234 lines
5.4 KiB
Go
234 lines
5.4 KiB
Go
package auth
|
||
|
||
import (
|
||
"context"
|
||
"crypto/rand"
|
||
"encoding/base64"
|
||
"errors"
|
||
"fmt"
|
||
"time"
|
||
)
|
||
|
||
// SSOOAuth2Config SSO OAuth2 配置
|
||
type SSOOAuth2Config struct {
|
||
ClientID string
|
||
ClientSecret string
|
||
RedirectURI string
|
||
Scope string
|
||
}
|
||
|
||
// SSOProvider SSO 提供者接口
|
||
type SSOProvider interface {
|
||
// Authorize 处理授权请求
|
||
Authorize(ctx context.Context, req *SSOAuthorizeRequest) (*SSOAuthorizeResponse, error)
|
||
// Introspect 验证 access token
|
||
Introspect(ctx context.Context, token string) (*SSOTokenInfo, error)
|
||
// Revoke 撤销 token
|
||
Revoke(ctx context.Context, token string) error
|
||
}
|
||
|
||
// SSOAuthorizeRequest 授权请求
|
||
type SSOAuthorizeRequest struct {
|
||
ClientID string
|
||
RedirectURI string
|
||
ResponseType string // "code" 或 "token"
|
||
Scope string
|
||
State string
|
||
UserID int64
|
||
}
|
||
|
||
// SSOAuthorizeResponse 授权响应
|
||
type SSOAuthorizeResponse struct {
|
||
Code string // 授权码(authorization_code 模式)
|
||
State string
|
||
}
|
||
|
||
// SSOTokenInfo Token 信息
|
||
type SSOTokenInfo struct {
|
||
Active bool
|
||
UserID int64
|
||
Username string
|
||
ExpiresAt time.Time
|
||
Scope string
|
||
ClientID string
|
||
}
|
||
|
||
// SSOSession SSO Session
|
||
type SSOSession struct {
|
||
SessionID string
|
||
UserID int64
|
||
Username string
|
||
ClientID string
|
||
CreatedAt time.Time
|
||
ExpiresAt time.Time
|
||
Scope string
|
||
}
|
||
|
||
// SSOManager SSO 管理器
|
||
type SSOManager struct {
|
||
sessions map[string]*SSOSession
|
||
}
|
||
|
||
// NewSSOManager 创建 SSO 管理器
|
||
func NewSSOManager() *SSOManager {
|
||
return &SSOManager{
|
||
sessions: make(map[string]*SSOSession),
|
||
}
|
||
}
|
||
|
||
// GenerateAuthorizationCode 生成授权码
|
||
func (m *SSOManager) GenerateAuthorizationCode(clientID, redirectURI, scope string, userID int64, username string) (string, error) {
|
||
code := generateSecureToken(32)
|
||
|
||
session := &SSOSession{
|
||
SessionID: generateSecureToken(16),
|
||
UserID: userID,
|
||
Username: username,
|
||
ClientID: clientID,
|
||
CreatedAt: time.Now(),
|
||
ExpiresAt: time.Now().Add(10 * time.Minute), // 授权码 10 分钟有效期
|
||
Scope: scope,
|
||
}
|
||
|
||
m.sessions[code] = session
|
||
|
||
return code, nil
|
||
}
|
||
|
||
// ValidateAuthorizationCode 验证授权码
|
||
func (m *SSOManager) ValidateAuthorizationCode(code string) (*SSOSession, error) {
|
||
session, ok := m.sessions[code]
|
||
if !ok {
|
||
return nil, errors.New("invalid authorization code")
|
||
}
|
||
|
||
if time.Now().After(session.ExpiresAt) {
|
||
delete(m.sessions, code)
|
||
return nil, errors.New("authorization code expired")
|
||
}
|
||
|
||
// 使用后删除
|
||
delete(m.sessions, code)
|
||
|
||
return session, nil
|
||
}
|
||
|
||
// GenerateAccessToken 生成访问令牌
|
||
func (m *SSOManager) GenerateAccessToken(clientID string, session *SSOSession) (string, time.Time) {
|
||
token := generateSecureToken(32)
|
||
