// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the AuthorizeRequest is authenticated.
// If the request is authenticated, UserData and Authorized are set and false is returned.
// If the request is not authenticated, the auth handler is called and the request is not authorized
func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {
info, ok, err := h.request.AuthenticateRequest(ar.HttpRequest)
if err != nil {
return h.errorHandler.AuthenticationError(err, w, ar.HttpRequest)
}
if !ok {
return h.handler.AuthenticationNeeded(ar.Client, w, ar.HttpRequest)
}
ar.UserData = info
ar.Authorized = true
return false, nil
}
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the AuthorizeRequest is authenticated.
// If the request is authenticated, UserData and Authorized are set and false is returned.
// If the request is not authenticated, the auth handler is called and the request is not authorized
func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {
info, ok, err := h.request.AuthenticateRequest(ar.HttpRequest)
if err != nil {
glog.V(4).Infof("OAuth authentication error: %v", err)
return h.errorHandler.AuthenticationError(err, w, ar.HttpRequest)
}
if !ok {
return h.handler.AuthenticationNeeded(ar.Client, w, ar.HttpRequest)
}
glog.V(4).Infof("OAuth authentication succeeded: %#v", info)
ar.UserData = info
ar.Authorized = true
return false, nil
}
func (o *OAuthHandler) handleLoginPage(ar *osin.AuthorizeRequest, w http.ResponseWriter, r *http.Request) bool {
_ = "breakpoint"
r.ParseForm()
username := ""
password := ""
loginError := false
if r.Method == "POST" {
username = r.Form.Get("username")
password = r.Form.Get("password")
user, _ := userRepo.Login(username, password)
ar.UserData = user
loginError = (user == nil)
if user != nil || loginError == false {
return true
}
//return (user != nil)
}
page := &LoginPage{
ResponseType: ar.Type,
ClientId: ar.Client.GetId(),
State: ar.State,
RedirectUri: url.QueryEscape(ar.RedirectUri),
Username: username,
LoginError: loginError,
}
renderLoginPage(w, page)
return false
}
//try login the user to the platform and apply requested permissons
func (o *Api) applyAuthorization(user, password string, ar *osin.AuthorizeRequest) error {
log.Println(OAUTH2_API_PREFIX, "applyAuthorization")
if usr, _, err := o.userApi.Login(user, password); err != nil {
log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: err during account login: %s", err.Error())
return err
} else if usr != nil {
log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: tidepool login success for userid[%s] now applying permissons", usr.UserID)
if o.applyPermissons(usr.UserID, ar.Client.GetId(), getAllScopes()) {
//make sure we persist any existing client userdata
ud := ar.Client.GetUserData().(map[string]interface{})
ud["AppUser"] = usr.UserID
ar.Client = &osin.DefaultClient{
Id: ar.Client.GetId(),
Secret: ar.Client.GetSecret(),
RedirectUri: ar.Client.GetRedirectUri(),
UserData: ud,
}
log.Print(OAUTH2_API_PREFIX, "applyAuthorization: user data set", ar.UserData)
return nil
} else {
log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: error[%s]", error_applying_permissons)
return errors.New(error_applying_permissons)
}
}
log.Printf(OAUTH2_API_PREFIX+"applyAuthorization: no user or error from login returning[%s] ", error_check_tidepool_creds)
return errors.New(error_check_tidepool_creds)
}
func inner_GET_authorize(c martini.Context, sess sessions.Session, r *http.Request, ar *osin.AuthorizeRequest) bool {
var (
identity = ActiveIdentity(c)
source = current_url(r)
handler martini.Handler
)
if identity != nil {
ar.UserData = identity
sess.Delete("flow")
return true
} else {
sess.Set("flow", FlowState{
Type: AuthorizeFlow,
Source: source,
StartAt: time.Now(),
})
if provider := r.URL.Query().Get("p"); provider == "" {
handler = show_provider_chooser()
} else {
handler = redirect_to_provider(provider)
}
}
c.Invoke(handler)
return false
}
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the requested scopes have been authorized.
