package etcd import ( "context" "encoding/json" "fmt" "log/slog" "strings" "time" clientv3 "go.etcd.io/etcd/client/v3" "github.com/dexidp/dex/storage" ) const ( clientPrefix = "client/" authCodePrefix = "auth_code/" refreshTokenPrefix = "refresh_token/" authRequestPrefix = "auth_req/" passwordPrefix = "password/" offlineSessionPrefix = "offline_session/" connectorPrefix = "connector/" keysName = "openid-connect-keys" deviceRequestPrefix = "device_req/" deviceTokenPrefix = "device_token/" userIdentityPrefix = "user_identity/" authSessionPrefix = "auth_session/" // defaultStorageTimeout will be applied to all storage's operations. defaultStorageTimeout = 5 * time.Second ) var _ storage.Storage = (*conn)(nil) type conn struct { db *clientv3.Client logger *slog.Logger } func (c *conn) Close() error { return c.db.Close() } func (c *conn) GarbageCollect(ctx context.Context, now time.Time) (result storage.GCResult, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() authRequests, err := c.listAuthRequests(ctx) if err != nil { return result, err } var delErr error for _, authRequest := range authRequests { if now.After(authRequest.Expiry) { if err := c.deleteKey(ctx, keyID(authRequestPrefix, authRequest.ID)); err != nil { c.logger.Error("failed to delete auth request", "err", err) delErr = fmt.Errorf("failed to delete auth request: %v", err) } result.AuthRequests++ } } if delErr != nil { return result, delErr } authCodes, err := c.listAuthCodes(ctx) if err != nil { return result, err } for _, authCode := range authCodes { if now.After(authCode.Expiry) { if err := c.deleteKey(ctx, keyID(authCodePrefix, authCode.ID)); err != nil { c.logger.Error("failed to delete auth code", "err", err) delErr = fmt.Errorf("failed to delete auth code: %v", err) } result.AuthCodes++ } } deviceRequests, err := c.listDeviceRequests(ctx) if err != nil { return result, err } for _, deviceRequest := range deviceRequests { if now.After(deviceRequest.Expiry) { if err := c.deleteKey(ctx, keyID(deviceRequestPrefix, deviceRequest.UserCode)); err != nil { c.logger.Error("failed to delete device request", "err", err) delErr = fmt.Errorf("failed to delete device request: %v", err) } result.DeviceRequests++ } } deviceTokens, err := c.listDeviceTokens(ctx) if err != nil { return result, err } for _, deviceToken := range deviceTokens { if now.After(deviceToken.Expiry) { if err := c.deleteKey(ctx, keyID(deviceTokenPrefix, deviceToken.DeviceCode)); err != nil { c.logger.Error("failed to delete device token", "err", err) delErr = fmt.Errorf("failed to delete device token: %v", err) } result.DeviceTokens++ } } return result, delErr } func (c *conn) CreateAuthRequest(ctx context.Context, a storage.AuthRequest) error { return c.txnCreate(ctx, keyID(authRequestPrefix, a.ID), fromStorageAuthRequest(a)) } func (c *conn) GetAuthRequest(ctx context.Context, id string) (a storage.AuthRequest, err error) { // TODO: Add this to other funcs?? ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var req AuthRequest if err = c.getKey(ctx, keyID(authRequestPrefix, id), &req); err != nil { return } return toStorageAuthRequest(req), nil } func (c *conn) UpdateAuthRequest(ctx context.Context, id string, updater func(a storage.AuthRequest) (storage.AuthRequest, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyID(authRequestPrefix, id), func(currentValue []byte) ([]byte, error) { var current AuthRequest if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(toStorageAuthRequest(current)) if err != nil { return nil, err } return json.Marshal(fromStorageAuthRequest(updated)) }) } func (c *conn) DeleteAuthRequest(ctx context.Context, id string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyID(authRequestPrefix, id)) } func (c *conn) CreateAuthCode(ctx context.Context, a storage.AuthCode) error { return c.txnCreate(ctx, keyID(authCodePrefix, a.ID), fromStorageAuthCode(a)) } func (c *conn) GetAuthCode(ctx context.Context, id string) (a