func (s *storage) convertFromAuthorizeToken(authorize *api.OAuthAuthorizeToken) (*osin.AuthorizeData, error) {
user, err := s.user.ConvertFromAuthorizeToken(authorize)
if err != nil {
return nil, err
}
client, err := s.client.GetClient(kapi.NewContext(), authorize.ClientName)
if err != nil {
return nil, err
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, authorize.Scopes...); err != nil {
return nil, err
}
return &osin.AuthorizeData{
Code: authorize.Name,
CodeChallenge: authorize.CodeChallenge,
CodeChallengeMethod: authorize.CodeChallengeMethod,
Client: &clientWrapper{authorize.ClientName, client},
ExpiresIn: int32(authorize.ExpiresIn),
Scope: scope.Join(authorize.Scopes),
RedirectUri: authorize.RedirectURI,
State: authorize.State,
CreatedAt: authorize.CreationTimestamp.Time,
UserData: user,
}, nil
}
func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Request) {
q := req.URL.Query()
then := q.Get("then")
clientID := q.Get("client_id")
scopes := q.Get("scopes")
redirectURI := q.Get("redirect_uri")
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, scope.Split(scopes)...); err != nil {
failure := fmt.Sprintf("%v requested illegal scopes (%v): %v", client.Name, scopes, err)
l.failed(failure, w, req)
return
}
uri, err := getBaseURL(req)
if err != nil {
glog.Errorf("Unable to generate base URL: %v", err)
http.Error(w, "Unable to determine URL", http.StatusInternalServerError)
return
}
csrf, err := l.csrf.Generate(w, req)
if err != nil {
glog.Errorf("Unable to generate CSRF token: %v", err)
l.failed("Could not generate CSRF token", w, req)
return
}
form := Form{
Action: uri.String(),
Values: FormValues{
Then: then,
ThenParam: thenParam,
CSRF: csrf,
CSRFParam: csrfParam,
ClientID: client.Name,
ClientIDParam: clientIDParam,
UserName: user.GetName(),
UserNameParam: userNameParam,
Scopes: scopes,
ScopesParam: scopesParam,
RedirectURI: redirectURI,
RedirectURIParam: redirectURIParam,
ApproveParam: approveParam,
DenyParam: denyParam,
},
}
l.render.Render(form, w, req)
}
// Validate validates a new client
func (s strategy) Validate(ctx kapi.Context, obj runtime.Object) field.ErrorList {
auth := obj.(*api.OAuthClientAuthorization)
validationErrors := validation.ValidateClientAuthorization(auth)
client, err := s.clientGetter.GetClient(ctx, auth.ClientName)
if err != nil {
return append(validationErrors, field.InternalError(field.NewPath("clientName"), err))
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, auth.Scopes...); err != nil {
return append(validationErrors, field.InternalError(field.NewPath("clientName"), err))
}
return validationErrors
}
func (s *storage) convertFromAccessToken(access *api.OAuthAccessToken) (*osin.AccessData, error) {
user, err := s.user.ConvertFromAccessToken(access)
if err != nil {
return nil, err
}
client, err := s.client.GetClient(kapi.NewContext(), access.ClientName)
if err != nil {
return nil, err
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, access.Scopes...); err != nil {
return nil, err
}
return &osin.AccessData{
AccessToken: access.Name,
RefreshToken: access.RefreshToken,
Client: &clientWrapper{access.ClientName, client},
ExpiresIn: int32(access.ExpiresIn),
Scope: scope.Join(access.Scopes),
RedirectUri: access.RedirectURI,
CreatedAt: access.CreationTimestamp.Time,
UserData: user,
}, nil
}
// HandleAuthorize implements osinserver.AuthorizeHandler to ensure the requested scopes have been authorized.
// The AuthorizeRequest.Authorized field must already be set to true for the grant check to occur.
// If the requested scopes are authorized, the AuthorizeRequest is unchanged.
// If the requested scopes are not authorized, or an error occurs, AuthorizeRequest.Authorized is set to false.
// If the response is written, true is returned.
// If the response is not written, false is returned.
