dex/server/api.go

package server

import (
	"context"
	"errors"
	"fmt"

	"golang.org/x/crypto/bcrypt"

	"github.com/dexidp/dex/api/v2"
	"github.com/dexidp/dex/pkg/log"
	"github.com/dexidp/dex/server/internal"
	"github.com/dexidp/dex/storage"
	"github.com/dexidp/dex/version"
)

// apiVersion increases every time a new call is added to the API. Clients should use this info
// to determine if the server supports specific features.
const apiVersion = 2

const (
	// recCost is the recommended bcrypt cost, which balances hash strength and
	// efficiency.
	recCost = 12

	// upBoundCost is a sane upper bound on bcrypt cost determined by benchmarking:
	// high enough to ensure secure encryption, low enough to not put unnecessary
	// load on a dex server.
	upBoundCost = 16
)

// NewAPI returns a server which implements the gRPC API interface.
func NewAPI(s storage.Storage, logger log.Logger) api.DexServer {
	return dexAPI{
		s:      s,
		logger: logger,
	}
}

type dexAPI struct {
	s      storage.Storage
	logger log.Logger
}

func (d dexAPI) CreateClient(ctx context.Context, req *api.CreateClientReq) (*api.CreateClientResp, error) {
	if req.Client == nil {
		return nil, errors.New("no client supplied")
	}

	if req.Client.Id == "" {
		req.Client.Id = storage.NewID()
	}
	if req.Client.Secret == "" {
		req.Client.Secret = storage.NewID() + storage.NewID()
	}

	c := storage.Client{
		ID:           req.Client.Id,
		Secret:       req.Client.Secret,
		RedirectURIs: req.Client.RedirectUris,
		TrustedPeers: req.Client.TrustedPeers,
		Public:       req.Client.Public,
		Name:         req.Client.Name,
		LogoURL:      req.Client.LogoUrl,
	}
	if err := d.s.CreateClient(c); err != nil {
		if err == storage.ErrAlreadyExists {
			return &api.CreateClientResp{AlreadyExists: true}, nil
		}
		d.logger.Errorf("api: failed to create client: %v", err)
		return nil, fmt.Errorf("create client: %v", err)
	}

	return &api.CreateClientResp{
		Client: req.Client,
	}, nil
}

func (d dexAPI) UpdateClient(ctx context.Context, req *api.UpdateClientReq) (*api.UpdateClientResp, error) {
	if req.Id == "" {
		return nil, errors.New("update client: no client ID supplied")
	}

	err := d.s.UpdateClient(req.Id, func(old storage.Client) (storage.Client, error) {
		if req.RedirectUris != nil {
			old.RedirectURIs = req.RedirectUris
		}
		if req.TrustedPeers != nil {
			old.TrustedPeers = req.TrustedPeers
		}
		if req.Name != "" {
			old.Name = req.Name
		}
		if req.LogoUrl != "" {
			old.LogoURL = req.LogoUrl
		}
		return old, nil
	})
	if err != nil {
		if err == storage.ErrNotFound {
			return &api.UpdateClientResp{NotFound: true}, nil
		}
		d.logger.Errorf("api: failed to update the client: %v", err)
		return nil, fmt.Errorf("update client: %v", err)
	}
	return &api.UpdateClientResp{}, nil
}

func (d dexAPI) DeleteClient(ctx context.Context, req *api.DeleteClientReq) (*api.DeleteClientResp, error) {
	err := d.s.DeleteClient(req.Id)
	if err != nil {
		if err == storage.ErrNotFound {
			return &api.DeleteClientResp{NotFound: true}, nil
		}
		d.logger.Errorf("api: failed to delete client: %v", err)
		return nil, fmt.Errorf("delete client: %v", err)
	}
	return &api.DeleteClientResp{}, nil
}

