🔥 0.2.0 (ory#165)

* warden: rename `assertion` to `token` - closes ory#158
* config: do not log database credentials - closes ory#147
* oauth2: upgrade fosite - close ory#160
* config: do not store database config in hydra config - closes ory#164
* oauth2: id_token at_hash / c_hash is null - closes ory#129
* jwk: improve error message of wrong system secrect - closes ory#104
* readme: improve images, add benchmarks - closes ory#161
* cmd: improve connect dialogue - closes ory#170
* cmd: fix --dry option - closes ory#157
* firewall: document warden interface sdk
* readme: link openid connect and oauth2 introduction
* cmd: introduce FORCE_ROOT_CLIENT_CREDENTIALS env var - closes ory#140
* readme: document error redirect to identity provider - closes ory#96
* internal: fosite store must be consistent to avoid errors - closes ory#176
* client: add GetConcreteClient to http manager
* cmd: host process now logs basic information on all http requests - closes ory#178
* all: add memory profiling - closes ory#179
* warden: resolve nil pointer issue - closes ory#181
* cmd: clean up env to struct mapping, add more controls
* cmd: bcrypt cost should be configurable - closes ory#184
* cmd: token lifespans should be configurable - closes ory#183
* cmd: resolve issues with envirnoment config - closes ory#182
* cmd: implement tls termination capability - closes ory#177
* cmd: resolve issues with redirect logic and TLS
* oauth2: implement default oauth2 consent endpoint - closes ory#185
* warden - closes ory#188 
* oauth2: id token claims should be set by using id_token - closes ory#188
* oauth2: oauth2 implicit flow should allow custom protocols - closes ory#180
* oauth2: core scope should not be mandatory - closes ory#189
* warden: warden sdk should not make distinction between token and request - closes ory#190
* warden: rename authorized / allowed endpoints to something more meaningful - closes ory#162
* ci: improve travis config

.travis.yml

@@ -13,16 +13,15 @@ go:
   - 1.6
 
 install:
-  - go get github.com/axw/gocov/gocov github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/pierrre/gotestcover
-  # Workaround for travis
-  - go get -t -v ./...
-  - go install github.com/ory-am/hydra
+  - go get github.com/mattn/goveralls golang.org/x/tools/cmd/cover github.com/pierrre/gotestcover github.com/Masterminds/glide
   - git clone https://github.com/docker-library/official-images.git ~/official-images
+  - glide install
+  - go install github.com/ory-am/hydra
 
 script:
-  - go test -bench=.* -run=nothing $(go list ./... | grep -v /vendor)
+  - gotestcover -coverprofile="cover.out" $(glide novendor)
   - go test -race $(go list ./... | grep -v /vendor | grep -v /cmd)
-  - gotestcover -coverprofile="cover.out" $(go list ./... | grep -v /vendor/)
+  - go test -v -bench=.* -run=none $(glide novendor)
   - goveralls -coverprofile="cover.out"
   - docker build -t hydra-travis-ci .
   - docker run -d hydra-travis-ci

client/client.go

@@ -1,6 +1,9 @@
 package client
 
-import "github.com/ory-am/fosite"
+import (
+	"github.com/ory-am/fosite"
+	"strings"
+)
 
 type Client struct {
 	ID                string   `json:"id" gorethink:"id"`
@@ -9,7 +12,7 @@ type Client struct {
 	RedirectURIs      []string `json:"redirect_uris" gorethink:"redirect_uris"`
 	GrantTypes        []string `json:"grant_types" gorethink:"grant_types"`
 	ResponseTypes     []string `json:"response_types" gorethink:"response_types"`
-	GrantedScopes     []string `json:"granted_scopes" gorethink:"granted_scopes"`
+	Scopes            string `json:"scopes" gorethink:"scopes"`
 	Owner             string   `json:"owner" gorethink:"owner"`
 	PolicyURI         string   `json:"policy_uri" gorethink:"policy_uri"`
 	TermsOfServiceURI string   `json:"tos_uri" gorethink:"tos_uri"`
@@ -30,10 +33,8 @@ func (c *Client) GetHashedSecret() []byte {
 	return []byte(c.Secret)
 }
 