func (h *GrantCheck) HandleAuthorize(ar *osin.AuthorizeRequest, resp *osin.Response, w http.ResponseWriter) (bool, error) {
// Requests must already be authorized before we will check grants
if !ar.Authorized {
return false, nil
}
// Reset request to unauthorized until we verify the grant
ar.Authorized = false
user, ok := ar.UserData.(user.Info)
if !ok || user == nil {
utilruntime.HandleError(fmt.Errorf("the provided user data is not a user.Info object: %#v", user))
resp.SetError("server_error", "")
return false, nil
}
client, ok := ar.Client.GetUserData().(*oauthapi.OAuthClient)
if !ok || client == nil {
utilruntime.HandleError(fmt.Errorf("the provided client is not an *api.OAuthClient object: %#v", client))
resp.SetError("server_error", "")
return false, nil
}
// Normalize the scope request, and ensure all tokens contain a scope
scopes := scope.Split(ar.Scope)
if len(scopes) == 0 {
scopes = append(scopes, scopeauthorizer.UserFull)
}
ar.Scope = scope.Join(scopes)
// Validate the requested scopes
if scopeErrors := validation.ValidateScopes(scopes, nil); len(scopeErrors) > 0 {
resp.SetError("invalid_scope", scopeErrors.ToAggregate().Error())
return false, nil
}
invalidScopes := sets.NewString()
for _, scope := range scopes {
if err := scopeauthorizer.ValidateScopeRestrictions(client, scope); err != nil {
invalidScopes.Insert(scope)
}
}
if len(invalidScopes) > 0 {
resp.SetError("access_denied", fmt.Sprintf("scope denied: %s", strings.Join(invalidScopes.List(), " ")))
return false, nil
}
grant := &api.Grant{
Client: ar.Client,
Scope: ar.Scope,
Expiration: int64(ar.Expiration),
RedirectURI: ar.RedirectUri,
}
// Check if the user has already authorized this grant
authorized, err := h.check.HasAuthorizedClient(user, grant)
if err != nil {
utilruntime.HandleError(err)
resp.SetError("server_error", "")
return false, nil
}
if authorized {
ar.Authorized = true
return false, nil
}
// React to an unauthorized grant
authorized, handled, err := h.handler.GrantNeeded(user, grant, w, ar.HttpRequest)
if authorized {
ar.Authorized = true
}
return handled, err
}
func (l *Grant) handleGrant(user user.Info, w http.ResponseWriter, req *http.Request) {
if ok, err := l.csrf.Check(req, req.FormValue(csrfParam)); !ok || err != nil {
glog.Errorf("Unable to check CSRF token: %v", err)
l.failed("Invalid CSRF token", w, req)
return
}
req.ParseForm()
then := req.FormValue(thenParam)
scopes := scope.Join(req.Form[scopeParam])
username := req.FormValue(userNameParam)
if username != user.GetName() {
glog.Errorf("User (%v) did not match authenticated user (%v)", username, user.GetName())
l.failed("User did not match", w, req)
return
}
if len(req.FormValue(approveParam)) == 0 || len(scopes) == 0 {
// Redirect with an error param
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access denied, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("error", "access_denied")
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
return
}
clientID := req.FormValue(clientIDParam)
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, scope.Split(scopes)...); err != nil {
failure := fmt.Sprintf("%v requested illegal scopes (%v): %v", client.Name, scopes, err)
l.failed(failure, w, req)
return
}
clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
ctx := kapi.NewContext()
clientAuth, err := l.authregistry.GetClientAuthorization(ctx, clientAuthID)
if err == nil && clientAuth != nil {
// Add new scopes and update
clientAuth.Scopes = scope.Add(clientAuth.Scopes, scope.Split(scopes))
if _, err = l.authregistry.UpdateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to update authorization: %v", err)
l.failed("Could not update client authorization", w, req)
return
}
} else {
// Make sure client name, user name, grant scope, expiration, and redirect uri match
clientAuth = &oapi.OAuthClientAuthorization{
UserName: user.GetName(),
UserUID: user.GetUID(),
ClientName: client.Name,
Scopes: scope.Split(scopes),
}
clientAuth.Name = clientAuthID
if _, err = l.authregistry.CreateClientAuthorization(ctx, clientAuth); err != nil {
glog.Errorf("Unable to create authorization: %v", err)
l.failed("Could not create client authorization", w, req)
return
}
}
// Redirect, overriding the scope param on the redirect with the scopes that were actually granted
url, err := url.Parse(then)
if len(then) == 0 || err != nil {
l.failed("Access granted, but no redirect URL was specified", w, req)
return
}
q := url.Query()
q.Set("scope", scopes)
url.RawQuery = q.Encode()
http.Redirect(w, req, url.String(), http.StatusFound)
}
func (l *Grant) handleForm(user user.Info, w http.ResponseWriter, req *http.Request) {
q := req.URL.Query()
then := q.Get(thenParam)
clientID := q.Get(clientIDParam)
scopes := scope.Split(q.Get(scopeParam))
redirectURI := q.Get(redirectURIParam)
client, err := l.clientregistry.GetClient(kapi.NewContext(), clientID)
if err != nil || client == nil {
l.failed("Could not find client for client_id", w, req)
return
}
if err := scopeauthorizer.ValidateScopeRestrictions(client, scopes...); err != nil {
failure := fmt.Sprintf("%v requested illegal scopes (%v): %v", client.Name, scopes, err)
l.failed(failure, w, req)
return
}
uri, err := getBaseURL(req)
if err != nil {
glog.Errorf("Unable to generate base URL: %v", err)
http.Error(w, "Unable to determine URL", http.StatusInternalServerError)
return
}
csrf, err := l.csrf.Generate(w, req)
if err != nil {
glog.Errorf("Unable to generate CSRF token: %v", err)
l.failed("Could not generate CSRF token", w, req)
return
}
grantedScopeNames := []string{}
grantedScopes := []Scope{}
requestedScopes := []Scope{}
clientAuthID := l.authregistry.ClientAuthorizationName(user.GetName(), client.Name)
if clientAuth, err := l.authregistry.GetClientAuthorization(kapi.NewContext(), clientAuthID); err == nil {
grantedScopeNames = clientAuth.Scopes
}
for _, s := range scopes {
requestedScopes = append(requestedScopes, getScopeData(s, grantedScopeNames))
}
for _, s := range grantedScopeNames {
grantedScopes = append(grantedScopes, getScopeData(s, grantedScopeNames))
}
form := Form{
Action: uri.String(),
GrantedScopes: grantedScopes,
Names: GrantFormFields{
Then: thenParam,
CSRF: csrfParam,
ClientID: clientIDParam,
UserName: userNameParam,
Scopes: scopeParam,
RedirectURI: redirectURIParam,
Approve: approveParam,
Deny: denyParam,
},
Values: GrantFormFields{
Then: then,
CSRF: csrf,
ClientID: client.Name,
UserName: user.GetName(),
Scopes: requestedScopes,
RedirectURI: redirectURI,
},
}
if saNamespace, saName, err := serviceaccount.SplitUsername(client.Name); err == nil {
form.ServiceAccountName = saName
form.ServiceAccountNamespace = saNamespace
}
l.render.Render(form, w, req)
}