2019-12-07 18:18:22 +07:00
|
|
|
package utils
|
|
|
|
|
2020-03-06 08:38:02 +07:00
|
|
|
import (
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
|
|
|
"fmt"
|
2020-03-06 08:38:02 +07:00
|
|
|
"math/rand"
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
|
|
|
"net/url"
|
2020-12-03 12:23:52 +07:00
|
|
|
"strings"
|
2020-03-06 08:38:02 +07:00
|
|
|
"time"
|
2020-05-21 09:20:55 +07:00
|
|
|
"unicode"
|
2020-03-06 08:38:02 +07:00
|
|
|
)
|
|
|
|
|
feat(oidc): add additional config options, accurate token times, and refactoring (#1991)
* This gives admins more control over their OIDC installation exposing options that had defaults before. Things like lifespans for authorize codes, access tokens, id tokens, refresh tokens, a option to enable the debug client messages, minimum parameter entropy. It also allows admins to configure the response modes.
* Additionally this records specific values about a users session indicating when they performed a specific authz factor so this is represented in the token accurately.
* Lastly we also implemented a OIDC key manager which calculates the kid for jwk's using the SHA1 digest instead of being static, or more specifically the first 7 chars. As per https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-key#section-8.1.1 the kid should not exceed 8 chars. While it's allowed to exceed 8 chars, it must only be done so with a compelling reason, which we do not have.
2021-07-04 06:44:30 +07:00
|
|
|
// IsStringAbsURL checks a string can be parsed as a URL and that is IsAbs and if it can't it returns an error
|
|
|
|
// describing why.
|
|
|
|
func IsStringAbsURL(input string) (err error) {
|
|
|
|
parsedURL, err := url.Parse(input)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("could not parse '%s' as a URL", input)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !parsedURL.IsAbs() {
|
|
|
|
return fmt.Errorf("the url '%s' is not absolute because it doesn't start with a scheme like 'http://' or 'https://'", input)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-05-21 09:20:55 +07:00
|
|
|
// IsStringAlphaNumeric returns false if any rune in the string is not alpha-numeric.
|
|
|
|
func IsStringAlphaNumeric(input string) bool {
|
|
|
|
for _, r := range input {
|
|
|
|
if !unicode.IsLetter(r) && !unicode.IsNumber(r) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
// IsStringInSlice checks if a single string is in a slice of strings.
|
2021-06-01 11:09:50 +07:00
|
|
|
func IsStringInSlice(needle string, haystack []string) (inSlice bool) {
|
|
|
|
for _, b := range haystack {
|
|
|
|
if b == needle {
|
2019-12-07 18:18:22 +07:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2019-12-07 18:18:22 +07:00
|
|
|
return false
|
|
|
|
}
|
2020-03-06 08:38:02 +07:00
|
|
|
|
2021-08-03 16:55:21 +07:00
|
|
|
// IsStringInSliceSuffix checks if the needle string has one of the suffixes in the haystack.
|
|
|
|
func IsStringInSliceSuffix(needle string, haystack []string) (hasSuffix bool) {
|
|
|
|
for _, straw := range haystack {
|
|
|
|
if strings.HasSuffix(needle, straw) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
// IsStringInSliceFold checks if a single string is in a slice of strings but uses strings.EqualFold to compare them.
|
2021-06-01 11:09:50 +07:00
|
|
|
func IsStringInSliceFold(needle string, haystack []string) (inSlice bool) {
|
|
|
|
for _, b := range haystack {
|
|
|
|
if strings.EqualFold(b, needle) {
|
2021-03-05 11:18:31 +07:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2020-12-16 08:30:03 +07:00
|
|
|
// IsStringInSliceContains checks if a single string is in an array of strings.
|
2021-06-01 11:09:50 +07:00
|
|
|
func IsStringInSliceContains(needle string, haystack []string) (inSlice bool) {
|
|
|
|
for _, b := range haystack {
|
|
|
|
if strings.Contains(needle, b) {
|
2020-12-16 08:30:03 +07:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2020-04-21 04:03:38 +07:00
|
|
|
// SliceString splits a string s into an array with each item being a max of int d
|
|
|
|
// d = denominator, n = numerator, q = quotient, r = remainder.
