Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
influxdb/oauth2/oauth2.go

99 lines
3.4 KiB
Go
Raw Normal View History

Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
package oauth2
import (
"context"
"errors"
"net/http"
"time"
"golang.org/x/oauth2"
)
Merge branch 'master' into feature/#54-tr-enterprise-client Conflicts: Makefile chronograf.go server/routes.go server/users.go
2017-02-24 05:26:09 +00:00
type principalKey string
func (p principalKey) String() string {
return string(p)
}
var (
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
// PrincipalKey is used to pass principal
// via context.Context to request-scoped
// functions.
Merge branch 'master' into feature/#54-tr-enterprise-client Conflicts: Makefile chronograf.go server/routes.go server/users.go
2017-02-24 05:26:09 +00:00
PrincipalKey = principalKey("principal")
// ErrAuthentication means that oauth2 exchange failed
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
ErrAuthentication = errors.New("user not authenticated")
Merge branch 'master' into feature/#54-tr-enterprise-client Conflicts: Makefile chronograf.go server/routes.go server/users.go
2017-02-24 05:26:09 +00:00
// ErrOrgMembership means that the user is not in the OAuth2 filtered group
ErrOrgMembership = errors.New("Not a member of the required organization")
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
)
/* Types */
// Principal is any entity that can be authenticated
Add unified OAuth2 logout route redirecting to provider logout Signed-off-by: Tim Raymond <tim@timraymond.com>
2017-02-15 22:28:17 +00:00
type Principal struct {
Provide route to change current users organization Add current Organization to JWT. Use OrganizationUsersStore to retrieve Users that are not me. Signed-off-by: Michael de Sa <mjdesa@gmail.com>
2017-10-26 22:01:20 +00:00
Subject string
Issuer string
Organization string
Add group to oauth2.Principal
2018-01-02 23:48:58 +00:00
Group string
Provide route to change current users organization Add current Organization to JWT. Use OrganizationUsersStore to retrieve Users that are not me. Signed-off-by: Michael de Sa <mjdesa@gmail.com>
2017-10-26 22:01:20 +00:00
ExpiresAt time.Time
IssuedAt time.Time
Add unified OAuth2 logout route redirecting to provider logout Signed-off-by: Tim Raymond <tim@timraymond.com>
2017-02-15 22:28:17 +00:00
}
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
/* Interfaces */
// Provider are the common parameters for all providers (RFC 6749)
type Provider interface {
// ID is issued to the registered client by the authorization (RFC 6749 Section 2.2)
ID() string
// Secret associated is with the ID (Section 2.2)
Secret() string
// Scopes is used by the authorization server to "scope" responses (Section 3.3)
Scopes() []string
// Config is the OAuth2 configuration settings for this provider
Config() *oauth2.Config
// PrincipalID with fetch the identifier to be associated with the principal.
PrincipalID(provider *http.Client) (string, error)
Add Name to oauth2.Provider Providers should be able to tell us their name. This will help construct routes.
2017-02-14 22:28:05 +00:00
// Name is the name of the Provider
Name() string
Add group to oauth2.Principal
2018-01-02 23:48:58 +00:00
// Group is a comma delimited list of groups and organizations for a provider
// TODO: This will break if there are any group names that contain commas.
// I think this is okay, but I'm not 100% certain.
Group(provider *http.Client) (string, error)
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
}
// Mux is a collection of handlers responsible for servicing an Oauth2 interaction between a browser and a provider
type Mux interface {
Login() http.Handler
Logout() http.Handler
Callback() http.Handler
}
// Authenticator represents a service for authenticating users.
type Authenticator interface {
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
// Validate returns Principal associated with authenticated and authorized
Update oauth2 Authenticator signatures to use extend
2017-04-17 16:49:45 +00:00
// entity if successful.
