RubyGems - haveapi-go-client - Versions diffs - 0.28.0 → 0.28.1 - Mend

haveapi-go-client 0.28.0 → 0.28.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/haveapi-go-client.gemspec +1 -1
data/lib/haveapi/go_client/version.rb +1 -1
data/spec/integration/generator_spec.rb +109 -0
data/template/authentication/oauth2.go.erb +1 -1
data/template/client.go.erb +2 -1
data/template/request.go.erb +65 -1
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2311cffaf323ff4da73072897c6b07b9d47645d0768a5a897995e7380ae8dd51
-  data.tar.gz: 9a51f18818d70dbf88c0b6b5501b88b17bb14f86ff34e0110f25c948823830d6
+  metadata.gz: 5c239226a8271dec0cad9730080cf7bb2a7c6993991280fac27a404383018548
+  data.tar.gz: 89bdbf18bd443df9102cefd1395b90065a76661054bbc6ed3f62f93f9254bf84
 SHA512:
-  metadata.gz: f821f3309a480081de9b71f9fadc8d82793271deae5f4de6b1e6f2de114a9137c69f33f5daa2763772120a10f8ea1e07f64657599785f98b20d3767671a42e59
-  data.tar.gz: ad1a5e7a656d0d2bdf0f79497a2ca53873e8679027fc659d2e59fb22364d2c74eecde36a7f5cea7dddc1da09a87461c24846380ce882ea50054dcf9e5db2e0e0
+  metadata.gz: 770b462b28818f311a71ab97576c8841624247a1e67bef23716457bdee0d2e5c45746123d3feef19c86f65922dacd0ff2ec0a21ec59616c510cc6b49467ae586
+  data.tar.gz: 55c4e1e8b5baffffa2952b863aa1ee18fa952ef5b58cd3bc804c876c0103a90b764a9e3e3eb4101d6ad9e71fe063e758d85fbe0ae99d7a6552ab5585b673502c

data/haveapi-go-client.gemspec CHANGED Viewed

@@ -18,5 +18,5 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
-  spec.add_dependency 'haveapi-client', '~> 0.28.0'
+  spec.add_dependency 'haveapi-client', '~> 0.28.1'
 end

data/lib/haveapi/go_client/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module HaveAPI
   module GoClient
-    VERSION = '0.28.0'.freeze
+    VERSION = '0.28.1'.freeze
   end
 end

data/spec/integration/generator_spec.rb CHANGED Viewed

@@ -746,6 +746,115 @@ RSpec.describe HaveAPI::GoClient::Generator do
     end
   end
+  it 'allows explicitly trusted OAuth2 revoke origins' do
+    Dir.mktmpdir('haveapi-go-client-oauth2-revoke-trusted-origin-') do |dir|
+      communicator = instance_double(
+        HaveAPI::Client::Communicator,
+        describe_api: oauth2_revoke_description(
+          revoke_url: 'http://auth.example/revoke'
+        )
+      )
+      allow(HaveAPI::Client::Communicator).to receive(:new).and_return(communicator)
+      generator = described_class.new(
+        'http://api.example',
+        dir,
+        module: 'example.com/haveapi-oauth2-revoke-trusted-origin',
+        package: 'client'
+      )
+      generator.generate
+      generator.go_fmt
+      File.write(File.join(dir, 'client', 'oauth2_revoke_trusted_origin_test.go'), <<~GO)
+        package client
+        import (
+          "io"
+          "net/http"
+          "net/url"
+          "strings"
+          "testing"
+        )
+        type trustedOriginRevokeTransport struct {
+          req  *http.Request
+          body string
+        }
+        func (transport *trustedOriginRevokeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+          if req.Body != nil {
+            body, err := io.ReadAll(req.Body)
+            if err != nil {
+              return nil, err
+            }
+            if err := req.Body.Close(); err != nil {
+              return nil, err
+            }
+            transport.body = string(body)
+          }
+          transport.req = req
+          return &http.Response{
+            StatusCode: 200,
+            Status:     "200 OK",
+            Body:       io.NopCloser(strings.NewReader("ok")),
+            Header:     make(http.Header),
+            Request:    req,
+          }, nil
+        }
+        func TestOAuth2RevokeTrustedOrigin(t *testing.T) {
+          transport := &trustedOriginRevokeTransport{}
+          token := "trusted-origin-token"
+          c := New("http://api.example")
+          if err := c.AllowOAuth2Origin("http://auth.example"); err != nil {
+            t.Fatalf("allow OAuth2 origin failed: %v", err)
+          }
+          c.SetHTTPClient(&http.Client{Transport: transport})
+          c.SetExistingOAuth2Auth(token)
+          if err := c.RevokeAccessToken(); err != nil {
+            t.Fatalf("revoke failed: %v", err)
+          }
+          if transport.req == nil {
+            t.Fatalf("expected revoke request")
+          }
+          if got := transport.req.URL.String(); got != "http://auth.example/revoke" {
+            t.Fatalf("unexpected revoke URL: %s", got)
+          }
+          if got := transport.req.Header.Get("X-HaveAPI-OAuth2-Token"); got != token {
+            t.Fatalf("expected OAuth2 header %q, got %q", token, got)
+          }
+          form, err := url.ParseQuery(transport.body)
+          if err != nil {
+            t.Fatalf("invalid form body %q: %v", transport.body, err)
+          }
+          if got := form.Get("token"); got != token {
+            t.Fatalf("expected revoke token %q, got %q in body %q", token, got, transport.body)
+          }
+        }
+      GO
+      go_out, go_err, go_status = Open3.capture3(
+        { 'CGO_ENABLED' => '0' },
+        'go',
+        'test',
+        './...',
+        chdir: dir
+      )
+      expect(go_status).to be_success, "go test failed: #{go_out}\n#{go_err}"
+    end
+  end
   it 'escapes untrusted API descriptions when generating Go source' do
     injected_path = <<~PATH.chomp
       /safe",

