oauth/client/manager.go at eff7934db6df19c95a7e526dd91ae94a11101b25 · hailey.at/cocoon

hailey.at / cocoon
An atproto PDS written in Go
cocoon / oauth / client / manager.go
at eff7934db6df19c95a7e526dd91ae94a11101b25 10 kB view raw
  1package client
  2
  3import (
  4	"context"
  5	"encoding/json"
  6	"errors"
  7	"fmt"
  8	"io"
  9	"log/slog"
 10	"net/http"
 11	"net/url"
 12	"slices"
 13	"strings"
 14	"time"
 15
 16	cache "github.com/go-pkgz/expirable-cache/v3"
 17	"github.com/haileyok/cocoon/internal/helpers"
 18	"github.com/lestrrat-go/jwx/v2/jwk"
 19)
 20
 21type Manager struct {
 22	cli           *http.Client
 23	logger        *slog.Logger
 24	jwksCache     cache.Cache[string, jwk.Key]
 25	metadataCache cache.Cache[string, Metadata]
 26}
 27
 28type ManagerArgs struct {
 29	Cli    *http.Client
 30	Logger *slog.Logger
 31}
 32
 33func NewManager(args ManagerArgs) *Manager {
 34	if args.Logger == nil {
 35		args.Logger = slog.Default()
 36	}
 37
 38	if args.Cli == nil {
 39		args.Cli = http.DefaultClient
 40	}
 41
 42	jwksCache := cache.NewCache[string, jwk.Key]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)
 43	metadataCache := cache.NewCache[string, Metadata]().WithLRU().WithMaxKeys(500).WithTTL(5 * time.Minute)
 44
 45	return &Manager{
 46		cli:           args.Cli,
 47		logger:        args.Logger,
 48		jwksCache:     jwksCache,
 49		metadataCache: metadataCache,
 50	}
 51}
 52
 53func (cm *Manager) GetClient(ctx context.Context, clientId string) (*Client, error) {
 54	metadata, err := cm.getClientMetadata(ctx, clientId)
 55	if err != nil {
 56		return nil, err
 57	}
 58
 59	var jwks jwk.Key
 60	if metadata.JWKS != nil {
 61		// TODO: this is kinda bad but whatever for now. there could obviously be more than one jwk, and we need to
 62		// make sure we use the right one
 63		k, err := helpers.ParseJWKFromBytes((*metadata.JWKS)[0])
 64		if err != nil {
 65			return nil, err
 66		}
 67		jwks = k
 68	} else if metadata.JWKSURI != nil {
 69		maybeJwks, err := cm.getClientJwks(ctx, clientId, *metadata.JWKSURI)
 70		if err != nil {
 71			return nil, err
 72		}
 73
 74		jwks = maybeJwks
 75	}
 76
 77	return &Client{
 78		Metadata: metadata,
 79		JWKS:     jwks,
 80	}, nil
 81}
 82
 83func (cm *Manager) getClientMetadata(ctx context.Context, clientId string) (*Metadata, error) {
 84	metadataCached, ok := cm.metadataCache.Get(clientId)
 85	if !ok {
 86		req, err := http.NewRequestWithContext(ctx, "GET", clientId, nil)
 87		if err != nil {
 88			return nil, err
 89		}
 90
 91		resp, err := cm.cli.Do(req)
 92		if err != nil {
 93			return nil, err
 94		}
 95		defer resp.Body.Close()
 96
 97		if resp.StatusCode != http.StatusOK {
 98			io.Copy(io.Discard, resp.Body)
 99			return nil, fmt.Errorf("fetching client metadata returned response code %d", resp.StatusCode)
100		}
101
102		b, err := io.ReadAll(resp.Body)
103		if err != nil {
104			return nil, fmt.Errorf("error reading bytes from client response: %w", err)
105		}
106
107		validated, err := validateAndParseMetadata(clientId, b)
108		if err != nil {
109			return nil, err
110		}
111
112		return validated, nil
113	} else {
114		return &metadataCached, nil
115	}
116}
117
118func (cm *Manager) getClientJwks(ctx context.Context, clientId, jwksUri string) (jwk.Key, error) {
119	jwks, ok := cm.jwksCache.Get(clientId)
120	if !ok {
121		req, err := http.NewRequestWithContext(ctx, "GET", jwksUri, nil)
122		if err != nil {
123			return nil, err
124		}
125
126		resp, err := cm.cli.Do(req)
127		if err != nil {
128			return nil, err
129		}
130		defer resp.Body.Close()
131
132		if resp.StatusCode != http.StatusOK {
133			io.Copy(io.Discard, resp.Body)
134			return nil, fmt.Errorf("fetching client jwks returned response code %d", resp.StatusCode)
135		}
136
137		type Keys struct {
138			Keys []map[string]any `json:"keys"`
139		}
140
141		var keys Keys
142		if err := json.NewDecoder(resp.Body).Decode(&keys); err != nil {
143			return nil, fmt.Errorf("error unmarshaling keys response: %w", err)
144		}
145
146		if len(keys.Keys) == 0 {
147			return nil, errors.New("no keys in jwks response")
148		}
149
150		// TODO: this is again bad, we should be figuring out which one we need to use...
