158 line
5.3 KiB
JavaScript
158 line
5.3 KiB
JavaScript
'use strict';
|
|
|
|
var PromiseA = require('bluebird');
|
|
var crypto = require('crypto');
|
|
|
|
module.exports.create = function (bigconf, deps, app) {
|
|
var Jwks = { restful: {} };
|
|
var Grants = { restful: {} };
|
|
|
|
// This tablename is based on the tablename found in the objects in model.js.
|
|
// Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.
|
|
function attachSiteStore(tablename, req, res, next) {
|
|
return req.getSiteStore().then(function (store) {
|
|
req.Store = store[tablename];
|
|
next();
|
|
});
|
|
}
|
|
function detachSiteStore(req, res, next) {
|
|
delete req.Store;
|
|
next();
|
|
}
|
|
|
|
Jwks.thumbprint = function (jwk) {
|
|
// To produce a thumbprint we need to create a JSON string with only the required keys for
|
|
// the key type, with the keys sorted lexicographically and no white space. We then need
|
|
// run it through a SHA-256 and encode the result in url safe base64.
|
|
// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk
|
|
var keys;
|
|
if (jwk.kty === 'EC') {
|
|
keys = ['crv', 'x', 'y'];
|
|
} else if (jwk.kty === 'RSA') {
|
|
keys = ['e', 'n'];
|
|
} else {
|
|
return PromiseA.reject(new Error('invalid JWK key type ' + jwk.kty));
|
|
}
|
|
keys.push('kty');
|
|
keys.sort();
|
|
|
|
var missing = keys.filter(function (name) { return !jwk.hasOwnProperty(name); });
|
|
if (missing.length > 0) {
|
|
return PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing));
|
|
}
|
|
|
|
// I'm not 100% sure this behavior is guaranteed by a real standard, but when we use an array
|
|
// as the replacer argument the keys are always in the order they appeared in the array.
|
|
var jwkStr = JSON.stringify(jwk, keys);
|
|
var hash = crypto.createHash('sha256').update(jwkStr).digest('base64');
|
|
return PromiseA.resolve(hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, ''));
|
|
};
|
|
|
|
Jwks.restful.get = function (req, res) {
|
|
var promise = req.Store.find({ kid: req.params.kid }, { limit: 1 }).then(function (results) {
|
|
if (!results.length) {
|
|
throw new Error('no keys stored with kid "'+req.params.kid+'"');
|
|
}
|
|
var jwk = results[0];
|
|
|
|
// We need to sanitize the key to make sure we don't deliver any private keys fields if
|
|
// we were given a key we could use to sign tokens on behalf of the user. We also don't
|
|
// want to deliver the sub or any other PPIDs.
|
|
var whitelist = [ 'kty', 'alg', 'kid', 'use' ];
|
|
if (jwk.kty === 'EC') {
|
|
whitelist = whitelist.concat([ 'crv', 'x', 'y' ]);
|
|
} else if (jwk.kty === 'RSA') {
|
|
whitelist = whitelist.concat([ 'e', 'n' ]);
|
|
}
|
|
|
|
var result = {};
|
|
whitelist.forEach(function (key) {
|
|
result[key] = jwk[key];
|
|
});
|
|
return result;
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");
|
|
};
|
|
Jwks.restful.saveNew = function (req, res) {
|
|
var jwk = req.body;
|
|
var promise = Jwks.thumbprint(jwk).then(function (kid) {
|
|
if (jwk.kid && jwk.kid !== kid) {
|
|
throw new Error('provided kid "'+jwk.kid+'" does not match calculated "'+kid+'"');
|
|
}
|
|
jwk.kid = kid;
|
|
jwk.sub = req.params.sub;
|
|
|
|
return req.Store.find({ kid: jwk.kid, sub: jwk.sub}).then(function (results) {
|
|
if (!results.length) {
|
|
return crypto.randomBytes(32).toString('hex');
|
|
} else {
|
|
return results[0].id;
|
|
}
|
|
}).then(function (id) {
|
|
return req.Store.upsert(id, jwk);
|
|
});
|
|
}).then(function () {
|
|
return { success: true };
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, "[issuer@oauth3.org] create JWK");
|
|
};
|
|
|
|
Grants.restful.get = function (req, res) {
|
|
var query = {
|
|
sub: req.params.sub || req.query.sub,
|
|
azp: req.params.azp || req.query.azp,
|
|
};
|
|
var promise = req.Store.find(query, function (results) {
|
|
if (!results.length) {
|
|
throw new Error('no grants found');
|
|
}
|
|
return {
|
|
sub: results[0].sub,
|
|
azp: results[0].azp,
|
|
scope: results[0].scope,
|
|
};
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve grants");
|
|
};
|
|
Grants.restful.saveNew = function (req, res) {
|
|
var query = {
|
|
sub: req.params.sub,
|
|
azp: req.params.azp,
|
|
};
|
|
var promise = PromiseA.resolve().then(function () {
|
|
if (typeof req.body.scope !== 'string') {
|
|
throw new Error("malformed request: 'scope' should be a string");
|
|
}
|
|
}).then(function () {
|
|
return req.Store.find(query, function (results) {
|
|
if (!results.length) {
|
|
return crypto.randomBytes(32).toString('hex');
|
|
} else {
|
|
return results[0].id;
|
|
}
|
|
});
|
|
}).then(function (id) {
|
|
query.scope = req.body.scope.replace(/ *, */g, ',');
|
|
return req.Store.upsert(id, query);
|
|
}).then(function () {
|
|
return {success: true};
|
|
});
|
|
|
|
app.handlePromise(req, res, promise, '[issuer@oauth3.org] save grants');
|
|
};
|
|
|
|
app.use( '/jwks', attachSiteStore.bind(null, 'IssuerOauth3OrgJwks'));
|
|
app.get( '/jwks/:kid.json', Jwks.restful.get);
|
|
app.post( '/jwks/:sub', Jwks.restful.saveNew);
|
|
|
|
app.use( '/grants', attachSiteStore.bind(null, 'IssuerOauth3OrgGrants'));
|
|
app.get( '/grants', Grants.restful.check);
|
|
app.get( '/grants/:sub/:azp', Grants.restful.check);
|
|
app.post( '/grants/:sub/:azp', Grants.restful.saveNew);
|
|
|
|
app.use(detachSiteStore);
|
|
};
|