2021-09-11 11:35:15 +00:00
|
|
|
/*
|
2023-05-13 11:27:19 +00:00
|
|
|
Copyright 2020-2023 CAcert Inc.
|
|
|
|
SPDX-License-Identifier: Apache-2.0
|
2021-09-11 11:35:15 +00:00
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
2021-09-11 11:35:15 +00:00
|
|
|
|
2023-07-18 18:37:04 +00:00
|
|
|
https://www.apache.org/licenses/LICENSE-2.0
|
2021-09-11 11:35:15 +00:00
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
2021-09-11 11:35:15 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
package handlers
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2023-05-13 11:27:19 +00:00
|
|
|
"errors"
|
|
|
|
"fmt"
|
2021-09-11 11:35:15 +00:00
|
|
|
"html/template"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/go-playground/form/v4"
|
|
|
|
"github.com/gorilla/csrf"
|
|
|
|
"github.com/lestrrat-go/jwx/jwt/openid"
|
|
|
|
"github.com/nicksnyder/go-i18n/v2/i18n"
|
|
|
|
"github.com/ory/hydra-client-go/client/admin"
|
2023-07-29 19:15:11 +00:00
|
|
|
hydra "github.com/ory/hydra-client-go/models"
|
2021-09-11 11:35:15 +00:00
|
|
|
log "github.com/sirupsen/logrus"
|
|
|
|
|
2023-07-29 19:15:11 +00:00
|
|
|
"code.cacert.org/cacert/oidc-idp/internal/models"
|
|
|
|
"code.cacert.org/cacert/oidc-idp/ui"
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2023-07-29 19:15:11 +00:00
|
|
|
"code.cacert.org/cacert/oidc-idp/internal/services"
|
2021-09-11 11:35:15 +00:00
|
|
|
)
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
type ConsentHandler struct {
|
|
|
|
adminClient admin.ClientService
|
2021-09-11 11:35:15 +00:00
|
|
|
bundle *i18n.Bundle
|
|
|
|
consentTemplate *template.Template
|
|
|
|
logger *log.Logger
|
|
|
|
messageCatalog *services.MessageCatalog
|
|
|
|
}
|
|
|
|
|
|
|
|
type ConsentInformation struct {
|
|
|
|
GrantedScopes []string `form:"scope"`
|
|
|
|
SelectedClaims []string `form:"claims"`
|
|
|
|
ConsentChecked bool `form:"consent"`
|
|
|
|
}
|
|
|
|
|
|
|
|
type UserInfo struct {
|
|
|
|
Email string
|
|
|
|
EmailVerified bool
|
|
|
|
CommonName string
|
|
|
|
}
|
|
|
|
|
|
|
|
var supportedScopes, supportedClaims map[string]*i18n.Message
|
|
|
|
|
|
|
|
const (
|
|
|
|
ScopeOpenID = "openid"
|
|
|
|
ScopeOffline = "offline"
|
|
|
|
ScopeOfflineAccess = "offline_access"
|
|
|
|
ScopeProfile = "profile"
|
|
|
|
ScopeEmail = "email"
|
|
|
|
)
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
const OneDayInSeconds = 86400
|
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
func init() {
|
|
|
|
supportedScopes = make(map[string]*i18n.Message)
|
|
|
|
supportedScopes[ScopeOpenID] = &i18n.Message{
|
|
|
|
ID: "Scope-openid-Description",
|
|
|
|
Other: "Request information about your identity.",
|
|
|
|
}
|
|
|
|
supportedScopes[ScopeOffline] = &i18n.Message{
|
|
|
|
ID: "Scope-offline-Description",
|
|
|
|
Other: "Keep access to your information until you revoke the permission.",
|
|
|
|
}
|
|
|
|
supportedScopes[ScopeOfflineAccess] = supportedScopes[ScopeOffline]
|
|
|
|
supportedScopes[ScopeProfile] = &i18n.Message{
|
|
|
|
ID: "Scope-profile-Description",
|
|
|
|
Other: "Access your user profile information (your name).",
|
|
|
|
}
|
|
|
|
supportedScopes[ScopeEmail] = &i18n.Message{
|
|
|
|
ID: "Scope-email-Description",
|
|
|
|
Other: "Access your email address.",
|
|
|
|
}
|
|
|
|
|
|
|
|
supportedClaims = make(map[string]*i18n.Message)
|
|
|
|
