upgrade fosite to v0.49.0 and handle its API changes

2026-01-07 14:05:50 +00:00 · 2024-12-13 10:17:42 -08:00
parent 57fc177266
commit 90c95866d1
9 changed files with 58 additions and 38 deletions
--- a/internal/federationdomain/endpoints/token/token_handler_test.go
+++ b/internal/federationdomain/endpoints/token/token_handler_test.go
@@ -168,6 +168,20 @@ var (
 		}
 	`)

+	fositeInvalidRefreshTokenErrorBody = here.Doc(`
+		{
+			"error":             "invalid_grant",
+			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The refresh token is malformed or not valid."
+		}
+	`)
+
+	fositeExpiredRefreshTokenErrorBody = here.Doc(`
+		{
+			"error":             "invalid_grant",
+			"error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The refresh token expired."
+		}
+	`)
+
 	fositeReusedAuthCodeErrorBody = here.Doc(`
 		{
 			"error":             "invalid_grant",
@@ -3766,7 +3780,7 @@ func TestRefreshGrant(t *testing.T) {
 			refreshRequest: refreshRequestInputs{
 				want: tokenEndpointResponseExpectedValues{
 					wantStatus:            http.StatusBadRequest,
-					wantErrorResponseBody: fositeInvalidAuthCodeErrorBody,
+					wantErrorResponseBody: fositeExpiredRefreshTokenErrorBody,
 				},
 			},
 		},
@@ -3793,7 +3807,7 @@ func TestRefreshGrant(t *testing.T) {
 				},
 				want: tokenEndpointResponseExpectedValues{
 					wantStatus:            http.StatusBadRequest,
-					wantErrorResponseBody: fositeInvalidAuthCodeErrorBody,
+					wantErrorResponseBody: fositeInvalidRefreshTokenErrorBody,
 				},
 			},
 		},
@@ -3820,7 +3834,7 @@ func TestRefreshGrant(t *testing.T) {
 				},
 				want: tokenEndpointResponseExpectedValues{
 					wantStatus:            http.StatusBadRequest,
-					wantErrorResponseBody: fositeInvalidAuthCodeErrorBody,
+					wantErrorResponseBody: fositeInvalidRefreshTokenErrorBody,
 				},
 			},
 		},
@@ -4831,7 +4845,7 @@ func TestRefreshGrant(t *testing.T) {
 				session.Fosite = &openid.DefaultSession{}
 				err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature)
 				require.NoError(t, err)
-				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester)
+				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, "ignored", firstRequester)
 				require.NoError(t, err)
 			},
 			refreshRequest: refreshRequestInputs{
@@ -4869,7 +4883,7 @@ func TestRefreshGrant(t *testing.T) {
 				delete(session.Fosite.Claims.Extra, "groups")
 				err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature)
 				require.NoError(t, err)
-				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester)
+				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, "ignored", firstRequester)
 				require.NoError(t, err)
 			},
 			refreshRequest: refreshRequestInputs{
@@ -4907,7 +4921,7 @@ func TestRefreshGrant(t *testing.T) {
 				session.Custom.Username = ""
 				err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature)
 				require.NoError(t, err)
-				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester)
+				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, "ignored", firstRequester)
 				require.NoError(t, err)
 			},
 			refreshRequest: refreshRequestInputs{
@@ -4989,7 +5003,7 @@ func TestRefreshGrant(t *testing.T) {
 				session.Fosite.Claims = fositeSessionClaims
 				err = oauthStore.DeleteRefreshTokenSession(context.Background(), refreshTokenSignature)
 				require.NoError(t, err)
-				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, firstRequester)
+				err = oauthStore.CreateRefreshTokenSession(context.Background(), refreshTokenSignature, "ignored", firstRequester)
 				require.NoError(t, err)
 			},
 			refreshRequest: refreshRequestInputs{
--- a/internal/federationdomain/storage/kube_storage.go
+++ b/internal/federationdomain/storage/kube_storage.go
@@ -158,7 +158,7 @@ func (k KubeStorage) RevokeAccessToken(ctx context.Context, requestID string) er
 //
 // These are keyed by the signature of the refresh token.
 //
-// Fosite will create these in the token endpoint whenever it wants to hand out an refresh token, including the original
+// Fosite will create these in the token endpoint whenever it wants to hand out a refresh token, including the original
 // authcode redemption and also during refresh. Refresh tokens are only handed out when the user requested the
 // offline_access scope on the original authorization request.
 //
@@ -169,8 +169,8 @@ func (k KubeStorage) RevokeAccessToken(ctx context.Context, requestID string) er
 // refresh token will never be deleted.
 //

