Merge pull request #479 from bobbyrullo/specify_yer_client_creds

Allow specification of client_{id, secret} in admin api

Merge pull request #479 from bobbyrullo/specify_yer_client_creds
Allow specification of client_{id, secret} in admin api
a7b860b9 · bobbyrullo · GitHub · 3b8d704c · 65ce2e57 · a7b860b9
Commit a7b860b9 authored Jun 21, 2016 by bobbyrullo Committed by GitHub Jun 21, 2016
8 changed files
--- a/admin/api.go
+++ b/admin/api.go
@@ -78,6 +78,8 @@ var (

 		client.ErrorPublicClientMissingName: errorMaker("bad_request", "Public clients require a ClientName", http.StatusBadRequest),

+		client.ErrorInvalidClientSecret: errorMaker("bad_request", "Secret must be a base64 encoded string", http.StatusBadRequest),
+
 		user.ErrorNotFound:       errorMaker("resource_not_found", "Resource could not be found.", http.StatusNotFound),
 		user.ErrorDuplicateEmail: errorMaker("bad_request", "Email already in use.", http.StatusBadRequest),
 		user.ErrorInvalidEmail:   errorMaker("bad_request", "invalid email.", http.StatusBadRequest),

--- a/client/client.go
+++ b/client/client.go
@@ -17,6 +17,9 @@ import (

 var (
 	ErrorInvalidClientID = errors.New("not a valid client ID")
+
+	ErrorInvalidClientSecret = errors.New("not a valid client Secret")
+
 	ErrorInvalidRedirectURL    = errors.New("not a valid redirect url for the given client")
 	ErrorCantChooseRedirectURL = errors.New("must provide a redirect url; client has many")
 	ErrorNoValidRedirectURLs   = errors.New("no valid redirect URLs for this client.")
@@ -46,7 +49,7 @@ const (
 func HashSecret(creds oidc.ClientCredentials) ([]byte, error) {
 	secretBytes, err := base64.URLEncoding.DecodeString(creds.Secret)
 	if err != nil {
-		return nil, err
+		return nil, ErrorInvalidClientSecret
 	}
 	hashed, err := bcrypt.GenerateFromPassword([]byte(
 		secretBytes),

--- a/client/manager/manager.go
+++ b/client/manager/manager.go
@@ -196,18 +196,30 @@ func (m *ClientManager) addClientCredentials(cli *client.Client) error {
 		seed = cli.Metadata.RedirectURIs[0].Host
 	}

+	var err error
+	var clientID string
+	if cli.Credentials.ID != "" {
+		clientID = cli.Credentials.ID
+	} else {
 		// Generate Client ID
-	clientID, err := m.clientIDGenerator(seed)
+		clientID, err = m.clientIDGenerator(seed)
 		if err != nil {
 			return err
 		}
+	}

+	var clientSecret string
+	if cli.Credentials.Secret != "" {
+		clientSecret = cli.Credentials.Secret
+	} else {
 		// Generate Secret
 		secret, err := m.secretGenerator()
 		if err != nil {
 			return err
 		}
-	clientSecret := base64.URLEncoding.EncodeToString(secret)
+		clientSecret = base64.URLEncoding.EncodeToString(secret)
+	}
+
 	cli.Credentials = oidc.ClientCredentials{
 		ID:     clientID,
 		Secret: clientSecret,

--- a/integration/admin_api_test.go
+++ b/integration/admin_api_test.go
@@ -383,12 +383,17 @@ func TestCreateClient(t *testing.T) {
 	}

 	addIDAndSecret := func(cli adminschema.Client) *adminschema.Client {
+		if cli.Id == "" {
 			if cli.Public {
 				cli.Id = "client_" + cli.ClientName
 			} else {
 				cli.Id = "client_auth.example.com"
 			}
+		}
+
+		if cli.Secret == "" {
 			cli.Secret = base64.URLEncoding.EncodeToString([]byte("client_0"))
+		}
 		return &cli
 	}

@@ -436,6 +441,24 @@ func TestCreateClient(t *testing.T) {
 	adminClientWithPeers := adminClientGood
 	adminClientWithPeers.TrustedPeers = []string{"test_client_0"}

