|
|
|
@ -113,7 +113,7 @@ func (i *UserInfo) GetFullName() string {
|
|
|
|
|
func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
challenge := r.URL.Query().Get("consent_challenge")
|
|
|
|
|
|
|
|
|
|
h.logger.Debugf("received consent challenge %s", challenge)
|
|
|
|
|
h.logger.WithField("consent_challenge", challenge).Debug("received consent challenge")
|
|
|
|
|
|
|
|
|
|
accept := r.Header.Get("Accept-Language")
|
|
|
|
|
localizer := i18n.NewLocalizer(h.bundle, accept)
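Review bot: The consent challenge is still written to the log in full at `h.logger.WithField("consent_challenge", challenge)`; it is the one-time credential that drives the accept/reject admin calls later in this function, so anyone with read access to the log sink can replay it against the admin API. Logging a truncated prefix or a hash is enough to correlate requests, e.g. `WithField("consent_challenge", fmt.Sprintf("%.8s…", challenge))`. A missing or empty `consent_challenge` query parameter is not rejected here either; if no later check does it (ServeHTTP continues past the hunk), an early `http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)` saves an admin round-trip on junk requests.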
|
|
|
|
@ -128,7 +128,7 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
switch r.Method {
|
|
|
|
|
case http.MethodGet:
|
|
|
|
|
if err := h.renderConsentForm(w, r, consentData, requestedClaims, localizer); err != nil {
|
|
|
|
|
h.logger.Error(err)
|
|
|
|
|
h.logger.WithError(err).Error("could not render consent form")
|
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
|
|
return
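Review bot: If `renderConsentForm` has already started writing to `w` when it fails, the `http.Error` that follows appends a 500 message to a partially sent 200 body instead of replacing it. Rendering into a `bytes.Buffer` and copying to `w` only on success avoids the split response. Whether a mid-write failure can actually happen depends on renderConsentForm, which is outside this hunk.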
|
|
|
|
@ -139,7 +139,7 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
// validate input
|
|
|
|
|
decoder := form.NewDecoder()
|
|
|
|
|
if err := decoder.Decode(&consentInfo, r.Form); err != nil {
|
|
|
|
|
h.logger.Error(err)
|
|
|
|
|
h.logger.WithError(err).Error("could not decode consent form")
|
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
|
|
return
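Review bot: A form-decoding failure is a malformed client submission, not a server fault, so the `http.StatusInternalServerError` at the end of this hunk should be `http.StatusBadRequest`; as written, a bad POST body both returns 500 and raises an Error-level log line that any client can trigger at will. `http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)` with the log at `Warn` keeps Error-level alerts meaningful. The `// validate input` comment also overstates what `form.NewDecoder().Decode` does: it maps fields, it does not validate them, so any required-field or consistency checks on consentInfo happen past the hunk, if at all. Note that `r.Form` is only populated after `r.ParseForm()`, which must have run earlier in the function.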
|
|
|
|
@ -148,7 +148,7 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if consentInfo.ConsentChecked {
|
|
|
|
|
sessionData, err := h.getSessionData(r, consentInfo, requestedClaims, consentData.Payload)
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Errorf("could not get session data: %v", err)
|
|
|
|
|
h.logger.WithError(err).Error("could not get session data")
|
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
@ -165,7 +165,7 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
Session: sessionData,
|
|
|
|
|
}).WithTimeout(TimeoutTen))
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Error(err)
|
|
|
|
|
h.logger.WithError(err).Error("accept consent request failed")
|
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
|
|
return
|
|
|
|
@ -181,7 +181,7 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
admin.NewRejectConsentRequestParams().WithConsentChallenge(challenge).WithBody(
|
|
|
|
|
&models.RejectRequest{}))
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Error(err)
|
|
|
|
|
h.logger.WithError(err).Error("reject consent request failed")
|
|
|
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
|
|
|
|
|
|
return
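Review bot: The rejection is sent with an empty `&models.RejectRequest{}`, so the relying party receives whatever default the authorization server substitutes rather than an explicit OAuth2 error; when the user declines consent the client expects `Error: "access_denied"` with a short `ErrorDescription` (field names per the generated client's usual shape — verify against the model). Unlike the accept call earlier in this function, this request also carries no `.WithTimeout(TimeoutTen)`, so a stalled admin endpoint holds the handler open indefinitely.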
|
|
|
|
@ -200,7 +200,7 @@ func (h *ConsentHandler) getRequestedConsentInformation(challenge string, r *htt
|
|
|
|
|
consentData, err := h.adminClient.GetConsentRequest(
|
|
|
|
|
admin.NewGetConsentRequestParams().WithConsentChallenge(challenge))
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Errorf("error getting consent information: %v", err)
|
|
|
|
|
h.logger.WithError(err).Error("error getting consent information")
|
|
|
|
|
|
|
|
|
|
if errorBucket := GetErrorBucket(r); errorBucket != nil {
|
|
|
|
|
errorDetails := &ErrorDetails{
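Review bot: `GetConsentRequest` is built without `.WithTimeout(TimeoutTen)`, unlike the accept call in ServeHTTP, so a slow or hung admin API pins this goroutine for as long as the client's default allows; change it to `admin.NewGetConsentRequestParams().WithConsentChallenge(challenge).WithTimeout(TimeoutTen)`. The challenge is client-supplied, so a lookup failure is most often a bogus or replayed challenge, and logging it at Error lets an unauthenticated caller flood the error log — Warn is more proportionate, with Error reserved for transport failures if the returned error lets you tell them apart. The function continues past the hunk.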
|
|
|
|
@ -218,18 +218,18 @@ func (h *ConsentHandler) getRequestedConsentInformation(challenge string, r *htt
|
|
|
|
|
|
|
|
|
|
requestURL, err := url.Parse(consentData.Payload.RequestURL)
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Warnf("could not parse original request URL %s: %v", consentData.Payload.RequestURL, err)
|
|
|
|
|
h.logger.WithError(err).WithField(
|
|
|
|
|
"request_url", consentData.Payload.RequestURL,
|
|
|
|
|
).Warn("could not parse original request URL")
|
|
|
|
|
} else {
|
|
|
|
|
claimsParameter := requestURL.Query().Get("claims")
|
|
|
|
|
if claimsParameter != "" {
|
|
|
|
|
decoder := json.NewDecoder(strings.NewReader(claimsParameter))
|
|
|
|
|
err := decoder.Decode(&requestedClaims)
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Warnf(
|
|
|
|
|
"ignoring claims request parameter %s that could not be decoded: %v",
|
|
|
|
|
claimsParameter,
|
|
|
|
|
err,
|
|
|
|
|
)
|
|
|
|
|
h.logger.WithError(err).WithField(
|
|
|
|
|
"claims_parameter", claimsParameter,
|
|
|
|
|
).Warn("ignoring claims request parameter that could not be decoded")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
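Review bot: The "ignoring claims request parameter" message after the decode failure is not guaranteed to be true: `json.Decoder.Decode` into `requestedClaims` can leave it partially populated when the error is a type mismatch rather than a syntax error, and `Decode` also accepts a valid JSON value followed by trailing junk. Reset the target on failure (`requestedClaims = nil`, or the zero value of whatever type it is declared with outside the hunk) and prefer `json.Unmarshal([]byte(claimsParameter), &requestedClaims)`, which rejects trailing data. The `claims` value comes from the client's authorization request URL, so it is attacker-controlled; consider bounding its length before parsing, since it is also written verbatim into the `claims_parameter` log field.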
|
|
|
|
@ -296,7 +296,7 @@ func (h *ConsentHandler) mapRequestedScope(
|
|
|
|
|
|
|
|
|
|
for _, scopeName := range scope {
|
|
|
|
|
if _, ok := supportedScopes[scopeName]; !ok {
|
|
|
|
|
h.logger.Warnf("unsupported scope %s ignored", scopeName)
|
|
|
|
|
h.logger.WithField("scope", scopeName).Warn("ignoring unsupported scope")
|
|
|
|
|
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
@ -305,7 +305,7 @@ func (h *ConsentHandler) mapRequestedScope(
|
|
|
|
|
DefaultMessage: supportedScopes[scopeName],
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Warnf("could not localize label for scope %s: %v", scopeName, err)
|
|
|
|
|
h.logger.WithError(err).WithField("scope", scopeName).Warn("could not localize scope label")
|
|
|
|
|
label = scopeName
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -332,7 +332,7 @@ func (h *ConsentHandler) mapRequestedClaims(
|
|
|
|
|
if claimElement != nil {
|
|
|
|
|
for k, v := range *claimElement {
|
|
|
|
|
if _, ok := supportedClaims[k]; !ok {
|
|
|
|
|
h.logger.Warnf("unsupported claim %s ignored", k)
|
|
|
|
|
h.logger.WithField("claim", k).Warn("ignoring unsupported claim")
|
|
|
|
|
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
@ -341,7 +341,7 @@ func (h *ConsentHandler) mapRequestedClaims(
|
|
|
|
|
DefaultMessage: supportedClaims[k],
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.logger.Warnf("could not localize label for claim %s: %v", k, err)
|
|
|
|
|
h.logger.WithError(err).WithField("claim", k).Warn("could not localize claim label")
|
|
|
|
|
label = k
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -469,15 +469,9 @@ func (h *ConsentHandler) parseUserInfoClaims(
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if claim.IsEssential() {
|
|
|
|
|
h.logger.Warnf(
|
|
|
|
|
"handling for essential claim name %s not implemented",
|
|
|
|
|
claimName,
|
|
|
|
|
)
|
|
|
|
|
h.logger.WithField("claim", claimName).Warn("handling for essential claim not implemented")
|
|
|
|
|
} else {
|
|
|
|
|
h.logger.Warnf(
|
|
|
|
|
"handling for claim name %s not implemented",
|
|
|
|
|
claimName,
|
|
|
|
|
)
|
|
|
|
|
h.logger.WithField("claim", claimName).Warn("handling for claim not implemented")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -491,7 +485,9 @@ func (h *ConsentHandler) GetUserInfoFromClientCertificate(r *http.Request, subje
|
|
|
|
|
var verified bool
|
|
|
|
|
|
|
|
|
|
for _, email := range firstCert.EmailAddresses {
|
|
|
|
|
h.logger.Infof("authenticated with a client certificate for email address %s", email)
|
|
|
|
|
h.logger.WithField(
|
|
|
|
|
"email", email,
|
|
|
|
|
).Info("authenticated with client certificate for email address")
|
|
|
|
|
|
|
|
|
|
if subject == email {
|
|
|
|
|
verified = true
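Review bot: The Info line `authenticated with client certificate for email address` fires for every SAN email in the certificate before the `subject == email` comparison has decided anything, so the audit log records a successful authentication even for certificates the function goes on to reject. Move the Info log inside `if subject == email {` and demote the per-address line to Debug, e.g. `h.logger.WithField("email", email).Debug("client certificate lists email address")`. The comparison is byte-exact; whether the domain part should be matched case-insensitively (`strings.EqualFold`) depends on how `subject` is produced upstream, which isn't visible here. The function starts before this hunk.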
|
|
|
|
@ -499,10 +495,9 @@ func (h *ConsentHandler) GetUserInfoFromClientCertificate(r *http.Request, subje
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !verified {
|
|
|
|
|
h.logger.Warnf(
|
|
|
|
|
"authentication attempt with a wrong certificate that did not contain the requested address %s",
|
|
|
|
|
subject,
|
|
|
|
|
)
|
|
|
|
|
h.logger.WithField(
|
|
|
|
|
"subject", subject,
|
|
|
|
|
).Warn("authentication attempt with a wrong certificate that did not contain the requested address")
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|