resource_owner_command_authorization.go
package goauth2
import (
"github.com/inklabs/rangedb"
"github.com/inklabs/rangedb/pkg/clock"
)
// resourceOwnerCommandAuthorization decides whether a command issued on behalf
// of a resource owner may proceed. Handle makes the decision; any rejection is
// recorded as an event in pendingEvents rather than returned as an error.
type resourceOwnerCommandAuthorization struct {
	// store is the event store from which the acting user's aggregate is
	// rebuilt on every authorization check.
	store rangedb.Store
	// clock is passed through to newResourceOwner when rebuilding an aggregate.
	clock clock.Clock
	// tokenGenerator is passed through to newResourceOwner when rebuilding an
	// aggregate.
	tokenGenerator TokenGenerator
	// pendingEvents accumulates the rejection events queued by emit and is
	// exposed through GetPendingEvents. Nothing in this file clears it.
	pendingEvents []rangedb.Event
}
// newResourceOwnerCommandAuthorization wires an authorization gate to the
// event store, token generator and clock it needs to rebuild resource-owner
// aggregates. The pending-event queue starts out nil.
func newResourceOwnerCommandAuthorization(
	store rangedb.Store,
	tokenGenerator TokenGenerator,
	clock clock.Clock,
) *resourceOwnerCommandAuthorization {
	authorization := new(resourceOwnerCommandAuthorization)
	authorization.store = store
	authorization.tokenGenerator = tokenGenerator
	authorization.clock = clock
	return authorization
}
// Handle reports whether command may proceed. It is the authorization gate for
// three privileged commands; for each one it rebuilds the acting user's
// aggregate from the event store and checks the flags on that aggregate:
//
//   - GrantUserAdministratorRole: GrantingUserID must be on-boarded and an
//     administrator.
//   - AuthorizeUserToOnBoardClientApplications: AuthorizingUserID must be
//     on-boarded and an administrator.
//   - OnBoardClientApplication: UserID must be on-boarded and authorized to
//     on-board client applications.
//
// When a check fails, exactly one "WasRejected" event is queued and false is
// returned.
//
// Every command type without a case here falls through and is allowed (true is
// returned). A privileged command added later is therefore not gated until it
// gets its own case in this switch.
//
// NOTE(review): the acting user's ID is read from the command itself. This gate
// presumably relies on callers filling it from the authenticated principal
// rather than from request input; confirm at the call sites.
func (a *resourceOwnerCommandAuthorization) Handle(command Command) bool {
	switch cmd := command.(type) {
	case GrantUserAdministratorRole:
		granter := a.loadResourceOwnerAggregate(cmd.GrantingUserID)
		switch {
		case !granter.IsOnBoarded:
			// Unknown or not yet on-boarded granter.
			a.emit(GrantUserAdministratorRoleWasRejectedDueToMissingGrantingUser{
				UserID:         cmd.UserID,
				GrantingUserID: cmd.GrantingUserID,
			})
			return false
		case !granter.IsAdministrator:
			// Only an administrator may grant the administrator role.
			a.emit(GrantUserAdministratorRoleWasRejectedDueToNonAdministrator{
				UserID:         cmd.UserID,
				GrantingUserID: cmd.GrantingUserID,
			})
			return false
		}

	case AuthorizeUserToOnBoardClientApplications:
		authorizer := a.loadResourceOwnerAggregate(cmd.AuthorizingUserID)
		switch {
		case !authorizer.IsOnBoarded:
			// Unknown or not yet on-boarded authorizer.
			a.emit(AuthorizeUserToOnBoardClientApplicationsWasRejectedDueToMissingAuthorizingUser{
				UserID:            cmd.UserID,
				AuthorizingUserID: cmd.AuthorizingUserID,
			})
			return false
		case !authorizer.IsAdministrator:
			// Only an administrator may hand out this permission.
			a.emit(AuthorizeUserToOnBoardClientApplicationsWasRejectedDueToNonAdministrator{
				UserID:            cmd.UserID,
				AuthorizingUserID: cmd.AuthorizingUserID,
			})
			return false
		}

	case OnBoardClientApplication:
		owner := a.loadResourceOwnerAggregate(cmd.UserID)
		// A user who is not on-boarded and a user who lacks the permission are
		// rejected with the same event, so the two checks share one branch.
		if !(owner.IsOnBoarded && owner.IsAuthorizedToOnboardClientApplications) {
			a.emit(OnBoardClientApplicationWasRejectedDueToUnAuthorizeUser{
				ClientID: cmd.ClientID,
				UserID:   cmd.UserID,
			})
			return false
		}
	}

	return true
}
// emit queues events on the pending list, after anything already queued.
func (a *resourceOwnerCommandAuthorization) emit(events ...rangedb.Event) {
	queued := append(a.pendingEvents, events...)
	a.pendingEvents = queued
}
// loadResourceOwnerAggregate rebuilds the resourceOwner aggregate for userID
// from all events in that user's stream.
//
// NOTE(review): no error is surfaced here. If the stream is empty or cannot be
// read, the aggregate presumably keeps its zero-value flags and Handle rejects
// the command; confirm against newResourceOwner and the store implementation.
func (a *resourceOwnerCommandAuthorization) loadResourceOwnerAggregate(userID string) *resourceOwner {
	streamName := resourceOwnerStream(userID)
	history := a.store.AllEventsByStream(streamName)
	return newResourceOwner(history, a.tokenGenerator, a.clock)
}
// GetPendingEvents returns the rejection events queued so far. The internal
// slice is returned without copying and is not cleared by this call.
func (a *resourceOwnerCommandAuthorization) GetPendingEvents() []rangedb.Event {
	queued := a.pendingEvents
	return queued
}