+	adminClientOwnID := adminClientGood
+	adminClientOwnID.Id = "my_own_id"
+
+	clientGoodOwnID := clientGood
+	clientGoodOwnID.Credentials.ID = "my_own_id"
+
+	adminClientOwnSecret := adminClientGood
+	adminClientOwnSecret.Secret = base64.URLEncoding.EncodeToString([]byte("my_own_secret"))
+	clientGoodOwnSecret := clientGood
+
+	adminClientOwnIDAndSecret := adminClientGood
+	adminClientOwnIDAndSecret.Id = "my_own_id"
+	adminClientOwnIDAndSecret.Secret = base64.URLEncoding.EncodeToString([]byte("my_own_secret"))
+	clientGoodOwnIDAndSecret := clientGoodOwnID
+
+	adminClientBadSecret := adminClientGood
+	adminClientBadSecret.Secret = "not_base64_encoded"
+
 	tests := []struct {
 		req              adminschema.ClientCreateRequest
 		want             adminschema.ClientCreateResponse
@@ -446,24 +469,21 @@ func TestCreateClient(t *testing.T) {
 		{
 			req:       adminschema.ClientCreateRequest{},
 			wantError: http.StatusBadRequest,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminschema.Client{
 					IsAdmin: true,
 				},
 			},
 			wantError: http.StatusBadRequest,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminschema.Client{
 					RedirectURIs: []string{"909090"},
 				},
 			},
 			wantError: http.StatusBadRequest,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminClientGood,
 			},
@@ -471,8 +491,7 @@ func TestCreateClient(t *testing.T) {
 				Client: addIDAndSecret(adminClientGood),
 			},
 			wantClient: clientGood,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminAdminClient,
 			},
@@ -480,8 +499,7 @@ func TestCreateClient(t *testing.T) {
 				Client: addIDAndSecret(adminAdminClient),
 			},
 			wantClient: clientGoodAdmin,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminMultiRedirect,
 			},
@@ -489,8 +507,7 @@ func TestCreateClient(t *testing.T) {
 				Client: addIDAndSecret(adminMultiRedirect),
 			},
 			wantClient: clientMultiRedirect,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminClientWithPeers,
 			},
@@ -499,8 +516,7 @@ func TestCreateClient(t *testing.T) {
 			},
 			wantClient:       clientGood,
 			wantTrustedPeers: []string{"test_client_0"},
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminPublicClientGood,
 			},
@@ -508,18 +524,45 @@ func TestCreateClient(t *testing.T) {
 				Client: addIDAndSecret(adminPublicClientGood),
 			},
 			wantClient: clientPublicGood,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminPublicClientMissingName,
 			},
 			wantError: http.StatusBadRequest,
-		},
-		{
+		}, {
 			req: adminschema.ClientCreateRequest{
 				Client: &adminPublicClientHasARedirect,
 			},
 			wantError: http.StatusBadRequest,
+		}, {
+			req: adminschema.ClientCreateRequest{
+				Client: &adminClientOwnID,
+			},
+			want: adminschema.ClientCreateResponse{
+				Client: addIDAndSecret(adminClientOwnID),
+			},
+			wantClient: clientGoodOwnID,
+		}, {
+			req: adminschema.ClientCreateRequest{
+				Client: &adminClientOwnSecret,
+			},
+			want: adminschema.ClientCreateResponse{
+				Client: addIDAndSecret(adminClientOwnSecret),
+			},
+			wantClient: clientGoodOwnSecret,
+		}, {
+			req: adminschema.ClientCreateRequest{
+				Client: &adminClientOwnIDAndSecret,
+			},
+			want: adminschema.ClientCreateResponse{
+				Client: addIDAndSecret(adminClientOwnIDAndSecret),
+			},
+			wantClient: clientGoodOwnIDAndSecret,
+		}, {
+			req: adminschema.ClientCreateRequest{
+				Client: &adminClientBadSecret,
+			},
+			wantError: http.StatusBadRequest,
 		},
 	}


--- a/schema/adminschema/README.md
+++ b/schema/adminschema/README.md
@@ -28,14 +28,14 @@ __Version:__ v1
 {
    clientName: string // OPTIONAL for normal cliens. Name of the Client to be presented to the End-User. If desired, representation of this Claim in different languages and scripts is represented as described in Section 2.1 ( Metadata Languages and Scripts ). REQUIRED for public clients,
    clientURI: string // OPTIONAL. URL of the home page of the Client. The value of this field MUST point to a valid Web page. If present, the server SHOULD display this URL to the End-User in a followable fashion. If desired, representation of this Claim in different languages and scripts is represented as described in Section 2.1 ( Metadata Languages and Scripts ) .,
-    id: string // The client ID. Ignored in client create requests.,
+    id: string // The client ID. If specified in a client create request, it will be used as the ID. Otherwise, the server will choose the ID.,
    isAdmin: boolean,
    logoURI: string // OPTIONAL. URL that references a logo for the Client application. If present, the server SHOULD display this image to the End-User during approval. The value of this field MUST point to a valid image file. If desired, representation of this Claim in different languages and scripts is represented as described in Section 2.1 ( Metadata Languages and Scripts ) .,
-    public: boolean // OPTIONAL. Determines if the client is public. Public clients have certain restrictions: They cannot use their credentials to obtain a client JWT. Their redirects URLs cannot be specified: they are always http://localhost:$PORT or urn:ietf:wg:oauth:2.0:oob,
+    public: boolean // OPTIONAL. Determines if the client is public. Public clients have certain restrictions: They cannot use their credentials to obtain a client JWT. Their redirects URLs cannot be specified: they are always http://localhost:$PORT or urn:ietf:wg:oauth:2.0:oob.,
    redirectURIs: [
        string
    ],
-    secret: string // The client secret. Ignored in client create requests.,
+    secret: string // The client secret. If specified in a client create request, it will be used as the secret. Otherwise, the server will choose the secret. Must be a base64 URLEncoded string.,
    trustedPeers: [
        string
    ]

