mirror of https://github.com/k3s-io/k3s
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
178 lines
5.0 KiB
178 lines
5.0 KiB
// Copyright 2014 The Go Authors. All rights reserved. |
|
// Use of this source code is governed by a BSD-style |
|
// license that can be found in the LICENSE file. |
|
|
|
package oauth2 |
|
|
|
import ( |
|
"context" |
|
"fmt" |
|
"net/http" |
|
"net/url" |
|
"strconv" |
|
"strings" |
|
"time" |
|
|
|
"golang.org/x/oauth2/internal" |
|
) |
|
|
|
// expiryDelta determines how earlier a token should be considered |
|
// expired than its actual expiration time. It is used to avoid late |
|
// expirations due to client-server time mismatches. |
|
const expiryDelta = 10 * time.Second |
|
|
|
// Token represents the credentials used to authorize |
|
// the requests to access protected resources on the OAuth 2.0 |
|
// provider's backend. |
|
// |
|
// Most users of this package should not access fields of Token |
|
// directly. They're exported mostly for use by related packages |
|
// implementing derivative OAuth2 flows. |
|
type Token struct { |
|
// AccessToken is the token that authorizes and authenticates |
|
// the requests. |
|
AccessToken string `json:"access_token"` |
|
|
|
// TokenType is the type of token. |
|
// The Type method returns either this or "Bearer", the default. |
|
TokenType string `json:"token_type,omitempty"` |
|
|
|
// RefreshToken is a token that's used by the application |
|
// (as opposed to the user) to refresh the access token |
|
// if it expires. |
|
RefreshToken string `json:"refresh_token,omitempty"` |
|
|
|
// Expiry is the optional expiration time of the access token. |
|
// |
|
// If zero, TokenSource implementations will reuse the same |
|
// token forever and RefreshToken or equivalent |
|
// mechanisms for that TokenSource will not be used. |
|
Expiry time.Time `json:"expiry,omitempty"` |
|
|
|
// raw optionally contains extra metadata from the server |
|
// when updating a token. |
|
raw interface{} |
|
} |
|
|
|
// Type returns t.TokenType if non-empty, else "Bearer". |
|
func (t *Token) Type() string { |
|
if strings.EqualFold(t.TokenType, "bearer") { |
|
return "Bearer" |
|
} |
|
if strings.EqualFold(t.TokenType, "mac") { |
|
return "MAC" |
|
} |
|
if strings.EqualFold(t.TokenType, "basic") { |
|
return "Basic" |
|
} |
|
if t.TokenType != "" { |
|
return t.TokenType |
|
} |
|
return "Bearer" |
|
} |
|
|
|
// SetAuthHeader sets the Authorization header to r using the access |
|
// token in t. |
|
// |
|
// This method is unnecessary when using Transport or an HTTP Client |
|
// returned by this package. |
|
func (t *Token) SetAuthHeader(r *http.Request) { |
|
r.Header.Set("Authorization", t.Type()+" "+t.AccessToken) |
|
} |
|
|
|
// WithExtra returns a new Token that's a clone of t, but using the |
|
// provided raw extra map. This is only intended for use by packages |
|
// implementing derivative OAuth2 flows. |
|
func (t *Token) WithExtra(extra interface{}) *Token { |
|
t2 := new(Token) |
|
*t2 = *t |
|
t2.raw = extra |
|
return t2 |
|
} |
|
|
|
// Extra returns an extra field. |
|
// Extra fields are key-value pairs returned by the server as a |
|
// part of the token retrieval response. |
|
func (t *Token) Extra(key string) interface{} { |
|
if raw, ok := t.raw.(map[string]interface{}); ok { |
|
return raw[key] |
|
} |
|
|
|
vals, ok := t.raw.(url.Values) |
|
if !ok { |
|
return nil |
|
} |
|
|
|
v := vals.Get(key) |
|
switch s := strings.TrimSpace(v); strings.Count(s, ".") { |
|
case 0: // Contains no "."; try to parse as int |
|
if i, err := strconv.ParseInt(s, 10, 64); err == nil { |
|
return i |
|
} |
|
case 1: // Contains a single "."; try to parse as float |
|
if f, err := strconv.ParseFloat(s, 64); err == nil { |
|
return f |
|
} |
|
} |
|
|
|
return v |
|
} |
|
|
|
// timeNow is time.Now but pulled out as a variable for tests. |
|
var timeNow = time.Now |
|
|
|
// expired reports whether the token is expired. |
|
// t must be non-nil. |
|
func (t *Token) expired() bool { |
|
if t.Expiry.IsZero() { |
|
return false |
|
} |
|
return t.Expiry.Round(0).Add(-expiryDelta).Before(timeNow()) |
|
} |
|
|
|
// Valid reports whether t is non-nil, has an AccessToken, and is not expired. |
|
func (t *Token) Valid() bool { |
|
return t != nil && t.AccessToken != "" && !t.expired() |
|
} |
|
|
|
// tokenFromInternal maps an *internal.Token struct into |
|
// a *Token struct. |
|
func tokenFromInternal(t *internal.Token) *Token { |
|
if t == nil { |
|
return nil |
|
} |
|
return &Token{ |
|
AccessToken: t.AccessToken, |
|
TokenType: t.TokenType, |
|
RefreshToken: t.RefreshToken, |
|
Expiry: t.Expiry, |
|
raw: t.Raw, |
|
} |
|
} |
|
|
|
// retrieveToken takes a *Config and uses that to retrieve an *internal.Token. |
|
// This token is then mapped from *internal.Token into an *oauth2.Token which is returned along |
|
// with an error.. |
|
func retrieveToken(ctx context.Context, c *Config, v url.Values) (*Token, error) { |
|
tk, err := internal.RetrieveToken(ctx, c.ClientID, c.ClientSecret, c.Endpoint.TokenURL, v, internal.AuthStyle(c.Endpoint.AuthStyle)) |
|
if err != nil { |
|
if rErr, ok := err.(*internal.RetrieveError); ok { |
|
return nil, (*RetrieveError)(rErr) |
|
} |
|
return nil, err |
|
} |
|
return tokenFromInternal(tk), nil |
|
} |
|
|
|
// RetrieveError is the error returned when the token endpoint returns a |
|
// non-2XX HTTP status code. |
|
type RetrieveError struct { |
|
Response *http.Response |
|
// Body is the body that was consumed by reading Response.Body. |
|
// It may be truncated. |
|
Body []byte |
|
} |
|
|
|
func (r *RetrieveError) Error() string { |
|
return fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", r.Response.Status, r.Body) |
|
}
|
|
|