package model import ( "context" "crypto/sha256" "database/sql" "encoding/json" "fmt" "net/url" "time" "github.com/google/uuid" "github.com/mohae/deepcopy" "github.com/ory/fosite" "github.com/ory/fosite/handler/openid" "github.com/authelia/authelia/v4/internal/utils" ) // NewOAuth2ConsentSession creates a new OAuth2ConsentSession. func NewOAuth2ConsentSession(subject uuid.UUID, r fosite.Requester) (consent *OAuth2ConsentSession, err error) { valid := subject.ID() != 0 consent = &OAuth2ConsentSession{ ClientID: r.GetClient().GetID(), Subject: uuid.NullUUID{UUID: subject, Valid: valid}, Form: r.GetRequestForm().Encode(), RequestedAt: r.GetRequestedAt(), RequestedScopes: StringSlicePipeDelimited(r.GetRequestedScopes()), RequestedAudience: StringSlicePipeDelimited(r.GetRequestedAudience()), GrantedScopes: StringSlicePipeDelimited(r.GetGrantedScopes()), GrantedAudience: StringSlicePipeDelimited(r.GetGrantedAudience()), } if consent.ChallengeID, err = uuid.NewRandom(); err != nil { return nil, err } return consent, nil } // NewOAuth2BlacklistedJTI creates a new OAuth2BlacklistedJTI. func NewOAuth2BlacklistedJTI(jti string, exp time.Time) (jtiBlacklist OAuth2BlacklistedJTI) { return OAuth2BlacklistedJTI{ Signature: fmt.Sprintf("%x", sha256.Sum256([]byte(jti))), ExpiresAt: exp, } } // NewOAuth2SessionFromRequest creates a new OAuth2Session from a signature and fosite.Requester. func NewOAuth2SessionFromRequest(signature string, r fosite.Requester) (session *OAuth2Session, err error) { var ( subject string sessionOpenID *OpenIDSession ok bool sessionData []byte ) sessionOpenID, ok = r.GetSession().(*OpenIDSession) if !ok { return nil, fmt.Errorf("can't convert type '%T' to an *OAuth2Session", r.GetSession()) } subject = sessionOpenID.GetSubject() if sessionData, err = json.Marshal(sessionOpenID); err != nil { return nil, err } return &OAuth2Session{ ChallengeID: sessionOpenID.ChallengeID, RequestID: r.GetID(), ClientID: r.GetClient().GetID(), Signature: signature, RequestedAt: r.GetRequestedAt(), Subject: subject, RequestedScopes: StringSlicePipeDelimited(r.GetRequestedScopes()), GrantedScopes: StringSlicePipeDelimited(r.GetGrantedScopes()), RequestedAudience: StringSlicePipeDelimited(r.GetRequestedAudience()), GrantedAudience: StringSlicePipeDelimited(r.GetGrantedAudience()), Active: true, Revoked: false, Form: r.GetRequestForm().Encode(), Session: sessionData, }, nil } // NewOAuth2PARContext creates a new Pushed Authorization Request Context as a OAuth2PARContext. func NewOAuth2PARContext(contextID string, r fosite.AuthorizeRequester) (context *OAuth2PARContext, err error) { var ( s *OpenIDSession ok bool req *fosite.AuthorizeRequest session []byte ) if s, ok = r.GetSession().(*OpenIDSession); !ok { return nil, fmt.Errorf("can't convert type '%T' to an *OAuth2Session", r.GetSession()) } if session, err = json.Marshal(s); err != nil { return nil, err } var handled StringSlicePipeDelimited if req, ok = r.(*fosite.AuthorizeRequest); ok { handled = StringSlicePipeDelimited(req.HandledResponseTypes) } return &OAuth2PARContext{ Signature: contextID, RequestID: r.GetID(), ClientID: r.GetClient().GetID(), RequestedAt: r.GetRequestedAt(), Scopes: StringSlicePipeDelimited(r.GetRequestedScopes()), Audience: StringSlicePipeDelimited(r.GetRequestedAudience()), HandledResponseTypes: handled, ResponseMode: string(r.GetResponseMode()), DefaultResponseMode: string(r.GetDefaultResponseMode()), Revoked: false, Form: r.GetRequestForm().Encode(), Session: session, }, nil } // OAuth2ConsentPreConfig stores information about an OAuth2.0 Pre-Configured Consent. type OAuth2ConsentPreConfig struct { ID int64 `db:"id"` ClientID string `db:"client_id"` Subject uuid.UUID `db:"subject"` CreatedAt time.Time `db:"created_at"` ExpiresAt sql.NullTime `db:"expires_at"` Revoked bool `db:"revoked"` Scopes StringSlicePipeDelimited `db:"scopes"` Audience StringSlicePipeDelimited `db:"audience"` } // HasExactGrants returns