Add refresh token expiration tests and some refactoring

Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
2021-01-06 04:22:38 +04:00
parent 06c8ab5aa7
commit 0c75ed12e2
5 changed files with 513 additions and 237 deletions
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -5,7 +5,6 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -1005,237 +1004,6 @@ func (s *Server) exchangeAuthCode(w http.ResponseWriter, authCode storage.AuthCo
 	return s.toAccessTokenResponse(idToken, accessToken, refreshToken, expiry), nil
 }

-// handle a refresh token request https://tools.ietf.org/html/rfc6749#section-6
-func (s *Server) handleRefreshToken(w http.ResponseWriter, r *http.Request, client storage.Client) {
-	code := r.PostFormValue("refresh_token")
-	scope := r.PostFormValue("scope")
-	if code == "" {
-		s.tokenErrHelper(w, errInvalidRequest, "No refresh token in request.", http.StatusBadRequest)
-		return
-	}
-
-	token := new(internal.RefreshToken)
-	if err := internal.Unmarshal(code, token); err != nil {
-		// For backward compatibility, assume the refresh_token is a raw refresh token ID
-		// if it fails to decode.
-		//
-		// Because refresh_token values that aren't unmarshable were generated by servers
-		// that don't have a Token value, we'll still reject any attempts to claim a
-		// refresh_token twice.
-		token = &internal.RefreshToken{RefreshId: code, Token: ""}
-	}
-
-	refresh, err := s.storage.GetRefresh(token.RefreshId)
-	if err != nil {
-		s.logger.Errorf("failed to get refresh token: %v", err)
-		if err == storage.ErrNotFound {
-			s.tokenErrHelper(w, errInvalidRequest, "Refresh token is invalid or has already been claimed by another client.", http.StatusBadRequest)
-		} else {
-			s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-		}
-		return
-	}
-
-	if refresh.ClientID != client.ID {
-		s.logger.Errorf("client %s trying to claim token for client %s", client.ID, refresh.ClientID)
-		s.tokenErrHelper(w, errInvalidRequest, "Refresh token is invalid or has already been claimed by another client.", http.StatusBadRequest)
-		return
-	}
-	if refresh.Token != token.Token {
-		switch {
-		case !s.refreshTokenPolicy.AllowedToReuse(refresh.LastUsed):
-			fallthrough
-		case refresh.ObsoleteToken != token.Token:
-			fallthrough
-		case refresh.ObsoleteToken == "":
-			s.logger.Errorf("refresh token with id %s claimed twice", refresh.ID)
-			s.tokenErrHelper(w, errInvalidRequest, "Refresh token is invalid or has already been claimed by another client.", http.StatusBadRequest)
-			return
-		}
-	}
-	if s.refreshTokenPolicy.CompletelyExpired(refresh.CreatedAt) {
-		s.logger.Errorf("refresh token with id %s expired", refresh.ID)
-		s.tokenErrHelper(w, errInvalidRequest, "Refresh token expired.", http.StatusBadRequest)
-		return
-	}
-	if s.refreshTokenPolicy.ExpiredBecauseUnused(refresh.LastUsed) {
-		s.logger.Errorf("refresh token with id %s expired because being unused", refresh.ID)
-		s.tokenErrHelper(w, errInvalidRequest, "Refresh token expired.", http.StatusBadRequest)
-		return
-	}
-
-	// Per the OAuth2 spec, if the client has omitted the scopes, default to the original
-	// authorized scopes.
-	//
-	// https://tools.ietf.org/html/rfc6749#section-6
-	scopes := refresh.Scopes
-	if scope != "" {
-		requestedScopes := strings.Fields(scope)
-		var unauthorizedScopes []string
-
-		for _, s := range requestedScopes {
-			contains := func() bool {
-				for _, scope := range refresh.Scopes {
-					if s == scope {
-						return true
-					}
-				}
-				return false
-			}()
-			if !contains {
-				unauthorizedScopes = append(unauthorizedScopes, s)
-			}
-		}
-
-		if len(unauthorizedScopes) > 0 {
-			msg := fmt.Sprintf("Requested scopes contain unauthorized scope(s): %q.", unauthorizedScopes)
-			s.tokenErrHelper(w, errInvalidRequest, msg, http.StatusBadRequest)
-			return
-		}
-		scopes = requestedScopes
-	}
-
-	var connectorData []byte
-
-	session, err := s.storage.GetOfflineSessions(refresh.Claims.UserID, refresh.ConnectorID)
-	switch {
-	case err != nil:
-		if err != storage.ErrNotFound {
-			s.logger.Errorf("failed to get offline session: %v", err)
-			return
-		}
-	case len(refresh.ConnectorData) > 0:
-		// Use the old connector data if it exists, should be deleted once used
-		connectorData = refresh.ConnectorData
-	default:
-		connectorData = session.ConnectorData
-	}
-
-	conn, err := s.getConnector(refresh.ConnectorID)
-	if err != nil {
-		s.logger.Errorf("connector with ID %q not found: %v", refresh.ConnectorID, err)
-		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-		return
-	}
-	ident := connector.Identity{
-		UserID:            refresh.Claims.UserID,
-		Username:          refresh.Claims.Username,
-		PreferredUsername: refresh.Claims.PreferredUsername,
-		Email:             refresh.Claims.Email,
-		EmailVerified:     refresh.Claims.EmailVerified,
-		Groups:            refresh.Claims.Groups,
-		ConnectorData:     connectorData,
-	}
-
-	// Can the connector refresh the identity? If so, attempt to refresh the data
-	// in the connector.