data/template/authentication/oauth2.go.erb CHANGED Viewed

@@ -34,7 +34,7 @@ func (client *Client) RevokeAccessToken() error {
 	form := url.Values{}
 	form.Set("token", auth.AccessToken)
-	revokeURL, err := client.descriptionURL(<%= go_string_literal(auth.revoke_url) %>)
+	revokeURL, err := client.oauth2DescriptionURL(<%= go_string_literal(auth.revoke_url) %>)
 	if err != nil {
 		return err
 	}

data/template/client.go.erb CHANGED Viewed

@@ -13,7 +13,8 @@ type Client struct {
 	// Options for authentication method
 	Authentication Authenticator
-	httpClient *http.Client
+	httpClient            *http.Client
+	oauth2TrustedOrigins map[string]struct{}
 <% api.resources.each do |r| -%>
 	// Resource <%= go_comment_text(r.full_dot_name) %>

data/template/request.go.erb CHANGED Viewed

@@ -28,6 +28,29 @@ func (client *Client) actionURL(path string) (string, error) {
 }
 func (client *Client) descriptionURL(rawURL string) (string, error) {
+	return client.descriptionURLWithTrustedOrigins(rawURL, nil)
+}
+func (client *Client) oauth2DescriptionURL(rawURL string) (string, error) {
+	return client.descriptionURLWithTrustedOrigins(rawURL, client.oauth2TrustedOrigins)
+}
+// AllowOAuth2Origin permits OAuth2 endpoints from an additional trusted origin.
+func (client *Client) AllowOAuth2Origin(rawOrigin string) error {
+	origin, err := parseTrustedOrigin(rawOrigin)
+	if err != nil {
+		return err
+	}
+	if client.oauth2TrustedOrigins == nil {
+		client.oauth2TrustedOrigins = make(map[string]struct{})
+	}
+	client.oauth2TrustedOrigins[origin] = struct{}{}
+	return nil
+}
+func (client *Client) descriptionURLWithTrustedOrigins(rawURL string, trustedOrigins map[string]struct{}) (string, error) {
 	base, err := client.parsedBaseURL()
 	if err != nil {
 		return "", err
@@ -42,8 +65,12 @@ func (client *Client) descriptionURL(rawURL string) (string, error) {
 		return "", fmt.Errorf("unsafe API description URL %q", rawURL)
 	}
+	if ref.Host != "" && ref.Scheme == "" {
+		return "", fmt.Errorf("unsafe API description URL %q", rawURL)
+	}
 	resolved := base.ResolveReference(ref)
-	if !sameOrigin(base, resolved) {
+	if !sameOrigin(base, resolved) && !originAllowed(resolved, trustedOrigins) {
 		return "", fmt.Errorf("API description URL %q is outside client origin", rawURL)
 	}
@@ -87,6 +114,43 @@ func sameOrigin(a *url.URL, b *url.URL) bool {
 		originPort(a) == originPort(b)
 }
+func originAllowed(u *url.URL, trustedOrigins map[string]struct{}) bool {
+	if len(trustedOrigins) == 0 {
+		return false
+	}
+	_, ok := trustedOrigins[originKey(u)]
+	return ok
+}
+func parseTrustedOrigin(rawOrigin string) (string, error) {
+	if rawOrigin == "" || strings.ContainsAny(rawOrigin, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\t\n\v\f\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f \x7f\\") {
+		return "", fmt.Errorf("invalid trusted OAuth2 origin %q", rawOrigin)
+	}
+	parsed, err := url.Parse(rawOrigin)
+	if err != nil {
+		return "", err
+	}
+	if parsed.Scheme == "" || parsed.Host == "" || parsed.User != nil ||
+		(parsed.Path != "" && parsed.Path != "/") ||
+		parsed.RawQuery != "" || parsed.Fragment != "" {
+		return "", fmt.Errorf("invalid trusted OAuth2 origin %q", rawOrigin)
+	}
+	return originKey(parsed), nil
+}
+func originKey(u *url.URL) string {
+	host := strings.ToLower(u.Hostname())
+	if strings.Contains(host, ":") {
+		host = "[" + host + "]"
+	}
+	return strings.ToLower(u.Scheme) + "://" + host + ":" + originPort(u)
+}
 func originPort(u *url.URL) string {
 	port := u.Port()
 	if port != "" {

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: haveapi-go-client
 version: !ruby/object:Gem::Version
-  version: 0.28.0
+  version: 0.28.1
 platform: ruby
 authors:
 - Jakub Skokan
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.28.0
+        version: 0.28.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.28.0
+        version: 0.28.1
 description: Go client generator
 email:
 - jakub.skokan@vpsfree.cz