wip: fix rebase

canonical · Sep 13, 2024 · fba9462 · fba9462
1 parent bf0d389
commit fba9462
Show file tree

Hide file tree

Showing 26 changed files with 1,001 additions and 562 deletions.
diff --git a/...ents-case=10-description=setting_skip_logout_consent_succeeds_for_admin_registration.json b/...ents-case=10-description=setting_skip_logout_consent_succeeds_for_admin_registration.json
@@ -32,5 +32,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }
diff --git a/...apshots/TestHandler-common-case=create_clients-case=12-description=empty_ID_succeeds.json b/...apshots/TestHandler-common-case=create_clients-case=12-description=empty_ID_succeeds.json
@@ -32,5 +32,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }
diff --git a/...eate_clients-case=8-description=setting_skip_consent_succeeds_for_admin_registration.json b/...eate_clients-case=8-description=setting_skip_consent_succeeds_for_admin_registration.json
@@ -32,5 +32,8 @@
   "jwt_bearer_grant_access_token_lifespan": null,
   "refresh_token_grant_id_token_lifespan": null,
   "refresh_token_grant_access_token_lifespan": null,
-  "refresh_token_grant_refresh_token_lifespan": null
+  "refresh_token_grant_refresh_token_lifespan": null,
+  "device_authorization_grant_id_token_lifespan": null,
+  "device_authorization_grant_access_token_lifespan": null,
+  "device_authorization_grant_refresh_token_lifespan": null
 }
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
@@ -1368,7 +1368,7 @@ func (s *DefaultStrategy) verifyDevice(ctx context.Context, _ http.ResponseWrite
 	}
 
 	cookieNameDeviceCSRF := s.r.Config().CookieNameDeviceCSRF(ctx)
-	if err := validateCsrfSession(r, s.r.Config(), store, cookieNameDeviceCSRF, session.Request.CSRF); err != nil {
+	if err := ValidateCsrfSession(r, s.r.Config(), store, cookieNameDeviceCSRF, session.Request.CSRF, f); err != nil {
 		return nil, err
 	}
 

diff --git a/consent/strategy_default_test.go b/consent/strategy_default_test.go
@@ -34,7 +34,7 @@ func checkAndAcceptDeviceHandler(t *testing.T, apiClient *hydra.APIClient) http.
 			UserCode: &userCode,
 		}
 
-		v, _, err := apiClient.OAuth2Api.AcceptUserCodeRequest(context.Background()).
+		v, _, err := apiClient.OAuth2API.AcceptUserCodeRequest(context.Background()).
 			DeviceChallenge(r.URL.Query().Get("device_challenge")).
 			AcceptDeviceUserCodeRequest(payload).
 			Execute()

diff --git a/driver/registry_base.go b/driver/registry_base.go
@@ -585,10 +585,6 @@ func (m *RegistryBase) HSMContext() hsm.Context {
 	return m.hsm
 }
 
-func (m *RegistrySQL) ClientAuthenticator() x.ClientAuthenticator {
-	return m.OAuth2Provider().(*fosite.Fosite)
-}
-
 func (m *RegistryBase) Kratos() kratos.Client {
 	if m.kratos == nil {
 		m.kratos = kratos.New(m)

diff --git a/driver/registry_sql.go b/driver/registry_sql.go
@@ -22,6 +22,7 @@ import (
 	"github.com/ory/fosite/compose"
 	foauth2 "github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/handler/openid"
+	"github.com/ory/fosite/handler/rfc8628"
 	"github.com/ory/fosite/token/hmac"
 	"github.com/ory/herodot"
 	"github.com/ory/hydra/v2/aead"
@@ -99,6 +100,7 @@ type RegistrySQL struct {
 	ats             jwk.JWTSigner
 	hmacs           foauth2.CoreStrategy
 	enigmaHMAC      *hmac.HMACStrategy
+	deviceHmac      rfc8628.RFC8628CodeStrategy
 	fc              *fositex.Config
 	publicCORS      *cors.Cors
 	kratos          kratos.Client
@@ -588,6 +590,16 @@ func (m *RegistrySQL) OAuth2HMACStrategy() foauth2.CoreStrategy {
 	return m.hmacs
 }
 
+// RFC8628HMACStrategy returns the rfc8628 strategy
+func (m *RegistrySQL) RFC8628HMACStrategy() rfc8628.RFC8628CodeStrategy {
+	if m.deviceHmac != nil {
+		return m.deviceHmac
+	}
+
+	m.deviceHmac = compose.NewDeviceStrategy(m.OAuth2Config())
+	return m.deviceHmac
+}
+
 func (m *RegistrySQL) OAuth2Config() *fositex.Config {
 	if m.fc != nil {
 		return m.fc
@@ -614,6 +626,7 @@ func (m *RegistrySQL) OAuth2ProviderConfig() fosite.Configurator {
 