storage.AuthCode, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var ac AuthCode err = c.getKey(ctx, keyID(authCodePrefix, id), &ac) if err == nil { a = toStorageAuthCode(ac) } return a, err } func (c *conn) DeleteAuthCode(ctx context.Context, id string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyID(authCodePrefix, id)) } func (c *conn) CreateRefresh(ctx context.Context, r storage.RefreshToken) error { return c.txnCreate(ctx, keyID(refreshTokenPrefix, r.ID), fromStorageRefreshToken(r)) } func (c *conn) GetRefresh(ctx context.Context, id string) (r storage.RefreshToken, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var token RefreshToken if err = c.getKey(ctx, keyID(refreshTokenPrefix, id), &token); err != nil { return } return toStorageRefreshToken(token), nil } func (c *conn) UpdateRefreshToken(ctx context.Context, id string, updater func(old storage.RefreshToken) (storage.RefreshToken, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyID(refreshTokenPrefix, id), func(currentValue []byte) ([]byte, error) { var current RefreshToken if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(toStorageRefreshToken(current)) if err != nil { return nil, err } return json.Marshal(fromStorageRefreshToken(updated)) }) } func (c *conn) DeleteRefresh(ctx context.Context, id string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyID(refreshTokenPrefix, id)) } func (c *conn) ListRefreshTokens(ctx context.Context) (tokens []storage.RefreshToken, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() res, err := c.db.Get(ctx, refreshTokenPrefix, clientv3.WithPrefix()) if err != nil { return tokens, err } for _, v := range res.Kvs { var token RefreshToken if err = json.Unmarshal(v.Value, &token); err != nil { return tokens, err } tokens = append(tokens, toStorageRefreshToken(token)) } return tokens, nil } func (c *conn) CreateClient(ctx context.Context, cli storage.Client) error { return c.txnCreate(ctx, keyID(clientPrefix, cli.ID), cli) } func (c *conn) GetClient(ctx context.Context, id string) (cli storage.Client, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() err = c.getKey(ctx, keyID(clientPrefix, id), &cli) return cli, err } func (c *conn) UpdateClient(ctx context.Context, id string, updater func(old storage.Client) (storage.Client, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyID(clientPrefix, id), func(currentValue []byte) ([]byte, error) { var current storage.Client if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(current) if err != nil { return nil, err } return json.Marshal(updated) }) } func (c *conn) DeleteClient(ctx context.Context, id string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyID(clientPrefix, id)) } func (c *conn) ListClients(ctx context.Context) (clients []storage.Client, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() res, err := c.db.Get(ctx, clientPrefix, clientv3.WithPrefix()) if err != nil { return clients, err } for _, v := range res.Kvs { var cli storage.Client if err = json.Unmarshal(v.Value, &cli); err != nil { return clients, err } clients = append(clients, cli) } return clients, nil } func (c *conn) CreatePassword(ctx context.Context, p storage.Password) error { return c.txnCreate(ctx, passwordPrefix+strings.ToLower(p.Email), p) } func (c *conn) GetPassword(ctx context.Context, email string) (p storage.Password, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() err = c.getKey(ctx, keyEmail(passwordPrefix, email), &p) return p, err } func (c *conn) UpdatePassword(ctx context.Context, email string, updater func(p storage.Password) (storage.Password, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyEmail(passwordPrefix, email), func(currentValue []byte) ([]byte, error) { var current storage.Password if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(current) if err != nil { return nil, err } return json.Marshal(updated) }) } func (c *conn) DeletePassword(ctx context.Context, email