// checkCost returns an error if the hash provided does not meet lower or upper
// bound cost requirements.
func checkCost(hash []byte) error {
	actual, err := bcrypt.Cost(hash)
	if err != nil {
		return fmt.Errorf("parsing bcrypt hash: %v", err)
	}
	if actual < bcrypt.DefaultCost {
		return fmt.Errorf("given hash cost = %d does not meet minimum cost requirement = %d", actual, bcrypt.DefaultCost)
	}
	if actual > upBoundCost {
		return fmt.Errorf("given hash cost = %d is above upper bound cost = %d, recommended cost = %d", actual, upBoundCost, recCost)
	}
	return nil
}

func (d dexAPI) CreatePassword(ctx context.Context, req *api.CreatePasswordReq) (*api.CreatePasswordResp, error) {
	if req.Password == nil {
		return nil, errors.New("no password supplied")
	}
	if req.Password.UserId == "" {
		return nil, errors.New("no user ID supplied")
	}
	if req.Password.Hash != nil {
		if err := checkCost(req.Password.Hash); err != nil {
			return nil, err
		}
	} else {
		return nil, errors.New("no hash of password supplied")
	}

	p := storage.Password{
		Email:    req.Password.Email,
		Hash:     req.Password.Hash,
		Username: req.Password.Username,
		UserID:   req.Password.UserId,
	}
	if err := d.s.CreatePassword(p); err != nil {
		if err == storage.ErrAlreadyExists {
			return &api.CreatePasswordResp{AlreadyExists: true}, nil
		}
		d.logger.Errorf("api: failed to create password: %v", err)
		return nil, fmt.Errorf("create password: %v", err)
	}

	return &api.CreatePasswordResp{}, nil
}

func (d dexAPI) UpdatePassword(ctx context.Context, req *api.UpdatePasswordReq) (*api.UpdatePasswordResp, error) {
	if req.Email == "" {
		return nil, errors.New("no email supplied")
	}
	if req.NewHash == nil && req.NewUsername == "" {
		return nil, errors.New("nothing to update")
	}

	if req.NewHash != nil {
		if err := checkCost(req.NewHash); err != nil {
			return nil, err
		}
	}

	updater := func(old storage.Password) (storage.Password, error) {
		if req.NewHash != nil {
			old.Hash = req.NewHash
		}

		if req.NewUsername != "" {
			old.Username = req.NewUsername
		}

		return old, nil
	}

	if err := d.s.UpdatePassword(req.Email, updater); err != nil {
		if err == storage.ErrNotFound {
			return &api.UpdatePasswordResp{NotFound: true}, nil
		}
		d.logger.Errorf("api: failed to update password: %v", err)
		return nil, fmt.Errorf("update password: %v", err)
	}

	return &api.UpdatePasswordResp{}, nil
}

func (d dexAPI) DeletePassword(ctx context.Context, req *api.DeletePasswordReq) (*api.DeletePasswordResp, error) {
	if req.Email == "" {
		return nil, errors.New("no email supplied")
	}

	err := d.s.DeletePassword(req.Email)
	if err != nil {
		if err == storage.ErrNotFound {
			return &api.DeletePasswordResp{NotFound: true}, nil
		}
		d.logger.Errorf("api: failed to delete password: %v", err)
		return nil, fmt.Errorf("delete password: %v", err)
	}
	return &api.DeletePasswordResp{}, nil
}

func (d dexAPI) GetVersion(ctx context.Context, req *api.VersionReq) (*api.VersionResp, error) {
	return &api.VersionResp{
		Server: version.Version,
		Api:    apiVersion,
	}, nil
}

func (d dexAPI) ListPasswords(ctx context.Context, req *api.ListPasswordReq) (*api.ListPasswordResp, error) {
	passwordList, err := d.s.ListPasswords()
	if err != nil {
		d.logger.Errorf("api: failed to list passwords: %v", err)
		return nil, fmt.Errorf("list passwords: %v", err)
	}

	var passwords []*api.Password
	for _, password := range passwordList {
		p := api.Password{
			Email:    password.Email,
			Username: password.Username,
			UserId:   password.UserID,
		}
		passwords = append(passwords, &p)
	}

