From 72857018eec737548e581a918acfebd94e4b44d9 Mon Sep 17 00:00:00 2001
From: Mike Bland
Date: Fri, 8 May 2015 17:13:35 -0400
Subject: [PATCH] Introduce `validate-url` flag/config
---
 main.go | 1 +
 oauthproxy.go | 2 ++
 options.go | 12 +++++++-----
 providers/google.go | 5 +++++
 providers/google_test.go | 9 +++++++++
 providers/myusa.go | 5 +++++
 providers/myusa_test.go | 10 ++++++++++
 providers/provider_data.go | 1 +
 8 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/main.go b/main.go
index 1b86c1e..e46a336 100644
--- a/main.go
+++ b/main.go
@@ -56,6 +56,7 @@ func main() {
 flagSet.String("login-url", "", "Authentication endpoint")
 flagSet.String("redeem-url", "", "Token redemption endpoint")
 flagSet.String("profile-url", "", "Profile access endpoint")
+ flagSet.String("validate-url", "", "Access token validation endpoint")
 flagSet.String("scope", "", "Oauth scope specification")
 flagSet.Parse(os.Args[1:])
diff --git a/oauthproxy.go b/oauthproxy.go
index c236cd3..04ab41d 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -40,6 +40,7 @@ type OauthProxy struct {
 provider providers.Provider
 oauthRedemptionUrl *url.URL // endpoint to redeem the code
 oauthLoginUrl *url.URL // to redirect the user to
+ oauthValidateUrl *url.URL // to validate the access token
 oauthScope string
 clientID string
 clientSecret string
@@ -146,6 +147,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 provider: opts.provider,
 oauthRedemptionUrl: opts.provider.Data().RedeemUrl,
 oauthLoginUrl: opts.provider.Data().LoginUrl,
+ oauthValidateUrl: opts.provider.Data().ValidateUrl,
 serveMux: serveMux,
 redirectUrl: redirectUrl,
 skipAuthRegex: opts.SkipAuthRegex,
diff --git a/options.go b/options.go
index f9147d9..e6aafac 100644
--- a/options.go
+++ b/options.go
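Review bot: `oauthValidateUrl` is declared in the OauthProxy struct hunk and filled from `opts.provider.Data().ValidateUrl` in the NewOauthProxy hunk, but nothing else in this patch reads it, so as far as the diff shows the configured endpoint is carried on the proxy without ever being called. If the tokeninfo call is planned for a later change, the field comment could say so, e.g. `oauthValidateUrl *url.URL // to validate the access token (no caller yet)`, so a reader does not go looking for a validation path that is not there. Whoever adds that call should treat this URL like oauthRedemptionUrl: it presumably receives the access token, so the scheme and host an operator override supplies matter. Both the struct and NewOauthProxy begin and end outside their hunks.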
@@ -39,11 +39,12 @@ type Options struct {
 // These options allow for other providers besides Google, with
 // potential overrides.
- Provider string `flag:"provider" cfg:"provider"`
- LoginUrl string `flag:"login-url" cfg:"login_url"`
- RedeemUrl string `flag:"redeem-url" cfg:"redeem_url"`
- ProfileUrl string `flag:"profile-url" cfg:"profile_url"`
- Scope string `flag:"scope" cfg:"scope"`
+ Provider string `flag:"provider" cfg:"provider"`
+ LoginUrl string `flag:"login-url" cfg:"login_url"`
+ RedeemUrl string `flag:"redeem-url" cfg:"redeem_url"`
+ ProfileUrl string `flag:"profile-url" cfg:"profile_url"`
+ ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
+ Scope string `flag:"scope" cfg:"scope"`
 RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
@@ -148,6 +149,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
 p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
 p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)
+ p.ValidateUrl, msgs = parseUrl(o.ValidateUrl, "validate", msgs)
 o.provider = providers.New(o.Provider, p)
 return msgs
 }
diff --git a/providers/google.go b/providers/google.go
index c9955a9..5fc94be 100644
--- a/providers/google.go
+++ b/providers/google.go
@@ -24,6 +24,11 @@ func NewGoogleProvider(p *ProviderData) *GoogleProvider {
 Host: "accounts.google.com",
 Path: "/o/oauth2/token"}
 }
+ if p.ValidateUrl.String() == "" {
+ p.ValidateUrl = &url.URL{Scheme: "https",
+ Host: "www.googleapis.com",
+ Path: "/oauth2/v1/tokeninfo"}
+ }
 if p.Scope == "" {
 p.Scope = "profile email"
 }
diff --git a/providers/google_test.go b/providers/google_test.go
index 9ff4d00..532199c 100644
--- a/providers/google_test.go
+++ b/providers/google_test.go
@@ -15,6 +15,7 @@ func newGoogleProvider() *GoogleProvider {
 LoginUrl: &url.URL{},
 RedeemUrl: &url.URL{},
 ProfileUrl: &url.URL{},
+ ValidateUrl: &url.URL{},
 Scope: ""})
 }
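Review bot: In the parseProviderInfo hunk, `validate-url` goes through the same `parseUrl` as the other endpoints, but parseUrl's checks are not visible here, so it is worth confirming that it rejects a non-https scheme: the access token is presumably sent to whatever this URL resolves to, so an `http://` override or a mistyped host would deliver the token to the wrong place without any error at startup. If parseUrl only parses, a check after it such as `if p.ValidateUrl.String() != "" && p.ValidateUrl.Scheme != "https" { msgs = append(msgs, "validate-url must use https") }` would surface the misconfiguration before NewOauthProxy runs, and the same consideration applies to login-url, redeem-url and profile-url if they are not already guarded. parseProviderInfo begins outside the hunk.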
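Review bot: `p.ValidateUrl.String()` on the first added line of the NewGoogleProvider hunk dereferences the pointer, so a ProviderData built without ValidateUrl set (any construction site this patch does not update, if one exists) now panics inside the constructor instead of receiving the default; the NewMyUsaProvider hunk has the same shape. This follows how the pre-existing fields are handled, so the exposure is not new in kind, but the field added here is the one most likely to be left unset by older callers. A guard such as `if p.ValidateUrl == nil || p.ValidateUrl.String() == "" {` makes the default apply in both cases without changing the override behaviour asserted in google_test.go. NewGoogleProvider begins and ends outside the hunk.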
@@ -26,6 +27,8 @@ func TestGoogleProviderDefaults(t *testing.T) {
 p.Data().LoginUrl.String())
 assert.Equal(t, "https://accounts.google.com/o/oauth2/token",
 p.Data().RedeemUrl.String())
+ assert.Equal(t, "https://www.googleapis.com/oauth2/v1/tokeninfo",
+ p.Data().ValidateUrl.String())
 assert.Equal(t, "", p.Data().ProfileUrl.String())
 assert.Equal(t, "profile email", p.Data().Scope)
 }
@@ -45,6 +48,10 @@ func TestGoogleProviderOverrides(t *testing.T) {
 Scheme: "https",
 Host: "example.com",
 Path: "/oauth/profile"},
+ ValidateUrl: &url.URL{
+ Scheme: "https",
+ Host: "example.com",
+ Path: "/oauth/tokeninfo"},
 Scope: "profile"})
 assert.NotEqual(t, nil, p)
 assert.Equal(t, "Google", p.Data().ProviderName)
@@ -54,6 +61,8 @@ func TestGoogleProviderOverrides(t *testing.T) {
 p.Data().RedeemUrl.String())
 assert.Equal(t, "https://example.com/oauth/profile",
 p.Data().ProfileUrl.String())
+ assert.Equal(t, "https://example.com/oauth/tokeninfo",
+ p.Data().ValidateUrl.String())
 assert.Equal(t, "profile", p.Data().Scope)
 }
diff --git a/providers/myusa.go b/providers/myusa.go
index 2c9119a..69014ba 100644
--- a/providers/myusa.go
+++ b/providers/myusa.go
@@ -32,6 +32,11 @@ func NewMyUsaProvider(p *ProviderData) *MyUsaProvider {
 Host: myUsaHost,
 Path: "/api/v1/profile"}
 }
+ if p.ValidateUrl.String() == "" {
+ p.ValidateUrl = &url.URL{Scheme: "https",
+ Host: myUsaHost,
+ Path: "/api/v1/tokeninfo"}
+ }
 if p.Scope == "" {
 p.Scope = "profile.email"
 }
diff --git a/providers/myusa_test.go b/providers/myusa_test.go
index 74bb1a9..20df092 100644
--- a/providers/myusa_test.go
+++ b/providers/myusa_test.go
@@ -21,11 +21,13 @@ func testMyUsaProvider(hostname string) *MyUsaProvider {
 LoginUrl: &url.URL{},
 RedeemUrl: &url.URL{},
 ProfileUrl: &url.URL{},
+ ValidateUrl: &url.URL{},
 Scope: ""})
 if hostname != "" {
 updateUrl(p.Data().LoginUrl, hostname)
 updateUrl(p.Data().RedeemUrl, hostname)
 updateUrl(p.Data().ProfileUrl, hostname)
+ updateUrl(p.Data().ValidateUrl, hostname)
 }
 return p
 }
@@ -56,6 +58,8 @@ func TestMyUsaProviderDefaults(t *testing.T) {
 p.Data().RedeemUrl.String())
 assert.Equal(t, "https://alpha.my.usa.gov/api/v1/profile",
 p.Data().ProfileUrl.String())
+ assert.Equal(t, "https://alpha.my.usa.gov/api/v1/tokeninfo",
+ p.Data().ValidateUrl.String())
 assert.Equal(t, "profile.email", p.Data().Scope)
 }
@@ -74,6 +78,10 @@ func TestMyUsaProviderOverrides(t *testing.T) {
 Scheme: "https",
 Host: "example.com",
 Path: "/oauth/profile"},
+ ValidateUrl: &url.URL{
+ Scheme: "https",
+ Host: "example.com",
+ Path: "/oauth/tokeninfo"},
 Scope: "profile"})
 assert.NotEqual(t, nil, p)
 assert.Equal(t, "MyUSA", p.Data().ProviderName)
@@ -83,6 +91,8 @@ func TestMyUsaProviderOverrides(t *testing.T) {
 p.Data().RedeemUrl.String())
 assert.Equal(t, "https://example.com/oauth/profile",
 p.Data().ProfileUrl.String())
+ assert.Equal(t, "https://example.com/oauth/tokeninfo",
+ p.Data().ValidateUrl.String())
 assert.Equal(t, "profile", p.Data().Scope)
 }
diff --git a/providers/provider_data.go b/providers/provider_data.go
index 7b665cf..097f065 100644
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@@ -9,6 +9,7 @@ type ProviderData struct {
 LoginUrl *url.URL
 RedeemUrl *url.URL
 ProfileUrl *url.URL
+ ValidateUrl *url.URL
 Scope string
 }
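Review bot: `ValidateUrl` joins an exported struct whose fields carry no comments, and nothing at this level says how it differs from RedeemUrl or ProfileUrl; since operators set it through `validate_url` and the provider constructors fill in a tokeninfo default when it is empty, a field comment such as `ValidateUrl *url.URL // endpoint used to check an access token; providers default it when empty` would record both facts where the type is defined. The ProviderData struct begins outside the hunk.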