From 72857018eec737548e581a918acfebd94e4b44d9 Mon Sep 17 00:00:00 2001
From: Mike Bland <michael.bland@gsa.gov>
Date: Fri, 8 May 2015 17:13:35 -0400
Subject: [PATCH] Introduce `validate-url` flag/config

---
 main.go                    |  1 +
 oauthproxy.go              |  2 ++
 options.go                 | 12 +++++++-----
 providers/google.go        |  5 +++++
 providers/google_test.go   |  9 +++++++++
 providers/myusa.go         |  5 +++++
 providers/myusa_test.go    | 10 ++++++++++
 providers/provider_data.go |  1 +
 8 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/main.go b/main.go
index 1b86c1e..e46a336 100644
--- a/main.go
+++ b/main.go
@@ -56,6 +56,7 @@ func main() {
 	flagSet.String("login-url", "", "Authentication endpoint")
 	flagSet.String("redeem-url", "", "Token redemption endpoint")
 	flagSet.String("profile-url", "", "Profile access endpoint")
+	flagSet.String("validate-url", "", "Access token validation endpoint")
 	flagSet.String("scope", "", "Oauth scope specification")
 
 	flagSet.Parse(os.Args[1:])
diff --git a/oauthproxy.go b/oauthproxy.go
index c236cd3..04ab41d 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -40,6 +40,7 @@ type OauthProxy struct {
 	provider            providers.Provider
 	oauthRedemptionUrl  *url.URL // endpoint to redeem the code
 	oauthLoginUrl       *url.URL // to redirect the user to
+	oauthValidateUrl    *url.URL // to validate the access token
 	oauthScope          string
 	clientID            string
 	clientSecret        string
@@ -146,6 +147,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 		provider:           opts.provider,
 		oauthRedemptionUrl: opts.provider.Data().RedeemUrl,
 		oauthLoginUrl:      opts.provider.Data().LoginUrl,
+		oauthValidateUrl:   opts.provider.Data().ValidateUrl,
 		serveMux:           serveMux,
 		redirectUrl:        redirectUrl,
 		skipAuthRegex:      opts.SkipAuthRegex,
diff --git a/options.go b/options.go
index f9147d9..e6aafac 100644
--- a/options.go
+++ b/options.go
@@ -39,11 +39,12 @@ type Options struct {
 
 	// These options allow for other providers besides Google, with
 	// potential overrides.
-	Provider   string `flag:"provider" cfg:"provider"`
-	LoginUrl   string `flag:"login-url" cfg:"login_url"`
-	RedeemUrl  string `flag:"redeem-url" cfg:"redeem_url"`
-	ProfileUrl string `flag:"profile-url" cfg:"profile_url"`
-	Scope      string `flag:"scope" cfg:"scope"`
+	Provider    string `flag:"provider" cfg:"provider"`
+	LoginUrl    string `flag:"login-url" cfg:"login_url"`
+	RedeemUrl   string `flag:"redeem-url" cfg:"redeem_url"`
+	ProfileUrl  string `flag:"profile-url" cfg:"profile_url"`
+	ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
+	Scope       string `flag:"scope" cfg:"scope"`
 
 	RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
 
@@ -148,6 +149,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 	p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
 	p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
 	p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)
+	p.ValidateUrl, msgs = parseUrl(o.ValidateUrl, "validate", msgs)
 	o.provider = providers.New(o.Provider, p)
 	return msgs
 }
diff --git a/providers/google.go b/providers/google.go
index c9955a9..5fc94be 100644
--- a/providers/google.go
+++ b/providers/google.go
@@ -24,6 +24,11 @@ func NewGoogleProvider(p *ProviderData) *GoogleProvider {
 			Host: "accounts.google.com",
 			Path: "/o/oauth2/token"}
 	}
+	if p.ValidateUrl.String() == "" {
+		p.ValidateUrl = &url.URL{Scheme: "https",
+			Host: "www.googleapis.com",
+			Path: "/oauth2/v1/tokeninfo"}
+	}
 	if p.Scope == "" {
 		p.Scope = "profile email"
 	}
diff --git a/providers/google_test.go b/providers/google_test.go
index 9ff4d00..532199c 100644
--- a/providers/google_test.go
+++ b/providers/google_test.go
@@ -15,6 +15,7 @@ func newGoogleProvider() *GoogleProvider {
 			LoginUrl:     &url.URL{},
 			RedeemUrl:    &url.URL{},
 			ProfileUrl:   &url.URL{},
+			ValidateUrl:  &url.URL{},
 			Scope:        ""})
 }
 