string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyEmail(passwordPrefix, email)) } func (c *conn) ListPasswords(ctx context.Context) (passwords []storage.Password, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() res, err := c.db.Get(ctx, passwordPrefix, clientv3.WithPrefix()) if err != nil { return passwords, err } for _, v := range res.Kvs { var p storage.Password if err = json.Unmarshal(v.Value, &p); err != nil { return passwords, err } passwords = append(passwords, p) } return passwords, nil } func (c *conn) CreateOfflineSessions(ctx context.Context, s storage.OfflineSessions) error { return c.txnCreate(ctx, keySession(s.UserID, s.ConnID), fromStorageOfflineSessions(s)) } func (c *conn) UpdateOfflineSessions(ctx context.Context, userID string, connID string, updater func(s storage.OfflineSessions) (storage.OfflineSessions, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keySession(userID, connID), func(currentValue []byte) ([]byte, error) { var current OfflineSessions if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(toStorageOfflineSessions(current)) if err != nil { return nil, err } return json.Marshal(fromStorageOfflineSessions(updated)) }) } func (c *conn) GetOfflineSessions(ctx context.Context, userID string, connID string) (s storage.OfflineSessions, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var os OfflineSessions if err = c.getKey(ctx, keySession(userID, connID), &os); err != nil { return } return toStorageOfflineSessions(os), nil } func (c *conn) DeleteOfflineSessions(ctx context.Context, userID string, connID string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keySession(userID, connID)) } func (c *conn) CreateUserIdentity(ctx context.Context, u storage.UserIdentity) error { return c.txnCreate(ctx, keyUserIdentity(u.UserID, u.ConnectorID), fromStorageUserIdentity(u)) } func (c *conn) GetUserIdentity(ctx context.Context, userID, connectorID string) (u storage.UserIdentity, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var ui UserIdentity if err = c.getKey(ctx, keyUserIdentity(userID, connectorID), &ui); err != nil { return } return toStorageUserIdentity(ui), nil } func (c *conn) UpdateUserIdentity(ctx context.Context, userID, connectorID string, updater func(u storage.UserIdentity) (storage.UserIdentity, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyUserIdentity(userID, connectorID), func(currentValue []byte) ([]byte, error) { var current UserIdentity if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(toStorageUserIdentity(current)) if err != nil { return nil, err } return json.Marshal(fromStorageUserIdentity(updated)) }) } func (c *conn) DeleteUserIdentity(ctx context.Context, userID, connectorID string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyUserIdentity(userID, connectorID)) } func (c *conn) ListUserIdentities(ctx context.Context) (identities []storage.UserIdentity, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() res, err := c.db.Get(ctx, userIdentityPrefix, clientv3.WithPrefix()) if err != nil { return identities, err } for _, v := range res.Kvs { var ui UserIdentity if err = json.Unmarshal(v.Value, &ui); err != nil { return identities, err } identities = append(identities, toStorageUserIdentity(ui)) } return identities, nil } func (c *conn) CreateAuthSession(ctx context.Context, s storage.AuthSession) error { return c.txnCreate(ctx, keyAuthSession(s.ID), fromStorageAuthSession(s)) } func (c *conn) GetAuthSession(ctx context.Context, sessionID string) (storage.AuthSession, error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var s AuthSession if err := c.getKey(ctx, keyAuthSession(sessionID), &s); err != nil { return storage.AuthSession{}, err } return toStorageAuthSession(s), nil } func (c *conn) UpdateAuthSession(ctx context.Context, sessionID string, updater func(s storage.AuthSession) (storage.AuthSession, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyAuthSession(sessionID), func(currentValue []byte) ([]byte, error) { var current AuthSession if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(toStorageAuthSession(current)) if err != nil { return nil, err } return json.Marshal(fromStorageAuthSession(updated)) }) } func (c *conn) ListAuthSessions(ctx context.Context) (sessions []storage.AuthSession, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() res, err := c.db.Get(ctx, authSessionPrefix, clientv3.WithPrefix()) if err != nil { return sessions, err } for _, v := range res.Kvs { var s AuthSession if err = json.Unmarshal(v.Value, &s); err != nil { return sessions, err } sessions = append(sessions, toStorageAuthSession(s)) } return sessions, nil } func (c *conn) DeleteAuthSession(ctx context.Context, sessionID string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyAuthSession(sessionID)) } func (c *conn) CreateConnector(ctx context.Context, connector storage.Connector) error { return c.txnCreate(ctx, keyID(connectorPrefix, connector.ID), connector) } func (c *conn) GetConnector(ctx context.Context, id string) (conn storage.Connector, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() err = c.getKey(ctx, keyID(connectorPrefix, id), &conn) return conn, err } func (c *conn) UpdateConnector(ctx context.Context, id string, updater func(s storage.Connector) (storage.Connector, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyID(connectorPrefix, id), func(currentValue []byte) ([]byte, error) { var current storage.Connector if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(current) if err != nil { return nil, err } return json.Marshal(updated) }) } func (c *conn) DeleteConnector(ctx context.Context, id string) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.deleteKey(ctx, keyID(connectorPrefix, id)) } func (c *conn) ListConnectors(ctx context.Context) (connectors []storage.Connector, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() res, err := c.db.Get(ctx, connectorPrefix, clientv3.WithPrefix()) if err != nil { return nil, err } for _, v := range res.Kvs { var c storage.Connector if err = json.Unmarshal(v.Value, &c); err != nil { return nil, err } connectors = append(connectors, c) } return connectors, nil } func (c *conn) GetKeys(ctx context.Context) (keys storage.Keys, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() res, err := c.db.Get(ctx, keysName) if err != nil { return keys, err } if res.Count > 0 && len(res.Kvs) > 0 { err = json.Unmarshal(res.Kvs[0].Value, &keys) } return keys, err } func (c *conn) UpdateKeys(ctx context.Context, updater func(old storage.Keys) (storage.Keys, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keysName, func(currentValue []byte) ([]byte, error) { var current storage.Keys if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(current) if err != nil { return nil, err } return json.Marshal(updated) }) } func (c *conn) deleteKey(ctx context.Context, key string) error { res, err := c.db.Delete(ctx, key) if err != nil { return err } if res.Deleted == 0 { return storage.ErrNotFound } return nil } func (c *conn) getKey(ctx context.Context, key string, value interface{}) error { r, err := c.db.Get(ctx, key) if err != nil { return err } if r.Count == 0 { return storage.ErrNotFound } return json.Unmarshal(r.Kvs[0].Value, value) } func (c *conn) listAuthRequests(ctx context.Context) (reqs []AuthRequest, err error) { res, err := c.db.Get(ctx, authRequestPrefix, clientv3.WithPrefix()) if err != nil { return reqs, err } for _, v := range res.Kvs { var r AuthRequest if err = json.Unmarshal(v.Value, &r); err != nil { return reqs, err } reqs = append(reqs, r) } return reqs, nil } func (c *conn) listAuthCodes(ctx context.Context) (codes []AuthCode, err error) { res, err := c.db.Get(ctx, authCodePrefix, clientv3.WithPrefix()) if err != nil { return codes, err } for _, v := range res.Kvs { var c AuthCode if err = json.Unmarshal(v.Value, &c); err != nil { return codes, err } codes = append(codes, c) } return