Merge pull request #419 from MadAppGang/feature/login-scopes-refactoring

Feature/login scopes refactoring

.gitignore

@@ -14,6 +14,7 @@
 *.out
 vendor
 db.db
+db_plugin.db
 shared-local-instance.db
 debug
 *__debug_bin

Makefile

@@ -39,7 +39,7 @@ build:
 	go build -o ./identifo
 
 lint:
-	golangci-lint run -D deadcode,errcheck,unused,varcheck,govet
+	golangci-lint run -D errcheck,unused,govet
 
 build_admin_panel:
 	rm -rf static/admin_panel

cmd/config-boltdb.yaml

@@ -11,7 +11,12 @@ storage:
     type: boltdb
     boltdb:
       path: ./db.db
-  userStorage: *storage_settings
+  userStorage:
+    type: plugin
+    plugin:
+      cmd: ./plugins/bin/bolt-user-storage
+      params: { "path": "./db_plugin.db" }
+      redirectStd: true
   tokenStorage: *storage_settings
   tokenBlacklist: *storage_settings
   verificationCodeStorage: *storage_settings

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/sessions v1.2.1
+	github.com/hashicorp/go-hclog v0.14.1
 	github.com/hashicorp/go-plugin v1.4.5
 	github.com/hummerd/httpdump v0.9.1
 	github.com/joho/godotenv v1.4.0
@@ -70,7 +71,6 @@ require (
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
-	github.com/hashicorp/go-hclog v0.14.1 // indirect
 	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/klauspost/compress v1.13.6 // indirect

impersonation/plugin/provider.go

@@ -5,14 +5,14 @@ import (
 	"os/exec"
 	"time"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-plugin"
 	grpcShared "github.com/madappgang/identifo/v2/impersonation/grpc/shared"
 	"github.com/madappgang/identifo/v2/impersonation/plugin/shared"
 	"github.com/madappgang/identifo/v2/model"
 )
 
 func NewImpersonationProvider(settings model.PluginSettings, timeout time.Duration) (model.ImpersonationProvider, error) {
-	var err error
 	params := []string{}
 	for k, v := range settings.Params {
 		params = append(params, "-"+k)
@@ -24,6 +24,10 @@ func NewImpersonationProvider(settings model.PluginSettings, timeout time.Durati
 		Plugins:          shared.PluginMap,
 		Cmd:              exec.Command(settings.Cmd, params...),
 		AllowedProtocols: []plugin.Protocol{plugin.ProtocolGRPC},
+		Logger: hclog.New(&hclog.LoggerOptions{
+			Level:      hclog.Debug,
+			JSONFormat: true,
+		}),
 	}
 
 	if settings.RedirectStd {

jwt/service/jwt_token_service.go

@@ -217,7 +217,7 @@ func (ts *JWTokenService) ValidateTokenString(tstr string, v jwtValidator.Valida
 // NewAccessToken creates new access token for user.
 func (ts *JWTokenService) NewAccessToken(
 	user model.User,
-	scopes []string,
+	scopes model.AllowedScopesSet,
 	app model.AppData,
 	requireTFA bool,
 	tokenPayload map[string]interface{},
@@ -235,10 +235,11 @@ func (ts *JWTokenService) NewAccessToken(
 		payload[PayloadName] = user.Username
 	}
 
-	tokenType := model.TokenTypeAccess
+	scopesStr := scopes.String()
 	if requireTFA {
-		scopes = []string{model.TokenTypeTFAPreauth}
+		scopesStr = model.TokenTypeTFAPreauth
 	}
+
 	if len(tokenPayload) > 0 {
 		for k, v := range tokenPayload {
 			payload[k] = v
@@ -253,9 +254,9 @@ func (ts *JWTokenService) NewAccessToken(
 	}
 
 	claims := &model.Claims{
-		Scopes:  strings.Join(scopes, " "),
+		Scopes:  scopesStr,
 		Payload: payload,
-		Type:    tokenType,
+		Type:    model.TokenTypeAccess,
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: (now + lifespan),
 			Issuer:    ts.issuer,
@@ -278,22 +279,27 @@ func (ts *JWTokenService) NewAccessToken(
 }
 
 // NewRefreshToken creates new refresh token.
-func (ts *JWTokenService) NewRefreshToken(u model.User, scopes []string, app model.AppData) (model.Token, error) {
+func (ts *JWTokenService) NewRefreshToken(
+	user model.User,
+	scopes model.AllowedScopesSet,
+	app model.AppData,
+) (model.Token, error) {
 	if !app.Active || !app.Offline {
 		return nil, ErrInvalidApp
 	}
+
 	// no offline request
-	if !model.SliceContains(scopes, model.OfflineScope) {
+	if !scopes.Contains(model.OfflineScope) {
 		return nil, ErrInvalidOfflineScope
 	}
 