supportedClaims[openid.SubjectKey] = nil
|
|
|
|
supportedClaims[openid.EmailKey] = nil
|
|
|
|
supportedClaims[openid.EmailVerifiedKey] = nil
|
|
|
|
supportedClaims[openid.GivenNameKey] = nil
|
|
|
|
supportedClaims[openid.FamilyNameKey] = nil
|
|
|
|
supportedClaims[openid.MiddleNameKey] = nil
|
|
|
|
supportedClaims[openid.NameKey] = nil
|
|
|
|
supportedClaims[openid.BirthdateKey] = nil
|
|
|
|
supportedClaims[openid.ZoneinfoKey] = nil
|
|
|
|
supportedClaims[openid.LocaleKey] = nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (i *UserInfo) GetFullName() string {
|
|
|
|
return i.CommonName
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
2021-09-11 11:35:15 +00:00
|
|
|
challenge := r.URL.Query().Get("consent_challenge")
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithField("consent_challenge", challenge).Debug("received consent challenge")
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
accept := r.Header.Get("Accept-Language")
|
|
|
|
localizer := i18n.NewLocalizer(h.bundle, accept)
|
|
|
|
|
|
|
|
// retrieve consent information
|
|
|
|
consentData, requestedClaims, err := h.getRequestedConsentInformation(challenge, r)
|
|
|
|
if err != nil {
|
|
|
|
// error is already handled in getRequestConsentInformation
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
switch r.Method {
|
|
|
|
case http.MethodGet:
|
2023-05-13 11:27:19 +00:00
|
|
|
if err := h.renderConsentForm(w, r, consentData, requestedClaims, localizer); err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).Error("could not render consent form")
|
2023-05-13 11:27:19 +00:00
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
2021-09-11 11:35:15 +00:00
|
|
|
case http.MethodPost:
|
|
|
|
var consentInfo ConsentInformation
|
|
|
|
|
|
|
|
// validate input
|
|
|
|
decoder := form.NewDecoder()
|
|
|
|
if err := decoder.Decode(&consentInfo, r.Form); err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).Error("could not decode consent form")
|
2023-05-13 11:27:19 +00:00
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if consentInfo.ConsentChecked {
|
|
|
|
sessionData, err := h.getSessionData(r, consentInfo, requestedClaims, consentData.Payload)
|
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).Error("could not get session data")
|
2021-09-11 11:35:15 +00:00
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
consentRequest, err := h.adminClient.AcceptConsentRequest(
|
|
|
|
admin.NewAcceptConsentRequestParams().WithConsentChallenge(challenge).WithBody(
|
2023-07-29 19:15:11 +00:00
|
|
|
&hydra.AcceptConsentRequest{
|
2021-09-11 11:35:15 +00:00
|
|
|
GrantAccessTokenAudience: nil,
|
|
|
|
GrantScope: consentInfo.GrantedScopes,
|
2023-07-29 19:15:11 +00:00
|
|
|
HandledAt: hydra.NullTime(time.Now()),
|
2021-09-11 11:35:15 +00:00
|
|
|
Remember: true,
|
2023-05-13 11:27:19 +00:00
|
|
|
RememberFor: OneDayInSeconds,
|
2021-09-11 11:35:15 +00:00
|
|
|
Session: sessionData,
|
2023-05-13 11:27:19 +00:00
|
|
|
}).WithTimeout(TimeoutTen))
|
2021-09-11 11:35:15 +00:00
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).Error("accept consent request failed")
|
2021-09-11 11:35:15 +00:00
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
w.Header().Add("Location", *consentRequest.GetPayload().RedirectTo)
|
|
|
|
w.WriteHeader(http.StatusFound)
