/
interfaces.go
109 lines (93 loc) · 5.21 KB
/
interfaces.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
package handlers
import (
"net/http"
"github.com/openshift/origin/pkg/auth/api"
"k8s.io/kubernetes/pkg/auth/user"
)
// AuthenticationHandler reacts to unauthenticated requests
type AuthenticationHandler interface {
// AuthenticationNeeded reacts to unauthenticated requests, and returns true if the response was written,
AuthenticationNeeded(client api.Client, w http.ResponseWriter, req *http.Request) (handled bool, err error)
}
// AuthenticationChallenger reacts to unauthenticated requests with challenges
type AuthenticationChallenger interface {
// AuthenticationChallenge take a request and return whatever challenge headers are appropriate. If none are appropriate, it should return an empty map, not nil.
AuthenticationChallenge(req *http.Request) (header http.Header, err error)
}
// AuthenticationRedirector reacts to unauthenticated requests with redirects
type AuthenticationRedirector interface {
// AuthenticationRedirect is expected to write a redirect to the ResponseWriter or to return an error.
AuthenticationRedirect(w http.ResponseWriter, req *http.Request) (err error)
}
// AuthenticationErrorHandler reacts to authentication errors
type AuthenticationErrorHandler interface {
// AuthenticationError reacts to authentication errors, returns true if the response was written,
// and returns any unhandled error (which should be the original error in most cases)
AuthenticationError(error, http.ResponseWriter, *http.Request) (handled bool, err error)
}
// ProviderInfo represents display information for an oauth identity provider. This is used by the
// selection provider template to render links to login using different identity providers.
type ProviderInfo struct {
// Name is unique and corresponds to the name of the identity provider in the oauth configuration
Name string
// URL to login using this identity provider
URL string
}
// AuthenticationSelectionHandler is responsible for selecting which identity provider to use for login
type AuthenticationSelectionHandler interface {
// SelectAuthentication will choose which identity provider to use for login or handle the request
// If the request is being handled, such as rendering a login provider selection page, then handled will
// be true and selected will be nil. If the request is not handled then a provider may be selected,
// if a provider could not be selected then selected will be nil.
SelectAuthentication([]ProviderInfo, http.ResponseWriter, *http.Request) (selected *ProviderInfo, handled bool, err error)
}
// AuthenticationSuccessHandler reacts to a user authenticating
type AuthenticationSuccessHandler interface {
// AuthenticationSucceeded reacts to a user authenticating, returns true if the response was written,
// and returns false if the response was not written.
AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error)
}
// GrantChecker is responsible for determining if a user has authorized a client for a requested grant
type GrantChecker interface {
// HasAuthorizedClient returns true if the user has authorized the client for the requested grant
HasAuthorizedClient(user user.Info, grant *api.Grant) (bool, error)
}
// GrantHandler handles errors during the grant process, or the client requests an unauthorized grant
type GrantHandler interface {
// GrantNeeded reacts when a client requests an unauthorized grant, and returns true if the response was written
// granted is true if authorization was granted
// handled is true if the response was already written
GrantNeeded(user user.Info, grant *api.Grant, w http.ResponseWriter, req *http.Request) (granted, handled bool, err error)
}
// GrantErrorHandler reacts to grant errors
type GrantErrorHandler interface {
// GrantError reacts to grant errors, returns true if the response was written,
// and returns any unhandled error (which could be the original error)
GrantError(error, http.ResponseWriter, *http.Request) (handled bool, err error)
}
// AuthenticationSuccessHandlers combines multiple AuthenticationSuccessHandler objects into a chain.
// On success, each handler is called. If any handler writes the response or returns an error,
// the chain is aborted.
type AuthenticationSuccessHandlers []AuthenticationSuccessHandler
func (all AuthenticationSuccessHandlers) AuthenticationSucceeded(user user.Info, state string, w http.ResponseWriter, req *http.Request) (bool, error) {
for _, h := range all {
if handled, err := h.AuthenticationSucceeded(user, state, w, req); handled || err != nil {
return handled, err
}
}
return false, nil
}
// AuthenticationErrorHandlers combines multiple AuthenticationErrorHandler objects into a chain.
// Each handler is called in turn. If any handler writes the response, the chain is aborted.
// Otherwise, the next handler is called with the error returned from the previous handler.
type AuthenticationErrorHandlers []AuthenticationErrorHandler
func (all AuthenticationErrorHandlers) AuthenticationError(err error, w http.ResponseWriter, req *http.Request) (bool, error) {
handled := false
for _, h := range all {
// Each handler gets a chance to handle or transform the error
if handled, err = h.AuthenticationError(err, w, req); handled {
return handled, err
}
}
return handled, err
}