forked from openshift/origin
-
Notifications
You must be signed in to change notification settings - Fork 0
/
authenticator.go
108 lines (92 loc) · 2.79 KB
/
authenticator.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
package handlers
import (
"net/http"
"github.com/RangelReale/osin"
"github.com/golang/glog"
"github.com/openshift/origin/pkg/auth/api"
"github.com/openshift/origin/pkg/auth/authenticator"
)
type AuthorizeAuthenticator struct {
handler AuthenticationHandler
request authenticator.Request
}
func NewAuthorizeAuthenticator(handler AuthenticationHandler, request authenticator.Request) *AuthorizeAuthenticator {
return &AuthorizeAuthenticator{handler, request}
}
func (h *AuthorizeAuthenticator) HandleAuthorize(ar *osin.AuthorizeRequest, w http.ResponseWriter, req *http.Request) (handled bool) {
info, ok, err := h.request.AuthenticateRequest(req)
if err != nil {
h.handler.AuthenticationError(err, w, req)
return true
}
if !ok {
h.handler.AuthenticationNeeded(w, req)
return true
}
ar.UserData = info
ar.Authorized = true
return
}
type AccessAuthenticator struct {
password authenticator.Password
assertion authenticator.Assertion
client authenticator.Client
}
func NewAccessAuthenticator(password authenticator.Password, assertion authenticator.Assertion, client authenticator.Client) *AccessAuthenticator {
return &AccessAuthenticator{password, assertion, client}
}
func (h *AccessAuthenticator) HandleAccess(ar *osin.AccessRequest, w http.ResponseWriter, req *http.Request) {
switch ar.Type {
case osin.AUTHORIZATION_CODE, osin.REFRESH_TOKEN:
// auth codes and refresh tokens are assumed allowed
case osin.PASSWORD:
info, ok, err := h.password.AuthenticatePassword(ar.Username, ar.Password)
if err != nil {
glog.Errorf("Unable to authenticate password: %v", err)
return
}
if !ok {
return
}
ar.AccessData.UserData = info
case osin.ASSERTION:
info, ok, err := h.assertion.AuthenticateAssertion(ar.AssertionType, ar.Assertion)
if err != nil {
glog.Errorf("Unable to authenticate password: %v", err)
return
}
if !ok {
return
}
ar.AccessData.UserData = info
case osin.CLIENT_CREDENTIALS:
info, ok, err := h.client.AuthenticateClient(ar.Client)
if err != nil {
glog.Errorf("Unable to authenticate password: %v", err)
return
}
if !ok {
return
}
ar.AccessData.UserData = info
return
default:
glog.Warningf("Received unknown access token type: %s", ar.Type)
return
}
ar.Authorized = true
}
func NewDenyAccessAuthenticator() *AccessAuthenticator {
return &AccessAuthenticator{Deny, Deny, Deny}
}
var Deny = denyAuthenticator{}
type denyAuthenticator struct{}
func (denyAuthenticator) AuthenticatePassword(user, password string) (api.UserInfo, bool, error) {
return nil, false, nil
}
func (denyAuthenticator) AuthenticateAssertion(assertionType, data string) (api.UserInfo, bool, error) {
return nil, false, nil
}
func (denyAuthenticator) AuthenticateClient(client api.Client) (api.UserInfo, bool, error) {
return nil, false, nil
}