Scoped oauth

2019-11-02 08:03:54 -06:00 · 2019-11-02 08:03:54 -06:00 · 08add4b521
parent ba44094eb9
commit 08add4b521
7 changed files with 48 additions and 31 deletions
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+x  scope registration by URL /users/register=all /users/register/scope=scoped
+x  rproxy3 scope login by URL
--- a/oauth2client/client.go
+++ b/oauth2client/client.go
@ -11,16 +11,16 @@ import (
 	"time"
 )

-func Authenticate(server string, w http.ResponseWriter, r *http.Request) error {
+func Authenticate(server, scope string, w http.ResponseWriter, r *http.Request) error {
 	oauth2server, err := url.Parse(server)
 	if err != nil {
 		return err
 	}
 	access, exists := findAccess(w, r)
 	if !exists {
-		return login(oauth2server, w, r)
+		return login(oauth2server, scope, w, r)
 	}
-	return verify(access, oauth2server, w, r)
+	return verify(access, oauth2server, scope, w, r)
 }

 func findAccess(w http.ResponseWriter, r *http.Request) (string, bool) {
@ -58,8 +58,8 @@ func findAccessStable(w http.ResponseWriter, r *http.Request) (string, bool) {
 	return access.Value, true
 }

-func login(oauth2server *url.URL, w http.ResponseWriter, r *http.Request) error {
-	oauth2server.Path = "/users/log"
+func login(oauth2server *url.URL, scope string, w http.ResponseWriter, r *http.Request) error {
+	oauth2server.Path = "/users/log/" + scope
 	url := *r.URL
 	url.Host = r.Host
 	if url.Scheme == "" {
@ -72,8 +72,8 @@ func login(oauth2server *url.URL, w http.ResponseWriter, r *http.Request) error
 	return errors.New("logging in")
 }

-func verify(access string, oauth2server *url.URL, w http.ResponseWriter, r *http.Request) error {
-	oauth2server.Path = "/verify"
+func verify(access string, oauth2server *url.URL, scope string, w http.ResponseWriter, r *http.Request) error {
+	oauth2server.Path = "/verify/" + scope
 	data := url.Values{}
 	data.Set("access", access)
 	req, err := http.NewRequest("POST", oauth2server.String(), strings.NewReader(data.Encode()))
@ -94,7 +94,7 @@ func verify(access string, oauth2server *url.URL, w http.ResponseWriter, r *http
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
-		return login(oauth2server, w, r)
+		return login(oauth2server, scope, w, r)
 	}
 	return nil
 }
--- a/oauth2server/server/authorize.go
+++ b/oauth2server/server/authorize.go
@ -3,6 +3,7 @@ package server
 import (
 	"fmt"
 	"local/oauth2"
+	"local/router"
 	"local/storage"
 	"net/http"
 	"net/url"
@ -11,18 +12,20 @@ import (
 )

 func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
+	scope := ""
+	router.Params(r, &scope)
 	s.limiter.Wait(r.Context())
 	if r.Method != "POST" {
 		http.NotFound(w, r)
 		return
 	}
-	id := r.FormValue("username")
+	id := scope + "." + r.FormValue("username")
 	user, ok := s.getUser(id)
 	if !ok {
 		http.Error(w, "unknown user", http.StatusForbidden)
 		return
 	}
-	access, ok := s.getAccess(user)
+	access, ok := s.getAccess(scope, user)
 	if !ok {
 		http.Error(w, "no oauth for user", http.StatusForbidden)
 		return
@ -45,23 +48,23 @@ func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func (s *Server) genAuth(user string) {
+func (s *Server) genAuth(scope, user string) {
 	access := uuid.New().String()
 	token := uuid.New().String()
 	s.store.Set(user, []byte(access), ACCESS)
-	s.store.Set(access, []byte(token), TOKEN)
+	s.store.Set(scope+"."+access, []byte(token), TOKEN)
 }

-func (s *Server) getAccess(user string) (string, bool) {
+func (s *Server) getAccess(scope, user string) (string, bool) {
 	access, err := s.store.Get(user, ACCESS)
 	if err == storage.ErrNotFound {
-		s.genAuth(user)
+		s.genAuth(scope, user)
 		access, err = s.store.Get(user, ACCESS)
 	}
 	return string(access), err == nil
 }

-func (s *Server) getToken(access string) (string, bool) {
-	token, err := s.store.Get(access, TOKEN)
+func (s *Server) getToken(scope, access string) (string, bool) {
+	token, err := s.store.Get(scope+"."+access, TOKEN)
 	return string(token), err == nil
 }
--- a/oauth2server/server/routes.go
+++ b/oauth2server/server/routes.go
@ -3,6 +3,7 @@ package server
 import (
 	"fmt"
 	"local/oauth2/oauth2server/config"
+	"local/router"
 	"net/http"
 )

@ -13,25 +14,25 @@ func (s *Server) Routes() error {
 		handler http.HandlerFunc
 	}{
 		{
-			path:    fmt.Sprintf("authorize"),
+			path:    fmt.Sprintf("authorize/%s", router.Wildcard),
 			handler: s.authorize,
 		},
 		{
-			path:    fmt.Sprintf("verify"),
+			path:    fmt.Sprintf("verify/%s", router.Wildcard),
 			handler: s.verify,
 		},
 		{
-			path:    fmt.Sprintf("users/log"),
+			path:    fmt.Sprintf("users/log/%s", router.Wildcard),
 			handler: s.usersLog,
 		},
 		{
 			skip:    !config.UserRegistration,
-			path:    fmt.Sprintf("users/register"),
+			path:    fmt.Sprintf("users/register/%s", router.Wildcard),
 			handler: s.usersRegister,
 		},
 		{
 			skip:    !config.UserRegistration,
-			path:    fmt.Sprintf("users/submit"),
+			path:    fmt.Sprintf("users/submit/%s", router.Wildcard),
 			handler: s.usersSubmit,
 		},
 	}
--- a/oauth2server/server/users.go
+++ b/oauth2server/server/users.go
@ -7,18 +7,21 @@ import (
 	"encoding/hex"
 	"fmt"
 	"local/oauth2/oauth2server/config"
+	"local/router"
 	"net/http"