	return &api.ListPasswordResp{
		Passwords: passwords,
	}, nil
}

func (d dexAPI) VerifyPassword(ctx context.Context, req *api.VerifyPasswordReq) (*api.VerifyPasswordResp, error) {
	if req.Email == "" {
		return nil, errors.New("no email supplied")
	}

	if req.Password == "" {
		return nil, errors.New("no password to verify supplied")
	}

	password, err := d.s.GetPassword(req.Email)
	if err != nil {
		if err == storage.ErrNotFound {
			return &api.VerifyPasswordResp{
				NotFound: true,
			}, nil
		}
		d.logger.Errorf("api: there was an error retrieving the password: %v", err)
		return nil, fmt.Errorf("verify password: %v", err)
	}

	if err := bcrypt.CompareHashAndPassword(password.Hash, []byte(req.Password)); err != nil {
		d.logger.Infof("api: password check failed: %v", err)
		return &api.VerifyPasswordResp{
			Verified: false,
		}, nil
	}
	return &api.VerifyPasswordResp{
		Verified: true,
	}, nil
}

func (d dexAPI) ListRefresh(ctx context.Context, req *api.ListRefreshReq) (*api.ListRefreshResp, error) {
	id := new(internal.IDTokenSubject)
	if err := internal.Unmarshal(req.UserId, id); err != nil {
		d.logger.Errorf("api: failed to unmarshal ID Token subject: %v", err)
		return nil, err
	}

	var refreshTokenRefs []*api.RefreshTokenRef
	offlineSessions, err := d.s.GetOfflineSessions(id.UserId, id.ConnId)
	if err != nil {
		if err == storage.ErrNotFound {
			// This means that this user-client pair does not have a refresh token yet.
			// An empty list should be returned instead of an error.
			return &api.ListRefreshResp{
				RefreshTokens: refreshTokenRefs,
			}, nil
		}
		d.logger.Errorf("api: failed to list refresh tokens %t here : %v", err == storage.ErrNotFound, err)
		return nil, err
	}

	for _, session := range offlineSessions.Refresh {
		r := api.RefreshTokenRef{
			Id:        session.ID,
			ClientId:  session.ClientID,
			CreatedAt: session.CreatedAt.Unix(),
			LastUsed:  session.LastUsed.Unix(),
		}
		refreshTokenRefs = append(refreshTokenRefs, &r)
	}

	return &api.ListRefreshResp{
		RefreshTokens: refreshTokenRefs,
	}, nil
}

func (d dexAPI) RevokeRefresh(ctx context.Context, req *api.RevokeRefreshReq) (*api.RevokeRefreshResp, error) {
	id := new(internal.IDTokenSubject)
	if err := internal.Unmarshal(req.UserId, id); err != nil {
		d.logger.Errorf("api: failed to unmarshal ID Token subject: %v", err)
		return nil, err
	}

	var (
		refreshID string
		notFound  bool
	)
	updater := func(old storage.OfflineSessions) (storage.OfflineSessions, error) {
		refreshRef := old.Refresh[req.ClientId]
		if refreshRef == nil || refreshRef.ID == "" {
			d.logger.Errorf("api: refresh token issued to client %q for user %q not found for deletion", req.ClientId, id.UserId)
			notFound = true
			return old, storage.ErrNotFound
		}

		refreshID = refreshRef.ID

		// Remove entry from Refresh list of the OfflineSession object.
		delete(old.Refresh, req.ClientId)

		return old, nil
	}

	if err := d.s.UpdateOfflineSessions(id.UserId, id.ConnId, updater); err != nil {
		if err == storage.ErrNotFound {
			return &api.RevokeRefreshResp{NotFound: true}, nil
		}
		d.logger.Errorf("api: failed to update offline session object: %v", err)
		return nil, err
	}

	if notFound {
		return &api.RevokeRefreshResp{NotFound: true}, nil
	}

	// Delete the refresh token from the storage
	//
	// TODO(ericchiang): we don't have any good recourse if this call fails.
	// Consider garbage collection of refresh tokens with no associated ref.
	if err := d.s.DeleteRefresh(refreshID); err != nil {
		d.logger.Errorf("failed to delete refresh token: %v", err)
		return nil, err
	}

	return &api.RevokeRefreshResp{}, nil
}
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`package server`

