlWithChallenge(clientID, scope string) (*url.URL, string, error) {
+func (c *consent) UrlWithChallenge(clientID, scope, redirectURI string) (*url.URL, string, error) {
 	now := time.Now().UTC().Truncate(time.Nanosecond)
 
 	id := uuid.New()
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
-		"jti": id,
-		"aud": clientID,
-		"scp": scope,
-		"exp": now.Add(time.Minute * time.Duration(c.challengeLifeSpan)).Unix(),
+		"jti":   id,
+		"aud":   clientID,
+		"scp":   scope,
+		"exp":   now.Add(time.Minute * time.Duration(c.challengeLifeSpan)).Unix(),
+		"redir": redirectURI,
 	})
 
 	challenge, err := token.SignedString(c.privateKey)

diff --git a/consent/client.go b/consent/client.go
diff --git a/errors.go b/errors.go
@@ -44,6 +44,7 @@ var (
 	errChallengeExpired         = Error(400, "invalid_request", `challenge token has expire`)
 	errResponseTypeUnSupported  = Error(400, "invalid_request", `Response type unsupported`)
 	errInvalidClient            = Error(400, "invalid_grant", `Invalid client`)
+	errUserDenied               = Error(400, "invalid_request", `User denied authorize`)
 )
 
 func ErrGrantTypeNotSupport(grantType string) *errorRes {

diff --git a/flow_authorize.go b/flow_authorize.go
@@ -38,6 +38,10 @@ func (f *authorizeFlow) Run(ctx *AuthorizeContext) *AuthorizeRes {
 		return &AuthorizeRes{RedirectURI: url, Error: err}
 	}
 
+	if ctx.Challenge == "denied" {
+		return &AuthorizeRes{Error: errUserDenied}
+	}
+
 	if err = f.validateChallenge(ctx); err != nil {
 		return &AuthorizeRes{Error: err}
 	}
@@ -136,7 +140,11 @@ func (f *authorizeFlow) validateChallenge(ctx *AuthorizeContext) error {
 }
 
 func (f *authorizeFlow) createRedirectConsentURL(ctx *AuthorizeContext) (*url.URL, error) {
-	consentUrl, consentid, err := f.consent.UrlWithChallenge(ctx.Client.ID, strings.Join(ctx.Scopes, " "))
+	u := *ctx.request.URL
+	u.RawQuery = ""
+	u.Fragment = ""
+
+	consentUrl, consentid, err := f.consent.UrlWithChallenge(ctx.Client.ID, strings.Join(ctx.Scopes, " "), u.String())
 	if err != nil {
 		return nil, errInternalServer.WithCause(err)
 	}

diff --git a/glide.lock b/glide.lock
diff --git a/glide.yaml b/glide.yaml
@@ -19,3 +19,6 @@ import:
 - package: golang.org/x/crypto
   subpackages:
   - acme/autocert
+- package: golang.org/x/net
+  subpackages:
+  - context
diff --git a/mocks/Consent.go b/mocks/Consent.go
@@ -9,29 +9,43 @@ type Consent struct {
 	mock.Mock
 }
 
-// UrlWithChallenge provides a mock function with given fields: clientID, scope
-func (_m *Consent) UrlWithChallenge(clientID string, scope string) (*url.URL, string, error) {
-	ret := _m.Called(clientID, scope)
+// Url provides a mock function with given fields:
+func (_m *Consent) Url() string {
+	ret := _m.Called()
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func() string); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	return r0
+}
+
+// UrlWithChallenge provides a mock function with given fields: clientID, scope, redirectUri
+func (_m *Consent) UrlWithChallenge(clientID string, scope string, redirectUri string) (*url.URL, string, error) {
+	ret := _m.Called(clientID, scope, redirectUri)
 
 	var r0 *url.URL
-	if rf, ok := ret.Get(0).(func(string, string) *url.URL); ok {
-		r0 = rf(clientID, scope)
+	if rf, ok := ret.Get(0).(func(string, string, string) *url.URL); ok {
+		r0 = rf(clientID, scope, redirectUri)
 	} else {
 		if ret.Get(0) != nil {
 			r0 = ret.Get(0).(*url.URL)
 		}
 	}
 
