Merge remote-tracking branch 'origin/master' into new-eventstore
@@ -42,3 +42,45 @@ func (s *Server) RemoveIdpProviderFromDefaultLoginPolicy(ctx context.Context, pr
|
||||
err := s.iam.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderToModel(provider))
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) GetDefaultLoginPolicySecondFactors(ctx context.Context, _ *empty.Empty) (*admin.SecondFactorsResult, error) {
|
||||
result, err := s.iam.SearchDefaultSecondFactors(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return secondFactorsResultFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*admin.SecondFactor, error) {
|
||||
result, err := s.iam.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToModel(mfa))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return secondFactorFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*empty.Empty, error) {
|
||||
err := s.iam.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToModel(mfa))
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) GetDefaultLoginPolicyMultiFactors(ctx context.Context, _ *empty.Empty) (*admin.MultiFactorsResult, error) {
|
||||
result, err := s.iam.SearchDefaultMultiFactors(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return multiFactorResultFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*admin.MultiFactor, error) {
|
||||
result, err := s.iam.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToModel(mfa))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return multiFactorFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*empty.Empty, error) {
|
||||
err := s.iam.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToModel(mfa))
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
@@ -12,6 +12,7 @@ func loginPolicyToModel(policy *admin.DefaultLoginPolicyRequest) *iam_model.Logi
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMFA: policy.ForceMfa,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -26,6 +27,7 @@ func loginPolicyFromModel(policy *iam_model.LoginPolicy) *admin.DefaultLoginPoli
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
}
|
||||
@@ -42,6 +44,7 @@ func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *admin.DefaultL
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIDP,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
}
|
||||
@@ -103,3 +106,75 @@ func idpConfigTypeToModel(providerType iam_model.IdpConfigType) admin.IdpType {
|
||||
return admin.IdpType_IDPTYPE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorsResultFromModel(result *iam_model.SecondFactorsSearchResponse) *admin.SecondFactorsResult {
|
||||
converted := make([]admin.SecondFactorType, len(result.Result))
|
||||
for i, mfaType := range result.Result {
|
||||
converted[i] = secondFactorTypeFromModel(mfaType)
|
||||
}
|
||||
return &admin.SecondFactorsResult{
|
||||
SecondFactors: converted,
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorFromModel(mfaType iam_model.SecondFactorType) *admin.SecondFactor {
|
||||
return &admin.SecondFactor{
|
||||
SecondFactor: secondFactorTypeFromModel(mfaType),
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) admin.SecondFactorType {
|
||||
switch mfaType {
|
||||
case iam_model.SecondFactorTypeOTP:
|
||||
return admin.SecondFactorType_SECONDFACTORTYPE_OTP
|
||||
case iam_model.SecondFactorTypeU2F:
|
||||
return admin.SecondFactorType_SECONDFACTORTYPE_U2F
|
||||
default:
|
||||
return admin.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorTypeToModel(mfaType *admin.SecondFactor) iam_model.SecondFactorType {
|
||||
switch mfaType.SecondFactor {
|
||||
case admin.SecondFactorType_SECONDFACTORTYPE_OTP:
|
||||
return iam_model.SecondFactorTypeOTP
|
||||
case admin.SecondFactorType_SECONDFACTORTYPE_U2F:
|
||||
return iam_model.SecondFactorTypeU2F
|
||||
default:
|
||||
return iam_model.SecondFactorTypeUnspecified
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *admin.MultiFactorsResult {
|
||||
converted := make([]admin.MultiFactorType, len(result.Result))
|
||||
for i, mfaType := range result.Result {
|
||||
converted[i] = multiFactorTypeFromModel(mfaType)
|
||||
}
|
||||
return &admin.MultiFactorsResult{
|
||||
MultiFactors: converted,
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorFromModel(mfaType iam_model.MultiFactorType) *admin.MultiFactor {
|
||||
return &admin.MultiFactor{
|
||||
MultiFactor: multiFactorTypeFromModel(mfaType),
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) admin.MultiFactorType {
|
||||
switch mfaType {
|
||||
case iam_model.MultiFactorTypeU2FWithPIN:
|
||||
return admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN
|
||||
default:
|
||||
return admin.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorTypeToModel(mfaType *admin.MultiFactor) iam_model.MultiFactorType {
|
||||
switch mfaType.MultiFactor {
|
||||
case admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN:
|
||||
return iam_model.MultiFactorTypeU2FWithPIN
|
||||
default:
|
||||
return iam_model.MultiFactorTypeUnspecified
|
||||
}
|
||||
}
|
||||
|
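Review bot: `secondFactorTypeToModel` and `multiFactorTypeToModel` fold every unrecognised or unset enum value into `iam_model.SecondFactorTypeUnspecified` / `iam_model.MultiFactorTypeUnspecified`, and the new Add/Remove handlers pass that result straight to `s.iam` with no check visible in this commit. If the IAM layer does not reject the unspecified value (not visible here), a malformed request could add a meaningless factor to the default login policy, or issue a remove for a factor that was never named. Either reject the unspecified value in the handlers before calling `s.iam`, or state the contract on the converters, e.g. `// Unknown values map to SecondFactorTypeUnspecified; the caller must reject it before persisting.` The management converter with the same function names has the same shape.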
@@ -63,3 +63,45 @@ func (s *Server) RemoveIdpProviderFromLoginPolicy(ctx context.Context, provider
|
||||
err := s.org.RemoveIDPProviderFromLoginPolicy(ctx, idpProviderToModel(provider))
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) GetLoginPolicySecondFactors(ctx context.Context, _ *empty.Empty) (*management.SecondFactorsResult, error) {
|
||||
result, err := s.org.SearchSecondFactors(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return secondFactorResultFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*management.SecondFactor, error) {
|
||||
result, err := s.org.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToModel(mfa))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return secondFactorFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*empty.Empty, error) {
|
||||
err := s.org.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToModel(mfa))
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) GetLoginPolicyMultiFactors(ctx context.Context, _ *empty.Empty) (*management.MultiFactorsResult, error) {
|
||||
result, err := s.org.SearchMultiFactors(ctx)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return multiFactorResultFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*management.MultiFactor, error) {
|
||||
result, err := s.org.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToModel(mfa))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return multiFactorFromModel(result), nil
|
||||
}
|
||||
|
||||
func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*empty.Empty, error) {
|
||||
err := s.org.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToModel(mfa))
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
@@ -12,6 +12,7 @@ func loginPolicyRequestToModel(policy *management.LoginPolicyRequest) *iam_model
|
||||
AllowUsernamePassword: policy.AllowUsernamePassword,
|
||||
AllowExternalIdp: policy.AllowExternalIdp,
|
||||
AllowRegister: policy.AllowRegister,
|
||||
ForceMFA: policy.ForceMfa,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -28,6 +29,7 @@ func loginPolicyFromModel(policy *iam_model.LoginPolicy) *management.LoginPolicy
|
||||
AllowRegister: policy.AllowRegister,
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -45,6 +47,7 @@ func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *management.Log
|
||||
AllowRegister: policy.AllowRegister,
|
||||
CreationDate: creationDate,
|
||||
ChangeDate: changeDate,
|
||||
ForceMfa: policy.ForceMFA,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -140,3 +143,75 @@ func idpProviderTypeFromModel(providerType iam_model.IDPProviderType) management
|
||||
return management.IdpProviderType_IDPPROVIDERTYPE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorResultFromModel(result *iam_model.SecondFactorsSearchResponse) *management.SecondFactorsResult {
|
||||
converted := make([]management.SecondFactorType, len(result.Result))
|
||||
for i, mfaType := range result.Result {
|
||||
converted[i] = secondFactorTypeFromModel(mfaType)
|
||||
}
|
||||
return &management.SecondFactorsResult{
|
||||
SecondFactors: converted,
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorFromModel(mfaType iam_model.SecondFactorType) *management.SecondFactor {
|
||||
return &management.SecondFactor{
|
||||
SecondFactor: secondFactorTypeFromModel(mfaType),
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) management.SecondFactorType {
|
||||
switch mfaType {
|
||||
case iam_model.SecondFactorTypeOTP:
|
||||
return management.SecondFactorType_SECONDFACTORTYPE_OTP
|
||||
case iam_model.SecondFactorTypeU2F:
|
||||
return management.SecondFactorType_SECONDFACTORTYPE_U2F
|
||||
default:
|
||||
return management.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func secondFactorTypeToModel(mfaType *management.SecondFactor) iam_model.SecondFactorType {
|
||||
switch mfaType.SecondFactor {
|
||||
case management.SecondFactorType_SECONDFACTORTYPE_OTP:
|
||||
return iam_model.SecondFactorTypeOTP
|
||||
case management.SecondFactorType_SECONDFACTORTYPE_U2F:
|
||||
return iam_model.SecondFactorTypeU2F
|
||||
default:
|
||||
return iam_model.SecondFactorTypeUnspecified
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *management.MultiFactorsResult {
|
||||
converted := make([]management.MultiFactorType, len(result.Result))
|
||||
for i, mfaType := range result.Result {
|
||||
converted[i] = multiFactorTypeFromModel(mfaType)
|
||||
}
|
||||
return &management.MultiFactorsResult{
|
||||
MultiFactors: converted,
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorFromModel(mfaType iam_model.MultiFactorType) *management.MultiFactor {
|
||||
return &management.MultiFactor{
|
||||
MultiFactor: multiFactorTypeFromModel(mfaType),
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) management.MultiFactorType {
|
||||
switch mfaType {
|
||||
case iam_model.MultiFactorTypeU2FWithPIN:
|
||||
return management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN
|
||||
default:
|
||||
return management.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED
|
||||
}
|
||||
}
|
||||
|
||||
func multiFactorTypeToModel(mfaType *management.MultiFactor) iam_model.MultiFactorType {
|
||||
switch mfaType.MultiFactor {
|
||||
case management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN:
|
||||
return iam_model.MultiFactorTypeU2FWithPIN
|
||||
default:
|
||||
return iam_model.MultiFactorTypeUnspecified
|
||||
}
|
||||
}
|
||||
|
@@ -195,6 +195,11 @@ func (s *Server) SetInitialPassword(ctx context.Context, request *management.Pas
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) ResendInitialMail(ctx context.Context, request *management.InitialMailRequest) (*empty.Empty, error) {
|
||||
err := s.user.ResendInitialMail(ctx, request.Id, request.Email)
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) SearchUserExternalIDPs(ctx context.Context, request *management.ExternalIDPSearchRequest) (*management.ExternalIDPSearchResponse, error) {
|
||||
externalIDP, err := s.user.SearchExternalIDPs(ctx, externalIDPSearchRequestToModel(request))
|
||||
if err != nil {
|
||||
@@ -208,12 +213,12 @@ func (s *Server) RemoveExternalIDP(ctx context.Context, request *management.Exte
|
||||
return &empty.Empty{}, err
|
||||
}
|
||||
|
||||
func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.MultiFactors, error) {
|
||||
func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.UserMultiFactors, error) {
|
||||
mfas, err := s.user.UserMfas(ctx, userID.Id)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &management.MultiFactors{Mfas: mfasFromModel(mfas)}, nil
|
||||
return &management.UserMultiFactors{Mfas: mfasFromModel(mfas)}, nil
|
||||
}
|
||||
|
||||
func (s *Server) SearchUserMemberships(ctx context.Context, in *management.UserMembershipSearchRequest) (*management.UserMembershipSearchResponse, error) {
|
||||
|
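Review bot: `ResendInitialMail` forwards `request.Email` from the request body unchanged to `s.user.ResendInitialMail`, and nothing in the handler says whether that address must match the one stored for `request.Id`. Because the initial mail is part of account setup, letting the caller choose the destination is security-relevant. Validation and authorization may live in an interceptor or in the user repository, neither of which is visible in this hunk. A doc comment would make the contract reviewable, e.g. `// ResendInitialMail re-sends the initialization mail for request.Id; request.Email is passed through as supplied and must be validated by the user repository.`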
@@ -491,16 +491,16 @@ func userMembershipViewFromModel(membership *usr_model.UserMembershipView) *mana
|
||||
}
|
||||
}
|
||||
|
||||
func mfasFromModel(mfas []*usr_model.MultiFactor) []*management.MultiFactor {
|
||||
converted := make([]*management.MultiFactor, len(mfas))
|
||||
func mfasFromModel(mfas []*usr_model.MultiFactor) []*management.UserMultiFactor {
|
||||
converted := make([]*management.UserMultiFactor, len(mfas))
|
||||
for i, mfa := range mfas {
|
||||
converted[i] = mfaFromModel(mfa)
|
||||
}
|
||||
return converted
|
||||
}
|
||||
|
||||
func mfaFromModel(mfa *usr_model.MultiFactor) *management.MultiFactor {
|
||||
return &management.MultiFactor{
|
||||
func mfaFromModel(mfa *usr_model.MultiFactor) *management.UserMultiFactor {
|
||||
return &management.UserMultiFactor{
|
||||
State: mfaStateFromModel(mfa.State),
|
||||
Type: mfaTypeFromModel(mfa.Type),
|
||||
}
|
||||
|
@@ -89,6 +89,22 @@ func userGrantSearchKeyToModel(key management.UserGrantSearchKey) grant_model.Us
|
||||
return grant_model.UserGrantSearchKeyRoleKey
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_GRANT_ID:
|
||||
return grant_model.UserGrantSearchKeyGrantID
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_USER_NAME:
|
||||
return grant_model.UserGrantSearchKeyUserName
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_FIRST_NAME:
|
||||
return grant_model.UserGrantSearchKeyFirstName
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_LAST_NAME:
|
||||
return grant_model.UserGrantSearchKeyLastName
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_EMAIL:
|
||||
return grant_model.UserGrantSearchKeyEmail
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_NAME:
|
||||
return grant_model.UserGrantSearchKeyOrgName
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_DOMAIN:
|
||||
return grant_model.UserGrantSearchKeyOrgDomain
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_PROJECT_NAME:
|
||||
return grant_model.UserGrantSearchKeyProjectName
|
||||
case management.UserGrantSearchKey_USERGRANTSEARCHKEY_DISPLAY_NAME:
|
||||
return grant_model.UserGrantSearchKeyDisplayName
|
||||
default:
|
||||
return grant_model.UserGrantSearchKeyUnspecified
|
||||
}
|
||||
|
@@ -243,9 +243,9 @@ func CodeChallengeToOIDC(challenge *model.OIDCCodeChallenge) *oidc.CodeChallenge
|
||||
}
|
||||
}
|
||||
|
||||
func AMRFromMFAType(mfaType model.MfaType) string {
|
||||
func AMRFromMFAType(mfaType model.MFAType) string {
|
||||
switch mfaType {
|
||||
case model.MfaTypeOTP:
|
||||
case model.MFATypeOTP:
|
||||
return amrOTP
|
||||
default:
|
||||
return ""
|
||||
|
@@ -2,6 +2,7 @@ package oidc
|
||||
|
||||
import (
|
||||
"context"
|
||||
"github.com/caos/zitadel/internal/auth_request/model"
|
||||
"strings"
|
||||
|
||||
"golang.org/x/text/language"
|
||||
@@ -153,6 +154,9 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID, applicati
|
||||
if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
|
||||
roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
|
||||
}
|
||||
if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
|
||||
userInfo.AppendClaims(model.OrgDomainPrimaryScope, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -170,17 +174,19 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID, applicati
|
||||
return userInfo, nil
|
||||
}
|
||||
|
||||
func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, applicationID string, scopes []string) (claims map[string]interface{}, err error) {
|
||||
func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]interface{}, err error) {
|
||||
roles := make([]string, 0)
|
||||
for _, scope := range scopes {
|
||||
if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
|
||||
roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
|
||||
} else if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
|
||||
claims = map[string]interface{}{model.OrgDomainPrimaryScope: strings.TrimPrefix(scope, model.OrgDomainPrimaryScope)}
|
||||
}
|
||||
}
|
||||
if len(roles) == 0 || applicationID == "" {
|
||||
return nil, nil
|
||||
if len(roles) == 0 || clientID == "" {
|
||||
return claims, nil
|
||||
}
|
||||
projectRoles, err := o.assertRoles(ctx, userID, applicationID, roles)
|
||||
projectRoles, err := o.assertRoles(ctx, userID, clientID, roles)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
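Review bot: The org-domain claim is copied verbatim from the requested scope string, `strings.TrimPrefix(scope, model.OrgDomainPrimaryScope)`, in both `GetUserinfoFromScopes` and `GetPrivateClaimsFromScopes`, with no check visible here that the user actually belongs to that domain. A relying party that reads the claim as an assertion would then be trusting a request-controlled value unless it is validated earlier in the auth-request flow (not visible in this commit). A comment at both sites should name where that validation happens, e.g. `// value originates from the requested scope; verified against the user's org in <validation site, not shown in this diff>`. In `GetPrivateClaimsFromScopes` the rest of the body after `assertRoles` lies outside the hunk, so if it assigns a fresh map to `claims`, the org-domain entry set in the loop is lost whenever role scopes are also requested.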
@@ -1,6 +1,8 @@
|
||||
package oidc
|
||||
|
||||
import (
|
||||
authreq_model "github.com/caos/zitadel/internal/auth_request/model"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/caos/oidc/pkg/oidc"
|
||||
@@ -63,16 +65,22 @@ func (c *Client) DevMode() bool {
|
||||
return c.ApplicationView.DevMode
|
||||
}
|
||||
|
||||
func (c *Client) AllowedScopes() []string {
|
||||
return c.allowedScopes
|
||||
func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
|
||||
return func(scopes []string) []string {
|
||||
if c.IDTokenRoleAssertion {
|
||||
return scopes
|
||||
}
|
||||
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
|
||||
}
|
||||
}
|
||||
|
||||
func (c *Client) AssertAdditionalIdTokenScopes() bool {
|
||||
return c.IDTokenRoleAssertion
|
||||
}
|
||||
|
||||
func (c *Client) AssertAdditionalAccessTokenScopes() bool {
|
||||
return c.AccessTokenRoleAssertion
|
||||
func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
|
||||
return func(scopes []string) []string {
|
||||
if c.AccessTokenRoleAssertion {
|
||||
return scopes
|
||||
}
|
||||
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
|
||||
}
|
||||
}
|
||||
|
||||
func (c *Client) AccessTokenLifetime() time.Duration {
|
||||
@@ -87,6 +95,21 @@ func (c *Client) AccessTokenType() op.AccessTokenType {
|
||||
return accessTokenTypeToOIDC(c.ApplicationView.AccessTokenType)
|
||||
}
|
||||
|
||||
func (c *Client) IsScopeAllowed(scope string) bool {
|
||||
if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) {
|
||||
return true
|
||||
}
|
||||
if strings.HasPrefix(scope, authreq_model.ProjectIDScope) {
|
||||
return true
|
||||
}
|
||||
for _, allowedScope := range c.allowedScopes {
|
||||
if scope == allowedScope {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
|
||||
switch tokenType {
|
||||
case model.OIDCTokenTypeBearer:
|
||||
@@ -131,3 +154,20 @@ func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
|
||||
return oidc.ResponseTypeCode
|
||||
}
|
||||
}
|
||||
|
||||
func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
|
||||
newScopeList := make([]string, 0)
|
||||
for _, scope := range scopes {
|
||||
hasPrefix := false
|
||||
for _, prefix := range scopePrefix {
|
||||
if strings.HasPrefix(scope, prefix) {
|
||||
hasPrefix = true
|
||||
continue
|
||||
}
|
||||
}
|
||||
if !hasPrefix {
|
||||
newScopeList = append(newScopeList, scope)
|
||||
}
|
||||
}
|
||||
return newScopeList
|
||||
}
|
||||
|
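Review bot: `IsScopeAllowed` returns true for any string that merely starts with `authreq_model.OrgDomainPrimaryScope` or `authreq_model.ProjectIDScope`, including the bare prefix with nothing after it. These scopes therefore bypass the client's `allowedScopes` list, and the remainder is never checked for shape or length in this function. At minimum the bare prefix should be rejected, e.g. `if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) && len(scope) > len(authreq_model.OrgDomainPrimaryScope) {`, with the same guard for `ProjectIDScope`. Separately, in `removeScopeWithPrefix` the `continue` after `hasPrefix = true` only advances the inner prefix loop; `break` states the intent and skips the remaining comparisons.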