all: resolve rethinkdb and warden endpoint issues

* rethinkdb: resolve an issue where missing refresh tokens cause duplicate key error close #122 * warden: endpoint should only require valid client, not policy based access control close #121 * consent: set expiry time to one hour * warden: fix tests
ory · Jun 27, 2016 · ac7710d · ac7710d
1 parent c77d2dc
commit ac7710d
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 15 deletions.
diff --git a/internal/fosite_store_memory.go b/internal/fosite_store_memory.go
@@ -98,7 +98,13 @@ func (s *FositeMemoryStore) PersistAuthorizeCodeGrantSession(ctx context.Context
 		return err
 	} else if err := s.CreateAccessTokenSession(ctx, accessSignature, request); err != nil {
 		return err
-	} else if err := s.CreateRefreshTokenSession(ctx, refreshSignature, request); err != nil {
+	}
+
+	if refreshSignature == "" {
+		return nil
+	}
+
+	if err := s.CreateRefreshTokenSession(ctx, refreshSignature, request); err != nil {
 		return err
 	}
 

diff --git a/internal/fosite_store_rethinkdb.go b/internal/fosite_store_rethinkdb.go
@@ -182,7 +182,13 @@ func (s *FositeRehinkDBStore) PersistAuthorizeCodeGrantSession(ctx context.Conte
 		return err
 	} else if err := s.CreateAccessTokenSession(ctx, accessSignature, request); err != nil {
 		return err
-	} else if err := s.CreateRefreshTokenSession(ctx, refreshSignature, request); err != nil {
+	}
+
+	if refreshSignature == "" {
+		return nil
+	}
+
+	if err := s.CreateRefreshTokenSession(ctx, refreshSignature, request); err != nil {
 		return err
 	}
 

diff --git a/internal/fosite_store_test.go b/internal/fosite_store_test.go
@@ -212,6 +212,7 @@ func TestCreateGetDeleteOpenIDConnectSession(t *testing.T) {
 		pkg.AssertError(t, true, err, "%s", k)
 	}
 }
+
 func TestCreateGetDeleteRefreshTokenSession(t *testing.T) {
 	ctx := context.Background()
 	for k, m := range clientManagers {

diff --git a/oauth2/consent_strategy.go b/oauth2/consent_strategy.go
@@ -71,7 +71,7 @@ func (s *DefaultConsentStrategy) ValidateResponse(a fosite.AuthorizeRequester, t
 				Subject:   subject,
 				Issuer:    s.Issuer,
 				IssuedAt:  time.Now(),
-				ExpiresAt: time.Now(),
+				ExpiresAt: time.Now().Add(time.Hour),
 				Extra:     t.Claims,
 			},
 			Headers: &ejwt.Headers{},

diff --git a/warden/handler.go b/warden/handler.go
@@ -61,7 +61,7 @@ func (h *WardenHandler) SetRoutes(r *httprouter.Router) {
 
 func (h *WardenHandler) Authorized(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	ctx := herodot.NewContext()
-	clientCtx, err := h.authorizeClient(ctx, w, r, "an:hydra:warden:authorized")
+	clientCtx, err := h.authorizeClient(ctx, w, r)
 	if err != nil {
 		h.H.WriteError(ctx, w, r, err)
 		return
@@ -87,7 +87,7 @@ func (h *WardenHandler) Authorized(w http.ResponseWriter, r *http.Request, _ htt
 
 func (h *WardenHandler) Allowed(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 	ctx := herodot.NewContext()
-	clientCtx, err := h.authorizeClient(ctx, w, r, "an:hydra:warden:allowed")
+	clientCtx, err := h.authorizeClient(ctx, w, r)
 	if err != nil {
 		h.H.WriteError(ctx, w, r, err)
 		return
@@ -109,11 +109,8 @@ func (h *WardenHandler) Allowed(w http.ResponseWriter, r *http.Request, _ httpro
 	h.H.Write(ctx, w, r, authContext)
 }
 
-func (h *WardenHandler) authorizeClient(ctx context.Context, w http.ResponseWriter, r *http.Request, action string) (*firewall.Context, error) {
-	authctx, err := h.Warden.ActionAllowed(ctx, TokenFromRequest(r), &ladon.Request{
-		Action:   action,
-		Resource: "rn:hydra:warden",
-	}, "hydra.warden")
+func (h *WardenHandler) authorizeClient(ctx context.Context, w http.ResponseWriter, r *http.Request) (*firewall.Context, error) {
+	authctx, err := h.Warden.Authorized(ctx, TokenFromRequest(r), "core")
 	if err != nil {
 		return nil, err
 	}

diff --git a/warden/warden_test.go b/warden/warden_test.go
@@ -38,10 +38,7 @@ var ladonWarden = pkg.LadonWarden(map[string]ladon.Policy{
 		ID:        "2",
 		Subjects:  []string{"siri"},
 		Resources: []string{"<.*>"},
-		Actions: []string{
-			"an:hydra:warden:allowed",
-			"an:hydra:warden:authorized",
-		},
+		Actions: []string{},
 		Effect: ladon.AllowAccess,
 	},
 })
@@ -79,7 +76,7 @@ func init() {
 	fositeStore.CreateAccessTokenSession(nil, tokens[0][0], ar)
 
 	ar = fosite.NewAccessRequest(&oauth2.Session{Subject: "siri"})
-	ar.GrantedScopes = fosite.Arguments{"hydra.warden"}
+	ar.GrantedScopes = fosite.Arguments{"core"}
 	fositeStore.CreateAccessTokenSession(nil, tokens[1][0], ar)
 
 	conf := &coauth2.Config{