package authz
import (
"context"
"fmt"
"strings"
"github.com/Peripli/service-manager/pkg/log"
httpsec "github.com/Peripli/service-manager/pkg/security/http"
"github.com/Peripli/service-manager/pkg/web"
)
// NewClientIDSuffixAuthorizer returns an OAuth authorizer that accepts a token
// whose client id ("cid" claim) ends with trustedClientIDSuffix and grants it
// the given access level. It is the single-suffix convenience form of
// NewClientIDSuffixesAuthorizer; the matching itself lives there.
func NewClientIDSuffixAuthorizer(trustedClientIDSuffix string, level web.AccessLevel) httpsec.Authorizer {
	suffixes := []string{trustedClientIDSuffix}
	return NewClientIDSuffixesAuthorizer(suffixes, level)
}
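// NewClientIDSuffixesAuthorizer returns an OAuth authorizer that grants the
// given access level when the "cid" claim of the caller's token ends with any
// entry of trustedClientIDSuffixes, and denies the request otherwise.
//
// The claims are read via userContext.Data; if they cannot be decoded the
// request is denied with an "invalid token" error. The "zid" claim is decoded
// only for the debug log line and does not influence the decision.
//
// An empty entry in trustedClientIDSuffixes is ignored: strings.HasSuffix
// reports true for every string against "", so a blank (e.g. misconfigured)
// suffix would otherwise silently turn this authorizer into allow-all. A
// caller that wants to accept every client id must express that explicitly
// rather than through an empty suffix.
func NewClientIDSuffixesAuthorizer(trustedClientIDSuffixes []string, level web.AccessLevel) httpsec.Authorizer {
	return NewBaseAuthorizer(func(ctx context.Context, userContext *web.UserContext) (httpsec.Decision, web.AccessLevel, error) {
		// Field names are matched case-insensitively against the "zid"/"cid"
		// claims by the decoder behind userContext.Data.
		var claims struct {
			ZID string
			CID string
		}
		logger := log.C(ctx)
		if err := userContext.Data(&claims); err != nil {
			return httpsec.Deny, web.NoAccess, fmt.Errorf("invalid token: %v", err)
		}
		logger.Debugf("User token: zid=%s cid=%s", claims.ZID, claims.CID)
		for _, suffix := range trustedClientIDSuffixes {
			// HasSuffix(anything, "") is true; never let a blank entry match.
			if suffix == "" {
				continue
			}
			if strings.HasSuffix(claims.CID, suffix) {
				return httpsec.Allow, level, nil
			}
		}
		// No (non-empty) suffix matched, including the nil/empty list case.
		return httpsec.Deny, web.NoAccess, fmt.Errorf(`client id "%s" from user token does not have the required suffix`, claims.CID)
	})
}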