Merge pull request #200 from stlaz/client_secrets_comparison

Fix dependencies, add the organizational build machinery and use constant time comparisons for client secrets

CHANGELOG

@@ -1,3 +1,8 @@
+2019-05-13
+==========
+* NON-BREAKING CHANGES
+  - Updated imports in examples to use github.com/openshift/osin instead of github.com/RangelReale/osin
+
 2014-06-25
 ==========
 * BREAKING CHANGES:

Makefile

@@ -0,0 +1,18 @@
+GO_BUILD_PACKAGES := .
+
+include $(addprefix ./vendor/github.com/openshift/build-machinery-go/make/, \
+    golang.mk \
+    targets/openshift/deps.mk \
+)
+
+build-examples: 
+	@ for d in `find ./example -maxdepth 1 -mindepth 1 -type d`; do \
+		echo "building $$d" ; \
+		go build -race "$$d" ; \
+	done
+
+clean:
+	@ for d in `find ./example -maxdepth 1 -mindepth 1 -type d -exec basename {} \; `; do \
+		echo "removing $$d" ; \
+		rm -f "$$d" ; \
+	done

README.md

@@ -1,7 +1,7 @@
 OSIN
 ====
 
-[![GoDoc](https://godoc.org/github.com/RangelReale/osin?status.svg)](https://godoc.org/github.com/RangelReale/osin)
+[![GoDoc](https://godoc.org/github.com/openshift/osin?status.svg)](https://godoc.org/github.com/openshift/osin)
 
 
 Golang OAuth2 server library
@@ -21,8 +21,8 @@ The library implements the majority of the specification, like authorization and
 
 ````go
 import (
-	"github.com/RangelReale/osin"
-	ex "github.com/RangelReale/osin/example" 
+	"github.com/openshift/osin"
+	ex "github.com/openshift/osin/example"
 )
 
 // ex.NewTestStorage implements the "osin.Storage" interface
@@ -90,6 +90,10 @@ Rangel Reale
 [email protected]
 
 ### Changes
+2019-05-13
+==========
+* NON-BREAKING CHANGES
+  - Updated imports in examples to use github.com/openshift/osin instead of github.com/RangelReale/osin
 
 2014-06-25
 ==========

client.go

@@ -1,5 +1,7 @@
 package osin
 
+import "crypto/subtle"
+
 // Client information
 type Client interface {
 	// Client id
@@ -49,7 +51,7 @@ func (d *DefaultClient) GetUserData() interface{} {
 
 // Implement the ClientSecretMatcher interface
 func (d *DefaultClient) ClientSecretMatches(secret string) bool {
-	return d.Secret == secret
+	return subtle.ConstantTimeCompare([]byte(d.Secret), []byte(secret)) == 1
 }
 
 func (d *DefaultClient) CopyFrom(client Client) {

dependencymagnet/doc.go

@@ -0,0 +1,7 @@
+// +build tools
+
+// go mod won't pull in code that isn't depended upon, but we have some code we don't depend on from code that must be included
+// for our build to work.
+package dependencymagnet
+
+import _ "github.com/openshift/build-machinery-go"

example/complete/complete.go

@@ -5,8 +5,8 @@ package main
 
 import (
 	"fmt"
-	"github.com/RangelReale/osin"
-	"github.com/RangelReale/osin/example"
+	"github.com/openshift/osin"
+	"github.com/openshift/osin/example"
 	"net/http"
 	"net/url"
 )

example/goauth2client/goauth2client.go

@@ -8,8 +8,8 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/RangelReale/osin"
-	"github.com/RangelReale/osin/example"
+	"github.com/openshift/osin"
+	"github.com/openshift/osin/example"
 	"golang.org/x/oauth2"
 )
 

example/helper.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/RangelReale/osin"
+	"github.com/openshift/osin"
 )
 
 func HandleLoginPage(ar *osin.AuthorizeRequest, w http.ResponseWriter, r *http.Request) bool {

example/jwttoken/jwttoken.go

@@ -9,8 +9,8 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/RangelReale/osin"
-	"github.com/RangelReale/osin/example"
+	"github.com/openshift/osin"
+	"github.com/openshift/osin/example"
 	jwt "github.com/dgrijalva/jwt-go"
 )
 

example/openidconnect/openidconnect.go

@@ -14,8 +14,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/RangelReale/osin"
-	"github.com/RangelReale/osin/example"
+	"github.com/openshift/osin"
+	"github.com/openshift/osin/example"
 
 	"gopkg.in/square/go-jose.v1"
 )

example/osincliclient/osincliclient.go

@@ -1,14 +1,14 @@
 package main
 
-// Use github.com/RangelReale/osincli client to test
+// Use github.com/openshift/osincli client to test
 // Open url in browser:
 // http://localhost:14001
 
 import (
 	"fmt"
-	"github.com/RangelReale/osin"
-	"github.com/RangelReale/osin/example"
-	"github.com/RangelReale/osincli"
+	"github.com/openshift/osin"
+	"github.com/openshift/osin/example"
+	"github.com/openshift/osincli"
 	"net/http"
 )
 

example/simple/simple.go

@@ -5,8 +5,8 @@ package main
 
 import (
 	"fmt"
-	"github.com/RangelReale/osin"
-	"github.com/RangelReale/osin/example"
+	"github.com/openshift/osin"
+	"github.com/openshift/osin/example"
 	"net/http"
 	"net/url"
 )

example/teststorage.go

@@ -2,7 +2,7 @@ package example
 
 import (
 	"fmt"
-	"github.com/RangelReale/osin"
+	"github.com/openshift/osin"
 )
 
 type TestStorage struct {

go.mod

@@ -0,0 +1,12 @@
+module github.com/openshift/osin
+
+go 1.15
+
+require (
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab
+	github.com/openshift/osincli v0.0.0-20160924135400-fababb0555f2
+	github.com/pborman/uuid v1.2.0
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	gopkg.in/square/go-jose.v1 v1.1.2
+)

go.sum

@@ -0,0 +1,25 @@
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
+github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab h1:lBrojddP6C9C2p67EMs2vcdpC8eF+H0DDom+fgI2IF0=
+github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
+github.com/openshift/osincli v0.0.0-20160924135400-fababb0555f2 h1:9oADVMmPa4G60MQtoSjD26aD/vZreqbIAfiUiO220eY=
+github.com/openshift/osincli v0.0.0-20160924135400-fababb0555f2/go.mod h1:Riv9DbfKiX3y9ebcS4PHU4zLhVXu971+4jCVwKIue5M=
+github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
+github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e h1:bRhVy7zSSasaqNksaRZiA5EEI+Ei4I1nO5Jh72wfHlg=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+gopkg.in/square/go-jose.v1 v1.1.2 h1:/5jmADZB+RiKtZGr4HxsEFOEfbfsjTKsVnqpThUpE30=
+gopkg.in/square/go-jose.v1 v1.1.2/go.mod h1:QpYS+a4WhS+DTlyQIi6Ka7MS3SuR9a055rgXNEe6EiA=

util.go

@@ -1,6 +1,7 @@
 package osin
 
 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"errors"
 	"net/http"
@@ -28,7 +29,7 @@ func CheckClientSecret(client Client, secret string) bool {
 		return client.ClientSecretMatches(secret)
 	default:
 		// Fallback to the less secure method of extracting the plain text secret from the client for comparison
-		return client.GetSecret() == secret
+		return subtle.ConstantTimeCompare([]byte(client.GetSecret()), []byte(secret)) == 1
 	}
 }