mirror of
https://github.com/rocky-linux/peridot.git
synced 2024-11-15 10:11:25 +00:00
183 lines
6.1 KiB
Go
183 lines
6.1 KiB
Go
|
// Copyright (c) All respective contributors to the Peridot Project. All rights reserved.
|
||
|
// Copyright (c) 2021-2022 Rocky Enterprise Software Foundation, Inc. All rights reserved.
|
||
|
// Copyright (c) 2021-2022 Ctrl IQ, Inc. All rights reserved.
|
||
|
//
|
||
|
// Redistribution and use in source and binary forms, with or without
|
||
|
// modification, are permitted provided that the following conditions are met:
|
||
|
//
|
||
|
// 1. Redistributions of source code must retain the above copyright notice,
|
||
|
// this list of conditions and the following disclaimer.
|
||
|
//
|
||
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
||
|
// this list of conditions and the following disclaimer in the documentation
|
||
|
// and/or other materials provided with the distribution.
|
||
|
//
|
||
|
// 3. Neither the name of the copyright holder nor the names of its contributors
|
||
|
// may be used to endorse or promote products derived from this software without
|
||
|
// specific prior written permission.
|
||
|
//
|
||
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
||
|
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
||
|
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
||
|
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
||
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||
|
// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||
|
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||
|
// POSSIBILITY OF SUCH DAMAGE.
|
||
|
|
||
|
package obsidianimplv1
|
||
|
|
||
|
import (
|
||
|
"context"
|
||
|
"github.com/ory/hydra-client-go/client/admin"
|
||
|
hydramodels "github.com/ory/hydra-client-go/models"
|
||
|
"google.golang.org/grpc/codes"
|
||
|
"google.golang.org/grpc/status"
|
||
|
"google.golang.org/protobuf/proto"
|
||
|
obsidianpb "peridot.resf.org/obsidian/pb"
|
||
|
)
|
||
|
|
||
|
const (
|
||
|
invalidCheckType = "invalid_check_type"
|
||
|
challengeRequired = "challenge_required"
|
||
|
logoutChallengeRequired = "logout_challenge_required"
|
||
|
)
|
||
|
|
||
|
func (s *Server) SessionStatus(_ context.Context, req *obsidianpb.SessionStatusRequest) (*obsidianpb.SessionStatusResponse, error) {
|
||
|
allowedTypes := map[string]bool{"login": true, "consent": true}
|
||
|
if !allowedTypes[req.CheckType] {
|
||
|
return nil, status.Error(codes.InvalidArgument, invalidCheckType)
|
||
|
}
|
||
|
|
||
|
if req.Challenge == "" {
|
||
|
return nil, status.Error(codes.InvalidArgument, challengeRequired)
|
||
|
}
|
||
|
|
||
|
var res *obsidianpb.SessionStatusResponse
|
||
|
var err error
|
||
|
switch req.CheckType {
|
||
|
case "login":
|
||
|
res, err = s.ProcessLoginRequest(req.Challenge)
|
||
|
break
|
||
|
case "consent":
|
||
|
res, err = s.ProcessConsentRequest(req.Challenge)
|
||
|
break
|
||
|
default:
|
||
|
return nil, status.Error(codes.InvalidArgument, "")
|
||
|
}
|
||
|
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
return res, nil
|
||
|
}
|
||
|
|
||
|
func (s *Server) ConsentDecision(ctx context.Context, req *obsidianpb.ConsentDecisionRequest) (*obsidianpb.ConsentDecisionResponse, error) {
|
||
|
if req.Challenge == "" {
|
||
|
return nil, status.Error(codes.InvalidArgument, challengeRequired)
|
||
|
}
|
||
|
|
||
|
