oauth2/revocation: token revocation fails silently with sql store - c…

…loses ory#311
boost-entropy-golang · Nov 22, 2016 · 7d3cb4e · 7d3cb4e
1 parent 00bdd28
commit 7d3cb4e
Show file tree

Hide file tree

Showing 7 changed files with 97 additions and 17 deletions.
diff --git a/cmd/cli/handler.go b/cmd/cli/handler.go
@@ -5,17 +5,19 @@ import (
 )
 
 type Handler struct {
-	Clients  *ClientHandler
-	Policies *PolicyHandler
-	Keys     *JWKHandler
-	Warden   *WardenHandler
+	Clients    *ClientHandler
+	Policies   *PolicyHandler
+	Keys       *JWKHandler
+	Warden     *WardenHandler
+	Revocation *RevocationHandler
 }
 
 func NewHandler(c *config.Config) *Handler {
 	return &Handler{
-		Clients:  newClientHandler(c),
-		Policies: newPolicyHandler(c),
-		Keys:     newJWKHandler(c),
-		Warden:   newWardenHandler(c),
+		Clients:    newClientHandler(c),
+		Policies:   newPolicyHandler(c),
+		Keys:       newJWKHandler(c),
+		Warden:     newWardenHandler(c),
+		Revocation: newRevocationHandler(c),
 	}
 }
diff --git a/cmd/cli/handler_recovation.go b/cmd/cli/handler_recovation.go
@@ -0,0 +1,41 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"github.com/ory-am/hydra/config"
+	"github.com/ory-am/hydra/oauth2"
+	"github.com/ory-am/hydra/pkg"
+	"github.com/spf13/cobra"
+	"golang.org/x/oauth2/clientcredentials"
+)
+
+type RevocationHandler struct {
+	Config *config.Config
+	M      *oauth2.HTTPRecovator
+}
+
+func newRevocationHandler(c *config.Config) *RevocationHandler {
+	return &RevocationHandler{
+		Config: c,
+		M:      &oauth2.HTTPRecovator{},
+	}
+}
+
+func (h *RevocationHandler) RevokeToken(cmd *cobra.Command, args []string) {
+	h.M.Endpoint = h.Config.Resolve("/oauth2/revoke")
+	h.M.Config = &clientcredentials.Config{
+		ClientID:     h.Config.ClientID,
+		ClientSecret: h.Config.ClientSecret,
+	}
+
+	if len(args) != 1 {
+		fmt.Print(cmd.UsageString())
+		return
+	}
+
+	token := args[0]
+	err := h.M.RevokeToken(context.Background(), args[0])
+	pkg.Must(err, "Could not revoke token: %s", err)
+	fmt.Printf("Revoked token %s", token)
+}
diff --git a/cmd/root_test.go b/cmd/root_test.go
@@ -42,6 +42,7 @@ func TestExecute(t *testing.T) {
 		{args: []string{"keys", "create", "foo", "-a", "HS256"}},
 		{args: []string{"keys", "get", "foo"}},
 		{args: []string{"keys", "delete", "foo"}},
+		{args: []string{"token", "revoke", "foo"}},
 		{args: []string{"token", "client"}},
 		{args: []string{"token", "user", "--no-open"}, wait: func() bool {
 			time.Sleep(time.Millisecond * 10)

diff --git a/cmd/token_revoke.go b/cmd/token_revoke.go
@@ -0,0 +1,17 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// validateCmd represents the validate command
+var tokenRevokeCmd = &cobra.Command{
+	Use:   "revoke <token>",
+	Short: "Revoke an access or refresh token",
+	Run:   cmdHandler.Revocation.RevokeToken,
+}
+
+func init() {
+	tokenCmd.AddCommand(tokenRevokeCmd)
+
+}
diff --git a/cmd/token_validate.go b/cmd/token_validate.go
@@ -7,7 +7,7 @@ import (
 // validateCmd represents the validate command
 var tokenValidatorCmd = &cobra.Command{
 	Use:   "validate <token>",
-	Short: "Check if an access token is valid.",
+	Short: "Check if an access token is valid",
 	Run:   cmdHandler.Warden.IsAuthorized,
 }
 