expiresAt := time.Now().Add(2 * time.Hour) // Access token 2 小时有效期
|
||
|
||
accessSession := &SSOSession{
|
||
SessionID: token,
|
||
UserID: session.UserID,
|
||
Username: session.Username,
|
||
ClientID: clientID,
|
||
CreatedAt: time.Now(),
|
||
ExpiresAt: expiresAt,
|
||
Scope: session.Scope,
|
||
}
|
||
|
||
m.sessions[token] = accessSession
|
||
|
||
return token, expiresAt
|
||
}
|
||
|
||
// IntrospectToken 验证 token
|
||
func (m *SSOManager) IntrospectToken(token string) (*SSOTokenInfo, error) {
|
||
session, ok := m.sessions[token]
|
||
if !ok {
|
||
return &SSOTokenInfo{Active: false}, nil
|
||
}
|
||
|
||
if time.Now().After(session.ExpiresAt) {
|
||
delete(m.sessions, token)
|
||
return &SSOTokenInfo{Active: false}, nil
|
||
}
|
||
|
||
return &SSOTokenInfo{
|
||
Active: true,
|
||
UserID: session.UserID,
|
||
Username: session.Username,
|
||
ExpiresAt: session.ExpiresAt,
|
||
Scope: session.Scope,
|
||
ClientID: session.ClientID,
|
||
}, nil
|
||
}
|
||
|
||
// RevokeToken 撤销 token
|
||
func (m *SSOManager) RevokeToken(token string) error {
|
||
delete(m.sessions, token)
|
||
return nil
|
||
}
|
||
|
||
// CleanupExpired 清理过期的 session(可由后台 goroutine 定期调用)
|
||
func (m *SSOManager) CleanupExpired() {
|
||
now := time.Now()
|
||
for key, session := range m.sessions {
|
||
if now.After(session.ExpiresAt) {
|
||
delete(m.sessions, key)
|
||
}
|
||
}
|
||
}
|
||
|
||
// generateSecureToken 生成安全随机 token
|
||
func generateSecureToken(length int) string {
|
||
bytes := make([]byte, length)
|
||
rand.Read(bytes)
|
||
return base64.URLEncoding.EncodeToString(bytes)[:length]
|
||
}
|
||
|
||
// SSOClient SSO 客户端配置存储
|
||
type SSOClient struct {
|
||
ClientID string
|
||
ClientSecret string
|
||
Name string
|
||
RedirectURIs []string
|
||
}
|
||
|
||
// SSOClientsStore SSO 客户端存储接口
|
||
type SSOClientsStore interface {
|
||
GetByClientID(clientID string) (*SSOClient, error)
|
||
}
|
||
|
||
// DefaultSSOClientsStore 默认内存存储
|
||
type DefaultSSOClientsStore struct {
|
||
clients map[string]*SSOClient
|
||
}
|
||
|
||
// NewDefaultSSOClientsStore 创建默认客户端存储
|
||
func NewDefaultSSOClientsStore() *DefaultSSOClientsStore {
|
||
return &DefaultSSOClientsStore{
|
||
clients: make(map[string]*SSOClient),
|
||
}
|
||
}
|
||
|
||
// RegisterClient 注册客户端
|
||
func (s *DefaultSSOClientsStore) RegisterClient(client *SSOClient) {
|
||
s.clients[client.ClientID] = client
|
||
}
|
||
|
||
// GetByClientID 根据 ClientID 获取客户端
|
||
func (s *DefaultSSOClientsStore) GetByClientID(clientID string) (*SSOClient, error) {
|
||
client, ok := s.clients[clientID]
|
||
if !ok {
|
||
return nil, fmt.Errorf("client not found: %s", clientID)
|
||
}
|
||
return client, nil
|
||
}
|
||
|
||
// ValidateClientRedirectURI 验证客户端的 RedirectURI
|
||
func (s *DefaultSSOClientsStore) ValidateClientRedirectURI(clientID, redirectURI string) bool {
|
||
client, err := s.GetByClientID(clientID)
|
||
if err != nil {
|
||
return false
|
||
}
|
||
|
||
for _, uri := range client.RedirectURIs {
|
||
if uri == redirectURI {
|
||
return true
|
||
}
|
||
}
|
||
return false
|
||
}
|