 	var r1 string
-	if rf, ok := ret.Get(1).(func(string, string) string); ok {
-		r1 = rf(clientID, scope)
+	if rf, ok := ret.Get(1).(func(string, string, string) string); ok {
+		r1 = rf(clientID, scope, redirectUri)
 	} else {
 		r1 = ret.Get(1).(string)
 	}
 
 	var r2 error
-	if rf, ok := ret.Get(2).(func(string, string) error); ok {
-		r2 = rf(clientID, scope)
+	if rf, ok := ret.Get(2).(func(string, string, string) error); ok {
+		r2 = rf(clientID, scope, redirectUri)
 	} else {
 		r2 = ret.Error(2)
 	}

diff --git a/oauth2.go b/oauth2.go
@@ -40,11 +40,7 @@ func New(clientStorage ClientStorage, tokenStorage TokenStorage, strategy *Strat
 		tokenStore:            o.tokenStorage,
 	}
 
-	o.consent = NewConsent(
-		nil,
-		o.strategy.authorizeConfig.ConsentUrl,
-		o.strategy.authorizeConfig.ChallengeLifeSpan,
-	)
+	o.consent = o.strategy.authorizeConfig.Consent
 
 	o.accessTokenFlow = &accessTokenFlow{
 		tokenManager:   o.tokenManager,
@@ -110,13 +106,13 @@ func (o *oauth2) IntrospectionHandler(w http.ResponseWriter, r *http.Request) {
 func (o *oauth2) AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
 	ctx, err := parseAuthorizeRequest(w, r)
 	if err != nil {
-		redirectError(&ctx.HTTPContext, o.strategy.authorizeConfig.ConsentUrl, err)
+		redirectError(&ctx.HTTPContext, o.consent.Url(), err)
 		return
 	}
 
 	res := o.authorizeFlow.Run(ctx)
 	if res.Error != nil {
-		redirectError(&ctx.HTTPContext, o.strategy.authorizeConfig.ConsentUrl, err)
+		redirectError(&ctx.HTTPContext, o.consent.Url(), err)
 		return
 	}
 

diff --git a/scope.go b/scope.go
@@ -1,10 +1,5 @@
 package clover
 
-type Scope struct {
-	ID          string `json:"id"`
-	Description string `json:"description"`
-}
-
 //go:generate mockery -name ScopeValidator
 type ScopeValidator interface {
 	// Validate the request scopes and is it allowed in client scopes

diff --git a/scope/mocks/ScopeStorage.go b/scope/mocks/ScopeStorage.go
@@ -1,23 +1,23 @@
 package mocks
 
-import clover "github.com/plimble/clover"
 import mock "github.com/stretchr/testify/mock"
+import scope "github.com/plimble/clover/scope"
 
 // ScopeStorage is an autogenerated mock type for the ScopeStorage type
 type ScopeStorage struct {
 	mock.Mock
 }
 
 // GetScopeByIDs provides a mock function with given fields: ids
-func (_m *ScopeStorage) GetScopeByIDs(ids []string) ([]*clover.Scope, error) {
+func (_m *ScopeStorage) GetScopeByIDs(ids []string) ([]*scope.Scope, error) {
 	ret := _m.Called(ids)
 
-	var r0 []*clover.Scope
-	if rf, ok := ret.Get(0).(func([]string) []*clover.Scope); ok {
+	var r0 []*scope.Scope
+	if rf, ok := ret.Get(0).(func([]string) []*scope.Scope); ok {
 		r0 = rf(ids)
 	} else {
 		if ret.Get(0) != nil {
-			r0 = ret.Get(0).([]*clover.Scope)
+			r0 = ret.Get(0).([]*scope.Scope)
 		}
 	}
 

diff --git a/scope/scope.go b/scope/scope.go
@@ -4,12 +4,16 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
-	"github.com/plimble/clover"
 )
 
+type Scope struct {
+	ID          string `json:"id"`
+	Description string `json:"description"`
+}
+
 //go:generate mockery -name ScopeStorage
 type ScopeStorage interface {
-	GetScopeByIDs(ids []string) ([]*clover.Scope, error)
+	GetScopeByIDs(ids []string) ([]*Scope, error)
 }
 
 type ScopeValidator struct {