-func (c *Client) GetGrantedScopes() fosite.Scopes {
-	return &fosite.DefaultScopes{
-		Scopes: c.GrantedScopes,
-	}
+func (c *Client) GetScopes() fosite.Arguments {
+	return fosite.Arguments(strings.Split(c.Scopes, " "))
 }
 
 func (c *Client) GetGrantTypes() fosite.Arguments {

client/handler.go

@@ -45,7 +45,7 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 		return
 	}
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: ClientsResource,
 		Action:   "create",
 		Context: ladon.Context{
@@ -80,7 +80,7 @@ func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Pa
 func (h *Handler) GetAll(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = herodot.NewContext()
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: ClientsResource,
 		Action:   "get",
 	}, Scope); err != nil {
@@ -106,13 +106,13 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 	var ctx = herodot.NewContext()
 	var id = ps.ByName("id")
 
-	c, err := h.Manager.GetClient(id)
+	c, err := h.Manager.GetConcreteClient(id)
 	if err != nil {
 		h.H.WriteError(ctx, w, r, err)
 		return
 	}
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: fmt.Sprintf(ClientResource, id),
 		Action:   "get",
 		Context: ladon.Context{
@@ -123,15 +123,15 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Para
 		return
 	}
 
-	c.(*Client).Secret = ""
+	c.Secret = ""
 	h.H.Write(ctx, w, r, c)
 }
 
 func (h *Handler) Delete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	var ctx = herodot.NewContext()
 	var id = ps.ByName("id")
 
-	if _, err := h.W.HTTPActionAllowed(ctx, r, &ladon.Request{
+	if _, err := h.W.TokenAllowed(ctx, h.W.TokenFromRequest(r), &ladon.Request{
 		Resource: fmt.Sprintf(ClientResource, id),
 		Action:   "delete",
 	}, Scope); err != nil {

client/manager.go

@@ -18,4 +18,6 @@ type Storage interface {
 	DeleteClient(id string) error
 
 	GetClients() (map[string]Client, error)
+
+	GetConcreteClient(id string) (*Client, error)
 }

client/manager_http.go

@@ -14,7 +14,7 @@ type HTTPManager struct {
 	Dry      bool
 }
 
-func (m *HTTPManager) GetClient(id string) (fosite.Client, error) {
+func (m *HTTPManager) GetConcreteClient(id string) (*Client, error) {
 	var c Client
 	var r = pkg.NewSuperAgent(pkg.JoinURL(m.Endpoint, id).String())
 	r.Client = m.Client
@@ -26,6 +26,10 @@ func (m *HTTPManager) GetClient(id string) (fosite.Client, error) {
 	return &c, nil
 }
 
+func (m *HTTPManager) GetClient(id string) (fosite.Client, error) {
+	return m.GetConcreteClient(id)
+}
+
 func (m *HTTPManager) CreateClient(c *Client) error {
 	var r = pkg.NewSuperAgent(m.Endpoint.String())
 	r.Client = m.Client

client/manager_memory.go

@@ -16,7 +16,7 @@ type MemoryManager struct {
 	sync.RWMutex
 }
 
-func (m *MemoryManager) GetClient(id string) (fosite.Client, error) {
+func (m *MemoryManager) GetConcreteClient(id string) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()
 
@@ -27,6 +27,10 @@ func (m *MemoryManager) GetClient(id string) (fosite.Client, error) {
 	return &c, nil
 }
 
+func (m *MemoryManager) GetClient(id string) (fosite.Client, error) {
+	return m.GetConcreteClient(id)
+}
+
 func (m *MemoryManager) Authenticate(id string, secret []byte) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()

client/manager_rethinkdb.go

@@ -23,7 +23,7 @@ type RethinkManager struct {
 	Hasher  hash.Hasher
 }
 
-func (m *RethinkManager) GetClient(id string) (fosite.Client, error) {
+func (m *RethinkManager) GetConcreteClient(id string) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()
 
