From c9a5b08c76287b51f1ebcb335a2a79c31fbb23fe Mon Sep 17 00:00:00 2001 From: aeneasr <3372410+aeneasr@users.noreply.github.com> Date: Fri, 5 Apr 2024 15:03:08 +0200 Subject: [PATCH] chore: synchronize workspaces --- consent/sdk_test.go | 3 +- consent/test/manager_test_helpers.go | 5 +- oauth2/fosite_store_helpers.go | 94 ++++++++++++++++++++++++++- persistence/sql/persister_nid_test.go | 3 +- persistence/sql/persister_oauth2.go | 18 ++--- persistence/sql/persister_test.go | 3 +- x/sighash.go | 15 +++++ 7 files changed, 124 insertions(+), 17 deletions(-) create mode 100644 x/sighash.go diff --git a/consent/sdk_test.go b/consent/sdk_test.go index 020922a3a3f..9ada79dbc38 100644 --- a/consent/sdk_test.go +++ b/consent/sdk_test.go @@ -6,12 +6,13 @@ package consent_test import ( "context" "fmt" - "github.com/ory/hydra/v2/consent/test" "net/http" "net/http/httptest" "testing" "time" + "github.com/ory/hydra/v2/consent/test" + hydra "github.com/ory/hydra-client-go/v2" . "github.com/ory/hydra/v2/flow" diff --git a/consent/test/manager_test_helpers.go b/consent/test/manager_test_helpers.go index de5d00027a3..f44c694f381 100644 --- a/consent/test/manager_test_helpers.go +++ b/consent/test/manager_test_helpers.go @@ -7,11 +7,12 @@ import ( "context" "errors" "fmt" + "testing" + "time" + "github.com/ory/fosite/handler/openid" "github.com/ory/hydra/v2/consent" "github.com/ory/hydra/v2/oauth2" - "testing" - "time" "github.com/ory/hydra/v2/aead" "github.com/ory/hydra/v2/flow" diff --git a/oauth2/fosite_store_helpers.go b/oauth2/fosite_store_helpers.go index c98d60f02ce..0e21451b38b 100644 --- a/oauth2/fosite_store_helpers.go +++ b/oauth2/fosite_store_helpers.go @@ -7,11 +7,12 @@ import ( "context" "crypto/sha256" "fmt" - "github.com/ory/x/assertx" "net/url" "testing" "time" + "github.com/ory/x/assertx" + "github.com/ory/hydra/v2/flow" "github.com/ory/hydra/v2/jwk" 
@@ -209,6 +210,7 @@ func TestHelperRunner(t *testing.T, store InternalRegistry, k string) { } t.Run(fmt.Sprintf("case=testHelperCreateGetDeleteAuthorizeCodes/db=%s", k), testHelperCreateGetDeleteAuthorizeCodes(store)) + t.Run(fmt.Sprintf("case=testHelperExpiryFields/db=%s", k), testHelperExpiryFields(store)) t.Run(fmt.Sprintf("case=testHelperCreateGetDeleteAccessTokenSession/db=%s", k), testHelperCreateGetDeleteAccessTokenSession(store)) t.Run(fmt.Sprintf("case=testHelperNilAccessToken/db=%s", k), testHelperNilAccessToken(store)) t.Run(fmt.Sprintf("case=testHelperCreateGetDeleteOpenIDConnectSession/db=%s", k), testHelperCreateGetDeleteOpenIDConnectSession(store)) 
@@ -377,6 +379,96 @@ func testHelperCreateGetDeleteAuthorizeCodes(x InternalRegistry) func(t *testing } } +type testHelperExpiryFieldsResult struct { + ExpiresAt time.Time `db:"expires_at"` + name string +} + +func (r testHelperExpiryFieldsResult) TableName() string { + return "hydra_oauth2_" + r.name +} + +func testHelperExpiryFields(reg InternalRegistry) func(t *testing.T) { + return func(t *testing.T) { + m := reg.OAuth2Storage() + t.Parallel() + + mockRequestForeignKey(t, "blank", reg, false) + + ctx := context.Background() + + s := NewSession("bar") + s.SetExpiresAt(fosite.AccessToken, time.Now().Add(time.Hour).Round(time.Minute)) + s.SetExpiresAt(fosite.RefreshToken, time.Now().Add(time.Hour*2).Round(time.Minute)) + s.SetExpiresAt(fosite.AuthorizeCode, time.Now().Add(time.Hour*3).Round(time.Minute)) + request := fosite.Request{ + ID: uuid.New(), + RequestedAt: time.Now().UTC().Round(time.Second), + Client: &client.Client{ + ID: "foobar", + Metadata: sqlxx.JSONRawMessage("{}"), + }, + RequestedScope: fosite.Arguments{"fa", "ba"}, + GrantedScope: fosite.Arguments{"fa", "ba"}, + RequestedAudience: fosite.Arguments{"ad1", "ad2"}, + GrantedAudience: fosite.Arguments{"ad1", "ad2"}, + Form: url.Values{"foo": []string{"bar", "baz"}}, + Session: s, + } + + t.Run("case=CreateAccessTokenSession", func(t *testing.T) { + id := uuid.New() + err := m.CreateAccessTokenSession(ctx, id, &request) + require.NoError(t, err) + + r := testHelperExpiryFieldsResult{name: "access"} + require.NoError(t, reg.Persister().Connection(ctx).Select("expires_at").Where("signature = ?", x.SignatureHash(id)).First(&r)) + + assert.EqualValues(t, s.GetExpiresAt(fosite.AccessToken).UTC(), r.ExpiresAt.UTC()) + }) + + t.Run("case=CreateRefreshTokenSession", func(t *testing.T) { + id := uuid.New() + err := m.CreateRefreshTokenSession(ctx, id, &request) + require.NoError(t, err) + + r := testHelperExpiryFieldsResult{name: "refresh"} + require.NoError(t, 
reg.Persister().Connection(ctx).Select("expires_at").Where("signature = ?", id).First(&r)) + assert.EqualValues(t, s.GetExpiresAt(fosite.RefreshToken).UTC(), r.ExpiresAt.UTC()) + }) + + t.Run("case=CreateAuthorizeCodeSession", func(t *testing.T) { + id := uuid.New() + err := m.CreateAuthorizeCodeSession(ctx, id, &request) + require.NoError(t, err) + + r := testHelperExpiryFieldsResult{name: "code"} + require.NoError(t, reg.Persister().Connection(ctx).Select("expires_at").Where("signature = ?", id).First(&r)) + assert.EqualValues(t, s.GetExpiresAt(fosite.AuthorizeCode).UTC(), r.ExpiresAt.UTC()) + }) + + t.Run("case=CreatePKCERequestSession", func(t *testing.T) { + id := uuid.New() + err := m.CreatePKCERequestSession(ctx, id, &request) + require.NoError(t, err) + + r := testHelperExpiryFieldsResult{name: "pkce"} + require.NoError(t, reg.Persister().Connection(ctx).Select("expires_at").Where("signature = ?", id).First(&r)) + assert.EqualValues(t, s.GetExpiresAt(fosite.AuthorizeCode).UTC(), r.ExpiresAt.UTC()) + }) + + t.Run("case=CreateOpenIDConnectSession", func(t *testing.T) { + id := uuid.New() + err := m.CreateOpenIDConnectSession(ctx, id, &request) + require.NoError(t, err) + + r := testHelperExpiryFieldsResult{name: "oidc"} + require.NoError(t, reg.Persister().Connection(ctx).Select("expires_at").Where("signature = ?", id).First(&r)) + assert.EqualValues(t, s.GetExpiresAt(fosite.AuthorizeCode).UTC(), r.ExpiresAt.UTC()) + }) + } +} + func testHelperNilAccessToken(x InternalRegistry) func(t *testing.T) { return func(t *testing.T) { m := x.OAuth2Storage() diff --git a/persistence/sql/persister_nid_test.go b/persistence/sql/persister_nid_test.go index d084b4ae004..ceff9594287 100644 --- a/persistence/sql/persister_nid_test.go +++ b/persistence/sql/persister_nid_test.go 
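Review bot: In the `case=CreateAccessTokenSession` subtest the row is looked up with `Where("signature = ?", x.SignatureHash(id))`, while the refresh, code, pkce and oidc subtests query with the raw `id`, and nothing in the test explains the asymmetry. The persister hunks in this commit show `x.SignatureHash` applied on the access-token paths, so a comment above the first lookup would keep the next reader from treating it as a bug, e.g. `// Access-token signatures are persisted hashed (see x.SignatureHash); the other tables store the raw signature.`. The pkce and oidc subtests assert against `s.GetExpiresAt(fosite.AuthorizeCode)`; if that is intentional because those sessions are stored with the authorize-code lifespan, a one-line comment saying so would help, otherwise the expected lifespan should be re-checked. All five subtests share the single `request` value whose `ID` is a fresh `uuid.New()` while `mockRequestForeignKey` is seeded with `"blank"`; presumably the request-id column is not constrained on these tables, but that is worth confirming against the schema rather than relying on it silently.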
@@ -7,10 +7,11 @@ import ( "context" "database/sql" "encoding/json" - "github.com/ory/fosite/handler/openid" "testing" "time" + "github.com/ory/fosite/handler/openid" + "github.com/stretchr/testify/assert" "github.com/ory/hydra/v2/persistence" diff --git a/persistence/sql/persister_oauth2.go b/persistence/sql/persister_oauth2.go index 128b3369d31..5888c0b1cad 100644 --- a/persistence/sql/persister_oauth2.go +++ b/persistence/sql/persister_oauth2.go @@ -6,16 +6,18 @@ package sql import ( "context" "crypto/sha256" - "crypto/sha512" "database/sql" "encoding/hex" "encoding/json" "fmt" - "github.com/ory/x/sqlxx" "net/url" "strings" "time" + "github.com/ory/hydra/v2/x" + + "github.com/ory/x/sqlxx" + "go.opentelemetry.io/otel/trace" "github.com/gofrs/uuid" @@ -337,12 +339,6 @@ func (p *Persister) InvalidateAuthorizeCodeSession(ctx context.Context, signatur ) } -// SignatureHash hashes the signature to prevent errors where the signature is -// longer than 128 characters (and thus doesn't fit into the pk). -func SignatureHash(signature string) string { - return fmt.Sprintf("%x", sha512.Sum384([]byte(signature))) -} - func (p *Persister) CreateAccessTokenSession(ctx context.Context, signature string, requester fosite.Requester) (err error) { ctx, span := p.r.Tracer(ctx).Tracer().Start(ctx, "persistence.sql.CreateAccessTokenSession") defer otelx.End(span, &err) 
@@ -351,7 +347,7 @@ func (p *Persister) CreateAccessTokenSession(ctx context.Context, signature stri append(toEventOptions(requester), events.WithGrantType(requester.GetRequestForm().Get("grant_type")))..., ) - return p.createSession(ctx, SignatureHash(signature), requester, sqlTableAccess, requester.GetSession().GetExpiresAt(fosite.AccessToken)) + return p.createSession(ctx, x.SignatureHash(signature), requester, sqlTableAccess, requester.GetSession().GetExpiresAt(fosite.AccessToken)) } func (p *Persister) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error) { @@ -359,7 +355,7 @@ func (p *Persister) GetAccessTokenSession(ctx context.Context, signature string, defer otelx.End(span, &err) r := OAuth2RequestSQL{Table: sqlTableAccess} - err = p.QueryWithNetwork(ctx).Where("signature = ?", SignatureHash(signature)).First(&r) + err = p.QueryWithNetwork(ctx).Where("signature = ?", x.SignatureHash(signature)).First(&r) if errors.Is(err, sql.ErrNoRows) { // Backwards compatibility: we previously did not always hash the // signature before inserting. In case there are still very old (but @@ -389,7 +385,7 @@ func (p *Persister) DeleteAccessTokenSession(ctx context.Context, signature stri err = sqlcon.HandleError( p.QueryWithNetwork(ctx). - Where("signature = ?", SignatureHash(signature)). + Where("signature = ?", x.SignatureHash(signature)). Delete(&OAuth2RequestSQL{Table: sqlTableAccess})) if errors.Is(err, sqlcon.ErrNoRows) { // Backwards compatibility: we previously did not always hash the diff --git a/persistence/sql/persister_test.go b/persistence/sql/persister_test.go index 2fc311ac4ea..a4818a3e69d 100644 --- a/persistence/sql/persister_test.go +++ b/persistence/sql/persister_test.go @@ -5,10 +5,11 @@ package sql_test import ( "context" - "github.com/ory/hydra/v2/consent/test" "testing" "time" + "github.com/ory/hydra/v2/consent/test" + "github.com/go-jose/go-jose/v3" "github.com/gobuffalo/pop/v6" 
diff --git a/x/sighash.go b/x/sighash.go
new file mode 100644
index 00000000000..00069c6f998
--- /dev/null
+++ b/x/sighash.go
@@ -0,0 +1,15 @@
+// Copyright © 2024 Ory Corp
+// SPDX-License-Identifier: Apache-2.0
+
+package x
+
+import (
+ "crypto/sha512"
+ "fmt"
+)
+
+// SignatureHash hashes the signature to prevent errors where the signature is
+// longer than 128 characters (and thus doesn't fit into the pk).
+func SignatureHash(signature string) string {
+ return fmt.Sprintf("%x", sha512.Sum384([]byte(signature)))
+}
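Review bot: The doc comment on `SignatureHash` is copied unchanged from persister_oauth2.go, but now that the function is exported from the shared `x` package it should state its contract: it returns a fixed-length 96-character lowercase hex encoding of SHA-384 over the bytes of `signature`, not merely "a hash". Because that value is the stored lookup key for access-token rows (the `Where("signature = ?", x.SignatureHash(signature))` calls in persister_oauth2.go), the comment should also warn that changing the algorithm or encoding breaks lookups of existing rows and requires a data migration — the backwards-compatibility branch in `GetAccessTokenSession` already shows how tightly storage is coupled to this function. A possible addition: `// The result is 96 hex characters and is the stored signature key for access tokens; it must not change without a data migration.`. Style only: `sum := sha512.Sum384([]byte(signature))` followed by `return hex.EncodeToString(sum[:])` produces the identical string without going through fmt's reflection, if you prefer the explicit form.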