Exemple #1
0
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the AuthorizeRequest is authenticated.
// If the request is authenticated, UserData and Authorized are set and false is returned.
// If the request is not authenticated, the auth handler is called and the request is not authorized
func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {
	info, ok, err := h.request.AuthenticateRequest(ar.HttpRequest)
	if err != nil {
		return h.errorHandler.AuthenticationError(err, w, ar.HttpRequest)
	}
	if !ok {
		return h.handler.AuthenticationNeeded(ar.Client, w, ar.HttpRequest)
	}
	ar.UserData = info
	ar.Authorized = true
	return false, nil
}
Exemple #2
0
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the AuthorizeRequest is authenticated.
// If the request is authenticated, UserData and Authorized are set and false is returned.
// If the request is not authenticated, the auth handler is called and the request is not authorized
func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {
	info, ok, err := h.request.AuthenticateRequest(ar.HttpRequest)
	if err != nil {
		glog.V(4).Infof("OAuth authentication error: %v", err)
		return h.errorHandler.AuthenticationError(err, w, ar.HttpRequest)
	}
	if !ok {
		return h.handler.AuthenticationNeeded(ar.Client, w, ar.HttpRequest)
	}
	glog.V(4).Infof("OAuth authentication succeeded: %#v", info)
	ar.UserData = info
	ar.Authorized = true
	return false, nil
}
Exemple #3
0
func (o *OAuthHandler) handleLoginPage(ar *osin.AuthorizeRequest, w http.ResponseWriter, r *http.Request) bool {
	_ = "breakpoint"
	r.ParseForm()
	username := ""
	password := ""
	loginError := false
	if r.Method == "POST" {
		username = r.Form.Get("username")
		password = r.Form.Get("password")
		user, _ := userRepo.Login(username, password)
		ar.UserData = user
		loginError = (user == nil)
		if user != nil || loginError == false {
			return true
		}
		//return (user != nil)
	}
	page := &LoginPage{
		ResponseType: ar.Type,
		ClientId:     ar.Client.GetId(),
		State:        ar.State,
		RedirectUri:  url.QueryEscape(ar.RedirectUri),
		Username:     username,
		LoginError:   loginError,
	}
	renderLoginPage(w, page)
	return false
}
Exemple #4
0
//try login the user to the platform and apply requested permissons
func (o *Api) applyAuthorization(user, password string, ar *osin.AuthorizeRequest) error {
	log.Println(OAUTH2_API_PREFIX, "applyAuthorization")

	if usr, _, err := o.userApi.Login(user, password); err != nil {
		log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: err during account login: %s", err.Error())
		return err
	} else if usr != nil {
		log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: tidepool login success for userid[%s] now applying permissons", usr.UserID)
		if o.applyPermissons(usr.UserID, ar.Client.GetId(), getAllScopes()) {

			//make sure we persist any existing client userdata
			ud := ar.Client.GetUserData().(map[string]interface{})
			ud["AppUser"] = usr.UserID

			ar.Client = &osin.DefaultClient{
				Id:          ar.Client.GetId(),
				Secret:      ar.Client.GetSecret(),
				RedirectUri: ar.Client.GetRedirectUri(),
				UserData:    ud,
			}

			log.Print(OAUTH2_API_PREFIX, "applyAuthorization: user data set", ar.UserData)
			return nil
		} else {
			log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: error[%s]", error_applying_permissons)
			return errors.New(error_applying_permissons)
		}
	}
	log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: no user or error from login returning[%s] ", error_check_tidepool_creds)
	return errors.New(error_check_tidepool_creds)
}
Exemple #5
0
func inner_GET_authorize(c martini.Context, sess sessions.Session, r *http.Request, ar *osin.AuthorizeRequest) bool {
	var (
		identity = ActiveIdentity(c)
		source   = current_url(r)
		handler  martini.Handler
	)

	if identity != nil {
		ar.UserData = identity
		sess.Delete("flow")
		return true
	} else {
		sess.Set("flow", FlowState{
			Type:    AuthorizeFlow,
			Source:  source,
			StartAt: time.Now(),
		})

		if provider := r.URL.Query().Get("p"); provider == "" {
			handler = show_provider_chooser()
		} else {
			handler = redirect_to_provider(provider)
		}
	}

	c.Invoke(handler)
	return false
}
Exemple #6
0
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the requested scopes have been authorized.
// The AuthorizeRequest.Authorized field must already be set to true for the grant check to occur.
// If the requested scopes are authorized, the AuthorizeRequest is unchanged.
// If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false.
// If the response is written, true is returned.
// If the response is not written, false is returned.
func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {

	// Requests must already be authorized before we will check grants
	if !ar.Authorized {
		return false, nil
	}

	// Reset request to unauthorized until we verify the grant
	ar.Authorized = false

	user, ok := ar.UserData.(user.Info)
	if !ok || user == nil {
		return h.errorHandler.GrantError(errors.New("the provided user data is not user.Info"), w, ar.HttpRequest)
	}

	grant := &api.Grant{
		Client:      ar.Client,
		Scope:       ar.Scope,
		Expiration:  int64(ar.Expiration),
		RedirectURI: ar.RedirectUri,
	}

	// Check if the user has already authorized this grant
	authorized, err := h.check.HasAuthorizedClient(user, grant)
	if err != nil {
		return h.errorHandler.GrantError(err, w, ar.HttpRequest)
	}
	if authorized {
		ar.Authorized = true
		return false, nil
	}

	// React to an unauthorized grant
	authorized, handled, err := h.handler.GrantNeeded(user, grant, w, ar.HttpRequest)
	if authorized {
		ar.Authorized = true
	}
	return handled, err
}
Exemple #7
0
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the requested scopes have been authorized.
// The AuthorizeRequest.Authorized field must already be set to true for the grant check to occur.
// If the requested scopes are authorized, the AuthorizeRequest is unchanged.
// If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false.
// If the response is written, true is returned.
// If the response is not written, false is returned.
func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {

	// Requests must already be authorized before we will check grants
	if !ar.Authorized {
		return false, nil
	}

	// Reset request to unauthorized until we verify the grant
	ar.Authorized = false

	user, ok := ar.UserData.(user.Info)
	if !ok || user == nil {
		utilruntime.HandleError(fmt.Errorf("the provided user data is not a user.Info object: %#v", user))
		resp.SetError("server_error", "")
		return false, nil
	}

	client, ok := ar.Client.GetUserData().(*oauthapi.OAuthClient)
	if !ok || client == nil {
		utilruntime.HandleError(fmt.Errorf("the provided client is not an *api.OAuthClient object: %#v", client))
		resp.SetError("server_error", "")
		return false, nil
	}

	// Normalize the scope request, and ensure all tokens contain a scope
	scopes := scope.Split(ar.Scope)
	if len(scopes) == 0 {
		scopes = append(scopes, scopeauthorizer.UserFull)
	}
	ar.Scope = scope.Join(scopes)

	// Validate the requested scopes
	if scopeErrors := validation.ValidateScopes(scopes, nil); len(scopeErrors) > 0 {
		resp.SetError("invalid_scope", scopeErrors.ToAggregate().Error())
		return false, nil
	}

	invalidScopes := sets.NewString()
	for _, scope := range scopes {
		if err := scopeauthorizer.ValidateScopeRestrictions(client, scope); err != nil {
			invalidScopes.Insert(scope)
		}
	}
	if len(invalidScopes) > 0 {
		resp.SetError("access_denied", fmt.Sprintf("scope denied: %s", strings.Join(invalidScopes.List(), " ")))
		return false, nil
	}

	grant := &api.Grant{
		Client:      ar.Client,
		Scope:       ar.Scope,
		Expiration:  int64(ar.Expiration),
		RedirectURI: ar.RedirectUri,
	}

	// Check if the user has already authorized this grant
	authorized, err := h.check.HasAuthorizedClient(user, grant)
	if err != nil {
		utilruntime.HandleError(err)
		resp.SetError("server_error", "")
		return false, nil
	}
	if authorized {
		ar.Authorized = true
		return false, nil
	}

	// React to an unauthorized grant
	authorized, handled, err := h.handler.GrantNeeded(user, grant, w, ar.HttpRequest)
	if authorized {
		ar.Authorized = true
	}
	return handled, err
}