-	if !u.Active {
+	if !user.Active {
 		return nil, ErrInvalidUser
 	}
 
 	payload := make(map[string]interface{})
 	if model.SliceContains(app.TokenPayload, PayloadName) {
-		payload[PayloadName] = u.Username
+		payload[PayloadName] = user.Username
 	}
 	now := ijwt.TimeFunc().Unix()
 
@@ -303,13 +309,13 @@ func (ts *JWTokenService) NewRefreshToken(u model.User, scopes []string, app mod
 	}
 
 	claims := &model.Claims{
-		Scopes:  strings.Join(scopes, " "),
+		Scopes:  scopes.String(),
 		Payload: payload,
 		Type:    model.TokenTypeRefresh,
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: (now + lifespan),
 			Issuer:    ts.issuer,
-			Subject:   u.ID,
+			Subject:   user.ID,
 			Audience:  app.ID,
 			IssuedAt:  now,
 		},
@@ -338,7 +344,10 @@ func (ts *JWTokenService) NewRefreshToken(u model.User, scopes []string, app mod
 }
 
 // RefreshAccessToken issues new access token for provided refresh token.
-func (ts *JWTokenService) RefreshAccessToken(refreshToken model.Token, tokenPayload map[string]interface{}) (model.Token, error) {
+func (ts *JWTokenService) RefreshAccessToken(
+	refreshToken model.Token,
+	tokenPayload map[string]interface{},
+) (model.Token, error) {
 	rt, ok := refreshToken.(*model.JWToken)
 	if !ok || rt == nil {
 		return nil, model.ErrTokenInvalid

jwt/token_test.go

@@ -113,6 +113,7 @@ func TestNewToken(t *testing.T) {
 	}, "password", "admin", false)
 	scopes := []string{"scope1", "scope2"}
 	tokenPayload := []string{"name"}
+
 	app := model.AppData{
 		ID:                           "123456",
 		Secret:                       "1",
@@ -138,7 +139,10 @@ func TestNewToken(t *testing.T) {
 		RolesBlacklist:               []string{},
 		NewUserDefaultRole:           "",
 	}
-	token, err := tokenService.NewAccessToken(user, scopes, app, false, nil)
+
+	allowedScopes := model.AllowedScopes(scopes, scopes, false)
+
+	token, err := tokenService.NewAccessToken(user, allowedScopes, app, false, nil)
 	assert.NoError(t, err)
 
 	tokenString, err := tokenService.String(token)

model/slice.go

@@ -18,11 +18,15 @@ func SliceIntersect(a, b []string) []string {
 }
 
 func SliceContains(s []string, e string) bool {
+	el := strings.TrimSpace(e)
+
 	for _, a := range s {
-		if strings.TrimSpace(strings.ToLower(a)) == strings.TrimSpace(strings.ToLower(e)) {
+		if strings.EqualFold(strings.TrimSpace(a), el) {
 			return true
 		}
+
 	}
+
 	return false
 }
 

model/token.go

@@ -1,6 +1,7 @@
 package model
 
 import (
+	"strings"
 	"time"
 
 	jwt "github.com/golang-jwt/jwt/v4"
@@ -182,15 +183,31 @@ type Claims struct {
 // Full example of how to use JWT tokens:
 // https://github.com/form3tech-oss/jwt-go/blob/master/cmd/jwt/app.go
 
-func AllowedScopes(requestedScopes, userScopes []string, isOffline bool) []string {
-	scopes := []string{}
+// This type is needed for guard against passing unchecked scopes to the token.
+// Do not convert user provided scopes to this type directly.
+type AllowedScopesSet struct {
+	scopes []string
+}
+
+func (a AllowedScopesSet) String() string {
+	return strings.Join(a.scopes, " ")
+}
+
+func (a AllowedScopesSet) Scopes() []string {
+	return a.scopes
+}
+
+func (a AllowedScopesSet) Contains(scope string) bool {
+	return SliceContains(a.scopes, scope)
+}
+
+func AllowedScopes(requestedScopes, userScopes []string, isOffline bool) AllowedScopesSet {
 	// if we requested any scope, let's provide all the scopes user has and requested
-	if len(requestedScopes) > 0 {
-		scopes = SliceIntersect(requestedScopes, userScopes)
-	}
-	if SliceContains(requestedScopes, "offline") && isOffline {
-		scopes = append(scopes, "offline")
+	scopes := SliceIntersect(requestedScopes, userScopes)
+
+	if SliceContains(requestedScopes, OfflineScope) && isOffline {
+		scopes = append(scopes, OfflineScope)
 	}
 
-	return scopes
+	return AllowedScopesSet{scopes}
 }

model/token_service.go

@@ -7,8 +7,8 @@ const (
 
 // TokenService is an abstract token manager.
 type TokenService interface {
-	NewAccessToken(u User, scopes []string, app AppData, requireTFA bool, tokenPayload map[string]interface{}) (Token, error)
-	NewRefreshToken(u User, scopes []string, app AppData) (Token, error)
+	NewAccessToken(u User, scopes AllowedScopesSet, app AppData, requireTFA bool, tokenPayload map[string]interface{}) (Token, error)
+	NewRefreshToken(u User, scopes AllowedScopesSet, app AppData) (Token, error)
 	RefreshAccessToken(token Token, tokenPayload map[string]interface{}) (Token, error)
 	NewInviteToken(email, role, audience string, data map[string]interface{}) (Token, error)
 	NewResetToken(userID string) (Token, error)

plugins/bolt-user-storage/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"flag"
+	"log/slog"
 	"os"
 	"os/signal"
 	"syscall"
@@ -13,7 +14,20 @@ import (
 	"github.com/madappgang/identifo/v2/storage/plugin/shared"
 )
 
+type wproxy struct {
+}
+
+func (w wproxy) Write(p []byte) (n int, err error) {
+	return os.Stderr.Write(p)
+}
+
 func main() {
+	slog.SetDefault(slog.New(slog.NewJSONHandler(
+		wproxy{},
+		&slog.HandlerOptions{
+			Level: slog.LevelDebug,
+		})))
+
 	path := flag.String("path", "", "path to database")
 	flag.Parse()
 
@@ -34,7 +48,6 @@ func main() {
 		Plugins: map[string]plugin.Plugin{
 			"user-storage": &shared.UserStoragePlugin{Impl: s},
 		},
-
 		// A non-nil value here enables gRPC serving for this plugin...
 		GRPCServer: plugin.DefaultGRPCServer,
 	})

storage/dynamodb/db.go

@@ -51,12 +51,17 @@ func (db *DB) IsTableExists(table string) (bool, error) {
 }
 
 func (db *DB) DeleteTable(table string) error {
-	svc := dynamodb.New(session.New())
+	sess, err := session.NewSession()
+	if err != nil {
+		return err
+	}
+
+	svc := dynamodb.New(sess)
 	input := &dynamodb.DeleteTableInput{
 		TableName: aws.String(table),
 	}
 
-	_, err := svc.DeleteTable(input)
+	_, err = svc.DeleteTable(input)
 	return err
 }
 

storage/dynamodb/invite.go

@@ -270,6 +270,7 @@ func (is *InviteStorage) ArchiveAllByEmail(email string) error {
 	if err != nil {
 		is.logger.Error("Error querying for invites",
 			logging.FieldError, err)
+
 		return ErrorInternalError
 	}
 

storage/dynamodb/user.go

@@ -90,6 +90,7 @@ func (us *UserStorage) UserByID(id string) (model.User, error) {
 	if err != nil {
 		us.logger.Error("Error getting item from DynamoDB",
 			logging.FieldError, err)
+
 		return model.User{}, ErrorInternalError
 	}
 	if result.Item == nil {

storage/plugin/user.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"os/exec"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-plugin"
 	"github.com/madappgang/identifo/v2/model"
 	grpcShared "github.com/madappgang/identifo/v2/storage/grpc/shared"
@@ -12,7 +13,6 @@ import (
 
 // NewUserStorage creates and inits plugin user storage.
 func NewUserStorage(settings model.PluginSettings) (model.UserStorage, error) {
-	var err error
 	params := []string{}
 	for k, v := range settings.Params {
 		params = append(params, "-"+k)
@@ -24,6 +24,10 @@ func NewUserStorage(settings model.PluginSettings) (model.UserStorage, error) {
 		Plugins:          shared.PluginMap,
 		Cmd:              exec.Command(settings.Cmd, params...),
 		AllowedProtocols: []plugin.Protocol{plugin.ProtocolGRPC},
+		Logger: hclog.New(&hclog.LoggerOptions{
+			Level:      hclog.Debug,
+			JSONFormat: true,
+		}),
 	}
 
 	if settings.RedirectStd {

user_payload_provider/plugin/provider.go

@@ -5,6 +5,7 @@ import (
 	"os/exec"
 	"time"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-plugin"
 	"github.com/madappgang/identifo/v2/model"
 	grpcShared "github.com/madappgang/identifo/v2/user_payload_provider/grpc/shared"
@@ -13,19 +14,21 @@ import (
 
 // NewTokenPayloadProvider creates and inits plugin for payload provider.
 func NewTokenPayloadProvider(settings model.PluginSettings, timeout time.Duration) (model.TokenPayloadProvider, error) {
-	var err error
 	params := []string{}
 	for k, v := range settings.Params {
 		params = append(params, "-"+k)
 		params = append(params, v)
 	}
 
 	cfg := &plugin.ClientConfig{
-		SyncStdout:       os.Stdout,
 		HandshakeConfig:  shared.Handshake,
 		Plugins:          shared.PluginMap,
 		Cmd:              exec.Command(settings.Cmd, params...),
 		AllowedProtocols: []plugin.Protocol{plugin.ProtocolGRPC},
+		Logger: hclog.New(&hclog.LoggerOptions{
+			Level:      hclog.Debug,
+			JSONFormat: true,
+		}),
 	}
 
 	if settings.RedirectStd {