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return
|
2023-05-13 11:27:19 +00:00
|
|
|
}
|
2021-09-11 11:35:15 +00:00
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
consentRequest, err := h.adminClient.RejectConsentRequest(
|
|
|
|
admin.NewRejectConsentRequestParams().WithConsentChallenge(challenge).WithBody(
|
2023-07-29 19:15:11 +00:00
|
|
|
&hydra.RejectRequest{}))
|
2023-05-13 11:27:19 +00:00
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).Error("reject consent request failed")
|
2023-05-13 11:27:19 +00:00
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
return
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
|
|
|
w.Header().Add("Location", *consentRequest.GetPayload().RedirectTo)
|
|
|
|
w.WriteHeader(http.StatusFound)
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) getRequestedConsentInformation(challenge string, r *http.Request) (
|
2021-09-11 11:35:15 +00:00
|
|
|
*admin.GetConsentRequestOK,
|
2023-07-29 19:15:11 +00:00
|
|
|
*models.OIDCClaimsRequest,
|
2021-09-11 11:35:15 +00:00
|
|
|
error,
|
|
|
|
) {
|
|
|
|
consentData, err := h.adminClient.GetConsentRequest(
|
|
|
|
admin.NewGetConsentRequestParams().WithConsentChallenge(challenge))
|
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).Error("error getting consent information")
|
2023-05-13 11:27:19 +00:00
|
|
|
|
|
|
|
if errorBucket := GetErrorBucket(r); errorBucket != nil {
|
|
|
|
errorDetails := &ErrorDetails{
|
|
|
|
ErrorMessage: "could not get consent details",
|
|
|
|
ErrorDetails: []string{http.StatusText(http.StatusInternalServerError)},
|
|
|
|
}
|
|
|
|
|
|
|
|
errorBucket.AddError(errorDetails)
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
|
|
|
return nil, nil, fmt.Errorf("error getting consent information: %w", err)
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2023-07-29 19:15:11 +00:00
|
|
|
var requestedClaims models.OIDCClaimsRequest
|
2023-05-13 11:27:19 +00:00
|
|
|
|
|
|
|
requestURL, err := url.Parse(consentData.Payload.RequestURL)
|
2021-09-11 11:35:15 +00:00
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).WithField(
|
|
|
|
"request_url", consentData.Payload.RequestURL,
|
|
|
|
).Warn("could not parse original request URL")
|
2021-09-11 11:35:15 +00:00
|
|
|
} else {
|
2023-05-13 11:27:19 +00:00
|
|
|
claimsParameter := requestURL.Query().Get("claims")
|
2021-09-11 11:35:15 +00:00
|
|
|
if claimsParameter != "" {
|
|
|
|
decoder := json.NewDecoder(strings.NewReader(claimsParameter))
|
|
|
|
err := decoder.Decode(&requestedClaims)
|
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).WithField(
|
|
|
|
"claims_parameter", claimsParameter,
|
|
|
|
).Warn("ignoring claims request parameter that could not be decoded")
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return consentData, &requestedClaims, nil
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) renderConsentForm(
|
2021-09-11 11:35:15 +00:00
|
|
|
w http.ResponseWriter,
|
|
|
|
r *http.Request,
|
|
|
|
consentData *admin.GetConsentRequestOK,
|
2023-07-29 19:15:11 +00:00
|
|
|
claims *models.OIDCClaimsRequest,
|
2021-09-11 11:35:15 +00:00
|
|
|
localizer *i18n.Localizer,
|
2023-05-13 11:27:19 +00:00
|
|
|
) error {
|
2021-09-11 11:35:15 +00:00
|
|
|
trans := func(id string, values ...map[string]interface{}) string {
|
|
|
|
if len(values) > 0 {
|
|
|
|
