all: sanitized tests and apis

Author: aeneasr

access_request.go

@@ -20,19 +20,6 @@ func NewAccessRequest(session interface{}) *AccessRequest {
 	}
 }
 
-func (a *AccessRequest) DidHandleGrantTypes() bool {
-	for _, grantType := range a.GrantTypes {
-		if !StringInSlice(grantType, a.HandledGrantType) {
-			return false
-		}
-	}
-	return true
-}
-
-func (a *AccessRequest) SetGrantTypeHandled(name string) {
-	a.HandledGrantType = append(a.HandledGrantType, name)
-}
-
 func (a *AccessRequest) GetGrantTypes() Arguments {
 	return a.GrantTypes
 }

access_request_handler.go

@@ -77,15 +77,11 @@ func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session
 	accessRequest.Client = client
 
 	for _, loader := range f.TokenEndpointHandlers {
-		if err := loader.ValidateTokenEndpointRequest(ctx, r, accessRequest); err != nil {
+		if err := loader.HandleTokenEndpointRequest(ctx, r, accessRequest); err != nil {
 			return accessRequest, err
 		}
 	}
 
-	if !accessRequest.DidHandleGrantTypes() {
-		return accessRequest, errors.New(ErrUnsupportedGrantType)
-	}
-
 	if !accessRequest.GetScopes().Has(f.RequiredScope) {
 		return accessRequest, errors.New(ErrInvalidScope)
 	}

access_request_handler_test.go

@@ -124,7 +124,7 @@ func TestNewAccessRequest(t *testing.T) {
 				store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
 				client.EXPECT().GetHashedSecret().Return([]byte("foo"))
 				hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
-				handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrServerError)
+				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrServerError)
 			},
 			handlers: TokenEndpointHandlers{handler},
 		},
@@ -136,48 +136,11 @@ func TestNewAccessRequest(t *testing.T) {
 			form: url.Values{
 				"grant_type": {"foo"},
 			},
-			expectErr: ErrUnsupportedGrantType,
 			mock: func() {
 				store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
 				client.EXPECT().GetHashedSecret().Return([]byte("foo"))
 				hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
-				handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
-			},
-			handlers: TokenEndpointHandlers{handler},
-		},
-		{
-			header: http.Header{
-				"Authorization": {basicAuth("foo", "bar")},
-			},
-			method: "POST",
-			form: url.Values{
-				"grant_type": {"foo"},
-			},
-			expectErr: ErrUnsupportedGrantType,
-			mock: func() {
-				store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
-				client.EXPECT().GetHashedSecret().Return([]byte("foo"))
-				hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
-				handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester) {
-					a.SetGrantTypeHandled("bar")
-				}).Return(nil)
-			},
-			handlers: TokenEndpointHandlers{handler},
-		},
-		{
-			header: http.Header{
-				"Authorization": {basicAuth("foo", "bar")},
-			},
-			method: "POST",
-			form: url.Values{
-				"grant_type": {"foo"},
-			},
-			mock: func() {
-				store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
-				client.EXPECT().GetHashedSecret().Return([]byte("foo"))
-				hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
-				handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester) {
-					a.SetGrantTypeHandled("foo")
+				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester) {
 					a.SetScopes([]string{"asdfasdf"})
 				}).Return(nil)
 			},
@@ -196,15 +159,13 @@ func TestNewAccessRequest(t *testing.T) {
 				store.EXPECT().GetClient(gomock.Eq("foo")).Return(client, nil)
 				client.EXPECT().GetHashedSecret().Return([]byte("foo"))
 				hasher.EXPECT().Compare(gomock.Eq([]byte("foo")), gomock.Eq([]byte("bar"))).Return(nil)
-				handler.EXPECT().ValidateTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester) {
-					a.SetGrantTypeHandled("foo")
+				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, a AccessRequester) {
 					a.SetScopes([]string{DefaultRequiredScopeName})
 				}).Return(nil)
 			},
 			handlers: TokenEndpointHandlers{handler},
 			expect: &AccessRequest{
-				GrantTypes:       Arguments{"foo"},
-				HandledGrantType: []string{"foo"},
+				GrantTypes: Arguments{"foo"},
 				Request: Request{
 					Client: client,
 				},
@@ -227,7 +188,7 @@ func TestNewAccessRequest(t *testing.T) {
 			t.Logf("Error occured: %s", err.(*errors.Error).ErrorStack())
 		}
 		if err == nil {
-			pkg.AssertObjectKeysEqual(t, c.expect, ar, "GrantType", "Client")
+			pkg.AssertObjectKeysEqual(t, c.expect, ar, "GrantTypes", "Client")
 			assert.NotNil(t, ar.GetRequestedAt())
 		}
 		t.Logf("Passed test case %d", k)

