fix: client secret verification (for introspection) (#2825)

* fix: client secret verification (for introspection) * revert change for ProjectIDAndOriginsByClientID
2024-12-12 02:54:20 +00:00 · 2021-12-10 10:25:17 +01:00 · 2021-12-10 10:25:17 +01:00 · 2f7d8ca557
commit 2f7d8ca557
parent 43f15953c3
3 changed files with 33 additions and 4 deletions
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@ -224,7 +224,7 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection
 	if err != nil {
 		return errors.ThrowPermissionDenied(nil, "OIDC-Dsfb2", "token is not valid or has expired")
 	}
-	projectID, err := o.query.ProjectIDFromOIDCClientID(ctx, clientID)
+	projectID, err := o.query.ProjectIDFromClientID(ctx, clientID)
 	if err != nil {
 		return errors.ThrowPermissionDenied(nil, "OIDC-Adfg5", "client not found")
 	}
@ -283,7 +283,7 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 }

 func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID string, requestedRoles []string) (map[string]map[string]string, error) {
-	projectID, err := o.query.ProjectIDFromOIDCClientID(ctx, applicationID)
+	projectID, err := o.query.ProjectIDFromClientID(ctx, applicationID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/auth/repository/eventsourcing/eventstore/application.go
+++ b/internal/auth/repository/eventsourcing/eventstore/application.go
@ -17,7 +17,7 @@ func (a *ApplicationRepo) AuthorizeClientIDSecret(ctx context.Context, clientID,
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	app, err := a.Query.AppByOIDCClientID(ctx, clientID)
+	app, err := a.Query.AppByClientID(ctx, clientID)
 	if err != nil {
 		return err
 	}
--- a/internal/query/app.go
+++ b/internal/query/app.go
@ -230,6 +230,19 @@ func (q *Queries) AppByID(ctx context.Context, appID string) (*App, error) {
 }

 func (q *Queries) ProjectIDFromOIDCClientID(ctx context.Context, appID string) (string, error) {
+	stmt, scan := prepareProjectIDByAppQuery()
+	query, args, err := stmt.Where(
+		sq.Eq{AppOIDCConfigColumnClientID.identifier(): appID},
+	).ToSql()
+	if err != nil {
+		return "", errors.ThrowInternal(err, "QUERY-7d92U", "Errors.Query.SQLStatement")
+	}
+
+	row := q.client.QueryRowContext(ctx, query, args...)
+	return scan(row)
+}
+
+func (q *Queries) ProjectIDFromClientID(ctx context.Context, appID string) (string, error) {
 	stmt, scan := prepareProjectIDByAppQuery()
 	query, args, err := stmt.Where(
 		sq.Or{
@ -238,7 +251,7 @@ func (q *Queries) ProjectIDFromOIDCClientID(ctx context.Context, appID string) (
 		},
 	).ToSql()
 	if err != nil {
-		return "", errors.ThrowInternal(err, "QUERY-7d92U", "Errors.Query.SQLStatement")
+		return "", errors.ThrowInternal(err, "QUERY-SDfg3", "Errors.Query.SQLStatement")
 	}

 	row := q.client.QueryRowContext(ctx, query, args...)
@ -273,6 +286,22 @@ func (q *Queries) AppByOIDCClientID(ctx context.Context, clientID string) (*App,
 	return scan(row)
 }

+func (q *Queries) AppByClientID(ctx context.Context, clientID string) (*App, error) {
+	stmt, scan := prepareAppQuery()
+	query, args, err := stmt.Where(
+		sq.Or{
+			sq.Eq{AppOIDCConfigColumnClientID.identifier(): clientID},
+			sq.Eq{AppAPIConfigColumnClientID.identifier(): clientID},
+		},
+	).ToSql()
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "QUERY-Dfge2", "Errors.Query.SQLStatement")
+	}
+
+	row := q.client.QueryRowContext(ctx, query, args...)
+	return scan(row)
+}
+
 func (q *Queries) SearchApps(ctx context.Context, queries *AppSearchQueries) (*Apps, error) {
 	query, scan := prepareAppsQuery()
 	stmt, args, err := queries.toQuery(query).ToSql()