
     1  package client
     2  
     3  import (
     4  	"context"
     5  
     6  	"github.com/ory/fosite"
     7  	"github.com/ory/x/errorsx"
     8  
     9  	"edge-infra.dev/pkg/edge/iam/prometheus"
    10  	"edge-infra.dev/pkg/edge/iam/session"
    11  	"edge-infra.dev/pkg/edge/iam/util"
    12  )
    13  
// clientCredentials is the OAuth2 grant_type value this handler serves
// (RFC 6749 §4.4). It is also the label under which the handler counts
// requests and sign-ins in its metrics.
const (
	clientCredentials = "client_credentials"
)
    15  
// RolesHandler is a fosite token-endpoint handler for the client_credentials
// grant. After fosite has authenticated the calling client, it looks up the
// client's IAM profile and stamps the client's roles and subject onto the
// session (see HandleTokenEndpointRequest).
type RolesHandler struct {
	// ClientStorage resolves an authenticated client ID to its IAM profile
	// (the source of the roles). It is dereferenced on every handled request,
	// so it must be non-nil.
	ClientStorage Storage
	// metrics receives the request and sign-in counters. The field is
	// unexported, so only this package can set it; a RolesHandler built with
	// a struct literal from outside leaves it nil.
	// NOTE(review): confirm the Metrics methods tolerate a nil receiver,
	// otherwise HandleTokenEndpointRequest panics on the first request.
	metrics       *prometheus.Metrics
}
    20  
// CanHandleTokenEndpointRequest reports whether the request is a
// client_credentials grant. Only requests whose grant_type is exactly
// "client_credentials" — that single value and nothing else — are claimed;
// every other request is left to the remaining fosite handlers.
func (h *RolesHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool {
	grantTypes := requester.GetGrantTypes()
	return grantTypes.ExactOne(clientCredentials)
}
    24  
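// HandleTokenEndpointRequest enriches the session of a client_credentials token
// request with the authenticated client's IAM roles and subject.
//
// fosite invokes this only after it has authenticated the client itself
// (CanSkipClientAuth returns false), so requester.GetClient() is the verified
// caller. The client's roles are loaded from ClientStorage, serialized with
// util.Serialize and stored on the session via SetRls; the client ID becomes
// the session subject.
//
// Errors returned:
//   - fosite.ErrUnknownRequest when the grant type is not client_credentials;
//   - fosite.ErrInvalidRequest when the client's IAM profile cannot be loaded;
//   - fosite.ErrServerError when the roles cannot be serialized.
//
// Internal error details are attached with WithDebug, which fosite forwards to
// the client only when debug messages are explicitly enabled. They are kept out
// of the hint, which is always part of the OAuth2 error response and must not
// leak server internals. Failures here are not recorded as failed sign-ins;
// PopulateTokenEndpointResponse only counts successes.
func (h *RolesHandler) HandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) error {
	if !h.CanHandleTokenEndpointRequest(requester) {
		return errorsx.WithStack(fosite.ErrUnknownRequest)
	}

	h.metrics.IncHTTPRequestsTotal(clientCredentials)

	// For machine-to-machine tokens the client ID doubles as the subject.
	subject := requester.GetClient().GetID()

	clientProfile, err := h.ClientStorage.GetIAMClient(ctx, subject)
	if err != nil {
		// NOTE(review): every storage error, including a transient backend
		// failure, is reported to the caller as "client was not found". The
		// cause is kept on the debug channel so operators can tell the two
		// apart without exposing it in the hint.
		return errorsx.WithStack(fosite.ErrInvalidRequest.
			WithHint("client was not found").
			WithDebug(err.Error()))
	}

	// Roles travel in the session in serialized form (the format the project
	// refers to as bsl).
	serializedRoles, err := util.Serialize(clientProfile.GetRoles())
	if err != nil {
		// Do not echo the serialization error to the client: a hint is sent
		// in every error response, whereas WithDebug is gated by fosite's
		// debug setting.
		return errorsx.WithStack(fosite.ErrServerError.
			WithHint("could not serialize client roles").
			WithDebug(err.Error()))
	}

	sess := session.FromRequester(requester)
	sess.SetRls(serializedRoles)
	sess.SetSubject(subject)
	return nil
}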
    52  
// PopulateTokenEndpointResponse is called by fosite once every handler's
// HandleTokenEndpointRequest has succeeded. It adds nothing to the token
// response; it only records a successful client_credentials sign-in in the
// metrics. A request of any other grant type is rejected with
// fosite.ErrUnknownRequest, mirroring HandleTokenEndpointRequest.
func (h *RolesHandler) PopulateTokenEndpointResponse(_ context.Context, requester fosite.AccessRequester, _ fosite.AccessResponder) error {
	if h.CanHandleTokenEndpointRequest(requester) {
		// Reaching this point means fosite accepted the grant end to end.
		h.metrics.IncSignInRequestsTotal(clientCredentials, util.Succeeded)
		return nil
	}
	return errorsx.WithStack(fosite.ErrUnknownRequest)
}
    62  
// CanSkipClientAuth tells fosite that client authentication may never be
// skipped for requests this handler serves. A client_credentials token is
// minted for the calling client itself and carries that client's roles, so an
// unauthenticated request would let any caller obtain a token with an
// arbitrary client's roles. The requester is ignored; the answer is
// unconditional.
func (*RolesHandler) CanSkipClientAuth(fosite.AccessRequester) bool {
	const skipAllowed = false
	return skipAllowed
}
    67  
