Files
higress/plugins/wasm-go/extensions/oidc/oc/encryption.go
2023-10-31 17:15:55 +08:00

77 lines
2.1 KiB
Go

// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oc
import (
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
"golang.org/x/oauth2"
"strings"
)
func Nonce(length int) ([]byte, error) {
b := make([]byte, length)
_, err := rand.Read(b)
return b, err
}
func HashNonce(nonce []byte) string {
hasher := sha256.New()
hasher.Write(nonce)
return base64.RawURLEncoding.EncodeToString(hasher.Sum(nil))
}
func GenState(nonce []byte, key string, redirectUrl string) string {
hashedNonce := HashNonce(nonce)
encodedRedirectUrl := base64.RawURLEncoding.EncodeToString([]byte(redirectUrl))
state := fmt.Sprintf("%s:%s", hashedNonce, encodedRedirectUrl)
signature := SignState(state, key)
return fmt.Sprintf("%s.%s", state, signature)
}
func SignState(state string, key string) string {
mac := hmac.New(sha256.New, []byte(key))
mac.Write([]byte(state))
return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
func VerifyState(state, signature, key, redirect string) error {
if !hmac.Equal([]byte(signature), []byte(SignState(state, key))) {
return fmt.Errorf("signature mismatch")
}
parts := strings.Split(state, ":")
if len(parts) != 2 {
return fmt.Errorf("invalid state format")
}
redirectUrl, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return fmt.Errorf("failed to decode redirect URL: %v", err)
}
if string(redirectUrl) != redirect {
return fmt.Errorf("redirect URL mismatch")
}
return nil
}
func SetNonce(nonce string) oauth2.AuthCodeOption {
return oauth2.SetAuthURLParam("nonce", nonce)
}