@@ -34,6 +34,10 @@ func (m *RethinkManager) GetClient(id string) (fosite.Client, error) {
 	return &c, nil
 }
 
+func (m *RethinkManager) GetClient(id string) (fosite.Client, error) {
+	return m.GetConcreteClient(id)
+}
+
 func (m *RethinkManager) Authenticate(id string, secret []byte) (*Client, error) {
 	m.RLock()
 	defer m.RUnlock()

client/manager_test.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/julienschmidt/httprouter"
+	"github.com/ory-am/dockertest"
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/fosite/hash"
 	. "github.com/ory-am/hydra/client"
@@ -22,7 +23,6 @@ import (
 	"github.com/pborman/uuid"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/net/context"
-	"gopkg.in/ory-am/dockertest.v2"
 )
 
 var clientManagers = map[string]Storage{}

cmd/cli/handler_client.go

@@ -9,6 +9,7 @@ import (
 	"github.com/ory-am/hydra/config"
 	"github.com/ory-am/hydra/pkg"
 	"github.com/spf13/cobra"
+	"strings"
 )
 
 type ClientHandler struct {
@@ -24,7 +25,6 @@ func newClientHandler(c *config.Config) *ClientHandler {
 }
 
 func (h *ClientHandler) ImportClients(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
 	h.M.Endpoint = h.Config.Resolve("/clients")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	if len(args) == 0 {
@@ -52,7 +52,7 @@ func (h *ClientHandler) ImportClients(cmd *cobra.Command, args []string) {
 func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
 	var err error
 
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/clients")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 
@@ -70,7 +70,7 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
 		ID:            id,
 		Secret:        string(secret),
 		ResponseTypes: responseTypes,
-		GrantedScopes: allowedScopes,
+		Scopes:        strings.Join(allowedScopes, " "),
 		GrantTypes:    grantTypes,
 		RedirectURIs:  callbacks,
 		Name:          name,
@@ -87,7 +87,6 @@ func (h *ClientHandler) CreateClient(cmd *cobra.Command, args []string) {
 }
 
 func (h *ClientHandler) DeleteClient(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
 	h.M.Endpoint = h.Config.Resolve("/clients")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	if len(args) == 0 {

cmd/cli/handler_connection.go

@@ -23,7 +23,7 @@ func newConnectionHandler(c *config.Config) *ConnectionHandler {
 }
 
 func (h *ConnectionHandler) CreateConnection(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	h.M.Endpoint = h.Config.Resolve("/connections")
 	if len(args) != 3 {
@@ -45,7 +45,7 @@ func (h *ConnectionHandler) CreateConnection(cmd *cobra.Command, args []string)
 }
 
 func (h *ConnectionHandler) DeleteConnection(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	h.M.Endpoint = h.Config.Resolve("/connections")
 	if len(args) == 0 {

cmd/cli/handler_jwk.go

@@ -23,7 +23,7 @@ func newJWKHandler(c *config.Config) *JWKHandler {
 }
 
 func (h *JWKHandler) CreateKeys(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/keys")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	if len(args) == 0 {
@@ -46,7 +46,7 @@ func (h *JWKHandler) CreateKeys(cmd *cobra.Command, args []string) {
 }
 
 func (h *JWKHandler) GetKeys(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/keys")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	if len(args) == 0 {
@@ -68,6 +68,7 @@ func (h *JWKHandler) GetKeys(cmd *cobra.Command, args []string) {
 }
 
 func (h *JWKHandler) DeleteKeys(cmd *cobra.Command, args []string) {
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/keys")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	if len(args) == 0 {

cmd/cli/handler_policy.go

@@ -25,7 +25,7 @@ func newPolicyHandler(c *config.Config) *PolicyHandler {
 }
 
 func (h *PolicyHandler) CreatePolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/policies")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 
@@ -80,7 +80,7 @@ func (h *PolicyHandler) CreatePolicy(cmd *cobra.Command, args []string) {
 }
 
 func (h *PolicyHandler) AddResourceToPolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/policies")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 
@@ -112,12 +112,11 @@ func (h *PolicyHandler) AddResourceToPolicy(cmd *cobra.Command, args []string) {
 }
 