Validate(context.Context, *http.Request) (Principal, error)
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
// Authorize will grant privileges to a Principal
Authorize(context.Context, http.ResponseWriter, Principal) error
Update oauth2 Authenticator signatures to use extend
2017-04-17 16:49:45 +00:00
// Extend will extend the lifetime of a already validated Principal
Extend(context.Context, http.ResponseWriter, Principal) (Principal, error)
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
// Expire revokes privileges from a Principal
Expire(http.ResponseWriter)
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
}
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
// Token represents a time-dependent reference (i.e. identifier) that maps back
// to the sensitive data through a tokenization system
type Token string
// Tokenizer substitutes a sensitive data element (Principal) with a
// non-sensitive equivalent, referred to as a token, that has no extrinsic
// or exploitable meaning or value.
type Tokenizer interface {
Add JWT refresh on validation. JWTs will only life five minutes into the future. Any time the server receives an authenicated request, the JWT's expire at will be extended into the future.
2017-04-14 07:12:52 +00:00
// Create issues a token at Principal's IssuedAt that lasts until Principal's ExpireAt
Create(context.Context, Principal) (Token, error)
Add new auth duration CLI option; add client heartbeat; fix logout (#1119) * User can now set oauth cookie session duration via the CLI to any duration or to expire on browser close * Refactor GET 'me' into heartbeat at constant interval * Add ping route to all routes * Add /chronograf/v1/ping endpoint for server status * Refactor cookie generation to use an interface * WIP adding refreshable tokens * Add reminder to review index.js Login error handling * Refactor Authenticator interface to accommodate cookie duration and logout delay * Update make run-dev to be more TICKStack compliant * Remove heartbeat/logout duration from authentication * WIP Refactor tests to accommodate cookie and auth refactor * Update oauth2 tests to newly refactored design * Update oauth provider tests * Remove unused oauth2/consts.go * Move authentication middleware to server package * Fix authentication comment * Update authenication documentation to mention AUTH_DURATION * Update /chronograf/v1/ping to simply return 204 * Fix Makefile run-dev target * Remove spurious ping route * Update auth docs to clarify authentication duration * Revert "Refactor GET 'me' into heartbeat at constant interval" This reverts commit 298a8c47e1431720d9bd97a9cb853744f04501a3. Conflicts: ui/src/index.js * Add auth test for JWT signing method * Add comments for why coverage isn't written for some areas of jwt code * Update auth docs to explicitly mention how to require re-auth for all users on server restart * Add Duration to Validation interface for Tokens * Make auth duration of zero yield a everlasting token * Revert "Revert "Refactor GET 'me' into heartbeat at constant interval"" This reverts commit b4773c15afe4fcd227ad88aa9d5686beb6b0a6cd. * Rename http status constants and add FORBIDDEN * Heartbeat only when logged in, notify user if heartbeat fails * Update changelog * Fix minor word semantics * Update oauth2 tests to be in the oauth2_test package * Add check at compile time that JWT implements Tokenizer * Rename CookieMux to AuthMux for consistency with earlier refactor * Fix logout middleware * Fix logout button not showing due to obsolete data shape expectations * Update changelog * Fix proptypes for logout button data shape in SideNav
2017-04-06 18:40:57 +00:00
// ValidPrincipal checks if the token has a valid Principal and requires
Add JWT refresh on validation. JWTs will only life five minutes into the future. Any time the server receives an authenicated request, the JWT's expire at will be extended into the future.
2017-04-14 07:12:52 +00:00
// a lifespan duration to ensure it complies with possible server runtime arguments.
ValidPrincipal(ctx context.Context, token Token, lifespan time.Duration) (Principal, error)
Update oauth2 Authenticator signatures to use extend
2017-04-17 16:49:45 +00:00
// ExtendedPrincipal adds the extention to the principal's lifespan.
ExtendedPrincipal(ctx context.Context, principal Principal, extension time.Duration) (Principal, error)
Reorganize OAuth2 Logic Created an oauth2 package which encapsulates all oauth2 providers, utility functions, types, and interfaces. Previously some methods of the Github provider were used as http.HandlerFuncs. These have now been pulled into a concrete type called a JWTMux to implement other Oauth2 providers. JWTMux has all of the functionality required to take a token from any provider and store it as a JWT in a browser, and that is the extent of its responsibilities. It implements the oauth2.Mux interface which would potentially allow other strategies of oauth2 credential storage.
2017-02-14 21:14:24 +00:00
}