			`import (`
Replace x/net/context with context of stdlib 2019-08-30 09:52:46 +00:00			`"context"`
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`"errors"`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`"fmt"`
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`"golang.org/x/crypto/bcrypt"`
*: update go-oidc and use standard library's context package 2017-03-08 18:33:19 +00:00
Add v2 api module 2020-07-01 12:20:57 +00:00			`"github.com/dexidp/dex/api/v2"`
Add logger interface and stop relying on Logrus directly 2019-02-22 12:19:23 +00:00			`"github.com/dexidp/dex/pkg/log"`
*: github.com/coreos/dex -> github.com/dexidp/dex Signed-off-by: Stephan Renatus <srenatus@chef.io> 2018-09-03 06:44:44 +00:00			`"github.com/dexidp/dex/server/internal"`
			`"github.com/dexidp/dex/storage"`
			`"github.com/dexidp/dex/version"`
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`)`

*: fix comment typos found with github.com/client9/misspell 2016-12-13 20:23:16 +00:00			`// apiVersion increases every time a new call is added to the API. Clients should use this info`
api: add gRPC definition for version endpoint. 2016-11-09 20:33:33 +00:00			`// to determine if the server supports specific features.`
api: Update timestamp type for RefreshTokenRef to int64. 2017-03-17 22:01:21 +00:00			`const apiVersion = 2`
api: add gRPC definition for version endpoint. 2016-11-09 20:33:33 +00:00
server: set sane bcrypt cost upper bound 2017-08-17 21:46:07 +00:00			`const (`
			`// recCost is the recommended bcrypt cost, which balances hash strength and`
			`// efficiency.`
			`recCost = 12`

			`// upBoundCost is a sane upper bound on bcrypt cost determined by benchmarking:`
			`// high enough to ensure secure encryption, low enough to not put unnecessary`
			`// load on a dex server.`
			`upBoundCost = 16`
			`)`
server: log bcrypt cost if > 12, error on runtime > 10s The bcrypt hashing algorithm runtime grows exponentially with cost, and might cause a timeout if the cost is too high. Notifying the user of high cost and of long running calculations will help with tuning and debugging. 2017-07-25 21:26:47 +00:00
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`// NewAPI returns a server which implements the gRPC API interface.`
Add logger interface and stop relying on Logrus directly 2019-02-22 12:19:23 +00:00			`func NewAPI(s storage.Storage, logger log.Logger) api.DexServer {`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`return dexAPI{`
			`s: s,`
			`logger: logger,`
			`}`
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`}`

			`type dexAPI struct {`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`s storage.Storage`
Add logger interface and stop relying on Logrus directly 2019-02-22 12:19:23 +00:00			`logger log.Logger`
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`}`

			`func (d dexAPI) CreateClient(ctx context.Context, req api.CreateClientReq) (api.CreateClientResp, error) {`
			`if req.Client == nil {`
			`return nil, errors.New("no client supplied")`
			`}`

			`if req.Client.Id == "" {`
			`req.Client.Id = storage.NewID()`
			`}`
			`if req.Client.Secret == "" {`
			`req.Client.Secret = storage.NewID() + storage.NewID()`
			`}`

			`c := storage.Client{`
			`ID: req.Client.Id,`
			`Secret: req.Client.Secret,`
			`RedirectURIs: req.Client.RedirectUris,`
			`TrustedPeers: req.Client.TrustedPeers,`
			`Public: req.Client.Public,`
			`Name: req.Client.Name,`
			`LogoURL: req.Client.LogoUrl,`
			`}`
			`if err := d.s.CreateClient(c); err != nil {`
storage: Surface "already exists" errors. 2017-02-21 23:00:22 +00:00			`if err == storage.ErrAlreadyExists {`
			`return &api.CreateClientResp{AlreadyExists: true}, nil`
			`}`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`d.logger.Errorf("api: failed to create client: %v", err)`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`return nil, fmt.Errorf("create client: %v", err)`
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`}`