@@ -26,6 +27,8 @@ func TestGoogleProviderDefaults(t *testing.T) {
 		p.Data().LoginUrl.String())
 	assert.Equal(t, "https://accounts.google.com/o/oauth2/token",
 		p.Data().RedeemUrl.String())
+	assert.Equal(t, "https://www.googleapis.com/oauth2/v1/tokeninfo",
+		p.Data().ValidateUrl.String())
 	assert.Equal(t, "", p.Data().ProfileUrl.String())
 	assert.Equal(t, "profile email", p.Data().Scope)
 }
@@ -45,6 +48,10 @@ func TestGoogleProviderOverrides(t *testing.T) {
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/oauth/profile"},
+			ValidateUrl: &url.URL{
+				Scheme: "https",
+				Host:   "example.com",
+				Path:   "/oauth/tokeninfo"},
 			Scope: "profile"})
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "Google", p.Data().ProviderName)
@@ -54,6 +61,8 @@ func TestGoogleProviderOverrides(t *testing.T) {
 		p.Data().RedeemUrl.String())
 	assert.Equal(t, "https://example.com/oauth/profile",
 		p.Data().ProfileUrl.String())
+	assert.Equal(t, "https://example.com/oauth/tokeninfo",
+		p.Data().ValidateUrl.String())
 	assert.Equal(t, "profile", p.Data().Scope)
 }
 
diff --git a/providers/myusa.go b/providers/myusa.go
index 2c9119a..69014ba 100644
--- a/providers/myusa.go
+++ b/providers/myusa.go
@@ -32,6 +32,11 @@ func NewMyUsaProvider(p *ProviderData) *MyUsaProvider {
 			Host: myUsaHost,
 			Path: "/api/v1/profile"}
 	}
+	if p.ValidateUrl.String() == "" {
+		p.ValidateUrl = &url.URL{Scheme: "https",
+			Host: myUsaHost,
+			Path: "/api/v1/tokeninfo"}
+	}
 	if p.Scope == "" {
 		p.Scope = "profile.email"
 	}
diff --git a/providers/myusa_test.go b/providers/myusa_test.go
index 74bb1a9..20df092 100644
--- a/providers/myusa_test.go
+++ b/providers/myusa_test.go
@@ -21,11 +21,13 @@ func testMyUsaProvider(hostname string) *MyUsaProvider {
 			LoginUrl:     &url.URL{},
 			RedeemUrl:    &url.URL{},
 			ProfileUrl:   &url.URL{},
+			ValidateUrl:  &url.URL{},
 			Scope:        ""})
 	if hostname != "" {
 		updateUrl(p.Data().LoginUrl, hostname)
 		updateUrl(p.Data().RedeemUrl, hostname)
 		updateUrl(p.Data().ProfileUrl, hostname)
+		updateUrl(p.Data().ValidateUrl, hostname)
 	}
 	return p
 }
@@ -56,6 +58,8 @@ func TestMyUsaProviderDefaults(t *testing.T) {
 		p.Data().RedeemUrl.String())
 	assert.Equal(t, "https://alpha.my.usa.gov/api/v1/profile",
 		p.Data().ProfileUrl.String())
+	assert.Equal(t, "https://alpha.my.usa.gov/api/v1/tokeninfo",
+		p.Data().ValidateUrl.String())
 	assert.Equal(t, "profile.email", p.Data().Scope)
 }
 
@@ -74,6 +78,10 @@ func TestMyUsaProviderOverrides(t *testing.T) {
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/oauth/profile"},
+			ValidateUrl: &url.URL{
+				Scheme: "https",
+				Host:   "example.com",
+				Path:   "/oauth/tokeninfo"},
 			Scope: "profile"})
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "MyUSA", p.Data().ProviderName)
@@ -83,6 +91,8 @@ func TestMyUsaProviderOverrides(t *testing.T) {
 		p.Data().RedeemUrl.String())
 	assert.Equal(t, "https://example.com/oauth/profile",
 		p.Data().ProfileUrl.String())
+	assert.Equal(t, "https://example.com/oauth/tokeninfo",
+		p.Data().ValidateUrl.String())
 	assert.Equal(t, "profile", p.Data().Scope)
 }
 
diff --git a/providers/provider_data.go b/providers/provider_data.go
index 7b665cf..097f065 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -9,6 +9,7 @@ type ProviderData struct {
 	LoginUrl     *url.URL
 	RedeemUrl    *url.URL
 	ProfileUrl   *url.URL
+	ValidateUrl  *url.URL
 	Scope        string
 }