diff --git a/consent/strategy.go b/consent/strategy.go
index cc4e8c8334f..f0027a36744 100644
--- a/consent/strategy.go
+++ b/consent/strategy.go
@@ -24,7 +24,7 @@ type Strategy interface {
 		ctx context.Context,
 		w http.ResponseWriter,
 		r *http.Request,
-		req fosite.DeviceAuthorizeRequester,
+		req fosite.DeviceUserRequester,
 	) (*flow.AcceptOAuth2ConsentRequest, *flow.Flow, error)
 	HandleOpenIDConnectLogout(ctx context.Context, w http.ResponseWriter, r *http.Request) (*flow.LogoutResult, error)
 	HandleHeadlessLogout(ctx context.Context, w http.ResponseWriter, r *http.Request, sid string) error
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index f14c55d8ff0..15ac2e240c7 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -216,7 +216,7 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(ctx context.Context, w ht
 	// Generate the request URL
 	iu := s.c.OAuth2AuthURL(ctx)
-	if _, ok := req.(fosite.DeviceAuthorizeRequester); ok {
+	if _, ok := req.(fosite.DeviceUserRequester); ok {
 		iu = s.c.OAuth2DeviceAuthorisationURL(ctx)
 	}
 	iu.RawQuery = r.URL.RawQuery
@@ -426,8 +426,8 @@ func (s *DefaultStrategy) verifyAuthentication(
 				},
 			},
 		}
-	} else if _, ok := req.(fosite.DeviceAuthorizeRequester); ok {
-		cleanReq = &fosite.DeviceAuthorizeRequest{
+	} else if _, ok := req.(fosite.DeviceUserRequester); ok {
+		cleanReq = &fosite.DeviceUserRequest{
 			Request: fosite.Request{
 				ID: req.GetID(),
 				RequestedAt: req.GetRequestedAt(),
@@ -1261,7 +1261,7 @@ func (s *DefaultStrategy) forwardDeviceRequest(ctx context.Context, w http.Respo
 	return errorsx.WithStack(ErrAbortOAuth2Request)
 }
 
-func (s *DefaultStrategy) verifyDevice(ctx context.Context, w http.ResponseWriter, r *http.Request, req fosite.DeviceAuthorizeRequester, verifier string) (*flow.DeviceGrantRequest, error) {
+func (s *DefaultStrategy) verifyDevice(ctx context.Context, w http.ResponseWriter, r *http.Request, req fosite.DeviceUserRequester, verifier string) (*flow.DeviceGrantRequest, error) {
 	session, err := s.r.ConsentManager().GetDeviceGrantRequestByVerifier(ctx, verifier)
 	if errors.Is(err, sqlcon.ErrNoRows) {
 		return nil, errorsx.WithStack(fosite.ErrAccessDenied.WithHint("The device verifier has already been used, has not been granted, or is invalid."))
@@ -1289,7 +1289,7 @@ func (s *DefaultStrategy) verifyDevice(ctx context.Context, w http.ResponseWrite
 	return session, nil
 }
 
-func (s *DefaultStrategy) invalidateDeviceRequest(ctx context.Context, w http.ResponseWriter, r *http.Request, req fosite.DeviceAuthorizeRequester, verifier string) (*flow.DeviceGrantRequest, error) {
+func (s *DefaultStrategy) invalidateDeviceRequest(ctx context.Context, w http.ResponseWriter, r *http.Request, req fosite.DeviceUserRequester, verifier string) (*flow.DeviceGrantRequest, error) {
 	session, err := s.r.ConsentManager().VerifyAndInvalidateDeviceGrantRequest(ctx, verifier)
 	if errors.Is(err, sqlcon.ErrNoRows) {
 		return nil, errorsx.WithStack(fosite.ErrAccessDenied.WithHint("The device verifier has already been used, has not been granted, or is invalid."))
@@ -1304,7 +1304,7 @@ func (s *DefaultStrategy) HandleOAuth2DeviceAuthorizationRequest(
 	ctx context.Context,
 	w http.ResponseWriter,
 	r *http.Request,
-	req fosite.DeviceAuthorizeRequester,
+	req fosite.DeviceUserRequester,
 ) (*flow.AcceptOAuth2ConsentRequest, *flow.Flow, error) {
 	loginVerifier := strings.TrimSpace(req.GetRequestForm().Get("login_verifier"))
 	consentVerifier := strings.TrimSpace(req.GetRequestForm().Get("consent_verifier"))
diff --git a/fositex/config.go b/fositex/config.go
index 671e39b57fe..33471c85d93 100644
--- a/fositex/config.go
+++ b/fositex/config.go
@@ -37,12 +37,12 @@ type Factory func(config fosite.Configurator, storage interface{}, strategy inte
 type Config struct {
 	deps configDependencies
 
-	authorizeEndpointHandlers       fosite.AuthorizeEndpointHandlers
-	tokenEndpointHandlers           fosite.TokenEndpointHandlers
-	tokenIntrospectionHandlers      fosite.TokenIntrospectionHandlers
-	revocationHandlers              fosite.RevocationHandlers
-	deviceEndpointHandlers          fosite.DeviceEndpointHandlers
-	deviceAuthorizeEndpointHandlers fosite.DeviceAuthorizeEndpointHandlers
+	authorizeEndpointHandlers  fosite.AuthorizeEndpointHandlers
+	tokenEndpointHandlers      fosite.TokenEndpointHandlers
+	tokenIntrospectionHandlers fosite.TokenIntrospectionHandlers
+	revocationHandlers         fosite.RevocationHandlers
+	deviceEndpointHandlers     fosite.DeviceEndpointHandlers
+	deviceUserEndpointHandlers fosite.DeviceUserEndpointHandlers
 
 	*config.DefaultProvider
 }
@@ -83,8 +83,8 @@ func (c *Config) LoadDefaultHandlers(strategy interface{}) {
 		if dh, ok := res.(fosite.DeviceEndpointHandler); ok {
 			c.deviceEndpointHandlers.Append(dh)
 		}
-		if dah, ok := res.(fosite.DeviceAuthorizeEndpointHandler); ok {
-			c.deviceAuthorizeEndpointHandlers.Append(dah)
+		if duh, ok := res.(fosite.DeviceUserEndpointHandler); ok {
+			c.deviceUserEndpointHandlers.Append(duh)
 		}
 		if ah, ok := res.(fosite.AuthorizeEndpointHandler); ok {
 			c.authorizeEndpointHandlers.Append(ah)
@@ -129,8 +129,8 @@ func (c *Config) GetDeviceEndpointHandlers(ctx context.Context) fosite.DeviceEnd
 	return c.deviceEndpointHandlers
 }
 
-func (c *Config) GetDeviceAuthorizeEndpointHandlers(ctx context.Context) fosite.DeviceAuthorizeEndpointHandlers {
-	return c.deviceAuthorizeEndpointHandlers
+func (c *Config) GetDeviceUserEndpointHandlers(ctx context.Context) fosite.DeviceUserEndpointHandlers {
+	return c.deviceUserEndpointHandlers
 }
 
 func (c *Config) GetGrantTypeJWTBearerCanSkipClientAuth(context.Context) bool {
diff --git a/fositex/token_strategy.go b/fositex/token_strategy.go
index 45fcb41bfd2..229eadff5f6 100644
--- a/fositex/token_strategy.go
+++ b/fositex/token_strategy.go
@@ -88,27 +88,3 @@ func genericSignature(token string) string {
 		return ""
 	}
 }
-
-func (t TokenStrategy) DeviceCodeSignature(ctx context.Context, token string) (signature string, err error) {
-	return t.devHmac.DeviceCodeSignature(ctx, token)
-}
-
-func (t *TokenStrategy) GenerateDeviceCode(ctx context.Context) (token string, signature string, err error) {
-	return t.devHmac.GenerateDeviceCode(ctx)
-}
-
-func (t *TokenStrategy) ValidateDeviceCode(ctx context.Context, r fosite.Requester, code string) (err error) {
-	return t.devHmac.ValidateDeviceCode(ctx, r, code)
-}
-
-func (t TokenStrategy) UserCodeSignature(ctx context.Context, token string) (signature string, err error) {
-	return t.devHmac.UserCodeSignature(ctx, token)
-}
-
-func (t *TokenStrategy) GenerateUserCode(ctx context.Context) (token string, signature string, err error) {
-	return t.devHmac.GenerateUserCode(ctx)
-}
-
-func (t *TokenStrategy) ValidateUserCode(context context.Context, r fosite.Requester, code string) (err error) {
-	return t.devHmac.ValidateUserCode(context, r, code)
-}
diff --git a/go.mod b/go.mod
index a763fcbc21a..f69be62eebd 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ replace (
 
 replace github.com/ory/hydra-client-go/v2 => ./internal/httpclient
 
-replace github.com/ory/fosite => github.com/BuzzBumbleBee/fosite v0.0.0-20231124164728-b1fbd361a56b
+replace github.com/ory/fosite => ../fosite
 
 require (
 	github.com/ThalesIgnite/crypto11 v1.2.5
@@ -46,7 +46,7 @@ require (
 	github.com/ory/hydra-client-go/v2 v2.1.1
 	github.com/ory/jsonschema/v3 v3.0.8
 	github.com/ory/kratos-client-go v0.13.1
-	github.com/ory/x v0.0.604
+	github.com/ory/x v0.0.609
 	github.com/pborman/uuid v1.2.1
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.16.0
@@ -62,11 +62,11 @@ require (
 	github.com/toqueteos/webbrowser v1.2.0
 	github.com/twmb/murmur3 v1.1.8
 	github.com/urfave/negroni v1.0.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0
-	go.opentelemetry.io/otel v1.19.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0
-	go.opentelemetry.io/otel/sdk v1.19.0
-	go.opentelemetry.io/otel/trace v1.19.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
+	go.opentelemetry.io/otel v1.21.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0
+	go.opentelemetry.io/otel/sdk v1.21.0
+	go.opentelemetry.io/otel/trace v1.21.0
 	go.uber.org/automaxprocs v1.5.3
 	golang.org/x/crypto v0.15.0
 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
@@ -199,6 +199,7 @@ require (
 	github.com/openzipkin/zipkin-go v0.4.2 // indirect
 	github.com/ory/dockertest/v3 v3.10.0 // indirect
 	github.com/ory/go-convenience v0.1.0 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.9 // indirect
 	github.com/pkg/profile v1.7.0 // indirect
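Review bot: The fosite replace directive now points at the relative path `../fosite`, so the module only builds when a sibling checkout happens to exist, and what gets compiled is whatever is on that disk — no version, no go.sum entry, no reproducible or auditable build for the library that implements the token, device-code and user-code strategies of this OAuth2 server. Pin an immutable revision instead, as the removed line did, e.g. `replace github.com/ory/fosite => github.com/<fork>/fosite v0.0.0-<timestamp>-<commit>`, or drop the replace once an upstream release carries the DeviceUser API. If the local path exists only for development, it should stay out of the committed go.mod (a `go.work` file serves that purpose without touching the module graph).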
@@ -226,19 +227,20 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
 	go.mongodb.org/mongo-driver v1.12.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.45.0 // indirect
-	go.opentelemetry.io/contrib/propagators/b3 v1.20.0 // indirect
-	go.opentelemetry.io/contrib/propagators/jaeger v1.20.0 // indirect
-	go.opentelemetry.io/contrib/samplers/jaegerremote v0.14.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
+	go.opentelemetry.io/contrib/propagators/b3 v1.21.0 // indirect
+	go.opentelemetry.io/contrib/propagators/jaeger v1.21.1 // indirect
+	go.opentelemetry.io/contrib/samplers/jaegerremote v0.15.1 // indirect
 	go.opentelemetry.io/otel/exporters/jaeger v1.17.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
-	go.opentelemetry.io/otel/exporters/zipkin v1.19.0 // indirect
-	go.opentelemetry.io/otel/metric v1.19.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
+	go.opentelemetry.io/otel/exporters/zipkin v1.21.0 // indirect
+	go.opentelemetry.io/otel/metric v1.21.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/net v0.18.0 // indirect
 	golang.org/x/sys v0.14.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.4.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17 // indirect
diff --git a/oauth2/handler.go b/oauth2/handler.go
index ae7d0035204..b453ff0ee60 100644
--- a/oauth2/handler.go
+++ b/oauth2/handler.go
@@ -128,7 +128,7 @@ func (h *Handler) SetRoutes(admin *httprouterx.RouterAdmin, public *httprouterx.
 func (h *Handler) performOAuth2DeviceAuthorizationFlow(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	var ctx = r.Context()
 
-	authorizeRequest, err := h.r.OAuth2Provider().NewDeviceAuthorizeRequest(ctx, r)
+	authorizeRequest, err := h.r.OAuth2Provider().NewDeviceUserRequest(ctx, r)
 	if err != nil {
 		x.LogError(r, err, h.r.Logger())
 		return
@@ -208,7 +208,7 @@ func (h *Handler) performOAuth2DeviceAuthorizationFlow(w http.ResponseWriter, r
 	claims.Add("sid", session.ConsentRequest.LoginSessionID)
 
 	// done
-	response, err := h.r.OAuth2Provider().NewDeviceAuthorizeResponse(ctx, authorizeRequest, &Session{
+	response, err := h.r.OAuth2Provider().NewDeviceUserResponse(ctx, authorizeRequest, &Session{
 		DefaultSession: &openid.DefaultSession{
 			Claims: claims,
 			Headers: &jwt.Headers{Extra: map[string]interface{}{
@@ -237,7 +237,7 @@ func (h *Handler) performOAuth2DeviceAuthorizationFlow(w http.ResponseWriter, r
 		h.r.Writer().WriteError(w, r, err)
 	}
 
-	h.r.OAuth2Provider().WriteDeviceAuthorizeResponse(ctx, r, w, authorizeRequest, response)
+	h.r.OAuth2Provider().WriteDeviceUserResponse(ctx, r, w, authorizeRequest, response)
 }
 
 // OAuth2 Device Flow
diff --git a/oauth2/oauth2_helper_test.go b/oauth2/oauth2_helper_test.go
index 12665d0ffc6..0a9767f7af6 100644
--- a/oauth2/oauth2_helper_test.go
+++ b/oauth2/oauth2_helper_test.go
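Review bot: When `NewDeviceUserRequest` fails, the branch directly below the renamed call only logs and returns; nothing is written to `w`, so unless the provider itself emitted an error response (not visible in this hunk) the user agent receives an empty 200 and no indication that the device verification stopped. The same function's later error branch (hunk at line 237) already uses `h.r.Writer().WriteError(w, r, err)`; that call belongs before this `return` as well, e.g. `x.LogError(r, err, h.r.Logger()); h.r.Writer().WriteError(w, r, err); return`. The body of performOAuth2DeviceAuthorizationFlow continues past the end of the hunk.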
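Review bot: The block that ends with `h.r.Writer().WriteError(w, r, err)` closes without a `return`, so when `NewDeviceUserResponse` fails the handler writes an error and then falls through to `WriteDeviceUserResponse(ctx, r, w, authorizeRequest, response)` with whatever `response` holds on the error path — most likely nil — producing a second write on an already-committed response and, depending on the writer, a nil dereference. Add `return` immediately after the `WriteError` call. The `if` condition itself sits just above the hunk, so this is inferred from the visible closing brace; the function's signature is outside the hunk too.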
@@ -54,7 +54,7 @@ func (c *consentMock) HandleHeadlessLogout(ctx context.Context, w http.ResponseW
 	panic("not implemented")
 }
 
-func (c *consentMock) HandleOAuth2DeviceAuthorizationRequest(ctx context.Context, w http.ResponseWriter, r *http.Request, req fosite.DeviceAuthorizeRequester) (*flow.AcceptOAuth2ConsentRequest, *flow.Flow, error) {
+func (c *consentMock) HandleOAuth2DeviceAuthorizationRequest(ctx context.Context, w http.ResponseWriter, r *http.Request, req fosite.DeviceUserRequester) (*flow.AcceptOAuth2ConsentRequest, *flow.Flow, error) {
 	if c.deny {
 		return nil, nil, fosite.ErrRequestForbidden
 	}
diff --git a/oauth2/oauth2_provider_mock_test.go b/oauth2/oauth2_provider_mock_test.go
index 522823a7c8b..a4a69d860b1 100644
--- a/oauth2/oauth2_provider_mock_test.go
+++ b/oauth2/oauth2_provider_mock_test.go
@@ -121,34 +121,34 @@ func (mr *MockOAuth2ProviderMockRecorder) NewAuthorizeResponse(arg0, arg1, arg2
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewAuthorizeResponse", reflect.TypeOf((*MockOAuth2Provider)(nil).NewAuthorizeResponse), arg0, arg1, arg2)
 }
 
-// NewDeviceAuthorizeRequest mocks base method.
-func (m *MockOAuth2Provider) NewDeviceAuthorizeRequest(arg0 context.Context, arg1 *http.Request) (fosite.DeviceAuthorizeRequester, error) {
+// NewDeviceUserRequest mocks base method.
+func (m *MockOAuth2Provider) NewDeviceUserRequest(arg0 context.Context, arg1 *http.Request) (fosite.DeviceUserRequester, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "NewDeviceAuthorizeRequest", arg0, arg1)
-	ret0, _ := ret[0].(fosite.DeviceAuthorizeRequester)
+	ret := m.ctrl.Call(m, "NewDeviceUserRequest", arg0, arg1)
+	ret0, _ := ret[0].(fosite.DeviceUserRequester)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// NewDeviceAuthorizeRequest indicates an expected call of NewDeviceAuthorizeRequest.
-func (mr *MockOAuth2ProviderMockRecorder) NewDeviceAuthorizeRequest(arg0, arg1 interface{}) *gomock.Call {
+// NewDeviceUserRequest indicates an expected call of NewDeviceUserRequest.
+func (mr *MockOAuth2ProviderMockRecorder) NewDeviceUserRequest(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewDeviceAuthorizeRequest", reflect.TypeOf((*MockOAuth2Provider)(nil).NewDeviceAuthorizeRequest), arg0, arg1)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewDeviceUserRequest", reflect.TypeOf((*MockOAuth2Provider)(nil).NewDeviceUserRequest), arg0, arg1)
 }
 
-// NewDeviceAuthorizeResponse mocks base method.
-func (m *MockOAuth2Provider) NewDeviceAuthorizeResponse(arg0 context.Context, arg1 fosite.DeviceAuthorizeRequester, arg2 fosite.Session) (fosite.DeviceAuthorizeResponder, error) {
+// NewDeviceUserResponse mocks base method.
+func (m *MockOAuth2Provider) NewDeviceUserResponse(arg0 context.Context, arg1 fosite.DeviceUserRequester, arg2 fosite.Session) (fosite.DeviceUserResponder, error) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "NewDeviceAuthorizeResponse", arg0, arg1, arg2)
-	ret0, _ := ret[0].(fosite.DeviceAuthorizeResponder)
+	ret := m.ctrl.Call(m, "NewDeviceUserResponse", arg0, arg1, arg2)
+	ret0, _ := ret[0].(fosite.DeviceUserResponder)
 	ret1, _ := ret[1].(error)
 	return ret0, ret1
 }
 
-// NewDeviceAuthorizeResponse indicates an expected call of NewDeviceAuthorizeResponse.
-func (mr *MockOAuth2ProviderMockRecorder) NewDeviceAuthorizeResponse(arg0, arg1, arg2 interface{}) *gomock.Call {
+// NewDeviceUserResponse indicates an expected call of NewDeviceUserResponse.
+func (mr *MockOAuth2ProviderMockRecorder) NewDeviceUserResponse(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewDeviceAuthorizeResponse", reflect.TypeOf((*MockOAuth2Provider)(nil).NewDeviceAuthorizeResponse), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NewDeviceUserResponse", reflect.TypeOf((*MockOAuth2Provider)(nil).NewDeviceUserResponse), arg0, arg1, arg2)
 }
 
 // NewDeviceRequest mocks base method.
@@ -288,16 +288,16 @@ func (mr *MockOAuth2ProviderMockRecorder) WriteAuthorizeResponse(arg0, arg1, arg
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WriteAuthorizeResponse", reflect.TypeOf((*MockOAuth2Provider)(nil).WriteAuthorizeResponse), arg0, arg1, arg2, arg3)
 }
 
-// WriteDeviceAuthorizeResponse mocks base method.
-func (m *MockOAuth2Provider) WriteDeviceAuthorizeResponse(arg0 context.Context, arg1 *http.Request, arg2 http.ResponseWriter, arg3 fosite.DeviceAuthorizeRequester, arg4 fosite.DeviceAuthorizeResponder) {
+// WriteDeviceUserResponse mocks base method.
+func (m *MockOAuth2Provider) WriteDeviceUserResponse(arg0 context.Context, arg1 *http.Request, arg2 http.ResponseWriter, arg3 fosite.DeviceUserRequester, arg4 fosite.DeviceUserResponder) {
 	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "WriteDeviceAuthorizeResponse", arg0, arg1, arg2, arg3, arg4)
+	m.ctrl.Call(m, "WriteDeviceUserResponse", arg0, arg1, arg2, arg3, arg4)
 }
 
-// WriteDeviceAuthorizeResponse indicates an expected call of WriteDeviceAuthorizeResponse.
-func (mr *MockOAuth2ProviderMockRecorder) WriteDeviceAuthorizeResponse(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
+// WriteDeviceUserResponse indicates an expected call of WriteDeviceUserResponse.
+func (mr *MockOAuth2ProviderMockRecorder) WriteDeviceUserResponse(arg0, arg1, arg2, arg3, arg4 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WriteDeviceAuthorizeResponse", reflect.TypeOf((*MockOAuth2Provider)(nil).WriteDeviceAuthorizeResponse), arg0, arg1, arg2, arg3, arg4)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "WriteDeviceUserResponse", reflect.TypeOf((*MockOAuth2Provider)(nil).WriteDeviceUserResponse), arg0, arg1, arg2, arg3, arg4)
 }
 
 // WriteDeviceResponse mocks base method.