func (w *LocalWarden) actionAllowed(ctx context.Context, a *ladon.Request, scopes []string, oauthRequest fosite.AccessRequester, session *oauth2.Session) (*Context, error) {
session = oauthRequest.GetSession().(*oauth2.Session)
if a.Subject != "" && a.Subject != session.Subject {
return nil, errors.New("Subject mismatch " + a.Subject + " - " + session.Subject)
}
if !matchScopes(oauthRequest.GetGrantedScopes(), scopes, session, oauthRequest.GetClient()) {
return nil, errors.New(herodot.ErrForbidden)
}
a.Subject = session.Subject
if err := w.Warden.IsAllowed(a); err != nil {
return nil, err
}
logrus.WithFields(logrus.Fields{
"scopes": scopes,
"subject": a.Subject,
"audience": oauthRequest.GetClient().GetID(),
"request": a,
}).Infof("Access granted")
return &Context{
Subject: session.Subject,
GrantedScopes: oauthRequest.GetGrantedScopes(),
Issuer: w.Issuer,
Audience: oauthRequest.GetClient().GetID(),
IssuedAt: oauthRequest.GetRequestedAt(),
}, nil
}
