support CAS identity provider

Signed-off-by: hongming <talonwan@yunify.com>
2021-02-05 15:20:37 +08:00
parent 2d73e777f4
commit 5f0727cf34
27 changed files with 1853 additions and 3 deletions
--- a/vendor/gopkg.in/cas.v2/rest_handler.go
+++ b/vendor/gopkg.in/cas.v2/rest_handler.go
@@ -0,0 +1,59 @@
+package cas
+
+import (
+	"net/http"
+
+	"github.com/golang/glog"
+)
+
+// restClientHandler handles CAS REST Protocol over HTTP Basic Authentication
+type restClientHandler struct {
+	c *RestClient
+	h http.Handler
+}
+
+// ServeHTTP handles HTTP requests, processes HTTP Basic Authentication over CAS Rest api
+// and passes requests up to its child http.Handler.
+func (ch *restClientHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if glog.V(2) {
+		glog.Infof("cas: handling %v request for %v", r.Method, r.URL)
+	}
+
+	username, password, ok := r.BasicAuth()
+	if !ok {
+		w.Header().Set("WWW-Authenticate", "Basic realm=\"CAS Protected Area\"")
+		w.WriteHeader(401)
+		return
+	}
+
+	// TODO we should implement a short cache to avoid hitting cas server on every request
+	// the cache could use the authorization header as key and the authenticationResponse as value
+
+	success, err := ch.authenticate(username, password)
+	if err != nil {
+		if glog.V(1) {
+			glog.Infof("cas: rest authentication failed %v", err)
+		}
+		w.Header().Set("WWW-Authenticate", "Basic realm=\"CAS Protected Area\"")
+		w.WriteHeader(401)
+		return
+	}
+
+	setAuthenticationResponse(r, success)
+	ch.h.ServeHTTP(w, r)
+	return
+}
+
+func (ch *restClientHandler) authenticate(username string, password string) (*AuthenticationResponse, error) {
+	tgt, err := ch.c.RequestGrantingTicket(username, password)
+	if err != nil {
+		return nil, err
+	}
+
+	st, err := ch.c.RequestServiceTicket(tgt)
+	if err != nil {
+		return nil, err
+	}
+
+	return ch.c.ValidateServiceTicket(st)
+}