package op import ( "context" "crypto/rsa" "errors" "net/url" "reflect" "strings" "time" "git.coopgo.io/coopgo-platform/mobility-accounts/handlers" "git.coopgo.io/coopgo-platform/mobility-accounts/storage" "github.com/mitchellh/mapstructure" "github.com/ory/fosite" "github.com/ory/fosite/compose" "github.com/ory/fosite/handler/openid" "gopkg.in/square/go-jose.v2" ) func NewProvider(c OIDCNamespaceConfig, h handlers.MobilityAccountsHandler, s storage.Storage, privateKey *rsa.PrivateKey) fosite.OAuth2Provider { config := &compose.Config{ RedirectSecureChecker: func(checkUrl *url.URL) bool { if strings.HasSuffix(checkUrl.Host, "svc.cluster.local") || strings.HasSuffix(checkUrl.Host, "localhost") { return true } return false }, } storage := NewOIDCProviderStore(c, h, s.KV) secret := []byte(c.SecretKey) return compose.ComposeAllEnabled(config, storage, secret, privateKey) } type OIDCProviderStore struct { Namespace string MobilityAccountsHandler handlers.MobilityAccountsHandler KV storage.KVStore Clients map[string]fosite.Client } func NewOIDCProviderStore(c OIDCNamespaceConfig, h handlers.MobilityAccountsHandler, storage storage.KVStore) *OIDCProviderStore { clients := map[string]fosite.Client{} for _, v := range c.Clients { client := &fosite.DefaultClient{ ID: v.ID, Secret: []byte(v.Secret), RedirectURIs: v.RedirectURIs, ResponseTypes: v.ResponseTypes, GrantTypes: v.GrantTypes, Scopes: v.Scopes, Audience: v.Audience, Public: v.Public, } if v.OIDC { oidc_client := &fosite.DefaultOpenIDConnectClient{ DefaultClient: client, TokenEndpointAuthMethod: v.TokenEndpointAuthMethod, } clients[v.ID] = oidc_client } else { clients[v.ID] = client } } return &OIDCProviderStore{ MobilityAccountsHandler: h, KV: storage, Clients: clients, } } func (s *OIDCProviderStore) GetClient(_ context.Context, id string) (fosite.Client, error) { cl, ok := s.Clients[id] if !ok { return nil, fosite.ErrNotFound } return cl, nil } func (s *OIDCProviderStore) Authenticate(_ context.Context, name string, secret string) error { _, err := s.MobilityAccountsHandler.Login(name, secret, s.Namespace) if err != nil { return fosite.ErrNotFound } return nil } func (s *OIDCProviderStore) CreateOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) error { err := s.KV.Put("id_sessions/"+authorizeCode, requester) if err != nil { return err } return nil } func (s *OIDCProviderStore) GetOpenIDConnectSession(_ context.Context, authorizeCode string, requester fosite.Requester) (fosite.Requester, error) { d, err := s.KV.Get("id_sessions/" + authorizeCode) if err != nil { return nil, fosite.ErrNotFound } //return d.(fosite.Requester), nil return DecodeRequest(d) // req := fosite.NewRequest() // req.Session = new(openid.DefaultSession) // decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ // Metadata: nil, // DecodeHook: mapstructure.ComposeDecodeHookFunc( // ToTimeHookFunc()), // Result: &req, // }) // if err != nil { // return req, err // } // if err = decoder.Decode(d); err != nil { // return req, err // } // return req, nil } // DeleteOpenIDConnectSession is not really called from anywhere and it is deprecated. func (s *OIDCProviderStore) DeleteOpenIDConnectSession(_ context.Context, authorizeCode string) error { err := s.KV.Delete("id_sessions/" + authorizeCode) if err != nil { return err } return nil } func (s *OIDCProviderStore) ClientAssertionJWTValid(_ context.Context, jti string) error { if _, exists := s.KV.Get("blacklisted_jtis/" + jti); exists == nil { return fosite.ErrJTIKnown } return nil } func (s *OIDCProviderStore) SetClientAssertionJWT(_ context.Context, jti string, exp time.Time) error { if _, exists := s.KV.Get("blacklisted_jtis/" + jti); exists == nil { return fosite.ErrJTIKnown } duration := exp.Sub(time.Now()) if duration < 0 { return errors.New("already expired") } err := s.KV.PutWithTTL("blacklisted_jtis/"+jti, true, duration) if err != nil { return err } return nil } func (s *OIDCProviderStore) CreateAuthorizeCodeSession(_ context.Context, code string, req fosite.Requester) error { res := StoreAuthorizeCode{ Active: true, Requester: req.