151		b, err := json.Marshal(keys.Keys[0])
152		if err != nil {
153			return nil, fmt.Errorf("could not marshal key: %w", err)
154		}
155
156		k, err := helpers.ParseJWKFromBytes(b)
157		if err != nil {
158			return nil, err
159		}
160
161		jwks = k
162	}
163
164	return jwks, nil
165}
166
167func validateAndParseMetadata(clientId string, b []byte) (*Metadata, error) {
168	var metadataMap map[string]any
169	if err := json.Unmarshal(b, &metadataMap); err != nil {
170		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)
171	}
172
173	_, jwksOk := metadataMap["jwks"].(string)
174	_, jwksUriOk := metadataMap["jwks_uri"].(string)
175	if jwksOk && jwksUriOk {
176		return nil, errors.New("jwks_uri and jwks are mutually exclusive")
177	}
178
179	for _, k := range []string{
180		"default_max_age",
181		"userinfo_signed_response_alg",
182		"id_token_signed_response_alg",
183		"userinfo_encryhpted_response_alg",
184		"authorization_encrypted_response_enc",
185		"authorization_encrypted_response_alg",
186		"tls_client_certificate_bound_access_tokens",
187	} {
188		_, kOk := metadataMap[k]
189		if kOk {
190			return nil, fmt.Errorf("unsupported `%s` parameter", k)
191		}
192	}
193
194	var metadata Metadata
195	if err := json.Unmarshal(b, &metadata); err != nil {
196		return nil, fmt.Errorf("error unmarshaling metadata: %w", err)
197	}
198
199	u, err := url.Parse(metadata.ClientURI)
200	if err != nil {
201		return nil, fmt.Errorf("unable to parse client uri: %w", err)
202	}
203
204	if isLocalHostname(u.Hostname()) {
205		return nil, errors.New("`client_uri` hostname is invalid")
206	}
207
208	if metadata.Scope == "" {
209		return nil, errors.New("missing `scopes` scope")
210	}
211
212	scopes := strings.Split(metadata.Scope, " ")
213	if !slices.Contains(scopes, "atproto") {
214		return nil, errors.New("missing `atproto` scope")
215	}
216
217	scopesMap := map[string]bool{}
218	for _, scope := range scopes {
219		if scopesMap[scope] {
220			return nil, fmt.Errorf("duplicate scope `%s`", scope)
221		}
222
223		// TODO: check for unsupported scopes
224
225		scopesMap[scope] = true
226	}
227
228	grantTypesMap := map[string]bool{}
229	for _, gt := range metadata.GrantTypes {
230		if grantTypesMap[gt] {
231			return nil, fmt.Errorf("duplicate grant type `%s`", gt)
232		}
233
234		switch gt {
235		case "implicit":
236			return nil, errors.New("grantg type `implicit` is not allowed")
237		case "authorization_code", "refresh_token":
238			// TODO check if this grant type is supported
239		default:
240			return nil, fmt.Errorf("grant tyhpe `%s` is not supported", gt)
241		}
242
243		grantTypesMap[gt] = true
244	}
245
246	if metadata.ClientID != clientId {
247		return nil, errors.New("`client_id` does not match")
248	}
249
250	subjectType, subjectTypeOk := metadataMap["subject_type"].(string)
251	if subjectTypeOk && subjectType != "public" {
252		return nil, errors.New("only public `subject_type` is supported")
253	}
254
255	switch metadata.TokenEndpointAuthMethod {
256	case "none":
257		if metadata.TokenEndpointAuthSigningAlg != "" {
258			return nil, errors.New("token_endpoint_auth_method `none` must not have token_endpoint_auth_signing_alg")
259		}
260	case "private_key_jwt":
261		if metadata.JWKS == nil && metadata.JWKSURI == nil {
262			return nil, errors.New("private_key_jwt auth method requires jwks or jwks_uri")
263		}
264
265		if metadata.JWKS != nil && len(*metadata.JWKS) == 0 {
266			return nil, errors.New("private_key_jwt auth method requires atleast one key in jwks")
267		}
268
269		if metadata.TokenEndpointAuthSigningAlg == "" {
270			return nil, errors.New("missing token_endpoint_auth_signing_alg in client metadata")
271		}
272	default:
273		return nil, fmt.Errorf("unsupported client authentication method `%s`", metadata.TokenEndpointAuthMethod)
274	}
275
276	if !metadata.DpopBoundAccessTokens {