true if the granted audience and scopes of this consent pre-configuration matches exactly with // another audience and set of scopes. func (s *OAuth2ConsentPreConfig) HasExactGrants(scopes, audience []string) (has bool) { return s.HasExactGrantedScopes(scopes) && s.HasExactGrantedAudience(audience) } // HasExactGrantedAudience returns true if the granted audience of this consent matches exactly with another audience. func (s *OAuth2ConsentPreConfig) HasExactGrantedAudience(audience []string) (has bool) { return !utils.IsStringSlicesDifferent(s.Audience, audience) } // HasExactGrantedScopes returns true if the granted scopes of this consent matches exactly with another set of scopes. func (s *OAuth2ConsentPreConfig) HasExactGrantedScopes(scopes []string) (has bool) { return !utils.IsStringSlicesDifferent(s.Scopes, scopes) } // CanConsent returns true if this pre-configuration can still provide consent. func (s *OAuth2ConsentPreConfig) CanConsent() bool { return !s.Revoked && (!s.ExpiresAt.Valid || s.ExpiresAt.Time.After(time.Now())) } // OAuth2ConsentSession stores information about an OAuth2.0 Consent. type OAuth2ConsentSession struct { ID int `db:"id"` ChallengeID uuid.UUID `db:"challenge_id"` ClientID string `db:"client_id"` Subject uuid.NullUUID `db:"subject"` Authorized bool `db:"authorized"` Granted bool `db:"granted"` RequestedAt time.Time `db:"requested_at"` RespondedAt sql.NullTime `db:"responded_at"` Form string `db:"form_data"` RequestedScopes StringSlicePipeDelimited `db:"requested_scopes"` GrantedScopes StringSlicePipeDelimited `db:"granted_scopes"` RequestedAudience StringSlicePipeDelimited `db:"requested_audience"` GrantedAudience StringSlicePipeDelimited `db:"granted_audience"` PreConfiguration sql.NullInt64 } // Grant grants the requested scopes and audience. func (s *OAuth2ConsentSession) Grant() { s.GrantedScopes = s.RequestedScopes s.GrantedAudience = s.RequestedAudience if !utils.IsStringInSlice(s.ClientID, s.GrantedAudience) { s.GrantedAudience = append(s.GrantedAudience, s.ClientID) } } // HasExactGrants returns true if the granted audience and scopes of this consent matches exactly with another // audience and set of scopes. func (s *OAuth2ConsentSession) HasExactGrants(scopes, audience []string) (has bool) { return s.HasExactGrantedScopes(scopes) && s.HasExactGrantedAudience(audience) } // HasExactGrantedAudience returns true if the granted audience of this consent matches exactly with another audience. func (s *OAuth2ConsentSession) HasExactGrantedAudience(audience []string) (has bool) { return !utils.IsStringSlicesDifferent(s.GrantedAudience, audience) } // HasExactGrantedScopes returns true if the granted scopes of this consent matches exactly with another set of scopes. func (s *OAuth2ConsentSession) HasExactGrantedScopes(scopes []string) (has bool) { return !utils.IsStringSlicesDifferent(s.GrantedScopes, scopes) } // Responded returns true if the user has responded to the consent session. func (s *OAuth2ConsentSession) Responded() bool { return s.RespondedAt.Valid } // IsAuthorized returns true if the user has responded to the consent session and it was authorized. func (s *OAuth2ConsentSession) IsAuthorized() bool { return s.Responded() && s.Authorized } // IsDenied returns true if the user has responded to the consent session and it was not authorized. func (s *OAuth2ConsentSession) IsDenied() bool { return s.Responded() && !s.Authorized } // CanGrant returns true if the session can still grant a token. This is NOT indicative of if there is a user response // to this consent request or if the user rejected the consent request. func (s *OAuth2ConsentSession) CanGrant() bool { if !s.Subject.Valid || s.Granted { return false } return true } // GetForm returns the form. func (s *OAuth2ConsentSession) GetForm() (form url.Values, err error) { return url.ParseQuery(s.Form) } // OAuth2BlacklistedJTI represents a blacklisted JTI used with OAuth2.0. type