(*fosite.Request), } err := s.KV.Put("authorize_codes/"+code, res) if err != nil { return err } return nil } func (s *OIDCProviderStore) GetAuthorizeCodeSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error) { rel, err := s.KV.Get("authorize_codes/" + code) if err != nil { return nil, fosite.ErrNotFound } sac, err := DecodeStoreAuthorizeCode(rel) if err != nil { return nil, err } if !sac.Active { return sac.Requester, fosite.ErrInvalidatedAuthorizeCode } return sac.Requester, nil } func (s *OIDCProviderStore) InvalidateAuthorizeCodeSession(ctx context.Context, code string) error { rel, err := s.KV.Get("authorize_codes/" + code) if err != nil { return fosite.ErrNotFound } sac, err := DecodeStoreAuthorizeCode(rel) if err != nil { return err } sac.Active = false err = s.KV.Put("authorize_codes/"+code, sac) if err != nil { return err } return nil } func (s *OIDCProviderStore) CreatePKCERequestSession(_ context.Context, code string, req fosite.Requester) error { err := s.KV.Put("pkce/"+code, req) if err != nil { return err } return nil } func (s *OIDCProviderStore) GetPKCERequestSession(_ context.Context, code string, _ fosite.Session) (fosite.Requester, error) { rel, err := s.KV.Get("pkce/" + code) if err != nil { return nil, fosite.ErrNotFound } req := fosite.NewRequest() req.Session = new(fosite.DefaultSession) decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ Metadata: nil, DecodeHook: mapstructure.ComposeDecodeHookFunc( ToTimeHookFunc()), Result: &req, }) if err != nil { return req, err } if err = decoder.Decode(rel); err != nil { return req, err } return req, nil } func (s *OIDCProviderStore) DeletePKCERequestSession(_ context.Context, code string) error { err := s.KV.Delete("pkce/" + code) if err != nil { return fosite.ErrNotFound } return nil } func (s *OIDCProviderStore) CreateAccessTokenSession(_ context.Context, signature string, req fosite.Requester) error { err := s.KV.Put("access_tokens/"+signature, req) if err != nil { return err } err = s.KV.Put("access_tokens_request_ids/"+req.GetID(), signature) if err != nil { return err } return nil } func (s *OIDCProviderStore) GetAccessTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error) { rel, err := s.KV.Get("access_tokens/" + signature) if err != nil { return nil, fosite.ErrNotFound } //return rel.(fosite.Requester), nil req := fosite.NewRequest() req.Session = new(fosite.DefaultSession) decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ Metadata: nil, DecodeHook: mapstructure.ComposeDecodeHookFunc( ToTimeHookFunc()), Result: &req, }) if err != nil { return req, err } if err = decoder.Decode(rel); err != nil { return req, err } return req, nil } func (s *OIDCProviderStore) DeleteAccessTokenSession(_ context.Context, signature string) error { err := s.KV.Delete("access_tokens/" + signature) if err != nil { return fosite.ErrNotFound } return nil } func (s *OIDCProviderStore) CreateRefreshTokenSession(_ context.Context, signature string, req fosite.Requester) error { err := s.KV.Put("refresh_tokens/"+signature, StoreRefreshToken{Active: true, Requester: req}) if err != nil { return err } err = s.KV.Put("refresh_tokens_request_ids/"+req.GetID(), signature) if err != nil { return err } return nil } func (s *OIDCProviderStore) GetRefreshTokenSession(_ context.Context, signature string, _ fosite.Session) (fosite.Requester, error) { rel, err := s.KV.Get("refresh_tokens/" + signature) if err != nil { return nil, fosite.ErrNotFound } var srt StoreRefreshToken if err = mapstructure.Decode(rel.(map[string]any), &srt); err != nil { return nil, err } if !srt.Active { return nil, fosite.ErrInactiveToken } return srt.Requester, nil } func (s *OIDCProviderStore) DeleteRefreshTokenSession(_ context.Context, signature string) error { err := s.KV.Delete("refresh_tokens/" + signature) if err != nil { return fosite.ErrNotFound } return nil } func (s *OIDCProviderStore) RevokeRefreshToken(ctx context.Context, requestID string) error { if signature, err := s.KV.Get("refresh_tokens_request_ids" + requestID); err == nil { rel, err := s.KV.Get("refresh_tokens/" + signature.(string)) if err != nil { return fosite.ErrNotFound } var srt StoreRefreshToken if err = mapstructure.Decode(rel.(map[string]any), &srt); err != nil { return err } srt.Active = false err = s.KV.Put("refresh_tokens/"+signature.(string), srt) if err != nil { return err } } return nil } func (s *OIDCProviderStore) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error { // no configuration option is available; grace period is not available with memory store return s.RevokeRefreshToken(ctx, requestID) } func (s *OIDCProviderStore) RevokeAccessToken(ctx context.Context, requestID string) error { if signature, err := s.KV.Get("access_tokens_request_ids/" + requestID); err != nil { if err := s.DeleteAccessTokenSession(ctx, signature.