277		return nil, errors.New("dpop_bound_access_tokens must be true")
278	}
279
280	if !slices.Contains(metadata.ResponseTypes, "code") {
281		return nil, errors.New("response_types must inclue `code`")
282	}
283
284	if !slices.Contains(metadata.GrantTypes, "authorization_code") {
285		return nil, errors.New("the `code` response type requires that `grant_types` contains `authorization_code`")
286	}
287
288	if len(metadata.RedirectURIs) == 0 {
289		return nil, errors.New("at least one `redirect_uri` is required")
290	}
291
292	if metadata.ApplicationType == "native" && metadata.TokenEndpointAuthMethod != "none" {
293		return nil, errors.New("native clients must authenticate using `none` method")
294	}
295
296	if metadata.ApplicationType == "web" && slices.Contains(metadata.GrantTypes, "implicit") {
297		for _, ruri := range metadata.RedirectURIs {
298			u, err := url.Parse(ruri)
299			if err != nil {
300				return nil, fmt.Errorf("error parsing redirect uri: %w", err)
301			}
302
303			if u.Scheme != "https" {
304				return nil, errors.New("web clients must use https redirect uris")
305			}
306
307			if u.Hostname() == "localhost" {
308				return nil, errors.New("web clients must not use localhost as the hostname")
309			}
310		}
311	}
312
313	for _, ruri := range metadata.RedirectURIs {
314		u, err := url.Parse(ruri)
315		if err != nil {
316			return nil, fmt.Errorf("error parsing redirect uri: %w", err)
317		}
318
319		if u.User != nil {
320			if u.User.Username() != "" {
321				return nil, fmt.Errorf("redirect uri %s must not contain credentials", ruri)
322			}
323
324			if _, hasPass := u.User.Password(); hasPass {
325				return nil, fmt.Errorf("redirect uri %s must not contain credentials", ruri)
326			}
327		}
328
329		switch true {
330		case u.Hostname() == "localhost":
331			return nil, errors.New("loopback redirect uri is not allowed (use explicit ips instead)")
332		case u.Hostname() == "127.0.0.1", u.Hostname() == "[::1]":
333			if metadata.ApplicationType != "native" {
334				return nil, errors.New("loopback redirect uris are only allowed for native apps")
335			}
336
337			if u.Port() != "" {
338				// reference impl doesn't do anything with this?
339			}
340
341			if u.Scheme != "http" {
342				return nil, fmt.Errorf("loopback redirect uri %s must use http", ruri)
343			}
344
345			break
346		case u.Scheme == "http":
347			return nil, errors.New("only loopbvack redirect uris are allowed to use the `http` scheme")
348		case u.Scheme == "https":
349			if isLocalHostname(u.Hostname()) {
350				return nil, fmt.Errorf("redirect uri %s's domain must not be a local hostname", ruri)
351			}
352			break
353		case strings.Contains(u.Scheme, "."):
354			if metadata.ApplicationType != "native" {
355				return nil, errors.New("private-use uri scheme redirect uris are only allowed for native apps")
356			}
357
358			revdomain := reverseDomain(u.Scheme)
359
360			if isLocalHostname(revdomain) {
361				return nil, errors.New("private use uri scheme redirect uris must not be local hostnames")
362			}
363
364			if strings.HasPrefix(u.String(), fmt.Sprintf("%s://", u.Scheme)) || u.Hostname() != "" || u.Port() != "" {
365				return nil, fmt.Errorf("private use uri scheme must be in the form ")
366			}
367		default:
368			return nil, fmt.Errorf("invalid redirect uri scheme `%s`", u.Scheme)
369		}
370	}
371
372	return &metadata, nil
373}
374
375func isLocalHostname(hostname string) bool {
376	pts := strings.Split(hostname, ".")
377	if len(pts) < 2 {
378		return true
379	}
380
381	tld := strings.ToLower(pts[len(pts)-1])
382	return tld == "test" || tld == "local" || tld == "localhost" || tld == "invalid" || tld == "example"
383}
384
385func reverseDomain(domain string) string {
386	pts := strings.Split(domain, ".")
387	slices.Reverse(pts)
388	return strings.Join(pts, ".")
389}