func (s *storage) convertToAuthorizeToken(data *osin.AuthorizeData) (*api.OAuthAuthorizeToken, error) { token := &api.OAuthAuthorizeToken{ ObjectMeta: kapi.ObjectMeta{ Name: data.Code, CreationTimestamp: util.Time{data.CreatedAt}, }, ClientName: data.Client.GetId(), ExpiresIn: int64(data.ExpiresIn), Scopes: scope.Split(data.Scope), RedirectURI: data.RedirectUri, State: data.State, } if err := s.user.ConvertToAuthorizeToken(data.UserData, token); err != nil { return nil, err } return token, nil }
func (c *ClientAuthorizationGrantChecker) HasAuthorizedClient(user user.Info, grant *api.Grant) (approved bool, err error) { id := c.registry.ClientAuthorizationName(user.GetName(), grant.Client.GetId()) authorization, err := c.registry.GetClientAuthorization(kapi.NewContext(), id) if errors.IsNotFound(err) { return false, nil } if err != nil { return false, err } if len(authorization.UserUID) != 0 && authorization.UserUID != user.GetUID() { return false, fmt.Errorf("user %s UID %s does not match stored client authorization value for UID %s", user.GetName(), user.GetUID(), authorization.UserUID) } // TODO: improve this to allow the scope implementation to determine overlap if !scope.Covers(authorization.Scopes, scope.Split(grant.Scope)) { return false, nil } return true, nil }
func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) { if ok, err := l.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil { glog.Errorf("Unable to check CSRF token: %v", err) l.failed("Invalid CSRF token", w, req) return } then := req.FormValue("then") scopes := req.FormValue("scopes") if len(req.FormValue(approveParam)) == 0 { // Redirect with rejection param url, err := url.Parse(then) if len(then) == 0 || err != nil { l.failed("Access denied, but no redirect URL was specified", w, req) return } q := url.Query() q.Set("error", "access_denied") url.RawQuery = q.Encode() http.Redirect(w, req, url.String(), http.StatusFound) return } clientID := req.FormValue("client_id") client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID) if err != nil || client == nil { l.failed("Could not find client for client_id", w, req) return } clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name) ctx := kapi.NewContext() clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID) if err == nil && clientAuth != nil { // Add new scopes and update clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes)) if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil { glog.Errorf("Unable to update authorization: %v", err) l.failed("Could not update client authorization", w, req) return } } else { // Make sure client name, user name, grant scope, expiration, and redirect uri match clientAuth = &oapi.OAuthClientAuthorization{ UserName: user.GetName(), UserUID: user.GetUID(), ClientName: client.Name, Scopes: scope.Split(scopes), } clientAuth.Name = clientAuthID if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil { glog.Errorf("Unable to create authorization: %v", err) l.failed("Could not create client authorization", w, req) return } } if len(then) == 0 { l.failed("Approval granted, but no redirect URL was specified", w, req) return } http.Redirect(w, req, then, http.StatusFound) }