			`return &api.CreateClientResp{`
			`Client: req.Client,`
			`}, nil`
			`}`

Extend the API with a function which updates the client configuration 2018-08-08 15:21:02 +00:00			`func (d dexAPI) UpdateClient(ctx context.Context, req api.UpdateClientReq) (api.UpdateClientResp, error) {`
			`if req.Id == "" {`
			`return nil, errors.New("update client: no client ID supplied")`
			`}`

			`err := d.s.UpdateClient(req.Id, func(old storage.Client) (storage.Client, error) {`
Update also to a list of empty redirect URIs and Peers 2018-11-13 08:59:45 +00:00			`if req.RedirectUris != nil {`
Revert "Avoid overwriting exiting redirect URI and trusted peers when updating the client" This reverts commit 49fa5ee6e8271d433cd9a3b00c3533495e285c3e. 2018-11-13 08:58:17 +00:00			`old.RedirectURIs = req.RedirectUris`
Extend the API with a function which updates the client configuration 2018-08-08 15:21:02 +00:00			`}`
Update also to a list of empty redirect URIs and Peers 2018-11-13 08:59:45 +00:00			`if req.TrustedPeers != nil {`
Revert "Avoid overwriting exiting redirect URI and trusted peers when updating the client" This reverts commit 49fa5ee6e8271d433cd9a3b00c3533495e285c3e. 2018-11-13 08:58:17 +00:00			`old.TrustedPeers = req.TrustedPeers`
Extend the API with a function which updates the client configuration 2018-08-08 15:21:02 +00:00			`}`
			`if req.Name != "" {`
			`old.Name = req.Name`
			`}`
			`if req.LogoUrl != "" {`
			`old.LogoURL = req.LogoUrl`
			`}`
			`return old, nil`
			`})`
			`if err != nil {`
			`if err == storage.ErrNotFound {`
			`return &api.UpdateClientResp{NotFound: true}, nil`
			`}`
			`d.logger.Errorf("api: failed to update the client: %v", err)`
			`return nil, fmt.Errorf("update client: %v", err)`
			`}`
			`return &api.UpdateClientResp{}, nil`
			`}`

server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`func (d dexAPI) DeleteClient(ctx context.Context, req api.DeleteClientReq) (api.DeleteClientResp, error) {`
			`err := d.s.DeleteClient(req.Id)`
			`if err != nil {`
			`if err == storage.ErrNotFound {`
			`return &api.DeleteClientResp{NotFound: true}, nil`
			`}`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`d.logger.Errorf("api: failed to delete client: %v", err)`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`return nil, fmt.Errorf("delete client: %v", err)`
server: add gRPC service implementation 2016-10-04 07:26:04 +00:00			`}`
			`return &api.DeleteClientResp{}, nil`
			`}`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00
server: set sane bcrypt cost upper bound 2017-08-17 21:46:07 +00:00			`// checkCost returns an error if the hash provided does not meet lower or upper`
			`// bound cost requirements.`
			`func checkCost(hash []byte) error {`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`actual, err := bcrypt.Cost(hash)`
			`if err != nil {`
server: set sane bcrypt cost upper bound 2017-08-17 21:46:07 +00:00			`return fmt.Errorf("parsing bcrypt hash: %v", err)`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`}`
			`if actual < bcrypt.DefaultCost {`
server: set sane bcrypt cost upper bound 2017-08-17 21:46:07 +00:00			`return fmt.Errorf("given hash cost = %d does not meet minimum cost requirement = %d", actual, bcrypt.DefaultCost)`
			`}`
			`if actual > upBoundCost {`
			`return fmt.Errorf("given hash cost = %d is above upper bound cost = %d, recommended cost = %d", actual, upBoundCost, recCost)`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`}`
server: set sane bcrypt cost upper bound 2017-08-17 21:46:07 +00:00			`return nil`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`}`