(string)); err != nil { return err } } return nil } func (s *OIDCProviderStore) GetPublicKey(ctx context.Context, issuer string, subject string, keyId string) (*jose.JSONWebKey, error) { if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil { var ipk IssuerPublicKeys if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil { return nil, err } if subKeys, ok := ipk.KeysBySub[subject]; ok { if keyScopes, ok := subKeys.Keys[keyId]; ok { return keyScopes.Key, nil } } } return nil, fosite.ErrNotFound } func (s *OIDCProviderStore) GetPublicKeys(ctx context.Context, issuer string, subject string) (*jose.JSONWebKeySet, error) { if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil { var ipk IssuerPublicKeys if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil { return nil, err } if subKeys, ok := ipk.KeysBySub[subject]; ok { if len(subKeys.Keys) == 0 { return nil, fosite.ErrNotFound } keys := make([]jose.JSONWebKey, 0, len(subKeys.Keys)) for _, keyScopes := range subKeys.Keys { keys = append(keys, *keyScopes.Key) } return &jose.JSONWebKeySet{Keys: keys}, nil } } return nil, fosite.ErrNotFound } func (s *OIDCProviderStore) GetPublicKeyScopes(ctx context.Context, issuer string, subject string, keyId string) ([]string, error) { if issuerKeys, err := s.KV.Get("issuer_public_keys/" + issuer); err == nil { var ipk IssuerPublicKeys if err = mapstructure.Decode(issuerKeys.(map[string]any), &ipk); err != nil { return nil, err } if subKeys, ok := ipk.KeysBySub[subject]; ok { if keyScopes, ok := subKeys.Keys[keyId]; ok { return keyScopes.Scopes, nil } } } return nil, fosite.ErrNotFound } func (s *OIDCProviderStore) IsJWTUsed(ctx context.Context, jti string) (bool, error) { err := s.ClientAssertionJWTValid(ctx, jti) if err != nil { return true, nil } return false, nil } func (s *OIDCProviderStore) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) error { return s.SetClientAssertionJWT(ctx, jti, exp) } // CreatePARSession stores the pushed authorization request context. The requestURI is used to derive the key. func (s *OIDCProviderStore) CreatePARSession(ctx context.Context, requestURI string, request fosite.AuthorizeRequester) error { err := s.KV.Put("par_sessions/"+requestURI, request) if err != nil { return err } return nil } // GetPARSession gets the push authorization request context. If the request is nil, a new request object // is created. Otherwise, the same object is updated. func (s *OIDCProviderStore) GetPARSession(ctx context.Context, requestURI string) (fosite.AuthorizeRequester, error) { rel, err := s.KV.Get("par_sessions/" + requestURI) if err != nil { return nil, fosite.ErrNotFound } return rel.(fosite.AuthorizeRequester), nil } // DeletePARSession deletes the context. func (s *OIDCProviderStore) DeletePARSession(ctx context.Context, requestURI string) error { err := s.KV.Delete("par_sessions/" + requestURI) if err != nil { return fosite.ErrNotFound } return nil } type StoreAuthorizeCode struct { Active bool `json:"active"` Requester *fosite.Request `json:"requester"` } func DecodeStoreAuthorizeCode(rel interface{}) (StoreAuthorizeCode, error) { sac := StoreAuthorizeCode{ Active: false, Requester: fosite.NewRequest(), } // metadata := mapstructure.Metadata{} sac.Requester.Session = new(openid.DefaultSession) decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ // Metadata: &metadata, DecodeHook: mapstructure.ComposeDecodeHookFunc( ToTimeHookFunc(), ToBytes(), ), TagName: "json", Result: &sac, }) if err != nil { return sac, err } if err = decoder.Decode(rel); err != nil { return sac, err } return sac, nil } func DecodeRequest(rel interface{}) (*fosite.Request, error) { req := fosite.NewRequest() req.Session = new(openid.DefaultSession) decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{ // Metadata: &metadata, DecodeHook: mapstructure.ComposeDecodeHookFunc( ToTimeHookFunc(), ToBytes(), ), TagName: "json", Result: &req, }) if err != nil { return req, err } if err = decoder.Decode(rel); err != nil { return req, err } return req, nil } type StoreRefreshToken struct { Active bool Requester fosite.Requester } type IssuerPublicKeys struct { Issuer string KeysBySub map[string]SubjectPublicKeys `mapstructure:"keys_by_sub"` } type SubjectPublicKeys struct { Subject string Keys map[string]PublicKeyScopes } type PublicKeyScopes struct { Key *jose.JSONWebKey Scopes []string } func ToTimeHookFunc() mapstructure.DecodeHookFunc { return func( f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) { if t != reflect.TypeOf(time.Time{}) { return data, nil } switch f.Kind() { case reflect.String: return time.Parse(time.RFC3339, data.(string)) case reflect.Float64: return time.Unix(0, int64(data.(float64))*int64(time.Millisecond)), nil case reflect.Int64: return time.Unix(0, data.(int64)*int64(time.Millisecond)), nil default: return data, nil } // Convert it by parsing } } func ToBytes() mapstructure.DecodeHookFunc { return func( f reflect.Type, t reflect.Type, data interface{}) (interface{}, error) { if t == reflect.TypeOf([]byte("")) && f.Kind() == reflect.String { return []byte(data.(string)), nil } return data, nil } }