coolaj86
/
issuer.rest.walnut.js
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
issuer.rest.walnut.js/rest.js

223 lines
8.3 KiB
JavaScript
Raw Blame History

'use strict';
var PromiseA = require('bluebird');
var crypto = require('crypto');
module.exports.create = function (bigconf, deps, app) {
var Jwks = { restful: {} };
var Grants = { restful: {} };
// This tablename is based on the tablename found in the objects in model.js.
// Instead of the snake_case the name with be UpperCammelCase, converted by masterquest-sqlite3.
function attachSiteStore(tablename, req, res, next) {
return req.getSiteStore().then(function (store) {
req.Store = store[tablename];
next();
});
}
function detachSiteStore(req, res, next) {
delete req.Store;
next();
}
function authorizeIssuer(req, res, next) {
var promise = PromiseA.resolve().then(function () {
// It might seem unnecessary to wrap a promise in another promise, but this way it will
// catch the error thrown when a token isn't provided and verifyAsync isn't a function.
return req.oauth3.verifyAsync();
}).then(function (token) {
// Now that we've confirmed the token is valid we also need to make sure the authorized party
// is us.
// TODO: For the time being the only verify-able tokens are the ones we issued, but this
// will not always be the case. We will need a better way to verify the authorized party.
if (token.iss !== token.azp || token.iss !== token.aud) {
throw new Error("token does not allow access to requested resource");
}
var sub = token.sub || token.ppid || (token.acx && (token.acx.id || token.acx.appScopedId));
if (!sub) {
if (!Array.isArray(token.axs) || !token.axs.length) {
throw new Error("no account pairwise identifier");
}
var allowed = token.axs.some(function (acc) {
return req.params.sub === (acc.id || acc.ppid || acc.appScopedId);
});
if (!allowed) {
throw new Error("no account pairwise identifier matching '" + req.params.sub + "'");
}
sub = req.params.sub;
}
if (req.params.sub !== sub) {
throw new Error("token does not allow access to resources for '"+req.params.sub+"'");
}
next();
});
app.handleRejection(req, res, promise, '[issuer@oauth3.org] authorize req as issuer');
}
Jwks.thumbprint = function (jwk) {
// To produce a thumbprint we need to create a JSON string with only the required keys for
// the key type, with the keys sorted lexicographically and no white space. We then need
// run it through a SHA-256 and encode the result in url safe base64.
// https://stackoverflow.com/questions/42588786/how-to-fingerprint-a-jwk
var keys;
if (jwk.kty === 'EC') {
keys = ['crv', 'x', 'y'];
} else if (jwk.kty === 'RSA') {
keys = ['e', 'n'];
} else {
return PromiseA.reject(new Error('invalid JWK key type ' + jwk.kty));
}
keys.push('kty');
keys.sort();
var missing = keys.filter(function (name) { return !jwk.hasOwnProperty(name); });
if (missing.length > 0) {
return PromiseA.reject(new Error('JWK of type '+jwk.kty+' missing fields ' + missing));
}
// I'm not 100% sure this behavior is guaranteed by a real standard, but when we use an array
// as the replacer argument the keys are always in the order they appeared in the array.
var jwkStr = JSON.stringify(jwk, keys);
var hash = crypto.createHash('sha256').update(jwkStr).digest('base64');
return PromiseA.resolve(hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+/g, ''));
};
Jwks.restful.get = function (req, res) {
var store;
// The sub in params is the 3rd party PPID, but the keys are stored by the issuer PPID, so
// we need to look up the issuer PPID using the 3rd party PPID.
var promise = req.getSiteStore().then(function (_store) {
store = _store;
return store.IssuerOauth3OrgGrants.find({ azpSub: req.params.sub });
}).then(function (results) {
if (!results.length) {
throw new Error("unknown PPID '"+req.params.sub+"'");
}
if (results.length > 1) {
// This should not ever happen since there is a check for PPID collisions when saving
// grants, but it's probably better to have this check anyway just incase something
// happens that isn't currently accounted for.
