[oauth2] When Config.InsecureSkipVerify is set to true dont verify certificate.


Simon Johansson (Gerrit)

May 11, 2015, 11:29:33 AM5/11/15
to golang-co...@googlegroups.com
Simon Johansson uploaded a new patch set:
https://go-review.googlesource.com/9907

Add functionality to disable certificate verification.

Change-Id: Ifa95c6476ea1e2f3e27f3d4c260e24494e470bad
---
M internal/token.go
M oauth2.go
M oauth2_test.go
M token.go
4 files changed, 68 insertions(+), 4 deletions(-)


--
https://go-review.googlesource.com/9907

Simon Johansson (Gerrit)

May 11, 2015, 11:29:34 AM5/11/15
to Ian Lance Taylor, golang-co...@googlegroups.com
Simon Johansson uploaded a change:
https://go-review.googlesource.com/9907

When Config.InsecureSkipVerify is set to true, don't verify the server certificate.

Change-Id: Ifa95c6476ea1e2f3e27f3d4c260e24494e470bad
---
M internal/token.go
M oauth2.go
M oauth2_test.go
M token.go
4 files changed, 68 insertions(+), 4 deletions(-)



diff --git a/internal/token.go b/internal/token.go
index ea6716c..a771972 100644
--- a/internal/token.go
+++ b/internal/token.go
@@ -6,8 +6,10 @@
package internal

import (
+ "crypto/tls"
"encoding/json"
"fmt"
+ "golang.org/x/net/context"
"io"
"io/ioutil"
"mime"
@@ -16,8 +18,6 @@
"strconv"
"strings"
"time"
-
- "golang.org/x/net/context"
)
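Review bot: The import regrouping at the top of internal/token.go merges `golang.org/x/net/context` into the standard-library group and drops the separating blank line, which is the opposite of the goimports convention the original file followed (stdlib first, then a blank line, then third-party). The change is unrelated to the feature and will be undone by the next goimports run. Keep the original layout: leave `"golang.org/x/net/context"` in its own group after `"time"` and add only `"crypto/tls"` to the stdlib group.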

// Token represents the crendentials used to authorize
@@ -134,7 +134,7 @@
return true
}

-func RetrieveToken(ctx context.Context, ClientID, ClientSecret, TokenURL
string, v url.Values) (*Token, error) {
+func RetrieveToken(ctx context.Context, ClientID, ClientSecret, TokenURL
string, InsecureSkipVerify bool, v url.Values) (*Token, error) {
hc, err := ContextClient(ctx)
if err != nil {
return nil, err
@@ -152,6 +152,14 @@
if !bustedAuth {
req.SetBasicAuth(ClientID, ClientSecret)
}
+
+ if InsecureSkipVerify {
+ tr := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ }
+ hc.Transport = tr
+ }
+
r, err := hc.Do(req)
if err != nil {
return nil, err
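Review bot: `hc.Transport = tr` writes into the client returned by ContextClient rather than into a copy, so if that client is shared — a package default or one the caller placed in the context — every later request made through it silently loses certificate verification, along with whatever proxy, timeout or TLS settings its original transport carried, and the write is unsynchronized with respect to concurrent users of the same client. At minimum work on a shallow copy: `c := *hc`, `c.Transport = tr`, `hc = &c`. Even then the replacement transport discards the original transport's configuration, which is worth a comment on the `tr :=` line such as `// NOTE: replaces the caller's transport entirely; proxy/TLS settings are lost`. RetrieveToken starts before and ends after this hunk.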
diff --git a/oauth2.go b/oauth2.go
index b879351..a433c53 100644
--- a/oauth2.go
+++ b/oauth2.go
@@ -44,6 +44,14 @@

// Scope specifies optional requested permissions.
Scopes []string
+
+ // InsecureSkipVerify controls whether to verify the
+ // server's certificate chain and host name.
+ // If InsecureSkipVerify is true, TLS accepts any certificate
+ // presented by the server and any host name in that certificate.
+ // In this mode, TLS is susceptible to man-in-the-middle attacks.
+ // This should be used only for testing.
+ InsecureSkipVerify bool
}
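Review bot: The field comment does not say how far the flag reaches: judging by the files in this change (only the token-retrieval path in internal/token.go and token.go is touched), it affects requests to Endpoint.TokenURL only, while requests made with the resulting token through the package's Client/Transport keep normal verification. A reader setting the flag for a self-signed test server would reasonably expect both to be covered. Add a sentence to the comment such as `// It affects only requests to Endpoint.TokenURL; requests made with the issued token are unaffected.`, adjusting if the resource path is changed elsewhere.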

// A TokenSource is anything that can return a token.
diff --git a/oauth2_test.go b/oauth2_test.go
index 2f7d731..4f70873 100644
--- a/oauth2_test.go
+++ b/oauth2_test.go
@@ -325,6 +325,54 @@
}
}

+func TestPasswordCredentialsTokenRequestOverTLS(t *testing.T) {
+ ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter,
r *http.Request) {
+ defer r.Body.Close()
+ expected := "/token"
+ if r.URL.String() != expected {
+ t.Errorf("URL = %q; want %q", r.URL, expected)
+ }
+ headerAuth := r.Header.Get("Authorization")
+ expected = "Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ="
+ if headerAuth != expected {
+ t.Errorf("Authorization header = %q; want %q", headerAuth, expected)
+ }
+ headerContentType := r.Header.Get("Content-Type")
+ expected = "application/x-www-form-urlencoded"
+ if headerContentType != expected {
+ t.Errorf("Content-Type header = %q; want %q", headerContentType,
expected)
+ }
+ body, err := ioutil.ReadAll(r.Body)
+ if err != nil {
+ t.Errorf("Failed reading request body: %s.", err)
+ }
+ expected
= "client_id=CLIENT_ID&grant_type=password&password=password1&scope=scope1+scope2&username=user1"
+ if string(body) != expected {
+ t.Errorf("res.Body = %q; want %q", string(body), expected)
+ }
+ w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
+
w.Write([]byte("access_token=90d64460d14870c08c81352a05dedd3465940a7c&scope=user&token_type=bearer"))
+ }))
+ defer ts.Close()
+ conf := newConf(ts.URL)
+ conf.InsecureSkipVerify = true
+ tok, err := conf.PasswordCredentialsToken(NoContext, "user1", "password1")
+ if err != nil {
+ t.Error(err)
+ }
+ if !tok.Valid() {
+ t.Fatalf("Token invalid. Got: %#v", tok)
+ }
+ expected := "90d64460d14870c08c81352a05dedd3465940a7c"
+ if tok.AccessToken != expected {
+ t.Errorf("AccessToken = %q; want %q", tok.AccessToken, expected)
+ }
+ expected = "bearer"
+ if tok.TokenType != expected {
+ t.Errorf("TokenType = %q; want %q", tok.TokenType, expected)
+ }
+}
+
func TestTokenRefreshRequest(t *testing.T) {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r
*http.Request) {
if r.URL.String() == "/somethingelse" {
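Review bot: Nothing in TestPasswordCredentialsTokenRequestOverTLS confirms that verification is still enforced by default: it sets `conf.InsecureSkipVerify = true` and asserts success, so a regression that skipped verification unconditionally would pass unnoticed. Add a companion case against the same httptest.NewTLSServer with the flag left false and assert that PasswordCredentialsToken returns an error. Separately, the `t.Error(err)` after the PasswordCredentialsToken call should be `t.Fatal(err)`, since the checks that follow only make sense with a non-nil tok.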
diff --git a/token.go b/token.go
index 252cfc7..d863267 100644
--- a/token.go
+++ b/token.go
@@ -125,7 +125,7 @@
// This token is then mapped from *internal.Token into an *oauth2.Token
which is returned along
// with an error..
func retrieveToken(ctx context.Context, c *Config, v url.Values) (*Token,
error) {
- tk, err := internal.RetrieveToken(ctx, c.ClientID, c.ClientSecret,
c.Endpoint.TokenURL, v)
+ tk, err := internal.RetrieveToken(ctx, c.ClientID, c.ClientSecret,
c.Endpoint.TokenURL, c.InsecureSkipVerify, v)
if err != nil {
return nil, err
}

--
https://go-review.googlesource.com/9907

Brad Fitzpatrick (Gerrit)

May 11, 2015, 11:39:17 AM5/11/15
to Simon Johansson, Brad Fitzpatrick, golang-co...@googlegroups.com
Brad Fitzpatrick has posted comments on this change.

Add functionality to disable certificate verification.

Patch Set 2: Code-Review-2

This is already possible by using the HTTPClient context key:
http://godoc.org/golang.org/x/oauth2#pkg-variables

--
https://go-review.googlesource.com/9907
Gerrit-Reviewer: Brad Fitzpatrick <brad...@golang.org>
Gerrit-HasComments: No

Russ Cox (Gerrit)

Oct 22, 2015, 12:09:17 AM10/22/15
to Brad Fitzpatrick, golang-co...@googlegroups.com, Russ Cox
Russ Cox has abandoned this change.

Change subject: Add functionality to disable certificate verification.
......................................................................


Abandoned