			`func (d dexAPI) CreatePassword(ctx context.Context, req api.CreatePasswordReq) (api.CreatePasswordResp, error) {`
			`if req.Password == nil {`
			`return nil, errors.New("no password supplied")`
			`}`
			`if req.Password.UserId == "" {`
			`return nil, errors.New("no user ID supplied")`
			`}`
			`if req.Password.Hash != nil {`
server: set sane bcrypt cost upper bound 2017-08-17 21:46:07 +00:00			`if err := checkCost(req.Password.Hash); err != nil {`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`return nil, err`
			`}`
			`} else {`
			`return nil, errors.New("no hash of password supplied")`
			`}`

			`p := storage.Password{`
			`Email: req.Password.Email,`
			`Hash: req.Password.Hash,`
			`Username: req.Password.Username,`
			`UserID: req.Password.UserId,`
			`}`
			`if err := d.s.CreatePassword(p); err != nil {`
storage: Surface "already exists" errors. 2017-02-21 23:00:22 +00:00			`if err == storage.ErrAlreadyExists {`
			`return &api.CreatePasswordResp{AlreadyExists: true}, nil`
			`}`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`d.logger.Errorf("api: failed to create password: %v", err)`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`return nil, fmt.Errorf("create password: %v", err)`
			`}`

			`return &api.CreatePasswordResp{}, nil`
			`}`

			`func (d dexAPI) UpdatePassword(ctx context.Context, req api.UpdatePasswordReq) (api.UpdatePasswordResp, error) {`
			`if req.Email == "" {`
			`return nil, errors.New("no email supplied")`
			`}`
			`if req.NewHash == nil && req.NewUsername == "" {`
			`return nil, errors.New("nothing to update")`
			`}`

			`if req.NewHash != nil {`
server: set sane bcrypt cost upper bound 2017-08-17 21:46:07 +00:00			`if err := checkCost(req.NewHash); err != nil {`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`return nil, err`
			`}`
			`}`

			`updater := func(old storage.Password) (storage.Password, error) {`
			`if req.NewHash != nil {`
			`old.Hash = req.NewHash`
			`}`

			`if req.NewUsername != "" {`
			`old.Username = req.NewUsername`
			`}`

			`return old, nil`
			`}`

			`if err := d.s.UpdatePassword(req.Email, updater); err != nil {`
			`if err == storage.ErrNotFound {`
			`return &api.UpdatePasswordResp{NotFound: true}, nil`
			`}`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`d.logger.Errorf("api: failed to update password: %v", err)`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`return nil, fmt.Errorf("update password: %v", err)`
			`}`

			`return &api.UpdatePasswordResp{}, nil`
			`}`

			`func (d dexAPI) DeletePassword(ctx context.Context, req api.DeletePasswordReq) (api.DeletePasswordResp, error) {`
			`if req.Email == "" {`
			`return nil, errors.New("no email supplied")`
			`}`

			`err := d.s.DeletePassword(req.Email)`
			`if err != nil {`
			`if err == storage.ErrNotFound {`
			`return &api.DeletePasswordResp{NotFound: true}, nil`
			`}`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`d.logger.Errorf("api: failed to delete password: %v", err)`
api: add gRPC endpoints for creating, updating and deleting passwords 2016-10-27 23:28:11 +00:00			`return nil, fmt.Errorf("delete password: %v", err)`
			`}`
			`return &api.DeletePasswordResp{}, nil`
			`}`
api: add gRPC definition for version endpoint. 2016-11-09 20:33:33 +00:00
			`func (d dexAPI) GetVersion(ctx context.Context, req api.VersionReq) (api.VersionResp, error) {`
			`return &api.VersionResp{`
			`Server: version.Version,`
			`Api: apiVersion,`
			`}, nil`
			`}`
api: adding a gRPC call for listing passwords. 2016-11-17 22:50:58 +00:00
			`func (d dexAPI) ListPasswords(ctx context.Context, req api.ListPasswordReq) (api.ListPasswordResp, error) {`
			`passwordList, err := d.s.ListPasswords()`
			`if err != nil {`
server: modify error messages to use logrus. 2016-12-12 22:54:01 +00:00			`d.logger.Errorf("api: failed to list passwords: %v", err)`
api: adding a gRPC call for listing passwords. 2016-11-17 22:50:58 +00:00			`return nil, fmt.Errorf("list passwords: %v", err)`
			`}`

