mirror of
https://github.com/rocky-linux/peridot.git
synced 2024-11-01 04:41:22 +00:00
167 lines
5.5 KiB
Go
167 lines
5.5 KiB
Go
|
// Copyright (c) All respective contributors to the Peridot Project. All rights reserved.
|
||
|
// Copyright (c) 2021-2022 Rocky Enterprise Software Foundation, Inc. All rights reserved.
|
||
|
// Copyright (c) 2021-2022 Ctrl IQ, Inc. All rights reserved.
|
||
|
//
|
||
|
// Redistribution and use in source and binary forms, with or without
|
||
|
// modification, are permitted provided that the following conditions are met:
|
||
|
//
|
||
|
// 1. Redistributions of source code must retain the above copyright notice,
|
||
|
// this list of conditions and the following disclaimer.
|
||
|
//
|
||
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
||
|
// this list of conditions and the following disclaimer in the documentation
|
||
|
// and/or other materials provided with the distribution.
|
||
|
//
|
||
|
// 3. Neither the name of the copyright holder nor the names of its contributors
|
||
|
// may be used to endorse or promote products derived from this software without
|
||
|
// specific prior written permission.
|
||
|
//
|
||
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||
|
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||
|
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||
|
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||
|
// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||
|
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||
|
// POSSIBILITY OF SUCH DAMAGE.
|
||
|
|
||
|
package obsidianimplv1
|
||
|
|
||
|
import (
|
||
|
"context"
|
||
|
"github.com/gogo/status"
|
||
|
"github.com/ory/hydra-client-go/client/admin"
|
||
|
"github.com/ory/hydra-client-go/models"
|
||
|
"google.golang.org/grpc/codes"
|
||
|
obsidianpb "peridot.resf.org/obsidian/pb"
|
||
|
)
|
||
|
|
||
|
const (
|
||
|
authError = "auth_error"
|
||
|
noUser = "no_user"
|
||
|
)
|
||
|
|
||
|
func (s *Server) ProcessLoginRequest(challenge string) (*obsidianpb.SessionStatusResponse, error) {
|
||
|
ctx := context.TODO()
|
||
|
|
||
|
loginReq, err := s.hydra.Admin.GetLoginRequest(&admin.GetLoginRequestParams{
|
||
|
LoginChallenge: challenge,
|
||
|
Context: ctx,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Error(err)
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
if *loginReq.Payload.Challenge != challenge {
|
||
|
s.log.Error(err)
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
if *loginReq.Payload.Skip {
|
||
|
return s.AcceptLoginRequest(ctx, challenge, loginReq)
|
||
|
}
|
||
|
|
||
|
return &obsidianpb.SessionStatusResponse{
|
||
|
Valid: true,
|
||
|
ClientName: loginReq.Payload.Client.ClientName,
|
||
|
Scopes: loginReq.Payload.RequestedScope,
|
||
|
}, nil
|
||
|
}
|
||
|
|
||
|
func (s *Server) ProcessConsentRequest(challenge string) (*obsidianpb.SessionStatusResponse, error) {
|
||
|
ctx := context.TODO()
|
||
|
|
||
|
consentReq, err := s.hydra.Admin.GetConsentRequest(&admin.GetConsentRequestParams{
|
||
|
Context: ctx,
|
||
|
ConsentChallenge: challenge,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Error(err)
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
if *consentReq.Payload.Challenge != challenge {
|
||
|
s.log.Error(err)
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
if consentReq.Payload.Skip {
|
||
|
return s.AcceptConsentRequest(ctx, challenge, consentReq)
|
||
|
}
|
||
|
|
||
|
return &obsidianpb.SessionStatusResponse{
|
||
|
Valid: true,
|
||
|
ClientName: consentReq.Payload.Client.ClientName,
|
||
|
Scopes: consentReq.Payload.RequestedScope,
|
||
|
}, nil
|
||
|
}
|
||
|
|
||
|
func (s *Server) AcceptConsentRequest(ctx context.Context, challenge string, consentReq *admin.GetConsentRequestOK) (*obsidianpb.SessionStatusResponse, error) {
|
||
|
user, err := s.db.GetUserByID(consentReq.Payload.Subject)
|
||
|
if err != nil {
|
||
|
return nil, status.Error(codes.InvalidArgument, noUser)
|
||
|
}
|
||
|
|
||
|
consent, err := s.hydra.Admin.AcceptConsentRequest(&admin.AcceptConsentRequestParams{
|
||
|
Context: ctx,
|
||
|
ConsentChallenge: challenge,
|
||
|
Body: &models.AcceptConsentRequest{
|
||
|
Remember: true,
|
||
|
GrantScope: consentReq.Payload.RequestedScope,
|
||
|
GrantAccessTokenAudience: consentReq.Payload.RequestedAccessTokenAudience,
|
||
|
Session: &models.ConsentRequestSession{
|
||
|
AccessToken: map[string]interface{}{
|
||
|
"id": user.ID,
|
||
|
},
|
||
|
IDToken: map[string]interface{}{
|
||
|
"id": user.ID,
|
||
|
"name": user.Name.String,
|
||
|
"email": user.Email,
|
||
|
"created_at": user.CreatedAt,
|
||
|
},
|
||
|
},
|
||
|
},
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Error(err)
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
return &obsidianpb.SessionStatusResponse{
|
||
|
Valid: true,
|
||
|
RedirectUrl: *consent.Payload.RedirectTo,
|
||
|
ClientName: consentReq.Payload.Client.ClientName,
|
||
|
Scopes: consentReq.Payload.RequestedScope,
|
||
|
}, nil
|
||
|
}
|
||
|
|
||
|
func (s *Server) AcceptLoginRequest(ctx context.Context, challenge string, loginReq *admin.GetLoginRequestOK) (*obsidianpb.SessionStatusResponse, error) {
|
||
|
acceptLogin, err := s.hydra.Admin.AcceptLoginRequest(&admin.AcceptLoginRequestParams{
|
||
|
LoginChallenge: challenge,
|
||
|
Body: &models.AcceptLoginRequest{
|
||
|
Subject: loginReq.Payload.Subject,
|
||
|
Remember: true,
|
||
|
},
|
||
|
Context: ctx,
|
||
|
})
|
||
|
if err != nil {
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
user, err := s.db.GetUserByID(*loginReq.Payload.Subject)
|
||
|
if err != nil || user == nil || user.ID == "" {
|
||
|
return nil, status.Error(codes.InvalidArgument, noUser)
|
||
|
}
|
||
|
|
||
|
return &obsidianpb.SessionStatusResponse{
|
||
|
Valid: true,
|
||
|
RedirectUrl: *acceptLogin.Payload.RedirectTo,
|
||
|
ClientName: loginReq.Payload.Client.ClientName,
|
||
|
Scopes: loginReq.Payload.RequestedScope,
|
||
|
}, nil
|
||
|
}
|