 	conf := m.OAuth2Config()
 	hmacAtStrategy := m.OAuth2HMACStrategy()
+	deviceHmacAtStrategy := m.RFC8628HMACStrategy()
 	oidcSigner := m.OpenIDJWTStrategy()
 	atSigner := m.AccessTokenJWTStrategy()
 	jwtAtStrategy := &foauth2.DefaultJWTStrategy{
@@ -628,6 +641,7 @@ func (m *RegistrySQL) OAuth2ProviderConfig() fosite.Configurator {
 			HMACSHAStrategy: hmacAtStrategy,
 			Config:          conf,
 		}),
+		RFC8628CodeStrategy: deviceHmacAtStrategy,
 		OpenIDConnectTokenStrategy: &openid.DefaultStrategy{
 			Config: conf,
 			Signer: oidcSigner,

diff --git a/go.mod b/go.mod
@@ -96,9 +96,7 @@ require (
 	github.com/cockroachdb/cockroach-go/v2 v2.3.5 // indirect
 	github.com/containerd/continuity v0.4.3 // indirect
 	github.com/coocood/freecache v1.2.4 // indirect
-	github.com/creasty/defaults v1.7.0 // indirect
 	github.com/cristalhq/jwt/v4 v4.0.2 // indirect
-	github.com/dave/jennifer v1.6.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgraph-io/ristretto v0.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
@@ -108,11 +106,9 @@ require (
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/ecordell/optgen v0.0.9 // indirect
 	github.com/elliotchance/orderedmap v1.6.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/fatih/color v1.17.0 // indirect
-	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
@@ -239,6 +235,7 @@ require (
 	go.opentelemetry.io/otel/exporters/zipkin v1.21.0 // indirect
 	go.opentelemetry.io/otel/metric v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/mod v0.19.0 // indirect
 	golang.org/x/net v0.27.0 // indirect
@@ -255,4 +252,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-replace github.com/ory/fosite => github.com/canonical/fosite v0.0.0-20240507154459-e62ac074c345
+replace github.com/ory/fosite => github.com/canonical/fosite v0.0.0-20240912115750-b545ba541d61
diff --git a/go.sum b/go.sum
@@ -47,8 +47,8 @@ github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dR
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/canonical/fosite v0.0.0-20240507154459-e62ac074c345 h1:NRZ3z68Bvm9QNIwx0v430QzLKnrnDSRiNj8+DFvQpCs=
-github.com/canonical/fosite v0.0.0-20240507154459-e62ac074c345/go.mod h1:0El/DgcBMMqEB7GInPR3avWS4vilDOiXjeLQTOI04Kk=
+github.com/canonical/fosite v0.0.0-20240912115750-b545ba541d61 h1:FLHK4keajnlbF2YwD4AKUHrE6lyTf4rZmVQ0JaQEDiQ=
+github.com/canonical/fosite v0.0.0-20240912115750-b545ba541d61/go.mod h1:R7lyy9ub6BYA0M26Q9c2B+rhvTdobE1O26bZyVTvUGs=
 github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -75,12 +75,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/creasty/defaults v1.7.0 h1:eNdqZvc5B509z18lD8yc212CAqJNvfT1Jq6L8WowdBA=
-github.com/creasty/defaults v1.7.0/go.mod h1:iGzKe6pbEHnpMPtfDXZEr0NVxWnPTjb1bbDy08fPzYM=
 github.com/cristalhq/jwt/v4 v4.0.2 h1:g/AD3h0VicDamtlM70GWGElp8kssQEv+5wYd7L9WOhU=
 github.com/cristalhq/jwt/v4 v4.0.2/go.mod h1:HnYraSNKDRag1DZP92rYHyrjyQHnVEHPNqesmzs+miQ=
-github.com/dave/jennifer v1.6.1 h1:T4T/67t6RAA5AIV6+NP8Uk/BIsXgDoqEowgycdQQLuk=
-github.com/dave/jennifer v1.6.1/go.mod h1:nXbxhEmQfOZhWml3D1cDK5M1FLnMSozpbFN/m3RmGZc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -104,8 +100,6 @@ github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/ecordell/optgen v0.0.9 h1:kmRMqOkbNsWayOnZSk2m5SeGaOTOc7amfi+MAnaMOeI=
-github.com/ecordell/optgen v0.0.9/go.mod h1:+YZ4tk5pNGMoeH+Y4F4HeDDj0SLOlIgMMNae7az4h5g=
 github.com/elliotchance/orderedmap v1.6.0 h1:xjn+kbbKXeDq6v9RVE+WYwRbYfAZKvlWfcJNxM8pvEw=
 github.com/elliotchance/orderedmap v1.6.0/go.mod h1:wsDwEaX5jEoyhbs7x93zk2H/qv0zwuhg4inXhDkYqys=
 github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
@@ -114,8 +108,6 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
 github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
-github.com/fatih/structtag v1.2.0 h1:/OdNE99OxoI/PqaW/SuSK9uxxT3f/tcSZgon/ssNSx4=
-github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -580,6 +572,8 @@ go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
 go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/goleak v1.2.1/go.mod h1:qlT2yGI9QafXHhZZLxlSuNsMw3FFLxBr+tBRlmO1xH4=
+go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
+go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=

