Skip to content
Projects
Groups
Snippets
Help
Loading...
Sign in
Toggle navigation
D
dex
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
go
dex
Commits
74169294
Commit
74169294
authored
Apr 06, 2016
by
Eric Chiang
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
*: add revocation methods to refresh repo
parent
de8f3456
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
135 additions
and
2 deletions
+135
-2
refresh.go
db/refresh.go
+30
-0
client_repo_test.go
functional/repo/client_repo_test.go
+4
-2
refresh_repo_test.go
functional/repo/refresh_repo_test.go
+93
-0
repo.go
refresh/repo.go
+8
-0
No files found.
db/refresh.go
View file @
74169294
...
...
@@ -14,6 +14,7 @@ import (
"github.com/coreos/dex/pkg/log"
"github.com/coreos/dex/refresh"
"github.com/coreos/dex/repo"
"github.com/coreos/go-oidc/oidc"
)
const
(
...
...
@@ -179,6 +180,35 @@ func (r *refreshTokenRepo) Revoke(userID, token string) error {
return
tx
.
Commit
()
}
func
(
r
*
refreshTokenRepo
)
RevokeTokensForClient
(
userID
,
clientID
string
)
error
{
q
:=
fmt
.
Sprintf
(
"DELETE FROM %s WHERE user_id = $1 AND client_id = $2"
,
r
.
quote
(
refreshTokenTableName
))
_
,
err
:=
r
.
executor
(
nil
)
.
Exec
(
q
,
userID
,
clientID
)
return
err
}
func
(
r
*
refreshTokenRepo
)
ClientsWithRefreshTokens
(
userID
string
)
([]
oidc
.
ClientIdentity
,
error
)
{
q
:=
`SELECT c.* FROM %s as c
INNER JOIN %s as r ON c.id = r.client_id WHERE r.user_id = $1;`
q
=
fmt
.
Sprintf
(
q
,
r
.
quote
(
clientIdentityTableName
),
r
.
quote
(
refreshTokenTableName
))
var
clients
[]
clientIdentityModel
if
_
,
err
:=
r
.
executor
(
nil
)
.
Select
(
&
clients
,
q
,
userID
);
err
!=
nil
{
return
nil
,
err
}
c
:=
make
([]
oidc
.
ClientIdentity
,
len
(
clients
))
for
i
,
client
:=
range
clients
{
ident
,
err
:=
client
.
ClientIdentity
()
if
err
!=
nil
{
return
nil
,
err
}
c
[
i
]
=
*
ident
// Do not share the secret.
c
[
i
]
.
Credentials
.
Secret
=
""
}
return
c
,
nil
}
func
(
r
*
refreshTokenRepo
)
get
(
tx
repo
.
Transaction
,
tokenID
int64
)
(
*
refreshTokenModel
,
error
)
{
ex
:=
r
.
executor
(
tx
)
result
,
err
:=
ex
.
Get
(
refreshTokenModel
{},
tokenID
)
...
...
functional/repo/client_repo_test.go
View file @
74169294
...
...
@@ -24,7 +24,8 @@ var (
RedirectURIs
:
[]
url
.
URL
{
url
.
URL
{
Scheme
:
"https"
,
Host
:
"client1.example.com/callback"
,
Host
:
"client1.example.com"
,
Path
:
"/callback"
,
},
},
},
...
...
@@ -38,7 +39,8 @@ var (
RedirectURIs
:
[]
url
.
URL
{
url
.
URL
{
Scheme
:
"https"
,
Host
:
"client2.example.com/callback"
,
Host
:
"client2.example.com"
,
Path
:
"/callback"
,
},
},
},
...
...
functional/repo/refresh_repo_test.go
0 → 100644
View file @
74169294
package
repo
import
(
"encoding/base64"
"net/url"
"os"
"testing"
"time"
"github.com/coreos/go-oidc/oidc"
"github.com/go-gorp/gorp"
"github.com/kylelemons/godebug/pretty"
"github.com/coreos/dex/db"
"github.com/coreos/dex/refresh"
"github.com/coreos/dex/user"
)
func
newRefreshRepo
(
t
*
testing
.
T
,
users
[]
user
.
UserWithRemoteIdentities
,
clients
[]
oidc
.