// The AuthorizeRequest.Authorized field must already be set to true for the grant check to occur.
// If the requested scopes are authorized, the AuthorizeRequest is unchanged.
// If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false.
// If the response is written, true is returned.
// If the response is not written, false is returned.
func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter) (bool, error) {
// Requests must already be authorized before we will check grants
if !ar.Authorized {
return false, nil
}
// Reset request to unauthorized until we verify the grant
ar.Authorized = false
user, ok := ar.UserData.(user.Info)
if !ok || user == nil {
return h.errorHandler.GrantError(errors.New("the provided user data is not user.Info"), w, ar.HttpRequest)
}
grant := &api.Grant{
Client: ar.Client,
Scope: ar.Scope,
Expiration: int64(ar.Expiration),
RedirectURI: ar.RedirectUri,
}
// Check if the user has already authorized this grant
authorized, err := h.check.HasAuthorizedClient(user, grant)
if err != nil {
return h.errorHandler.GrantError(err, w, ar.HttpRequest)
}
if authorized {
ar.Authorized = true
return false, nil
}
// React to an unauthorized grant
authorized, handled, err := h.handler.GrantNeeded(user, grant, w, ar.HttpRequest)
if authorized {
ar.Authorized = true
}
return handled, err
}
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the requested scopes have been authorized.
// The AuthorizeRequest.Authorized field must already be set to true for the grant check to occur.
// If the requested scopes are authorized, the AuthorizeRequest is unchanged.
// If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false.
// If the response is written, true is returned.
// If the response is not written, false is returned.
func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {
// Requests must already be authorized before we will check grants
if !ar.Authorized {
return false, nil
}
// Reset request to unauthorized until we verify the grant
ar.Authorized = false
user, ok := ar.UserData.(user.Info)
if !ok || user == nil {
utilruntime.HandleError(fmt.Errorf("the provided user data is not a user.Info object: %#v", user))
resp.SetError("server_error", "")
return false, nil
}
client, ok := ar.Client.GetUserData().(*oauthapi.OAuthClient)
if !ok || client == nil {
utilruntime.HandleError(fmt.Errorf("the provided client is not an *api.OAuthClient object: %#v", client))
resp.SetError("server_error", "")
return false, nil
}
// Normalize the scope request, and ensure all tokens contain a scope
scopes := scope.Split(ar.Scope)
if len(scopes) == 0 {
scopes = append(scopes, scopeauthorizer.UserFull)
}
ar.Scope = scope.Join(scopes)
// Validate the requested scopes
if scopeErrors := validation.ValidateScopes(scopes, nil); len(scopeErrors) > 0 {
resp.SetError("invalid_scope", scopeErrors.ToAggregate().Error())
return false, nil
}
invalidScopes := sets.NewString()
for _, scope := range scopes {
if err := scopeauthorizer.ValidateScopeRestrictions(client, scope); err != nil {
invalidScopes.Insert(scope)
}
}
if len(invalidScopes) > 0 {
resp.SetError("access_denied", fmt.Sprintf("scope denied: %s", strings.Join(invalidScopes.List(), " ")))
return false, nil
}
grant := &api.Grant{
Client: ar.Client,
Scope: ar.Scope,
Expiration: int64(ar.Expiration),
RedirectURI: ar.RedirectUri,
}
// Check if the user has already authorized this grant
authorized, err := h.check.HasAuthorizedClient(user, grant)
if err != nil {
utilruntime.HandleError(err)
resp.SetError("server_error", "")
return false, nil
}
if authorized {
ar.Authorized = true
return false, nil
}
// React to an unauthorized grant
authorized, handled, err := h.handler.GrantNeeded(user, grant, w, ar.HttpRequest)
if authorized {
ar.Authorized = true
}
return handled, err
}