access_response_handler.go

@@ -13,7 +13,7 @@ func (f *Fosite) NewAccessResponse(ctx context.Context, req *http.Request, reque
 
 	response := NewAccessResponse()
 	for _, tk = range f.TokenEndpointHandlers {
-		if err = tk.HandleTokenEndpointRequest(ctx, req, requester, response); err != nil {
+		if err = tk.PopulateTokenEndpointResponse(ctx, req, requester, response); err != nil {
 			return nil, errors.Wrap(err, 1)
 		}
 	}

access_response_handler_test.go

@@ -31,21 +31,21 @@ func TestNewAccessResponse(t *testing.T) {
 		},
 		{
 			mock: func() {
-				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrServerError)
+				handler.EXPECT().PopulateTokenEndpointResponse(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(ErrServerError)
 			},
 			handlers:  TokenEndpointHandlers{handler},
 			expectErr: ErrServerError,
 		},
 		{
 			mock: func() {
-				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
+				handler.EXPECT().PopulateTokenEndpointResponse(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil)
 			},
 			handlers:  TokenEndpointHandlers{handler},
 			expectErr: ErrUnsupportedGrantType,
 		},
 		{
 			mock: func() {
-				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, _ AccessRequester, resp AccessResponder) {
+				handler.EXPECT().PopulateTokenEndpointResponse(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, _ AccessRequester, resp AccessResponder) {
 					resp.SetAccessToken("foo")
 				}).Return(nil)
 			},
@@ -54,7 +54,7 @@ func TestNewAccessResponse(t *testing.T) {
 		},
 		{
 			mock: func() {
-				handler.EXPECT().HandleTokenEndpointRequest(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, _ AccessRequester, resp AccessResponder) {
+				handler.EXPECT().PopulateTokenEndpointResponse(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Do(func(_ context.Context, _ *http.Request, _ AccessRequester, resp AccessResponder) {
 					resp.SetAccessToken("foo")
 					resp.SetTokenType("bar")
 				}).Return(nil)

arguments.go

@@ -4,7 +4,7 @@ import "strings"
 
 type Arguments []string
 
-func (r Arguments) Is(items ...string) bool {
+func (r Arguments) Matches(items ...string) bool {
 	found := make(map[string]bool)
 	for _, item := range items {
 		if !StringInSlice(item, r) {
@@ -13,7 +13,7 @@ func (r Arguments) Is(items ...string) bool {
 		found[item] = true
 	}
 
-	return len(found) != len(r) && len(r) != len(items)
+	return len(found) == len(r) && len(r) == len(items)
 }
 
 func (r Arguments) Has(items ...string) bool {

arguments_test.go

@@ -95,7 +95,7 @@ func TestArgumentsHas(t *testing.T) {
 	}
 }
 
-func TestArgumentsIs(t *testing.T) {
+func TestArgumentsMatches(t *testing.T) {
 	for k, c := range []struct {
 		args   Arguments
 		is     []string
@@ -124,12 +124,12 @@ func TestArgumentsIs(t *testing.T) {
 		{
 			args:   Arguments{"foo", "bar"},
 			is:     []string{"foo"},
-			expect: true,
+			expect: false,
 		},
 		{
 			args:   Arguments{"foo", "bar"},
 			is:     []string{"bar"},
-			expect: true,
+			expect: false,
 		},
 		{
 			args:   Arguments{"foo", "bar"},
@@ -142,7 +142,7 @@ func TestArgumentsIs(t *testing.T) {
 			expect: false,
 		},
 	} {
-		assert.Equal(t, c.expect, c.args.Is(c.is...), "%d", k)
+		assert.Equal(t, c.expect, c.args.Matches(c.is...), "%d", k)
 		t.Logf("Passed test case %d", k)
 	}
 }

authorize_error.go

@@ -2,17 +2,22 @@ package fosite
 
 import (
 	"net/http"
-
-	"github.com/ory-am/common/pkg"
+	"encoding/json"
 )
 
