Skip to content
Snippets Groups Projects
Select Git revision
  • dependabot/go_modules/github.com/go-sql-driver/mysql-1.9.1
  • dependabot/go_modules/github.com/redis/go-redis/v9-9.7.3
  • dependabot/go_modules/github.com/coreos/go-oidc/v3-3.13.0
  • prerel default protected
  • master protected
  • dependabot/go_modules/github.com/coreos/go-oidc/v3-3.8.0
  • dependabot/go_modules/golang.org/x/mod-0.14.0
  • dependabot/go_modules/github.com/gofiber/fiber/v2-2.51.0
  • dependabot/go_modules/github.com/valyala/fasthttp-1.51.0
  • dependabot/go_modules/golang.org/x/oauth2-0.15.0
  • dependabot/go_modules/github.com/lestrrat-go/jwx-1.2.27
  • dependabot/go_modules/golang.org/x/term-0.15.0
  • dependabot/go_modules/golang.org/x/crypto-0.16.0
  • dependabot/go_modules/github.com/go-jose/go-jose/v3-3.0.1
  • dependabot/go_modules/golang.org/x/crypto-0.15.0
  • dependabot/go_modules/golang.org/x/oauth2-0.14.0
  • dependabot/go_modules/golang.org/x/term-0.14.0
  • dependabot/go_modules/github.com/redis/go-redis/v9-9.3.0
  • dependabot/go_modules/github.com/coreos/go-oidc/v3-3.7.0
  • dependabot/go_modules/github.com/gofiber/fiber/v2-2.50.0
  • v0.10.1
  • v0.10.0
  • v0.9.2
  • v0.9.1
  • v0.9.0
  • v0.8.1
  • v0.8.0
  • v0.7.2
  • v0.7.1
  • v0.7.0
  • v0.6.1
  • v0.6.1-c
  • v0.6.1-b
  • v0.6.1-a
  • v0.6.0
  • v0.5.4
  • v0.5.3
  • v0.5.2
  • v0.5.1
  • v0.5.0
40 results
Blame Permalink
mytoken.go 4.48 KiB 
package mytokenrepo

import (
	"encoding/base64"

	"github.com/jmoiron/sqlx"
	"github.com/pkg/errors"

	"github.com/oidc-mytoken/api/v0"

	"github.com/oidc-mytoken/server/internal/db"
	eventService "github.com/oidc-mytoken/server/shared/mytoken/event"
	event "github.com/oidc-mytoken/server/shared/mytoken/event/pkg"
	mytoken "github.com/oidc-mytoken/server/shared/mytoken/pkg"
	"github.com/oidc-mytoken/server/shared/mytoken/pkg/mtid"
	"github.com/oidc-mytoken/server/shared/utils/cryptUtils"
)

// MytokenEntry holds the information of a MytokenEntry as stored in the
// database
type MytokenEntry struct {
	ID                     mtid.MTID
	SeqNo                  uint64
	ParentID               mtid.MTID `db:"parent_id"`
	RootID                 mtid.MTID `db:"root_id"`
	Token                  *mytoken.Mytoken
	rtID                   *uint64
	refreshToken           string
	encryptionKey          []byte
	rtEncrypted            string
	encryptionKeyEncrypted string
	Name                   string
	IP                     string `db:"ip_created"`
	networkData            api.ClientMetaData
}

// InitRefreshToken links a refresh token to this MytokenEntry
func (ste *MytokenEntry) InitRefreshToken(rt string) error {
	ste.refreshToken = rt
	ste.encryptionKey = cryptUtils.RandomBytes(32)
	tmp, err := cryptUtils.AESEncrypt(ste.refreshToken, ste.encryptionKey)
	if err != nil {
		return err
	}
	ste.rtEncrypted = tmp
	jwt, err := ste.Token.ToJWT()
	if err != nil {
		return err
	}
	tmp, err = cryptUtils.AES256Encrypt(base64.StdEncoding.EncodeToString(ste.encryptionKey), jwt)
	if err != nil {
		return err
	}
	ste.encryptionKeyEncrypted = tmp
	return nil
}