 	"github.com/google/uuid"
 )

 func (s *Server) usersLog(w http.ResponseWriter, r *http.Request) {
+	scope := ""
+	router.Params(r, &scope)
 	s.limiter.Wait(r.Context())
 	q := r.URL.Query()
 	fmt.Fprintln(w, `
      <html>
         <body>
-            <form method="post" action="/authorize?`+q.Encode()+`">
+            <form method="post" action="/authorize/`+scope+`?`+q.Encode()+`">
               <input type="password" name="username"></input>
               <input type="submit"></input>
            </form>
@ -28,11 +31,13 @@ func (s *Server) usersLog(w http.ResponseWriter, r *http.Request) {
 }

 func (s *Server) usersRegister(w http.ResponseWriter, r *http.Request) {
+	scope := ""
+	router.Params(r, &scope)
 	s.limiter.Wait(r.Context())
 	fmt.Fprintln(w, `
      <html>
         <body>
-            <form method="post" action="/users/submit">
+            <form method="post" action="/users/submit/`+scope+`">
               <input type="text" name="username"></input>
               <input type="submit"></input>
            </form>
@ -42,12 +47,14 @@ func (s *Server) usersRegister(w http.ResponseWriter, r *http.Request) {
 }

 func (s *Server) usersSubmit(w http.ResponseWriter, r *http.Request) {
+	scope := ""
+	router.Params(r, &scope)
 	s.limiter.Wait(r.Context())
 	if r.Method != "POST" {
 		http.NotFound(w, r)
 		return
 	}
-	id := r.FormValue("username")
+	id := scope + "." + r.FormValue("username")
 	if _, ok := s.getUser(id); ok {
 		http.Error(w, "user already exists", http.StatusConflict)
 		return
--- a/oauth2server/server/verify.go
+++ b/oauth2server/server/verify.go
@ -1,16 +1,19 @@
 package server

 import (
+	"local/router"
 	"net/http"
 )

 func (s *Server) verify(w http.ResponseWriter, r *http.Request) {
+	scope := ""
+	router.Params(r, &scope)
 	if r.Method != "POST" {
 		http.NotFound(w, r)
 		return
 	}
 	access := r.FormValue("access")
-	token, ok := s.getToken(access)
+	token, ok := s.getToken(scope, access)
 	if !ok {
 		http.Error(w, "unknown access", http.StatusUnauthorized)
 		return
--- a/oauth2test/package_test.go
+++ b/oauth2test/package_test.go
@ -45,6 +45,7 @@ func TestAll(t *testing.T) {

 func launchServer() (*httptest.Server, error) {
 	config.Store = "map"
+	config.UserRegistration = true

 	oauth2server := server.New()
 	err := oauth2server.Routes()
@ -62,7 +63,7 @@ func launchServer() (*httptest.Server, error) {

 func dummyServer(oauth2server string) *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		err := oauth2client.Authenticate(oauth2server, w, r)
+		err := oauth2client.Authenticate(oauth2server, "scope", w, r)
 		if err != nil {
 			return
 		}
@ -71,7 +72,7 @@ func dummyServer(oauth2server string) *httptest.Server {
 }

 func createUser(oauth2server string) error {
-	resp, err := http.Post(oauth2server+"/users/submit", "application/x-www-form-urlencoded", strings.NewReader("username=abc"))
+	resp, err := http.Post(oauth2server+"/users/submit/scope", "application/x-www-form-urlencoded", strings.NewReader("username=abc"))
 	if err != nil {
 		return err
 	}
@ -83,7 +84,7 @@ func createUser(oauth2server string) error {
 }

 func logUser(oauth2server string) error {
-	resp, err := http.Post(oauth2server+"/authorize", "application/x-www-form-urlencoded", strings.NewReader("username=abc"))
+	resp, err := http.Post(oauth2server+"/authorize/scope", "application/x-www-form-urlencoded", strings.NewReader("username=abc"))
 	if err != nil {
 		return err
 	}
@ -106,7 +107,7 @@ func clientShouldRedir(c *http.Client, dummy string) error {
 		return err
 	}
 	defer resp.Body.Close()
-	if resp.Request.URL.Path != "/users/log" {
+	if resp.Request.URL.Path != "/users/log/scope" {
 		return fmt.Errorf("did not need redir without auth: %v", resp.Request.URL)
 	}
 	return nil
@ -119,7 +120,7 @@ func clientShouldNotRedir(c *http.Client, dummy string) error {
 		return err
 	}
 	defer resp.Body.Close()
-	if resp.Request.URL.Path == "/users/log" {
+	if resp.Request.URL.Path == "/users/log/scope" {
 		return fmt.Errorf("did redir with auth: %v", resp.Request.URL.Path)
 	}
 	return nil
@ -147,7 +148,7 @@ func testAuth(oauth2server, dummy string) error {
 }

 func clientLogin(c *http.Client, oauth2server string) (string, error) {
-	req, _ := http.NewRequest("POST", oauth2server+"/authorize?"+oauth2.REDIRECT+"="+oauth2server+"/", strings.NewReader("username=abc"))
+	req, _ := http.NewRequest("POST", oauth2server+"/authorize/scope?"+oauth2.REDIRECT+"="+oauth2server+"/", strings.NewReader("username=abc"))
 	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 	resp, err := c.Do(req)
 	if err != nil {