package ssh
import (
	"encoding/json"
	"errors"

	"github.com/gliderlabs/ssh"
	"github.com/oidc-mytoken/api/v0"
	"github.com/oidc-mytoken/server/internal/endpoints/token/access"
	"github.com/oidc-mytoken/server/internal/endpoints/token/access/pkg"
	"github.com/oidc-mytoken/server/internal/utils/auth"
	"github.com/oidc-mytoken/server/internal/utils/logger"
	"github.com/oidc-mytoken/server/shared/model"
	mytoken "github.com/oidc-mytoken/server/shared/mytoken/pkg"
	"github.com/oidc-mytoken/server/shared/utils"
)
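// handleSSHAT serves an access-token (AT) request that arrives over an SSH
// session.
//
// reqData is the optional JSON request body sent by the client. It is decoded
// into an AccessTokenRequest, but the grant type and the mytoken are always
// overwritten with the mytoken attached to the session context (presumably
// put there by the SSH authentication handler), so the body cannot be used to
// act on a token other than the one the session authenticated with. The
// request then passes the same revocation, capability/restriction and issuer
// checks as the HTTP token endpoint before access.HandleAccessTokenRefresh
// is invoked.
//
// On success only the bare access token string is written to the session. If
// one of the checks or the refresh fails, the error response is written to
// the session via writeErrRes and its result is returned. A malformed request
// body, a missing or ill-typed session context value, or an unexpected
// response type is returned as an error without writing to the session.
func handleSSHAT(reqData []byte, s ssh.Session) error {
	ctx := s.Context()

	req := pkg.NewAccessTokenRequest()
	if len(reqData) > 0 {
		if err := json.Unmarshal(reqData, &req); err != nil {
			// The session's mytoken is used below, so a missing or
			// unparseable mytoken field in the body is tolerated; every
			// other decoding problem is a hard error.
			// NOTE(review): matched on the error text because no sentinel
			// error is in scope here — confirm against the mytoken
			// unmarshaler if that message ever changes.
			if err.Error() != "token not valid" {
				return err
			}
		}
	}

	// Session values are read with the comma-ok form: a missing or ill-typed
	// value means the session was not authenticated the way this handler
	// expects, and that must surface as an error rather than a panic inside
	// the session goroutine.
	mt, ok := ctx.Value("mytoken").(*mytoken.Mytoken)
	if !ok || mt == nil {
		return errors.New("ssh session carries no authenticated mytoken")
	}
	ip, ok := ctx.Value("ip").(string)
	if !ok {
		return errors.New("ssh session context has no client ip")
	}
	userAgent, ok := ctx.Value("user_agent").(string)
	if !ok {
		return errors.New("ssh session context has no user agent")
	}
	sessionID, ok := ctx.Value("session").(string)
	if !ok {
		return errors.New("ssh session context has no session id")
	}

	clientMetaData := api.ClientMetaData{
		IP:        ip,
		UserAgent: userAgent,
	}
	// Force the grant onto the session's mytoken, regardless of what the
	// client put into the request body.
	req.GrantType = model.GrantTypeMytoken
	req.Mytoken = mt.ToUniversalMytoken()

	rlog := logger.GetSSHRequestLogger(sessionID)
	rlog.Debug("Handle AT from ssh")
	rlog.Trace("Parsed AT request")

	// Revocation is checked before anything else so a revoked token never
	// reaches the capability/restriction evaluation.
	if errRes := auth.RequireMytokenNotRevoked(rlog, nil, mt); errRes != nil {
		return writeErrRes(s, errRes)
	}
	// Scope and audience come from the untrusted body; the token's
	// restrictions (evaluated against the client IP) decide whether they are
	// permitted, and the matching restriction is handed on to the refresh.
	usedRestriction, errRes := auth.CheckCapabilityAndRestriction(
		rlog, nil, mt, clientMetaData.IP,
		utils.SplitIgnoreEmpty(req.Scope, " "),
		utils.SplitIgnoreEmpty(req.Audience, " "),
		api.CapabilityAT,
	)
	if errRes != nil {
		return writeErrRes(s, errRes)
	}
	provider, errRes := auth.RequireMatchingIssuer(rlog, mt.OIDCIssuer, &req.Issuer)
	if errRes != nil {
		return writeErrRes(s, errRes)
	}

	res := access.HandleAccessTokenRefresh(rlog, mt, req, clientMetaData, provider, usedRestriction)
	if res.Status >= 400 {
		return writeErrRes(s, res)
	}
	// Guard the payload assertion as well; a mismatched response type is a
	// server-side bug and should be reported, not crash the session.
	tokenRes, ok := res.Response.(pkg.AccessTokenResponse)
	if !ok {
		return errors.New("unexpected response payload from access token refresh")
	}
	return writeString(s, tokenRes.AccessToken)
}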