update

plimble · May 24, 2017 · b6e9e60 · b6e9e60
1 parent 065e21a
commit b6e9e60
Show file tree

Hide file tree

Showing 6 changed files with 158 additions and 93 deletions.
diff --git a/oauth2/accesstoken.go b/oauth2/accesstoken.go
@@ -15,3 +15,13 @@ type AccessToken struct {
 func (a *AccessToken) Valid() bool {
 	return a != nil && a.AccessToken != "" && time.Now().UTC().Unix() > a.Expired
 }
+
+func (a *AccessToken) HasScope(scopes ...string) bool {
+	for _, scope := range scopes {
+		if ok := HierarchicScope(scope, a.Scopes); !ok {
+			return false
+		}
+	}
+
+	return true
+}
diff --git a/oauth2/storage.go b/oauth2/storage.go
@@ -1,6 +1,7 @@
 package oauth2
 
 type Storage interface {
+	GetClient(id string) (*Client, error)
 	GetClientWithSecret(id, secret string) (*Client, error)
 	GetRefreshToken(refreshToken string) (*RefreshToken, error)
 	GetAuthorizeCode(code string) (*AuthorizeCode, error)

diff --git a/oauth2/token_jwt.go b/oauth2/token_jwt.go
@@ -50,6 +50,7 @@ func (c *JWTTokenGenerator) CreateAccessToken(req *CreateAccessTokenRequest) (st
 		"iat":        now.Unix(),
 		"token_type": "bearer",
 		"scope":      strings.Join(req.Scopes, " "),
+		"extra":      req.Extras,
 	})
 
 	return token.SignedString(c.privateKey)
@@ -82,3 +83,59 @@ func (c *JWTTokenGenerator) CreateCode() string {
 func (c *JWTTokenGenerator) CreateRefreshToken() string {
 	return uuid.NewV4().String()
 }
+
+type JWTAccessToken struct {
+	Audience  string
+	ExpiresAt int64
+	ID        string
+	IssuedAt  int64
+	Issuer    string
+	Subject   string
+	Extra     map[string]interface{}
+	Scopes    []string
+}
+
+func (a *JWTAccessToken) Valid() bool {
+	return a != nil && time.Now().UTC().Unix() > a.ExpiresAt
+}
+
+func (a *JWTAccessToken) HasScope(scopes ...string) bool {
+	for _, scope := range scopes {
+		if ok := HierarchicScope(scope, a.Scopes); !ok {
+			return false
+		}
+	}
+
+	return true
+}
+
+func ClaimJWTAccessToken(publicKey *rsa.PublicKey, accesstoken string) (*JWTAccessToken, error) {
+	jwttoken, err := jwt.Parse(accesstoken, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
+			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+		}
+
+		return publicKey, nil
+	})
+	if err != nil || !jwttoken.Valid {
+		return nil, errors.New("Invalid token")
+	}
+
+	claims, ok := jwttoken.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, errors.New("Invalid jwt")
+	}
+
+	at := &JWTAccessToken{
+		Audience:  claims["aud"].(string),
+		ExpiresAt: claims["exp"].(int64),
+		ID:        claims["jti"].(string),
+		IssuedAt:  claims["iat"].(int64),
+		Issuer:    claims["iss"].(string),
+		Subject:   claims["sub"].(string),
+		Extra:     claims["extra"].(map[string]interface{}),
+		Scopes:    strings.Fields(claims["scope"].(string)),
+	}
+
+	return at, nil
+}
diff --git a/storage/dynamodb/storage.go b/storage/dynamodb/storage.go
@@ -31,16 +31,13 @@ func New(id, secret, region string) (*DynamoDB, error) {
 	return &DynamoDB{dynamodb.New(sess), cache}, nil
 }
 
-func (s *DynamoDB) GetClientWithSecret(id, secret string) (*oauth2.Client, error) {
+func (s *DynamoDB) GetClient(id string) (*oauth2.Client, error) {
 	res, err := s.db.GetItem(&dynamodb.GetItemInput{
 		TableName: aws.String("oauth_client"),
 		Key: map[string]*dynamodb.AttributeValue{
 			"id": {
 				S: aws.String(id),
 			},
-			"s": {
-				S: aws.String(secret),
-			},
 		},
 	})
 
@@ -58,6 +55,19 @@ func (s *DynamoDB) GetClientWithSecret(id, secret string) (*oauth2.Client, error
 	return c, err
 }
 
+func (s *DynamoDB) GetClientWithSecret(id, secret string) (*oauth2.Client, error) {
+	client, err := s.GetClient(id)
+	if err != nil {
+		return nil, err
+	}
+
+	if client.Secret != secret {
+		return nil, oauth2.DbNotFoundError(err)
+	}
+
+	return client, nil
+}
+
 func (s *DynamoDB) GetRefreshToken(refreshToken string) (*oauth2.RefreshToken, error) {
 	res, err := s.db.GetItem(&dynamodb.GetItemInput{
 		TableName: aws.String("oauth_refreshtoken"),

diff --git a/storage/dynamodb/storage_test.go b/storage/dynamodb/storage_test.go
@@ -42,10 +42,14 @@ func TestCRUDClient(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, expc, c)
 
+	c, err = db.GetClient(expc.ID)
+	require.NoError(t, err)
+	require.Equal(t, expc, c)
+
 	_, err = db.db.DeleteItem(&dynamodb.DeleteItemInput{
 		TableName: aws.String("oauth_client"),
 		Key: map[string]*dynamodb.AttributeValue{
-			"c": {
+			"id": {
 				S: aws.String(c.ID),
 			},
 		},
@@ -55,6 +59,7 @@ func TestCRUDClient(t *testing.T) {
 	c, err = db.GetClientWithSecret(c.ID, c.Secret)
 	require.Equal(t, oauth2.DbNotFoundError(nil), err)
 	require.Nil(t, c)
+
 }
 
 func TestCRUDAccessToken(t *testing.T) {