return h.messageCatalog.LookupMessage(id, values[0], localizer)
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return h.messageCatalog.LookupMessage(id, nil, localizer)
|
|
|
|
}
|
|
|
|
|
|
|
|
// render consent form
|
|
|
|
client := consentData.GetPayload().Client
|
2023-05-13 11:27:19 +00:00
|
|
|
err := h.consentTemplate.Lookup("base").Execute(w, map[string]interface{}{
|
2021-09-11 11:35:15 +00:00
|
|
|
"Title": trans("TitleRequestConsent"),
|
|
|
|
csrf.TemplateTag: csrf.TemplateField(r),
|
|
|
|
"errors": map[string]string{},
|
|
|
|
"client": client,
|
|
|
|
"requestedScope": h.mapRequestedScope(consentData.GetPayload().RequestedScope, localizer),
|
|
|
|
"requestedClaims": h.mapRequestedClaims(claims, localizer),
|
|
|
|
"LabelSubmit": trans("LabelSubmit"),
|
|
|
|
"LabelConsent": trans("LabelConsent"),
|
2023-05-13 11:27:19 +00:00
|
|
|
"IntroMoreInformation": template.HTML( //nolint:gosec
|
|
|
|
trans("IntroConsentMoreInformation", map[string]interface{}{
|
|
|
|
"client": client.ClientName,
|
|
|
|
"clientLink": client.ClientURI,
|
|
|
|
})),
|
|
|
|
"ClaimsInformation": template.HTML( //nolint:gosec
|
|
|
|
trans("ClaimsInformation", nil)),
|
|
|
|
"IntroConsentRequested": template.HTML( //nolint:gosec
|
|
|
|
trans("IntroConsentRequested", map[string]interface{}{
|
|
|
|
"client": client.ClientName,
|
|
|
|
})),
|
2021-09-11 11:35:15 +00:00
|
|
|
})
|
2023-05-13 11:27:19 +00:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("rendering failed: %w", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
type scopeWithLabel struct {
|
|
|
|
Name string
|
|
|
|
Label string
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) mapRequestedScope(
|
2023-07-29 19:15:11 +00:00
|
|
|
scope hydra.StringSlicePipeDelimiter,
|
2023-05-13 11:27:19 +00:00
|
|
|
localizer *i18n.Localizer,
|
|
|
|
) []*scopeWithLabel {
|
2021-09-11 11:35:15 +00:00
|
|
|
result := make([]*scopeWithLabel, 0)
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
for _, scopeName := range scope {
|
|
|
|
if _, ok := supportedScopes[scopeName]; !ok {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithField("scope", scopeName).Warn("ignoring unsupported scope")
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
continue
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
label, err := localizer.Localize(&i18n.LocalizeConfig{
|
|
|
|
DefaultMessage: supportedScopes[scopeName],
|
|
|
|
})
|
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).WithField("scope", scopeName).Warn("could not localize scope label")
|
2021-09-11 11:35:15 +00:00
|
|
|
label = scopeName
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
result = append(result, &scopeWithLabel{Name: scopeName, Label: label})
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
type claimWithLabel struct {
|
|
|
|
Name string
|
|
|
|
Label string
|
|
|
|
Essential bool
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) mapRequestedClaims(
|
2023-07-29 19:15:11 +00:00
|
|
|
claims *models.OIDCClaimsRequest,
|
2023-05-13 11:27:19 +00:00
|
|
|
localizer *i18n.Localizer,
|
|
|
|
) []*claimWithLabel {
|
2021-09-11 11:35:15 +00:00
|
|
|
result := make([]*claimWithLabel, 0)
|
|
|
|
known := make(map[string]bool)
|
|
|
|
|
2023-07-29 19:15:11 +00:00
|
|
|
for _, claimElement := range []*models.ClaimElement{claims.GetUserInfo(), claims.GetIDToken()} {
|
