func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) {
if ok, err := l.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil {
glog.Errorf("Unable to check CSRF token: %v", err)
l.failed("Invalid CSRF token", w, req)
return
}
then := req.FormValue("then")
scopes := req.FormValue("scopes")
if len(req.FormValue(approveParam)) == 0 {
// Redirect with rejection param
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access denied, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("error", "access_denied")
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
return
}
clientID := req.FormValue("client_id")
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
ctx := kapi.NewContext()
clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID)
if err == nil && clientAuth != nil {
// Add new scopes and update
clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to update authorization: %v", err)
l.failed("Could not update client authorization", w, req)
return
}
} else {
// Make sure client name, user name, grant scope, expiration, and redirect uri match
clientAuth = &oapi.OAuthClientAuthorization{
UserName: user.GetName(),
UserUID: user.GetUID(),
ClientName: client.Name,
Scopes: scope.Split(scopes),
}
clientAuth.Name = clientAuthID
if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to create authorization: %v", err)
l.failed("Could not create client authorization", w, req)
return
}
}
if len(then) == 0 {
l.failed("Approval granted, but no redirect URL was specified", w, req)
return
}
http.Redirect(w, req, then, http.StatusFound)
}
func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) {
if ok, err := l.csrf.Check(req, req.FormValue(csrfParam)); !ok || err != nil {
glog.Errorf("Unable to check CSRF token: %v", err)
l.failed("Invalid CSRF token", w, req)
return
}
req.ParseForm()
then := req.FormValue(thenParam)
scopes := scope.Join(req.Form[scopeParam])
username := req.FormValue(userNameParam)
if username != user.GetName() {
glog.Errorf("User (%v) did not match authenticated user (%v)", username, user.GetName())
l.failed("User did not match", w, req)
return
}
if len(req.FormValue(approveParam)) == 0 || len(scopes) == 0 {
// Redirect with an error param
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access denied, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("error", "access_denied")
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
return
}
clientID := req.FormValue(clientIDParam)
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, scope.Split(scopes)...); err != nil {
failure := fmt.Sprintf("%v requested illegal scopes (%v): %v", client.Name, scopes, err)
l.failed(failure, w, req)
return
}
clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
ctx := kapi.NewContext()
clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID)
if err == nil && clientAuth != nil {
// Add new scopes and update
clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to update authorization: %v", err)
l.failed("Could not update client authorization", w, req)
return
}
} else {
// Make sure client name, user name, grant scope, expiration, and redirect uri match
clientAuth = &oapi.OAuthClientAuthorization{
UserName: user.GetName(),
UserUID: user.GetUID(),
ClientName: client.Name,
Scopes: scope.Split(scopes),
}
clientAuth.Name = clientAuthID
if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to create authorization: %v", err)
l.failed("Could not create client authorization", w, req)
return
}
}
// Redirect, overriding the scope param on the redirect with the scopes that were actually granted
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access granted, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("scope", scopes)
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
}