-	//
-	// TODO(ericchiang): We may want a strict mode where connectors that don't implement
-	// this interface can't perform refreshing.
-	if refreshConn, ok := conn.Connector.(connector.RefreshConnector); ok {
-		newIdent, err := refreshConn.Refresh(r.Context(), parseScopes(scopes), ident)
-		if err != nil {
-			s.logger.Errorf("failed to refresh identity: %v", err)
-			s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-			return
-		}
-		ident = newIdent
-	}
-
-	claims := storage.Claims{
-		UserID:            ident.UserID,
-		Username:          ident.Username,
-		PreferredUsername: ident.PreferredUsername,
-		Email:             ident.Email,
-		EmailVerified:     ident.EmailVerified,
-		Groups:            ident.Groups,
-	}
-
-	accessToken, err := s.newAccessToken(client.ID, claims, scopes, refresh.Nonce, refresh.ConnectorID)
-	if err != nil {
-		s.logger.Errorf("failed to create new access token: %v", err)
-		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-		return
-	}
-
-	idToken, expiry, err := s.newIDToken(client.ID, claims, scopes, refresh.Nonce, accessToken, "", refresh.ConnectorID)
-	if err != nil {
-		s.logger.Errorf("failed to create ID token: %v", err)
-		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-		return
-	}
-
-	newToken := token
-	if s.refreshTokenPolicy.RotationEnabled() {
-		newToken = &internal.RefreshToken{
-			RefreshId: refresh.ID,
-			Token:     storage.NewID(),
-		}
-	}
-
-	lastUsed := s.now()
-	updater := func(old storage.RefreshToken) (storage.RefreshToken, error) {
-		if s.refreshTokenPolicy.RotationEnabled() {
-			if old.Token != refresh.Token {
-				if s.refreshTokenPolicy.AllowedToReuse(old.LastUsed) && old.ObsoleteToken == refresh.Token {
-					newToken.Token = old.Token
-					return old, nil
-				}
-				return old, errors.New("refresh token claimed twice")
-			}
-
-			old.ObsoleteToken = old.Token
-		}
-
-		old.Token = newToken.Token
-		// Update the claims of the refresh token.
-		//
-		// UserID intentionally ignored for now.
-		old.Claims.Username = ident.Username
-		old.Claims.PreferredUsername = ident.PreferredUsername
-		old.Claims.Email = ident.Email
-		old.Claims.EmailVerified = ident.EmailVerified
-		old.Claims.Groups = ident.Groups
-		old.LastUsed = lastUsed
-
-		// ConnectorData has been moved to OfflineSession
-		old.ConnectorData = []byte{}
-		return old, nil
-	}
-
-	// Update LastUsed time stamp in refresh token reference object
-	// in offline session for the user.
-	if err := s.storage.UpdateOfflineSessions(refresh.Claims.UserID, refresh.ConnectorID, func(old storage.OfflineSessions) (storage.OfflineSessions, error) {
-		if old.Refresh[refresh.ClientID].ID != refresh.ID {
-			return old, errors.New("refresh token invalid")
-		}
-		old.Refresh[refresh.ClientID].LastUsed = lastUsed
-		old.ConnectorData = ident.ConnectorData
-		return old, nil
-	}); err != nil {
-		s.logger.Errorf("failed to update offline session: %v", err)
-		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-		return
-	}
-
-	// Update refresh token in the storage.
-	if err := s.storage.UpdateRefreshToken(refresh.ID, updater); err != nil {
-		s.logger.Errorf("failed to update refresh token: %v", err)
-		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-		return
-	}
-
-	rawNewToken, err := internal.Marshal(newToken)
-	if err != nil {
-		s.logger.Errorf("failed to marshal refresh token: %v", err)
-		s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
-		return
-	}
-
-	resp := s.toAccessTokenResponse(idToken, accessToken, rawNewToken, expiry)
-	s.writeAccessToken(w, resp)
-}
-
 func (s *Server) handleUserInfo(w http.ResponseWriter, r *http.Request) {
 	const prefix = "Bearer "