

feat: support qualified client id from wire clients with : as delimiter
beltram committed Mar 10, 2023
1 parent 28b0cee commit aa1a6c7
Showing 18 changed files with 527 additions and 427 deletions.
2 changes: 1 addition & 1 deletion acme/src/identifier.rs
Expand Up @@ -10,7 +10,7 @@ pub enum AcmeIdentifier {

impl AcmeIdentifier {
pub fn try_new(display_name: String, domain: String, client_id: ClientId, handle: String) -> RustyAcmeResult<Self> {
let client_id = client_id.to_subject();
let client_id = client_id.to_uri();
let identifier = WireIdentifier {
display_name,
domain,
17 changes: 12 additions & 5 deletions acme/src/order.rs
@@ -1,15 +1,16 @@
use crate::prelude::*;
use rusty_jwt_tools::prelude::*;

use crate::prelude::*;

// Order creation
impl RustyAcme {
/// create a new order
/// see [RFC 8555 Section 7.4](https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4).
#[allow(clippy::too_many_arguments)]
pub fn new_order_request(
display_name: String,
display_name: &str,
client_id: ClientId,
handle: String,
handle: &str,
expiry: core::time::Duration,
directory: &AcmeDirectory,
account: &AcmeAccount,
Expand All @@ -21,7 +22,12 @@ impl RustyAcme {
let acct_url = account.acct_url()?;

let domain = client_id.domain.clone();
let identifiers = vec![AcmeIdentifier::try_new(display_name, domain, client_id, handle)?];
let identifiers = vec![AcmeIdentifier::try_new(
display_name.to_string(),
domain,
client_id,
handle.to_string(),
)?];
let not_before = time::OffsetDateTime::now_utc();
let not_after = not_before + expiry;
let payload = AcmeOrderRequest {
Expand Down Expand Up @@ -231,10 +237,11 @@ pub enum AcmeOrderStatus {

#[cfg(test)]
mod tests {
use super::*;
use serde_json::json;
use wasm_bindgen_test::*;

use super::*;

wasm_bindgen_test_configure!(run_in_browser);

mod json {
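Review bot: `let not_after = not_before + expiry;` still derives the order window from a caller-supplied `core::time::Duration` with no upper bound, and as far as I recall `time::OffsetDateTime`'s `Add` panics when the result is out of range, so an oversized `--expiry` coming from the CLI (`Duration::from_secs(self.expiry)`) would abort instead of returning an error; `let not_after = not_before.checked_add(expiry).ok_or_else(|| /* crate error for an invalid expiry */)?;` keeps it a `RustyAcmeResult`. The switch to `display_name: &str` / `handle: &str` only moves the allocation, since `AcmeIdentifier::try_new` still takes `String` and the hunk immediately calls `.to_string()` on both; `impl Into<String>` on `try_new` would let callers pass either without the double copy. The `#[allow(clippy::too_many_arguments)]` has no comment saying why a parameter struct was not used. `new_order_request` continues past the end of the hunk.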
2 changes: 1 addition & 1 deletion cli/src/access_generate.rs
Expand Up @@ -57,7 +57,7 @@ impl AccessGenerate {
extra_claims: None,
};
let nonce: BackendNonce = self.nonce.into();
let client_id: ClientId = self.client_id.as_str().try_into().expect("Invalid 'client_id'");
let client_id = ClientId::try_from_uri(&self.client_id).expect("Invalid 'client_id'");
let expiry = core::time::Duration::from_secs(self.expiry);

let client_dpop_token =
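Review bot: `ClientId::try_from_uri(&self.client_id).expect("Invalid 'client_id'")` panics on a malformed command-line value, and the message no longer tells the user which of the two formats this commit introduces is expected here: this path requires the URI form accepted by `try_from_uri`, whereas `e2e-identity` parses the `:`-delimited qualified form. A user who pastes the qualified id into this CLI will get an opaque panic. At minimum make the message name the expected shape, `.expect("Invalid 'client_id': expected the client id URI form")`, and ideally return an error from `AccessGenerate` rather than panicking; the `--client-id` help text (outside this hunk) should state the same format.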
2 changes: 1 addition & 1 deletion cli/src/access_verify.rs
Expand Up @@ -46,7 +46,7 @@ impl AccessVerify {
.trim()
.to_string();

let client_id: ClientId = self.client_id.as_str().try_into().expect("Invalid 'client_id'");
let client_id = ClientId::try_from_uri(&self.client_id).expect("Invalid 'client_id'");
let challenge: AcmeNonce = self.challenge.into();
let (_, backend_pk) = parse_public_key_pem(read_file(Some(&self.key)).unwrap());

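Review bot: On the verification path a malformed `client_id` argument now goes through `try_from_uri(...).expect("Invalid 'client_id'")` and aborts the process instead of being reported as a verification failure. The value is operator-supplied here, so this is not an attack surface, but a verifier that exits with a panic for a bad expected-subject is easy to misread as a token problem; returning the parse error through `AccessVerify`'s result type (and naming the expected URI form in the message) would make failures attributable. Note also that the expected-subject string built from this `ClientId` is only meaningful if the token issuer serialized the same `ClientId` the same way, which the format split introduced in this commit (`try_from_uri` vs `try_from_qualified`) makes easier to get wrong.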
646 changes: 323 additions & 323 deletions e2e-identity/README.md


8 changes: 4 additions & 4 deletions e2e-identity/src/lib.rs
Expand Up @@ -115,16 +115,16 @@ impl RustyE2eIdentity {
#[allow(clippy::too_many_arguments)]
pub fn acme_new_order_request(
&self,
display_name: String,
client_id: String,
handle: String,
display_name: &str,
client_id: &str,
handle: &str,
expiry: core::time::Duration,
directory: &AcmeDirectory,
account: &E2eiAcmeAccount,
previous_nonce: String,
) -> E2eIdentityResult<Json> {
let account = serde_json::from_value(account.clone().into())?;
let client_id = ClientId::try_from_qualified(client_id.as_str())?;
let client_id = ClientId::try_from_qualified(client_id)?;
let order_req = RustyAcme::new_order_request(
display_name,
client_id,
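Review bot: `acme_new_order_request` is a public entry point, yet its `client_id: &str` parameter is undocumented, and after this commit the accepted shape is the qualified form parsed by `ClientId::try_from_qualified` (`user:client@domain` with `:` as delimiter, judging by the commit title and the updated test) rather than the URI form that `try_from_uri` accepts in the CLI; nothing in the signature tells a caller which one to pass. I would add a doc comment on the parameter along the lines of: "`client_id` is the qualified Wire client id, `<user_id>:<client_id>@<domain>`; the URI serialization is not accepted here and yields a parse error." The parse error already surfaces through `?`, which is the right behavior for untrusted input. The function body continues past the end of the hunk.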
8 changes: 4 additions & 4 deletions e2e-identity/tests/api.rs
Expand Up @@ -20,7 +20,7 @@ fn e2e_api() {
let user_id = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(user_id.to_string());
let client_id = random::<u64>();
let domain = "example.org";
let qualified_client_id = format!("{user_id}/{client_id:x}@{domain}");
let qualified_client_id = format!("{user_id}:{client_id:x}@{domain}");

let display_name = "Smith, Alice M (QA)".to_string();
let qualified_handle = format!("alice.smith.qa@{domain}");
Expand Down Expand Up @@ -73,9 +73,9 @@ fn e2e_api() {
let expiry = core::time::Duration::from_secs(3600); // 1h
let _order_request = enrollment
.acme_new_order_request(
display_name,
qualified_client_id.clone(),
qualified_handle,
&display_name,
&qualified_client_id,
&qualified_handle,
expiry,
&directory,
&account,
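Review bot: The test now only exercises the new `:` delimiter in `qualified_client_id`; nothing asserts what happens to a `/`-delimited id (the previous format), so whether it is now rejected by `acme_new_order_request` or still accepted for backwards compatibility is untested, and a parser regression that accepted both would pass. A negative case built from the same parts, e.g. `let legacy_id = format!("{user_id}/{client_id:x}@{domain}");` followed by an `assert!(... .acme_new_order_request(&display_name, &legacy_id, ...).is_err())`, would pin the intended contract. If the old form is meant to keep working, the assertion should be the opposite and the README should say so.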
2 changes: 1 addition & 1 deletion e2e-identity/tests/utils/cfg.rs
Expand Up @@ -108,7 +108,7 @@ impl<'a> E2eTest<'a> {
email: email.to_string(),
password: password.to_string(),
domain: domain.to_string(),
sub: sub.to_subject(),
sub: sub.to_uri(),
},
dex_cfg: DexCfg {
host: dex_host,
6 changes: 3 additions & 3 deletions e2e-identity/tests/utils/fmk.rs
Expand Up @@ -136,9 +136,9 @@ impl<'a> E2eTest<'a> {
self.display_step("create a new order");
let expiry = core::time::Duration::from_secs(3600); // 1h
let order_request = RustyAcme::new_order_request(
self.display_name.clone(),
&self.display_name,
self.sub.clone(),
self.handle.clone(),
&self.handle,
expiry,
directory,
account,
Expand Down Expand Up @@ -267,7 +267,7 @@ impl<'a> E2eTest<'a> {
let b64 = |v: &str| base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(v);

// cheat to share test context
ctx_store("client-id", self.sub.to_subject());
ctx_store("client-id", self.sub.to_uri());
ctx_store("backend-kp", self.backend_kp.to_string());
ctx_store("hash-alg", self.hash_alg.to_string());
ctx_store("wire-server-uri", self.wire_server_uri());
2 changes: 1 addition & 1 deletion e2e-identity/tests/utils/wire_server/server_api.rs
Expand Up @@ -47,7 +47,7 @@ pub async fn wire_api(req: Request<Body>) -> Result<Response<Body>, hyper::Error

fn generate_access_token(dpop: &str, nonce: BackendNonce) -> serde_json::Value {
let client_id = ctx_get("client-id").unwrap();
let client_id: ClientId = client_id.as_str().try_into().unwrap();
let client_id = ClientId::try_from_uri(&client_id).unwrap();
let backend_kp: Pem = ctx_get("backend-kp").unwrap().into();
let hash_alg: HashAlgorithm = ctx_get("hash-alg").unwrap().parse().unwrap();
let htu: Htu = ctx_get("wire-server-uri").unwrap().as_str().try_into().unwrap();
6 changes: 3 additions & 3 deletions jwt/src/access/generate.rs
Expand Up @@ -95,7 +95,7 @@ impl RustyJwtTools {
challenge: proof_claims.custom.challenge,
cnf,
proof: proof.to_string(),
client_id: client_id.to_subject(),
client_id: client_id.to_uri(),
api_version: Access::WIRE_SERVER_API_VERSION,
scope: Access::DEFAULT_SCOPE.to_string(),
extra_claims: proof_claims.custom.extra_claims,
Expand Down Expand Up @@ -364,8 +364,8 @@ mod tests {

let backend_key = JwtKey::from((ciphersuite.key.alg, backend_key));
let claims = backend_key.claims::<Access>(&token);
assert_eq!(claims.subject, Some(sub.to_subject()));
assert_eq!(claims.custom.client_id, sub.to_subject());
assert_eq!(claims.subject, Some(sub.to_uri()));
assert_eq!(claims.custom.client_id, sub.to_uri());
}

#[apply(all_ciphersuites)]
2 changes: 1 addition & 1 deletion jwt/src/access/mod.rs
Expand Up @@ -65,7 +65,7 @@ impl Access {
let exp = Duration::from_secs(Self::EXP);
Claims::with_custom_claims(self, exp)
.with_jwt_id(new_jti())
.with_subject(client_id.to_subject())
.with_subject(client_id.to_uri())
.with_nonce(nonce.to_string())
.with_issuer(issuer)
.with_audience(audience)
2 changes: 1 addition & 1 deletion jwt/src/dpop/generate.rs
Expand Up @@ -463,7 +463,7 @@ pub mod tests {
.unwrap();
let claims = key.claims::<Dpop>(&token);
assert!(claims.subject.is_some());
assert_eq!(claims.subject.unwrap(), client_id.to_subject())
assert_eq!(claims.subject.unwrap(), client_id.to_uri())
}

#[apply(all_keys)]
2 changes: 1 addition & 1 deletion jwt/src/dpop/mod.rs
Expand Up @@ -51,6 +51,6 @@ impl Dpop {
Claims::with_custom_claims(self, expiry)
.with_jwt_id(new_jti())
.with_nonce(nonce.to_string())
.with_subject(client_id.to_subject())
.with_subject(client_id.to_uri())
}
}
2 changes: 1 addition & 1 deletion jwt/src/jwt/verify.rs
Expand Up @@ -22,7 +22,7 @@ impl From<&Verify<'_>> for VerificationOptions {
Self {
accept_future: false,
required_key_id: None, // we don't verify 'jti', just enforce its presence
required_subject: Some(v.client_id.to_subject()),
required_subject: Some(v.client_id.to_uri()),
required_nonce: v.backend_nonce.map(|n| n.to_string()),
time_tolerance: Some(UnixTimeStamp::from_secs(v.leeway as u64)),
..Default::default()
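Review bot: `required_subject: Some(v.client_id.to_uri())` turns subject verification into an exact string comparison against the verifier's own serialization, which is only sound if `to_uri()` is canonical (stable case for the hex client id, a single delimiter, no percent-encoding variants) and the issuer side (`Dpop`/`Access::with_subject`, changed in this same commit) serialized the same parsed `ClientId`; otherwise legitimate tokens fail closed, and if `try_from_uri`/`try_from_qualified` accept more than one spelling for the same identity, only one of them will ever match here. That is an acceptable fail-closed property, but it should be stated: `// 'sub' is matched byte-for-byte against the canonical URI form; keep in sync with the issuer side`. Separately, the context comment `// we don't verify 'jti', just enforce its presence` sits on `required_key_id`, which governs the `kid` check, not `jti`, so it appears misplaced. The `From<&Verify<'_>>` impl continues past the end of the hunk.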