ClientIdentity
)
refresh
.
RefreshTokenRepo
{
var
dbMap
*
gorp
.
DbMap
if
dsn
:=
os
.
Getenv
(
"DEX_TEST_DSN"
);
dsn
==
""
{
dbMap
=
db
.
NewMemDB
()
}
else
{
dbMap
=
connect
(
t
)
}
if
_
,
err
:=
db
.
NewUserRepoFromUsers
(
dbMap
,
users
);
err
!=
nil
{
t
.
Fatalf
(
"Unable to add users: %v"
,
err
)
}
if
_
,
err
:=
db
.
NewClientIdentityRepoFromClients
(
dbMap
,
clients
);
err
!=
nil
{
t
.
Fatalf
(
"Unable to add clients: %v"
,
err
)
}
return
db
.
NewRefreshTokenRepo
(
dbMap
)
}
func
TestRefreshTokenRepo
(
t
*
testing
.
T
)
{
clientID
:=
"client1"
userID
:=
"user1"
clients
:=
[]
oidc
.
ClientIdentity
{
{
Credentials
:
oidc
.
ClientCredentials
{
ID
:
clientID
,
Secret
:
base64
.
URLEncoding
.
EncodeToString
([]
byte
(
"secret-2"
)),
},
Metadata
:
oidc
.
ClientMetadata
{
RedirectURIs
:
[]
url
.
URL
{
url
.
URL
{
Scheme
:
"https"
,
Host
:
"client1.example.com"
,
Path
:
"/callback"
},
},
},
},
}
users
:=
[]
user
.
UserWithRemoteIdentities
{
{
User
:
user
.
User
{
ID
:
userID
,
Email
:
"Email-1@example.com"
,
CreatedAt
:
time
.
Now
()
.
Truncate
(
time
.
Second
),
},
RemoteIdentities
:
[]
user
.
RemoteIdentity
{
{
ConnectorID
:
"IDPC-1"
,
ID
:
"RID-1"
,
},
},
},
}
repo
:=
newRefreshRepo
(
t
,
users
,
clients
)
tok
,
err
:=
repo
.
Create
(
userID
,
clientID
)
if
err
!=
nil
{
t
.
Fatalf
(
"failed to create refresh token: %v"
,
err
)
}
if
tokUserID
,
err
:=
repo
.
Verify
(
clientID
,
tok
);
err
!=
nil
{
t
.
Errorf
(
"Could not verify token: %v"
,
err
)
}
else
if
tokUserID
!=
userID
{
t
.
Errorf
(
"Verified token returned wrong user id, want=%s, got=%s"
,
userID
,
tokUserID
)
}
if
userClients
,
err
:=
repo
.
ClientsWithRefreshTokens
(
userID
);
err
!=
nil
{
t
.
Errorf
(
"Failed to get the list of clients the user was logged into: %v"
,
err
)
}
else
{
if
diff
:=
pretty
.
Compare
(
userClients
,
clients
);
diff
==
""
{
t
.
Errorf
(
"Clients user logged into: want did not equal got %s"
,
diff
)
}
}
if
err
:=
repo
.
RevokeTokensForClient
(
userID
,
clientID
);
err
!=
nil
{
t
.
Errorf
(
"Failed to revoke refresh token: %v"
,
err
)
}
if
_
,
err
:=
repo
.
Verify
(
clientID
,
tok
);
err
==
nil
{
t
.
Errorf
(
"Token which should have been revoked was verified"
)
}
}
refresh/repo.go
View file @
74169294
...
...
@@ -3,6 +3,8 @@ package refresh
import
(
"crypto/rand"
"errors"
"github.com/coreos/go-oidc/oidc"
)
const
(
...
...
@@ -47,4 +49,10 @@ type RefreshTokenRepo interface {
// Revoke deletes the refresh token if the token belongs to the given userID.
Revoke
(
userID
,
token
string
)
error
// RevokeTokensForClient revokes all tokens issued for the userID for the provided client.
RevokeTokensForClient
(
userID
,
clientID
string
)
error
// ClientsWithRefreshTokens returns a list of all clients the user has an outstanding client with.
ClientsWithRefreshTokens
(
userID
string
)
([]
oidc
.
ClientIdentity
,
error
)
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment