Merge pull request #28 from zachmann/feat/trustmark_refresher

Feat/trustmark refresher
zachmann · Dec 6, 2024 · 12c82a8 · 12c82a8
2 parents 15ebb3a + 13e95be
commit 12c82a8
Show file tree

Hide file tree

Showing 30 changed files with 567 additions and 383 deletions.
diff --git a/examples/rp/config.go b/examples/rp/config.go
@@ -10,15 +10,15 @@ import (
 )
 
 type config struct {
-	EntityID         string              `yaml:"entity_id"`
-	TrustAnchors     pkg.TrustAnchors    `yaml:"trust_anchors"`
-	AuthorityHints   []string            `yaml:"authority_hints"`
-	OrganisationName string              `yaml:"organisation_name"`
-	ServerAddr       string              `yaml:"server_addr"`
-	KeyStorage       string              `yaml:"key_storage"`
-	OnlyAutomaticOPs bool                `yaml:"filter_to_automatic_ops"`
-	EnableDebugLog   bool                `yaml:"enable_debug_log"`
-	TrustMarks       []pkg.TrustMarkInfo `yaml:"trust_marks"`
+	EntityID         string                                    `yaml:"entity_id"`
+	TrustAnchors     pkg.TrustAnchors                          `yaml:"trust_anchors"`
+	AuthorityHints   []string                                  `yaml:"authority_hints"`
+	OrganisationName string                                    `yaml:"organisation_name"`
+	ServerAddr       string                                    `yaml:"server_addr"`
+	KeyStorage       string                                    `yaml:"key_storage"`
+	OnlyAutomaticOPs bool                                      `yaml:"filter_to_automatic_ops"`
+	EnableDebugLog   bool                                      `yaml:"enable_debug_log"`
+	TrustMarks       []*pkg.EntityConfigurationTrustMarkConfig `yaml:"trust_marks"`
 }
 
 var conf *config
@@ -45,4 +45,9 @@ func mustLoadConfig() {
 	if conf.EnableDebugLog {
 		pkg.EnableDebugLogging()
 	}
+	for _, c := range conf.TrustMarks {
+		if err = c.Verify(conf.EntityID); err != nil {
+			log.Fatal(err)
+		}
+	}
 }
diff --git a/examples/ta/config/config.go b/examples/ta/config/config.go
@@ -16,21 +16,21 @@ import (
 
 // Config holds configuration for the entity
 type Config struct {
-	ServerPort            int                         `yaml:"server_port"`
-	EntityID              string                      `yaml:"entity_id"`
-	AuthorityHints        []string                    `yaml:"authority_hints"`
-	MetadataPolicyFile    string                      `yaml:"metadata_policy_file"`
-	MetadataPolicy        *pkg.MetadataPolicies       `yaml:"-"`
-	SigningKeyFile        string                      `yaml:"signing_key_file"`
-	ConfigurationLifetime int64                       `yaml:"configuration_lifetime"`
-	OrganizationName      string                      `yaml:"organization_name"`
-	DataLocation          string                      `yaml:"data_location"`
-	ReadableStorage       bool                        `yaml:"human_readable_storage"`
-	Endpoints             Endpoints                   `yaml:"endpoints"`
-	TrustMarkSpecs        []extendedTrustMarkSpec     `yaml:"trust_mark_specs"`
-	TrustMarks            []pkg.TrustMarkInfo         `yaml:"trust_marks"`
-	TrustMarkIssuers      pkg.AllowedTrustMarkIssuers `yaml:"trust_mark_issuers"`
-	TrustMarkOwners       pkg.TrustMarkOwners         `yaml:"trust_mark_owners"`
+	ServerPort            int                                       `yaml:"server_port"`
+	EntityID              string                                    `yaml:"entity_id"`
+	AuthorityHints        []string                                  `yaml:"authority_hints"`
+	MetadataPolicyFile    string                                    `yaml:"metadata_policy_file"`
+	MetadataPolicy        *pkg.MetadataPolicies                     `yaml:"-"`
+	SigningKeyFile        string                                    `yaml:"signing_key_file"`
+	ConfigurationLifetime int64                                     `yaml:"configuration_lifetime"`
+	OrganizationName      string                                    `yaml:"organization_name"`
+	DataLocation          string                                    `yaml:"data_location"`
+	ReadableStorage       bool                                      `yaml:"human_readable_storage"`
+	Endpoints             Endpoints                                 `yaml:"endpoints"`
+	TrustMarkSpecs        []extendedTrustMarkSpec                   `yaml:"trust_mark_specs"`
+	TrustMarks            []*pkg.EntityConfigurationTrustMarkConfig `yaml:"trust_marks"`
+	TrustMarkIssuers      pkg.AllowedTrustMarkIssuers               `yaml:"trust_mark_issuers"`
+	TrustMarkOwners       pkg.TrustMarkOwners                       `yaml:"trust_mark_owners"`
 }
 
 type extendedTrustMarkSpec struct {
@@ -132,4 +132,9 @@ func Load(filename string) {
 			log.Fatal(err)
 		}
 	}
+	for _, tmc := range c.TrustMarks {
+		if err = tmc.Verify(c.EntityID); err != nil {
+			log.Fatal(err)
+		}
+	}
 }
diff --git a/go.mod b/go.mod
@@ -7,8 +7,10 @@ require (
 	github.com/adam-hanna/arrayOperations v1.0.1
 	github.com/dgraph-io/badger/v4 v4.5.0
 	github.com/fatih/structs v1.1.0
+	github.com/go-resty/resty/v2 v2.16.2
 	github.com/gofiber/fiber/v2 v2.52.5
 	github.com/google/uuid v1.6.0
+	github.com/jarcoal/httpmock v1.3.1
 	github.com/lestrrat-go/jwx v1.2.30
 	github.com/luci/go-render v0.0.0-20160219211803-9a04cc21af0f
 	github.com/pkg/errors v0.9.1

diff --git a/go.sum b/go.sum
@@ -36,6 +36,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
+github.com/go-resty/resty/v2 v2.16.2 h1:CpRqTjIzq/rweXUt9+GxzzQdlkqMdt8Lm/fuK/CAbAg=
+github.com/go-resty/resty/v2 v2.16.2/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU=
 github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
 github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/gofiber/fiber/v2 v2.52.5 h1:tWoP1MJQjGEe4GB5TUGOi7P2E0ZMMRx5ZTG4rT+yGMo=
@@ -66,6 +68,8 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/jarcoal/httpmock v1.3.1 h1:iUx3whfZWVf3jT01hQTO/Eo5sAYtB2/rqaUuOtpInww=
+github.com/jarcoal/httpmock v1.3.1/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
 github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
 github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
@@ -90,6 +94,8 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
+github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -152,6 +158,8 @@ golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
 golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=

diff --git a/go.work.sum b/go.work.sum
@@ -669,6 +669,8 @@ github.com/lyft/protoc-gen-star v0.6.1 h1:erE0rdztuaDq3bpGifD95wfoPrSZc95nGA6tbi
 github.com/lyft/protoc-gen-star v0.6.1/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA=
 github.com/lyft/protoc-gen-star/v2 v2.0.1 h1:keaAo8hRuAT0O3DfJ/wM3rufbAjGeJ1lAtWZHDjKGB0=
 github.com/lyft/protoc-gen-star/v2 v2.0.1/go.mod h1:RcCdONR2ScXaYnQC5tUzxzlpA3WVYF7/opLeUgcQs/o=
+github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
+github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
 github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
 github.com/onsi/ginkgo v1.14.1 h1:jMU0WaQrP0a/YAEq8eJmJKjBoMs+pClEr1vDMlM/Do4=
 github.com/onsi/gomega v1.10.2 h1:aY/nuoWlKJud2J6U0E3NWsjlg+0GtwXxgEqthRdzlcs=
@@ -903,6 +905,8 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e h1:FDhOuMEY4JVRztM/gsbk+IKUQ8kj74bxZrgw87eMMVc=
 golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=

diff --git a/internal/constants/constants.go b/internal/constants/constants.go
@@ -0,0 +1,4 @@
+package constants
+
+// FederationSuffix is the well-known openid-federation suffix
+const FederationSuffix = "/.well-known/openid-federation"
diff --git a/internal/http.go b/internal/http.go
diff --git a/internal/http/http.go b/internal/http/http.go
@@ -0,0 +1,69 @@
+package http
+
+import (
+	"fmt"
+	"net/url"
+	"time"
+
+	"github.com/go-resty/resty/v2"
+	"github.com/pkg/errors"
+)
+
+var client *resty.Client
+
+func init() {
+	client = resty.New()
+	client.SetCookieJar(nil)
+	// client.SetDisableWarn(true)
+	client.SetRetryCount(2)
+	client.SetRedirectPolicy(resty.FlexibleRedirectPolicy(10))
+	client.SetTimeout(20 * time.Second)
+}
+
+// HttpError is a type for returning the server's error response including its status code
+type HttpError struct {
+	Error            string `json:"error"`
+	ErrorDescription string `json:"error_description"`
+	Status           int
+}
+
+// Err returns an error including the server's error response
+func (e *HttpError) Err() error {
+	errStr := fmt.Sprintf("http error response: %d: %s", e.Status, e.Error)
+	if e.ErrorDescription != "" {
+		errStr += ": " + e.ErrorDescription
+	}
+	return errors.New(errStr)
+
+}
+
+// Do returns the client, so it can be used to do requests
+func Do() *resty.Client {
+	return client
+}
+
+// Get performs a http GET request and parses the response into the given interface{}
+func Get(url string, params url.Values, res interface{}) (*resty.Response, *HttpError, error) {
+	resp, err := client.R().SetQueryParamsFromValues(params).SetError(&HttpError{}).SetResult(res).Get(url)
+	if err != nil {
+		return nil, nil, errors.WithStack(err)
+	}
+	if errRes, ok := resp.Error().(*HttpError); ok && errRes != nil && errRes.Error != "" {
+		errRes.Status = resp.RawResponse.StatusCode
+		return nil, errRes, nil
+	}
+	return resp, nil, nil
+}
+
+// Post performs a http POST request and parses the response into the given interface{}
+func Post(url string, req interface{}, res interface{}) (*resty.Response, *HttpError, error) {
+	resp, err := client.R().SetBody(req).SetError(&HttpError{}).SetResult(res).Post(url)
+	if err != nil {
+		return nil, nil, errors.WithStack(err)
+	}
+	if errRes, ok := resp.Error().(*HttpError); ok && errRes != nil && errRes.Error != "" {
+		errRes.Status = resp.RawResponse.StatusCode
+		return nil, errRes, nil
+	}
+	return resp, nil, nil
+}
diff --git a/internal/jwx/jws.go b/internal/jwx/jws.go
@@ -6,11 +6,13 @@ import (
 	"github.com/lestrrat-go/jwx/jwa"
 	"github.com/lestrrat-go/jwx/jwk"
 	"github.com/lestrrat-go/jwx/jws"
+	"github.com/lestrrat-go/jwx/jwt"
 	"github.com/pkg/errors"
 	"github.com/vmihailenco/msgpack/v5"
 
 	"github.com/zachmann/go-oidfed/internal/utils"
 	myjwk "github.com/zachmann/go-oidfed/pkg/jwk"
+	"github.com/zachmann/go-oidfed/pkg/unixtime"
 )
 
