
[CHANGE] changed GetScope and GetScopeByRole to return an error if th…
…e scope is not found. Note that if a signing key is present but it is not scoped, the scope is not found.

[FEAT] added Contains(sk), which returns two booleans: true if the signing key exists, and true if it is scoped.
aricart committed Mar 6, 2024
1 parent 714eb00 commit b66d57a
Showing 4 changed files with 51 additions and 43 deletions.
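--- a/account_signingkeys.go
+++ b/account_signingkeys.go
@@ -44,6 +44,11 @@ func (as *accountSigningKeys) ListRoles() []string {
 return roles
 }
 
+func (as *accountSigningKeys) Contains(sk string) (bool, bool) {
+scope, ok := as.data.Claim.SigningKeys.GetScope(sk)
+return ok, scope != nil
+}
+
 func (as *accountSigningKeys) AddScope(role string) (ScopeLimits, error) {
 k, err := KeyFor(nkeys.PrefixByteAccount)
 if err != nil {
@@ -61,25 +66,25 @@ func (as *accountSigningKeys) AddScope(role string) (ScopeLimits, error) {
 return toScopeLimits(as.data, conf), nil
 }
 
-func (as *accountSigningKeys) GetScope(key string) (ScopeLimits, bool) {
+func (as *accountSigningKeys) GetScope(key string) (ScopeLimits, error) {
 scope, ok := as.data.Claim.SigningKeys.GetScope(key)
 if ok && scope != nil {
 us := scope.(*jwt.UserScope)
-return toScopeLimits(as.data, us), ok
+return toScopeLimits(as.data, us), nil
 }
-return nil, ok
+return nil, ErrNotFound
 }
 
-func (as *accountSigningKeys) GetScopeByRole(role string) (ScopeLimits, bool) {
+func (as *accountSigningKeys) GetScopeByRole(role string) (ScopeLimits, error) {
 for _, v := range as.data.Claim.SigningKeys {
 if v != nil {
 scope, ok := v.(*jwt.UserScope)
 if ok && scope.Role == role {
-return toScopeLimits(as.data, scope), true
+return toScopeLimits(as.data, scope), nil
 }
 }
 }
-return nil, false
+return nil, ErrNotFound
 }
 
 func (as *accountSigningKeys) Delete(key string) (bool, error) {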
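Review bot: GetScope's new ErrNotFound path still sits under the unchecked assertion on the line above it, `us := scope.(*jwt.UserScope)`, which panics if SigningKeys ever holds a Scope implementation other than *jwt.UserScope, whereas GetScopeByRole in the same hunk uses the checked form `scope, ok := v.(*jwt.UserScope)`. Now that the method returns an error, the two can be made consistent with `us, ok := scope.(*jwt.UserScope)` followed by `if !ok { return nil, ErrNotFound }`, so an unexpected scope type is reported to the caller instead of crashing it. Contains also has no doc comment on the implementation; the interface comment in types.go covers the contract, but a one-liner such as `// Contains reports whether sk is a known signing key and whether it carries a scope.` would help readers of this file.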
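--- a/tests/accounts_test.go
+++ b/tests/accounts_test.go
@@ -193,8 +193,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsMaxSubs() {
 a, err = o.Accounts().Get("A")
 t.NoError(err)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 t.Equal(int64(10), s.MaxSubscriptions())
 }
 
@@ -214,8 +214,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsMaxPayload() {
 a, err = o.Accounts().Get("A")
 t.NoError(err)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 t.Equal(int64(101), s.MaxPayload())
 }
 
@@ -236,8 +236,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsMaxData() {
 t.NoError(err)
 t.NotNil(a)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 t.Equal(int64(4123), s.MaxData())
 }
 
@@ -257,8 +257,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsBearerToken() {
 a, err = o.Accounts().Get("A")
 t.NoError(err)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 t.True(s.BearerToken())
 }
 
@@ -279,8 +279,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsConnectionTypes() {
 a, err = o.Accounts().Get("A")
 t.NoError(err)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 types = s.ConnectionTypes()
 t.Contains(types.Types(), "websocket")
 }
@@ -302,8 +302,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsConnectionSources() {
 a, err = o.Accounts().Get("A")
 t.NoError(err)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 sources = s.ConnectionSources()
 t.Contains(sources.Sources(), "192.0.2.0/24")
 }
@@ -325,8 +325,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsConnectionTimes() {
 a, err = o.Accounts().Get("A")
 t.NoError(err)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 times = s.ConnectionTimes()
 t.Len(times.List(), 1)
 t.Equal(times.List()[0].Start, "08:00:00")
@@ -348,8 +348,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsLocale() {
 a, err = o.Accounts().Get("A")
 t.NoError(err)
 
-s, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+s, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 t.Equal("en_US", s.Locale())
 }
 
@@ -374,8 +374,8 @@ func (t *ProviderSuite) Test_ScopedPermissionsSubject() {
 
 t.NoError(auth.Reload())
 
-admin, ok := a.ScopedSigningKeys().GetScopeByRole("admin")
-t.True(ok)
+admin, err = a.ScopedSigningKeys().GetScopeByRole("admin")
+t.NoError(err)
 
 t.Contains(admin.PubPermissions().Allow(), "foo")
 t.Contains(admin.PubPermissions().Allow(), "bar")
@@ -403,28 +403,28 @@ func (t *ProviderSuite) Test_ScopeRotation() {
 scope, err := a.ScopedSigningKeys().AddScope("admin")
 t.NoError(err)
 t.NotNil(scope)
-scope2, ok := a.ScopedSigningKeys().GetScope(scope.Key())
-t.True(ok)
+scope2, err := a.ScopedSigningKeys().GetScope(scope.Key())
+t.NoError(err)
 t.NotNil(scope2)
 
 key, err := a.ScopedSigningKeys().Rotate(scope.Key())
 t.NoError(err)
 t.NotEmpty(key)
 
-scope2, ok = a.ScopedSigningKeys().GetScope(scope.Key())
-t.False(ok)
+scope2, err = a.ScopedSigningKeys().GetScope(scope.Key())
+t.ErrorIs(err, authb.ErrNotFound)
 t.Nil(scope2)
 
-scope2, ok = a.ScopedSigningKeys().GetScope(key)
-t.True(ok)
+scope2, err = a.ScopedSigningKeys().GetScope(key)
+t.NoError(err)
 t.NotNil(scope2)
 
-ok, err = a.ScopedSigningKeys().Delete(key)
+ok, err := a.ScopedSigningKeys().Delete(key)
 t.NoError(err)
 t.True(ok)
 
-scope2, ok = a.ScopedSigningKeys().GetScope(key)
-t.False(ok)
+scope2, err = a.ScopedSigningKeys().GetScope(key)
+t.ErrorIs(err, authb.ErrNotFound)
 t.Nil(scope2)
 }
 
@@ -440,8 +440,9 @@ func (t *ProviderSuite) Test_SigningKeyRotation() {
 sk, err := a.ScopedSigningKeys().Add()
 t.NoError(err)
 t.NotEmpty(sk)
-scope, ok := a.ScopedSigningKeys().GetScope(sk)
-t.True(ok)
+
+scope, err := a.ScopedSigningKeys().GetScope(sk)
+t.ErrorIs(err, authb.ErrNotFound)
 t.Nil(scope)
 
 u, err := a.Users().Add("U", sk)
@@ -687,9 +688,9 @@ func (t *ProviderSuite) Test_AccountSkUpdate() {
 t.NoError(err)
 a, err = o.Accounts().Get("A")
 t.NoError(err)
-scope, ok := a.ScopedSigningKeys().GetScope(k)
-t.Nil(scope)
-t.True(ok)
+exists, isScope := a.ScopedSigningKeys().Contains(k)
+t.True(exists)
+t.False(isScope)
 }
 
 func (t *ProviderSuite) Test_AccountSigningKeys() {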
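Review bot: In Test_ScopeRotation the post-rotation and post-delete checks `t.ErrorIs(err, authb.ErrNotFound)` no longer prove that the old key is gone, because with this commit GetScope returns ErrNotFound both for an unknown key and for a key that is present but unscoped, so a Rotate or Delete that left the old signing key behind without a scope would still pass. The new Contains accessor is the disambiguator and is already used in Test_AccountSkUpdate; adding `exists, _ := a.ScopedSigningKeys().Contains(scope.Key())` and `t.False(exists)` after the rotation, and the same pair for `key` after Delete, pins the stronger property that the key itself was removed. The analogous pair in Test_SigningKeyRotation, `exists, scoped := a.ScopedSigningKeys().Contains(sk)` with `t.True(exists)` and `t.False(scoped)`, would document that the ErrNotFound asserted there is the unscoped case rather than a missing key.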
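--- a/tests/exports_test.go
+++ b/tests/exports_test.go
@@ -102,7 +102,7 @@ func (t *ProviderSuite) Test_ExportNameSubject() {
 _, err = a.Exports().Services().GetByName("q")
 t.ErrorIs(err, authb.ErrNotFound)
 _, err = a.Exports().Services().Get("qq.>")
-t.NoError(nil)
+t.NoError(err)
 _, err = a.Exports().Services().GetByName("qq")
 t.NoError(err)
 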
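--- a/types.go
+++ b/types.go
@@ -726,14 +726,16 @@ type ScopedKeys interface {
 // a new signing key.
 AddScope(role string) (ScopeLimits, error)
 // GetScope returns the scope associated with the specified key.
-// This function returns nil for the scope if no scope is found.
-// This function returns true if the signing key entry was found.
-GetScope(string) (ScopeLimits, bool)
+// This function returns error if the key is not found
+GetScope(string) (ScopeLimits, error)
 // GetScopeByRole returns the first scope that matches the specified role.
 // Note that the search must be an exact match
-GetScopeByRole(string) (ScopeLimits, bool)
+GetScopeByRole(string) (ScopeLimits, error)
 // List returns a list of signing keys
 List() []string
 // ListRoles returns the names of roles associated with the account
 ListRoles() []string
+// Contains returns true if the signing key is known, and true on the second
+// return value if the signing key is scoped.
+Contains(sk string) (bool, bool)
 }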
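Review bot: The new GetScope comment `// This function returns error if the key is not found` understates the contract: per the commit description and the updated Test_SigningKeyRotation, a key that exists but carries no scope also yields the error, and the error is the ErrNotFound sentinel rather than an arbitrary one. Suggest `// GetScope returns ErrNotFound if the key is unknown or is present but not scoped; use Contains to distinguish the two.` and an equivalent sentence on GetScopeByRole, whose comment does not mention its error result at all. The Contains comment would read more clearly as `// Contains reports whether sk is a known signing key (first result) and whether it is scoped (second result).`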
