// Copyright 2022 Dimitrij Drus <dadrus@gmx.de>
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0
package oauth2
import (
"errors"
"slices"
"time"
"github.com/dadrus/heimdall/internal/x"
"github.com/dadrus/heimdall/internal/x/errorchain"
"github.com/dadrus/heimdall/internal/x/slicex"
)
const (
	// defaultLeeway is the clock-skew tolerance the time-based assertions
	// apply when Expectation.ValidityLeeway is left at zero.
	defaultLeeway = 10 * time.Second
)

var (
	// ErrAssertion is the sentinel error wrapped by every failing Assert*
	// method; callers should match it with errors.Is.
	ErrAssertion = errors.New("assertion error")
)
// Expectation holds the claim requirements a token must satisfy. Merge fills
// unset fields from another Expectation, and the Assert* methods check single
// claims against it.
type Expectation struct {
	// TrustedIssuers lists the issuers AssertIssuer accepts; an empty list
	// rejects every issuer.
	TrustedIssuers []string `mapstructure:"issuers"`
	// ScopesMatcher is consulted by AssertScopes (type declared elsewhere in
	// the package).
	ScopesMatcher ScopesMatcher `mapstructure:"scopes"`
	// Audiences lists the accepted audience values; AssertAudience skips the
	// check entirely when this is empty.
	Audiences []string `mapstructure:"audience"`
	// AllowedAlgorithms lists the signing algorithms AssertAlgorithm accepts;
	// an empty list rejects every algorithm.
	AllowedAlgorithms []string `mapstructure:"allowed_algorithms"`
	// ValidityLeeway is the clock-skew tolerance used by AssertValidity and
	// AssertIssuanceTime; zero means defaultLeeway.
	ValidityLeeway time.Duration `mapstructure:"validity_leeway"`
}
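// Merge fills every unset field of e with the corresponding value from other
// and returns the merged expectation. A nil receiver yields a copy of other; a
// nil other leaves e unchanged, and both nil yield the zero Expectation, rather
// than dereferencing a nil pointer. Note that Merge mutates e in place in
// addition to returning the result.
//
// "Unset" means an empty slice, a nil ScopesMatcher or a zero leeway, so an
// empty list in e cannot be used to restrict a non-empty list in other: it is
// treated as "not configured" and inherits other's value.
func (e *Expectation) Merge(other *Expectation) Expectation {
	switch {
	case e == nil && other == nil:
		return Expectation{}
	case e == nil:
		return *other
	case other == nil:
		return *e
	}

	if len(e.TrustedIssuers) == 0 {
		e.TrustedIssuers = other.TrustedIssuers
	}

	if e.ScopesMatcher == nil {
		e.ScopesMatcher = other.ScopesMatcher
	}

	if len(e.Audiences) == 0 {
		e.Audiences = other.Audiences
	}

	if len(e.AllowedAlgorithms) == 0 {
		e.AllowedAlgorithms = other.AllowedAlgorithms
	}

	if e.ValidityLeeway == 0 {
		e.ValidityLeeway = other.ValidityLeeway
	}

	return *e
}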
// AssertAlgorithm reports whether alg is one of the configured
// AllowedAlgorithms. The check is an exact allow-list: with no algorithms
// configured every alg, including "none", is rejected with an error wrapping
// ErrAssertion.
func (e *Expectation) AssertAlgorithm(alg string) error {
	if slices.Contains(e.AllowedAlgorithms, alg) {
		return nil
	}

	return errorchain.NewWithMessagef(ErrAssertion, "algorithm %s is not allowed", alg)
}
// AssertIssuer reports whether issuer is one of the configured TrustedIssuers
// (exact string match). With no issuers configured every issuer is rejected
// with an error wrapping ErrAssertion.
func (e *Expectation) AssertIssuer(issuer string) error {
	if slices.Contains(e.TrustedIssuers, issuer) {
		return nil
	}

	return errorchain.NewWithMessagef(ErrAssertion, "issuer %s is not trusted", issuer)
}
// AssertAudience reports whether at least one value of audience is among the
// configured Audiences. Unlike the issuer and algorithm checks this one is
// permissive when unconfigured: an empty Audiences list accepts any audience,
// including none at all. Otherwise a missing intersection yields an error
// wrapping ErrAssertion.
func (e *Expectation) AssertAudience(audience []string) error {
	switch {
	case len(e.Audiences) == 0:
		// Nothing configured, so there is nothing to enforce.
		return nil
	case slicex.Intersects(e.Audiences, audience):
		return nil
	default:
		return errorchain.NewWithMessage(ErrAssertion, "no expected audience present")
	}
}
// AssertValidity checks the token's validity window against the current time,
// allowing ValidityLeeway (defaultLeeway when zero) of clock skew at both ends.
// The comparison is done in whole Unix seconds, so a sub-second leeway rounds
// down to zero. Each bound is only enforced when its Unix timestamp is
// positive: an unset (zero) notBefore or notAfter disables that half of the
// check, so a caller that requires an expiry must ensure one is present.
// Returns an error wrapping ErrAssertion when the token is not yet valid or
// has expired.
func (e *Expectation) AssertValidity(notBefore, notAfter time.Time) error {
	tolerance := e.ValidityLeeway
	if tolerance == 0 {
		tolerance = defaultLeeway
	}

	slack := int64(tolerance.Seconds())
	nowSec := time.Now().Unix()
	nbfSec := notBefore.Unix()
	expSec := notAfter.Unix()

	switch {
	case nbfSec > 0 && nowSec+slack < nbfSec:
		return errorchain.NewWithMessage(ErrAssertion, "not yet valid")
	case expSec > 0 && nowSec-slack >= expSec:
		return errorchain.NewWithMessage(ErrAssertion, "expired")
	default:
		return nil
	}
}
// AssertIssuanceTime rejects a token whose issuedAt lies further in the future
// than ValidityLeeway (defaultLeeway when zero) allows. IssuedAt is optional
// and a zero time is accepted; the RFC does not require this check, but an
// issuance time set in the future (e.g. by misconfiguration) is not trusted.
// Returns an error wrapping ErrAssertion on rejection.
func (e *Expectation) AssertIssuanceTime(issuedAt time.Time) error {
	if issuedAt.IsZero() {
		return nil
	}

	tolerance := e.ValidityLeeway
	if tolerance == 0 {
		tolerance = defaultLeeway
	}

	latestAccepted := time.Now().Add(tolerance)
	if issuedAt.After(latestAccepted) {
		return errorchain.NewWithMessage(ErrAssertion, "issued in the future")
	}

	return nil
}
// AssertScopes delegates the scope check to the configured ScopesMatcher and
// returns whatever it reports. The matcher is used as-is; if it can be nil
// after configuration, the caller is expected to have rejected that earlier
// (Merge only fills a nil matcher from the other expectation).
func (e *Expectation) AssertScopes(scopes []string) error {
	matcher := e.ScopesMatcher

	return matcher.Match(scopes)
}