 // ParsedJWT is a type extending jws.Message by holding the original jwt
@@ -113,3 +115,13 @@ func SignPayload(payload []byte, signingAlg jwa.SignatureAlgorithm, key crypto.S
 	}
 	return jws.Sign(payload, signingAlg, key, jws.WithHeaders(headers))
 }
+
+// GetExp returns the expiration of a jwt
+func GetExp(bytes []byte) (exp unixtime.Unixtime, err error) {
+	parsed, err := jwt.Parse(bytes)
+	if err != nil {
+		err = errors.WithStack(err)
+		return
+	}
+	return unixtime.Unixtime{Time: parsed.Expiration()}, nil
+}
diff --git a/pkg/discovery.go b/pkg/discovery.go
@@ -1,9 +1,12 @@
 package pkg
 
 import (
-	"encoding/json"
+	"net/url"
+
+	"github.com/pkg/errors"
 
 	"github.com/zachmann/go-oidfed/internal"
+	"github.com/zachmann/go-oidfed/internal/http"
 	"github.com/zachmann/go-oidfed/internal/utils"
 )
 
@@ -183,15 +186,20 @@ var OPDiscoveryFilterExplicitRegistration opDiscoveryFilterExplicitRegistration
 var OPDiscoveryFilterAutomaticRegistration opDiscoveryFilterAutomaticRegistration
 
 func fetchList(listEndpoint, entityType string) ([]string, error) {
-	body, err := entityStatementObtainer.ListEntities(listEndpoint, entityType)
+	params := url.Values{}
+	params.Add("entity_type", entityType)
+	resp, errRes, err := http.Get(listEndpoint, params, &[]string{})
 	if err != nil {
 		return nil, err
 	}
-	var entities []string
-	if err = json.Unmarshal(body, &entities); err != nil {
-		return nil, err
+	if errRes != nil {
+		return nil, errRes.Err()
+	}
+	entities, ok := resp.Result().(*[]string)
+	if !ok || entities == nil {
+		return nil, errors.New("unexpected response type")
 	}
-	return entities, nil
+	return *entities, nil
 }
 
 // OPDiscoveryFilterSupportedGrantTypesIncludes returns an OPDiscoveryFilter that filters to OPs that support the

diff --git a/pkg/entitystatement.go b/pkg/entitystatement.go
@@ -11,6 +11,7 @@ import (
 	"github.com/zachmann/go-oidfed/internal/jwx"
 	"github.com/zachmann/go-oidfed/internal/utils"
 	"github.com/zachmann/go-oidfed/pkg/jwk"
+	"github.com/zachmann/go-oidfed/pkg/unixtime"
 
 	"github.com/fatih/structs"
 )
@@ -66,8 +67,8 @@ func (e *EntityStatement) UnmarshalMsgpack(data []byte) error {
 type EntityStatementPayload struct {
 	Issuer             string                   `json:"iss"`
 	Subject            string                   `json:"sub"`
-	IssuedAt           Unixtime                 `json:"iat"`
-	ExpiresAt          Unixtime                 `json:"exp"`
+	IssuedAt           unixtime.Unixtime        `json:"iat"`
+	ExpiresAt          unixtime.Unixtime        `json:"exp"`
 	JWKS               jwk.JWKS                 `json:"jwks"`
 	Audience           string                   `json:"aud,omitempty"`
 	AuthorityHints     []string                 `json:"authority_hints,omitempty"`
@@ -86,7 +87,7 @@ type EntityStatementPayload struct {
 
 // TimeValid checks if the EntityStatementPayload is already valid and not yet expired.
 func (e EntityStatementPayload) TimeValid() bool {
-	return verifyTime(&e.IssuedAt, &e.ExpiresAt) == nil
+	return unixtime.VerifyTime(&e.IssuedAt, &e.ExpiresAt) == nil
 }
 
 func extraMarshalHelper(explicitFields []byte, extra map[string]interface{}) ([]byte, error) {