throw new Error('PPID collision - unable to safely retrieve keys');
}
return store.IssuerOauth3OrgJwks.get(results[0].sub+'/'+req.params.kid);
}).then(function (jwk) {
if (!jwk) {
throw new Error("no keys stored with kid '"+req.params.kid+"' for PPID "+req.params.sub);
}
// We need to sanitize the key to make sure we don't deliver any private keys fields if
// we were given a key we could use to sign tokens on behalf of the user. We also don't
// want to deliver the sub or any other PPIDs.
var whitelist = [ 'kty', 'alg', 'kid', 'use' ];
if (jwk.kty === 'EC') {
whitelist = whitelist.concat([ 'crv', 'x', 'y' ]);
} else if (jwk.kty === 'RSA') {
whitelist = whitelist.concat([ 'e', 'n' ]);
}
var result = {};
whitelist.forEach(function (key) {
result[key] = jwk[key];
});
return result;
});
app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve JWK");
};
Jwks.restful.saveNew = function (req, res) {
var jwk = req.body;
var promise = Jwks.thumbprint(jwk).then(function (kid) {
if (jwk.kid && jwk.kid !== kid) {
throw new Error('provided kid "'+jwk.kid+'" does not match calculated "'+kid+'"');
}
jwk.kid = kid;
jwk.sub = req.params.sub;
return req.Store.upsert(jwk.sub+'/'+jwk.kid, jwk);
}).then(function () {
return { success: true };
});
app.handlePromise(req, res, promise, "[issuer@oauth3.org] save JWK");
};
Grants.trim = function (grant) {
return {
sub: grant.sub,
azp: grant.azp,
// azpSub: grant.azpSub,
scope: grant.scope,
updatedAt: parseInt(grant.updatedAt, 10),
};
};
Grants.restful.getOne = function (req, res) {
var promise = req.Store.get(req.params.sub+'/'+req.params.azp).then(function (grant) {
if (!grant) {
throw new Error('no grants found');
}
return Grants.trim(grant);
});
app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve grants");
};
Grants.restful.getAll = function (req, res) {
var promise = req.Store.find({ sub: req.params.sub }).then(function (results) {
return results.map(Grants.trim).sort(function (grantA, grantB) {
return (grantA.azp < grantB.azp) ? -1 : 1;
});
});
app.handlePromise(req, res, promise, "[issuer@oauth3.org] retrieve grants");
};
Grants.restful.saveNew = function (req, res) {
var promise = PromiseA.resolve().then(function () {
if (typeof req.body.scope !== 'string' || typeof req.body.sub !== 'string') {
throw new Error("malformed request: 'sub' and 'scope' must be strings");
}
return req.Store.find({ azpSub: req.body.sub });
}).then(function (existing) {
if (existing.length) {
if (existing.length > 1) {
throw new Error("pre-existing PPID collision detected");
} else if (existing[0].sub !== req.params.sub || existing[0].azp !== req.params.azp) {
throw new Error("PPID collision detected, cannot save authorized party's sub");
}
}
var grant = {
sub: req.params.sub,
azp: req.params.azp,
azpSub: req.body.sub,
scope: req.body.scope.split(/[+ ,]+/g).join(','),
};
return req.Store.upsert(grant.sub+'/'+grant.azp, grant);
}).then(function () {
return {success: true};
});
app.handlePromise(req, res, promise, '[issuer@oauth3.org] save grants');
};
app.get( '/jwks/:sub/:kid.json', Jwks.restful.get);
// Everything but getting keys is only for the issuer
app.use( '/jwks/:sub', authorizeIssuer, attachSiteStore.bind(null, 'IssuerOauth3OrgJwks'));
app.post( '/jwks/:sub', Jwks.restful.saveNew);
// Everything regarding grants is only for the issuer
app.use( '/grants/:sub', authorizeIssuer, attachSiteStore.bind(null, 'IssuerOauth3OrgGrants'));
app.get( '/grants/:sub', Grants.restful.getAll);
app.get( '/grants/:sub/:azp', Grants.restful.getOne);
app.post( '/grants/:sub/:azp', Grants.restful.saveNew);
app.use(detachSiteStore);
};
Reference in New Issue View Git Blame Copy Permalink