diff --git a/internal/httpclient/.openapi-generator/FILES b/internal/httpclient/.openapi-generator/FILES
@@ -6,7 +6,6 @@ api/openapi.yaml
 api_jwk.go
 api_metadata.go
 api_o_auth2.go
-api_oauth.go
 api_oidc.go
 api_wellknown.go
 client.go
@@ -44,7 +43,6 @@ docs/OAuth2LoginRequest.md
 docs/OAuth2LogoutRequest.md
 docs/OAuth2RedirectTo.md
 docs/OAuth2TokenExchange.md
-docs/OauthAPI.md
 docs/OidcAPI.md
 docs/OidcConfiguration.md
 docs/OidcUserInfo.md

diff --git a/internal/httpclient/README.md b/internal/httpclient/README.md
@@ -107,8 +107,10 @@ Class | Method | HTTP request | Description
 *OAuth2API* | [**ListOAuth2ConsentSessions**](docs/OAuth2API.md#listoauth2consentsessions) | **Get** /admin/oauth2/auth/sessions/consent | List OAuth 2.0 Consent Sessions of a Subject
 *OAuth2API* | [**ListTrustedOAuth2JwtGrantIssuers**](docs/OAuth2API.md#listtrustedoauth2jwtgrantissuers) | **Get** /admin/trust/grants/jwt-bearer/issuers | List Trusted OAuth2 JWT Bearer Grant Type Issuers
 *OAuth2API* | [**OAuth2Authorize**](docs/OAuth2API.md#oauth2authorize) | **Get** /oauth2/auth | OAuth 2.0 Authorize Endpoint
+*OAuth2API* | [**OAuth2DeviceFlow**](docs/OAuth2API.md#oauth2deviceflow) | **Post** /oauth2/device/auth | The OAuth 2.0 Device Authorize Endpoint
 *OAuth2API* | [**Oauth2TokenExchange**](docs/OAuth2API.md#oauth2tokenexchange) | **Post** /oauth2/token | The OAuth 2.0 Token Endpoint
 *OAuth2API* | [**PatchOAuth2Client**](docs/OAuth2API.md#patchoauth2client) | **Patch** /admin/clients/{id} | Patch OAuth 2.0 Client
+*OAuth2API* | [**PerformOAuth2DeviceVerificationFlow**](docs/OAuth2API.md#performoauth2deviceverificationflow) | **Get** /oauth2/device/verify | OAuth 2.0 Device Verification Endpoint
 *OAuth2API* | [**RejectOAuth2ConsentRequest**](docs/OAuth2API.md#rejectoauth2consentrequest) | **Put** /admin/oauth2/auth/requests/consent/reject | Reject OAuth 2.0 Consent Request
 *OAuth2API* | [**RejectOAuth2LoginRequest**](docs/OAuth2API.md#rejectoauth2loginrequest) | **Put** /admin/oauth2/auth/requests/login/reject | Reject OAuth 2.0 Login Request
 *OAuth2API* | [**RejectOAuth2LogoutRequest**](docs/OAuth2API.md#rejectoauth2logoutrequest) | **Put** /admin/oauth2/auth/requests/logout/reject | Reject OAuth 2.0 Session Logout Request
@@ -118,8 +120,6 @@ Class | Method | HTTP request | Description
 *OAuth2API* | [**SetOAuth2Client**](docs/OAuth2API.md#setoauth2client) | **Put** /admin/clients/{id} | Set OAuth 2.0 Client
 *OAuth2API* | [**SetOAuth2ClientLifespans**](docs/OAuth2API.md#setoauth2clientlifespans) | **Put** /admin/clients/{id}/lifespans | Set OAuth2 Client Token Lifespans
 *OAuth2API* | [**TrustOAuth2JwtGrantIssuer**](docs/OAuth2API.md#trustoauth2jwtgrantissuer) | **Post** /admin/trust/grants/jwt-bearer/issuers | Trust OAuth2 JWT Bearer Grant Type Issuer
-*OauthAPI* | [**OAuth2DeviceFlow**](docs/OauthAPI.md#oauth2deviceflow) | **Post** /oauth2/device/auth | The OAuth 2.0 Device Authorize Endpoint
-*OauthAPI* | [**PerformOAuth2DeviceVerificationFlow**](docs/OauthAPI.md#performoauth2deviceverificationflow) | **Get** /oauth2/device/verify | OAuth 2.0 Device Verification Endpoint
 *OidcAPI* | [**CreateOidcDynamicClient**](docs/OidcAPI.md#createoidcdynamicclient) | **Post** /oauth2/register | Register OAuth2 Client using OpenID Dynamic Client Registration
 *OidcAPI* | [**CreateVerifiableCredential**](docs/OidcAPI.md#createverifiablecredential) | **Post** /credentials | Issues a Verifiable Credential
 *OidcAPI* | [**DeleteOidcDynamicClient**](docs/OidcAPI.md#deleteoidcdynamicclient) | **Delete** /oauth2/register/{id} | Delete OAuth 2.0 Client using the OpenID Dynamic Client Registration Management Protocol