OAuth2BlacklistedJTI struct { ID int `db:"id"` Signature string `db:"signature"` ExpiresAt time.Time `db:"expires_at"` } // OAuth2Session represents a OAuth2.0 session. type OAuth2Session struct { ID int `db:"id"` ChallengeID uuid.UUID `db:"challenge_id"` RequestID string `db:"request_id"` ClientID string `db:"client_id"` Signature string `db:"signature"` RequestedAt time.Time `db:"requested_at"` Subject string `db:"subject"` RequestedScopes StringSlicePipeDelimited `db:"requested_scopes"` GrantedScopes StringSlicePipeDelimited `db:"granted_scopes"` RequestedAudience StringSlicePipeDelimited `db:"requested_audience"` GrantedAudience StringSlicePipeDelimited `db:"granted_audience"` Active bool `db:"active"` Revoked bool `db:"revoked"` Form string `db:"form_data"` Session []byte `db:"session_data"` } // SetSubject implements an interface required for RFC7523. func (s *OAuth2Session) SetSubject(subject string) { s.Subject = subject } // ToRequest converts an OAuth2Session into a fosite.Request given a fosite.Session and fosite.Storage. func (s *OAuth2Session) ToRequest(ctx context.Context, session fosite.Session, store fosite.Storage) (request *fosite.Request, err error) { sessionData := s.Session if session != nil { if err = json.Unmarshal(sessionData, session); err != nil { return nil, err } } client, err := store.GetClient(ctx, s.ClientID) if err != nil { return nil, err } values, err := url.ParseQuery(s.Form) if err != nil { return nil, err } return &fosite.Request{ ID: s.RequestID, RequestedAt: s.RequestedAt, Client: client, RequestedScope: fosite.Arguments(s.RequestedScopes), GrantedScope: fosite.Arguments(s.GrantedScopes), RequestedAudience: fosite.Arguments(s.RequestedAudience), GrantedAudience: fosite.Arguments(s.GrantedAudience), Form: values, Session: session, }, nil } // OAuth2PARContext holds relevant information about a Pushed Authorization Request in order to process the authorization. type OAuth2PARContext struct { ID int `db:"id"` Signature string `db:"signature"` RequestID string `db:"request_id"` ClientID string `db:"client_id"` RequestedAt time.Time `db:"requested_at"` Scopes StringSlicePipeDelimited `db:"scopes"` Audience StringSlicePipeDelimited `db:"audience"` HandledResponseTypes StringSlicePipeDelimited `db:"handled_response_types"` ResponseMode string `db:"response_mode"` DefaultResponseMode string `db:"response_mode_default"` Revoked bool `db:"revoked"` Form string `db:"form_data"` Session []byte `db:"session_data"` } func (par *OAuth2PARContext) ToAuthorizeRequest(ctx context.Context, session fosite.Session, store fosite.Storage) (request *fosite.AuthorizeRequest, err error) { if session != nil { if err = json.Unmarshal(par.Session, session); err != nil { return nil, err } } var ( client fosite.Client form url.Values ) if client, err = store.GetClient(ctx, par.ClientID); err != nil { return nil, err } if form, err = url.ParseQuery(par.Form); err != nil { return nil, err } request = fosite.NewAuthorizeRequest() request.Request = fosite.Request{ ID: par.RequestID, RequestedAt: par.RequestedAt, Client: client, RequestedScope: fosite.Arguments(par.Scopes), RequestedAudience: fosite.Arguments(par.Audience), Form: form, Session: session, } if par.ResponseMode != "" { request.ResponseMode = fosite.ResponseModeType(par.ResponseMode) } if par.DefaultResponseMode != "" { request.DefaultResponseMode = fosite.ResponseModeType(par.DefaultResponseMode) } if len(par.HandledResponseTypes) != 0 { request.HandledResponseTypes = fosite.Arguments(par.HandledResponseTypes) } return request, nil } // OpenIDSession holds OIDC Session information. type OpenIDSession struct { *openid.DefaultSession `json:"id_token"` ChallengeID uuid.UUID `db:"challenge_id"` ClientID string Extra map[string]any `json:"extra"` } // Clone copies the OpenIDSession to a new fosite.Session. func (s *OpenIDSession) Clone() fosite.Session { if s == nil { return nil } return deepcopy.Copy(s).(fosite.Session) }