2021-03-13 23:47:35 +08:00
|
|
|
// Copyright 2021 The casbin Authors. All Rights Reserved.
|
|
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
|
|
package object
|
|
|
|
|
|
|
|
|
|
import (
|
2021-12-04 00:39:14 +08:00
|
|
|
"fmt"
|
2021-03-14 18:18:03 +08:00
|
|
|
"strings"
|
|
|
|
|
|
2021-07-25 09:34:25 +08:00
|
|
|
"github.com/casbin/casdoor/util"
|
2021-03-13 23:47:35 +08:00
|
|
|
"xorm.io/core"
|
|
|
|
|
)
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
type Code struct {
|
|
|
|
|
Message string `xorm:"varchar(100)" json:"message"`
|
|
|
|
|
Code string `xorm:"varchar(100)" json:"code"`
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-13 23:47:35 +08:00
|
|
|
type Token struct {
|
|
|
|
|
Owner string `xorm:"varchar(100) notnull pk" json:"owner"`
|
|
|
|
|
Name string `xorm:"varchar(100) notnull pk" json:"name"`
|
|
|
|
|
CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
|
|
|
|
|
|
2021-05-04 22:36:05 +08:00
|
|
|
Application string `xorm:"varchar(100)" json:"application"`
|
|
|
|
|
Organization string `xorm:"varchar(100)" json:"organization"`
|
|
|
|
|
User string `xorm:"varchar(100)" json:"user"`
|
2021-03-13 23:47:35 +08:00
|
|
|
|
2021-12-18 18:49:38 +08:00
|
|
|
Code string `xorm:"varchar(100)" json:"code"`
|
|
|
|
|
AccessToken string `xorm:"mediumtext" json:"accessToken"`
|
|
|
|
|
RefreshToken string `xorm:"mediumtext" json:"refreshToken"`
|
|
|
|
|
ExpiresIn int `json:"expiresIn"`
|
|
|
|
|
Scope string `xorm:"varchar(100)" json:"scope"`
|
|
|
|
|
TokenType string `xorm:"varchar(100)" json:"tokenType"`
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
type TokenWrapper struct {
|
2021-12-28 19:44:17 +08:00
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
|
IdToken string `json:"id_token"`
|
|
|
|
|
RefreshToken string `json:"refresh_token"`
|
|
|
|
|
TokenType string `json:"token_type"`
|
|
|
|
|
ExpiresIn int `json:"expires_in"`
|
|
|
|
|
Scope string `json:"scope"`
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-25 10:55:10 +08:00
|
|
|
func GetTokenCount(owner, field, value string) int {
|
|
|
|
|
session := adapter.Engine.Where("owner=?", owner)
|
|
|
|
|
if field != "" && value != "" {
|
|
|
|
|
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
|
|
|
|
|
}
|
|
|
|
|
count, err := session.Count(&Token{})
|
2021-11-06 11:32:22 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return int(count)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-13 23:47:35 +08:00
|
|
|
func GetTokens(owner string) []*Token {
|
|
|
|
|
tokens := []*Token{}
|
2021-05-02 10:30:12 +08:00
|
|
|
err := adapter.Engine.Desc("created_time").Find(&tokens, &Token{Owner: owner})
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return tokens
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-25 10:55:10 +08:00
|
|
|
func GetPaginationTokens(owner string, offset, limit int, field, value, sortField, sortOrder string) []*Token {
|
2021-11-06 11:32:22 +08:00
|
|
|
tokens := []*Token{}
|
2021-12-25 10:55:10 +08:00
|
|
|
session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
|
|
|
|
|
err := session.Find(&tokens)
|
2021-11-06 11:32:22 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return tokens
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-13 23:47:35 +08:00
|
|
|
func getToken(owner string, name string) *Token {
|
2021-06-21 01:01:16 +08:00
|
|
|
if owner == "" || name == "" {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-13 23:47:35 +08:00
|
|
|
token := Token{Owner: owner, Name: name}
|
2021-05-02 10:30:12 +08:00
|
|
|
existed, err := adapter.Engine.Get(&token)
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if existed {
|
|
|
|
|
return &token
|
|
|
|
|
}
|
2021-11-06 11:32:22 +08:00
|
|
|
|
2021-09-04 22:20:47 +08:00
|
|
|
return nil
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
func getTokenByCode(code string) *Token {