 func (h *PolicyHandler) RemoveResourceFromPolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
 	fmt.Println("Not yet implemented.")
 }
 
 func (h *PolicyHandler) AddSubjectToPolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/policies")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 
@@ -149,12 +148,11 @@ func (h *PolicyHandler) AddSubjectToPolicy(cmd *cobra.Command, args []string) {
 }
 
 func (h *PolicyHandler) RemoveSubjectFromPolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
 	fmt.Println("Not yet implemented.")
 }
 
 func (h *PolicyHandler) AddActionToPolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/policies")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 
@@ -186,12 +184,11 @@ func (h *PolicyHandler) AddActionToPolicy(cmd *cobra.Command, args []string) {
 }
 
 func (h *PolicyHandler) RemoveActionFromPolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
 	fmt.Println("Not yet implemented.")
 }
 
 func (h *PolicyHandler) GetPolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/policies")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 
@@ -214,7 +211,7 @@ func (h *PolicyHandler) GetPolicy(cmd *cobra.Command, args []string) {
 }
 
 func (h *PolicyHandler) DeletePolicy(cmd *cobra.Command, args []string) {
-	h.M.Dry = *h.Config.Dry
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Endpoint = h.Config.Resolve("/policies")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 

cmd/cli/handler_warden.go

@@ -24,6 +24,7 @@ func newWardenHandler(c *config.Config) *WardenHandler {
 }
 
 func (h *WardenHandler) IsAuthorized(cmd *cobra.Command, args []string) {
+	h.M.Dry, _ = cmd.Flags().GetBool("dry")
 	h.M.Client = h.Config.OAuth2Client(cmd)
 	h.M.Endpoint = h.Config.Resolve("/connections")
 
@@ -33,11 +34,7 @@ func (h *WardenHandler) IsAuthorized(cmd *cobra.Command, args []string) {
 	}
 
 	scopes, _ := cmd.Flags().GetStringSlice("scopes")
-	if len(scopes) == 0 {
-		scopes = []string{"core"}
-	}
-
-	res, err := h.M.Authorized(context.Background(), args[0], scopes...)
+	res, err := h.M.InspectToken(context.Background(), args[0], scopes...)
 	pkg.Must(err, "Could not validate token: %s", err)
 
 	out, err := json.MarshalIndent(res, "", "\t")

cmd/clients.go

@@ -26,12 +26,9 @@ var clientsCmd = &cobra.Command{
 }
 
 func init() {
-	var dry bool
-	c.Dry = &dry
-
 	RootCmd.AddCommand(clientsCmd)
+	clientsCmd.PersistentFlags().Bool("dry", false, "do not execute the command but show the corresponding curl command instead")
 
-	clientsCmd.PersistentFlags().BoolVar(c.Dry, "dry", false, "do not execute the command but show the corresponding curl command instead")
 	// Here you will define your flags and configuration settings.
 
 	// Cobra supports Persistent Flags which will work for this command
@@ -41,5 +38,4 @@ func init() {
 	// Cobra supports local flags which will only run when this command
 	// is called directly, e.g.:
 	// clientsCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
-
 }

cmd/clients_create.go

@@ -22,6 +22,6 @@ func init() {
 	clientsCreateCmd.Flags().StringSliceP("callbacks", "c", []string{}, "REQUIRED list of allowed callback URLs")
 	clientsCreateCmd.Flags().StringSliceP("grant-types", "g", []string{"authorization_code"}, "A list of allowed grant types")
 	clientsCreateCmd.Flags().StringSliceP("response-types", "r", []string{"code"}, "A list of allowed response types")
-	clientsCreateCmd.Flags().StringSliceP("allowed-scopes", "a", []string{"core"}, "A list of allowed scopes")
+	clientsCreateCmd.Flags().StringSliceP("allowed-scopes", "a", []string{""}, "A list of allowed scopes")
 	clientsCreateCmd.Flags().StringP("name", "n", "", "The client's name")
 }