			`var passwords []*api.Password`
			`for _, password := range passwordList {`
			`p := api.Password{`
			`Email: password.Email,`
			`Username: password.Username,`
			`UserId: password.UserID,`
			`}`
			`passwords = append(passwords, &p)`
			`}`

			`return &api.ListPasswordResp{`
			`Passwords: passwords,`
			`}, nil`
			`}`
api: adding a gRPC call for listing refresh tokens. 2017-02-10 19:33:54 +00:00
Add VerifyPassword to API It takes in an email and plain text password to verify. If it fails to find a password stored for email, it returns not_found. If it finds the password hash stored but that hash doesn't match the password passed via the API, it returns verified = false, else it returns verified = true. Co-authored-by: Alban Seurat <alban.seurat@me.com> 2018-08-06 19:04:56 +00:00			`func (d dexAPI) VerifyPassword(ctx context.Context, req api.VerifyPasswordReq) (api.VerifyPasswordResp, error) {`
			`if req.Email == "" {`
			`return nil, errors.New("no email supplied")`
			`}`

			`if req.Password == "" {`
			`return nil, errors.New("no password to verify supplied")`
			`}`

			`password, err := d.s.GetPassword(req.Email)`
			`if err != nil {`
			`if err == storage.ErrNotFound {`
			`return &api.VerifyPasswordResp{`
			`NotFound: true,`
			`}, nil`
			`}`
			`d.logger.Errorf("api: there was an error retrieving the password: %v", err)`
			`return nil, fmt.Errorf("verify password: %v", err)`
			`}`

			`if err := bcrypt.CompareHashAndPassword(password.Hash, []byte(req.Password)); err != nil {`
server/api: fix logging in VerifyPassword Before: msg="api: password check failed : %vcrypto/bcrypt: hashedPassword is not the hash of the given password" After: msg="api: password check failed : crypto/bcrypt: hashedPassword is not the hash of the given password" Signed-off-by: Stephan Renatus <srenatus@chef.io> 2019-07-30 12:52:32 +00:00			`d.logger.Infof("api: password check failed: %v", err)`
Add VerifyPassword to API It takes in an email and plain text password to verify. If it fails to find a password stored for email, it returns not_found. If it finds the password hash stored but that hash doesn't match the password passed via the API, it returns verified = false, else it returns verified = true. Co-authored-by: Alban Seurat <alban.seurat@me.com> 2018-08-06 19:04:56 +00:00			`return &api.VerifyPasswordResp{`
			`Verified: false,`
			`}, nil`
			`}`
			`return &api.VerifyPasswordResp{`
			`Verified: true,`
			`}, nil`
			`}`

api: adding a gRPC call for listing refresh tokens. 2017-02-10 19:33:54 +00:00			`func (d dexAPI) ListRefresh(ctx context.Context, req api.ListRefreshReq) (api.ListRefreshResp, error) {`
			`id := new(internal.IDTokenSubject)`
			`if err := internal.Unmarshal(req.UserId, id); err != nil {`
			`d.logger.Errorf("api: failed to unmarshal ID Token subject: %v", err)`
api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00			`return nil, err`
api: adding a gRPC call for listing refresh tokens. 2017-02-10 19:33:54 +00:00			`}`