2021-09-11 11:35:15 +00:00
|
|
|
if claimElement != nil {
|
|
|
|
for k, v := range *claimElement {
|
|
|
|
if _, ok := supportedClaims[k]; !ok {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithField("claim", k).Warn("ignoring unsupported claim")
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
continue
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
label, err := localizer.Localize(&i18n.LocalizeConfig{
|
|
|
|
DefaultMessage: supportedClaims[k],
|
|
|
|
})
|
|
|
|
if err != nil {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithError(err).WithField("claim", k).Warn("could not localize claim label")
|
2021-09-11 11:35:15 +00:00
|
|
|
label = k
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
if !known[k] {
|
|
|
|
result = append(result, &claimWithLabel{
|
|
|
|
Name: k,
|
|
|
|
Label: label,
|
|
|
|
Essential: v.IsEssential(),
|
|
|
|
})
|
|
|
|
known[k] = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) getSessionData(
|
2021-09-11 11:35:15 +00:00
|
|
|
r *http.Request,
|
|
|
|
info ConsentInformation,
|
2023-07-29 19:15:11 +00:00
|
|
|
claims *models.OIDCClaimsRequest,
|
|
|
|
payload *hydra.ConsentRequest,
|
|
|
|
) (*hydra.ConsentRequestSession, error) {
|
2021-09-11 11:35:15 +00:00
|
|
|
idTokenData := make(map[string]interface{}, 0)
|
|
|
|
accessTokenData := make(map[string]interface{}, 0)
|
|
|
|
|
|
|
|
userInfo := h.GetUserInfoFromClientCertificate(r, payload.Subject)
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
if err := h.fillTokenData(accessTokenData, payload.RequestedScope, claims, info, userInfo); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := h.fillTokenData(idTokenData, payload.RequestedScope, claims, info, userInfo); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2023-07-29 19:15:11 +00:00
|
|
|
return &hydra.ConsentRequestSession{
|
2021-09-11 11:35:15 +00:00
|
|
|
AccessToken: accessTokenData,
|
|
|
|
IDToken: idTokenData,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) fillTokenData(
|
2021-09-11 11:35:15 +00:00
|
|
|
m map[string]interface{},
|
2023-07-29 19:15:11 +00:00
|
|
|
requestedScope hydra.StringSlicePipeDelimiter,
|
|
|
|
claimsRequest *models.OIDCClaimsRequest,
|
2021-09-11 11:35:15 +00:00
|
|
|
consentInformation ConsentInformation,
|
|
|
|
userInfo *UserInfo,
|
2023-05-13 11:27:19 +00:00
|
|
|
) error {
|
2021-09-11 11:35:15 +00:00
|
|
|
for _, scope := range requestedScope {
|
|
|
|
granted := false
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
for _, k := range consentInformation.GrantedScopes {
|
|
|
|
if k == scope {
|
|
|
|
granted = true
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
if !granted {
|
|
|
|
continue
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
switch scope {
|
|
|
|
case ScopeEmail:
|
|
|
|
// email
|
|
|
|
// OPTIONAL. This scope value requests access to the email and
|
|
|
|
// email_verified Claims.
|
|
|
|
m[openid.EmailKey] = userInfo.Email
|
|
|
|
m[openid.EmailVerifiedKey] = userInfo.EmailVerified
|
|
|
|
case ScopeProfile:
|
|
|
|
// profile
|
|
|
|
// OPTIONAL. This scope value requests access to the
|
|
|
|
// End-User's default profile Claims, which are: name,
|
|
|
|
// family_name, given_name, middle_name, nickname,
|
|
|
|
// preferred_username, profile, picture, website, gender,
|
|
|
|
// birthdate, zoneinfo, locale, and updated_at.