--- a/schema/adminschema/v1-gen.go
+++ b/schema/adminschema/v1-gen.go
@@ -125,7 +125,8 @@ type Client struct {
 	// Languages and Scripts ) .
 	ClientURI string `json:"clientURI,omitempty"`

-	// Id: The client ID. Ignored in client create requests.
+	// Id: The client ID. If specified in a client create request, it will
+	// be used as the ID. Otherwise, the server will choose the ID.
 	Id string `json:"id,omitempty"`

 	IsAdmin bool `json:"isAdmin,omitempty"`
@@ -141,7 +142,7 @@ type Client struct {
 	// Public: OPTIONAL. Determines if the client is public. Public clients
 	// have certain restrictions: They cannot use their credentials to
 	// obtain a client JWT. Their redirects URLs cannot be specified: they
-	// are always http://localhost:$PORT or urn:ietf:wg:oauth:2.0:oob
+	// are always http://localhost:$PORT or urn:ietf:wg:oauth:2.0:oob.
 	Public bool `json:"public,omitempty"`

 	// RedirectURIs: REQUIRED for normal clients. Array of Redirection URI
@@ -154,7 +155,9 @@ type Client struct {
 	// clients.
 	RedirectURIs []string `json:"redirectURIs,omitempty"`

-	// Secret: The client secret. Ignored in client create requests.
+	// Secret: The client secret. If specified in a client create request,
+	// it will be used as the secret. Otherwise, the server will choose the
+	// secret. Must be a base64 URLEncoded string.
 	Secret string `json:"secret,omitempty"`

 	// TrustedPeers: Array of ClientIDs of clients that are allowed to mint

--- a/schema/adminschema/v1-json.go
+++ b/schema/adminschema/v1-json.go
@@ -58,11 +58,11 @@ const DiscoveryJSON = `{
      "properties": {
        "id": {
          "type": "string",
-          "description": "The client ID. Ignored in client create requests."
+          "description": "The client ID. If specified in a client create request, it will be used as the ID. Otherwise, the server will choose the ID."
        },
        "secret": {
          "type": "string",
-          "description": "The client secret. Ignored in client create requests."
+          "description": "The client secret. If specified in a client create request, it will be used as the secret. Otherwise, the server will choose the secret. Must be a base64 URLEncoded string."
        },
        "isAdmin": {
          "type": "boolean"
@@ -95,7 +95,7 @@ const DiscoveryJSON = `{
        },
        "public": {
          "type": "boolean",
-          "description": "OPTIONAL. Determines if the client is public. Public clients have certain restrictions: They cannot use their credentials to obtain a client JWT. Their redirects URLs cannot be specified: they are always http://localhost:$PORT or urn:ietf:wg:oauth:2.0:oob"
+          "description": "OPTIONAL. Determines if the client is public. Public clients have certain restrictions: They cannot use their credentials to obtain a client JWT. Their redirects URLs cannot be specified: they are always http://localhost:$PORT or urn:ietf:wg:oauth:2.0:oob."
        }
      }
    },

--- a/schema/adminschema/v1.json
+++ b/schema/adminschema/v1.json
@@ -51,11 +51,11 @@
      "properties": {
        "id": {
          "type": "string",
-          "description": "The client ID. Ignored in client create requests."
+          "description": "The client ID. If specified in a client create request, it will be used as the ID. Otherwise, the server will choose the ID."
        },
        "secret": {
          "type": "string",
-          "description": "The client secret. Ignored in client create requests."
+          "description": "The client secret. If specified in a client create request, it will be used as the secret. Otherwise, the server will choose the secret. Must be a base64 URLEncoded string."
        },
        "isAdmin": {
          "type": "boolean"