Source file src/github.com/ory/fosite/handler/oauth2/introspector.go

     1  /*
     2   * Copyright © 2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
     3   *
     4   * Licensed under the Apache License, Version 2.0 (the "License");
     5   * you may not use this file except in compliance with the License.
     6   * You may obtain a copy of the License at
     7   *
     8   *     http://www.apache.org/licenses/LICENSE-2.0
     9   *
    10   * Unless required by applicable law or agreed to in writing, software
    11   * distributed under the License is distributed on an "AS IS" BASIS,
    12   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13   * See the License for the specific language governing permissions and
    14   * limitations under the License.
    15   *
    16   * @author		Aeneas Rekkas <aeneas+oss@aeneas.io>
    17   * @copyright 	2015-2018 Aeneas Rekkas <aeneas+oss@aeneas.io>
    18   * @license 	Apache-2.0
    19   *
    20   */
    21  
    22  package oauth2
    23  
    24  import (
    25  	"context"
    26  
    27  	"github.com/ory/x/errorsx"
    28  
    29  	"github.com/ory/fosite"
    30  )
    31  
// CoreValidator introspects access and refresh tokens. It resolves a presented
// token to its stored session through the embedded CoreStorage (keyed by the
// token signature the embedded CoreStrategy derives), checks the token with the
// strategy, and enforces the requested scopes with ScopeStrategy.
//
// ScopeStrategy decides whether a requested scope is covered by the granted
// scopes of the stored session.
//
// DisableRefreshTokenValidation makes IntrospectToken consult only the
// access-token store, so a refresh token is never accepted by it.
type CoreValidator struct {
	CoreStrategy
	CoreStorage
	ScopeStrategy                 fosite.ScopeStrategy
	DisableRefreshTokenValidation bool
}
    38  
// IntrospectToken resolves token against the access-token and refresh-token
// stores and reports which kind of token it turned out to be.
//
// tokenUse is only a hint for the lookup order: the hinted store is tried
// first and the other one second, so a refresh token presented where an
// access token is expected (or vice versa) still introspects successfully.
// Callers that only accept one kind must therefore check the returned
// TokenUse rather than rely on the hint. On success the stored session has
// been merged into accessRequest by the underlying lookup.
//
// When both lookups fail, the error from the access-token lookup is returned
// and the refresh-token error is dropped. With DisableRefreshTokenValidation
// set, only the access-token store is consulted.
func (c *CoreValidator) IntrospectToken(ctx context.Context, token string, tokenUse fosite.TokenUse, accessRequest fosite.AccessRequester, scopes []string) (fosite.TokenUse, error) {
	if c.DisableRefreshTokenValidation {
		if accessErr := c.introspectAccessToken(ctx, token, accessRequest, scopes); accessErr != nil {
			return "", accessErr
		}
		return fosite.AccessToken, nil
	}

	if tokenUse == fosite.RefreshToken {
		if refreshErr := c.introspectRefreshToken(ctx, token, accessRequest, scopes); refreshErr == nil {
			return fosite.RefreshToken, nil
		}
		accessErr := c.introspectAccessToken(ctx, token, accessRequest, scopes)
		if accessErr == nil {
			return fosite.AccessToken, nil
		}
		// Both stores rejected the token; the access-token error (the last
		// attempt) is the one reported.
		return "", accessErr
	}

	accessErr := c.introspectAccessToken(ctx, token, accessRequest, scopes)
	if accessErr == nil {
		return fosite.AccessToken, nil
	}
	if refreshErr := c.introspectRefreshToken(ctx, token, accessRequest, scopes); refreshErr == nil {
		return fosite.RefreshToken, nil
	}
	// Both stores rejected the token; the access-token error (the first
	// attempt) is reported and the refresh-token error is discarded.
	return "", accessErr
}
    66  
// matchScopes checks that every non-empty entry of scopes is covered by the
// granted scopes according to ss. Empty entries are ignored. The first
// requested scope that ss rejects produces an ErrInvalidScope whose hint
// names that scope; nil means all requested scopes are granted.
func matchScopes(ss fosite.ScopeStrategy, granted, scopes []string) error {
	for _, requested := range scopes {
		if requested == "" {
			continue
		}
		if ss(granted, requested) {
			continue
		}
		// The rejected scope is echoed back in the hint; it is the
		// caller-supplied value, not something read from storage.
		return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The request scope '%s' has not been granted or is not allowed to be requested.", requested))
	}

	return nil
}
    80  
// introspectAccessToken looks token up in the access-token store and, if it
// is found and valid, merges the stored session into accessRequest.
//
// The store is keyed by the signature CoreStrategy derives from token, so a
// lookup hit alone does not prove the token is genuine; ValidateAccessToken
// is then run on the full token against the stored session (presumably the
// integrity/expiry check — see the CoreStrategy implementation). A lookup
// failure is reported as ErrRequestUnauthorized wrapping the storage error,
// with the storage error text placed in the debug field; whether that debug
// text reaches clients depends on the provider's error configuration
// (verify). Scope enforcement happens after validation via matchScopes.
func (c *CoreValidator) introspectAccessToken(ctx context.Context, token string, accessRequest fosite.AccessRequester, scopes []string) error {
	signature := c.CoreStrategy.AccessTokenSignature(token)
	stored, lookupErr := c.CoreStorage.GetAccessTokenSession(ctx, signature, accessRequest.GetSession())
	if lookupErr != nil {
		return errorsx.WithStack(fosite.ErrRequestUnauthorized.WithWrap(lookupErr).WithDebug(lookupErr.Error()))
	}

	if validationErr := c.CoreStrategy.ValidateAccessToken(ctx, stored, token); validationErr != nil {
		return validationErr
	}

	if scopeErr := matchScopes(c.ScopeStrategy, stored.GetGrantedScopes(), scopes); scopeErr != nil {
		return scopeErr
	}

	// Only a token that passed lookup, validation and scope checks is allowed
	// to populate the caller's request.
	accessRequest.Merge(stored)
	return nil
}
    97  
// introspectRefreshToken is the refresh-token counterpart of
// introspectAccessToken: it looks token up in the refresh-token store by the
// signature CoreStrategy derives, runs ValidateRefreshToken on the full token
// against the stored session, enforces the requested scopes with matchScopes,
// and only then merges the stored session into accessRequest.
//
// A lookup failure is reported as ErrRequestUnauthorized wrapping the storage
// error, with the storage error text in the debug field; the other checks
// return their own errors unchanged.
func (c *CoreValidator) introspectRefreshToken(ctx context.Context, token string, accessRequest fosite.AccessRequester, scopes []string) error {
	signature := c.CoreStrategy.RefreshTokenSignature(token)
	stored, lookupErr := c.CoreStorage.GetRefreshTokenSession(ctx, signature, accessRequest.GetSession())
	if lookupErr != nil {
		return errorsx.WithStack(fosite.ErrRequestUnauthorized.WithWrap(lookupErr).WithDebug(lookupErr.Error()))
	}

	if validationErr := c.CoreStrategy.ValidateRefreshToken(ctx, stored, token); validationErr != nil {
		return validationErr
	}

	if scopeErr := matchScopes(c.ScopeStrategy, stored.GetGrantedScopes(), scopes); scopeErr != nil {
		return scopeErr
	}

	// Merge only after every check has passed so a rejected token never
	// leaks session data into the request.
	accessRequest.Merge(stored)
	return nil
}
   115  