|
|
|
|
|
token := Token{}
|
2021-05-02 10:30:12 +08:00
|
|
|
existed, err := adapter.Engine.Where("code=?", code).Get(&token)
|
2021-03-14 18:18:03 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if existed {
|
|
|
|
|
return &token
|
|
|
|
|
}
|
2021-11-06 11:32:22 +08:00
|
|
|
|
2021-09-04 22:20:47 +08:00
|
|
|
return nil
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
2021-03-13 23:47:35 +08:00
|
|
|
func GetToken(id string) *Token {
|
|
|
|
|
owner, name := util.GetOwnerAndNameFromId(id)
|
|
|
|
|
return getToken(owner, name)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func UpdateToken(id string, token *Token) bool {
|
|
|
|
|
owner, name := util.GetOwnerAndNameFromId(id)
|
|
|
|
|
if getToken(owner, name) == nil {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2021-05-02 10:30:12 +08:00
|
|
|
affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(token)
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-28 00:48:34 +08:00
|
|
|
return affected != 0
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func AddToken(token *Token) bool {
|
2021-05-02 10:30:12 +08:00
|
|
|
affected, err := adapter.Engine.Insert(token)
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return affected != 0
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func DeleteToken(token *Token) bool {
|
2021-05-02 10:30:12 +08:00
|
|
|
affected, err := adapter.Engine.ID(core.PK{token.Owner, token.Name}).Delete(&Token{})
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return affected != 0
|
|
|
|
|
}
|
2021-03-14 00:08:59 +08:00
|
|
|
|
2021-03-20 10:51:00 +08:00
|
|
|
func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string) (string, *Application) {
|
|
|
|
|
if responseType != "code" {
|
|
|
|
|
return "response_type should be \"code\"", nil
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-06 17:27:03 +08:00
|
|
|
application := GetApplicationByClientId(clientId)
|
2021-03-20 10:51:00 +08:00
|
|
|
if application == nil {
|
2021-03-28 08:59:12 +08:00
|
|
|
return "Invalid client_id", nil
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
validUri := false
|
|
|
|
|
for _, tmpUri := range application.RedirectUris {
|
|
|
|
|
if strings.Contains(redirectUri, tmpUri) {
|
|
|
|
|
validUri = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !validUri {
|
2021-12-04 00:39:14 +08:00
|
|
|
return fmt.Sprintf("Redirect URI: \"%s\" doesn't exist in the allowed Redirect URI list", redirectUri), application
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
|
|
|
|
|
2021-09-28 23:41:27 +08:00
|
|
|
// Mask application for /api/get-app-login
|
|
|
|
|
application.ClientSecret = ""
|
2021-03-20 10:51:00 +08:00
|
|
|
return "", application
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-15 21:42:16 +08:00
|
|
|
func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string) *Code {
|
2021-03-14 22:48:09 +08:00
|
|
|
user := GetUser(userId)
|
|
|
|
|
if user == nil {
|
|
|
|
|
return &Code{
|
2021-12-12 19:59:55 +08:00
|
|
|
Message: fmt.Sprintf("The user: %s doesn't exist", userId),
|
2021-03-14 22:48:09 +08:00
|
|
|
Code: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-12-28 19:44:17 +08:00
|
|
|
if user.IsForbidden {
|
|
|
|
|
return &Code{
|
|
|
|
|
Message: "error: the user is forbidden to sign in, please contact the administrator",
|
|
|
|
|
Code: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-03-14 22:48:09 +08:00
|
|
|
|
2021-03-20 13:05:34 +08:00
|
|
|
msg, application := CheckOAuthLogin(clientId, responseType, redirectUri, scope, state)
|
|
|
|
|
if msg != "" {
|
2021-03-14 18:18:03 +08:00
|
|
|
return &Code{
|
2021-03-20 13:05:34 +08:00
|
|
|
Message: msg,
|
2021-03-14 18:18:03 +08:00
|
|
|
Code: "",
|
|
|
|
|
}
|
2021-03-14 00:08:59 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-18 18:49:38 +08:00
|
|
|
