func UserToSubject(u user.Info) pkix.Name {
return pkix.Name{
CommonName: u.GetName(),
SerialNumber: u.GetUID(),
Organization: u.GetGroups(),
}
}
func (a *Authenticator) AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error) {
session, err := a.store.Get(req, a.name)
if err != nil {
return false, err
}
values := session.Values()
values[UserNameKey] = user.GetName()
values[UserUIDKey] = user.GetUID()
// TODO: should we save groups, scope, and extra in the session as well?
return false, a.store.Save(w, req)
}
func (c *ClientAuthorizationGrantChecker) HasAuthorizedClient(user user.Info, grant *api.Grant) (approved bool, err error) {
id := c.registry.ClientAuthorizationName(user.GetName(), grant.Client.GetId())
authorization, err := c.registry.GetClientAuthorization(kapi.NewContext(), id)
if errors.IsNotFound(err) {
return false, nil
}
if err != nil {
return false, err
}
if len(authorization.UserUID) != 0 && authorization.UserUID != user.GetUID() {
return false, fmt.Errorf("user %s UID %s does not match stored client authorization value for UID %s", user.GetName(), user.GetUID(), authorization.UserUID)
}
// TODO: improve this to allow the scope implementation to determine overlap
if !scope.Covers(authorization.Scopes, scope.Split(grant.Scope)) {
return false, nil
}
return true, nil
}
func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) {
if ok, err := l.csrf.Check(req, req.FormValue("csrf")); !ok || err != nil {
glog.Errorf("Unable to check CSRF token: %v", err)
l.failed("Invalid CSRF token", w, req)
return
}
then := req.FormValue("then")
scopes := req.FormValue("scopes")
if len(req.FormValue(approveParam)) == 0 {
// Redirect with rejection param
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access denied, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("error", "access_denied")
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
return
}
clientID := req.FormValue("client_id")
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
ctx := kapi.NewContext()
clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID)
if err == nil && clientAuth != nil {
// Add new scopes and update
clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to update authorization: %v", err)
l.failed("Could not update client authorization", w, req)
return
}
} else {
// Make sure client name, user name, grant scope, expiration, and redirect uri match
clientAuth = &oapi.OAuthClientAuthorization{
UserName: user.GetName(),
UserUID: user.GetUID(),
ClientName: client.Name,
Scopes: scope.Split(scopes),
}
clientAuth.Name = clientAuthID
if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to create authorization: %v", err)
l.failed("Could not create client authorization", w, req)
return
}
}
if len(then) == 0 {
l.failed("Approval granted, but no redirect URL was specified", w, req)
return
}
http.Redirect(w, req, then, http.StatusFound)
}
func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) {
if ok, err := l.csrf.Check(req, req.FormValue(csrfParam)); !ok || err != nil {
glog.Errorf("Unable to check CSRF token: %v", err)
l.failed("Invalid CSRF token", w, req)
return
}
req.ParseForm()
then := req.FormValue(thenParam)
scopes := scope.Join(req.Form[scopeParam])
username := req.FormValue(userNameParam)
if username != user.GetName() {
glog.Errorf("User (%v) did not match authenticated user (%v)", username, user.GetName())
l.failed("User did not match", w, req)
return
}
if len(req.FormValue(approveParam)) == 0 || len(scopes) == 0 {
// Redirect with an error param
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access denied, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("error", "access_denied")
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
return
}
clientID := req.FormValue(clientIDParam)
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, scope.Split(scopes)...); err != nil {
failure := fmt.Sprintf("%v requested illegal scopes (%v): %v", client.Name, scopes, err)
l.failed(failure, w, req)
return
}
clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
ctx := kapi.NewContext()
clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID)
if err == nil && clientAuth != nil {
// Add new scopes and update
clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to update authorization: %v", err)
l.failed("Could not update client authorization", w, req)
return
}
} else {
// Make sure client name, user name, grant scope, expiration, and redirect uri match
clientAuth = &oapi.OAuthClientAuthorization{
UserName: user.GetName(),
UserUID: user.GetUID(),
ClientName: client.Name,
Scopes: scope.Split(scopes),
}
clientAuth.Name = clientAuthID
if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to create authorization: %v", err)
l.failed("Could not create client authorization", w, req)
return
}
}
// Redirect, overriding the scope param on the redirect with the scopes that were actually granted
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access granted, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("scope", scopes)
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
}