codes, nil } func (c *conn) txnCreate(ctx context.Context, key string, value interface{}) error { b, err := json.Marshal(value) if err != nil { return err } txn := c.db.Txn(ctx) res, err := txn. If(clientv3.Compare(clientv3.CreateRevision(key), "=", 0)). Then(clientv3.OpPut(key, string(b))). Commit() if err != nil { return err } if !res.Succeeded { return storage.ErrAlreadyExists } return nil } func (c *conn) txnUpdate(ctx context.Context, key string, update func(current []byte) ([]byte, error)) error { getResp, err := c.db.Get(ctx, key) if err != nil { return err } var currentValue []byte var modRev int64 if len(getResp.Kvs) > 0 { currentValue = getResp.Kvs[0].Value modRev = getResp.Kvs[0].ModRevision } updatedValue, err := update(currentValue) if err != nil { return err } txn := c.db.Txn(ctx) updateResp, err := txn. If(clientv3.Compare(clientv3.ModRevision(key), "=", modRev)). Then(clientv3.OpPut(key, string(updatedValue))). Commit() if err != nil { return err } if !updateResp.Succeeded { return fmt.Errorf("failed to update key=%q: concurrent conflicting update happened", key) } return nil } func keyID(prefix, id string) string { return prefix + id } func keyEmail(prefix, email string) string { return prefix + strings.ToLower(email) } func keySession(userID, connID string) string { return offlineSessionPrefix + strings.ToLower(userID+"|"+connID) } func keyUserIdentity(userID, connectorID string) string { return userIdentityPrefix + strings.ToLower(userID+"|"+connectorID) } func keyAuthSession(sessionID string) string { return strings.ToLower(authSessionPrefix + sessionID) } func (c *conn) CreateDeviceRequest(ctx context.Context, d storage.DeviceRequest) error { return c.txnCreate(ctx, keyID(deviceRequestPrefix, d.UserCode), fromStorageDeviceRequest(d)) } func (c *conn) GetDeviceRequest(ctx context.Context, userCode string) (r storage.DeviceRequest, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var dr DeviceRequest if err = c.getKey(ctx, keyID(deviceRequestPrefix, userCode), &dr); err == nil { r = toStorageDeviceRequest(dr) } return } func (c *conn) listDeviceRequests(ctx context.Context) (requests []DeviceRequest, err error) { res, err := c.db.Get(ctx, deviceRequestPrefix, clientv3.WithPrefix()) if err != nil { return requests, err } for _, v := range res.Kvs { var r DeviceRequest if err = json.Unmarshal(v.Value, &r); err != nil { return requests, err } requests = append(requests, r) } return requests, nil } func (c *conn) CreateDeviceToken(ctx context.Context, t storage.DeviceToken) error { return c.txnCreate(ctx, keyID(deviceTokenPrefix, t.DeviceCode), fromStorageDeviceToken(t)) } func (c *conn) GetDeviceToken(ctx context.Context, deviceCode string) (t storage.DeviceToken, err error) { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() var dt DeviceToken if err = c.getKey(ctx, keyID(deviceTokenPrefix, deviceCode), &dt); err == nil { t = toStorageDeviceToken(dt) } return } func (c *conn) listDeviceTokens(ctx context.Context) (deviceTokens []DeviceToken, err error) { res, err := c.db.Get(ctx, deviceTokenPrefix, clientv3.WithPrefix()) if err != nil { return deviceTokens, err } for _, v := range res.Kvs { var dt DeviceToken if err = json.Unmarshal(v.Value, &dt); err != nil { return deviceTokens, err } deviceTokens = append(deviceTokens, dt) } return deviceTokens, nil } func (c *conn) UpdateDeviceToken(ctx context.Context, deviceCode string, updater func(old storage.DeviceToken) (storage.DeviceToken, error)) error { ctx, cancel := context.WithTimeout(ctx, defaultStorageTimeout) defer cancel() return c.txnUpdate(ctx, keyID(deviceTokenPrefix, deviceCode), func(currentValue []byte) ([]byte, error) { var current DeviceToken if len(currentValue) > 0 { if err := json.Unmarshal(currentValue, ¤t); err != nil { return nil, err } } updated, err := updater(toStorageDeviceToken(current)) if err != nil { return nil, err } return json.Marshal(fromStorageDeviceToken(updated)) }) }