@ -32,13 +32,13 @@ import (
"github.com/lestrrat-go/jwx/jwt/openid"
"github.com/nicksnyder/go-i18n/v2/i18n"
"github.com/ory/hydra-client-go/client/admin"
"github.com/ory/hydra-client-go/models"
hydra "github.com/ory/hydra-client-go/models"
log "github.com/sirupsen/logrus"
commonModels "code.cacert.org/cacert/oidc_idp/internal/models"
"code.cacert.org/cacert/oidc_idp/ui"
"code.cacert.org/cacert/oidc-idp/internal/models"
"code.cacert.org/cacert/oidc-idp/ui"
"code.cacert.org/cacert/oidc_idp/internal/services"
"code.cacert.org/cacert/oidc-idp/internal/services"
)
type ConsentHandler struct {
@ -156,10 +156,10 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
consentRequest, err := h.adminClient.AcceptConsentRequest(
admin.NewAcceptConsentRequestParams().WithConsentChallenge(challenge).WithBody(
&models.AcceptConsentRequest{
&hydra.AcceptConsentRequest{
GrantAccessTokenAudience: nil,
GrantScope: consentInfo.GrantedScopes,
HandledAt: models.NullTime(time.Now()),
HandledAt: hydra.NullTime(time.Now()),
Remember: true,
RememberFor: OneDayInSeconds,
Session: sessionData,
@ -179,7 +179,7 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
consentRequest, err := h.adminClient.RejectConsentRequest(
admin.NewRejectConsentRequestParams().WithConsentChallenge(challenge).WithBody(
&models.RejectRequest{}))
&hydra.RejectRequest{}))
if err != nil {
h.logger.WithError(err).Error("reject consent request failed")
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
@ -194,7 +194,7 @@ func (h *ConsentHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
func (h *ConsentHandler) getRequestedConsentInformation(challenge string, r *http.Request) (
*admin.GetConsentRequestOK,
*commonModels.OIDCClaimsRequest,
*models.OIDCClaimsRequest,
error,
) {
consentData, err := h.adminClient.GetConsentRequest(
@ -214,7 +214,7 @@ func (h *ConsentHandler) getRequestedConsentInformation(challenge string, r *htt
return nil, nil, fmt.Errorf("error getting consent information: %w", err)
}
var requestedClaims commonModels.OIDCClaimsRequest
var requestedClaims models.OIDCClaimsRequest
requestURL, err := url.Parse(consentData.Payload.RequestURL)
if err != nil {
@ -241,7 +241,7 @@ func (h *ConsentHandler) renderConsentForm(
w http.ResponseWriter,
r *http.Request,
consentData *admin.GetConsentRequestOK,
claims *commonModels.OIDCClaimsRequest,
claims *models.OIDCClaimsRequest,
localizer *i18n.Localizer,
) error {
trans := func(id string, values ...map[string]interface{}) string {
@ -289,7 +289,7 @@ type scopeWithLabel struct {
}
func (h *ConsentHandler) mapRequestedScope(
scope models.StringSlicePipeDelimiter,
scope hydra.StringSlicePipeDelimiter,
localizer *i18n.Localizer,
) []*scopeWithLabel {
result := make([]*scopeWithLabel, 0)
@ -322,13 +322,13 @@ type claimWithLabel struct {
}
func (h *ConsentHandler) mapRequestedClaims(
claims *commonModels.OIDCClaimsRequest,
claims *models.OIDCClaimsRequest,
localizer *i18n.Localizer,
) []*claimWithLabel {
result := make([]*claimWithLabel, 0)
known := make(map[string]bool)
for _, claimElement := range []*commonModels.ClaimElement{claims.GetUserInfo(), claims.GetIDToken()} {
for _, claimElement := range []*models.ClaimElement{claims.GetUserInfo(), claims.GetIDToken()} {
if claimElement != nil {
for k, v := range *claimElement {
if _, ok := supportedClaims[k]; !ok {
@ -363,9 +363,9 @@ func (h *ConsentHandler) mapRequestedClaims(
func (h *ConsentHandler) getSessionData(
r *http.Request,
info ConsentInformation,
claims *commonModels.OIDCClaimsRequest,
payload *models.ConsentRequest,
) (*models.ConsentRequestSession, error) {
claims *models.OIDCClaimsRequest,
payload *hydra.ConsentRequest,
) (*hydra.ConsentRequestSession, error) {
idTokenData := make(map[string]interface{}, 0)
accessTokenData := make(map[string]interface{}, 0)
@ -379,7 +379,7 @@ func (h *ConsentHandler) getSessionData(
return nil, err
}
return &models.ConsentRequestSession{
return &hydra.ConsentRequestSession{
AccessToken: accessTokenData,
IDToken: idTokenData,
}, nil
@ -387,8 +387,8 @@ func (h *ConsentHandler) getSessionData(
func (h *ConsentHandler) fillTokenData(
m map[string]interface{},
requestedScope models.StringSlicePipeDelimiter,
claimsRequest *commonModels.OIDCClaimsRequest,
requestedScope hydra.StringSlicePipeDelimiter,
claimsRequest *models.OIDCClaimsRequest,
consentInformation ConsentInformation,
userInfo *UserInfo,
) error {
@ -437,7 +437,7 @@ func (h *ConsentHandler) fillTokenData(
func (h *ConsentHandler) parseUserInfoClaims(
m map[string]interface{},
userInfoClaims *commonModels.ClaimElement,
userInfoClaims *models.ClaimElement,
consentInformation ConsentInformation,
) error {
for claimName, claim := range *userInfoClaims {
@ -457,7 +457,7 @@ func (h *ConsentHandler) parseUserInfoClaims(
wantedValue, err := claim.WantedValue()
if err != nil {
if !errors.Is(err, commonModels.ErrNoValue) {
if !errors.Is(err, models.ErrNoValue) {
return fmt.Errorf("error handling claim: %w", err)
}
}