accessToken, refreshToken, err := generateJwtToken(application, user, nonce)
|
2021-03-14 22:48:09 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-14 00:08:59 +08:00
|
|
|
token := &Token{
|
2021-05-04 22:36:05 +08:00
|
|
|
Owner: application.Owner,
|
|
|
|
|
Name: util.GenerateId(),
|
|
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: user.Owner,
|
|
|
|
|
User: user.Name,
|
|
|
|
|
Code: util.GenerateClientId(),
|
|
|
|
|
AccessToken: accessToken,
|
2021-12-18 18:49:38 +08:00
|
|
|
RefreshToken: refreshToken,
|
2021-05-04 22:36:05 +08:00
|
|
|
ExpiresIn: application.ExpireInHours * 60,
|
|
|
|
|
Scope: scope,
|
|
|
|
|
TokenType: "Bearer",
|
2021-03-14 00:08:59 +08:00
|
|
|
}
|
|
|
|
|
AddToken(token)
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
return &Code{
|
|
|
|
|
Message: "",
|
|
|
|
|
Code: token.Code,
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func GetOAuthToken(grantType string, clientId string, clientSecret string, code string) *TokenWrapper {
|
2021-06-06 17:27:03 +08:00
|
|
|
application := GetApplicationByClientId(clientId)
|
2021-03-14 18:18:03 +08:00
|
|
|
if application == nil {
|
|
|
|
|
return &TokenWrapper{
|
2021-06-01 21:14:41 +08:00
|
|
|
AccessToken: "error: invalid client_id",
|
2021-03-14 18:18:03 +08:00
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if grantType != "authorization_code" {
|
|
|
|
|
return &TokenWrapper{
|
2021-06-01 21:14:41 +08:00
|
|
|
AccessToken: "error: grant_type should be \"authorization_code\"",
|
|
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if code == "" {
|
|
|
|
|
return &TokenWrapper{
|
|
|
|
|
AccessToken: "error: code should not be empty",
|
2021-03-14 18:18:03 +08:00
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token := getTokenByCode(code)
|
|
|
|
|
if token == nil {
|
|
|
|
|
return &TokenWrapper{
|
2021-06-01 21:14:41 +08:00
|
|
|
AccessToken: "error: invalid code",
|
2021-03-14 18:18:03 +08:00
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application.Name != token.Application {
|
|
|
|
|
return &TokenWrapper{
|
2021-06-01 21:14:41 +08:00
|
|
|
AccessToken: "error: the token is for wrong application (client_id)",
|
2021-03-14 18:18:03 +08:00
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application.ClientSecret != clientSecret {
|
|
|
|
|
return &TokenWrapper{
|
2021-06-01 21:14:41 +08:00
|
|
|
AccessToken: "error: invalid client_secret",
|
2021-03-14 18:18:03 +08:00
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tokenWrapper := &TokenWrapper{
|
2021-12-28 19:44:17 +08:00
|
|
|
AccessToken: token.AccessToken,
|
|
|
|
|
IdToken: token.AccessToken,
|
|
|
|
|
RefreshToken: token.RefreshToken,
|
|
|
|
|
TokenType: token.TokenType,
|
|
|
|
|
ExpiresIn: token.ExpiresIn,
|
|
|
|
|
Scope: token.Scope,
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return tokenWrapper
|
2021-03-14 00:08:59 +08:00
|
|
|
}
|
2021-12-18 18:49:38 +08:00
|
|
|
|
2022-01-01 15:20:49 +08:00
|
|
|
func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string) *TokenWrapper {
|
2021-12-18 18:49:38 +08:00
|
|
|
// check parameters
|
|
|
|
|
if grantType != "refresh_token" {
|
2022-01-01 15:20:49 +08:00
|
|
|
return &TokenWrapper{
|
|
|
|
|
AccessToken: "error: grant_type should be \"refresh_token\"",
|
|
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
application := GetApplicationByClientId(clientId)
|
|
|
|
|
if application == nil {
|
2022-01-01 15:20:49 +08:00
|
|
|
return &TokenWrapper{
|
|
|
|
|
AccessToken: "error: invalid client_id",
|
|
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if application.ClientSecret != clientSecret {
|
2022-01-01 15:20:49 +08:00
|
|
|
return &TokenWrapper{
|
|
|
|
|
AccessToken: "error: invalid client_secret",
|
|
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// check whether the refresh token is valid, and has not expired.