server/api: return empty list of refresh tokens if user does not have any 2017-04-28 18:54:39 +00:00			`var refreshTokenRefs []*api.RefreshTokenRef`
api: adding a gRPC call for listing refresh tokens. 2017-02-10 19:33:54 +00:00			`offlineSessions, err := d.s.GetOfflineSessions(id.UserId, id.ConnId)`
			`if err != nil {`
server/api: return empty list of refresh tokens if user does not have any 2017-04-28 18:54:39 +00:00			`if err == storage.ErrNotFound {`
			`// This means that this user-client pair does not have a refresh token yet.`
			`// An empty list should be returned instead of an error.`
			`return &api.ListRefreshResp{`
			`RefreshTokens: refreshTokenRefs,`
			`}, nil`
			`}`
			`d.logger.Errorf("api: failed to list refresh tokens %t here : %v", err == storage.ErrNotFound, err)`
api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00			`return nil, err`
api: adding a gRPC call for listing refresh tokens. 2017-02-10 19:33:54 +00:00			`}`

			`for _, session := range offlineSessions.Refresh {`
			`r := api.RefreshTokenRef{`
			`Id: session.ID,`
			`ClientId: session.ClientID,`
api: Update timestamp type for RefreshTokenRef to int64. 2017-03-17 22:01:21 +00:00			`CreatedAt: session.CreatedAt.Unix(),`
			`LastUsed: session.LastUsed.Unix(),`
api: adding a gRPC call for listing refresh tokens. 2017-02-10 19:33:54 +00:00			`}`
			`refreshTokenRefs = append(refreshTokenRefs, &r)`
			`}`

			`return &api.ListRefreshResp{`
			`RefreshTokens: refreshTokenRefs,`
			`}, nil`
			`}`
api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00
			`func (d dexAPI) RevokeRefresh(ctx context.Context, req api.RevokeRefreshReq) (api.RevokeRefreshResp, error) {`
			`id := new(internal.IDTokenSubject)`
			`if err := internal.Unmarshal(req.UserId, id); err != nil {`
			`d.logger.Errorf("api: failed to unmarshal ID Token subject: %v", err)`
			`return nil, err`
			`}`

server: fix panic caused by deleting refresh token twice through api 2017-09-06 06:50:07 +00:00			`var (`
			`refreshID string`
			`notFound bool`
			`)`
api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00			`updater := func(old storage.OfflineSessions) (storage.OfflineSessions, error) {`
server: fix panic caused by deleting refresh token twice through api 2017-09-06 06:50:07 +00:00			`refreshRef := old.Refresh[req.ClientId]`
			`if refreshRef == nil \|\| refreshRef.ID == "" {`
			`d.logger.Errorf("api: refresh token issued to client %q for user %q not found for deletion", req.ClientId, id.UserId)`
			`notFound = true`
			`return old, storage.ErrNotFound`
api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00			`}`

server: fix panic caused by deleting refresh token twice through api 2017-09-06 06:50:07 +00:00			`refreshID = refreshRef.ID`

api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00			`// Remove entry from Refresh list of the OfflineSession object.`
			`delete(old.Refresh, req.ClientId)`

			`return old, nil`
			`}`

			`if err := d.s.UpdateOfflineSessions(id.UserId, id.ConnId, updater); err != nil {`
			`if err == storage.ErrNotFound {`
			`return &api.RevokeRefreshResp{NotFound: true}, nil`
			`}`
			`d.logger.Errorf("api: failed to update offline session object: %v", err)`
			`return nil, err`
			`}`

server: fix panic caused by deleting refresh token twice through api 2017-09-06 06:50:07 +00:00			`if notFound {`
			`return &api.RevokeRefreshResp{NotFound: true}, nil`
			`}`

api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00			`// Delete the refresh token from the storage`
server: fix panic caused by deleting refresh token twice through api 2017-09-06 06:50:07 +00:00			`//`
			`// TODO(ericchiang): we don't have any good recourse if this call fails.`
			`// Consider garbage collection of refresh tokens with no associated ref.`
api: adding a gRPC call for revoking refresh tokens. 2017-02-14 22:40:20 +00:00			`if err := d.s.DeleteRefresh(refreshID); err != nil {`
			`d.logger.Errorf("failed to delete refresh token: %v", err)`
			`return nil, err`
			`}`

			`return &api.RevokeRefreshResp{}, nil`
			`}`