diff --git a/oauth2/fosite_store_sql.go b/oauth2/fosite_store_sql.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"encoding/json"
 	"fmt"
+	"github.com/Sirupsen/logrus"
 	"github.com/jmoiron/sqlx"
 	"github.com/ory-am/fosite"
 	"github.com/ory-am/hydra/client"
@@ -69,6 +70,10 @@ type sqlData struct {
 }
 
 func sqlSchemaFromRequest(signature string, r fosite.Requester) (*sqlData, error) {
+	if r.GetSession() == nil {
+		logrus.Debugf("Got an empty session in sqlSchemaFromRequest")
+	}
+
 	session, err := json.Marshal(r.GetSession())
 	if err != nil {
 		return nil, errors.Wrap(err, "")
@@ -86,13 +91,13 @@ func sqlSchemaFromRequest(signature string, r fosite.Requester) (*sqlData, error
 	}, nil
 }
 
-func (s *sqlData) ToRequest(session fosite.Session, cm client.Manager) (*fosite.Request, error) {
-	if session == nil {
-		return nil, errors.New("Session undefined")
-	}
-
-	if err := json.Unmarshal(s.Session, session); err != nil {
-		return nil, errors.Wrap(err, "")
+func (s *sqlData) toRequest(session fosite.Session, cm client.Manager) (*fosite.Request, error) {
+	if session != nil {
+		if err := json.Unmarshal(s.Session, session); err != nil {
+			return nil, errors.Wrap(err, "")
+		}
+	} else {
+		logrus.Debugf("Got an empty session in toRequest")
 	}
 
 	c, err := cm.GetClient(s.Client)
@@ -144,7 +149,7 @@ func (s *FositeSQLStore) findSessionBySignature(signature string, session fosite
 		return nil, errors.Wrap(err, "")
 	}
 
-	return d.ToRequest(session, s.Manager)
+	return d.toRequest(session, s.Manager)
 }
 
 func (s *FositeSQLStore) deleteSession(signature string, table string) error {

diff --git a/oauth2/revocator_test.go b/oauth2/revocator_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/ory-am/hydra/herodot"
 	"github.com/ory-am/hydra/oauth2"
 	"github.com/ory-am/hydra/pkg"
+	"github.com/stretchr/testify/assert"
 	"golang.org/x/net/context"
 	"golang.org/x/oauth2/clientcredentials"
 )
@@ -87,6 +88,7 @@ func TestRevoke(t *testing.T) {
 		for _, c := range []struct {
 			token     string
 			expectErr bool
+			assert    func(*testing.T)
 		}{
 			{
 				token:     "invalid",
@@ -95,6 +97,9 @@ func TestRevoke(t *testing.T) {
 			{
 				token:     tokensRecovator[0][1],
 				expectErr: false,
+				assert: func(t *testing.T) {
+					assert.Len(t, fositeStoreRecovator.AccessTokens, 2)
+				},
 			},
 			{
 				token:     tokensRecovator[0][1],
@@ -103,15 +108,24 @@ func TestRevoke(t *testing.T) {
 			{
 				token:     tokensRecovator[2][1],
 				expectErr: false,
+				assert: func(t *testing.T) {
+					assert.Len(t, fositeStoreRecovator.AccessTokens, 1)
+				},
 			},
 			{
 				token:     tokensRecovator[1][1],
 				expectErr: false,
+				assert: func(t *testing.T) {
+					assert.Len(t, fositeStoreRecovator.AccessTokens, 0)
+				},
 			},
 		} {
 			t.Run(fmt.Sprintf("case=%s", k), func(t *testing.T) {
 				err := w.RevokeToken(context.Background(), c.token)
 				pkg.AssertError(t, c.expectErr, err)
+				if c.assert != nil {
+					c.assert(t)
+				}
 			})
 		}
 	}