|
|
|
|
|
token := Token{RefreshToken: refreshToken}
|
|
|
|
|
existed, err := adapter.Engine.Get(&token)
|
|
|
|
|
if err != nil || !existed {
|
2022-01-01 15:20:49 +08:00
|
|
|
return &TokenWrapper{
|
|
|
|
|
AccessToken: "error: invalid refresh_token",
|
|
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
}
|
2021-12-31 09:36:48 +08:00
|
|
|
|
|
|
|
|
cert := getCertByApplication(application)
|
2022-01-01 15:20:49 +08:00
|
|
|
_, err = ParseJwtToken(refreshToken, cert)
|
2021-12-18 18:49:38 +08:00
|
|
|
if err != nil {
|
2022-01-01 15:20:49 +08:00
|
|
|
return &TokenWrapper{
|
|
|
|
|
AccessToken: fmt.Sprintf("error: %s", err.Error()),
|
|
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// generate a new token
|
2022-01-01 15:20:49 +08:00
|
|
|
user := getUser(application.Organization, token.User)
|
2021-12-28 19:44:17 +08:00
|
|
|
if user.IsForbidden {
|
2022-01-01 15:20:49 +08:00
|
|
|
return &TokenWrapper{
|
|
|
|
|
AccessToken: "error: the user is forbidden to sign in, please contact the administrator",
|
|
|
|
|
TokenType: "",
|
|
|
|
|
ExpiresIn: 0,
|
|
|
|
|
Scope: "",
|
2021-12-28 19:44:17 +08:00
|
|
|
}
|
|
|
|
|
}
|
2021-12-18 18:49:38 +08:00
|
|
|
newAccessToken, newRefreshToken, err := generateJwtToken(application, user, "")
|
|
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newToken := &Token{
|
|
|
|
|
Owner: application.Owner,
|
|
|
|
|
Name: util.GenerateId(),
|
|
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: user.Owner,
|
|
|
|
|
User: user.Name,
|
|
|
|
|
Code: util.GenerateClientId(),
|
|
|
|
|
AccessToken: newAccessToken,
|
|
|
|
|
RefreshToken: newRefreshToken,
|
|
|
|
|
ExpiresIn: application.ExpireInHours * 60,
|
|
|
|
|
Scope: scope,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
}
|
|
|
|
|
AddToken(newToken)
|
|
|
|
|
|
2022-01-01 15:20:49 +08:00
|
|
|
tokenWrapper := &TokenWrapper{
|
|
|
|
|
AccessToken: token.AccessToken,
|
|
|
|
|
IdToken: token.AccessToken,
|
|
|
|
|
RefreshToken: token.RefreshToken,
|
|
|
|
|
TokenType: token.TokenType,
|
|
|
|
|
ExpiresIn: token.ExpiresIn,
|
|
|
|
|
Scope: token.Scope,
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
2022-01-01 15:20:49 +08:00
|
|
|
|
|
|
|
|
return tokenWrapper
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