-func (k KubeStorage) CreateRefreshTokenSession(ctx context.Context, signatureOfRefreshToken string, request fosite.Requester) (err error) {
-	return k.refreshTokenStorage.CreateRefreshTokenSession(ctx, signatureOfRefreshToken, request)
+func (k KubeStorage) CreateRefreshTokenSession(ctx context.Context, signatureOfRefreshToken string, accessTokenSignature string, request fosite.Requester) (err error) {
+	return k.refreshTokenStorage.CreateRefreshTokenSession(ctx, signatureOfRefreshToken, accessTokenSignature, request)
 }

 func (k KubeStorage) GetRefreshTokenSession(ctx context.Context, signatureOfRefreshToken string, session fosite.Session) (request fosite.Requester, err error) {
@@ -185,8 +185,14 @@ func (k KubeStorage) RevokeRefreshToken(ctx context.Context, requestID string) e
 	return k.refreshTokenStorage.RevokeRefreshToken(ctx, requestID)
 }

-func (k KubeStorage) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error {
-	return k.refreshTokenStorage.RevokeRefreshTokenMaybeGracePeriod(ctx, requestID, signature)
+func (k KubeStorage) RotateRefreshToken(ctx context.Context, requestID string, _refreshTokenSignature string) error {
+	// RotateRefreshToken was added in fosite v0.49.0, replacing RevokeRefreshTokenMaybeGracePeriod.
+	// Confusingly, its job is to both revoke the old refresh token and also revoke the old access token.
+	// See their sample storage implementation here: https://github.com/ory/fosite/blob/v0.49.0/storage/memory.go#L497-L504
+	if err := k.refreshTokenStorage.RevokeRefreshToken(ctx, requestID); err != nil {
+		return err
+	}
+	return k.accessTokenStorage.RevokeAccessToken(ctx, requestID)
 }

 //
--- a/internal/federationdomain/storage/null_storage.go
+++ b/internal/federationdomain/storage/null_storage.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package storage
@@ -39,7 +39,7 @@ func (NullStorage) RevokeRefreshToken(_ context.Context, _ string) error {
 	return errNullStorageNotImplemented
 }

-func (NullStorage) RevokeRefreshTokenMaybeGracePeriod(_ context.Context, _ string, _ string) error {
+func (NullStorage) RotateRefreshToken(_ context.Context, _ string, _ string) error {
 	return errNullStorageNotImplemented
 }

@@ -47,7 +47,7 @@ func (NullStorage) RevokeAccessToken(_ context.Context, _ string) error {
 	return errNullStorageNotImplemented
 }

-func (NullStorage) CreateRefreshTokenSession(_ context.Context, _ string, _ fosite.Requester) (err error) {
+func (NullStorage) CreateRefreshTokenSession(_ context.Context, _ string, _ string, _ fosite.Requester) (err error) {
 	return nil
 }

--- a/internal/fositestorage/refreshtoken/refreshtoken.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken.go
@@ -42,7 +42,7 @@ const (
 type RevocationStorage interface {
 	fositeoauth2.RefreshTokenStorage
 	RevokeRefreshToken(ctx context.Context, requestID string) error
-	RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error
+	RotateRefreshToken(ctx context.Context, requestID string, refreshTokenSignature string) error
 }

 var _ RevocationStorage = &refreshTokenStorage{}
@@ -82,12 +82,12 @@ func (a *refreshTokenStorage) RevokeRefreshToken(ctx context.Context, requestID
 	return a.storage.DeleteByLabel(ctx, fositestorage.StorageRequestIDLabelName, requestID)
 }

-func (a *refreshTokenStorage) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, _signature string) error {
-	// We don't support a grace period, so always call the regular RevokeRefreshToken().
+func (a *refreshTokenStorage) RotateRefreshToken(ctx context.Context, requestID string, _refreshTokenSignature string) error {
+	// Rotation is called to revoke an old token during a refresh, so we can always call RevokeRefreshToken().
 	return a.RevokeRefreshToken(ctx, requestID)
 }