|
2020-03-06 08:38:02 +07:00
|
|
|
func SliceString(s string, d int) (array []string) {
|
|
|
|
n := len(s)
|
|
|
|
q := n / d
|
|
|
|
r := n % d
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-03-06 08:38:02 +07:00
|
|
|
for i := 0; i < q; i++ {
|
|
|
|
array = append(array, s[i*d:i*d+d])
|
|
|
|
if i+1 == q && r != 0 {
|
|
|
|
array = append(array, s[i*d+d:])
|
|
|
|
}
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-03-06 08:38:02 +07:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-05-05 05:06:05 +07:00
|
|
|
func isStringSlicesDifferent(a, b []string, method func(s string, b []string) bool) (different bool) {
|
2021-02-02 08:01:46 +07:00
|
|
|
if len(a) != len(b) {
|
|
|
|
return true
|
2020-05-05 02:39:25 +07:00
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2021-02-02 08:01:46 +07:00
|
|
|
for _, s := range a {
|
2021-05-05 05:06:05 +07:00
|
|
|
if !method(s, b) {
|
2020-05-05 02:39:25 +07:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-05-05 02:39:25 +07:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-05-05 05:06:05 +07:00
|
|
|
// IsStringSlicesDifferent checks two slices of strings and on the first occurrence of a string item not existing in the
|
|
|
|
// other slice returns true, otherwise returns false.
|
|
|
|
func IsStringSlicesDifferent(a, b []string) (different bool) {
|
|
|
|
return isStringSlicesDifferent(a, b, IsStringInSlice)
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsStringSlicesDifferentFold checks two slices of strings and on the first occurrence of a string item not existing in
|
|
|
|
// the other slice (case insensitive) returns true, otherwise returns false.
|
|
|
|
func IsStringSlicesDifferentFold(a, b []string) (different bool) {
|
|
|
|
return isStringSlicesDifferent(a, b, IsStringInSliceFold)
|
|
|
|
}
|
|
|
|
|
2020-05-05 02:39:25 +07:00
|
|
|
// StringSlicesDelta takes a before and after []string and compares them returning a added and removed []string.
|
|
|
|
func StringSlicesDelta(before, after []string) (added, removed []string) {
|
|
|
|
for _, s := range before {
|
|
|
|
if !IsStringInSlice(s, after) {
|
|
|
|
removed = append(removed, s)
|
|
|
|
}
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-05-05 02:39:25 +07:00
|
|
|
for _, s := range after {
|
|
|
|
if !IsStringInSlice(s, before) {
|
|
|
|
added = append(added, s)
|
|
|
|
}
|
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-05-05 02:39:25 +07:00
|
|
|
return added, removed
|
|
|
|
}
|
|
|
|
|
2020-04-21 04:03:38 +07:00
|
|
|
// RandomString generate a random string of n characters.
|
2020-03-06 08:38:02 +07:00
|
|
|
func RandomString(n int, characters []rune) (randomString string) {
|
|
|
|
rand.Seed(time.Now().UnixNano())
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-03-06 08:38:02 +07:00
|
|
|
b := make([]rune, n)
|
|
|
|
for i := range b {
|
2020-09-04 10:20:17 +07:00
|
|
|
b[i] = characters[rand.Intn(len(characters))] //nolint:gosec // Likely isn't necessary to use the more expensive crypto/rand for this utility func.
|
2020-03-06 08:38:02 +07:00
|
|
|
}
|
2020-05-06 02:35:32 +07:00
|
|
|
|
2020-03-06 08:38:02 +07:00
|
|
|
return string(b)
|
|
|
|
}
|
2021-07-22 10:52:37 +07:00
|
|
|
|
|
|
|
// StringHTMLEscape escapes chars for a HTML body.
|
|
|
|
func StringHTMLEscape(input string) (output string) {
|
|
|
|
return htmlEscaper.Replace(input)
|
|
|
|
}
|