package auth
import (
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"

	"github.com/zalando/skipper/secrets"
)
// state is the payload carried in the OAuth grant flow's state parameter.
// createState JSON-encodes it and runs it through the secrets Encryption
// before it leaves the process; extractState reverses that.
type state struct {
	// Validity is the absolute Unix time (seconds) after which extractState
	// rejects the state with errExpiredAuthState.
	Validity int64 `json:"validity"`
	// Nonce is the hex-encoded value from Encryption.CreateNonce. Nothing in
	// this file compares it on the way back; any replay protection built on
	// it has to live in the caller.
	Nonce string `json:"nonce"`
	// RequestURL is the URL handed to createState and returned verbatim by
	// extractState. The JSON key "redirectUrl" is the encoded format that
	// already-issued states carry, so it must stay even though it does not
	// match the field name.
	RequestURL string `json:"redirectUrl"`
}
// flowState creates and validates the encrypted OAuth state parameter.
// Both fields are handed to Registry.GetEncrypter on every call, so the
// encrypter (and its key) is whatever the registry currently serves for
// secretsFile rather than something cached here.
type flowState struct {
	// secrets is the registry supplied by newFlowState; Close shuts it down.
	secrets *secrets.Registry
	// secretsFile identifies the secret within the registry.
	secretsFile string
}
var (
	// errExpiredAuthState is returned by extractState when the Validity
	// timestamp inside an otherwise well-formed state lies in the past.
	errExpiredAuthState = errors.New("expired auth state")
)
// newFlowState returns a flowState bound to the given secrets registry and
// the secrets file it should ask the registry for. The registry is not
// copied or wrapped; Close later calls Close on this same registry.
func newFlowState(secrets *secrets.Registry, secretsFile string) *flowState {
	fs := new(flowState)
	fs.secrets = secrets
	fs.secretsFile = secretsFile
	return fs
}
// stateValidityTime returns the Unix timestamp (seconds) one hour from now —
// the point after which a state created now is refused by extractState.
func stateValidityTime() int64 {
	const lifetime = time.Hour
	expiresAt := time.Now().Add(lifetime)
	return expiresAt.Unix()
}
// createState produces the opaque value for the OAuth state parameter: a
// state struct (expiry one hour out, a fresh nonce from the encrypter,
// redirectURL) JSON-encoded, encrypted with the Encryption the registry
// serves for s.secretsFile, and rendered as lowercase hex. Errors from the
// registry, nonce creation, JSON encoding or encryption are passed through
// unchanged.
//
// NOTE(review): the nonce is only generated here; this file never compares
// it on the way back. redirectURL is stored as given, so any check against
// open redirects must happen before calling this.
func (s *flowState) createState(redirectURL string) (string, error) {
	enc, err := s.secrets.GetEncrypter(secretsRefreshInternal, s.secretsFile)
	if err != nil {
		return "", err
	}

	rawNonce, err := enc.CreateNonce()
	if err != nil {
		return "", err
	}

	// The local is named payload rather than state so the type name stays
	// visible for the composite literal.
	payload, err := json.Marshal(state{
		Validity:   stateValidityTime(),
		Nonce:      fmt.Sprintf("%x", rawNonce),
		RequestURL: redirectURL,
	})
	if err != nil {
		return "", err
	}

	sealed, err := enc.Encrypt(payload)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sealed), nil
}
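// extractState reverses createState: it hex-decodes st, decrypts it with the
// Encryption the registry serves for s.secretsFile, JSON-decodes the payload
// and checks that its Validity timestamp has not passed.
//
// On success the decoded state is returned. On any failure — including an
// expired state, reported as errExpiredAuthState — the returned state is the
// zero value, so a caller that overlooks err cannot act on a stale
// RequestURL. The previous implementation used fmt.Sscanf with %x, which
// silently stopped at the first non-hex character; st is now parsed
// strictly, and trailing garbage, odd length or an empty value are rejected
// before decryption is attempted.
//
// NOTE(review): authenticity of the payload rests entirely on Decrypt
// rejecting tampered ciphertext — confirm the secrets Encryption is an
// authenticated mode. The Nonce is decoded but not checked here.
func (s *flowState) extractState(st string) (state, error) {
	enc, err := s.secrets.GetEncrypter(secretsRefreshInternal, s.secretsFile)
	if err != nil {
		return state{}, err
	}

	sealed, err := hex.DecodeString(st)
	if err != nil {
		return state{}, fmt.Errorf("decoding auth state: %w", err)
	}
	if len(sealed) == 0 {
		// hex.DecodeString accepts "" — keep refusing it explicitly rather
		// than handing an empty buffer to Decrypt.
		return state{}, errors.New("empty auth state")
	}

	payload, err := enc.Decrypt(sealed)
	if err != nil {
		return state{}, err
	}

	var decoded state
	if err := json.Unmarshal(payload, &decoded); err != nil {
		return state{}, fmt.Errorf("decoding auth state payload: %w", err)
	}

	// Validity is an absolute Unix timestamp; anything already in the past
	// is stale regardless of how it was produced.
	if time.Unix(decoded.Validity, 0).Before(time.Now()) {
		return state{}, errExpiredAuthState
	}
	return decoded, nil
}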
// Close shuts down the secrets registry this flowState was created with.
//
// NOTE(review): the registry is injected via newFlowState rather than
// created here, so this closes a resource the type does not own — confirm
// no other component shares the same *secrets.Registry before relying on it.
func (s *flowState) Close() {
	s.secrets.Close()
}