consentReq, err := s.hydra.Admin.GetConsentRequest(&admin.GetConsentRequestParams{
|
||
|
Context: ctx,
|
||
|
ConsentChallenge: req.Challenge,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Error(err)
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
var redirectURL string
|
||
|
|
||
|
if req.Allow {
|
||
|
res, err := s.AcceptConsentRequest(ctx, req.Challenge, consentReq)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
if !res.Valid {
|
||
|
return nil, status.Error(codes.InvalidArgument, "invalid consent request")
|
||
|
}
|
||
|
redirectURL = res.RedirectUrl
|
||
|
} else {
|
||
|
res, err := s.hydra.Admin.RejectConsentRequest(&admin.RejectConsentRequestParams{
|
||
|
Body: &hydramodels.RejectRequest{
|
||
|
StatusCode: int64(codes.Aborted),
|
||
|
ErrorDescription: "User does not consent to data sharing",
|
||
|
Error: "no_consent",
|
||
|
},
|
||
|
ConsentChallenge: req.Challenge,
|
||
|
Context: ctx,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Errorf("error rejecting consent request: %s", err.Error())
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
redirectURL = *res.Payload.RedirectTo
|
||
|
}
|
||
|
|
||
|
return &obsidianpb.ConsentDecisionResponse{
|
||
|
RedirectUrl: redirectURL,
|
||
|
}, nil
|
||
|
}
|
||
|
|
||
|
func (s *Server) LogoutDecision(ctx context.Context, req *obsidianpb.LogoutDecisionRequest) (*obsidianpb.LogoutDecisionResponse, error) {
|
||
|
if req.Challenge == "" {
|
||
|
return nil, status.Error(codes.InvalidArgument, logoutChallengeRequired)
|
||
|
}
|
||
|
|
||
|
logout, err := s.hydra.Admin.GetLogoutRequest(&admin.GetLogoutRequestParams{
|
||
|
LogoutChallenge: req.Challenge,
|
||
|
Context: ctx,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Error(err)
|
||
|
return nil, status.Error(codes.Internal, authError)
|
||
|
}
|
||
|
|
||
|
var redirectURL string
|
||
|
if req.Accept {
|
||
|
_, err = s.hydra.Admin.RevokeConsentSessions(&admin.RevokeConsentSessionsParams{
|
||
|
All: proto.Bool(true),
|
||
|
Subject: logout.Payload.Subject,
|
||
|
Context: ctx,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Errorf("error revoking consent sessions: %s", err.Error())
|
||
|
return nil, status.Error(codes.Internal, "error revoking consent sessions")
|
||
|
}
|
||
|
|
||
|
acceptReq, err := s.hydra.Admin.AcceptLogoutRequest(&admin.AcceptLogoutRequestParams{
|
||
|
LogoutChallenge: req.Challenge,
|
||
|
Context: ctx,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Errorf("error accepting logout request: %s", err.Error())
|
||
|
return nil, status.Error(codes.Internal, "error accepting logout request")
|
||
|
}
|
||
|
redirectURL = *acceptReq.Payload.RedirectTo
|
||
|
} else {
|
||
|
_, err := s.hydra.Admin.RejectLogoutRequest(&admin.RejectLogoutRequestParams{
|
||
|
Body: &hydramodels.RejectRequest{
|
||
|
StatusCode: int64(codes.Aborted),
|
||
|
ErrorDescription: "User denied logout request",
|
||
|
Error: "user_denied",
|
||
|
},
|
||
|
LogoutChallenge: req.Challenge,
|
||
|
Context: nil,
|
||
|
HTTPClient: nil,
|
||
|
})
|
||
|
if err != nil {
|
||
|
s.log.Errorf("error rejecting logout request: %s", err.Error())
|
||
|
return nil, status.Error(codes.Internal, "error rejecting logout request")
|
||
|
}
|
||
|
redirectURL = logout.Payload.RequestURL
|
||
|
}
|
||
|
|
||
|
return &obsidianpb.LogoutDecisionResponse{
|
||
|
RedirectUrl: redirectURL,
|
||
|
}, nil
|
||
|
}
|