|
|
|
|
m[openid.NameKey] = userInfo.GetFullName()
|
|
|
|
}
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
if userInfoClaims := claimsRequest.GetUserInfo(); userInfoClaims != nil {
|
2023-05-13 11:27:19 +00:00
|
|
|
err := h.parseUserInfoClaims(m, userInfoClaims, consentInformation)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *ConsentHandler) parseUserInfoClaims(
|
|
|
|
m map[string]interface{},
|
2023-07-29 19:15:11 +00:00
|
|
|
userInfoClaims *models.ClaimElement,
|
2023-05-13 11:27:19 +00:00
|
|
|
consentInformation ConsentInformation,
|
|
|
|
) error {
|
|
|
|
for claimName, claim := range *userInfoClaims {
|
|
|
|
granted := false
|
|
|
|
|
|
|
|
for _, k := range consentInformation.SelectedClaims {
|
|
|
|
if k == claimName {
|
|
|
|
granted = true
|
|
|
|
|
|
|
|
break
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if !granted {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
wantedValue, err := claim.WantedValue()
|
|
|
|
if err != nil {
|
2023-07-29 19:15:11 +00:00
|
|
|
if !errors.Is(err, models.ErrNoValue) {
|
2023-05-13 11:27:19 +00:00
|
|
|
return fmt.Errorf("error handling claim: %w", err)
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
|
|
|
if wantedValue != "" {
|
|
|
|
m[claimName] = wantedValue
|
|
|
|
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if claim.IsEssential() {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithField("claim", claimName).Warn("handling for essential claim not implemented")
|
2023-05-13 11:27:19 +00:00
|
|
|
} else {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithField("claim", claimName).Warn("handling for claim not implemented")
|
2023-05-13 11:27:19 +00:00
|
|
|
}
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
|
|
|
return nil
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func (h *ConsentHandler) GetUserInfoFromClientCertificate(r *http.Request, subject string) *UserInfo {
|
2021-09-11 11:35:15 +00:00
|
|
|
if r.TLS != nil && r.TLS.PeerCertificates != nil && len(r.TLS.PeerCertificates) > 0 {
|
|
|
|
firstCert := r.TLS.PeerCertificates[0]
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
var verified bool
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
for _, email := range firstCert.EmailAddresses {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithField(
|
|
|
|
"email", email,
|
|
|
|
).Info("authenticated with client certificate for email address")
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
if subject == email {
|
|
|
|
verified = true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !verified {
|
2023-07-29 18:32:02 +00:00
|
|
|
h.logger.WithField(
|
|
|
|
"subject", subject,
|
|
|
|
).Warn("authentication attempt with a wrong certificate that did not contain the requested address")
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return &UserInfo{
|
|
|
|
Email: subject,
|
|
|
|
EmailVerified: verified,
|
|
|
|
CommonName: firstCert.Subject.CommonName,
|
|
|
|
}
|
|
|
|
}
|
2023-05-13 11:27:19 +00:00
|
|
|
|
2021-09-11 11:35:15 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
func NewConsentHandler(
|
|
|
|
logger *log.Logger,
|
|
|
|
bundle *i18n.Bundle,
|
|
|
|
messageCatalog *services.MessageCatalog,
|
|
|
|
adminClient admin.ClientService,
|
|
|
|
) *ConsentHandler {
|
2022-08-22 16:50:59 +00:00
|
|
|
consentTemplate := template.Must(
|
|
|
|
template.ParseFS(
|
|
|
|
ui.Templates,
|
|
|
|
"templates/base.gohtml",
|
|
|
|
"templates/consent.gohtml",
|
|
|
|
))
|
2021-09-11 11:35:15 +00:00
|
|
|
|
2023-05-13 11:27:19 +00:00
|
|
|
return &ConsentHandler{
|
|
|
|
adminClient: adminClient,
|
|
|
|
bundle: bundle,
|
2021-09-11 11:35:15 +00:00
|
|
|
consentTemplate: consentTemplate,
|
|
|
|
logger: logger,
|
2023-05-13 11:27:19 +00:00
|
|
|
messageCatalog: messageCatalog,
|
|
|
|
}
|
2021-09-11 11:35:15 +00:00
|
|
|
}
|