TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-03-01 07:37:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: check allowed origins from calling and not called application (#2106)

Browse Source 
* fix: check allowed origins from calling and not called application

* fix test
This commit is contained in:
Livio Amstutz 2021-07-30 11:30:51 +02:00 committed by GitHub
parent de9f88bf5b
commit e1a3cc732d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 20 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/api/authz/permissions_test.go
View File

@ -15,8 +15,8 @@ type testVerifier struct {
memberships []*Membership memberships []*Membership
} }
func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, error) { func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, string, error) {
return "userID", "agentID", "de", "orgID", nil return "userID", "agentID", "clientID", "de", "orgID", nil
} }
func (v *testVerifier) SearchMyMemberships(ctx context.Context) ([]*Membership, error) { func (v *testVerifier) SearchMyMemberships(ctx context.Context) ([]*Membership, error) {
return v.memberships, nil return v.memberships, nil

6
internal/api/authz/token.go
View File

@ -20,7 +20,7 @@ type TokenVerifier struct {
} }
type authZRepo interface { type authZRepo interface {
VerifyAccessToken(ctx context.Context, token, clientID string) (userID, agentID, prefLang, resourceOwner string, err error) VerifyAccessToken(ctx context.Context, token, verifierClientID string) (userID, agentID, clientID, prefLang, resourceOwner string, err error)
VerifierClientID(ctx context.Context, name string) (clientID string, err error) VerifierClientID(ctx context.Context, name string) (clientID string, err error)
SearchMyMemberships(ctx context.Context) ([]*Membership, error) SearchMyMemberships(ctx context.Context) ([]*Membership, error)
ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error)
@ -33,11 +33,11 @@ func Start(authZRepo authZRepo) (v *TokenVerifier) {
} }
func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID, prefLang, resourceOwner string, err error) { func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID, prefLang, resourceOwner string, err error) {
clientID, err = v.clientIDFromMethod(ctx, method) verifierClientID, err := v.clientIDFromMethod(ctx, method)
if err != nil { if err != nil {
return "", "", "", "", "", err return "", "", "", "", "", err
} }
userID, agentID, prefLang, resourceOwner, err = v.authZRepo.VerifyAccessToken(ctx, token, clientID) userID, agentID, clientID, prefLang, resourceOwner, err = v.authZRepo.VerifyAccessToken(ctx, token, verifierClientID)
return userID, clientID, agentID, prefLang, resourceOwner, err return userID, clientID, agentID, prefLang, resourceOwner, err
} }

4
internal/api/grpc/server/middleware/auth_interceptor_test.go
View File

@ -21,8 +21,8 @@ var (
type verifierMock struct{} type verifierMock struct{}
func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, error) { func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, string, error) {
return "", "", "", "", nil return "", "", "", "", "", nil
} }
func (v *verifierMock) SearchMyMemberships(ctx context.Context) ([]*authz.Membership, error) { func (v *verifierMock) SearchMyMemberships(ctx context.Context) ([]*authz.Membership, error) {
return nil, nil return nil, nil

22
internal/authz/repository/eventsourcing/eventstore/token_verifier.go
View File

@ -65,40 +65,40 @@ func (repo *TokenVerifierRepo) TokenByID(ctx context.Context, tokenID, userID st
return model.TokenViewToModel(token), nil return model.TokenViewToModel(token), nil
} }
func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, clientID string) (userID string, agentID string, prefLang, resourceOwner string, err error) { func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenString, verifierClientID string) (userID string, agentID string, clientID, prefLang, resourceOwner string, err error) {
ctx, span := tracing.NewSpan(ctx) ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }() defer func() { span.EndWithError(err) }()
tokenData, err := base64.RawURLEncoding.DecodeString(tokenString) tokenData, err := base64.RawURLEncoding.DecodeString(tokenString)
if err != nil { if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-ASdgg", "invalid token") return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-ASdgg", "invalid token")
} }
tokenIDSubject, err := repo.TokenVerificationKey.DecryptString(tokenData, repo.TokenVerificationKey.EncryptionKeyID()) tokenIDSubject, err := repo.TokenVerificationKey.DecryptString(tokenData, repo.TokenVerificationKey.EncryptionKeyID())
if err != nil { if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token") return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-8EF0zZ", "invalid token")
} }
splittedToken := strings.Split(tokenIDSubject, ":") splittedToken := strings.Split(tokenIDSubject, ":")
if len(splittedToken) != 2 { if len(splittedToken) != 2 {
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token") return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-GDg3a", "invalid token")
} }
token, err := repo.TokenByID(ctx, splittedToken[0], splittedToken[1]) token, err := repo.TokenByID(ctx, splittedToken[0], splittedToken[1])
if err != nil { if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token") return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-BxUSiL", "invalid token")
} }
if !token.Expiration.After(time.Now().UTC()) { if !token.Expiration.After(time.Now().UTC()) {
return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token") return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")
} }
projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, clientID) projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, verifierClientID)
if err != nil { if err != nil {
return "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token") return "", "", "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token")
} }
for _, aud := range token.Audience { for _, aud := range token.Audience {
if clientID == aud || projectID == aud { if verifierClientID == aud || projectID == aud {
return token.UserID, token.UserAgentID, token.PreferredLanguage, token.ResourceOwner, nil return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil
} }
} }
return "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-Zxfako", "invalid audience") return "", "", "", "", "", caos_errs.ThrowUnauthenticated(nil, "APP-Zxfako", "invalid audience")
} }
func (repo *TokenVerifierRepo) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error) { func (repo *TokenVerifierRepo) ProjectIDAndOriginsByClientID(ctx context.Context, clientID string) (projectID string, origins []string, err error) {

4
internal/command/main_test.go
View File

@ -189,8 +189,8 @@ type testVerifier struct {
features []string features []string
} }
func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, error) { func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, string, string, string, error) {
return "userID", "agentID", "de", "orgID", nil return "userID", "agentID", "clientID", "de", "orgID", nil
} }
func (v *testVerifier) SearchMyMemberships(ctx context.Context) ([]*authz.Membership, error) { func (v *testVerifier) SearchMyMemberships(ctx context.Context) ([]*authz.Membership, error) {
return nil, nil return nil, nil