-func (a *refreshTokenStorage) CreateRefreshTokenSession(ctx context.Context, signature string, requester fosite.Requester) error {
+func (a *refreshTokenStorage) CreateRefreshTokenSession(ctx context.Context, signature string, _accessTokenSignature string, requester fosite.Requester) error {
 	request, err := fositestorage.ValidateAndExtractAuthorizeRequest(requester)
 	if err != nil {
 		return err
--- a/internal/fositestorage/refreshtoken/refreshtoken_test.go
+++ b/internal/fositestorage/refreshtoken/refreshtoken_test.go
@@ -109,7 +109,7 @@ func TestRefreshTokenStorage(t *testing.T) {
 		RequestedAudience: nil,
 		GrantedAudience:   nil,
 	}
-	err := storage.CreateRefreshTokenSession(ctx, "fancy-signature", request)
+	err := storage.CreateRefreshTokenSession(ctx, "fancy-signature", "ignored", request)
 	require.NoError(t, err)
 	require.Equal(t, 1, storageLifetimeFuncCallCount)
 	require.Equal(t, request, storageLifetimeFuncCallRequesterArg)
@@ -172,7 +172,7 @@ func TestRefreshTokenStorageRevocation(t *testing.T) {
 		Form:    url.Values{"key": []string{"val"}},
 		Session: testutil.NewFakePinnipedSession(),
 	}
-	err := storage.CreateRefreshTokenSession(ctx, "fancy-signature", request)
+	err := storage.CreateRefreshTokenSession(ctx, "fancy-signature", "ignored", request)
 	require.NoError(t, err)

 	// Revoke the request ID of the session that we just created
@@ -227,12 +227,12 @@ func TestRefreshTokenStorageRevokeRefreshTokenMaybeGracePeriod(t *testing.T) {
 		Form:    url.Values{"key": []string{"val"}},
 		Session: testutil.NewFakePinnipedSession(),
 	}
-	err := storage.CreateRefreshTokenSession(ctx, "fancy-signature", request)
+	err := storage.CreateRefreshTokenSession(ctx, "fancy-signature", "ignored", request)
 	require.NoError(t, err)

-	// Revoke the request ID of the session that we just created. We don't support grace periods, so this
+	// Revoke the request ID of the session that we just created. This
 	// should work exactly like the regular RevokeRefreshToken() function.
-	err = storage.RevokeRefreshTokenMaybeGracePeriod(ctx, "abcd-1", "fancy-signature")
+	err = storage.RotateRefreshToken(ctx, "abcd-1", "fancy-signature")
 	require.NoError(t, err)

 	testutil.LogActualJSONFromCreateAction(t, client, 0) // makes it easier to update expected values when needed
@@ -306,7 +306,7 @@ func TestNilSessionRequest(t *testing.T) {
 func TestCreateWithNilRequester(t *testing.T) {
 	ctx, _, _, storage := makeTestSubject(lifetimeFunc)

-	err := storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", nil)
+	err := storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", "ignored", nil)
 	require.EqualError(t, err, "requester must be of type fosite.Request")
 }

@@ -317,14 +317,14 @@ func TestCreateWithWrongRequesterDataTypes(t *testing.T) {
 		Session: nil,
 		Client:  &clientregistry.Client{},
 	}
-	err := storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", request)
+	err := storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", "ignored", request)
 	require.EqualError(t, err, "requester's session must be of type PinnipedSession")

 	request = &fosite.Request{
 		Session: &psession.PinnipedSession{},
 		Client:  nil,
 	}
-	err = storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", request)
+	err = storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", "ignored", request)
 	require.EqualError(t, err, "requester's client must be of type clientregistry.Client")
 }

@@ -336,7 +336,7 @@ func TestCreateWithoutRequesterID(t *testing.T) {
 		Session: &psession.PinnipedSession{},
 		Client:  &clientregistry.Client{},
 	}
-	err := storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", request)
+	err := storage.CreateRefreshTokenSession(ctx, "signature-doesnt-matter", "ignored", request)
 	require.NoError(t, err)

 	// the blank ID was filled in with an auto-generated ID