-const minStateLength = 8
-
 func (c *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error) {
 	rfcerr := ErrorToRFC6749Error(err)
 
 	if !ar.IsRedirectURIValid() {
-		pkg.WriteIndentJSON(rw, rfcerr)
+		js, err := json.MarshalIndent(rfcerr, "", "\t")
+		if err != nil {
+			http.Error(rw, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		rw.Header().Set("Content-Type", "application/json")
+		rw.WriteHeader(rfcerr.StatusCode)
+		rw.Write(js)
 		return
 	}
 

authorize_request.go

@@ -14,6 +14,15 @@ type AuthorizeRequest struct {
 	Request
 }
 
+func NewAuthorizeRequest() *AuthorizeRequest {
+	return &AuthorizeRequest{
+		ResponseTypes:        Arguments{},
+		RedirectURI:          &url.URL{},
+		HandledResponseTypes: Arguments{},
+		Request:              *NewRequest(),
+	}
+}
+
 func (d *AuthorizeRequest) IsRedirectURIValid() bool {
 	if d.GetRedirectURI() == nil {
 		return false

authorize_request_handler.go

@@ -55,14 +55,7 @@ func (c *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth
 	// values, where the order of values does not matter (e.g., response
 	// type "a b" is the same as "b a").  The meaning of such composite
 	// response types is defined by their respective specifications.
-	responseTypes := removeEmpty(strings.Split(r.Form.Get("response_type"), " "))
-
-	// Enable support of multiple response types. This is for example required by OpenID Connect.
-	if !c.EnableHybridAuthorizationFlow && len(responseTypes) > 1 {
-		return request, errors.New(ErrInvalidRequest)
-	}
-
-	request.ResponseTypes = responseTypes
+	request.ResponseTypes = removeEmpty(strings.Split(r.Form.Get("response_type"), " "))
 
 	// rfc6819 4.4.1.8.  Threat: CSRF Attack against redirect-uri
 	// The "state" parameter should be used to link the authorization
@@ -74,7 +67,7 @@ func (c *Fosite) NewAuthorizeRequest(ctx context.Context, r *http.Request) (Auth
 	if state == "" {
 		return request, errors.New(ErrInvalidState)
 	} else if len(state) < minStateLength {
-		// We're assuming that using less then 6 characters for the state can not be considered "unguessable"
+		// We're assuming that using less then 8 characters for the state can not be considered "unguessable"
 		return request, errors.New(ErrInvalidState)
 	}
 	request.State = state

authorize_request_handler_test.go

@@ -149,47 +149,9 @@ func TestNewAuthorizeRequest(t *testing.T) {
 			},
 			expectedError: ErrInvalidScope,
 		},
-		{
-			desc: "should not pass because hybrid flow is not active",
-			conf: &Fosite{Store: store},
-			query: url.Values{
-				"redirect_uri":  {"https://foo.bar/cb"},
-				"client_id":     {"1234"},
-				"response_type": {"code token"},
-				"state":         {"strong-state"},
-				"scope":         {DefaultRequiredScopeName + " foo bar"},
-			},
-			mock: func() {
-				store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
-			},
-			expectedError: ErrInvalidRequest,
-		},
-		{
-			desc: "should not pass because hybrid flow is not active",
-			conf: &Fosite{Store: store},
-			query: url.Values{
-				"redirect_uri":  {"https://foo.bar/cb"},
-				"client_id":     {"1234"},
-				"response_type": {"code foo"},
-				"state":         {"strong-state"},
-				"scope":         {DefaultRequiredScopeName + " foo bar"},
-			},
-			mock: func() {
-				store.EXPECT().GetClient("1234").Return(&SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}}, nil)
-			},
-			expect: &AuthorizeRequest{
-				RedirectURI:   redir,
-				ResponseTypes: []string{"code"},
-				State:         "strong-state",
-				Request: Request{
-					Scopes: []string{DefaultRequiredScopeName, "foo", "bar"},
-					Client: &SecureClient{RedirectURIs: []string{"https://foo.bar/cb"}},
-				},
-			},
-		},
 		{
 			desc: "should pass",
-			conf: &Fosite{Store: store, EnableHybridAuthorizationFlow: true},
+			conf: &Fosite{Store: store},
 			query: url.Values{
 				"redirect_uri":  {"https://foo.bar/cb"},
 				"client_id":     {"1234"},

authorize_response.go

@@ -13,6 +13,14 @@ type AuthorizeResponse struct {
 	Fragment url.Values
 }
 
+func NewAuthorizeResponse() *AuthorizeResponse {
+	return &AuthorizeResponse{
+		Header: http.Header{},
+		Query: url.Values{},
+		Fragment: url.Values{},
+	}
+}
+
 func (a *AuthorizeResponse) SetID(id string) {
 	a.ID = id
 }