forked from vmware-archive/atc
/
scope_verifier.go
75 lines (60 loc) · 1.48 KB
/
scope_verifier.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
package genericoauth
import (
"encoding/json"
"errors"
"net/http"
"strings"
"golang.org/x/oauth2"
"code.cloudfoundry.org/lager"
"github.com/concourse/atc/auth/verifier"
"github.com/dgrijalva/jwt-go"
)
type ScopeVerifier struct {
scope string
}
func NewScopeVerifier(
scope string,
) verifier.Verifier {
return ScopeVerifier{
scope: scope,
}
}
type GenericOAuthToken struct {
Scopes []string `json:"scope"`
}
func (verifier ScopeVerifier) Verify(logger lager.Logger, httpClient *http.Client) (bool, error) {
oauth2Transport, ok := httpClient.Transport.(*oauth2.Transport)
if !ok {
return false, errors.New("httpClient transport must be of type oauth2.Transport")
}
token, err := oauth2Transport.Source.Token()
if err != nil {
return false, err
}
tokenParts := strings.Split(token.AccessToken, ".")
if len(tokenParts) < 2 {
return false, errors.New("access token contains an invalid number of segments")
}
decodedClaims, err := jwt.DecodeSegment(tokenParts[1])
if err != nil {
return false, err
}
var oauthToken GenericOAuthToken
err = json.Unmarshal(decodedClaims, &oauthToken)
if err != nil {
return false, err
}
if len(oauthToken.Scopes) == 0 {
return false, errors.New("user has no assigned scopes in access token")
}
for _, userScope := range oauthToken.Scopes {
if userScope == verifier.scope {
return true, nil
}
}
logger.Info("does-not-have-scope", lager.Data{
"have": oauthToken.Scopes,
"want": verifier.scope,
})
return false, nil
}