登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 0

zhuchance/kubernetes

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
client.go 7.11 KB
一键复制 编辑 原始数据 按行查看 历史
Yifan Gu 提交于 2015-08-21 15:34 . Godeps: add Godpes for go-oidc.
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323
package oidc



import (

	"errors"

	"fmt"

	"net/http"

	"net/url"

	"sync"

	"time"



	phttp "github.com/coreos/go-oidc/http"

	"github.com/coreos/go-oidc/jose"

	"github.com/coreos/go-oidc/key"

	"github.com/coreos/go-oidc/oauth2"

)



const (

	// amount of time that must pass after the last key sync

	// completes before another attempt may begin

	keySyncWindow = 5 * time.Second

)



var (

	DefaultScope = []string{"openid", "email", "profile"}



	supportedAuthMethods = map[string]struct{}{

		oauth2.AuthMethodClientSecretBasic: struct{}{},

		oauth2.AuthMethodClientSecretPost:  struct{}{},

	}

)



type ClientCredentials oauth2.ClientCredentials



type ClientIdentity struct {

	Credentials ClientCredentials

	Metadata    ClientMetadata

}



type ClientMetadata struct {

	RedirectURLs []url.URL

}



func (m *ClientMetadata) Valid() error {

	if len(m.RedirectURLs) == 0 {

		return errors.New("zero redirect URLs")

	}



	for _, u := range m.RedirectURLs {

		if u.Scheme != "http" && u.Scheme != "https" {

			return errors.New("invalid redirect URL: scheme not http/https")

		} else if u.Host == "" {

			return errors.New("invalid redirect URL: host empty")

		}

	}



	return nil

}



type ClientConfig struct {

	HTTPClient     phttp.Client

	Credentials    ClientCredentials

	Scope          []string

	RedirectURL    string

	ProviderConfig ProviderConfig

	KeySet         key.PublicKeySet

}



func NewClient(cfg ClientConfig) (*Client, error) {

	// Allow empty redirect URL in the case where the client

	// only needs to verify a given token.

	ru, err := url.Parse(cfg.RedirectURL)

	if err != nil {

		return nil, fmt.Errorf("invalid redirect URL: %v", err)

	}



	c := Client{

		credentials:    cfg.Credentials,

		httpClient:     cfg.HTTPClient,

		scope:          cfg.Scope,

		redirectURL:    ru.String(),

		providerConfig: cfg.ProviderConfig,

		keySet:         cfg.KeySet,

	}



	if c.httpClient == nil {

		c.httpClient = http.DefaultClient

	}



	if c.scope == nil {

		c.scope = make([]string, len(DefaultScope))

		copy(c.scope, DefaultScope)

	}



	return &c, nil

}



type Client struct {

	httpClient     phttp.Client

	providerConfig ProviderConfig

	credentials    ClientCredentials

	redirectURL    string

	scope          []string

	keySet         key.PublicKeySet



	keySetSyncMutex sync.RWMutex

	lastKeySetSync  time.Time

}



func (c *Client) Healthy() error {

	now := time.Now().UTC()



	if c.providerConfig.Empty() {

		return errors.New("oidc client provider config empty")

	}



	if !c.providerConfig.ExpiresAt.IsZero() && c.providerConfig.ExpiresAt.Before(now) {

		return errors.New("oidc client provider config expired")

	}



	return nil

}



func (c *Client) OAuthClient() (*oauth2.Client, error) {

	authMethod, err := c.chooseAuthMethod()

	if err != nil {

		return nil, err

	}



	ocfg := oauth2.Config{

		Credentials: oauth2.ClientCredentials(c.credentials),

		RedirectURL: c.redirectURL,

		AuthURL:     c.providerConfig.AuthEndpoint,

		TokenURL:    c.providerConfig.TokenEndpoint,

		Scope:       c.scope,

		AuthMethod:  authMethod,

	}



	return oauth2.NewClient(c.httpClient, ocfg)

}



func (c *Client) chooseAuthMethod() (string, error) {

	if len(c.providerConfig.TokenEndpointAuthMethodsSupported) == 0 {

		return oauth2.AuthMethodClientSecretBasic, nil

	}



	for _, authMethod := range c.providerConfig.TokenEndpointAuthMethodsSupported {

		if _, ok := supportedAuthMethods[authMethod]; ok {

			return authMethod, nil

		}

	}



	return "", errors.New("no supported auth methods")

}



func (c *Client) SyncProviderConfig(discoveryURL string) chan struct{} {

	rp := &providerConfigRepo{c}

	r := NewHTTPProviderConfigGetter(c.httpClient, discoveryURL)

	return NewProviderConfigSyncer(r, rp).Run()

}



func (c *Client) maybeSyncKeys() error {

	tooSoon := func() bool {

		return time.Now().UTC().Before(c.lastKeySetSync.Add(keySyncWindow))

	}



	// ignore request to sync keys if a sync operation has been

	// attempted too recently

	if tooSoon() {

		return nil

	}



	c.keySetSyncMutex.Lock()

	defer c.keySetSyncMutex.Unlock()



	// check again, as another goroutine may have been holding

	// the lock while updating the keys

	if tooSoon() {

		return nil

	}



	r := NewRemotePublicKeyRepo(c.httpClient, c.providerConfig.KeysEndpoint)

	w := &clientKeyRepo{client: c}

	_, err := key.Sync(r, w)

	c.lastKeySetSync = time.Now().UTC()



	return err

}



type providerConfigRepo struct {

	client *Client

}



func (r *providerConfigRepo) Set(cfg ProviderConfig) error {

	r.client.providerConfig = cfg

	return nil

}



type clientKeyRepo struct {

	client *Client

}



func (r *clientKeyRepo) Set(ks key.KeySet) error {

	pks, ok := ks.(*key.PublicKeySet)

	if !ok {

		return errors.New("unable to cast to PublicKey")

	}

	r.client.keySet = *pks

	return nil

}



func (c *Client) ClientCredsToken(scope []string) (jose.JWT, error) {

	if !c.providerConfig.SupportsGrantType(oauth2.GrantTypeClientCreds) {

		return jose.JWT{}, fmt.Errorf("%v grant type is not supported", oauth2.GrantTypeClientCreds)

	}



	oac, err := c.OAuthClient()

	if err != nil {

		return jose.JWT{}, err

	}



	t, err := oac.ClientCredsToken(scope)

	if err != nil {

		return jose.JWT{}, err

	}



	jwt, err := jose.ParseJWT(t.IDToken)

	if err != nil {

		return jose.JWT{}, err

	}



	return jwt, c.VerifyJWT(jwt)

}



// ExchangeAuthCode exchanges an OAuth2 auth code for an OIDC JWT ID token.

func (c *Client) ExchangeAuthCode(code string) (jose.JWT, error) {

	oac, err := c.OAuthClient()

	if err != nil {

		return jose.JWT{}, err

	}



	t, err := oac.RequestToken(oauth2.GrantTypeAuthCode, code)

	if err != nil {

		return jose.JWT{}, err

	}



	jwt, err := jose.ParseJWT(t.IDToken)

	if err != nil {

		return jose.JWT{}, err

	}



	return jwt, c.VerifyJWT(jwt)

}



// RefreshToken uses a refresh token to exchange for a new OIDC JWT ID Token.

func (c *Client) RefreshToken(refreshToken string) (jose.JWT, error) {

	oac, err := c.OAuthClient()

	if err != nil {

		return jose.JWT{}, err

	}



	t, err := oac.RequestToken(oauth2.GrantTypeRefreshToken, refreshToken)

	if err != nil {

		return jose.JWT{}, err

	}



	jwt, err := jose.ParseJWT(t.IDToken)

	if err != nil {

		return jose.JWT{}, err

	}



	return jwt, c.VerifyJWT(jwt)

}



func (c *Client) VerifyJWT(jwt jose.JWT) error {

	var keysFunc func() []key.PublicKey

	if kID, ok := jwt.KeyID(); ok {

		keysFunc = c.keysFuncWithID(kID)

	} else {

		keysFunc = c.keysFuncAll()

	}



	v := NewJWTVerifier(

		c.providerConfig.Issuer,

		c.credentials.ID,

		c.maybeSyncKeys, keysFunc)



	return v.Verify(jwt)

}



// keysFuncWithID returns a function that retrieves at most unexpired

// public key from the Client that matches the provided ID

func (c *Client) keysFuncWithID(kID string) func() []key.PublicKey {

	return func() []key.PublicKey {

		c.keySetSyncMutex.RLock()

		defer c.keySetSyncMutex.RUnlock()



		if c.keySet.ExpiresAt().Before(time.Now()) {

			return []key.PublicKey{}

		}



		k := c.keySet.Key(kID)

		if k == nil {

			return []key.PublicKey{}

		}



		return []key.PublicKey{*k}

	}

}



// keysFuncAll returns a function that retrieves all unexpired public

// keys from the Client

func (c *Client) keysFuncAll() func() []key.PublicKey {

	return func() []key.PublicKey {

		c.keySetSyncMutex.RLock()

		defer c.keySetSyncMutex.RUnlock()



		if c.keySet.ExpiresAt().Before(time.Now()) {

			return []key.PublicKey{}

		}



		return c.keySet.Keys()

	}

}
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
Go
1
https://gitee.com/meoom/kubernetes.git
git@gitee.com:meoom/kubernetes.git
meoom
kubernetes
kubernetes
v1.1.1-beta.1
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
Cb406eda 1850385 E526c682 1850385