// SetRefreshToken updates the refresh token for this MytokenEntry
func (ste *MytokenEntry) SetRefreshToken(rtID uint64, key []byte) error {
	ste.encryptionKey = key
	jwt, err := ste.Token.ToJWT()
	if err != nil {
		return err
	}
	tmp, err := cryptUtils.AES256Encrypt(base64.StdEncoding.EncodeToString(key), jwt)
	if err != nil {
		return err
	}
	ste.encryptionKeyEncrypted = tmp
	ste.rtID = &rtID
	return nil
}

// NewMytokenEntry creates a new MytokenEntry
func NewMytokenEntry(mt *mytoken.Mytoken, name string, networkData api.ClientMetaData) *MytokenEntry {
	return &MytokenEntry{
		ID:          mt.ID,
		SeqNo:       mt.SeqNo,
		Token:       mt,
		Name:        name,
		IP:          networkData.IP,
		networkData: networkData,
	}
}

// Root checks if this MytokenEntry is a root token
func (ste *MytokenEntry) Root() bool {
	return !ste.RootID.HashValid()
}

// Store stores the MytokenEntry in the database
func (ste *MytokenEntry) Store(tx *sqlx.Tx, comment string) error {
	steStore := mytokenEntryStore{
		ID:       ste.ID,
		SeqNo:    ste.SeqNo,
		ParentID: ste.ParentID,
		RootID:   ste.RootID,
		Name:     db.NewNullString(ste.Name),
		IP:       ste.IP,
		Iss:      ste.Token.OIDCIssuer,
		Sub:      ste.Token.OIDCSubject,
	}
	return db.RunWithinTransaction(tx, func(tx *sqlx.Tx) error {
		if ste.rtID == nil {
			if _, err := tx.Exec(`CALL CryptStoreRT_Insert(?,@ID)`, ste.rtEncrypted); err != nil {
				return errors.WithStack(err)
			}
			var rtID uint64
			if err := tx.Get(&rtID, `SELECT @ID`); err != nil {
				return errors.WithStack(err)
			}
			ste.rtID = &rtID
		}
		steStore.RefreshTokenID = *ste.rtID
		if err := steStore.Store(tx); err != nil {
			return err
		}
		if err := storeEncryptionKey(tx, ste.encryptionKeyEncrypted, steStore.RefreshTokenID, ste.ID); err != nil {
			return err
		}
		return eventService.LogEvent(tx, eventService.MTEvent{
			Event: event.FromNumber(event.MTCreated, comment),
			MTID:  ste.ID,
		}, ste.networkData)
	})
}

func storeEncryptionKey(tx *sqlx.Tx, key string, rtID uint64, myid mtid.MTID) error {
	_, err := tx.Exec(`CALL EncryptionKeysRT_Insert(?,?,?)`, key, rtID, myid)
	return errors.WithStack(err)
}

type mytokenEntryStore struct {
	ID             mtid.MTID
	SeqNo          uint64
	ParentID       mtid.MTID `db:"parent_id"`
	RootID         mtid.MTID `db:"root_id"`
	RefreshTokenID uint64    `db:"rt_id"`
	Name           db.NullString
	IP             string `db:"ip_created"`
	Iss            string
	Sub            string
}

// Store stores the mytokenEntryStore in the database; if this is the first token for this user, the user is also added
// to the db
func (e *mytokenEntryStore) Store(tx *sqlx.Tx) error {
	return db.RunWithinTransaction(tx, func(tx *sqlx.Tx) error {
		_, err := tx.Exec(`CALL MTokens_Insert(?,?,?,?,?,?,?,?,?)`,
			e.Sub, e.Iss, e.ID, e.SeqNo, e.ParentID, e.RootID, e.RefreshTokenID, e.Name, e.IP)
		return errors.WithStack(err)
	})
}

A HIFIS Service | Privacy | Imprint | Support | Documentation | Changelog